Connecting to SAP


Introduction

This document explains how to set up a secure connection between the Redwood Cloud and SAP systems.

This connection is routed through a Redwood Platform Agent acting as a Secure Gateway. The Secure Gateway communicates with the customer's Redwood Cloud environment over a dedicated, encrypted connection that is established by exchanging credentials known only to the customer-specific environment. Figure 1 shows the Redwood SaaS architecture when a Secure Gateway is deployed.

Figure 1: Redwood SaaS Architecture with Secure Gateway

The general process for configuring a connection to an SAP system via the Secure Gateway is as follows:

  1. Have a Secure Gateway configured as described in the 'Configuring Secure Gateway' manual.
  2. Define a connection to the managed SAP system.

To complete these tasks you will need access to the following people within your organization:

  • System Administrator (for installing Platform Agents)
  • SAP Basis Administrator (for SAP system connect string information)

Define Connections to the Managed SAP Systems

To connect to an SAP system and test the Secure Gateway connection, you will need the SAP Basis Administrator to provide the information shown below:

  • SAP System Hostname or IP address
  • SAP Instance Number
  • Client Number
  • Username
  • Password

SAP Connection Setup Wizard

Once connected to the correct Redwood environment, select the 'Environment' group in the navigation bar, then right-click the 'Process Servers' icon or select the '+' icon on the toolbar. Then select 'SAP System' to open the wizard.

You can run a connection check at each step to confirm that the information you entered is correct and that the connection works. If you need a more advanced configuration or more clients, click 'Advanced' or start as explained in the next chapter.

Figure 2: SAP Connection setup Application and Message Server via Wizard

Advanced SAP System Setup

The advanced SAP connection configuration consists of two steps. First you define the SAP system using an RFC connect string, then you configure the XBP connection in the XBP tab (see the next chapter). Once connected to the correct Redwood environment, select the 'Environment' group in the navigation bar, then right-click the 'SAP' icon or select the '+' icon on the toolbar. Next, complete the information in the dialogue for the SAP system you want to connect to, as shown in Figure 3:

Figure 3: Setting up a connection to the SAP System

Use the following format for the connect string:

Application Server:

ASHOST=HOSTNAME
SYSNR=NN

Message Server:

MSHOST=HOSTNAME
MSSERV=36NN
R3NAME=SID
GROUP=LOGONGROUP

Where:

  • HOSTNAME is the Hostname (FQDN) or IP address of the SAP System.
  • NN is the instance number of the SAP system.
  • R3NAME is the SID of the SAP system, such as NSP.
  • GROUP is the logon group name.
    • In transaction SMLG, ensure Ext. RFC-enabled is checked for the logon group (see SAP Note 2508036) and that Fav.Typ is set to either W or R.

See Figure 3 for an example that uses a fully qualified domain name.

Press the 'Check connection' button to test the connection. A successful check results in a confirmation message. Before saving, you are required to set up an XBP connection.

SNC:

ASHOST=pr1.example.com SYSNR=00
SNC_MODE=1
SNC_PARTNERNAME="p:CN=SERVERS,OU=SAPR3,DC=EXAMPLE,DC=COM"
SNC_QOP=3
SNC_MYNAME="p:CN=connector,OU=SNC,DC=EXAMPLE,DC=COM"

| Parameter | Description | Mandatory | Example |
|---|---|---|---|
| ASHOST | Specifies the FQDN or IP address of the SAP system; when not set, the connector uses the hostname in the certificate | | ASHOST=pr1.example.com |
| SYSNR | Specifies the system number of the SAP system | | SYSNR=30 |
| SNC_MODE | Activates SNC for the connection | ✓ | SNC_MODE=1 |
| SNC_PARTNERNAME | Specifies the DN of the user or a Kerberos name | ✓ | SNC_PARTNERNAME="p:CN=SERVERS,OU=SAPR3,DC=EXAMPLE,DC=COM" |
| SNC_SSO | Enables SSO (default) | | SNC_SSO=1 |
| SNC_QOP | Specifies how secure the connection is: 1=Auth only, 2=Integrity, 3=Privacy, 8=Default, 9=Maximum | | SNC_QOP=3 |
| SNC_MYNAME | Specifies the DN or Kerberos name of the PSE to use | | SNC_MYNAME="p:CN=connector,OU=SNC,DC=EXAMPLE,DC=COM" |
| SNC_LIB | Specifies the location of the sapcrypto library | | SNC_LIB="C:/redwood/sapcrypto.dll" |
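
A pre-flight check for the SNC connect string described above, as an added example (not Redwood's own code): it parses the KEY=VALUE pairs and reports settings that leave the RFC traffic unencrypted or depend on defaults. The function names and the wording of the findings are assumptions made for this illustration.

```python
import shlex

# SNC quality-of-protection levels as defined by SAP.
QOP_LEVELS = {"1": "authentication only", "2": "integrity", "3": "privacy",
              "8": "default", "9": "maximum"}

def parse_connect_string(text):
    """Split KEY=VALUE pairs separated by spaces or newlines; quotes are honoured."""
    params = {}
    for token in shlex.split(text):
        key, sep, value = token.partition("=")
        if not sep or not key:
            raise ValueError(f"not a KEY=VALUE pair: {token!r}")
        params[key.upper()] = value
    return params

def lint_snc(params):
    """Return findings for the SNC settings; an empty list means they pass."""
    if params.get("SNC_MODE") != "1":
        return ["SNC_MODE is not 1: SNC is not active for this connection"]
    findings = []
    if not params.get("SNC_PARTNERNAME"):
        findings.append("SNC_PARTNERNAME is mandatory when SNC is active")
    qop = params.get("SNC_QOP")
    if qop is None:
        findings.append("SNC_QOP not set: protection level is left to defaults")
    elif qop not in QOP_LEVELS:
        findings.append(f"SNC_QOP={qop} is not a valid level")
    elif qop in ("1", "2"):
        findings.append(f"SNC_QOP={qop} ({QOP_LEVELS[qop]}) does not encrypt payload data")
    elif qop == "8":
        findings.append("SNC_QOP=8 defers to the SAP system's default level; confirm it is privacy")
    return findings

# Constructed samples: the page's SNC example, and a weakened variant of it.
PAGE_EXAMPLE = '''ASHOST=pr1.example.com SYSNR=00
SNC_MODE=1
SNC_PARTNERNAME="p:CN=SERVERS,OU=SAPR3,DC=EXAMPLE,DC=COM"
SNC_QOP=3
SNC_MYNAME="p:CN=connector,OU=SNC,DC=EXAMPLE,DC=COM"'''
WEAK_VARIANT = PAGE_EXAMPLE.replace("SNC_QOP=3", "SNC_QOP=1")

if __name__ == "__main__":
    for name, text in (("page example", PAGE_EXAMPLE), ("weak variant", WEAK_VARIANT)):
        print(name, lint_snc(parse_connect_string(text)) or "OK")
```

Paths written with backslashes in SNC_LIB need forward slashes or doubling before they go through this parser, because shlex treats a backslash as an escape character.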

Set up XBP Connection(s)

In order to automate SAP workload you also need to set up an XBP connection to the SAP system. For this you will need a username and password for the client you wish to connect to, as listed earlier. Click on the 'XBP' tab and then the 'Add' button to add a new XBP connection as per Figure 4:

Figure 4: Adding a new XBP connection

Press 'Check Connection Settings' to test if the XBP connection is working (see Figure 4). Note that you can configure multiple XBP connections per SAP system. If both the SAP System and XBP connection checks succeed, your SAP configuration is set up correctly and can be saved. This will automatically create and start the SAP Process Server and Queue. You are now ready to start automating SAP workload!

SAP Permissions Required for XBP

Redwood executes SAP jobs using the SAP XBP API. Each ABAP stack you want to interact with needs a privileged SAP RFC user. Redwood recommends a System user for normal batch processing and a Dialog user if this user must also be used as the Step user. The following sections describe the privileges required by the RFC user to interact with the ABAP stack of SAP Systems. To assign the following privileges, navigate to Tools > Administration > User Maintenance > Role Administration > Roles (SAP transaction PFCG) in the SAP UI.

Required Permissions

| Objectname | Fieldname | Value(s) | Comment |
|---|---|---|---|
| S_RFC | ACTVT | 16 (or *) | |
| S_RFC | RFC_NAME | * (or BATG, FRFC, OCSB, RFC1, RFC_METADATA_GET, SALX, SCCA, SDIFRUNTIME, SDTX, SG00, SRFC, SXBP, SXMI, SYST, SVAR_RFC, SXBP_VAR, SYSU) | |
| S_RFC | RFC_TYPE | FUGR,FUBA | |
| S_ADMI_FCD | S_ADMI_FCD | SP01, SP0R, SPAD | SPAM when retrieving spool from processes with non-default client |
| S_BTCH_ADM | BTCADMIN | * | |
| S_BTCH_JOB | JOBACTION | * | |
| S_BTCH_JOB | JOBGROUP | * | |
| S_BTCH_NAM | BTCUNAME | * | |
| S_OC_DOC | ACTVT | 24 (or *) | For archiving spool lists |
| S_OC_ROLE | OFFADMI | ADMINISTRATOR (or *) | For sending spool lists to recipients or archiving spool lists |
| S_OC_SEND | COM_MODE | * (or specified methods) | For sending spool lists to recipients |
| S_OC_SEND | NUMBER | * (or desired value) | |
| S_PROGRAM | P_ACTION | * | For the required authorization group |
| S_PROGRAM | P_GROUP | BTCSubmit | |
| S_RZL_ADM | ACTVT | 01 | |
| S_SPO_ACT | SPOACTION | * | |
| S_SPO_ACT | SPOAUTH | * | |
| S_SPO_DEV | SPODEVICE | * | |
| S_TABU_DIS | ACTVT | 03 | For importing BW InfoPackage groups |
| S_TABU_DIS | DICBERCLS | * | |
| S_XMI_LOG | XMILOGACC | * | |
| S_XMI_PROD | EXTCOMPANY | REDWOOD (or *) | |
| S_XMI_PROD | EXTPRODUCT | * | |
| S_XMI_PROD | INTERFACE | * | |
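
Several rows above accept either `*` or a narrower value. The following added example (not Redwood's own tooling) compares a role's granted values against the narrow alternatives from the table and reports wildcard grants, values still missing, and values beyond what the table lists. The input structure and the sample role are constructed for this illustration; how you export role content from PFCG is not covered here.

```python
# Narrowest values the Required Permissions table gives for each field
# where it also allows "*".
NARROW = {
    ("S_RFC", "ACTVT"): {"16"},
    ("S_RFC", "RFC_NAME"): {
        "BATG", "FRFC", "OCSB", "RFC1", "RFC_METADATA_GET", "SALX", "SCCA",
        "SDIFRUNTIME", "SDTX", "SG00", "SRFC", "SXBP", "SXMI", "SYST",
        "SVAR_RFC", "SXBP_VAR", "SYSU"},
    # The S_OC_* rows matter only if spool lists are archived or sent.
    ("S_OC_DOC", "ACTVT"): {"24"},
    ("S_OC_ROLE", "OFFADMI"): {"ADMINISTRATOR"},
    ("S_XMI_PROD", "EXTCOMPANY"): {"REDWOOD"},
}

def audit_role(auths):
    """auths maps (object, field) -> set of granted values (hypothetical format).
    Returns wildcard grants, values still missing, and values beyond the table."""
    report = {"wildcard": [], "missing": {}, "extra": {}}
    for key, allowed in sorted(NARROW.items()):
        granted = auths.get(key, set())
        if "*" in granted:
            report["wildcard"].append(key)   # broader than the table requires
            continue
        if allowed - granted:
            report["missing"][key] = sorted(allowed - granted)
        if granted - allowed:
            report["extra"][key] = sorted(granted - allowed)
    return report

# Constructed role content; not exported from a real system.
SAMPLE_ROLE = {
    ("S_RFC", "ACTVT"): {"16"},
    ("S_RFC", "RFC_NAME"): {"*"},
    ("S_OC_DOC", "ACTVT"): {"24"},
    ("S_OC_ROLE", "OFFADMI"): {"ADMINISTRATOR"},
    ("S_XMI_PROD", "EXTCOMPANY"): {"REDWOOD", "ACME"},
}

if __name__ == "__main__":
    for section, content in audit_role(SAMPLE_ROLE).items():
        print(section, content)
```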

Optional Permissions

| Objectname | Fieldname | Value(s) | Comment |
|---|---|---|---|
| S_RS_ALL | | | For BW Process Chains, choose Edit > Insert authorization(s) > From profile, fill in S_RS_ALL |
| S_DEVELOP | ACTVT | 16 | For BW Process Chains |
| S_DEVELOP | DEVCLASS | * | For BW Process Chains |
| S_DEVELOP | OBJNAME | * | For BW Process Chains |
| S_DEVELOP | OBJTYPE | PROG | For BW Process Chains |
| S_DEVELOP | P_GROUP | * | For BW Process Chains |
| S_DEVELOP | ACTVT | 03 | For Industry Solutions (ISU) |
| S_DEVELOP | DEVCLASS | EE20 | For Industry Solutions (ISU) |
| S_DEVELOP | OBJNAME | * | For Industry Solutions (ISU) |
| S_DEVELOP | OBJTYPE | * | For Industry Solutions (ISU) |
| S_DEVELOP | P_GROUP | * | For Industry Solutions (ISU) |
| S_RFC_ADM | ACTVT | All | For SAP Applications (BAE), add to role SAP_BC_REDWOOD_COMM_EXT_SDL |
| S_RFC_ADM | ICF_VALUE | * | |
| S_RFC_ADM | RFCDEST | CRONACLE*, REDWOOD | |
| S_RFC_ADM | RFCTYPE | All | |

Optional RFC Objects

Optional RFCs:

  • SXMB: For retrieving SAP syslog with the GetSupportFiles functionality
  • /REDWOOD/1XBP, /REDWOOD/2XBP: If you are using XBP transports
  • /REDWOOD/1ISU, /REDWOOD/2ISU: If you are using ISU transports
  • BAPI_CM_PROFILES_GET (type FUNC): If you want to use SAP_SynchronizeInterceptingCriteria
  • RSBC, RSAB, RSPC_API: For BW Process Chains