Our number one question we are getting in our daily work is how to connect a SAP system with a cloud service or a HTTP-based service.
Here we want to describe all aspects of this task.
¶ Definition of a Successful Connection
In this article we want to concentrate on the connection itself and the security aspects, mainly using SSL certificates for https connections. All other aspects like authentication methods and functional things are part of other articles. Therefore we consider a connection set-up “successful", when the targeted server (hosting the external service) returns any answer. The answer should have a HTTP status 200 or 202. But the successful answer can also be a HTTP status 404 (not found) or HTTP status 405 etc. At this point the IT infrastructure team has done its job and the functional teams must continue.
¶ System Architecture
There are several options for connecting SAP systems to external HTTP-based services. In the end you want to get a connection from SAP to the external service. We call this “SAP Outbound”. From a security perspective SAP Outbound connections are easy to handle, because there is nothing visible (no server, no port) from the internet. Port openings are done only SAP Outbound looking.
¶ Direct
SAP → External Service
In Detail, where names in brackets means optional: SAP → [Proxy] → [Firewall 1] → [Firewall 2] → External Service
In SAP ABAP a http client is created at runtime, which connects to the external service. Between the SAP system and the target server there may only be a proxy server and 1 or more firewalls.
¶ Connection via SAP BTP (Business Technology Platform)
SAP → SAP BTP → External Service
In Detail, where names in brackets means optional: SAP → [Proxy] → [Firewall 1] → [Firewall 2] → SAP BTP → External Service
SAP BTP is a cloud service from SAP SE. It is the successor of the on-premise SAP XI / PI / PO server.
¶ Connection via SAP XI / SAP PI / SAP PO
SAP → SAP XI/PI/PO → External Service
In Detail, where names in brackets means optional: SAP → SAP XI/PI/PO → [Proxy] → [Firewall 1] → [Firewall 2] → External Service
¶ Connection via EAI Server (Enterprise Application Integration)
SAP → EAI Server → External Service
Connection via an EAI server. The EAI server can be hosted on-premise or in the cloud.
¶ Connection via an API Manager
SAP → API Manager → External Service
Connection via an API Manager. API Manager server or services are focussed on JSON REST APIs and providing a security layer with OAuth and scopes for service access.
¶ SAP Transactions
With the following SAP transactions you should be able to get any SAP Outbound connection “connecting”.
¶ SM59 - Connection Set-up and Test
SAP transaction SM59 is still called “Configuration of RFC Connections”. However in this article we only look at “HTTP Connections to External Server” = Type G. Type H connections “HTTP Connections to ABAP Systems” are similar, but not in the focus here. The SAP RFC (unsecure!) protocol is normally not used and not recommended.
Note: For connections using SAP PI/XI/PO and for some EAI servers the SAP RFC protocol is used for the connection between SAP and the middleware server. Without any additional option like a VPN tunnel this part of the connection is unsecure.
¶ STRUST - SSL Certificates for HTTPS Connections
SAP transaction STRUST is the secure store for certificates. In our scenario we use public SSL certificates, which must be imported to a client storage area.
¶ SMICM - The SAP ABAP Web Server
SAP transaction SMICM is mainly meant for SAP Inbound connections. For SAP Outbound connections it must be used for checking the general availability of the HTTP and HTTPS services (ports are irrelevant), for reloading the certificate storage (after STRUST certificate import, not needed anymore on latest S/4HANA systems) and for tracing connection errors.
¶ Set-up and Testing the Connection
As example we take the VAT Check Service provided by the Austrian Tax Office.
This is a XML web service reachable only secure at https://finanzonline.bmf.gv.at/fon/ws/uidAbfrage/. Therefore we need to set-up a connection from our SAP system to the domain https://finanzonline.bmf.gv.at. Sometimes it is needed to take the full address, even for the connection test. This example works with just the domain, too. This is obvious, because the website (public and with login) is on the same domain.
¶ Connection Set-up
Transaction SM59
Create a new connection of type G.
