Configuring SAP Cloud Integration

Objective

After completing this lesson, you will be able to configure SAP Cloud Integration by maintaining credentials, copying integration packages, configuring and deploying integration flows, and managing value mappings.

SAP Cloud Integration Configuration Steps

The process from choosing pre-packaged integration content to running it can be divided into four main steps:

Copy an integration package to your tenant workspace.
In the Discover view, search for an integration package and copy it to your workspace.
Configure integration flows.
In the Design view, configure relevant integration content, such as integration flows, value mappings, and so on. In case you need to reference credentials, you have to create them first in the Operations view.
Deploy integration content.
After you have configured integration content, you can deploy it from the Design view.
Monitor integration content.
After you have deployed integration flows, you can monitor messages sent through them from the Monitor/Operations view. From there, you can also undeploy integration content, in case this is necessary.

Additionally, you need to maintain credentials that are used for sending messages to the target system. As this is independent from a specific integration package, you could create credentials even before you copy the package, if you already know, what kind of credentials are needed. Otherwise, you can do it later, for instance in parallel when you configure the first integration flow. We start with creating the credentials so that we don't have to switch back and forth between different screens later on.

The following video demonstrates this process up to the Deployment step. The subsequent sections provide details on each individual step. The topic of Monitoring will be covered in a later chapter.

Credential Maintenance

Cloud Integration, as the middleware, receives and forwards messages. Authentication and hence the necessary credentials

For integration flows in this course, authentication and the required credentials are used in two places of the integration process (seen from the perspective of Cloud Integration).

Inbound connections: Another system (sender system) sends data to an integration flow. Cloud Integration needs to verify the credentials sent by the sender system.
Outbound connections: An Integration flow sends data to another system (receiver system). Cloud Integration needs to provide the credentials that the receiver system verifies.

The Configure dialog of an integration flow allows you to maintain inbound and outbound authentication parameters.

For inbound connections, this is the definition of a user role that is required to call the integration flow.
For outbound connections, this is the name of a credential or a private key alias to be used for authentication towards the receiver system.

Two screenshots showing the Configure dialog of an integration flow: Once on the Sender tab, with the Authorization and User Role fields highlighted and once on the Receiver tab, with the Authentication dropdown opened giving the choice of Basic authentication or Client Certificates highlighted.

The maintenance of the actual authorization and authentication details such as user names, passwords, assignment to roles, or the upload of certificates, is carried out in different places.

While outbound credentials are maintained within the Cloud Integration WebUI, for inbound connections, the steps vary depending on the underlying environment (Neo versus Cloud Foundry). The following sections guide you through the various options for setting up basic and certificate-based authentication. Other authentication methods are not discussed here, as they are not used with the prepackaged integration content of this course.

Maintaining Inbound Credentials in Integration Flows - Environment Independent

The actual authentication of inbound connections is handled by the hosting environment. Within the integration flow, you only define which authorization an authenticated user must have to be allowed to call the respective integration flow. Authorizations are reflected by user roles that can be assigned to specific users or groups/role collections.

On the Sender tab of an integration flow's Configure dialog, you can define which User Role a caller must have. Make sure that the Authorization dropdown is set to User Role for that and the desired user role is selected as shown in the following screenshot.

The Configure dialog of an integration flow on the Sender tab, with the Authorization and User Role fields highlighted.

The default user role is ESBMessaging.send. Additional roles can be defined, which will be discussed in the environment-specific sections, as well as the maintenance of users and their assignments.

Note

Although integration flows allow you to upload client certificates directly to the Sender tab by choosing the respective option from the Authorization dropdown, it is strongly recommended to not use this feature. There are better alternatives that are discussed in the environment-specific sections.

Maintaining Inbound Credentials - Neo Environment

In the Neo environment, roles and the assignments to users or groups are maintained in the BTP Cockpit. The relevant places are:

Roles: To create new or maintain existing roles, navigate to Applications → Subscriptions → Subscribed Java Applications → choose the "*iflmap" application → Roles
Role Assignment: To assign roles to users or groups, navigate to Security → Authorizations

Two screenshots for the SAP BTP Neo Cockpit showing how to subscribe to applications and assign roles to them.

You can find more details about Authorizing Users or User Groups on the SAP Help Portal.

After assigning the appropriate role to a particular user, this user can call integration flows that require the respective role after successful authentication. In test environments, this could be easily set up by using basic authentication with the user's user ID (usually S- or P-user) and the password.

In productive environments, client certificates are recommended. Instead of uploading client certificates to every integration flow, which could cause big maintenance efforts when the certificate needs to be renewed, this can be achieved with the Certificate-to-User Mapping.

