Enabling notifications for SAP S/4HANA on-premise implementations would have been a common configuration step thus far. Now with the release of SAP Launchpad service, SAP Notification Service and SAP Mobile Start (the native entry point to SAP Universe), there will be a growing need from customers to enable notifications on their site as well as for their mobile devices. In this blog I would like to explain how to set up the cloud notification channel and receive notifications on SAP Launchpad service and on SAP Mobile Start.
While this blog is written in the context of SAP Mobile Start, the steps will equally apply if you just want to set up notifications on SAP Launchpad service.
This blog post is structured as follows:
The SAP Fiori notification framework works on three layers.
First a notification provider has to be registered in the backend. Many notification providers exist in standard, the most used are the Workflow provider, the situation provider and the demo provider for testing, you also can create your own.
The notification provider will send the notification to the notification hub. The hub will distribute the notification to the active channels. The web channel is used for the on-premise launchpad, a mail channel exists also and the new cloud channel will send the notification to the BTP Launchpad service.
At the client level, there is the notification center where you can configure which notification type you want to receive, it is updated with the notification types you receive. It consists in a shell plugin in the on-premise launchpad and in the BTP Launchpad Service site.
When the cloud channel is activated in SAP S/4HANA it will send the notification to the SAP Launchpad service through the Notification Service and it will be shown in the site to which the user has access.
SAP Mobile Start consumes a site defined in the SAP Launchpad service. Within the SAP Mobile Services, the notification will be pushed as a native notification to all the devices the user is registered with (if you're connected with a phone and a tablet, you'll get the notification on both devices).
To enable the notifications for SAP Mobile Start we need to configure the cloud notification channel for the SAP Launchpad service.
It consists of the following steps which I will explain in detail later:
Open the Launchpad service from your service subscriptions and edit your Site settings. Make sure to check the “Show Notifications” option.
In the Site Directory, click on the gear icon under your site.
In the “Display on Screen” block set “Show Notification" to yes.
In the Launchpad service, go in the Site Manager Settings.
In the tab SAP S/4HANA Notifications, click on Generate.
The host under the technical setting will be used in SAP S/4HANA to create the RFC destination to the Notification service.
The general settings contain the Oath2.0 credentials.
The Authorization server Settings contain the endpoints for authorization.
You’ll need this information to set up the cloud notification mechanism in SAP S/4HANA.
When the Notification Service needs to perform callbacks (e.g., execute a quick action on the notification), it will search for a destination with the following parameters. In your SAP BTP sub-account navigate to the destinations and make sure to add the following parameters to the runtime destination.
Note: add the OData V4 path to the allow list in the SAP Cloud Connector (prefix /sap/opu/odata4/)
In transaction SM59, create an RFC destination type G (HTTP connection to external server):
In Logon and security make sure that SSL is active with DFAULT SSL Client.
In Special option, select HTTP version 1.1
Leave all other options as default.
Open the notification host url in a browser, e.g., https://notifications.cfapps.eu10.hana.ondemand.com/
Open the debug tool (F12 or right click, inspect), here with Chrome, and navigate to the security tab.
Click on "View certificate".
In the detail tab click on "copy to file" and start the Certificate Export Wizard.
Save it as a CER file, DER or Base64 encoded.
In SAP S/4HANA execute the transaction STRUST and go in change mode.
In the left panel select the SSL Client (Standard) node.
In the central panel, import the certificate with the first button on the left.
Choose your certificate and add it with “Add to Certificate List”.
Save and exit.
After this operation, restart the ICM server.
In SAP S/4HANA execute the transaction SMICM.
From the menu choose More - Administration - ICM - Exit Soft - Global.
Your RFC destination to the Notification Service is now ready to use.
These steps will ensure the authentication against the Notification Service.
Import the trusted root certificate of the OAuth 2.0 token endpoint.
Copy the url of the Token endpoint from the Site Manager settings.
Example: <subdomain>.authentication.eu10.hana.ondemand.com/oauth/token
And execute it in a browser. Here with Chrome.
Cancel the authentication popup and open the debug tool (F12 or right click and select “inspect”).
Navigate to the security tab.
Click on View Certificate.
In the certificate path tab select the root certificate and click on view certificate again.
Then on the detail tab, you can click on "copy to file" and start the Certificate export Wizard
Save it as a .CER file. DER or BASE64 encoded.
