32. How to check Import Prerequisites to install SAP ADD ON or DO SP Updates?

Considering Ariba CIG Add on for example.

Most of the projects use Ariba CIG Add on. It's widely used in both ECC and S/4 HANA Systems.

We have below note for uninstallation.

Note 3243704 - Uninstalling Add-ons 'ARIBA CLOUD INT SAP S/4HANA 1.0', 'ARIBA CLOUD INT SAP ERP 1.0'

However, SAP doesn't release explicit KBA & Release notes (21.04.2026) for Installation. We could see many generic articles/issue fix related ones.

Consider I'm gonna install Ariba add on ARBCI1 10S - SP25 in S/4HANA 2023 FPS00 System.

For S/4HANA, It's ARBCI1 10S, For ECC, It's ARBCI1 100.

In our case, we can manually have prerequisites confirmation via below ways.

1) Check PAM Information - Mandatory

It confirms that Product "ARIBA CLOUD INT SAP S/4HANA 1.0" is compatible for S/4HANA 2023.

2) Check "Import Prerequisites in Package condition" manually for corresponding installation package.

S/4HANA 2023 FPS00 - Have SP00 -> EA-PS 808, Basis 758, S4CORE 108.

Hence, it's fully compatible. 

3) If Stack XML, then we can trust MP generation itself since only compatible packages will be shown.

In 80% cases, SP update packages such as SP1,2,..25 would be valid only. We just need to crosscheck installation prerequisites only.

For example - Checking SP25 prerequisites, It's just have SP24 only.

In simple words, All SP versions (From Lower to Latest) will be supported irrespective of S4CORE releases - S4CORE 100 to 109.

20% case - there might be an additional import prerequisite condition for some SP version due to compatibility nature/support of further versions.

4) Additional - You can just load installation package in SPAM/SAINT as well to crosscheck "Import prerequisites". 

Final note:

PAM check is mandatory for initial check.
Direct checking in Software center is an simple confirmation method. 
Direct checking in Maintenance Planner is an Assurance - in addition to XML generation.

✨Above step helps a lot in most of the cases where there is no release notes available and your project planned to install that add on.

I have done an manual checks for best practice as well as used generated XML in Maintenance planner and run with SUM/SAINT to install the add on. Ensure to update SPAM/SAINT version to latest before any operations to avoid surprises.

Note 3377364 - S/4HANA, on-premise 2023 Compatible SAP Solution extensions

Hope above info helps !

Ever stuck in SUM error due to SPAM/SAINT package archives failures?

Refer below tick.

24. SPAMCHK_INI - SPAM/SAINT Package upload failures & Manual file uploads during SUM

Thanks for visiting !!!

31. How to tackle SAP_ABA is in undefined state error during SUM Run ?

Most of the basis peoples who have played with SUM run will definitely experienced this error once.

Subjected error usually occurs if we didn't reset previous SUM Run properly.

Even I have tried SUM run for practice - deleted directory directly without proper reset and faced subjected error while trying to run SUM once again.

Let's have a quick tips.

While we perform SUM Run, UVERS table status will change FROM "+" - "can be upgraded" status TO "U" - "Upgrade running" status.

✨"+" status usually denotes that Previous upgraded completed successfully and system can be upgraded newly further.

Assume that we decided to Stop SUM update. Then, status will be set back to "+" - if we performed reset properly. If not, it stays with "U" status triggering this "Undefined state" error.

Before SUM Run:

(Sample snap)

During SUM Run:

(Sample snap)

Usual resolution would be below ones.

Step 1) If SUM directory backup taken before deletion, Restore SUM directory using backup. Do an proper reset. SUM reset can be done till it reaches downtime phase.

1.1 -  If you already reached Preprocessing/Execution (before SUM Downtime) phase in previous SUM run, then it's necessary to restore SUM directory and do SUM reset which will deal and delete shadow tables, others whichever created during SUM run. If you don't have backup, Step 2&3 might help but there would be some consequences since SUM was not properly reset despite it's reached Preprocessing/Execution phase (before downtime).

Step 2&3 - Mostly valid for Preparation RoadMap Cases - Extraction, Configuration, Checks.

Step 2) If there is no backup,  Reset the table buffer. It will set back to "+" state.

AL12 - Edit - Reset buffer - Table buffer - enter UVERS - click on Invalidate.

Step 3) If table buffer reset doesn't help, just restart SUM instance. It will clear table buffer caches.

Above steps usually resolve in 99% cases.

1% case, It won't work. I have tried above steps multiple times in one of my scenario but it didn't work. (Not sure what happened)

Since I'm confident that I haven't changed anything w.r.t my system operations/updates, I have manually changed PUTSTATUS to "+". I can able to run SUM newly without any issues.

