Connection of SAP BTP with on-premise SAP ERP

Destinations can be used with the Cloud Connector for a secure connection between SAP BTP and an on-premise system.

The SAP Business Technology Platform (BTP) is a cloud that is accessible from the Internet. One of the most important functions of most applications that run on the SAP BTP is the connection to an on-premise SAP system. This is necessary in order to load data or execute functions.

As an application running on the Internet should not establish a direct connection to the SAP system, the SAP Cloud Connector is used for this purpose. More details are described in the article on setting this up.

This article describes how the Cloud Connector and a destination must be configured in order to establish a connection to an internal system. The prerequisite for this is a configured Cloud Connector that has been connected to the subaccount. This is also described in the setup article.

Configuration in the SAP Cloud Connector

If you are connecting an EWM system, we recommend that you make the relevant settings in the EWM system beforehand. From a purely technical point of view, however, this configuration can also be carried out after completing these instructions.

To establish a secure connection from SAP BTP via the Cloud Connector to an SAP ERP or S/4 HANA system, this connection must be added in the Cloud Connector.

Note: The following configuration is an example of how to set up FlexGuide4, a Flexus product.

To do this, open the Cloud Connector and select “ABAP System” as the back-end type for “Cloud to On-Premise“.

The following additional settings must be selected:

• Protocol: HTTPS
• Internal Host: According to the SAP system settings
• Internal Port: According to the SAP system settings
• Virtual host: should differ from the internal host for increased security in order to mask it
• Virtual Port: should also differ from the internal port
• Allow principal propagation: activated
• Principal Type: X.509 Certificate
• Note: This applies to Cloud Connector version 2.15 or higher. For 2.14.2 or lower, “X.509 Certificate (Strict Usage)” must be selected
• System Certificate for Logon: deactivated(as recommended in the documentation)
• Host In Request Header: Use Virtual Host
• System ID: optional
• Description: optional
• Check Internal Host: activated

The “Check Internal Host” option triggers a check as to whether the Cloud Connector can reach the on-premise system via the TLS protocol. This check can also be triggered at any time by clicking on the “Check availability of internal host” action in the corresponding table row:

Once the connection to the SAP system has been successfully configured, resources must then be added. These resources are permitted interfaces that can be called from outside. This increases security, as not all SAP system interfaces can be called from outside.

For FlexGuide4 from Flexus, for example, transport orders and master data are loaded from the SAP system and updates to the transport orders are reported back. For SAP EWM, the data can be retrieved via an Application Programming Interface (API), which is an integral part of the product. To access data from other ERP modules, an adapter specially developed by Flexus for this purpose must be installed as an extension. This sets up an API for the relevant data of the module. Last but not least, it is also possible to load data from the Flexus product TLS Classic.

The following screenshot shows an example of the system for TLS Classic:

Depending on the source of the data, other URL paths must be defined when creating the resources:

• SAP EWM (two resources must be created here):
  /sap/opu/odata4/sap/api_warehouse_order_task_2/srvd_a2x/sap/
  /sap/opu/odata4/sap/api_warehouse_resource_2/srvd_a2x/sap/
• SAP WM: /flexus/flg4_adapter/v1/wm/
• TLS Classic: /flexus/tls4/rest/

It is also important that “Path And All Sub-Paths” is activated.

The Cloud Connector is now configured so that transport orders can be transferred from the SAP system to FlexGuide4 and updates can be written back to it.

However, the SAP Cloud Connector can be used to establish a connection not only to an internal SAP system, but also to non-SAP systems such as fleet managers. In the article on connecting the BTP with fleet managers provides further details.

Configuration in the SAP BTP Cockpit

As soon as the Cloud Connector is configured and can establish a connection to both the SAP BTP and the on-premise SAP system, a destination can be created. This is done in the SAP BTP Cockpit.

Destinations should be created at subaccount level in the SAP BTP Cockpit. To do this, click on it, whereupon the “Destinations” entry under “Connectivity” should be visible in the menu bar. Create a new destination by clicking on the “Create” button:

In the following pop-up, select the option “From Scratch”. The access data for the SAP system can now be stored securely in the destination. You can choose any name you like.

It is recommended to use a standardized naming for all destinations. For example, the name or type of the target system can be included. However, the name of the destination should have the same name across all stages, i.e. from a development sub-account to a quality assurance sub-account to a production sub-account. The reason for this is that in some Fiori apps, the destination is part of the configuration that cannot be changed between the stages. A few examples of sensible naming conventions are listed below:

• EMEA_SAP_ERP
• US_SAP_EWM
• AGV_FLEETMANAGER_HTTP
• AGV_FLEETMANAGER_HTTPS

The following key-value pairs should be specified as “Additional properties” when creating the new destination:

• sap-client: Number of the SAP client
• HTML5.DynamicDestination: true

Our experience with the latter setting has shown that it improves the functionality of the destination.