(SM-2205) Java Connector Setup

Java connector is a component used for authentication and communication with remote services using JDBC drivers or Java SDKs. It runs as an independent OS process and can be configured and controlled through transaction /DVD/JCO_MNG.

In this section:

/DVD/JCO_MNG allows you to link the Java connector with the SAP RFC destination which will be used as a communication channel between SAP and JCO and maintain the settings.
After all required fields are filled and saved, you can click the Restart button to start the Java service.
When there are multiple SAP application servers, in a standard scenario there is one JCO instance for each server. These can be started and stopped all at once using Restart all and Stop all buttons.

 

Table of Contents:

Setup

This component requires an initial setup to be fully functional.

Java runtime environment (JRE)

An up-to-date Java runtime needs to be available to the SAP's <sid>adm user.
Java connector is tested and built using OpenJDK 11, but generally, most of the releases - Java 8, Java 11, and Java 16 are usable.
Recommended JRE is OpenJDK 11, which can be downloaded from the Adoptium download site for most architectures.
Not to interfere with possible Java installation already present on the SAP application server, the archive can be simply unpacked into a non-default directory, e.g. /sapmnt/<SID>/global/JRE_11/.

SAP Java Connector library

Java Connector uses a shared library published by SAP named libsapjco3.so (or sapjco3.dll on Windows OS).
Starting with SNP JCo version 229, the library for Linux 86_x64 and Windows x64 systems is included in SNP transports.
If the system hosting the JCo is x64, there is no further action needed.

If the system hosting JCo is running on different processor architecture, it is necessary to manually download and replace the library after the first attempt to start the JCo.
The first start attempt will fail due to incompatibility, but it will deploy all other libraries and configuration files needed for the JCo run. Location of the libraries is /<installation_directory_path>/lib/.

To acquire the library from the SAP launchpad, search for “SAP JCO” in Downloads, navigate to SOFTWARE CATEGORY: SAP JCO 3.1 and select the required system architecture:

Once uploaded to the JCo host, after the first startup attempt (see below), simply replace the library and change the ownership to <sid>adm:sapsys, example:

cp libsapjco3.so /usr/sap/NSD/DVEBMGS01/work/dvd_conn/jco230/lib/ chown nsdadm:sapsys /usr/sap/NSD/DVEBMGS01/work/dvd_conn/jco230/lib/libsapjco3.so

SAP RFC role and user

Java connector uses a dedicated user in the SAP system for registration on the SAP gateway and further communication.
This user should be created with the type System and with authorizations limiting his privileges to basic RFC communication.

The required authorization object is S_RFC with these settings:

  • ACTVT = 16

  • RFC_NAME = RFC1, RFC_METADATA, SDIFRUNTIME, SYST

  • RFC_TYPE = FUGR

Example of custom SAP role in PFCG transaction (Display Authorization Data):

 

Java Connector RFC

Java Connector RFC name refers to the Java service which is used for authentication and communication with other services.

Settings:

  • Connection Type - T for TCP/IP Connection

  • Activation Type - select Registered Server Program

  • Program ID - name of the program how JCO will identify itself when logged on to SAP gateway (Example: DATAVARD_JAVA_CONN)

SAP gateway access

External communication with the SAP system goes through the SAP gateway. If SAP system parameter gw/acl_mode is enabled, there are files reginfo that limit the access of external programs.
In this case, a program needs to have granted access either by wildcard definition or by explicitly defining the program registration name (in our example it is DATAVARD_JAVA_CONN).

More information on the SAP gateway ACL topic can be found on the SAP website Gateway Security Files secinfo and reginfo.

/DVD/JCO_MNG initial setup

  1. Select the latest JCO version by double-clicking the row on the left side of the screen

  2. Switch to Edit mode

  3. Click “Fill default values

  4. Adjust values you want to change

    1. Config

       

      • Client - client in which SAP RFC user is created

      • RFC User - username of SAP RFC user used to register on SAP gateway

      • Password - hashed password of SAP RFC user. The hash can be created by typing the password in the field below and clicking the 'Hash' button

      • Install directory - directory on the application server where the libraries, configuration, and log files will be generated - can be a physical path or a logical path enclosed in <>. A logical path is recommended when the SAP system consists of multiple application servers because the instance directory will differ between them. Default path </DVD/DEF_JCO_DIR> is imported with our transports and translates to physical path /usr/sap/<SID>/<instance_dir>/work/dvd_conn/. Customer can define their own custom logical path to be used in transaction ‘FILE’. After installing the directory value, you have to click the 'Generate paths' button, which will propagate the new path structure to the rest of the configuration (this can be seen in the Advanced tab). It is recommended to extend the path with a subdirectory dedicated to a particular connector version (e.g. /jco230) which will provide the possibility to switch between connector versions during SW updates with an easy fallback option.