The Certificate-to-User Mapping allows you to map a client certificate to a particular user ID with a particular role assigned. That enables clients to use client certificates for authentication while still getting the right authorization assigned. The Certificate-to-User Mapping can be maintained within Cloud Integration in the Monitoring/Operations area:

Two screenshots, showing the navigation to the certificate to user mapping and the mapping screen itself.

You can find more details on setting up inbound connections in the Neo environment in the SAP Help Portal.

Maintaining Inbound Credentials - Cloud Foundry Environment

In the Cloud Foundry environment, additional roles can be maintained in the Cloud Integration WebUI, in the Monitoring area, via the User Roles tile. The following screenshot shows the navigation path and the maintenance screen with the pre-defined role ESBMessaging.send and a custom role CustomMessagingSend:

Screenshots showing the maintenance screen and navigation to the User Roles feature in Cloud Integration WebUI.

The assignment of roles to users, role collections, or service keys is carried out in the BTP Cockpit from the respective subaccount.

You can assign this role to Identity Provider (IdP) users using the menu Security → Users, Roles, or Role Collections.

Note

Please note that the name of the default role in the cockpit is only MessagingSend without the "ESB" prefix and the dot in the name when assigning it to IdP users!

An alternative to IdP users are service keys. Service keys can be compared to technical users. You can create them under the process integration runtime instance and can use them for basic authentication as well as client certificates.

To create service keys, navigate to Services → Instances and Subscriptions and select your process integration runtime instance or create a new one. Make sure that the configuration parameters of the instance contain the grant type "Client_credentials" and the respective role that your integration flows require. This can be done via the From or the JSON input. A sample JSON containing the default role and the custom role could look as follows:

Code Snippet

12345678910
{
  "grant-types": [
    "client_credentials"
  ],
  "redirect-uris": [],
  "roles": [
    "ESBMessaging.send", "CustomMessagingSend"
  ],
  "token-validity": 3600
}

Note

When defining the default role for service keys, the name is spelled exactly as in Cloud Integration WebUI: ESBMessaging.Send.

You can create new Service Keys in the respective section, as the following screenshot shows. As Key Type, you can choose between the following three options:

ClientId/Secret: Generates a clientid and a clientsecret that can be used as a username and password for basic authentication.
Certificate: Generates a new client certificate including the certificates of the issuing certificate authorities, and the key pair in the Base64 format. Hence, this can be used as a client certificate in another system. (Converting the file format might be required, for instance to a p12-file that can store all these pieces of information in a single file.)
External Certificate: Allows you to upload an existing certificate that must be trusted by the Load Balancer.

The following screenshot shows a brief summary of the most relevant options when using service keys, with the configuration parameters on instance level (A), a sample service key for basic authentication (B), and a service key for client certificate-based authentication (C):

A screenshoot showing a brief summary of the most relevant options when using service keys,

You can find more details on setting up inbound connections in the Cloud Foundry environment on the SAP Help Portal.

Maintaining Outbound Credentials

Authentication credentials towards receiver systems are not maintained directly inside integration flows. Instead, the integration flow only references the credentials. The authentication method can be controlled with the Authentication parameter within the Configure dialog.

The Configure dialog of an integration flow on the receiver tab, with the Authentication dropdown fields highlighted.

There are two options for the integration flows of this course:

For Basic Authentication, a second field Credential Name is displayed. This field needs to be filled with the name of a previously created security artifact. This artifact contains the username and the password for authenticating against the respective receiver system. It can be created in the Operations/Monitoring view under Manage Security → Security Material.
If Client Certificate is chosen, a second field Private Key Alias is displayed. This field needs to be filled with the name of a key pair from the keystore that can also be found in the Operations/Monitoring view under Keystore.
Each Cloud Integration tenant is delivered with a default key pair provided by SAP with the name: sap_cloudintegrationcertificate. By selecting it in the keystore and choosing Download → Certificate Chain, you can download the certificate chain for maintaining the receiver system.

Note

You can find more information about the SAP provided client certificate in Knowledge Base Article 3035435.

Copy the Integration Package

Similar to browsing pre-packaged integration content on the SAP Business Accelerator Hub, you can use the Discover view of your Cloud Integration tenant to locate a desired package and copy it to your workspace for configuration and deployment.

For this course, the package SAP Cloud for Customer Integration with SAP S/4HANA is used. When searching for the package, note that the package name still refers to SAP Cloud for Customer. Moreover, pay attention that there are two similarly named packages with SAP S/4HANA and SAP S/4HANA Cloud. This course focuses on SAP S/4HANA; without the Cloud.

To copy the package, select it on the search result list, which navigates you to the Overview page. The Copy button is located in the upper-right corner:

The overview page of the package SAP Cloud for Customer Integration with SAP S/4HANA in the Discover view of SAP Cloud Integration. The Copy button can be found in the upper right corner.

