Logon Group in a Cluster

Similar Messages

• Issue with parallel operation of SAP NW SSO 2.0 and SNC Client Encryption (Logon Groups)

  Hi!
  One of our customers is using the SNC Client Encryption solution to ensure encryption using SNC (based on Kerberos Technology) for their SAP GUI Dialog connections. They have lots of SAP backends DEV, QAS, PRD all with the SNC Client Encryption SNC Lib installed. The profile parameter snc/identity/as contains the following value: p:CN=SAP/<ServiceAccount>@<DOMAIN>.
  Example: p:CN=SAP/[email protected]
  The customer is using one AD Service Account "SNCServiceUser" with one registered SPN "SAP/SNCServiceUser" for all systems (yes, this is not recommended... but the case).
  Important: All users use group entries in the SAP Logon (saplogin.ini). Means, for SAP logon the SNC name can not be manually configured on the SAP Front End. With group logons, the application server's SNC name is dynamically requested by the message server each time a SAP GUI connection is started. The SNC Name is greyed out in this case as dynamically obtained from the applications servers profile parameter snc/identity/as.
  Now our customer implements SAP NetWeaver Single Sign-On 2.0 within his landscape. Based on the Secure Login Server 2.0 (SP3) he likes to use X.509 based authentication to his AS ABAP backends using SAP GUI SNC while others still use SNC Client Encryption.
  Replacing the SNC Library on the AS ABAP
  The Secure Login Library 2.0 (SP3) has been installed on one of the ABAP systems and the SNC Client Encryption SNC Library (which is based on SSO 1.0) is no longer used, thus we changed the parameter snc/gssapi_lib to point to the new SNC library. We removed the old PSE.ZIP containing the keytab and created the new SAPSNCSKERB.PSE incl. the keytab and proper credentials. To ensure parallel operation, we kept the snc/identity/as value as is =  p:CN=SAP/[email protected].
  After restarting the system with initialized Secure Login Library 2.0, still the SNC client encryption works fine for existing users.
  The problem
  We created on the Secure Login Server an SNC certificate for the AS ABAP which has the following X.509 Distinguised Name Fomat: CN=SAP/[email protected] This is to avoid having to change the snc/identity/as to an "real" X.509 DN which would lead to non-working SNC Client Encryption for all the other users using SAP GUI and logon groups.
  As soon as we install the PSE via STRUST on the system the SNC Client Encryption solution stops working with error „Server refuses kerberos key exchange“.
  As part of an pilot implementation we have installed Secure Login Client 2.0 (SP3) on some test PCs. The test PC with SLC is able to perform Single Sign-On with SNC based on X.509 (incl. Encryption) to the ABAP system.
  Seems the SAP System now only tries to do X.509 based authentication thus key exchange fails. The problem is, we cannot change the snc/identity/as value because of the logon groups. If we were able to do so, we would in any case set the server identity to X.509 DN and in addition create the SAPSNCSKERB.PSE incl. keytab. This should work, as confirmed by SAP see this post.  
  Any ideas how to solve this and have both solutions in parallel?
  Appreciate any help.
  Regards,
  Carsten

  Hi all,
  we was able to fix the issue. It was an issue with the customers cluster configuration and the  $SECUDIR variable. This tricky issue leads to non working or sporadic working SNC Client Encryption...
  This was how the configuration looks before:
  Environment variable $SECUDIR is defined:
  "/ABCDEF<SID>/usr/sap/<SID>/DVEBMGSxx/sec“
  sapgenpse seclogin -l -v
  running seclogin with USER="<SID>adm"
  Credentials for username '<SID>adm':
  0 (LPS:OFF):
           (LPS:OFF): /ABCDEF<SID>/usr/sap/<SID>/DVEBMGSxx/sec/SAPSNCSKERB.pse
  1 (LPS:OFF):
           (LPS:OFF): /usr/sap/<SID>/DVEBMGSxx/sec/SAPSNCS.pse
  After changing the $SECUDIR to "/usr/sap/<SID>/DVEBMGSxx/sec“ and re-creating the credentials, it worked like a charm.
  As a result of this we can confirm, this configuration and SNC Client Encryption works with CommonCryptoLib in parallel to the SSO configuration.
  And Valerie was right with 2. SLC starting from V. 1.0 SP2 PL3 was able to convert the CN= part of the SNC Name into an SPN, was my mistake. In addition SNC Client Encryption starting from Version 1 SP1 PL1 does this also.. just to make this clear
  Thread closed hope this helps someone
  Carsten

