Troubleshooting the on-premises or any cloud edition of ABAP SDK for Google Cloud

You can troubleshoot issues with the on-premises or any cloud edition of ABAP SDK for Google Cloud by using SAP application logs to review error and log messages.

Check software requirements and prerequisites

Make sure that all system software are running at the required minimum versions and that all ABAP SDK for Google Cloud prerequisites have been met.

For information about the SDK installation prerequisites, see Before you begin.

Read the SAP support documentation

If you have an SAP user account, you can find the resolution to many SAP software issues by reading the SAP Notes and SAP Knowledge Base Articles that are available in the SAP ONE Support Launchpad.

Logging

When logging is configured, the ABAP SDK for Google Cloud logs error messages to SAP application logs. For more information about logging, see Application logging.

To view log messages, follow these steps:

  1. In the SAP GUI, enter transaction code SLG1.
  2. Enter the log object name and subobject name.
  3. Select a valid date and time range.
  4. Run the transaction. All logs messages generated by the SDK are displayed.

A log message typically consists of the following two entries:

  • Entering: provides information about the code location where exactly the error occurred. For troubleshooting, you can use this code location as a breakpoint while debugging.
  • Error message: provides information about an error that occurred while performing an operation.

Debugging

If you have the required authorization, then you can debug the API client classes.

To debug the API client classes, use one of the following options:

  • Add a breakpoint to the constructor of the class /GOOG/CL_HTTP_CLIENT, and then run your program.

  • Or, add a breakpoint to the method that are you are using, and then run your program.

HTTP trace

While troubleshooting errors, you can enable the HTTP trace in transaction SMICM or ST05. To limit the impact on performance, disable HTTP trace as soon as you are done.

Common configuration issues

/GOOG/MSG 461: Insufficient privileges for execution

Issue: User is not able to perform SDK configurations, run utility programs, or demo programs.

Cause: Authorizations are missing for the user.

Resolution: Identify your missing authorizations that are required for the SDK using transaction SU53. To get those required authorizations for your user id, contact your SAP security administrators. For more information, see Manage authorizations.

/GOOG/MSG: 403 - Permission iam.serviceAccountTokenCreator denied on resource (or it may not exist)

Issue: For your SAP system hosted on a Compute Engine VM, when you use the token based authentication method, you are not able to access the Google Cloud APIs.

Cause: For your SAP system hosted on a Compute Engine VM, in the client key configuration, the specified service account is created in a different Google Cloud project than the project that contains your SAP host VM.

Resolution: To resolve this issue, perform the following steps:

  1. In the Google Cloud project that contains your SAP host VM, grant the service account of the host VM, the Service Account Token Creator role. For more information about the steps, see Grant a single role.
  2. In the Google Cloud project that contains your SAP host VM:
    1. Create a service account. Note the name of the service account. You specify this name when you add the service account as a principle to the other project that contains the Google Cloud APIs. For information about how to create a service account, see Create a service account.
    2. In the client key configuration for the SDK, specify this service account.
  3. In the other project that contains the Google Cloud APIs:
    1. Add the service account as a principle.
    2. Grant appropriate roles to connect to the Google Cloud APIs. For more information about API specific predefined roles, see IAM basic and predefined roles reference.

For more information, see Authenticate using tokens for SAP on Compute Engine VM.

Common operational issues

When consuming Google Cloud APIs through the client stub public methods, developers might encounter errors and exceptions. These errors and exceptions are broadly classified into two categories:

  • Errors and exceptions triggered by the ABAP SDK for Google Cloud
  • Errors returned by Google Cloud APIs

This section covers errors and exceptions triggered by the SDK. For errors returned by APIs, we recommend that you check the corresponding API's public documentation.

/GOOG/MSG : 461 - Bad Request: Client key is not found in /GOOG/CLIENT_KEY table

Issue: You are not able to instantiate an API client stub object.

Cause: The client key table /GOOG/CLIENT_KEY does not contain a valid client key.

Resolution: In the client key table /GOOG/CLIENT_KEY, maintain a valid client key. When instantiating an API client stub, pass a valid client key with the importing parameter iv_key_name.

You configure client key using the details specific to your authentication method. For information about authentication methods and related client key configuration, see, Authentication.

For information about how pass a client key with the importing parameter iv_key_name, see Constructor.

/GOOG/MSG : 461 - Log Object not maintained in TCode SLG0

Issue: You are not able to instantiate an API client stub object.

Cause: An invalid default log object is maintained in the table /GOOG/LOG_CONFIG or an invalid log object is passed to the importing parameter iv_log_object.

