SAP ERP to SAP Cloud Platform Integration via Webdispatcher
There are many Blogs which talks about SAP ABAP System (ERP/Hybris ..) direct connectivity to Cloud Platform Integration. This blogs will help you out how to setup ERP connectivity with HANA Cloud Platform Integration using Webdispatcher.
We have the below 3 options to integrate. All are supported by SAP.
ERP -> Cloud Platform Integration (Direct)
ERP -> Webdispatcher -> Cloud Platform Integration
ERP -> PI -> Webdispatcher -> Cloud Platform Integration
Due to security concerns you may not wish to open the outbound port from your SAP ABAP system. Though its an outbound connection with secure port 443. We haven’t discuss why the outbound is not allowed / safe to open (You can refer network security guide for more information)
In this blog we will learn how to Integrate SAP ERP with Cloud Platform Integration using Webdispatcher
Traffic Flow : ERP -> Webdispatcher -> Cloud Platform Integration
Section 1: Outbound Call from SAP Webdispatcher to Cloud Platform Integration
We all know The SAP Web dispatcher lies between the Internet and your SAP system. It is the entry point for HTTP(s) requests into your system.
But most of us are not aware that Webdispatcher can acts an outbound connection from your ERP to outside world (let it be HANA Cloud Platform Integration, Facebook, Gmail, (Vendor Mgment Ariba, Pool 4 tool and any consuming webservice)
Section 1.1: Pre-requisite
- The required addons are installed on your SAP ABAP system based on the Cloud Platform Integration solution (Example: Successfactor addons, & C4C addons)
- SAP Web-dispatcher is installed and available
- Port opening from SAP ABAP to Webdispatcher (http port: 9060)
- SAP Webdispatcher has an CA signed certificate (CA should be supported by Cloud Platform Integration) – Example: SAPSSLS.PSE
- Configure the SAP web-dispatcher with a free port (9060), which will listen from ABAP.to Webdispatcher – Refer the Section 1.3
Section 1.2 ABAP Side Settings (ABAP to Webdispatcher Connectivity)
You have two options to connect
- RFC connectivity (SM59) : The program calls the created RFC
- SOAMANAGER Services : Creating the logical port which the program calls.
In both cases the config remains same. You would be calling the webdispatcher instead of the Cloud Platform Integration iflow link
Create an SM59 type H connection
Target Host : Webdispatcher hostname (Instead of Cloud Platform Integration tenant :XXXXx-tmn.hci.eu1.hana.ondemand.com)
Target Port : Webdispatcher port (9066) (Instead of Cloud Platform Integration port :443)
Path Prefix : Cloud Platform Integration iflow path of the service you are calling (/cxf/……)
Note:
- You dont need any certificate to be imported to ABAP system in strust if you are using HTTP Port)
Section 1.3 : Webdispatcher Configuration
Steps Involved
- IP/Port opening from Webdispatcher to your Cloud Platform Integration tenant over 443 (Network Team)
- Configuration of SAP Webdispatcher profile
- Importing Cloud Platform Integration Certficate in SAP Webdispatcher & Configurring CA signed SAP webdispatcher Client Certificate
- Import the SAP Webdispatcher CA signed client certificate in to Cloud Platform Integration iflow
1) IP/Port opening from Webdispatcher to your Cloud Platform Integration tenant over 443
Contact your Network Team
2) Configuration of SAP webdispatcher Profile
Goto the below folder and create an text file like profile_HCI_TT1 (you can choose any name)
content of the file <profile_HCI_TT1> SetHeader Host <tenand url>
Edit the SAP Webdispatcher profile
icm/HTTP/mod_0 = PREFIX=/,FILE=E:\usr\sap\ADQ\SYS\profile\profile_HCI_TT1.txt (This will allow the webdispatcher to read the above file
wdisp/system_0 = SID=TT1, EXTSRV=https://XXXX-iflmap.hcisbp.eu1.hana.ondemand.com, SRCURL=/cxf/, SSL_ENCRYPT=2
wdisp/system_1 = SID=ERP, MSHOST=ERP_ABAP SYSTEM, MSPORT=8101, SSL_ENCRYPT=0, SRCURL= /, SRCSRV=*:9066
The above two parameters will accept the connection from ABAP system over 9066 and forwards it to TT1 SID. We have set TT1 to the host of Cloud Platform Integration it will forwards to HANA Cloud Platform Integration Cloud
wdisp/system_conflict_resolution = 1 (This will parameter will resolve the conflicts related to SIDs)
3) Importing Cloud Platform Integration Certficate in SAP Webdispatcher & Configuring CA signed SAP webdispatcher Client Certificate
3.1) Most of the customer will have CA signed server certificate (SAPSSLS.pse) But they wont be having an CA signed client certificate. But SAP Cloud Platform Integration only accepts CA signed calls from Client. We have two options
- Purchase a CA signed Client certificate for SAP Webdispatcher
- Work around yet supported by SAP -> Copy the SAPSSLS.pse to SAPSSLC.pse
SAPSSLC.pse looks like below
3.2) Login to your tenant link and download the certificate as below. Make sure you download all the certificate include (root and intermediate).
