Warning! Missing Authorization To establish a connection to SAP the access to general authority objects (RFC) must be available. Make sure to gain access to the general authority objects. For more information, see the knowledge base article on SAP User Rights.
Creating an SAP connection #
In the main window of the Designer, navigate to the menu bar and select Server > Manage Sources. The window “Manage Sources” opens.
- Click [Add]. The window “SAP Source Details” opens.
- Enter a name of your added connection.
The “Change Source” window contains the connection details and is divided into four sections:
Fill out the connection details to establish an SAP connection.
Tip: Values to fill out the fields can be found in the SAP logon pad in the Properties or acquired from SAP Basis team.
There are two possibilities to connect to an SAP source system:
- connect via Single Application Server
- Host: host name or IP address of the application server (Property Host)
- Instance No: a two-digit number between 00 and 99 (Property SystemNumber)
- connect via Load Balancing (message server)
- Message Server: name or IP address of the message server (Property MessageServer)
- Group: property LogonGroup, usually PUBLIC
- SID: three-digit System ID (Property SID e.g., MSS) For more information, see SAP Documentation: Load Balancing.
Access via SAP Router
If you access the SAP source system (Application server or Message server) via an SAP router, set the router string before the host name.
If the application server is “hamlet” and the router string is
/H/lear.theobald-software.com/H/, set the host property to
For more information, see SAP Documentation: SAP-Router.
Client and Language
- Client: a three-digit number of the SAP client between 000 and 999, e.g., 800.
- Language: the logon language for the SAP system, e.g., EN for English or DE for German.
The following authentication methods are supported:
- Plain: SAP username and password (system or dialogue user).
- Secure Network Communication (SNC): username and password, basic authentication, SSO with Kerberos, SSO with digital certificates.
- SAP Log On Ticket: see SAP Log On Ticket.
Plain Authenthication #
Enter your SAP username and password.
Request SAP credentials from caller when running extractions
If this option is active, SAP credentials entered in the User and Password fields are not applied. Instead, SAP credentials need to be provided via basic authentication when executing an extraction. Caching the result of extractions is inactive. In Xtract Universal this option triggers an input prompt for SAP credentials, when running an extraction in the Designer, see Running an Extraction.
Note: The option Request SAP credentials from caller when running extractions requires extractions to be called via HTTPS - unrestricted.
Secure Network Communication (SNC) #
- Check the SAP parameter snc/gssapi_lib to determine, which library is used for encryption in your SAP system. Your SAP Basis has to import and configure the same library on the application server and on the machine that runs Xtract Universal or Board Connector.
- Enter the complete path to the library location in the SNC library field e.g.,
- Enter the SAP Partner Name configured for the SAP application server e.g.,
For more information on SNC, see the knowledge base article Enabling Secure Network Communication (SNC) via X.509 certificate.
Use static SAP credentials / Windows service account
This option activates SNC without SSO. If available, the SAP credentials in the fields User and Password are used for authentication. The Windows Active Directory user used to open the connection is the service account under which the XU windows service runs.
Request SAP credentials from caller
This option activates SNC with user and password. If this option is active, SAP credentials entered in the User and Password fields are not applied. Instead, SAP credentials need to be provided via basic authentication when executing an extraction.
Impersonate caller (Kerberos SSO)
This option activates Kerberos SSO. The Windows Active Directory user is used for authentication. For this scenario “HTTPS - Restricted to AD users with Designer read access” must be selected and configured in the Server Settings. For more information, see the knowledge base article SSO with Kerberos SNC.
Enroll certificate on behalf of caller (Certificate SSO)
This option activates Certificate SSO. The Certificate SSO authentication uses Certificate Enrollment (Enroll-On-Behalf-Of) via Active Directory Certificate Services for the Windows Active Directory user who calls the extraction.
- Enter the name of the certificate template and the thumbprint of the enrollment agent certificate.
- “HTTPS - Restricted to AD users with Designer read access” must be configured in the Server Settings.
- The SAP Secure Login Client must be installed on the machine that runs the XU or BC server.
For more information, see the knowledge base article SSO with Client Certificates.
SAP Logon Ticket #
You can use Single-Sign-On (SSO) with SAP Logon-Tickets for authentication. This connection is not encrypted.
For information on how to use an authentication with SAP Logon Tickets, refer to the knowledge base article SAP Log On Ticket.
Ticket issuer URL
Enter the URL of an Application Server Java (AS Java) that is configured to issue logon tickets. For more information, see SAP Documentation: Configuring the AS Java to Issue Logon Tickets.
Impersonate caller when running extractions
If this option is active, the connection is opened in the Windows Active Directory user context of the caller. Otherwise the connection is opened in the context of the service account under which the Windows service runs. For more information, see SAP Log On Ticket.
Tip: Uncheck the option Impersonate caller when running extractions to test the Kerberos authentication against the AS Java directly. As the final step you can add impersonation.
RFC Options #
Select a library and optionally define a trace directory for debug logging.
The RFC API (Remote Function Call) allows to establish an RFC connection to an SAP system from an external system that communicates as Client or Server with the SAP system.
There are two options for using RFC libraries:
- Use classic RFC library (librfc32.dll)
- Use NetWeaver RFC libraries (sapnwrfc.dll)
Note: When using the NetWeaver RFC library with DeltaQ or OHS extractions, the RFC destination in SM59 must be set to Unicode.
You can log debug information and save it locally. Fill the Trace directory field with a local path to a folder, where you want to save the debug information.
Warning!: Increase of used hard drive memory
A big amount of information is collected when debug logging is activated. This can decrease the capacity of your hard drives dramatically. Activate the debug logging only when necessary e.g., upon request of the support team.
Access Control #
Access control can be performed at the source level. This access control overrides the settings at server level.
For more information, see Access Management.
Test Connection #
Test Designer Connection
Click [Test Designer Connection] to test the connection between the Designer and SAP. A confirmation window opens.
Test Server Connection
Click [Test Server Connection] to test the connection between the Server and SAP. A confirmation window opens.
Editing the SAP Connection #
- In the main window of the Designer, navigate to the menu bar and select Server > Manage Sources.
The window “Manage Sources” opens.
- Check if the created SAP connection is listed.
- Click the [Edit] icon. The window “Change Source” opens.
- Edit the source settings.
Assigning an SAP Source to an Extraction #
An SAP source is assigned when creating an extraction. To change the source of an extraction follow the instructions below:
- Select an extraction from the list of extractions in the main window of the Designer.
- Click [Source]. The window “Change Source” opens.
- Select an SAP source from the dropdown list.
- Confirm your input with [OK].