# SAP® Integration

Teamscale can integrate with SAP® systems in order to use the analyses provided by Teamscale in the area of ABAP® custom code development. The following is relevant for ABAP developers, quality engineers for ABAP, and SAP NetWeaver® system administrators who want to configure Teamscale, or those of them who want to connect to Teamscale from an SAP system. It covers the SAP and ABAP specific configuration steps and usage scenarios, especially those tasks, which are done within an SAP system. This chapter is irrelevant for all who have nothing to do with custom code development for SAP.

The required configuration steps on the SAP system are independent of clients on the SAP system (in german »mandantenunabhängig«). Therefore, it is not required to transport our add-on to specific clients.

SAP Java Connector (SAP JCo)

A prerequisite for Teamscale to communicate with SAP systems is the SAP Java Connector (SAP JCo) library. SAP's licencing restrictions do not permit redistribution of this library with Teamscale. However, SAP JCo is licensed without additional fees as part of a licensed SAP solution or component license. To connect Teamscale to your SAP system, you need to manually download the library from SAP and put it into Teamscale's library folder. For detailed information on the installation process, please refer to Installation of the SAP Java Connector (JCo)

# Installation of the SAP Java Connector

  1. Download the SAP Java Connector (SAP JCo). SAP JCo is available through the SAP Service Marketplace (opens new window) for registered SAP customers. Download the most recent version (>= 3.0) for the platform running Teamscale. When SAP JCo is needed for deploying our docker container, use the version for Linux for Intel compatible processors.
  2. Uncompress the contained library files into a temporary directory.
  3. Copy the library files (the Java library (sapjco3.jar) and the native library file for the specific platform (sapjco3.dll for Windows, libsapjco3.so for Linux, or libsapjco3.dylib for macOS) to a directory named lib-ext.
  • For Teamscale zip distributions, thelib-ext directory must be within the Teamscale installation directory.
  • For Teamscale Docker distributions, the lib-ext directory must be mounted directly in the volumes section of the docker-compose.yml file to the directory /opt/teamscale/lib-ext, see below. Please consider setting the appropriate access rights (see How to install Teamscale with Docker).

 


    volumes: [
      /path-on-host/lib-ext:/opt/teamscale/lib-ext
      ]
  1. (Re-)start Teamscale to load the SAP JCo library. You can confirm that the JCo library has been successfully loaded on the System > System Information view.

# Teamscale Connector for SAP NetWeaver® AS ABAP®

The Teamscale Connector for SAP NetWeaver® AS ABAP® provides the connection between Teamscale and SAP NetWeaver AS ABAP based systems. The connector has to be transported to the SAP NetWeaver system and provides the following main functions:

  • An RFC-based interface, which is used by Teamscale to incrementally extract source code from the SAP system for code analysis within Teamscale

  • Execution of SAP Code Inspector (SCI) and export of the inspection results to Teamscale

  • Extraction of test coverage and usage data for Teamscale to support Test Gap analysis and usage analysis

  • A plug-in for the ABAP Workbench and the Change and Transport System to access Teamscale results from the SAP system. This is realized by a custom SAP Code Inspector test case which shows messages for findings identified in Teamscale.

The Teamscale Connector for SAP NetWeaver® AS ABAP® is compatible with SAP NetWeaver AS ABAP 7.0 EHP2 and later versions. It should work on earlier versions, but this has not been tested.

# Installation of the SAP Connector

An archive file containing the latest release of the Teamscale Connector for SAP NetWeaver® AS ABAP® can be downloaded via https://www.cqse.eu/get-abap (opens new window). Download either the .zip or .tar.gz source code file.

For transport, place the K* and R* files from the archive in the cofiles and data directories of the transdir of your host machine (typically /usr/sap/trans on Unix/Linux or C:\\usr\\sap\\trans on Windows) and import the transport (transaction STMS ). Enable special conditions »Overwrite Originals« and »Ignore Invalid Component Version«:

SAP Transport Import Options

Basically, no further configuration in the SAP system is required. One exception is the use of Secure Network Communications (SNC).

# User and Role for RFC Access

Teamscale connects to the SAP application server via RFC (remote function call) to retrieve the source code, which should be analyzed as well as some metadata (for example test coverage). The called functions are in function group /CQSE/TEAMSCALE_CONNCT_RFC . Additional functions reside in /CQSE/TEAMSCALE_TIA_RFC . Hence, a (technical) SAP user is required, which will be used by Teamscale to connect to the SAP system.

# Role and Required Access Rights

The SAP user for Teamscale must have an appropriate role assigned. The required authorizations are listed here:

# Authorizations for SAP Teamscale User

Authorization ObjectFieldValue
S_RFCRFC_TYPEFUGR (Function Group)
RFC_NAMERFC_METADATA /CQSE/TEAMSCALE_CONNCT_RFC /CQSE/TEAMSCALE_TIA_RFC
S_RFCRFC_TYPEFUNC (Function Module)
RFC_NAMEBGRFC_CHECK_UNIT_STATE_SERVER BGRFC_DEST_CONFIRM BGRFC_DEST_SHIP DDIF_FIELDINFO_GET RFCPING RFC_GET_FUNCTION_INTERFACE
S_BTCH_JOBJOBACTIONRELE (Release Jobs)
JOBGROUP*
S_COV_ADMACTVT02 (Change)
S_DEVELOPDEVCLASS*
OBJTYPE*
OBJNAME*
P_GROUP*
ACTVT03 (Display)

The authorizations are required for basic RFC access (including background RFC execution), read access to development objects (source code) and scheduling and releasing (own) batch jobs for asynchronous exports and for enabling test coverage analysis. Depending on which asynchronous mode - bgRFC or batch (BTC) jobs - is chosen, the respective authorizations of the other are not needed.

