How to Set Up Direct connection from your On Prem to SAP Logistics Business Network Freight Collaboration Option
SAP Logistics Business Network, freight collaboration option improves supply chain efficiency by connecting business partners on a collaborative network that supports jointly managing transactions, exchanging documents, and sharing insights across the value chain.
To enable document exchange, you have to set up connectivity to your on-premise system. Your on-premise (S4 or SAP TM standalone) system can be connected to SAP Logistics Business Network using one of the options below:
- Connection via middleware: either SAP Process Integration (PI) or SAP Cloud Platform Integration (CPI)
- Direct connection (via SOAMANAGER) between SAP Logistics Business Network and your SAP TM or SAP S/4HANA system
This blog elaborates on option 2 by providing step-by-step guidance for establishing the direct connection.
Setting up the connection
To begin the setup, you must have administrator rights in SAP TM as well as SAP Logistics Business Network tenant.
Below is a list of steps that must be performed:
1. Generate the key pairs certificates (Key Pairs) with Identity Authentication service
2. Import the IAS Certificate into the SAP TM in STRUST
3. Import SAP Logistics Business Network Certificate into SAP TM using STRUST
4. Create System Connection in SAP Logistics Business Network Shipper Tenant
5. Setup Webservices using SOAMANAGER for inbound services to SAP Logistics Business Network from SAP TM
6. Setup the outbound system connection in SAP Logistics Business Network
1. Generate the Key Pairs Certificates from Identity Authentication Service
Communication between SAP Logistics Business Network and SAP TM system is based on B2B messages using SOAP protocol. Messages are authenticated using client certificates. These certificates must be requested.
- You have already purchased an Identity Authentication service. You can purchase such a service tenant here: <https://www.sapstore.com/solutions/40132/SAP-Cloud-Platform-Identity-Authentication>.
- While subscribing to an SAP Logistics Business Network productive license, you have been provisioned with an Identity Authentication service tenant and details tenant, and a URL is sent to the S-User used for the license
- If you have subscribed for a test SAP Logistics Business Network license and you have not purchased an Identity Authentication service tenant, you may request a key pair from SAP by raising an incident to the component SCN-LBN-INT. (In this case, you can skip the steps in this )
When using the Identity Authentication service, the certificates are signed by SAP Passport CA.
Perform the following steps to request the Key Pairs certificate:
- Obtain access to the Identity Authentication
- Follow the steps below to generate a *.p12 file from your Identity Authentication service tenant. Perform the following actions to generate a key The following process is only for an SAP Logistics Business Network productive license.
- Access the tenant’s administration console for the Identity Authentication service by using the console’
- Note the following points:
- The URL has the pattern https://<tenant ID>.accounts.ondemand.com/admin.
- The tenant ID is automatically generated by the The first administrator who created the tenant receives an activation email with a URL. This URL contains the tenant ID
- In case you need to know the IAS tenant admin or the tenant details (URL), please raise an incident in component BC-IAM-IDS. Link to create an incident: https://launchpad.support.sap.com/#/incident/create
- Under Applications and Resources, choose Applications, click the pencil icon for Add Application, and assign the new application the name CertificateGeneration, for example. Within the section “Client ID, Secrets and Certificate”, click on Add “Certificates for API Authentication”.
- Enter the Common Name, Password, and Confirmed Password and click on Generate. The browser downloads the certificate to your local
The result is that you will have a signed certificate – a *.p12 file.
2. Import the IAS Certificate into the SAP TM in STRUST
- (Optional) Convert the signed certificate (a *.p12 file) to a PSE file. Follow the steps outlined in 2148457 – How to convert the keypair of a PKCS#12 / PFX container into a PSE file
- In the newer S/4 releases, the *.p12 file can be uploaded directly to STRUST, so there is no need to convert it.
Note: You can download CRYPTOLIB software using link: SAP Cryptographic Software
- In SAP TM, go to SM30 using table STRUSTSSL. Create a new SSL client for SAP Logistics Business Network
3. In SAP TM, go to transaction STRUST. Choose the SSL Client Identifier from above, then run the following actions:
- PSE -> Import
- Save as “SSL Client” -> replace existing PSE
3. Import SAP Logistics Business Network Certificate into SAP TM Using STRUST
The procedure has no explicit dependency to the onboarding process. However, it is recommended that you have procured the SAP Logistics Business Network license prior to performing any steps identified here.
- Access SAP Logistics Business Network Live URL: <https://l20398-iflmap.hcisbp.eu1.hana.ondemand.com/> and select the site information.
You will notice the lock symbol; click it to export the certificate.
2. Add SAP Logistics Business Network Certificates to PSE using STRUST
For each of the certificates:
- Go to transaction STRUST
- Choose the SSL Client LBN (or what you set up).
- Import certificate
- Add to certificate list
- Then restart ICM. Navigate to More -> Environment -> ICM Monitor.
- Once in SMICM, go to More -> Administration -> ICM -> Global. Restart ICM.
4. Create System Connection in SAP Logistics Business Network Shipper Tenant
SAP Logistics Business Network tenant has been established as described in section 4. You have subscribed to the system role.
- From your P12 file, extract the public certificate and export it to an X.509 CER certificate file. This file is uploaded in the System Connection app of SAP Logistics Business Network.
- Log in to the shipper tenant, then go to System Connection.
- Click on Add, select the connection type “SAP TM – SAP S/4HANA”, and maintain the Connection ID and System ID
- Navigate to Inbound to Network then import the certificate, Save.
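The first step above (extracting only the public certificate from the *.p12) can be done with the OpenSSL command line, shown here as an added example that is not part of the original blog. The self-signed key pair, the common name lbn-demo-client, the P12_PASS variable and the function names are constructed stand-ins for the file generated by the Identity Authentication service.

```shell
#!/bin/sh
# Added example: take only the public certificate out of a PKCS#12 file.
# The password is read from the environment (env:P12_PASS) so it does not
# show up in the process list; P12_PASS is a name chosen for this example.
set -eu

# Constructed stand-in for the *.p12 from Identity Authentication:
# a throwaway self-signed key pair with a made-up common name.
make_sample_p12() {  # $1 = output .p12
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=lbn-demo-client" \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$tmp/key.pem" -in "$tmp/cert.pem" \
        -out "$1" -passout env:P12_PASS
    rm -rf "$tmp"
}

# Write the client certificate from $1 to $2 as PEM, without key material.
extract_public_cert() {  # $1 = input .p12, $2 = output .cer
    openssl pkcs12 -in "$1" -passin env:P12_PASS -clcerts -nokeys 2>/dev/null \
        | openssl x509 -outform PEM -out "$2"
    # Never upload a file that still carries a private key block.
    if grep -q "PRIVATE KEY" "$2"; then
        rm -f "$2"
        echo "private key found, output removed" >&2
        return 1
    fi
}

# Subject and SHA-256 fingerprint, to compare with the own certificate
# shown for the SSL client PSE in STRUST.
cert_subject()     { openssl x509 -in "$1" -noout -subject; }
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

demo() {
    work=$(mktemp -d)
    P12_PASS="constructed-demo-password"; export P12_PASS
    make_sample_p12 "$work/client.p12"
    extract_public_cert "$work/client.p12" "$work/client.cer"
    cert_subject "$work/client.cer"
    cert_fingerprint "$work/client.cer"
    rm -rf "$work"
}
demo
```

With the real file, set P12_PASS to the password chosen when generating the certificate and call extract_public_cert on the downloaded *.p12; the private key stays in the *.p12 and in the STRUST PSE only.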
5. Setting Up Web Services Using SOAMANAGER for Inbound Services to SAP Logistics Business Network from SAP TM
The direct connection to SAP Logistics Business Network can be influenced by setting the default configuration to blank in SXMB_ADMIN. To do so, go to SXMB_ADMIN and set the following settings:
Additionally, the settings in STRUST described in the prior section must be set up.
Launch the transaction SOAMANAGER and maintain the consumer service for these interfaces as follows: Outbound interfaces:
- In SOAMANAGER, choose the option Configure the Web services Configuration
2. For each of the outbound interfaces above, configure the settings as in below:
3. Then create manual configuration to influence the settings
4. Specify the logical port (this can be freely defined). Make sure to select "Logical Port is default".
5. Specify the Consumer Security settings. Make sure to specify the X.509 SSL Client PSE as defined in STRUST.
Note: You specify the SSL Client PSE from the setup in STRUST as outlined in the previous steps, which contains the private key for authentication in SAP Logistics Business Network.
6. On the HTTP settings tab, use the live SAP Logistics Business Network URL (https://l20398-iflmap.hcisbp.eu1.hana.ondemand.com/cxf/lbn/b2b/soap/v1), and specify the transport bindings as shown below.
Usually, when connecting to BTP, you are required to provide your tenant host URL. With SAP Logistics Business Network this is a little different, since there is always an SAP-owned Cloud Integration instance in the middle.
So you should always configure this endpoint in your web service: https://l20398-iflmap.hcisbp.eu1.hana.ondemand.com/cxf/lbn/b2b/soap/v1
7. Under SOAP Protocol (or messaging settings), you can choose the following settings:
- The rest of the settings are blank.
- ALL OTHER SETTINGS MUST BE DEFAULT.
- SAVE AND ACTIVATE
6. Setting Up the Outbound System Connection from SAP Logistics Business Network to SAP TM
Prior to setting up the inbound system connection in SAP Logistics Business Network, you must have already created a subaccount and certificates have been loaded to the system connection.
6.1 Setting Up the System Connection in SAP Logistics Business Network
Usually, with a BTP (Cloud Foundry) to SAP S/4HANA integration, you assign the S-User the administrator role. In this case, however, you are not connecting directly to your subaccount, but to the SAP Managed Cloud Integration instance (CPI). Within this SAP Managed Cloud Integration instance, your S-User has to be maintained with the right role. You will not have access to the SAP Managed Cloud Integration instance. Maintaining the S-User via the System Connections app as described below adds your S-User to the SAP Managed Cloud Integration instance with the right roles.
- Open System Connection for the shipper Tenant:
- Click Manage Cloud Connector. In the Manage Cloud Connector details, you can enter the location ID (like the S4 HANA client) and the SAP user (it should be either an S-User or a P-User in accounts.sap.com) that is authorized in the cloud connector.
- Go to the “Outbound from Network” tab and click on “Configure Connections”. Under the Authentication Details tab, enter the user ID and password for the backend SAP TM system
- In the General tab, click on Edit and change the authentication type to “Cloud Connector with Basic Authentication”. Maintain the SAP user and location ID (as created in the previous steps). Under Authentication Details, enter the user ID and password for the backend SAP TM system
5. Edit the interface to contain the system information, as in below. Note that this step is required for all outbound interfaces from SAP Logistics Business Network to SAP TM.
The right way to maintain the URL here is http://<host>:<port>/<path>
The host and port should be those of the virtual host maintained in the cloud connector, because the cloud connector is called from LBN. Additionally, the URL you maintain here will always start with http irrespective of the port. HTTPS and HTTP are differentiated only by the port and the configuration maintained in the cloud connector.
- Then click Activate.
6.2 Setting Up the Cloud Connector
Prerequisite: you have administration access to the Cloud Connector.
- Obtain the URL to the Cloud Connector
- Create a new entry for subaccount a46089868 with below entries
- Note:
- Subaccount a46089868 points to the SAP Managed Cloud Integration system, so you MUST use this subaccount ID to establish the connection with your cloud connector
- Do NOT enter your SAP Logistics Business Network subaccount ID
- Region: Europe (Rot) (hana.ondemand.com)
- Subaccount: a46089868
- Subaccount User: Enter the SAP user (as maintained in 6.1 step 4)
- Password: Enter the password for the SAP user
- Location ID: Enter the Location ID (mandatory) (as maintained in 6.1 step 4)
Once completed, you should see something like below:
If the above already exists, you will see it as in below:
- Go to the detail and choose Cloud to OnPremise.
- Add the new mapping from virtual to internal system. This should point to the ICM setting of your SAP TM system. You can go to transaction SMICM to obtain this (menu SMICM -> Goto -> Services).
NOTE: You should create an entry for both HTTP and HTTPS connection.
- For each mapping, ensure that Resources Accessible are specified with the following settings:
Status: leave Blank
URL Path: /
Access Policy: Path and subparts
6.3 Perform Configuration for Inbound Services in SAP TM
Prerequisite: you have authorization for transaction SOAMANAGER.
You must set up the endpoints for all the inbound interfaces in SAP Logistics Business Network as follows:
For each interface, you create a configuration using SOAMANAGER. The following settings are necessary:
Note: Select the transport level security setting based on the URL exposed by S4TM.
Testing the Connection
By performing all the above steps, your connection to SAP Logistics Business Network is established. You can test the connection by sending a document, for example Send Freight Order for Confirmation, and checking whether the document has reached SAP Logistics Business Network. You can view the message flow via SRT_MONI in your SAP TM system and also via Manage Message Log in SAP Logistics Business Network.
Thanks for Information and it is very very helpful. There is one change required.
It Should be STRUSTSSL.
Hi Rohit, Thank you for the feedback. I have updated the document.
Thank you for the great blog. We are setting up direct connectivity from S/4 to LBN and your blog is very helpful.
We see one issue. While testing and sending a message from S/4 to LBN, the message is getting triggered in sxmb_moni (for mediated connectivity). Do we need any additional configuration in S/4 to set up message trigger for direct connectivity instead of mediated connectivity?
Many thanks in advance,
In SOAMANAGER, you may set logical port as default (click 'Set Log.Port Default' button for respective logical port).
Thanks for nice blog. Please explain the step of SXMB_ADMIN? We don’t see any messages in sxmb_moni?
I think sxmb_admin is not needed. Just use transaction, SOAMANAGER, you may set logical port as default(click 'Set Log.Port Default' button for respective logical port).
Is there a blog post for option 1?
This is the link
Can someone please help me and let me know how the data will move from SAP's LBN to customer's LBN System?
I am really struggling to find that information as I have followed the blog and the config guide but still the message is not appearing in our LBN System.
I used the endpoint : https://l20398-iflmap.hcisbp.eu1.hana.ondemand.com/cxf/lbn/b2b/soap/v1 in the CPI and the messages are successfully going to this endpoint but not visible in our test LBN system.
Am I missing something? Do we need to do anything else?
Ravish Shetty R, Harikrishnan Panakkal Rodrigo Jordao - Can you please help with the above and also let me know when to use the SAP's latest API and can we configure that in S/4 HANA On-Premise as well?
LBN is a cloud network product. So there is no Customer LBN vs SAP LBN. If you have subscribed you would get a productive and a test tenant, that is managed by your BTP account.
If you are able to send payloads to the above mentioned end point
- check if you see any error logs in your sender system(CPI or S4)
- log in to your LBN account. Open “Manage integration log” application. Check for any errors.
- if you are not able to figure out, report an incident to SCM-LBN-INT component
Thanks Ravish Shetty R.
As far as I know I have done everything mentioned in your blog and the Config guide and I am able to successfully send the message to the mentioned endpoint but there is no error neither in S/4/CPI nor in the LBN which is really strange and really wonder where the messages are going after showing the status as "COMPLETED" in CPI and "DELIVERED" in S/4.
We have also raised an incident with SAP with a high priority but sadly there is no update from past one week.
Is it possible for you to help? Can I reach out to you directly if that is OK with you?
Hi, Thanks for the nice document on all steps...
Thanks Ravish Shetty R for all the details. Are these also valid steps incl. IAS Certificate Purchase in case of a direct connection to LBN to you GTT Option Version 2? Thanks, Patrick
If you are using LBN GTT for integration with IDOC, then above steps are not relevant. You can get further details here. https://github.com/SAP-samples/logistics-business-network-gtt-samples
Hi Ravish, the way s4-backend > GTT works fine but I need webservices for the way back.
For GTT, the flow back to S/4 is directly via cloud connector. Below link might be helpful.
Is there any possibility with Below to avoid Certificate based Authentication
Is there any way we can directly use the username and password while configuring the Outbound Web services in SOAMANAGER
Thanks and Regards
LBN does not support username/pwd for now. It is only certificate based.
I performed all the configuration of the Direct connection guide (via SOAMANAGER) between SAP Logistics Business Network and your SAP TM or SAP S/4HANA system based on the CN certificate of the GTT URL, but when I try to ping from SOAMANAGER the response is 401 unauthorized, although I am assigning all the LBN roles to the technical user through the role collection. Could you please tell me if the certificate should be that of the CN of the GTT or that of the technical user?
The URL must be configured in SOAMANAGER: HTTPS://<URL GTT>/cxf/lbn/b2b/soap/v1 for all consumer services?
The configuration above is for LBN FC. For GTT the integration is based on IDOC.
Given that the Freight Booking Confirmation functionality has been recently included in LBN, I would suggest that you update blog with the below interfaces for SOAMANAGER as well:
Thanks and Regards,
Saravana Kumar Subbiah
Updated. Thank you for the feedback.