Principal Propagation with SAP Cloud Platform
1 like•2,944 views
The document discusses principal propagation with SAP Cloud Platform Automation Core, highlighting the benefits of automation such as repeatability and scalability. It emphasizes the importance of platform agnosticism, established technological principles, and the future assurance of technology solutions. The document also details the configuration and integration processes for using SAP systems with the cloud platform and the complexities involved with certificate handling and trust setups.
Principal Propagation with SAP Cloud Platform
- 1. Principal Propagation with SAP Cloud Platform
- 2. Automation Core • Technology improvements mean computing tasks previously requiring interaction with people, can be fully automated. • Automation brings repeatability, reduced error rates, easy scalability of service provision. Platform Agnostic • Future interoperability and open standards will mean businesses can swap easily between cloud providers. • It is key that solutions are designed to operate in such a platform agnostic manner outside the bounds of normal technical architecture design (i.e. no fixed O/S choices or fixed DB platforms). Established Technological Principals • Solutions today, should be built using already established technological principals. • Using bleeding edge rarely produces the perceived benefits in places such as core business systems, without significant buy-‐in from business leaders. • Pre-‐empting standards not already widely adopted, could produce a “Beta-‐Max” scenario. Future Assurance • Technology solutions should deliver for a minimum timeframe within the context of the lifecycle of the related business system. • Example: Re-‐writing scripts during any platform migration should not just use the coolest scripting language, they should use a commonly known language widely used and understood. Drivers
- 3. • Permits federated authentication (single-‐sign-‐on) into customer SAP systems via an IdP such as SAP IDM. • Authentication to on-‐premise SAP IDM is possible. • Subsequent SAP system can authenticate against the IDM generated SAP logon ticket (MYSAPSSO2 cookie) or SAML2 token. • SAP Cloud Platform (SCP) users (S-‐users) can use SAP Cloud Platform services such as Web IDE, authenticating into the customer SAP systems against their respective SAP system account in the IdP (usually their corporate identity). About Principal Propagation
- 4. • SAP Cloud Platform a.k.a. SCP (previously called SAP HANA Cloud). • A PaaS set of tools, utilities and cloud capabilities for use with SAP and non-‐ SAP products, all provided in the cloud. • Accessed over the internet. • Is the future of SAP software integration and will provide the basis for many SAP SaaS applications also. • Can be accessed from “on-‐premise” (or your cloud provider) using the SAP Cloud Connector (SCC), which acts as a reverse proxy. About SAP Cloud Platform
- 5. SCP SAP Cloud Platform Developer with S-‐user account. Destinations: BE1:1234 SAP Cloud Connector Sub-‐ Account: ABC123 BE1:1234 = https://be1.corp Trust Store CA Cert System Cert BE1 SSL Cert Chain Cloud “On-‐Premise” (Cloud be cloud hosted IaaS) IdP (SAP IDM) UME Developer corporate identity and account. BE1 – SAP (https://be1.corp) Optional Web Dispatcher Trust Store SCC CA Cert Target ICF Service ICM (+Web Dispatcher) Parameters: login/certificate_mapping_rulebased=”1“ icm/trusted_reverse_proxy_0=<SCC System CA> icm/HTTPS/verify_client=1 ICM Trust Store SCC CA Cert SSL HTTP HEADER SCC Cert Chain x.509 Client Cert SAML Token Customise: STRUST CERTRULE RZ10 Wdisp SSL Chain Architecture Overview
- 6. SCP: • Create S-‐user account(s). • Create destination to back-‐end SAP system via SCC with Principal Propagation enabled and pointing to your IdP. IdP: • SAML: Configure SAML token creation for SCP users after authentication. SCC: • Sub-‐Account: Register SCP sub-‐accounts for incoming connections from SCP. • On-‐Premise: Configure trust store with back-‐end SAP system SSL server cert and optional Web Disp SSL cert. • On-‐Premise: Configure Principal Propagation user x.509 client cert creation upon SAML token receipt. BE1: • ICM: Transaction STRUST to trust the SCC client x.509 cert. • AUTH: Transaction CERTRULE to map SCC dynamic x.509 client cert CN to SAP system user accounts. • ICM: Transaction RZ10 to configure ICM params to enable trusting of client x.509 certs forwarded in HTTP header. Optional Web Dispatcher: • ICM: Adding SCC client x.509 cert to the SAPSSLS PSE. • ICM: DEFAULT.PFL to configure ICM params to enable trusting of client x.509 certs forwarded in HTTP header. Areas for Configuration
- 7. • Principal Propagation should enable smooth efficient access to back-‐end SAP systems via the SAP Cloud Connector from the SAP Cloud Platform. • A secure setup is always recommended, paying attention to SAP recommendations for the SCC networking and HA. • The future direction of SAP integration will need to use the SCC more and more. Example: SAP Analytics Coud. • The Principal Propagation trust setup is complex and involves multiple certificates, leaving you open to the probability of certificate expiration causing an outage. Summary
- 8. SAP Notes: • SAP note 2462533 -‐ Configuring Principal Propagation to an ABAP System. • SAP note 2052899 -‐ ICM -‐ Multiple Trusted Reverse Proxies • SAP note 2461375 -‐ How to connect SAP Cloud Platform Identity Authentication Service to on-‐premise user store SAP Guides: • SCC secure setup recommendations: https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-‐ US/e7ea82a4bb571014a4ceb61cb7e3d31f.html • Configure Principal Propagation for an ABAP system: https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-‐ US/a8bb87a72d094e0d981d2b1f67df7bc3.html References
- 9. Thank You