AWS for SAP

Secure File Transfer with the AWS SDK for SAP ABAP

Introduction

Customers running SAP workloads will often exchange data with external sources using protocols such as SSH File Transfer Protocol (SFTP), File Transfer Protocol Secure (FTPS), File Transfer Protocol (FTP) and Applicability Statement 2 (AS2).

Examples of the types of data exchanged include purchase orders, invoices, inventory lists, bank statements and payroll data, which typically contain sensitive information that must be protected during the transfer. The data exchange is commonly embedded deep within an end-to-end business process, so it is critical that it happens in a timely and secure manner.

To achieve this, customers often host and manage their own file transfer services to securely exchange files with external entities and applications. This requires managing infrastructure, patching servers and file transfer software, monitoring for security issues, uptime and availability, building mechanisms to provision users and audit their activity, and writing custom scripts to handle the transfers. Overall, maintaining a secure file transfer solution in this way involves a great deal of heavy lifting for the customer.

In this blog, we’ll show how you can use AWS SDK for SAP ABAP with AWS services including AWS Transfer Family, Amazon Simple Storage Service (Amazon S3), Amazon Simple Queue Service (Amazon SQS) and Amazon Simple Notification Service (Amazon SNS) to securely transfer files between an SAP system and external entities using SFTP and remove the heavy lifting associated with the approach described above.

We will cover three common scenarios.

  1. The first scenario is an inbound file transfer to SAP, where an external entity or application pushes the file to the SAP system using the SFTP protocol.
  2. The second scenario is an outbound file transfer from SAP, where the SAP system publishes the file so that the external entity or application can download it using the SFTP protocol.
  3. The third scenario is a file transfer from the SAP system to a remote SFTP server using the SFTP protocol.

Transfer Family offers fully managed support for the transfer of files over SFTP, AS2, FTPS, and FTP directly into and out of Amazon S3 or Amazon Elastic File System (Amazon EFS). You can seamlessly migrate, automate, and monitor your file transfer workflows while keeping your existing client-side configurations for authentication, access, and firewalls. There are no upfront costs, and you pay only for the AWS services you use.

Prerequisites

For this walkthrough, you should have the following prerequisites in place:

  1. SAP S/4HANA or SAP Business Suite with SAP NetWeaver ABAP 7.40 or above
  2. An AWS account
  3. The SDK for SAP ABAP installed and configured (see this blog)
  4. A Transfer Family SFTP server (see this blog)
  5. An Amazon SNS topic (see this documentation)
  6. An Amazon SQS queue (see this documentation)
  7. IAM roles configured as per Best practices for IAM Security
  8. Appropriate SAP authorizations for the SDK for SAP ABAP
  9. ABAP programming knowledge

Inbound file transfer to SAP

The following architecture shows how you can use the SDK for SAP ABAP and AWS services for inbound file transfer to SAP. Here Transfer Family acts as the SFTP server and the external application acts as the SFTP client.

Architecture of Inbound file transfer to SAP using AWS SDK for SAP ABAP and AWS services

  1. The external entity or application authenticates and uploads the file to the Transfer Family endpoint using the SFTP protocol.
  2. Transfer Family stores the file in an S3 bucket. The uploaded object is scanned for viruses and malware using Amazon S3 Event Notifications. Refer to this blog for the solution that scans objects uploaded to an S3 bucket with ClamAV®. The solution creates a tag named “scan-status” on the uploaded S3 object; the value of the tag is “CLEAN” or “INFECTED” depending on the scan result.
  3. Transfer Family invokes a managed workflow custom file-processing step whose target is an AWS Lambda function. The Lambda function processes the workflow event and sends a message to an Amazon SQS queue. The message contains the S3 bucket name and the object key. The following Python code shows how to send the message to the SQS queue and return the status (SUCCESS or FAILURE) to the Transfer Family managed workflow step.
    import json
    import os

    import boto3
    from botocore.exceptions import ClientError

    transfer = boto3.client('transfer')
    sqs = boto3.client('sqs')

    def lambda_handler(event, context):

        # Resolve the queue URL from the queue name configured in the Lambda environment
        queueurl = sqs.get_queue_url(QueueName=os.environ['QUEUE_NAME'])
        status = 'SUCCESS'

        try:
            # fileLocation carries the bucket and key of the uploaded object
            message = sqs.send_message(
                QueueUrl=queueurl["QueueUrl"],
                MessageBody=json.dumps(event['fileLocation'])
            )
        except ClientError as error:
            print(f"Failed to send message to SQS: {error}")
            status = 'FAILURE'

        # call the SendWorkflowStepState API to notify the workflow about the
        # step's SUCCESS or FAILURE status
        response = transfer.send_workflow_step_state(
            WorkflowId=event['serviceMetadata']['executionDetails']['workflowId'],
            ExecutionId=event['serviceMetadata']['executionDetails']['executionId'],
            Token=event['token'],
            Status=status
        )

        return {
            'statusCode': 200,
            'body': json.dumps(response)
        }
        
  4. In the SAP system, an ABAP program running in the background polls the SQS queue for messages using the SDK for SAP ABAP. The following ABAP code example shows how to retrieve the SQS queue URL and the messages from the queue.
    "lo_session is the SDK session object created earlier for this system's SDK profile
    "Create Amazon SQS client
    DATA(lo_sqs) = /aws1/cl_sqs_factory=>create( lo_session ).

    "Get SQS queue URL
    DATA(lo_queue_url) = lo_sqs->getqueueurl(
      iv_queuename = CONV string( lv_sqs_queue_name )
      ).
    DATA(lv_queue_url) = lo_queue_url->get_queueurl( ).

    "Receive messages from SQS queue
    DATA(lo_sqs_messages) = lo_sqs->receivemessage(
      iv_queueurl = lv_queue_url
      ).
    DATA(lv_sqs_messages) = lo_sqs_messages->get_messages( ).
    
  5. If there is a message in the SQS queue, the ABAP program uses the SDK for SAP ABAP to call the SQS API and read the message from the queue. The following ABAP code example shows how to retrieve the message body and the receipt handle of the message. The receipt handle is used in step 7 to delete the message from the queue.
    "If there are messages in SQS, then process
    IF lv_sqs_messages IS NOT INITIAL.

      LOOP AT lv_sqs_messages ASSIGNING FIELD-SYMBOL(<message>).
        "The body holds the JSON written by the Lambda step (bucket and key of the object)
        DATA(lv_sqs_message_body) = <message>->get_body( ).
        "The receipt handle is needed later to delete this message from the queue
        DATA(lv_sqs_msg_receipt_handle) = <message>->get_receipthandle( ).
      ENDLOOP.

      "Custom logic here, e.g. parse lv_sqs_message_body into lv_sqs_message_data (bucket, key)

    ENDIF.
    
  6. Using the SDK for SAP ABAP, the ABAP program checks the “scan-status” tag of the uploaded S3 object. If the value of the “scan-status” tag is “CLEAN”, the object in the S3 bucket is read using the SDK for SAP ABAP and the backend business logic is executed. In this walkthrough, the ABAP program creates a product in SAP. The following ABAP code example shows how to retrieve the tags of the S3 object.
    "Create Amazon S3 client
    DATA(lo_s3) = /aws1/cl_s3_factory=>create( lo_session ).

    "Retrieve tags of S3 object to check if file is INFECTED or CLEAN
    DATA(lo_s3tags) = lo_s3->getobjecttagging(
      iv_bucket = lv_sqs_message_data-bucket
      iv_key    = lv_sqs_message_data-key
      ).
    DATA(lv_s3_tags) = lo_s3tags->get_tagset( ).

    LOOP AT lv_s3_tags ASSIGNING FIELD-SYMBOL(<fs_s3_tag>).
      "Check if file is CLEAN or INFECTED and execute business logic
    ENDLOOP.
    
  7. If the product is created successfully in the SAP system, the ABAP program uses the SDK for SAP ABAP to delete the message from the SQS queue and delete the file from the S3 bucket. Depending on your requirements, you may instead retain the file by moving it to another S3 bucket for further processing or transition it to another Amazon S3 storage class. The following ABAP code sample shows how to delete the message from the SQS queue using the queue URL obtained in step 4 and the receipt handle obtained in step 5. The code also shows how to delete the object from the S3 bucket.
    "Delete message from SQS queue
    lo_sqs->deletemessage(
      iv_queueurl      = lv_queue_url
      iv_receipthandle = lv_sqs_msg_receipt_handle
      ).

    "Delete processed file from S3
    lo_s3->deleteobject(
      iv_bucket = lv_sqs_message_data-bucket
      iv_key    = lv_sqs_message_data-key
      ).
    
  8. If the uploaded file is tagged as “INFECTED”, the ABAP program sends an email notification using the SNS API, deletes the message from the queue using the SQS API, and deletes the object from the bucket using the S3 API. You may execute different business logic depending on your requirements.
    "Create Amazon SNS client
    DATA(lo_sns) = /aws1/cl_sns_factory=>create( lo_session ).
    
    "Send a message using SNS that an infected file was uploaded
    lo_sns->publish(
       iv_topicarn  =  lv_sns_arn
       iv_message   =  lv_msg
       iv_subject   =  lv_sub
       ).
    
    " Delete message from SQS queue and delete file from S3
    

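The decision the SAP-side poller has to make in steps 5 to 8 (parse the message written by the Lambda step, look up the “scan-status” tag, then process, quarantine, or wait) is shown below as an added Python example; it is not code from the original post or from the SDK, and the message body, bucket name, keys and tag sets are constructed. It also covers the case the post does not spell out: an object whose tag is missing because the scan has not finished yet is left on the queue rather than treated as clean.

```python
import json

# Constructed sample of an SQS message body as the Lambda step writes it:
# json.dumps(event['fileLocation']) from a Transfer Family custom workflow step.
SAMPLE_MESSAGE_BODY = json.dumps({
    "bucket": "sftp-inbound-bucket",            # constructed bucket name
    "key": "partner-a/products_20240101.csv",   # constructed object key
})

# Constructed tag sets in the shape S3 GetObjectTagging returns (TagSet):
# one object scanned clean, one scanned infected, one not yet scanned.
SAMPLE_TAG_SETS = {
    "partner-a/products_20240101.csv": [{"Key": "scan-status", "Value": "CLEAN"}],
    "partner-a/quarantine_me.csv": [{"Key": "scan-status", "Value": "INFECTED"}],
    "partner-a/still_scanning.csv": [],
}

def parse_file_location(body):
    """Return (bucket, key) from the message body, or None if it is malformed."""
    try:
        data = json.loads(body)
        bucket, key = data["bucket"], data["key"]
    except (ValueError, KeyError, TypeError):
        return None
    if not (isinstance(bucket, str) and bucket and isinstance(key, str) and key):
        return None
    return bucket, key

def decide_action(tag_set):
    """Map the object's scan-status tag to what the poller should do.
    CLEAN    -> PROCESS:    run the business logic, then delete message and object
    INFECTED -> QUARANTINE: notify via SNS, then delete message and object
    no tag   -> RETRY:      scan still running; leave the message on the queue
    other    -> QUARANTINE: unknown status, fail closed and never process the file
    """
    status = next((t.get("Value") for t in tag_set if t.get("Key") == "scan-status"), None)
    if status is None:
        return "RETRY"
    return "PROCESS" if status == "CLEAN" else "QUARANTINE"

def handle_message(body, lookup_tags):
    """Decide the action for one SQS message; lookup_tags(bucket, key) -> TagSet."""
    location = parse_file_location(body)
    if location is None:
        return "DISCARD"   # malformed message: delete it without touching S3
    return decide_action(lookup_tags(*location))

def sample_lookup(bucket, key):
    """Offline stand-in for GetObjectTagging, backed by the constructed tag sets."""
    return SAMPLE_TAG_SETS.get(key, [])
```

A RETRY result means the message is simply not deleted, so it reappears after the queue's visibility timeout; cap the number of retries with a dead-letter queue and maxReceiveCount so an object that never gets tagged cannot loop forever.
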
Outbound file transfer from SAP

The following architecture shows how you can use the SDK for SAP ABAP and AWS services for outbound file transfer from SAP. Here Transfer Family acts as the SFTP server and the external application acts as the SFTP client.

Architecture of Outbound file transfer from SAP using AWS SDK for SAP ABAP and AWS services

  1. The ABAP program uses the SDK for SAP ABAP to call the Transfer Family API and retrieve the home directory of the Transfer Family user. The home directory contains the S3 bucket name and an optional folder under the bucket. The following ABAP code example shows how to retrieve the home directory of the Transfer Family user.
    "Create AWS Transfer Family client
    DATA(lo_trn) = /aws1/cl_trn_factory=>create( lo_session ).

    "Retrieve home directory of Transfer Family user where file is uploaded
    DATA(lo_trn_desc_user) = lo_trn->describeuser(
      iv_serverid = CONV string( lv_trn_server_id )
      iv_username = CONV string( lv_trn_user )
      ).
    DATA(lo_trn_user) = lo_trn_desc_user->get_user( ).

    "If the home directory of the Transfer Family user is NOT restricted,
    "get_homedirectory returns the path and the result is not initial
    DATA(lv_dir_mapping) = lo_trn_user->get_homedirectory( ).
    IF lv_dir_mapping IS INITIAL.
      "This is the case when the home directory of the Transfer Family user is
      "restricted: take the target of the home directory mapping instead
      DATA(lo_trn_home_dir_maps) = lo_trn_user->get_homedirectorymappings( ).
      LOOP AT lo_trn_home_dir_maps ASSIGNING FIELD-SYMBOL(<lo_fs_trn_dir_map>).
        lv_dir_mapping = <lo_fs_trn_dir_map>->get_target( ).
      ENDLOOP.
    ENDIF.
    
  2. The ABAP program runs the business logic and uploads the file to the S3 bucket using the SDK for SAP ABAP. In this walkthrough, the file contains the product data.
    "Create Amazon S3 client
    DATA(lo_s3) = /aws1/cl_s3_factory=>create( lo_session ).
    
    lo_s3->putobject(
        iv_bucket = lv_bucket
        iv_key    = lv_filename
        iv_body   = lv_file_content
        ).
    
  3. The ABAP program uses the SNS API to send an email notification to the external entity using the SDK for SAP ABAP.
    "Create Amazon SNS client
    DATA(lo_sns) = /aws1/cl_sns_factory=>create( lo_session ).
    
    "Send a message to SNS topic
    lo_sns->publish(
       iv_topicarn  =  lv_sns_arn
       iv_message   =  lv_msg
       iv_subject   =  lv_sub
       ).
    
  4. The external entity authenticates and retrieves the file from the Transfer Family endpoint using the SFTP protocol.
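
The home directory lookup in step 1 and the upload in step 2 need the user's home directory turned into an S3 bucket and object key; the following is an added Python example of that mapping (not code from the original post or from the SDK). It assumes the DescribeUser shape with HomeDirectory for PATH-type users and HomeDirectoryMappings (Entry/Target) for restricted users, a single mapping per restricted user, and that a Target may contain the ${transfer:UserName} variable; the user records and file names are constructed.

```python
import posixpath

# Constructed DescribeUser results (the shape the Transfer Family API returns).
# A PATH-type user carries HomeDirectory; a restricted (LOGICAL) user carries
# HomeDirectoryMappings, whose Target may use the ${transfer:UserName} variable.
PATH_USER = {"UserName": "partner-a", "HomeDirectory": "/sap-outbound/partner-a/out"}
RESTRICTED_USER = {
    "UserName": "partner-b",
    "HomeDirectoryMappings": [{"Entry": "/", "Target": "/sap-outbound/${transfer:UserName}"}],
}

def resolve_home_directory(user):
    """Return the "/bucket/prefix" path of a Transfer Family user (mirrors the ABAP above).

    Assumption: a restricted user has exactly one mapping; anything else is rejected.
    """
    home = user.get("HomeDirectory") or ""
    if not home:
        mappings = user.get("HomeDirectoryMappings") or []
        if len(mappings) != 1 or not mappings[0].get("Target"):
            raise ValueError("expected exactly one home directory mapping")
        home = mappings[0]["Target"]
    return home.replace("${transfer:UserName}", user["UserName"])

def split_s3_path(path):
    """Split "/bucket/optional/folder/" into (bucket, prefix); prefix may be empty."""
    bucket, _, prefix = path.strip("/").partition("/")
    if not bucket:
        raise ValueError("home directory contains no bucket name")
    return bucket, prefix.strip("/")

def outbound_object_location(user, filename):
    """Return (bucket, key) for a file SAP uploads into the user's home directory.

    Only the base name of filename is used, so the object always lands inside
    the user's own prefix regardless of any separators in the file name.
    """
    name = posixpath.basename(filename.replace("\\", "/"))
    if name in ("", ".", ".."):
        raise ValueError("invalid file name")
    bucket, prefix = split_s3_path(resolve_home_directory(user))
    return bucket, f"{prefix}/{name}" if prefix else name
```

The returned bucket and key are what the ABAP program passes as iv_bucket and iv_key to putobject in step 2.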

File transfer from SAP to remote SFTP Server

The following architecture shows how you can use the SDK for SAP ABAP and AWS services to transfer a file from the SAP system to a remote SFTP server. Here AWS Transfer Family acts as the SFTP client that exchanges files with the remote SFTP server.

For this scenario, you’ll use SFTP connectors and the StartFileTransfer API of the SDK for SAP ABAP to exchange files with the remote server. An SFTP connector is a fully managed SFTP client that securely and reliably copies files between remote SFTP servers and Amazon S3. You can use SFTP connectors to communicate with remote SFTP servers both in the cloud and on premises.

Architecture of File transfer from SAP to remote SFTP Server using AWS SDK for SAP ABAP and AWS services

As a prerequisite, you need to create an SFTP connector (see this documentation) to connect to the remote server. The credentials for the remote SFTP server must be stored in AWS Secrets Manager. The files are stored in an S3 bucket.

  1. The ABAP program runs the business logic to retrieve the products from the SAP system.
  2. The ABAP program uploads the file to the S3 bucket using the SDK for SAP ABAP.
    DATA(lo_s3) = /aws1/cl_s3_factory=>create( lo_session ).
    
    lo_s3->putobject(
        iv_bucket = lv_bucket
        iv_key    = lv_filename
        iv_body   = lv_file_content
        ).
    
  3. The ABAP program initiates the file transfer from the S3 bucket to the remote SFTP server using the StartFileTransfer API of the SDK for SAP ABAP. The API uses the SFTP connector to authenticate to the remote server and transfer the file.
    "Create AWS Transfer Family client
    DATA(lo_trn) = /aws1/cl_trn_factory=>create( lo_session ).
    
    "Transfer file to External SFTP Server
    DATA(lo_transfer_result) = lo_trn->startfiletransfer(
         iv_connectorid   = lv_connector_id
         it_sendfilepaths = lt_send_file_path
        ).
    
  4. The ABAP program uses the SNS API to send an email notification using the SDK for SAP ABAP.
    "Create Amazon SNS client
    DATA(lo_sns) = /aws1/cl_sns_factory=>create( lo_session ).
    
    "Send a message to SNS topic
    lo_sns->publish(
       iv_topicarn  =  lv_sns_arn
       iv_message   =  lv_msg
       iv_subject   =  lv_sub
       ).
    

Benefits

The key benefits of a solution based on the SDK for SAP ABAP and Transfer Family for secure data exchange between SAP and external systems include:

  1. Replacement of the undifferentiated heavy lifting of running your own secure file transfer solution with a fully managed, highly available and scalable file transfer service.
  2. A pay-for-what-you-use pricing model with no upfront or ongoing software license costs.
  3. The ability to enforce encryption of data in transit through the use of FTPS or SFTP.
  4. The ability to encrypt data at rest on Amazon S3 using server-side encryption with S3-managed keys (SSE-S3) or AWS KMS keys (SSE-KMS).
  5. The ability to monitor end users’ activity using Amazon CloudWatch and AWS CloudTrail logs.
  6. The ability to use SFTP connectors as a fully managed SFTP client to communicate with remote SFTP servers from SAP systems.
  7. The ability to enforce scanning of incoming files for viruses and malware using AWS services and open source ClamAV, improving the security posture of the file transfer process.
  8. The ability to execute pre-upload and post-upload file processing tasks using AWS Transfer Family managed workflows.
  9. No changes are required on the side of the external entity sending or receiving files.

Cost

The cost example assumes you have set up a Transfer Family endpoint for SFTP access in the us-east-1 Region. In total, external users download 1 GB/day and upload 1 GB/day of data over SFTP. The SAP system uploads 1 GB/day to and downloads 1 GB/day from the S3 bucket.

AWS Service                        Cost per month   Calculation
SFTP endpoint                      219.00 USD       1 endpoint x 730 hours per month x 0.30 USD
SFTP data upload                   1.2 USD          1 GB x 30 days x 0.04 USD per GB
SFTP data download                 1.2 USD          1 GB x 30 days x 0.04 USD per GB
S3 storage + requests              0.06 USD         (2 GB x 0.023 USD per GB) + (3000 PUT x 0.000005 USD per request) + (3000 GET x 0.0000004 USD per request)
SQS standard queue                 0.00 USD         Free for the first 1 million requests per month
Outbound internet data transfer    9.00 USD         100 GB x 0.09 USD per GB
SNS email notifications            0.00 USD         Free for 1,000 notifications
Lambda invocations                 0.00 USD         Free for the first 1 million requests per month
SFTP connector                     12.1 USD         (100 calls x 0.001 USD per connector call) + (1 GB x 30 days x 0.40 USD per GB)
Total                              242.56 USD

Conclusion

In this blog, we’ve shown how you can securely transfer files between SAP systems and external entities using the SDK for SAP ABAP and AWS services. This lets you move away from managing your own secure file transfer solution, reduce costs, and improve the overall security posture of file transfer by including automated scanning for viruses and malware.

To learn why thousands of customers trust AWS to run their mission-critical SAP workloads, visit the AWS for SAP page.