Hi all,
This is my second one on this community and I fell happy in doing so.
This blog gives you an idea and technical overview on connectivity of your cloud solutions from SAP that are integrated with existing customer SAP on premise (OP) products, such as SAP ERP on BASIS perspective. We shall refer these solutions that run partially in a cloud (ByD) and in a customer's datacenter (SAP ERP) as hybrid applications or SAP Cloud solution in this blog.
The cloud solutions from SAP include,
SAP Business ByDesign, SAP Cloud for Customer, SAP Cloud for Travel and Expense, SAP Cloud for Financials, SAP Cloud for Sales, SAP Cloud for Service, SAP Cloud for Social Engagement, SAP Cloud Applications Studio, SAP Cloud for Marketing.
The below configuration can also be used to connect
Technical Connectivity types/ Integration scenarios:
So they are typically described in detail in specific individual product documentation.
But the Third technical connectivity which deals with network technology for network and on Premise location integration, is mostly standard-based and implemented according to common best practices even though it has many ways to do it. With this in mind, in this blog we will be seeing the generic technical connectivity for all Cloud to customer on premise datacenter spanning integration scenarios. We assume that customers have already established network operations for their company, meaning they have a company network infrastructure and Internet access capacity.
On-Premise-Cloud application integration scenarios require communication over the Internet that is both secure, trusted and authenticated to prevent unauthorized access to business critical SAP on premise back-end systems of our customers. A "trust relationship" needs to be built up between the OP and Cloud site and the data transport has to be encrypted.
There are 2 actions that is going to happen in this cloud – On premise integration is,
So in order to implement a Best practice integration from Cloud to on premise we need to have,
So the Security (Data Security) Part can further be divided into security during Data Access, Data Transfer and Data Storage.
Data Storage security is taken care by implementing DR solutions and by taking backups.
But the Data access and Data Transfer security in our scenario is taken care by proper implementation of Network infrastructure and method to integrate the cloud – OP connectivity.
Speaking of methods to integrate the cloud and On-Premise SAP system, based on security we can divide into 3 types,
Here the Communication between On-Premise and the cloud application are established directly.
Means our Backend is published directly in the internet through a public IP and Hostname So that SAP Cloud can access the On-premise server.
And also the internet should be enabled in the SAP On-premise server so that the On-premise server can access the SAP Cloud.
Here the reverse proxy is either not used or acts only as network traffic router or maybe as a simple firewall. Network connections are not terminated at the reverse proxy but only at the SAP back-end application. Decryption and authentication of the SAP Cloud application happen only in the SAP back-end. Other than between SAP Cloud and SAP back-end, no further component trust relationships are needed. However, a network port is opened to the Internet and any attack would need to be defended against by the SAP back-end itself.
This is not recommended as we are directly exposing our Backend to internet and also there is a need to enable internet in our Backend server which is also a vulnerability.
Here we will be having SAP Web Dispatcher as our reverse proxy. And our SAP Back-end application will be established as a secured web dispatcher URL (HTTPS) so that SAP Cloud can access the On-premise server.
For On premise to access the SAP Cloud, the web dispatcher acts as reverse proxy such that the requirements are fulfilled and configurations are done so that SAP cloud is accessible inside the organizations network through the web dispatcher URL (HTTP).
Common Secure Socket Layer (SSL) traffic encryption is used and SSL connection session states are terminated in the reverse proxy. Traffic is then forwarded to the SAP back-end by means of unencrypted http traffic. This configuration allows the reverse proxy to become a defense point against outside attacks.
There are many reverse proxy products added a range of sophisticated security defense features. Those features can be applied in this case.
For our scenario we are taking SAP Web Dispatcher as our reverse proxy here.
This is similar to the above (Terminate SSL) except for that fact that the communication between reverse proxy and backend is also encrypted.
Now we shall see the steps to integrate the SAP Cloud with On –premise (SAP Backend) using SAP web Dispatcher as our reverse proxy. Using this steps we can configure type 2 terminate SSL or Type 3 Re-Encrypt.
Pre-Requisite to do this:
Steps to configure:
Import the response by clicking import CA response and paste the response you received from IT.
Now you have successfully imported the SSL certificate- your HTTPS connection should now be secured.
Open the Web Dispatcher profile directory in E:\usr\sap\(SID)\SYS\profile
Open the profile file and add the below entries
#-----------------------------------------------------------------------
# SAP Web Dispatcher Ports
#-----------------------------------------------------------------------
icm/server_port_0 = PROT=HTTP, HOST=WEBDISPHOSTNAME, PORT=8000
icm/server_port_1 = PROT=HTTPS, HOST=WEBDISPHOSTNAME, PORT=44300
The above entry will allow us to access the web dispatcher though port 8000 for HTTP and 44300 for HTTPS
And now maintain the re-direction parameter for ECC Backend,
#-----------------------------------------------------------------------
# Backend System Configuration
#-----------------------------------------------------------------------
wdisp/system_1 = SID=SID, NR=(ECC instance NO) , MSHOST=ECCHOSTNAME, MSPORT=(ECCMSPORT), SSL_ENCRIPT=0, SRCSRV=*:44300
So now whenever you access the web dispatcher URL https://hostname.domain.com:44300/sapservice you will be re-directed to ECC backend services.
So you will be using the SAP Cloud URL directly in the Internet from your devices.
And you will be using the Web Dispatcher URL for SAP cloud inside your organization network (In The On-premise ECC server) considering no internet in the On-Premise server. We have to do the below configuration.
And for configuration to this to happen,
Create a profile file inside the Web Dispatcher profile directory (use notepad)– this will be the re-directing file and this is where the web dispatcher will act as reverse proxy.
Give a name for this profile as Create a profile file named PROFILE_SID_BYD.pfl
Make sure that the file is not in .txt format and it is in .pfl file.
Add the below entry,
#######################################
If %{SID} = BYD
SetHeader Host <SAP Cloud URL URL>
Save this file.
Now Open the Web Dispatcher Profile file and add the below entries,
#-----------------------------------------------------------------------
# Backend System Configuration
#-----------------------------------------------------------------------
icm/HTTP/mod_0 = PREFIX=/, FILE=$(DIR_PROFILE)\PROFILE_SID_BYD
wdisp/system_0 = SID=BYD, EXTSRV=https://sap_cloud_url.com, SSL_ENCRYPT=2, SRCSRV=*:8000
So after these you will be able to access the SAP Cloud Web page using Web dispatcher URL (http://webdisp_local_host.domain.com:8000) inside your On-Premise server.
So basically in my profile I have given the below routing
Any HTTP request through port 8000 (icm/server_port_0) will go to (wdisp/system _0)So here the web dispatcher will refer to parameter (icm/HTTP/mod_0) it will refer the profile file (PROFILE_YDV_BYD.pfl ) that we created first - where the routing between the SID=BYD and ByD URL is made.
If the web dispatcher system sees SID=BYD it will point to BYD URL (my.sapbydesign.com).
Any HTTPs request through port 44300 (icm/server_port_1) will got to (wdisp/system_1) ECC On-Premise server.
So now you have 3 certificates. (Baltimore, Verizon and *.sapbydesign).
And then in \sec directory, Take a copy of SAPSSLS.pse to SAPSSLS_copy.pse
Then delete the SAPSSLC.pse file.
And rename SAPSSLS_copy.pse to SAPSSLC.pse
Basically you are replacing the SAPSSLC.pse with SAPSSLS.pse
Select the option SAPSSLC.pse from manage PSE Drop down.
In the trusted certificates tab click “import certificate”
Now import the certificates Baltimore, Verizon and *.sapbydesign one by one in the mentioned order.
After import,
Baltimore:
Verizon:
*.sapbydesign.com:
So the above step by step configuration gives the complete configuration on network level technical integration between On-Premise and a SAP Cloud solution. This configuration part can also be used in an already existing Web Dispatcher landscape by taking only the SAP Cloud re-direction and integration part from this.
Note: If any of the details maintained here are of any similarity is purely coincidental.
Thanks for time in reading my blog,
Please gave a look at my previous blog on Configuration and setup HANA XS Apps with HANA DB SSO using below link,
https://blogs.sap.com/2018/11/12/configuration-and-setup-hana-xs-apps-with-hana-db-sso-basis-activit...
