Tuesday, August 30, 2022

Common Connectivity Issues: SAP Logistics Business Network – Freight Collaboration and SAP S/4HANA

 

Introduction

Customers trying to connect with SAP Logistics Business Network Freight Collaboration (LBN FC) from their SAP S/4HANA backend system or SAP Transportation Management often face several connectivity issues. These B2B integration errors are mostly due to misconfigurations either at LBN or at the SAP S/4HANA backend system. This blog tries to capture the common connectivity errors we see customers run into when trying to connect to/from LBN using B2B SOAP messages from/to their backend system. For the sake of simplification, we’ll consider all backend systems as SAP S/4HANA in this blog.

Issue Index

The issues covered in this blog are listed below.

Inbound to LBN (S/4HANA to LBN)

1. Missing LBN Id in PreferredCarrierParty (StandardID with schemaAgencyId=310 and schemeID=LBN)
2. Relationship of Ordering Party (shipper) LBN Id: 1001000XXXX and Carrier Party LBN Id: 1001000YYYYY has not yet been established
3. Ordering Party LBN Id could not be validated
4. SSL Handshake Error

Outbound from LBN (LBN to S/4HANA)

1. java.lang.NullPointerException: while trying to invoke the method java.lang.CharSequence.length() of a null object loaded from field java.util.regex.Matcher.text of an object loaded from local variable ‘this’
2. 401 Unauthorized
3. 503 Service Unavailable – There is no SAP Cloud Connector (SCC) connected to your subaccount
4. 403: Forbidden when communicating with S/4 Services
5. Response was of unexpected text/html ContentType
6. Invalid SOAP Envelope name
7. 405 Method Not Allowed
8. org.apache.cxf.binding.soap.SoapFault: Server Error
9. org.apache.cxf.binding.soap.SoapFault: Authorization missing for service

Pre-Requisites

You’ve established connectivity between LBN and your backend SAP S/4HANA. You can follow LBN Application Help or the other blogs published to achieve the same.

Identifying the error

The following diagrams depict the various integration possibilities between LBN and the customer’s backend system for inbound and outbound communications. This blog talks about the possible error scenarios in these connections. Since we deal with a minimum of 3 systems – SAP S/4HANA or SAP PI/PO, SAP Cloud Connector, SAP LBN – we can assume that there’s a configuration error at one of these places whenever you come across an error.

[Figure: Inbound to LBN]

[Figure: Outbound from LBN]

How do you keep track of the message flow in each system? Use the following monitoring tools to check the status of a message in each system.

  1. Tcode – SXI_MONITOR in SAP S/4HANA and SAP PI/PO system if you’re using Option 1 for inbound/outbound communication.
  2. In the SAP PI/PO system, there’s an additional Java system used for integration. Check the message monitor there as well: Start Integration Builder -> Configuration and Monitoring Home -> Message Monitor. Even if the messages completed in the previous step but are not found in LBN’s Message Integration Logs (or vice versa), you can check here for more details.
  3. Tcode – SRT_MONI in SAP S/4HANA system if you’re using Option 2 or 3 (direct SOAMANAGER configuration)
  4. Monitoring tool of the intermediate integration system if you’re using Option 2.
  5. Manage Integration Logs in LBN to check the logs in LBN integration System. This app is available for both shipper and carrier and the relevant parties involved in a message can see it in their app.
  6. Monitor tab in the subaccount added in your cloud connector for outbound from LBN

In the inbound scenario, if the messages are not triggered out of the system and you can’t find them in the srt/sxi monitor, the issue is within the TM configurations. Please check the configurations that need to be maintained for each service, as documented in LBN Application Help or the consolidated SAP Note for LBN customers. Listing them below:

If the messages are successfully sent out of S/4HANA and not received in LBN, you can check the Manage Integration Logs for error details. If the error is not self-explanatory, you can check this blog or reach out to LBN team via incidents.

For the outbound scenarios, a general rule of thumb is: if the error is thrown from your backend S/4HANA system and the message can be tracked in the cloud connector logs, it’s usually a pending configuration issue.

Common Connectivity Issues

Inbound to LBN (S/4HANA -> SAP LBN)

If the messages are successfully sent out of S/4HANA and not received in the LBN tenant, you can check for the error in the Manage Integration Logs app. Please note that if the message payload doesn’t contain the shipper LBN Id, the shipper customer won’t be able to see any error at all. Issues related to authentication can’t be seen in LBN either; for those you need to check the logs in your backend srt/sxi monitors to get the actual error. You should find the errored messages and the detailed logs in the Manage Integration Logs app as shown below:

[Figure: MIL Overview app]

[Figure: MIL Detailed View]

1. Missing LBN Id in PreferredCarrierParty (StandardID with schemaAgencyId=310 and schemeID=LBN)

Inbound processing in endpoint at /lbn/b2b/soap/v1 failed with message “Fault:javax.script.ScriptException: java.lang.Exception: java.lang.IllegalStateException: Missing LBN Id in PreferredCarrierParty (StandardID with schemaAgencyId=310 and schemeID=LBN)@ line 261 in AnalyzeInboundMessage.groovy”, caused by “IllegalStateException:Missing LBN Id in PreferredCarrierParty (StandardID with schemaAgencyId=310 and schemeID=LBN)”

This error is quite self-explanatory. As the name suggests, LBN can’t find a carrier LBN Id maintained in the payload. In the case of a B2B message, LBN expects the carrier to be sent in the MessageHeader. In an A2A message such as tracking, the LBN Id is expected to come within the carrier placeholder.

2. Relationship of Ordering Party (shipper) LBN Id: 1001000XXXX and Carrier Party LBN Id: 1001000YYYYY has not yet been established

Inbound processing in endpoint at /lbn/b2b/soap/v1 failed with message “Fault:javax.script.ScriptException: java.lang.Exception: java.lang.IllegalStateException: Relationship of Ordering Party (shipper) LBN Id: 1001000XXXX and Carrier Party LBN Id: 1001000YYYY has not yet been established@ line 134 in SetMessageHeaderExchangePropertyPartnerDirectory.groovy”, caused by “IllegalStateException:Relationship of Ordering Party (shipper) LBN Id: 1001000XXXX and Carrier Party LBN Id: 1001000YYYY has not yet been established”

3. Ordering Party LBN Id could not be validated

Fault:javax.script.ScriptException: java.lang.Exception: java.lang.IllegalStateException: Ordering Party LBN Id could not be validated. Check the PID: 69dc489f-8afd-4129-9966-c712a1822edd and Ordering Party LBN Id: 1001000XXXX@ line ZZZ in SetMessageHeaderExchangePropertyPartnerDirectory.groovy”

LBN authenticates inbound SOAP messages using the client certificate uploaded in shipper’s System Connections app. LBN maintains a mapping between the client certificate and the shipper LBN id in the integration layer. The above validation error is thrown when customers are trying to send a message to LBN using another certificate configured for a different shipper LBN tenant (almost always this is when customers try to re-use a single certificate for their multiple shipper tenants or a misconfiguration at the backend for test and production tenants).

4. SSL Handshake Error

This issue generally occurs when the new SSL client created by the customer is missing the LBN integration system’s root certificates (Option 3 in the Inbound Communication diagram).
For the other inbound connection scenarios as well (Option 1 and 2), you can use the above blog to fetch the root certificates and update your PI system/intermediate integration system.

Outbound from LBN (SAP LBN -> S/4HANA)

1. java.lang.NullPointerException: while trying to invoke the method java.lang.CharSequence.length() of a null object loaded from field java.util.regex.Matcher.text of an object loaded from local variable ‘this’

java.lang.NullPointerException: while trying to invoke the method java.lang.CharSequence.length() of a null object loaded from field java.util.regex.Matcher.text of an object loaded from local variable ‘this’
This occurs when the shipper hasn’t maintained a Destination Detail for the specific service interface or the ‘Default’ interface in the System Connections application. Once it is maintained, this issue should be resolved.

2. 401 Unauthorized

org.apache.cxf.interceptor.Fault: Could not send Message., cause: org.apache.cxf.transport.http.HTTPException: HTTP response ‘401: Unauthorized. <InvalidClientException><error>invalid_client</error><error_description>The client certificate is not configured in a service key of a Process Integration Runtime service instance. Client certificate: &apos;xxx

This specific error occurs when the customer chooses to authenticate the outbound calls from LBN to their intermediate integration system using the client certificate that’s provided by SAP LBN, the certificate has expired, and the shipper hasn’t updated it yet. Once it is updated, this issue should get resolved.

The client certificate is provisioned by LBN’s integration system and usually has a validity of one year or less. LBN informs customers using the Cloud System Notifications for all product alerts. Customers need to subscribe to this in order to receive such notifications. We have also published a blog on how to update certificates if you’re using SAP Cloud Integration (SAP CPI) as the intermediate integration system. There’s also a new feature in LBN where customers can authenticate the calls to the intermediate integration system using Basic authentication. This helps the customer avoid the trouble of updating the certificate every year. Linking all this information below:

3. 503 Service Unavailable – There is no SAP Cloud Connector (SCC) connected to your subaccount

org.apache.cxf.interceptor.Fault: Could not send Message., cause: org.apache.cxf.transport.http.HTTPException: HTTP response ‘503: Service Unavailable. There is no SAP Cloud Connector (SCC) connected to your subaccount. Requested opening of a tunnel for subaccount &quot;a46089868&quot; and SCC location ID &quot;LBN_S4_LocationID&quot;. Check the configuration on SCC and cloud side.’ when communicating with https://ADDRESS_IS_SET_VIA.HEADER

Usually 503 Service Unavailable issues are related to cloud connector misconfigurations. Cloud connector is an SAP solution that enables customers to facilitate inbound and outbound communications from their On-Premise ABAP systems with SAP’s own cloud solutions.

LBN uses the cloud connector to integrate outbound calls from LBN to the customer’s SAP backend systems. In order to facilitate this, customers should add LBN’s integration subaccount (a46089868) in their cloud connector instance. This is because we use a common integration system to communicate to all the customers. This is clearly mentioned in the shipper admin guide and connectivity blog published (Step 6.2).

Customers often get confused and add their LBN shipper tenant subaccount, which results in a 503 service unavailable. Please follow the above blog and first maintain the configuration in System Connections app and then follow the steps to add LBN integration subaccount in your cloud connector. Once you add your S-User in System Connections app (Outbound from Network -> Configure Connections), LBN will add this S-User in our integration system’s sub-account with the necessary roles. This enables the S-User to add LBN’s integration sub-account in the customer’s cloud connector.

Please ensure that the S-User you’re using in System Connections and the one used for adding the LBN integration sub-account in your cloud connector are the same.

[Figure: Cloud Connector Configuration in System Connections]
[Figure: Adding LBN integration system sub-account in customer cloud connector]

4. 403: Forbidden when communicating with S/4 Services

Type – 1: org.apache.cxf.interceptor.Fault: Could not send Message., cause: org.apache.cxf.transport.http.HTTPException: HTTP response ‘403: Forbidden. Access denied to resource /sap/bc/srt/xip/scmtms/torci/400/transportationorderconfirmation/transportationorderconfirmation_in on system xxxx-yy.zzzz.test:8001. In case this was a valid request, ensure to expose the resource correctly in your cloud connector.’ when communicating with https://ADDRESS_IS_SET_VIA.HEADER

Type – 2: org.apache.cxf.interceptor.Fault: Could not send Message., cause: org.apache.cxf.transport.http.HTTPException: HTTP response ‘403: Forbidden’ when communicating with http://xxxx-yy.zzzz.test:8001/sap/bc/srt/xip/scmtms/torci/400/transportationorderconfirmation/transportationorderconfirmation_in?MessageId=BF636364-1677-49BC-9721-66F4CE4C9D85

Type-1 is mostly an issue with the Cloud Connector configuration. Type-2 could be either a configuration issue or simply a case of the technical user used for authentication not having the necessary roles.
  • Type-1: The failure is at the cloud connector, because the necessary resources are not exposed. In such cases we get the error shown above. Check that all the steps mentioned in this note have been maintained correctly by the customer: https://launchpad.support.sap.com/#/notes/0002473005 – this is the configuration in Cloud Connector to maintain ‘Path and All Sub-Paths’.
  • Type-2: In the SOAMANAGER configuration for the inbound service (Option 3 in the Outbound from LBN diagram), if the transport level security is maintained as ‘SSL’, ensure that the HTTPS port is used for the connection in the Cloud to On-Prem configuration in your Cloud Connector.
    [Figure: SOAMANAGER Inbound Service Config]
    Use the virtual host name and port number of the HTTPS host in Cloud Connector when creating the destination detail in the System Connections application (the protocol in the destination detail ‘System Url’ can be ‘http’; just ensure that the host name and port are those of the HTTPS host in Cloud Connector). Additional points:

    • The customer can also use the ‘None (http)’ security. In that case the HTTP port should be configured in System Connections and Cloud Connector.
    • You can use the SMICM tcode to get the host and port number for the Cloud Connector and System Connections (shipper) configurations. In SMICM, Goto -> Services.
  • Useful transactions in S/4 to debug the authorization errors: ST01, STAUTHACCESS, SU53.

5. Response was of unexpected text/html ContentType

org.apache.cxf.interceptor.Fault: Response was of unexpected text/html ContentType. Incoming portion of HTML stream: (none)

The issue could be a typo in the service endpoint, especially when other document types are getting forwarded correctly to the same S/4HANA backend. (You can confirm this by checking whether communication to other service interfaces in the system is working in Manage Integration Logs.)

Compare the path URL maintained in your SOAMANAGER or PI system with the System URL maintained in the Destination Detail in the System Connections app.

[Figure: Access URL from SOAMANAGER configuration]

6. Invalid SOAP Envelope name

org.apache.cxf.binding.soap.SoapFault: Invalid SOAP Envelope name

In the destination detail in the System Connections app, the customer must have maintained the SOAP binding URL and not the actual service interface URL (from the SOAMANAGER transport binding for the path and SMICM/Cloud Connector for the host).

This is where you’ll find the SOAP binding URL. THIS IS THE INCORRECT CONFIG. PLEASE CHECK BELOW FOR THE CORRECT CONFIGURATION.

[Figure: SOAP Binding]

[Figure: SOAP Binding URL]

FOLLOWING IS THE CORRECT CONFIGURATION

Instead, this should be taken from the Cloud Connector for the host and from SOAMANAGER binding -> Transport Settings for the path URL.

[Figure: Binding]
[Figure: Binding URL]

7. 405 Method Not Allowed

org.apache.cxf.binding.soap.SoapFault: Error writing to XMLStreamWriter., cause: java.io.IOException: Unable to tunnel through proxy. Proxy returns “HTTP/1.1 405 Method Not Allowed”

This is most likely a caching issue, and a restart of ICM should resolve it.
PLEASE CONSULT WITH YOUR BASIS TEAM BEFORE DOING THIS STEP.

Go to transaction SMICM
Administration -> ICM -> Exit Soft -> Global

8. org.apache.cxf.binding.soap.SoapFault: Server Error

org.apache.cxf.binding.soap.SoapFault: Server Error

This mostly comes up when customers use an intermediate SAP PI/PO system between LBN and the S/4HANA system.

Check whether connectivity to the PI system is achieved for other message types (by checking in Manage Integration Logs). If other message types configured to the same destination URL are successful (compare the URLs of the Completed and Escalated scenarios), the following is the most probable scenario:
This is most likely an issue at the customer’s PI system. For example, the ESR message repository in the SAP PI system might not have this payload, because the customer missed importing it into their production landscape. The SOAP message type is not present in the directory of the SAP PI system, hence the failure.

9. org.apache.cxf.binding.soap.SoapFault: Authorization missing for service

org.apache.cxf.binding.soap.SoapFault: Authorization missing for service “http://sap.com/xi/TMS/Global TransportationOrderConfirmation_In”, operation “TransportationOrderConfirmation”; more details in the web service error log on
provider side (UTC timestamp 20220822100416; Transaction ID eafeb020846549c98c35b7e8ef60cb85)
The technical user used for authentication doesn’t have the necessary roles. If the customer has another tenant-backend system setup already working, ask them to check and compare the roles.
Check SU53 for authorization errors
PFCG – Check the roles for the technical user and see if you can find the services.
SU56 – Check if the user buffer is valid for the technical user. If invalid, fix the same.
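
The outbound error texts above can be sorted mechanically into "what to check first". The following is an added example, not SAP code: it classifies error texts copied from Manage Integration Logs and pulls out the values to compare against your configuration. The function name, the rule labels and the scc_subaccounts input are assumptions made for illustration.

```python
import html
import re
from urllib.parse import urlsplit

# (issue, what to check first per the sections above, pattern). First match
# wins, so the detailed 403 (Type-1) is listed before the bare 403 (Type-2).
RULES = [
    ("503 no SCC connected", "Cloud Connector subaccount and location ID",
     r'503: Service Unavailable.*?subaccount "(?P<subaccount>\w+)"'
     r'.*?location ID "(?P<location_id>\w+)"'),
    ("403 Type-1", "resources exposed in Cloud Connector",
     r"403: Forbidden\. Access denied to resource (?P<resource>\S+) "
     r"on system (?P<system>\S+?)\. "),
    ("403 Type-2", "SOAMANAGER security vs. port, technical user roles",
     r"403: Forbidden(?:\W+when communicating with (?P<url>https?://\S+))?"),
    ("401 Unauthorized", "LBN client certificate at the integration system",
     r"401: Unauthorized(?:.*?<error>(?P<error>\w+)</error>)?"),
    ("wrong System URL", "System URL in Destination Detail",
     r"(?P<symptom>unexpected text/html ContentType|Invalid SOAP Envelope name)"),
    ("Authorization missing", "technical user roles (SU53, PFCG, SU56)",
     r"Authorization missing for service \W(?P<service>.+?)\W, "
     r"operation \W(?P<operation>\w+)"),
]

def triage(log_text, scc_subaccounts=None):
    """Classify one error text. scc_subaccounts (hypothetical input) lists the
    subaccounts already added in the customer's Cloud Connector."""
    text = html.unescape(log_text)  # logs may carry &quot; / &apos; entities
    for issue, check_first, pattern in RULES:
        m = re.search(pattern, text, re.S)
        if not m:
            continue
        details = {k: v for k, v in m.groupdict().items() if v}
        if "url" in details:  # bare 403: show the host and port LBN called
            u = urlsplit(details.pop("url"))
            details.update(host=u.hostname, port=u.port, path=u.path)
        if scc_subaccounts is not None and "subaccount" in details:
            details["subaccount_in_scc"] = details["subaccount"] in scc_subaccounts
        return issue, check_first, details
    return "unclassified", "Manage Integration Logs, then an LBN incident", {}

# Constructed samples, shortened from the messages quoted in this blog.
SAMPLES = [
    "HTTP response '503: Service Unavailable. There is no SAP Cloud Connector "
    "(SCC) connected to your subaccount. Requested opening of a tunnel for "
    "subaccount &quot;a46089868&quot; and SCC location ID &quot;LBN_S4_LocationID&quot;.",
    "HTTP response '403: Forbidden. Access denied to resource /sap/bc/srt/xip/"
    "scmtms/torci/400/x_in on system xxxx-yy.zzzz.test:8001. In case this was",
    "HTTP response '403: Forbidden' when communicating with "
    "http://xxxx-yy.zzzz.test:8001/sap/bc/srt/xip/scmtms/torci/400/x_in?MessageId=1",
]

for sample in SAMPLES:
    print(triage(sample, scc_subaccounts=["my_shipper_subaccount"]))
```

For the 503 sample, subaccount_in_scc comes back False: the Cloud Connector in this constructed case only has the shipper tenant subaccount, which is the mix-up described in issue 3.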

Conclusion

This blog attempts to capture some of the common connectivity issues that arise when trying to connect between SAP S/4HANA or SAP Transportation Management and SAP LBN. Let us know if this helped you gain some insight into the errors that you face. If there are any additional error types that you want captured, do mention them in the comments. We’ll try to update the blog with them.


Source: https://blogs.sap.com/2022/08/24/common-connectivity-issues-sap-logistics-business-network-freight-collaboration-and-sap-s-4hana/
