You can troubleshoot issues with the on-premises or any cloud edition of ABAP SDK for Google Cloud by using SAP application logs to review error and log messages.
Check software requirements and prerequisites
Make sure that all system software are running at the required minimum versions and that all ABAP SDK for Google Cloud prerequisites have been met.
For information about the SDK installation prerequisites, see Before you begin.
Read the SAP support documentation
If you have an SAP user account, you can find the resolution to many SAP software issues by reading the SAP Notes and SAP Knowledge Base Articles that are available in the SAP ONE Support Launchpad.
Logging
When logging is configured, the ABAP SDK for Google Cloud logs error messages to SAP application logs. For more information about logging, see Application logging.
To view log messages, follow these steps:
- In the SAP GUI, enter transaction code
SLG1
. - Enter the log object name and subobject name.
- Select a valid date and time range.
- Run the transaction. All logs messages generated by the SDK are displayed.
A log message typically consists of the following two entries:
- Entering: provides information about the code location where exactly the error occurred. For troubleshooting, you can use this code location as a breakpoint while debugging.
- Error message: provides information about an error that occurred while performing an operation.
Debugging
If you have the required authorization, then you can debug the API client classes.
To debug the API client classes, use one of the following options:
Add a breakpoint to the constructor of the class
/GOOG/CL_HTTP_CLIENT
, and then run your program.Or, add a breakpoint to the method that are you are using, and then run your program.
HTTP trace
While troubleshooting errors, you can enable the HTTP trace in
transaction SMICM
or ST05
.
To limit the impact on performance, disable HTTP trace as soon as you are done.
Common configuration issues
/GOOG/MSG 461: Insufficient privileges for execution
Issue: User is not able to perform SDK configurations, run utility programs, or demo programs.
Cause: Authorizations are missing for the user.
Resolution: Identify your missing authorizations that are
required for the SDK using transaction SU53
.
To get those required authorizations for your user id,
contact your SAP security administrators. For more information, see Manage authorizations.
/GOOG/MSG: 403 - Permission iam.serviceAccountTokenCreator
denied on resource (or it may not exist)
iam.serviceAccountTokenCreator
denied on resource (or it may not exist)Issue: For your SAP system hosted on a Compute Engine VM, when you use the token based authentication method, you are not able to access the Google Cloud APIs.
Cause: For your SAP system hosted on a Compute Engine VM, in the client key configuration, the specified service account is created in a different Google Cloud project than the project that contains your SAP host VM.
Resolution: To resolve this issue, perform the following steps:
- In the Google Cloud project that contains your SAP host VM, grant the
service account of the host VM, the
Service Account Token Creator
role. For more information about the steps, see Grant a single role. - In the Google Cloud project that contains your SAP host VM:
- Create a service account. Note the name of the service account. You specify this name when you add the service account as a principle to the other project that contains the Google Cloud APIs. For information about how to create a service account, see Create a service account.
- In the client key configuration for the SDK, specify this service account.
- In the other project that contains the Google Cloud APIs:
- Add the service account as a principle.
- Grant appropriate roles to connect to the Google Cloud APIs. For more information about API specific predefined roles, see IAM basic and predefined roles reference.
For more information, see Authenticate by using access tokens.
Common operational issues
When consuming Google Cloud APIs through the client stub public methods, developers might encounter errors and exceptions. These errors and exceptions are broadly classified into two categories:
- Errors and exceptions triggered by the ABAP SDK for Google Cloud
- Errors returned by Google Cloud APIs
This section covers errors and exceptions triggered by the SDK. For errors returned by APIs, we recommend that you check the corresponding API's public documentation.
/GOOG/MSG : 461 - Bad Request: Client key is not found in /GOOG/CLIENT_KEY table
Issue: You are not able to instantiate an API client stub object.
Cause: The client key table /GOOG/CLIENT_KEY
does not contain a
valid client key.
Resolution: In the client key table /GOOG/CLIENT_KEY
, maintain a
valid client key.
When instantiating an API client stub, pass a valid client key with the
importing parameter iv_key_name
.
