Tell us what you think

We want to create the best possible experience for our learners. Your feedback helps us to improve the experience for everyone.

Using the Internet Communication Framework (ICF)

Objectives

After completing this lesson, you will be able to:

Explain the importance of the ICF for handling HTTP requests
Describe what constitutes an ICF service
Illustrate the idea of the ICF recorder
Perform changes to SAP GUI for HTML settings
List prerequisites for the use of SAP integrated ITS

The Internet Communication Framework (ICF)

The Internet Communication Framework (ICF) is an environment for handling Web requests in ABAP work processes of an SAP system (in its role as a Web server and a Web client) The ICF is the bridge between the kernel of the SAP system and the application program written in ABAP. The ICF consists of ABAP classes and interfaces, the objects and methods of which can be accessed in a Web Dynpro ABAP application, for example.

ICF provides a way for different systems to communicate with each other over the internet/intranet using standard protocols (such as HTTP and SMTP). As of AS ABAP 7.40, no additional programming libraries (for AS ABAP) are required from SAP. However, for the HTTPS protocol, certain configuration steps need to be performed (see SAP Note 510007 – Additional considerations for setting up SSL on Application Server ABAP). Your system platform only must be configured to be internet capable. This scenario allows for the most flexible setup of the overall communication requirements.

The ICF allows a response to a request to be generated using an application. An HTTP request is sent from a client (such as a Web browser) to the server. It is then forwarded to an application by the ICF. Here, data is collected and sent back to the client as a response by the ICF. The response data is then displayed in the browser.

Note

The following provides more information about using the SAP system as a Web server (HTTP(S) server). For information about the Web client role of the SAP system, see the online documentation.

The application logic that is to be called by an HTTP request from the intranet or internet is implemented by the HTTP request handler in each case. An HTTP request handler is a program (or, more precisely, an ABAP class) that is identified using a URL, and which receives HTTP requests that use this URL. The task of the HTTP request handler is to receive the data that is sent by a request (for example, coded into the URL as "query string" information), to perform a number of handler-specific processes, and to generate a response to this HTTP request. Customers can also create these HTTP request handlers themselves, although SAP does provide some. An example for an SAP HTTP request handler is the handler CL_HTTP_EXT_BSP for the Business Server Pages (BSP) which can be used to develop simple Web applications.

If an HTTP request is received by the ICM that is to be processed in a work process, the task handler of the work process takes control. It then starts the ICF controller (see the following figure).

An HTTP(S) request is processed in the following steps (this example uses an ABAP application that must be processed by a dialog work process):

The request is sent from the user’s Web browser to the ICM using the HTTP(S) protocol.
The ICM stores the data received in a memory pipe (in the shared memory) and informs the ABAP dispatcher.
The ABAP dispatcher adds the ICM request to the dispatcher queue, creates a new context (if there is no context that is processed statefully), and selects a dialog work process for processing.
The task handler in the work process reads the data from the memory pipe and transfers it to the ICF controller, which is implemented using function module HTTP_DISPATCH_REQUEST.
The ICF controller transfers the request to the ICF manager, which is implemented by the ABAP class CL_HTTP_SERVER. The ICF controller creates a server control block and fills it with the HTTP request data that it requested from the ICM.
The client is then authenticated, whereby several logon options are available.
The HTTP request handler determined previously is called (this can process the request data, call further applications, access the response object, and so on). Once the HTTP request handler has performed all tasks, it returns control to the ICF controller.
The task handler writes the response back to the memory pipe (response serialization) and signals to the ICM that it has finished processing the request.
The ICM returns the response to the Web Browser.

For a detailed explanations of the individual steps, see the online documentation for SAP S/4HANA (Product Assistance), area Enterprise Technology → ABAP Platform → Application Server ABAP - Infrastructure → Connectivity → Components of SAP Communication Technology → Communication Between ABAP and Non-ABAP Technologies → Internet Communication Framework → Architecture → Server Architecture.

From a technical point of view, there is an ABAP class behind an HTTP request handler. This class implements the interface IF_HTTP_EXTENSION and the method HANDLE_REQUEST. SAP delivers classes of this type; customers can, of course, also create their own classes with the Class Builder (transaction SE24, integrated into the Object Navigator, transaction SE80).

Internet Communication Framework

Properties and Maintenance of ICF Services

The task of ICF services is to link a particular URL with an HTTP request handler. An ICF service therefore creates a connection between a URL to which an HTTP request is sent and development objects that process this request.

An SAP system (with AS ABAP) already contains various services directly after it is installed. The exact scope depends of course on the system type (SAP ECC, SAP S/4HANA Server, and so on) and the release. You can obtain an overview of all available services using the central maintenance transaction for ICF services, transaction SICF. All available services are displayed in a hierarchical structure in transaction SICF. The complete path for a service (such as /sap/bc/icf/info) ultimately determines (together with the protocol, server name, and port) the URL under which the service can be called. The following part of this lesson explains some of the aspects that are relevant for administrators in more detail.

Activation Concept

ICF services can be active or inactive, which is indicated by different colors in transaction SICF:

Status of ICF Services

Status	Color in SICF	Meaning
Active	Black	Service can be called
Inactive	Gray	Service explicitly deactivated
Inactive	Blue	Service implicitly deactivated

For implicitly deactivated services, there is always a higher-level service in the ICF tree that has been explicitly deactivated. If you activate that service (displayed in gray), all lower-level services that are implicitly deactivated (displayed in blue) will be activated. When you activate a node (by choosing the menu path Service/Host → Activate or using the context menu that appears when you click the secondary mouse button), you can choose whether you want to explicitly activate the selected service only (Yes) or all of the lower-level subservices (Yes with the tree icon).

If you try to call an inactive service, the system will display a message stating that access to this page is forbidden. Activated ICF services are a security risk since they can be accessed directly using HTTP(S) or SMTP from the intranet or internet (depending on your network configuration). You should therefore restrict access using suitable measures, such as by activating only the required ICF services and assigning the relevant authorizations to users.

Hint

At the time of installation, all ICF services are inactive so that no ICF service can initially be used. For the behavior of ICF nodes after the implementation of Support Packages, see SAP Note 1447439 – ICF: Services are no longer deactivated after transport and SAP Note 1555208 – ICF services become inactive after upgrade or SP update.