In SAP S/4HANA execute the transaction STRUST.
Select the node SSL Client SSL (Anonymous).
If the node is not active (with a cross icon). Go in change mode and create it (right click, create).
In the central panel, import the certificate with the first button on the left.
Choose your certificate and add it with “Add to Certificate List”.
Save and exit.
If the OAuth 2.0 token endpoint can only be reached from the ABAP system via a proxy server, you have to configure the proxy in the ABAP system.
- In the ABAP system start transaction SICF and choose Execute (F8).
- In the menu Client choose Proxy settings.
- On the tab "HTTPS Protocol" enter the proxy server information.
- On the tab "Global Settings" mark Proxy Setting is Active.
In the proxy host name make sure that you are not using a prefix (http:// or https://). Also maintain the logon data if necessary.
In SAP S/4HANA execute the transaction SE80.
Select “Local Object” (*), enter your user name or any and from the root node right click and select
Create – More – Oauth 2.0 client profile.
Give it a name and choose type “DEFAULT”.
(*) If you wish to include this configuration in a transport request, you can select "Package" instead of "Local Object".
Make sure that Scopes tab is empty.
And in Admin tab check “no authorization check”
And save it.
Note: If you wish to enable the authorization check, assign the following authorizations to the users:
- Admin:
- S_TCODE:TCODE=OA2C_CONFIG;
- S_OA2C_ADM:ACTVT=*;
- S_OA2C_USE:PROFILE=*;ACTVT=*;
- Users (ex Worklow runtime user or whoever creates a notification)
- S_OA2C_USE:PROFILE=*;ACTVT=*;
Now start the transaction OA2C_CONFIG to configure the profile.
Click the “create” button, enter the Client Profile and give a name to the configuration, also give the OAuth 2.0 client id given in the Site Manager settings:
Transaction OA2C_CONFIG:
Then maintain the configuration profile parameters:
Enter the client credential coming from the Site Manager settings and the endpoints for authorization and token.
In the Access Settings, select:
Save your configuration.
In the IMG (transaction SPRO), navigate to:
Enter the RFC destination, the OAuth 2.0 client profile and configuration and execute.
In the IMG (transaction SPRO), navigate to:
Create a new entry for the SAP_CLOUD channel and mark it as active.
This step is optional for testing but recommended in a productive environment.
Not using the bgRFC will send the notification synchronously but in case of an error it won’t be possible to resend the notification.
In the IMG, navigate to:
Define an inbound destination IWNGW_NOTIF_CLOUD_BGRFC with a queue prefix, ex NGW_
This configuration is part of the SAP S/4HANA notification and is optional for on premise notification. But it is mandatory for the Notification Service.
In the IMG, navigate to
And enable caching sensitive data.
Also maintain the 2 previous steps. Read the IMG documentation for more information.
Register Notification Store in SSF
Add a new entry for the notification channel secured store with the value help, keep its default values and save.
Maintain Notification Store SSF settings
Maintain the certificate in the trust configuration. The node SSF Notification Channel Secure Store may not be active at the first time so you'll have to create it. In change mode, right click and select "create".
My recommendation is to follow the notification natural path for testing: first test on the on premise launchpad, then on the site from the SAP Launchpad service and finally on SAP Mobile Start.
You can use the demo program for creating a notification (transaction /n/IWNGW/BEP_DEMO), the transaction SWU3 and trigger the verification workflow. Once this works, move on to a real business scenario like an approval workflow.
When a notification will be sent for the first time to the Notification Service it will trigger an HTTP 422 error (seen with transaction /n/iwfnd/error_log) meaning that the notification type has not been created yet in the Notification Service(*). In that case, the program will create the notification type and send along the notification (part of SAP_GWFND 7.55 SP02 or note 3005409). Also implement the SAP note 3085259 that fix an issue with the first notification of a notification type and improves the logs.
(*)A notification type contains the metadata for a notification and need to be declared in the Notification Service.
You can track errors with transactions /n/iwfnd/error_log, SLG1 for object /IWNGW/, also debug the function module /IWNGW/FM_OUT_NOTIF_CLOUD that sends the cloud notifications (set an external break point for the Workflow runtime user or whoever send the notification).
Common issues I've seen while setting up the notifications:
Native notifications for SAP MobileStart are working out of the box.
The main configuration is on the SAP Launchpad service and the SAP S/4HANA cloud notification channel. You can find more information in the documentation.
