Troubleshooting for ABAP Systems

This page gives you some hints when you get an error or run into a problem during the SAP Cloud ALM monitoring setup of ABAP on-premise systems.

The troubleshooting on the page can be used for the products:

  • SAP NetWeaver Application Server for ABAP (7.40 or higher)
  • SAP S/4HANA
  • SAP Business Suite
  • SAP S/4HANA Cloud Private Edition
  • SAP SuccessFactors Employee Central Payroll

Configuration

Error messages during the registration with SAP Cloud ALM.

When clicking on "Register" a synchronous call to SAP Cloud ALM is executed. If no LMS-Id is retrieved and displayed the registration was not successful.

There might be several reasons:

  1. Cannot create HTTP Client: Operation successfully executed
    Your setup user probably doesn't have enough authorizations or the SAP_BASIS version is too low.
  2. Cannot create HTTP Client: Destination <RFC Destination> not defined (See Long Text)
    Something with setup went wrong e.g.access to the target is blocked by a firewall. Details can be found in SLG1.
  3. Cannot save HTTP Destination: Password Too long.
    In case the client credentials are longer than 64 characters you might get the following error when saving the destination.You need to apply SAP_BASIS 7.40 SP24 (7.50 SP19) or SAP Note 909503 - Use max Password length Destination API Type G
  4. Direct connect to ... failed NIECONN_REFUSED(-10)
    Your system cannot reach the target directly and a proxy is required (see also SAP KBA 3106170).
  5. IcmConnInitClientSSL: Proxy connection to https://....:443 via proxy:3128 failed (proxy returned 403 Forbidden)
    In case you need a proxy to reach the target this must be allowed in the proxy. In the ECS environment, this should be ensured. 
  6. IcmConnInitClientSSL: Proxy connection to https://....:443 via proxy:3128 failed (proxy returned 407 Proxy Authentication Required)
    In case the proxy requires authentication you should check in SM59 if both destinations ZSDF_<your_name> and ZSDE_<your_name> exist and if proxy credentials are available. If this is not the case delete the destination from /SDF/ALM_SETUP and create a new destination.
  7. ERROR => SSL handshake with ..hana.ondemand.com:443 failed: SSSLERR_ALERT_PROTOCOL_VERSION ... Server aborted TLS handshake with fatal TLS
    Check the dev_icm ( in SMICM) for details. It indicates a wrong configuration of ssl/client_ciphersuites (Check SAP Note 51007 section 7)
  8. ERROR during secussl_read() from SSL_read()==SSL_ERROR_SSL... secussl_read: SSL_read() failed => "Failed to verify peer certificate. Peer not trusted."
    It seems the DigiCert Global Root CA is not installed. Check this setup step in STRUST.
  9. 'Oauth access_token not found from Destination' 401
    The password length for the service key was recently increased. Please apply the latest ST-PI support package (at least SP22) or SAP Note 3240966 to address this. The already created destination cannot be used. Please delete it and re-enter the API service key or update the client secret. If you have connected also other clients of this system to SAP Cloud ALM the underlying HTTP destination is not deleted when deleting the destination from /SDF/ALM_SETUP. Check if there is still a destination ZSDF_<your_name>. Client ID and secret can be updated also in SM59. A connection check should then return a status code 400.
  10.  SSL handshake with <subdomain>.authentication.<datacenter>.hana.ondemand.com:443 failed: SSSLERR_EWOULDBLOCK (-71)#(no error) non-blocking network read/write could not complete###
    Check SAP Note 2728600 - SSSLERR_ when accessing HCI/(S)CPI/NEO/CF servers under  *.hana.ondemand.com → point 2.
  11. SSL handshake with XXX:443 failed: SSSLRC_CONN_CLOSED (-10)
    Probably a firewall is preventing the request from the server with SAP Cloud ALM.
  12.  No LMS ID retrieved. Scheduling jobs is skipped. Check SLG1 /SDF/CALM
    In SLG1 you can find:
    URL = https://<DC>.alm.cloud.sap/api/landscape-management/v1/Registration
    Response Code = 400
    Check that profile Parameter SAPDBHOST is set and the system has a valid system number in transaction SLICENSE.
  13.  SSL handshake with .....alm.cloud.sap:443 failed: SSSLERR_ALERT_HANDSHAKE_FAILURE (-122)
    When all parameters are set correctly and you get this error or the following message in the dev_icm trace:
    received a fatal TLS handshake failure alert message from the peer
    probably a "TLS-intercepting" network middlebox is in place. You can verify that by executing e.g.
    curl -S -v -k https://us10.alm.cloud.sap/ 2>&1
    (replace us10 by your data center.)
    The output should contain:
    * Server certificate:
    *  subject: C=DE; ST=Baden-W#rttemberg; L=Walldorf; O=SAP SE; CN=*.us10.alm.cloud.sap
    ...
    *  issuer: C=..; O=DigiCert Inc; CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
    If it contains a weird issuer then you need to contact your network administrator e.g.
    *  issuer: CN=E....MS.cnp.int

