As a UX specialist in the SAP S/4HANA Regional Implementation Group, my team and I often get to work with customers keen to leverage the significant capabilities of SAP Build Work Zone, standard edition and Joule.
With so much interest in Joule and so many use cases available, our aim is to make it easier for you to configure your use cases efficiently and support your business users as they start to use Joule every day.
Good news! In this blog we cover simple checks to ensure that your SAP Build Work Zone, standard edition, and Joule architecture is correctly configured and working properly before you onboard your business users.
Performing these checks will allow you to become more confident and leverage the significant benefits of Joule.
NOTE 1: There are 2 different build plans for SAP Build Work Zone, standard edition. Further details on the foundation and standard plans can be found here: SAP Note: 3704047 – Comparison of Joule functionalities while using SAP Build Work Zone, standard edition using foundation plan or standard plan. This blog is based on SAP Build Work Zone, standard edition, standard plan. Troubleshooting options may differ between the foundation and standard build plans.
NOTE 2: The simple tests detailed here are intended to be run AFTER SAP Build Work Zone, standard edition and Joule have been fully configured.
Architecture
Below, you can see the relationship of SAP Build Work Zone, standard edition, Joule, SAP Business Technology Platform (SAP BTP), SAP Cloud Identity Service, (CIS), SAP Identity Authentication Services (IAS) and SAP Identity Provisioning Services (IPS) and SAP S/4HANA Cloud Private Edition.
Understanding this architecture is critical to testing and troubleshooting your landscape!
Prerequisites
Make sure that you have met all prerequisites before you expose content to your launchpad. It is essential that SAP Build Work Zone, standard edition and Joule have been configured correctly as per the following:
SAP Help: Joule Onboarding Guide
SAP Build Work Zone, standard edition, standard edition – integration with Joule
Joule for SAP S/4HANA Cloud Private Edition – A Comprehensive Setup Guide
SAP Note: 3523238 – Navigational and Transactional capabilities with Joule in SAP S/4HANA Cloud
1. Introduction
You can test if Joule has been technically correctly configured by prompting Joule to fetch information from the backend system, e.g. ‘Display Sales Order 911’ as in the example below:
Sample Joule capability
Based on the reply from Joule, you can proceed as follows:
– If Joule provides answers with specific sales orders -> the technical configuration is fine
– If Joule does not provide answers, this could have multiple causes:
Principal Propagation is not working. In this case you can troubleshoot using the following tools:
(a) SAP S/4HANA Cloud Private Edition transactions:
– SMICM (use trace level 3 to capture most detail)
– CERTRULE (check rule-based mappings)
Refer to SAP Note: 2351619 – How to take SMICM trace?
(b) SAP Cloud Connector logs
SAP Identity Provisioning service jobs have not run correctly or have run with errors
SAP Build Work Zone, standard edition or content exposure is not correct
Timeouts in the backend
Role assignment is not correct
Other errors
In the following sections we will go through the steps associated with checking the above in more detail.
2. Principal Propagation
Principal Propagation is the authentication mechanism that SAP Build Work Zone, standard edition, Joule use to authenticate users, and it is essential that it is configured properly. You can check if your Principal Propagation configuration is correct as follows:
SAP Business Application Studio: test a destination with Principal Propagation configured using curl command as described in this blog : How to check the connectivity to your backend system in Business Application Studio
Test from Joule as mentioned in the Introduction section of this blog
Refer to How to troubleshoot Cloud Connector principal propagation over HTTPS
NOTE: We are currently updating our Principal Propagation enablement content, check back here for details!
3. SAP Cloud Connector
When you are testing Principal Propagation (in #2), you could consider to temporarily turn on SAP Cloud Connector logs (at a suitably appropriate time of low system usage) which will detect errors such as:
Principal Propagation and authentication issues
Backend server connectivity issues (e.g., incorrect hostname or protocol, expired certificates)
Service issues (e.g., inactive or not found)
In the example below, you can see that authentication has failed due to an expired certificate.
SAP Cloud Connector – expired certificate
If an error does not show up as expected, you can consider increasing the trace level of the logs as shown below. For SSL issues, a TLS trace has to be active, and for other issues, you need to look at the tunnel trace.