You configure client key using the details specific to your authentication method. For information about authentication methods see, Authentication.
For information about how pass a client key with the
importing parameter iv_key_name
, see Constructor.
/GOOG/MSG : 461 - Log Object not maintained in TCode SLG0
Issue: You are not able to instantiate an API client stub object.
Cause: An invalid default log object is maintained in the table
/GOOG/LOG_CONFIG
or an invalid log object is passed to the importing parameter iv_log_object
.
Resolution: Make sure that a valid log object exists in the SAP system.
For information about logging, see Application logging.
For information about how to pass a log object, see see Constructor.
/GOOG/MSG : 461 - Log SubObject not maintained in TCode SLG0
Issue: You are not able to instantiate an API client stub object.
Cause: An invalid default log subobject is maintained in the table
/GOOG/LOG_CONFIG
or an invalid log subobject is passed to the importing parameter iv_log_subobject
.
Resolution: Make sure that a valid log subobject exists in the SAP system.
For information about logging, see Application logging.
For information about how to pass a log subobject, see see Constructor.
/GOOG/MSG : 461 - Destination does not exist exception occurred in reading RFC destination
Issue: You are not able to instantiate an API client stub object.
Cause: In table /GOOG/SERVIC_MAP
, for the
specified client key, an RFC destination does not exist in the SAP system.
Resolution: Create the required RFC destinations. For more information, see Configure RFC destinations.
/GOOG/MSG : 461 - Invalid RFC Destination GOOGLE_API exception occurred in reading RFC destination
Issue: You are not able to connect to GOOGLE_API.
Cause: This issue can be due to any of the following causes:
- RFC connection type is not
G - HTTP connection to external server
. 443
service no. is not specified.- Default SSL Client (Standard) is inactive.
Resolution: For the required RFC destinations, do the following:
- Update the RFC connection type to
G - HTTP connection to external server
. - Make sure that the service no. is
443
. - For the SSL Certificate field, make sure that the option DFAULT SSL Client (Standard) is selected.
- For SAP on Google Cloud environment, if you have created an RFC destination
for a metadata server, make sure that the service no. is
80
.
For information about how to create RFC destinations, see:
/GOOG/MSG : 461 - ERROR_MESSAGE exception occurred during the request creation
Issue: You are not able to connect to the Google Cloud APIs.
Cause: SAP system is not able to create HTTP client object.
Resolution: Make sure that your ICM is configured to communicate through HTTP with external server. For more information, see Validate Internet Communication Manager (ICM).
/GOOG/MSG: 461 - Secret Manager Client Key not maintained in table /GOOG/CLIENT_KEY ERROR_MESSAGE
Issue: You are not able to connect to Google Cloud APIs using the
Secret Manager authorization class /GOOG/CL_AUTH_API_KEY_SM
.
Cause: In the client key configuration, Authorization Parameter 1
or
Authorization Parameter 2
is missing.
Resolution In the client key table, update the required
Authorization Parameter 1
or
Authorization Parameter 2
. For more information, see Configure client key for Secret Manager access.
/GOOG/MSG: 461 - SSF Application APPLICATION_NAME is not set up in the system ERROR_MESSAGE
Issue: You are not able to connect to Google Cloud APIs using the
SSF authorization class /GOOG/CL_AUTH_API_KEY_SSF
.
Cause: In the client key configuration, Authorization Parameter 1
is missing.
Resolution In the client key table, update the required
Authorization Parameter 1
. For more information, see Configure client key for SSF.
/GOOG/MSG: 461 - Method call of /GOOG/IF_AUTH~GET_ACCESS_TOKEN failed; the class CLASS_NAME does not exist
Issue: You are not able to connect to Google Cloud APIs using the configuration maintained in the client key table.
Cause: Authorization Class
is not correct in the client key table.
Resolution: Maintain the correct Authorization Class
.
For more information, see Authenticate by using access token.
/GOOG/MSG: 404 - Not Found
Issue: You are not able to connect to Google Cloud APIs. The API endpoint is not reachable.
