Note: This blog is the second part of a tutorial series. If you arrived here without reading the first part, please do so before you continue, and then come back here again. Part I describes principal propagation between an application frontend running on Microsoft Azure, calling a Web Service deployed to SAP Business Technology Platform (BTP). Part II (this blog) extends the scenario by propagating the Azure-authenticated user via BTP and SAP Cloud Connector to an SAP Gateway system for displaying the user's data. Part III adds a business application to the scenario by implementing a chatbot in Microsoft Teams with the Microsoft Bot Framework V4 SDK, SAP BTP Integration Suite, and Core Data Services in the SAP Gateway system. A live demo of this scenario is available on episode #31 of the great SAP on Azure Video podcast series (starting at min 23:30) from hobruche , goran-condric, and roboban. Part IV uses a “low-code” approach for implementing the chatbot of part III with Microsoft Power Platform, demonstrated in episode #40 of the SAP on Azure Video Podcast series. Part V looks at different aspects for production readiness, such as API management, monitoring and alerting (live demo available on episode #83 in the SAP on Azure video podcast series). Part VI turns the scenario into the opposite direction by propagating the SAP-authenticated user of a BTP business application to call the Microsoft Graph API and retrieve the user’s Microsoft Outlook events. Finally, part VII looks at principal propagation from Microsoft Power Platform to SAP in the context of making Remote Function Calls (RFCs) and using Business Application Programming Interfaces (BAPIs) with the Kerberos protocol. See episode 142 of the SAP on Azure video podcast series for a live demo of this scenario. |
ODataQueryResult result = ODataQueryBuilder
.withEntity("/sap/opu/odata/SAP/ZAZURESAP_PP_SRV", "SalesOrderSet")
.withoutMetadata()
.build()
.execute(DESTINATION_NAME);
jdoe@contoso.onmicrosoft.com
. Most likely, this user name is not known to an SAP system. Therefore, a mapping to the user's email address (e.g. jdoe@contoso.com) registered in Azure AD has been configured in step 31 of part I, when you set the SAML configuration for the enterprise app registration. You could have also set the subject name identifier (NameID) in the Azure AD-generated SAML assertion to any other value found in the directory. If there were something like an "SAP ID" (e.g. "JDOE", which many customers maintain in their AD), you could have mapped it to the NameID, and carry this identfier all the way to the SAP system for login.git clone https://github.com/raepple/azure-scp-principal-propagation.git
cd azure-scp-principal-propagation
git checkout part2
Step | Description | Screenshot |
1 | Open a command line and change to the directory of your OpenSSL installation. Create a new subdirectory with name trustedca . | |
2 | Change to the new subdirectory and create the following subdirectories: certs , private , crl and csr | |
3 | Copy the corporate root CA configuration file trustedca.cnf from the code repository to the trustedca directory. Next, generate the root CA signing key with the command openssl genrsa -aes256 -out trustedca.key 4096 You will be asked twice to provide and confirm a pass phrase for the generated private key. | |
4 | Generate the self-signed CA root certificate with the command openssl req -key trustedca.key -new -x509 -days 7300 -sha256 -extensions v3_ca -out trustedca.crt Below are suggested values for the new certificate's Distinguished Name (DN):
| |
5 | Create a few files needed by your new corporate root CA to manage the issuance of new certificates:copy NUL index echo 1000 > serial echo 1000 > crlnumber | |
6 | You are now ready to generate the intermediate CA key pair and certificate for SCC with the command openssl genrsa -aes256 -out private\scc.key 2048 | |
7 | The intermediate CA certificate for SCC must be signed by your new root CA. Therefore you create a Certificate Signing Request (CSR) with the following command: openssl req -key private\scc.key -new -sha256 -out csr\scc.csr Below are suggested values for the new certificate's Distinguished Name (DN):
You can leave the 'extra' attributes for the certificate request blank:
| |
8 | Sign the SCC intermediate CA certificate request with your root CA key using the command openssl ca -batch -config trustedca.cnf -notext -in csr/scc.csr -out certs/scc.crt | |
9 | For later upload to SCC, convert the intermediate CA key pair and certificate into a PKCS12-formatted file with the command openssl pkcs12 -export -clcerts -in certs/scc.crt -inkey private/scc.key -out certs/scc.p12 Remember the export password for the file. You will need it later when you import the key pair in SCC. |
Step | Description | Screenshot |
10 | Start your SCC instance by launching go.bat (on Windows) from the installation directory. Login to your SCC instance (https://localhost:8443 if you run it on your local machine). If you have a new installation, the userAdministrator has the initial password manage , and you have to change it upon first login. You may also see a warning in your browser saying the the connection is not trustworthy (due to a mismatch of the CN name in the SSL certificate), but can safely ignore it. | |
11 | Enter the connection parameters for your BTP subaccount. In my case, I've connected SCC to my BTP trial subaccount on the us10 landscape. Make sure you select the correct region and ID for your subaccount. The ID can be obtained from SAP Cloud Platform Cockpit when you enter your subaccount and click on the Information symbol of the subaccount tile. | |
