Skip to Content

SAP Hybris Marketing integration with AWS-SES Email provider

Applies to:

SAP Hybris Marketing:  For more information, visit

Summary:  This article explains SAP Hybris Marketing integration with AWS-SES which is used for email campaigns , newsletter and utilizes AWS-SES various features : such avoid SPAMs, Bounce, complaints etc

Authors: Akhilendra Pratap Singh

Company: Mindtree Bangalore

Created on: 15/06/2016

Author Bio


Akhilendra Pratap Singh is working as Sr. Functional Consultant at Mindtree Bangalore and has expertise in the areas of SAP SD, SAP CRM, SAP C4C and SAP Hybris Marketing . He is SAP SD and CRM Certified professional with around 16.5 years of experience.


SAP Hybris Marketing (1602 onwards) supports two email Service providers for Email Campaign management, namely: AWS-SES and SAP Mobile Service for Email. This paper will cover end to end integration of SAP Hybris Marketing with AWS- SES and is based on SAP Hybris Marketing 1511.

In order to set up the AWS- SES  email service provider, you will have to do configurations in:

  • SAP  Hybris Marketing Customizing
  • Amazon service for emails, notifications and queues and
  • Amazon Web Service Account for the Simple Email Service (SES) using http (not smtp)


  1. You have created an AWS account or has been setup by your BASIS team and you are provided with Login Id and Password.
  2. Login to with your credentials and configure a verified sender email address. You will need this when you define a sender profile later on.


     3. For the verified sender email address, edit the Notification Configuration and create a new Amazon SNS topic, eg  bounces and complaints. Give the new topic the same name as the feedback queue. For example : AMAZON_BOUNCE





4.. In the Sender Notification Configuration, assign the SNS topic and disable Email Feedback Forwarding.


After Saving the config  ARN will be generated as shown below:


5. In the SQS console, create a new queue with the same name you gave the feedback queue in technical configuration.



6. Subscribe to new queue to the SNS topic you created earlier.

   Go to your AWS -SES Account and click on Security Credentials



Now you should create an IAM Users required to send or used in Sender Profile. It’s advisable to use IAM users to send emails as you can control the permissions/ authorizations.

  • Steps  to create an IAM User


  • Enter the user Names and Click the check box to “Generate an access key for each users” and then click on create ,as shown below:


  • Security Credentials Created for IAM Users.


7. Now You have set an account up at Amazon AWS-SES and received  following parameters during account set-up:

  • Amazon Access Key ID (hash string)
  • Secret Access Key (hash string)
  • Feedback Queue Path : see below for details

          The Feedback Queue Path is the last individual portion of the queue URL at Amazon.

          For example, the path from is /NNNNNNNNNNNN/ABC.    is   /NNNNNNNNNNNN/ABC.

Identify Feedback Queue Path for you Hybris Mkt System :



8. Set up a Group so that you can assign Policies to Users. For Example “Administrator” and assign all the admin policies.


9. Select from the  Policies to attach it to  Group Created in above step and click next.


10. Assign Users to the Group



Steps for AWS-SES  HTTPS RFC connection setup  and  Download X.509 certificate for STRUST (SSL Certificates)


Following steps needs to be setup in SAP Hybris

  • Import Amazon SES SSL Certificates in the Trust Store
  • Download SSL Certificates for your AMAZON SES target host (you can download the SSL certificate by opening the target host URL in your internet browser and downloading the SSL certificate)
  • Import the certificate into the PSE as described in Creating the Anonymous SSL Client PSE. You find this topic under NetWeaver PlatformSAP NetWeaver 7.0Application HelpFunction-Oriented ViewSecurityNetwork and Transport Layer
  • SecurityTransport Layer Security on the AS ABAPConfiguring the SAP Web AS for Supporting SSLCreating the Anonymous SSL Client PSE.
  • Set SSL to Active for RFC destinations AMAZONMAIL, AMAZONBOUNCE.
  • Select the certificate list to which you uploaded the certificates.
  • Test the AMAZONMAIL RFC destination. If you receive an HTTP response code 404, then the set up is correct

Follow the below steps to Download Certificates and apply to  Hybris Mkt system

1.  Open URL: in Chrome and  Open developer tools , as shown below:


2. Navigate to Security tab.


3. Choose ‘view certificate’ and save the certificate locally:


4.Store it as Base-64 file:


5. Login in to Hybris Mkt System and Import the certificate in Strust:  ( tcode: strust)


6. Setup RFC connection: ( Tcode: SM59)


Check the Security options in Logon and Security TAB, it should be “ Anonymous SSL..”


7. Perform the connection test and you should get HTTP response 404, which confirms connectivity to Amazon Server has been established and now you can send email/ execute email campaign .


  • To maintain / change Access key and Secret access key of IAM user in Hybris MKt




  • You would not like that all the Target Group members (Contacts) should receive emails when you execute an email campaign , while you are working on Development System, To avoid that :
      • You should maintain multiple  test email id,(Tcode: ME_WHITELIST) whichare verified in AWS- SES (if you are still in Sand Box)


1) SAP Hybris Marketing Installation Guide1511

2) AWS Developers Guide

You must be Logged on to comment or reply to a post.
  • Hello,

    Thank you very much for this great and very detailed description of the configuration process on AMAZON side ūüôā

    One important point for everything to work correctly here is the following:

    When configuring the notification configuration, the SNS topic should NOT be assigned to the Delivery option.

