(optional) Additional Configurations

Additional Configurations for AWS Connector for SAP #

Overview #

This section provides information of additional configurations that can be performed in your SAP Server. These configurations are not mandatory to use AWS Connector for SAP but can help you to improve the user experience.

Topics #


1. Configure Automatic Amazon SSL Certificates Lifecycle Management #

If you decided to leverage the SSL Certificate management to your SAP server, you will need to follow this steps. Linke AWS Connector can take care of this certificate management automatically using report /LNKAWS/AWS_STRUST provided with the Add-on.

If you need additional information, please review SSL Certificates section in SAP Prerequisites

Procedure #

Follow the next steps to configure AWS Connector for automatic certificates management.

Create commands #

  • SAP Server needs to be able to execute openssl and wget commands from command line to download the certificates. wget will take care of the Amazon CA Root certificates, while openssl will download the AWS services certificates.

    Attention Required. Check Prepare your operating system section to ensure that your operating system is ready to download certificates.

    Follow the specific instructions for your operating system platform.

    Linux Operating Systems
    1. Open SM69 transaction and create a New command
    2. Indicate the following parameters per each command:
    • openssl

    • Command Name: ZOPENSSL

    • Operating System Command: openssl

    • wget

    • Command Name: WGET

    • Operating System Command: wget

    Leave the rest as default and Save.

    1. Repeat the process to create both services.
    Windows Operating Systems
    1. Create new entries for both commands in the /LNKAWS/CONST table (SM30) by setting the full path to where your openssl and wget executables are located in the Low field.

    Entry 1

    Program name: /LNKAWS/AWS_STRUST
    Field_name: PATH
    Counter: 1
    Sign: I (Select specified values)
    Options: EQ Equal to (= Low)
    Lower: <full_path>
    

    Entry 2

    Program name: /LNKAWS/OPENSSL_FILE
    Field_name: PATH
    Counter: 1
    Sign: I (Select specified values)
    Options: EQ Equal to (= Low)
    Lower: <full_path_to_openssl_executable>
    

    Entry 3

    Program name: /LNKAWS/WGET_FILE
    Field_name: PATH
    Counter: 2
    Sign: I (Select specified values)
    Options: EQ Equal to (= Low)
    Lower: <full_path_to_wget_executable>
    

    In the following example the executables are located in the \\<server>\sapmnt\trans\ directory /LNKAWS/CONST

    1. Open sm69 transaction and create a New command

    2. Indicate the following parameters per command:

    • openssl

      • Command Name: ZOPENSSL
      • Operating System Command: <full_path_to_openssl_executable>. Indicate the same path set in the /LNKAWS/CONST table.
    • wget

      • Command Name: WGET
      • Operating System Command: <full_path_to_wget_executable>. Indicate the same path set in the /LNKAWS/CONST table.

      Leave the rest as default and Save.

    1. Repeat the process to create both services.

Schedule job #

  • AWS certificates can be invalidated or expire. If that happens, new certificate(s) must be installed in STRUST to ensure AWS Connector can run properly. To ensure that the latest certificates are always stored in the STRUST transaction, schedule the following job in your SAP Server by following the next steps:

    1. Open transaction SM36

    2. Create a New Job.

    1. In the Define Background Job page, set /LNKAWS/LNKAWS_STRUST as the job name and click on the Steps button
    Image ALT
    1. In Create Step 1, set /LNKAWS/AWS_STRUST as the ABAP program name and Save
    Image ALT
    1. Go back to the main page by selecting Exit in the Step List Overview section.

    2. Press Start Condition, set the job periodicity and Save.

      Best Practice. It is recommended to schedule the job /LNKAWS/AWS_STRUST on a daily basis.


2. Configure AWS Connector for SAP to use Client Side Encryption #

You can use digital signatures and document encryption in your application to provide document security. Documents are then protected as independent objects using Secure Store and Forward (SSF) mechanisms. This means that the documents are secured regardless of where they are stored or how they are transported.

https://help.sap.com/saphelp_snc70/helpdata/EN/4d/bf6f77a2c5446a86e0152f1b309db6/content.htm?no_cache=true

The following actions are only required if you want to encrypt your data in the client side. Your SAP Server will use an encryption key stored in the STRUST transaction to encrypt/decrypt the data before it is sent to Amazon S3.

Image ALT

You can choose to use an automated encryption key created by AWS Connector in your SAP Server or to use a certificated of your own. Choose the scenario that best suits you.

  1. Use a SSL Encryption Key generated by AWS Connector for data encryption. #

    Information. This section is only a description of the automatic process. No manual action are required.

    If you select SSF will be automatically configured as soon as you create your first Bucket with the option Client Encrypt. AWS Connector creates an entry in Application-Specific SSF Parameter (table SSFAPPLIC) with key /LAWS/:

    Image ALT

    You will be able to find this same key in the SSF AWS Connector Section in the STRUST Transaction.

    Image ALT

  2. Set your own SSL certificate for data encryption. #

    To upload your own certificate, you will first need to enable Client Encrypt during bucket creation. Then the process will be the same as in the automatic procedure but we will substitute the automatically created key with your own certificate.

    Follow these steps to import your own certificate into the STRUST transaction

    • Run STRUST transaction.

    • Enter Edit mode to import the certificate.

  • Select the folder SSF AWS Connector and press Import certificate
Image ALT
  • In the new “Import Certificate” dialog, open the selector to find your own certificate.
Image ALT
  • Select your certificate file and accept.
Image ALT
  • Finally, back to the STRUST transaction, press “Add to Certificate List” and Save.
Image ALT