¶ Tab "Technical Settings"
- Name and Description: Any text can be used
- Target Host: The destination server name or IP address. Example: finanzonline.bmf.gv.at
- Service No.: This is the port of the http service. For https services the default port is 443, for http services the default port is 80. If the external service uses the default ports, the field can stay empty.
- Path Prefix: The path of the external service. For the purpose of the connection test, this field can stay empty.
¶ Tab "Logon & Security"
You must use this tab only for HTTPS services. For HTTPS services the public SSL certificate must be uploaded with SAP transaction STRUST. See next chapter.
- SSL: Activate for HTTPS connections. Deactivate for unsecure HTTP connections.
- SSL Certificate: This is only relevant for HTTPS connections. Select the entry, where the SSL certificate was uploaded (or will be uploaded) in transaction STRUST. We recommend using
a) “DFAULT SSL Client (Standard)”. Alternatively you may use
b) “ANONYM SSL Client (Anonymous)”.
It is important to use a STRUST Client storage, because for SAP Outbound connections, SAP is the client, the requestor, the client proxy.
¶ Testing the Connection
You can test connections with the button “Connection Test” directly in transaction SM59.
Note: Testing the connection in your web browser does not help at all. It will just tell you, if you can connect from your notebook or from the server where the web browser was startet, will work. However we want to get a connection from a SAP server to the destination. So if you enter our example URL https://finanzonline.bmf.gv.at or https://finanzonline.bmf.gv.at/fon/ws/uidAbfrage/ you will most likely be able to connect. The public SSL certificate is imported into your browser automatically, by the way. In SAP we must do this manually with transaction STRUST.
¶ Pre-Conditions are (see next chapters for details)
- Save your connection settings
- SSL certificate uploaded in STRUST
- SMICM re-start for reading the SSL certificate into the SAP server (not needed for newer SAP systems)
- Proxy set-up for this particular SAP Outbound connection
- Firewall set-up for this particular SAP Outbound connection
¶ Start the connection test with the button “Connection Test”.
¶ Interpreting the test result
It is important to find out, what server gave the answer.
This is not always obvious. In chapter troubleshooting (see below) we collect typical error messages. At the end you must find out first, what server returned the answer and then you can find out, what it means and how to solve it.
- If the target server gives the answer, then the connection does generally work. The goal of “Connectivity” is reached! The next step will be to check the functionality of the call and the response from the external service.
- If the negative answer comes from the proxy server, you must check the settings there. Or you may not use a proxy at all.
- If the negative answer comes from a firewall, you must check the settings there.
- If no answer was given, you have got a timeout. If you use a proxy, check the proxy settings in your connection (in SM59). Otherwise the IT infrastructure team responsible for the firewalls must have a look.
¶ Connection Success for our Example
After pressing the button “Connection Test” the “Test Result” tab will be displayed. However more important are the other tabs.
For this web service we get the answer “HTTP Status = 405, Method Not Allowed”. This is a success message for the purpose of the connection test!
Why is this a success, you may ask. The connection test in SM50 always performs a HTTP method “GET” (same as a web browser, when entering an URL). The external web service however needs HTTP method “POST” and a payload (a XML request) in order to work.
Tab “Test Result”
Tab “Response Header Fields”
The response headers often contain the name or type of the target server. This is not the case in this example. However the http header “access-control-allow-origin=https://sso.finanzonline.bmf.gv.at" tells us, that the answer comes from our target destination https://finanzonline.bmf.gv.at
Tab “Response Body”
This tab is not really interesting. Better look at the next tab.
Here you see the response HTML formatted or a SAP internal error message, that the response cannot be displayed as html.
Tab “Response Text”
Here you see the response headers and the response body (if any) in text form.
In our example there was no response body.
¶ Connection Failure
1. Example, when removing the proxy in SM59 or proxy name or proxy port is wrong.
A typical proxy answer is “NIEHOST…”.
2. Example, when using wrong target host.
Used .gvv.at instead of .gv.at
3. Example, when the SSL certificate is missing in STRUST or not loaded into the web server
¶ SSL Certificate Upload with STRUST
Transaction STRUST
For securing HTTPS connections you must upload the public key pair certificate for the target domain. Nowadays sub-domains can have their own SSL certificate. Therefore you must use the certificate, which is used for you exact target domain. This may be a certificate with *.targetdomain.com or it could be sub.targetdomain.com
¶ Getting the SSL certificate
The SSL certificate can be downloaded from a web browser. Or the solution provider is sending you the SSL certificate.