Make sure to check and meet the prerequisites like the ABAP software component SAP_GWFND version or implement SAP notes. And of course S/4HANA on premise notifications must fully work first !
At a high level view, notifications are not so complex but there are many traps, so handle carefully all the configuration steps and you should be safe. I hope that this blog will help you.
I look forward to your comments.
Stay up to date with latest news and post your questions or feedback about SAP Mobile Start in the Q&A area. Start by visiting your SAP Mobile Experience community page and click “follow”. We’ll be publishing more informative blog posts.
Want to be notified? Check your #communications to ensure you have your settings activated.
While this blog is written in the context of SAP Mobile Start, the steps will equally apply if you just want to set up notifications on SAP Launchpad service.
This blog post is structured as follows:
- Introduction to the SAP Fiori notification concept and the new cloud notification channel
- SAP Mobile Start high level architecture with a focus on the notification
- End to end configuration steps
- Finally some tips and lessons learnt for testing and troubleshooting
SAP Fiori Notification Concept
The SAP Fiori notification framework works on three layers.
First a notification provider has to be registered in the backend. Many notification providers exist in standard, the most used are the Workflow provider, the situation provider and the demo provider for testing, you also can create your own.
The notification provider will send the notification to the notification hub. The hub will distribute the notification to the active channels. The web channel is used for the on-premise launchpad, a mail channel exists also and the new cloud channel will send the notification to the BTP Launchpad service.
At the client level, there is the notification center where you can configure which notification type you want to receive, it is updated with the notification types you receive. It consists in a shell plugin in the on-premise launchpad and in the BTP Launchpad Service site.
SAP Mobile Start High Level Architecture
When the cloud channel is activated in SAP S/4HANA it will send the notification to the SAP Launchpad service through the Notification Service and it will be shown in the site to which the user has access.
SAP Mobile Start consumes a site defined in the SAP Launchpad service. Within the SAP Mobile Services, the notification will be pushed as a native notification to all the devices the user is registered with (if you're connected with a phone and a tablet, you'll get the notification on both devices).
To enable the notifications for SAP Mobile Start we need to configure the cloud notification channel for the SAP Launchpad service.
It consists of the following steps which I will explain in detail later:
- Select “Show Notification” in the Site settings
- Generate the notifications URLs in the Site Manager Settings
- Check the Runtime Destination in SAP BTP
- Configure the RFC destination for cloud notification in SAP S/4HANA with Oauth2.0
- Register and activate the cloud notification channel in SAP S/4HANA
- Enable the sensitive data cache in the HUB in SAP S/4HANA
Prerequisites
- Notifications are fully setup in your on-premise SAP S/AHANA system
- SAP S/4HANA is an embedded front-end server installation of NW 7.55
- SAP_GWFND component is on 7.54 SP06. For lower release in 755 (SP00 and SP01) implement SAP note 3005409
Select "Show Notifications" in the Site Settings
Open the Launchpad service from your service subscriptions and edit your Site settings. Make sure to check the “Show Notifications” option.
In the Site Directory, click on the gear icon under your site.
In the “Display on Screen” block set “Show Notification" to yes.
Generate the Notification URL
In the Launchpad service, go in the Site Manager Settings.
In the tab SAP S/4HANA Notifications, click on Generate.
The host under the technical setting will be used in SAP S/4HANA to create the RFC destination to the Notification service.
The general settings contain the Oath2.0 credentials.
The Authorization server Settings contain the endpoints for authorization.
You’ll need this information to set up the cloud notification mechanism in SAP S/4HANA.
Check the Runtime Destination in SAP BTP
When the Notification Service needs to perform callbacks (e.g., execute a quick action on the notification), it will search for a destination with the following parameters. In your SAP BTP sub-account navigate to the destinations and make sure to add the following parameters to the runtime destination.
| Parameter | Value |
| sap-client | <client> e.g., 400 |
| sap-sysid | <sysID> e.g., HE4 |
| NOTIF_SERVICEPATH | /sap/opu/odata4/iwngw/notification/default/iwngw/notification_srv/0001 |
Note: add the OData V4 path to the allow list in the SAP Cloud Connector (prefix /sap/opu/odata4/)
Create the RFC destination for cloud notifications in S/4HANA with OAuth 2.0
Create the RFC Destination
In transaction SM59, create an RFC destination type G (HTTP connection to external server):
- Type: G
- Host: host define in the site manager settings
- Path Prefix: /v2
In Logon and security make sure that SSL is active with DFAULT SSL Client.