Resolution: Make sure that a valid log object exists in the SAP system.

For information about logging, see Application logging.

For information about how to pass a log object, see see Constructor.

/GOOG/MSG : 461 - Log SubObject not maintained in TCode SLG0

Issue: You are not able to instantiate an API client stub object.

Cause: An invalid default log subobject is maintained in the table /GOOG/LOG_CONFIG or an invalid log subobject is passed to the importing parameter iv_log_subobject.

Resolution: Make sure that a valid log subobject exists in the SAP system.

For information about logging, see Application logging.

For information about how to pass a log subobject, see see Constructor.

/GOOG/MSG : 461 - Destination does not exist exception occurred in reading RFC destination

Issue: You are not able to instantiate an API client stub object.

Cause: In table /GOOG/SERVIC_MAP, for the specified client key, an RFC destination does not exist in the SAP system.

Resolution: Create the required RFC destinations. For more information, see Configure RFC destinations.

/GOOG/MSG : 461 - Invalid RFC Destination GOOGLE_API exception occurred in reading RFC destination

Issue: You are not able to connect to GOOGLE_API.

Cause: This issue can be due to any of the following causes:

  • RFC connection type is not G - HTTP connection to external server.
  • 443 service no. is not specified.
  • Default SSL Client (Standard) is inactive.

Resolution: For the required RFC destinations, do the following:

  • Update the RFC connection type to G - HTTP connection to external server.
  • Make sure that the service no. is 443.
  • For the SSL Certificate field, make sure that the option DFAULT SSL Client (Standard) is selected.
  • For SAP on Google Cloud environment, if you have created an RFC destination for a metadata server, make sure that the service no. is 80.

For information about how to create RFC destinations, see:

/GOOG/MSG : 461 - ERROR_MESSAGE exception occurred during the request creation

Issue: You are not able to connect to the Google Cloud APIs.

Cause: SAP system is not able to create HTTP client object.

Resolution: Make sure that your ICM is configured to communicate through HTTP with external server. For more information, see Validate Internet Communication Manager (ICM).

/GOOG/MSG: 461 - Secret Manager Client Key not maintained in table /GOOG/CLIENT_KEY ERROR_MESSAGE

Issue: You are not able to connect to Google Cloud APIs using the Secret Manager authorization class /GOOG/CL_AUTH_API_KEY_SM.

Cause: In the client key configuration, Authorization Parameter 1 or Authorization Parameter 2 is missing.

Resolution In the client key table, update the required Authorization Parameter 1 or Authorization Parameter 2. For more information, see Configure client key for Secret Manager access.

/GOOG/MSG: 461 - SSF Application APPLICATION_NAME is not set up in the system ERROR_MESSAGE

Issue: You are not able to connect to Google Cloud APIs using the SSF authorization class /GOOG/CL_AUTH_API_KEY_SSF.

Cause: In the client key configuration, Authorization Parameter 1 is missing.

Resolution In the client key table, update the required Authorization Parameter 1. For more information, see Configure client key for SSF.

/GOOG/MSG: 461 - Method call of /GOOG/IF_AUTH~GET_ACCESS_TOKEN failed; the class CLASS_NAME does not exist

Issue: You are not able to connect to Google Cloud APIs using the configuration maintained in the client key table.

Cause: Authorization Class is not correct in the client key table.

Resolution: Maintain the correct Authorization Class. For more information, see Authenticate using token.

/GOOG/MSG: 404 - Not Found

Issue: You are not able to connect to Google Cloud APIs. The API endpoint is not reachable.

Cause: The RFC destinations that the SDK uses to connect to Google Cloud APIs are not configured correctly. For example, an invalid endpoint is configured in RFC destinations.

Resolution: Check if the RFC destinations are correctly configured. For more information, see Configure RFC destination.

DESCRIPTION_OF_ISSUE while signing JWT using profile KEY_FILE_NAME.pse. Check JWT config in STRUST

Issue: You are not able to connect to Google Cloud APIs.

Cause: The JWT configuration and service account key settings are not configured correctly in STRUST.

Resolution: Confirm that the JWT configuration and service account key are configured as explained in Authentication.

Bad Request invalid_grant. Invalid JWT Signature

Issue: You are not able to connect to Google Cloud APIs.

Cause: The PSE or P12 key file imported into STRUST does not belong to the service account that you used for signing the JWT.

Resolution: Make sure that you import the correct service account key file into STRUST. For information about importing the service account key into STRUST, see Import the service account key into STRUST.