We recommend always downloading the certificate with its chain (the certificates above).
Note: The SSL certificate for SAP Outbound connections are the Public Key Pair, which is used for encrypting the message (URL path, http headers, payload) before sending it to the target server. The target server contains the Private Key Pair in a secure storage and uses it to decrypt the incoming messages.
¶ Download a Public SSL certificate from your web browser
The download procedure depends on the web browser. In this example we are using Firefox on Ubuntu, because there are all options available.
- Enter the target URL and click on the security icon
2. Display the certificate information (View Certificate)
3. Download the certificate chain (PEM Chain)
¶ Uploading the SSL certificate in STRUST
Transaction STRUST
- Select the SSL store for uploading
2. Import the certificate into the Certificate List
3. Select the certificate file
4. Add the certificate to the Certificate List
5. Save the certificate
If the “Save” button is not available, just switch to change mode in STRUST using the icon at top left.
If the message “SSL PSE was saved (ICM was notified)” is shown after saving, you must re-start the SAP web server using transaction SMICM (see chapter below).
¶ Timing the replacement of SSL certificates
All SSL certificates have got a “valid to” date. At this date or some days earlier you will need to replace the Public SSL certificate in STRUST.
The difficult thing about this is, that in most cases we do not know, when a new Private Key Certificate will be installed on the target server.
If you cannot accept a period of time where the connection is broken because of a certificate change, you must get in contact with the provider of the external web service. The solution is, that you must get the new Public Key Certificate as soon as the SSL Key Pair is created. It is possible to upload 2 different certificates in STRUST for the same target domain. For example the current certificate for finanzonline.bmf.gv.at is valid until 18.06.2024. If we get the next certificate beginning of June 2024 with a validity period from e.g. 01.06.2024 until 30.05.2025 we can upload it in time and avoiding a broken connection to an external service.
¶ Re-Starting the SAP Web Server with SMICM
Whenever a certificate was changed in transaction STRUST, the SAP Web Server must be re-started. The Re-Start can be done at any time and does not require a downtime.
Note: On most SAP systems you will find a list of 10 services waiting for incoming http requests. The list is automatically extended, if no http service thread is available. For SAP Outbound Connections this list is not relevant.
Note: Since SAP S/4HANA Re-Starting is not necessary anymore. Please ask your SAP system administrator, if this is the case for your SAP system.
- Prepare the Re-Start
2. Perform the Re-Start
“Exit Soft” means, that currently running services will be finished first.
“Hard Shut Down” will immediately do the re-start.
“Local” means, that only the current application server will be re-startet
“Global” means, that all application servers will be re-started.
3. Confirm the Re-Start
4. Refresh the list
After a few seconds the re-start should be finished. Click on “Refresh” to see the service list disappear and soon appearing again.
5. Troubleshooting the Re-Start
Don't panic, if something goes wrong. Within seconds this can be solved.
a) Sometimes, when refreshing the list, a shortdump occurs. Just wait a few seconds and refresh again and the list will be shown again.
b) Sometimes the web server goes into maintenance mode. Just tell the server to leave the maintenance mode.
¶ The Role of the EPO Connector
The EPO Connector is an ABAP add-on, which allows you to implement SAP integrations with little effort. For SAP Outbound connections you can either use the connection, which is set-up in SAP transaction SM59 or do the similar connection in the SAP customizing of the EPO Connector. We recommend setting up all parameters directly in the EPO Connector set-up, because then all settings for a web service or a REST service are in one place. Additionally you do not have to worry about the “SM59 connections” when doing SAP system copies from production to test systems.
¶ Troubleshooting
If a new connection does not work after following this instruction, then look first at your connection architecture. You must find out at what point the connection fails.
Here we will collect error message, which may occur.
Please send an e-mail to support@epoconsulting.com if you have questions.