Mass Processing of ICF Services

The reports RS_ICF_SERV_ADMIN_TASKS and RS_ICF_SERV_MASS_PROCESSING provide the option of executing various actions in relation to the services of the Internet Communication Framework. For example, report RS_ICF_SERV_ADMIN_TASKS offers to determine all active HTTP services (or all inactive services) in the system and to write the result to a CSV file. Report RS_ICF_SERV_MASS_PROCESSING in turn offers to activating (or deactivate) ICF services that are listed in a CSV file for all virtual hosts. For more details, see SAP Note 1498575 – Mass processing of ICF services.

Properties and Inheritance

An ICF service is characterized by properties that you maintain in transaction SICF. By double-clicking a service, you access the Create/Change a Service screen on which you can configure the following settings:

Service Data tab

An inheritance principle applies to the properties of an ICF service: In transaction SICF, you do not need to maintain properties for each individual service. You can do this simply for the higher service nodes (for example, /sap/bc/bsp). All lower-level services are then assigned these properties, provided that other values have not been entered explicitly for them.
This inheritance process is not always required. You can use the Ignore inherited settings indicator to control whether this inheritance logic is interrupted. In addition, you can choose the Display Inheritance button in the application toolbar to show the properties for the current service that are inherited from higher-level ICF services.
Under Load Balancing, you can enter a logon group (from transaction SMLG) using the input help (F4). When you use the SAP Web Dispatcher, requests sent to this service are forwarded only to the ABAP instances of the logon group defined.
If you enter a value in the Authorization field, the system will check whether the user has this authorization (for authorization object S_ICF, fields ICF_FIELD and ICF_VALUE) at runtime.
Once the time defined in Session Timeout has expired, a stateful application is terminated (if the value is 00:00:00, the value of the profile parameter rdisp/plugin_auto_logout (default value: 30 minutes) is used).
If you set Compression to Yes, the SAP system will compress the response (using the gzip technique), provided that the caller can control decompression.
If you set GUI Interface to Yes, the screen images that are generated in the application by processing conventional dynpros will be converted to a format that allows them to be displayed graphically in a Web browser.
Note
This function (as well as the screen that can be accessed with GUI Configuration) is required for the integrated SAP ITS, which is explained in more detail below.
The Support Accessibility indicator specifies that an accessibility mode is called if the application has one. However, it cannot be guaranteed that this is the case.

Logon Data tab

There are various ways for an HTTP request to log onto the AS ABAP, and you can configure these for each individual service node. With the Standard default setting for field Procedure, the following check procedures are used in exactly this sequence:

Logon Through HTTP Fields
Logon Through SSL Certificate (logon using the client certificate)
SAP Logon/Assertion Ticket
SAP Assertion Ticket
Basic Authentication (logon using the SAP user and password)
SAP RFC Logon
SAML bearer token
OIDC bearer token
SPNEGO Authentication
SAML Logon
OIDC Logon
Logon Through Service Data (logon using the anonymous data entered in the service)

By choosing Alternative Logon Procedure as Procedure, you can select any logon procedure (in the Logon Procedure List that appears) and change the check sequence.

With Required with Logon Data as Procedure, only those entries specified in the service under Logon Data (client, user, password, and language) are used for the check. You should enter only those users that have been created in transaction SU01 as service users. In case that you enter a dialog user, the system issues a warning message.

If you select Required with SSL Certificate finally, logon will occur exclusively with an X.509 client certificate.

Note

For the Standard and Alternative Logon Procedure, you can select the Use All Logon Procedures checkbox to specify whether the respective check sequence is to run until one of the logon procedures is successful, or whether the caller is to receive a negative confirmation as soon as the first logon procedure fails.

Depending on the procedure selected, you can configure additional settings (for example, you can require SSL, that is, the HTTPS protocol).

Handler List tab

Here, you list the HTTP handlers in the sequence in which they are to be executed. An HTTP request handler is an ABAP class that implements the interface IF_HTTP_EXTENSION. This interface contains the method HANDLE-REQUEST, which is called by the ICF.

Error Pages tab

On the Error Pages tab, you can specify which response pages are to be sent to the caller in the following situations:

Logon Errors (HTTP 401: logon failed)
Appl. Errors (HTTP 500: An error occurred in the application, for example, ABAP short dump)
Logoff Page
Not Accessible (HTTP 404: not found)

In each case, either an explicit response page can be sent to the Web browser or the caller can be redirected to another URL. In the Logon Errors area, you can also enable a direct system logon in case that an error occurs.

Note

Under the /sap/public node, services are defined that are required for system-internal services. These differ from the other services in the tree since no credentials are maintained. You therefore do not need to log on to the SAP system to use these services. The actions are carried out under the SAPSYS system user. Therefore, customers are not permitted to create their own services under the /sap/public node.

Administration tab

The Administration tab contains administration data such as the user who has created and who has last changed a service.

In addition, you can flag services to be administration services. Administration-relevant ICF services should be especially protected against unauthorized accesses. To do this, these services can be grouped together under a separate virtual host (such as SAP_ADMIN_VH), which is reached by its own port and can be given special access restrictions.

For more information, see SAP Note 1778777 – Development of an admin application and SAP Note 1748112 – Making admin services accessible through their own port (which contains a PDF attachment concerning the Separation of HTTP Administration Requests Using a Dedicated Port.

Hint

If logon data is defined for an ICF service that is then transported, the logon data will be deleted during transport. This is due to security reasons. Furthermore, it is not possible to guarantee that the respective user exists in the target system. The user must therefore be maintained in the target systems. For more information, see SAP Note 732218 — ICF: Logon data from SICF is not transported. Also for security reasons, ICF services that have been transported to a target system are initially inactive and must be activate explicitly (see also SAP Note 517484 — Inactive services in the Internet Communication Framework).

Activate ICF Services

Business Example

Your company uses many Web browser-based functions offered by SAP S/4HANA.

As an administrator, you are responsible for activating services that allow HTTP communication between Web browsers and an SAP S/4HANA Server system.

