Skip to Content
Technical Articles
Author's profile photo Ravish Ramakrishna Shetty

How to Setup Direct connection from your On Prem to SAP Logistics Business Network Freight Collaboration Option

Introduction

 

SAP Logistics Business Network, freight collaboration option improves supply chain efficiency  by connecting business partners on a collaborative network that supports jointly managing transactions, exchanging documents, and sharing insights across the value chain.

To enable document exchange, you have to setup connectivity to your On-Premise system.Your on-premise(S4 or SAP TM standalone) system can be connected to SAP Logistics Business Network based on below options

  1. Connection via middleware: either SAP Process Integration (PI) or SAP Cloud Platform Integration (CPI)
  2. Direct connection (via SOAMANAGER) between SAP Logistics Business Network and your SAP TM or SAP S/4HANA system

This blog will elaborate option 2 by providing step-by-step guidance for you establish direct connection

 

Setting up the connection

 

To begin the setup, you must have administrator rights in SAP TM as well as SAP Logistics Business Network tenant.

Below is a list of steps that must be performed:

1.      Generate the key pairs certificates (Key Pairs) with Identity Authentication service

2.      Import the IAS Certificate into the SAP TM in STRUST

3.      Import SAP Logistics Business Network Certificate into SAP TM using STRUST

4.      Create System Connection in SAP Logistics Business Network Shipper Tenant

5.      Setup Webservices using SOAMANAGER for inbound services to SAP Logistics Business Network from SAP TM

6.      Setup the outbound system connection in SAP Logistics Business Network

 

1. Generate the Key Pairs Certificates from Identity Authentication Service

 

Communication between SAP Logistics Business Network and SAP TM system is based on B2B messages using SOAP protocol.  Messages are authenticated using client certificates. These certificates must be requested.

  • You have already purchased an Identity Authentication service You can purchase such a service tenant here: < https://www.sapstore.com/solutions/40132/SAP-Cloud-Platform-Identity- Authentication>.
  • While subscribing to an SAP Logistics Business Network productive license, you have been provisioned with an Identity Authentication service tenant and details tenant, and a URL is sent to the S-User used for the license
  • If you have subscribed for a test SAP Logistics Business Network license and you have not purchased an Identity Authentication service tenant, you may request a key pair from SAP by raising an incident to the component SCN-LBN-INT. (In this case, you can skip the steps in this )

When using the Identity Authentication service, the certificates are signed by SAP Passport CA.

 

Perform the following steps to request the Key Pairs certificate:

  1. Obtain access to the Identity Authentication
  2. Follow the steps below to generate a *.p12 file from your Identity Authentication service tenant. Perform the following actions to generate a key The following process is only for an SAP Logistics Business Network productive license.
    1. Access the tenant’s administration console for the Identity Authentication service by using the console’
    2. Note the following points:
      1. The URL has the pattern https://<tenant ID>.accounts.ondemand.com/admin.
      2. The tenant ID is automatically generated by the The first administrator who created the tenant receives an activation email with a URL. This URL contains the tenant ID
      3. In case you need to know the IAS tenant Admin or the tenant details(URL) please raise an incident in component : BCIAMIDSLink to create Incident :

        https://launchpad.support.sap.com/#/incident/create

    3. Under Applications and Resources, choose Applications, click the pencil icon for Add Application, and assign the new application the name CertificateGeneration, for example. Within the section “Client ID, Secrets and Certificate”, Click on Add “Certificates for API Authentication”
    4. Enter the Common Name, Password, and Confirmed Password and click on Generate. The browser downloads the certificate to your local

 Key Pair

The result is that you will have a signed certificate – a *.p12 file.

 

2. Import the IAS Certificate into the SAP TM  in STRUST

 

  1. (Optional)Convert the signed certificate -a*.p12 file to a PSE file. Follow the steps outlined in 2148457 – How to convert the keypair of a PKCS#12 / PFX container into a PSE file
    • Note
      • In the newer S/4 releases, *.p12 file can be directly uploaded to STRUST. So no need to convert *.p12 file.

Note:  You can download CRYPTOLIB software using link:  SAP Cryptographic Software

  1. IN SAP TM, go to SM30 using table STRUSTSSL. Create new SSL client for SAP Logistics Business Network

       3. IN SAP TM, go to transaction STRUST. Choose the SSL Client Identifier from above then run the following action:

    •  PSE -> Import

  •  Save as “SSL Client” -> replace existing PSE

3. Import SAP Logistics Business Network Certificate into SAP TM Using STRUST

 

The procedure has no explicit dependency to the onboarding process. However, it is recommended that you have procured the SAP Logistics Business Network license prior to performing any steps identified here.

  1. Access SAP Logistics Business Network Live URL: <https://l20398-iflmap.hcisbp.eu1.hana.ondemand.com/> and select the site information.

