SAP TechEd 2006 - Day 3
I went to five sessions today:
Session: Designing a Web Infrastructure for a SAP Netweaver Platform
Session: Web Page Composer: A New Way to Create and Publish Web Pages in the Portal
Session: SAP Corporate Portal as an Example for a Company Wide Intranet
Session: SPNego Login Module for Windows Integrated Authentication
Session: Undocumented KM Tips & Tricks
Beware: The following are hastily-typed stream-of-consciousness notes written in 15-minute spaces between sessions.
Session: Designing a Web Infrastructure for a SAP Netweaver Platform
Some of this session was common to the session on improving WAN performance from Wednesday, but went into useful architectural detail that will be useful for our internal project. There was good detail on the configuration and use of the Apache web server (v2.2) as an application gateway and reverse proxy for an external-facing Netweaver solution, forwarding traffic on to a SAP Web Dispatcher in the DMZ and from there on to the Portal. There were useful security tips, such as only forwarding URLs with /irj, /portal and /webdynpro in them, thus not giving external access to /nwa - the Netweaver Administrator. I also made contact with the architect of Netweaver Applications over WAN, so I can follow up this technology for potentially delivering high performance SAP access over WAN lines to our offices in Malaysia and the USA. Other useful hints included the idea of a terminal server in the DMZ for very low bandwidth connections.
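An added example (not from the session or from SAP): a Python check that audits reverse-proxy access-log lines against the three forwarded prefixes mentioned above, normalising each path first so the check sees what the back end would resolve. The log lines are constructed samples, the function names are hypothetical, and treating 403/404 as "refused at the proxy" is an assumption.

```python
import posixpath
import re
from urllib.parse import unquote

# Prefixes the session recommended forwarding; everything else (e.g. /nwa) stays internal.
ALLOWED_PREFIXES = ("/irj", "/portal", "/webdynpro")

# Request line and status inside an Apache common/combined log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+" (?P<status>\d{3})')

# Constructed sample log lines (documentation IP range, invented timestamps).
SAMPLE_LOG = [
    '198.51.100.7 - - [19/Oct/2006:10:01:02 +0200] "GET /irj/portal HTTP/1.1" 200 5120',
    '198.51.100.7 - - [19/Oct/2006:10:01:05 +0200] "GET /webdynpro/dispatcher/app HTTP/1.1" 200 900',
    '198.51.100.9 - - [19/Oct/2006:10:02:11 +0200] "GET /nwa HTTP/1.1" 403 210',
    '198.51.100.9 - - [19/Oct/2006:10:02:15 +0200] "GET /irj/%2e%2e/nwa HTTP/1.1" 401 0',
    '198.51.100.9 - - [19/Oct/2006:10:02:19 +0200] "GET /portal-admin HTTP/1.1" 200 77',
]


def normalise_path(target: str) -> str:
    """Reduce a request target to the path the back end would resolve."""
    path = target.split("?", 1)[0]          # drop the query string
    for _ in range(2):                      # decode twice to catch double encoding
        path = unquote(path)
    path = path.replace("\\", "/")
    # Force a single leading slash, then collapse '//' and resolve '.' / '..'.
    return posixpath.normpath("/" + path.lstrip("/"))


def is_allowed(target: str) -> bool:
    """True only if the normalised path sits under an allowed prefix (case-sensitive)."""
    path = normalise_path(target)
    # Match on a segment boundary so /irjx or /portal-admin do not pass as /irj or /portal.
    return any(path == p or path.startswith(p + "/") for p in ALLOWED_PREFIXES)


def audit(log_lines):
    """Return (normalised path, status) for requests outside the allowlist that were not refused."""
    findings = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        status = int(match.group("status"))
        target = match.group("target")
        # Assumption: 403/404 means the proxy refused the request itself.
        if not is_allowed(target) and status not in (403, 404):
            findings.append((normalise_path(target), status))
    return findings


if __name__ == "__main__":
    for path, status in audit(SAMPLE_LOG):
        print(f"forwarded outside allowlist: {path} (status {status})")
```

Any finding means the gateway rules are matching on the raw URL or on a loose prefix rather than on the resolved path.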
Session: Web Page Composer: A New Way to Create and Publish Web Pages in the Portal
This was more of a preview session than anything else, as the feature will not be available until NW04 SP20 (NW04s SP12), but this takes the basic capabilities offered by KM and makes them usable to deliver proper websites. Essentially, this is the technology used to produce the SAP Developer Network site (http://www.sdn.sap.com), but could also be very useful for companies looking for an intranet or internet solution, which to be honest is a bit of a stretch for KM on its own at the moment. Highlights include a WYSIWYG page composer - content elements from KM can be dragged and dropped onto a page composition template, and the resulting page can be published with a single static URL - which makes indexing by Google that much easier. Use of the light framework page also means that the browser back/forward buttons work correctly. It’s a shame we’re going to have to wait for a while to be able to play with it, as several customers I can think of could use this right now, and have been looking for something like this from SAP for a while.
Session: SAP Corporate Portal as an Example for a Company Wide Intranet
SAP are eating their own dogfood! SAP have had their own portal, based on a customised version of NW04(s?) for about a year now. The business case was easy - it was virtually mandated from the top. The customisations they’ve had to make are going to be contributed to the mainstream product. User data comes from CUA and HR, and initial role assignment also comes from HR, though users (through personalisation) can select certain roles for themselves - for example, they can choose their own region and business unit to be changed from the default. This is nice, and reflects the open culture in SAP (and indeed, on our own - non-SAP - intranet we can browse to see what other countries and business units are up to). To support 40,000 users 24/7, they have some serious hardware split across 2 data centres, and about as many boxes dedicated to TREX search as are in the rest of the solution. There is a lot of use of Collaboration Rooms, seen as fairly dynamic short-term content; anything of particular use can be taken from a Collaboration and moved into the more managed space of global KM content.
Interestingly, ESS and MSS is presented through the portal using the fancy new icon-based pages to get to the services - but the actual services themselves are still done old-skool using SAP GUI for HTML (Web GUI) - Manager’s Desktop, etc.
Session: SPNego Login Module for Windows Integrated Authentication
Bad news: IISProxy for Windows-integrated authentication (i.e. single sign-on from Windows into the Portal) is being retired in December. The good news is that there is a replacement technology which does not require a Windows server in the landscape (so maybe you can repurpose that IISProxy server as a Duet server…).
The new system works as a JAAS Login Module on the Netweaver Java AS. Users must not only be logged into a domain, but need to be connected to it at the time of authentication - in other words, simply logging on to a disconnected workstation using cached credentials won’t do the job. On the initial HTTP request, a 401 “Not authorised” message comes back, which prompts the browser (IE, or Firefox with a plugin - not supported) to ask the domain controller for a double-encrypted authentication token for the web server in question. The browser decrypts one layer, and sends the result back to the J2EE server where it checks the token against the domain controller using the Kerberos protocol (port 81, UDP). On authentication success, the user information is pulled from the AD server as usual over LDAP (port 389). Other user stores (ABAP, other LDAPs) are supported “on request”.
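An added example, not code from the session or from SAP's login module: a Python sketch of the server side of the exchange described above, issuing the `WWW-Authenticate: Negotiate` challenge and classifying the token the browser sends back. The function names and sample tokens are constructed for illustration; the header names, the NTLMSSP signature and the mechanism OIDs are the standard ones.

```python
import base64

# DER encodings of the mechanism OIDs that identify the token type.
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2
NTLM_SIGNATURE = b"NTLMSSP\x00"

# Constructed samples: header bytes padded with zeros, not real tickets.
SAMPLE_KERBEROS_TOKEN = (b"\x60\x82\x01\x00" + SPNEGO_OID
                         + b"\xa0\x82\x00\xf4\x30\x82\x00\xf0\xa0\x0d\x30\x0b"
                         + KRB5_OID + bytes(16))
SAMPLE_NTLM_TOKEN = NTLM_SIGNATURE + b"\x01\x00\x00\x00" + bytes(16)


def negotiate_header(token: bytes) -> str:
    """Build the Authorization header value a browser would send for this token."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")


def challenge():
    """Response to an unauthenticated request: ask the browser to negotiate."""
    return 401, {"WWW-Authenticate": "Negotiate"}


def classify_authorization(header_value):
    """Classify the Authorization header sent in answer to the challenge."""
    if not header_value:
        return "missing"
    scheme, _, b64 = header_value.partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:                      # binascii.Error is a ValueError
        return "malformed"
    if token.startswith(NTLM_SIGNATURE):
        # Typically means the browser could not obtain a Kerberos ticket,
        # e.g. the workstation was not connected to the domain.
        return "ntlm"
    if token[:1] == b"\x60" and SPNEGO_OID in token[:16]:
        return "spnego-kerberos" if KRB5_OID in token else "spnego-other"
    if token[:1] == b"\x60" and KRB5_OID in token[:20]:
        return "raw-kerberos"
    return "unknown"


def next_step(request_headers):
    """Decide what the server does with a request; ticket validation itself is out of scope."""
    kind = classify_authorization(request_headers.get("Authorization"))
    if kind == "missing":
        return "challenge"                  # reply with challenge()
    if kind in ("spnego-kerberos", "raw-kerberos"):
        return "validate-ticket"            # hand the token to the Kerberos layer
    return "reject:" + kind


if __name__ == "__main__":
    print(next_step({}))
    print(next_step({"Authorization": negotiate_header(SAMPLE_KERBEROS_TOKEN)}))
    print(next_step({"Authorization": negotiate_header(SAMPLE_NTLM_TOKEN)}))
```

Logging the classification on failed logons separates "browser fell back to NTLM" from "Kerberos ticket arrived but did not validate", which point at different teams.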
In terms of config, a user needs setting up on the Domain to represent the J2EE server, and this contains a multi-valued field which has all the DNS names the J2EE is known by. The SPNego module itself references a krb.conf file, and this file can contain a list of domain controllers for fail-over purposes. Need to be aware during config that everything is case sensitive.
In terms of issues, the major one is of support - this is a solution which combines Microsoft and SAP technologies, so the IT guys running the Microsoft side need to be bought into the solution and actively engaged in its support. This is actually an enormous issue in many organisations. In one case, it took 6 months just to do that part of the config…
Session: Undocumented KM Tips & Tricks
This session had been moved from its original location, so I was a few minutes late, and there were no handouts. There was some interesting stuff in there, but it was essentially a pretty rushed presentation of “here are some really cool things I did with KM, but I can’t tell you how to do them because they were done for customers”. Still - it was a good insight into some of the things possible with KM, Flex UI, collection renderers, etc.
There was a “Google advanced search”-styled advanced TREX search, waste-basket functionality for KM (using a “deleted” property and a collection renderer - not sure if WebDAV access would respect the waste bin). SP18 apparently introduces mass property changes for KM docs, which could be handy. There was a demo of “transactional” capability - i.e. making a set of different changes to various documents, but committing or aborting all of those changes as a unit. Mention was made of the possibility of exposing the KM API as web services, leading to interesting possibilities with SOA, Web Dynpro integration, AJAX consumption, etc.
TechEd 2006 - Day 2
Session: Creating Visual Composer Applications
I went into this hands-on session hoping to learn how to quickly create new transactional applications in the portal, and also to see a bit of the new Flex-based interface. I discovered that Visual Composer (VC) has a fairly powerful expression language for assigning and displaying data values, and also has “data storage nodes”, which are the graphical equivalent of local variables. However, it seems that the focus of VC for the time being is on analytic apps rather than transactional - in other words, presenting forms where the user can enter query or filter values, and then producing tables or graphs as a result.
Unfortunately, there is no real debugging or troubleshooting support at the moment, which is one of the main reasons that it would be inappropriate (though not impossible) to develop transactional applications. Web services can now be consumed as models (as well as SAP functions, OLAP data sources, BI and JDBC databases), which gives a very powerful reporting platform. Layout element visibility can be controlled by logical expressions. User interface can be Adobe Flex or Web Dynpro. Oddly enough, the SAP-specific Web Dynpro UI can only be used with Web Service models, but the SAP agnostic Flex can call SAP models. For further integration there are iWay provided connectors for Siebel, Peoplesoft, etc.
SAP’s recommendation is to keep using BI Web Designer for BI-only apps, but to use Visual Composer for analytical apps which use BI as well as ERP, etc.
Session: SAP Roadmap to Java EE 5
As Shai mentioned in his keynote speech, SAP are one of the first vendors to achieve Java EE5 certification - although the product will not be released as GA until mid-2007, which is slightly less useful. Even so, kudos to them - there are only three Java EE5 certified products right now, and the other two are Sun (who wrote the tests) and TmaxSoft (a Korean company who seem to deal almost entirely with the Korean public sector). So anyway, this session looks interesting, especially since I’ve been playing with a bunch of Java EE5 technologies on the side - annotations, persistence API and JSF in particular.
The development platform has been upgraded to Eclipse 3.2 with WTP 1.5 (again, leading the field), and the philosophy is less one of modifying Eclipse for SAP (as was the case with the 2.x version) and more one of supplying SAP plugins for Eclipse 3.2 which can coexist with those from other vendors. SAP extended WTP 1.5 (which was based on J2EE 1.4 standards) for Java EE 5, but it is not yet clear whether they will give these extensions back to the community from which they got WTP 1.5.
Development tool support is impressive - a live demo produced an auto-generated class O/R mapped to an existing DB schema (using a tool called Dali), a Session bean to do things with it and web services access to this bean all in about 15 minutes. The session also gave a good overview of the capabilities of Java 1.5 and how they have enabled many of the features in Java EE 5 - Annotations, Dependency Injection, and Configuration by Exception (i.e. no code = sensible defaults).
A beta copy of the SAP Java EE 5 app server and the Robust Java JVM was handed out - this is a bare Java EE app server - no Web Dynpro, no Portal, etc, but nevertheless it’s a great accelerator for developing & debugging Java EE 5 apps.
JSF was compared with Java Web Dynpro - basically, there is no compelling reason to use JSF if Web Dynpro is available - but it’s there if needed. JSF pages can be called from Web Dynpro and vice-versa.
If only SAP could give the WTP extensions back to the community, it would make them much better known in the Java space and would help to accelerate adoption of NetWeaver as a platform.
Session: Duet Developer’s Guide to building Duet Applications
This “Advanced” session should have been an in-depth look at how new services might be created for Duet, possibly with a link to some developer tools or tutorials. What it actually turned out to be was 15 minutes of marketing, followed by 30 minutes of architecture copied from yesterday’s “Beginners” session, followed by a little bit about delivering reports by email (which, at a high level, sounds a bit like BI information broadcasting) and 3 slides covering how Duet app development might look if you ever got hold of the tools, which is unlikely for some time yet. This could have been the technical highlight of Tech Ed, but turned out to be a complete waste of time for someone who’d already been to the beginners’ overview session yesterday.
Session: UI Design Roadmap for SAP NetWeaver Tools
This was a useful overview of how SAP usability design is done - fairly conceptual and a little bit lightweight (forgiven, for this is a beginners’ session), coupled with the long overdue admission that SAP need to make all of their product lines a lot more consistent. This work is being done - but it’s a tough job.
Session: Identity Management in Heterogeneous System Landscapes, the SAP solution
Apart from discussing the Siemens directory server and identity management solution in the later stages, this lecture turned out to be a 1.5 hour tutorial on how to set up CUA and LDAP synchronisation. Since I’ve just spent several months doing this at Vodafone, I left early.
Session: SAML Authentication
I dived into this session near to the end, having left the ID management session. Essentially, SAML is an alternative to X.509 certificates for single sign-on into SAP WebAS (Java and/or ABAP). Although SAP do not support the creation of SAML assertions, they can happily consume them, and third party access management systems (including RSA ClearTrust) can produce them, so this promises to be a nice way of doing standards-compliant SSO into a portal if you’re not on a LAN. If you are on a Windows LAN, then SPNego (Kerberos) is probably your best bet.
Session: Service Orientation Made by SAP
This was one of the SDN-voted sessions, i.e. one of the few not presented by a SAP staffer, but in this case by someone from a German SAP consultancy with about 2,000 people - in other words, not so different in size from Axon. I must admit, I’m finally starting to get the point of SOA, having been a bit of a sceptic (to say the least) before coming to TechEd. Although, as the man said, the term SOA means different things to different people, the important thing is that it’s not just “web services”, although they are a necessary component. It’s a similar kind of paradigm shift to Object Orientation (and just as over-hyped), but essentially it’s about agile orchestration of business processes using web services which themselves are from a solid core. Granularity is a key thing here - it’s not appropriate (and certainly not performant) just to make all objects and functions available as web services. The key is to look at it from the business process point of view and look at what services are needed to make business processes work (e.g. “approve shopping cart”) and make the web services available at this level. This seems to be where the SAP Enterprise Service Repository is coming from, although I’ve not seen it yet.
The other key realisation is that SOA is not a technology-bound thing. The technology is all there, ready, waiting and mature. It needs top-level management buy-in to get people to start adopting it and using it. Take interfaces as an example - we really shouldn’t be talking about FTPing files around to be picked up by a batch process any more. Frankly, that sort of thing is embarrassing. Interfaces are a prime candidate for service orientation - in fact, across system boundaries is where this sort of thing makes a lot of sense, and this is of course where XI is targeted.
SAP Tech Ed 2006 - Day One impressions
2006-10-19
I started off Tech Ed by going to Shai’s keynote, then squeezed in four sessions, a chat with an exhibitor and a fruitless search for an exhibitor who wasn’t there.
Keynote - Shai Agassi
Exhibitor: VMware
Session: Advanced Portal Infrastructure
Session: Netweaver Mobile Roadmap
No Exhibitor: RSA
Session: Duet
Beware: The following are hastily-typed stream-of-consciousness notes written in 15-minute spaces between sessions.
Keynote - Shai Agassi
The first event in Tech Ed 2006 was Shai Agassi’s keynote speech. This was scheduled to start at 8.45, which was a pretty early start for me - being an hour ahead of my usual timezone in the UK. I got to the RAI conference centre at 8.30, and after a pleasantly quick registration I made my way through an ever larger group of halls to the enormous Hall 8, beyond which was a humongous arena with a big stage at one end with two enormous Powerpoint slides projected either side of a pretty large video projection of the podium. I have to stop describing it there, because I’m running out of synonyms for “big”. At about 9am, Shai came on stage - just as well this was 15 minutes later than advertised, as it took that long just to get from the RAI entrance hall to the arena.
The whole keynote was based on the metaphor of building a 2-floor house with a penthouse suite. There were four stages to business nirvana through Enterprise Services - setting the foundations, building the ground floor, adding a second floor, and finally enhancing the value of the place with a nice penthouse on top.
Things that must be in place - foundations
Basically, getting the foundations in place boils down to two things:
- There must be one version of the truth (i.e. everyone should implement MDM)
- Servers and processes should be consolidated (i.e. everyone should have an adaptive computing infrastructure)
What’s interesting is that Shai seemed to be saying that if you’re not here, you’re nowhere. Don’t even think about doing any of the stuff that follows without doing this.
I’m not sure I agree with the detail of what he’s saying, although I agree with the principles. One version of the truth is good, and that is why most people implement SAP in the first place - but I’m not sure that means having MDM. In fact, as far as I know, none of our customers uses MDM - but they would all say there is one version of the truth. This is just a matter of picking a “master” system for each set of data - it doesn’t mean that all of that data has to be in the same system. For example, I think that Active Directory is a perfectly good master system for users’ email addresses, logon IDs and favourite printers. SAP HR is a good place for their names, phone numbers and bank details. These can be linked on user ID or email address quite easily, without the need for an MDM system.
Similarly, consolidating servers makes good business sense - but even if every package is running on its own server, that doesn’t prevent the move to an Enterprise Services Architecture (ESA) - some might argue that knowing where the server (instead of it being virtualised all over the place) is makes ESA easier rather than harder.
Modernise the core
OK, so having set the foundations we now need to build the ground floor. Putting this in place gives you an ESA platform on which you can build business value.
The ground floor means just one thing: Everyone needs to be on mySAP ERP2005. “Honest, it’ll be stable for 5 years. We’ll just release enhancement packs. (Yes, I know we said the same about Netweaver ‘04, but…)”. Hmm. This will be a hard sell to the customers where we’ve been implementing ERP 2004 for the past year or two.
There is some method in this, er, thinking. Shai quoted a CEO as saying “Once SAP is in, you’re allowed to touch the core ERP system once every 5 years - preferably on a Saturday.” Then the killer: “But my boss wants me to innovate every quarter.”
The idea is that ERP 2005 is service-enabled, and SAP are publishing more and more enterprise services from this core (this will be what many of the enhancement packs will involve). Making services available from core means core can remain stable while innovation happens on the SOA platform that results. So, you start with ERP 2005 on a NetWeaver ’04s platform. On top of this you add another layer of NetWeaver (04s? 7.10?) which is where you build all your ESA composite applications.
Optimise Business Usage
So, with the ground floor in place (your newly modernised ERP 2005 core), it’s time to add the first floor of service-enabled applications which the modern core makes possible. Three examples were given of how this new core has enabled a great acceleration in SAP’s delivery of new products and technology.
1. New user interfaces
There are now lots of ways to reject someone’s leave:
- Portal - using the Universal Worklist, as usual
- Project Muse - still Universal Worklist, but via SAP’s Flex-based “Business Browser”.
- Yahoo desktop widgets - I guess Google desktop widgets could also work
- Phone calls initiated from Workflow - seriously, that has potential. When a high priority work item arrives in your inbox, the system actually calls you and asks what you want to do about it - voice recognition and everything. Was this just smoke and mirrors?
- Or you can just carry on using SAP GUI - in Windows, Java or Web flavours
Amazingly, these options were all demonstrated “live” on stage, with Shai’s subordinate Jeff applying for leave and Shai rejecting all attempts.
2. BI Accelerator
This was quite an impressive demo. Up until now, BW queries have been against a database of aggregated warehoused data on disk. Being on disk, this can be slow for large datasets. Being large datasets, aggregation of data is used to get reasonable performance but at the expense of limiting the range of queries which can be performed.
Enter the BI Accelerator from Hewlett Packard - this is a blade-scalable hardware plugin for BI. It is based on TREX search technology and holds indexes for the entire data warehouse in memory - so no database software, no disk usage, no aggregates required for queries. The result is an enormous speed-up on queries, and no limit on the type of query. Shai demonstrated a query on 1 billion records in 3 seconds, using a mere 48 processor cores on a stack of blades.
OK, so the hardware cost here was a significant fraction of a million dollars, but in certain contexts that delivers good value for money compared to waiting overnight for data aggregation jobs to complete.
3. Enterprise Search
Enterprise search is SAP’s TREX on steroids - it can be used to search ERP data as well as documents and websites via the portal. A trial version of this is already available for download from http://sdn.sap.com/downloads. Not much was really said about this, other than that it is a good application of ESA - because everything in the ERP core is available through web services, an existing search engine such as TREX can simply access the ERP system over HTTP and index the resulting XML data.
Drive strategic innovation
So now we have our nice 2-story SAP building, it’s time to top it off with a penthouse. This turned out to boil down to just a couple of job descriptions.
What is currently the CIO (Chief Information Officer) job now becomes 2 jobs:
Chief Process Innovation Officer - owns the global process map. Global process owners (GPOs) report in - there usually seem to be about 7 GPOs in a corporation. This is where the meat is - creating new processes using an established set of services.
Chief IT Officer - responsible for server consolidation and producing a single version of the truth. The savings made here help enable process innovation.
Session: Improving “Portal over a WAN” Performance
Since it’s becoming more common for our customers to host their SAP systems in remote data centres, this session was quite interesting for me.
To start with, the presenters discussed the main factors which affect the performance of browser-based applications. Here are the bullet points:
- Latency is the big killer - therefore you need to reduce server roundtrips, or their effect.
- Multiple server round trips can come from opening a TCP socket and opening an SSL session - hence the importance of Keep Alives in HTTP 1.1 keeping a socket open over multiple requests
- HTTP 1.1 specifies only 2 parallel connections (HTTP 1.0 defaults to 4 in most cases), but has many other benefits, including keep-alive & compression.
- “Request pipelining” exists on some browsers¹ (the presenters didn’t say which), and this can get around most of the latency and parallelism issues.
Next up, there was some discussion of a great new gadget from SAP to help speed things up, called “Netweaver Apps Delivery over WAN” or NW ADoW for short. This is a software appliance pair (one on the client network - the CFE & one on the server network - the SFE²) which can give a 10x speedup, mostly because of a new dictionary-based compression method. This works by looking for common words & phrases in the traffic flowing between the two networks, and coding these as short byte sequences - only then is the resulting traffic compressed by gzip. This is combined with the usual Squid-style caching proxy which helps reduce latency - once one person on the client network has requested an image or JavaScript file, it is in the client-side cache for everyone else to use. ADoW is currently in pilot, available on a customer-by-customer basis.
Finally, there were some tips on making the most of your existing setup with some tuning:
- Make sure to turn on the Optimised version of EPCF in productive systems.
- HTTP analysis tools are available: HTTPWatch and HTTPLook are browser based. There is also Wireshark (formerly known as Ethereal) for on-the-wire monitoring, but this makes it hard to check SSL traffic. My own personal favourite here is Charles (http://www.xk72.com/charles)
- Solution Manager Diagnostics provides an httpproxy tool which can record all traffic in a browser for later uploading to SMD where you can get very good analysis of bandwidth, latency, etc. This looked very impressive indeed - both client-side and server-side data are analysed to give an analysis of how much latency there is, and you can even view the resulting traffic flow in a Gantt chart.
¹ Pipelining can be enabled in Firefox - see http://www.hackaday.com/2004/12/26/speed-up-firefox/
² CFE = Client Front End, SFE = Server Front End
VMware
In between sessions I popped over to the VMware booth for a chat. I’d wanted to run a copy of TREX inside a VMware instance to get around some support issues with a platform we were running at the time, but when I raised a customer message with SAP they said they didn’t support running production systems on VMware, mostly because Microsoft would not offer operating system support under VMware.
Anyway, VMware are now apparently negotiating with SAP over supportability. There are no technical issues - everything runs fine - this is purely a matter of there being official support.
Session: Advanced Portal Infrastructure
A lot of this session was to do with how to design a network for security - inner and outer DMZs, Apache reverse proxy as an application gateway, web dispatcher as a load balancer, etc.
A major point was made about the use of multiple portals in a deployment, federated at the point of consumption. For example, there would be a separate portal for BI, because of strict dependencies of BI & Portal on particular service packs. There would be another portal for XSS for similar reasons. There would then be a corporate KM portal which also consumes BI & ESS in federated mode. This can also help with stability & scalability - if the BI server needs restarting, it doesn’t bring down ESS.
Usefully, it has been found in general that typically only 10-15% of named users are concurrent - this information can be used for sizing. The Quick Sizer is now much better for portal installations.
Session: Netweaver Mobile Roadmap
SAP still don’t quite get it, but they’re moving in the right direction. SAP definition of Mobile is “occasionally connected device”, primarily a laptop, so the focus is on desktop apps with a synchronisation engine. In future releases they will support J2ME CDC profile, which is a big step in the direction of recognising that to the rest of the world, “Mobile” means handheld device - primarily Blackberry, but also platforms such as Windows Mobile, Symbian, and of course J2ME running on these platforms.
No RSA
There is a Netweaver Partner Pavilion with various companies present - but no sign of RSA Security, unfortunately.
It’s a shame - I wanted to discuss RSA Access Manager integration now IISProxy (their current recommendation) is no longer supported by SAP as of December.
Session: Duet
Given an Exchange implementation and an SAP ERP server, all you need to add in to implement Duet is:
- Client add-in to Outlook
- A NW04 Java Add-on for the ERP system
- A new server, containing another NW04 J2EE stack to run SAP Duet services. This must be a Windows server, since it must also run MS Duet services.
The HP guy next to me was very happy at all the extra servers needed.
You can implement Duet in only 8 weeks (48 days - must be 6-day weeks) - so long as you’re surrounded by all the right experts (SAP, Microsoft, Duet) and infrastructure to start with.
Currently there are four scenarios:
- Use Outlook calendar for time recording
- Have BI reports delivered to your inbox
- Create leave requests in Outlook calendar
- Integrate employee information from SAP HR into the Outlook Contacts