Skip to Content
Technical Articles
Author's profile photo Ravish Ramakrishna Shetty
Ravish Ramakrishna Shetty
May 10, 2021 7 minute read

How to Setup Connection from your Cloud Integration to SAP Logistics Business Network

Introduction

SAP Logistics Business Network, freight collaboration option improves supply chain efficiency  by connecting business partners on a collaborative network that supports jointly managing transactions, exchanging documents, and sharing insights across the value chain.

To enable document exchange, you have to setup connectivity to your On-Premise system. Your on-premise(SAP S/4HANA or SAP TM standalone) system can be connected to SAP Logistics Business Network based on below options

  1. Connection via middleware: either SAP Process Integration(PI) or SAP Cloud Integration
  2. Direct connection (via SOAMANAGER) between SAP Logistics Business Networkand your SAP TM or SAP S/4HANA system

This blog will elaborate option 1 with connection via SAP Cloud Integration by providing step-by-step guidance for you establish connection

 

1. Generate the key pairs certificates(Key Pairs) with Identity Authentication Service

Communication between SAP Logistics Business Network and SAP TM or SAP S/4HANA is based on B2B messages using SOAP protocol.  Messages are authenticated using client certificates. These certificates must be requested.

  • You have already purchased an Identity Authentication service You can purchase such a service tenant here: < https://www.sapstore.com/solutions/40132/SAP-Cloud-Platform-Identity- Authentication>.
  • While subscribing to an SAP Logistics Business Network productive license, you have been provisioned with an Identity Authentication service tenant and details tenant, and a URL is sent to the S-User used for the license
  • If you have subscribed for a test SAP Logistics Business Network license and you have not purchased an Identity Authentication service tenant, you may request a key pair from SAP by raising an incident to the component SBN-LBN-INT. (In this case, you can skip the steps in this )

When using the Identity Authentication service, the certificates are signed by SAP Passport CA.

Perform the following steps to request the Key Pairs certificate:

  1. Obtain access to the Identity Authentication tenant
  2. Follow the steps below to generate a *.p12 file from your Identity Authentication service tenant. Perform the following actions to generate a key The following process is only for an SAP Logistics Business Network productive license.
    • Access the tenant’s administration console for the Identity Authentication service by using the console’
    • Note the following points:
      • The URL has the pattern https://<tenant ID>.accounts.ondemand.com/admin.
      • The tenant ID is automatically generated by the first administrator who created the tenant receives an activation email with a URL. This URL contains the tenant ID
      • In case you need to know the IAS tenant Admin or the tenant details(URL) please raise an incident in component : BCIAMIDSLink to create Incident :https://launchpad.support.sap.com/#/incident/create
    • Under Applications and Resources, choose Applications, click the pencil icon for Add Application, and assign the new application the name CertificateGeneration, for example. Within the section “Client ID, Secrets and Certificate”, Click on Add “Certificates for API Authentication”
    • Enter the Common NamePassword, and Confirmed Passwordand click on Generate. The browser downloads *.P12 file to your local folder. Ensure that you note down the password

Top

2. Import IAS Certificate to SAP Logistics Business Network

  1. From *.P12 file extract leaf certificate via application KeyStore Explorer application . You may down the key store explorer from website (https://keystore-explorer.org )
  2. After installing the application drag and drop p12 file into the keystore application. Enter the p12 file password . Export the p12 leaf certificate as shown in the image.
  3. Logon to SAP Logistics Business Network application. Navigate to system connection app. Create a new connection of type SAP TM – SAP S/4HANA. In the “Inbound to Network”, click on Add and upload the exported p12 leaf certificate.
  4. In the system connection app, navigate to “Outbound from Network” tab, then click on “Configure Connection”. In the right panel, click on “EDIT, select Active Authentication Type as “Client Certificate”, then Click on “Certificate Chain”. This will download a *.P7B file into your web browser’s download folder. This certificate will be used to authenticate flow from SAP Logistics Business Network to your SAP Cloud Integration instance.
  5. Activate the connection.

Top

3. Import Certificates  to your SAP Cloud Integration

  1. Logon to your SAP Cloud Integration system. Navigate to Monitor and then to Key Store. Upload the*.p12 file (key pair). Provide an Alias name and note it down for later use. You have to enter the same password as used to generate the key pair.
  2. Extract the root and intermediate certificates of the runtime URL: https://l20398-iflmap.hcisbp.eu1.hana.ondemand.com via key store explorer and upload to the SAP Cloud Integrationtenant keystore

Additionally refer the below link on how to extract certificate using mac. https://stackoverflow.com/questions/25940396/how-to-export-certificate-from-chrome-on-a-mac

Top

4. Maintain SAP Cloud Integration Outbound SOAP Adapter

  1. In the iflow for sending out payloads to SAP Logistics Business Network, Create a SOAP adapter. Maintain

Top

5. Maintain SAP Cloud Integration Inbound SOAP Adapter

Within your inbound iflow in SAP Cloud Integration to receive LBN payload, create a SOAP adapter. Maintain below fields

  • Address: URL endpoint address
  • Service Definition: Manual
  • Message Exchange Pattern: One-way
  • Authorization: Client Certificate
  • Client Authorization:
    • Export the leaf certification from *.P7B file ( this file you would have downloaded from System connection app ) via key store explorer.
    • In the SOAP Adapter connection setting , within Client Certificate Authorization, Add the exported certificate

Additionally, if you are your using Cloud Integration BTP ( CF) , there are additional steps required (Further details refer blog:  https://blogs.sap.com/2019/08/14/cloud-integration-on-cf-how-to-setup-secure-http-inbound-connection-with-client-certificates/ )

  • Configure Client Certificate Based Authentication in the Service Instance in SAP Cloud Platform Cockpit

  • Configure Client Certificate in the Service Key in SAP Cloud Platform Cockpit

Configure Client Certificate Based Authentication in the Service Instance in SAP Cloud Platform Cockpit

If you like to use client certificate-based inbound authentication, you have to activate this option in the service instance in SAP Cloud Platform Cockpit. When creating the service instance to be used for client certificated-based authentication in the SAP Cloud Platform Cockpit, you need to specify client_x509 as grant type:

{
    "grant-types": ["client_x509"]
}

More details on creating service instances in Cloud Foundry can be found in the SAP online documentation at Creating a Service Instance in the Cloud Foundry Environment.

Configure Client Certificate in the Service Key in SAP Cloud Platform Cockpit

Configure the client certificate that will be used to send messages to the integration flow in the service key in the SAP Cloud Platform Cockpit.

After the service instance is available, a service key for the instance needs to be created. In the Create Service Key dialog provide a Name and in the Configuration Parameters add the encoded client certificate in the following JSON format:

{
    "X.509": "-----BEGIN CERTIFICATE-----MIIHyDCCBrCgAwIB[...]CAq8Tn7kSFDmVnrXe6v8hcQ==-----END CERTIFICATE-----"
}

Note that the client certificate is a PEM-encoded X.509 certificate. Remove all line breaks, otherwise the user interface will not accept the entry.

Note that you can create multiple service keys for one service instance with different client certificates. But a client certificate can be assigned to one service instance only once.

More details on defining service keys in the Cloud Foundry environment can be found in the SAP online documentation at Defining a Service Key for the Instance in the Cloud Foundry Environment.

 

 

 

Top

6. Maintain iflow endpoint of SAP Cloud Integration in System Connection

For communication from SAP Logistics Business Network to your Cloud Integration layer, you have to maintain the your SAP  Cloud Integration iflow endpoint in System connection app.

  1. Open System connection app and Navigate to connection you have created earlier steps
  2. In the Outbound from Network tab, click on “Add Destination” and maintain the endpoint for each “Service Interface Name” . Authentical details will be blank. ( You could have different endpoint for each service interface or the same endpoint. It depends on your implantation is SAP Cloud Integration )
  3. Click on Activate button

Top

Summary

By following above steps you would have established connection between your instance of SAP Cloud Integration with SAP Logistics Network.  You would have additionally do the required settings and mapping to connect underlying SAP or Non SAP system to your SAP Cloud Integration tenant. You may find the details in this help documentation. https://help.sap.com/viewer/368c481cd6954bdfa5d0435479fd4eaf/Cloud/en-US/7cfe913ba85d463a9c5fce101c3ae460.html

 

 

Assigned Tags

      Be the first to leave a comment
      You must be Logged on to comment or reply to a post.