You will notice the lock symbol, click it to export the certificate.

 

 

 

2. Add SAP Logistics Business Network Certificates to PSE using STRUST

For each of the certificates

  • Go to transaction STRUST
  • Choose the SSL Client LBN (or what you set up).
  • Import certificate

 

  • Add to certificate list

  • Save
  • Then Restart ICM. Navigate the More-> Environment->ICM Monitor->
  • Once in SMICM, go to More->Administration-> ICM-> Global. Restart ICM.

 

4. Create System Connection in SAP Logistics Business Network Shipper Tenant

 

SAP Logistics Business Network tenant has been established as described in section 4. You have subscribed to the system role.

 

  1. From your P12 file extract the public certificate and upload in the system connection app to SAP Logistics Business Network. Export to a x.509 CER certificate file.

 

 

 

  1. Login to the shipper tenant, then go to System Connection.

 

  1. Click on Add , select the connection type – “SAP TM –  SAP S/4HANA”, maintain Connection ID and System ID
  2. Navigate to Inbound to Network then import the certificate, Save.

 

 

 

5. Setting Up Web Services Using SOAMANAGER for Inbound Services to SAP Logistics Business Network from SAP TM

 

The direct connection to SAP Logistics Business Network can be influenced by setting the default configuration to blank in SXMB_ADMIN. To do so, go to SXMB_ADMIN and set the following settings:

 

Additionally, the previous the settings in STRUST as described in the prior section must be setup.

Launch the transaction SOAMANAGER and maintain the consumer service for these interfaces as follows: Outbound interfaces:

  • TransportationOrderCancellationRequest_Out
  • TransportationOrderQuotationCancellationRequest_Out
  • TransportationOrderQuotationCreateRequest_Out
  • TransportationOrderQuotationNotification_Out
  • TransportationOrderRequest_Out
  • TransportationOrderChargeElementConfirmation_Out
  • TransportationOrderGenericTrackedProcessRequest_Out
  • AppointmentConfirmation_In

 

  1. In SOAMANAGER, choose the option Configure the Web services Configuration

 

2.  For each of the outbound interfaces above, configure the settings as in below:

 

 

3. Then create manual configuration to influence the settings

4. Specify the logical Port (this can be freely defined). Note to click Logical Port is default

 

5. Specify the Consumer Security settings. Note to specify the X.509 SSL Client PSE as defined in STRUST.

 

Note: You specify the SSL Client PSE from the setup in STRUST as outlined in the previous steps, which contains the private key for authentication in SAP Logistics Business Network.

6. On the HTTP settings tab, use the live SAP Logistics Business Network URL (https://l20398-iflmap.hcisbp.eu1.hana.ondemand.com/cxf/lbn/b2b/soap/v1), and specify the transport bindings as shown below.

Usually while connecting to BTP, you require to provide your tenant host URL. However with SAP Logistics Business Network this is little different since we have a SAP Owned Cloud Integration Instance in the middle always.

So you should always configure this endpoint https://l20398-iflmap.hcisbp.eu1.hana.ondemand.com/cxf/lbn/b2b/soap/v1 in your webservice

7. Under SOAP Protocol (or messaging settings), you can choose the following settings:

  1. The rest of the settings are blank.
  2. ALL OTHER SETTINGS MUST BE DEFAULT.
  3. SAVE AND ACTIVATE

6. Setting Up the Outbound System Connection from SAP Logistics Business Network to SAP TM

 

Prior to setting up the inbound system connection in SAP Logistics Business Network, you must have already created a subaccount and certificates have been loaded to the system connection.

6.1 Setting Up the System Connection in SAP Logistics Business Network

Usually with BTP(Cloud Foundry)- SAP S/4HANA integration you assign the S-User the administrator role. However in this case you are not directly connecting to your subaccount , rather to SAP Managed Cloud Integration instance (CPI).  Within this SAP Managed Cloud integration instance your S-User has to be maintained with right role. You will not have access to SAP Managed Cloud Integration instance.  Maintaining S-User is via the System Connections App as described below will add your S user to SAP Managed Cloud Integration instance with the right roles.

  1. Open System Connection for the shipper Tenant:

 

 

  1. Click Manage Cloud Connector. In the manage Cloud Connector Details, you can input the location ID (like the S4 Hana Client) and the SAP User (it should be either S User or P User in accounts.sap.com)which is  authorized in the cloud connector.

 

  1. .Go to the “Outbound from Network tab”, click on  ”Configure Connections”.  Under Authentication Details tab, enter the USER id and password to the backend SAP TM system

 

  1. In General tab click on edit and change the authentication type to “Cloud Connector with Basic Authentication”, Maintain the SAP User and location ID(as created in previous steps).  Under Authentication Details, enter the USER id   and password to the backend SAP TM system

 

5. Edit the interface to contain the system information, as in below. Note that this step is required for all outbound interfaces from SAP Logistics Business Network to SAP TM.