Caution - You can do it on own risk

In general, Before starting SUM run,

Crosscheck whether SPAM/SAINT status is in green status. You can only do SUM operations if SPAM/SAINT is in GREEN 

Crosscheck whether PUTSTATUS is in "+" or not.

Note 1790486 - SAP_ABA is in an undefined state that is not safe to be upgraded vers36

Additional comments on Step 1.1:

SAP set this as mandatory condition in Note 1790486 till vers34. However, Removed in vers35 and made step 2 & 3 as common resolution.

Vers 34:

Vers 36:

✨However, As I stated in Step 1.1, It's best practice and necessary to restore SUM directory and perform SUM reset if previous SUM run already reached Preprocessing or Execution (before downtime phase)

Ever uploaded older package for SPAM/SAINT update and wondered why you have uploaded?

Refer below tick.

18. Doing SPAM/SAINT Import ? Seeking Older version files ?

Thanks for visiting !!!

30. Maintenance Planner - Solution Manager Java Verification Error case?

This tick is created just to highlight the issue I ran into.

I have faced error related to CA Introscope BCI VIA SM 8 during Solution Manager Java verification.

Note:

CA Introscope BCI VIA SM 8 has been part of the Java stack until SAP Solution Manager 7.2 SPS 11. Component is out of maintenance and there is no successor, it is no longer part of the stack as of SPS 12.

When we are updating or upgrading our Solution Manager to SPS 12 and above, SUM will ask the action for this component. We can feel free to select "Delete" option.

Similar information will be available in Solution Manager 7.2 Master guide (i Note section ) 

My scenario:

I'm having Solution Manager Java 7.2 SPS14 system.

I have generated SysInfoExport XML via SUM and uploaded in Maintenance Planner via "Manual Addition".

Not sure what happened, It ended up with Solution Manager Java SPS00 Initial Stack with Verification error Red - Might be Generated SysINFO file is corrupted one.

However, When I tried to manually verify (without automatic MP feature) to change SPS14, Solution Manager showed the below error.

Required Component "CA - INTROSCOPE BCI VIA SM 8" is missing for the Product Component Solution Manager 7.2

Is Solution Manager 7.2 SPS00 installed?

Above error statement was clear-cut one. Actual error was slightly different (confusable) when I faced.

Maintenance Planner (MP) detects as Solman Java SP00 - Initial Stack only which usually have CA - INTROSCOPE BCI VIA SM 8.

Hence, MP asks whether Solman SP00 installed in the system or not actually since it didn't find "CA - INTROSCOPE BCI VIA SM 8" in installed list.

🌟This error occurrence possibility is higher since it can show in any cases if verification gone wrong and <Solman Java SPS12. There is no SAP KBA exist (20.04.2026) separately stating this error.

Resolution 1:

Enable "Expert Options" in "Personalize" menu and edit the system

We need to disable "Allow Automatic MP feature" in verification if MP picks/shows wrong system by default (Yes/No) - Like I got Solman SP00 installed or not.

Once Automatic MP feature disabled, I have deleted wrong version SP00 and add my required system version SP14.

Save verification - Crosscheck components once.

It's just usual Solution Manager Java SPS14. It worked fine.

Resolution 2:

I have also generated System Info XML with duplicate SID_BACKUP once again since existing file might be corrupted ones despite I have done verification. Just want to be 100% sure.

Newer SysInfoExport XML is fine. Once uploaded, It showed correct system version SPS14.

Note 2287046 - How to Generate the System Info XML and upload in Maintenance Planner - Refer "For Java Stacks" Section

Note 2293050 - SUM: Generating a System Information XML File for SAP System - Maintenance Planner

Hope you like this tick !

Thanks for visiting !!!

29. Manual ICM restart required post changing certificates/Import CA response in STRUST?

Most of the basis persons confusion?

Let's discuss with three cases.

Case 1:

From Netweaver AS ABAP 710  plus AS ABAP 702 and above, Manual ICM Restart IS NO LONGER REQUIRED. It will be updated at runtime automatically without any interruption of services.

Note 510007 - Additional considerations about setting up SSL on Application Server ABAP vers209

Changes made to ICM SSL PSEs in STRUST mentioned below will be updated at runtime and reloaded by ICM without any interruption of services.

1) Importing the certification response of a CA

2) Changes to the Certificate List of trust anchors - Say Addition/Removal in Certification lists

In simple words,

⭐We will receive a message - "SSL PSE was saved ICM was notified"  at bottom when saving PSE in STRUST.

This confirmation sufficient that our updated certificate is known to the system. It will be used for next SSL Communications/Authentication commits.

