
Workshop eDocument Compliance


WDEDOC - SAP Document Compliance

Development Framework – V2021-07


Daniel Bianchin, SAP
July, 2021

PUBLIC
• Introduction and Baseline
• Architectural Components
• Framework
  • Process Manager
  • Application Interface Framework
  • Web Services Runtime
• SAP BTP Integration
• SAP BTP Custom Domain
• Peppol
  • Introduction
  • Programming Model
  • Automation and Integration
  • Runtime
  • Security
• Q&A

© 2021 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 2


Introduction and Baseline
CUSTOMS POLICE + AGENCIES GOVERNMENT BANKS + TAX OFFICES

Logistics Execution
• Deliveries / Shipments
• Exports
• Customs

Business Operations
• Dangerous Goods
• Regulated Businesses
• Approvals

Tax Payments
• Transaction Control
• Registrations
• Calculations
• Justifications

Financial Transactions
• Debt Control
• Transactions authorizations


“Compliance” is everywhere…

Accompanying the evolution of compliance requirements

2005
• Electronic invoice registration
• Mainly L2 for B2B
• Ex post facto reporting

Today
• All steps subject to validations
• L3
• B2-G, R, B and C
• Semantic control
• Reduction of ex post facto

Trends
• Transactional registration replacing ex post facto reporting
• Strong controls driven by semantic analysis
• Tax Office calculates taxes payments
• Reporting limited to special use cases
• Emerging concerns of data sovereignty


SAP Document Compliance: Open Framework + Library of predefined processes

A combination of an Open Compliance Framework + Library of predefined country-specific processes.


Where we are today

2100+ Customers
• Processing millions of transactions globally
• Adopted by all industries

Global Broad Coverage
− Peppol
− Latam
− Europe
− APJ

“Governance”:
• 100% handled by the customer
• Self-service for digital signatures

SAP Team:
• Local and Global PMs
• SAP Product Support (no extra-cost)
− SAP Professional Services
− Partners Ecosystem
− Trainings Available

Local Solutions

• Australia • Germany • Netherlands • South Korea


• Austria • Greece • New Zealand • Spain
• Belgium • Hungary • Norway • Sweden
• Brazil • India • Peru • Taiwan (China)
• Chile • Italy • Poland • Thailand
• Colombia • Ireland • Portugal • Turkey
• Denmark • Mexico • Singapore

SAP Approach

Far more than invoicing…
• Comprehensive, dynamic, ever-changing
• For any compliance process
• Extensible and configurable

No Interfaces
• Integral part, automatic and silent component of SAP S/4 HANA, SAP ERP and industry solution.
• Maintained and supported by SAP
• Semantic consistency among SAP DC, LO, SD, FI and legal report representations.

Direct link to Tax Office, Customs, etc…
• No 3rd party required
• End-to-end security


Challenge - Multiple representation of the same document

Sales Document Accounting Document XML Human Readable Form


(e.g. VF03) (+ Legal Reporting) • “Single source of Truth” • Must be created from
• Most Information stored • Transferred from Sales • Easily processed as XML
in the source module • Simplified tax data model vendors • Replaceable by
• detailed pricing • Support for BOMs, stylesheets.
• Insufficient for some
implemented using regulations Variants Configurations, • Likely to be retired
conditions techniques. etc… not well supported soon…
from standards side.



Rationale behind SAP Document Compliance Architecture

Standardization
• Strong framework with reusable components
• Multiple solutions can be implemented in parallel.
• No disruption among solutions

Business Process Integration
• “Source Document” Concept
• Seamless integration end-to-end.

Governance per-se
• Openness
• Direct Integration with ecosystem
• End-to-end Monitoring
• High level of security granularity

Security from Design
• SAP BTP Integration developed to comply with highest security requirements for
  - Governments
  - Financial Service Providers
  - Customers


Catalog of Functionalities in Scope

Source Data Determination
• Dynamic information to generate the compliance process

Electronic Storage
• Signatures
• Receipts
• Data Enrichments
• Archiving

Triggering
• Activation Logic to trigger compliance process
• Business Process Integration

Process Management
• Status Management
• History
• Audit
• Actions

Conversions
• Semantics
• Syntax
• Compressions
• Encodings

Technical Integration
• PKI Infrastructure
• End-to-end Integrity
• Technical Interoperability

Automation
• Submission + Resubmission
• Error Handling
• High Performance

Reconciliation
• Technical
• Fiscal Calculations

[Diagram labels: Source Data; Storage; Triggering; Process Management; Technical Integration; Automation; Reconciliation; Rendering]

Source Document Concept

[Diagram labels: Contract Accounting periodic processing; Rebate Agreements; Sales Order / Delivery; Industry specific billing (e.g. IS-U); PO Self Invoicing; Agency (Broker) Operations; External Sources; Retail Operations; Financial Subledgers; Real Estate; Billing; Financial Invoices; Process; Document Compliance Processing; Proceed with logistics…]


Framework Features Overview at a Glance – 1 / 2

Comprehensive Operations and Monitoring
• Central “Cockpit”
• Single Access point
• UI-Navigation to Business process

Full Process Automation
• Communications
• Error handling
• Signatures
• Archiving

Documentation Storage and Archiving
• Save all sent and received documents

Process Auditing
• Users, date, time, details, content if available, approvals and rejections.