In Special option, select HTTP version 1.1
Leave all other options as default.
Import the trusted certificate of the notification service
Open the notification host url in a browser, e.g., https://notifications.cfapps.eu10.hana.ondemand.com/
Open the debug tool (F12 or right click, inspect), here with Chrome, and navigate to the security tab.
Click on "View certificate".
In the detail tab click on "copy to file" and start the Certificate Export Wizard.
Save it as a CER file, DER or Base64 encoded.
In SAP S/4HANA execute the transaction STRUST and go in change mode.
In the left panel select the SSL Client (Standard) node.
In the central panel, import the certificate with the first button on the left.
Choose your certificate and add it with “Add to Certificate List”.
Save and exit.
After this operation, restart the ICM server.
In SAP S/4HANA execute the transaction SMICM.
From the menu choose More - Administration - ICM - Exit Soft - Global.
Your RFC destination to the Notification Service is now ready to use.
Configure the OAuth 2.0 Profile and Configuration
These steps will ensure the authentication against the Notification Service.
Prerequisite
Import the trusted root certificate of the OAuth 2.0 token endpoint.
Copy the url of the Token endpoint from the Site Manager settings.
Example: <subdomain>.authentication.eu10.hana.ondemand.com/oauth/token
And execute it in a browser. Here with Chrome.
Cancel the authentication popup and open the debug tool (F12 or right click and select “inspect”).
Navigate to the security tab.
Click on View Certificate.
In the certificate path tab select the root certificate and click on view certificate again.
Then on the detail tab, you can click on "copy to file" and start the Certificate export Wizard
Save it as a .CER file. DER or BASE64 encoded.
In SAP S/4HANA execute the transaction STRUST.
Select the node SSL Client SSL (Anonymous).
If the node is not active (with a cross icon). Go in change mode and create it (right click, create).
In the central panel, import the certificate with the first button on the left.
Choose your certificate and add it with “Add to Certificate List”.
Save and exit.
Note in case of use of a proxy server
If the OAuth 2.0 token endpoint can only be reached from the ABAP system via a proxy server, you have to configure the proxy in the ABAP system.
- In the ABAP system start transaction SICF and choose Execute (F8).
- In the menu Client choose Proxy settings.
- On the tab "HTTPS Protocol" enter the proxy server information.
- On the tab "Global Settings" mark Proxy Setting is Active.
In the proxy host name make sure that you are not using a prefix (http:// or https://). Also maintain the logon data if necessary.
Create the OAuth 2.0 Client Profile
In SAP S/4HANA execute the transaction SE80.
Select “Local Object” (*), enter your user name or any and from the root node right click and select
Create – More – Oauth 2.0 client profile.
Give it a name and choose type “DEFAULT”.
(*) If you wish to include this configuration in a transport request, you can select "Package" instead of "Local Object".
Make sure that Scopes tab is empty.
And in Admin tab check “no authorization check”
And save it.
Note: If you wish to enable the authorization check, assign the following authorizations to the users:
- Admin:
- S_TCODE:TCODE=OA2C_CONFIG;
- S_OA2C_ADM:ACTVT=*;
- S_OA2C_USE:PROFILE=*;ACTVT=*;
- Users (ex Worklow runtime user or whoever creates a notification)
- S_OA2C_USE:PROFILE=*;ACTVT=*;
Configure the OAuth 2.0 profile
Now start the transaction OA2C_CONFIG to configure the profile.
Click the “create” button, enter the Client Profile and give a name to the configuration, also give the OAuth 2.0 client id given in the Site Manager settings:
Transaction OA2C_CONFIG:
Then maintain the configuration profile parameters:
Enter the client credential coming from the Site Manager settings and the endpoints for authorization and token.
In the Access Settings, select:
- Client Authentication: basic
- Resources Access Authentication: Header Field
- Selected Grant type: Client Credential
- Grant Type: uncheck Authorization code and SAML 2.0 Bearer Assertion.
Save your configuration.
Register and Activate the Cloud Notification Channel
In the IMG (transaction SPRO), navigate to:
Enter the RFC destination, the OAuth 2.0 client profile and configuration and execute.