Same behavior exists for WebDispatcher PSE updates as well. If we do addition/removal of certificates or apply CA response from Web Dispatcher Administration Interface, then manual sapwebdisp process restart not required. It will load/update at runtime automatically.

Case 2:

Changes to ICM SSL PSEs of standalone programs that are not maintained through STRUST may require restart of the corresponding affect programs (Say - saphostagent, sldreg,..etc.,)

Case 3: (Additional)

*** There was no explicit statements stated that ICM restart required for below scenario in both note 2148372 vers3 & 510007 vers209 & 1473710 vers11 - 20.04.2026. Hence, It should reflect/update at runtime only ***

 "Replace main PSE file certificate itself - Say Importing PSE (.PFX) file in STRUST and saving as - new SAPSSLS.PSE, SAPSSLC.PSE - Usually applicable on post installation steps/cases"

For safer side, crosscheck whether "ICM notified message" shown or not. If it's not shown, then do manual ICM restart once.

I have faced one glitch - Replaced PSE file (with pfx) and saved as SAPSSLS PSE (did ICM restart as well). It doesn't update/shown latest certificate in Fiori Launchpad - Security- Certificate Info. It still took older certificate for SSL and showed "Connection Insecure" due to expired existing certificates. Post system restart, It took the updated one. Hence, Just be cautious and have restart as an backup plan when replacing SAPSSLS PSE file.

Note 2148372 - How to create own SSL Client PSE vers3

Note 1473710 - STRUST: How to Export or Import PSE from/to STRUST vers11

Hope you like this cases !

Thanks for visiting !!!

28. Service Start Failed - Job /org/freedesktop/ errors during SAP Installation ?

All Basis persons who have done SAP Installations will definitely experience this error.

Main Error:

StartService
FAIL: Service start failed: systemdI_msg_handler: job '/org/freedesktop/systemd1/job/673403' cancelled with 'failed'

Let's discuss three cases which usually happens/results in this above error.

Case 1:

Linux /var/log/messages file will have the below error message.

"SELinux is preventing /usr/bin/bash from execute access on the file /usr/sap/hostctrl/exe/saphostexec"

It's usually caused by SELinux Enforcing mode only.

Note 3253160 - SAP Host Agent or  instance fails due to SELinux vers3

Resolution is simple.

✨Set SELinux to "permissive" mode.

This info would be available in corresponding OS Installation Release notes as well.

Example:

2772999 - Red Hat Enterprise Linux 8 - Installation vers29

2936683 - Oracle Linux 8: SAP Installation and Upgrades vers8

You can use "getenforce" command to check whether policy set to Enforce/Permissive/Disabled.

If enforce, It won't allow to EXECUTE any programs/executables. Hence, Subjected error will be shown.

Use "setenforce Permissive" for temporary change.

Use /etc/selinux/config and change Permissive for Permanent change.

Case 2:

SAP service (SAP<SID>_00.service) will have the below error message.

"Unable to open() the lock file /tmp/.sapstartsrv00_sapstartsrv.log"

Note 3587376 - Linux: Service start failed: systemdI_msg_handler vers2

Resolution is simple.

✨Set permission - sudo chmod 1777 /tmp

Case 3:

In above two cases, we will see those errors in log files which we can easily resolve the issue. However, for case 3, there is no such explicit error visible in log files. Common statement would be there - "/org/freedesktop/ cancelled with failed".

Just check case 1 and case 2 first, If everything fine, then error could be due to FS containing the directory (which process access) mounted with noexec.

Example:

Consider Host Agent Installation. It would fail since FS directory (/usr/sap/hostctrl) is mounted with "noexec" option.

/dev/mapper/usr_sap_lv /usr/sap xfs rw,seclabel,noexec,relatime,attr2,inode64,logbufs=8,logbsize=32k,sunit=8,swidth=8,noquota 0 0

"noexec" option disables program executions from the filesystem.

Note 3383055  - Linux: SAP Host Agent installation fails with systemdI_msg_handler vers3

Resolution is simple.

💫Check with linux team and remove "noexec" option on Host Agent related filesystem from /etc/fstab and execute mount -a to activate the change.

*** It's simple tick but 3 cases in single link would help a lot to revise concepts quickly ***

There would be another error which can occur rarely since usually linux team would be sharp to avoid this error. Let's have this as case 4.

Case 4:

Main Error:

StartService

FAIL: Service start failed: systemdI_msg_handler: job '/org/freedesktop/systemd1/job/184239' canceled with 'dependency'

SWPM logs itself will have error - Failed to mount /sapmnt, /hana/shared, etc.,

Linux team/Server team needs to resolve this filesystem issue.

Note 3531973 - "Service start failed" error during SWPM installation with message "canceled with 'dependency'"

Thanks for visiting !!!