Task 1: Activate ICF Services

Activate and Call ICF Services

Steps

In your training environment, launch the following URL: https://<server with domain>:<ICM HTTPS port>/sap/bc/bsp/sap/it00.
1. In your training environment (WTS), start a Web browser of your choice.
2. Enter the following URL:
  - Q team: https://s4qhost.wdf.sap.corp:44321/sap/bc/bsp/sap/it00
  - P team: https://s4phost.wdf.sap.corp:44331/sap/bc/bsp/sap/it00
3. If necessary, log on with the credentials of your training user that is provided by your instructor (for example user train-##, where ## denotes your group number). In the case that you are asked to save your password, choose Never.
4. You should get the message Service cannot be reached or Forbidden.
5. Keep this Web browser session open.
In your SAP S/4HANA system, activate the ICF services
- /default_host/sap/bc
- /default_host/sap/public/bc
including all subservices (if they are not yet active).
1. Log on to your SAP system using credentials of your training user that is provided by your instructor (for example user train-##, where ## denotes your group number).
2. Start transaction SICF.
3. Accept the default values and choose Execute.
4. In the tree structure, navigate to the /default_host/sap/bc node.
5. If this service has not yet been activated, right-click this node and choose Activate Service (or choose the menu path Service/Host → Activate). Then choose Yes (with the tree icon) to activate node /default_host/sap/bc and all of its subservices. This may take some time.
6. Repeat the last two substeps with the service /default_host/sap/public/bc.
  Hint
  You may need to deactivate this service first before you can activate it with all subnodes.
Launch the following URL again: https://<server with domain>:<ICM HTTPS port>/sap/bc/bsp/sap/it00.
1. In the still open Web browser session from the first step, choose Refresh (or Reload).
2. If necessary, log on with the credentials of your training user that is provided by your instructor (for example user train-##, where ## denotes your group number). In the case that you are asked to save your password, choose Never.
  Note
  BSP application it00 is a test application for BSP developers. The first start may take some seconds.
Within BSP application it00, start the function 6. MIMEs → 2. Accessing SAP Icons in MIME Repository. Then check the Internet Server Cache (of the ICM process that has processed your request).
1. Following the previous step, within BSP application it00 (in the Web browser), navigate to the menu option 6. MIMEs → 2. Accessing SAP Icons in MIME Repository.
  Result
  The system displays the SAP icons stored in the MIME repository (implemented in the AS ABAP database) as graphics in GIF format. Note that it takes some seconds until all icons are displayed.
2. In your SAP system, start transaction SMICM on the application server that has processed this request.
3. Choose the menu path Goto → HTTP Plug-In → Server Cache → Display.
  Result
  The system displays (with a preview option when double-clicking an entry) the objects held in the Internet Server Cache (ISC).
4. Now delete the temporary cache in your Web browser (for example, in Edge, choose ... → Settings → Privacy, search and services, in section Clear browsing data choose Choose what to clear, then select (at least) Cached images and files for the Time rangeLast hour and confirm your changes with Clear now.
5. In the BSP application it00 that is still running in your Web browser, call the function 6. MIMEs → 6.2. Accessing SAP Icons in MIME Repository again (you may again provide your credentials). You can see the difference between reading from the database and reading from the ISC (now the objects should be displayed faster compared to the previous step).
Optional: From transaction SICF, start the Web Dynpro ABAP application /default_host/sap/bc/webdynpro/sap/OTHELLO.
1. Following the previous step, in your SAP system. start transaction SICF.
2. Accept the default values and choose Execute.
3. Navigate to the /default_host/sap/bc/webdynpro/sap/OTHELLO node.
4. Right-click the node and choose Test Service. When prompted, log on with the credentials of your training user. The first start may take some time. Have fun!

Result

All services under /default_host/sap/bc can now be called from the intranet and, if the network settings allow, from the internet.

Note

The activation of all services under /default_host/sap/bc has been done for the sake of simplicity. In "real life", you should activate only those services that are to be accessed via http(s).

Task 2: Mass Activation of ICF Services

Determine all active HTTP services in your SAP S/4HANA system and write the result to a CSV file. Then deactivate some of the activated services. Finally, use the CSV file to activate all ICF services for all virtual hosts listed in this CSV file and check the results.

Steps

Use report RS_ICF_SERV_ADMIN_TASKS to determine all active HTTP services in your SAP S/4HANA system and to write the result to a CSV file on file system level of your WTS.
1. If you have not yet already done so, log on to your training system with the credentials of your training user provided by your instructor (for example user train-##, where ## denotes your group number).
2. Start transaction SA38.
3. Enter and execute program RS_ICF_SERV_ADMIN_TASKS.
4. On the selection screen, select the option Export active services to CSV File, keep the other settings unchanged and choose Execute.
5. On popup Downloading CSV File, use the value help to change the default store location (such as <user default directory>\My Documents\SAP\SAPGUI) to N:\(My )Documents and keep the file name (such as ICF_<SID>_<date>_<time>_SNP_ACT.csv) unchanged. Confirm your selection with Save.
6. Back on popup Downloading CSV File, choose Generate.
7. Optional: Feel free to open this file on your WTS for example with the help of the File Explorer and Microsoft Excel to check its content.
Deactivate some active ICF services (such as /default_host/sap/bc/bsp).
1. Continue working in your SAP system using the training user provided by your instructor (for example user train-##, where ## denotes your group number).
2. Start transaction SICF.
3. Accept the default values and choose Execute.
4. Navigate to the /default_host/sap/bc/bsp node.
5. Right-click this node and choose Deactivate Service (or choose Service/Host → Deactivate from the menu).
6. Confirm the following popup with Yes.
7. Keep this session open.
Use report RS_ICF_SERV_MASS_PROCESSING to activate all ICF services for all virtual hosts that are listed in the CSV file you have created above. Check the results.
1. Following the previous step, in a new session, start transaction SA38.
2. Select and execute program RS_ICF_SERV_MASS_PROCESSING.
3. On the selection screen, select the option Activate ICF services for all virtual hosts listed in CSV file.
4. Choose Execute and confirm the following popup with Yes.
5. On popup Upload CSV file, select the file that you have downloaded in a previous step (such as N:\(My )Documents\ICF_<SID>_<date>_<time>_SNP_ACT.csv) by using the value help.
6. Back on popup Upload CSV file, choose Continue.
7. Check the log output (ignore error messages about nodes that do not exist – these messages may come from external aliases).
8. In the still open session for transaction SICF, choose Refresh (on the application toolbar).
9. Navigate to the /default_host/sap/bc/bsp node again and check that is has been activated again.