• Send Idoc's to R/3 System with logon group

  Hello everybody,
  I have the next scenario
  Sender R/3 Idoc -> XI -> Receiver R/3 Idoc
  now I have a doubt, the receiver system has a logon group, is there any benefits for me in XI to use the logon group to send the Idocs to this system?, and if it's better to use logon group how can I use it, juts by defining the RFC that exists in SM59 that points to the receiver R/3 system in XI as load balancing and pointing to the logon group????, thanks in advance for your answers.

  Julio,
  Yes you are right, load balancing can be achieved using logon groups in the RFC destination for the IDoc adapter. It basically enables the ABAP dispatcher to decide whats the best available application server to process the inbound message sent by PI.The purpose is to load-balance successive connections across a group of ECC application servers.
  To do this a connection is established through the message server (the central ECC instances communication process) to determine which ECC instance is to handle the RFC call.
  The key parameters here are:
  u2022     the hostname, on which the message server process runs,
  u2022     the system name of the ECC central instance, and
  u2022     The logon group, which indicates the cluster of applications servers that an ECC instance will be selected from, to serve the request.
  Greetings,
  Gerardo.

• Portal-based logon Groups?

  Hi,
  I´m working with in a Application Sharing setup and in help.sap related to configuring Application Sharing in a clustered environment it mentions something about a portal-based logon group and a zone separator when just having a stand alone server with more than one server nodes.
  This is found in the following document under ClusterLogonGroupName and ClusterGroupSeparator explanation.
  http://help.sap.com/saphelp_nw70/helpdata/en/6d/41e74196d8c517e10000000a155106/content.htm
  I have never heard about logon groups inside SAP Portal and a zone separator, has somebody worked with them? where do you configure them or is this info in help.sap not accurate?
  Kind Regards,
  Gerardo J

  Hi Gerado,
  You define logon groups to determine how client requests to certain applications are load balanced when your system setup uses the SAP Web Dispatcher or a third-party hardware load balancer in front of your application servers. For example, you can define a logon group so that a certain application (such as one with high CPU usage) is accessible only on two instances within your cluster, which are running on machines equipped with extra CPU resources.
  http://help.sap.com/saphelp_nw70/helpdata/en/f3/795a421b5ec153e10000000a1550b0/frameset.htm
  Information regarding the zone seperator can be found here:
  http://help.sap.com/saphelp_nw70/helpdata/en/56/dcf4c12b072c4e89884dc164b3762c/frameset.htm
  I have not worked with these, but they seem interesting.
  Regards,
  Kai

• Public logon group not showing up

  Hi everybody
  I am trying to create a SAPGui entry for logon group access to customer ECC6.0 system.
  I have configured the service and sapmsg.ini file.
  I was told by customer sysadmin that PUBLIC logon group was created but in the list of logon groups I can only see SPACE.
  Moreover, if I complete the procedure with SPACE logon group, when I try to login it won't succeed, warning that even the client number is wrong (?!).
  My questions are:
  - how to retrieve message server number and port (even though I am fairly certain that they are ok, otherwise the Logon group list wouldn't have been populated... right?)
  - what might be the cause for the PUBLIC logon group not to show up
  Thanks, points will be awarded
  Vincenzo

  Hi,
  Since you get such strange errors, it almost seems like you are trying to logon to the wrong server.
  Please check sapmsg.ini again to see that the correct hostname/ip-address is entered.
  Also, did you notice if the server name is correct at the logon screen ?
  Every Dialog instance or Central Instance gets logon group SPACE by default. Then, when you create logon groups for the instance,
  the group SPACE will disappear.
  In some installations the central instance and the message server both uses the instance number of the central instance as a base to calculate the ports.
  CentralInstance/DialogInstance = 3200, MsgServer=3600
  but, on some installations (E g Windows Cluster) this could be different.
  There you might have something like:
  CentralInstance/DialogInstance = 3200 and the MsgServer=3601
  You need to ask your sysadmin for message server port and host.