27. How to perform HANA DB Upgrade Compatibility checks ?

We would have definitely performed HANA DB revision updates - atleast 6 months once in production projects.

Let's have a look on procedures quickly.  Yes, I have raised my hand first before you 😜

Usually, It would come under HANA DB and OS compatibility check only.

Scenario 1:

Assume, I'm having the below system.

SAP: S/4HANA 2023 FPS00

HANA DB:  2.0 Rev 079.07

OS: SuSE Linux 15 SP6

I'm planning to do HANA DB upgrade 2.0 Rev 088

Check 1:

Note 2235581 - Supported Operating Systems for SAP HANA vers91

15 SP6 (HANA 2.0 SPS05, SPS07 and SPS08, starting with revision 59.12, revision 77 and revision 80)

Our HANA DB target version 2.00.088 compatible/supported to run on SuSE Linux 15 SP6.

Starting with Revision 80 denotes - Suitable to run 088 as well.

For detailed information, Refer below tick.

6. Whether Current OS will support target HANA DB upgrade version or OS update required

Check 2:

  For Update paths, Check note 1948334 - Database update Paths for SAP HANA Maintenance Revisions.

Upgrade from 2.00.079.07 to >= 2.00.079.08 & >=088 supported.

Hence, we can upgrade HANA DB to our target rev 088. It's fully compatible.

Additional Check: 

Feel free to check Release notes - Corresponding system - SAP HANA Database requirements menu.

Note 3307222 - S/4HANA 2023 Release Information

Note 3351047 - S/4HANA 2023 Feature Package Stack 00 Release Info.

It's just additional info since we would have already surpassed minimum DB version. Latest HANA DB version itself supported irrespective of S4HANA Release.

Hence, we can perform HANA DB upgrade without any issues. No need to touch OS.

Steps:

1) Stop HANA DB - Remove Auto Start if configured

2) Perform HANA DB upgrade via hdblcm

3) Start HANA DB - Enable Auto Start if required

That's it !

Scenario 2:

Assume, I'm having the below system.

SAP: S/4HANA 2023 FPS00

HANA DB:  2.0 Rev 079.07

OS: SuSE Linux 15 SP4

Same system config but OS is running under 15 SP4. SuSE Linux 15 SP4 supports all Rev 07X version.

Now, I'm planning to do HANA DB upgrade 2.0 Rev 088

Check 1:

Note 2235581 - Supported Operating Systems for SAP HANA

15 SP4 (HANA 2.0 SPS05, SPS06 and SPS07, starting with revision 59.02, revision 63 and revision 70)

Now, OS is not supported to run Rev 088. OS upgrade required (15 SP5 or 15 SP6)

Check 2:

Upgrade path remains same as we checked in Scenario 1.

Upgrade from 2.00.079.07 to >= 2.00.079.08 & >=088 supported.

Steps:

1) Stop HANA DB - Remove Auto Start if configured

2) Perform OS upgrade with the help of Linux team

3) Keep DB down - Don't start DB post OS upgrade

4) Once OS upgraded, Perform DB upgrade via hdblcm offline

      It will proceed without any issues. Infact, first step of hdblcm update process is stopping DB only.

5) Once DB upgrade completed, Start HANA DB.

      Usually, hdblcm itself will start once upgrade completed. If not started, start manually.

6) Enable Auto Start if required

7) All others will reside as it is - including hdbuserstore lists, ABAP<->HANA DB Connectivity.

Scenario 3: 

(This Scenario released exclusively for Neil Aspin Visitor. Thanks for posting query)

Scenario 2 - Step 3 - Reason: Why I mentioned DB should be in stopped state post OS upgrade before starting DB upgrade?

In most of the cases >80%, Current DB version itself would be supported with Upgraded OS version due to wide compatibility nature of HANA DB - Say Starting with Rev 0XX. Hence, In those cases (including my scenario 2), we can feel free to start DB and then plan for HANA DB upgrade.

Assume, If my OS upgraded to SuSE Linux 15 SP6, Current DB version 2.00.079.07 supported to run with 15SP6, Hence, Post OS upgrade, we can start HANA DB. Take your time and then upgrade DB to 2.0 Rev 88.

However, In 20% cases, Upgraded OS won't support current DB version as per compatibility matrix.

Assume, I'm having the below system.

Netweaver 7.5 ABAP System

Current HANA DB version :  2.0 Rev 063

OS: SuSE Linux 15 SP4

Now, I'm planning to update to 2.0 Rev 88 - SuSE Linux 15 SP6.

