Skip to Content
Product Information

Cloud Integration – Usage of the Elster Adapter

This blog describes the Elster ERiC libraries used in the new Elster adapter provided in SAP Cloud Platform Integration. The adapter is planned for the March-24-2019 update. In the blog the End-to-end configuration and the monitoring options are described, links to further information sources are given. Furthermore the current restrictions are listed.

ERiC@SAP: What is ERiC?

In the areas of HR (employment tax notification (LStA), employment tax statement (LStB), electronic employment tax deduction features (ELStAM)) and FI (advanced return for tax on sales/purchases (UStA)), electronic reporting data is transferred to the clearing house of the fiscal authority block for communication with the tax authorities.

Technical background: For the transfer, the data is summarized in an XML file, signed, and encrypted. The data is then transferred to the clearing house of the fiscal authority block.

The XML file is generated in the HR or FI system. From this system, the data is then transferred to the middleware used (Business Connector, PO/PI, or CPI). The signature, encryption, and transfer of the data from the employer’s network to the clearing house is done using the middleware.

Previous Solution – Open Interface

The standards used for the signature and encryption were published by the tax authority, as is the case for social insurance, and it was made possible for the software manufacturer to implement and deliver all components for the transfer using its own program components in its software solution. The solution is referenced to as an “open interface” in the ELSTER environment.

This model allows for a clear distinction between the software solutions involved and the parties responsible.

New Solution – ERiC

To support manufacturers when creating software products for communication with the tax authorities, the tax authorities have also been providing software components since the introduction of electronic communication. The software manufacturers can integrate these components into their products to minimize the implementation effort.

Initially Java-based program components were provided by the tax authority, now only fully compiled program components (C libraries) are provided. These are known as EriC (Elster Rich Client) libraries.

To make technical or subject-specific changes to the ERiC libraries, the tax authority updates the ERiC libraries twice a year (usually in May and November). The ERiC release in May delivers only technical changes but the subject-specific changes are provided with the main release in November. Therefore, you can find the bases necessary for the advance return for tax on sales/purchases (UStA) and the employment tax notification (LStA) for the subsequent year in the November release. This means that it is mandatory to include this ERiC main release in the manufacturer’s software. It must be delivered as soon as possible so that the ERiC libraries required for the new year can be used at the start of the year.

The new Elster Adapter provided in Cloud Platform Integration uses those libraries to support the communication with the German tax authority. The ERiC libraries are updated automatically in Cloud Integration, there is no need for any manual action be the user of the integration scenario.

What changes does ERiC result in for the employer in the HR/FI system?

For the changeover to ERiC, some changes have to be made to the programs for transferring the tax notifications and to the HR/FI system.

The changeover from the previous solution to ERiC is done using Customizing in the HR/FI system. A prerequisite for this is that the ERiC-based solution has been imported or set up on the middleware used (BC, PO/PI, CPI).

 

How does the ELSTER ERiC solution for Cloud Integration work?

The Cloud Integration solution for the Elster integration is based on two components. First of all, it is based on a newly created Elster adapter. It provides the latest ERiC libraries on the Cloud Integration tenant and offers an interface for using the functions contained in the libraries. The second component is the HR or FI-specific content that contains the integration flows for the communicating.

Communication procedure:

  1. The HR or FI application system sends tax data to the Cloud Platform Integration tenant. The transfer is done using a HTTPS connection that was maintained using transaction SM59 in the application system.
  2. The HR or FI integration flow on the Cloud Platform Integration tenant receives the tax data from the application system, sets the parameters required for calling the ERiC libraries (tax type, certificates, etc.), and passes on the data for transfer to the Elster adapter.
  3. The Elster adapter validates the XML data. This data is then signed, encrypted, and sent to the tax authority. The response provided by the tax authority is then received by the HR or FI integration flow, decrypted, and returned to the calling HR or FI application system.

Security Aspects

In the Elster integration scenario in the Cloud Integration system, the following security relevant aspects are relevant:

  • For the communication between the HR-/FI-system and the SAP Cloud Platform Integration system, HTTPS is used. HTTPS is also used by ERiC for sending the data to the authority system.
  • The message payload is received by and processed in the cloud integration system as configured in the integration flow. The message payload data is only processed in memory in the cloud integration system. The message payloads are not stored in the cloud system, neither in the database nor in the system log files.
  • During processing of the message a message processing log is written and stored in the cloud integration system database for monitoring purpose. The message processing log only contains administrative data, like timestamps and the message ID, and the status of the message processing, but no message payload data. The message processing log is stored for 30 days and then automatically deleted. The access to the message processing log data is restricted to users with the Tenant Administrator or the Integration Developer role assigned in this integration tenant.
  • In case of an error during message processing, the error message is stored in the SAP Cloud Platform Integration system in the message processing log and in the system log file. The system log file is stored for 7 days and automatically deleted afterwards. The access to the system log is restricted to the Tenant Administrator and the Integration Developer of the respective integration tenant.
  • If the log level for the integration artifact is set to TRACE (see blog Enabling Trace for Message Processing) for error analysis, also the payload is stored in the systems database. The access to this payload data is restricted to users with the Business Expert role assigned in this integration tenant. The trace data is stored for 1 hour only and automatically deleted afterwards.