SAP Cloud Connector – trace levels
You should also turn on SAP Cloud Connector Alerting so you can be kept informed about critical system issues (expiring certificates, disk space, CPU load etc…) BEFORE THEY OCCUR.
THIS IS ESPECIALLY IMPORTANT IN YOUR PRODUCTION LANDSCAPE!!!!!
EXAMPLE: By turning on Alerts for expiring certificates, an email alert would be sent 30 days before a certificate expires, so a new certificate can be generated and used, thereby preventing any connectivity issues:
Refer to SAP BTP Connectivity – Alerting
4. Check your content exposure
You have already run transaction code /UI2/CDM3_EXP_SCOPE to expose your chosen roles to SAP BTP. Refer to:
SAP Help: Manage Launchpad Content for Exposure
Blog: Joule for SAP S/4HANA Cloud Private Edition – A Comprehensive Setup Guide
Now, you can check if your content has been successfully exposed and is ready for consumption by SAP Business Technology Platform (SAP BTP).
Exposure is available in two versions: the current Version 1 and the new Version 2 as follows:
Version 1 is based on legacy target mappings
Version 2 provides a seamless end-to-end app model, extending from the SAP Fiori Apps Reference Library to business user usage. Version 2 is based on Launchpad App Descriptor Items (LADIs) and is the long-term, future-proof successor to Version 1.
NOTE: Since apps have different IDs in version 2, there is no compatible upgrade path from version 1 to version 2. Implementing integration using version 2 requires initiating a new project.
Depending on whether you are using Version 1 or Version 2, the following URLs can be used to test your content exposure to SAP BTP:
Version 1 http://<your-server-name>:<your-port-number>/sap/bc/ui2/cdm3/entities
Version 2 http://<your-server-name>:<your-port-number>/sap/bc/http/ui2/flp_content_exposure/entities
Version 1 and 2 have different URLs, 1 is based on classical tiles and target mappings and 2 is based on LADIs.
The URLs must be run in the browser (not via SAP BTP) and expose content in JSON format. Below, you can see that SAP Fiori App F0233A using semantic object ‘OutboundDelivery’ and action ‘displayFactSheet’ has successfully been exposed from a backend SAP S/4HANA Cloud Private Edition system and can be read by SAP BTP.
Test the url directly in a browser (not via SAP BTP) with the system user configured in the design time destination (JOULE_ADMIN in the configuration guide).
Testing content exposureRefer to:
SAP Note: 3345119 – Expose Launchpad Content to SAP BTP – Exposure Version 2
SAP Help: Manage Launchpad Content for Exposure
5. SAP Build Work Zone, standard edition
Now you can check your Content Channel, and the associated destinations work correctly
Check that the Design Time and Runtime destinations (‘jouledt’ and ‘joulert’) work successfully:Destination TestsExample: An incorrect Design Time destination will cause errors importing roles from SAP S/4HANA Cloud Private Edition. NOTE: The Ping does *not* fully check the entire destination. If it is “red” you know something is wrong, but “green” does not mean that everything is fine
You can check if your Content Channel synchronization works successfully (NOTE: the synchronization will not work if the destination pings in (a) have not been successfully executed). Click on the ‘Synch’ button to consume content exposed from SAP S/4HANA Cloud Private Edition:
Click on the ‘Report’ link to check that there are no synch errors:
Check the Content Explorer to ensure that content exposed through a channel has been successfully consumed by SAP BTP- From the Site Manager page, select Content Manager and then Content Explorer:
Chose the Channel through which your content was consumed by SAP Build Work Zone, standard edition:
Here you can see the content consumed through your selected channel. In this example, you can see that 31 roles have been exposed from SAP S/4HANA Cloud Private Edition and consumed by SAP BTP.
