Warning! Missing Authorization
To establish a connection to SAP, access to the general authority objects (RFC) must be available. Make sure to gain access to the general authority objects. For more information, refer to the knowledge base article SAP User Rights.

Creating an SAP connection #

  1. In the main window of the Designer, navigate to the menu bar and select Server > Manage Sources. The window “Manage Sources” opens.
  2. Click [Add] to add a new SAP connection or click the pen icon to edit an existing connection. The window “Change Source” opens.
  3. Enter a name for the connection.

The “Change Source” window contains the connection details and is divided into four sections:

  • General
  • Authentication
  • RFC Options
  • Access Control

Fill out the connection details to establish an SAP connection.

Tip: The values for these fields can be found in the properties of the SAP Logon pad or requested from the SAP Basis team.

General #

System

There are two possibilities to connect to an SAP source system:

  • connect via Single Application Server
    • Host: host name or IP address of the application server (Property Host)
    • Instance No: a two-digit number between 00 and 99 (Property SystemNumber)
  • connect via Load Balancing (message server)
    • Message Server: name or IP address of the message server (Property MessageServer)
    • Group: property LogonGroup, usually PUBLIC
    • SID: three-character System ID (Property SID, e.g., MSS)

For more information, see SAP Documentation: Load Balancing.

Access via SAP Router

If you access the SAP source system (Application server or Message server) via an SAP router, set the router string before the host name.
Example:
If the application server is “hamlet” and the router string is /H/lear.theobald-software.com/H/, set the host property to /H/lear.theobald-software.com/H/hamlet.

For more information, see SAP Documentation: SAP-Router.

Client and Language

  • Client: a three-digit number of the SAP client between 000 and 999, e.g., 800.
  • Language: the logon language for the SAP system, e.g., EN for English or DE for German.

Authentication #

The following authentication methods are supported:

  • Plain: SAP username and password (system or dialogue user).
  • Secure Network Communication (SNC): username and password, basic authentication, SSO with Kerberos, SSO with digital certificates.
  • SAP Log On Ticket: see SAP Log On Ticket.

Plain Authentication #

Enter your SAP username and password.

Request SAP credentials from caller when running extractions
If this option is active, the SAP credentials entered in the User and Password fields are not applied. Instead, SAP credentials must be provided via basic authentication when running an extraction. Caching of extraction results is inactive. In Xtract Universal, this option triggers an input prompt for SAP credentials when running an extraction in the Designer; see Running an Extraction.

Note: The option Request SAP credentials from caller when running extractions requires extractions to be called via HTTPS - unrestricted.

Secure Network Communication (SNC) #

Secure Network Communication (SNC) enables authentication and transport encryption between SAP systems and between SAP systems and third-party tools like Xtract Universal and Board Connector.

  1. Check the SAP parameter snc/gssapi_lib to determine which library is used for encryption in your SAP system. Your SAP Basis team has to import and configure the same library on the application server and on the machine that runs Xtract Universal or Board Connector.
  2. Enter the complete path to the library location in the SNC library field e.g., C:\Program Files\SAP\FrontEnd\SecureLogin\lib\sapcrypto.dll.
  3. Enter the SAP Partner Name configured for the SAP application server e.g., p:SAPserviceERP/do_not_care@THEOBALD.LOCAL.

For more information on SNC, see the knowledge base article Enabling Secure Network Communication (SNC) via X.509 certificate.

Use static SAP credentials / Windows service account
This option activates SNC without SSO. If available, the SAP credentials in the fields User and Password are used for authentication. The Windows Active Directory user used to open the connection is the service account under which the XU Windows service runs.

Request SAP credentials from caller
This option activates SNC with user and password. If this option is active, SAP credentials entered in the User and Password fields are not applied. Instead, SAP credentials need to be provided via basic authentication when running an extraction.

SSO - Log in as caller via External ID
This option activates SSO with External ID. SSO with External ID uses a Personal Security Environment (PSE) to create a trust relationship between the SAP application server and the service account that runs Board Connector. This allows Board Connector to impersonate any SAP user.
For more information, see the knowledge base article SSO with External ID.

SSO - Impersonate caller via Kerberos
This option activates Kerberos SSO. The Windows Active Directory user is used for authentication. For this scenario “HTTPS - Restricted to AD users with Designer read access” must be selected and configured in the Server Settings.
For more information, see the knowledge base article SSO with Kerberos SNC.

Note: The option “SSO - Impersonate caller via Kerberos” is not available for Board Cloud.

SSO - Enroll certificate on behalf of caller
This option activates Certificate SSO. The Certificate SSO authentication uses Certificate Enrollment (Enroll-On-Behalf-Of) via Active Directory Certificate Services for the Windows Active Directory user who calls the extraction. For this scenario “HTTPS - Restricted to AD users with Designer read access” must be configured in the Server Settings.
For more information, see the knowledge base article SSO with Client Certificates.

SAP Logon Ticket #

You can use Single Sign-On (SSO) with SAP Logon Tickets for authentication. This connection is not encrypted.
For information on how to use authentication with SAP Logon Tickets, refer to the knowledge base article SAP Log On Ticket.

Ticket issuer URL
Enter the URL of an Application Server Java (AS Java) that is configured to issue logon tickets. For more information, see SAP Documentation: Configuring the AS Java to Issue Logon Tickets.

Impersonate caller when running extractions
If this option is active, the connection is opened in the Windows Active Directory user context of the caller. Otherwise the connection is opened in the context of the service account under which the Windows service runs. For more information, see SAP Log On Ticket.

Tip: Uncheck the option Impersonate caller when running extractions to test the Kerberos authentication against the AS Java directly. As the final step you can add impersonation.

RFC Options #

Select a library and optionally define a trace directory for debug logging.

RFC libraries

The RFC (Remote Function Call) API makes it possible to establish an RFC connection to an SAP system from an external system that communicates with the SAP system as client or server.
There are two options for using RFC libraries:

  • Use classic RFC library (librfc32.dll)
  • Use NetWeaver RFC libraries (sapnwrfc.dll)

For more information on SAP libraries, see SAP Documentation: RFC Libraries.
SAP does not support librfc32.dll anymore.

For some older SAP releases, e.g., R/3 4.6C, it is necessary to enter the user name in upper case when using the NetWeaver RFC library.

Note: When using the NetWeaver RFC library with DeltaQ or OHS extractions, the RFC destination in SM59 must be set to Unicode.

Trace Directory

You can log debug information and save it locally. In the Trace directory field, enter the local path of the folder in which you want to save the debug information.

Warning! Increased hard drive usage
A large amount of information is collected when debug logging is activated. This can reduce the free capacity of your hard drives dramatically. Activate debug logging only when necessary, e.g., upon request of the support team.
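
The following pre-flight check covers the settings described in the General, Authentication and RFC Options sections above. It is an added example, not part of Xtract Universal or Board Connector; the dictionary keys and mode names are hypothetical labels for the window's fields, and the sample is constructed from the example values on this page.

```python
import re

# Key names are hypothetical labels for the fields of the "Change Source"
# window; they are not a file format of Xtract Universal or Board Connector.
HTTPS_RESTRICTED = "HTTPS - Restricted to AD users with Designer read access"
HTTPS_UNRESTRICTED = "HTTPS - unrestricted"

def host_with_router(router, host):
    """Put the SAP router string in front of the host name."""
    if not (router.startswith("/H/") and router.endswith("/H/") and len(router) > 6):
        raise ValueError(f"unexpected router string: {router!r}")
    return router + host

def lint_source(cfg):
    """Return the findings for one SAP source (empty list = nothing to fix)."""
    out = []
    if "message_server" in cfg:  # load balancing via message server
        if not re.fullmatch(r"[A-Za-z0-9]{3}", cfg.get("sid", "")):
            out.append("SID must have three characters")
    elif not re.fullmatch(r"\d{2}", cfg.get("instance_no", "")):
        out.append("instance number must be two digits (00-99)")
    if not re.fullmatch(r"\d{3}", cfg.get("client", "")):
        out.append("client must be three digits (000-999)")
    auth, mode, web = cfg.get("auth"), cfg.get("mode"), cfg.get("web_access")
    if auth == "logon_ticket":
        out.append("logon ticket connection is not encrypted")
    elif auth == "snc":
        if not cfg.get("snc_library") or not cfg.get("partner_name", "").startswith("p:"):
            out.append("SNC library path or partner name (p:...) missing")
        if mode in ("kerberos", "certificate") and web != HTTPS_RESTRICTED:
            out.append(f"SSO mode {mode} requires server setting: {HTTPS_RESTRICTED}")
    elif auth == "plain" and mode == "request_credentials" and web != HTTPS_UNRESTRICTED:
        out.append(f"credentials from caller require: {HTTPS_UNRESTRICTED}")
    if cfg.get("rfc_library") == "librfc32.dll":
        out.append("librfc32.dll is no longer supported by SAP")
    if cfg.get("trace_directory"):
        out.append("trace directory set: switch debug logging off when not needed")
    return out

# Constructed sample: Kerberos SSO with a mismatched server setting and RFC library.
SAMPLE = {
    "host": host_with_router("/H/lear.theobald-software.com/H/", "hamlet"),
    "instance_no": "00", "client": "800", "auth": "snc", "mode": "kerberos",
    "snc_library": r"C:\Program Files\SAP\FrontEnd\SecureLogin\lib\sapcrypto.dll",
    "partner_name": "p:SAPserviceERP/do_not_care@THEOBALD.LOCAL",
    "web_access": HTTPS_UNRESTRICTED, "rfc_library": "librfc32.dll",
}
if __name__ == "__main__":
    print("\n".join(lint_source(SAMPLE)))
```

For the sample, the check reports the missing restricted HTTPS server setting for Kerberos SSO and the unsupported classic RFC library.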

Access Control #

Access control can be performed at the source level. This access control overrides the settings at server level.
For more information, see Access Management.

Test Connection #

Test Designer Connection
Click [Test Designer Connection] to test the connection between the Designer and SAP. A confirmation window opens.

Test Server Connection
Click [Test Server Connection] to test the connection between the Server and SAP. A confirmation window opens.

Editing the SAP Connection #

  1. In the main window of the Designer, navigate to the menu bar and select Server > Manage Sources.
    The window “Manage Sources” opens.
  2. Check if the created SAP connection is listed.
  3. Click the [Edit] icon. The window “Change Source” opens.
  4. Edit the source settings.

Assigning an SAP Source to an Extraction #

An SAP source is assigned when creating an extraction. To change the source of an extraction, follow the instructions below:

  1. Select an extraction from the list of extractions in the main window of the Designer.
  2. Click [Source]. The window “Change Source” opens.
  3. Select an SAP source from the dropdown list.
  4. Confirm your input with [OK].