Enabling change & deployment management in SAP Cloud ALM for SAP S/4HANA and SAP S/4HANA Cloud, private edition

Change enablement and deployment orchestration is still a key to keep the production environment stable and reliable. In SAP Cloud ALM software changes can be managed via features. The business transaction feature holds the change documentation together with the change containers – mainly transport requests.

In this blog post you will learn more about how to enable deployment management in SAP Cloud ALM for SAP S/4HANA and SAP S/4HANA Cloud, private edition. SAP Cloud ALM integrates into Change and Transport System (CTS) which leads to the fact that all SAP NetWeaver Application Server for ABAP systems on-premise can be managed.

First you need to check whether the systems you’d like to connect to SAP Cloud ALM meet the following prerequisites:

  • SAP_BASIS 7.40 SP20 or higher (accordingly 7.50 SP04) and ST-PI 7.40 SP16 or higher should be installed. Please install the respective versions in case your systems do not meet the requirements.
  • Check that the profile parameter icm/HTTPS/client_sni_enabled is set to TRUE. For more information, refer to SAP Note 510007. Transaction code RZ11 can be used to check for the parameter setting.
  • Check that DigiCert Global Root CA is imported in STRUST under SSL Client (Anonymous) and SSL Client (Standard). Go to transaction code STRUST in each ABAP system to be connected (client 000) to check for the Certificates.

Certificates%20in%20STRUST

Certificate in STRUST

In case the Certificate is not imported yet you need to do the following:

Download and Import the Certificate

You need to import the DigiCert Root CA certificate to both the SSL Client (Anonymous) as well as the SSL Client (Standard) in the transaction STRUST in your ABAP system.

1) Download the certificate from https://dl.cacerts.digicert.com/DigiCertGlobalRootCA.crt.

2) Log on to your ABAP systems (client 000) you want to connect to SAP Cloud ALM.

3) Go to transaction STRUST.

4) Switch to change mode (Ctrl+F1).

5) Double-click on “SSL client SSL Client (Anonymous)” in the navigation tree on the left side.

6) Click More / Menu “Certificate” > “Import”.

  • Use the file path selector to select your DigiCert Root CA certificate downloaded before.
  • Click the button with the green check-mark.

Import%20Certificate

Import Certificate

7) Click More / Menu “Edit” > “Add certificate”.

Add%20Certificate

Add Certificate

8) Double-click on “SSL client SSL Client (Standard)” in the navigation tree on the left side.

9) Make sure the certificate information are still visible in the “Certificate” area in the lower right panel

10) Click menu “Edit” > “Add certificate”.

11) Click the “Save” button.

Prerequisites

Your user has the role Global Account Administrator in the global account that was created when you requested SAP Cloud ALM, and is a member of the subaccount containing your SAP Cloud ALM subscription.

You can verify that you have the necessary authorization by navigating to your global account and checking whether the Security menu is available. If you don’t have this role, the global account administrator can assign it to you by following the steps described in Add Members to Your Global Account.

Your user has the role Org Manager in your Cloud Foundry organization.

You can verify that you have the necessary authorization by navigating to your subaccount and choosing Cloud Foundry Org Members. If you don’t have this role, the org manager can assign it to you by following the steps described in Add Org Members Using the Cockpit. If Cloud Foundry is not available in the menu, you can enable it by following the steps described in Create Orgs.

Note: If you’ve requested SAP Cloud ALM, your user has automatically received the required authorizations during the creation of the global account and the subaccount.

Procedure

Carry out the following steps to enable SAP Cloud ALM API:

Create a Space

1) Open the SAP BTP cockpit.

2) Select the global account that contains your SAP Cloud ALM entitlement, which was created when you requested SAP Cloud ALM.

3 )Under Subaccounts, select the subaccount that contains your SAP Cloud ALM subscription.

4) Choose Cloud Foundry > Spaces.

5) Choose Create Space in case no space available yet.