• Can Portal be configured with Logon Group?

  Hi, gurus:
  is concept 'logon group' used for Enterprise Portal?
  how to configure Logon Group for enterprise?
  Thank you
  Br,
  Chrina

  Hi Chrina,
  don't get me wrong. You still need a dedicated load balancer system to realize load balancing between multiple application servers. This could be a software load balancer (e.g. SAP Web Dispatcher) or a hardware load balancer (e.g. F5).
  If you deploy an application, it is deployed to all application servers. A user who tries to access this applicaion could be forwarded (by the load balancer) to any of your application servers.
  But sometimes you do not want this. In case you have an application which has very high CPU usage you can use logon groups to restrict the routing of the load balancer. Basically, you tell the load balancer to forward requests for a specific application to one of your application servers which belongs to a previously defined sub set of your cluster. For example, you have 4 application servers (AS1, AS2, AS3, AS4). Now you define a logon group for a certain application (App1), which is deployed on all servers. By defining the logon group you tell the load balancer to forward all requests for application App1 to either server AS1 or server AS2, but never to server AS3 or server AS4.
  This way you avoid that all of your application servers become really busy processing requests for the applicaion with very high CPU usage.
  Best regards,
  Martin

• Create Logon Group on EP for Load Balancing

  Dear All,
  How to create logon group on EP.
  This group will include group of dialogue instance systems.
  (di01, di02, di03)
  Current landscape is
  all these 3 di are under CI(production system).
  EP d/b is connected and mapped over this production system.
  Now I want whenever user access EP they should not login to PRD sys but thy shd login to any one of the DI SYS.
  Responce Awaited.
  Regards,
  Purav

  please believe me, the portal has no such mechanism itself for this kind of load balancing - it is ALWAYS done by an external solution such as web dispatcher.
  In a portal cluster the CI may or may not have the SCS installed (it depends on the specific installation) but each node has its own inbuilt load balancing via the dispatcher - however this is purely round robin not based on any kind of exta intelligence.
  Although portal can be installed in a cluster, any nodes (app or otherwise) can be treated as individual servers.  In order to balance load across any / all servers in this configuration an external mechanism must be employed.
  Chances are anyone claiming to have done load balancing this way without hardware is almost certainly using the web dispatcher as an additional layer.
  Haydn

• SSO to SAP via SAP Logon Group

  Hi,
  I've tried to configure SSO to SAP via SAP logon group. When trying this I'll get the following error:
  Connect to message server failed Connect_PM MSHOST=<server>, R3NAME=IB1, GROUP=IB1_Web LOCATION CPIC (TCP/IP) on local host ERROR The message received isn't from a message server. Are you really connected to the message server? Please check your connection parameters. (<server> / sapmsIB1) TIME Tue Dec 16 16:48:49 2008 RELEASE 640 COMPONENT MS (message handling interface, multithreaded) VERSION 4 RC -2
  I've also configured the file services under winnt\system32\drivers\etc on the BO server with the following line:
  +sapmsIB1      443/tcp     +
  Is there anything I'll have to configure too? Or what does this error mean? The server which I have tried to reach is a message server.
  Thanks in advice.
  Claudia

  HI Ingo,
  yes I can connect with SAP GUI via message server and application server. I can also connect with BO via sso to the application server. Only the message server failed.
  I have now found out that I had the wrong port. But also the right port doesn't work. I have tested the port with telnet. The port is reachable.
  Thanks
  Claudia

• Scheduling background job on Logon group

  Hi All,
  We have 4  logon groups configured in SMLG, while scheduling the job  in SM36 ->Target server field i am able to see only one group and other indivdual servers not  all the Groups configured in SMLG.
  Is there any option i have to check to let all the groups configured in SLMG to diaply in  SM36 for scheduling so that i can select the Logon group. I tried giving the logon group names manually which are not listed in Target server field it's giving the error group not exist..
  Please suggest..how to make all the Groups configured in SMLG to get displayed in SM36  for scheduling jobs...
  Thanks,
  Subhash.G