In the IMG (transaction SPRO), navigate to:
Create a new entry for the SAP_CLOUD channel and mark it as active.
Configure the bgRFC queue
This step is optional for testing but recommended in a productive environment.
Not using the bgRFC will send the notification synchronously but in case of an error it won’t be possible to resend the notification.
In the IMG, navigate to:
Define an inbound destination IWNGW_NOTIF_CLOUD_BGRFC with a queue prefix, ex NGW_
Enable and configure the sensitive data cache on the Hub
This configuration is part of the SAP S/4HANA notification and is optional for on premise notification. But it is mandatory for the Notification Service.
In the IMG, navigate to
And enable caching sensitive data.
Also maintain the 2 previous steps. Read the IMG documentation for more information.
Register Notification Store in SSF
Add a new entry for the notification channel secured store with the value help, keep its default values and save.
Maintain Notification Store SSF settings
Maintain the certificate in the trust configuration. The node SSF Notification Channel Secure Store may not be active at the first time so you'll have to create it. In change mode, right click and select "create".
Testing and Troubleshooting - Lessons Learnt
My recommendation is to follow the notification natural path for testing: first test on the on premise launchpad, then on the site from the SAP Launchpad service and finally on SAP Mobile Start.
You can use the demo program for creating a notification (transaction /n/IWNGW/BEP_DEMO), the transaction SWU3 and trigger the verification workflow. Once this works, move on to a real business scenario like an approval workflow.
When a notification will be sent for the first time to the Notification Service it will trigger an HTTP 422 error (seen with transaction /n/iwfnd/error_log) meaning that the notification type has not been created yet in the Notification Service(*). In that case, the program will create the notification type and send along the notification (part of SAP_GWFND 7.55 SP02 or note 3005409). Also implement the SAP note 3085259 that fix an issue with the first notification of a notification type and improves the logs.
(*)A notification type contains the metadata for a notification and need to be declared in the Notification Service.
You can track errors with transactions /n/iwfnd/error_log, SLG1 for object /IWNGW/, also debug the function module /IWNGW/FM_OUT_NOTIF_CLOUD that sends the cloud notifications (set an external break point for the Workflow runtime user or whoever send the notification).
Common issues I've seen while setting up the notifications:
- The certificate for the OAuth 2.0 token endpoint or the notification host is outdated or improperly set in the trust manager.
- The proxy settings are missing not maintained correctly.
- The ABAP user doesn’t have a mail address maintained, note the function is checking for a mail address set as “standard” so only one mail address will be used. You cannot map a generic ABAP user to several mail addresses.
- One of the recipients is missing a mail address: if an ABAP user is missing a mail address, the full process is stopped, and it doesn’t continue to the next user. This affects situation handling where x notifications need to be sent to x users or when a notification needs to be sent to several recipients. This is fixed in SAP_GWFND SP03, you also can apply the SAP note 3058232 for lower release.
- The OAuth 2.0 credentials are wrong. This can happen if someone clicks on “regenerate” the notification settings in the Site Manager Settings.
- In the case your SAP Launchpad service has been patched and a site was already existing, go in your Site settings, edit it, uncheck the "Show Notifications", save, edit it again, enable the "Show Notifications" and save again, this will rebuild the notification linkages.
- If you see the error "Notification properties are missing" while debugging the cloud notification FM you may have miss to enable and configure the sensitive data cache on the hub.
- The notifications are not properly setup in SAP S/4HANA, even they show up in the on-premise launchpad, they don't reach the cloud notification channel. In that case check the SAP note 2488945 - How to setup notifications in Fiori 2.0.
Summary
Native notifications for SAP MobileStart are working out of the box.
The main configuration is on the SAP Launchpad service and the SAP S/4HANA cloud notification channel. You can find more information in the documentation.
Make sure to check and meet the prerequisites like the ABAP software component SAP_GWFND version or implement SAP notes. And of course S/4HANA on premise notifications must fully work first !
At a high level view, notifications are not so complex but there are many traps, so handle carefully all the configuration steps and you should be safe. I hope that this blog will help you.
I look forward to your comments.
Stay up to date with latest news and post your questions or feedback about SAP Mobile Start in the Q&A area. Start by visiting your SAP Mobile Experience community page and click “follow”. We’ll be publishing more informative blog posts.
Want to be notified? Check your #communications to ensure you have your settings activated.
- SAP Managed Tags:
7 Comments