Check roles exposed from SAP S/4HANA Cloud Private Edition have been successfully consumed by SAP BTP:
Check that your test user has the correctly exposed roles assigned:
NOTE: If you do not see any roles here, check the following:
The test user has the necessary roles in SAP S/4HANA Cloud Private Edition
Roles have been exposed via Content Exposure
SAP Identity Provisioning service jobs have run and completed successfully
Refer to:
SAP Build Work Zone, standard edition, standard edition – troubleshooting
5. Identity Provisioning service
The navigation service of SAP Build Work Zone, standard edition uses the SAP Identity Provisioning service (IPS). IPS provisions identities and their authorizations between source and target systems. To use the navigational capabilities in Joule, you need to configure SAP S/4HANA Cloud Private Edition as the source and SAP Build Work Zone, standard edition, standard edition as the target system in IPS. Here, you confirm successful provisioning by reviewing logs and status of synchronizing jobs.
– In SAP Cloud Identity Services, view Identity Provisioning -> Provisioning Logs:
Provisioning logs
– Now you can see the Job Execution Logs and check them to ensure there are no errors:
Execution logs
– In this example, you can see that user BPINST cannot be provisioned correctly by SAP IPS as it has NO email address -> this user will experience issues with SAP Build Work Zone, standard edition and Joule.
Example execution log
6. Joule Welcome
Once all the above tests have been successfully executed, you can run Joule. If Joule has been configured correctly then there will be a welcome screen with Joule skills showing as in the example below:
Joule debugger console
Click on the debug icon shown above to check there are no errors in the debugger console:
Now you can go ahead and start using Joule and leverage its business value!
7.Help! I have tried all the above checks and still have problems
Don’t worry! There are lots of great troubleshooting tools.
a) Check if the related Fiori apps on the SAP S/4HANA Fiori Launchpad are working without issues:
App Support: Troubleshoot configuration and authorization errors for apps in the SAP Fiori launchpad.
Refer to:
App SupportSetting Up App Support
App Inspector: Troubleshoot configuration and authorization errors for apps available through the SAP Fiori Launchpad
Refer to:
App InspectorSetting Up App Inspector
b) In Joule, you have the Debug button (click on the ‘Debug’ button show below):
Highlights service issues and general errorsActive conversation with JouleResponse Payload: Shows aggregated JSON response for each Joule interactionRequests Logs: Shows requests and responses grouped by prompt
Joule debug console
c) SAP Cloud Connector Logs. These logs can have the following use cases:
Principal propagation and authentication troubleshootingBackend server connectivity (e.g., incorrect hostname or protocol, expired certificates)Service issues (e.g., inactive or not found)
The logs can be accessed in the SAP Cloud Connector as shown:
SAP Cloud Connector logs
Refer to SAP Help: Cloud Connector Trace and Logging
d) SAP Gateway Error Log
Transaction /IWFND/ERROR_LOGShows service errors (e.g., forbidden, not found, inconsistent calls)
SAP Gateway Tracing Tools
Transaction /IWFND/TRACESTroubleshoot service issues, capture header and payload data
Internet Communication Manager Monitor
Transaction SMICMDetailed HTTP calls (by increasing trace level to level 3)Helps to identify authentication and SSL issues
Refer to SAP Help: Gateway Tracing Tools
Still stuck? Refer to SAP Help: Joule – Monitoring and Troubleshooting which includes details on raising SAP incidents.
