System and System Line Configuration
This section describes how to configure a System Line and a System of kind 'SAP'. They are created and administered in the Portal's System Lines menu.
Two types of SAP objects can currently be connected: SAP BW and SAP BAPI.
Prerequisites
Webservice Activation for SAP BW
To connect to SAP BW, the QUERY_VIEW_DATA service needs to be activated and configured according to your authentication requirements. Go to the SAP BW system, run transaction 'SOAMANAGER' and select 'Simplified Web Service Configuration'. Search for the web service QUERY_VIEW_DATA, activate at least one of the following authentication methods and save the configuration. Depending on the authentication type you want to use, select the following (see section Authentication Configuration):
- BASIC: activate checkbox "Basic"
- SAP Logon Ticket: activate SAP Logon Ticket (this requires further configuration, see Authentication Configuration)
- SAML2: activate SAP Logon Ticket (this requires further configuration, see Authentication Configuration)
SAP Libraries for RFC
For the best experience with SAP Handlers, make sure to install the SAP NetWeaver RFC SDK Version 7.50 or later. For SAP BAPI this is a requirement. The libraries can be downloaded from the SAP Support Portal.
Libraries:
Operating system | Required libraries |
---|---|
Windows (64bit) | icudt50.dll, icuin50.dll, icuuc50.dll, libicudecnumber.dll, libsapucum.dll, libsapucum.lib, sapnwrfc.dll, sapnwrfc.lib |
Linux (64bit) | libicudata.so.50, libicudecnumber.so, libicui18n.so.50, libicuuc.so.50, libsapnwrfc.so, libsapucum.so |
System Line
The System Line configuration is equivalent to the other kinds of System Line configurations:
- Kind: SAP
- Authentication: Enabled
- Short Name: As usual a descriptive and identifying name
System
The configuration for a specific SAP System is the same for both SAP BW and SAP BAPI.
System data
- Short Name: A descriptive and identifying name
- Location: Assign the System to a Location (has to be created and enabled before)
- Authentication (further information in the section Authentication Configuration):
  - Azure AD SAML
  - Shared Basic Auth (User and Password)
  - Per User Basic Auth (User and Password)
  - SAP Logon Ticket
After providing the System data and saving, additional information is required:
Technical parameters:
- CLIENT: Target system client, e.g. '001'.
- HOST_NAME: Target system base URL / hostname.
- HTTP_PORT: The port for http-connections, default is 80<instance>.
- HTTPS_PORT: The port for https-connections, default is 443<instance>.
- INSTANCE: Target system instance, default is '00'.
- PROTOCOL: Protocol to be used, default is 'http'.
- SYSTEM_ID: Target system ID, e. g. NPL.
- WEBSERVICE_PATH: The path of the web service QUERY_VIEW_DATA. If not set, default path will be used.
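A pre-flight check for the technical parameters above, as an added example that is not part of the product or its documentation: it applies the documented defaults (80<instance>, 443<instance>, 'http', '00') and reports a System that would send authentication data over plain http. The function names, the sample values, and the assumption that parameters listed without a default must be set are illustrative.

```python
# Added example, not product code. Parameter names and defaults come from the
# list above; function names and SAMPLE values are constructed for illustration.

SAMPLE = {"CLIENT": "001", "HOST_NAME": "sap-bw.example.internal", "SYSTEM_ID": "NPL"}


def effective_settings(params):
    """Apply the documented defaults and return (protocol, port, instance)."""
    instance = params.get("INSTANCE", "00")
    if not (len(instance) == 2 and instance.isdigit()):
        raise ValueError(f"INSTANCE must be two digits, got {instance!r}")
    protocol = params.get("PROTOCOL", "http").lower()
    if protocol not in ("http", "https"):
        raise ValueError(f"PROTOCOL must be http or https, got {protocol!r}")
    # Documented defaults: 80<instance> for http, 443<instance> for https.
    if protocol == "https":
        key, prefix = "HTTPS_PORT", "443"
    else:
        key, prefix = "HTTP_PORT", "80"
    port = int(params.get(key, prefix + instance))
    return protocol, port, instance


def review(params, authentication):
    """Return a list of findings for one System configuration."""
    findings = []
    # Assumption: parameters listed without a default must be set explicitly.
    for name in ("CLIENT", "HOST_NAME", "SYSTEM_ID"):
        if not params.get(name):
            findings.append(f"{name} is not set")
    protocol, port, _ = effective_settings(params)
    if not 1 <= port <= 65535:
        findings.append(f"port {port} is out of range")
    if protocol == "http":
        # Passwords, logon tickets and assertions are readable on the wire.
        findings.append(
            f"{authentication} over http on port {port}: authentication data "
            "crosses the network unencrypted; set PROTOCOL to https"
        )
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE, "Shared Basic Auth"):
        print("FINDING:", finding)
```

Because PROTOCOL defaults to 'http', a System saved with only the mandatory values is reported until PROTOCOL is set to 'https'.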
Authentication Configuration
There are different options for the Authentication configuration.
Basic Authentication
Not recommended: Basic authentication uses hard-coded user credentials (username & password). These credentials need to be stored in Virtual Data Platform.
SAP Logon Ticket
SAP allows trusted systems to generate 'SAP Logon Tickets' on behalf of a user. Virtual Data Platform can retrieve the user name from your company's Entra ID. Therefore your admin has to configure the corresponding property. The user-specific value of this property will be used for the SAP token creation.
Import Virtual Data Platform Certificate into SSF Logon Tickets
Create a certificate that is required to be
1) available (including private key) in the certificate store of the computer on which the VDP Agent is installed. This computer has to be connected to the network your SAP system is located in.
2) used to register (excluding private key) a trusted system in the SAP system for Access Control (ACL).
For 1) please import the certificate into the certificate store of the computer the VDP Agent is running on. Make sure the system user running the Agent is authorized to access the private key of the certificate.
For 2) use transaction "strustsso2" to import the certificate into the "SSF Logon Tickets". Afterwards the imported certificate has to be added to the "Access Control List" (ACL). Important: Use System "VDP" and Client "001".
SAML (over Azure AD)
Please configure Azure AD SAML2 according to the Microsoft documentation.
Set up Single Sign-On with SAML
Azure AD Configuration
If you followed the instructions you should see "SAP NetWeaver" in your app registrations. In Section "Expose an API" you need to add "VDP Global SignIn" with Client ID "a9aac0f8-b494-4245-a902-eb91c3ab6f48" to the "Authorized client applications" with an authorization for the impersonation scope.
In Azure Portal: Make sure that the "Identifier Format" of the "Unique User Identifier" (NameID) is set to "unspecified".
Either add all required users to your SAP NetWeaver Enterprise App Registration or go to the properties of the Enterprise App Registration and set "Assignment required?" to "No".
SAP Configuration
Make sure the profile parameter "login/create_sso2_ticket" is set to "2". You can check this setting in transaction SICF_SESSIONS.
Go to transaction "SICF" and activate the echo-service (path: sap/bc/echo/ and everything below). Make sure the service is running (by executing "test service") and that SAML authentication is working for the service.
Go to SAML2 configuration (transaction "SAML2") of your local provider and make sure that in the Service Provider Settings the legacy system support is set to "On".
Make sure the SAP system is using valid certificates for HTTPS connections, otherwise VDP will reject the connection to the SAP-System.
After "Save and Enable" the System is available and can be connected by using Functions.