B2B Capabilities in SAP Cloud Integration – Part 1
SAP Cloud Integration has released B2B capabilities (available only on Enterprise-licensed tenants) that let B2B customers securely transfer EDI documents over the AS2 protocol and provide a way to split, validate and convert EDI documents to XML.
In this four-part blog series,
- Part 1 focuses on setting up an AS2 simulation tool to simulate B2B partners and transfer an EDI message to a simple integration flow developed on an SAP Cloud Integration tenant.
- Part 2 focuses on enhancing the above configured inbound scenario to securely transfer the EDI payload (using signing and encryption).
- Part 3 focuses on enhancing the above scenario to split, validate and generate a functional acknowledgement for the incoming bulk message, and finally convert the split message to XML.
- Part 4 focuses on creating an outbound scenario that converts IDoc message to EDI message.
Prerequisites
- You have obtained an SAP Cloud Integration tenant with SAP Cloud Integration, enterprise edition / SAP Integration Suite, standard edition / SAP Integration Suite, premium edition.
- A Message Broker is provisioned on the tenant. Refer to the blog to provision a Message Broker.
- You are familiar with the AS2 protocol. For more details, refer to the RFC guide.
AS2 (Applicability Statement 2) is a specification about how to transport data securely and reliably over the Internet. Security is achieved by using digital certificates and encryption.
Follow the steps below to set up the AS2 mendelson tool to simulate the AS2 partners and exchange a simple AS2 message between the mendelson tool and the SAP Cloud Integration tenant.
1. AS2 Mendelson Tool Installation:
For simulating the AS2 partners, I would be using the AS2 Mendelson software. You are free to use other tools.
1. Download and install Mendelson from http://as2.mendelson-e-c.com/
2. After installation, you should see AS2 and AS2Stop shortcuts created as shown below.
3. Click on AS2 to start the Mendelson AS2 server.
4. Enter http://localhost:8080/as2/HttpReceiver in your browser and you should see the below message.
2. Configuring Mendelson for simulating AS2 Partners:
In this step, we make the configuration required to post an AS2 message from the mendelson tool to the SAP Cloud Integration tenant. This involves simulating a Sender Partner (mycompany) and a Receiver Partner (ABCCompany) in the mendelson tool.
2.1 Configuring AS2 Local Station
There should be at least one AS2 partner configured as a local station that acts as an initiator to post the AS2 messages to other AS2 partners.
1. Run AS2.exe as Administrator.
2. In the File menu, choose Partner and perform the steps mentioned below.
3. Select Local station (the one with the Home icon) and configure the properties. You may retain the default values.
4. Choose the MDN tab and enter the MDN URL as http://<IPAddress>:8080/as2/HttpReceiver
5. Click “Ok” to save the configuration.
2.2 Configuring AS2 Partner
In this step, I am simulating an AS2 partner called ABCCompany in the Mendelson tool. To test the connection between the mendelson tool and the SAP Cloud Integration tenant, the initial configuration does not include any security features (i.e. no signature, no encryption).
1. Choose mendelsontest and click on Clone to simulate a new AS2 partner (mendelsontest0).
2. Edit the newly created partner. Here I have changed the partner name to ABCCompany. Configure the basic properties like Name and AS2 Id.
3. Configure Security settings as shown below.
4. Configure Send settings as shown below.
Receipt URL: <Runtime URL of the SAP Cloud Integration tenant>/as2/as2
Payload subject: SimpleAS2
Payload content type: Application/EDI-X12
NOTE: The Runtime URL can be obtained by connecting to the operations URL in Eclipse or from the Welcome Mail sent by SAP.
5. Configure MDN settings as shown below.
6. Configure HTTP Authentication to post the AS2 messages to the Cloud Integration tenant. The tenant does not accept any inbound messages that arrive without authentication.
In the Username field, enter the user who has been assigned the ESBMessaging.send role on the tenant's iflmap application, and provide that user's password.
7. Configure proxy settings (optional).
If you get a connection timeout error after all the above settings are done, it may mean that you need to configure the proxy.
Navigate to File->Preferences and set the proxy value as shown below.
More details about different AS2 headers can be found in the AS2 rfc guide https://www.ietf.org/rfc/rfc4130.txt
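What the settings in section 2.2 put on the wire, as an added example that is not part of the original blog and not Mendelson or SAP code: it builds the plain AS2 POST with the RFC 4130 headers and reports which protections are absent. The host name, user, password, AS2 IDs, MDN address and payload are constructed sample values.

```python
import base64
import uuid
from urllib.parse import urlsplit


def build_as2_request(url, as2_from, as2_to, payload, user, password, mdn_url):
    """Build the plain (unsigned, unencrypted) AS2 POST that section 2.2 configures."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {
        "AS2-Version": "1.0",
        "AS2-From": as2_from,
        "AS2-To": as2_to,
        "Message-ID": f"<{uuid.uuid4()}@{as2_from}_{as2_to}>",
        "Subject": "SimpleAS2",
        "Content-Type": "application/EDI-X12",
        "Disposition-Notification-To": mdn_url,  # asks the receiver for an MDN
        "Authorization": f"Basic {token}",  # base64 is encoding, not encryption
    }
    return url, headers, payload


def audit_as2_request(url, headers):
    """Report which protections are absent, judged from the URL and outer headers."""
    ctype = headers.get("Content-Type", "").lower()
    encrypted = ctype.startswith("application/pkcs7-mime") and "enveloped-data" in ctype
    signed = ctype.startswith("multipart/signed")
    findings = []
    if not encrypted:
        findings.append("payload-unencrypted")
        if not signed:  # inside an envelope a signature would not be visible here
            findings.append("payload-unsigned")
    if "signed-receipt-protocol" not in headers.get("Disposition-Notification-Options", ""):
        findings.append("mdn-unsigned")
    if urlsplit(url).scheme != "https":
        if headers.get("Authorization", "").startswith("Basic "):
            findings.append("credentials-in-cleartext")
        if not encrypted:
            findings.append("payload-in-cleartext")
    return findings


# Constructed sample values (assumptions, not taken from a real tenant).
SAMPLE = dict(as2_from="mycompanyAS2", as2_to="ABCCompanyID",
              payload=b"ST*850*0001~SE*2*0001~", user="s-user", password="example-only",
              mdn_url="http://192.0.2.10:8080/as2/HttpReceiver")

if __name__ == "__main__":
    for base in ("https://tenant.example.invalid", "http://tenant.example.invalid"):
        url, headers, _ = build_as2_request(base + "/as2/as2", **SAMPLE)
        print(urlsplit(url).scheme, audit_as2_request(url, headers))
```

With this Part 1 configuration TLS is the only layer protecting the Basic credentials and the EDI payload, which is why the certificate import in the next section matters.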
2.3 Import SSL certificate from SAP Cloud Integration Tenant to Mendelson tool
This step is required to securely post the AS2 message from the mendelson tool to the SAP Cloud Integration tenant.
NOTE: You need to have the AuthGroup.Administrator, AuthGroup.BusinessExpert and AuthGroup.IntegrationDeveloper roles assigned to the user on the tmn application.
For more details on task-related roles, refer to the SAP Cloud Integration documentation: https://help.sap.com/viewer/368c481cd6954bdfa5d0435479fd4eaf/Cloud/en-US/289ef3f8cfad442ea86fe0d5ddad8c42.html
Perform the below steps to import the root certificate:
1. Log on to the Tenant Web UI URL.
2. Navigate to Monitor -> Key store.
3. Download the root certificate as shown below.
4. Import the root certificate into the mendelson tool:
a) In the mendelson tool, navigate to File->Certificates -> SSL/TLS
b) Click on Import Certificate
c) Browse to the downloaded certificate and click on Import
d) Check “Show root certificates” to view the root certificate
NOTE: If the above step is not performed, you would get the SSLHandshake error as shown below.
3. Create a Simple AS2 Inbound Integration Flow
3.1 Configure and deploy a simple AS2 Integration flow
1. Create a simple integration flow with an AS2 Sender and an SFTP Receiver to receive bulk orders pushed from the mendelson tool and post them to the SFTP receiver.
2. Configure the AS2 Sender adapter as shown below.
Keep the other properties related to Security, MDN and Retry at their default values.
3. Save and deploy the integration flow.
4. Check the status of the integration flow by navigating to Monitor->Manage Integration Content.
NOTE: Sometimes the integration flow may fail after deployment with the error “No runtime nodes have started for this tenant”. Refer to KBA article 2520573 for the cause and resolution of the issue.
5. A message queue named after the integration flow is created under Monitoring->Manage Stores->Message Queues.
4. Testing a simple AS2 message post from Mendelson to SAP Cloud Integration Tenant
1. In the account cockpit page, assign the Send role to the user on the iflmap application as shown below. This is the same user that we configured in the mendelson tool for HTTP Authentication.
2. In the Mendelson tool, choose File->Send File to partner.
3. Choose ABCCompany from the Receiver dropdown, select an ANSI X12 message as the file name and click OK.
4. You should see a successful message in the mendelson tool as shown below.
5. Double-click on the message to see the message that was sent and the MDN received back.
6. On the tenant, navigate to Monitor Message Processing to see a Completed message with an MPL attachment (MDN attachment).
We have learnt how to install and configure the Mendelson tool to post an AS2 message to the SAP Cloud Integration tenant. We have also created a simple integration flow with an AS2 Sender to receive messages from the mendelson tool.
In the next part of this blog series, I will extend this simple AS2 inbound scenario to post the AS2 message securely (with signing and encryption) and use the EDI flow steps to split, validate and convert the ANSI X12 bulk payload to an IDoc document.
Very helpful blog.
I downloaded the root certificate from the keystore and imported it into the Mendelson client. When I execute Test Connection from the Send tab of the AS2 Partner I get the following:
And when I attempt to send a file I get:
This is the SSLHandshakeException 'unable to find valid certification path to requested target' error that you mention would happen if you neglect to import the certificate into the Mendelson client.
I'm pretty sure I have followed your steps to the letter. Any insight you might be able to provide would be greatly appreciated.
Request you to create an incident on LOD-HCI* as I would like to know a few more details about the setup.
I created an incident. Vishnu was able to take a look at my setup and ultimately determined that I needed to add another certificate. The missing certificate (VeriSign Universal Root) was identified by executing a connectivity test on the endpoint URL. After adding the VeriSign certificate to the Mendelson tool, I was able to successfully transmit the file to the integration flow.
Would it make sense to update your blog to include checking for and adding additional certificate(s) to the Mendelson tool if certificate errors are encountered when only the Baltimore certificate is being used?
I am facing the exact same issue but even with adding the Baltimore and VeriSign Universal Root certificates I am getting the same error. Any insights on how to proceed?
I have the same problem. Have you found a solution?
And we can exchange EDI messages over SFTP protocol as well, it's not just restricted to AS2.
Thanks for the wonderful blog. I am facing the below error while pushing the data to SAP CPI from mendelson AS2. Have you encountered this error before?
Does AS2 have any protocol version restriction?
In case you do not need SSL, you can also change https to http. That fixed it for me.
Did you just change the URL from https to http? When I try this, I get error code, HTTP 301.
I can't get https working at all, from Mendelson or even from our SAP PI system.
Yeah, I just changed the URL.
But 301 "Moved Permanently" could mean that in your case you still need to use HTTPS.
I have the same problem with the Mendelson tool. I tried everything, uploading all certificates, but still get an SSL Handshake exception. Has anything changed in CPI (I am using the trial account) so that this doesn’t work (anymore)?
MessageHTTPUploader.performUpload: [SSLHandshakeException]: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
[12:42:10] [mendelson_opensource_AS2-1594809725490-4@mycompanyAS2_ABCCompanyID] This is a mainly a negotiation problem on the protocol level. Your partner rejected your connection.
[12:42:10] [mendelson_opensource_AS2-1594809725490-4@mycompanyAS2_ABCCompanyID] Either your partner expected a secure connection (HTTPS) and you tried a raw connection (HTTP) or vice versa.
[12:42:10] [mendelson_opensource_AS2-1594809725490-4@mycompanyAS2_ABCCompanyID] It is also possible that your partner expects an other SSL/TLS protocol version or cipher than you offer.
Hopefully you know an answer, because I am stuck now.
I have found the solution myself. I needed to upload ALL the SAP certificates from the keystore into Mendelson. Not only the root.
Even after uploading all the certificates from the keystore, I still get this error:
MessageHTTPUploader.performUpload: [SSLException]: Connection reset[SocketException/Connection reset]
Is there anything else needed for connectivity? Something like whitelisting the Mendelson tool IP?
Do you plan to work on parts 3 and 4 of your four-part blog series?
One general query regarding the execution.
The above method is without encryption and signing, right? Then why are we mentioning a partner certificate name for the partner (as Key1, Key2)? Shouldn't this be None?
Could you also show the settings of Security and MDN in the CPI Sender channel please for getting more clarity?
I hope a private key is not required for MDN, and that the Decrypt and Verify signature options are disabled in Security.
I am getting the same error from mendelson. Any help will be highly appreciated.
Either your partner expected a secure connection (HTTPS) and you tried a raw connection (HTTP) or vice versa.
[8:55:12 PM] [mendelson_opensource_AS2-1638327189276-11 It is also possible that your partner expects an other SSL/TLS protocol version or cipher than you offer.