The role can be defined manually, e.g. using transaction PFCG , or the predefined role /CQSE/TEAMSCALE_RFC can be used.

# RFC User for Teamscale

The SAP user for Teamscale can be created in the usual way users are crated in the SAP system, e.g. using transaction SU01 .

WARNING

Use a system user, not a dialog user. The role described before (e.g., /CQSE/TEAMSCALE_RFC ) must be assigned to this user.
Using a dialog user might result in connection timeouts as dialog connections are by default terminated after 10 minutes without user interaction. The initial extraction of the source as well as the retrieval of SAP Code Inspector results might take longer

Time Zone Settings

It is highly recommended that the user time zone of the SAP user for Teamscale is the same as the SAP system time zone. If the user time zone differs from the system time zone, the continuous export of code changes might not work correctly and code changes might not be visible or only with a longer delay. The time zone setting of the user can be checked / edited in transaction SU01 .

Additionally, it is highly recommended that the system time zone in SAP NetWeaver is the same as the time zone of the operating system.

# SAP Connection Configuration in Teamscale

This section describes the basic configuration to configure a SAP connection.
The settings need to be done in the web interface of Teamscale. For configuration, switch to the Admin perspective and there to the page Settings .

# Configuring Repository Clone Directory

First, you should check if a suiting directory is specified in section Git / Repository Clone Directory. Teamscale will save the (historized) code exports in sub-directories of this directory and access them for analysis there. Under the hood, this is realized by a local Git repository which is managed by Teamscale automatically. Usually, the Teamscale repository clone directory will be specified by the system administrator of the Teamscale server, you should check with them to define the proper location. It can be specified as absolute or relative path and defaults to a folder named repo within the JVM process working directory. In case of a relative path, the location is relative to the parent of the Teamscale storage directory (parameter database.directory of the teamscale.properties configuration file.

# Configuring SAP ABAP System Connection

Under SAP / SAP ABAP System Connection the parameters to connect to an SAP NetWeaver system must be specified. For every SAP system, a separate connection configuration must be added. To add a new connection, press the Add button. In the opening dialog, a unique connection ID must be specified, for example the three letter SAP system name could be used. After this, a new configuration section is added, in which the parameters must be specified.

The first options are the parameters for the RFC connection. The required parameters mainly depend on the connection type, i. e. if the connection to the SAP system is direct or via logon balancing. Further options specify the logon data (client, user, password). This table describes these parameters:

# System and Logon Parameters for SAP Connection

SAP ABAP application serverMandatory parameter for direct connection: The full qualified host name of the SAP NetWeaver application server, e.g., saphost.me.com
Instance numberMandatory parameter for direct connection: The instance number (formerly called system number) of the SAP NetWeaver application server, e.g., 00
System IDMandatory parameter for logon balancing connection: 3-letter SAP system ID, e.g., NSP
SAP message serverMandatory parameter for logon balancing connection: URL of SAP message server
GroupMandatory parameter for logon balancing connection: Group of SAP NetWeaver application servers (e.g., public)
SAP message server portOptional parameter for logon balancing connection: Port of message server, typically 36xx where xx refers to the instance number
SAP router stringOptional parameter for connection to systems behind an SAP Router: SAP router string contains the chain of SAP routers and their port numbers and has the form (\H\<host>[\S\<port>])+
SAP clientMandatory parameter: Defines the client used for logon (e. g. 001)
Logon userMandatory parameter for password-based authentication: The SAP user name which should be used by Teamscale
Logon passwordMandatory parameter for password-based authentication: Password of the user

Further options of the SAP ABAP System Connection parameters control the code retrieval of Teamscale from the SAP system. These specify which code should be retrieved, how often it should be updated and if other result data should be included (e.g., test coverage data). This table describes these parameters. The most important parameters specify the exported objects and schedule the update intervals.

# SAP Code Retrieval Parameters

See also: Code Inspector Options

Include objects in default custom namespacesSpecifies if ABAP source code objects within the default custom namespaces Y... / Z... should be exported to Teamscale.
Further custom namespacesComma-separated list of further custom namespaces like /ABC/, /DEF/ for which ABAP code should be exported.
Schedule incremental code update Defines in which interval continuous code changes are retrieved from the SAP system.
Schedule full code updateDefines in which interval a full synchronization of the code base is performed.
Execute full update asynchronouslyIf enabled, full export is scheduled asynchronously using the background RFC (bgRFC) protocol.
Name of the inbound queueOnly required if Execute full update asynchronously is enabled, specifies the name of the inbound bgRFC queue in the SAP system.
Enable ABAP exports archiveIf enabled, the exported code changes are archived as Zip files on the disk.
Include programs generated from BW objectsIf enabled, source code objects generated from SAP BW objects should be included in the code / coverage retrieval.
This is used for test gap analysis. Note the version prerequisites at the end of this Section.
Include code coverage data in incremental exportsSpecifies if coverage data is retrieved for each incremental export for all objects in the selected namespaces regardless of the code changes.
Include code coverage data in full exportsSpecifies if the coverage data is retrieved during a full export for all objects in the selected namespaces.
Clear table COVRES after the exportIf enabled, the table COVRES which holds coverage data will be cleared after retrieving the coverage data.

Additional parameters are required for secure RFC communication using Secure Network Communications (SNC)*, see here. Together with the ABAP code retrieval from the SAP system also the execution of SAP Code Inspector checks in the SAP system can be performed. The Code Inspector configuration in explained here.

# Namespace Configuration

The namespace parameters Include objects in default custom namespaces and Further custom namespaces specify the code base which should be retrieved from the SAP system. It is recommended to specify all custom namespaces, which are available for development, e.g., enable the retrieval of the default custom namespaces Y and Z as well as all further custom namespaces e.g. /ABC/ which are registered for your organization. Note that these parameters only define for which code Teamscale keeps track of the change history, but not which code gets analyzed. The actual selection of the analyzed code is specified in the project configuration).

# Update Intervals

The schedule parameters Schedule incremental code update and Schedule full code update define when code (and further data, e.g. coverage results) is retrieved from the SAP system. Two different intervals must be defined: The incremental update interval and the full synchronization interval. The incremental update only retrieves the objects which have changed since the last retrieval, thus the amount of transferred data is low and the execution time is very short (a few seconds only). A change to an object is observed, if an object gets activated. Here, intervals between 10 and 30 minutes are recommended. Longer intervals may result in an unwanted long delay of analysis results after activation of code changes, shorter intervals may lead to a too fine-grained change history.

The full synchronization interval controls when an export of all code objects (within the specified) namespaces is performed. Since in rare cases the code base can change without the incremental export recognizing the change, a regular synchronization export should be scheduled. This ensures that the exported code repository is synchronized with the actual code repository within the SAP system. Usually, no code change is visible during synchronization. Typically, such missed changes which are only visible in synchronization do not result from regular development but may be caused by special transport or upgrade activities. We recommend a daily update during night.

Both intervals are specified as cron (opens new window) expressions, for example */10 * * * * specifies an update of every 10 minutes, 0 1 * * * a nightly update at 1:00am. Typically it will take some minutes until the initial export occurs.

# Asynchronous Communication

The full code update can be also configured to be executed by asynchronous communication where the exeuction will run in a background job of the SAP system. Use this mode if the run-time of the code retrieval takes too long time. This is configured by the settings Execute full update asynchronously and Name of the inbound queue . Please refere to the detailed description here.

# BW Objects

Export of source code objects generated from SAP BW objects is supported from Teamscale release version 5.1.6 and Teamscale Connector for SAP NetWeaver AS ABAP version 1807 onwards.

# Connecting a Teamscale Project with SAP

After the SAP system connection is specified and the code retrieval was executed for the first time, projects for analyzing the ABAP code of the respective SAP NetWeaver system can be created.

The creation of projects follows the standard project configuration as described here where the ABAP connector and an ABAP-specific analysis profile must be used.

# ABAP Connector Configuration

Technically, Teamscale creates an ABAP repository directory inside the Teamscale repository clone directory. This directory contains a Git repository for every SAP system. To connect projects with these git repositories, we recommend to use our specific ABAP connector. In comparison to the plain Git connector, the ABAP connector simplifies selection of an SAP connection by providing a dropdown element that includes all available connections. Additionally, the ABAP connector is reduced to the essential configuration options. For example, the Default branch option from the Git connector is missing as ABAP Git repositories do not use branching.

ABAP Connector Configuration

Note that the settings to include/exclude source code are specified using the parameters Included file names and Excluded file names, which refer to the file paths within the internal Git repository of the ABAP source code. The path consists of the full package hierarchy and source code files suffixed with .abap. Furthermore, the slashes at custom namespaces are replaced by an exclamation mark, thus /XYZ/ is replaced with !XYZ!. This tables states some examples of ant patterns for including and excluding ABAP source code.

# Examples for ABAP Code File Include/Exclude Patterns

PatternMatched ABAP Source Code Objects
**.abapAll ABAP source code objects in configured namespaces (** matches any path)
$*/**.abapABAP source code within local packages (starting with $}, * matches all but the path/package separator slash)
ZPACKAGE/**.abapObjects within the top-level package ZPACKAGE and its sub-packages only. Will not match if ZPACKAGE has a super package
**/ZPACKAGE/**.abapObjects within the package ZPACKAGE and its sub-packages only, regardless if ZPACKAGE is a top-level package
**/!XYZ!*/**.abapObjects within packages in namespace /XYZ/ only
!XYZ!ROOT_PACKAGE/ **.abapObjects within the top-level package /XYZ/ROOT_PACKAGE and its sub-packages only
**/PROG/*.abapPrograms and program includes only
**/FUGR/**.abapFunction groups only
**/FUGR/ZSOME_FUGR/*.abapFunction group ZSOME_FUGR only
**/CLAS/**.abapGlobal classes only
**/CLAS/!XYZ!CL_BASE_**.abapGlobal classes where name starts with /XYZ/CL_BASE_ only
**/CLAS/*/*CCAU.abapABAPUnit test classes only (class addition suffixed with CCAU)
**/INTF/**.abapGlobal interfaces only

# ABAP Dictionary (DDIC) objects.

Besides the ABAP source code in *.abap files, also a textual representation of objects defined in the ABAP Dictionary (DDIC) is exported from the SAP system. The dictionary objects are stored in *.abap_ddic files. Adding these files to the project will allow to identify dependencies from ABAP source code to ABAP Dictionary objects and between dictionary objects when performing architecture conformance analysis. The textual representation of structures and database tables is the same as the representation used in the source code based editors of the ABAP Development Tools for Eclipse (available from SAP NetWeaver7.51 or 7.52 on, respectively). For older SAP NetWeaver versions and further dictionary objects, a similar notation is used in Teamscale. As in Teamscale the only purpose of the dictionary objects is to perform architecture conformance analysis, .abap_ddic files will only contain the required information to identify dependencies and omit further attributes.

