Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Part 3: SAP S/4HANA Backend Configuration to Communicate with SAP BTP

MaKu
Advisor
Advisor
‎2021 Nov 29 11:00 AM
6,403
This is part of a series of articles, which describe the steps to integrate an extension workflow using SAP Workflow Management on Business Technology Platform (BTP Workflow) into a Flexible Workflow in SAP S/4HANA OP.

Part 1: Integrating an Extension Workflow on SAP BTP into a Flexible Workflow
Part 2: SAP BTP Cockpit Configuration  for Usage of SAP Workflow Management
Part 3: SAP S/4HANA Backend Configuration to Communicate with SAP BTP
Part 4: User and Roles for SAP BTP Workflow and Flexible Workflow
Part 5: Configure Cloud Connector for Workflow Integration
Part 6: Workflow Scenario with Extension Step
Part 7: Flexible Workflow in Integration Scenario
Part 8: Extension Workflow using SAP Workflow Management on SAP BTP
Part 9: End-to-End Test of Workflow Integration Scenario
Part 10: Problem Solving of Workflow Integration Scenario

Content


1. Get Server Name
2. Certificate Issues
... 2.1. Create PSE Folder
... 2.2. Create PSE
... 2.3. Create, Sign and Upload Backend Certificate to your PSE
... 2.4. Add SAP BTP Certificate
3. Customizing
... 3.1. Create bgRFC Inbound Destination
... 3.2. Consumer Type Activation
... 3.3. Maintain Destination to External Server
... 3.4. Maintain OAuth 2.0 Client
... 3.5. Activate OData Service




1. Get Server Name


Use the backend system.

  • Run transaction RZ11 to view parameter values

  • Display parameter SAPLOCALHOSTFULL (case sensitive!)

  • Remember current value as localhost


Get name for https connection:

  • Run transaction SICF

  • Run (F8)

  • Menu >> Goto >> Port Information

  • Consider Host Name and Service columns for HTTPS-Protocol-line and remember as https host and https port



top







2. Certificate Issues


The following activities are done to create a trusted connection between backend and SAP BTP.

On backend system create a folder, create, sign and upload a certificate into this folder (for the backend system) and add the SAP BTP certificate, which was downloaded in Part 2: SAP BTP Cockpit Configuration  for Usage of SAP Workflow Management Follow the instructions in the next sections.

2.1. Create PSE Folder


In backend system

  • Run Transaction STRUST

  • Switch to change mode

  • Menu: Environment >> SSL Client Identities





  • Add a new line with any PSE ID and save, remember PSE description for the next step





  • There is a new entry SSL client <PSE description>




2.2. Create PSE


Switch to your new Folder (PSE) from section above via double-click (same transaction STRUST as before in change mode).

At the moment the icon besides the PSE folder name is a red cross:

  • Use the context menu of the new PSE folder >> Create

  • Insert values:

    • Name: value localhost from first section on this page

    • Org. (Opt): e.g. your department, optional value

    • Comp./Org.: e.g. your company

    • CA: Owner of the certificate

    • other meaningful values see below:







  • Save


2.3. Create, Sign and Upload Backend Certificate to your PSE


Same place as before (STRUST transaction in change mode, PSE folder)

On the right side follow the next steps:

  • Create new certificate request, use buttons as shown in the screenshot:





  • Create (button below)





  • Use this generated string and let it sign by a proper Authority

  • Afterwards upload the signed certificate





  • New popup opens. Upload your signed string.

  • Set checkbox for trusting your own root certificate

  • Save


2.4. Add SAP BTP Certificate


Same place as before (STRUST transaction in change mode, PSE folder)

  • On the bottom of section Certificate push button Import certificate





Repeat these steps for all certificates from certificate chain of SAP BTP.

top







3. Customizing


In backend system:

All of the following activities can be reached via transaction SPRO. Follow the path in screenshot, but be aware, that the path can slightly differ:



3.1. Create bgRFC Inbound Destination


Use same named menu in SPRO transaction or run transaction SBGRFCCONF

Intention, see documentation in SPRO: "The API calls to the connected SAP Cloud Platform Workflow tenant are done by scheduling an asynchronous background processing of Remote Function Calls (bgRFC). You must therefore configure a bgRFC inbound destination."

  • Tab Define Inbound Dest.