If you want to know more about security aspects of SAP Cloud Platform Integration and how customer specific data is secured, check out the help chapter Security. Various aspects of privacy and data storage security are discussed there.

 

Overview for Setting up the ELSTER ERiC Scenario in Cloud Integration

Initial Configuration of the Cloud Integration Tenant

Setup and configure the Cloud Platform Integration tenant as described in the Get Started documentation for SAP Cloud Platform Integration.

Configure Integration Flow

  • Select the required Integration Package ‘SAP HR ELSTER ERIC for Germany’ in the content store (will be available after release of the Elster adapter planned for the March-24-2019 release).
  • Deploy the required integration flow as described in the configuration guide contained in the integration package.
  • Retrieve the inbound end point of the integration flow from the Monitoring -> Monitor Integration Content -> End Points.

Set up the HTTPS connection

To setup a secure HTTPS connection between the application system (HR/FI) and the Cloud Integration tenant add the load balancer root certificate to the HR/FI trust store. Find further details in the blog How to setup secure http inbound connection with client certificates.

Set up Authentication (two options)

For the setup of the authentication two options exist, Basic Authentication or Client Certificate-based Authentication.  The more secure option is to use Client Certificates.

Basic Authentication

Create an user in Cloud Integration and assign ESBMessaging.send role. More information can be found in the documentation chapter Defining Permissions for senders to Process Messages on the Runtime Node.

Client certificate-based authentication

Set up client certificate in HR/FI system and upload it in certificate-to-user mapping in Cloud Integration as described in the blog How to setup secure http inbound connection with client certificates.

Setup SM59 Destination

  • Create a SM59 Destination in the HR/FI application system.
  • Enter the end point retrieved for the integration flow from the Cloud Integration monitoring (see above)
  • Maintain logon details for the HTTPS connection (basis authentication or client certificate-based)

Upload Elster Certificates

Upload the ELSTER certificates (PFX file) to the key store monitor of the Cloud Platform Integration tenant.

Execute HR/FI Customizing

You can find detailed instructions for setting up the scenario in the Implementation Guide in the content provided.

 

Operation of the Elster Scenario

Update of ERiC Libraries

The Elster adapter is automatically updated with the latest libraries in Cloud Integration. No manual steps are necessary.

Monitoring

Message Processing Log (MPL)

The processing of data in the cloud platform integration tenant can be monitored in the Message Processing Monitor. Each message processing generates an MPL (Message Processing Log), which can be found in the monitoring under Monitor Message Processing.

In the case of an error, the message has the status Failed and you can find further error information in the status area of the message on the right-hand side. All ERiC related error messages are issued here, for example if the message validation or the encryption was not successful.

Default Trace

In the case of an error, further information can be found in the default trace of the Cloud Integration tenant. The default trace can be found in the monitoring of the cloud platform integration tenant in the area Access Logs -> System Log Files. The logs are in the most up-to-date files with the name ljs_trace_<ID>_<Timestamp>.log.

Notes/Restrictions

  • Note that the information above only applies to tax types UStA, LStA, LStB, and ELStAM, and not to the use of ERiC in connection with the E-Bilanz.
  • The ELSTER ERiC Cloud Integration scenario only supports tax types employment tax notification (LStA), employment tax statement (LStB), electronic employment tax deduction features (ELStAM)), and FI (advance return for tax on sales/purchases (UStA)). The HR tax types are covered by the Integration Content SAP HR ELSTER ERIC for Germany. The Integration Content for FI is under development.
19 Comments
You must be Logged on to comment or reply to a post.
  • Hello, thanks a lot for this bunch of information!

    I got one question regarding the license modell of cloud plattform integration for ERiC.

    My customer acutally can use an SCI tennant for integration of SAP S4 with their C4C tennants because the SCI license was part of the C4C subscription.

    Would it be possible to also use their SCI tennant for ERiC integration or do they need to pay for the full SCI license? 

    Thanks in advance for an response!

    Best regards

    Robert

    •  

      Ususal Answer: Reach out for your sales rep

      My Guts felling (being a customer with an CPI Licenses tied to a C4C integration = Application License Model): Your customer will not be able to use that CPI tenant for ERiC integration. They are pretty clear in wording: On one side of the integration has to be the product (application) you paid the 7,5% CPI Application License for. S/4 –> ERiC would not fit into this

       

      Cheers Jens

      •  

        Hi,

        I just got the confirmation that it should be possible to reuse the existing tenant because the application license can be used as long as one endpoint of the connection is a SAP system. And this is the case for the Elster integration as well.

        BR,

        Mandy

        Comment: this is not correct, see below!  The C4C tenant cannot be re-used.