ICF Aliases

In the ICF, you can link from one ICF service to another existing service ("alias"). A distinction is made between internal and external aliases:

On the Define Services screen in transaction SICF, when you create a service and choose Alias to Existing Service, you create an internal alias.
Instead of defining an HTTP request handler, use the Target tab to specify (by double-clicking) the target handler to which the alias is to refer in the HTTP service tree. This allows you, for example, to call the existing and unchanged service with alternative settings (such as logon data and logon procedure).
Note
If possible, customers should not create internal aliases to SAP services (which are always in the /sap/ namespace).
To allow services to be called with any meaningful, non-technical names, customers should use external aliases. For this, switch to the Maintain external aliases view in transaction SICF. Unlike an internal alias, an external alias can contain a forward slash ("/") in its name; otherwise, both procedures are handled in the same way (besides of transport settings).

Maintain ICF Aliases

Business Example

Your company uses many Web browser-based functions offered by SAP S/4HANA.

As an administrator, you want to make existing ICF services available under a meaningful, non-technical name.

Task 1: Create an External Alias

Create a new ICF service as an external alias to an existing service.

Steps

Use the wizard to create new ICF service /adm/myinfo that links to /sap/bc/icf/info as an external alias.
1. Log on to your SAP system with the credentials of your training user that is provided by your instructor (for example user train-##, where ## denotes your group number).
2. Start transaction SICF.
3. Accept the default values and choose Execute.
4. Choose External Aliases from the application toolbar to switch to the Maintain external aliases screen.
5. From the tree structure, select default_host.
6. Choose Wizard – External Alias from the application toolbar (or choose the menu path External Alias → Wizard – External Alias).
7. The wizard leads you through the following steps, whereby you access the following page by choosing Continue.
  1. Step Start: First, information about external aliases appears.
  2. Step General Data: In the External Alias field, enter /adm/myinfo and in the Description 1 field, enter a description of your choice.
  3. Step Select Destination Handler: As the target handler, double-click the service /default_host/sap/bc/icf/info (you may need to expand the tree structure for this).
  4. Step Complete: Choose Complete.
At WTS level, close all of your Web browser windows. What do you notice when you test the new service /adm/myinfo in transaction SICF?
1. Make sure that all of your Web browser sessions in your training environment at WTS level are closed.
2. Following the previous step, in the hierarchy display in transaction SICF (Maintain external aliases view), right-click your new node default_host → /adm/myinfo (you may need to expand the tree structure for this) and choose Test Ext. Alias.
3. Note that you must first log on (with the credentials of your training user) before you can view the test page (including information from the application server in the top line).
  Note
  If you are not prompted to enter your credentials, close all of your browser windows and repeat substeps b) and c)
  In case of that you are asked to save your password, choose No or Never.
In the /adm/myinfo service, enter the logon data of the training user assigned to you by the instructor.
1. Following the previous step, in the hierarchy display in transaction SICF (Maintain external aliases view), double-click your /adm/myIinfo node. If necessary, switch to change mode (by choosing Change in the application toolbar).
2. On the Logon Data tab page, select Required with Logon Data from the Procedure dropdown box.
3. In the Logon Data area, enter the credentials for your course user (for example train-##, where ## denotes your group number).
  Note
  In an operational scenario, enter service users with appropriate authorizations.
4. Store (Save) your entries and confirm the warning Do not use dialog users if possible. Then choose back to switch to the Maintain external aliases screen. Keep this session open.
Check that you can now call the /adm/myinfo service without having to log on.
1. Close all of your Web browser windows.
2. In the hierarchy display in transaction SICF (Maintain external aliases view), right-click your /adm/myinfo external alias and choose Test Ext. Alias again. The system now should not prompt you to enter your credentials.

Result

Your SAP system provides a new /adm/myinfo service with provided logon data.

Task 2: Optional: Create an Internal Reference

Create a new service as an internal reference to an existing service.

Steps

Without using the wizard, create an ICF service /default_host/adm/myping that links to /default_host/sap/public/ping as an internal reference.
Note
Note that you first require an independent service adm below which you enter myping as an internal reference. Remember to activate your new service.
1. Following the previous task, continue working in your SAP system using the credentials of your training user that is provided by your instructor (for example user train-##, where ## denotes your group number).
2. Start transaction SICF.
3. On the start screen of transaction SICF, accept the default values and choose Execute.
4. In the hierarchy display, right-click the top node default_host.
5. Choose New Subelement (or select the node and choose the menu path Service/Host → Create Service).
6. Confirm the message about the namespace concept with Continue.
7. In the Create a Service Element window, enter adm as the Name of New Service Element and choose Standalone service as the Type of New Service Node.
8. Choose Input (Enter).
9. On the subsequent Create/Change a Service screen, enter a description in field Description 1. Leave all other fields unchanged and store (save) your changes (for the object directory entry choose Local Object).
10. Confirm the warning that the new service has no handler class with Continue, and go back one screen (to the hierarchy display in transaction SICF).
11. Expand the service tree and select your new adm node, click the right mouse button, and choose New Subelement.
12. In the same way as before, create the element myping, but now as an Alias to an existing service.
13. On the Create/Change a Service Call screen, enter a text in field Description 1.
14. On the Target tab page, navigate to the /default_host/sap/public/ping node and double-click this line.
  Make sure that the service /default host/sap/public/ping is acitve. If not, activate it first.
15. Store (Save) your changes and go back one screen (to the hierarchy display in transaction SICF).
16. Go back one screen (to the hierarchy display in transaction SICF).
17. To activate your changes, select the /default_host/adm/myping node in the service tree and choose Activate Link with the secondary mouse button.
18. Confirm the popup with Yes.
Test the new /default_host/adm/myping service in transaction SICF.
1. Following the previous step, in the hierarchy display in transaction SICF, right-click your new /default_host/adm/myping node and choose Test Link.
  Result
  The message Server reached. appears.
  Hint
  It may take a while for the SAP system to recognize the new alias. If the AS ABAP does not recognize the URL as a correct URL, try again later.
Optional: Determine all ICF services that link to the /sap/public/ping service.
1. Following the previous step, in the Define Services screen of transaction SICF, navigate to the node /default_host/sap/public/ping. With the secondary mouse button, choose References to Service (or choose the menu pathService/Host → Alias References).
  Result
  The system displays a list that contains all internal and external references that link to /sap/public/ping. Your entry /default_host/adm/myping also appears as an internal link to this service.

