Using certificates with IAM Roles Anywhere - AWS SDK for SAP ABAP

Using certificates with IAM Roles Anywhere

An SAP system can authenticate to AWS with certificate-based authentication through AWS Identity and Access Management Roles Anywhere: the system presents an X.509 certificate issued by your CA and receives temporary AWS credentials in return. You must set up the certificate in STRUST, and configure the SDK profile in /AWS1/IMG.

Prerequisites

The following prerequisites must be met before you set up certificate-based authentication.

  • The X.509 certificate issued by your certificate authority (CA) must meet the following requirements.

    • The signing certificate must be an X.509 v3 certificate.

    • The certificate chain must not exceed 5 certificates.

    • The certificate key must be RSA or ECDSA.

  • Register your CA with IAM Roles Anywhere as a trust anchor, and create a Roles Anywhere profile that lists the IAM roles a certificate holder may assume and, optionally, a session policy. For more information, see Creating a trust anchor and profile in AWS Identity and Access Management Roles Anywhere.

  • IAM roles for SAP users must be created by the IAM administrator. The roles must have permissions to call the required AWS services, and each role's trust policy must allow the rolesanywhere.amazonaws.com service principal to call sts:AssumeRole, sts:TagSession, and sts:SetSourceIdentity; restricting that statement with an aws:SourceArn condition on your trust anchor ARN prevents the role from being assumed through any other trust anchor. For more information, see Best practices for IAM Security.

  • Grant the authorization needed to run the /AWS1/IMG transaction. For more information, see Authorizations for configuration.

Procedure

Follow these instructions to set up certificate-based authentication.

Step 1 – Define an SSF application by using SAP's Secure Store and Forward (SSF)

  1. Run transaction code SE16 to define an SSF application.

  2. Enter the table name SSFAPPLIC, and select New Entries.

  3. Enter a name for the SSF application in the APPLIC field and a description in the DESCRIPT field, and set the remaining fields to Selected (X).

Step 2 – Set SSF parameters

  1. Run transaction /n/AWS1/IMG to launch the AWS SDK for SAP ABAP Implementation Guide (IMG).

  2. Select AWS SDK for SAP ABAP Settings > Technical Prerequisites > Additional Settings for On-Premises Systems.

  3. Run the Set SSF Parameters IMG activity.

  4. Select New Entries, and choose the SSF application created in the previous step. Select Save.

  5. Set the hash algorithm to SHA256 and the encryption algorithm to AES256-CBC (IAM Roles Anywhere request signatures use SHA-256). Retain the other settings as default, and select Save.

Step 3 – Create the PSE and certificate request

  1. Run the /n/AWS1/IMG transaction, and select AWS SDK for SAP ABAP Settings > Technical Prerequisites > Additional Settings for On-Premises systems.

  2. Run the Create PSE for SSF Application IMG activity.

  3. Select Edit for the STRUST transaction.

  4. Right-click the SSF application created in Step 1 – Define an SSF application by using SAP's Secure Store and Forward (SSF), and choose Create. Retain all other default settings, and select Continue.

  5. Select Create Certificate Request. See the following image. Retain the default options, and select Continue. Copy or export the generated certificate request, and provide it to your CA. Your CA verifies the request and responds with a signed public-key certificate. The issuing CA must be the CA registered as the trust anchor (or chain to it); a certificate from any other CA imports into STRUST without complaint but is rejected by IAM Roles Anywhere.

    The icon for Create Certificate Request for the SSF AWS IAM Roles Anywhere Signing Certificate.

    The signing process varies based on your CA, and the technology used by them. See Issuing private end-entity certificates with AWS Private Certificate Authority for an example.

Step 4 – Import certificate response into the relevant PSE

  1. Run the /n/AWS1/IMG transaction, and select AWS SDK for SAP ABAP Settings > Technical Prerequisites > Additional Settings for On-Premises systems.

  2. Run the Create PSE for SSF Application IMG activity.

  3. Select Edit for the STRUST transaction.

  4. Choose the SSF application, and then select Import Certificate Response, located in the PSE section below the subject. Either copy and paste the certificate response into the text box or import the file from the file system. Select Continue > Save.

  5. The certificate details can be viewed by double-clicking the subject. The information is displayed in the certificate section. Confirm that the issuer shown is the CA registered as the trust anchor and that the certificate is X.509 v3 with an RSA or ECDSA key, as required in Prerequisites.
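The following script is an added example, not part of the AWS SDK for SAP ABAP or of this procedure: a pre-flight check of the certificate response against the requirements listed in Prerequisites, run before it is imported into the PSE in Step 4. It needs only the openssl CLI. It goes slightly beyond the three listed requirements by also verifying that the certificate actually chains to the trust anchor CA and that a Key Usage extension, if present, allows digital signatures (the PSE key signs the Roles Anywhere session request). The file names, subject names and the throwaway demo PKI are constructed for the example.

```shell
#!/bin/sh
# Added example (not SDK code): check a CA-issued certificate against the
# IAM Roles Anywhere requirements before importing it into the SSF PSE.
# Requires the openssl CLI. File names and subjects below are constructed.

# check_roles_anywhere_cert LEAF.pem TRUST_ANCHOR_CA.pem [INTERMEDIATES.pem]
# Exit status 0 when LEAF meets the requirements and chains to the CA that is
# registered as the trust anchor; 1 with a reason on stdout otherwise.
check_roles_anywhere_cert() {
  leaf=$1; anchor=$2; inter=${3:-}
  text=$(openssl x509 -in "$leaf" -noout -text) || return 1

  # Requirement: X.509 v3 (openssl prints "Version: 3 (0x2)").
  ver=$(printf '%s\n' "$text" | awk '/^ *Version:/ {print $2; exit}')
  [ "$ver" = "3" ] || { echo "FAIL: certificate is X.509 v$ver, v3 is required"; return 1; }

  # Requirement: RSA or ECDSA key.
  alg=$(printf '%s\n' "$text" | awk '/Public Key Algorithm:/ {print $4; exit}')
  case "$alg" in
    rsaEncryption|id-ecPublicKey) ;;
    *) echo "FAIL: key algorithm '$alg', RSA or ECDSA is required"; return 1 ;;
  esac

  # If a Key Usage extension is present it must allow Digital Signature,
  # because the PSE key signs the Roles Anywhere CreateSession request.
  ku=$(printf '%s\n' "$text" | awk '/X509v3 Key Usage/ {getline; print; exit}')
  if [ -n "$ku" ]; then
    case "$ku" in
      *"Digital Signature"*) ;;
      *) echo "FAIL: Key Usage does not include Digital Signature"; return 1 ;;
    esac
  fi

  # Requirement: leaf plus intermediates must not exceed 5 certificates.
  n=$(cat "$leaf" ${inter:+"$inter"} | grep -c 'BEGIN CERTIFICATE')
  [ "$n" -le 5 ] || { echo "FAIL: chain has $n certificates, maximum is 5"; return 1; }

  # The leaf must chain to the CA registered as the trust anchor; STRUST
  # accepts any well-formed response, Roles Anywhere does not.
  if ! openssl verify -CAfile "$anchor" ${inter:+-untrusted "$inter"} "$leaf" >/dev/null; then
    echo "FAIL: certificate does not chain to the trust anchor CA"; return 1
  fi
  echo "OK: $leaf meets the IAM Roles Anywhere certificate requirements"
}

# Constructed demo PKI: a private CA standing in for the trust anchor, and a
# leaf certificate it issues for the SAP system's CSR (the STRUST request).
make_demo_pki() {
  dir=$1
  cat > "$dir/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
EOF
  openssl req -x509 -config "$dir/openssl.cnf" -extensions ca_ext -nodes \
    -newkey rsa:2048 -sha256 -days 30 -subj "/CN=Example Trust Anchor CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  openssl req -new -config "$dir/openssl.cnf" -nodes \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -subj "/CN=sap-prd" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$dir/openssl.cnf" \
    -extensions leaf_ext -out "$dir/leaf.pem" 2>/dev/null
}

# Demo run on the constructed PKI in a temporary directory.
demo=$(mktemp -d)
make_demo_pki "$demo"
check_roles_anywhere_cert "$demo/leaf.pem" "$demo/ca.pem"
rm -rf "$demo"
```

In real use, call check_roles_anywhere_cert with the file your CA returned, the certificate of the CA registered as the trust anchor, and any intermediate certificates; a non-zero exit means the response should not be imported. The demo issues an ECDSA leaf from an RSA CA, since either key type is accepted.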

Step 5 – Configure the SDK profile to use IAM Roles Anywhere

  1. Run the /n/AWS1/IMG transaction, and select AWS SDK for SAP ABAP Settings > Application Configurations.

  2. Create a new SDK profile, and name it.

  3. Choose IAM Roles Anywhere as the authentication method.

    • In the left pane, select Authentication and Settings.

    • Create a new entry, and enter the information for your SAP system and the AWS Region.

    • Select IAM Roles Anywhere for the authentication method, and select Save.

    • Select Enter Details, and in the pop-up window, choose the SSF application created in Step 1 – Define an SSF application by using SAP's Secure Store and Forward (SSF). Enter the trust anchor ARN and profile ARN created in Prerequisites. See the following image. Select Continue.

      An example of the Amazon Resource Names (ARN) for the trust anchor and profile.

  4. In the left pane, select IAM Role Mapping. Enter a name, and provide the ARN of the IAM role provided by your IAM administrator. The role must be one of the roles listed in the Roles Anywhere profile entered in the previous step.

For more information, see Application configuration.