Using Secret Access Key Authentication with SSF Encryption
On-premises SAP systems (or systems running in other clouds) can be authenticated on AWS by using secret access key authentication with AWS Identity and Access Management. SAP's Secure Store and Forward Mechanism
Prerequisites
The following prerequisites must be met before commencing the configuration:
- IAM roles for SAP users must be created by the IAM administrator. The roles must have permissions to call the required AWS services. For more information, see Best practices for IAM Security.
- Create authorization to run the /AWS1/IMG transaction. For more information, see Authorizations for configuration.
Procedure
Follow these instructions to configure SSF-encrypted credential storage:
Steps
Step 1 – Define an SSF application for Credential Storage
- Execute transaction code SE16 to define an SSF application.
- Enter the SSFAPPLIC table name, and select New Entries.
- Enter the following details:
  - APPLIC: ZAWS1 (name for the SSF application).
  - DESCRIPT: SSF Encryption for the AWS SDK for SAP ABAP (description).
  - Choose the Selected (X) option for the remaining fields.
- Select Save.
Step 2 – Set the encryption parameters for the SSF application
- Execute the transaction code /n/AWS1/IMG to launch the Implementation Guide (IMG) for AWS SDK for SAP ABAP.
- Expand the IMG node AWS SDK for SAP ABAP Settings > Technical Prerequisites > Additional Settings for On-Premises systems.
- Execute the Set SSF Parameters IMG activity.
- Select New Entries, and choose the SSF application created in the previous step. Select Save.
- Modify the hash algorithm to SHA256 (or higher), and the encryption algorithm to AES256-CBC. Retain the other settings as default, and select Save.
These encryption settings will be used to securely encrypt AWS credentials.
Step 3 – Create PSE for SSF Application
- Execute the /n/AWS1/IMG transaction, and select AWS SDK for SAP ABAP Settings > Technical Prerequisites > Additional Settings for On-Premises systems.
- Execute the IMG activity Create PSE for SSF Application, which will direct you to the STRUST transaction. Select Edit.
- Right-select the SSF application created in Step 1 – Define an SSF application by using SAP's Secure Store and Forward (SSF), and choose Create. Retain all other default settings, and select Continue. Ensure you choose RSA and not DSA as the algorithm.
Step 4 – Assign an SSF application to the AWS SDK for SAP ABAP
- Execute the /n/AWS1/IMG transaction, and select AWS SDK for SAP ABAP Settings > Technical Prerequisites > Additional Settings for On-Premises systems.
- Execute the IMG activity Assign an SSF application to the AWS SDK for SAP ABAP.
- Select New Entries and enter the SSF application created in Step 1 – Define an SSF application for Credential Storage. Select Save.
Step 5 – Configure SDK profile to use SSF-encrypted credentials
- Execute the /n/AWS1/IMG transaction, and select AWS SDK for SAP ABAP Settings > Application Configurations.
- Execute the IMG activity SDK Profile.
- Select New Entries. Enter a profile name and description. Select Save.
- Highlight the entry that you created and click on the Authentication And Settings tree branch.
- Select New Entries and enter the following details:
  - SID: The system ID of the SAP system.
  - Client: The client of the SAP system.
  - Scenario ID: Select the DEFAULT scenario created by your Basis administrator.
  - AWS Region: The AWS Region that you want to make calls to.
  - Authentication Method: Select Credentials from SSF Storage from the dropdown and select Save. Select Set Credentials and enter the Access Key ID and Secret Access Key of the IAM user.
  - Disable IAM roles: Keep this as default, i.e. unchecked.
  - Select Save.
- Click on the IAM Role Mapping tree branch. Select New Entries. Enter a sequence number, a name for the logical IAM role, and the IAM Role ARN provided by the AWS IAM Administrator. Select Save.
For more information, see Application configuration.
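
To confirm that the SSF-encrypted credentials from Step 5 decrypt and that the mapped IAM role is the one actually in effect, a short report can open a session with the profile and ask AWS STS which identity the call runs as. This is an added example, not code from the AWS documentation. It assumes a hypothetical profile ID ZDEMO_SSF, that the STS module of the SDK is installed, and that the executing SAP user is authorized for the profile and the logical IAM role.

```abap
REPORT zaws_ssf_profile_check.

" Hypothetical profile ID: replace with the SDK profile created in Step 5.
CONSTANTS gc_profile TYPE /aws1/rt_profile_id VALUE 'ZDEMO_SSF'.

START-OF-SELECTION.
  TRY.
      " Creating the session resolves the profile for this SID and client,
      " including the credentials held in SSF storage.
      DATA(lo_session) = /aws1/cl_rt_session_aws=>create( gc_profile ).

      " GetCallerIdentity needs no IAM permissions, so a failure here
      " points at the credentials or the role mapping, not at a policy.
      DATA(lo_sts)      = /aws1/cl_sts_factory=>create( lo_session ).
      DATA(lo_identity) = lo_sts->getcalleridentity( ).

      " Only the account and ARN are printed; the access key and the
      " secret access key are never read or displayed by this report.
      DATA(lv_account) = lo_identity->get_account( ).
      DATA(lv_arn)     = lo_identity->get_arn( ).
      WRITE: / 'Account:', lv_account.
      WRITE: / 'ARN    :', lv_arn.

    CATCH /aws1/cx_rt_generic INTO DATA(lo_sdk_error).
      " SDK-level failures: profile not found, SSF decryption problems,
      " rejected credentials, or a role that cannot be assumed.
      WRITE: / 'SDK error:', lo_sdk_error->get_text( ).

    CATCH cx_root INTO DATA(lo_error).
      " Anything else, for example a missing authorization for the profile.
      WRITE: / 'Check failed:', lo_error->get_text( ).
  ENDTRY.
```

With Disable IAM roles left unchecked, the ARN printed should be an assumed-role ARN for the role entered under IAM Role Mapping. An ARN of the IAM user itself means the calls are running directly on the long-lived access key.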