Appala Naidu Uppada

B2B Capabilities in SAP Cloud Integration – Part 1

Introduction:

SAP Cloud Integration has released B2B capabilities (available only with Enterprise-licensed tenants) that let B2B customers securely transfer EDI documents over the AS2 protocol and provide a way to split, validate and convert EDI documents to XML.

In this four-part blog series:

  • Part 1 focuses on setting up an AS2 simulation tool to simulate B2B partners and transfer an EDI message to a simple integration flow developed on the SAP Cloud Integration tenant.
  • Part 2 focuses on enhancing the inbound scenario configured above to transfer the EDI payload securely (using signing and encryption).
  • Part 3 focuses on enhancing that scenario to split, validate and generate a functional acknowledgement for the incoming bulk message, and finally to convert the split message to XML.
  • Part 4 focuses on creating an outbound scenario that converts an IDoc message to an EDI message.

Prerequisites:

  • You have obtained an SAP Cloud Integration tenant with SAP Cloud Integration, enterprise edition / SAP Integration Suite, standard edition / SAP Integration Suite, premium edition.
  • A Message Broker is provisioned on the tenant. Refer to the blog to provision a Message Broker.
  • You are familiar with the AS2 protocol. For more details, refer to the RFC.

    AS2 (Applicability Statement 2) is a specification about how to transport data securely and reliably over the Internet. Security is achieved by using digital certificates and encryption.

Follow the steps below to set up the Mendelson AS2 tool to simulate the AS2 partners and exchange a simple AS2 message between the Mendelson tool and the SAP Cloud Integration tenant.

1. AS2 Mendelson Tool Installation:

To simulate the AS2 partners, I use the Mendelson AS2 software. You are free to use other tools.

1. Download and install Mendelson from http://as2.mendelson-e-c.com/

2. After installation, you should see the AS2 and AS2Stop shortcuts created as shown below.

3. Click on AS2 to start the Mendelson AS2 server.

4. Enter http://localhost:8080/as2/HttpReceiver in your browser and you should see the below message.

 

2. Configuring Mendelson for simulating AS2 Partners:

In this step, we make the configuration required to post an AS2 message from the Mendelson tool to the SAP Cloud Integration tenant. This involves simulating a Sender Partner (mycompany) and a Receiver Partner (ABCCompany) in the Mendelson tool.

 

2.1 Configuring AS2 Local Station

There should be at least one AS2 partner configured as a local station that acts as an initiator to post the AS2 messages to other AS2 partners.

1. Run AS2.exe as Administrator.

2. In the File menu, choose Partner and perform the steps mentioned below.

3. Select Local station (the one with the Home icon) and configure the properties. You may retain the default values.

4. Choose the MDN tab and enter the MDN URL as http://<IPAddress>:8080/as2/HttpReceiver

5. Click “Ok” to save the configuration.

2.2   Configuring AS2 Partner

In this step, I simulate an AS2 partner called ABCCompany in the Mendelson tool. To test the connection between the Mendelson tool and the SAP Cloud Integration tenant, the initial configuration does not include any security features (i.e. no signature, no encryption).

1. Choose mendelsontest and click on Clone to simulate a new AS2 partner (mendelsontest0).

2. Edit the newly created partner. Here I have changed the partner name to ABCCompany. Configure the basic properties like Name and AS2 Id.

3. Configure Security settings as shown below.

4. Configure Send settings as shown below.

Receipt URL: <Runtime URL of the SAP Cloud Integration tenant>/as2/as2

Payload subject: SimpleAS2

Payload content type: Application/EDI-X12

NOTE: The Runtime URL can be obtained by connecting to the operations URL in Eclipse or from the welcome mail sent by SAP.

 

5. Configure MDN settings as shown below.

6. Configure HTTP Authentication to post the AS2 messages to the Cloud Integration tenant. The tenant does not accept any inbound messages that arrive without authentication.

In the Username field, enter the user that has been assigned the ESBMessaging.send role on the tenant's iflmap application, and provide that user's password.

7. Configure proxy settings (optional).

If you get a connection timeout error after all the above settings are done, you may need to configure the proxy.

Navigate to File->Preferences and set the proxy value as shown below.

More details about the different AS2 headers can be found in the AS2 RFC: https://www.ietf.org/rfc/rfc4130.txt
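
The Send, MDN and HTTP Authentication settings from section 2.2 end up as HTTP headers on the POST to the Receipt URL. The Python below is an added example (not Mendelson or SAP code) that builds those RFC 4130 headers for an unsigned, unencrypted message and refuses to attach Basic credentials to a non-HTTPS URL; the function names, host name, AS2 IDs, MDN address and credentials are assumed sample values.

```python
import base64
import uuid
from urllib.parse import urlsplit


def _clean(name, value, limit=998):
    # Control characters (CR/LF) in a value would allow header injection.
    if not value or len(value) > limit or any(not 32 <= ord(c) <= 126 for c in value):
        raise ValueError(f"invalid {name} value")
    return value


def build_as2_request(url, as2_from, as2_to, subject, content_type, payload,
                      username, password, mdn_to, async_mdn_url=None):
    """Headers and body for an unsigned, unencrypted AS2 POST (RFC 4130)."""
    # Basic credentials are base64-encoded, not encrypted: require TLS.
    if urlsplit(url).scheme != "https":
        raise ValueError("Basic credentials require an https:// Receipt URL")
    token = base64.b64encode(f"{username}:{password}".encode()).decode("ascii")
    headers = {
        "AS2-Version": "1.0",
        "MIME-Version": "1.0",
        "AS2-From": _clean("AS2-From", as2_from, 128),  # RFC 4130: max 128 chars
        "AS2-To": _clean("AS2-To", as2_to, 128),
        "Message-ID": f"<{uuid.uuid4()}@as2-sender.example>",
        "Subject": _clean("Subject", subject),
        "Content-Type": _clean("Content-Type", content_type),
        "Content-Length": str(len(payload)),
        # The presence of this header asks the receiver to return an MDN.
        "Disposition-Notification-To": _clean("Disposition-Notification-To", mdn_to),
        "Authorization": "Basic " + token,
    }
    if async_mdn_url:
        # With this header the MDN comes back on a separate connection.
        headers["Receipt-Delivery-Option"] = _clean("Receipt-Delivery-Option", async_mdn_url)
    return headers, payload


# Constructed sample values; host, IDs, address and credentials are placeholders.
SAMPLE = dict(
    url="https://tenant-runtime.example/as2/as2",
    as2_from="mycompanyAS2", as2_to="ABCCompanyID",
    subject="SimpleAS2", content_type="Application/EDI-X12",
    payload=b"ST*850*0001~SE*2*0001~",  # constructed fragment, not a full interchange
    username="as2user", password="example-password", mdn_to="as2@mycompany.example",
)

if __name__ == "__main__":
    for key, val in build_as2_request(**SAMPLE)[0].items():
        print(f"{key}: {'Basic <redacted>' if key == 'Authorization' else val}")
```

Without signing or encryption, TLS on the Receipt URL is the only protection for both the EDI payload and the Basic credentials in this request.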

2.3   Import SSL certificate from SAP Cloud Integration Tenant to Mendelson tool

This step is required to securely post the AS2 message from the Mendelson tool to the SAP Cloud Integration tenant.

NOTE: The user needs to have the AuthGroup.Administrator, AuthGroup.BusinessExpert and AuthGroup.IntegrationDeveloper roles assigned on the tmn application.

For more details on task-related roles, refer to the SAP Cloud Integration documentation: https://help.sap.com/viewer/368c481cd6954bdfa5d0435479fd4eaf/Cloud/en-US/289ef3f8cfad442ea86fe0d5ddad8c42.html

 

Perform the steps below to import the root certificate:

1. Log on to the Tenant Web UI URL.

2. Navigate to Monitor -> Key store.

3. Download the root certificate as shown below.

4. Import the root certificate into the Mendelson tool:

a) In the Mendelson tool, navigate to File->Certificates -> SSL/TLS

b) Click on Import Certificate

c) Browse to the downloaded certificate and click on Import

d) Check “Show root certificates” to view the root certificate

NOTE: If the above step is not performed, you would get the SSLHandshake error as shown below.

 

3. Create a Simple AS2 Inbound Integration Flow

3.1 Configure and deploy a simple AS2 Integration flow

1. Create a simple integration flow with an AS2 Sender and an SFTP Receiver to receive bulk orders pushed from the Mendelson tool and post them to the SFTP receiver.

2. Configure the AS2 Sender adapter as shown below.

Keep the other properties related to Security, MDN and Retry at their default values.

3. Save and deploy the integration flow.

4. Check the status of the integration flow by navigating to Monitor->Manage Integration Content.

NOTE: Sometimes the integration flow may fail after deployment with the error “No runtime nodes have started for this tenant”. Refer to KBA article 2520573 for the cause and resolution of the issue.

5. A message queue named after the integration flow is created under Monitoring->Manage Stores->Message Queues.

 

4. Testing a simple AS2 message post from Mendelson to SAP Cloud Integration Tenant

1. In the account cockpit page, assign the Send role to the user on the iflmap application as shown below. This is the same user that we configured in the Mendelson tool for HTTP Authentication.

2. In the Mendelson tool, choose File->Send File to partner.

3. Choose ABCCompany from the Receiver dropdown, select an ANSI X12 message as the file name and click OK.

4. You should see a success message in the Mendelson tool as shown below.

5. Double-click on the message to see the message that was sent and the MDN received back.

6. On the tenant, navigate to Monitor Message Processing to see a Completed message with an MPL attachment (MDN attachment).

 

Take away:

We have learnt how to install and configure the Mendelson tool to post an AS2 message to the SAP Cloud Integration tenant. We have also created a simple integration flow with an AS2 Sender to receive messages from the Mendelson tool.

In the next part of this blog series, I will extend this simple AS2 inbound scenario to post the AS2 message securely (with signing and encryption) and use the EDI flow steps to split, validate and convert the ANSI X12 bulk payload to an IDoc document.

 

Next:

Part 2

      16 Comments
      Russell Hergott

      Very helpful blog.

      I downloaded the root certificate from the keystore and imported it into the Mendelson client.  When I execute Test Connection from the Send tab of the AS2 Partner I get the following:

       

      And when I attempt to send a file I get:

      This is the SSLHandshakeException 'unable to find valid certification path to requested target' error that you mention would happen if you neglect to import the certificate into the Mendelson client.

      I'm pretty sure I have followed your steps to the letter.  Any insight you might be able to provide would be greatly appreciated.

      Thank you!

      Russell

       

      Appala Naidu Uppada
      Blog Post Author

      Hi Russell,

      Request you to create an incident on LOD-HCI* as I would like to know a few more details about the setup.

      Thanks,

      Appala

      Russell Hergott

      Hi Appala,

      I created an incident.  Vishnu was able to take a look at my setup and ultimately determined that I needed to add another certificate.  The missing certificate (VeriSign Universal Root) was identified by executing a connectivity test on the endpoint URL.  After adding the VeriSign  certificate to the Mendelson tool, I was able to successfully transmit the file to the integration flow.

      Would it make sense to update your blog to include checking for and adding additional certificate(s) to the Mendelson tool if certificate errors are encountered when only the Baltimore certificate is being used?

      Thank you,

      Russell

      Manan Gupta

      Hi,

       

      I am facing the exact same issue but even with adding the Baltimore and VeriSign Universal Root certificates I am getting the same error. Any insights on how to proceed?

       

      Thanks,

      Manan

      Ömer Kirdas

      Hi,

       

      I have the same problem. Have you found a solution?

       

      Thank you,

      Ömer

      Sandeep Kumar Dikshit

      Hi Appala,

       

      And we can exchange EDI messages over SFTP protocol as well, it's not just restricted to AS2.

       

      Regards,
      Sandeep

      Rahul Yadav

      Hi Appala,

       

      Thanks for the wonderful blog. I am facing the below error while pushing the data to SAP CPI from Mendelson AS2. Have you encountered this error before?

      Does AS2 have any protocol version restriction?

      Regards,

      Rahul

      Simon Becht

      Hi Rahul,

      in case you do not need SSL, you can also change https to http. That fixed it for me.

      Kind regards,
      Simon

      Stephen Bentley

      Hi

      Did you just change the URL from https to http? When I try this, I get  error code, HTTP 301.

      I can't get https working at all, from Mendelson or even from our SAP PI system.

      Simon Becht

      Hi Stephen,

      yeah, I just changed the URL.
      But 301 "Moved Permanently" could mean that in your case you still need to use HTTPS.

      Peter Jonker

      Hi Appala,

       

      I have the same problem with the Mendelson tool. I tried everything.  Uploading all certificates but still a SSL Handshake exception. Has anything changed in CPI ( I am using the trial account) that this doesn’t work (anymore) ?

       

      MessageHTTPUploader.performUpload: [SSLHandshakeException]: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

       

      [12:42:10] [mendelson_opensource_AS2-1594809725490-4@mycompanyAS2_ABCCompanyID] This is a mainly a negotiation problem on the protocol level. Your partner rejected your connection.
      [12:42:10] [mendelson_opensource_AS2-1594809725490-4@mycompanyAS2_ABCCompanyID] Either your partner expected a secure connection (HTTPS) and you tried a raw connection (HTTP) or vice versa.
      [12:42:10] [mendelson_opensource_AS2-1594809725490-4@mycompanyAS2_ABCCompanyID] It is also possible that your partner expects an other SSL/TLS protocol version or cipher than you offer.

       

      Hopefully you know an answer, because I am stuck now.

      Regards,

      Peter Jonker

      Peter Jonker

      I have found the solution myself.  I needed to upload ALL the SAP certificates from the keystore into Mendelson. Not only the root.

       

      Peter

      Shoukat Ali

      Even after uploading all the certificates from the keystore, I still get this error:

      MessageHTTPUploader.performUpload: [SSLException]: Connection reset[SocketException/Connection reset]

       

      Is there anything else needed for connectivity? Something like whitelisting the Mendelson tool IP?

      Yatanveer Singh

      Do you plan to work on parts 3 and 4 of your four-part blog series?

      Dinesh M

      Hi All,

      One general query regarding the execution.

      This above method is without encryption and signing right? Then why are we mentioning Partner certificate name for partner (as Key1, Key2), Shouldn't this be None ?

       

      Could you also show the settings of Security and MDN in the CPI Sender channel please for getting more clarity?

      I hope private key is not required for MDN & Decrypt and Verify signature options are disabled in Security

      Thanks,

      Dinesh

      Deepa Dhamodharan

      I am getting the same error from Mendelson. Any help will be highly appreciated.

      Either your partner expected a secure connection (HTTPS) and you tried a raw connection (HTTP) or vice versa.
      [8:55:12 PM] [mendelson_opensource_AS2-1638327189276-11 It is also possible that your partner expects an other SSL/TLS protocol version or cipher than you offer.