Cause: The RFC destinations that the SDK uses to connect to Google Cloud APIs are not configured correctly. For example, an invalid endpoint is configured in RFC destinations.
Resolution: Check if the RFC destinations are correctly configured. For more information, see Configure RFC destination.
DESCRIPTION_OF_ISSUE while signing JWT using profile KEY_FILE_NAME.pse. Check JWT config in STRUST
STRUST
Issue: You are not able to connect to Google Cloud APIs.
Cause: The JWT configuration and service account key settings are not
configured correctly in STRUST
.
Resolution: Confirm that the JWT configuration and service account key are configured as explained in Authenticate by using JSON Web Tokens.
Bad Request invalid_grant. Invalid JWT Signature
Issue: You are not able to connect to Google Cloud APIs.
Cause: The PSE or P12 key file imported into STRUST
does not belong to the
service account that you used for signing the JWT.
Resolution: Make sure that you import the correct service account key
file into STRUST
. For information about importing the service account key into
STRUST
, see Import the service account key into STRUST.
/GOOG/MSG : 417 - Direct connect to googleapis.com/oauth:443 failed: NIEHOST_UNKNOWN (-2)
Issue: Authentication to Google Cloud failed with the error
message /GOOG/MSG : 417 - Direct connect to googleapis.com/oauth:443 failed: NIEHOST_UNKNOWN (-2)
.
Cause: In the RFC destinations that ABAP SDK for Google Cloud uses to authenticate to Google Cloud, the target host is not valid.
Resolution: To resolve this issue, complete the following steps:
Create an RFC destination using the sample RFC destination
GOOG_OAUTH2_TOKEN
. For information about creating RFC destinations, see RFC destinations.Make sure that your RFC destination uses the following values:
- Host:
oauth2.googleapis.com
- Path Prefix:
/token
.
- Host:
If your SAP system uses a proxy to connect to the Internet, then maintain the required proxy details in the RFC destination.
OAuth RFC HTTP Destination not maintained in /GOOG/SERVIC_MAP
/GOOG/SERVIC_MAP
Issue: You are not able to connect to Google Cloud APIs.
Cause: The RFC destination for OAuth 2.0 is not available
in the service mapping table /GOOG/SERVIC_MAP
.
Resolution: Update the RFC destination for OAuth 2.0 in the service mapping
table /GOOG/SERVIC_MAP
. For information about
specifying RFC destinations, see Specify RFC destinations in /GOOG/SERVIC_MAP
.
/GOOG/MSG: 503 - HTTP Communication Failure - SSL client SSL Client (Standard)
Issue: HTTP Request to an API method failed.
Cause: For your SAP workload that is running on Google Cloud, in the
RFC destinations that the SDK uses to connect to Google Cloud APIs
for which the configuration is maintained in /GOOG/SERVIC_MAP
table,
the Target Host field value is incorrect.
Resolution: Check if the RFC destinations are correctly configured. For more information, see Configure RFC destination.
/GOOG/MSG: 503 - HTTP Communication Failure exception occurred during the request sending
Issue: HTTP Request to an API method failed.
Cause: This issue can be caused by connectivity issues.
Resolution: Validate your connection and make sure that your network is set up correctly, is running without errors, and is not congested.
To identify
the network connectivity issue, check the ICM trace file using transaction
SMICM
. For more information, see 2351619 - How to take SMICM trace?.
/GOOG/MSG: 503 - HTTP Communication Failure exception occurred during the response receiving
Issue: HTTP Request to an API method failed.
This issue can be caused by the following circumstances:
SSL is not activated in your RFC destinations
Cause: In the RFC destinations that the SDK uses to connect to Google Cloud APIs, the security option for using SSL certificate is not activated.
Resolution: Check if the RFC destinations are correctly configured. For more information, see Configure RFC destination.
SSL handshake failed
Cause: When the SSL handshake failed between the SAP host and the Google Cloud API endpoint. This occurs when the certificate presented by the TLS server is not valid for the target hostname that is supplied by the SAP server, possibly because client-side sending of the optional TLS extension SNI is not implemented on your NetWeaver kernel.
