Supply Chain Management Blogs by SAP
Expand your SAP SCM knowledge and stay informed about supply chain management technology and solutions with blog posts by SAP. Follow and stay connected.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

How to Setup Connection from your Cloud Integration to SAP Logistics Business Network

RavishShettyR
Product and Topic Expert
Product and Topic Expert
‎2021 May 10 11:51 AM
13,072

Introduction


SAP Logistics Business Network, freight collaboration option improves supply chain efficiency  by connecting business partners on a collaborative network that supports jointly managing transactions, exchanging documents, and sharing insights across the value chain.

To enable document exchange, you have to setup connectivity to your On-Premise system. Your on-premise(SAP S/4HANA or SAP TM standalone) system can be connected to SAP Logistics Business Network based on below options

    1. Connection via middleware: either SAP Process Integration(PI) or SAP Cloud Integration

    1. Direct connection (via SOAMANAGER) between SAP Logistics Business Networkand your SAP TM or SAP S/4HANA system


This blog will elaborate option 1 with connection via SAP Cloud Integration by providing step-by-step guidance for you establish connection.

Important Update (21/08/2024)

We've migrated our existing integration platform (based on SAP BTP Neo environment) and the URL/host mentioned in this blog has changed. Sub-account details to be added in your SAP Cloud Connector configuration have also changed as a new integration platform is used. We urge you to migrate to our new integration platform (based on SAP BTP Multi-Cloud environment) as the support for existing platform will be stopped on May 16, 2025. You can read more about the same here. There's a detailed migration guide available there which also holds the new URL endpoints and host information. The destination URL/host/sub-account information for cloud connector configurations mentioned in this blog are not yet updated to the new integration platform. Please refer to our Migration Guide for Premium Users for the new endpoint details. 

Standard Integration Content Now Available

SAP Business Networks for Logistics team published a standard integration content for customers with a Cloud Integration subscription to connect to SAP BN4L from backend SAP S/4HANA systems. You can import the package and simply configure inbound and outbound scenarios rather than developing your own integration content. The iflows are marked as SAP-to-SAP integration. There's a detailed configuration guide also available to help you setup the iflows.

 

1. Generate the key pairs certificates(Key Pairs) with Identity Authentication Service

 



Communication between SAP Logistics Business Network and SAP TM or SAP S/4HANA is based on B2B messages using SOAP protocol.  Messages are authenticated using client certificates. These certificates must be requested.


    • While subscribing to an SAP Logistics Business Network productive license, you have been provisioned with an Identity Authentication service tenant and details tenant, and a URL is sent to the S-User used for the license

    • If you have subscribed for a test SAP Logistics Business Network license and you have not purchased an Identity Authentication service tenant, you may request a key pair from SAP by raising an incident to the component SBN-LBN-INT. (In this case, you can skip the steps in this )




When using the Identity Authentication service, the certificates are signed by SAP Passport CA.

Perform the following steps to request the Key Pairs certificate:

    1. Obtain access to the Identity Authentication tenant

    1. Follow the steps below to generate a *.p12 file from your Identity Authentication service tenant. Perform the following actions to generate a key The following process is only for an SAP Logistics Business Network productive license.

        • Access the tenant’s administration console for the Identity Authentication service by using the console’

        • Note the following points:


            • The tenant ID is automatically generated by the first administrator who created the tenant receives an activation email with a URL. This URL contains the tenant ID




        • Under Applications and Resources, choose Applications, click the pencil icon for Add Application, and assign the new application the name CertificateGeneration, for example. Within the section “Client ID, Secrets and Certificate”, Click on Add “Certificates for API Authentication”

        • Enter the Common NamePassword, and Confirmed Passwordand click on Generate. The browser downloads *.P12 file to your local folder. Ensure that you note down the password




Top

2. Import IAS Certificate to SAP Logistics Business Network



    1. From *.P12 file extract leaf certificate via application KeyStore Explorer application . You may down the key store explorer from website (https://keystore-explorer.org )

    1. After installing the application drag and drop p12 file into the keystore application. Enter the p12 file password . Export the p12 leaf certificate as shown in the image.

    1. Logon to SAP Logistics Business Network application. Navigate to system connection app. Create a new connection of type SAP TM – SAP S/4HANA. In the “Inbound to Network”, click on Add and upload the exported p12 leaf certificate.

    1. In the system connection app, navigate to "Outbound from Network" tab, then click on "Configure Connection". In the right panel, click on "EDIT, select Active Authentication Type as "Client Certificate", then Click on “Certificate Chain”. This will download a *.P7B file into your web browser's download folder. This certificate will be used to authenticate flow from SAP Logistics Business Network to your SAP Cloud Integration instance.