12 | Import the intermediate CA certificate as you new system certficate by selecting Configuration from the left-side navigation menu. Select the tab On Premise and click on the Import button to install the new System Certificate. Choose P12 Certificate for the Certificate Type, select the file scc.p12 from the certs subfolder of your OpenSSL root CA directory, and enter the export password. Click Import. | |
13 | Scroll down on the Configuration screen to the CA Certificate section. Again, click on the Import button, select the scc.p12 file, and import it. | |
14 | Next, select the Cloud To On-Premise settings of your subaccount from the navigation menu, stay on the Access Control tab, and click on Add ("+"). | |
15 | Click through the wizard with the following selections:
Click Finish. You should see a new entry in the table for your SAP Gateway system. Verify that the Check Result shows Reachable. In the Resources table, click on Add ("+"). | |
16 | For the sake of simplicity you will allow the root path (" / ") with subpaths to be accessed from the Cloud. In a production environment you would restrict the access to resources to only a subset, e.g. /sap/opu/odata ).Click Save. | |
17 | Select the tab Principal Propagation and click on the Synchronize button to import the trust configuration for the JWT signing key from your BTP subaccount. | |
18 | For a quick test of the principal propagation settings in the next section, go back to the Configuration settings in the main navigation menu. Select the On Premise tab and scroll down to the Principal Propagation settings. Click on the Create a sample certificate button. For the CN name, enter the e-mail address of your test user. Click Generate. Remember the folder where the generated file scc_sample_cert.der is downloaded. You will need this file to create the user mapping rule in the next section. |
Step | Description | Screenshot |
19 | Login to the SAP Gateway system with SAP GUI and start transaction STRUST. Select SSL Server Standard from the PSE list. Click on the button Import certificate. In the file dialog window, select the trustedca.crt root CA certificate from the trustedca subdirectory of your OpenSSL installation. Click Enter, and then Add to Certificate List.Repeat this step to import the SCC intermediate CA certificate by clicking on the Import certificate button again. Now select the scc.crt file from the trustedca\certs subdirectoy of your OpenSSL installation. Click Enter and then Add to Certificate List. | |
20 | The certificate list of the SSL Server Standard PSE now contains the two certificates (root and intermediate) of the corporate CA. Click Save. | |
21 | Verify and maintain the required SSL profile parameters for principal propagation by starting transaction RZ11. Enter the Parameter Name icm/HTTPS/verify_client an click Display. This parameter specifies whether or not a client (here SCC) must send a certificate. | |
22 | Check that the Current Value is set to 1. Otherwise, click on the Change Value button and set it to 1. With the value set to 1, the server asks the client to transfer a certificate. If the client does not send a certificate, authentication is carried out by another method, for example, basic authentication. Next, go to the profile parameter management with transaction code RZ10 | |
23 | Select the instance profile with name <SID>_<Instance-Name>_<Hostname>, e.g. NPL_D00_VHCALNPLCI in my case, from the Profile list, choose Extended maintenance, and click on the Change button. | |
24 | Add the following new parameter to the instance profile by clicking on the Create Parameter (F5) button. Parameter name: icm/HTTPS/trust_client_with_issuer Parameter value: CN=Trusted CA, OU=Trusted CA, O=Contoso Ltd, SP=BW, C=DE This parameter controls the trust relationship between SCC and the Internet Communication Manager (ICM) to accept X.509 client certificates issued by the corporate Root CA. Note: The parameter value depends on the input for the DN in step 4. It may be different in your case if you chose other values. I'd recommend to copy & paste the value from the Configuration screen in SCC. Important: Before saving the new parameter, change the "ST" element of the DN into "SP". Click on Copy, then Back (F3). | |
25 | Add another new parameter to the instance profile by clicking on the Create Parameter (F5) button. This parameter controls the trust relationship between SCC and the Internet Communication Manager (ICM) to accept X.509 client certificates issued to SCC. Parameter name: icm/HTTPS/trust_client_with_subject Parameter value: OU=SCC, O=Contoso Ltd, C=DE, SP=BW, CN=SCC Note: The parameter value depends on the input for the DN in step 7. It may be different in your case if you chose other values. I'd recommend to copy & paste the value from the Configuration screen in SCC. Important: Before saving the new parameter, change the "ST" element of the DN into "SP". Click on Copy, then Back (F3). | |
26 | Add another new parameter to the instance profile by clicking on the Create Parameter (F5) button. This parameter controls how the CN name in the incoming client certificates generated by SCC are mapped to users in your SAP system. Parameter name: login/certificate_mapping_rulebased Parameter value: 1 Click on Copy, then Back (F3). | |
27 | Finally, check that the new parameters were added to your instance profile. Click the Change/Display button and confirm to save the changes to the profile. Click Back (F3). | |
28 | Click Save to activate the profile changes. Note: You can ignore any warnings or consistency checks when saving and activating the new profile changes. At this time, you may want to restart your SAP instance to make the changes effective. | |
29 | Login to your SAP instance again and configure the rule based certificate mapping with transaction code CERTRULE. Switch to the edit mode by clicking on the Display/Change button. Then click on the Import certificate button to upload the generated client certificate from step 18 ( scc_sample_cert.der ) .Add a new mapping rule for this certificate by clicking on the Rule button. | |
