How to Set Up a Direct Connection from Your On-Premise System to SAP Logistics Business Network, Freight Collaboration Option
SAP Logistics Business Network, freight collaboration option improves supply chain efficiency by connecting business partners on a collaborative network that supports jointly managing transactions, exchanging documents, and sharing insights across the value chain.
To enable document exchange, you have to set up connectivity to your on-premise system. Your on-premise system (S4 or SAP TM standalone) can be connected to SAP Logistics Business Network using one of the options below:
- Connection via middleware: either SAP Process Integration (PI) or SAP Cloud Platform Integration (CPI)
- Direct connection (via SOAMANAGER) between SAP Logistics Business Network and your SAP TM or SAP S/4HANA system
This blog elaborates on option 2 by providing step-by-step guidance for establishing a direct connection.
Setting up the connection
To begin the setup, you must have administrator rights in SAP TM as well as in the SAP Logistics Business Network tenant.
Below is a list of steps that must be performed:
1. Generate the Key Pairs Certificates from Identity Authentication Service
Communication between SAP Logistics Business Network and SAP TM system is based on B2B messages using SOAP protocol. Messages are authenticated using client certificates. These certificates must be requested.
- You have already purchased an Identity Authentication service. You can purchase such a service tenant here: <https://www.sapstore.com/solutions/40132/SAP-Cloud-Platform-Identity-Authentication>.
- While subscribing to an SAP Logistics Business Network productive license, you have been provisioned with an Identity Authentication service tenant, and the tenant details and a URL are sent to the S-User used for the license.
- If you have subscribed for a test SAP Logistics Business Network license and you have not purchased an Identity Authentication service tenant, you may request a key pair from SAP by raising an incident to the component SCN-LBN-INT. (In this case, you can skip the steps in this )
When using the Identity Authentication service, the certificates are signed by SAP Passport CA.
Perform the following steps to request the Key Pairs certificate:
- Obtain access to the Identity Authentication
- Follow the steps below to generate a *.p12 file from your Identity Authentication service tenant. Perform the following actions to generate a key The following process is only for an SAP Logistics Business Network productive license.
- Access the tenant’s administration console for the Identity Authentication service by using the console’
- Note the following points:
- The URL has the pattern https://<tenant ID>.accounts.ondemand.com/admin.
- The tenant ID is automatically generated by the The first administrator who created the tenant receives an activation email with a URL. This URL contains the tenant ID
- In case you need to know the IAS tenant admin or the tenant details (URL), please raise an incident in component BC-IAM-IDS. Link to create an incident: https://launchpad.support.sap.com/#/incident/create
- Under Applications and Resources, choose Applications, click the pencil icon for Add Application, and assign the new application the name CertificateGeneration, for example. Within the section “Client ID, Secrets and Certificate”, click on Add “Certificates for API Authentication”.
- Enter the Common Name, Password, and Confirmed Password and click on Generate. The browser downloads the certificate to your local
The result is that you will have a signed certificate – a *.p12 file.
2. Import the IAS Certificate into the SAP TM in STRUST
- (Optional) Convert the signed certificate (a *.p12 file) to a PSE file. Follow the steps outlined in 2148457 – How to convert the keypair of a PKCS#12 / PFX container into a PSE file
- In newer S/4 releases, the *.p12 file can be uploaded directly to STRUST, so there is no need to convert it.
Note: You can download CRYPTOLIB software using link: SAP Cryptographic Software
- In SAP TM, go to SM30 using table STRUSTSSL. Create a new SSL client for SAP Logistics Business Network.
- In SAP TM, go to transaction STRUST. Choose the SSL Client Identifier from above, then run the following actions:
- PSE -> Import
- Save as “SSL Client” -> replace existing PSE
3. Import SAP Logistics Business Network Certificate into SAP TM Using STRUST
The procedure has no explicit dependency on the onboarding process. However, it is recommended that you have procured the SAP Logistics Business Network license prior to performing any steps identified here.
- Access SAP Logistics Business Network Live URL: <https://l20398-iflmap.hcisbp.eu1.hana.ondemand.com/> and select the site information.
You will notice the lock symbol, click it to export the certificate.
2. Add SAP Logistics Business Network Certificates to PSE using STRUST
For each of the certificates
- Go to transaction STRUST
- Choose the SSL Client LBN (or what you set up).
- Import certificate
- Add to certificate list
- Then Restart ICM. Navigate the More-> Environment->ICM Monitor->
- Once in SMICM, go to More->Administration-> ICM-> Global. Restart ICM.
4. Create System Connection in SAP Logistics Business Network Shipper Tenant
SAP Logistics Business Network tenant has been established as described in section 4. You have subscribed to the system role.
- From your P12 file, extract the public certificate and export it to an X.509 CER certificate file. This file is uploaded in the System Connection app of SAP Logistics Business Network.
- Log in to the shipper tenant, then go to System Connection.
- Click on Add, select the connection type “SAP TM – SAP S/4HANA”, and maintain the Connection ID and System ID.
- Navigate to Inbound to Network then import the certificate, Save.
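Step 4 needs only the public certificate; the *.p12 also holds the private key, which belongs in the SSL client PSE on the SAP TM side and nowhere else. The following is an added example (not from the original post) of the extraction with the OpenSSL command line, assuming `openssl` is installed; the function names, file names and the throwaway self-signed key pair standing in for the IAS download are constructed for illustration.

```shell
#!/bin/sh
# Added example: export only the public certificate from a PKCS#12 key pair.
# Function names, file names and the demo key pair are constructed.
set -eu

# export_public_cert <p12> <password> <out.cer>
# Writes the client certificate (no private key, no CA chain) as DER X.509.
export_public_cert() {
    p12=$1; out=$3; pem=$(mktemp)
    # env: keeps the password out of the process list;
    # -nokeys omits the private key, -clcerts omits CA certificates.
    P12_PASS=$2 openssl pkcs12 -in "$p12" -passin env:P12_PASS \
        -clcerts -nokeys -out "$pem" 2>/dev/null || { rm -f "$pem"; return 1; }
    # Refuse to continue if key material ended up in the export.
    if grep -q 'PRIVATE KEY' "$pem"; then rm -f "$pem"; return 1; fi
    openssl x509 -in "$pem" -outform DER -out "$out" || { rm -f "$pem"; return 1; }
    rm -f "$pem"
}

# SHA-256 fingerprint of a DER certificate, for comparison across systems.
cert_fingerprint() {
    openssl x509 -inform DER -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds only if the certificate is still valid <days> days from now.
cert_valid_for_days() {
    openssl x509 -inform DER -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Constructed stand-in for the IAS download: a throwaway self-signed key pair.
make_demo_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=lbn-demo-client' \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    P12_PASS=$2 openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -out "$1/demo.p12" -passout env:P12_PASS
}

demo() {
    d=$(mktemp -d)
    make_demo_p12 "$d" 'demo-only'
    export_public_cert "$d/demo.p12" 'demo-only' "$d/client.cer"
    openssl x509 -inform DER -in "$d/client.cer" -noout -subject -enddate
    echo "SHA-256: $(cert_fingerprint "$d/client.cer")"
    cert_valid_for_days "$d/client.cer" 7 && echo "valid for at least 7 more days"
    rm -rf "$d"
}
demo
```

Checking the printed subject and expiry date against the certificate displayed for the SSL client PSE in STRUST is a quick way to confirm that the file being uploaded belongs to the key pair imported in step 2.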
5. Setting Up Web Services Using SOAMANAGER for Inbound Services to SAP Logistics Business Network from SAP TM
The direct connection to SAP Logistics Business Network can be influenced by setting the default configuration to blank in SXMB_ADMIN. To do so, go to SXMB_ADMIN and set the following settings:
Additionally, the settings in STRUST described in the prior section must be set up.
Launch the transaction SOAMANAGER and maintain the consumer service for these interfaces as follows: Outbound interfaces:
- In SOAMANAGER, choose the option Configure the Web services Configuration
2. For each of the outbound interfaces above, configure the settings as in below:
3. Then create manual configuration to influence the settings
4. Specify the logical port (this can be freely defined). Make sure to select “Logical Port is Default”.
5. Specify the Consumer Security settings. Make sure to specify the X.509 SSL Client PSE as defined in STRUST.
Note: You specify the SSL Client PSE from the setup in STRUST as outlined in the previous steps, which contains the private key for authentication in SAP Logistics Business Network.
6. On the HTTP settings tab, use the live SAP Logistics Business Network URL (https://l20398-iflmap.hcisbp.eu1.hana.ondemand.com/cxf/lbn/b2b/soap/v1), and specify the transport bindings as shown below.
Usually, when connecting to BTP, you are required to provide your tenant host URL. With SAP Logistics Business Network this is a little different, since there is always an SAP-owned Cloud Integration instance in the middle.
So you should always configure this endpoint in your web service: https://l20398-iflmap.hcisbp.eu1.hana.ondemand.com/cxf/lbn/b2b/soap/v1
7. Under SOAP Protocol (or messaging settings), you can choose the following settings:
- The rest of the settings are blank.
- ALL OTHER SETTINGS MUST BE DEFAULT.
- SAVE AND ACTIVATE
6. Setting Up the Outbound System Connection from SAP Logistics Business Network to SAP TM
Prior to setting up the inbound system connection in SAP Logistics Business Network, you must have already created a subaccount and certificates have been loaded to the system connection.
6.1 Setting Up the System Connection in SAP Logistics Business Network
Usually, with BTP (Cloud Foundry) to SAP S/4HANA integration, you assign the S-User the administrator role. In this case, however, you are not connecting directly to your subaccount but to the SAP Managed Cloud Integration instance (CPI). Within this instance your S-User has to be maintained with the right role. You will not have access to the SAP Managed Cloud Integration instance; maintaining the S-User via the System Connections app, as described below, adds your S-User to the instance with the right roles.
- Open System Connection for the shipper Tenant:
- Click Manage Cloud Connector. In the Manage Cloud Connector details, enter the location ID (like the S4 HANA client) and the SAP User (either an S-User or a P-User in accounts.sap.com) that is authorized in the Cloud Connector. Set the status to “Released” for both the location ID and the SAP User.
- Go to the “Outbound from Network” tab and click “Configure Connections”. Under the Authentication Details tab, enter the user ID and password for the backend SAP TM system.
- In the General tab, click Edit and change the authentication type to “Cloud Connector with Basic Authentication”. Maintain the SAP User and location ID (as created in the previous steps). Under Authentication Details, enter the user ID and password for the backend SAP TM system.
5. Edit the interface to contain the system information, as in below. Note that this step is required for all outbound interfaces from SAP Logistics Business Network to SAP TM.
The right way to maintain the URL here is http://<host>:<port>/<path>.
The host and port should be the virtual host maintained in the Cloud Connector, because LBN calls the Cloud Connector. Additionally, the URL you maintain here always starts with http, irrespective of the port; whether HTTP or HTTPS is used is determined only by the port and the configuration maintained in the Cloud Connector.
- Then click Activate.
6.2 Setting Up the Cloud Connector
Prerequisite: you have administration access to the Cloud Connector.
- Obtain the URL to the Cloud Connector.
- Create a new entry for subaccount a46089868 with the entries below.
- Note:
  - Subaccount a46089868 points to the SAP Managed Cloud Integration system, so you MUST use this subaccount ID to establish the connection with your Cloud Connector.
  - Do NOT enter your SAP Logistics Business Network subaccount ID.
- Region: Europe (Rot) (hana.ondemand.com)
- Subaccount: a46089868
- Subaccount User: enter the SAP user (as maintained in 6.1 step 4)
- Password: enter the password for the SAP user
- Location ID: enter the location ID (mandatory) (as maintained in 6.1 step 4)
Once completed, you should see something like below:
If the above already exists, you will see it as in below:
- Go to the detail and choose Cloud to On-Premise.
- Add the new mapping from the virtual to the internal system. This should point to the ICM setting of your SAP TM system. You can go to transaction SMICM to obtain this (menu SMICM -> Goto -> Services).
NOTE: You should create an entry for both the HTTP and the HTTPS connection.
- For each of the mappings, ensure that Resources Accessible are specified with the following settings:
Status: leave Blank
URL Path: /
Access Policy: Path and subparts
6.3 Perform Configuration for Inbound Services in SAP TM
Prerequisite: you have authorization for transaction SOAMANAGER.
You must set up the endpoints for all the inbound interfaces in SAP Logistics Business Network as follows:
For each of the interfaces, you create a configuration using SOAMANAGER. The following settings are necessary:
Note: Select the transport level security setting based on the URL exposed by S4TM.
Testing the Connection
By performing all the above steps, your connection to SAP Logistics Business Network is established. You can test the connection by sending a document, for example by sending a freight order for confirmation, and checking whether the document has reached SAP Logistics Business Network. You can view the message flow via SRT_MONI in your SAP TM system and via Manage Message Log in SAP Logistics Business Network.