Import the certificate in to your SAP webdispatcher http://<webdispatcher>:<port>/sap/wdisp/admin
Tab: PSE Management -> Under SAPSSLC.pse
Restart your Webdispatcher.
4) Import the SAP Webdispatcher CA signed client certificate in to Cloud Platform Integration Iflow
change the authentication from user based to client certificate and import the SAP Webdispatcher CA signed client certificate in to each iflow.
Test your connection from SM59 -> Test connection -> Result
Status HTTP Reponse : 500 is successfull
Note: Cloud Platform Integration doesn’t support ping operation and you will get message like below
An internal error occurred. For error details check MPL ID AFlk1QZuxZMx5Uve3JZ36zUjGH4p in message monitoring or use the URL https://XXX-tmn.hci.eu1.hana.ondemand.com:443/itspaces/#/shell/monitoring/MessageDetails/%7B%22messageGuid%22%3A%22AFlk1QZuxZMx5Uve3JZ36zUjGH4p%22%7D to directly access the error information
But when you execute the program which call the RFC connection the connection will be successfull.
Note: SAP recommends to use direct connectivity from ERP -> Cloud Platform Integration. However they also support / recommend using webdispatcher / PI
Error you might faced during the above configuration. The below are the areas to check
- Make sure all relevant ports are opened
- Certificate Import and Validity (Webdispatcher / Cloud Platform Integration Tenant LInk)
- ABAP to Webdispatcher connectivity / Port opening)
- Make sure the program is able to call RFC connection / SOA manager logical port
Troubleshooting
- Activate smicm trace to 3
- Activate webdispatcher trace to 3
- Rerun the program
Benefits:
- You are not exposing your productive landscape.
- No need to purchase multiple CA signed client certificate for each landscape involved in integration (You can buy 1 CA signed client SAP webdispatcher certfiicate and all your backend system use the same webdispatcher to connect your Cloud Platform Integration)
Note: We are not covering the issues coming from Cloud Platform Integration -> (Successfactor cloud, C4C Cloud, etc)
Regards
Iliyas.
Very nice document Iliyas... Thanks for sharing..
Good document!, for my http rules use this configuration (begin end):
begin
SetHeader HOST endpoint.hana.ondemand.com
end
and give the PSE client at the configuration line:
wdisp/system_0 = SID=TT1, EXTSRV=https:endpoint.hana.ondemand.com, SRCURL=/cxf/, SSL_ENCRYPT=2, SSL_CLIENT_PSE=/usr/sap/WXX/W00/sec/SAPSSLC_client.pse
Hi,
We are attempting to run this solution for a customer, the difference is we are only going only outbound and not inbound, and the test from ECC to the web dispatcher has to go through a proxy before getting to the WD. The issue is the traffic is not even hitting the Web Dispatcher and stopping at the proxy due to authentication. After running some trace/packet capture we found the username to authenticate with the proxy is correct but for some reason the password we supplied in SOAMANAGER (web service configuration) is not correct and doesn't appear to be using the password provided.
A packet capture helped us establish that the password is a random string or key instead of the supplied password in the proxy config of SOAMANAGER.
I don’t understand why we are seeing a string – as far as I can tell the password that is sending to the hardware proxy similar too CB58AB86F2644FA345DB8973256FE6D575AD – instead of the correct password.
Does anyone know why ECC tx SOAMANAGER would be sending the string instead of the password?
We ran the same test via RFC and this tested successfully WITH the correct password.
Your help is gratefully appreciated.
Nick
Dear Nick,
Apologise for the late reply. In SOAmanager Double click the consumer proxy (standard / custom) for which you want create the logical port.
create -> manual configuration this will allow you to set the password and the same password will used from sap to outside via webdisp. I am using this to transfer the data to del boomi
the internet proxy username/ password should be set at sicf -> client-> proxy settings.
regards
iliyas
Hello Sir,
Hope you doing great.
Want to integrate SAP ECC 6 ehp 7 with HCI, Using web dispatcher and hana cloud connector.
I create abap rfc using H . when i test the connection it give me login screen of hci. but when i put user and pass .the error 404 display
thanks
Hi Jawad,
404 is more related to the config at target side. Its asking username/password means its able to reach but may the HCI iflows were not available.
check accessing the HCI iflows directly.
Plus sm59 test connection will retrun 500 (as the ping is not supported by HCI) but when you run the pgrm/function module to call the hci via sm59 conn it will work.
Regards
Iliyas.
Thank you lliyas for this wonderful blog!!
We are trying to do this configuration for a customer. While doing the web service configuration in SOAMANAGER , when we are trying to ping the service , we get below error.
Regards,
Satish
Dear Iliyas,
We are planning to deploy Ariba. Currently we have SAP ERP, PI within internal network (not connect to internet directly). Between internal network and internet is DMZ which have 2 firewalls. We already installed Web Dispatcher (WD) in DMZ, then performed testing successful from Internet –> WD (DMZ) –> PI –> SAP ERP.
In this article, I understood that is possible to reverse way from SAP ERP –> PI –> WD (DMZ) –> Web application (Internet, 3th party system or cloud based application). My understanding is correct or not. If yes, can you please help to describe details how to configure to allow this scenario?
Thank you so much and best regards,