Configuration of the S/4 HANA System

Contents

  • Persona
  • Prerequisites
  • Resources
  • Application of Relevant SAP Notes
  • Generation of Signed Client Certificate (CSR) and PSE
  • Generation of S/4 Technical User Credentials
  • Import Certificate Response from BDC Formation into S/4 HANA System
  • RFC Destination Setup in S/4 HANA System
  • Register Outbound Connection in SAP S/4 HANA System
  • Cloud Connector Configuration
  • Determine Instance Number for S/4 PCE System

Persona

This lesson provides a view-only overview of configuring the S/4 system in preparation for its inclusion in the SAP Business Data Cloud Formation. It also describes the exchange of parameters and configuration between the S/4 system and the SAP Business Data Cloud components.

Note

The steps are a guide and may not be complete.

Note

The user access to the described systems — such as SAP for ME, SAP S/4HANA PCE, or SAP Business Data Cloud components — is not provided, and the configuration lessons are for

Prerequisites

  • Productive S/4HANA Private Cloud Edition system which is already available on Unified Customer Landscape.
  • If the S/4HANA Private Cloud Edition system does not appear in UCL, then you need to check if the Lifecycle Status of the S/4 PCE system is set to value LIVE in Cloud Reporting Tool (SPC). For example, for a customer called CUSTOMER_1 open SPC as follows: https://spc.ondemand.com/open?SYS=S4PCE_SYSTEM_NUMBER_OF_CUSTOMER_1. Then, navigate to the Tenants tab and look up the S/4 tenant that the customer wants to use. Here, the Lifecycle Status of the S/4 PCE system in question must be set to value LIVE.
  • All compatible versions of the S/4 systems are listed in this SAP Note.

Resources

Here are some additional useful documents for the steps involved:

Application of Relevant SAP Notes

  1. The umbrella SAP Note has to be applied to the S/4 system during preparation. These notes install the new Push Framework and the Tenant Mapping™ modules in the S/4 system.

Note

You can also refer to the SAP Note

Generation of Signed Client Certificate (CSR) and PSE

  1. Call the transaction strust in the system as shown in the following image.

  2. Open the tab Environment > SSL Client Identities of System as shown in the following image. Here, we need to define the client identity of the system.

  3. Select Choose.

  4. Select New Entries.

  5. Add a new entry in the table with a name of your choice. Choose a meaningful string so that the entry is easy to identify. Save and exit.

Note

If the creation of New Entry is disabled or does not work, then here is a workaround: Edit through transaction
  6. Select the newly created PSE node and right-click Create. Information on how to create the PSE (Private Secure Environment) can be found here.

  7. In the pop-up that appears, choose Revise DN (Distinguished Name) by choosing the edit button (pencil icon).

  8. Enter the components of the Distinguished Name (DN) of the system in the corresponding fields and choose Enter. There are various attributes with fixed and variable values.

Sample subject patterns which need to be defined in the CSR

Here is a sample subject pattern:

    CN=staging, L=, OU=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXXX, OU=SAP Cloud Platform Clients, O=SAP SE, C=DE

    Additional Consideration:

    For cf-eu10-canary, an additional key value pair needs to be included as shown here:

    CN=staging, L=, OU=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXXX, OU=Canary, OU=SAP Cloud Platform Clients, O=SAP SE, C=DE

    C, O and the OU with the value SAP Cloud Platform Clients are static. Only the OU that carries the Global Account ID changes per regional deployment of BDC/FOS, so you must be aware in which region (EU/US) the formation is being created.

    OU is the Global Account ID of BDC(FOS) and is different per landscape:

    • cf-eu10-canary: e48c7cf9-a4e0-4dcc-bc62-4a3d88f58bb0
    • cf-eu10 (Live): 3c869ade-ce89-4ee1-a2ff-a6e617e56fdf
    • cf-us10 (Live): 7ebe6a33-3f74-47a7-998b-e16fa688d739
    • cf-jp10 (Live) (not yet operational): 7f8747f0-f87e-4283-8aa4-34bdac27a895

    For example, if EU-10 and US-10 have different provider subaccounts, you would need to refer to the documentation matrix broken down per region and hyperscaler. The only tenant-specific information is in L.

    The following is what another sample subject might look like:

    • CN=staging, L=850432635, OU=3c869ade-ce89-4ee1-a2ff-a6e617e56fdf, OU=SAP Cloud Platform Clients, O=SAP SE, C=DE

    Additional Consideration:

    For cf-eu10-canary, an additional key value pair needs to be included as shown in the following image. Hence, a sample subject would be as follows:

    CN=staging, L=, OU=e48c7cf9-a4e0-4dcc-bc62-4a3d88f58bb0, OU=Canary, OU=SAP Cloud Platform Clients, O=SAP SE, C=DE

    In certain cases, the S/4 System ID might have a "$" at the beginning, for example, "$0204398045". We need to remove the "$" from the beginning and use the remaining part only.
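
    As an added example (not SAP tooling and not part of the original lesson), the following Python code builds the subject described above for a given landscape and lists the deviations in a subject string before the CSR is generated. It assumes that L carries the S/4 System ID and that CN=staging is fixed, as the samples on this page suggest; the function names are hypothetical.

```python
import re

# Global Account IDs of BDC (FOS) per landscape, copied from this page.
GLOBAL_ACCOUNT_OU = {
    "cf-eu10-canary": "e48c7cf9-a4e0-4dcc-bc62-4a3d88f58bb0",
    "cf-eu10": "3c869ade-ce89-4ee1-a2ff-a6e617e56fdf",
    "cf-us10": "7ebe6a33-3f74-47a7-998b-e16fa688d739",
    "cf-jp10": "7f8747f0-f87e-4283-8aa4-34bdac27a895",
}

def expected_subject(landscape, system_id, cn="staging"):
    """Ordered (key, value) pairs of the subject pattern this page describes."""
    sid = system_id.strip()
    if sid.startswith("$"):            # the page: drop a leading "$"
        sid = sid[1:]
    if not sid or re.search(r"[,=+$\s]", sid):
        raise ValueError(f"unusable system ID: {system_id!r}")
    pairs = [("CN", cn), ("L", sid), ("OU", GLOBAL_ACCOUNT_OU[landscape])]
    if landscape == "cf-eu10-canary":  # extra key/value pair for canary
        pairs.append(("OU", "Canary"))
    return pairs + [("OU", "SAP Cloud Platform Clients"), ("O", "SAP SE"), ("C", "DE")]

def format_subject(pairs):
    return ", ".join(f"{key}={value}" for key, value in pairs)

def parse_subject(subject):
    """Split subject text in the page's 'K=V, K=V' notation into pairs."""
    pairs = []
    for part in subject.split(","):
        key, sep, value = part.strip().partition("=")
        if not sep:
            raise ValueError(f"not a key=value component: {part!r}")
        pairs.append((key.strip().upper(), value.strip()))
    return pairs

def check_subject(subject, landscape, system_id):
    """Return a list of mismatches between a subject string and the pattern."""
    want, got = expected_subject(landscape, system_id), parse_subject(subject)
    problems = [f"position {i}: expected {w[0]}={w[1]}, found {g[0]}={g[1]}"
                for i, (w, g) in enumerate(zip(want, got)) if w != g]
    if len(want) != len(got):
        problems.append(f"expected {len(want)} components, found {len(got)}")
    return problems

if __name__ == "__main__":
    print(format_subject(expected_subject("cf-eu10-canary", "$0204398045")))
    typed = ("CN=staging, L=$0204398045, OU=3c869ade-ce89-4ee1-a2ff-a6e617e56fdf, "
             "OU=SAP Cloud Platform Clients, O=SAP SE, C=DE")  # "$" left in by mistake
    print(check_subject(typed, "cf-eu10", "$0204398045"))
```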

    Note

    When the PSE was created, it also created the private key for the corresponding PSE. This results in a private key and a self-signed certificate which can be used to create a certificate signing request.
    9. With the private key and the self-signed certificate, we will create a certificate signing request using Create Certificate Request. Double-click the PSE node to open the dialog.

    10. Keep the default for the signature algorithm (PSE Algorithm) and choose Enter.

    11. A dialog appears with the contents of the CSR.

    Tip

    Make a note of (save) the CSR contents as this will be required later, when adding the S/4 System to the Formation in BTP.

    Note

    The Private Key stays in the PSE and only the CSR is used outside, that is, as an input for the Formation.
    12. Choose Continue.

      The generated CSR can be used later for the SAP BDC Formation. This Certificate Signing Request can be sent to the Certificate Signing Authority through SAP Business Data Cloud.

    Generation of S/4 Technical User Credentials

    1. Create a technical user (transaction SU01) for inbound communication for calling API and assign respective authorizations.

    2. This is the technical user that is required for the BDC Formation. It must be created with all the relevant roles and authorizations by the S/4 admin. A password must also be chosen for the technical user and the type of the user is System.

    For a more detailed guide about the technical user creation, please refer to Creation of S/4 Technical User lesson.

    Import Certificate Response from BDC Formation into S/4 HANA System

    Creation of the BDC Formation can be performed as described in the Basic Configuration of SAP Business Data Cloud lesson.

    1. After the Formation is created, in the Formation tab in SAP for Me, view the configuration for the added S/4 system as shown in the following image.

    2. View the different parameters that are generated here as shown in the following image:

      • systemMapping: this configuration has to be imported in the Cloud Connector
      • additionalAtrributes -> S4AdditionalAttributes: Host, Port and Path Prefix are required for the configuration of the RFC destination in S/4 system
      • additionalAtrributes -> S4AdditionalAttributes: clientCertificate: The clientCertificate contents must be imported as the response for the PSE that was generated in the second step
      • authenticationMetadata: Required for the configuration of SCC (SAP Cloud Connector)

    Tip

    Save the contents of these configuration parameters because the different elements are required for the upcoming steps in the setup.
    3. Copy the certificate contents and paste/import them as the response of the generated PSE.

    Note

    This certificate is complete up to Root CA.

    Import Digicert Certificates

    In the S/4HANA system, we need to import two Digicert certificates in the trusted certificates list.

    1. The certificates can be downloaded from the Digicert website from the links below:

    2. In the transaction strust, choose Import certificate as shown in the following image and import each of the certificates that were downloaded in the previous step. You can do this by selecting the certificate from the saved location and then choosing Add to Certificate List. Save your changes.

    RFC Destination Setup in S/4 HANA System

    As mentioned in the earlier tip, the S4AdditionalAttributes: Host, Port and Path Prefix are required for the addition of the RFC destination. We take these property values and create a Destination in S4.

    1. Open the S/4 system and start RFC transactions (Transaction SM59).

    2. Choose Create.

      • Enter an RFC destination name. For example - BDC_RFC_S4

      • Choose Connection type as HTTP Connection to External Server (G)

      • Choose Enter

    3. Enter a description:

    4. Go to the Technical Settings tab and enter the Host, Port and Path Prefix that you noted previously.

    5. If relevant, select the Logon & Security tab and enter the security settings as required.

      That is, make sure that the correct PSE ID (and not the Default one) is selected for the certificate that was imported while creating the PSE and that SSL is set to Active.

    6. Go to the Special Options tab and check the following settings.

      • HTTP Version - HTTP 1.1
      • Compression - Inactive
      • Compressed Response - Yes

    7. Save the RFC Destination.

    Register Outbound Connection in SAP S/4 HANA System

    Once the RFC connection is created, an outbound connection must be registered in ABAP Integration: Monitoring and Support Cockpit in SAP S/4HANA Cloud Private Edition. It is an administration tool for different scenarios regarding the extraction of data from an SAP system.

    Use a user-created RFC connection to create a virtual connection that allows Business Data Cloud Integration to connect to the cloud file storage system. In edit mode, you can create a virtual connection, and the system adds this virtual connection to the list of outbound connections.

    Note

    To use the Monitoring and Support Cockpit and perform expert functions, the user must have a custom role created from the template role SAP_DI_ABAP_USER.
    1. Start ABAP Integration: Monitoring and Support Cockpit (transaction DHADM).

    2. Choose the Outbound Connections in SAP Business Data Cloud Integration menu folder. In edit mode, choose Register.

    3. In the pop-up box, use the RFC Destination created in the previous step as Virtual Connection ID and Connection ID, and press Enter.

    4. To test the connection, select the relevant connection and choose Test.

    5. If the connection test is successful, you see the following message: Connection is OK.

    Cloud Connector Configuration

    Add the subaccount in the SAP Cloud Connector (SCC)

    Note

    Documentation about installation of SAP Cloud connector can be found
    1. Save the contents of authenticationMetadata token from the previous step as a file with name authentication.data. We need this token to add the BTP subaccount in SCC.

    2. In the SCC Administration tool, choose the Connector and choose Add Subaccount.

    3. Select the option to upload the metadata from a file.

    Tip

    If necessary, add a meaningful description for easier troubleshooting if support teams need to be notified. An example for a good description would be “#Name of S/4 PCE system# #Internal Hostname# Business Data Cloud”.

    Caution

    This is a time sensitive step. The contents of
    4. Finish the setup. The subaccount is added successfully.

    Add the configuration parameters from the BDC Formation into SCC.

    We have to prepare the account configuration file that can be imported in the SCC. The contents of the systemMapping parameter starting at the backends parameter must be saved in a file called account_config.json.

    Note

    The configuration has to be appended with brackets to match the required json format. This is a requirement for SCC. If you want to view a sample account_config.json file, refer to this
    Code Snippet

        {
          "backends": [
            {
              "sid": "BDC",
              "authMode": "NONE_CERTIFICATE_LOCAL",
              "protocol": "TCP",
              "cloudhost": "kymaxxxxx",
              "localhost": "xxxxxx.devsys.net.sap",
              "localPort": "xxxx",
              "resources": [],
              "backendType": "abapSys",
              "description": "DESCRIPTION",
              "creationDate": 1730796401642,
              "hostInHeader": "virtual",
              "allowedClients": [],
              "blacklistedUser": []
            }
          ]
        }

    1. Create a zipped folder for the account_config.json file with the configuration parameters.

    Tip

    The name of the file has to be account_config.json and the contents have to be prepared in the format as suggested previously. The name of the zipped folder is not relevant.
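
    One way to prepare the upload file, as an added example (not SAP tooling and not part of the original lesson): the Python code below adds the outer brackets to the systemMapping text if they are missing, checks that the result parses as JSON with a non-empty backends array, and writes it into a ZIP archive as account_config.json. The function names, the sample fragment and the set of checked keys are assumptions of this example.

```python
import io
import json
import zipfile

# Keys that the page's sample carries and its manual workaround asks for.
# Treating them as mandatory is an assumption of this example.
CHECKED_KEYS = ("protocol", "cloudhost", "localhost", "localPort", "backendType")

# Constructed sample: systemMapping text starting at "backends", without the
# outer brackets. Host names and port are placeholders, not real values.
SAMPLE_FRAGMENT = '''
"backends": [{"sid": "BDC", "authMode": "NONE_CERTIFICATE_LOCAL",
  "protocol": "TCP", "cloudhost": "virtual-host.example",
  "localhost": "s4host.example.internal", "localPort": "3300",
  "resources": [], "backendType": "abapSys", "description": "DESCRIPTION",
  "hostInHeader": "virtual", "allowedClients": [], "blacklistedUser": []}]
'''

def wrap_system_mapping(fragment):
    """Add the outer brackets if missing and return the parsed configuration."""
    text = fragment.strip().rstrip(",")
    if not text.startswith("{"):
        text = "{" + text + "}"
    config = json.loads(text)  # raises ValueError on malformed JSON
    backends = config.get("backends")
    if not isinstance(backends, list) or not backends:
        raise ValueError('"backends" must be a non-empty array')
    for index, backend in enumerate(backends):
        if not isinstance(backend, dict):
            raise ValueError(f"backend {index} is not an object")
        missing = [key for key in CHECKED_KEYS if not backend.get(key)]
        if missing:
            raise ValueError(f"backend {index} lacks {', '.join(missing)}")
    return config

def build_zip(config):
    """Return ZIP bytes holding exactly one member, account_config.json."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("account_config.json", json.dumps(config, indent=2))
    return buffer.getvalue()

if __name__ == "__main__":
    data = build_zip(wrap_system_mapping(SAMPLE_FRAGMENT))
    with open("scc_import.zip", "wb") as handle:  # archive name is arbitrary
        handle.write(data)
```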
    2. Using the Select Subaccount button, select the newly added BTP subaccount in SCC. Under the tab Cloud to On-Premise system, upload the account configuration file (zipped).

    3. Browse to the zipped folder and upload it as shown in the image below.

    Note

    If this step fails, you can skip to the
    4. Once the system mappings are imported, the access control to the on-premise system is still in Unchecked status.

    5. Select the Check Internal Host checkbox and choose Save. The system changes to Reachable status.

    Workaround

    If the upload of the zipped file is not successful, then you can update the parameters manually. The contents of the systemMapping parameter from the previous step will also be required for the workaround.

    1. Using the Select Subaccount button, select the newly added BTP subaccount in SCC. Under the tab Cloud to On-Premise system, use the Add (+) button to add the parameters manually.

    2. Back-end Type must be set to ABAP System. Choose Next.

    3. The Protocol must be set to TCP. Choose Next.

    4. The Internal Host is the localHost name from the systemMapping parameter that was saved from the previous step. 3300 is the Gateway port.

    5. The Virtual Host and Virtual Port values are the cloudHost and cloudPort values from the systemMapping parameter.

    6. Select the Check Internal Host checkbox and choose Finish.

    7. The destination added must be Reachable as shown in the following image.

    Determine Instance Number for S/4 PCE System

    1. For the creation of the SAP BDC Formation in a later step, you will be prompted to enter the S/4 PCE instance number. Note down the instance number for later use as follows.

    Congratulations! You have successfully configured the S/4 system.