Compatibility check:

15 SP6 (HANA 2.0 SPS05, SPS07 and SPS08, starting with revision 59.12, revision 77 and revision 80)

15 SP4 (HANA 2.0 SPS05, SPS06 and SPS07, starting with revision 59.02, revision 63 and revision 70)

15 SP4 doesn't support Rev 88. Planned Target OS - 15 SP6. 

Upgrade from Rev 63 to 88 possible.

Once OS upgraded to 15 SP6, we should not start HANA DB 2.0 Rev 63 since it will result in Service crash due to incompatibility. I have tried to start in my practice system and resulted in service crash after 15-20 mins.

Current DB 2.0 Rev 63 won't support OS 15 SP6. Even All Rev 06X itself not supported.

Hence, We can start hdblcm update directly (keeping hana db down) once OS upgraded in these scenarios. 

 
Final Point:

Usually, we will have single cutover with check points which we minimize business downtime by having both OS upgrade and DB upgrade one after another. Hence, I have mentioned to keep DB down as best practice despite current db version compatible or not post OS upgrade. It's valid for all cases to avoid confusions as well as valid procedure only. Also, As said earlier in Scenario 2 - Step 4, first step of hdblcm update process is stopping DB only in order to perform update. Hence, there won't be any issues.

Caution - Take full backup of DB & OS Snapshots before performing any activity

Hope you like this scenarios !

Ever tried running SUM Manually Prepared Directory?

Refer below tick.

4. Netweaver Java Update - When to use SUM Manually Prepared Directory?

Thanks for visiting !!!

26. How to deal "Unknown/Undetermined Adjustment mode" during SPAU Actions - SAP Upgrades ?

We would have definitely experienced this error once during SPAU actions.

I would be performing below steps to resolve the issue which helped a lot in few cases. You can also follow the same.

Below will be the standard procedures to check SPAU - "Unknown/Undetermined Adjustment Mode".

1) Re-download note via SNOTE or Upload Note manually again - Click "Check SAP Note" once downloaded. It will refresh note header/metadata.

2) Access SPAU - New transaction

3) Go to "Utilities" and choose "Determine Adjustment Mode" - Execute Blank

4) Relaunch SPAU transaction and Check Affected Note Status now.

5) If still issue persists, Run Report "SAPRUPGM" (After above 4 steps completion) and check now.

Note that SAPRUPGM will take several minutes to complete. Report SAPRUPGM will help to consolidate and finalize adjustment modes.

5) Request you to do Step 3 and 4 post running report SAPRUPGM as well (Re-computation)

6) If issue still persists post performing above 5 steps, As an final step, Implement latest version of Note Assistant 1668882.

In simple, "Check Note Assistant" should be "Green". Notes whichever shown inside note assistant should be implemented.

Updating SNOTE Assistant resolved adjustment mode issue in 2 cases for me.

7) Check note status now.

Additional:

1) If issue related to DYNP or FUNC, Check SAP Note 3495348 - Unknown Adjustment Mode is showing for DYNP or FUNC object in SPAU

2) If Obsolete SAP Note has "Unknown Status" and Note 1668882 already in latest version, then use SPAU_OLD transaction.

References:

1) General Article - https://help.sap.com/doc/saphelp_nw73ehp1/7.31.19/en-US/ff/bc563cd365f646e10000000a11405a/frameset.htm

2) Note 1889356 - Undetermined Adjustment Mode - SPAU having note with ? Question Mark vers5

3) Implement Note 1673013 if system version affected -  SPAU: Adjustment mode for SAP Notes cannot be determined (Older systems)

4) Note 3398573 - SAP Note has "unknown status" for Obsolete notes - SPAU vers3

Above consolidated steps are taken from multiple articles which above mentioned KBAs are major ones.

Let's try our best to tackle this error !!!

Special insights?

We can avoid dealing "Obsolete Notes - Reset" for SPDD before SUM asks for SPDD Adjustments if target is >= Basis 7.52. 

This can be done via "Allowing SUM to create Shadow System Development User" during INITSHD SUM phase. SUM will create Transport Request automatically and collect the objects for resetting SPDD obsolete notes.

In this way,  When we face SPDD Adjustment during ACT_UPG, there won't be any entries for notes dealing "Obsolete Reset". Other SPDD criterias still resides as usual to take action from our end.

All steps are ✨✨✨

Thanks for visiting !!!

25. Upgrade SAP CommonCryptoLib without Kernel - ABAP and HANA DB?

Usually, we will get vulnerability fixes for Commoncryptolib. Most of the basis peoples wondered whether we can upgrade SAP Common crypto library separately without touching Kernel of ABAP and HANA DB.

Here's the more insights below with one CVE Example.

Consider Note 3633049 - [CVE-2025-42940] SAP CommonCryptoLib vulnerability Memory Corruption vers 7

This vulnerability fix requires commoncryptolib update to 8.5.60 (or higher) 

Since it's common one, it affects both ABAP and HANA DB.