Result

Your SAP system provides the new service /default_host/adm/myping.

ICF Service

ICF Recorder

The ICF recorder is the tool for recording and evaluating HTTP requests to the ICF. It enables developers and administrators to identify and correct the source of errors in failed service calls by recording HTTP requests.

You can use it to save recorded requests (without the passwords used) in the system database. This facilitates the evaluation process since it is usually no longer necessary to describe the error so that the problem can be reproduced. The problem can be executed multiple times using the database entry in order to further identify the root cause of the problem by debugging or work process traces. Once the problem has been corrected, the erroneous data can be used to check the corrections.

You can call the ICF recorder from the Define Services screen (see figure above) or from the Maintain external aliases screen in transaction SICF by choosing the menu path Edit → Recorder → Activate/Deactivate/Display Recording; you can also use transaction SICFRECORDER for the evaluation process. The basic steps are:

Activate the recording. You have to enter:
1. The URL path in ICF to be recorded (if you have previously selected a path, this is used as the default value)
2. The duration of the recording and the storage period in the database (Lifetime)
3. Whether the requests of one user (user-dependent, recommended) or all users of the current client are to be recorded
4. Whether you want to record the request only or the response as well
Call the services to be monitored (if necessary, using the selected user).
Deactivate the recording (to prevent performance losses).
Display and process the recorded requests.

In the administrator settings (available on the Define Services screen in transaction SICF under the menu path Goto → Settings), you can prevent the ICF recorder from being used system-wide. You can use authorization object S_ICFREC to control access to the request data using the ICF recorder.

(Optional) Record ICF Requests

Business Example

Your company uses many Web browser-based functions offered by SAP S/4HANA.

As an administrator, you want to analyze the request and system response of some of these functions in detail.

Task 1: ICF Recorder

Analyze HTTPS requests with the ICF recorder.

Steps

Activate the ICF recorder for service /default_host/sap/bc/bsp/sap/it00. The recording should contain requests, responses, and failed logons, be relevant to all users, and be stored for one day.
1. Log on to your SAP system using credentials of your training user that is provided by your instructor (for example user train-##, where ## denotes your group number).
2. Start transaction SICF.
3. Enter Service Nameit00, accept the other default values and choose Execute.
4. In the tree structure, select the /default_host/sap/bc/bsp/sap/it00 service with the primary mouse button and choose Edit → Recorder → Activate Recording from the menu.
5. In the Activate Recording dialog box, check the URL Path in ICF (it should read /sap/bc/bsp/sap/it00).
6. Deselect the User-Dependent checkbox.
7. In the Lifetime field, enter 1D(a)ys and 00:00:00 hours:minutes:seconds.
8. In area Recording Level, select the Failed logons field and the option Request + Response, then choose Activate.
9. The System Monitor Active button in the application toolbar indicates the changed operation mode. If you choose this button, the Monitor Current System Settings dialog box appears with details. Finally, close this dialog box but keep the session with transaction SICF open.
Close all open Web browser windows. Start the /default_host/sap/bc/bsp/sap/it00 service (either by using the Test Service function on the corresponding entry in the tree structure of transaction SICF (using the secondary mouse button) or by entering the corresponding URL in the web browser) and log on with...
Example
- ... an invalid user name.
- ... a valid user name but an incorrect password.
- ... valid credentials.
Once you have logged on successfully, call some of the functions of this service.
1. See the task description. The URL is https://<server with domain>:<ICM HTTPS port>/sap/bc/bsp/sap/it00.
Deactivate the ICF recorder for service/default_host/ sap/bc/bsp/sap/it00.
1. Following the previous step, continue to your open session in transaction SICF.
2. To deactivate the recording for /default_host/ sap/bc/bsp/sap/it00 only, first select this service with the primary mouse button in the tree structure of the Display Services screen of transaction SICF. Then choose Edit → Recorder → Deactivate Recording from the menu.
3. Accept the entries in the Deactivate Recording dialog box and choose Deactivate.
  Note
  A list may appear containing the active recordings for the selected server. If so, choose Deactivate again.
4. Provided that no other recordings are active in the system, the button for the system status in the application toolbar now displays the text System Monitor Inactive (and maybe a green flag instead of a red one before).
Display the recorded requests and responses.
1. Following the previous step, choose Edit → Recorder → Display Recording from the menu.
  Note
  Alternatively, start transaction SICFRECORDER.
2. To display an overview of all recordings, delete any entries in the Request Path field on the selection screen.
3. Select Logon error as well.
4. Switch the entry for Recording by User to *.
5. Do not change the other entries and choose Execute.
6. On the left of the screen, the system lists the services for which there are recordings (you may need to expand the tree structure). If you double-click an ICF service, the details of the requests and responses are displayed on the right of the screen (for this you may need to select a line and choose Display ... → Request or Display ... → Response).

ICF Recorder

SAP GUI for HTML

SAP GUI for HTML maps SAP screens to HTML pages. Technically, SAP GUI for HTML is realized as ICF service /sap/bc/gui/sap/its/webgui.

You start the SAP GUI for HTML by entering the URL http(s)://<server with domain>:<ICM port>/sap/bc/gui/sap/its/webgui. Alternatively, start transaction WEBGUI in SAP GUI for Windows or in SAP GUI for Java. The general remarks about the properties of an ICF service that are stated above (such as client, logon language, and so on) also apply here.

SAP GUI for HTML can also be used on touch based mobile devices such as Apple iPad and Android tablets. For more details, refer to SAP Note 2792965 – Touch support for tablet devices in SAPGUI for HTML.