Troubleshooting:
Blog: Common configuration issues: Joule for SAP S/4HANA Cloud Private EditionSAP Help: SAP Build Work Zone, standard edition, standard edition – TroubleshootingSAP Help: How to troubleshoot Cloud Connector principal propagation over HTTPSSAP Help: Joule ConstraintsSAP Note: 3649670 – Missing Joule icon in SAP Build Work Zone, standard edition Standard EditionSAP Note: 3666014 – Information required for JouleSAP Note: 3673511 – Troubleshooting for Joule page display issuesSAP Note: 3679363 – How to recognize a Joule response’s
Becoming an SAP Fiori for SAP S/4HANA guru
You’ll find much more on the community topic page for SAP Fiori for SAP S/4HANA
Other helpful links in the SAP Community:
Follow our tag SAP S/4HANA RIG for more from the SAP S/4HANA Customer Care and RIGSee all questions and answers about SAP Fiori for SAP S/4HANAFollow SAP Fiori for SAP S/4HANA for more blogs and updatesAsk a Question about SAP Fiori for SAP S/4HANA
As a UX specialist in the SAP S/4HANA Regional Implementation Group, my team and I often get to work with customers keen to leverage the significant capabilities of SAP Build Work Zone, standard edition and Joule.With so much interest in Joule and so many use cases available, our aim is to make it easier for you to configure your use cases efficiently and support your business users as they start to use Joule every day.Good news! In this blog we cover simple checks to ensure that your SAP Build Work Zone, standard edition, and Joule architecture is correctly configured and working properly before you onboard your business users.Performing these checks will allow you to become more confident and leverage the significant benefits of Joule.NOTE 1: There are 2 different build plans for SAP Build Work Zone, standard edition. Further details on the foundation and standard plans can be found here: SAP Note: 3704047 – Comparison of Joule functionalities while using SAP Build Work Zone, standard edition using foundation plan or standard plan. This blog is based on SAP Build Work Zone, standard edition, standard plan. Troubleshooting options may differ between the foundation and standard build plans.NOTE 2: The simple tests detailed here are intended to be run AFTER SAP Build Work Zone, standard edition and Joule have been fully configured. ArchitectureBelow, you can see the relationship of SAP Build Work Zone, standard edition, Joule, SAP Business Technology Platform (SAP BTP), SAP Cloud Identity Service, (CIS), SAP Identity Authentication Services (IAS) and SAP Identity Provisioning Services (IPS) and SAP S/4HANA Cloud Private Edition.Understanding this architecture is critical to testing and troubleshooting your landscape!PrerequisitesMake sure that you have met all prerequisites before you expose content to your launchpad. It is essential that SAP Build Work Zone, standard edition and Joule have been configured correctly as per the following:SAP Help: Joule Onboarding GuideSAP Build Work Zone, standard edition, standard edition – integration with JouleJoule for SAP S/4HANA Cloud Private Edition – A Comprehensive Setup GuideSAP Note: 3523238 – Navigational and Transactional capabilities with Joule in SAP S/4HANA Cloud1. IntroductionYou can test if Joule has been technically correctly configured by prompting Joule to fetch information from the backend system, e.g. ‘Display Sales Order 911’ as in the example below:Sample Joule capabilityBased on the reply from Joule, you can proceed as follows:- If Joule provides answers with specific sales orders -> the technical configuration is fine- If Joule does not provide answers, this could have multiple causes:Principal Propagation is not working. In this case you can troubleshoot using the following tools: (a) SAP S/4HANA Cloud Private Edition transactions: – SMICM (use trace level 3 to capture most detail) – CERTRULE (check rule-based mappings) Refer to SAP Note: 2351619 – How to take SMICM trace? (b) SAP Cloud Connector logsSAP Identity Provisioning service jobs have not run correctly or have run with errorsSAP Build Work Zone, standard edition or content exposure is not correctTimeouts in the backendRole assignment is not correctOther errorsIn the following sections we will go through the steps associated with checking the above in more detail. 2. Principal PropagationPrincipal Propagation is the authentication mechanism that SAP Build Work Zone, standard edition, Joule use to authenticate users, and it is essential that it is configured properly. You can check if your Principal Propagation configuration is correct as follows:SAP Business Application Studio: test a destination with Principal Propagation configured using curl command as described in this blog : How to check the connectivity to your backend system in Business Application StudioTest from Joule as mentioned in the Introduction section of this blogRefer to How to troubleshoot Cloud Connector principal propagation over HTTPSNOTE: We are currently updating our Principal Propagation enablement content, check back here for details! 