This table contains typical examples for including and excluding ABAP Dictionary objects:

# Examples for ABAP Dictionary File Patterns

PatternMatched ABAP Dictionary Objects
**.abap_ddicAll ABAP Dictionary objects in configured namespaces (** matches any path)
**/DOMA/*.abap_ddicDomains
**/DTEL/*.abap_ddicData elements
**/STRU/*.abap_ddicData structures
**/TABL/*.abap_ddicDatabase tables
**/TTYP/*.abap_ddicTable types
**/VIEW/*.abap_ddicDatabase views

Of course, these path patterns can also be combined with package specifications, similar to the ABAP source code files. The include/exclude pattern for dictionary objects must be added to the list of include/exclude patterns besides the patterns for the ABAP code.

# Asynchronous Full Export

By default, all updates of the ABAP code are retrieved by synchronous communication from the SAP system. The full synchronization update, where the entire code of the configured namespaces is exported, can be alternatively configured to use asynchronous communication.

Asynchronous communication is used to avoid a long run-time of the export job what would block other maintenance jobs and/or result in communication timeouts. A long run-time is to expect especially if SAP Code Inspector check execution is configured.

There are two possibilities to achieve the asynchronous export, and both are fully managed by Teamscale:

  1. Recommended: A batch (BTC) job is scheduled and released in the SAP system. Jobs are monitored in transaction SM37. It only requires that the RFC user for Teamscale is authorized for RELE (release) activity at authorization object S_BTCH_JOB.
  2. The SAP NetWeaver bgRFC protocol is used for asynchronous communication. For details refer to this article on help.sap.com (opens new window). This variant should only be used if the batch job scheduling is not possible. As bgRFC jobs are executed in a dialog process in the SAP system, time-outs are possible. It is required that bgRFC is configured accordingly in the SAP system.

In the asynchronous mode, a full synchronization update will only schedule a background job in the SAP system first. Teamscale is not waiting for the update job to finish and closes the connection to the SAP system immediately after scheduling the job. The collection of the source code and meta-data and especially the execution of SAP Code Inspector checks is then executed in the background on the SAP system. When the background job finishes, the results will be stored in table. For retrieving the results, Teamscale is polling the SAP system regularly if the scheduled jobs are finished and results are available. If so, the result data is retrieved from the SAP system and the internal ABAP repository of Teamscale gets updated.

The incremental update, which only contains changed objects, is always in synchronous communication mode. Also the initial code retrieval is done synchronously but will not execute SAP Code Inspector to make the entire code base visible in Teamscale without a too long delay.

# Asynchronous Export Configuration in Teamscale

The main configuration in Teamscale is made by the option Execute full update asynchronously of the SAP ABAP System Connection settings. By default, this will schedule batch jobs in the SAP system to perform the full export.

If bgRFC protocol should be used instead of batch job scheduling, the option Use background RFC (bgRFC) protocol must be enabled, too and a name matching the inbound queue prefix (as specified in the SAP system in SBGRFCCONF under Define Inbound Dest., see below) must be specified.

Furthermore, the scheduling interval of the polling job for retrieving the finished results can be specified in the SAP ABAP System Connections - Global Settings of the admin settings in field Schedule for requesting results of asynchronous ABAP exports. In addition, it is configurable in the global options how long scheduled jobs are polled from Teamscale if no results could be retrieved for a long time, this is configured in parameter Maximum wait time.

# bgRFC Configuration in the SAP System

BTC Jobs are recommended

By default, this is not required. This is only necessary if the bgRFC protocol should be used instead of batch (BTC) jobs.

To be able to use the asynchronous communication by bgRFC protocol, the bgRFC queue used by Teamscale must be configured in the SAP system. This is done in transaction SBGRFCCONF . The following needs to be configured in SBGRFCCONF :

  • In tab Define Supervisor Dest., a bgRFC supervisor destination must be defined. If this is not yet the case, a new one can be created using the create button. The destination requires a name and to specify a bgRFC supervisor user (the user can be created directly in the opening dialog).

    # Define Supervisor Destination in SBGRFCCONF

    Define Supervisor Destination in SBGRFCCONF

  • In tab Define Inbound Dest., a destination must be defined as an inbound destination and an identifying prefix must be assigned. A matching name must be used in the Teamscale connection settings, as described in the next section.

    # Define Destination Scheduler in SBGRFCCONF

    Define Destination Scheduler in SBGRFCCONF

  • In tab Scheduler: Destination, a scheduler for the before defined destination must be defined. A new one can be crated using the create button.

    # Define Inbound Destination in SBGRFCCONF

    Define Inbound Destination in

The settings must be saved (CTRL+S) before leaving this transaction.

