

another Mystery solved – connect Diagnostic Agent properly
source link: https://blogs.sap.com/2022/01/27/another-mystery-solved-connect-diagnostic-agent-propery/
Last Changed: 27th of January 2022
While the Installation and (Basis) Configuration of SolMan 7.2 is already a complex task, the correct Implementation of the Diagnostic Agent turns out to be an even more complex one.
Blog – SAP MacGyver – Installing SAP SolMan 7.2
connect (correctly) Diagnostic Agent properly
It is always beneficial to start with a completely new Installation before spending too much time fixing an existing Setup. This allows you to use the latest Version of the SAP JVM8, SAP Host Agent 7.22 and the current 7.53 SAP Kernel. Regardless of the Version you install, once the Installation is finished the Diagnostic Agent gets the latest Version for the connected SolMan 7.2.
First, install/update the SAP Host Agent to the latest Version and make sure the parameters in the file host_profile are set correctly to support the SSL configuration.
Note 3076443 – SAP Host Agent 7.22 PL53
Note 3093121 – SAP Host Agent 7.22 PL54
Note 3138653 – SAP JVM 8.1 Patch Collection 84 (build 8.1.084)
SAP Help – Configuring SSL for SAP Host Agent on UNIX
# executed as root with switch to user sapadm
server:/usr/sap/hostctrl/exe/sec #
sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse gen_pse -p SAPSSLS.pse -x is!seCret -r /usr/sap/hostctrl/exe/sec/server-csr.p10 "CN=server.domain.ext, O=SAP AG, OU=IDNA, C=DE"
server:/usr/sap/hostctrl/exe/sec #
sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse seclogin -p SAPSSLS.pse -x is!seCret -O sapadm
server:/usr/sap/hostctrl/exe/sec #
# send the certification request (server-csr.p10) and get the response (server-csr.p7b)
sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse import_own_cert -p SAPSSLS.pse -x is!seCret -c server-csr.p7b
server:/usr/sap/hostctrl/exe/sec #
sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse get_my_name -p SAPSSLS.pse -x is!seCret -v
server:/usr/sap/hostctrl/exe/sec # dir
-rwxrwxr-x 1 sapadm sapsys 5239 Oct 6 14:53 SAPSSLS.pse
-rwxrwxr-x 1 sapadm sapsys 115 Oct 6 14:51 cred_v2
-rwxrwxr-x 1 sapadm sapsys 964 Oct 6 14:51 server-csr.p10
-rwxrwxr-x 1 root root 6559 Oct 6 14:52 server-csr.p7b
server:/usr/sap/hostctrl/exe/sec #
server:/usr/sap/hostctrl/exe # vi host_profile
# add the following Information and restart with ./saphostexec -restart
SECUDIR = /usr/sap/hostctrl/exe/sec
ccms/enable_agent = 1
saphostagent/ssl_setup = true
service/admin_users = sapadm dasadm
service/http/hostname = server.domain.ext
ssl/server_pse = /usr/sap/hostctrl/exe/sec/SAPSSLS.pse
# enable SSL - ./saphostexec -install -setup slplugin -passwd
# update SHA - ./saphostexec -upgrade -archive SAPHOSTAGENT54_54-80004822.SAR
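The result of this first step can be checked at file level. The script below is an added example, not part of the original blog or of SAP tooling: it reads host_profile, confirms the SSL keys shown above, and reports PSE and cred_v2 files that group or others can access (the listing above shows mode 775 on both). Treating such access as a finding and expecting the PSE under SECUDIR are assumptions of this example; the sample files are constructed.

```shell
#!/bin/sh
# Added example, not SAP tooling. Key names are those of the host_profile above;
# the permission rule and the "PSE lives under SECUDIR" rule are assumptions.

# profile_value FILE KEY: print the value of "KEY = value" (last entry wins)
profile_value() {
    awk -v k="$2" '
        /^[ \t]*#/ || !index($0, "=") { next }
        { key = substr($0, 1, index($0, "=") - 1); val = substr($0, index($0, "=") + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
          if (key == k) out = val }
        END { print out }' "$1"
}

# loose_perms FILE: true when group or others hold any permission bit
loose_perms() {
    [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]
}

# audit_hostagent PROFILE: print one finding per line, nothing when clean
audit_hostagent() (
    [ "$(profile_value "$1" saphostagent/ssl_setup)" = "true" ] ||
        echo "saphostagent/ssl_setup is not true"
    secudir=$(profile_value "$1" SECUDIR)
    pse=$(profile_value "$1" ssl/server_pse)
    case $pse in
        "") echo "ssl/server_pse is not set" ;;
        "$secudir"/*) ;;
        *) echo "ssl/server_pse is outside SECUDIR: $pse" ;;
    esac
    for f in "$pse" "$secudir/cred_v2"; do
        [ -e "$f" ] || continue
        if loose_perms "$f"; then echo "group/other access on $f"; fi
    done
)

# Constructed sample reproducing the 775 mode from the directory listing above
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir "$demo/sec"
: > "$demo/sec/SAPSSLS.pse"; chmod 775 "$demo/sec/SAPSSLS.pse"
: > "$demo/sec/cred_v2";     chmod 600 "$demo/sec/cred_v2"
cat > "$demo/host_profile" <<EOF
SECUDIR = $demo/sec
saphostagent/ssl_setup = true
ssl/server_pse = $demo/sec/SAPSSLS.pse
EOF
audit_hostagent "$demo/host_profile"
```

On a real host, call audit_hostagent /usr/sap/hostctrl/exe/host_profile as root or sapadm so the files in SECUDIR are visible.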
Secondly, install the Diagnostic Agent with SWPM 1.0 SP32 (or higher)
Note 1680045 – Release Note for SWPM 1.0 (recommended: SWPM 1.0 SP32)
./sapinst SAPINST_EXECUTE_PRODUCT_ID=NW_DiagnosticsAgent:GENERIC.IND.PD
The Port of the JAVA SCS Instance is NOT the P4 or P4S Port; it is the internal SCS Port. Try not to skip this Phase, as the script smdsetup.sh later generates additional mismatches in the SMD configuration.
Connection Information for the Diagnostic Agent
the (internal) SCS Port of the SolMan JAVA Instance has 4 Digits
check the activated SAP JAVA Ports
server:dasadm > cd /usr/sap/DAS/SMDA98/script/
server:dasadm > stopsap r3
server:dasadm > ./smdsetup.sh sldconf hostname:"sapms://server.domain.ext" port:"51801" user:"SMD_RFC" pwd:"is!seCret" use_ssl:"true"
server:dasadm > ./smdsetup.sh managingconf hostname:"sapms://server.domain.ext" port:"51805" user:"SMD_RFC" pwd:"is!seCret"
server:dasadm > startsap r3
server:dasadm > ls -lart ../SMDAgent/log/
drwxr-xr-x 9 dasadm sapsys 4096 Oct 6 18:47 ..
-rw-r--r-- 1 dasadm sapsys 6992 Oct 6 18:48 dpc.0.log
-rw-r--r-- 1 dasadm sapsys 7658 Oct 6 18:48 eem.0.log
-rw-r--r-- 1 dasadm sapsys 4749 Oct 6 18:49 smd.0.connector.listener.log
-rw-r--r-- 1 dasadm sapsys 689 Oct 6 18:49 e2emai.0.log
-rw-r--r-- 1 dasadm sapsys 622 Oct 6 18:49 e2edcc_iis.0.log
drwxr-xr-x 2 dasadm sapsys 4096 Oct 6 18:49 .
-rw-r--r-- 1 dasadm sapsys 9688 Oct 6 19:37 SMDAgentApplication.0.log
-rw-r--r-- 1 dasadm sapsys 109497 Oct 6 21:04 e2edcc_host.0.log
-rwxr-xr-x 1 dasadm sapsys 166874 Oct 6 21:04 SMDSystem.0.log
-rwxr-xr-x 1 dasadm sapsys 530335 Oct 6 21:04 smdagent_trace.0.trc
-rw-r--r-- 1 dasadm sapsys 31169 Oct 6 21:04 e2edcc_db.0.log
-rw-r--r-- 1 dasadm sapsys 142068 Oct 6 21:04 e2edcc.0.log
# if you do not see all these files, then the script smdsetup.sh was executed incorrectly!
Check the SMD runtime properties for the correct SMD Agent Connection String
server:dasadm > more ../SMDAgent/configuration/runtime.properties
# correct the string, as the smdsetup.sh script creates wrong entries. These strings are correct.
# the P4 or P4S Port must be correctly defined, before you can use them
smd.agent.connection.url=ms\://server.domain.ext\:8019/P4
smd.agent.connection.url=p4s\://server.domain.ext\:51805
server:dasadm >
Optional Test, to see if the SAP Host Agent is “trustworthy”
/usr/sap/hostctrl/exe/sapcontrol -nr 99 -user "" "" -function ConfigureLogFileList add /tmp
Check in the Agent Administration that the Agent is available and you can trust the Agent.
https://server.domain.corp:5<nr>01/smd/AgentAdmin
/webdynpro/dispatcher/sap.com/tc~smd~server~agent~admin/SMDAgentAdminApplication
Connection Status – Agent Administration
If the Agent Administration cannot determine the Status, check the User/Passwords in the Agent Administration Application Tab.
com.sap.smd.agent.application.connectors
com.sap.smd.agent.application.global.configuration
Diagnostic Agents – Overview
Finally, the configuration should look like this (use the MSG Server Connection for the SolMan Configuration). With SolMan 7.1 SP14, you can switch to P4S (P4 SSL); keep in mind that this type of connection is not suitable for cluster installations.
Diagnostic Agent Connectivity – MS/P4
Diagnostic Agent Connectivity – P4 SSL
Diagnostic Administration successfully enabled
Advanced Agent Administration
Wiki – Diagnostics Agent and HA Support
Configure Agents on-the-fly for FRUN
Starting with SP 14 for SolMan 7.2, you can update the cipher suites with the elliptic curve algorithms ECDHE and ECDSA for outbound connections in SAP NetWeaver (NW) AS Java. The settings from the following Note are still possible; however, it is advisable to switch them to the new values – SSLContext.properties
Note 2708581 – ECC Support for Outbound Connections in SAP NW AS Java
Note 3144145 – How to support Elliptic Curve Algorithms in Diagnostics Agent
# edit the following file and add the lines to the existing entry
/usr/sap/DAS/SMDA98/SMDAgent/smdagent.properties
smdagent.javaParameters=-DP4ClassLoad=P4Connection -Xmx256m -Xms256m -XX:MaxPermSize=128m
-Djdk.tls.client.protocols="TLSv1.2"
-Diaik.security.ssl.configFile=file:/usr/sap/DAS/SMDA98/SMDAgent/SSLContext.properties
#
# edit the following file and uncomment the line
/usr/sap/DAS/SYS/exe/jvm/linuxx86_64/sapjvm_8.1.080/sapjvm_8/jre/lib/security/java.security
crypto.policy=unlimited
You can check the correct configuration after restarting the Diagnostic Agent Service in the Advanced Settings of the Agent Administration Web Page against an existing which supports the new cipher settings, e.g.
Check the SSL Context Properties with your Diagnostic Agent
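Before restarting the agent, the three file edits above can be verified with a script. This is an added example, not part of the original blog or of SAP tooling: it checks that jdk.tls.client.protocols is exactly TLSv1.2, that the file named by iaik.security.ssl.configFile exists, and that crypto.policy=unlimited is uncommented. Option and file names are taken from the article; the sample files are constructed.

```shell
#!/bin/sh
# Added example, not SAP tooling: file-level check of the TLS settings above.
# Option and file names are from the article; the sample paths are constructed.

# java_opt FILE NAME: print the value of the last -DNAME=... option in FILE
java_opt() {
    grep -v '^[[:space:]]*#' "$1" | sed 's/^[^=]*javaParameters=//' |
        tr -s ' \t' '\n\n' | sed -n "s/^-D$2=//p" | tr -d '"' | tail -n 1
}

# audit_agent_tls SMDAGENT_PROPERTIES JAVA_SECURITY: one finding per line
audit_agent_tls() (
    proto=$(java_opt "$1" jdk.tls.client.protocols)
    case $proto in
        TLSv1.2) ;;
        "") echo "jdk.tls.client.protocols is not set" ;;
        *) echo "jdk.tls.client.protocols is not exactly TLSv1.2: $proto" ;;
    esac
    cfg=$(java_opt "$1" iaik.security.ssl.configFile)
    cfg=${cfg#file:}
    if [ -z "$cfg" ]; then
        echo "iaik.security.ssl.configFile is not set"
    elif [ ! -r "$cfg" ]; then
        echo "SSLContext.properties not readable: $cfg"
    fi
    grep -q '^[[:space:]]*crypto\.policy[[:space:]]*=[[:space:]]*unlimited' "$2" ||
        echo "crypto.policy=unlimited is commented out or missing"
)

# Constructed sample: TLS 1.1 still allowed, config file absent, policy commented
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s %s %s\n' 'smdagent.javaParameters=-DP4ClassLoad=P4Connection -Xmx256m' \
    '-Djdk.tls.client.protocols="TLSv1.1,TLSv1.2"' \
    "-Diaik.security.ssl.configFile=file:$demo/SSLContext.properties" \
    > "$demo/smdagent.properties"
printf '#crypto.policy=unlimited\n' > "$demo/java.security"
audit_agent_tls "$demo/smdagent.properties" "$demo/java.security"
```

The constructed sample yields three findings; a file set that matches the article's settings yields none.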
Typical Error Messages assigned to this Task
com.sap.smd.agent.facade.hostagent.HostAgentNotAvailableException: HostAgent stub com.sap.smd.agent.wsclients.jax.saphostcontrol.SAPHostControlInterfaceexecuteOperation failed.
Exception: javax.naming.NoPermissionException:
Exception during getInitialContext operation. Wrong security principal/credentials. [Root exception is com.sap.engine.services.security.exceptions.BaseLoginException: Login failed.]
CX_SOAP_CORE : Error when calling SOAP Runtime functions:
SOAP-ENV:Serverjava.lang.NullPointerException: while trying to invoke the method javax.management.openmbean.CompositeData.get(java.lang.String) of a null object loaded from local variable 'point'java.lang.NullPointerException: while trying to invoke the method javax.management.openmbean.CompositeData.get(java.lang.String) of a null object loaded from local variable 'point'
P4 connection to Solution Manager Diagnostics (SMD) server failed
Connecting to SMD server ms://server.domain.ext:8019/P4 failed
Unable to create SSLContext because of KeyStore Exception java.security.UnrecoverableKeyException: Cannot recover key.)
Unable to open SSL connection to host "itsm.services.sap:443"
SAP Notes assigned to the Task/Topic (way too much “Jugend forscht”):
Note 1786051 – Configuration check for managed system returns “No FQDN found in Host”
Note 1799138 – Configuration check returns “The definition of Technical System ‘{SID}~{STACK}’ is not correct: ‘{SID}~{STACK}’ : Operating System ‘{OSName}’ of Host ‘{hostname}’ must have at least one Software Component Version” – SolMan
Note 1822831 – Web Service Soap Errors in solman_setup
Note 1862333 – Common Host Agent issues displayed in Agent Administration
Note 2183995 – Data Supplier Processing in SAP Solution Manager 7.2 in LMDB
Note 2187696 – CCMS agent disabled: AS Java System Overview gray lights
Note 2201640 – The definition of Technical System ‘<SID>~HANADB’ is not correct: ‘<SID>~HANADB’: Technical System must be installed on at least one Host.
Note 2414713 – The definition of Technical System <SID~TYPE> is not correct. No instance found under installed Technical System
Note 2436986 – Registration and Managed System Setup of SAP HANA in SAP Solution Manager
Note 2499629 – Manual activities in LMDB when switching the Outside Discovery by Diagnostic Agent to Outside Discovery by SAP Host Agent
Note 2554489 – Register AS ABAP system to SLD in RZ70 using HTTP connection with path prefix “/sld” doesn’t work
Note 2556432 – Switch Outside Discovery from Diagnostics Agent to SAP Host Agent
Note 2637838 – NWA “System Overview” shows grey lights and N/A status – Best Practices for Troubleshooting
Note 2836143 – How to directly register managed system to LMDB in SAP Solution Manager
Note 3054925 – Skip RFC connection error message in RZ70 when HTTP connection is maintained
Note 3073139 – SLD registration is deactivated due to incomplete calling parameters.
Note 3076443 – SAP Host Agent 7.22 PL53
Note 3090021 – Error ‘<SID>~ABAP’: Operating System ‘Linux~<version>’ of Host ‘<hostname>’ must have at least one Software Component Version
Note 3092345 – Define CA Introscope: wrong Diagnostics Agent
Note 2284059 – Update of SSL library within NW Java server
Note 2463712 – Diagnostics Agent TLS 1.2
Note 2538934 – Handshake is failing in AS Java when connecting to a server which only supports TLS_ECDHE ciphers
Note 2569156 – How to create, modify and validate SSLContext.properties file
Note 2616092 – System availability checks: Unable to open SSL connection to host “host:port”. KeyStore
Note 2708581 – ECC Support for Outbound Connections in SAP NW AS Java
Note 2817129 – The Diagnostic Agent continues to use TLS 1.1 even with the TLS 1.2 set in the parameters
Note 2893335 – AS Java TLS handshake failure – unsupported extension
Note 2849162 – Enable the Diagnostics Agent to Support Additional SSL Cipher Suites for IAIK-based Connections
Note 2951143 – java.lang.SecurityException: The jurisdiction policy files are not signed by the expected signer!
Roland Kramer, SAP Platform Architect for Intelligent Data & Analytics, SAP SE
@SAPFirstGuidance
“I have no special talent, I am only passionately curious.”