      • Java exe - path to Java executable on the SAP application server

      • Java vendor - name of Java vendor, ORACLE, or IBM (for SAP JVM, or OpenJDK, fill ORACLE)

    2. Dependencies

       

      • Select a library bundle that you want to use with JCO. The latest version is usually recommended

    3. Advanced
      In most scenarios, these settings do not need to be changed.

      • OS Command for starting java service - name of an OS command for starting Java service (SM69)

      • OS Command for setting access permissions - name of an OS command for setting execution rights (SM69)

      • Max RAM used - maximum amount of RAM used by Java service (heap size)

      • Additional java starting arguments - additional arguments used to start the Java service

      • Repository destination - client destination from which repository should be obtained

      • Work thread MIN - number of threads Java service always runs with

      • Work thread MAX - maximum number of threads that can be used by the Java service

      • Connection count - number of connections registered at SAP gateway

      • Peak limit - limit of JCo connections at peak

      • Log4j log level - level of messages collected in logs

      • Log4j log deletion - log retention period

      • Log files path - directory where the log files will be saved

      • JAR path - path where the JCO JAR file will be created

      • Log4j config path - path where the log4j config file will be created

      • Server config path - path where the server config will be created

      • Destination config path - path where the destination config will be created

      • Avoid JCO config files creation - special option which prevents automatic overwriting of existing JCO files. Useful for cases when manual modification of configuration files is needed (troubleshooting).

      • Use JCO dir for parquet conversion - if required, JCO performs data conversion into PARQUET format. This is by default done in memory; when this option is active, conversion is done using temporary files in JCO_install_dir/parquet subdirectory. This may be necessary if the memory allowance for JCO is limited.

  5. Go to the 'General' tab and assign the RFC to the Java connector

     

    • RFC Usage - Refers to the RFC destination that enables communication with JCO.

  6. Save the settings

  7. Start the Java service by clicking the 'Restart' button

                         

The Java service is started with a system command. You can adjust the name of this command in the table Advanced tab. The default name of the command is ZDVD_START_JAVA. In the case the system command doesn't exist, it is created automatically. You can view the system commands through the transaction SM69. On Linux, another system command is required, which sets executable rights for the configuration files (chmod 755 <filename>). Its name can be adjusted in the Advanced tab.

The following authorizations are required for the automatic start of the Java process:

  • S_RFC_ADM (Administration for RFC Destination): ACTVT = 03, RFCTYPE = * , RFCDEST = <JAVA_RFC>, ICF_VALUE = *

  • S_DATASET (Authorization for file access): PROGRAM =/DVD/*, ACTVT = *, FILENAME = *

  • S_LOG_COM (Authorization to Execute Logical Operating System Commands): COMMAND = ZDVD*, OPSYSTEM = * , HOST = *

Management of JCO config versions (upload/download) also requires S_GUI (Authorization for GUI activities) with ACTVT = 61,60

Central Java instance

It is possible to have a single Java connector running, instead of running one on every application server. To set such a scenario, follow these steps:

  1. If the Java connector is already running on several application servers, stop all instances.

  2. Open the Java RFC destination and fill the Gateway options valid for the desired instance

     

  3. When you restart transaction /DVD/JCO_MNG, only buttons belonging to the desired application server should be functional and all the other app. servers should be using this connection.
    Start the connector and all rows in the Connection column should be green.

     

Setting up the connection via proxy server

Sometimes communication with a service outside the corporate network needs to be routed through a proxy server to comply with company security standards.

To achieve this, you need to add the following java parameters to the Additional java starting arguments field in the Advanced tab of /DVD/JCO_MNG.

-Dhttp.useProxy=true -Dhttps.proxyHost=<proxy_host> -Dhttp.proxyHost=<proxy_host> -Dhttps.proxyPort=<proxy_port> -Dhttp.proxyPort=<proxy_port>

SNC configuration

If the SAP system is hardened by enabled Secured Network Communication (system parameter snc/enable = 1), there are additional configuration steps.

  1. The first step is the creation of a Personal Security Environment (PSE) for JCo. This is to be done under <sid>adm user. PSE should be stored together with other SAP PSE files, by default on path /usr/sap/<SID>/<SAP_instance>/sec, referenced by environment variable $SECUDIR. Commands to create the PSE, with an example of system ID NSZ with csh as nszadm’s shell:
    su - nszadm
    setenv SECUDIR /usr/sap/NSZ/D00/sec
    cd $SECUDIR
    sapgenpse gen_pse -v -p DVDJCO.pse