Resolution: In transaction SMICM
, look for the return code,
SSLERR_SERVER_CERT_MISMATCH
. If you find the return code
SSLERR_SERVER_CERT_MISMATCH
, then you need to enable sending of TLS extension
SNI. Also, make sure that your NetWeaver kernel implements client-side sending
of the optional TLS extension SNI.
To enable sending of TLS extension SNI, set the profile parameter
icm/HTTPS/client_sni_enabled
or ssl/client_sni_enabled
to TRUE
, depending
upon your NetWeaver kernel version. For more information from SAP, see:
- SAP Note 510007 - Additional considerations for setting up SSL on Application Server ABAP
- SAP Note 2582368 - SapSSL update for client-side sending of TLS extension SNI by saphttp, sapkprotp
- SAP Note 2124480 - ICM / Web Dispatcher: TLS Extension Server Name Indication (SNI) as client
The caller does not have permission
Issue: Even though you are successfully authenticated, you cannot access the Google Cloud API resources.
Cause: You do not have the permission to view the API resource.
Resolution: To resolve this issue, complete the following steps:
- Make sure that the API resource is shared with your Google account credentials.
- Make a request to the API and check the response.
Google API_NAME API has not been used in project PROJECT_ID before or it is disabled
Issue: You cannot access the Google Cloud APIs using your OAuth 2.0 client credentials.
Cause: You are using a client ID created in one Google Cloud project to call an API that is enabled in another Google Cloud project.
A client ID from one Google Cloud project cannot be used to call APIs from another project, even if they are both under the same organization.
Resolution: Create a client ID in the Google Cloud project where the API is enabled. For more information, see Create OAuth 2.0 client ID credentials.
/GOOG/MSG : 461 - OAuth 2.0 Client Profile CLIENT_PROFILE_NAME is assigned to multiple OAuth 2.0 clients
Issue: You cannot access the Google Cloud APIs using your OAuth 2.0 client credentials.
Cause: You are calling a Google Cloud API
using an OAuth 2.0 profile that is assigned to more than one OAuth 2.0 client.
However, the OAuth 2.0 client configuration name is not specified in the
Authorization Parameter 2
field of the client key table /GOOG/CLIENT_KEY
.
Resolution: To assign an OAuth 2.0 profile to more than one OAuth 2.0 client,
you must define a unique configuration name for each OAuth 2.0 client, and
specify the configuration name in the Authorization Parameter 2
field
of the client key table /GOOG/CLIENT_KEY
. For more information, see Multiple Google Cloud projects scenario.
/GOOG/MSG : 461 - No refresh token available for current user
Issue: You cannot access the Google Cloud APIs using your OAuth 2.0 client credentials.
Cause: You are calling a Google Cloud API using OAuth 2.0 client credentials without granting the OAuth 2.0 refresh token for the client ID.
Resolution: Request an OAuth 2.0 token for the client ID using your Google account credentials. For more information, see Request OAuth 2.0 access tokens.
Access blocked: This app's request is invalid (Error 400: redirect_uri_mismatch)
Issue: When you request OAuth 2.0 access tokens, the Sign in with Google
screen is displayed with the error message Access blocked: This app's request is invalid (Error 400: redirect_uri_mismatch)
.
Cause: The authorized redirect URI in the OAuth 2.0 client ID credentials is incorrect or not maintained.
Resolution: To resolve this issue, complete the following steps:
- In your SAP system, enter transaction code
OA2C_CONFIG
. The SAP login page opens in your default browser. - Log in with your SAP credentials.
- Select the required client ID.
- From the Redirection URI field, make a note of your SAP redirection URI.
In the Google Cloud console, go to Menu > APIs & Services > Credentials.
Select the client ID of your Web application.
In the Authorized redirect URIs field, enter the SAP redirection URI.
Save the changes.
/GOOG/MSG : 406 - IcmIConnCheckClientEnabled: Connect for protocol HTTP denied by configuration HTTP Response
Issue: You cannot access the Google Cloud APIs.
Cause: The HTTP port configuration is missing in your SAP system.