Create%20Space

6) Enter a space name, such as sap_cloud_alm_space, and select the roles that you want to assign to your user for this space. To perform the following steps, your user needs at least Space Developer.

7) Choose Create.

Configure Entitlements

An entitlement is your right to provision and consume a resource.

1) Choose Entitlements and check for Service SAP Cloud ALM API. In case you are already entitled to that service you can move to Create a New Instance.

Note: You can increase your global quota, that is, your maximum allowed consumption of this service plan, in the control center.

2) If the service is missing you can click Configure Entitlements.

Configure%20Entitlement

Configure Entitlement

3) Choose Add Service Plans.

4) Add the required service plan as follows:

  • Select the entitlement SAP Cloud ALM API.
  • Under Available Plans, check the option standard.
  • Choose Add 1 Service Plan.

Add%20Service%20Plan

Add Service Plan

4) Choose Save.

Create a New Instance

1) Choose Cloud Foundry > Spaces.

2) Select the created or already existing space. You now see the application list of your created space.

3) Choose Services > Instances.

Choose%20Services%20-%20Instances

Choose Services – Instances

4) Choose the Create dropdown and click on Service Instance.

Create%20Service%20Instance

Create Service Instance

5) Under Basic Info provide the following details:

  • Service: SAP Cloud ALM API
  • Plan: standard
  • Instance Name: Enter a meaningful name, e.g. CALMFeatureDeployment

Instance%20Creation

Instance Creation

6) Choose Next.

7) When creating a service instance for feature deployment, the following configuration in json format is needed in order to assign the required scopes to the service instance.

  • Paste the following json code into the text editor:

          Source Code

{ "xs-security": { "xsappname": "CALMFeatureDeployment", "authorities": [ "$XSMASTERAPPNAME.imp-cdm-feature-manage-ui" ] } }
  • In the text editor it should look like this:

Source%20Code%20in%20text%20editor

Source Code in text editor

  • You can choose your own xsappname. Make sure it’s not already used in another service Instance and doesn’t contain spaces or special characters.
  • Authorities: Make sure to use exactly the string provided above.

8) Choose Create.

9) When your instance has been created, it’s added to the instance list. To show the details of the instance click on the newly created instance.

In the next chapter, you will be guided through the steps for creating a service key, which is later needed to maintain the HTTP destination.

Create a Service Key

The service key allows you to configure the transport management in the managed system so that it can connect to an SAP Cloud ALM API service instance.

1) Choose (Actions) and select Create Service Key.

Create%20Service%20Key

Create Service Key

2) Enter a name for your service key, such as sap_cloud_alm_key.

3) Choose Create.

4) Next to your newly created service key, choose (Actions) and select View.

View%20Service%20Key

View Service Key

5) You can now see your service key in JSON format.

  • The service key is structured in the following way:
    • Endpoints: e.g., alm.cloud.sap
    • OAuth URL: Service Key parameter
    • Client ID: Service key parameter clientid
    • Client secret: Service key parameter clientsecret

Copy this newly created service key in JSON format to the clipboard because it’s needed later in the Maintain HTTP Destination section of this guide.

Caution: Outside of the SAP BTP cockpit, service keys must be stored securely. If you need a service key, create the service key directly in the SAP BTP cockpit, and access it from there whenever you need it.

As prerequisite please make sure that your TMS is configured properly.

Required Authorizations

You need to consider two users in the managed ABAP system for the setup. Please note that the authorization steps are only needed for system client 000. For other clients these steps can’t be performed.

  • To run transaction /SDF/ALM_SETUP, the user needs the PFCG role SAP_SDF_ALM_SETUP.

Note: In this role, you need to maintain the authorization field S_BTCH_NAM > BTCUNAME either with “*” or with the user name of the user you plan to use as data collection background job user.

  • The user you specify as background user, requires the PFCG role SAP_SDF_ALM_METRIC_PUSH_FNDand the role SAP_BC_TRANSPORT_ADMINISTRATOR.

Note: Download the latest version of the role SAP_SDF_ALM_METRIC_PUSH_FND from SAP Note 3104662 .