/GOOG/MSG : 417 - Direct connect to googleapis.com/oauth:443 failed: NIEHOST_UNKNOWN (-2)

Issue: Authentication to Google Cloud failed with the error message /GOOG/MSG : 417 - Direct connect to googleapis.com/oauth:443 failed: NIEHOST_UNKNOWN (-2).

Cause: In the RFC destinations that ABAP SDK for Google Cloud uses to authenticate to Google Cloud, the target host is not valid.

Resolution: To resolve this issue, complete the following steps:

  1. Create an RFC destination using the sample RFC destination GOOG_OAUTH2_TOKEN. For information about creating RFC destinations, see RFC destinations.

  2. Make sure that your RFC destination uses the following values:

    • Host: oauth2.googleapis.com
    • Path Prefix: /token.

  3. If your SAP system uses a proxy to connect to the Internet, then maintain the required proxy details in the RFC destination.

OAuth RFC HTTP Destination not maintained in /GOOG/SERVIC_MAP

Issue: You are not able to connect to Google Cloud APIs.

Cause: The RFC destination for OAuth 2.0 is not available in the service mapping table /GOOG/SERVIC_MAP.

Resolution: Update the RFC destination for OAuth 2.0 in the service mapping table /GOOG/SERVIC_MAP. For information about specifying RFC destinations, see Specify RFC destinations in /GOOG/SERVIC_MAP.

/GOOG/MSG: 503 - HTTP Communication Failure - SSL client SSL Client (Standard)

Issue: HTTP Request to an API method failed.

Cause: For your SAP workload that is running on Google Cloud, in the RFC destinations that the SDK uses to connect to Google Cloud APIs for which the configuration is maintained in /GOOG/SERVIC_MAP table, the Target Host field value is incorrect.

Resolution: Check if the RFC destinations are correctly configured. For more information, see Configure RFC destination.

/GOOG/MSG: 503 - HTTP Communication Failure exception occurred during the request sending

Issue: HTTP Request to an API method failed.

Cause: This issue can be caused by connectivity issues.

Resolution: Validate your connection and make sure that your network is set up correctly, is running without errors, and is not congested.

To identify the network connectivity issue, check the ICM trace file using transaction SMICM. For more information, see 2351619 - How to take SMICM trace?.

/GOOG/MSG: 503 - HTTP Communication Failure exception occurred during the response receiving

Issue: HTTP Request to an API method failed.

This issue can be caused by the following circumstances:

SSL is not activated in your RFC destinations

Cause: In the RFC destinations that the SDK uses to connect to Google Cloud APIs, the security option for using SSL certificate is not activated.

Resolution: Check if the RFC destinations are correctly configured. For more information, see Configure RFC destination.

SSL handshake failed

Cause: When the SSL handshake failed between the SAP host and the Google Cloud API endpoint. This occurs when the certificate presented by the TLS server is not valid for the target hostname that is supplied by the SAP server, possibly because client-side sending of the optional TLS extension SNI is not implemented on your NetWeaver kernel.

Resolution: In transaction SMICM, look for the return code, SSLERR_SERVER_CERT_MISMATCH. If you find the return code SSLERR_SERVER_CERT_MISMATCH, then you need to enable sending of TLS extension SNI. Also, make sure that your NetWeaver kernel implements client-side sending of the optional TLS extension SNI.

To enable sending of TLS extension SNI, set the profile parameter icm/HTTPS/client_sni_enabled or ssl/client_sni_enabled to TRUE, depending upon your NetWeaver kernel version. For more information from SAP, see:

The caller does not have permission

Issue: Even though you are successfully authenticated, you cannot access the Google Cloud API resources.

Cause: You do not have the permission to view the API resource.

Resolution: To resolve this issue, complete the following steps:

  1. Make sure that the API resource is shared with your Google account credentials.
  2. Make a request to the API and check the response.

Google API_NAME API has not been used in project PROJECT_ID before or it is disabled

Issue: You cannot access the Google Cloud APIs using your OAuth 2.0 client credentials.

Cause: You are using a client ID created in one Google Cloud project to call an API that is enabled in another Google Cloud project.

A client ID from one Google Cloud project cannot be used to call APIs from another project, even if they are both under the same organization.

Resolution: Create a client ID in the Google Cloud project where the API is enabled. For more information, see Create OAuth 2.0 client ID credentials.

/GOOG/MSG : 461 - OAuth 2.0 Client Profile CLIENT_PROFILE_NAME is assigned to multiple OAuth 2.0 clients

Issue: You cannot access the Google Cloud APIs using your OAuth 2.0 client credentials.