  Target server field is Name of an SAP instance at which a background job should be run.  The name has the following format:  <host name>_<SAP System name>_<SAP System number>, where host name is the name of the server computer on which the instance is running, as specified in the system profile parameter SAPLOCALHOST.
  The name of each instance is specified in the system profile parameter rdisp/myname.
  Example:  hs0123_C11_55
  In programming:  As the table field EXECSERVER, shows the target instance selected by the user for running a job.  As the table field REAXSERVER, shows the SAP instance at which a job was actually run.
  Hope this is clear.
  Thank you,
  Shyam

• J2EE logon groups in an ABAP+JAVA system

  Hi,
  We are trying to restrict java calls to specific App servers in our ABAP+JAVA system. So if we have 5 App servers, we want all J2EE requests to go to 3 Apps only.
  We are using SAP web dispatcher for this purpose. When checking on SAP help site, it suggested two options.
  1) Configuring Logon Groups on AS Java
  2) Configuring Logon Groups Using Configuration Files
  Which of the above would be a better option for ABAP+JAVA system?
  Has anyone implemented this before? If yes, can you share your experiences/lessons learned??
  Thanks.
  Fahad

  1. Log on to the ABAP system.
  2. Call transaction SPRO.
  3. Go to SAP Solution Manager Implementation Guide -->
  SAP Solution Manager --> Basic Settings --> SAP Solution Manager
  System --> General Settings --> Client Copy
  4. Perform the following steps:
  a) Maintain Profile Parameters
  b) Create Client
  c) Copy Client 000
  d) Convert UME

• How to create Logon groups for JAVA Systems

  Hi,
  I am implementing an BI JAVA Landscape. We do have 1 Central Instance(CI) and 2 Dialog Instances (DI) JAVA Standalone. Everything based on NW04s
  I have set up a Web Dispatcher to do a load balancing. The Web Dispatcher is connected to the Message Server (MS) of the JAVA CI to get all the information about the Engines.
  I am now looking to create Logon groups to distibute the load according the application used applications. I am not sure if there is a possibility to set up logon groups (server groups) directly somewhere in the J2EE engine, or if I have to set this up in the WebDispatcher konfiguration files?!
  Thanks in advance and best regards,
  Dominik

  We're trying to do something similar with NetWeaver CE 7.1.
  According to [this documentation|http://help.sap.com/saphelp_nwce10/helpdata/en/45/3dbe11a82b6bf1e10000000a1553f6/frameset.htm] there are 3 steps to doing this for NetWeaver CE 7.1:
  1. Logon Groups
  2. Web Dispatcher profile changes
  3. HTTP Provider property changes
  We've set up a Logon Group in the NetWeaver nwa and associated the two instances (one host) with it.
  "[Configuring Logon Groups Using Configuration Files|http://help.sap.com/saphelp_nwce10/helpdata/en/45/3c3f0cad9f4c2de10000000a1553f6/frameset.htm]" says: "...to create the files using HTTP Provider service."
  There it doesn't say exactly how to generate those 3 text files; it says: "1. Create the icrgroups.txt and urlinfo.txt files that define the logon groups. For more information, see the documentation of SAP Web Dispatcher." ; but, has no link to what it says to see.  So, I manually go to ["SAP Web Dispatcher", "Assigning Logon Groups"|http://help.sap.com/saphelp_nwce10/helpdata/en/b4/9aa8862e714e6db8e74e48e5d3283b/frameset.htm].  But, it all pretty much breaks down there because it's referring to apparently non-NetWeaver CE 7.1 stuff (as near as I can tell); for instance, how do the transactions SMLG and SICF relate to NetWeaver CE 7.1, or am I in the wrong place?
  I tried to press ahead with files similar to the examples here, but I hit this error in the Web Dispatcher:
  [Thr 5132] *** WARNING => ICT: path prefix /Curam/ not allowed in this context. Only prefix / allowed. [ictxxptab.c 764]
  [Thr 5132] *** WARNING => When a file is specified in wdisp/J2EE/url_map_location only URL prefix '/' is supported. See also SAP note 1033470. [icrxx.c 2925]
  The note reference looks hopeful, but I cannot read it; I get:
  Note 1033470  
  The requested SAP Note is either in reworking or is released internally only
  Does anyone have a copy of this Note or knows if it's helpful?
  Has anyone done this with NetWeaver CE 7.1?
  Tahnks,
  William

• How to create logon group in a JAVA only system?