V) For ABAP:

You can feel free to download and overwrite latest Common Crypto Library itself.

💫 It's downward Compatible.

1) Note 2450794 - Updating CommonCryptoLib in a NetWeaver ABAP system vers7

Go to SAP Software center
Search - COMMONCRYPTOLIB
(Support Packages and Patches)
You can see latest packages available.

2) Note 2072638 - Dependencies between CommonCryptoLib and SAP Kernel Package vers8

⭐ For Kernel:

740, 741 and onwards

720 from Patch Level 600 on

721 from Patch Level 200 on

722 and onwards

CommonCryptoLib fixes can be patched independently from SAP Kernel Packages.

Usual Method:

Download and just overwrite in Global Sys or Sapmnt exe Kernel path directory.
/usr/sap/SID/SYS/exe/uc
which redirects to /sapmnt/SID/exe/uc - folder linux

In simple word, just do cdexe command in SIDADM user which usually routes to this path.

Once overwritten, Do a complete SAP System restart in which all files (including latest CCL) will be copied from this sapmnt/sys path to all primary and secondary application servers kernel exe path (say /usr/sap/SID/DXX/exe) with the help of SAPCPE program in backend.

This will be the usual method in which all files will be moved to corresponding app server kernel directory irrespective of app server count from Main Sys Kernel files.

Now, Even if you face some issues - say it didn't overwrite/moved to one app server, Just overwrite CCL files manually in the server as like you did for Sapmnt/sys path - Say /usr/sap/SID/DXX/exe

Additional info:

Just FYI (Don't consider) - You can also copy manually via Sapcpe command - sapcpe pf=/usr/sap/SID/SYS/Profile/InstanceProfile

However, SAP always recommend restart for smooth process in which sapcpe program will be done by default during restart - SAP Kernel procedure.

VV) For HANA:

Note 3683427 - SAP HANA Service Crash on Crypto::RootKeyManagerSsfs::getKeyDocForEncryption vers5

✨Don't manually upgrade CCL for HANA DB. CCL must be upgraded only in conjunction with SAP HANA database revision upgrade.

To fix/Overcome Vulnerability,
Apply SAP HANA 2:
Revisions >= 059.19 (SPS05)
Revisions >= 079.06 (SPS07)
Revisions >= 087.00 (SPS08)

 For testing purposes, I have tried to update CCL in HANA DB and resulted in Service crash stack as expected. Hence, it's not an myth.

VVV) How to identify which common crypto lib version exists on HANA DB?

We will always have Fixes and Features note for each CommonCryptoLib version.

Just check corresponding HANA DB version. We will get relevant Revision details.

You can also see that it's matches with our CVE fix as well

Hope you like this scenario !

Use - Google Search Side bar to visit notes

Paste note number to directly login portal

Search with words for google search

Thanks for visiting !!!

24. SPAMCHK_INI - SPAM/SAINT Package upload failures & Manual file uploads during SUM

This scenario deals with the PREP_PRE_CHECK/SPAMCHK_INI phase which SUM stuck and fails due to corrupted package of SPAM/SAINT (Partially downloaded).

Usually, when we do upgrades, we would have definitely selected latest SPAM/SAINT update file in Maintenance planner and downloaded the same. However, in some cases, downloaded file somehow in corrupted state (partially downloaded). Yes, It happened for me while downloading via Download Manager.

During SUM run, It fails with "Error while unpacking SAR Archives" due to corrupted ones.

Note 3003088 - SUM Phase SPAMCHK_INI: SPAM archive extraction  (Errors occurred while unpacking archives) vers 3

SPAM Archive extraction ended with errors (Errors occurred while unpacking the archive files)

Error code: No entry with key EPS file name of SPAM update package.PAT

As per note 3003088, SAP might have proposed workaround to do SPAM/SAINT update manually and then retry SUM step since there won't be an "Scan files" option at corresponding stage.

However, we can manually re-extract the file and retry SUM step. Let SUM update the same.

SUM expects uncarred - Filename.PAT file from the extraction. 

Assume our target version SPAM/SAINT file:

SAPKD75894

SPAM/SAINT Update - Version 758/0094

Quick steps:

 

1) SPAM/SAINT - Environment - Electronic Parcel - Inbox - Delete the uploaded/corrupted file of SPAM/SAINT 758 SP94 if exists. Status will change to D.

 

2) Delete existing extracted PAT file (if available) from EPS/in directory as well as your SUM file downloaded directory.

 

3) Now, Download package SAPKD75894 freshly from software center. Use SAPCAR to manually extract.

