Connectivity Configurations

Objectives

After completing this lesson, you will be able to:

  • Describe how to extract and upload certificates

Certificates

Before communication from and to your SAP back-end system can take place, authentication with public and private keys, or certificates, must be set up.

Communication from and to your SAP back-end system is based on B2B messages using SOAP and REST protocols. For authentication at SAP Business Network for Logistics, client certificates are used. Therefore, these certificates must be requested as a prerequisite. Several possible ways in which such key pairs (public and private key, sometimes also just called certificates) can be generated are listed below. A *.p12 file will be generated as a result. You may use any of the options.

Configuring Inbound to SAP Business Network for Logistics

Extracting a Client Certificate from a *.p12 File

Use the *.p12 file and KeyStore Explorer (https://keystore-explorer.org/) to extract the public certificate as follows:

  1. Open the *.p12 file and export the client certificate, which should have your company's common name (CN). Make sure that your company's certificate is extracted and not one of the CA certificates.
  2. Export the certificate in X.509 format and save as a *.cer file.

If you have created a new PSE in STRUST, the certificate can also be downloaded from the corresponding PSE within STRUST.
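
The same extraction can be scripted with the OpenSSL command line instead of KeyStore Explorer. This is an added example, not part of the original lesson; the file sample.p12, the password, and the names "Example Company" and "Constructed Test CA" are constructed so that the script runs offline.

```shell
#!/bin/sh
# Added example: pull only the client (leaf) certificate out of a PKCS#12 file.
set -eu

# extract_client_cert P12 OUT: password is read from $P12_PASS (not argv, so it
# stays out of the process list). -clcerts keeps the certificate that belongs
# to the private key and drops CA certificates; -nokeys omits the private key.
extract_client_cert() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -clcerts -nokeys |
        openssl x509 -outform PEM -out "$2"
}

# dn FILE FIELD: print the subject or issuer DN in RFC 2253 form.
dn() { openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed "s/^$2= *//"; }

# cert_cn FILE: print the subject common name.
cert_cn() { dn "$1" subject | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1; }

# is_self_signed FILE: true for a root CA certificate (subject equals issuer).
is_self_signed() { [ "$(dn "$1" subject)" = "$(dn "$1" issuer)" ]; }

# make_sample_p12 DIR: constructed test CA plus client key pair -> DIR/sample.p12
make_sample_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Company" \
        -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
    openssl x509 -req -in "$1/client.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/client.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$1/client.key" -in "$1/client.pem" \
        -certfile "$1/ca.pem" -passout env:P12_PASS -out "$1/sample.p12"
}

# Demonstration on the constructed file; replace with your own *.p12 and password.
P12_PASS="constructed-demo-password"; export P12_PASS
work=$(mktemp -d)
make_sample_p12 "$work"
extract_client_cert "$work/sample.p12" "$work/company.cer"
echo "CN: $(cert_cn "$work/company.cer")"
openssl x509 -in "$work/company.cer" -noout -fingerprint -sha256
if is_self_signed "$work/company.cer"; then echo "WARNING: root CA, not a client cert"; fi
rm -rf "$work"
```

The printed CN and SHA-256 fingerprint can be compared with what the System Connection app shows after upload, to confirm that the company certificate was uploaded and not a CA certificate.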

Useful link:

Export/import a PSE from/to STRUST

Uploading the Certificate to SAP Business Network for Logistics via System Connection App

Perform the following steps:

  1. Create a connection.
  2. Upload the certificate to SAP Business Network for Logistics. You can refer to the application help here: Authenticating Inbound Messages to SAP Logistics Business Network.
  3. Download the certificate chain. With this step, SAP Business Network for Logistics provides you with the certificate needed to authenticate inbound communication. Refer to the application help here: Using Client Certificate Authentication. The .p7b file will be downloaded.

Configuring in SAP Process Integration or SAP Cloud Integration to Maintain Certificate and Links

This is a prerequisite for SAP Process Integration:

  • Configuring Business Systems with Integration Engine: https://help.sap.com/viewer/6dbe2ddcde6a4087858c533f8032445b/7.5.16/en-US/48a9bc5d7e28674be10000000a421937.html
  • Configuring the Use of SSL on the AS Java (connectivity via SAP Process Integration): https://help.sap.com/viewer/a42446bded624585958a36a71903a4a7/7.5.5/en-US/4a015cc68d863132e10000000a421937.html

Uploading Certificates

Depending on which method you choose, you need to upload the certificate to SAP Process Integration, SAP Cloud Integration, SAP Transportation Management (SAP TM) standalone, or Transportation Management embedded in SAP S/4HANA.

Maintaining an LBN Endpoint

Depending on your middleware – either SAP Process Integration or SAP Cloud Integration – you have to follow one of the following related sections:

  • Maintaining an LBN Endpoint in SAP Process Integration
  • Maintaining an LBN Endpoint in SAP Cloud Integration

Maintaining an LBN Endpoint in SAP Process Integration

In the target URL of your integration system, maintain the following URL to forward the messages to the SAP Cloud Integration system: https://l20398-iflmap.hcisbp.eu1.hana.ondemand.com/cxf/lbn/b2b/soap/v1.

You must configure the following interfaces in your integration system:

Outbound interfaces:

  • TransportationOrderCancellationRequest_Out
  • TransportationOrderQuotationCancellationRequest_Out
  • TransportationOrderQuotationCreateRequest_Out
  • TransportationOrderQuotationNotification_Out
  • TransportationOrderRequest_Out
  • TransportationOrderChargeElementConfirmation_Out
  • TransportationOrderGenericTrackedProcessRequest_Out
  • TransportationOrderBookingWaybillNotification_Out
  • LocationBulkReplicationRequest_Out

The sample configuration is just a high-level overview on one message type without message mapping on SAP Process Integration. Several other options to configure the message routing are outlined below.

Receiver Determination:

  • The interface and interface namespace are required for the message type to be forwarded to SAP Business Network for Logistics.
  • You must specify the receiver communication component representing SAP Business Network for Logistics (with or without a routing condition).

Receiver Agreement:

  • For the determined receiver and interface, specify the technical communication channel that is connected to SAP Business Network for Logistics.

Receiver Communication Channel:

  • Select the SOAP adapter type.
  • The receiver communication channel needs to have the following target URL: https://l20398-iflmap.hcisbp.eu1.hana.ondemand.com/cxf/lbn/b2b/soap/v1
  • The keystore entry and keystore view must reference the certification key that should be used for authentication at SAP Business Network for Logistics.
  • If a connection to SAP Business Network for Logistics can only be established via a proxy, specify your company's proxy settings.

Configuring Outbound from SAP Business Network for Logistics

You must set up the endpoints for all the inbound interfaces in SAP Business Network for Logistics as follows:

  • TransportationOrderConfirmation_In
  • TransportationOrderQuotationConfirmation_In
  • TransportationOrderChargeElementRequest_In
  • InvoiceRequest_In
  • TransportationEventBulkNotification_In

During this step, you need to decide which of the following methods you will use:

  • Connecting via a reverse proxy
  • Connecting via the Cloud Connector
  • Connecting via Basic Authentication

To help you decide which setup you need, you may refer to the document Outbound/On-Premise: Reverse Proxy or SAP Cloud Connector on SAP Help Portal.

Configuration in SAP Back-End Systems via SOA Manager

Setting Up Trust

Web Service Runtime (SAP ABAP)

ABAP Web Services

SAP NetWeaver Application Server for ABAP provides a standardized architecture and a set of tools for creating Web services and related objects. Existing BAPIs or remote-enabled function modules can be used for setting up Web services, or you can develop new Web services in the Object Navigator of SAP NetWeaver AS for ABAP. There are predefined settings for securing Web services or the transports being used. ABAP Web services can be used for communication between SAP systems and between SAP and non-SAP systems. When using the Web Service runtime, this is a direct connection from the SAP back-end system to SAP Business Network for Logistics with no middleware involved.

Configuring HTTPS at Transport Level with X.509 Certificate Authentication

For information on how to configure HTTPS at transport level, see the following document on SAP Help Portal: Configuring HTTPS at Transport Level with X.509 Certificate Authentication.

Using a New PSE in SAP Back-End System

Create a new PSE in STRUST that contains the relevant private key and certificates required for communicating with SAP Business Network for Logistics. To do so, perform the following steps:

  1. Go to the transaction STRUST.
  2. In the menu bar, under the option Environment, choose SSL Client Identities.
  3. Create a new entry for SAP Business Network for Logistics.
  4. Save your settings.

Trust Manager

For information on how to establish trust relationships with the trust manager, see the following document on SAP Help Portal: Trust Manager.

Either you already have a signed key pair (*.p12 file) that you can import, or you create a new PSE.

To import the key pair, perform the following actions:

  1. Go to the transaction STRUST.
  2. Choose PSE from the menu options.
  3. Choose Import.

    Once you have imported the key pair, carry out the following steps:

    1. Go to the menu option PSE.
    2. Save as SSL Client.
    3. Select the newly created folder (as defined in the previous step).

    As a result, you have now imported a separate certificate that is later used for authentication in SAP Business Network for Logistics.

    For further information, refer also to SAP Knowledge Base Article (KBA) 1850809: Reorder a certificate chain using Netweaver Administrator.

  4. Download the runtime SSL certificate from the following URL: https://l20398-iflmap.hcisbp.eu1.hana.ondemand.com.
  5. Select the site information.
  6. Choose the certificate and save the root and intermediate certificate to *.cer format.
  7. From the *.p7b file (which you downloaded and saved in previous chapters), extract the root and intermediate *.cer files.

    In the example shown in the image to the right, these are the DigiCert Global Root G2 and DigiCert Global CA G2 certificates. You can do this via the KeyStore Explorer tool (https://keystore-explorer.org/).

  8. Add SAP Business Network for Logistics SSL certificates to the STRUST PSE.

    For each of the certificates, perform the following steps:

    1. Select your PSE.
    2. Import the certificate.
    3. Choose Add to Certificate List.
    4. Choose Save.

    Additional information is available in SAP Note 1473710 at: STRUST: How to Export/Import a PSE from/to STRUST.

    Once you have added the certificates, you have to restart the Internet Communication Manager (ICM) services by performing the following steps:

    1. Go to transaction SMICM.
    2. Choose Administration.
    3. Choose ICM.
    4. Choose Exit Soft.
    5. Choose Global.

Configuring Endpoints via SOA Manager

Launch the transaction SOAMANAGER and maintain the consumer service for these interfaces as follows:

Outbound interfaces:

  • TransportationOrderCancellationRequest_Out
  • TransportationOrderQuotationCancellationRequest_Out
  • TransportationOrderQuotationCreateRequest_Out
  • TransportationOrderQuotationNotification_Out
  • TransportationOrderRequest_Out
  • TransportationOrderChargeElementConfirmation_Out
  • TransportationOrderGenericTrackedProcessRequest_Out
  • LocationBulkReplicationRequest_Out

To do so, perform the following steps:

  1. Go to the transaction SOAMANAGER.
  2. Choose Web Service Configuration and search for the outbound interface. Select it and then enter edit mode.
  3. On the Consumer Security tab, specify the authentication settings by selecting X.509 SSL Client Certificate and specifying the STRUST PSE.
    Note: You specify the SSL Client PSE from the setup in STRUST as outlined in the previous steps, which contains the private key for authentication in SAP Business Network for Logistics.
  4. On the Messaging tab, specify the messaging settings according to the below sample setup:
  5. On the Transport Settings tab, use the live SAP Business Network for Logistics URL (https://l20398-iflmap.hcisbp.eu1.hana.ondemand.com/cxf/lbn/b2b/soap/v1), and specify the transport bindings as shown in the below sample setup:
