How to Setup Connection from your Cloud Integration to SAP Logistics Business Network
Introduction
SAP Logistics Business Network, freight collaboration option, improves supply chain efficiency by connecting business partners on a collaborative network that supports jointly managing transactions, exchanging documents, and sharing insights across the value chain.
To enable document exchange, you have to set up connectivity to your on-premise system. Your on-premise system (SAP S/4HANA or SAP TM standalone) can be connected to SAP Logistics Business Network in one of the following ways:
- Connection via middleware: either SAP Process Integration (PI) or SAP Cloud Integration
- Direct connection (via SOAMANAGER) between SAP Logistics Business Network and your SAP TM or SAP S/4HANA system
This blog elaborates option 1, the connection via SAP Cloud Integration, with step-by-step guidance for establishing the connection.
Setting up the connection
You must have administrator rights for the SAP Logistics Business Network tenant and for your SAP Cloud Integration tenant. The following activities have to be carried out to set up the connection:
- Generate the key pair certificate (key pair) with Identity Authentication Service (IAS)
- Import IAS Certificate to Logistics Business Network
- Import Certificates to your SAP Cloud Integration
- Maintain SAP Cloud Integration Outbound SOAP adapter
- Maintain SAP Cloud Integration Inbound SOAP Adapter
- Maintain iflow endpoint of SAP Cloud Integration in System Connection
1. Generate the key pair certificate (Key Pair) with Identity Authentication Service
Communication between SAP Logistics Business Network and SAP TM or SAP S/4HANA is based on B2B messages using the SOAP protocol. Messages are authenticated using client certificates, which must be requested first. One of the following cases applies to you:
- You have already purchased an Identity Authentication service tenant. You can purchase such a tenant here: https://www.sapstore.com/solutions/40132/SAP-Cloud-Platform-Identity-Authentication
- When subscribing to an SAP Logistics Business Network productive license, you have been provisioned with an Identity Authentication service tenant; the tenant details and URL are sent to the S-User used for the license.
- If you have subscribed to a test SAP Logistics Business Network license and have not purchased an Identity Authentication service tenant, you may request a key pair from SAP by raising an incident for the component SBN-LBN-INT. (In this case, you can skip the steps in this section.)
When using the Identity Authentication service, the certificates are signed by SAP Passport CA.
Perform the following steps to request the key pair certificate:
- Obtain access to the Identity Authentication tenant
- Follow the steps below to generate a *.p12 file from your Identity Authentication service tenant. This process applies only to an SAP Logistics Business Network productive license.
- Access the tenant’s administration console for the Identity Authentication service via the console URL.
- Note the following points:
- The URL has the pattern https://<tenant ID>.accounts.ondemand.com/admin.
- The tenant ID is generated automatically. The first administrator who created the tenant receives an activation email with a URL; this URL contains the tenant ID.
- If you need to know the IAS tenant admin or the tenant details (URL), raise an incident for the component BC-IAM-IDS. Link to create an incident: https://launchpad.support.sap.com/#/incident/create
- Under Applications and Resources, choose Applications, click the pencil icon for Add Application, and give the new application a name, for example CertificateGeneration. In the section “Client ID, Secrets and Certificate”, click Add under “Certificates for API Authentication”.
- Enter the Common Name, Password, and Confirmed Password and click Generate. The browser downloads a *.P12 file to your local folder. Make sure you note down the password.
2. Import IAS Certificate to SAP Logistics Business Network
- From the *.P12 file, extract the leaf certificate with the KeyStore Explorer application. You can download KeyStore Explorer from https://keystore-explorer.org
- After installing the application, drag and drop the p12 file into KeyStore Explorer and enter the p12 file password. Export the leaf certificate from the p12 file as shown in the image.
- Log on to the SAP Logistics Business Network application and navigate to the System Connection app. Create a new connection of type SAP TM – SAP S/4HANA. In the “Inbound to Network” tab, click Add and upload the exported leaf certificate.
- In the System Connection app, navigate to the “Outbound from Network” tab, then click “Configure Connection”. In the right panel, click “Edit”, select “Client Certificate” as the Active Authentication Type, then click “Certificate Chain”. This downloads a *.P7B file into your web browser’s download folder. This certificate is used to authenticate the flow from SAP Logistics Business Network to your SAP Cloud Integration instance.
- Activate the connection.
3. Import Certificates to your SAP Cloud Integration
- Log on to your SAP Cloud Integration system. Navigate to Monitor and then to Keystore. Upload the *.p12 file (key pair). Provide an alias name and note it down for later use. You have to enter the same password that was used to generate the key pair.
- Extract the root and intermediate certificates of the runtime URL https://l20398-iflmap.hcisbp.eu1.hana.ondemand.com with KeyStore Explorer and upload them to the SAP Cloud Integration tenant keystore.
For how to extract a certificate on a Mac, see https://stackoverflow.com/questions/25940396/how-to-export-certificate-from-chrome-on-a-mac
4. Maintain SAP Cloud Integration Outbound SOAP Adapter
- In the iflow that sends payloads to SAP Logistics Business Network, create a SOAP adapter and maintain the following:
- Address: https://l20398-iflmap.hcisbp.eu1.hana.ondemand.com/cxf/lbn/b2b/soap/v1
- Authentication type: Client Certificate.
- Private key alias: the alias name you provided when uploading the *.p12 file
5. Maintain SAP Cloud Integration Inbound SOAP Adapter
In your inbound iflow in SAP Cloud Integration that receives the LBN payload, create a SOAP adapter and maintain the following fields:
- Address: URL endpoint address
- Service Definition: Manual
- Message Exchange Pattern: One-way
- Authorization: Client Certificate
- Client Authorization:
- Export the leaf certificate from the *.P7B file (the file you downloaded from the System Connection app) with KeyStore Explorer.
- In the SOAP adapter connection settings, under Client Certificate Authorization, add the exported certificate.
If you are using Cloud Integration on SAP BTP (Cloud Foundry), additional steps are required (for further details, refer to this blog: https://blogs.sap.com/2019/08/14/cloud-integration-on-cf-how-to-setup-secure-http-inbound-connection-with-client-certificates/ ):
- Configure Client Certificate Based Authentication in the Service Instance in SAP Cloud Platform Cockpit
- Configure Client Certificate in the Service Key in SAP Cloud Platform Cockpit
Configure Client Certificate Based Authentication in the Service Instance in SAP Cloud Platform Cockpit
If you want to use client certificate-based inbound authentication, you have to activate this option in the service instance in SAP Cloud Platform Cockpit. When creating the service instance to be used for client certificate-based authentication in the SAP Cloud Platform Cockpit, you need to specify client_x509 as grant type:
{
"grant-types": ["client_x509"]
}
More details on creating service instances in Cloud Foundry can be found in the SAP online documentation at Creating a Service Instance in the Cloud Foundry Environment.
Configure Client Certificate in the Service Key in SAP Cloud Platform Cockpit
Configure the client certificate that will be used to send messages to the integration flow in the service key in the SAP Cloud Platform Cockpit.
After the service instance is available, a service key for the instance needs to be created. In the Create Service Key dialog provide a Name and in the Configuration Parameters add the encoded client certificate in the following JSON format:
{
"X.509": "-----BEGIN CERTIFICATE-----MIIHyDCCBrCgAwIB[...]CAq8Tn7kSFDmVnrXe6v8hcQ==-----END CERTIFICATE-----"
}
Note that the client certificate is a PEM-encoded X.509 certificate. Remove all line breaks, otherwise the user interface will not accept the entry.
Note that you can create multiple service keys for one service instance with different client certificates. But a client certificate can be assigned to one service instance only once.
More details on defining service keys in the Cloud Foundry environment can be found in the SAP online documentation at Defining a Service Key for the Instance in the Cloud Foundry Environment.
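As an added example (not part of the original blog or of the SAP documentation it quotes), the following Python script prepares an exported PEM certificate for the service-key dialog: it removes every line break as the cockpit requires, rejects input that is not exactly one certificate, and checks the outer DER length so that a paste which lost its tail is caught before the service key is created. The sample certificate is a constructed placeholder (a minimal DER SEQUENCE), not a real X.509 certificate.

```python
import base64
import json
import re
# One PEM certificate block; DOTALL lets the base64 body span several lines.
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)

def der_total_length(der: bytes) -> int:
    """Length the outer DER SEQUENCE header claims for the whole object.
    A certificate is a DER SEQUENCE (tag 0x30); comparing the claimed length with
    the real length catches a paste that lost its tail before the cockpit stores it."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE, so not a certificate")
    first = der[1]
    if first < 0x80:                              # short form: this byte is the length
        return 2 + first
    n = first & 0x7F                              # long form: n more length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("invalid DER length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def pem_to_single_line(pem: str) -> str:
    """Return the certificate as one line: markers kept, every line break removed."""
    blocks = PEM_BLOCK.findall(pem)
    if len(blocks) != 1:
        raise ValueError("expected exactly one certificate: export only the leaf")
    body = "".join(blocks[0].split())             # drop newlines, spaces and tabs
    der = base64.b64decode(body, validate=True)   # rejects non-base64 characters
    if der_total_length(der) != len(der):
        raise ValueError("certificate is truncated or has trailing data")
    return f"-----BEGIN CERTIFICATE-----{body}-----END CERTIFICATE-----"

def service_key_config(pem: str) -> str:
    """Configuration Parameters JSON for the service key, as the cockpit expects it."""
    return json.dumps({"X.509": pem_to_single_line(pem)})

def validation_error(pem: str) -> str:
    """Empty string when the PEM is acceptable, otherwise the reason it is rejected."""
    try:
        pem_to_single_line(pem)
        return ""
    except ValueError as exc:
        return str(exc)

# Constructed sample input: a 13-byte DER SEQUENCE standing in for a real certificate,
# wrapped onto short lines the way an exported PEM file is.
SAMPLE_DER = b"\x30\x0b\x02\x01\x01\x04\x06abcdef"
SAMPLE_BODY = base64.b64encode(SAMPLE_DER).decode()
_lines = [SAMPLE_BODY[i:i + 8] for i in range(0, len(SAMPLE_BODY), 8)]
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n" + "\n".join(_lines) + "\n-----END CERTIFICATE-----\n"
TRUNCATED_PEM = SAMPLE_PEM.replace(_lines[-1] + "\n", "")   # last base64 line lost in the paste
```

Paste the output of service_key_config into the Configuration Parameters field of the Create Service Key dialog; the DER length check is a sanity check only and does not replace verifying the certificate chain.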
6. Maintain iflow endpoint of SAP Cloud Integration in System Connection
For communication from SAP Logistics Business Network to your Cloud Integration layer, you have to maintain your SAP Cloud Integration iflow endpoint in the System Connection app.
- Open the System Connection app and navigate to the connection you created in the earlier steps.
- In the Outbound from Network tab, click “Add Destination” and maintain the endpoint for each “Service Interface Name”. Authentication details are left blank. (You can use a different endpoint for each service interface or the same endpoint for all; this depends on your implementation in SAP Cloud Integration.)
- Click the Activate button.
Summary
By following the above steps you will have established a connection between your SAP Cloud Integration instance and SAP Logistics Business Network. You additionally have to make the required settings and mappings to connect the underlying SAP or non-SAP system to your SAP Cloud Integration tenant. You can find the details in this help documentation: https://help.sap.com/viewer/368c481cd6954bdfa5d0435479fd4eaf/Cloud/en-US/7cfe913ba85d463a9c5fce101c3ae460.html
Hi @Ravish Ramakrishna Shetty
concerning chapter 1:
we are a little bewildered that you recommend to use an IAS tenant as Keypair Generator. This is out of any standard and looks quite random. This is not what the IAS is intended to be used for. You could also recommend people to use ABAP transaction STRUST to do the same. IAS is an IDP and using it as keypair generator is misuse.
This looks a bit like driving a screw with a hammer. Better recommend something else (sapgenpse or openssl ?) or Cloud Integration's Setting Up the Key Pairs and Certificates | SAP Help Portal ?
BR, Lutz
Thank you for the feedback. Never knew that STRUST can be used to generate key pairs. But seems like a better option for customers.
https://help.sap.com/doc/saphelp_nw73ehp1/7.31.19/en-us/59/6b653a0c52425fe10000000a114084/content.htm?no_cache=true
Ravish Ramakrishna Shetty
Is the reason to recommend IAS to generate the keys, to get them automatically signed by SAP Root? If we use STRUST or CPI, we would need to get them signed by an external CA. Or can they be signed by an internal CA as well? Would LBN accept internal root CA certified certificates?