 

SAPCARXXX.EXE -xvf KD75894.SAR

 

You can download SAPCAR from Softwarecenter (Windows - SAPCAR_600-70009506) OR use existing Kernel SAPCAR itself. Just sapcar -xvr filename.SAR would do.

we will get our PAT file (I720020751259_0177772.PAT)

 

4) Copy extracted files in /EPS/in directory

 

5) Now, Use SPAM/SAINT - Load Packages - EPS files from Application Server

6)  Once done, check once whether it's uploaded as expected - C status - IN Environment - Electronic Parcel service - Go to - Inbox.

 

Yes, Now PAT file available in system. Retry SUM phase. This time, SUM will detect our extracted PAT file. It will proceed further as extraction itself is not required now. SUM will deal SPAM/SAINT update.

✨Usually, above steps applicable for any cases which "Scan files" option not available in failed phase and failure occurred due to missing packages/corrupted files. It also helps on missing single package upload even when Scan files option available. Just download and load packages -> Retry SUM instead of placing files in SUM download directory and rescanning all files once again which will save time.

I have proposed with manual extraction which won't leave a chance to trigger error once again. You can also try simple - SAR extraction first - Load Packages - SAR files from application server post deletion instead of manual extraction. If it worked, cheers !

Note 684564 - Re-importing a SPAM/SAINT update

Hope you like this scenario !

Thanks for visiting !!!

23. Quick info on most Popular Transparent Huge Page Alerts on HANA DB ?

Most of the basis peoples would have experienced this alert on HANA Studio/Cockpit. As part of "HANA DB - Recommended OS settings", we would have definitely crossed this THP information.

Let's discuss this with two cases.

Case 1: If your OS is SUSE >=15 SP5 or RHEL >=9.2

There are three values which we can set -> madvise, always, never

Value should always be "madvise" - Not "Always" for our case 1.

The word "Active" in note 2031375 vers10 resolution statement denotes that it shouldn't be "never" (disabled). It's an generic word. We should not confuse take this active word as an "always" value (denote).

As mentioned in Note 3523701 - Transparent Huge Pages (THP) Alert vers 5, reason for these alert is that the underlying check is not aware of these new allowance/changes in recommendation for SUSE >= 15 SP5 or RHEL >= 9.2.

 
Hence, we can ignore these alert ids 116 for time being. We can also disable the alert by following Note 3523701.
 
Further, an update to the alert handling will be made available in a future HANA revisions. You can revisit SAP Note 3523701 in future for the same.

✨In simple words, Just set "madvise" and ignore alerts if generated for our case 1 OS.

Note 2131662 clearly states that we need to set "madvise" only.

I have even seen scenario which no alerts generated for RHEL 9.2, However, After OS upgrade to 9.4, it generated alerts id 116. These are due to the condition that checks were not aware w.r.t OS/HANA. 

Case 2: If your OS is SUSE < 15 SP5 or RHEL 9.2

✨Value should always be "never" since older OS not suitable/compatible to handle Transparent Huge Pages.

We can check any older OS recommendation notes such as 1824819. It will state the same.

😌, I have handled these kind of alerts and explained to multiple basis persons without knowing what is THP at first?

Let's other basis peoples should not do the same.

Here's the simplest explanation which I understood.

1) Data is stored in memory - In memory HANA Database concept

2) A Set/Block of memory is Pages 

3) These pages will be increased/decreased for the DB operations accordingly.

4) However, HANA can't handle this kind of operations and crashed when doing commit.

SAP did some advancements in Case 1 OS to have "madvise" and avoid crashes during commits.

However, In  Case 2 - older OS, we need to set "never" to avoid crashes.

Hope you like this tick😊

Thanks for visiting !!!

22. How to deal RFC Error - "Direct connect to hostname failed" in RISE/ECS/Private Cloud system ?

Yes. "Direct connect to hostname failed" will be occurred due to Network/Firewall Blockage only.

It's just an basic connectivity port opening issues which applicable even for usual sap connectivity - Direct connect to  apps-support-com 443 failed

For on-premise systems, we will usually check with Network or Firewall team to unblock hostname and their port number.

 

Once port opened, we can do telnet/tnc to crossverify the same.

Telnet hostname port

Let's have an quick info on Rise/ECS scenarios as well.

Scenario:

 

⭐SAP strongly recommends to use proxy for RFCs especially connection to Non SAP/BTP Services/Third Party systems having Port 80/443. In other words, there should not be any SAP component or 3rd party add-on (without 80/443 port).

All BTP Subaccount services usually ends up with 443 only which in turns we need to use Proxy mandatorily.

