Celonis Product Documentation

Advanced SAP connection configuration

When configuring the connection between your SAP system and the Celonis Platform, the following configuration options are available:

The SAP Extractor supports connecting via an SAP Message Server. To use this functionality simply check the option 'Use Logon Group (SAP Load Balancing)' and configure the following options:

1) Enter the host name or IP of your SAP Message Server

2) Enter the port number of your SAP Message Server (36<INSTANCE NUMBER>)

3) Enter the Logon Group identifying your set of SAP application servers (e.g. PUBLIC)

Finally, fill in the remaining required connection fields and save the connection.

This documentation references a blog post on the SAP forums (indicated in orange): https://blogs.sap.com/2006/09/29/setup-data-encryption-between-rfc-client-and-web-as-abap-with-snc/

In addition to the settings in the blog article, it may be necessary to set snc/gssapi_lib in the profile.

Preparations in the SAP system
  1. To get started, set up SNC on the SAP Server (Blog → Setup SNC on the ABAP Server)

  2. Save the certificate for your SAP Server's SNC PSE (Blog → Export Server Certificate)

Preparations on the extractor server
  1. To create our client PSE, from the extractor installation directory run the 'snc_create_pse.sh' script, providing your desired distinguished name and PSE password, e.g.:

    1. ./snc_create_pse.sh "CN=<YOUR_CHOSEN_CN>, OU=IT, O=CELONIS, C=DE" <your_chosen_password>

  2. Now add the SAP Server certificate saved in step 2 above by running the 'snc_add_pse_cert.sh' script, providing the same PSE password you chose when creating the PSE, e.g.:

    1. ./snc_add_pse_cert.sh ~/IDES.crt <your_chosen_password>

  3. Step 1 also generates a client certificate named 'RFC.crt'. Import it into your SNC PSE on the SAP system (Blog → Import Client Certificate to Server PSE)

  4. Start the extractor using ./start_with_snc.sh (if you start it from outside the extractor installation directory, provide that directory as a parameter to the script)

  5. Use the distinguished name of the SAP Server's SNC PSE certificate as the SNC partner name in your Data Connection, e.g. 'p:CN=IDES, OU=DEV, O=CELONIS, C=DE' (don't forget the 'p:' prefix!)

Steps 2 - 3 can be repeated for each SAP Server you wish to connect to. Afterwards, create separate Data Connections with the appropriate SNC partner names.
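A pre-flight check for the SNC partner name from step 5, as an added example that is not part of the Celonis tooling: it compares the name entered in the Data Connection with the subject DN of the SAP Server's SNC PSE certificate and reports a missing 'p:' prefix, reversed RDN order, or differing RDNs. The function names are hypothetical, and the normalization (whitespace around RDNs ignored, attribute types case-insensitive, values case-sensitive) is an assumption of this example, not documented SAP behaviour.

```python
import re

def parse_dn(dn):
    """Split 'CN=IDES, OU=DEV' into [('CN', 'IDES'), ('OU', 'DEV')].
    Commas escaped with a backslash stay inside the value."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part.strip()!r}")
        # Assumption: attribute types compare case-insensitively, values do not.
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def check_partner_name(partner_name, cert_subject):
    """Return a list of problems; an empty list means the name matches."""
    if not partner_name.startswith("p:"):
        return ["SNC partner name must start with 'p:'"]
    try:
        want = parse_dn(cert_subject)
        got = parse_dn(partner_name[2:])
    except ValueError as exc:
        return [str(exc)]
    if got == want:
        return []
    if got == want[::-1]:
        # Typical when the DN was copied from a tool that prints C=... first.
        return ["RDNs are in reverse order compared with the certificate subject"]
    problems = [f"missing or different RDN: {a}={v}" for a, v in want if (a, v) not in got]
    problems += [f"unexpected RDN: {a}={v}" for a, v in got if (a, v) not in want]
    return problems or ["same RDNs but in a different order"]

if __name__ == "__main__":
    # Constructed sample values, based on the example DN used on this page.
    subject = "CN=IDES, OU=DEV, O=CELONIS, C=DE"
    for name in ("p:CN=IDES, OU=DEV, O=CELONIS, C=DE",
                 "CN=IDES, OU=DEV, O=CELONIS, C=DE",
                 "p:C=DE, O=CELONIS, OU=DEV, CN=IDES"):
        print(name, "->", check_partner_name(name, subject) or "OK")
```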

Considerations when running as a Windows service

The provided 'install_with_snc.bat' will install a Windows service that bootstraps the extractor for SNC connections.

  1. Open the Administrative Tools > Services window on your Windows server

  2. Stop the service

  3. Open the Properties > Log On dialog

  4. Change the service user account to the user that ran 'snc_create_pse.bat'

  5. Start the service

  6. After allowing around 20-30 seconds for the service to start up, try the connection test

For pseudonymization, the extractor invokes the native SAP function CALCULATE_HASH_FOR_CHAR. By default the SHA1 algorithm is used. Starting from RFC Module version 1.8.2, two more algorithms are supported: SHA256 and SHA512. All of the pseudonymization happens on the SAP side, at extraction runtime.

SHA256 is supported out of the box, but for SHA512 an additional transport should be imported (attached below). This package is distributed separately from the standard RFC Module because older SAP versions don't support the SHA512 method.

The algorithm is defined in the application-local.yml file. Make sure to uncomment the row before saving the change.

Restart the extractor for the changes to take effect.

The standard implementation of Celonis SAP Extractor assumes direct communication between the Extractor service and the RFC Module. However, some customers use PI/PO as mediator between all external parties and SAP systems, and therefore direct communication between the Extractor service and RFC Module is impossible.

For this scenario, Celonis also supports extraction via PI/PO. The Extractor service then conducts all communication with the RFC Module via PI/PO, using either RFC Adapters or SOAP endpoints.

For the integration via SOAP Adapter, the customer should create adapters/endpoints in PI/PO and map them to the RFC Functions of our RFC package. Then they should generate WSDL files for these endpoints, which will later be used when setting up the connection between Celonis Platform and SAP.

The following Function Modules should be mapped:

  • /CELONIS/FM_NEW_EXTRACT

  • /CELONIS/FM_CANCEL_EXTRACT

  • /CELONIS/FM_CLEANUP_FILES

  • /CELONIS/FM_GET_JOB_STATUS

  • /CELONIS/FM_CONFIG_TEST

  • /CELONIS/FM_GET_EXTR_FILE_LIST

  • /CELONIS/FM_GET_EXTRACT_FILE

  • /CELONIS/FM_DELETE_JOB_LOG

  • /CELONIS/FM_GET_JOB_LOG

  • /CELONIS/FM_GET_SYS_INFO

  • /CELONIS/FM_GET_TABLE_LIST

  • /CELONIS/FM_GET_CHECKED_TABLES

  • /CELONIS/FM_GET_TABLE_METADATA

  • /CELONIS/FM_CL_NEW_EXTRACT (required only for real-time extractions)

  • /CELONIS/FM_CL_RM_EXTRACT (required only for real-time extractions)

  • /CELONIS/FM_CL_GET_TABLE_NAME (required only for real-time extractions)

These are part of the Function Groups: /CELONIS/EXTRACTION and /CELONIS/CL_EXTRACTION.
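A coverage check for the WSDL files generated from the PI/PO endpoints, as an added example that is not Celonis code: it lists function modules from the list above that no WSDL operation exposes, and operations that correspond to nothing on that list. It assumes each operation is named after its function module, with "/" either literal or escaped as "_-"; the sample WSDL and all function and variable names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

WSDL_OPERATION = "{http://schemas.xmlsoap.org/wsdl/}operation"
NS = "/CELONIS/FM_"
# Function modules taken from the list on this page.
REQUIRED = [NS + n for n in (
    "NEW_EXTRACT", "CANCEL_EXTRACT", "CLEANUP_FILES", "GET_JOB_STATUS",
    "CONFIG_TEST", "GET_EXTR_FILE_LIST", "GET_EXTRACT_FILE", "DELETE_JOB_LOG",
    "GET_JOB_LOG", "GET_SYS_INFO", "GET_TABLE_LIST", "GET_CHECKED_TABLES",
    "GET_TABLE_METADATA")]
REALTIME_ONLY = [NS + n for n in (
    "CL_NEW_EXTRACT", "CL_RM_EXTRACT", "CL_GET_TABLE_NAME")]

def exposed_operations(wsdl_texts):
    """Collect operation names from all WSDL documents, undoing the
    assumed '_-' escaping of '/' in the names."""
    names = set()
    for text in wsdl_texts:
        for op in ET.fromstring(text).iter(WSDL_OPERATION):
            names.add(op.get("name", "").replace("_-", "/").upper())
    return names

def coverage(wsdl_texts, realtime=False):
    """Return (missing, unexpected): wanted modules with no operation,
    and operations that match nothing on the page's list."""
    exposed = exposed_operations(wsdl_texts)
    wanted = REQUIRED + (REALTIME_ONLY if realtime else [])
    missing = [fm for fm in wanted if fm not in exposed]
    unexpected = sorted(exposed - set(REQUIRED + REALTIME_ONLY))
    return missing, unexpected

# Constructed sample: two listed modules plus one unrelated operation.
SAMPLE_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/">
  <portType name="CelonisExtraction">
    <operation name="_-CELONIS_-FM_NEW_EXTRACT"/>
    <operation name="_-CELONIS_-FM_CONFIG_TEST"/>
    <operation name="Z_UNRELATED_FUNCTION"/>
  </portType>
  <binding name="CelonisBinding" type="CelonisExtraction">
    <operation name="_-CELONIS_-FM_NEW_EXTRACT"/>
  </binding>
</definitions>"""

if __name__ == "__main__":
    missing, unexpected = coverage([SAMPLE_WSDL])
    print(len(missing), "missing:", *missing)
    print("unexpected:", unexpected)
```

An operation reported as unexpected means the endpoint exposes more than the extractor needs, which is worth reviewing with the SAP administration team before the connection is set up.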

Note

The RFC Module should be set up as usual on the SAP side for the PI/PO connection to work.

The diagrams below describe how the systems communicate with each other.

The generic SOAP PI/PO Extractor lets you connect to SAP ECC through the PI/PO middleware using SOAP Adapters.

In the SAP Connection form, select PI/PO as the middleware and SOAP as the adapter, and fill in the connection details as described here.

Note

You will need to get the WSDL files for the PI/PO SOAP endpoints from your SAP administration team.

The extractor is implemented the same way as the standard SAP on-premise Extractor with the exception that instead of the standard .jar file, the PI/PO extractor .jar file should be used.

  1. To download the on-premise extractor package and the SOAP PI/PO connector, go to the Download portal.

  2. Rename the connector-sap-soap-pipo.jar file to connector-sap.jar.

  3. Replace the .jar file in the extractor package with the renamed PI/PO connector .jar file.

  4. Continue with the standard steps of installing on-prem clients (see Installing on-prem clients).