TIP

To check the state of queued jobs in the SAP system, transaction SBGRFCMON can be used.

# Secure RFC Communication (optional)

If the RFC communication between Teamscale and SAP NetWeaver should be secured (encrypted), Teamscale can also connect via Secure Network Communications (SNC) to the SAP system. In order to use it, a respective configuration of the SAP system and the Teamscale server is required.

# SNC Configuration of the SAP System

To enable SNC, the SAP system must be configured accordingly. In the following a rough outline of the configuration is stated. As the configuration steps vary depending on the SAP version and on the individual configuration needs for a customer SAP system, please refer to this article on help.sap.com (opens new window) for detailed instructions on how to set-up SNC. Furthermore, there is a very helpful SAP Community blog post (opens new window).

The recommended SNC configuration steps for an SAP NetWeaver system are as follows:

  1. Ensure that the following instance parameters (transaction RZ10 ) are set: snc/enable = 1 snc/identity/as = snc_name where snc_name is the SNC name of the SAP system, something like p:CN=SID, O=ACompany, C=EN .

  2. The SAP Cryptographic Library must be installed, see SAP Note 1848999 (opens new window).

  3. With the command line tool sapgenpse of SAP Cryptographic Library, a Personal Security Environment (PSE, stored in a file) for Teamscale must be created. This can be done by executing sapgenpse on the application server (or any other sever where the SAP Cryptographic Library is available). For example, enter the following command:

    sapgenpse gen_pse -v -p teamscale.pse

    During creation of the PSE, the tool will ask for the name of the PSE owner, here the SNC name for Teamscale should be supplied (something like p:CN=TEAMSCALE, O=ACompany, C=EN ). Afterwards, the client certificate (*.crt file) must be exported, again by using sapgenpse :

    sapgenpse export_own_cert -v teamscale.pse\ -o TEAMSCALE.crt

    This file contains the X.509 client certificate which can be also used for logon instead of user name and password, see below.

  4. In transaction STRUST the following configuration is required:

    • The PSE SNC (SAPCryptolib) must have been created. A respective entry should already exist after the SNC instance parameters were set and the SAP system was restarted. The SNC name should be the same as specified in snc/identity/as

    • The client certificate created previously (e.g. TEAMSCALE.crt ) must be imported and added to the PSE SNC (SAPCryptolib). Base64 file format should be used.

    • The own (server) certificate of SNC (SAPCryptolib) must be exported to a file, e.g. SNC.crt (again, use Base64 file format).

  5. The server certificate (e.g. SNC.crt ) must be imported in the client PSE file (e.g. teamscale.pse ) and the credentials file cred_v2 , which will be used on the Teamscale server, must be created from the client PSE file. For both steps, again the command line tool sapgenpse is used, see the following examples:

    sapgenpse maintain_pk -v -a SNC.crt -p teamscale.pse

    sapgenpse seclogin -p teamscale.pse -O root

  6. The Access Control List (ACL) for SNC restrictions must allow RFC communication with the client: In view VSNCSYSACL (transaction SM30 ), an entry for work area external (E) with the SCN name of the client (Teamscale), e.g. p:CN=TEAMSCALE, O=ACompany, C=EN, must be added.

  7. If you want to use the client X.509 certificate also for logon instead of user name and password, the certificate must be mapped to the SAPTeamscale user. To do so, an entry in view VUSREXTID (transaction SM30 ) must be added, again for the SNC name of the client.

# SNC Configuration on the Teamscale Server

On the Teamscale server, the following configuration steps are required:

  1. The library files from SAP Cryptographic Library must be saved on the Teamscale server, SAP Cryptographic Library can be downloaded from SAP Support Launchpad (opens new window) for the required operating system, search for COMMONCRYPTOLIB 8.

  2. The cred_v2 file must be moved to a directory on the Teamscale server. The file should be only accessible for the operating system user running Teamscale.

  3. The environment variable SECUDIRmust have been defined pointing to the directory containing cred_v2 .

  4. If the X.509 client certificate should be used for logon (SSO mechanism), the client certificate file (e.g. TEAMSCALE.crt ) must be saved on the Teamscale server.

# SNC Configuration in Teamscale

In the Settings page of the Admin perspective, you have to specify the path to the directory containing the library files of SAP Cryptographic Library under SAP / [SAP ABAP System Connections - Global Settings].

Under SAP ABAP System Connection SNC must be enabled and the SNC options must be specified:

# SNC Parameters for SAP Connection Overview

Enable Secure Network Communications (SNC)Tick to enable SNC
SNC name of the communication partner serverThe SNC name of the SAP system, something like p:CN=SNC, O=ACompany, C=EN
Own SNC name of the callerThe client SNC name of Teamscale, something like p:CN=TEAMSCALE, O=ACompany, C=EN
Enable the SSO mechanism of SNCEnable logon by X.509 certificate instead of user name/password
Path to X.509 certificatePath to *.crt file holding the X.509 client certificate, only required if SSO mechanism is enabled

# Additional Analysis Configuration for SAP

This section describes additional configuration steps required for specific analyses in Teamscale, namely the upload of SAP Code Inspector findings and the usage of coverage results for test gap analysis.

# Integrating SAP Code Inspector

Messages resulting from checks of SAP Code Inspector(SCI) can be also shown as findings in Teamscale. Thus all findings management features of Teamscale(e.g. working with baselines, tolerated findings, the definition of tasks, ...) are also available for SCI messages. Once configured, no further manual actions are required by developers to get results of the SCI tests.