  We have a JAVA-only CI and several JAVA-only application servers.
  They are all for a single EP7.
  How to make sure that no end EP7 user can use CI ?
  Thanks! Points!

  Hi Jeff,
  You might want to check the following documentation for setting up logon groups on your AS Java environment using NW Administrator tool: <a href="http://help.sap.com/saphelp_nw04s/helpdata/en/a9/775a421b5ec153e10000000a1550b0/frameset.htm">Logon Groups Configuration</a>
  You can also check this <a href="https://www.sdn.sap.com/irj/sdn/thread?threadID=384105">thread</a> which might apply to your environment.
  Hope this helps.
  Regards,
  Joseph

• Cannot use file for clustered server. Only formatted files on which the cluster resource of the server has a dependency can be used. Either the disk resource containing the file is not present in the cluster group or the cluster resource of the Sql Serve

  Hi
  Windows serv 2012 cluster on sql 2012 cluster with 2 instance. on works fine , Second instanc ewhen i try to creat DB a get this message. 
  Cannot use file  for clustered server. Only formatted files on which the cluster resource of the server has a dependency can be used. Either the disk resource containing the file is not present in the cluster group or the cluster resource of the Sql
  Server does not have a dependency on it.
  CREATE DATABASE failed. Some file names listed could not be created. Check related errors. (Microsoft SQL Server, Error: 5184)
  Any help please
  kam
  KAMEL

  Hi Saurabh
  Exactly I have SQL SERVER 2012
  Failover Clustering   in windows server 2012 with two nodes with
  two instances and exactly I run them in the same server and each instance with
  three drives Backup, Data and log.   
  KAMEL

• Logon Load Balancing / Configuring Logon Groups problem

  In existing system setting:
  One Logon group (PUBLIC) and point to one instances.  This setting is work and SAP LOGON default clinet no is 320.
  I try to install one more instances on other server and add to same Logon group (PUBLIC).
  Install compent as below:
  SAP ERP 2005 Support Release 2 -> SAP systems -> MS SQL, Server -> High available system -> Base on ABAP System -> Dialog System
  The instance has been installed and start and stop this instance is successful.
  Add instance into logon group (PUBLIC)
  Logon system via logon group, the logon redirect to new instanace server. But the default client no has been changed from 320 to 001. Change client from 001 to 320 and logon. But no response from new instance server.
  Any suggestion to solve this problem.
  Thanks!

  I found the profile in profile directory as below:
  default.1.pfl
  COQ_D02_BSSPI11   (New Instance)
  START_D02_BSSPI11  (New Instance)
  COQ_DVEBMGS02_bssco11     (existing Instance)
  START_DVEBMGS02_bssco11  (existing Instance)
  I strat the new instance and add to Public group and logon successful.
  The problem is in transaction RZ10.
  I cannot select COQ_D02_BSSPI11  and START_D02_BSSPI11  profile from Profile field.
  how to fix it.
  Thanks!

• How to use logon group of backend systems via reverse proxy

  Hi
  we have setup EP 6.0 in DMZ2 and connected backend servers in INTERNAL network. We have another firewall for DMZ1. In order to provide access to EP and respective backend systems, we have installed two reverse proxy servers on Apache, one in DMZ1 and another in DMZ2. We could able to reach to the backend system successfully in this setup by using proper rewrite rule for virtual systems in order to connect to multiple systems.
  However we have observed that connection for backend systems is established only to respective CI and not to any of the application server, even though we have created "Load Balancing" systems in EP and used the same logon group of backend systems.
  Kindly suggest us if there is any option using which we can establish connection via Load balancing option in this current setup of ours.
  Thanks
  Pradeep

  Hi Mechael/Dutt
  We r using Integrated ITS in WAS 6.40. and we r maintaing seperate entries for each systems in rewrite rule.
  Thanks
  PRadeep