Troubleshooting the ABAP Agent

Prerequisites

Before troubleshooting, confirm the following are in place:

• Windows: Windows 10 version 1903+ or Windows Server 2022+

• SAP: NetWeaver 7.4.8+ with SCMON capability

• ABAP Addon: Installed on QAS system via SAINT transaction (provides /TRICE/ namespace RFCs)

• Network: RFC access to SAP systems (port 33xx) and HTTPS access to SeaLights API endpoints

• Agent Config: Valid config.toml with correct RFC, pipeline, and SeaLights settings

Agent Logs

After initial onboarding, the agent's core operations (build mapping, build modifications, footprint collection) run as Windows Scheduled Tasks in the background. There is no interactive console output for these tasks. Logs are the primary tool for diagnosing issues once the agent is onboarded and running.

Log File Location

Log files are written to:

{userData}/public/{PIPELINE_NAME}/{TASK_NAME}_{DATE}.log

Where:

• {userData} is the userdata path configured in the [settings] section of config.toml (default: ../userData relative to the install directory).

• {PIPELINE_NAME} is the pipeline name as defined in [[pipeline]] in config.toml.

• {TASK_NAME} is the agent action: INIT_BUILD_MAP, BUILD_MODS, or FOOTPRINTS.

• {DATE} is the date the log was created.

Example paths:

Log Levels

The log level is configured in the [logging] section of config.toml:

For troubleshooting, temporarily increase the log level to debug or trace to capture detailed RFC calls, HTTP requests, and data processing steps. Remember to set it back to info after resolving the issue to avoid excessive log growth. You will need to restart any scheduled jobs currently running.

What to Look For

When a scheduled task fails or produces unexpected results, check the corresponding log file for:

• [error] lines — direct error messages with exception details and source file references.

• RFC errors — connection, authorization, and data retrieval failures (see SAP System Errors below).

• HTTP errors — SeaLights API communication failures, SSL issues, or token problems (see SeaLights Backend Errors below).

• Repeated restarts — if the same task keeps restarting and logging the same error, it indicates a persistent configuration or authorization issue that requires manual intervention.

Log Rotation

Logs are rotated daily. Old log files are automatically purged after the configured retentionperiod (default: 14 days) when the purgelogs task is scheduled:

Diagnosing SAP Authorization Role Issues

The agent requires the SAP role /TRICE/SL_AUTHS assigned to the RFC user. This role contains the following authorization objects:

/TRICE/OBJ — SeaLights Custom Authorization

S_RFC — RFC Function Module Access

S_TABU_NAM — Table Name Access

S_TABU_RFC — RFC Table Access

SAP System Errors

These errors originate from the SAP system side — RFC connectivity, user credentials, and authorization configuration. Use slabapcli rfc test --name <rfc_name> as a first diagnostic step.

E-001: RFC Communication Failure

Error message:

Cause:

• The hostname configured for the RFC connection in config.toml is incorrect or unreachable.

• The target SAP system is currently down or unreachable.

• The RFC connection was unexpectedly disconnected (network issue, firewall, SAP router).

Resolution:

1. Verify the hostname and sysnr values in the [[rfc]] section of config.toml.

2. Confirm the SAP system is running (SM51 or ping the host).

3. Check network connectivity and firewall rules for RFC port 33<sysnr>.

4. If using a SAP router, verify the router string in config.toml.

5. Test the connection: slabapcli rfc test --name <rfc_name>.

E-002: RFC Logon Failure

Error message:

Cause:

The client, username, or password specified in config.toml for the RFC connection is incorrect.

Resolution:

1. Verify the client, username, and password values in the [[rfc]] section.

2. Remember that username and password are stored encrypted — use slabapcli rfc set to re-enter credentials if needed.

3. Check that the SAP user account is not locked (transaction SU01).

4. Confirm the user is authorized for the specified client.

5. Test the connection: slabapcli rfc test --name <rfc_name>.

E-003: RFC Authorization Missing — RFCPING

Error message:

Cause:

The RFC user is missing authorization object S_RFC with field RFC_NAME = RFCPING.

Resolution:

Add to the user's authorization role:

Activate the role and regenerate the user's authorization profile (transaction SU01 > User tab > compare/regenerate, or PFCG to maintain the role).

E-004: RFC Invalid Handle — Missing Function Metadata Authorization

Error message:

Cause:

The RFC user is missing authorization for one or both of these function modules:

• DDIF_FIELDINFO_GET

• RFC_GET_FUNCTION_INTERFACE

Without these, the agent cannot retrieve function module metadata needed to make subsequent RFC calls.