Integration Flow Configuration

Integration flows typically contain parameters that will change from environment to environment, for example, the endpoint of the target system and corresponding credentials. These parameters can be maintained within the integration flow configuration that can be reached from the Design area inside a package, either by selecting the Actions menu → Configure or by opening the integration flow and choosing Configure from there.

Screenshot, showing the package screen with one integration flow and its Action menu where the Configure item is highlighted.

Note

The configuration of an integration flow does not modify it, therefore, it doesn't lose upgrade capability. Modifications of an integration flow are carried out by selecting Edit within the Design area.

Mass Configuration of Integration Flows

When selecting multiple integration flows by marking the checkbox at the beginning of each row, you can select the Actions button on top of the table to Mass Configure those integration flows. A dialog box opens listing the selected integration flows and the configuration screen next to it. Although you still have to work through the selected integration flows for maintaining the parameters, this feature helps to keep track when configuring multiple integration flows because they are displayed in a new window where you can quickly enter all relevant details without leaving the Configure dialog.

Two screenshots. The first one shows two selected integration flows in the Artifacts list with the Actions menu opened and the Configure entry highlighted. The second screenshot shows the mass configure dialog with the selected integration flows.

Hint

To avoid mixing up parameters of the sender and receiver tabs, it's recommended to use the Mass Configure feature with integration flows pointing into the same direction (from SAP Business Suite versus to SAP Business Suite) at a time.

Typical Sender and Receiver Channel Parameters

Configuration parameters of the integration flows used for the SAP Sales and Service Cloud integration with SAP S/4HANA are very similar.

The Sender tab contains parameters that are relevant for the sending system, such as the Address or path where the worker node listens for incoming messages and what Authorization is required to be allowed to send data to the integration flow.

The Receiver tab contains parameters of the target system, like the Host, Port and Authentication details. With the Proxy Type set to On-Premise, it's possible to specify that the target system is reachable via the Cloud Connector. For all other locations, Internet is used (even if the target system is located inside an on-premise network, but a reverse proxy is used).

The following screenshot shows the Configure dialog for the integration flow Replicate Business Partner from SAP Business Suite, where the sender is SAP S/4HANA and the receiver is an SAP Sales and Service Cloud tenant.

Showing the Configure dialog for the integration flow Replicate Business Partner from SAP Business Suite where the sender tab with SAP S/4HANA on the left and the receiver tab with an SAP Sales and Service Cloud tenant.

Note

A common pitfall when configuring integration flows is mixing up the sender and the receiver parameters. Always pay attention to the "direction" of the integration flow, that means, which system is the sender and which system is the receiver. If using the Mass Configure feature, always select integration flows of the same direction at once.

Cloud Integration Value Mappings

Value mappings do a similar job like code list mappings in SAP Sales and Service Cloud. However, due to data type limitations, code list mapping cannot be used in some cases and the mapping needs to be done inside the integration flow, or to be more precise, the message mapping within an integration flow. Moreover, they can be used when the source or target system do not offer such a feature.

There are two different kinds of mapping expressions:

fixValueMappings: Source and target values are maintained within the integration flow.
valueMapping: Source and target values are maintained outside of the integration flow in a Value Mapping artifact and can be used by several integration flows.

This section focuses on the second approach with a separate value mapping artifact. In order to make use of a value mapping, the message mapping must contain a valueMapping expression that specifies the source and target agency and identifier. This is used to address the correct mapping entries inside the value mapping artifact. Value mappings can be reused by multiple integration flows or message mappings while the mapping entries are maintained in a central place.

The following screenshot shows the value mapping coming with the package SAP Cloud for Customer Integration with SAP ERP.

SAP Cloud Integration value mapping editor with the list of available mappings, identified by source and target agencies and identifiers at the top and the actual mapping entries in a table below.

The agencies COD and ERP specify the source and target system, whereas the identifiers specify the code list or data type of the respective system that gets mapped. The actual mapping values can be found in the table under the list.

Value Mapping Versus Code List Mapping

Although SAP Sales and Service Cloud offers the code list mapping, some codes can't be mapped due to technical limitations of the interface or data type. In such cases, the value mapping on SAP Cloud Integration can solve the problem.

The mapping of ABC/Customer Classification between SAP Sales and Service Cloud and SAP ERP that can be seen in the previous screenshot is a good example for that:

The identifier in SAP ERP is called CustomerClassificationCode and can contain values with a length of 2 (for example, "07").
The identifier in SAP Sales and Service Cloud is called CustomerABCClassification and is limited by the data type of the field to a maximum length of 1 (for example, the value "A").

As the data type of the field in SAP Sales and Service Cloud does not allow values longer than 1, the system throws an error if such a value is received. Independent of maintained code list mapping entries, as the code list mapping can only be applied after the message has been read. But the correctness of data types is verified during reading the message. Hence, a value mapping inside SAP Cloud Integration must be used in this case.