3. SAP Cloud ConnectorWhen you are testing Principal Propagation (in #2), you could consider to temporarily turn on SAP Cloud Connector logs (at a suitably appropriate time of low system usage) which will detect errors such as:Principal Propagation and authentication issuesBackend server connectivity issues (e.g., incorrect hostname or protocol, expired certificates)Service issues (e.g., inactive or not found)In the example below, you can see that authentication has failed due to an expired certificate.SAP Cloud Connector – expired certificate If an error does not show up as expected, you can consider increasing the trace level of the logs as shown below. For SSL issues, a TLS trace has to be active, and for other issues, you need to look at the tunnel trace.SAP Cloud Connector – trace levelsYou should also turn on SAP Cloud Connector Alerting so you can be kept informed about critical system issues (expiring certificates, disk space, CPU load etc…) BEFORE THEY OCCUR.THIS IS ESPECIALLY IMPORTANT IN YOUR PRODUCTION LANDSCAPE!!!!!EXAMPLE: By turning on Alerts for expiring certificates, an email alert would be sent 30 days before a certificate expires, so a new certificate can be generated and used, thereby preventing any connectivity issues:Refer to SAP BTP Connectivity – Alerting 4. Check your content exposureYou have already run transaction code /UI2/CDM3_EXP_SCOPE to expose your chosen roles to SAP BTP. Refer to:SAP Help: Manage Launchpad Content for ExposureBlog: Joule for SAP S/4HANA Cloud Private Edition – A Comprehensive Setup GuideNow, you can check if your content has been successfully exposed and is ready for consumption by SAP Business Technology Platform (SAP BTP).Exposure is available in two versions: the current Version 1 and the new Version 2 as follows:Version 1 is based on legacy target mappingsVersion 2 provides a seamless end-to-end app model, extending from the SAP Fiori Apps Reference Library to business user usage. Version 2 is based on Launchpad App Descriptor Items (LADIs) and is the long-term, future-proof successor to Version 1.NOTE: Since apps have different IDs in version 2, there is no compatible upgrade path from version 1 to version 2. Implementing integration using version 2 requires initiating a new project.Depending on whether you are using Version 1 or Version 2, the following URLs can be used to test your content exposure to SAP BTP:Version 1 http://<your-server-name>:<your-port-number>/sap/bc/ui2/cdm3/entitiesVersion 2 http://<your-server-name>:<your-port-number>/sap/bc/http/ui2/flp_content_exposure/entitiesVersion 1 and 2 have different URLs, 1 is based on classical tiles and target mappings and 2 is based on LADIs.The URLs must be run in the browser (not via SAP BTP) and expose content in JSON format. Below, you can see that SAP Fiori App F0233A using semantic object ‘OutboundDelivery’ and action ‘displayFactSheet’ has successfully been exposed from a backend SAP S/4HANA Cloud Private Edition system and can be read by SAP BTP.Test the url directly in a browser (not via SAP BTP) with the system user configured in the design time destination (JOULE_ADMIN in the configuration guide).Testing content exposureRefer to:SAP Note: 3501486 – Launchpad Content Exposed with version 2 not updated in SAP Build Workzone, Standard editionSAP Note: 3345119 – Expose Launchpad Content to SAP BTP – Exposure Version 2SAP Help: Manage Launchpad Content for Exposure 5. SAP Build Work Zone, standard editionNow you can check your Content Channel, and the associated destinations work correctlyCheck that the Design Time and Runtime destinations (‘jouledt’ and ‘joulert’) work successfully:Destination TestsExample: An incorrect Design Time destination will cause errors importing roles from SAP S/4HANA Cloud Private Edition. NOTE: The Ping does *not* fully check the entire destination. If it is “red” you know something is wrong, but “green” does not mean that everything is fineYou can check if your Content Channel synchronization works successfully (NOTE: the synchronization will not work if the destination pings in (a) have not been successfully executed). Click on the ‘Synch’ button to consume content exposed from SAP S/4HANA Cloud Private Edition:Click on the ‘Report’ link to check that there are no synch errors: Check the Content Explorer to ensure that content exposed through a channel has been successfully consumed by SAP BTP- From the Site Manager page, select Content Manager and then Content Explorer:Chose the Channel through which your content was consumed by SAP Build Work Zone, standard edition:Here you can see the content consumed through your selected channel. In this example, you can see that 31 