EDUCAÇÃO E TECNOLOGIA

Part 3: SAP S/4HANA Backend Configuration to Communicate with SAP BTP

This is part of a series of articles, which describe the steps to integrate an extension workflow using SAP Workflow Management on Business Technology Platform (BTP Workflow) into a Flexible Workflow in SAP S/4HANA OP.

Part 1: Integrating an Extension Workflow on SAP BTP into a Flexible Workflow
Part 2: SAP BTP Cockpit Configuration for Usage of SAP Workflow Management
Part 3: SAP S/4HANA Backend Configuration to Communicate with SAP BTP
Part 4: User and Roles for SAP BTP Workflow and Flexible Workflow
Part 5: Configure Cloud Connector for Workflow Integration
Part 6: Workflow Scenario with Extension Step
Part 7: Flexible Workflow in Integration Scenario
Part 8: Extension Workflow using SAP Workflow Management on SAP BTP
Part 9: End-to-End Test of Workflow Integration Scenario
Part 10: Problem Solving of Workflow Integration Scenario

1. Get Server Name
2. Certificate Issues
… 2.1. Create PSE Folder
… 2.2. Create PSE
… 2.3. Create, Sign and Upload Backend Certificate to your PSE
… 2.4. Add SAP BTP Certificate
3. Customizing
… 3.1. Create bgRFC Inbound Destination
… 3.2. Consumer Type Activation
… 3.3. Maintain Destination to External Server
… 3.4. Maintain OAuth 2.0 Client
… 3.5. Activate OData Service


1. Get Server Name

Use the backend system.

  • Run transaction RZ11 to view parameter values
  • Display parameter SAPLOCALHOSTFULL (case sensitive!)
  • Remember current value as localhost

Get name for https connection:

  • Run transaction SICF
  • Run (F8)
  • Menu >> Goto >> Port Information
  • In the line for the HTTPS protocol, note the Host Name and Service columns and remember them as https host and https port



2. Certificate Issues

The following activities create a trusted connection between the backend and SAP BTP.

On the backend system, create a folder; create, sign and upload a certificate for the backend system into this folder; and add the SAP BTP certificate that was downloaded in Part 2: SAP BTP Cockpit Configuration for Usage of SAP Workflow Management. Follow the instructions in the next sections.

2.1. Create PSE Folder

In backend system

  • Run Transaction STRUST
  • Switch to change mode
  • Menu: Environment >> SSL Client Identities

  • Add a new line with any PSE ID and save, remember PSE description for the next step

  • There is a new entry SSL client <PSE description>

2.2. Create PSE

Switch to your new Folder (PSE) from section above via double-click (same transaction STRUST as before in change mode).

At the moment the icon beside the PSE folder name is a red cross:

  • Use the context menu of the new PSE folder >> Create
  • Insert values:
    • Name: value localhost from first section on this page
    • Org. (Opt): e.g. your department, optional value
    • Comp./Org.: e.g. your company
    • CA: Owner of the certificate
    • other meaningful values see below:

2.3. Create, Sign and Upload Backend Certificate to your PSE

Same place as before (STRUST transaction in change mode, PSE folder)

On the right side follow the next steps:

  • Create new certificate request, use buttons as shown in the screenshot:

  • Create (button below)

  • Have this generated string signed by a proper certificate authority
  • Afterwards upload the signed certificate

  • New popup opens. Upload your signed string.
  • Set checkbox for trusting your own root certificate
  • Save

2.4. Add SAP BTP Certificate

Same place as before (STRUST transaction in change mode, PSE folder)

  • At the bottom of section Certificate push button Import certificate

  • Enter your certificate’s file path and name in tab File >> OK
  • Push Button Add to Certificate List
  • Save

Repeat these steps for every certificate in the certificate chain of SAP BTP.



3. Customizing

In backend system:

All of the following activities can be reached via transaction SPRO. Follow the path in the screenshot, but be aware that the path can differ slightly:

3.1. Create bgRFC Inbound Destination

Use the menu of the same name in transaction SPRO or run transaction SBGRFCCONF.

Intention, see documentation in SPRO: “The API calls to the connected SAP Cloud Platform Workflow tenant are done by scheduling an asynchronous background processing of Remote Function Calls (bgRFC). You must therefore configure a bgRFC inbound destination.”

  • Tab Define Inbound Dest.
  • Create the destination BC_CPWF_INBOUND_DEST in case it does not exist. There is no need to assign any queue prefix or a logon group.

3.2. Consumer Type Activation

Use the menu of the same name in transaction SPRO.

Intention, see documentation in SPRO: “Each application using the proxy API for the integration of SAP Cloud Platform Workflow registers itself as consumer type within the proxy framework. This consumer type is used to determine the correct destination, which the proxy uses to process the requests of the application, for example, to start or cancel workflow instances on SAP Cloud Platform Workflow.”

  • Add DEFAULT entry and activate it

3.3. Maintain Destination to External Server

External Server means SAP BTP in our scenario.

Use the menu of the same name in transaction SPRO or run transaction SM59.

Intention, see documentation in SPRO: “The APIs of SAP Cloud Platform Workflow service are called using REST and require an RFC destination to an external server (Type ‘G’). You must maintain such a destination for each connected instance of the workflow service.”

  • Create a new HTTP Connection to external server (use folder with type G)

  • Insert and remember a meaningful destination name and connection type G

  • General Area:
    • RFC Destination: prefilled with name from step before
    • Connection Type: G (prefilled)
    • Description 1: any description

  • Tab Technical Settings:

  • Tab Logon & Security:
    • Section Logon with User >> Radiobutton Do not Use a User
    • Section Logon with Ticket >> Radiobutton Do not Send Logon Ticket
    • No MQTT/AMQP values
    • Section Security Options
      • SSL: Radiobutton Active
      • SSL Certificate: Choose your PSE ID + PSE description from list, see former section Create PSE Folder

  • Tab Special Options:
    • Section Timeout: Radiobutton ICM Default Timeout
    • Section Status of HTTP Version: select HTTP 1.1
    • Section Compression Status: Compression radiobutton Inactive
    • Section Status of Compressed Response: Compressed Response radiobutton Yes
    • Section Type of Cookies Acceptance: Accept Cookies radiobutton No

Finally, check that the new destination works by using the Connection Test button. A logon popup then appears. Getting this popup means the test was successful; push the Cancel button.

Test result is Response 401 (Unauthorized). This is fine.

Hint: In case you don’t get the logon popup, check the following system parameters (transaction RZ11):

  • icm/HTTPS/client_sni_enabled >> TRUE
  • ssl/client_sni_enabled >> TRUE
  • ssl/ciphersuites >> 135:PFS:HIGH::EC_P256:EC_HIGH
  • ssl/client_ciphersuites >> 150:PFS:HIGH::EC_P256:EC_HIGH

3.4. Maintain OAuth 2.0 Client

Use the menu of the same name in transaction SPRO or run transaction OA2C_CONFIG.

Intention, see documentation in SPRO: “The APIs of SAP Cloud Platform Workflow service are called using REST and use OAuth 2.0 with client credentials flow. You must maintain an OAuth 2.0 client configuration for each connected instance of the workflow service with the information provided in the service key of the service instance. The service key can be obtained from the SAP Cloud Platform cockpit.” (replace SAP Cloud Platform with Business Technology Platform [BTP])

  • A browser window opens; if Internet Explorer starts, copy the URL to Google Chrome instead (IE does not have the full feature set that we need here)
  • Button Create

  • Insert values:

  • Fill fields in Details area:
    • General Settings:
    • Authorization Server Settings:
    • Access Settings
      • Client Authentication: radiobutton Form Fields
      • Resource Access Authentication: radiobutton Header Field
      • Selected Grant Type: radiobutton Client Credentials
    • No more changes in fields
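
What the Access Settings above mean on the wire, as an added example that is not part of the original article or of SAP's code: with Client Authentication set to Form Fields the token request carries the client ID and secret in the form body, and with Resource Access Authentication set to Header Field the API call carries the token in the Authorization header. Both servers are simulated in-process, assuming an authorization server that expects form-field credentials; the client ID, secret and function names are constructed for illustration.

```python
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed sample values; real ones come from the service key of the service instance.
CLIENT_ID = "sb-example-client"
CLIENT_SECRET = "example-secret"
_issued = set()  # tokens handed out by the simulated authorization server


def build_token_request(client_id, client_secret, client_auth="form"):
    """Return (headers, body) of a client-credentials token request."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    fields = {"grant_type": "client_credentials"}
    if client_auth == "form":   # Client Authentication: Form Fields
        fields.update(client_id=client_id, client_secret=client_secret)
    else:                       # the other option: HTTP Basic header
        raw = f"{client_id}:{client_secret}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode()
    return headers, urlencode(fields)


def token_endpoint(headers, body):
    """Simulated authorization server (assumption: accepts form-field credentials only)."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    known = form.get("client_id") == CLIENT_ID and hmac.compare_digest(
        form.get("client_secret", ""), CLIENT_SECRET)
    if not known:
        return 401, {"error": "invalid_client"}
    token = secrets.token_urlsafe(16)
    _issued.add(token)
    return 200, {"access_token": token, "token_type": "bearer"}


def workflow_api(headers):
    """Simulated resource server: expects the token in the Authorization header."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "bearer" and token in _issued:
        return 200
    return 401  # unauthenticated call, like the 401 of the connection test in 3.3


def call_workflow(client_auth="form"):
    """Run the whole flow and return the HTTP status of the API call."""
    status, payload = token_endpoint(*build_token_request(CLIENT_ID, CLIENT_SECRET, client_auth))
    if status != 200:
        return status
    # Resource Access Authentication: Header Field
    return workflow_api({"Authorization": "Bearer " + payload["access_token"]})
```

A mismatch between the Client Authentication setting and what the authorization server expects shows up as a failed token request, before any workflow API call is made.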

3.5. Activate OData Service

Use the menu of the same name in transaction SPRO or run transaction /n/IWFND/MAINT_SERVICE (or SICF).

  • Search for Service SWF_CPWF_NOTIFICATION_SRV (in column External Service Name). If you can’t find this service:
    • Push button Add Service
    • Choose your system, where this service is supposed to be (in this scenario it is the same server as the backend system and therefore probably LOCAL)
    • Push button Get Services and search for SWF_CPWF_NOTIFICATION_SRV
    • Select the line and push button Add Selected Services
    • Assign a package and continue
    • Go back
  • In section ICF Nodes push button ICF Node >> Choose Activate >> node should have a green traffic light icon

  • Check availability of a system alias in section System Aliases

=> Conclusion: With all configurations maintained in the SAP S/4HANA backend system, SAP BTP and the backend know each other. What we still need are certain communication users, which need special authorizations. This is covered in the next part.



>> Next: User and Roles for SAP BTP Workflow and Flexible Workflow