Resolution: Both HTTP and HTTPS ports must be created and be active in your SAP system.
The VM metadata is stored on a metadata server, which is only accessible through an HTTP port. Therefore, to access VM metadata, you must ensure that an HTTP port is active. You must also ensure that an HTTPS port is active for subsequent API calls.
To resolve this issue, complete the following steps:
In the SAP GUI, enter transaction code
SMICM
.On the menu bar, click Goto > Services.
Make sure that the HTTP and HTTPS ports are created and active. A green check in the Actv column indicates that the HTTP and HTTPS ports are active.
For information about configuring the HTTP and HTTPS ports, see HTTP(S) Settings in ICM.
/GOOG/MSG: 403 - Request had insufficient authentication scopes
Issue: API call failed with the error message /GOOG/MSG: 403 - Request
had insufficient authentication scopes
.
Cause: For your SAP workload that is running on Google Cloud, in the
table /GOOG/CLIENT_KEY
, the specified service account does not have the
required scope to access Google Cloud APIs.
Resolution: To resolve this issue, complete the following steps:
In the Google Cloud console, go to the Compute Engine VM instances page.
Click the VM instance where your SAP workload is running.
Click Stop, and then follow the instructions to stop the VM instance.
Click Edit.
For the associated service account, edit the Access scopes to allow full access to all Cloud APIs.
Click Save.
Click Start / Resume to restart the VM instance.
Error in HTTP Request: Invalid version (44)
Issue: You are not able to delete an object from a Cloud Storage bucket by using
the DELETE_OBJECTS
method of the /GOOG/CL_STORAGE_V1
class.
Your request failed with the error message Error in HTTP Request: Invalid version (44)
.
Cause: The name of the object that you're deleting contains spaces.
Resolution: Before calling the DELETE_OBJECTS
method of the /GOOG/CL_STORAGE_V1
class, you need to make
sure that the object name doesn't contain any spaces.
To resolve this issue, perform the following steps:
Call the
cl_http_utility=>escape_url( OBJECT_NAME )
method.Replace
OBJECT_NAME
with the object name that you need to delete.The method returns the object name after replacing any spaces in the name with
%20
, making it URL-safe.Call the
DELETE_OBJECTS
method of the/GOOG/CL_STORAGE_V1
class with the object name returned from the preceding step.
/GOOG/MSG: 405 - Error in HTTP Request: Invalid request line(9):
Issue: While creating a new Pub/Sub topic by
using the CREATE_TOPICS
method of the /GOOG/CL_PUBSUB_V1
class, your request failed with the error message /GOOG/MSG: 405 - Error in HTTP Request: Invalid request line(9):
.
Cause: The name of the Pub/Sub topic that you're creating contains spaces.
Resolution: You must remove any spaces from the Pub/Sub topic name.
Make sure that the Pub/Sub topic name adheres to the following rules:
- Start with a letter
- Not begin with
GOOG
- Not contain any space
- Contain between 3 and 255 characters
- Contain only the following characters: letters
[A-Za-z]
, numbers[0-9]
, dashes(-)
, periods.
, underscores_
, tildes~
, percent signs%
, and plus signs+
For more information on Pub/Sub topic naming guidelines, see Guidelines to name a topic, subscription, schema, or snapshot.
Error messages returned by Google Cloud APIs
Every API client stub has the exporting parameters that provide API return code and error messages.
ev_ret_code
contains the HTTP status codes. In case of an error returned by an API, this parameter contains a value4XX
.ev_err_resp
contains the error category and error message returned by an API.
The following example shows an API returned error when you create a new Pub/Sub topic with a topic name that already exists.
ERROR_TEXT
: ConflictERROR_DESCRIPTION
: Resource already exists in the project (resource=SAMPLE_TOPIC_01
)
Get support from the community
Ask your questions and discuss ABAP SDK for Google Cloud with the community on Cloud Forums.
Get support
If you need help resolving problems with the ABAP SDK for Google Cloud, then collect all available diagnostic information and contact Cloud Customer Care.
For more information about contacting Cloud Customer Care, see Getting support for SAP on Google Cloud.