Mostly valid for - HTTP to External server type RFCs - Say Integration Suites/Biztalks/Logic Apps etc.,

For all Rise customers,

Proxy hostname would be "Proxy" itself

Port number would be "3128"

We need to raise service request - "Allow list Squid Proxy Access"- HTTP/HTTPS - Outbound to External" category to allow hostname and port number.

Example 1:

Assume we need to connect SAP System to Integration Suite - Outbound RFCs. Connection will be established via RFC. Once SR raised and ECS team completed their actions, we can create RFC and include proxy details - Proxy:3128 in RFC Connections to have successful connection.

 

Above condition applies to Cloud ALM as well. Port blockage on eu10-alm-cloud-sap - port 443 which same actions needs to be taken.

Note 3106170 -  SAP Cloud ALM: Registration error Connection Refused while connecting ABAP systems 

 

Note 3454314 - Request for SAP Private Cloud (formerly ECS/HEC) - Allowing SAP Cloud ALM Registration in RFCs to use Proxy is not yet added in allowlist URLs. It's recommended to add both URLs as mentioned in note 3454314.

Example 2:

In other cases which RFCs not used, such as using gateways, TCP/IPs with Program registration, we can use service request category - "Allowlist Hyperscaler LB access: Outbound to External"

If RFC, Ensure to have proxy - it's sufficient 99%

All the above mentioned related to Outbound RFCs which connection will be established from SAP system to Target.

However, Most basis peoples confuse this and open connections with "Allowlist Hyperscaler" despite it's not required as well as considers as Inbound.

Example 3:

Let's have short info on Inbound RFCs. 

Assume, I'm having one SAP System TC1

TC1 has two webdispatchers WD1 and WD2 (connected)

Azure load balancer exists to distribute loads 

SAP System uses load balancer for all HTTPS connection - Say Fiori Launchpad

Set in HTTPURLLOC

Users will open launchpad with load balancer url - which connects SAP System via WD1/WD2.

I'm having Rise Cloud connector as well which SAP Build Workzone Subaccount added (To fetch SAP system fiori apps and do researches)

Destinations for SAP System TC1 maintained in Build Workzone Subaccount as well as relevant connection information setup done in Access control - cloud connector with Load Balancer Information as well.

Now, Inbound RFCs flow will be below.
BTP Build Workzone (when launching fiori app) -> Cloud connector -> Via Load Balancer -> Via Web Dispatcher -> Reaches SAP System and fetches relevant data of fiori app -> Show results in BTP Fiori app 

We will allow only specific SICF services which uses fiori apps in WebDispatcher (Permit) as well as Cloud connector Access Control Resources (/sap/bc/xx) instead of allowing entire path.

In this way, Connection will be secured as well as relevant access will be allowed.

Hope you like this scenarios

Thanks for visiting !!! 

21. Why Transport Based Correction Instruction (TCI) ? Quick recap

Let's have an quick recap on TCI.

TCI Implementations will take place in SPAM Transaction. It's not New Add on to take place in SAINT. 

In simple, For minor/medium corrections, Corrections can be used. With the help of SNOTE, Corrections can be implemented.

To have a high number of corrections in single package which should relate/match to SP updates, It can't be done easily with increasing CI counts. Even SAP Portal sometimes stuck to load huge number of corrections if exists for single component SP version (Say Basis all versions).

✨Hence, SAP Introduced TCI way. TCI will be implemented in SPAM transaction technically. But, SAP simplified the same to complete via SNOTE itself to avoid direct implementation via SPAM. Importing in SPAM directly is not an recommended procedure except enabling TCI feature in older systems.

For latest SAP System versions, TCI handling feature for SNOTE would be already enabled since we have higher support packages. For older versions, TCI Enablement package can be imported in SPAM. This will make SNOTE to handle TCI notes. 

Once you enabled TCI feature for SNOTE Assistant/Transaction. You should use SNOTE to implement TCI notes as well as note corrections. 

For HTTP protocol, Manual download required. However, for Download Service, TCI will be automatically downloaded when downloading note itself.

Assume I'm implementing one SAP Note which has corrections as well as TCI. SAP asked to download TCI during note implementation via TCI not available error. I have uploaded the same.

⭐If TCI note implemented, SNOTE will use SPAM in backend and completes the import in addition to corrections. Once completed, It will change status in SNOTE transaction - Completely Implemented. It will be a simplified procedure as same as SNOTE Implementation. You can check SPAM logs post completing the same.

Exceptional case - If somehow TCI failed during note implementation and stuck in SPAM, we can feel free to check and resolve error in SPAM - continue note implementation. Usually, SNOTE status would be in "Incompletely Implemented" state. Post SPAM completion, SNOTE will change status automatically sometimes or continue/retry note implementation. It will change status to completely implemented.

Note 2543372 - Procedure to Implement TCI note

Thanks for visiting !!!