Framework Features Overview at a Glance – 2 / 2

Multi-Compliance
• Run multiple Compliance processes for the same transaction
• Generate different documents for one transaction.

SAP Business Process Integrations
• Compliance processes run silently among SAP S/4HANA transactions

Metadata Driven Process configuration
• Process flow managed by configuration tables

Multi-Level Grouping
• Allows transactional integration as well as packed-based integration
• Navigation among several levels.
• Nesting of processes

Strong focus on Standardization

Processes
• Process-Manager module takes care of process configuration

Format
• Most regulations exploit benefits of XML
• Other formats also natively supported

Security
• “Secure development environment approach”
• Comprehensive and “Globally” proven Signing tools.

Communication
• All protocols welcome
• Business Monitoring not affected by technical details.


Standards: Processes, Formats and Content

[Diagram: standards landscape]

Standards shown: OASIS UBL 2.1 (ISO 19845 2015); ISO 20022 2013; UN / CEFACT CII and more…; UN EDIFACT; ebXML; SAP xCBL 3.0; Industry Specific, e.g.: STAR, CID-X, PID-X, etc.

Areas: Sales / Logistics; Financial Standards; B2B Procurement and Logistics

Content standards (UNECE, ISO, GS1) cover: Materials; Units; Currencies; Countries; Tax Affectation


Sample Process Flow – Invoicing In Chile

[Diagram: invoicing process flow between Vendor, Tax Office and Customer. Labels: Outgoing Invoice; Invoices; Outgoing DTE; Outgoing envelope (“Summary”); Validation; Incoming envelope; Incoming Invoice; Acceptance & Rejection; Database; email; Invoice acceptance Information; Vendor Invoice Management*; Sales Records; Reconciliation]

*automation for Chile is not configured out-of-the-box

Architectural Components
Architectural Component Overview

[Diagram labels: SAP Business Technology Platform; Cloud Integration; SAP Document Compliance Content; Nodes; Data Store; Secure Store; Anonymous; Standard; System.jks; SAP Cloud Platform Custom Domain; SAP Cloud Connector; Business Process (Sales & Distribution | Materials Management | Finance); Framework; Application Interface Framework; Web Services Runtime]


What is an “eDocument” in SAP Document Compliance?

Governments define regulation requiring companies to run specific processes.

eDocument is the name assigned to an instance of an electronic compliance process, e.g.:
• Register Invoice
• Register Transport
• Register Sales Order

The compliance process in general blocks the business process and requires audit information to be saved.

Since electronic compliance processes typically contain one main electronic document, both the electronic compliance process and the main document are referred to as “eDocument”:

electronic Document ≈ Compliance Process

The eDocument contains not just all the business documents but also responses, audit data and all related electronic digital signatures to support internal or external audit processes:
• Repudiation
• Integrity

Architectural components: flexibility + reusability

Processes (e.g. “Spain Bundle Processing”)
• How the execution will happen, including actions, eventual errors and “variations” during the execution.
• Processes could be registrations, approval, updates, etc.

Document (e.g. “Peru Credit Note”)
• Mostly XML files exchanged in the context of a process.
• Are generated from a “Source Document” concept, provided from framework level, e.g.: SD/FI Document, FI Document, Shipment, Goods Issue, SII Document, etc…


Actions dynamically determined for the Compliance process

[Screenshot labels: A Sample Compliance Process; Compliance Processes for a Country]

• SAP Document Compliance works in a fully automated way without human interaction (including retries and notifications).
• The Cockpit is a tool that allows process analysis, audit, navigation to Business doc, visualize the technical representation, etc...


General Installation Instructions

1- Search for Overview or Master note for solution in SAP Community Page

2- Install SAP ERP - Document Compliance
• License
• Upgrade to Latest eDocument Framework
• Customize Business Add-In
• Configure eDoc for SAP ERP

3- Install specific solution
• Install Solution relevant notes
• Import BC sets
• Perform manual configurations
• Configure customer specifics

4- SAP BTP Integration
• Subscribe
• Follow Implement configuration Guide for configuration

Implementation Support

SAP Customizing Implementation Guide
→ General Application Functions
→ eDocument

• General Settings: Framework and Generic Configurations (including solution)
• Country/Region: eDocument Process Specific Settings


Integration Content

api.sap.com

Integration content and documentation



Menu



eDocument Framework
Why a Framework?