The right way to maintain the URL here is http://<host>:<port>/<path>

And the host and port should be the virtual host maintained in the cloud connector. As we will call cloud connector from LBN. Additionally, the URL you maintain here will always start with http irrespective of the port. So we differentiate HTTPS or HTTP only based on the port and configuration maintained in the cloud connector.

 

 

  1. Then click Activate.

 

6.2 Setting Up the Cloud Connector

Perquisite is you have administration access to Cloud Connector.

  1. Obtain URL TO CLOUD CONNECTOR
  2. Create a new entry  for subaccount a46089868 with below entries
      • Note :
        • Subaccount a46089868 points to SAP Managed Cloud Integration System. So you MUST use this subaccount ID to establish connection with your cloud connector
        • DONOT enter your SAP Logistics Business Network Subaccount ID
    • Region: Europe(Rot)   ( hana.ondemand.com)
    • Subaccount: a46089868
    • Subaccount User: Enter the SAP user   ( As maintained in 6.1 step 4 )
    • Password: Enter the password for SAP user
    • LoacationID: Enter Location ID ( Mandatory) ( As maintained in 6.1 step 4 )

 

 

Once completed, you should see something like below:

If the above already exists, you will see it as in below:

  1. Go to the detail and choose Cloud to OnPremise.
  2. Add the new mapping virtual to internal system. This should point to the ICM setting of your SAP TM system. You can go to transaction SMICM to obtain this.( Menu SMICM -> Goto -> Services )

 

NOTE:  You should create an entry for both HTTP and HTTPS connection.

 

  1. For each of the mapping, ensure that Resources Accessible are specified with the following settings:

Enabled: On

Status:  leave Blank

URL Path:  /

Access Policy:  Path and subparts

6.3 Perform Configuration for Inbound Services in SAP TM

Requisite is You have authorization to transaction SOAMANAGER.

You must set up the endpoints for all the inbound interfaces in SAP Logistics Business Network as follows:

  • TransportationOrderConfirmation_In
  • TransportationOrderQuotationConfirmation_In
  • TransportationOrderChargeElementRequest_In
  • InvoiceRequest_In
  • TransportationEventBulkNotification_In
  • TransportationOrderChargeElementRequest_In
  • AppointmentConfirmation_In

For each of the interface, you will create configuration using SOAManager. The following settings would be necessary:

 

 

Testing the Connection

By performing all the above steps, your connection is established to SAP Logistics Business Network. You can test the connection by sending a document for example, Send Freight order for confirmation and check if the document has reached SAP Logistics Business Network You can view the message flow via SRT_MONI in your SAP TM system and also via Manage Message log in SAP Logistics Business Network

Assigned Tags

      20 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Rohit Mahajan
      Rohit Mahajan

      Hi Ravish,

       

      Thanks for Information and it is very very helpful.  There is one change required.

       

      1. IN SAP TM, go to SM30 using table STRUSTSL. Create new SSL client for SAP Logistics Business Network

      It Should be STRUSTSSL.

       

      Best Regards,

      Rohit

      Author's profile photo Ravish Shetty R
      Ravish Shetty R
      Blog Post Author

      Hi Rohit, Thank you for the feedback. I have updated the document.

       

      Author's profile photo Venu Ravipati
      Venu Ravipati

      Hi Ravish,

      Thank you for the great blog. We are setting up direct connectivity from S/4 to LBN and your blog is very helpful.

      We see one issue. While testing and sending a message from S/4 to LBN, the message is getting triggered in sxmb_moni (for mediated connectivity). Do we need any additional configuration in S/4 to set up message trigger for direct connectivity instead of mediated connectivity?

      Many thanks in advance,

      Venu

      Author's profile photo Harikrishnan Panakkal
      Harikrishnan Panakkal

      in SOAMANAGER, you may set logical port as default(click 'Set Log.Port Default' button for respective logical port).

      Author's profile photo Vinod Patil
      Vinod Patil

      Thanks for nice blog. Please explain the step of SXMB_ADMIN? We don’t see any messages in sxmb_moni?

      Author's profile photo Ravish Shetty R
      Ravish Shetty R
      Blog Post Author

      I think sxmb_admin is not needed. Just use transaction, SOAMANAGER, you may set logical port as default(click 'Set Log.Port Default' button for respective logical port).

      Author's profile photo Rodrigo Jordao
      Rodrigo Jordao

      Is there a blog post for option 1?

