Forum Discussion
Jason_26574
Nimbostratus
NimbostratusF5 Load Balancing with SAP PI
Hi all,
I have an issue that I could use some assistance with. First off, I'll start by saying that I'm a Basis Admin and not a F5 Admin, so I hope the lingo comes across okay.
We are moving from using the SAP Web Dispatcher to load balancing with our internal F5 devices. We've converted our ECC system over, and things seem to be working. Now, I'm attempting to do the same for our SAP PI systems.
Our Network Admin in charge of the F5s created a virtual server for us that takes HTTP traffic on port 80 and redirects to the SAP port 5$$00, which in our case is 50000. I then changed the Exchange Profile in SAP PI to use the new virtual server for our Integration Server, Repository, and Directory. Restarted the SAP PI system, and all seems to work except for one thing.
When you navigate to http:///rep, and try to access either the Integration Repository or the Integration Directory, the Java web app downloads and prompts for authentication, but then fails to authenticate because, and this is what I'm thinking, the virtual server is configured to only talk on a specific port (our case 50000), and the application is trying to authenticate on the SAP P4 port, which in our case is 50004. This is defined as the "rmiport" setting in the Exchange Profile of a PI system, and will be in the format 5$$04 where $$ is the system number.
Is there a way that my F5 Admin can configure the virtual server, so that the virtual server will listen on port 80, redirect to port 50000, and also redirect to port 50004 when a user tries to download / run the application?
Thanks for any and all help!
Jason
- Hi Jason, this is a great question. I hope others will also jump in and try to assist, but I'll do my best in the meantime :-)
First off, I'm wondering if you've applied note: 951910 to the PI instance in support of the load balanced setup. Because you were running WebDispatcher, you probably have applied this note, but I just want to make sure you have. It might also not be relevant in your particular setup, but it's a minor configuration change to support load balancing.
It would be really helpful to get an HTTPWatch trace from the browser to see what could be happening during the login and whether your hypothesis is true. Because an HTTPWatch trace may contain sensitive and private data relating to your organization, I'm not positive what the best way to proceed is, but , let me know about the note first, and then we can go from there. I'm not positive that the browser is trying to call port 5$$04, but if it is, we can help you with an iRULE or other configuration setup (perhaps another virtual server on the BIG-IP LTM) that can answer calls for 5$$04 as well.
Also, as one final question for you, in setting up the PI load balancing on the BIG-IP, how many instances of PI do you have across how many servers and are you applying any sort of persistence profile (cookie or source ip , etc)? 
bls9701_10560Jason,
We are utilizing the f5 for most things in PI, but for the integration directory and repository, we are utilizing the com.sap.aii.connect.directory.mshost and com.sap.aii.connect.repository.mshost parameters so that when it needs to connect to the RMI port, it will first hit the message server on port 81$$ which will send it to an app server on port 5$$04 for RMI since the message server has the built in capability for this.
Thanks,
Brian
Jason_26574Nojan / Brian,
Thanks for the quick replies!
Nojan, I saw that note yesterday, and briefly glanced through it, so I will spend some time with it today to make sure that the settings are set correctly according to SAP's best practices. As far as your last question, we're testing this in our QA environment, which is just 2 physical servers clustered, and each server has 3 Java server processes. Once we move into Production, we'll have 4 physical servers, 2 of which are clustered, and the last 2 will be standalone dialog instances. Each Prod server will have 3 Java server processes as well.
Brian, a question for you. The 2 parameters that you mentioned are missing from my setup. Did you specifically add them, and if so, where did you find out about these parameters? Also, do you have a parameter for the MS Port too, or does SAP automatically calculate this based on the system information?
Thanks,
Jason- Jason_26574Guys,
I followed the OSS note, which included importing a delta copy of all of the missing Exchange profile parameters, and once I made my changes and bounced the system, everything is working now with the F5 load-balancing in place.
Thanks for your help!
Jason - Really glad to hear Jason,
If you have any other issues, please be sure come back to DevCentral. - Ben_Chase_15007Lots of good support here for SAP-related LB. I am the person-of-many hats that is also responsible for managing the F5s that Jason mentioned. We're getting ready to do the portal pretty soon, and based on what I've read in other posts, I have a feeling it might be a little more complicated than just using a simple cookie persistence.
Are there any guides available yet or other data that would point me in the direction I need to get ready for load balancing the SAP portal on our LTMs?
Cheers,
Ben - This should get you what you need. If you have specific questions please feel free to reach out the the F5 SAP team.
F5 SAP Solutions
http://www.f5.com/sap
F5 SAP Deployment Guides & Best Practices
http://www.f5.com/pdf/deployment-guides/sap-portal-big-ip-v10-dg.pdf
http://www.f5.com/pdf/deployment-guides/sap-ecc-big-ip-v10-dg.pdf
http://www.f5.com/pdf/deployment-guides/f5-sap-dg.pdf
http://www.f5.com/pdf/deployment-guides/sap-pi-dg.pdf
http://www.f5.com/pdf/white-papers/nsag-wp.pdf
Rgds-Mike Schrock - Ben_Chase_15007Thanks - looks like v10 may be in our future. Typically I'm against running non-maintenance versions of code, but this may be an exception.
John_Clowers_16Ben,
Thank you for your post and question. I am providing you with our public documentation and deployment guides for SAP. This thread you have posted to is for load balancing PI and can be more complicated, but since it seems you are only trying to load balance Portal, then following the guides is very straightforward.
Please let us know if you need further assistance.
Regards,
John
shyam_desu_2200Hello Brian,
I see that you were able to use the message server port 8100 to be able to route the RMI calls through the message server.
We have a webdispatcher instead of an F5 as a load balancer, and even after setting the
m.sap.aii.connect.directory.mshost and m.sap.aii.connect.directory.rmiport, the client/browser still is trying to connect to port 5$$04.
So, can you please let me know if you are able to avoid opening port 50004 or 5$$04 on the firewall for access to Intergration repository or Integration Directory?
Thanks,
Shyam Desu