Cause: You are calling a Google Cloud API using an OAuth 2.0 profile that is assigned to more than one OAuth 2.0 client. However, the OAuth 2.0 client configuration name is not specified in the Authorization Parameter 2 field of the client key table /GOOG/CLIENT_KEY.

Resolution: To assign an OAuth 2.0 profile to more than one OAuth 2.0 client, you must define a unique configuration name for each OAuth 2.0 client, and specify the configuration name in the Authorization Parameter 2 field of the client key table /GOOG/CLIENT_KEY. For more information, see Multiple Google Cloud projects scenario.

/GOOG/MSG : 461 - No refresh token available for current user

Issue: You cannot access the Google Cloud APIs using your OAuth 2.0 client credentials.

Cause: You are calling a Google Cloud API using OAuth 2.0 client credentials without granting the OAuth 2.0 refresh token for the client ID.

Resolution: Request an OAuth 2.0 token for the client ID using your Google account credentials. For more information, see Request OAuth 2.0 access tokens.

Access blocked: This app's request is invalid (Error 400: redirect_uri_mismatch)

Issue: When you request OAuth 2.0 access tokens, the Sign in with Google screen is displayed with the error message Access blocked: This app's request is invalid (Error 400: redirect_uri_mismatch).

Cause: The authorized redirect URI in the OAuth 2.0 client ID credentials is incorrect or not maintained.

Resolution: To resolve this issue, complete the following steps:

  1. In your SAP system, enter transaction code OA2C_CONFIG. The SAP login page opens in your default browser.
  2. Log in with your SAP credentials.
  3. Select the required client ID.
  4. From the Redirection URI field, make a note of your SAP redirection URI.

  5. In the Google Cloud console, go to Menu  > APIs & Services  > Credentials.

    Go to Credentials

  6. Select the client ID of your Web application.

  7. In the Authorized redirect URIs field, enter the SAP redirection URI.

  8. Save the changes.

/GOOG/MSG : 406 - IcmIConnCheckClientEnabled: Connect for protocol HTTP denied by configuration HTTP Response

Issue: You cannot access the Google Cloud APIs.

Cause: The HTTP port configuration is missing in your SAP system.

Resolution: Both HTTP and HTTPS ports must be created and be active in your SAP system.

The VM metadata is stored on a metadata server, which is only accessible through an HTTP port. Therefore, to access VM metadata, you must ensure that an HTTP port is active. You must also ensure that an HTTPS port is active for subsequent API calls.

To resolve this issue, complete the following steps:

  1. In the SAP GUI, enter transaction code SMICM.

  2. On the menu bar, click Goto > Services.

  3. Make sure that the HTTP and HTTPS ports are created and active. A green check in the Actv column indicates that the HTTP and HTTPS ports are active.

For information about configuring the HTTP and HTTPS ports, see HTTP(S) Settings in ICM.

Issue: /GOOG/MSG: 403 - Request had insufficient authentication scopes

Issue: API call failed with the error message /GOOG/MSG: 403 - Request had insufficient authentication scopes.

Cause: For your SAP workload that is running on Google Cloud, in the table /GOOG/CLIENT_KEY, the specified service account does not have the required scope to access Google Cloud APIs.

Resolution: To resolve this issue, complete the following steps:

  1. In the Google Cloud console, go to the Compute Engine VM instances page.

    Go to VM instances

  2. Click the VM instance where your SAP workload is running.

  3. Click Stop, and then follow the instructions to stop the VM instance.

  4. Click Edit.

  5. For the associated service account, edit the Access scopes to allow full access to all Cloud APIs.

  6. Click Save.

  7. Click Start / Resume to restart the VM instance.

Error messages returned by Google Cloud APIs

Every API client stub has the exporting parameters that provide API return code and error messages.

  • ev_ret_code contains the HTTP status codes. In case of an error returned by an API, this parameter contains a value 4XX.

  • ev_err_resp contains the error category and error message returned by an API.

The following example shows an API returned error when you create a new Pub/Sub topic with a topic name that already exists.

  • ERROR_TEXT: Conflict
  • ERROR_DESCRIPTION: Resource already exists in the project (resource=SAMPLE_TOPIC_01)

Get support from the community

Ask your questions and discuss ABAP SDK for Google Cloud with the community on Cloud Forums.

Get support

If you need help resolving problems with the ABAP SDK for Google Cloud, then collect all available diagnostic information and contact Cloud Customer Care.

For more information about contacting Cloud Customer Care, see Getting support for SAP on Google Cloud.