Additional Configurations for AWS Connector for SAP #
Overview #
This section provides information of additional configurations that can be performed in your SAP Server. These configurations are not mandatory to use AWS Connector for SAP but can help you to improve the user experience.
Topics #
- Configure Automatic Amazon SSL Certificates Lifecycle Management
- Configure AWS Connector for SAP to use Client Side Encryption
1. Configure Automatic Amazon SSL Certificates Lifecycle Management #
If you decided to leverage the SSL Certificate management to your SAP server, you will need to follow this steps. Linke AWS Connector can take care of this certificate management automatically using report /LNKAWS/AWS_STRUST provided with the Add-on.
If you need additional information, please review SSL Certificates section in SAP Prerequisites
Procedure #
Follow the next steps to configure AWS Connector for automatic certificates management.
Create commands #
-
SAP Server needs to be able to execute
opensslandwgetcommands from command line to download the certificates.wgetwill take care of the Amazon CA Root certificates, whileopensslwill download the AWS services certificates.Attention Required. Check Prepare your operating system section to ensure that your operating system is ready to download certificates.
Follow the specific instructions for your operating system platform.
Linux Operating Systems
- Open
SM69transaction and create a New command - Indicate the following parameters per each command:
-
openssl
-
Command Name: ZOPENSSL
-
Operating System Command: openssl
-
wget
-
Command Name: WGET
-
Operating System Command: wget
Leave the rest as default and Save.
- Repeat the process to create both services.
Windows Operating Systems
- Create new entries for both commands in the /LNKAWS/CONST table (SM30) by setting the full path to where your openssl and wget executables are located in the Low field.
Entry 1
Program name: /LNKAWS/AWS_STRUST Field_name: PATH Counter: 1 Sign: I (Select specified values) Options: EQ Equal to (= Low) Lower: <full_path>Entry 2
Program name: /LNKAWS/OPENSSL_FILE Field_name: PATH Counter: 1 Sign: I (Select specified values) Options: EQ Equal to (= Low) Lower: <full_path_to_openssl_executable>Entry 3
Program name: /LNKAWS/WGET_FILE Field_name: PATH Counter: 2 Sign: I (Select specified values) Options: EQ Equal to (= Low) Lower: <full_path_to_wget_executable>In the following example the executables are located in the
\\<server>\sapmnt\trans\directory
-
Open
sm69transaction and create a New command -
Indicate the following parameters per command:
-
openssl
- Command Name: ZOPENSSL
- Operating System Command: <full_path_to_openssl_executable>. Indicate the same path set in the /LNKAWS/CONST table.
-
wget
- Command Name: WGET
- Operating System Command: <full_path_to_wget_executable>. Indicate the same path set in the /LNKAWS/CONST table.
Leave the rest as default and Save.
- Repeat the process to create both services.
- Open
Schedule job #
-
AWS certificates can be invalidated or expire. If that happens, new certificate(s) must be installed in STRUST to ensure AWS Connector can run properly. To ensure that the latest certificates are always stored in the STRUST transaction, schedule the following job in your SAP Server by following the next steps:
-
Open transaction SM36
-
Create a New Job.
- In the Define Background Job page, set
/LNKAWS/LNKAWS_STRUSTas the job name and click on the Steps button
- In Create Step 1, set
/LNKAWS/AWS_STRUSTas the ABAP program name and Save
-
Go back to the main page by selecting Exit in the Step List Overview section.
-
Press Start Condition, set the job periodicity and Save.
Best Practice. It is recommended to schedule the job
/LNKAWS/AWS_STRUSTon a daily basis.
-
2. Configure AWS Connector for SAP to use Client Side Encryption #
You can use digital signatures and document encryption in your application to provide document security. Documents are then protected as independent objects using Secure Store and Forward (SSF) mechanisms. This means that the documents are secured regardless of where they are stored or how they are transported.
https://help.sap.com/saphelp_snc70/helpdata/EN/4d/bf6f77a2c5446a86e0152f1b309db6/content.htm?no_cache=true
The following actions are only required if you want to encrypt your data in the client side. Your SAP Server will use an encryption key stored in the STRUST transaction to encrypt/decrypt the data before it is sent to Amazon S3.
You can choose to use an automated encryption key created by AWS Connector in your SAP Server or to use a certificated of your own. Choose the scenario that best suits you.
-
Use a SSL Encryption Key generated by AWS Connector for data encryption. #
Information. This section is only a description of the automatic process. No manual action are required.
If you select
SSFwill be automatically configured as soon as you create your first Bucket with the optionClient Encrypt. AWS Connector creates an entry inApplication-SpecificSSF Parameter (tableSSFAPPLIC) with key/LAWS/:
You will be able to find this same key in the
SSF AWS ConnectorSection in the STRUST Transaction.
-
Set your own SSL certificate for data encryption. #
To upload your own certificate, you will first need to enable
Client Encryptduring bucket creation. Then the process will be the same as in the automatic procedure but we will substitute the automatically created key with your own certificate.Follow these steps to import your own certificate into the STRUST transaction
-
Run STRUST transaction.
-
Enter Edit mode to import the certificate.
-
- Select the folder SSF AWS Connector and press Import certificate
- In the new “Import Certificate” dialog, open the selector to find your own certificate.
- Select your certificate file and accept.
- Finally, back to the STRUST transaction, press “Add to Certificate List” and Save.
