The Onapsis Blog

Changing Properties in SAP NetWeaver Java

This blog post explains the different types of properties that exist in an SAP NetWeaver for Java system, and how the configuration hierarchy differs between release versions. It also presents the SAP-provided tools for modifying Java properties, with a short description of how to access and use each one. Finally, it gives a set of recommendations for changing each type of property, depending on the SAP NetWeaver version and the system state.

Different Types of Java Properties

System Properties

System properties in an SAP NetWeaver Java system are all the properties related to the underlying configuration, such as the Kernel and Services modules and the JVM parameters, including memory management. Any specific configuration for Java applications also falls into this category. In short, the system properties control the configuration of the architecture and of the applications running in the system.

Examples of key system properties:

  • Service: servlet_jsp. Property: EnableInvokerServletGlobally
  • JVM: debuggable
  • Kernel: MaxThreadCount

UME Properties

This type of property is related to the User Management Engine (UME), which centralizes the administration of system users created in different data sources, for example an LDAP directory or an SAP NetWeaver ABAP database, as well as the SAP NetWeaver Java database. The UME is integrated with the rest of the system as a service and can therefore be administered with the same administration tools.

The following image illustrates the UME architecture. Individual Persistence Adapters are used to communicate with each of the different data sources.

[Figure: UME architecture]

There are several configuration aspects covered by UME properties:

  • User administration: mainly administration tasks.
  • Security settings: such as a password policy.
  • Self-service scenarios
  • Security logging
  • etc.

UME properties are part of the service com.sap.security.core.ume.service as well.

Changes in SAP Architecture

Both types of properties can be defined on different hierarchy levels. There are a few differences in SAP architecture, depending on the NetWeaver version.

SAP NetWeaver 7.0X

There are only two levels of configuration: Global and Instance. Each level is divided into Dispatcher and Servers categories. Every property has a Default value and might have a Custom value. The Default value applies unless the user sets a Custom value, in which case the Custom value becomes the value of the property at that level. The Instance configuration inherits from the Global configuration.

SAP NetWeaver 7.10 and Higher

A new level, Template, is added to the configuration hierarchy between Global and Instance levels.

The active values of lower levels are inherited from the default or custom values set on upper levels. A unique custom value may be set at any level, breaking the inheritance from above, while continuing inheritance of the new value below.

It is possible to have more than one template with different configurations but just one will be active, and will be the one used by all the instances in the system. Also, in this architecture, there is no differentiation between Dispatcher and Server on each level. The Default and the Custom values are still present and work the same as before: the Default value of the property is used unless overridden by a Custom value.
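The inheritance rule described above can be made concrete with a small resolver. This is an added example, not code from SAP or from the original post: the data model (a dictionary of shipped defaults plus Custom values per level), the instance names and the review baseline are all assumptions made for illustration.

```python
# Added example: resolving the active value of a property in the
# NetWeaver >= 7.10 hierarchy (Global -> Template -> Instance).
# The data model and all sample values are constructed for illustration.

def effective(prop, cfg, instance):
    """Return (value, origin) of prop as seen by one instance.

    cfg["defaults"] holds shipped Default values; cfg["custom"] maps a level
    ("global", "template", or an instance name) to its Custom values.
    """
    value, origin = cfg["defaults"].get(prop), "default"
    # Walk from the upper to the lower level: each Custom value replaces
    # what was inherited and is passed on to the levels below.
    for level in ("global", "template", instance):
        custom = cfg["custom"].get(level, {})
        if prop in custom:
            value, origin = custom[prop], level
    return value, origin

def audit(cfg, instances, baseline):
    """List (instance, prop, value, origin) where the active value differs from the baseline."""
    findings = []
    for inst in instances:
        for prop, expected in baseline.items():
            value, origin = effective(prop, cfg, inst)
            if value != expected:
                findings.append((inst, prop, value, origin))
    return findings

# Constructed sample: the active template is hardened, but one instance
# carries its own Custom value that breaks the inheritance.
SAMPLE = {
    "defaults": {"EnableInvokerServletGlobally": "true", "debuggable": "no"},
    "custom": {
        "template": {"EnableInvokerServletGlobally": "false"},
        "ID12345": {"EnableInvokerServletGlobally": "true"},
    },
}
# Assumed review baseline (not taken from the post).
BASELINE = {"EnableInvokerServletGlobally": "false", "debuggable": "no"}

if __name__ == "__main__":
    for row in audit(SAMPLE, ["ID12345", "ID67890"], BASELINE):
        print(row)
```

A review that reads only the Template value would report this sample as compliant; resolving per instance shows that ID12345 still runs with its own Custom value and names the level where the change has to be made.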

Changing Properties in Different NetWeaver Versions Depending on Their Type

There are several links to SAP documentation and forums which recommend different methods to change properties in a Java system, depending on their type (System or UME property), the SAP NetWeaver version and the status of the system (online or offline). The following section summarizes all that information to provide more transparency into using the right tool under the given conditions.

SAP Provided Tools

There are different tools provided by SAP for changing both System and UME properties:

  • The well-known configtool (Configuration Tool) is used to make modifications when the system is offline. It is also capable of changing the Global Cluster configuration. The configtool script is located in the folder:
    • <SAP_install_dir>/<system_name>/<instance_name>/j2ee/configtool
  • The NetWeaver Administrator is a tool for administering, configuring and monitoring the system. It is also the preferred method for modifying System properties when the system is online. It is accessed with a web browser at the URL:
    • http(s)://<AS_Java_hostname>:<http(s)_port>/nwa
  • The User Management is a dedicated application for administering the UME when the system is online. It is integrated in the SAP NetWeaver Administrator (NWA) and in the SAP NetWeaver Portal (NWP), but it can also run as a stand-alone (UM) application. Each flavor has its own way to access User Management:
    • NWA: http(s)://<AS_Java_hostname>:<http(s)_port>/nwa/identity. Choose (User Management) Configuration and open the Expert Mode.
    • NWP: http(s)://<AS_Java_hostname>:<http(s)_port>/irj. Choose System Administration → System Configuration → UME Configuration.
    • UM: http(s)://<AS_Java_hostname>:<http(s)_port>/useradmin. Choose (User Management) Configuration.

Changing System Properties Online

As explained before, the hierarchy of the properties differs depending on the SAP NetWeaver version. The SAP-provided tools have also changed in appearance and functionality.

The NetWeaver Administrator is used in both architectures to change System properties when the system is online, but the path to the “System Properties” functionality is different:

  • In SAP NetWeaver 7.0x: ‘NWA > Configuration > System Properties’

It is not possible to change JVM properties from there, only Kernel and Services properties. For each property the current value is displayed, but all the values defined in the hierarchy can be shown by pressing the “Display All Values” button.

  • In SAP NetWeaver >= 7.10: ‘NWA > Configuration > Infrastructure > Java System Properties’

This version of the NWA allows changes at Template and Instance level but not at Global level. Additional properties, as well as the “Filters” and “Shared tables” tabs, are shown after clicking the “Show Advanced Properties” button. Properties can be added, removed or modified with the respective buttons, and the Custom value of a property can be reverted to its Default value with the “Restore Default” button.

There is a special column, “Changeable”, which indicates that the property can be changed online and that the change will take effect immediately.

Even though the SAP NetWeaver Administrator allows System properties to be changed while the system is online, some of them will take effect only after the system is restarted.

Changing UME Properties Online

  • In SAP NetWeaver 7.0x: Use the NWA as explained in the previous section. UME properties are part of the service com.sap.security.core.ume.service and should only be modified at Global level. A system restart is required after the modifications.
  • In SAP NetWeaver >= 7.10: for these versions there are two different tools that can be used.
    • The first one is the expert mode of the User Management tool (this blog post only shows the access through the NWA). A pop-up will appear with a list of all the UME properties existing in the system with their Global value.
    • The second tool is the NWA, in the service com.sap.security.core.ume.service. SAP recommends setting all the UME properties at Global level to avoid inconsistencies with users, but there might be some cases where it is possible to set different properties at Instance level. As explained in the previous section, there is a flag to indicate if the property is dynamic or not.

Even though the SAP NetWeaver Administrator and the User Management allow UME properties to be changed while the system is online, some of them will take effect only after the system is restarted.

Changing Properties Offline

Finally, there is a tool that works mostly the same way in all SAP NetWeaver versions and that is used when the system is offline: the Configtool. The Configtool is a standalone Java program that is present in every SAP system and is started from the OS.

Once it is open, it shows a tree with the same structure displayed in the NetWeaver Administrator, which differs depending on the NetWeaver version. The same recommendations about the hierarchy level at which to make changes must be followed. Once the system is started, all the changes made in the Configtool will take effect.

Conclusion

There are two types of properties: System and UME. The SAP NetWeaver architecture also differs between versions, and different tools are used to change each property accordingly. The following chart summarizes which SAP tool to use to change each type of property depending on the NetWeaver version and the state of the system:

[Figure: chart of the SAP tool to use by property type, NetWeaver version and system state]

Each aspect of the table has been explained throughout this blog post.

There are around 40 modules in OP that check for different Java properties and run against all NetWeaver versions. OP takes into account the hierarchy of each system architecture and the precedence of the property values in order to get only the current value for each one, regardless of the method that was used to set it.