roles have been exposed from SAP S/4HANA Cloud Private Edition and consumed by SAP BTP. Check roles exposed from SAP S/4HANA Cloud Private Edition have been successfully consumed by SAP BTP:Check that your test user has the correctly exposed roles assigned: NOTE: If you do not see any roles here, check the following:The test user has the necessary roles in SAP S/4HANA Cloud Private EditionRoles have been exposed via Content ExposureSAP Identity Provisioning service jobs have run and completed successfullyRefer to:SAP Build Work Zone, standard edition, standard edition – troubleshootingIntegration Guide: SAP Build Work Zone, standard edition, Standard Edition Integration with SAP S/4HANA 5. Identity Provisioning serviceThe navigation service of SAP Build Work Zone, standard edition uses the SAP Identity Provisioning service (IPS). IPS provisions identities and their authorizations between source and target systems. To use the navigational capabilities in Joule, you need to configure SAP S/4HANA Cloud Private Edition as the source and SAP Build Work Zone, standard edition, standard edition as the target system in IPS. Here, you confirm successful provisioning by reviewing logs and status of synchronizing jobs.- In SAP Cloud Identity Services, view Identity Provisioning -> Provisioning Logs:Provisioning logs- Now you can see the Job Execution Logs and check them to ensure there are no errors:Execution logs – In this example, you can see that user BPINST cannot be provisioned correctly by SAP IPS as it has NO email address -> this user will experience issues with SAP Build Work Zone, standard edition and Joule.Example execution log6. Joule WelcomeOnce all the above tests have been successfully executed, you can run Joule. If Joule has been configured correctly then there will be a welcome screen with Joule skills showing as in the example below:Joule debugger consoleClick on the debug icon shown above to check there are no errors in the debugger console:Now you can go ahead and start using Joule and leverage its business value! 7.Help! I have tried all the above checks and still have problemsDon’t worry! There are lots of great troubleshooting tools.a) Check if the related Fiori apps on the SAP S/4HANA Fiori Launchpad are working without issues: App Support: Troubleshoot configuration and authorization errors for apps in the SAP Fiori launchpad. Refer to:App SupportSetting Up App Support App Inspector: Troubleshoot configuration and authorization errors for apps available through the SAP Fiori Launchpad Refer to:App InspectorSetting Up App Inspectorb) In Joule, you have the Debug button (click on the ‘Debug’ button show below):Highlights service issues and general errorsActive conversation with JouleResponse Payload: Shows aggregated JSON response for each Joule interactionRequests Logs: Shows requests and responses grouped by promptJoule debug console c) SAP Cloud Connector Logs. These logs can have the following use cases:Principal propagation and authentication troubleshootingBackend server connectivity (e.g., incorrect hostname or protocol, expired certificates)Service issues (e.g., inactive or not found) The logs can be accessed in the SAP Cloud Connector as shown:SAP Cloud Connector logsRefer to SAP Help: Cloud Connector Trace and Loggingd) SAP Gateway Error LogTransaction /IWFND/ERROR_LOGShows service errors (e.g., forbidden, not found, inconsistent calls) SAP Gateway Tracing ToolsTransaction /IWFND/TRACESTroubleshoot service issues, capture header and payload data Internet Communication Manager MonitorTransaction SMICMDetailed HTTP calls (by increasing trace level to level 3)Helps to identify authentication and SSL issues Refer to SAP Help: Gateway Tracing ToolsStill stuck? Refer to SAP Help: Joule – Monitoring and Troubleshooting which includes details on raising SAP incidents.Troubleshooting:Blog: Common configuration issues: Joule for SAP S/4HANA Cloud Private EditionSAP Help: SAP Build Work Zone, standard edition, standard edition – TroubleshootingSAP Help: How to troubleshoot Cloud Connector principal propagation over HTTPSSAP Help: Joule ConstraintsSAP Note: 3649670 – Missing Joule icon in SAP Build Work Zone, standard edition Standard EditionSAP Note: 3666014 – Information required for JouleSAP Note: 3673511 – Troubleshooting for Joule page display issuesSAP Note: 3679363 – How to recognize a Joule response’sBecoming an SAP Fiori for SAP S/4HANA guruYou’ll find much more on the community topic page for SAP Fiori for SAP S/4HANAOther helpful links in the SAP Community:Follow our tag SAP S/4HANA RIG for more from the SAP S/4HANA Customer Care and RIGSee all questions and answers about SAP Fiori for SAP S/4HANAFollow SAP Fiori for SAP S/4HANA for more blogs and updatesAsk a Question about SAP Fiori for SAP S/4HANA Read More Technology Blog Posts by SAP articles
#SAP
#SAPTechnologyblog
