Skip to main content

Celonis Product Documentation

Advanced Connection Configurations

The SAP Extractor supports connecting via an SAP Message Server. To use this functionality simply check the option 'Use Logon Group (SAP Load Balancing)' and configure the following options:

1) Enter the host name or IP of your SAP Message Server

22119941.png

2) Enter the port number of your SAP Message Server (36<INSTANCE NUMBER>)

22119942.png

3) Enter the Logon Group identifying your set of SAP application servers (e.g. PUBLIC)

22119943.png

Finally fill in the rest of the standard required connection fields and save the connection

This documentation references a blog post on the SAP forums (indicated in orange): https://blogs.sap.com/2006/09/29/setup-data-encryption-between-rfc-client-and-web-as-abap-with-snc/

Additional to the settings in the blog article, it may be necessary to set snc/gssapi_lib in the profile.

Preparations in the SAP system
  1. To get started, we need to setup SNC on the SAP Server (Blog → Setup SNC on the ABAP Server)

  2. Save the certificate for your SAP Server's SNC PSE (Blog → Export Server Certificate)

Preparations on the extractor server
  1. To create our client PSE, from the extractor installation directory run the 'snc_create_pse.sh' script, providing your desired distinguished name and PSE password, e.g.:

    1. ./snc_create_pse.sh "CN=<YOUR_CHOSEN_CN>, OU=IT, O=CELONIS, C=DE" <your_chosen_password>

  2. Now add add the certificate from step 2 above by running the 'snc_add_pse_cert.sh', providing the same PSE password provided when generating it e.g.:

    1. ./snc_add_pse_cert.sh ~/IDES.crt <your_chosen_password>

  3. As part of step 1 a client certificate is also generated named 'RFC.crt'. Import it into your SNC PSE on the SAP system (Blog → Import Client Certificate to Server PSE)

  4. Start the extractor using ./start_with_snc.sh (if started from outside of the extractor installation directory then please provide it as a parameter to the script)

  5. Use the distinguished name of the SAP Server's SNC PSE certificate as the SNC partner name in your Data Connection, e.g 'p:CN=IDES, OU=DEV, O=CELONIS, C=DE' (don't forget the p!)

Steps 2 - 3 can be repeated for each SAP Server you wish to connect to, afterwards just create separate Data Connections with the appropriate SNC partner names

Considerations when running as a Windows service

The provided 'install_with_snc.bat' will install a Windows service that bootstraps the extractor for SNC connections. Please ensure the service runs as the user that ran 'snc_create_pse.bat' script by following these steps:

  1. Open the Administrative Tools > Services window on your Windows server

  2. Stop the service

  3. Open the Properties > Log On dialog

  4. Change the service user account to the user that ran 'snc_create_pse.bat'

  5. Start the service

  6. After allowing around 20-30 seconds for the service to start up, try the connection test

Additionally, when

For pseudonymization, the extractor invokes the native SAP function CALCULATE_HASH_FOR_CHAR. By default the SHA1 algorithm is used. Starting from RFC Module version 1.8.2 two more algorithms are supported - SHA256 and SHA512. All of the pseudonymization happens on the SAP side, extraction runtime.

SHA 256 is supported out of the box, but for SHA512 an additional transport should be imported (attached below). This package is distributed separately from standard RFC Module because older SAP versions don't support the SHA512 method.

The algorithm is defined in the application-local.yml file. Make sure to uncomment the row before saving the change.

Restart the extractor for the changes to take effect.

35555075.png

File

Modified

ZIP ArchiveCelonis_RFC_Data_Extraction_SHA512_Extension.zip

Jun 19, 2020byCelonis

Labels

  • No labels

  • Edit Labels

Preview$itemLabel $itemLabel

The standard implementation of Celonis SAP Extractor assumes direct communication between the Extractor service and the RFC Module. However, some customers use PI/PO as mediator between all external parties and SAP systems, and therefore direct communication between the Extractor service and RFC Module is impossible.

To make this happen Celonis also supports extraction via PI/PO. In this scenario, the Extractor service will conduct all communications with the RFC module via PI/PO. We can communicate via RFC Adapters, or SOAP endpoints.

For the integration via SOAP Adapter, the customer should create adapters/endpoints in PI/PO and map them to the RFC Functions of our RFC package. Then they should generate WSDL files for these endpoints, which will later be used when setting up the connection between EMS and SAP.

The functions in the following Function Groups should be mapped:

  • /CELONIS/EXTRACTION

  • /CELONIS/CL_EXTRACTION (required only for the real-time)

Note

RFC Module should be setup as usual on SAP side for PI/PO connection to work.

The diagrams below describe how the systems communicate with each other.

50727141.png
41195744.png