SEC_TRACE_ANALYZER: HTTP Request Tracer and Recorder

Posted by — May 12, 2026 in SAP PROGRAM Leave a reply

The SEC_TRACE_ANALYZER report enables you to comfortably trace HTTP communications. The report traces the ICF service and the user under which the service was called. Unlike tracing in SM50, you do not need to know the work process number under which your scenario has been run.

In addition, the report enables you to have all the tracing functions you need in one place.

The report does not introduce a new tracing environment. The report just reuses existing tracing tools, namely, kernel trace, ICM trace and ICF recorder. The report combines the steps described in the following SAP Notes:

  • 507994 Generating plug-in trace files for troubleshooting
  • 724804 Using the ICF recorder for troubleshooting
  • 495911 Trace analysis for logon problems
  • 1370207 Creating work process trace files

Integration

This trace only works on the current application server. The HTTP requests must be executed on the current application server.

Note: Sometimes error responses are not traced. For example, ICM redirected the HTTP client, but the client did not send the authentication credentials to the new URL. ICF sends an HTTP 401 return code and an error stating that authentication data is missing.

The only way to see the request or response is to look into the ICM trace (see SAP Notes 1318906 or 507994) or the ICF recorder (see SAP Note 724804).

Activities

Setting Up the Trace

  1. Configure the basic options.
    Set the ICF service, the trace level, and timeout. Set your target directory for downloads.
  • ICF Service
    • Choose the ICF service for which you want to record traces. Choosing /sap/bc traces all requests sent to this URL and any services in the service hierarchy. Wild cards like /sap/bc/* are not supported and result in the tracing not working.
  • Level
    • 1 = Errors only
    • 2 = Trace execution paths and some details
    • 3 = Verbose, includes messages, too
      • Recommended value is 2.
  • Timeout
    • Set how long in hours, minutes, and seconds your trace response should record until it is automatically deactivated.
  • Target directory for download
    • Enter a path to download the trace file.
  1. Determine if you want to limit the trace to specific users and clients.
    We recommend that you limit the size of traces by being as specific as possible. Trace specific users on specific clients for specific ICF services.
  • Logon Trace (got HTTP 401)
    • Choose this option to trace authentication problems, usually indicated by an HTTP 401 return code. Dummy user is used to read the traces of all sessions that haven’t been authenticated, for example, because of a failed authentication attempt.
  • Client dependent
    • Choose this option to activate the trace response HTTP request and response recording inside the current client only.
    • Clear this option to activate tracing for the whole application server and for all clients in the application server.
    • Client-independent tracing (option unchecked) always records the requests of all users for the given ICF service. When you attempt to read the trace file, supply a specific user, whose traces you want to read.
  • User
    • This option is only available for client-dependent tracing.
    • Select a user whose traces you want to record. Enter [ALL] to see traces of all users including unauthenticated sessions.
  1. Determine if you want to record HTTP requests and responses or set the ICM trace level.
  • Record Requests
    • Select this option to enable the ICF Recorder to record requests and responses. The recorder is activated when the trace is activated.
    • In conjunction with option Logon Trace, the logon procedure is recorded as well. In the ICF Recorder, you can see the logon return codes.
    • These options together are extremely helpful when analyzing all kinds of logon problems. Sometimes you get a HTTP 401 response but no trace is written; for example, no authorization data was sent. The only way to analyze such issues is to use the ICF Recorder.
    • To see the recorded requests, choose Show ICF Recordings.
  • Set ICMAN
    • Trace Level Sets the trace level of the ICM. This is the same function as in transaction SMICM under the menu Goto > Trace Level.
  1. Determine if you want to reset the trace files.
    Only reset the trace files if you are sure that no one else in the system is trying to evaluate traces at the same time. Resetting the trace files deletes the trace data other users are collecting.
    To delete the trace history when activating a new trace, choose the Reset Trace Files option.

Gathering Traces

  • Start report SEC_TRACE_ANALYZER.
  • Choose Activate.
  • Perform the activity that led to the problem you want to troubleshoot.
  • Choose Deactivate.
  • Review the results. Choose Show to view the results in the system or choose Download to view the files locally

You May Also Like

RSSOEXTCOM: External Communication Settings

HRALXSYNC: Object Synchronization and Repair

RSAU_TRANSFER: File-Based Transports of SAL Configuration

REGENERATE_SAP_APP: Create Full Authorizations for Applications

Leave a Reply?