The integration of SAP Code Inspector findings in Teamscale requires that an appropriate Code Inspector variant is defined in the SAP system and that the SAP system connection settings and the project configuration in Teamscale is set up accordingly.

The integration of SAP Code Inspector findings also supports finding generated by the Code Pal for ABAP tool which can be installed in Code Inspector (Installation Instructions (opens new window)).

# Selecting/Defining a Code Inspector Check

Variant An appropriate Code Inspector variant must be specified, or you can use an existing variant. The variant defines, which checks are executed by Code Inspector. We recommend to enable all tests which might be relevant. A detailed selection of the messages which should lead to findings can be done in the Teamscale analysis profile. Tests which will produce a high amount of irrelevant messages should be excluded, otherwise the storage and backup size of Teamscale could increase heavily. Further, the execution time of the Code Inspector checks might be quite long, especially if the whole custom code base is checked. If the execution time is too long, you should also switch off irrelevant checks.

To specify a variant, execute transaction SCI and create a new check variant. You should consider to use a public variant as public variants can be made transportable, then the variant could be transported to further systems.

You can also ask our Teamscale support for a pre-defined check variant.

# Code Inspector Settings in SAP ABAP System Connection

# Parameters for SAP Code Inspector Execution during Code Retrieval

Name of the SAP Code Inspector variantName of an SAP Code Inspector variant which should be executed
Owner of the SAP Code Inspector variant Specifies the SAP user name of the variant owner (leave empty for public variants).
Code Inspector include specificationDefines for which code objects Code Inspector should be executed.
Code Inspector exclude specificationDefines exclusions of code objects for Code Inspector execution.

To execute SAP Code Inspector during code retrieval of Teamscale, this must be configured in the admin settings of SAP ABAP System Connection (see table above). The name of the executed Code Inspector variant must be specified in parameter Name of the SAP Code Inspector variant . If this is not a public variant, but a user variant, the SAP user name of the owner must be additionally specified in the parameter Name of the owner of the SAP Code Inspector variant .

The parameters Code Inspector include specification and Code Inspector exclude specification are used to restrict the code base checked by SAP Code Inspector. These includes/excludes are stated as a list of Ant patterns matching against the file paths of the ABAP source code objects as visible in Teamscale, this is similar to the patterns used for project configuration.

Note that the single star wild card (*, which matches a sequence of chars but not /) cannot be used in these patterns.

With this configuration, Code Inspector is executed in the SAP system during every code retrieval. During the incremental update, only the changed ABAP repository objects are checked by SAP Code Inspector, but during the full synchronization update, Code Inspector is executed for all ABAP repository objects in the specified namespaces. As the full synchronization may take a long time (up to a few hours for code bases of many million lines of code), we recommend to schedule the full synchronization update at most once every night.

Potential memory bottlenecks with Extended Program Check (SLIN) inspections

Please note that the SAP Code Inspector inspections in Extended Program Check (SLIN) use internal caching to store and reuse test results. If these inspections are activated in a Code Inspector variant, memory bottlenecks may be caused in case of very large ABAP programs that lead to failing (full) exports. A prominent example of a very long program (with more than 120k LOC) is the standalone version of the AbapGit report (opens new window). If included in the codebase, we recommend to exclude this report from SAP Code Inspector executions by using the following pattern in the Code Inspector exclude specification: **/PROG/*zabapgit*.abap.

# Code Inspector Settings in Project Configuration

To actually include findings from SAP Code Inspector in a Teamscale project, the following must be configured:

  • In the analysis profile, Code Inspector must be enabled as analysis tool, and analysis groups for Code Inspector must be added in the quality indicators.
  • Included file names of the Git connector must also include files with suffix .sci, e.g., by pattern **.sci.
  • Under the expert options of the Git connector, the Analysis report mapping rule **.sci -> SAP_CODE_INSPECTOR must be specified.

The latter two are set as defaults for new projects.

If all the above is correctly configured, findings from SAP Code Inspector should be visible in Teamscale like any other Teamscale-internal finding and are updated simultaneously with every code change. Note that during the incremental code update, only changed repository objects are analyzed by SAP Code Inspector. Findings from Code Inspector which affect unchanged objects will only be visible after the full synchronization update of the ABAP repository was performed.

# Test Gap Analysis Set Up For SAP

To perform test gap analysis, it is required that the SAP Coverage Analyzer (SCOV) is collecting coverage data from (test) executions. Depending on the actual system, either SCOV Lite (if available) or the regular SCOV has to be used as coverage analyzer. Teamscale will use SCOV Lite automatically, if the Teamscale user has the S_COV_ADM authorization object. SCOV Lite is the preferred method, as it has a smaller performance impact. If you want to use the regular SCOV, it is necessary to activate SCOV manually for every system.

# Manually Activating SCOV

This section describes how to manually activate the regular SCOV. Please make sure to check whether this is necessary for you.

User Rights of Processes

This will schedule the batch job RSCVR_TRIGGER_COLLECT to run every 45 minutes. By default, SAP NetWeaver configures this job to be executed by the user that activates SCOV. We suggest to edit this batch job and use a technical user instead in order to be independent of personal account availability and permissions.