Because of the technical attributes of HTML or the Web browser, the use of SAP GUI for HTML is somewhat restricted as compared to the use of SAP GUI for Windows or SAP GUI for Java:

The controlling of an OLE automation server is not possible.
Keyboard navigation is limited as known from other web applications.
Office integration is view only.
Some controls offered in SAP GUI for Windows used for special purposes (such as the advanced ABAP Editor Control) are not available.

To see if a transaction is supported for use with SAP GUI for HTML, check the flags in transaction SE93 (display the transaction code in question and check section GUI support).

Note

For release-specific functionality and limitations of SAP GUI for HTML, refer to SAP Note 314568 – SAP GUI for HTML functionality / Limitations / Sp. Behaviour.

SAP GUI for HTML Settings

Within SAP GUI for HTML, users can access the SAP GUI for HTML Settings dialog via menu path More → GUI Actions and Settings → Settings.

The settings of a user are stored in the system database.

Note

The communication between the web browser and the application server instance is utilizing the ABAP Push Channels (APC) technology. Ensure that the ICF service /sap/bc/apc/sap/webgui_services is active.

Frontend Sub-Records (FESR) Logging

To troubleshoot SAP GUI for HTML related performance problems, SAP GUI for HTML offers Frontend Sub-Records (FESR) Logging. FESR Logging contains very detailed information about the duration of the browser-to-server communication. It can be enabled on the SAP GUI for HTML – Settings screen (see figure above), in area Tools → Performance → . From there, the logging results can also be displayed.

For more information, see SAP Note 2981366 – How to use FESR Logging in ITS WEBGUI (SAP GUI for HTML).

Prerequisites for SAP GUI for HTML

The following figure lists supported Web clients for SAP GUI for HTML.

For details, please check the Platform Availability Matrix at https://support.sap.com/pam. For more information on themes in SAP GUI for HTML, see SAP Note 1508958 – Look and Feel in the WEBGUI and SAP Note 2540597 – Supported Themes for SAPGUI for HTML.

Prerequisites for SAP GUI for HTML

The ICF service /sap/bc/gui/sap/its/webgui is active and the property GUI Interface is set to Yes.
The ICF service /sap/bc/apc/sap/webgui_services is active.
The SAP Internet Transaction Server (SAP ITS) is active.

Note

Depending on the release of software component SAP_BASIS in your SAP system, you have to activate further ICF services. For a detailed list, refer to SAP Note 2213657 – Which ICF services need to be activated in order to start SAP GUI for HTML (WebGUI/HTML-GUI)?.

Hint

For details on the SAP Internet Transaction Server (SAP ITS), see the next section.

(Optional) Administrate SAP GUI for HTML

Prerequisites

Business Example

As an administrator for an SAP S/4HANA system, you want to activate and configure the SAP GUI for HTML.

Task 1: Check Prerequisites

Steps

Verify that the ICF service /default_host/sap/bc/apc/sap/webgui_services is active.
1. Log on to your SAP system using credentials of your training user (for example user train-##, where ## denotes your group number) provided by your instructor.
2. Start transaction SICF. On the start screen of this transaction, keep the default settings unchanged and choose Execute.
3. In the tree structure navigate to the service /default_host/sap/bc/apc/sap/webgui_services and activate it if necessary (select it, click the right mouse button and choose Activate Service).
Result
The APC WebSocket protocol service relevant for the SAP GUI for HTML personalization is active.
Verify that the ICF service /default_host/sap/bc/gui/sap/its/webgui is active and intended for calling the GUI.
1. Following the previous step, in the tree structure navigate to the service /default_host/sap/bc/gui/sap/its/webgui and activate it if necessary (select it, click the right mouse button and choose Activate Service).
2. Double-click the service and make sure that the GUI Interface field on the Service Data tab page is set to Yes.
Result
The ICF service relevant for the SAP GUI for HTML is active.

Task 2: Launch and Personalize SAP GUI for HTML

Steps

Start the SAP GUI for HTML using transaction WEBGUI.
1. If you have not yet already done, log on to your SAP system using credentials of your training user that is provided by your instructor (for example user train-##, where ## denotes your group number).
2. Start transaction WEBGUI. You may need to enter the credentials of your training user.
3. SAP GUI for HTML is started in a Web browser window. Note that a splash screen is displayed before the SAP GUI for HTML UI appears.
4. Access some functions of your SAP system via SAP GUI for HTML. Keep this Web browser session open.
Perform some personalization in SAP GUI for HTML, for example
- Change the theme.
- Enable the OK code (command) field.
- Enable icons on buttons.
1. Following the previous step, continue working in the browser window with SAP GUI for HTML.
2. To access the SAP GUI for HTML settings, from the application toolbar in SAP GUI for HTML choose Menu → Settings ....
3. Within the SAP GUI for HTML Settings screen, perform some changes, for example
  - Change the theme at Visual Design → Theme Selection → Select Theme.
  - Enable the OK code (command) field at Interaction Design → Visualization → Header Area → Show OK Code field.
  - Enable icons on buttons at Interaction Design → Visualization → Header Area → Show Buttons with Icons.
4. When done, choose Save. Note that some changes require a restart of SAP GUI for HTML.

Task 3: Perform Front-End Subrecord (FESR) Logging

Steps

Within SAP GUI for HTML, temporarily activate FESR logging.
1. Following the previous task, within the SAP GUI for HTML, on the application toolbar navigate to Menu → Settings ....
2. Within the SAP GUI for HTML Settings screen, navigate to Tools → Performance → Front-End Subrecord (FESR) Logging.
3. Activate Temporary FESR logging and choose Save.
Within SAP GUI for HTML, perform some actions.
1. Access some functions of your SAP system via SAP GUI for HTML (for example start some transactions from the user menu).
Within SAP GUI for HTML, deactivate FESR logging and analyze the log.
1. Within the SAP GUI for HTML, again on the application toolbar navigate to Menu → Settings ....
2. Within the SAP GUI for HTML Settings screen, navigate to Tools → Performance → Front-End Subrecord (FESR) Logging.
3. Deactivate Temporary FESR logging.
4. Choose Display FESR Log.
5. A table with the recorded steps is displayed.
  Note
  You can access a short explanation for the meaning of all values using the question mark icon at the top right part of thei popup.
6. Select one step and choose View Details.
7. Detailed information is displayed. You can change to other steps using the Previous Step and Next Step buttons.
8. When done, choose Close to close the details.
9. When done, choose Close to close the list.
10. Back in the SAP GUI for HTML Settings screen, ensure that Temporary FESR logging is still inactive and choose Save.
11. In SAP GUI for HTML, choose Menu → System → Log Off on the application toolbar to log off from SAP GUI for HTML and confirm a popup. Then close all Web browser sessions.

