SP3 Released: B2B Add-On and Secure Connectivity Add-On
SAP has released SP3 for the B2B Add-On and the SFTP/PGP (Secure Connectivity) Add-On, and a lot of new enhancements are delivered.
Summary of previous SPs:
Major SP3 enhancements include:
- Secure PGP Key Storage and Multiple Directory support for SFTP Adapter
- Alerts for SLA violation and negative acknowledgments
- AS2 attachment support, Log Viewer and Certificate based client Authentication
- TPM: SLA definition, Partner Active/Inactive mode, usability enhancements
- EDI Content Manager and NRO enhancements
- Configuration guides (Application Help) are now available at http://help.sap.com/nw-b2b-addon
- Installation/Master/EDI Content/Security guides are available at the following locations on the Service Market Place:
- 1695520 : SMP Download location of Business to Business Add-On
- 1695522 : Compatibility matrix : Supported Process Integration releases
Let us have a look at the information below to find out what is new.
AS2 log Viewer
A new AS2 Log Viewer is provided in EDI Content Manager. It helps to view the erroneous cases (negative MDNs, warning MDNs, HTTP 403 etc.) for both AS2 sender and receiver channels. Even if no XI message is generated (on the sender AS2 channel) due to an error, the AS2 Log Viewer shows the details of all erroneous incoming AS2 requests to PI.
AS2 certificate based client authentication
AS2 adapter now supports certificate based client authentication on receiver channel. On sender channel, it was already supported.
AS2 adapter supports multipart attachments on both sender and receiver channels. Incoming AS2 attachments can now be processed as attachments to the XI message, and on the outbound side, XI message attachments can be sent to the partner via the AS2 receiver channel.
AS2 Alerts for Negative MDNs
Alerts can be configured for AS2 negative MDNs using the standard PI Alerting framework.
Trading Partner Management
SLA can be defined in minutes for functional acknowledgments (both incoming and outgoing; EDIFACT, EANCOM and X12). Alerts can be defined for violated SLAs using the standard PI Alerting framework.
Partner can be defined in Active or Inactive state. If a partner is inactive, messages in PI will not get processed and will be in error state. A new module needs to be added either on sender or receiver channels. If it is added on the sender channel and the partner is inactive, it will result in a message loss and no XI message will get created. If it is added on the receiver channel and the partner is inactive, the message will be in PI but in error state.
A lot of usability enhancements were done, and some were downported to SP2 as well. They include:
- Partner Profile parameters are enabled for monitoring (Local and Message Flow Monitor)
- TPM Content Access module provides an encoding module parameter (edi.encoding) in case the incoming EDI message cannot be recognized with the default encoding.
- The enable.ediAckProfile parameter defined in TPM Content Access module provides inputs to the EDI Separator adapter. By default, the value is false.
- VDA messages and partner details can also be defined in TPM.
NRO for Functional Acknowledgements
For a given partner, an NRO can be defined and used for generating the interchange number of a functional acknowledgement. By default, the generated acknowledgement uses the same interchange number as the incoming document.
X12 Group Based Splitting
EDI Separator receiver channel can now split X12 batch messages based on functional groups. The default behaviour is to split messages on each transaction set. EDI Separator sender channel is also enabled to receive group-based split X12 messages. This option is also provided in TPM.
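To make the two splitting modes concrete, here is an added Python example (not SAP code and not part of the original post). It parses a constructed X12 interchange with two functional groups (two 850s in the first, one 810 in the second) and emits either one interchange per ST..SE transaction set (the default described above) or one per GS..GE group. Recomputing GE01 and IEA01 so the envelope counts stay consistent, and rejecting a batch whose SE/GE/IEA counts do not match its content, are this example's own choices; the post does not describe how the add-on handles those details.

```python
from dataclasses import dataclass

# CONSTRUCTED sample interchange (not from the SAP post): two functional groups,
# the first (PO) holding two 850 transaction sets, the second (IN) holding one 810.
SAMPLE_X12 = (
    "ISA*00*          *00*          *ZZ*SENDERID       *ZZ*RECEIVERID     "
    "*240101*1200*^*00501*000000001*0*T*>~"
    "GS*PO*SENDERID*RECEIVERID*20240101*1200*1*X*005010~"
    "ST*850*0001~BEG*00*SA*PO-1**20240101~SE*3*0001~"
    "ST*850*0002~BEG*00*SA*PO-2**20240101~SE*3*0002~"
    "GE*2*1~"
    "GS*IN*SENDERID*RECEIVERID*20240101*1200*2*X*005010~"
    "ST*810*0003~BIG*20240101*INV-1~SE*3*0003~"
    "GE*1*2~"
    "IEA*2*000000001~"
)


@dataclass
class Group:
    gs: list            # GS segment elements
    transactions: list  # each entry is a list of segments from ST to SE inclusive
    ge: list            # GE segment elements


@dataclass
class Interchange:
    isa: list
    groups: list
    iea: list


def parse_x12(text, elem="*", seg="~"):
    """Parse one ISA..IEA envelope into its GS groups and ST..SE transaction sets.
    SE01, GE01 and IEA01 are checked against the actual content so that a truncated
    or tampered batch is rejected instead of being split silently."""
    segs = [s.split(elem) for s in text.strip().split(seg) if s.strip()]
    if segs[0][0] != "ISA" or segs[-1][0] != "IEA":
        raise ValueError("expected exactly one ISA/IEA envelope")
    isa, iea = segs[0], segs[-1]
    groups, i = [], 1
    try:
        while i < len(segs) - 1:
            if segs[i][0] != "GS":
                raise ValueError(f"expected GS at segment {i}, got {segs[i][0]}")
            gs, i = segs[i], i + 1
            transactions = []
            while segs[i][0] == "ST":
                start = i
                while segs[i][0] != "SE":
                    i += 1
                txn = segs[start:i + 1]
                if int(txn[-1][1]) != len(txn) or txn[-1][2] != txn[0][2]:
                    raise ValueError(f"SE does not match ST {txn[0][2]}")
                transactions.append(txn)
                i += 1
            if segs[i][0] != "GE" or int(segs[i][1]) != len(transactions):
                raise ValueError(f"GE missing or GE01 wrong for group {gs[6]}")
            groups.append(Group(gs, transactions, segs[i]))
            i += 1
    except IndexError:
        raise ValueError("truncated interchange: envelope not closed") from None
    if int(iea[1]) != len(groups):
        raise ValueError("IEA01 does not match the number of functional groups")
    return Interchange(isa, groups, iea)


def render_x12(ic, elem="*", seg="~"):
    """Serialise an interchange, recomputing GE01 and IEA01 for the new content."""
    out = [ic.isa]
    for g in ic.groups:
        out.append(g.gs)
        for txn in g.transactions:
            out.extend(txn)
        out.append(g.ge[:1] + [str(len(g.transactions))] + g.ge[2:])
    out.append(ic.iea[:1] + [str(len(ic.groups))] + ic.iea[2:])
    return seg.join(elem.join(s) for s in out) + seg


def split_x12(ic, mode="transaction"):
    """mode='transaction': one interchange per ST..SE (the default described in the post).
    mode='group': one interchange per GS..GE, keeping its transaction sets together."""
    if mode == "group":
        return [Interchange(ic.isa, [g], ic.iea) for g in ic.groups]
    if mode == "transaction":
        return [Interchange(ic.isa, [Group(g.gs, [txn], g.ge)], ic.iea)
                for g in ic.groups for txn in g.transactions]
    raise ValueError(f"unknown split mode {mode!r}")


def split_messages(text, mode="transaction"):
    """Raw batch in, list of rendered single-message interchanges out."""
    return [render_x12(part) for part in split_x12(parse_x12(text), mode)]


if __name__ == "__main__":
    for mode in ("transaction", "group"):
        parts = split_messages(SAMPLE_X12, mode)
        print(f"{mode}: {len(parts)} message(s)")
        for p in parts:
            print("  ", p)
```

Run as a script, the sample yields three interchanges in transaction mode and two in group mode; every output carries the original ISA and GS envelopes with the counts rewritten, which is what a downstream sender channel expecting group-based input needs to see.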
Earlier, the EDI Separator receiver channel used to log the different statuses for monitoring functional acknowledgements (e.g. Required, Generated and Sent). Now the behaviour is changed and it will not log the final "Sent" status, as the acknowledgement is sent to the partner using another ICO. A new module is provided that needs to be added on the receiver channel of the other ICO; it logs the final status "Sent" for monitoring based on successful XI message delivery.
EDI Separator receiver channel can use the encoding for reading and splitting the incoming document based on the agreement definition in Trading Partner Management.
EDI Content Manager
The Test Conversion screen is made easier: the end user only has to select the Control Key instead of Control Key Scenario Association table entries. However, the user still has to enter values in the Control Key Scenario Association table for runtime use if TPM is not configured for control keys.
Create Message (Renaming)
If your message definition is similar to an existing message and you just want to rename the existing message instead of creating a new one from scratch, the Renaming option can be used.
New Message Types for Tradacoms and Odette
A lot of new messages have been introduced for Odette and Tradacoms. Please refer to the EDI Content guide.
Monitoring and search are enabled for sender, receiver and transmission number.
File Name and Directory Name
File path and directory name can be set from environment variables.
File name and directory name can include variables present in message headers (e.g. trading partner name, interchange number etc.).
Multiple Directory Support
Multiple directory support and exclude mask functionality has been added (same as File Adapter)
Secure Keys Storage
Secure Connectivity add-on supports secure storage and retrieval of PGP keys. After storing the keys, module parameters in the PGP module can be configured to access the keys from the secure storage. This secure storage UI can be accessed from a predefined URL or from the B2B Integration Cockpit.
Is there any update for the matrix in SAP note 1695522 available (SP03 is missing in the note)?
SP3 information in SAP note has been added now. There is no difference wrt. underlying PI releases for SP2/SP3.
Did you already try the PGP secure key storage?
The secure key storage is no longer mentioned in the release notes and also the documentation seems not to be complete - but it is possible to start the key store.
I uploaded a keyring. Now I try to use the encryption module. I use "useSecureStore" = True, and try to set the parameter "partnerPublicKey" but in the secure key storage I cannot see any key name, there is only the name of the keyring.
If you already used it, can you describe how I have to configure it?
You can upload the key and name it as you wish (leave it blank and it will use the file name). You have to provide the same name in the module. The Secure Store is the same as the file system but instead of storing the key in the file system we store it in the Secure Store and read the key contents.
Please provide a screenshot of the error/issue if my comments were not helpful.
Thanks for the information. I tried to use key rings. When using keys, it works.
One more question: where are the keys saved? Is it also in the folder: usr/sap/<systemID>/<Instance ID>/sec? Is it the file SAPSSLS.pse?
We have a very strange error: after a system restart we have lost our keys (first restart) or get an older version of the key store entries (2nd restart) ...
The key is stored in an encoded manner, I'm not sure about the location in the file system.
The keys under PGP Secure store are lost/corrupt? Is it happening for every restart? Could you take a note of the properties of the key shown in the SecureStore UI and compare when you encounter the issue?
Could you provide a heads-up on the activities we need to take care of while upgrading from SP01 to SP02 and SP02 to SP03 with respect to functionality and technicalities.
Modules defined for SLA violations feature from TPM are used only in EDI separator adapters?
Can we use these modules in any other adapters, e.g. SAP to Partner scenario?
In the section Partner Inactive/Active you have mentioned:
"A new module need to be added either on sender or receiver channels"
Can you please help which module this is? Is it TPMContentAccessModule?
Thanks in advance.
It seems that the "PGP Secure Store" technically boils down to just being a file on the file system (i.e. a psf-file with multiple keys inside instead of having separate .asc and .pub files). In this regard I have three questions:
1) Is there an official/supported API to manage the psf-file or is it only managed via web UI in the cockpit?
2) What extra level of security does a psf-file add (as opposed to having asc-files directly on the file system protected by OS)?
3) Are there any plans to support storing PGP keys in the NetWeaver key store instead (centrally managed together with all other keys)?
Hi Michel, Hi all.
Trying to configure the mentioned PGP Secure Store. What I currently don't get is this: In Configuring the Encryption PGP Module - SAP Process Integration, secure connectivity add-on Configuration - SAP Library the help file talks about pwdOwnPrivateKey. But uploading the secret key to the PGP Secure Store did not ask about such a password.
I'm by no means an expert in this area and mainly followed this link to create myself a keypair https://alexcabal.com/creating-the-perfect-gpg-keypair/ Of course, within that process I specified a passphrase for the key (for the extra signing key, to be precise).
So when I then export the key via gpg -a --output C:\Temp\private_sign.asc --export-secret-keys <Signing KeyID> it would of course ask for the passphrase. But will the exported *.asc file still have that passphrase information or did I do something terribly wrong along the way 🙂
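The question above, whether an exported *.asc secret key still carries its passphrase protection, can be answered from the file itself: a v4 OpenPGP secret-key packet stores, immediately after the public key fields, a "string-to-key usage" octet (RFC 4880, section 5.5.3); 0 means the private material is in the clear, 254 or 255 means it is encrypted under a passphrase-derived key. The following Python is an added example, not code from this post, its commenters or SAP. It de-armors a key block, walks the packet structure, and reports that octet for every secret key and subkey, so a key can be checked before it is uploaded to the PGP Secure Store or left on a file system. The sample blocks at the bottom are constructed with toy numbers (not real key material) purely so the script runs offline.

```python
import base64
import struct

TAG_SECRET_KEY, TAG_SECRET_SUBKEY = 5, 7   # RFC 4880 packet tags


def dearmor(armored: str) -> bytes:
    """Strip ASCII armor (BEGIN/END lines, armor headers, CRC24 line) and base64-decode."""
    lines = armored.strip().splitlines()
    if not lines[0].startswith("-----BEGIN PGP") or not lines[-1].startswith("-----END PGP"):
        raise ValueError("not an ASCII-armored OpenPGP block")
    inner = [l.strip() for l in lines[1:-1]]
    if "" in inner:                      # armor headers end at the first blank line
        inner = inner[inner.index("") + 1:]
    return base64.b64decode("".join(l for l in inner if not l.startswith("=")))


def iter_packets(data: bytes):
    """Yield (tag, body) per packet; old- and new-format headers are handled,
    partial body lengths (not used in exported keys) are rejected."""
    i = 0
    while i < len(data):
        first = data[i]
        if not first & 0x80:
            raise ValueError(f"bad packet header at offset {i}")
        if first & 0x40:                 # new-format header
            tag, b1 = first & 0x3F, data[i + 1]
            if b1 < 192:
                length, hdr = b1, 2
            elif b1 < 224:
                length, hdr = ((b1 - 192) << 8) + data[i + 2] + 192, 3
            elif b1 == 255:
                length, hdr = struct.unpack(">I", data[i + 2:i + 6])[0], 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                            # old-format header
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 0:
                length, hdr = data[i + 1], 2
            elif ltype == 1:
                length, hdr = struct.unpack(">H", data[i + 1:i + 3])[0], 3
            elif ltype == 2:
                length, hdr = struct.unpack(">I", data[i + 1:i + 5])[0], 5
            else:
                length, hdr = len(data) - i - 1, 1
        yield tag, data[i + hdr:i + hdr + length]
        i += hdr + length


def _skip_mpi(body, pos):
    bits = struct.unpack(">H", body[pos:pos + 2])[0]
    return pos + 2 + (bits + 7) // 8


def _skip_public_material(body, pos, algo):
    """Advance past the algorithm-specific public fields of a v4 key packet."""
    if algo in (18, 19, 22):             # ECDH / ECDSA / EdDSA: OID, point, [KDF params]
        pos += 1 + body[pos]
        pos = _skip_mpi(body, pos)
        return pos + 1 + body[pos] if algo == 18 else pos
    count = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}.get(algo)   # RSA, Elgamal, DSA
    if count is None:
        raise ValueError(f"unsupported public-key algorithm {algo}")
    for _ in range(count):
        pos = _skip_mpi(body, pos)
    return pos


def describe_secret_keys(armored: str) -> list:
    """Report the S2K usage octet of every secret key / subkey packet:
    0 = private material in the clear, 254/255 = passphrase-protected via S2K,
    anything else = legacy passphrase protection without an S2K specifier."""
    report = []
    for tag, body in iter_packets(dearmor(armored)):
        if tag not in (TAG_SECRET_KEY, TAG_SECRET_SUBKEY):
            continue
        if body[0] != 4:
            raise ValueError(f"only v4 key packets handled, got v{body[0]}")
        algo = body[5]
        usage = body[_skip_public_material(body, 6, algo)]
        status = ("unprotected" if usage == 0 else
                  "passphrase-protected (S2K)" if usage in (254, 255) else
                  "passphrase-protected (legacy)")
        report.append({"packet": "secret key" if tag == TAG_SECRET_KEY else "secret subkey",
                       "algo": algo, "s2k_usage": usage, "status": status})
    return report


def all_keys_protected(armored: str) -> bool:
    report = describe_secret_keys(armored)
    return bool(report) and all(r["s2k_usage"] != 0 for r in report)


# --- CONSTRUCTED sample blocks: toy RSA numbers, not real key material ---------------
def _mpi(value: int) -> bytes:
    n = value.bit_length()
    return struct.pack(">H", n) + value.to_bytes((n + 7) // 8, "big")


def _sample_packet(tag: int, s2k_usage: int) -> bytes:
    body = b"\x04" + struct.pack(">I", 1700000000) + b"\x01" + _mpi(0xC0FFEE) + _mpi(65537)
    body += bytes([s2k_usage])
    if s2k_usage in (254, 255):          # AES-256, iterated+salted S2K, SHA-1, salt, count, IV, ciphertext
        body += b"\x09\x03\x02" + b"\x00" * 8 + b"\x60" + b"\x00" * 16 + b"\x00" * 32
    else:                                # clear d, p, q, u plus 2-byte checksum
        body += _mpi(0x1234) + _mpi(0x11) + _mpi(0x13) + _mpi(0x05) + b"\x00\x00"
    return bytes([0xC0 | tag, len(body)]) + body   # new-format header, one-octet length


def _armor(data: bytes) -> str:
    b64 = base64.b64encode(data).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return (f"-----BEGIN PGP PRIVATE KEY BLOCK-----\nComment: constructed sample\n\n"
            f"{lines}\n-----END PGP PRIVATE KEY BLOCK-----\n")


PROTECTED_SAMPLE = _armor(_sample_packet(TAG_SECRET_KEY, 254) + _sample_packet(TAG_SECRET_SUBKEY, 254))
UNPROTECTED_SAMPLE = _armor(_sample_packet(TAG_SECRET_KEY, 0) + _sample_packet(TAG_SECRET_SUBKEY, 254))

if __name__ == "__main__":
    for name, blob in (("all protected", PROTECTED_SAMPLE), ("primary in clear", UNPROTECTED_SAMPLE)):
        print(name, describe_secret_keys(blob), "->", all_keys_protected(blob))
```

On a real export the same octet is what `gpg --list-packets` prints for each secret-key packet, so the script and that command should agree. A key whose report shows usage 0 has its private material readable by anyone who can read the file, which is the case the "extra level of security" question above is really about: a passphrase-protected key stays protected wherever the bytes end up, an unprotected one relies entirely on file system or secure-store access control.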