    For successful deliveries no topic should be assigned at all. Otherwise you will get errors in the application log during the bounce collection from AMAZON SQS. Only bounces and complaints should be assigned here.

    Best regards,


  • Hello Akhilendra and All,
    I would like to thank you for this much detailed blog
    We have followed each and every step as you have listed in your blog
    However at the end, I'm getting the below attached error when I try to do the connection test in RFC Destination AMAZONEMAIL, it doesn't give us 404 error but throws SSL handshake error 443.
    Just want some hints from you, if we have skipped some important steps or we are wrong some where.
    Your help here would be really appreciated.
    As we understood from your blog, to download the certificates

    As we understood from your blog, to download the certificates
    1) We opened below URL in chrome broswer ::
    When we open the site we get the below message . Is this right to get such a message ?

    The reason why we went for this URL is because in our console we got the URL and ARN as below, hence we changed the URL to
    Is this step which we did by opening the " eu-west-1 " url a correct one ?

    Is some certificate needs to be uploaded in AWS side as well ?



    • Please check transaction SMICM for more detailed error messages regarding SSL errors.

      Also on your SM59, AMAZONMAIL connection, did you set the Security Options on the "Logon&Security" tab to ANONYM SSL?


      Hi Bipin,

      I don't know if you could already solve that problem but we faced a similar problem. We had to change manually the proxy settings in the RFC connection. After that the connection test was ok.

      Hope that helps.

  • /
  • Thank you Akhilendra for your reply.

    While exporting the certificate from AWS website we selected the BASE-64 encoded X.509 format only.

    Unfortunately we still get the same SSL handshake error ? Do you think any steps we could have missed, from your post we have followed all the steps.

    We visited the site our chrome browser and exported the certificate to our desktop. Later this was imported to STRUST under node SSL client SSL Anonymous

    When we opened this site in the browser we got the message <unknownoperationException/>, is this fine ?

    Can you give us some Hint.

    Thanking you for your help and guidance



  • Hi Bipin,

    I have followed the same instructions and I get the same error when I test the RFC. The only difference from your settings and mine is the region. I am using and for the bounce queue I am using and these information matches with my SQS queue from Amazon.

    Have you figured out the issue yet? If yes, could you share your finding please.

    Thank you


    You can email me at:




    • Hello Anthony,

      Thank you for letting us know that you too are facing this problem.

      Not sure how to proceed, I have raised an Incident with SAP asking and seeking some inputs from them. I will surely keep you posted, if you get some information please let is know as well.

      What determines the region ? While configuring the AWS account you get the ARN key generated, mine came as West so i thought I should open the west website and download the certificate from there. Is this a correct approach ?

      Also what is the RFC destination Target host you have kept





  • Hi Bipin,

    Have you maintained the  Access Key ID , Secret Key Id & Feedback Queue Id in customizing settings .

    Use Tcode: "ME_AMAZONXS"  to Set Amazon SES Credentials 

    Feedback Queue format looks like:

    Feed back: /XX09200XXXX / Amazon_Bounce_Complaint_Notifications

    Above  details you will find  from SQS Queue


    Also , it's advisable to maintain IAM user ( with admin credentials) and use Access Key and Secret key of IAM user, though not mandatory.



  • Thanks for the posting. It's informative.

    Does Hybris support multiple AWS accounts to use SES? It seems to support to add multiple AMAZONSES. But only ONE AWS credential tab is provided, which means it does not support using multiple AWS accounts for SES. Is this correct?


  • Hi Bipin

    Did you resolve SSL handshake error ? Please post the solution if it is solved

    Hi Akhilendra,

    We are getting error in Amazon bounce RFC destination like Bipin(same screen) and we are getting 404 in Amazon mail

    Where did we go wrong in that case ?

    Any help would be appreciated





  • Hi ¬†Akhilendra,


    i'm completely new to the topic and have to configure Amazaon SES for Hybris Marketing Cloud.

    I have a question concerning the Feedback Queue. What do you mean by

    " In the SQS console, create a new queue with the same name you gave the feedback queue in technical configuration. " ? 

    What technical configuration do you mean ?




  • Hello,


    In SLG1 in hybris marketing; we are getting this log:

    Start collecting bounces from provider "sapAmazon".
    Please create an incident due to an internal error: "NOTIFICATION_TYPE"
    Please create an incident due to an internal error: "NOTIFICATION_TYPE"
    Processed 0 entries from queue.
    Finished collecting bounces from provider "sapAmazon".


    Does anyone have an idea what the problem could be?



  • Hi,


    After Subscribe the new queue to the SNS in AWS, do we need to  confirm the subscription and what need to mention in "Subscription confirmation URL".

    Is the above steps are mandatory for mkt system to recieve bounces



    Thirupaty Reddy V

  • Hi Akhilendra Pratap Singh,

    thanks for the nice blog! Sending e-mails works as expected.

    Is there a special configuration needed for getting the "EMAIL_OPENED" and "CLICK_THROUGH" events as interactions into Hybris Marketing.

    Because when I just have a look at the e-mail (e.g. in outlook) that seems to be not enough to receive the EMAIL_OPENED interaction.

    When I click a link in an e-mail I afterwards get the EMAIL_OPENED interaction but not the CLICK_THROUGH interaction.

    Best regards


  • Has anyone faced this error?

    API error: Code "403", Reason: "Forbidden", Message: "SignatureDoesNotMatch The request signature we cal", RequestID: "7d3d55...


    Regards, Renjith