    A passphrase can optionally protect PSE. The mandatory input parameter is the Distinguished name of the PSE owner, in our example, it’s CN=JCO_RFC, OU=DVD, C=DE

    nsz:nszadm 98> sapgenpse gen_pse -v -p DVDJCO.pse Got absolute PSE path "/usr/sap/NSZ/D00/sec/DVDJCO.pse". Please enter PSE PIN/Passphrase: Please reenter PSE PIN/Passphrase: !!! WARNING: For security reasons it is recommended to use a PIN/passphrase !!! WARNING: which is at least 8 characters long and contains characters in !!! WARNING: upper and lower case, numbers and non-alphanumeric symbols. get_pse: Distinguished name of PSE owner: CN=JCO_RFC, OU=DVD, C=DE Supplied distinguished name: "CN=JCO_RFC, OU=DVD, C=DE" Creating PSE with format v2 (default) succeeded. certificate creation... ok PSE update... ok PKRoot... ok Generating certificate request... ok. Certificate Request: Signed Part: Subject: CN=JCO_RFC, OU=DVD, C=DE Key: rsaEncryption (2048 bits) Attributes: None Signature: Signature algorithm: sha256WithRsaEncryption (1.2.840.113549.1.1.11) Signature: <Not displayed> PKCS#10 certificate request for "/usr/sap/NSZ/D00/sec/DVDJCO.pse": -----BEGIN CERTIFICATE REQUEST----- MIICcjCCAVoCAQAwLTELMAkGA1UEBhMCREUxDDAKBgNVBAsTA0RWRDEQMA4GA1UE ################################################################ ################################################################ ################################################################ PxmDNQSCYvLxURXcP+vQxDSOq5QYgQf4g4egjVXRcyQwOJNZRpHlP1olXc4Aa675 -----END CERTIFICATE REQUEST----- nsz:nszadm 99>

     

  2. The second step is to export the certificate with the public key from the newly created PSE, using the command:
    sapgenpse export_own_cert -v -p DVDJCO.pse -o DVDJCO.crt
    This produces a DVDJCO.crt file.

     

  3. Now import the DVD JCo certificate file into the SAP system’s Trust manager.
    Run transaction STRUST → switch to Edit mode → double-click SNC PSE node → in the lower part of the screen click on the Import certificate icon, locate the certificate file, confirm file selection → click Add to Certificate ListSave (Ctrl+S)
    NOTE: You may need to download the certificate file to your front end to be able to select it.

  4. We have imported the JCo certificate to SAP. To create two-way trust between SAP and JCo, now we need to import the SAP system’s certificate to JCo PSE.
    Export SAP’s own certificate, similarly as in step 3. run STRUST select SNC PSE node, but double-click on Own certificate and at the bottom of the screen click icon Export certificate. Choose Base64 format, path, and filename to save the .crt file. Upload the file to the application server, ideally to $SECUDIR.

  5. To import the SAP certificate to JCo PSE, run the command:
    sapgenpse maintain_pk -v -a SAP.crt -p DVDJCO.pse

     

  6. To allow JCo to run under <sid>adm user using the credentials stored in the PSE, SSO credentials need to be created in the cred_v2 file.
    It is advised to back up the cred_v2 file before proceeding.
    The file should already exist in SECUDIR and will be updated using the command:
    sapgenpse seclogin -p DVDJCO.pse -O nszadm


    Available SSO credentials can always be checked using the command:
    sapgenpse seclogin -l

  7. Now that the security environment is prepared, configure JCo SNC in transaction /DVD/JCO_MNG as follows:

     

    • SNC enabled - once activated, user and password fields will be greyed out and have no effect on JCo configuration

    • SNC QoP Level - SNC Quality of Protection, needs to be the same level as set in system parameter snc/data_protection/use (default = 3)

    • JCo SNC name - Distinguished name chosen during the creation of JCo PSE (step 1.)

    • SNC enabled GW port - SAP gateway port used for secure communication. The default port number is 48$$, $$ being the instance number

    • SNC partner name - Distinguished name of SAP system, pre-filled from SAP profile parameter snc/identity/as

      Save the configuration when completed, but do not start the JCo yet.

  8. There are two more configuration pieces to complete before JCo can properly start and register on the SAP gateway.
    In SU01, activate SNC for RFC user dedicated to JCo communication, filling SNC name dedicated to JCo.
    Despite the user no longer being configured in /DVD/JCO_MNG, it is used by matching the SNC name entered here and the Distinguished name configured in JCo PSE.


    Secondly, via SM59 activate SNC in RFC destination dedicated to communication between SAP and JCo and fill JCo Distinguished name again in the Logon & Security tab (SNC options button):


    Having all SNC prerequisites met, Java Connector can be started.

Sample JCo configuration files with SNC enabled

Upgrading Java connector

This is a list of steps to do when you update your SNP software and you would like to switch to a new version of the Java connector.

With SAP JCO version 3.1 additional authorization is required for JCO’s RFC user, which allows execution of function modules in function group RFC_METADATA.
Please make sure the RFC user has all authorizations listed in “SAP RFC role and user” section of this page.

  1. Open transaction /DVD/JCO_MNG

     

  2. Double-click the current working connector and click Copy config

     

  3. Double-click the latest connector, enter Edit mode, then click Paste config, then fill the RFC Usage field with the same RFC that was used with the old connector

     

  4. Switch to the Dependencies tab and make sure you are using the latest libraries for your connector

  5. Switch back to the General tab and click Restart for every Application server