SAP Internet Transaction Server (SAP ITS)

SAP ITS Architecture

The SAP Internet Transaction Server (SAP ITS) is completely integrated in the infrastructure of the AS ABAP: It is accessed via the ICM process, implemented as a number of ICF services, and uses the database as an object storage location.

Besides the SAP GUI for HTML, SAP ITS also supports the Internet Application Components (IAC) programming model.

Hint

The HTML Business Templates mentioned on the figure above are relevant for selected IACs, but not for SAP GUI for HTML.

SAP ITS Configuration

The SAP ITS is automatically installed with the SAP kernel as part of AS ABAP 6.40 and above. To use the SAP ITS, the following prerequisites must be met:

Prerequisites for SAP ITS

The ICM process is operational and configured for HTTP(S).
Profile parameter itsp/enable is set to 1.
The required SAP ITS service is active in the ICF and the property GUI Interface is set to Yes.
The ICF service/sap/public/bc/its/mimes is active in the ICF and the property GUI Interface is set to Not specified.

For the SAP ITS, various profile parameters are relevant, which all begin with itsp/. Administrations can use the usual methods to call documentation for individual parameters (transaction RZ11) and change the assigned values permanently (transaction RZ10).

Two profile parameters are particularly significant in relation to the SAP ITS:

itsp/enable: You use this to deactivate (0) and activate (1) the SAP ITS. Even if the SAP ITS is active, it uses the system resources only when it is actually used. However, it can be useful to deactivate it for selected application servers (instances) so that no users can access the SAP system via the SAP GUI for HTML with these instances (for example, batch or update instances). Since the conversion of SAP screen images to HTML pages also requires CPU time, it is useful to reserve a number of dedicated instances for use with SAP GUI for HTML and to use a special logon group for load balancing between them.
em/global_area_MB: This parameter determines the memory commonly used by all ABAP work processes of the SAP kernel. The SAP ITS uses it for session information and the runtime version of the HTML Business templates. The required memory space depends on the number of sessions currently in use, as well as on the number and size of the templates used when users want to call and display services. If your users log onto the SAP ITS in different languages or with different Web browsers (for example, Microsoft Edge and Firefox), or if you require additional services that are not included in SAP GUI for HTML, the number of templates used will increase and you will have to adapt em/global_area_MB (see SAP Note 742048 – Integrated ITS, memory requirement in application server and SAP Note 885580 – Integrated ITS: Configuration Parameters).

Alongside these profile parameters, which are evaluated by the kernel and affect the entire SAP ITS, there are also service parameters, which affect the individual SAP ITS services. You maintain these settings in transaction SICF.

The basic behavior (such as logon, anonymous logon data, service options, security requirements, basic authorizations, and customized error pages) results from the properties of the SAP ITS services in the ICF, as is also the case with "normal" ICF services. You maintain other, SAP ITS-specific service parameters (that begin with ~) in transaction SICF on the Create/Change a Service screen. Choose the Service Data tab and in the Interactive Options area, choose GUI Configuration.

Hint

For more information about these parameters, see the online documentation for SAP S/4HANA (Product Assistance), area Enterprise Technology → ABAP Platform → UI Technologies → SAP GUI → SAP GUI Technology → SAP GUI for HTML. From here choose subentries

SAP ITS in SAP NetWeaver Application Server and
Configuration.

From subentry SAP ITS in SAP NetWeaver Application Server, you can also use a link leading to the documentation of the Internet Communication Framework.

Developers create new SAP ITS services with the Web Application Builder for ITS Services, a tool in the ABAP Development Workbench (transaction SE80; in the Repository Browser, select Internet Service). By default, services are published to the (implicitly available) site of the (integrated) SAP ITS. The SAP ITS service must also be created in the ICF, and can be accessed with the URL http(s)://<server with domain>:<ICM port>/<ICF path>/<ITS service name> (or by choosing Test Service for the service in question in transaction SICF).

Hint

After the installation or after an upgrade of an AS ABAP based SAP system, SAP ITS services may not be executable in the SAP ITS, or the services that start may not behave as they should in the current version because services are not automatically published to the SAP ITS after an installation or upgrade. SAP Note 790727 – Publishing all ITS-objects at the same time and 2206029 – ITS errors after an upgrade or change show how to solve this potential issue.

SAP ITS Monitoring

The administrator can use the tools integrated in the AS ABAP (such as transactions SM21, ST22, SMICM, and SICF) to monitor the SAP ITS. The SAP ITS does not have special trace files, but instead uses the standard developer trace files of the work processes dev_w*.trc. Developers can specially activate ICF and/or WebGUI tracing (in transaction SM50 (menu path Administration → Trace → Active Components) or with program RSTRC000, component WebGui).

They can also use transaction SITSPMON and program SITSPMON, which provides a detailed status summary of the SAP ITS.

The following list contains a number of selected monitoring functions for the SAP ITS:

Parameter: Status, message text, Feature Set version, and profile parameters
Memory Statistics: Overview and details about memory consumed by sessions and ABAP work processes
Template & Mime Cache: Status and invalidation of caches for HTML templates and MIME objects
Mutex Locks (from "mutual exclusion"): Technology for preventing simultaneous access to a resource by several processes

For more information on features of the SAP ITS, see SAP Note 890606 – SAP NetWeaver 2004s integrated ITS: New Features.

Active Services for Web Dynpro ABAP

SAP Note 1088717 – Active Services for Web Dynpro ABAP in SICF lists the services in transaction SICF which need to be activated for Web Dynpro ABAP applications, for the Web Dynpro ABAP development environment as well as for Web Dynpro ABAP applications for troubleshooting.

