Cloud Integration – Usage of the Elster Adapter
This blog describes the Elster ERiC libraries used in the new Elster adapter provided in SAP Cloud Integration. The adapter is planned for the March-24-2019 update. The blog describes the end-to-end configuration and the monitoring options, gives links to further information sources, and lists the current restrictions.
ERiC@SAP: What is ERiC?
In the areas of HR (employment tax notification (LStA), employment tax statement (LStB), electronic employment tax deduction features (ELStAM)) and FI (advanced return for tax on sales/purchases (UStA)), electronic reporting data is transferred to the clearing house of the fiscal authority block for communication with the tax authorities.
Technical background: For the transfer, the data is summarized in an XML file, signed, and encrypted. The data is then transferred to the clearing house of the fiscal authority block.
The XML file is generated in the HR or FI system. From this system, the data is then transferred to the middleware used (Business Connector, PO/PI, or Cloud Integration). The signature, encryption, and transfer of the data from the employer’s network to the clearing house is done using the middleware.
Previous Solution – Open Interface
The standards used for the signature and encryption were published by the tax authority, as is the case for social insurance, and it was made possible for the software manufacturer to implement and deliver all components for the transfer using its own program components in its software solution. The solution is referred to as an “open interface” in the ELSTER environment.
This model allows for a clear distinction between the software solutions involved and the parties responsible.
New Solution – ERiC
To support manufacturers when creating software products for communication with the tax authorities, the tax authorities have also been providing software components since the introduction of electronic communication. The software manufacturers can integrate these components into their products to minimize the implementation effort.
Initially, Java-based program components were provided by the tax authority; now only fully compiled program components (C libraries) are provided. These are known as ERiC (Elster Rich Client) libraries.
To make technical or subject-specific changes to the ERiC libraries, the tax authority updates the ERiC libraries twice a year (usually in May and November). The ERiC release in May delivers only technical changes but the subject-specific changes are provided with the main release in November. Therefore, you can find the bases necessary for the advance return for tax on sales/purchases (UStA) and the employment tax notification (LStA) for the subsequent year in the November release. This means that it is mandatory to include this ERiC main release in the manufacturer’s software. It must be delivered as soon as possible so that the ERiC libraries required for the new year can be used at the start of the year.
The new Elster Adapter provided in Cloud Integration uses those libraries to support the communication with the German tax authority. The ERiC libraries are updated automatically in Cloud Integration; there is no need for any manual action by the user of the integration scenario.
What changes does ERiC result in for the employer in the HR/FI system?
For the changeover to ERiC, some changes have to be made to the programs for transferring the tax notifications and to the HR/FI system.
The changeover from the previous solution to ERiC is done using Customizing in the HR/FI system. A prerequisite for this is that the ERiC-based solution has been imported or set up on the middleware used (Business Connector, PO/PI, Cloud Integration).
How does the ELSTER ERiC solution for Cloud Integration work?
The Cloud Integration solution for the Elster integration is based on two components. The first is a newly created Elster adapter. It provides the latest ERiC libraries on the Cloud Integration tenant and offers an interface for using the functions contained in the libraries. The second component is the HR or FI-specific content that contains the integration flows for the communication.
- The HR or FI application system sends tax data to the Cloud Integration tenant. The transfer is done using an HTTPS connection that was maintained using transaction SM59 in the application system.
- The HR or FI integration flow on the Cloud Integration tenant receives the tax data from the application system, sets the parameters required for calling the ERiC libraries (tax type, certificates, etc.), and passes on the data for transfer to the Elster adapter.
- The Elster adapter validates the XML data. This data is then signed, encrypted, and sent to the tax authority. The response provided by the tax authority is then received by the HR or FI integration flow, decrypted, and returned to the calling HR or FI application system.
In the Elster integration scenario in the Cloud Integration system, the following aspects are security relevant:
- For the communication between the HR-/FI-system and the SAP Cloud Integration system, HTTPS is used. HTTPS is also used by ERiC for sending the data to the authority system.
- The message payload is received by and processed in the cloud integration system as configured in the integration flow. The message payload data is only processed in memory in the cloud integration system. The message payloads are not stored in the cloud system, neither in the database nor in the system log files.
- During processing of the message, a message processing log is written and stored in the cloud integration system database for monitoring purposes. The message processing log only contains administrative data, like timestamps and the message ID, and the status of the message processing, but no message payload data. The message processing log is stored for 30 days and then automatically deleted. The access to the message processing log data is restricted to users with the Tenant Administrator or the Integration Developer role assigned in this integration tenant.
- In case of an error during message processing, the error message is stored in the SAP Cloud Integration system in the message processing log and in the system log file. The system log file is stored for 7 days and automatically deleted afterwards. The access to the system log is restricted to the Tenant Administrator and the Integration Developer of the respective integration tenant.
- If the log level for the integration artifact is set to TRACE (see blog Enabling Trace for Message Processing) for error analysis, the payload is also stored in the system's database. The access to this payload data is restricted to users with the Business Expert role assigned in this integration tenant. The trace data is stored for 1 hour only and automatically deleted afterwards.
If you want to know more about security aspects of SAP Cloud Integration and how customer specific data is secured, check out the help chapter Security. Various aspects of privacy and data storage security are discussed there.
Overview for Setting up the ELSTER ERiC Scenario in Cloud Integration
Initial Configuration of the Cloud Integration Tenant
Set up and configure the Cloud Integration tenant as described in the Get Started documentation for SAP Cloud Integration.
Configure Integration Flow
- Select the required Integration Package ‘SAP HR ELSTER ERIC for Germany’ or ‘SAP Finance Applications Integration with ELSTER’ in the content store.
- Deploy the required integration flow as described in the configuration guide contained in the integration package.
- Retrieve the inbound end point of the integration flow from the Monitoring -> Monitor Integration Content -> End Points.
Set up the HTTPS connection
To set up a secure HTTPS connection between the application system (HR/FI) and the Cloud Integration tenant, add the load balancer root certificate to the HR/FI trust store. Find further details in the blog How to setup secure http inbound connection with client certificates.
Set up Authentication (two options)
For the setup of the authentication two options exist, Basic Authentication or Client Certificate-based Authentication. The more secure option is to use Client Certificates.
Create a user in Cloud Integration and assign the ESBMessaging.send role. More information can be found in the documentation chapter Defining Permissions for senders to Process Messages on the Runtime Node.
Client certificate-based authentication
Neo Environment: Set up client certificate in HR/FI system and upload it in certificate-to-user mapping in Cloud Integration as described in the blog How to setup secure http inbound connection with client certificates.
Cloud Foundry Environment: Set up client certificate in HR/FI system and upload it in the service key as described in the blog CF -How to setup secure http inbound connection with client certificates.
Setup SM59 Destination
- Create an SM59 Destination in the HR/FI application system.
- Enter the end point retrieved for the integration flow from the Cloud Integration monitoring (see above).
- Maintain logon details for the HTTPS connection (basic authentication or client certificate-based).
Upload Elster Certificates
Upload the ELSTER certificates (PFX file) to the key store monitor of the Cloud Integration tenant.
Execute HR/FI Customizing
You can find detailed instructions for setting up the scenario in the Implementation Guide in the content provided.
Operation of the Elster Scenario
Update of ERiC Libraries
The Elster adapter is automatically updated with the latest libraries in Cloud Integration. No manual steps are necessary.
Message Processing Log (MPL)
The processing of data in the cloud integration tenant can be monitored in the Message Processing Monitor. Each message processing generates an MPL (Message Processing Log), which can be found in the monitoring under Monitor Message Processing.
In the case of an error, the message has the status Failed and you can find further error information in the status area of the message on the right-hand side. All ERiC related error messages are issued here, for example if the message validation or the encryption was not successful.
In the case of an error, further information can be found in the default trace of the Cloud Integration tenant. The default trace can be found in the monitoring of the cloud integration tenant in the area Access Logs -> System Log Files. The logs are in the most up-to-date files with the name ljs_trace_<ID>_<Timestamp>.log.
- Note that the information above only applies to tax types UStA, LStA, LStB, and ELStAM, and not to the use of ERiC in connection with the E-Bilanz.
- The ELSTER ERiC Cloud Integration scenario only supports the HR tax types employment tax notification (LStA), employment tax statement (LStB), and electronic employment tax deduction features (ELStAM), and the FI tax type advance return for tax on sales/purchases (UStA). The HR tax types are covered by the Integration Content SAP HR ELSTER ERIC for Germany. The Integration Content for FI is under development; it is expected to be available mid of July 2019 under the name ‘SAP Finance Applications Integration with ELSTER’.
Hi Mandy Krimmel
Thanks for the great blog and the advance information related to the Elster adapter. 🙂
Hello, thanks a lot for this bunch of information!
I got one question regarding the license model of Cloud Platform Integration for ERiC.
My customer actually can use an SCI tenant for integration of SAP S4 with their C4C tenants because the SCI license was part of the C4C subscription.
Would it be possible to also use their SCI tenant for ERiC integration or do they need to pay for the full SCI license?
Thanks in advance for a response!
Usual answer: Reach out to your sales rep
My gut feeling (being a customer with a CPI license tied to a C4C integration = Application License Model): Your customer will not be able to use that CPI tenant for ERiC integration. They are pretty clear in wording: On one side of the integration has to be the product (application) you paid the 7,5% CPI Application License for. S/4 --> ERiC would not fit into this.
I just got the confirmation that it should be possible to reuse the existing tenant because the application license can be used as long as one endpoint of the connection is a SAP system. And this is the case for the Elster integration as well.
Comment: this is not correct, see below! The C4C tenant cannot be re-used.
Would love to hear that licensing is that flexible 🙂 However, I still have a doubt in the particular situation. OP said, the "CPI for SAP cloud applications" came with C4C. So I would assume "cloud application" in that case would be regarded as "C4C". The service description says:
If OP would have S/4 Cloud and S/4 being the "cloud application" I'll be in complete agreement.
Anyways, you certainly have the direct link within SAP. I'll more than happily stay corrected (did I mention I was that pain-in-the-neck-nit-gritty-kinda-person 😉 ?)
I now got the answer from the colleague responsible for the licensing and unfortunately you are correct. The C4C application licensed tenant cannot be re-used for the Elster integration. You need to purchase for example the PI edition to setup the Elster integration.
Thanks Mandy. On the plus side of this is that licensing details seem (for SAP *SCNR*) to be quite straightforward for the CPI application license.
do you have already any news?
News about what in particular? All questions in this mail thread are answered.
Thanks Mandy Krimmel for the valuable information. Just being a curious / nit-picking kind of person, I'd like to ask some questions about that paragraph "Update of ERiC Libraries"
Thanks again and kind regards
let me answer your questions:
this is great news. I would think a great deal of thought / planning went into figure 3 (sync / versioning of libraries and integration content). Seemed you cracked that nut.
Many thanks again for providing additional insights.
The blog states the ELSTER ERiC Cloud Integration scenario also supports advance return for tax on sales/purchases (UStA), which is sent out of FI. The only Integration Package delivered for CPI is called “SAP HR Integration with ELSTER ERiC for Germany” (https://api.sap.com/package/SAPHRELSTERERICforGermany?section=Overview) and says it supports LStA, LStB, and ELStAM. The documentation attached to the Integration Package also does not mention the FI part.
Are there any plans to deliver content also for FI (UStA), will it be delivered by a separate Integration Package and is there any info about a release date for this?
Quote from the blog above:
Thanks and kind regards
The FI Content is currently under development, the blog will be updated as soon as it is available.
Is there already a tendency when the solution is ready?
The application colleagues are working on this, but there is no official timeline available yet. I will update the blog as soon as I get some news.
The content for FI is planned for delivery mid of July 2019.
The name for the package is ‘SAP Finance Applications Integration with ELSTER’. It is now available in the content store for consumption.
Do I need a special license for this? I have looked it up in the pricing app, but I am not able to find an entry for this.
As written in one of the comments above you need a Cloud Platform Integration license to provision a Cloud Integration tenant. Search for SAP Cloud Platform Integration.
For the content there is no license.
(slightly OT): since BC 4.8 presumably will not be supported beyond the end of 2020, SAP Cloud Platform Integration seems to be a (the) valid alternative.
Has SAP already stated, what their "official" (on-premise) solution should be, after BC 4.8 will be out of support / not continued?
I can not give you an official statement for all scenarios with BC or PI, but in general it would always be the best alternative to implement a scenario in SAP Cloud Platform integration if at least one endpoint of the scenario is in the cloud.
In future more and more endpoints will be in the cloud, so using SAP Cloud Platform integration is a good choice for the future.
Thank you, Mandy Krimmel, for your very instructive blog post.
In which mode is the ELSTER service billed on CPI? Is the number of API calls crucial, or is it only the end-to-end connection that matters for the pricing?
the billing for CPI is done based on connections, this is not different for the Elster scenario.
More details can be found here: https://cloudplatform.sap.com/capabilities/product-info.SAP-Cloud-Platform-Integration.cceaaf2b-8ceb-4773-9044-6d8dad7a12eb.html#capabilitiesPricing
More than one sales/purchases tax groups
we have more than one sales/purchases tax groups.
First we have to copy the published package “SAP Finance Applications Integration with ELSTER”.
In total we have 3 different sales/purchases tax groups.
Is it possible to use one copied package “SAP Finance Applications Integration with ELSTER” for all 3 different sales/purchases tax groups or we have to copy it 3 times?
you can use one package for all tax groups. You just need to upload different certificates for the data exchange with the authority and maintain them in your FI Customizing for each sales/purchases tax group (see package documentation chapter 3. and 4.2.2).
Thanks Igor. I was hoping that, but somehow I got it in my mind that we have to copy it more than once in that case.
We'll try it out!
This blog describes how to set up the connection between the ERP backend and the Elster scenario in CPI.
Setup SM59 Destination
In the configuration guide "SAP Finance Applications Integration with ELSTER Finance Tax Integration for Germany (UStVA) SAP Cloud Platform Integration Configuration"
is stated for SM59 connection under
4.1 Set up HTTPS Connection to CPI System
a) Target Host: < IFLMAP URL for the CPI tenant> Note: Make sure that you don't enter https:// in the field Target Host Example: 1234567890-iflmap.hcisbp.eu3.hana.ondemand.com
As we understood so far the cloud connector is the central component (single point of entry) between SCP - Cloud - onpremise and bidirectional.
Now it seems for Elster we have to maintain a direct connection to the CPI tenant. If it's like that, we have to consider some extra points with the networks like ports, firewalls etc.
What is the best practice to connect the Elster scenario (API) in CPI and the on premise ERP system?
Cloud Connector is used to connect from CPI towards an On-Premise System.
The connection from an On-Premise system to CPI is usually done via an outbound proxy in the on-premise landscape directly to the CPI tenant. The proxy is usually defined in the sm59 connection.
Obviously there are some experts (also from SAP) who recommend using the SAP web dispatcher to connect an On-Premise System towards CPI. They’re saying it’s Best Practice and almost every company is following this approach.
I never came across this in endless documentations, web sessions and courses. Now I’m confused.
The Elster scenario is the first we try to implement.
The final goal is to transfer all of our interfaces from our On-Premise PI System to the CPI.
We use the PI for internal and external interfaces, multiple internal and external systems (SAP and non SAP).
Can you kindly give some brief updates?
What is the SAP web dispatcher used for when connecting an On-Premise System towards CPI?
What are the pros and cons, or better, the use cases for this approach?
In what case is it advised to use the SAP web dispatcher in this context? Why does it make sense to do this?
Is it really best practice and where can I read and learn more about this and the concept?
Many thanks in advance for your patience and effort
In your first comment you were referring to the Cloud Connector, not to the web dispatcher; these are different things.
The Cloud Connector is usually used to connect SAP Cloud systems to On-prem systems: https://help.sap.com/viewer/b865ed651e414196b39f8922db2122c7/Cloud/en-US/d751d065774e45e1b6bdbfdfd541da13.html
The Cloud Connector can be used against ABAP/Java and external on-premise systems and is not restricted to HTTP access.
The Web Dispatcher can be used for HTTP access as kind of load balancer in front of SAP on-prem systems: https://help.sap.com/viewer/683d6a1797a34730a6e005d1e8de6f22/7.52.6/en-US/4899ac3a7f020e27e10000000a421937.html
The web dispatcher is recommended if you want to balance the load between multiple application servers for web access. It cannot process non-HTTP requests.
For the connection from on-premise systems to the cloud usually the proxy server of the respective customer intranet is used.
I hope this makes things clearer?
Maybe our problems are coming from the circumstance that our CPI is running in the CF environment and your and most other guides are posted for CPI in the NEO environment?
So, is it possible to use the Elster scenario on CPI in CF environment or only on CPI on NEO environment?
Because if we try to configure the Client certificate-based authentication we end up at the point that it's obviously not supported. Here, only Authorization=User Role is an option in the flow.
Can we also choose the Client certificate-based authentication for Elster in the CPI, running in CF environment?
please see this blog for configuring client cert based authentication in CF: https://blogs.sap.com/2019/08/14/cloud-integration-on-cf-how-to-setup-secure-http-inbound-connection-with-client-certificates/
The Elster Finance setup guide is currently being extended to also cover CF.
I read this already, but as you can see in my screenshot the iflow of the Elster scenario only supports Authorization type 'User Role'. It is fixed (grey) and we're not eligible to change it.
So that means for this scenario we're only able to use basic authentication even though the certificate-based authentication is recommended?
But user role means you can use it with client certificate authentication as explained in the blog. So, I don't get your concern?
User Role means this flow can be used with Basic Auth and also with Client Certificates.
This is also described in the blog.
For me it's not so clear why it is necessary/advised/helpful to use a web dispatcher in the Elster scenario. Obviously for us the web dispatcher is mandatory.
So I'll wait until my colleagues finish the setup of the web dispatcher.
I guess my comment is obsolete now, but for the sake of others I just add that for Elster integrations there are only calls from OnPremise towards CPI, hence you don't need Cloud Connector or WebDispatcher. The communication flow is: OnPrem SAP system -> OnPrem Proxy server (usually) -> CPI
However there could be other integrations which are making calls from CPI towards OnPremise, and here you need to have Cloud Connector. In case of HTTP calls you can add WebDispatcher to distribute the load. The flow would then be: CPI -> Cloud Connector -> WebDisp -> OnPrem SAP system. At least that is what we are using at the moment, but NOT for ELSTER integration since calls for ELSTER are done from OnPrem towards CPI and not the other way around.
You mention "Note that the information above only applies to tax types UStA, LStA, LStB, and ELStAM, and not to the use of ERiC in connection with the E-Bilanz."
Can a solution for the transmission of the eBilanz be expected? After all, it is "only" about validating the XBRL file and sending it via ERiC, which is already possible via CPI for the tax types described. Why is the eBilanz left out?
Many thanks in advance for any information on this,
There is a separate solution for E-Bilanz; it is not implemented via Cloud Integration. You can find information about the E-Bilanz solution in Note 1755173.
Thanks for the answer. I know the add-on, but I wonder why an integrated solution via CPI is not possible for the eBilanz? The XBRL file is created via SAP Query, but then cannot be sent from within SAP. Why does this have to happen via the Excel add-on?
I would be very grateful for information on this!
The responsible colleagues are evaluating a connection via Cloud Integration, but unfortunately this is not (yet) possible at the moment.
As soon as something is available, it will be mentioned in the note on E-Bilanz.
Very useful information for setting up Elster via CPI.
The only concern I have about the whole pre-delivered solution is that the actual Elster endpoint to which data are sent is kind of a mystery for me, because it's not part of a manual setup and you can't see what the Elster endpoint actually is. Neither in the iFlow nor in the logs (even having Trace level).
I believe Elster endpoint is just an adapter property and developer/consultant has no control over this setting. But on the other hand, since these are sensitive data being sent, the company should know where the message is actually sent to (to what exact Elster endpoint).
Or am I missing something?
There is no endpoint you can configure because the data is always sent to the German tax authority directly.
Is there any way to do some further testing besides the mentioned report in the guide?
If we will push some data from development HCM I'm afraid that this data will be pushed to the production Elster Systems?!
Good question! I'm very interested in the answer too.
Here is the answer from the application colleagues:
in addition to the report rputx7d0 it is also possible to test the complete process for LStA and LStB in systems that are not marked as productive clients in table T000.
This is done by using tag <Testmerker> in the XML. The tag is filled from the reports for LStA and LStB automatically. If this tag contains a value, the authority treats this data as test data. You can check the XML before sending it to the authority in transaction pb2a.
this was exactly what I was looking for!
Thank you very much !
I forgot to comment at the time, but I think I've seen this kind of advice before. Is the testmerker tag automatically populated if the sending SAP system is marked as a non-Production client in configuration?
The testmerker flag is automatically populated in the HR-System. We use table T000. In clients not classified with P (CCCATEGORY) the testmerker flag is set automatically.
Very good blog. Thank you! Helped me out a lot already.
I am facing some problems with the implementation of the UStVa (SAP Finance Applications Integration with ELSTER)
Not exactly sure, where the problem is coming from.
We are sending the UStVa with Report RFUMSV00 and Transaction FOTV to CPI. Message in CPI is generated and forwarded to Elster. But it doesn't work on the Elster adapter with following Error:
ERiC-Exception: Es traten Fehler beim Validieren des XML auf. Details stehen im Logfile (eric.log). (Fehlercode: ERIC_IO_READER_SCHEMA_VALIDIERUNGSFEHLER)
Do we have access to the eric.log file in CPI? Do you know where it is stored?
The only log you mentioned above ljs_trace_<ID>_<Timestamp>.log. shows error:
this detail is a bit misleading. As the error comes from the eric library we cannot change it. In Cloud Integration we provide all errors that are usually stored in the eric.log in the ljs_trace.
This means all details are already in the ljs_trace. This is the error:
XML-Datei wurde mit 1 Fehler(n) validiert.
EC(1000): Fehler: EDS-XML in Zeile 1 in Spalte 648: 'value '4903' does not match any member types of the union'|
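Added example (not part of the original thread and not SAP or ERiC code): because the XML is sent as a single line, "Zeile 1 in Spalte 648" is hard to read by eye, so this helper parses the ljs_trace validation line in the format quoted above and reports which element holds the rejected value. The sample XML and its element names are constructed; the exact character the reported column points at is an assumption, so the lookup searches for the quoted value on either side of it.

```python
import re

# Shape of the validation line quoted in the thread above (taken from ljs_trace).
ERIC_LINE = re.compile(
    r"EC\((?P<code>\d+)\): Fehler: EDS-XML in Zeile (?P<line>\d+) "
    r"in Spalte (?P<col>\d+): '(?P<detail>.*)'\|?\s*$"
)
QUOTED_VALUE = re.compile(r"value '(?P<value>[^']*)'")
TAG = re.compile(r"<(/?)([A-Za-z_][\w:.\-]*)[^<>]*?(/?)>")


def parse_eric_error(log_line):
    """Split one ERiC schema-validation line into code, line, column and detail."""
    m = ERIC_LINE.search(log_line)
    if m is None:
        return None
    quoted = QUOTED_VALUE.search(m["detail"])
    return {
        "code": int(m["code"]),
        "line": int(m["line"]),
        "col": int(m["col"]),
        "detail": m["detail"],
        "value": quoted["value"] if quoted else None,
    }


def enclosing_path(xml_prefix):
    """Return the path of elements still open at the end of xml_prefix."""
    stack = []
    for closing, name, self_closing in TAG.findall(xml_prefix):
        if self_closing:
            continue
        if closing:
            if stack and stack[-1] == name:
                stack.pop()
        else:
            stack.append(name)
    return "/".join(stack)


def locate(xml_text, err, radius=30):
    """Map a parsed error onto the XML: element path, offset and nearby text."""
    lines = xml_text.splitlines()
    if not 1 <= err["line"] <= len(lines):
        raise ValueError("reported line is outside the document")
    text = lines[err["line"] - 1]
    idx = min(max(err["col"] - 1, 0), len(text))
    pos = idx
    if err["value"] is not None:
        # Match the value as complete element text, first before the column, then after.
        needle = ">" + err["value"] + "<"
        hit = text.rfind(needle, 0, idx + 1)
        if hit == -1:
            hit = text.find(needle, max(idx - 1, 0))
        if hit != -1:
            pos = hit + 1
    return {
        "path": enclosing_path(text[:pos]),
        "offset": pos,
        "context": text[max(0, pos - radius):pos + radius],
    }


# Constructed single-line sample; element names are illustrative only.
SAMPLE_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    "<Elster><DatenTeil><Nutzdaten>"
    "<Andere>14903</Andere>"
    "<Beispielfeld>4903</Beispielfeld>"
    "</Nutzdaten></DatenTeil></Elster>"
)
# Constructed log line in the thread's format; the column points just past the value.
SAMPLE_LINE = (
    "EC(1000): Fehler: EDS-XML in Zeile 1 in Spalte "
    f"{SAMPLE_XML.index('>4903<') + 6}: "
    "'value '4903' does not match any member types of the union'|"
)

if __name__ == "__main__":
    error = parse_eric_error(SAMPLE_LINE)
    print(error)
    print(locate(SAMPLE_XML, error))
```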
Hi Mandy, thank you very much! Figured out the errors and could solve the issue. I have another problem though with the customization of Report RFUMSV00 or with FOTV. Not sure yet.
I described it in another question. Do you mind taking a quick look, and maybe you know the answer already...
Thanks in advance and wish you a great weekend!
Hi Mandy, all,
Thank you very much for such GREAT blog/post
I am still learning. I was able to follow 90% of your post but I still have several doubts on how to set it.
My open questions:
Any support / guidance will be very much appreciated.
Thank you very much in advance!
I will try to answer your questions:
Certificates: You must upload the certificate from Elster in CI Integration Keystore.
(Chapter 3. In the implementation guide for SAP HR). No need to add the Elster certificate in STRUST in HR- or FI-system.
T50BK constants: You need only the ones described in chapter 4.2. Customizing V_T50BK. The other constants are old ones and are no longer used.
Besides the implementation guide and the generic CI description, you can open a ticket if necessary. Use component PY-DE-BA (HR) or FI-GL-GL-F (FIN).
Thank you very much for your quick and nice reply! 🙂
Maybe I explained myself wrong, about the certificates to be uploaded I was speaking about the Configurations in Sender System (see below screenshot) 🙂
Is this necessary in an ECP environment? If yes, where they need to be uploaded? in STRUST (and where in STRUST)?
(For the ELSTER certificate, I already stored in the Integration Keystore as described in the instructions)
On the same hand, another question that came to my mind: is the PKCS#7 encryption needed in an ECP environment for the outgoing file?
Thank you very much and please excuse me if they are "fool" questions!
Have a nice day ahead!!!
Configurations in Sender System