When executing /SDF/ALM_SETUP at least one HTTP destination is created. You can display them in SM59 (type G) with the prefix ZSDF_<your destination name>.

When you need proxy access with authentication a second destination ZSDE_ <your destination name> is created.

Don't manipulate the Path Prefix in SM59!

A connection check in transaction SM59 with HTTP status code 400 is normal. Everything else e.g. 401 (wrong credentials), 403 (forbidden), and 500 (error) is not normal.

You click on the "Activate Usecases" button and select a use case. However, when you save your changes the selection is not saved. 

During the initial setup, you can specify in each client which data should be collected. However, SAP Cloud ALM is the leading instance. If the use case is deactivated after the initial activation in SAP Cloud ALM or in /SDF/ALM_SETUP, it can only be reactivated in the use case in SAP Cloud ALM. 

The deactivation of the data collection from the ABAP system is always possible. 

 

 

Please note that it is not possible to use the Cloud Connector from SAP to establish the connection between your SAP ABAP on-premise system and SAP Cloud ALM.

The Cloud Connector acts as a reverse invoke proxy between the on-premise network and SAP BTP. This means after connecting the subaccount to the Cloud Connector the tunnel between SAP BTP and the on-premise landscape is triggered by the BTP destination service in the connected subaccount. The Cloud Connector is not designed to act in the opposite direction. 

The connectivity from On-premise to Cloud is only possible for ABAP cloud systems, HANA Cloud databases, and specific SAP BTP services like K8s clusters. It cannot used for SAP BTP services like SAP Cloud ALM.

For more information see Cloud Connector FAQ > Features > "Can I use the Cloud Connector from on-premise to cloud for any protocol?"

Runtime (Data Collection)

Data collection is triggered periodically by the scheduled job "CALM Scheduler <Setup name in /SDF/ALM_SETUP>" (Report /SDF/CALM_SCHEDULER) as tasks via asynchronous RFCs.

  1. Check the scheduler (Report /SDF/CALM_SCHEDULER) is running in the correct client.
  2. Check the job logs of the scheduler.
    In case there are not enough resources probably not all tasks were executed.
  3. The result of the last execution is persisted in table /SDF/CALM_SCHED, for instance-specific collectors in table /SDF/CALM_INST
  4. Each application can write more logging information in the application log (SLG1) for object /SDF/CALM.

Additionally, the job "CALM Heartbeat <Setup name in /SDF/ALM_SETUP>" (Report /SDF/CALM_HEARTBEAT) is scheduled.

Data collection for Business Process Monitoring is triggered periodically by the jobs:

  • CRBPA:DC_CONTROLLER(<Setup name in /SDF/ALM_SETUP>)(Report /SDF/CRBPA_DC_CONTROLLER)
  • CRBPA:AUTODISCOVERY(<Setup name in /SDF/ALM_SETUP>)(Report /SDF/CRBPA_AUTODISCOVERY)