Optional: Administrate SAP ITS

Task 1: Check Prerequisites

Steps

Check whether the integrated SAP ITS is active.
1. Log on to your SAP system using credentials of your training user that is provided by your instructor (for example user train-##, where ## denotes your group number).
2. Verify that profile parameter itsp/enable is set to 1, either by:
  - Executing program RSPFPAR (transaction SA38 or transaction RSPFPAR) and selecting Profile Parametersitsp/e*.
  - Calling transaction SITSPMON (the parameter is located on tab Parameter)
  - Calling transaction RZ11 and displaying Parameter Nameitsp/enable.
  Note
  Note that all of these approaches are (application server) instance-specific.
Result
The integrated SAP ITS is active.
Verify that the ICF service /default_host/sap/public/bc/its/mimes is active and that Not Specified is entered for the GUI Interface.
1. Following the previous step, start transaction SICF.
2. Accept the default values and choose Execute.
3. In the tree structure, navigate to the service /default_host/sap/public/bc/its/mimes and activate it if necessary (select the service, click the right mouse button and choose Activate Service).
4. Double-click the service and make sure that the GUI Interface field on the Service Data tab page is set to Not specified.
Result
The MIME objects used by selected ICF services (of type IAC) are accessible.
Note
SAP GUI for HTML can handle MIME data but does not access the ICF service /default_host/sap/public/bc/its/mimes directly.

Task 2: Analyze Memory Usage

Steps

Analyze the memory consumption of the integrated SAP ITS.
1. Following the previous task, in your SAP system start transaction SITSPMON.
2. Switch to tab Memory Statistics.
3. Note the number in field Σ Sess. & Templ. of section Memory Consumption: Overview.
  Note
  This data is (application server) instance-specific. Note the options of the Server selection field. At the bottom of the screen, the memory consumption is also listed per session and per work process.
Result
You know the memory consumption by the integrated SAP ITS.

Task 3: Optional: Maintain Service Parameters

Steps

Use the wizard to create an external alias /adm/webgui that refers to /default_host/sap/bc/gui/sap/its/webgui.
1. If you have not yet already done, log on to your SAP system using credentials of your training user that is provided by your instructor (for example user train-##, where ## denotes your group number).
2. Start transaction SICF.
3. On the start screen of transaction SICF, select Hierarchy TypeALIAS, keep the other settings unchanged and choose Execute.
4. On the Maintain external aliases screen, select default_host.
5. Choose Wizard – External Alias from the application toolbar (or choose External Alias → Wizard – External Alias from the menu).
6. The wizard leads you through the following steps, whereby you access the following page by choosing Continue.
  1. Step Start: First, information about external aliases appears.
  2. Step General Data: In the External Alias field, enter /adm/webgui and in the Description 1 field, enter a description of your choice.
  3. Step Select Destination Handler: As the target handler, double-click the service /default_host/sap/bc/gui/sap/its/webgui (you may need to expand the tree structure for this).
  4. Step Complete: Choose Complete.
For the external alias /adm/webgui, ensure the following settings:
Setting Value
GUI Interface Yes
Service parameter ~webgui 1
Service parameter ~nosplash 1
When done, test external alias /adm/webgui and note the logon phase.
1. Following the previous step, continue working in the Maintain external aliases view of transaction SICF.
2. In the tree structure, navigate to the external alias /adm/webgui and double-click it.
3. Choose Change to enter the change mode.
4. On the Service Data tab page, for GUI Interface, choose Yes.
5. On the Service Data tab page, choose GUI Configuration.
6. In the Maintain Service Parameters dialog box, enter ~webgui in an empty row in the Parameter Name column, and enter 1 in the Value column.
7. In the Maintain Service Parameters dialog box, enter ~nosplash in an empty row in the Parameter Name column, and enter 1 in the Value column.
8. Confirm your entries by choosing Copy Parameter Set.
9. Back on the Change External Alias screen, choose Store.
10. Choose Back (F3) to return to screen Maintain external aliases.
11. Right-click the external alias /adm/webgui and choose Test Ext. Alias.
12. In the Web browser, enter the credentials of your training user and choose Log On (and select not / never to store the password – in case of being asked).
  Note
  Note that the splash screen does not occur any more when starting the SAP GUI for HTML.
13. Finally, log off from the SAP GUI for HTML (for example by choosing More → System → Log Off from the application toolbar of SAP GUI for HTML – you may need to confirm a popup) and close all Web browser screens.

Setting	Value
GUI Interface	Yes
Service parameter ~webgui	`1`
Service parameter ~nosplash	`1`

Additional Information on the Internet Communication Framework

Concerning the Internet Communication Framework (ICF), the following paths in SAP Online documentation and the following SAP Notes might be helpful for further information:

Online documentation for SAP S/4HANA (Product Assistance), area
- Enterprise Technology → ABAP Platform → Application Server ABAP - Infrastructure → Connectivity → Components of SAP Communication Technology → Communication Between ABAP and Non-ABAP Technologies → Internet Communication Framework
- Enterprise Technology → ABAP Platform → UI Technologies → SAP GUI → SAP GUI Technology → SAP GUI for HTML
SAP Note 517484 – Inactive services in the Internet Communication Framework
SAP Note 709038 – SAP Integrated ITS
SAP Note 698329 – Integrated ITS, WEBGUI/IAC logon fails
SAP Note 732218 – ICF: Logon data from SICF is not transported
SAP Note 2460180 – SSO failed in transaction NWBC, SOAMANAGER, SOLMAN_SETUP, SM_WORKCENTER, DBACockpit, ILM_SB etc.
SAP Note 1088717 – Active services for Web Dynpro ABAP in transaction SICF
SAP Note 1508958 – Look and Feel in the WEBGUI
SAP Note 1555208 – ICF services become inactive after upgrade or SP update
SAP Note 2661761 – ICF Services - what is mandatory and what can be deactivated?
SAP Note 2710306 – All ICF services under DEFAULT_HOST are Inactive
SAP Note 2658822 – Release notes for SAP GUI for HTML (short WEBGUI)

Next lesson