Requisites Before Installation

Prerequisites

Overview

This section of the AWS Connector configuration process explains in detail the prerequisites that need to be met by your SAP server before you start installing the Add-on.

1. Ensure connectivity from your server to AWS Endpoints

Before you can start using AWS Connector for SAP, you will need to ensure that your SAP server is able to reach the AWS Services Endpoints.

More Information: https://docs.aws.amazon.com/general/latest/gr/rande.html#view-service-endpoints

All communication from the SAP server to AWS is done over HTTPS, so network connectivity must be allowed to at least the following endpoints.

  • Open connection to AWS Core Services Endpoints

    Some services need access to the root (global) service endpoint before they can redirect the client to the region where your resources are located. For that, you need to allow access from your SAP server to the following endpoints.

    Service   Endpoint                URL
    IAM       iam.amazonaws.com:443   https://docs.aws.amazon.com/general/latest/gr/iam-service.html
    S3        s3.amazonaws.com:443    https://docs.aws.amazon.com/general/latest/gr/s3.html
  • Open connection to AWS Regional Services Endpoints

    The rest of the AWS services accessed from SAP must be allowed access to the regional AWS endpoints. All regional endpoints follow this syntax:

    <service_name>.<aws_region>.amazonaws.com
    

    For instance, if your resources are stored in the eu-west-1 region:

    Service    Endpoint                             URL
    S3         s3.eu-west-1.amazonaws.com:443       https://docs.aws.amazon.com/general/latest/gr/s3.html
    SNS        sns.eu-west-1.amazonaws.com:443      https://docs.aws.amazon.com/general/latest/gr/sns.html
    SQS        sqs.eu-west-1.amazonaws.com:443      https://docs.aws.amazon.com/general/latest/gr/sqs-service.html
    Lambda     lambda.eu-west-1.amazonaws.com:443   https://docs.aws.amazon.com/general/latest/gr/lambda-service.html
    Athena     athena.eu-west-1.amazonaws.com:443   https://docs.aws.amazon.com/general/latest/gr/athena.html
    DynamoDB   dynamodb.eu-west-1.amazonaws.com:443 https://docs.aws.amazon.com/general/latest/gr/ddb.html

    Plus the regional endpoint of any additional service you use that is supported by AWS Connector.

  • Open Connection to CA and Issuer Certificate Endpoints

    Every server certificate chains to an issuer certificate and a root CA that vouch for its validity. Those CA certificates must also be present in your SAP server. AWS Connector for SAP can handle the Amazon SSL certificates automatically, but to do so it needs access to the following endpoints as well.

    Type                  Provider       Endpoint
    Issuer certificates   Amazon Trust   www.amazontrust.com:443
    CA certificates       DigiCert       dl.cacerts.digicert.com:443
  • Test connectivity

    To ensure that the connectivity has been properly granted, you can use one of the following tools to perform some tests.

    telnet <endpoint> <port>
    

    Example

    # telnet s3.eu-west-1.amazonaws.com 443
    
    Trying 52.218.62.35...
    Connected to s3.eu-west-1.amazonaws.com.
    Escape character is '^]'.
    

    Press Ctrl+C to close

    Common errors

    • Name or service not known. Ensure that your server can resolve public DNS names.
    # telnet s3.eu-west-1.amazonaws.com 443
    
    telnet: s3.eu-west-1.amazonaws.com: Name or service not known
    s3.eu-west-1.amazonaws.com: Unknown host
    
    • Stuck at "Trying ...". The server can resolve the name, but it cannot reach the HTTPS port of the destination.
    # telnet s3.eu-west-1.amazonaws.com 443
    
    Trying 52.218.98.59...
    

    Reference Guide: https://curl.se/docs/manual.html

    curl -v https://<endpoint>:<port>
    

    Example (this run uses plain http:// on port 80; run it with https:// as in the command above to also exercise port 443 and the TLS handshake)

    # curl -v http://s3.eu-west-1.amazonaws.com
    
    *   Trying 52.218.20.148:80...
    * Connected to s3.eu-west-1.amazonaws.com (52.218.20.148) port 80 (#0)
    > GET / HTTP/1.1
    > Host: s3.eu-west-1.amazonaws.com
    > User-Agent: curl/7.69.1
    > Accept: */*
    > 
    * Mark bundle as not supporting multiuse
    < HTTP/1.1 307 Temporary Redirect
    < x-amz-id-2: JH/CXZvDWKZ/byo+HOIK8lSdXh/LnfzEvQBM+o0vWnQ02t6WxARttqzQMhu+IFsqSaJCYZj2E8g=
    < x-amz-request-id: A2FE83DB7EE23B7E
    < Date: Tue, 13 Oct 2020 16:42:25 GMT
    < Location: https://aws.amazon.com/s3/
    < Content-Length: 0
    < Server: AmazonS3
    < 
    * Connection #0 to host s3.eu-west-1.amazonaws.com left intact
    

    Known Errors

    • Name can not be resolved. Ensure that your server can resolve public DNS names.
    # curl -v http://s3.eu-west-1.amazonaws.com
    
    * Could not resolve host: s3.eu-west-1.amazonaws.com
    * Closing connection 0
    curl: (6) Could not resolve host: s3.eu-west-1.amazonaws.com
    
    • Stuck at "Trying ...". The server can resolve the name, but it cannot reach the HTTPS port of the destination.
    # curl -v https://s3.eu-west-1.amazonaws.com
    
    *   Trying 52.218.98.59:443...
    

    Reference Guide: https://nmap.org/book/man.html

    nmap -p <port> --script ssl-cert <endpoint>
    

    Example

    # nmap -p 443 --script ssl-cert s3.eu-west-1.amazonaws.com
    
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-13 20:14 CEST
    Nmap scan report for s3.eu-west-1.amazonaws.com (52.218.24.219)
    Host is up (0.044s latency).
    rDNS record for 52.218.24.219: s3-eu-west-1.amazonaws.com
    
    PORT    STATE SERVICE
    443/tcp open  https
    | ssl-cert: Subject: commonName=*.s3-eu-west-1.amazonaws.com/organizationName=Amazon.com, Inc./stateOrProvinceName=Washington/countryName=US
    | Subject Alternative Name: DNS:s3-eu-west-1.amazonaws.com, DNS:*.s3-eu-west-1.amazonaws.com, DNS:s3.eu-west-1.amazonaws.com, DNS:*.s3.eu-west-1.amazonaws.com, DNS:s3.dualstack.eu-west-1.amazonaws.com, DNS:*.s3.dualstack.eu-west-1.amazonaws.com, DNS:*.s3.amazonaws.com, DNS:*.s3-control.eu-west-1.amazonaws.com, DNS:s3-control.eu-west-1.amazonaws.com, DNS:*.s3-control.dualstack.eu-west-1.amazonaws.com, DNS:s3-control.dualstack.eu-west-1.amazonaws.com, DNS:*.s3-accesspoint.eu-west-1.amazonaws.com, DNS:*.s3-accesspoint.dualstack.eu-west-1.amazonaws.com, DNS:*.s3.eu-west-1.vpce.amazonaws.com
    | Issuer: commonName=DigiCert Baltimore CA-2 G2/organizationName=DigiCert Inc/countryName=US
    | Public Key type: rsa
    | Public Key bits: 2048
    | Signature Algorithm: sha256WithRSAEncryption
    | Not valid before: 2020-08-04T00:00:00
    | Not valid after:  2021-08-09T12:00:00
    | MD5:   e160 590c b4d7 9780 4129 6a54 bfe2 e45d
    |_SHA-1: 5e7c be8d abc2 1f27 d666 bd6c 7e2b 04eb 5628 2317
    
    Nmap done: 1 IP address (1 host up) scanned in 6.26 seconds
    
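The telnet, curl and nmap checks above combined into one script, as an added example that is not part of the original documentation: it resolves each endpoint, opens the TCP connection and completes a TLS handshake, and classifies a failure as DNS, TCP or TLS in the same way the error cases above are described. The endpoint lists come from the tables above; the region eu-west-1 is an assumed value.

```python
"""Added example: pre-check AWS Connector for SAP endpoints from the SAP host.
Each endpoint is reported as OK, or as a DNS, TCP or TLS failure, mirroring
the telnet/curl/nmap error cases in the documentation."""
import socket
import ssl

# Endpoint lists as given in the tables above.
CORE_ENDPOINTS = ["iam.amazonaws.com", "s3.amazonaws.com"]
CERT_ENDPOINTS = ["www.amazontrust.com", "dl.cacerts.digicert.com"]
REGIONAL_SERVICES = ["s3", "sns", "sqs", "lambda", "athena", "dynamodb"]


def regional_endpoints(region, services=REGIONAL_SERVICES):
    """Build <service>.<region>.amazonaws.com names for the services the connector uses."""
    return [f"{svc}.{region}.amazonaws.com" for svc in services]


def classify_error(exc):
    """Map a socket/ssl exception to the stage at which the connection failed."""
    if isinstance(exc, socket.gaierror):
        return "DNS: name cannot be resolved (check resolver / public DNS access)"
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "TLS: certificate chain not trusted by this host's CA store"
    if isinstance(exc, ssl.SSLError):
        return "TLS: handshake failed (proxy or inspection device in the path?)"
    if isinstance(exc, (socket.timeout, ConnectionRefusedError)):
        return "TCP: port not reachable (firewall, proxy or security group)"
    return f"other: {exc!r}"


def check_endpoint(host, port=443, timeout=5.0):
    """Resolve, connect and complete a TLS handshake; return (status, detail)."""
    ctx = ssl.create_default_context()  # verifies against the OS trust store, not STRUST
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                issuer = dict(pair[0] for pair in cert["issuer"])
                return "OK", f"{tls.version()} issuer={issuer.get('commonName')} expires={cert['notAfter']}"
    except OSError as exc:  # gaierror, timeout, SSLError are all OSError subclasses
        return "FAIL", classify_error(exc)


def run_checks(region="eu-west-1"):  # region is an assumed value; use your own
    return {host: check_endpoint(host)
            for host in CORE_ENDPOINTS + regional_endpoints(region) + CERT_ENDPOINTS}


if __name__ == "__main__":
    for host, (status, detail) in run_checks().items():
        print(f"{status:4} {host:40} {detail}")
```

An OK result only proves the chain validates against the operating system's CA store; the certificates still have to be present in STRUST for the AS ABAP itself.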

2. Create or Prepare the needed AWS Resources in your account

AWS Connector for SAP uses an IAM user to connect to the AWS services. This IAM user has an IAM policy attached with the permissions needed to access the AWS resources, following the least-privilege principle.

  • Creating the IAM User and Policy

    The following guide will help you to create the proper AWS resources in IAM.

    1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

    2. In the navigation panel, choose Users and then choose Add user.

    3. Type the user name for the new user.

    4. Select Programmatic access. This creates an access key for each new user. You can view or download the access keys when you get to the Final page.

    5. Choose Next: Permissions.

    6. Choose Attach existing policies to user directly.

    7. Choose Create policy to open a new browser tab and create a new policy from scratch. For more information, see step 4 in the AWS documentation Creating IAM policies (console). Use the policy below as an example to create your IAM policy.

      1. Specify a name and a description (optional) for the Policy.

      2. Add the proper permissions. Use the following policy as an example.

        Attention required. The following example allows the SAP Server to access a specific Amazon S3 bucket and encrypt/decrypt the data stored on it with a specific key.

        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "s3:ListAllMyBuckets",
                "s3:HeadBucket",
                "ec2:DescribeRegions",
                "kms:ListKeys",
                "kms:ListAliases"
              ],
              "Resource": "*"
            },
            {
              "Effect": "Allow",
              "Action": "s3:*",
              "Resource": [
                "arn:aws:s3:::<SAPSID>_*",
                "arn:aws:s3:::<SAPSID>_*/*"
              ]
            },
            {
              "Effect": "Allow",
              "Action": ["kms:Decrypt", "kms:Encrypt", "kms:GetKeyPolicy"],
              "Resource": [
                "arn:aws:kms:<YOUR_AWS_REGION>:<YOUR_AWS_ACCOUNT>:key/<KEY_ID_OR_ALIAS>"
              ]
            }
          ]
        }

      3. Choose Create policy and close the browser tab.

      4. Return to the user creation tab and select the newly created policy.

    8. Choose Next: Tags.

    9. Add your tags if required.

    10. Choose Next: Review.

    11. Choose Create user if all data is correct.

    12. Note down or download the credentials created. They will be used during the configuration process.
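A small helper, added here as an example and not part of the AWS Connector documentation, that fills the placeholders of the policy template shown in step 7 and reports which actions the rendered policy grants on every resource ("*"), so the least-privilege statement can be checked before the policy is created. The SID, account and key values used are constructed samples.

```python
"""Added example: render the IAM policy template from the page and audit it."""
import json
import re

# The policy from step 7, with the page's own angle-bracket placeholders.
POLICY_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:ListAllMyBuckets", "s3:HeadBucket", "ec2:DescribeRegions",
                "kms:ListKeys", "kms:ListAliases"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::<SAPSID>_*", "arn:aws:s3:::<SAPSID>_*/*"]},
    {"Effect": "Allow",
     "Action": ["kms:Decrypt", "kms:Encrypt", "kms:GetKeyPolicy"],
     "Resource": ["arn:aws:kms:<YOUR_AWS_REGION>:<YOUR_AWS_ACCOUNT>:key/<KEY_ID_OR_ALIAS>"]}
  ]
}"""


def render_policy(sapsid, region, account, key_id):
    """Substitute the placeholders and parse the result as a JSON policy document."""
    text = (POLICY_TEMPLATE.replace("<SAPSID>", sapsid)
            .replace("<YOUR_AWS_REGION>", region)
            .replace("<YOUR_AWS_ACCOUNT>", account)
            .replace("<KEY_ID_OR_ALIAS>", key_id))
    return json.loads(text)


def _as_list(value):
    # IAM allows Action/Resource as a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def wildcard_actions(policy):
    """Actions granted on Resource "*"; for this policy they should be discovery calls only."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource", [])):
            found.update(_as_list(stmt["Action"]))
    return sorted(found)


def unresolved_placeholders(policy):
    """Any <...> token still present means a value was not filled in before upload."""
    return sorted(set(re.findall(r"<[A-Z_]+>", json.dumps(policy))))


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    rendered = render_policy("PRD", "eu-west-1", "123456789012", "11111111-2222-3333-4444-555555555555")
    print("granted on *:", wildcard_actions(rendered))
    print("unresolved:", unresolved_placeholders(rendered))
```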


3. Prepare your SAP Server to use AWS Connector for SAP

As with any SAP NetWeaver based server, implementing AWS Connector for SAP requires SSL (Secure Sockets Layer) security to be set up for the ABAP system so that it can establish secure, encrypted communications. SSL is a communication method whereby secure communication between system entities is achieved through encryption based on X.509 certificates issued by Certificate Authorities (CAs), used together with public/private key pairs.

For your SAP server to connect to AWS services, you need to ensure that it meets all SAP requirements for enabling SSL communication.

You can find a detailed guide on how to configure SSL in an ABAP system in the following SAP Help Guide: https://help.sap.com/viewer/e73bba71770e4c0ca5fb2a3c17e8e229/7.5.9/en-US/4923501ebf5a1902e10000000a42189c.html

All communication from the SAP server to AWS is done over HTTPS, using the SSL setup described above.

  • Ensure that all mandatory prerequisites are met before continuing with the AWS Connector for SAP installation.

    1. Check the minimum SAP version required:

      • SAP Netweaver 7.0 or higher (SAP Kernel release 720 or higher)
      • SAP S/4HANA 1609 or higher (SAP Kernel release 753 or higher)
      • BW/4HANA 1.0
      • BW/4HANA 2.0
      • SAP SLT on SAP Netweaver 7.40 or higher
      • EHP3 FOR SAP CRM 7.0
    2. The Change and Transport System (CTS) is configured correctly and there is enough free space in the transport directory (UNIX: /usr/sap/trans).

    3. You are using the latest version, or at least SP58, of the SAP Add-On Installation Tool.

    4. Ensure that SAP Cryptographic Library is properly installed (minimum CommonCryptoLib version 8.4.38, recommended 8.4.49)

      More information: SAP Note 1848999 - Central Note for CommonCryptoLib 8 (SAPCRYPTOLIB)
    5. Check that your SAP Server is ready to run ABAP Webdynpros

      More information: SAP Note 1088717 - Active services for Web Dynpro ABAP in transaction SICF
    6. Both ICM services, HTTP and HTTPS, must be configured and active.

    7. You must be able to log on to client 000 with a user that has enough privileges to install the Add-On.

    8. (optional) KMS encryption profile parameters. If you want to use KMS for encryption, the following parameters must be set in the SAP default or instance profile.

      ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH
      ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH
      icm/HTTPS/client_sni_enabled = TRUE
      ssl/client_sni_enabled = TRUE
      
      More information: SAP Note 510007 - Additional considerations for setting up SSL on Application Server ABAP
    9. Connectivity to AWS services granted. See section 1, Ensure connectivity from your server to AWS Endpoints.

    10. Import the Amazon SSL Certificates into the STRUST transaction (skip this step if you plan to automate this process with AWS Connector for SAP)

      To establish outgoing connections that use SSL, the AS ABAP must possess an SSL client PSE. There are different types of SSL client PSEs that the server can use (that is, standard, individual, or anonymous). The standard SSL client PSE is used by default, so we recommend creating this PSE, even if it is not explicitly being used at this time.

      For AS ABAP to establish connections with AWS services, the following certificates must be downloaded and stored in the STRUST transaction.

      Importing certificates to SAP STRUST transaction

      You can perform this action manually by downloading the certificates and adding them in the STRUST transaction, following SAP Note 2521098 - How to import a certificate in ABAP using STRUST transaction.

      Or you can delegate the process to SAP by configuring the /LNKAWS/AWS_STRUST report to do it, following the instructions in the Configure Add-On section.

      Certificate list

      Root Certificates
      AWS Core Services Certificates

      In addition to the AWS Core certificates, the certificates for the specific region where your AWS resources are created must also be downloaded and stored in the STRUST transaction.

      AWS Regional Service Endpoints Certificates

      Example if your resources are stored in the eu-west-1 region.


4. (optional) Install required software in your server to download Amazon SSL Certificates

This section describes the software needed to allow the SAP server to download the proper Amazon SSL certificates from their endpoints. AWS Connector uses the listed software packages to retrieve the certificates and import them into the STRUST transaction.

Attention required. These steps are only required if you plan to manage the Amazon SSL certificates through AWS Connector for SAP (see Configure Automatic Amazon SSL Certificates Lifecycle Management for more information). If you plan to upload the certificates manually to the STRUST transaction in your SAP system, you can skip this section.

Ensure that the following packages are installed and accessible to the SAP administrator user (<sid>adm).

  1. Amazon S3 endpoint certificate retrieval (OpenSSL)

    Minimum version recommended   Official website
    1.1.0                         https://www.openssl.org/

    Proxy requirements.

    If the server must use a proxy to access the internet, OpenSSL version 1.1.0 or later is mandatory. If the operating system only supports older versions of OpenSSL, this can be worked around by installing proxytunnel or similar software on the system.

    You can find your current OpenSSL version by executing the following command:

    openssl version
    

    Output sample:

    OpenSSL 1.1.1h FIPS 22 Sep 2020
    
  2. CA and issuer certificate retrieval (wget)

    Minimum version recommended   Official website
    1.20                          https://www.gnu.org/software/wget/

    You can find your current wget version by executing the following command:

    wget --version
    

    Output sample:

    GNU Wget 1.20.3 built on linux-gnu.
    
    -cares +digest +gpgme +https +ipv6 +iri +large-file +metalink +nls 
    +ntlm +opie +psl +ssl/gnutls