    1. Activate the connection.


Top

3. Import Certificates  to your SAP Cloud Integration



    1. Logon to your SAP Cloud Integration system. Navigate to Monitor and then to Key Store. Upload the*.p12 file (key pair). Provide an Alias name and note it down for later use. You have to enter the same password as used to generate the key pair.

    1. Extract the root and intermediate certificates of the runtime URL: https://l20398-iflmap.hcisbp.eu1.hana.ondemand.com via key store explorer and upload to the SAP Cloud Integrationtenant keystore


Additionally refer the below link on how to extract certificate using mac. https://stackoverflow.com/questions/25940396/how-to-export-certificate-from-chrome-on-a-mac

Top



4. Maintain SAP Cloud Integration Outbound SOAP Adapter



    1. In the iflow for sending out payloads to SAP Logistics Business Network, Create a SOAP adapter. Maintain


        • Authentication type: Client Certificate.

        • Private key alias: Alias name you have provided while uploading the *.p12 file




Top

5. Maintain SAP Cloud Integration Inbound SOAP Adapter


Within your inbound iflow in SAP Cloud Integration to receive LBN payload, create a SOAP adapter. Maintain below fields

    • Address: URL endpoint address

    • Service Definition: Manual

    • Message Exchange Pattern: One-way

    • Authorization: Client Certificate

    • Client Authorization:

        • Export the leaf certification from *.P7B file ( this file you would have downloaded from System connection app ) via key store explorer.

        • In the SOAP Adapter connection setting , within Client Certificate Authorization, Add the exported certificate






Additionally, if you are your using Cloud Integration BTP ( CF) , there are additional steps required (Further details refer blog:  https://blogs.sap.com/2019/08/14/cloud-integration-on-cf-how-to-setup-secure-http-inbound-connection... )


    • Configure Client Certificate Based Authentication in the Service Instance in SAP Cloud Platform Cockpit



    • Configure Client Certificate in the Service Key in SAP Cloud Platform Cockpit



 

Configure Client Certificate Based Authentication in the Service Instance in SAP Cloud Platform Cockpit


If you like to use client certificate-based inbound authentication, you have to activate this option in the service instance in SAP Cloud Platform Cockpit. When creating the service instance to be used for client certificated-based authentication in the SAP Cloud Platform Cockpit, you need to specify client_x509 as grant type:

{

    "grant-types": ["client_x509"]

}


More details on creating service instances in Cloud Foundry can be found in the SAP online documentation at Creating a Service Instance in the Cloud Foundry Environment.

Configure Client Certificate in the Service Key in SAP Cloud Platform Cockpit


Configure the client certificate that will be used to send messages to the integration flow in the service key in the SAP Cloud Platform Cockpit.

After the service instance is available, a service key for the instance needs to be created. In the Create Service Key dialog provide a Name and in the Configuration Parameters add the encoded client certificate in the following JSON format:

{

    "X.509": "-----BEGIN CERTIFICATE-----MIIHyDCCBrCgAwIB[...]CAq8Tn7kSFDmVnrXe6v8hcQ==-----END CERTIFICATE-----"

}


Note that the client certificate is a PEM-encoded X.509 certificate. Remove all line breaks, otherwise the user interface will not accept the entry.

Note that you can create multiple service keys for one service instance with different client certificates. But a client certificate can be assigned to one service instance only once.

More details on defining service keys in the Cloud Foundry environment can be found in the SAP online documentation at Defining a Service Key for the Instance in the Cloud Foundry Environment.

 

 

 





Top

6. Maintain iflow endpoint of SAP Cloud Integration in System Connection


For communication from SAP Logistics Business Network to your Cloud Integration layer, you have to maintain the your SAP  Cloud Integration iflow endpoint in System connection app.

    1. Open System connection app and Navigate to connection you have created earlier steps

    1. In the Outbound from Network tab, click on “Add Destination” and maintain the endpoint for each “Service Interface Name” . Authentical details will be blank. ( You could have different endpoint for each service interface or the same endpoint. It depends on your implantation is SAP Cloud Integration )

    1. Click on Activate button


Top



Summary


By following above steps you would have established connection between your instance of SAP Cloud Integration with SAP Logistics Network.  You would have additionally do the required settings and mapping to connect underlying SAP or Non SAP system to your SAP Cloud Integration tenant. You may find the details in this help documentation. https://help.sap.com/viewer/368c481cd6954bdfa5d0435479fd4eaf/Cloud/en-US/7cfe913ba85d463a9c5fce101c3...




 

 

4 Comments
Popular Blog Posts