There are many blogs that talk about connecting an SAP ABAP system (ERP/Hybris ..) directly to Cloud Platform Integration. This blog shows how to set up ERP connectivity with HANA Cloud Platform Integration using a Webdispatcher.
We have the three options below to integrate. All are supported by SAP.
ERP -> Cloud Platform Integration (Direct)
ERP -> Webdispatcher -> Cloud Platform Integration
ERP -> PI -> Webdispatcher -> Cloud Platform Integration
Due to security concerns, you may not wish to open the outbound port from your SAP ABAP system, even though it is an outbound connection over the secure port 443. We do not discuss here why opening the outbound port is not allowed or not safe (refer to the network security guide for more information).
In this blog we will learn how to integrate SAP ERP with Cloud Platform Integration using a Webdispatcher.
Traffic Flow : ERP -> Webdispatcher -> Cloud Platform Integration
Section 1: Outbound Call from SAP Webdispatcher to Cloud Platform Integration
As we all know, the SAP Web Dispatcher lies between the Internet and your SAP system. It is the entry point for HTTP(S) requests into your system.
But most of us are not aware that the Webdispatcher can also act as an outbound connection from your ERP to the outside world (be it HANA Cloud Platform Integration, Facebook, Gmail, Vendor Management Ariba, Pool 4 tool, or any web service you consume).
Section 1.1: Prerequisites
- The required add-ons are installed on your SAP ABAP system, based on the Cloud Platform Integration solution (Example: SuccessFactors add-ons and C4C add-ons)
- SAP Web-dispatcher is installed and available
- Port opening from SAP ABAP to Webdispatcher (http port: 9060)
- SAP Webdispatcher has a CA-signed certificate (the CA should be supported by Cloud Platform Integration) – Example: SAPSSLS.PSE
- Configure the SAP Webdispatcher with a free port (9060), which will listen for connections from ABAP to the Webdispatcher – refer to Section 1.3
Section 1.2 ABAP Side Settings (ABAP to Webdispatcher Connectivity)
You have two options to connect
- RFC connectivity (SM59) : The program calls the created RFC
- SOAMANAGER Services : Creating the logical port which the program calls.
In both cases the configuration remains the same: you call the Webdispatcher instead of the Cloud Platform Integration iflow link.
Create an SM59 type H connection
Target Host : Webdispatcher hostname (Instead of Cloud Platform Integration tenant :XXXXx-tmn.hci.eu1.hana.ondemand.com)
Target Port : Webdispatcher port (9066) (Instead of Cloud Platform Integration port :443)
Path Prefix : Cloud Platform Integration iflow path of the service you are calling (/cxf/……)
- You don't need to import any certificate into the ABAP system in STRUST if you are using the HTTP port
Section 1.3 : Webdispatcher Configuration
- IP/Port opening from Webdispatcher to your Cloud Platform Integration tenant over 443 (Network Team)
- Configuration of SAP Webdispatcher profile
- Importing the Cloud Platform Integration certificate into SAP Webdispatcher & configuring the CA-signed SAP Webdispatcher client certificate
- Importing the SAP Webdispatcher CA-signed client certificate into the Cloud Platform Integration iflow
1) IP/Port opening from Webdispatcher to your Cloud Platform Integration tenant over 443
Contact your Network Team
2) Configuration of SAP webdispatcher Profile
Go to the folder below and create a text file such as profile_HCI_TT1 (you can choose any name)
Content of the file <profile_HCI_TT1>: SetHeader Host <tenant url>
Edit the SAP Webdispatcher profile
icm/HTTP/mod_0 = PREFIX=/,FILE=E:\usr\sap\ADQ\SYS\profile\profile_HCI_TT1.txt (this allows the Webdispatcher to read the above file)
wdisp/system_0 = SID=TT1, EXTSRV=https://XXXX-iflmap.hcisbp.eu1.hana.ondemand.com, SRCURL=/cxf/, SSL_ENCRYPT=2
wdisp/system_1 = SID=ERP, MSHOST=ERP_ABAP SYSTEM, MSPORT=8101, SSL_ENCRYPT=0, SRCURL= /, SRCSRV=*:9066
The above two parameters accept the connection from the ABAP system over 9066 and forward it to the TT1 SID. Because we have set TT1 to the Cloud Platform Integration host, the request is forwarded to HANA Cloud Platform Integration.
wdisp/system_conflict_resolution = 1 (this parameter resolves conflicts related to SIDs)
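An added example, not part of the original post: a small Python check over the wdisp/system lines above that confirms the hop to the tenant is HTTPS with SSL_ENCRYPT=2 and lists the ports routed through SRCSRV, so the SM59 target port can be compared against them. The function names and the weak variant are constructed for illustration; treating any value other than SSL_ENCRYPT=2 as a finding is an assumption taken from the setting used on this page.

```python
import re
# Constructed input: the wdisp lines from Section 1.3, values as on the page.
PAGE_PROFILE = """
wdisp/system_0 = SID=TT1, EXTSRV=https://XXXX-iflmap.hcisbp.eu1.hana.ondemand.com, SRCURL=/cxf/, SSL_ENCRYPT=2
wdisp/system_1 = SID=ERP, MSHOST=ERP_ABAP SYSTEM, MSPORT=8101, SSL_ENCRYPT=0, SRCURL= /, SRCSRV=*:9066
wdisp/system_conflict_resolution = 1
"""
# Constructed weak variant: cleartext hop from the Webdispatcher to the tenant.
WEAK_PROFILE = PAGE_PROFILE.replace("https://", "http://").replace("SSL_ENCRYPT=2", "SSL_ENCRYPT=0")

def parse_systems(text):
    """Return {index: {KEY: value}} for every wdisp/system_<n> line."""
    systems = {}
    for line in text.splitlines():
        m = re.match(r"\s*wdisp/system_(\d+)\s*=\s*(.*)", line)
        if not m:
            continue
        opts = {}
        for part in m.group(2).split(","):
            key, sep, value = part.partition("=")
            if sep:
                opts[key.strip().upper()] = value.strip()
        systems[int(m.group(1))] = opts
    return systems

def outbound_findings(text):
    """Flag external (EXTSRV) targets that are not reached over TLS."""
    findings = []
    for opts in parse_systems(text).values():
        ext = opts.get("EXTSRV")
        if ext is None:
            continue  # not an outbound target, e.g. the ERP backend entry
        if not ext.lower().startswith("https://"):
            findings.append((opts.get("SID"), "EXTSRV is not https"))
        elif opts.get("SSL_ENCRYPT") != "2":
            findings.append((opts.get("SID"), "SSL_ENCRYPT is not 2"))
    return findings

def routed_ports(text):
    """Ports named in SRCSRV entries; the SM59 target port should be one of them."""
    ports = set()
    for opts in parse_systems(text).values():
        for entry in opts.get("SRCSRV", "").split(";"):
            host, sep, port = entry.strip().rpartition(":")
            if sep and port.isdigit():
                ports.add(int(port))
    return ports

if __name__ == "__main__":
    print(outbound_findings(WEAK_PROFILE), routed_ports(PAGE_PROFILE))
```

Run it against the real profile text before restarting the Webdispatcher, and compare `routed_ports` with the port entered in SM59.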
3) Importing the Cloud Platform Integration certificate into SAP Webdispatcher & configuring the CA-signed SAP Webdispatcher client certificate
3.1) Most customers will have a CA-signed server certificate (SAPSSLS.pse), but they won't have a CA-signed client certificate. SAP Cloud Platform Integration only accepts calls from clients with a CA-signed certificate. We have two options:
- Purchase a CA signed Client certificate for SAP Webdispatcher
- Workaround, yet supported by SAP -> Copy SAPSSLS.pse to SAPSSLC.pse
SAPSSLC.pse looks like below
3.2) Log in to your tenant link and download the certificates as below. Make sure you download all of the certificates, including root and intermediate.
Import the certificates into your SAP Webdispatcher at http://<webdispatcher>:<port>/sap/wdisp/admin
Tab: PSE Management -> Under SAPSSLC.pse
Restart your Webdispatcher.
4) Import the SAP Webdispatcher CA-signed client certificate into the Cloud Platform Integration iflow
Change the authentication from user-based to client certificate and import the SAP Webdispatcher CA-signed client certificate into each iflow.
Test your connection from SM59 -> Test connection -> Result
Status HTTP Response: 500 is successful
Note: Cloud Platform Integration doesn't support the ping operation, and you will get a message like the one below
An internal error occurred. For error details check MPL ID AFlk1QZuxZMx5Uve3JZ36zUjGH4p in message monitoring or use the URL https://XXX-tmn.hci.eu1.hana.ondemand.com:443/itspaces/#/shell/monitoring/MessageDetails/%7B%22messageGuid%22%3A%22AFlk1QZuxZMx5Uve3JZ36zUjGH4p%22%7D to directly access the error information
But when you execute the program which calls the RFC connection, the connection will be successful.
Note: SAP recommends direct connectivity from ERP -> Cloud Platform Integration. However, they also support / recommend using Webdispatcher / PI.
Errors you might face during the above configuration. Below are the areas to check:
- Make sure all relevant ports are opened
- Certificate import and validity (Webdispatcher / Cloud Platform Integration tenant link)
- ABAP to Webdispatcher connectivity / port opening
- Make sure the program is able to call RFC connection / SOA manager logical port
- Activate smicm trace to 3
- Activate webdispatcher trace to 3
- Rerun the program
- You are not exposing your productive landscape.
- No need to purchase multiple CA-signed client certificates for each landscape involved in the integration (you can buy one CA-signed SAP Webdispatcher client certificate, and all your backend systems use the same Webdispatcher to connect to your Cloud Platform Integration)
Note: We are not covering the issues coming from Cloud Platform Integration -> (SuccessFactors cloud, C4C Cloud, etc.)