      1. Connection via middleware: either SAP Process Integration (PI) or SAP Cloud Platform Integration (CPI)

       

      Author's profile photo Ravish Shetty R
      Ravish Shetty R
      Blog Post Author

      https://blogs.sap.com/2021/05/10/how-to-setup-connection-from-your-cloud-integration-to-sap-logistics-business-network/

       

      This is the link

      Author's profile photo Mo Iqbal
      Mo Iqbal

      Hi Guys,

      Can someone please help me and let me know how the data will move from SAP's LBN to customer's LBN System?

      I am really struggling to find that information as I have followed the blog and the config guide but still the message is not appearing in our LBN System.

      I used the endpoint : https://l20398-iflmap.hcisbp.eu1.hana.ondemand.com/cxf/lbn/b2b/soap/v1 in the CPI and the messages are successfully going to this endpoint but not visible in our test LBN system.

      Am I missing something? Do we need to do anything else?

      Ravish Shetty R, Harikrishnan Panakkal Rodrigo Jordao  - Can you please help with the above and also let me know when to use the SAP's latest API and can we configure that in S/4 HANA On-Premise as well?

      Author's profile photo Ravish Shetty R
      Ravish Shetty R
      Blog Post Author

      Hi ,

      LBN is a cloud network product .So there is no Customer LBN vs SAP LBN.  If you have subscribed you would get a productive and a test tenant, that is managed by Your BTP account.

      If you are able to send payloads to the above mentioned end point

      - check if you see any error logs in your sender system(CPI or S4)

      - log in to your LBN account. Open “Manage integration log” application. Check for any errors.
      - if you are not able to figure out, report an incident to SCM-LBN-INT component

      Author's profile photo Mo Iqbal
      Mo Iqbal

      Thanks Ravish Shetty R.

      As far as I know I have done everything mentioned in your blog and the Config guide and I am able to successfully send the message to the mentioned endpoint but there is no error neither in S/4/CPI nor in the LBN which is really strange and really wonder where the messages are going after showing the status as "COMPLETED" in CPI and "DELIVERED" in S/4.

      We have also raised an incident with SAP with a high priority but sadly there is no update from past one week.

      Is it possible for you to help? Can I reach out to you directly if that is OK with you?

      Author's profile photo Thirukumaran Rajendran
      Thirukumaran Rajendran

      Hi, Thanks for the nice document on all steps...

      Author's profile photo Patrick Dörr
      Patrick Dörr

      Thanks Ravish Shetty R for all the details? Are these also valid steps incl. IAS Certificate Purchase in case of a direkt connection to LBN to you GTT Option Version 2? thanks Patrick

      Author's profile photo Ravish Ramakrishna Shetty
      Ravish Ramakrishna Shetty
      Blog Post Author

      HI Partick,

      If you are using LBN GTT for integration with IDOC, then above steps are not relevant. You can get further details here. https://github.com/SAP-samples/logistics-business-network-gtt-samples

       

      Author's profile photo Patrick Dörr
      Patrick Dörr

      Hi Ravish, the way s4-backend > GTT works fine but i need webservices for the way back.

      Author's profile photo Ravish Ramakrishna Shetty
      Ravish Ramakrishna Shetty
      Blog Post Author

      HI Patrick,

       

      For GTT, the flow back to S/4 is directly via cloud connector. Below link might be helpful.

      https://help.sap.com/docs/SAP_LBN_GTT_OPTION/d0802f41861a4f81a3610d873fdcf148/c4245b613c944259b3c073cfabe5c56c.html?locale=en-US

       

      Author's profile photo Pushkar Joshi
      Pushkar Joshi

      HI Ravi

      Is there any possibility with Below to avoid Certificate based Authentication

      1. Direct connection (via SOAMANAGER) between SAP Logistics Business Network and your SAP TM or SAP S/4HANA system

      Is there any way we can directly use the username and password while configuring the Outbound Web services in SOAMANAGER

      Thanks and Regards

      Pushkar Joshi

       

      Author's profile photo Ravish Ramakrishna Shetty
      Ravish Ramakrishna Shetty
      Blog Post Author

      HI Pushkar,

      LBN does not support username/pwd for now. It is only certificate based .

      BR, Ravish.

      Author's profile photo Rafael Castillo
      Rafael Castillo

      Hi Ravis.

      I perform all the configuration of the Direct connection guide (via SOAMANAGER) between SAP Logistics Business Network and your SAP TM or SAP S/4HANA system based on the CN certificate of the GTT URL but when I try to ping the SOAMANAGER the response It is 401 unauthorized but I am assigning all the lbn roles to the technical user through the role collection. Could you please tell me if the certificate should be that of the CN of the gtt or that of the technical user?
      The URL must be configured in SOAMANAGER: HTTPS://<URL GTT>/cxf/lbn/b2b/soap/v1 for all consumer services?

      Author's profile photo Ravish Ramakrishna Shetty
      Ravish Ramakrishna Shetty
      Blog Post Author

      The configuration above is for LBN FC . For GTT the integration is based on IDOC