This is my second one on this community and I fell happy in doing so.
This blog gives you an idea and technical overview on connectivity of your cloud solutions from SAP that are integrated with existing customer SAP on premise (OP) products, such as SAP ERP on BASIS perspective. We shall refer these solutions that run partially in a cloud (ByD) and in a customer's datacenter (SAP ERP) as hybrid applications or SAP Cloud solution in this blog.
The cloud solutions from SAP include,
SAP Business ByDesign, SAP Cloud for Customer, SAP Cloud for Travel and Expense, SAP Cloud for Financials, SAP Cloud for Sales, SAP Cloud for Service, SAP Cloud for Social Engagement, SAP Cloud Applications Studio, SAP Cloud for Marketing.
The below configuration can also be used to connect
- the HCI – HANA Cloud Integrator (Which is used as Cloud to Cloud and Cloud to On-premise Connector/Integrator) to connect to On Premise SAP Server (SAP ERP).
- Directly connect the SAP Cloud Solution (ByD in this case) to On-Premise Server (SAP ERP).
Technical Connectivity types/ Integration scenarios:
- Business scenario integrations are very specific for individual use cases.
- Application connectivity is very specific to individual application and middleware components such as application level metadata and protocol transformations.
So they are typically described in detail in specific individual product documentation.
But the Third technical connectivity which deals with network technology for network and on Premise location integration, is mostly standard-based and implemented according to common best practices even though it has many ways to do it. With this in mind, in this blog we will be seeing the generic technical connectivity for all Cloud to customer on premise datacenter spanning integration scenarios. We assume that customers have already established network operations for their company, meaning they have a company network infrastructure and Internet access capacity.
On-Premise-Cloud application integration scenarios require communication over the Internet that is both secure, trusted and authenticated to prevent unauthorized access to business critical SAP on premise back-end systems of our customers. A "trust relationship" needs to be built up between the OP and Cloud site and the data transport has to be encrypted.
There are 2 actions that is going to happen in this cloud – On premise integration is,
- An SAP Cloud-based application is sending a request to the On-Premise customer site
- An On-Premise application is sending a request to the SAP Cloud
So in order to implement a Best practice integration from Cloud to on premise we need to have,
- A reliable network for availability of application.
- Security to protect the data sent over the network.
- And performance for good end user experience.
So the Security (Data Security) Part can further be divided into security during Data Access, Data Transfer and Data Storage.
Data Storage security is taken care by implementing DR solutions and by taking backups.
But the Data access and Data Transfer security in our scenario is taken care by proper implementation of Network infrastructure and method to integrate the cloud – OP connectivity.
Speaking of methods to integrate the cloud and On-Premise SAP system, based on security we can divide into 3 types,
- Route Through,
Here the Communication between On-Premise and the cloud application are established directly.
Means our Backend is published directly in the internet through a public IP and Hostname So that SAP Cloud can access the On-premise server.
And also the internet should be enabled in the SAP On-premise server so that the On-premise server can access the SAP Cloud.
Here the reverse proxy is either not used or acts only as network traffic router or maybe as a simple firewall. Network connections are not terminated at the reverse proxy but only at the SAP back-end application. Decryption and authentication of the SAP Cloud application happen only in the SAP back-end. Other than between SAP Cloud and SAP back-end, no further component trust relationships are needed. However, a network port is opened to the Internet and any attack would need to be defended against by the SAP back-end itself.
This is not recommended as we are directly exposing our Backend to internet and also there is a need to enable internet in our Backend server which is also a vulnerability.
- Terminate SSL:
Here we will be having SAP Web Dispatcher as our reverse proxy. And our SAP Back-end application will be established as a secured web dispatcher URL (HTTPS) so that SAP Cloud can access the On-premise server.
For On premise to access the SAP Cloud, the web dispatcher acts as reverse proxy such that the requirements are fulfilled and configurations are done so that SAP cloud is accessible inside the organizations network through the web dispatcher URL (HTTP).
Common Secure Socket Layer (SSL) traffic encryption is used and SSL connection session states are terminated in the reverse proxy. Traffic is then forwarded to the SAP back-end by means of unencrypted http traffic. This configuration allows the reverse proxy to become a defense point against outside attacks.
There are many reverse proxy products added a range of sophisticated security defense features. Those features can be applied in this case.
For our scenario we are taking SAP Web Dispatcher as our reverse proxy here.
- Re-Encrypt:
This is similar to the above (Terminate SSL) except for that fact that the communication between reverse proxy and backend is also encrypted.
Now we shall see the steps to integrate the SAP Cloud with On –premise (SAP Backend) using SAP web Dispatcher as our reverse proxy. Using this steps we can configure type 2 terminate SSL or Type 3 Re-Encrypt.
Pre-Requisite to do this:
- Web Dispatcher availability.
- Basic knowledge of web dispatcher – installation and configuration.
- SSL Certificate for Web Dispatcher from a CA.
- Network level support from port opening and accessing.
Steps to configure:
- Install of web dispatcher in DMZ Zone.
- Network side configuration such as,
- Assigning public IP and desired Host name (This hostname.domain.com will be the one you will be accessing for ECC as well as SAP Cloud application).
- Considering all ports are blocked at network level. Opening of http Message Server port of ECC from web dispatcher to ECC system. You can get this port no from TCODE –SMMS.
- Click Goto- Parameter – Display. There look for the below parameter: ms/server_port_0. Here 8100 is the message server port.
- Also in this scenario, we can re-direct to different system in our landscape through ports from which webdispatcher is accessed. For eg: ECC backend – 44300- when we enter hostname.domain.com:44300 it will rediredt to ECC. SAP Cloud solution – 8000- we we enter http://webdisp_local_host.domain.com:8000 it should go to SAP Cloud Web Page. So open the ports 44300 and 8000 to be accessable.
- Also make sure that the SAP Cloud web page is accessble in Browser in Web Dispatcher Server. For this allow internet access to SAP Cloud URL for port 443. Above all is required for smooth configuration.
- Import of SSL Certificate from a CA. This can be done by many ways: importing wild card, Certificate request and response etc.
- Go to web Dispatcher Admin URL, login with webadm. Now go to “PSE Management” in SSL and Trust configuration.
- First create PSE in the SAPSSLS.pse – SAP server standard. Type CN=hostname.domain.com – public URL through which you want to access the On-Prem server. Then click create
- Then click the Create CA request,
- Copy the request and provide the certificate request to IT team in notepad file.
- From your IT team after they have obtained the certificate response from the CA they will provide you with certificate response file.
Import the response by clicking import CA response and paste the response you received from IT.
Now you have successfully imported the SSL certificate- your HTTPS connection should now be secured.
- Web Dispatcher Configuration for System Re-direction - considering two systems to re-direct (SAP ECC backend and SAP Cloud).
- Maintaining of ICM ports.
Open the Web Dispatcher profile directory in E:\usr\sap\(SID)\SYS\profile
Open the profile file and add the below entries
#-----------------------------------------------------------------------
# SAP Web Dispatcher Ports
#-----------------------------------------------------------------------
icm/server_port_0 = PROT=HTTP, HOST=WEBDISPHOSTNAME, PORT=8000
icm/server_port_1 = PROT=HTTPS, HOST=WEBDISPHOSTNAME, PORT=44300
The above entry will allow us to access the web dispatcher though port 8000 for HTTP and 44300 for HTTPS
And now maintain the re-direction parameter for ECC Backend,
#-----------------------------------------------------------------------
# Backend System Configuration
#-----------------------------------------------------------------------
wdisp/system_1 = SID=SID, NR=(ECC instance NO) , MSHOST=ECCHOSTNAME, MSPORT=(ECCMSPORT), SSL_ENCRIPT=0, SRCSRV=*:44300
So now whenever you access the web dispatcher URL https://hostname.domain.com:44300/sapservice you will be re-directed to ECC backend services.
- And now we shall see the Web Dispatcher configuration to re-direct to SAP Cloud URL in our organization internal network where there will be no internet.
So you will be using the SAP Cloud URL directly in the Internet from your devices.
And you will be using the Web Dispatcher URL for SAP cloud inside your organization network (In The On-premise ECC server) considering no internet in the On-Premise server. We have to do the below configuration.