Note that background jobs in SAP are always scheduled in the system time zone and do not respect the user time zone. Thus, errors may occur during SCOV activation if the user who activates SCOV has a different user time zone setting. The user time zone can be checked/modified in transaction SU01. It is recommended that a user with no specific user time zone setting performs the activation.

The coverage analyzer is configured via the transaction SCOV . Here it is important that both the coverage analyzer and the data collection for the server are activated. A detailed description of the activation can be found at http://help.sap.com/ (opens new window). No specific settings (e.g., test groups) need to be configured. This image shows the required configuration, the important parts are marked in yellow:

SCOV Activation

# Ensuring SCOV is Active

In order to make sure SCOV is functional and records data as expected, the start screen of transaction SCOV can be checked. Please ensure the following:

  • The General Status area has a green indicator next to Main Switch.

  • The Status of Current Application Server area has a green indicator next to Data Collectn.

  • The Messages area does not show errors.

  • The Last Data Collection is less than 45 minutes ago.

SCOV Activation Check

# Troubleshooting: No Coverage Information

If the results do not look as expected, most of the time it is enough to use the repair functionality that is included in SAP Coverage Analyzer. Execute transaction SCOV and run the consistency checks with repair option:

Image: sap-scov-repair

Afterwards, you can check the »Monitor« view for errors. If there are old errors, which are obsolete after the repair, these can be cleared by selecting a line and clicking »Completed« as shown here:

Image: sap-scov-monitor

In case of problems with the batch job RSCVR_TRIGGER_COLLECT , please make sure the user configured for the job does still exist and is not locked.

# Using SCOV Lite for Teamscale and UPL

If you would like to use Teamscale to analyze coverage information from a system that is already using Usage Procedure Logging (UPL), there are a few things to consider. Otherwise, these tools may interfere with each other and produce incorrect results. In essence, both the coverage-enabled Teamscale export and UPL use the same raw data created by SCOV Lite in the system table COVRES. However, when UPL extracts that data via the batch job /SDF/UPL_PERIODIC_EXT_JOB every 24 hours, it empties that table, whereas the Teamscale Connector does not.

This means the Teamscale export should run briefly before the UPL extraction job. In order to find out when that job is scheduled, you can either use transaction SM36 in the SAP system or have a look at the file job_status.csv in one of the exported zip files. Afterwards, adjust the scheduling of the incremental code update in your SAP System Connection to run a few minutes before that time. You may still have multiple updates per day, as long as one of them always runs shortly before the UPL extraction job. Coverage data is contained in the incremental updates, but not in full code updates.

# Integration of Teamscale in SAP Development Environment

The analysis results of Teamscale can be integrated in the SAP environment again. This will reduce switches between SAP and the web interface of Teamscale. Thus, the user will get most of the relevant information in his usual development environment. An integration is possible with the ABAP Development Tools for Eclipse (ADT), with SAP Code Inspector and hence with the ABAP Workbench. Finally, the SAP Transport Management System can check for Teamscale findings on transport releases.

# ABAP Development Tools for Eclipse

Teamscale can be integrated into Eclipse. Hence findings are shown directly in the IDE. This also works the ABAP Development Tools for Eclipse (ADT) and avoids unnecessary context switches between IDE and the analysis tool. For installation and configuration of the Eclipse plugin, please see this guide.

# SAP Code Inspector and ABAP Workbench Integration

The findings in Teamscale can be also shown the SAP Code Inspector (SCI), like the results of other Code Inspector checks. Thus, Teamscale findings can be handled within the ABAP Workbench in the same way as any other Code Inspector messages, e. g. by using the check functions available in SE80.

To achieve this, the Teamscale Connector for SAP NetWeaver® AS ABAP® contains an implementation of a custom SAP Code Inspector test which allows to import findings from Teamscale to the SAP NetWeaver system. To be able to execute the respective Code Inspector test Teamscale Findings, the following configuration steps are required:

# Test Activation

First, Code Inspector test Teamscale Findings must be activated:

  • In transaction SCI select the action Code Inspector → Management of → Tests (or Ctrl+Alt+F5).
  • There, mark the check boxes at the check classes /CQSE/CL_CI_CATEGORY_TEAMSCALE (category for Teamscale) and /CQSE/CL_CI_TEST_TS_FINDINGS (Teamscale findings test).
  • Save your changes.

# Definition of a Check Variant

Second, a Code Inspector check variant which contains the Teamscale findings test must be defined. Add a new or edit an existing check variant in transaction SCI and select the Teamscale Findings test:

Teamscale Findings SCI Test

Also the required parameters of this test must be specified:

# Teamscale Findings Parameters
Teamscale server URLURL of the Teamscale instance
Teamscale user nameName of the Teamscale user which should be used to retrieve the findings
User’s IDE access keyThe [access key](../../glossary/#access-key) of this user (must be generated in the user preferences of the Teamscale Web UI)
Teamscale project idThe identifier of the project in Teamscale for which findings should be retrieved
Only new findings since (label)Optional. If set, only findings which were introduced after the given baseline label are included (the baseline is managed in the Findings perspective of the Teamscale Web UI)
Only new findings since (date)Optional. If set, only findings introduced after the specified date are included (this parameter will be ignored if the »Only new findings since (label)« parameter is already set)
Also finds. in changed codeIf enabled and also one of the »Only new findings since« parameters is set not only new findings but also findings in code changed since the baseline are included

As of Teamscale Connector for SAP NetWeaver® AS ABAP® v19.07, you may leave the Teamscale project id parameter empty. This is especially relevant when executing the test in a central ATC check system, which is typically connected to may development systems, and therefore would have to reference different Teamscale projects. If no project ID is provided, the Teamscale Findings test will query Teamscale (version 5.2.1 or later) for projects that have the respective system ID configured in their project options.