Configuration of PUSH data provider

The configuration of the PUSH data provider must be done in client 000 of all systems involved in the deployment management process, usually in development, test, and production system.

1) Log on to the respective ABAP system client 000.

2) Start transaction /n/SDF/ALM_SETUP.

If you start the transaction the first time, it will look like this:

ABAP%20Setup%20UI

ABAP Setup UI

Perform the following steps:

3) Target SAP Cloud ALM Destination

  • To create a new SAP Cloud ALM Destination, enter a name (e.g. SAP Cloud ALM) and confirm your input with the Enter.
  • To change an existing SAP Cloud ALM destination, select one from the F4 input help and press Enter.
  • By pressing Enter the subsequent fields are filled out automatically.

4) Maintain HTTP Destination

  • Choose Update Destination.
  • Copy the content of the JSON file you’ve created by following the steps in the Create a Service Key section of this guide. Choose Paste Service Keys and paste it into the text field popup.

Alternatively, you can enter the required fields for SAP Cloud ALM manually:

    • Token Endpoint: Enter the SAP Cloud ALM OAuth URL. Example for an OAuth URL: url + /oauth/token, e.g. calm-tenant.authentication.eu10.hana.ondemand.com/oauth/token
    • Client ID: Enter SAP Cloud ALM client ID.
    • Client Secret: Enter SAP Cloud ALM client secret.
    • Proxy User (if necessary)
    • Proxy Password (if necessary)
    • Proxy Host (if required by your network infrastructure. For SAP S/4HANA Cloud, private edition, enter value: proxy)
    • Proxy Port (if required by your network infrastructure. For SAP S/4HANA Cloud, private edition, enter value: 3128)
  • Choose Continue.

5) Enter Registration Target

  • Enter the target SAP Cloud ALM root URL depending on your region,                                        e.g.https://eu20.alm.cloud.sap.
  • Enter the background user you created to perform the data collection.
  • Choose Register to call SAP Cloud ALM and register the system.
  • Choose Continue.

If it’s successful, an LMS ID is retrieved and is displayed.

  • To unregister a system, choose Unregister.

Note: This stops all data collection.

6) Select the use cases related to SAP Cloud ALM Change & Deployment Management you want to collect and push data for. The push mechanism supports the following use-cases:

  • For the domain controller: CALM_CDM_TMS_LNDSCP
  • For development systems: CALM_CDM_TMS
  • All other systems (test or production): CALM_CDM_TMS_IMPORT

After you’ve selected the use case, choose Continue.

Further information about activating use cases:

CALM_CDM_TMS_LNDSCP CDM TMS Integration Transport Landscape

  • Reports the STMS landscape configuration to SAP Cloud ALM.
  • Only necessary to set up on one system per domain (that is the domain controller).
  • Currently supported landscapes:
    • Landscapes with at least two systems per route (also virtual systems)
    • Landscapes with basic consolidation and/or delivery targets (no target groups, delivery confirmation procedures, workflow-driven transports)
    • Landscapes with client-specific transport routes (CTC, optional)

CALM_CDM_TMS CDM TMS Integration Transport Assignment:

  • Reports transport requests to SAP Cloud ALM for assignment to features.
  • It’s only necessary to set up on source systems, specifically DEV systems.

CALM_CDM_TMS_IMPORT CDM TMS Integration Import Task

  • Queries to-be-imported transports from SAP Cloud ALM and triggers the import job.
  • It’s only necessary to set up on consolidation and target systems for import (that is, QA and PRD)

7) If everything is set up correctly, it should look like this:

Result%20screen

Result screen

Now you are ready to use Change & Deployment Management in SAP Cloud ALM for SAP S/4HANA and SAP S/4HANA Cloud, private edition. Assign transports to features in order to document your changes properly and move into the direction of continuous feature delivery.

Feature%20details

Feature details

Looking forward to receiving feedback. For latest updates and notifications you can follow me by clicking Moritz Gysler.