         

        •  

          Would love to hear that licensing is that flexible 🙂 However, I still have a doubt in the particular situation. OP said, the “CPI for SAP cloud applications” came with C4C. So I would assume “cloud application” in that case would be regarded as “C4C”. The service description says:

          SAP Cloud Platform Integration for SAP cloud applications integrates processes and data between associated SAP cloud applications on one end and third party, cloud applications and on-premise solutions on the other end.

          If OP would have S/4 Cloud and S/4 being the “cloud application” I’ll be in complete agreement.

          Anyways, you certainly have the direct link within SAP. I’ll more than happily stay corrected (did I mention I was that pain-in-the-neck-nit-gritty-kinda-person 😉 ?)

          •  

            Hi,

            I now got the answer from the colleague responsible for the licensing and unfortunately you are correct. The C4C application licensed tenant cannot be re-used for the Elster integration. You need to purchase for example the PI edition to setup the Elster integration.

            Best regards,

            Mandy

          • Thanks Mandy. On the plus side of this is that licensing details seem (for SAP *SCNR*) being quite straight forward for CPI application license.

             

            Cheers

            Jens

  •  

    Thanks Mandy Krimmel for the valuable information. Just being a curious / nit-picking kind of person, I’d like to ask some questions about that paragraph “Update of ERiC Libraries”

    1. So I got this right: You will internally host some instance where the ERiC client is running and CPI magically blackboxes this for me as a customer, right?
    2. There is no other service involved other than CPI license, right? So we don’t need such things as a custom domain like in Italy e-Invoicing or other stuff, right?
    3. When there are ERiC updates, how would you carry them out? Let’s say there’s a need to update the ERiC client and also need to update mapping because of new fields or the like: How would you synchronize those for the customer (as the customer will get an update available for the iFlows, but I would not think that while deploying the iFlow, automatically your ERiC client, burried somewhere in the guts of your infrastructure will also be updated – of course would be astonished if it would 🙂
    4. Talking license (see also figure 2) for those, not on enterprise license: How many connections would be needed? 2 or more connections?

     

    Thanks again and kind regards

    Jens

    •  

      Hi,

      let me answer your questions:

      1. correct
      2. no custom domain required, only a standard CPI tenant
      3. the update of the libraries will be done with the ‘normal’ update done every 4 weeks. If new fields or the like are required the application team responsible for the content package will also update the integration flow. The dependency between the ERiC libraries and the application sending a specific payload is handled via library version(s). Meaning in the integration flow there is a check done which version of the libraries is available in the Cloud Integration tenant and then the correct fields are sent by the application backend.
      4. Here I’m not that sure, but I think there are not more than 2 connections required. It is only one integration flow, but I dont know how often the application triggers this flow.

      BR,

      Mandy

      • Hi Mandy,

        this is great news. I would think a great deal of thought / planning went into figure 3 (sync / versioning of libraries and integration content). Seemed you cracked that nut.

        Many thanks again for providing additional insights.

        Cheers

        Jens

  • Hi all,

    the blog states the ELSTER ERiC Clound Integration scenario also supports (advance return for tax on sales/purchases (UStA) which is sent out of FI. The only Integration Package delivered for CPI is called “SAP HR Integration with ELSTER ERiC for Germany”(https://api.sap.com/package/SAPHRELSTERERICforGermany?section=Overview) and says it supports LStA, LStB, and ELStAM. The documentation attached to the Integration Package does also not mention the FI part.

    Are there any plans to deliver content also for FI (UStA), will it be delivered by separate a Integration Package and is there any info about a release date for this?

    Quote from the blog above:

      • Note that the information above only applies to tax types UStA, LStA, LStB, and ELStAM, and not to the use of ERiC in connection with the E-Bilanz.

      • The ELSTER ERiC Cloud Integration scenario only supports tax types employment tax notification (LStA), employment tax statement (LStB), electronic employment tax deduction features (ELStAM)), and FI (advance return for tax on sales/purchases (UStA)). The HR tax types are covered by the Integration Content SAP HR ELSTER ERIC for Germany. The Integration Content for FI is under development.

    Thanks and kind regards

    Dominik

  • Hello,
    (slightly OT): since BC 4.8 assumably will not be supported beyond the end of 2020 SAP Cloud Platform integration seems to be a (the) valid alternative.

    Has SAP already stated, what their “official” (on-premise) solution should be, after BC 4.8 will be out of support / not continued?

    Kind regards,
    Thorsten

    • Hello,

      I can not give you an official statement for all scenarios with BC or PI, but in general it would always be the best alternative to implement a scenario in SAP Cloud Platform integration if at least one endpoint of the scenario is in the cloud.

      In future more and more endpoints will be in the cloud, so using SAP Cloud Platform integration is a good choice for the future.

      Best regards,

      Mandy

  • Hi all,

    Thank you, Mandy Krimmel, for your very instructive blog post.

    In which mode is the ELSTER service billed on CPI? Is the number of API calls crucial, or is it only the end-to-end connection that matters for the pricing?

    Best regards,
    Andreas