Using Manual Migration

Objective

After completing this lesson, you will be able to address manual migration tasks such as security configurations and B2B integration.

Security Migration Topics

Using a cloud-based integration platform imposes dedicated security requirements on the software vendor (SAP) that hosts the platform, and on the customers who use the platform.

Customers who use Cloud Integration agree that a significant part of their (and their customers’) sensitive data is processed by and stored within an infrastructure not owned by themselves.

The core task of an integration platform is to serve as the transit place for messages that can contain sensitive customer data. First and foremost, these messages must be protected against eavesdropping and unauthorized access.

Therefore, the integration platform must fulfill the following main requirements:

  • The integration infrastructure is already designed and built in such a way that it meets the highest security standards. For more information on compliance, visit the SAP Trust Center.

    You must guarantee that the technical system landscape, the communication between the components of the integration platform, and the storage locations of messages are secure.

  • The processes related to the usage of Cloud Integration meet the highest security standards.

    These processes include processes at SAP related to the development and upgrade of the Cloud Integration software, the processes related to the provisioning and operation of the customers' virtual environment by the infrastructure provider, and the customer onboarding process during which customers set up secure connections between their infrastructure and SAP's integration platform.

  • Customers have several options to configure how messages are exchanged within an integration scenario so that the involved data is protected at the highest level.

    When designing integration flows, customers can choose between several options to protect messages by establishing secure communication channels (transport-level security) and by configuring digital encryption and digital signing of messages (message-level security).

Managing Security Material in Cloud Integration

To securely transmit messages from a source system to a target system through middleware such as SAP Cloud Integration, several key types of security components must be stored and managed securely on each Cloud Integration tenant.

These security components can be categorized as follows:

  • Configure Inbound HTTP Connection

    Sender adapters allow a sender system to send messages to Cloud Integration using the HTTP protocol with multiple user authentication options. These options include:

    • Client certificate authentication.
    • OAuth with client credentials grant.
    • Basic authentication with client credentials from the service key.
    • Basic authentication for a user registered with an identity provider.

    An SAP BTP tenant administrator can generate the required service keys.

  • Security Material

    On the Operations page of the Cloud Integration tenant, the Manage Security area provides an overview of security-related artifacts. Select the tile Security Material to open the area Manage Security Material, in which security materials can be created and uploaded.

  • Keystore Entries

    The Cloud Integration Operations view contains the Keystore Monitor. The Keystore Monitor allows a tenant administrator to manage the tenant keystore and its entries (X.509 certificates and key pairs).

  • Access Policies

    Access policies in SAP BTP are used to restrict actions that can be taken on an artifact and to limit data access at runtime. The policies can control access to integration flows, different API definitions, JMS message queues, global datastores, and variables. They provide granular control by assigning different access privileges to different users or groups.

    Access policies can be defined by creating a custom role, defining access through the Web UI, and assigning the role to relevant users. Various actions including editing, copying, deleting, and configuring can be restricted under these policies. Access policies serve to protect business data and prevent unauthorized access.

  • JDBC Material

    The Cloud Integration tenant's Operations page has a Manage Security area that shows security-related artifacts and manages JDBC (Java Database Connectivity) materials. You can access it through the JDBC Material tile.

    There are two types of JDBC materials stored: JDBC Data Sources and JDBC Drivers. Data Sources enable creating and managing artifact connections to interact with databases, including information on the database type and relevant configuration parameters. JDBC Drivers are typically configured by the tenant administrator, allowing connection to a third-party vendor-managed database, which must be provided by the database vendor.

  • User Roles

    A user account, representing an individual, can have various roles associated with it, which determine the user's permissions in organizations and spaces.

    The role defines what features a user can access and what actions they can perform. User roles can be viewed in the Monitor view in the Manage Security section. Both SAP-defined and tenant administrator-defined roles are displayed. Roles can be added, modified, or deleted while actual assignment to users must be performed by an authorized administrator through the SAP BTP cockpit.
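The OAuth client credentials grant and the service-key basic authentication listed under Configure Inbound HTTP Connection, shown as an added Python example (not code from this lesson or from SAP). It assumes a service key shaped as an `oauth` object with `clientid`, `clientsecret`, `tokenurl` and `url`; the host names and the `/http/example` endpoint path are constructed placeholders, and the requests are built but never sent.

```python
import base64
import json
import urllib.parse
import urllib.request

# Constructed sample service key: field names are assumed, values are placeholders.
SERVICE_KEY = json.loads("""
{"oauth": {"clientid": "sb-example-client",
           "clientsecret": "example-secret",
           "tokenurl": "https://example-subaccount.auth.example.invalid/oauth/token",
           "url": "https://example-tenant.runtime.example.invalid"}}
""")

def require_https(url):
    """Reject endpoints that would carry credentials or tokens in clear text."""
    parts = urllib.parse.urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"refusing non-HTTPS endpoint: {url!r}")
    return url

def basic_header(user, secret):
    """Build an HTTP Basic Authorization header value."""
    raw = f"{user}:{secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def build_token_request(key):
    """Client credentials grant: the client authenticates at the token URL."""
    oauth = key["oauth"]
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    req = urllib.request.Request(require_https(oauth["tokenurl"]), data=body, method="POST")
    req.add_header("Authorization", basic_header(oauth["clientid"], oauth["clientsecret"]))
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req

def build_iflow_request(key, path, payload, access_token=None):
    """Sender call: bearer token if given, else basic auth from the service key."""
    oauth = key["oauth"]
    url = require_https(oauth["url"].rstrip("/") + "/" + path.lstrip("/"))
    req = urllib.request.Request(url, data=payload, method="POST")
    if access_token:
        auth = f"Bearer {access_token}"
    else:
        auth = basic_header(oauth["clientid"], oauth["clientsecret"])
    req.add_header("Authorization", auth)
    return req
```

Pass the returned objects to `urllib.request.urlopen` against a real tenant; the bearer variant keeps the client secret off every message call, which the basic variant does not.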

Managing Destinations in SAP BTP Cockpit

Destinations are key building blocks in SAP BTP and are used to define connections for outbound communication from your application to remote systems. These remote systems can be on-premise or in the cloud. Typically, Cloud Integration can directly access the virtual systems exposed by the Cloud Connector, except for the RFC channel. In Cloud Integration, for the RFC channel it’s necessary to configure a destination in SAP BTP cockpit.

Similar to destinations in SAP BTP, in SAP Process Orchestration, for some communication channels you can maintain RFC/HTTP destinations to reuse them as much as necessary, for example, when you want to connect SAP Process Orchestration to your ECC receiver.

A destination has a name, a URL, authentication details, and other configuration details specific to the requirement and type of destination.

For full help documentation regarding the use of the Destinations Editor (and other methods to maintain destinations), and the setup of the different destination types, see SAP BTP Connectivity - Initial Setup.

Using Security Material in Integration Flows

Several options are available to secure and protect the message exchange. You can encrypt and decrypt the message content, and digitally sign and verify the message. You can also secure the communication at the transport level by selecting the HTTPS or SFTP protocol and using specific authentication methods.

The security material deployed and managed in a Cloud Integration tenant is accessed at runtime by integration flows and APIs to implement two forms of security:

  • Transport-Level Security (TLS) involves encrypting the traffic exchanged between two systems across a network.

    Transport-level security provides communication security and protection of data integrity and privacy between two communicating applications. It's used for web browsers and other applications that require data to be securely exchanged on a network.

  • Message-Level Security (MLS) involves the encryption of the actual message payload being transmitted; the payload remains encrypted until it is explicitly decrypted using a valid key.

    Message-level security allows you to digitally encrypt or decrypt, and sign or verify a message (or both). It can be used when the transport-level security can't be implemented, which happens if a legacy communication endpoint doesn't support this option.

For more information about Transport-Level Security or Message-Level Security on SAP Integration Suite, follow this link: https://help.sap.com/docs/cloud-integration/sap-cloud-integration/security-elements-transport-level-security?locale=en-US

Understand Trading Partner Management

Trading Partner Management

Trading Partner Management is a powerful capability within Integration Suite that streamlines the management and governance of business-to-business (B2B) relationships, agreements, and interactions with external trading partners. Trading Partner Management empowers organizations to tailor their B2B data exchange to meet specific needs, defining and configuring electronic data interchange protocols, standards, and APIs for each trading partner.

With Trading Partner Management, organizations can accommodate diverse B2B requirements, including:

  • Multiple communication protocols (AS2, SFTP, FTP, and so on).

  • Various B2B standards (EDI, XML, JSON, and so on).

  • APIs for seamless integration.

The intuitive user interface simplifies the complexity of B2B communication, enabling efficient management of trading partner relationships, agreements, and data exchange configurations.

This application achieves the goal by using the entities and artifacts provided by the other capabilities of SAP Integration Suite such as:

  • SAP Integration Advisor

  • SAP Cloud Integration

Features

The application helps you to:

  • Create and maintain trading partner profiles with their B2B requirements. This includes creating the profile of your own company with all relevant information for setting up B2B scenarios, such as contact person, identifiers, communication protocol and its parameters, and B2B standards.

  • Create a communication partner profile to maintain all your AS2 specific configurations.

  • Develop templates for trading partner agreements based on the requirements of your B2B scenarios.

  • Create trading partner agreements using the templates and also including the requirements of the trading partners.

  • Push the autogenerated runtime artifacts of the B2B scenarios as defined in the agreements into the Partner Directory of SAP Cloud Integration. This ensures that the B2B messages get processed individually by a single integration flow at runtime.

  • Deploy and run integration flows to conduct end-to-end business transactions.
