
Overview

SAP recently introduced a cloud service called SAP Localization Hub, Digital Compliance Service for India. It helps companies doing business in India connect to the Indian Government to submit GST-specific information.

The following block diagram outlines how the communication takes place:

 

This blog talks about the steps that need to be performed to enable SAP Cloud Platform Integration to connect Digital Compliance Service with a GSP.

Glossary:

GST: Goods and Services Tax
GSP: GST Suvidha Provider
DCS: Digital Compliance Service for India solution
SLH: SAP Localization Hub

 

Welcome email

When you buy the Digital Compliance Service license, you get 2 Cloud Platform Integration tenants with it. One tenant serves for development, while the other should be used for production. For each tenant, you get a welcome email outlining the details about the tenant.

This mail is only sent to the people mentioned when the contract is signed:

 

Setting up users, authorizations and roles

 To add more users to Cloud Platform Integration, use the URL to access the cloud platform cockpit from the welcome email and go to the subaccounts view:

Now click on the sub-account of the tenant where you want to provide access:
Please note that each Cloud Integration tenant has its own sub-account and access needs to be provided to each user at a sub-account level.

Now click on Security –> Authorizations. Go to the Users tab:

Create the following 5 categories of users:

Role added: Actions allowed
ESBMessaging.send: Any user having this role can be configured in the destination used by the DCS to connect to a Cloud Integration endpoint. This role authorizes the user to run any integration flow on the tenant.
AuthGroup.Administrator: Allows a user to perform all operational tasks, like deploying/undeploying security artifacts, editing the keystore, mapping users to certificates, managing/deploying/undeploying integration flows, viewing logs (except message payload), managing message queues (except viewing message payload), managing data stores (except viewing data store content), managing log levels, managing message locks, etc.
AuthGroup.IntegrationDeveloper: Allows a user to develop integration content, copy content from the discover view, configure the integration flow, manage resources, update content packages, deploy/undeploy integration content, manage credentials and security material, view logs, manage log levels, etc.
NodeManager.deploysecuritycontent: Allows a user to only manage security material, including the keystore of the tenant.
AuthGroup.BusinessExpert: Is an end user of the integration process. The corresponding user has access to view the message payloads.

Note: Detailed information of the assignment of each of the above roles can be found at: https://cloudintegration.hana.ondemand.com/PI/help > Operations Guide for SAP Cloud Platform Integration > User Management for Cloud Integration > Managing Users and Roles Assignments > Defining Authorizations

Assign the above roles to the user accordingly.

 

Working with Cloud Platform Integration

In order to work with Cloud Platform Integration, you need to access a web based tooling UI, which can be launched by using the following link:

<management-url>/itspaces

You can also find it in the welcome email under Web UI URL.

It is the single interface where you can perform all the following:

  • Access pre-delivered content from SAP
  • Build your content
  • Deploy your content
  • Monitor deployed artifacts
  • Perform operational tasks

Based on the role provided to your user, your views and the operations that you can perform, will differ.

 The following is a screenshot of the Discover View – it lists all the content pre-delivered from SAP. Here you will find ready-to-use content for common use cases. After small configurations (endpoints, certificates, users, etc.), it can be run for production scenarios. Unless you need customization, you do not need to perform any additional modelling on this content.

 

 If you want to build your own content or add customizations/adjustments to the pre-delivered content, you can use the next view, which we call the Design View. This view allows you to build or update content using a visual BPMN modeler, as can be seen from the screenshot below.

 

 The last tab is the Operations View/Monitor. It is used to perform the operational tasks on your tenant, like:

  • Monitor message processing
  • Monitor deployed artifacts
  • Manage security material
  • Manage data stores
  • Manage JMS queues
  • Manage locks
  • Work with the tenant keystore
  • Define log levels
  • View Logs and traces
  • Perform connectivity tests to backend systems
  • Map users to certificates

 

Finding the Cloud Integration content

You can get the integration package for connecting to the GSP in 2 ways:

 

From the GSP

You get the content directly from the GSP. The content shall be provided as a zip file containing the content package. You need to import this content into the design view of your development tenant. Go to the Design view.

 

Click on Import and browse to the location where you stored the zip file that you received from the GSP:

 

The package gets added successfully to the list of packages in the design view.

 

From the pre-delivered content in the discover view

Here you shall find a template that needs to be adapted to work for a GSP.
Go to the Web tooling interface and browse to the Discover view. Click on ALL and search for “Integration from Digital Compliance Service to GST Suvidha Provider and eSign Application Service Provider”

Now Open the package and go to the Artifacts tab to see the integration flows bundled with the package.

In order to start working on the integration flow, you need to Copy the content package to the design view: Click on Copy.

In case you are copying several times to create multiple working copies, you will be asked to give a unique identifier for the copied instance:

 

Using the Cloud Integration content

Now that you have got the content, you can either edit it to enhance it or configure it to add basic parameters.

Move to the Design View and search for the copied package. Open the package:

The Document tab lists all the guides that you will need to understand the pre-delivered content:

 

Go to the Artifacts tab and double-click on GST Integration Template (or the content that the GSP provided) to open it:

 

 

Editing the content

Edit allows you to change the integration flow to incorporate customizations and adjustments. In this process, you lose the eligibility to receive updates to the content whenever new updates to this integration flow are published by SAP.

To know more about standard content update governance, please read the following blog:

https://blogs.sap.com/2017/04/14/sap-cloud-platform-integration-standard-content-update-goverenance/

 

Once you click on Edit, a palette gets enabled on the left side of the canvas. Use the process steps from the palette to enhance your integration flow.

Once done, you have the option to Save or Deploy the integration flow.

 

 

Cloud Platform Integration learning material

Want to learn more about working with an integration flow? Refer to the following links:

  1. Discover view -> Cloud Integration.Lessons Learnt
  2. Cloud Integration Quick Start Guide
  3. SAP Cloud Integration Product Page
  4. Course on Cloud Integration at OpenSAP
  5. Cloud Integration learning material

 

Configuring the content

Configure allows you to enter the basic configuration parameters into the integration flow, like endpoints, certificates, users, etc. Since you do not update the integration flow, you remain eligible to receive updates to the integration flow when a new update is available. Make the required entries to the parameters.

Once you are done with configuring the parameters of the integration flow, you can save or deploy it.

Role: The above steps can be performed by a user having the AuthGroup.IntegrationDeveloper role assigned to himself.

 

Deploying your integration flow

Once you are done with editing or configuring your integration flow, you need to execute it. The integration flow needs to be deployed in order to be executed.

Click on Deploy.

OR

You will be informed that the integration flow is triggered for deployment. This indicates that there were no modelling errors in the integration flow.

The following message at the bottom of the screen confirms that the integration flow was successfully deployed:

Role: The above steps can be performed by a user having the AuthGroup.IntegrationDeveloper role assigned to himself.

 

Checking the deployment status

Go to the Operations View -> Manage Integration Content.

Click on the first tile – it will list all the integration flows that are deployed on the tenant.

Ensure that the Status of the integration flow is set to Started.

If the bundle is not set to status Started, it will show Error. The Status Details section on the right pane will outline the reason for the error:

Role: The above steps can be performed by a tenant administrator.

 

Retrieving the HTTP Endpoint of the integration flow and configuring it in the DCS destination

Once the integration flow is deployed and started successfully, it exposes an HTTP endpoint that needs to be configured in the DCS destination in Cloud Platform Cockpit.

Open the integration flow in the design view and go to the sender HTTPS channel configuration:

Look for the value of the address field. Here it is set to /sapdcs/dcs2gsp.

The HTTP endpoint is: <Management-url>/http/<value of the address field in the HTTP sender channel>

Management-url can be found in the welcome email.

 

Now configure the same in the destination created in the Cloud Platform Cockpit:

Role: The retrieval of channel configuration to construct the HTTP endpoint can be performed by a user having the AuthGroup.IntegrationDeveloper role assigned to himself.

 

Setting up a Secure Connection

The below description assumes:

1)      Communication between Digital Compliance Service and Cloud Platform Integration happens using Basic authentication.

2)      Communication between Cloud Platform Integration and the GST Suvidha Provider makes use of certificate based authentication.

The following diagram defines the set of actions that need to be performed in order to accomplish the above:

A) Establish a secure connection between Digital Compliance Service and Cloud Platform Integration using Basic authentication:

While you configure the Destination for communication between DCS and Cloud Integration, make a note of the user that is configured:

Making use of the steps mentioned under Setting up users, authorizations and roles, assign the role ESBMessaging.send to the user configured in the destination as highlighted above.

Now, in the sender HTTPS channel of your Cloud Integration scenario, make sure you used the following setting:

Authorization: User Role – this indicates that basic authentication is used.

User Role: indicates the role that the user must have to be allowed to execute the process.

B) Ensuring that Cloud Platform Integration and GST Suvidha Provider (GSP) trust one another at runtime:
a)  Ensuring that the key used by Cloud Platform Integration to communicate with GST Suvidha Provider (GSP) is signed by a Certifying Authority (CA) trusted by them (GSP):

Each Cloud Integration tenant has its own keypair that it uses to communicate for establishing a secure connection to the receiver.

  1. Check the on-boarding guide of your selected GSP for the list of trusted Certifying Authorities.
  2. If the signing authority of your Cloud Integration tenant’s own keypair is one of them, then you do not need to perform anything mentioned in this step. Proceed to step B-b.
  3. Else, you will need to provision a keypair signed by a signing/certifying authority that is trusted by your GSP.
  4. Upload this new key with an alias (say keyForGSP) into the tenant keystore.
    • In the web tooling interface, go to Operations View -> Manage Security -> Keystore:
    • Using a tool (like Portecle or KeystoreExplorer) bundle the newly provisioned keypair into a keystore file (.jks).
      PS. As of today, the keystore self-service does not allow uploading a certificate or key into the keystore. It only allows uploading a keystore. Hence for every artifact that we want to upload into the tenant keystore, we need to create a keystore and add that to the tenant keystore.
    • Now add this keystore to your tenant’s keystore:
    • For more details, please refer to the following blog: https://blogs.sap.com/2017/06/19/cloud-integration-keystore-monitor-now-available-for-tenant-administrator/
  5. In the HTTP receiver channel connecting to the GSP system, make sure to use the alias of this new keypair:

b)  Ensuring that trust is established at runtime between Cloud Integration and GSP during the SSL handshake: For trust to be established during the SSL handshake, each system must have the root CA certificate of the certifying authority (CA) that signed the other system's keypair. In step 4 above, we ensured that the GSP system has the root CA of the keypair of the tenant (because we created a keypair signed by a CA trusted by the GSP). In this step, we will add the root CA of the certifying authority which signed the GSP system's keypair:

Again, as in step 4, start by creating a keystore containing the root CA of the GSP key's certifying authority and add that keystore to the tenant keystore.


As of today, the keystore self-service does not allow uploading a certificate or key into the keystore. It only allows uploading a keystore. Hence for every artifact that we want to upload into the tenant keystore, we need to create a keystore and add that to the tenant keystore.

Role: The above steps can either be performed by the Tenant Admin (AuthGroup.Administrator) or a user having the NodeManager.deploysecuritycontent role assigned to himself.
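
The trust checks from B-a (step 2) and B-b can be run locally before anything is uploaded to the tenant keystore. This is an added example, not part of the original blog or of SAP tooling: it uses the openssl command line on constructed certificates, and the CA names, file names and helper functions are assumptions (only the alias keyForGSP comes from the text above).

```shell
#!/bin/sh
# Added example; all names, subjects and files below are constructed sample data.

# issuer_of CERT.pem: print the issuer DN, i.e. the signing authority to look
# up in the GSP on-boarding guide (B-a, steps 1 and 2).
issuer_of() { openssl x509 -in "$1" -noout -issuer; }

# chains_to_trusted CERT.pem TRUSTED_CAS.pem: exit status 0 only if CERT chains
# to a CA in TRUSTED_CAS. -no-CApath keeps the OS trust store out of the verdict.
chains_to_trusted() {
    openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

# make_ca DIR NAME: constructed self-signed root CA standing in for a real CA.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_cert DIR CA_NAME NAME: constructed key pair and certificate signed by CA_NAME.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 2 -out "$1/$3.pem" 2>/dev/null
}

# build_sample DIR: gsp-trusted-ca is on the GSP's list, unlisted-ca is not.
build_sample() {
    make_ca "$1" gsp-trusted-ca && make_ca "$1" unlisted-ca &&
    issue_cert "$1" unlisted-ca tenant-default &&   # tenant's existing key pair
    issue_cert "$1" gsp-trusted-ca keyForGSP &&     # newly provisioned key pair
    issue_cert "$1" unlisted-ca gsp-server          # certificate the GSP presents
}

# verdict CERT.pem TRUSTED_CAS.pem: print a one-line result for a report.
verdict() {
    if chains_to_trusted "$1" "$2"; then r="TRUSTED"; else r="NOT TRUSTED"; fi
    echo "$r: $(basename "$1") against $(basename "$2")"
}

d=$(mktemp -d) && build_sample "$d" && {
    issuer_of "$d/tenant-default.pem"
    verdict "$d/tenant-default.pem" "$d/gsp-trusted-ca.pem"  # B-a: provision a new key
    verdict "$d/keyForGSP.pem" "$d/gsp-trusted-ca.pem"       # B-a: GSP will accept it
    verdict "$d/gsp-server.pem" "$d/unlisted-ca.pem"         # B-b: root CA to add
    verdict "$d/gsp-server.pem" "$d/gsp-trusted-ca.pem"      # B-b: wrong root CA
}
rm -rf "$d"
```

With real material, export the tenant certificate and the CA certificates as PEM files and call chains_to_trusted on them instead of the constructed sample.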

 

Testing the secure connectivity to the GSP system

Before you run your actual scenario, it is important to test if the secure connection to the GSP system from Cloud Integration happens successfully.

Cloud Integration provides a utility that helps you test connectivity to any receiver system – this considers the security artifacts that are imported in the tenant keystore to make and test the connection.

Go to the Operations View -> Manage Security and click on Connectivity Tests:

Enter the following details in the form:

Host: The HTTP URL of the GSP system
Port: The port which is listening to the incoming HTTP requests
Enable Authenticate with Client Certificate
Alias: The alias of the private key created for communication to the GSP system
Enable Validate Server Certificate

If the connection works successfully, you get the following screen.

Role: The above steps can be performed by a tenant administrator.

 

Moving content from development tenant to production tenant

Once you are done with validating the content in the development tenant, you need to move it to the production tenant to run it for productive scenarios/use cases.

It is always a good idea to move the entire package rather than just the artifact.

As of today, there is no automated content transport supported in Cloud Integration. As a result, the content needs to be transported manually.

Go to the development tenant and open the package that you want to move:

Click on Export on the top left in the package view to download a zip file containing all the content of the selected package.

Now go to the production tenant and browse to the Design view.

Click on Import and browse to the location where you stored the zip file from the development tenant:

The package gets added successfully to the list of packages in the design view.

If you are copying an update to the content, the content package may already be present on the Production tenant. In such a case, you shall be presented with a dialog box:

Clicking on Yes will overwrite the existing instance of the package. If you are pushing an update to the content, this should be fine.

However, there are cases where you would like to keep multiple copies of the same content in production and would not like to overwrite. Please refer to the following blog to see how this can be handled:

https://blogs.sap.com/2017/04/14/cloud-integration-maintaining-multiple-customized-versions-of-a-standard-content-package/

Role: The above steps can be performed by a user having the AuthGroup.IntegrationDeveloper role assigned to himself.

 

Steps to be repeated in the production tenant after moving the content 

You will need to repeat the following steps in the production tenant to be able to run the scenario successfully:

1)      Setting up users, authorizations and roles

2)      Deploying the copied integration flow

3)      Checking the deployment status

4)      Retrieving the HTTP Endpoint of the integration flow and configuring it in the DCS destination

5)      Setting up a Secure Connection

6)      Testing the secure connectivity to the GSP system

Role: All the above steps can be performed by a tenant administrator.

7)     Additionally, a user (having the AuthGroup.IntegrationDeveloper role) will need to configure the copied integration flow to point to the production endpoints and update the corresponding users, certificates and aliases before it is deployed.

 

 

 

 

 

 

 

 

 

 
