AWS for SAP
AWS Transfer for SFTP for SAP file transfer workloads – part 2
Part 1 of this series demonstrated how to integrate SAP PI/PO systems with AWS Transfer for SFTP (AWS SFTP) and how to use the data that AWS SFTP stores in Amazon S3 for post-processing analytics. This post shows you how to integrate SAP Cloud Platform Integration (SAP CPI) with AWS SFTP and use the AWS analytics solutions shown in part 1 for post-processing analytics.
Architecture overview
SAP CPI is a pay-as-you-go subscription model offered by SAP. With capabilities similar to SAP PI/PO, SAP CPI offers pay-as-you-go exchange infrastructure to integrate processes and data. This includes SAP file workloads between cloud apps, third-party applications, and on-premises solutions with this open, flexible, on-demand integration system running as a core service on the SAP Cloud Platform.
The following diagram shows the high-level architecture of SAP CPI system integration with AWS SFTP. SAP systems are hosted on premises or in the AWS Cloud environment with SAP CPI connection.You can use AWS SFTP to store the SAP file workloads in S3 by enabling integration flow connection and perform post-processing functions using AWS Glue, Amazon Athena, and Amazon QuickSight.
To establish a connection with AWS SFTP, you must have the following SAP CPI authentication options:
- SAP CPI key-based authentication – Use key-based authentication in SAP to configure and integrate SAP CPI AWS SFTP.
- SAP CPI password-based authentication – Use AWS Secrets Manager to enable username- and password-based authentication. This integrates SAP CPI communication channels with AWS SFTP.
SAP CPI key-based authentication
Configure the SAP CPI tenant known host key file to store the SFTP key, hostname, key algorithm, and SSH key parameters. As shown in the following workflow diagram, the known host file will store the SFTP public key, hostname, and public key algorithm. SSH key pair is stored in the SAP CPI key store configuration to establish connection from SAP CPI tenant to SFTP server:
Known host file
To establish an SSH-based communication, the SAP CPI tenant needs the host key of the SFTP server.
- To extract the host key of the SFTP server, run the ssh-keyscan command on the AWS SFTP endpoint you created.
- Update the host key in the SAP CPI known hosts file. See the following code example where ssh-keyscan command is executed on AWS SFTP server domain to retrieve the host key value:
Update the server host key in the known_hosts CPI tenant file form
- In the CPI tool, select monitoring (operations view), security material option.
- Select the known_hosts entry, and download to your local machine
- Add the AWS SFTP server host key retrieved in the previous step in the known host file.
To avoid any corruption or deletion of existing host keys that could hamper other SAP CPI integration, add the host key at the end of the SAP CPI known host file.
As shown in below, upload the known host file from your local drive to SAP CPI Tenant.
- Choose Add feature, Known Hosts (SSH).
- Choose Deploy
For key-based authentication, you can generate a key pair using SAP CPI tools.
- From the SAP CPI monitoring page, in the tenant keystore, choose Create SSH key.
- For Key type, choose RSA.
- Define the key-specific values.
- Choose Deploy
When the deployment is complete, download the id_rsa public key from the keystore. Upload the id_rsa public key pair downloaded earlier to the AWS SFTP server SSH public key page.
For information about adding or rotating public keys for your AWS SFTP server, see rotating SSH keys documentation.
Testing connectivity
You can now test the connectivity between SAP CPI and the AWS SFTP server.
- In SAP CPI monitoring view, select Connectivity tests function.
- Choose SSH option, and enter the following details:
- For Host, enter s-6602732347fea.server.transfer.us-east-1.amazonaws.com (AWS SFTP endpoint). For more information, see Create an SFTP Server.
- For Port, enter 22.
- For Proxy Type, select None.
- For Timeout, enter your desired timeout value.
- For Authentication, choose public-key based.
- For User Name, enter kenny (AWS SFTP server user name created earlier).
- Select the check boxes for Check Host Key and Check Directory access.
- For Directory, select the S3 directory associated with AWS SFTP server.
- Choose Send.
This establishes the connection between SAP CPI and AWS SFTP and lists the current objects stored in the AWS SFTP server S3 directory. In the following diagram, SAP CPI lists the SAP material master files stored in S3 directory using STFP connection.
You can now use this SSH key pair based SAP CPI connection to create an integration flow between your SAP systems and AWS SFTP server for your file-transfer workloads.
SAP CPI password-based authentication
You can now configure SAP CPI integration with the AWS SFTP server using username- and password-based authentication.
If you are using a different AWS SFTP endpoint, follow the same known host file configuration process shown in the previous SAP CPI known host file configuration. To create username- and password-based authentication, see AWS Transfer for SFTP for SAP file transfer workloads – part 1.
- In SAP CPI monitoring view, choose Security material function.
- Choose Add feature, user-credentials.
- On the Add User Credentials page, enter the credentials and deploy the following entries:
- For Name, enter a credential name to retrieve your user name and password credentials in the SAP CPI integration flow.
- For Type, choose User Credentials.
- For User, enter the user name created for password-based authentication in part 1 of this series using Secrets Manager.
- For Password, enter the same password created as part of password-based authentication in part 1 of this series using Secrets Manager.
- Once deployed, verify the successful deployment of user credentials entry in the SAP CPI security material page.
Testing connectivity
To test the connection, create an integration flow in SAP CPI between your preferred HTTPS tool and AWS SFTP.
- In the SAP CPI design view, for address, enter s-66027032347fea.server.transfer.us-east-1.amazonaws.com (AWS SFTP endpoint).
- For Authentication, choose User Name/Password.
- For Credential Name, enter SFTP_KENNY (the credential name from the previous step).
- For Timeout, enter your desired value.
- For Maximum Reconnect Attempts, enter your desired value.
- For Reconnect Delay, enter your desired value.
You can retrieve the deployed integration flow URL from the SAP CPI manage integration content page.
This post uses SOAP UI to send the SAP MATMAS document using the HTTPS connection method. To send the file to the SAP CPI, upload the SAP material Idoc structure in the HTTPS tool. The integration flow processes the file to the S3 directory using AWS SFTP.
When the processing is complete, you should see the SAP MATMAS file stored in the S3 directory for post-processing activities.
Conclusion
You can migrate your SAP file transfer workloads and SAP export files to S3 seamlessly by using a fully managed AWS SFTP service. You don’t have to worry about managing and maintaining an SFTP server and data resilience for your mission-critical workloads.