And for configuration to this to happen,
Create a profile file inside the Web Dispatcher profile directory (use notepad)– this will be the re-directing file and this is where the web dispatcher will act as reverse proxy.
Give a name for this profile as Create a profile file named PROFILE_SID_BYD.pfl
Make sure that the file is not in .txt format and it is in .pfl file.
Add the below entry,
#######################################
If %{SID} = BYD
SetHeader Host <SAP Cloud URL URL>
Save this file.
Now Open the Web Dispatcher Profile file and add the below entries,
#-----------------------------------------------------------------------
# Backend System Configuration
#-----------------------------------------------------------------------
icm/HTTP/mod_0 = PREFIX=/, FILE=$(DIR_PROFILE)\PROFILE_SID_BYD
wdisp/system_0 = SID=BYD, EXTSRV=https://sap_cloud_url.com, SSL_ENCRYPT=2, SRCSRV=*:8000
So after these you will be able to access the SAP Cloud Web page using Web dispatcher URL (http://webdisp_local_host.domain.com:8000) inside your On-Premise server.
So basically in my profile I have given the below routing
Any HTTP request through port 8000 (icm/server_port_0) will go to (wdisp/system _0)So here the web dispatcher will refer to parameter (icm/HTTP/mod_0) it will refer the profile file (PROFILE_YDV_BYD.pfl ) that we created first - where the routing between the SID=BYD and ByD URL is made.
If the web dispatcher system sees SID=BYD it will point to BYD URL (my.sapbydesign.com).
Any HTTPs request through port 44300 (icm/server_port_1) will got to (wdisp/system_1) ECC On-Premise server.
- Now creating the Trust relationship between the SAP Web Dispatcher and SAP Cloud (here referring as ByD) by exchanging the certificates between them.
- Provide the CA response that you obtained from CA/IT team in the step 3 to ByD (SAP Cloud solutions) team, so they shall import that certificate in ByD (SAP Cloud) system.
- Now go to ByD URL,
- Click secure in the URL and click certificate in that pop up,
- Then download these certificates (Baltimore, Verizon and *.sapbydesign) in base 64 format.
So now you have 3 certificates. (Baltimore, Verizon and *.sapbydesign).
- Then backup the sec directory in web dispatcher. E:\usr\sap\SID\W00\sec
And then in \sec directory, Take a copy of SAPSSLS.pse to SAPSSLS_copy.pse
Then delete the SAPSSLC.pse file.
And rename SAPSSLS_copy.pse to SAPSSLC.pse
Basically you are replacing the SAPSSLC.pse with SAPSSLS.pse
- Now go to Web Dispatcher Admin URL, login with webadm. Now go to “PSE Management” in SSL and Trust configuration.
Select the option SAPSSLC.pse from manage PSE Drop down.
In the trusted certificates tab click “import certificate”
Now import the certificates Baltimore, Verizon and *.sapbydesign one by one in the mentioned order.
After import,
Baltimore:
Verizon:
*.sapbydesign.com:
- Now all the configuration part is over now to use the below URLs to establish communication between On-Premise (ECC) and SAP Cloud.
- Give the URL https://hostname.domain.com:44300/sapservice to SAP Cloud (ByD) team so they will maintain this URL in SAP Cloud so data can be sent from SAP Cloud to On-premise. This URL can also be used to access the ECC On-Premise over internet.
- And maintain this URL parameter http://webdisp_local_host.domain.com:8000/sapcloudservices in On-Premise system (RFC and other configuration with SAP Cloud credentials) where ever it is required so that On-Premise system can send data to SAP Cloud.
So the above step by step configuration gives the complete configuration on network level technical integration between On-Premise and a SAP Cloud solution. This configuration part can also be used in an already existing Web Dispatcher landscape by taking only the SAP Cloud re-direction and integration part from this.
Note: If any of the details maintained here are of any similarity is purely coincidental.
Thanks for time in reading my blog,
Please gave a look at my previous blog on Configuration and setup HANA XS Apps with HANA DB SSO using below link,
https://blogs.sap.com/2018/11/12/configuration-and-setup-hana-xs-apps-with-hana-db-sso-basis-activit...
- SAP Managed Tags:
2 Comments
