STEADS EnablementGuide v3

SAP ADS- Guide

Uploaded by

Isaac Rodriguez

INTERNAL

SAP S/4HANA Cloud – STE/EX & PCE


SAP Forms By Adobe Enablement

Table of contents
Technical Details
IP Address Whitelisting
Prerequisites
Create Subaccount for Customer
Enable "SAP Forms by Adobe" service
Configure SAP Forms by Adobe – Roles
Logon to SAP Cloud Connector
Establish connection to subaccount:
Create a destination from Cloud To On-Premise:
Add Resources to this connection:
Create a PSE for storing SCP SSL certificate SAP ABAP Backend System (Client 000)
Sign the certificate
S/4 HANA system must trust in BTP certificate
User ADS_AGENT
Create RFC Destination to SCP
Create PDF Printer (SPAD)
Activate ICF Services
SAP Customer SCP subaccount
Configure SAP Forms by Adobe - Destination
Execute connection test
Update the SSL Certificate for a Subaccount in the Cloud Connector
Final Check
Appendix
Access SCP sub account via CAM
Refresh Subaccount Certificate on Cloud Connector
Configure Network Infrastructure

Technical Details
- Client 000
  - Any ABAP configuration is done in client 000
- SM59 Connection (HTTP)
  - Certificate based SSL communication between S/4HANA ABAP and SCP subaccount
  - ABAP certificate signed by Nexus
- ADS_AGENT user
  - Service user
  - Created via CAM
  - Managed via CAM, e.g. password

IP Address Whitelisting
To enable a connection from the S/4HANA backend system located in the HEC environment to SCP
(Internet), IP whitelisting is required. Each SCP region comes with its own IP address range, which needs
to be whitelisted in the Load Balancer/Squid Proxy as shown below.

Prerequisites
- DELC creates ticket (XX-AMS-S4P-SET-APP) to trigger ADS enablement on SCP
- DELC provides the following information to CAS consultant:
  - S/4 HANA Backend System to be connected to SCP
  - SAP Cloud Connector
  - SID/Hostname
- IP Address whitelisting for SCP
  - Provide name of the SCP data center which has been whitelisted, e.g. Rot, Sydney etc.
    OR
  - Confirm that URL *.hana.ondemand.com is whitelisted
- CAS consultant has access to Global HEC SCP account and is assigned as administrator
- CAS consultant has CAM profile “SAPIT HEC HCP ADS” Account” assigned
- HEC Delivery Team
  - SAP Cloud Connector (DEV/PRD) installed
  - Outbound load balancer installed
  - Squid Proxy installed (not required in HEC1.0)
  - IP Address whitelisting for SCP Region done
  - SSL enablement has been performed on the following software solutions by HEC:
    - S/4 HANA Backend System to be connected to SCP
    - SAP Cloud Connector
- CAS consultant has access to MCD-WTS
- CAS consultant has access to Service Marketplace and BCP

In case of HEC Premium Supplier, please follow the official SAP Guide:
https://help.sap.com/viewer/6d3eac5a9e3144a7b43932a1078c7628/Cloud/en-US/fe4057a6fce742a197c9ace42fb1b60f.html

Create Subaccount for Customer
Access the SAP Cloud Platform link and select Global Accounts SAPECSSCP:
https://hana.ondemand.com/ (this link can be opened from your local computer)

You have to log on with your C-User.

Select the Subaccounts tab and check whether the customer account for which you want to configure ADS
already exists. If it exists, use that account; if it does not, create it by clicking the
New Subaccount button.

- Display Name: S4_<External_ID>_000, e.g. S4_QS4TRD_000
- Description: ADS on SCP
- Environment: Neo
- Provider: SAP
- Region: Location of the sub-account should be based on the region of the customer's
  S/4HANA ABAP system as follows

SCP Region for Sub-Account (table columns): Rot, Frankfurt, Amsterdam, Moscow, Dubai, Riyadh, Ashburn, Chandler, Sterling, Colorado Springs, Toronto, São Paulo, Sydney, Tokyo

| Region | Data Center - S/4HANA Backend System | SCP Region for Sub-Account |
|---|---|---|
| EMEA | Rot | x |
| | Frankfurt | x |
| | Amsterdam | x |
| | Moscow | x |
| MEA | Dubai | x |
| | Riyadh | x |
| NA | Ashburn (East coast) | x |
| | Chandler (West coast) | x |
| | US East (Sterling) | x |
| | US West (Colorado Springs) | x |
| | Canada (Toronto) | x |
| LA | São Paulo | x |
| APJ | Sydney | x |
| | Tokyo | x |

Please save the technical name of the subaccount for later use.
As a result of the previous process, you should see a new SCP subaccount with the customer name in the
SAPECSSCP global account.

Add the users below as members:

- P1940388427 with Administrator & Developer authorization
- P2002227094 with Cloud Connector Admin authorization

Enable "SAP Forms by Adobe" service


Click Services tab->Digital Experience->SAP Forms by Adobe
Click “Enable”

Processing.
Enabled

Configure SAP Forms by Adobe – Roles


Once enabled, go to Roles & Destinations

Assign *.only.sap to both roles (ADSAdmin and ADSCaller)


Logon to SAP Cloud Connector
- Log on to HEC WTS
- Run Cloud Connector Admin UI via https://<Fully qualified HEC host name>:8443
- Enter user “SCCADMIN”
- Enter PWD: Retrieve PWD from CAM as follows

Request Parameter: SAPFormsByAdobe – Enablement


Establish connection to subaccount:
Choose “Add Subaccount”

Enter sub-account details as follows

- Subaccount: Enter technical sub-account name as follows
- Subaccount User: P2002227094 → used to establish the tunnel between SCC and SCP/BTP
- Password: Retrieve password from CAM as follows
  - Go to CAM via https://spc.ondemand.com/sap/bc/webdynpro/a1sspc/cam_wd_central#
  - Choose Manage Passwords (1)
  - Enter user P2002227094 (2)
  - Choose Start (3)
  - Request Password (4)
  Request Parameter: SAPFormsByAdobe – Enablement
- Location ID: <SID of Cloud Connector>. Please specify the SID of the Cloud Connector. It is necessary
  to differentiate between the DEV / PRD environments.

Create a destination from Cloud To On-Premise:
- <SID> = SID of ABAP System. Example: SHDadsonscp

Add Resources to this connection:

Create a PSE for storing SCP SSL certificate
SAP ABAP Backend System (Client 000)

Any configuration activities are performed in client 000.

In your ABAP system, go to transaction STRUST.

More->Environment->SSL Client Identities

Click Edit
New Entries
Add the entry as shown in the image below and click Save.
Enable the Edit mode, then right-click on the SSL client ADS and create.

*.only.sap

Sign the certificate
Generate the CSR and open the URL
Copy the entire certificate request
Open the following link (this link must be opened from Citrix)

https://getcerts.wdf.global.corp.sap/pgwy/request/sapnetca_base64.html

Paste your certificate request, select X.509 and then submit the application.

Go to https://sapcerts.wdf.global.corp.sap and get the SAPNetCAG2.crt and SAP Global Root CA keys
and append them to the generated certificate response.
Import Certificate Response.

Paste the appended certificate response.

Then save changes.


S/4 HANA system must trust in BTP certificate
Go to the DigiCert link

https://www.digicert.com/digicert-root-certificates.htm

Download DigiCert Assured ID Root CA (DER/CRT) and DigiCert Assured ID Root G2 (DER/CRT)

4.1 Import both Certificates


User ADS_AGENT

- Create user ADS_AGENT in client 000 via CAM as follows
  - Run CAM via https://spc.ondemand.com/sap/bc/webdynpro/a1sspc/cam_wd_central#
  - Choose “Create Technical User” (1)
  - Choose access level “ADS_AGENT” (2)
  - Enter request reason (3) “Request Parameter: SAPFormsByAdobe – Enablement”
  - Choose “Generate new Password” (4)
  - Choose “Adjust User” (5)
  - Save PWD returned by CAM for later use

Create RFC Destination to SCP

Technical Settings

- HOST: adsformsprocessing-<technical ID of subaccount>.cert.<Data_center>.hana.ondemand.com
- PORT: 443
- PATH PREFIX: /ads.web/AdobeDocumentServicesSec/Config?style=rpc

You will need to create the “Host” for the RFC using the following formula.

To validate that the extension “hana.ondemand.com” is added in the proxy, see Appendix 1.

adsformsprocessing-<Subaccount Technical name>.cert.<region>.hana.ondemand.com

Example: adsformsprocessing-nemb72c9sm.cert.us4.hana.ondemand.com

How to get the region:

When you are in the subaccount, take the region from the domain in the URL.

Port: 443

Go to Tcode SM59
Create new RFC

Type G

Host: adsformsprocessing-<technical_name>.cert.<Data_center>.hana.ondemand.com

Path Prefix (this will be the same for all cases): /ads.web/AdobeDocumentServicesSec/Config?style=rpc
Port: 443
Technical Settings.
Proxy Host (always the same): proxy
Proxy Service: 3128

For Hyper Scaler Customers, Proxy must be set. For other customers it depends on HEC setup.
Click tab Logon and Security

Logon & Security

- Choose “Do not Use a User”
- Select SSL Certificate

Click tab Special Options

HTTP 1.1
Save

Run the connection test. It should return the value 500.


Create PDF Printer (SPAD)

Activate ICF Services

- Activate service /default_host/sap/bc/fp
- Update Logon Data
  - Choose tab “Logon Data”
  - Enter client “000”
  - Enter user “ADS_AGENT”
  - Enter PWD of ADS AGENT user from CAM as follows
- Activate service /default_host/sap/bc/fpads
- Update Logon Data
  - Choose tab “Logon Data”
  - Enter client “000”
  - Enter user “ADS_AGENT”
  - Enter PWD of ADS AGENT user from CAM

SAP Customer SCP subaccount

Configure SAP Forms by Adobe - Destination

Choose “New Destination”

Enter destination details as follows:

- Name: FP_ICF_DATA_<ABAP SID of backend system>; example: FP_ICF_DATA_SHD
- Location ID: Cloud Connector SID (defined earlier in Cloud Connector); example: CCD
- URL: Connection defined in Cloud Connector; example: https://SHDadsonscp:443
- User: ADS_AGENT
- Password: Retrieve ADS_AGENT user PWD from CAM
  - Run CAM via https://spc.ondemand.com/sap/bc/webdynpro/a1sspc/cam_wd_central#
  - Choose “Manage Passwords” (1)
  - Choose “System ID” e.g. ZC2XS1 (External ID) (2)
  - Enter “User” as ADS_AGENT (3)
  - Choose “Start” (4)
  - Choose “Request Password” (5)

Execute connection test

Update the SSL Certificate for a Subaccount in the Cloud Connector

Certificates used by the Cloud Connector are issued with a limited validity period. To prevent
downtime while refreshing the certificate, you can update it for your subaccount directly from the
administration UI as follows:

- Log on to Cloud Connector via Admin UI
  - User: SCCADMIN
  - Password: Retrieve password from CAM
- Choose relevant sub-account (1)
- Choose sub-account details (2)
- Check subaccount certificate status (3)
- Refresh certificate (4)
- User Name: Enter user P2002227094
- Password: Retrieve PWD from CAM as follows → refer to section “Establish connection to
  subaccount:”

Final Check
In your ABAP system, go to SA38 and run the report FP_TEST_IA_01.
Select “Execute”

Execute

PDF1->Print Preview
The PDF should be shown like this, and your ADS configuration is then complete.

Attach the Hand Over Document to the ticket and send it to the Delivery Coordinator.

Appendix

Access SCP sub account via CAM

CAM provides the ability to create a temporary user in the SCP sub-account created during ADS setup.

- Get technical ID of the sub account you would like to access
  - Go to Global HEC SCP account
  - Go to the relevant sub account
  - Get technical ID
- Create user via CAM
  - Enter technical ID of sub account as client
  - Choose Apply

Refresh Subaccount Certificate on Cloud Connector

Prerequisite:

- CAM
  - CAM profile “ECS Delivery AMS Basis” assigned (Access Level: ADS_AGENT)

Update certificate as follows

- Logon to SAP Cloud Connector Admin UI
- Select sub-account (1)
- Choose sub-account details (2)
- Choose “Refresh subaccount certificate”
- Go to CAM via https://spc.ondemand.com/sap/bc/webdynpro/a1sspc/cam_wd_central#
- Choose “Manage Passwords”
- Enter user P2002227094
- Choose “Start”
- Choose “Request Password”

Configure Network Infrastructure

The activities described below are required to allow outbound communication from the HEC environment to
the Internet, where SAP Cloud Platform (SCP) is located.

The process is owned by the HEC Delivery team; however, the CAS team should have a high-level understanding
of the activities.

For more information refer to HEC Delivery Service Engineering Wiki.

If Network Architecture: HEC 1.0

- Checklist
  1. Install outbound Load Balancer if not available
  2. Whitelist SCP IPs in Load Balancer
     - Provide source IP, e.g. Cloud Connector
     - Provide target IP address, e.g. IP address of the data center where the SCP sub-account
       will be created
       - Check data center of S/4HANA Backend System
       - Based on the location of the S/4HANA Backend System, choose the nearest data center
         from the table below and provide the corresponding IP address

SCP Region for Sub-Account (table columns): Rot, Frankfurt, Amsterdam, Moscow, Dubai, Riyadh, Ashburn, Chandler, Sterling, Colorado Springs, Toronto, São Paulo, Sydney, Tokyo

| Region | Data Center - S/4HANA Backend System | SCP Region for Sub-Account | IP Address for Network Whitelisting |
|---|---|---|---|
| EMEA | Rot | x | 155.56.128.0/17 |
| | Frankfurt | x | 157.133.70.0/24, 157.133.205.0/24 and 157.133.206.0/24 |
| | Amsterdam | x | 157.133.141.0/24 and 157.133.140.0/24 |
| | Moscow | x | 157.133.2.0/24 |
| MEA | Dubai | x | 157.133.85.0/24 |
| | Riyadh | x | 157.133.93.0/24 |
| NA | Ashburn (East coast) | x | 65.221.12.0/24, 206.112.73.0/24 and 157.133.18.0/24 |
| | Chandler (West coast) | x | 64.95.110.0/24, 64.95.111.0/24 and 157.133.25.0/25 |
| | US East (Sterling) | x | 169.145.117.0/24 and 169.145.118.0/24 |
| | US West (Colorado Springs) | x | 169.145.117.0/24 and 169.145.118.0/24 |
| | Canada (Toronto) | x | 157.133.54.0/24 and 157.133.62.0/24 |
| LA | São Paulo | x | 157.133.246.0/24 |
| APJ | Sydney | x | 210.80.140.0/24 and 157.133.96.0/23 |
| | Tokyo | x | 157.133.150.0/24 |

- Process
  - HEC TL to raise SPC ticket to network team for load balancer setup including IP
    whitelisting (component: NW_LB_RP)

If Network Architecture: HEC 2.0

- Checklist
  1. Install outbound Load Balancer for internet proxy (squid proxy) if not available → not
     relevant for hyper scaler
  2. Make sure that CGS (Customer Gateway Server) points to outbound Load Balancer → not
     relevant for hyper scaler
  3. Install CGS internet proxy (squid proxy) if not available → not relevant for hyper scaler
  4. Whitelist URL *.hana.ondemand.com in CGS internet proxy (squid proxy)

- Process
  - TL to raise SPC ticket to network team for load balancer setup (component: NW_LB_RP)
  - TL to raise SPC ticket to server management team for squid proxy setup including IP
    whitelisting (component: NW_HEC_HYP_OUTBOUND-LB_HTTP)
    - Customer should provide on premise IP ranges to TL
    - TL puts on premise IP ranges into ticket to allow server management to
      configure routing for on premise subnets
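
The two egress controls described above (CIDR whitelisting in the load balancer for HEC 1.0, the *.hana.ondemand.com proxy entry for HEC 2.0) can be checked against the SM59 host before the network ticket is raised. The Python code below is an added example, not part of the original guide or of any SAP tooling. The function names are hypothetical, the CIDR ranges are four rows copied from the table above, and matching the wildcard entry on whole trailing labels at any depth is an assumption about how the proxy entry is meant to behave.

```python
import ipaddress
import re

# Ranges copied from four rows of the guide's "IP Address for Network
# Whitelisting" table; the other data centers would be added the same way.
SCP_RANGES = {
    "Rot": ["155.56.128.0/17"],
    "Frankfurt": ["157.133.70.0/24", "157.133.205.0/24", "157.133.206.0/24"],
    "Chandler": ["64.95.110.0/24", "64.95.111.0/24", "157.133.25.0/25"],
    "Sydney": ["210.80.140.0/24", "157.133.96.0/23"],
}
URL_ALLOWLIST = ["*.hana.ondemand.com"]  # HEC 2.0 proxy entry named in the guide

# Characters allowed in one DNS label (inputs are lower-cased first).
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def build_ads_host(technical_name, region):
    """Build the SM59 host from the guide's formula, rejecting malformed parts."""
    parts = [technical_name.strip().lower(), region.strip().lower()]
    for part in parts:
        if not _LABEL.match(part):
            raise ValueError(f"not a valid DNS label: {part!r}")
    return "adsformsprocessing-{}.cert.{}.hana.ondemand.com".format(*parts)


def host_allowlisted(host, patterns=URL_ALLOWLIST):
    """Match whole trailing labels against '*.suffix' entries, at any depth.

    A plain substring test would also accept 'hana.ondemand.com.example.net';
    comparing complete labels from the right does not.
    """
    labels = host.lower().rstrip(".").split(".")
    for pattern in patterns:
        suffix = pattern.lower().lstrip("*.").split(".")
        if len(labels) > len(suffix) and labels[-len(suffix):] == suffix:
            return True
    return False


def ip_allowlisted(ip, data_center):
    """True if ip lies inside one of the ranges listed for data_center."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in SCP_RANGES[data_center])


def uncovered(ips, data_center):
    """Addresses from ips that the whitelist for data_center does not cover."""
    return [ip for ip in ips if not ip_allowlisted(ip, data_center)]


if __name__ == "__main__":
    host = build_ads_host("nemb72c9sm", "us4")  # values from the guide's example
    print(host, host_allowlisted(host))
    # Constructed sample addresses: the Chandler entry 157.133.25.0/25 covers
    # only .0-.127, so the second address falls outside the whitelist.
    print(uncovered(["157.133.25.10", "157.133.25.200", "64.95.111.7"], "Chandler"))
```

The Chandler row is the one to watch when copying ranges into a ticket: its third entry is a /25, not a /24 like its neighbours.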