# Execute the Check Variant.

After the variant is saved, it can be executed like any other Code Inspector variant, e.g. by transaction SCI or from the ABAP Workbench (SE80 ) by the e.g. CheckCode Inspector / ABAP Test Cockpit (ATC) commands. Note that you must edit the DEFAULT Code Inspector variant if the Teamscale findings test should be executed when running these Check commands, unless you use command ABAP Test Cockpit (ATC) with ... .

The results are displayed in the Code Inspector results browser:

sap-sci-results

By clicking on the info button at the single messages (leaves in the tree), the Findings Details view of the Teamscale web UI opens, where e.g. more information of the finding can be viewed. Here, the finding can be assigned to a task or flagged as tolerated finding or false positive finding. (Note that the info buttons at other nodes than the leaves are without any meaningful function.)

# Integration with SAP Transport Management System

As described in the section before, the SAP Code Inspector test Teamscale Findings allows to retrieve findings from Teamscale and display these in the SAP system. Thus, Teamscale findings can be integrated in the SAP Transport Management System (TMS) like any other Code Inspector results. Basically two options for integration exist: Using the function of the ABAP Test Cockpit (ATC) for performing checks on transport release, or using a BAdI implementation which is included in the Teamscale Connector for SAP NetWeaver AS ABAP.

# Using the ATC Check on Transport Request Release

If ABAP Test Cockpit (ATC) is available on your system, it can be used to perform Code Inspector checks on transport request release (note that is not possible to perform checks at task release via ATC, but this is possible with the BAdI implementation (see next section).

To enable the ATC check on transport release, the following configuration is required:

  • Define a Code Inspector variant which executes the test Teamscale Findings as described in the previous section.

  • Ensure that checks on request release are globally activated: Transaction SE03 (Transport Organizer Tools), item »Administration / Global Customizing«, setting for »Check Objects when Request Released«.

  • In transaction ATC, item »ATC Administration / Setup / Basic Settings« configure the respective Code Inspector variant and the setting »ATC: Behavior on Release«. Choose »Inform on Errors« or »Block on Errors«. (The setting for »Code Inspector: Behavior on Release « in the ATC basic settings refers to the execution of the DEFAULT Code Inspector variant only)

    SAP Transport Integration

  • Save the settings.

# Using the BAdI Implementation for Checks on Transport Request or Task Release

The Teamscale Connector for SAP NetWeaver AS ABAP also includes an implementation of the BAdI CTS_REQUEST_CHECK to check transport requests and/or transport tasks on release. This is an alternative to the before mentioned use of ATC if ATC is not available or check on task release should be done.

This again uses the SAP Code Inspector test »Teamscale Findings«. If enabled, findings are displayed to the user:

sap-sci-results

He or she can then decide if the transport should be canceled or released anyway. Thus, there is no automatic blocking of the release, it always needs confirmation by the user.

To enable the BAdI-based check, the following configuration must be done:

  • Define a Code Inspector variant which executes the »Teamscale Findings« check as described in the previous section.

  • Add an entry to customizing table /CQSE/C_TSTRNCHK , e.g. by using transaction SE16 and command Create Entries ( F5 ). The parameter settings are described in the table below.

  • Save the new customizing entry.

CONFIG IDArbitrary configuration identifier.
CI VARIANT AT REQUEST RELEASESpecifies the Code Inspector variant which should be executed on request release. This variant typically only includes the »Teamscale Findings« test. Leave empty if no check should be performed on request release.
CI VARIANT AT TASK RELEASESpecifies the Code Inspector variant which should be executed on task release. This variant typically only includes the »Teamscale Findings« test. Leave empty if no check should be performed on task release.
CANCEL IN RFC ON FINDINGSIf enabled, the release will be always canceled (blocked) when the release is performed via an RFC call, e. g. from ADT for Eclipse, and Teamscale findings exist.

This is currently an experimental feature, we recommend to leave it disabled.

When disabled, transports are always released when called from RFC.

The BAdI-based check is active as long as an SAP Code Inspector variant is set in the customizing table /CQSE/C_TSTRNCHK. The check has no effect on code which is not included in the Teamscale project which is configured in the specified Code Inspector variants.

# Configuration of SAP System with SSL-Based Git Repositories

SSL needs to be properly configured in the SAP system to work with SSL-git repositories.

# SSL Configuration

  • Follow the abapGit SSL setup instructions (opens new window).
  • If the targeted host has restrictions with respect to accepted SSL ciphers, you may need some additional modifications. For example, if only TLSv1.2 with perfect forward security (ECDHE ciphers) is allowed, you need to enable this with profile parameters in the SAP system first:
    • Use transaction RZ10, select the DEFAULT profile and extended maintenance → change.
    • Create/modify the parameter ssl/client_ciphersuites and set it to 908:PFS:HIGH:MEDIUM:+e3DES. Be careful when copying this value directly from the web-browser into RZ10 as hidden characters may also be copied.

Finally, save and activate the changed profile (respective dialogs will appear). Then restart the SAP application server.

Further information can be found in this thread (opens new window) in the SAP forum.