Resolution:

Add to the user's authorization role:

E-005: SeaLights Custom Authorization Missing

Error message:

Cause:

The RFC user is missing the SeaLights custom authorization object /TRICE/OBJ with field /TRICE/CMP = CORE and activity 16 (Execute).

This object is part of the ABAP Addon and controls access to the SeaLights custom RFCs in the /TRICE/ namespace.

Resolution:

Add to the user's authorization role:

Ensure the ABAP Addon is installed on the target system (via SAINT transaction) — this object is only available after addon installation.

E-006: Table Read Authorization Missing

Error message:

Cause:

The RFC user's authorization role is missing one or both of:

1. Authorization object S_TABU_RFC with field ACTVT = 33 (Read via RFC).

2. Authorization object S_TABU_NAM with the required table names.

The agent reads the following SAP tables during build mapping and footprint collection:

Resolution:

Add both authorization objects to the role:

Object 1 — S_TABU_RFC:

Object 2 — S_TABU_NAM:

E-007: PHD Database Error — ST03 Data Not Available

Error message:

Cause:

The ST03 workload statistics collector is not running on the SAP PRD system. During build mapping, the agent reads Performance History Data (PHD) from the PRD system to determine which packages and modules are actively used. When ST03 data is not available, the PHD database file is empty or corrupted, causing this error.

How to diagnose:

The buildmap process restarts repeatedly and this error appears in the agent logs each time.

Resolution:

1. Log in to the SAP PRD system and run transaction ST03 (or ST03N).

2. Verify that the workload statistics collector is active. If not, start it.

3. Ensure data has been collected for the retention period configured in config.toml under [rfcdata.prd] retentionperiod.

4. After ST03 is running and data is available, delete the corrupted PHD database file from {userData}/{pipeline}/ and re-run the buildmap: slabapcli buildmap run --pipeline <name>.

Alternatively, if ST03 cannot be enabled on the PRD system, export ST03 data manually from the SAP GUI and use the PHD import feature:

ABAP Addon Not Installed

If you see NO_SEALIGHTS_AUTHORIZATION or errors referencing /TRICE/ function modules:

1. Verify the addon is installed: check transaction SAINT on the target SAP system.

2. The addon package files (*.SAR, *.PAT) are provided in the abap_addon/ directory of the agent distribution.

3. The addon must be installed on both QAS and PRD systems referenced in the pipeline.

SeaLights Connection Errors

These errors relate to the agent's communication with the SeaLights API. Use slabapcli sealights test as a first diagnostic step.

E-008: SSL Certificate Verification Failed

Error message (from slabapcli sealights test):

Cause:

The agent cannot verify the SSL certificate of the SeaLights API endpoint. This typically occurs when:

• The agent host is behind a corporate proxy or firewall that performs SSL inspection (man-in-the-middle).

• The SeaLights API uses a certificate signed by an internal or private Certificate Authority not in the system's trust store.

• The Windows certificate store is missing intermediate or root CA certificates.

Resolution:

Add the following section to config.toml to disable SSL certificate verification:

Note: Disabling SSL verification reduces transport security. Use this as a workaround in controlled environments. The preferred long-term fix is to install the required CA certificates into the Windows trust store.

SeaLights API Connectivity

Test the connection to the SeaLights backend:

If this fails, check:

• The token in [sealights] configuration is valid and not expired.

• HTTPS outbound access to SeaLights API endpoints is not blocked.

• If using a proxy, verify [proxy] settings in config.toml.

• If the error mentions SSL certificate verification, see E-008.

General Troubleshooting

Verifying Configuration

List the current agent configuration to confirm settings are loaded correctly:

Windows Task Scheduler Issues

The agent schedules background tasks via Windows Task Scheduler. If tasks are not running:

1. Open Task Scheduler (taskschd.msc) and look for SeaLights tasks.

2. Verify the agent was run with administrative privileges.

3. Check the task history for failure reasons.

4. Re-schedule: slabapcli buildmods run --pipeline <name>.

Quick Diagnostic Checklist

Use this checklist when onboarding a new SAP system:

• ABAP Addon is installed on SAP system

• SAP system is reachable from the agent host (ping/telnet port 33xx)

• RFC user exists and is not locked (SU01)

• Role /TRICE/SL_AUTHS is assigned to the RFC user

• Authorization profile is regenerated after role assignment

• ST03 process is enabled on SAP system

• SCMON process is enabled on SAP system

• slabapcli rfc test succeeds for every onboarded RFC