Technical Articles
How To Integrate SAP Marketing With SAP JAM (Part-2)
Prerequisite
This blog is a successor to this blog. I highly suggest you read the first one before you read this part.
Configurations
In first part of this blog series, we finished initial customizing step, imported and exported certain certifications and for the last we set up SAML 2.0 Configuration in SAP Marketing backend.
We’ll carry on where we left off in the second part.
6. Check SSFA
In this activity, we make sure that the system uses the correct encryption algorithm for the certificates.
Go to transaction code SSFA and check the entry where “SSF Application” field is entered as “Collaboration Integration Library:oAuth Appl”.
When you find this entry, double click on the entry to display details and check if the following entries are entered correctly:
| Parameter | Value |
| SSF Application | Collaboration Integration Library:oAuth Appl. |
| Security Product | SAPSECULIB |
| SSF Format | International Standard PKCS#1 (Standard padding) |
| Private Address Book | SAPCLBOAU100.pse |
| SSF Profile Name | SAPCLBOAU100.pse |
| SSF Profile ID (OPT) | |
| Hash Algorithm | SHA1 |
| Encryption Algorithm | AES128-CBC |
| Distribute PSE (Only SAPSECULIB) | X |
Note that if you cannot find such an entry in this customizing table, choose “New Entries” first and maintain above values and save your entries. The system should ask you a customizing request. Assign the customizing request you’re using for SAP Jam integration.
7. Export Certificates Required for SAP Jam Admin Settings
In this activity, we are going to export two certificates we have to import to SAP Jam through SAP Jam Admin console.
Kindly note that if you have any other SAP Marketing backend system you want to integrate SAP Jam with, you need to perform this step for each SAP Marketing backend system.
7.1. Issuing Certificates for SSF CLBOAU
This part describes how to issue the SSF CLBOAU certificate.
Go to transaction STRUST, switch to change mode and find folder named “SSF Collaboration Integration Library: oAuth Appl.”
Right click on the folder. If you can see the option “Create”, click on that and maintain below values in the pop-up dialog.:
| Parameter | Value |
| Name | Use proposed default(make sure no symbol in the name. You even have to delete “:” symbol proposed in the default name otherwise it keeps giving error ) |
| Org. (optional) | Use proposed default |
| Company./Org. | Use proposed default |
| CA | Use proposed default |
| Algorithm | RSA |
| Key Strength | 1024 |
| Signature Algorithm | Use proposed default |
After you maintain the values above hit “Enter” to continue. You have now successfully issued SSF CLBOAU certificate.
In case you don’t see “Create” option when you click on the folder “SSF Collaboration Integration Library: oAuth Appl.”, that means SSF CLBOAU certificate has been already issued. You can skip to 7.2 Exporting SSF Certificate CLBOAU step below in this case.
7.2. Exporting SSF Certificate CLBOAU
While you are in STRUST transaction and in change mode, double click on folder “SSF Collaboration Integration Library: oAuth Appl.””
On the right side, under “Own Certificate” section, double click on Subject line.
Certificate details should now be filled out under “Certificate” section at the bottom. Click on “Export Certificate” icon to start the export process.
Choose Base64 as file format. And pick a folder you want to save the file to. Enter file name as “clboau.txt”. After providing a folder and file name, hit Enter to complete export process.
Now file should be saved to your local folder that you provided with the name “clboau.txt”.
7.3. Exporting SSF SAML2 Service Provider Certificate
At this step, you are going to export SSF SAML2 Service Provider Signature certificate.
This step is fundamentally same as previous step 7.2. Exporting SSF Certificate CLBOAU
There are only two difference compared to previous step:
– This time, you start with double click on “SSF SAML2 Service Provider – Signature” folder instead of “SSF Collaboration Integration Library: oAuth Appl.””
– And while you’re exporting the certificate, this time you provide the file name as “serviceprovider.txt” instead of “”clboau.txt”.
The rest of the activities are exactly same as previous step.
At the end of this section, you have successfully exported two certificates that you will need for SAP Jam Admin settings.
8. Registering Identity Provider
In SAP Jam, each back-end system and each client you want to connect must be published as an identity provider (IdP). This section describes how to register your identity provider in SAP Jam.
Log in to SAP Jam tenant as company admin and proceed as shown in the following screenshots
Kindly note that you have to have admin authorization to continue this step
You have successfully reigstered your IdP in SAP Jam Admin Panel.
9. Setting Up the OAuth Client
You have to register each application that you want to use for each SAP Marketing system and client. In this step, you register your application as an OAuth client in SAP Jam
Log in to SAP Jam tenant as company admin and proceed as shown in the following screenshots
Kindly note that you have to have admin authorization to continue this step
You have successfully added a new OAuth client. Now find your new OAuth client in the list of “OAuth “Clients” tab and click on “View”.
In details, you will find your consumer key you require to complete step 11. Define Application Settings. Store this consumer key to a notepad.
10. Defining Server Settings
In this step, you customize the server settings for SAP Jam in the Marketing system.
Go to transaction CLB2_PLATF. Click on “New Entries”. Under “Server Communication” folder select the line with the following values:
| Field name | Entry Value |
| Service Provider Type | Jam |
| Server | Jam productive |
| Name of Local Service Provider | cubetree.com |
And maintain following values:
| Field name | Entry Value |
| Server URL | Enter your Jam URL |
|
Proxy Host Proxy Port |
This is the proxy information you entered in chapter HTTPS Proxy. The values for the Proxy Host and Proxy Port fields should be determined by ICF, so the integration scenario normally work without entering values. So I suggest leaving these fields empty first. If you have trouble later though, you can fill these fields with proxy host and proxy port information that you obtained from your BASIS administrator |
| SSL Application ID | ANONYM |
Save entries and assign a customizing request that you’re going to use for SAP Jam integration. Double click on “Authentication Method” sub-folder to maintain following values.
| Context | Description | Authentication |
| APPLI | Application context | OAUTH_10_SHA1 |
| APPUSR | Application context with user authentication | OAUTH_10_SHA1_3 |
| NONE | No authentication | NONE |
| USER | User context | SAML_20 |
Save your entries again under same customizing request.
11. Define Application Settings
In this step you will define application-specific settings for your Marketing system.
Go to transaction CLB2_APPLI_PLATF. When the customizing view shows up, there should be an existing entry with following values (if not, maintain it with following values):
| Column | Value |
| Application ID | DEFAULT |
| Service Provider Type | Jam |
| Server | Jam productive |
Select the line with the above values and, double-click on “Server Settings” sub folder on the left folder structure. In the “Server Settings” group box, enter the following values
| Field name | Entry Value |
| Ext. Application ID |
Enter the name of the OAuth client on the SAP Jam side you defined in chapter 9. Setting Up the OAuth Client. In our example, it is JAM_TRT_500 |
| Consumer Key | Enter the consumer key you retrieved from SAP Jam as described in chapter 9. Setting Up the OAuth Client. |
| HTTP Timeout |
Enter a value, if you need to set a timeout – for example, the UI technology has a shorter connection timeout than the REST call. For this field, you can set a value lower than the value for the default UI timeout. And you can leave this empty. |
Save your entries and assign these changes to a customizing request that you are usng for SAP Jam integration.
12. Testing API Calls
To execute a basic test, you can use ABAP report RCLB2_DEMO_GENERIC.
Go to transaction SE38 and enter “RCLB2_DEMO_GENERIC” as program name and execute the report.
Maintain the following values for the selection fields:
| Service Provider Type | Jam |
| Application ID | DEFAULT |
| Request Method | GET HTTP GET |
| Service Endpoint Input Alternative | Manually Entered Endpoint (Radio Button) |
| Endpoint | api/v1/OData |
| Authentication Context | NONE |
After maintaining above values, execute the report.
If you have a successful response, an XML output like below should return.
Now we’re all set and ready to start collaboration on campaigns in SAP Marketing
Summary
With a SAP Jam integration, you can have following options on campaigns:
- Select an existing SAP Jam (external, internal and even sub-group) group and assign it to your campaign
- Remove assignment of SAP Jam group from campaign. During removal, you have even option to delete SAP Jam group completely or just remove assignment to campaign but keep SAP Jam group itself
- You can create a SAP Jam group from scratch for your campaign.
Kindly note that when you create SAP Jam group directly from SAP Marketing, you create external SAP Jam groups. This might not be desired for some cases where only internal SAP Jam groups should be involved for campaigns. In that case, you have to ensure that you create an internal SAP Jam group in SAP Jam first and assign it to the campaign later.
Enjoy your collaboration and exchange of information between your teams, units, departments now!
Great Blog Hakan! Very detailed description 🙂
Thanks Tobias Schneider . Glad you liked it
One of the very detailed and nicest blog on SAP Marketing Community. Thanks Hakan Köse .
Waiting for next one:)
Thanks
Saurabh
Hi Saurabh Kabra ,
Thanks for the kind words. Appreciated 🙂
By the way I remember we talked about user profile pictures on SAP Marketing Cloud in this discussion. I was expecting the same for SAP Marketing On-Premise version as well. However I am still with an empty profile picture 🙂
Do you have any idea why it's not working for on-premise version?
Regards,
Hakan Köse
Hi Hakan Köse ,
Can you please trace your network call since i see that in marketing cloud service with path as "sap/bc/ui2/smi/rest_tunnel/Jam/api/v1/OData/Members('<UserDetail>')/ProfilePhoto/$value is responsible for bringing profile picture.
URL: https://<MarketingHost>/sap/bc/ui2/smi/rest_tunnel/Jam/api/v1/OData/Members('T9GEg1ZPZjivM4dCiY1V06')/ProfilePhoto/$value
Thanks
Saurabh
Hi Saurabh Kabra ,
Thanks for the information. I tried with that call but I had a response like below:
URL -> https://<hostname>:<portnumber>/sap/bc/ui2/smi/rest_tunnel/Jam/api/v1/OData/Members('g4L572CvBmpnnYxQMMKNIA)/ProfilePhoto/$value
Response:
Bad request!
Your browser (or proxy) sent a request that this server could not understand.
If you think this is a server error, please contact the webmaster.
Error 400
localhost
Apache
Hi Hakan,
Sorry but i am not sure why this errors comes though.
I think this link https://help.sap.com/doc/saphelp_tm92/9.2/de-DE/5f/15589b47a64df3a52531fba5c2fedb/frameset.htm may be useful it talks about CLB2_TUNNEL which can be verified, Else may be SAP can look into this issue.
Thanks
Saurabh
Hi Saurabh Kabra ,
I opened up the incident and SAP Support told me about me a transactıon named /UI2/FLP_CUS_CONF. The setting is disabled by default. To make it available, you need to create a new entry in this table below:
Key should be USER_IMAGE and value should be true. After savıng this setting, my SAP JAM profile picture shows up on SAP Marketıng UI
This is new. Thanks for the update, It will definitely help other as well. 🙂