This blog post describes how to connect from CPI to your on-premise mail server by using the SAP Cloud Connector. First we will create a virtual mapping in the SAP Cloud Connector. Then we will use the virtual mapping in the adapter configuration in CPI . And lastly we will establish the trust by uploading the server certificate in the truststore. This blog post will show the configuration process by using the IMAP(S)protocol. Similarly this configuration works for POP3(S) and SMTP(S).
The following overview shows the main parts of the communication:
- Cloud Application (CPI) – connects to the on-premise mail server
- The SAP Cloud Connector – enables the cloud application to access the mail server
- The on-premise mail server
Connecting to the mail server
CPI provides three different ways to commuicate with the mail server. In this blog we will use StartTLS and IMAPS. In a previous blog post we described how to connect to the mail server without encryption in the mail adapter configuration, which is unproblematic because the SAP Cloud Connector communication is encrypted by default. However, it might be necessary to use startTLS or IMAPS due to the supported options of the mail server (i.e. the mail server supports IMAPS only) or to ensure an encrypted communication in the on-premise network (from SAP Cloud Connector to the mail server).
Protection Off: The communication is not encrypted.
StartTLS: The initial communication is not encrypted but the communication will be upgraded to an encrypted communication. If you choose StartTLS mandatory, CPI will ensure that the connection is upgraded. If optional is selected, the communication will be continued even if no TLS connection is possible.
IMAPS: The communication is encrypted from the beginning. Usually the communication via IMAPS has a dedicated port.
Configure the Cloud Connector
To connect from CPI to the on-premise mail server, we need to create a virtual mapping in the SAP Cloud Connector. In the following we will create a mapping that allows us to connect via startTLS and IMAPS.
Create a virtual mapping for startTLS
For a StartTLS connection we will create a mapping with TCP protocol to our on-premise mail server. For the virutal host we will use the same hostname as the actual host to avoid mismatches of the host and the hostname in the certificate during the handshake.
Create a virtual mapping for IMAPS
For our IMAPS connection we create another virtual mapping. This time we will create a mapping with TCP SSL and the SSL port 993.
Now we will configure the CPI mail sender adapter to connect to the on-premise mail server. To do so we will use the on-premise proxy and the virtual hosts defined in the SAP Cloud Connector.
In the CPI mail sender adapter we will use the following configuration. For the address we are use the virtual host and port that we defined during the mapping-creation in the SAP Cloud Connector.
For IMAPS we choose the following configuration. In this configuration we will use no protection (Off) instead of IMAPS.
To establish a secure communication between client and server, the client requires the server certificate in its truststore.
Setup trust for StartTLS
For the StartTLS configuration, the handshake is done between CPI and the mail server. To set up the trust in CPI, you need to ensure that the trustchain can be validated. This requires to import the root and all intermediate certificates in the keystore. How to import the certificates in the CPI keystore is described in this blog post.
Setup trust for IMAPS
For the IMAPS configuration, the handshake will be done between the Cloud Connector and the mail server. To set up the trust in cloud connector the root- and all intermediate certificates need to be imported in the Cloud Connector truststore. The truststore is available in the Configuration – On Premise.
Testing the connection
To test our connection we can deploy the integration flow or use the CPI connection test. Here we will use the connection test: After providing the connection details to the connection test, the mail server should be reached successfully.
Note: The support for the on-premise proxy type in the connection tests will be available with the release 3.20 and is expected to be available by the end of January 2020.
“Connection not allowed by ruleset”
This error indicates that the virtual host that you use, is not configured in the cloud connector. In this case you should check that the mapping is configured in the cloud connector and that you are using the right Location ID.
This error indicates, that you are using the proper virutal mapping, but the mapped on-premise host is not reachable. In this case you should check if the cloud connector is able to reach the system by checking the availability of your on-premise system. For that you can use the Check availability on the mapping entry ()
“Connection dropped by server?”
This error indicates, that the on-premise (mail)server closed the connection. To get a better understanding of the problem, you should check the ljs trace of the cloud connector. You can find it in the Log and Trace Files section in the SAP Cloud Connector.
In this blog post you learned how to configure CPI and the SAP Cloud Connector to use your on-premise mail server in CPI. Depending on your mail server configuration, you might have to use one configuration over the other. If your mail server supports both configurations, it’s up to you which you choose.