  • Create the destination  BC_CPWF_INBOUND_DEST in case it does not exist. There is no need to assign any queue prefix or a logon group.





  • Save


3.2. Consumer Type Activation


Use same named menu in SPRO transaction

Intention, see documentation in SPRO: "Each application using the proxy API for the integration of SAP Cloud Platform Workflow registers itself as consumer type within the proxy framework. This consumer type is used to determine the correct destination, which the proxy uses to process the requests of the application, for example, to start or cancel workflow instances on SAP Cloud Platform Workflow."

  • Add DEFAULT entry and activate it




3.3. Maintain Destination to External Server


External Server means SAP BTP in our scenario.

Use same named menu in SPRO transaction or SM59.

Intention, see documentation in SPRO: "The APIs of SAP Cloud Platform Workflow service are called using REST and require an RFC destination to an external server (Type 'G'). You must maintain such a destination for each connected instance of the workflow service."

  • Create a new HTTP Connection to external server (use folder with type G)





  • Insert and remember a meaningful destination name and connection type G





  • General Area:

    • RFC Destination: prefilled with name from step before

    • Connection Type: G (prefilled)

    • Description 1: any description










  • Tab Logon & Security:

    • Section Logon with User >> Radiobutton Do not Use a User

    • Section Logon with Ticket >> Radiobutton Do not Send Logon Ticket

    • No MQTT/AMQP values

    • Section Security Options

      • SSL: Radiobutton Active

      • SSL Certificate: Choose your PSE ID + PSE description from list, see former section Create PSE Folder









  • Tab Special Options:

    • Section Timeout: Radiobutton ICM Default Timeout

    • Section Status of HTTP Version: select HTTP 1.1

    • Section Compression Status: Compression radiobutton Inactive

    • Section Status of Compressed Response: Compressed Response radiobutton Yes

    • Section Type of Cookies Acceptance: Accept Cookies radiobutton No





At the end you should check, whether this new destination works well via button Connection Test. Then you see a popup for logging on. To get this popup is a successful test, push Cancel button.


Test result is Response 401 (Unauthorized). This is fine.


Hint: In case you don't get the popup with logon data, check the following system parameters (transaction RZ11)

  • icm/HTTPS/client_sni_enabled >> TRUE

  • ssl/client_sni_enabled >> TRUE

  • ssl/ciphersuites >> 135:PFS:HIGH::EC_P256:EC_HIGH

  • ssl/client_ciphersuites >> 150:PFS:HIGH::EC_P256:EC_HIGH


3.4. Maintain OAuth 2.0 Client


Use same named menu in SPRO transaction or run transaction OA2C_CONFIG

Intention, see documentation in SPRO: "The APIs of SAP Cloud Platform Workflow service are called using REST and use OAuth 2.0 with client credentials flow. You must maintain an OAuth 2.0 client configuration for each connected instance of the workflow service with the information provided in the service key of the service instance. The service key can be obtained from the SAP Cloud Platform cockpit." (replace SAP Cloud Platform with Business Technology Platform [BTP])

  • A browser window opens; eventually copy the URL to Google Chrome in case Internet Explorer starts (IE has not the full feature set, which we need here)

  • Button Create










3.5. Activate OData Service


Use same named menu in SPRO transaction or run transaction /n/IWFND/MAINT_SERVICES (or SICF)

  • Search for Service SWF_CPWF_NOTIFICATION_SRV (in column External Service Name). If you can't find this service:

    • Push button Add Service

    • Choose your system, where this service is supposed to be (in this scenario it is the same server as the backend system and therefore probably LOCAL)

    • Push button Get Services and search for SWF_CPWF_NOTIFICATION_SRV

    • Select the line and push button Add Selected Services

    • Assign a package and continue

    • Go back



  • In section ICF Nodes push button ICF Node >> Choose Activate >> node should have a green traffic light icon





  • Check availability of a system alias in section System Aliases



=> Conclusion: Having maintained all configurations in the SAP S/4HANA backend system, SAP BTP and backend know each other. What we still need are certain communications users, which need special authorizations. This is what we care about in the next part.

top





>> Next: User and Roles for SAP BTP Workflow and Flexible Workflow

1 Comment
JasonLu
Product and Topic Expert
Product and Topic Expert
‎2022 Jun 13 9:46 PM
0 Kudos
Thanks Manuela for the useful blog!
Labels in this area
Popular Blog Posts