30 | In the dialog window, select the proposed value for the Certificate Attr. field. To successfully map the user's ID from the Common Name (CN) in the certificate, which is the user's email address, select for Login As the value E-Mail. Click Continue (Enter). | |
31 | Click Save (Ctrl + S). You should see on the right side that the certificate could be successfully mapped based on the new rule, and that a user with the email exists. If this is not the case, check with transaction SU01 that a user with the E-Mail address from the certificate exists. |
Step | Description | Screenshot |
32 | Start the Gateway Service Builder by running transaction SEGW and create a new project (Ctrl + F5). Enter the following
Click Continue (Enter). | |
33 | On the new project, right-click on Data Model and select Import -> DDIC Structure. | |
34 | In the first step of the import wizard, enter SalesOrder for the new Entity Type Name, and import the ABAP Structure SEPM_ISOE. Click Next. | |
35 | Select the all parameters from the DDIC structure except MANDT. Click Next. | |
36 | Select SALESORDER as the key element for your new data model by activating the Is Key checkbox. Click Finish. | |
37 | The new Entity Types and Entity Sets have been created. Click Save. Next, select Project -> Generate or press Crtl+F3. In the new dialog window, leave all proposed default values unchanged for the runtime objects and click Continue (Enter). | |
38 | Select Local Object in the Create Object Directory Entry dialog. You should see a message saying Runtime objects generated. | |
39 | Expand the subfolder Service Maintenance on your new project, select the item GW_HUB, right-click on it, and choose Register from the context menu. | |
40 | In the Add Service dialog, leave all default values. Click on Local Object to set the Package Assignment to $TMP. Activate the checkbox Enable OAuth for Service. Click Continue (Enter). | |
41 | Double-click on the GW_HUB item again to check that the Registration Status turned to green. | |
42 | Now you need to implement the service method(s) fot the generated stubs. Open the subfolder Service Implementation, select the SalesOrderSet item, and right-click on the GetEntitySet (Query) method. From the context menu, select Go to ABAP Workbench. Confirm with Yes to save the changes, and click on Continue (Enter) on the Information popup. | |
43 | In ABAP Workbench, press Ctrl + F1 or the Display/Change button. | |
44 | Select the method SALESORDERSET_GET_ENTITYSET from the subfolder Methods -> Inherited Methods. Right-click on it and choose Redefine from the context menu. | |
45 | Replace the code of the SALESORDERSET_GET_ENTITYSET method with the code from the GitHub repository. You can find it here. The code adds an HTTP response header with name "current_user" which contains the currently logged in users name when the method is executed. You will inspect this header later during the scenario test to verify that the user from Azure AD has been propagated correctly. Click Save (Ctrl + S), then Activate (Ctrl + F3). Confirm the object activation popup dialog with Continue (Enter). |
Step | Description | Screenshot |
46 | Open a command line and change to the directory where you cloned the GitHub repository. Make sure that your are on the part2 branch by entering the command git status . | |
47 | Change to the SCP\service subfolder.Edit the file manifest.yml and replace the string <your-trial-org-name> with the value of your BTP trial subaccount’s org name, e.g. 98abcd76trial Replace the string <your-trial-org-landscape> with the value of your BTP trial subaccount’s landscape, e.g. eu10 or us10 This ensures a unique route to the service in the (trial) landscape. | |
48 | Create the service binding for the destination service with the command cf create-service destination lite service-destination | |
49 | Create the service binding for the connectivity service with the command cf create-service connectivity lite service-connectivity | |
50 | Build the BTP Web Service with the command mvn clean package . You should see a message saying the build succeeded. | |
51 | Login to your BTP subaccount. In the following steps we’ll use a trial account on the EU10 landscape with the command cf login -a https://api.cf.eu10.hana.ondemand.com | |
52 | Deploy the BTP Web Service with the command cf push You should see a message that the state of your service is running. | |
53 | Open the BTP Cockpit in your browser and login with your account admin. Navigate to your trial account and select Connectivity – Destinations from the left side navigation menu. Click New Destination. | |
54 | Enter the following configuration values:
Click Save. Note: The destination name is hardcoded in the Web Service implementation. If you change the name here you also have to change in the code. |
Step | Description | Screenshot |
55 | Follow the same steps from 43 to 55 as described in section Testing the scenario of part I. | |
56 | The last request in the Postman collection will send the response from the updated BTP Web Service. Besides the name of the propagated principal in BTP, the servlet also provides the name of the propagated principal in SAP Gateway. After making the OData call, the response to BTP from SAP Gateway includes the custom HTTP header current_user which is set to the value of sy_uname , under which the OData API is invoked:
If you see your SAP user name in the response header value like in the example above, this proves that you've successfully completed all tutorial steps from part I and II, and that the user logged on to Azure has been successfully propaged via BTP to the SAP system on-premise. Congratulations! |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
10 | |
10 | |
9 | |
7 | |
4 | |
4 | |
3 | |
3 | |
2 | |
2 |