High level of overlapping requirements among countries:
• All common functionalities are moved from country-specific into framework level

Simplifies implementation of new eDocument Processes (regulations)
• Mapping
• Process Configuration
• Signatures

..and that’s pretty much it!

High degree:
• Consistency
• Usability
• Security


Components at high level

[Diagram labels: Web Services Runtime; SAP BTP Integration; Application Interface Framework; SAP Document Compliance]

eDocument Framework
• Source Document
• Process Manager
• eDocument Interface
• Cockpit


Deep dive into Architecture
Application Interface Framework:
• Transformation
• WS-Runtime Integration
• Application log Integration

SAP eDocument Framework:
• Cockpit
• Process Manager
• Interface Adaptor (AIF/DC)

WS-Runtime
Application Interface Framework • SAP S/4 or ERP Communication to
SAP CPI
eDocument Framework
SAP BTP Integration
• Security Mediation
Web Services Runtime / ICM (ICF)
• Internet Com. management
SAP Business Technology Platform Integration
eDocument Framework Components

Trigger & Source Process Manager Interface Adaptor Cockpit Configuration


Document
• Process Execution • Integrates other • Process specific
▪ Activates Compliance components status configuration
Process • Normalized steps
and behaviors • Transformations • Define generic
▪ Feeds process with data
from source application • Interfaces actions
determination
• Versioning



[Diagram: configuration overview across components, configuration views and transactions]

Layers shown: S/4 HANA + SAP ERP + Industry Solution; TPS31 – BTE functions; SAP eDocument Framework; SAP eDocument Interface; Web Services Runtime; SAP Application Interface Framework; SAP BTP – Integration Suite iFlow; Recipients (tax offices or 3rd parties for validation, signing, etc…)

Source Types: SAP Document Compliance List - SAP Document Compliance - Accounting Document - FI-CA Document - Goods Issue Posting - Goods Receipt Posting - Inbound Delivery - Invoice Verification - IS-U Print Document - Shipment - Sales/Purchase/Daily Ledger - Outbound Delivery - Real estate document - Billing Document without Accounting Data - Billing Document - Billing Document (accounting data in FICA) - Incoming Source File - Convergent Invoicing Document

Configuration views shown:
• EDOTYPEV – eDoc Types
• EDOCOUNTRYCH
• T003EDOCV – eDoc type for FI doc type
• EDOINTTYPEV
• EDOCOMPANYACTIV
• EDOSRCTYPEV
• EDOC_PROCMGR - Process Manager (STATUS, STEP, PROCESS, FLAG, ACTION, STATUS FOR TYPES, STEP VERSION, FLAG POSITION, STEPS FOR ACTION, STEP VERSION RESULT, STEP VERSION VARIANT, STEP VARIANT FLAG CHECK, STEP VARIANT FLAG CHANGE, STATUS DETERMINATION)
• EDOPROCFUNCASGV
• EDOMETASTATUSV
• EDOMETASTATDETV
• EDOINTERFACEV
• EDOPROCSTEPDETV – eDoc Int steps
• EDOMAPCLASSDETV – Mapping Class
• EDOINTVERSIONV – eDoc Int V.
• EDOPROCSPINTDETV – SAP Document Compliance Interface
• EDOINTAIFV
• EDOINTV – WS-R Link
• EDOSOASERV – WS-R Log Port

Transactions shown:
• Trx SOAMANAGER – connection configuration (WS Proxy, Logical Port, Authentication)
• Trx /AIF/CUST – AIF Customization (NAMESPACE, AIF INTERFACE, AIF NAMESPACE ERROR HANDLING, AIF INTERFACE ENGINE, AIF INTERFACE ERROR HANDLING, AIF INTERFACE ACTIONS)

eDocument Process Manager
What is the “Process Manager”

Specialized “Finite State Machine”

• Input triggers process status change

Regulations define interactions leading to predefined results.

Supports the generic definition of compliance processes and is regulation and technology agnostic.

No ABAP coding involved in the definition

All common activities supported at framework level.


Process Manager - Main Components at a Glance

Processes + Version
• Define the process flow as described in a particular regulation.
• BPM using “Finite State Machine”
• May support variations for the same regulation
• Appear as a leaf node in the cockpit.

Actions
• “Submit”, “Display”, “Send to Customer”
• Controlled by status management
• Can be automated or triggered manually in the cockpit

Status
• Exists for processes and documents
• Analyzed after each action based on document history.
• Determines the next steps in the process

Purpose of the Process Manager

Streamline execution of a process step:
▫ Execute the process step only after the check, if the step is allowed
▫ Allow status changes only as a result of a process step
▪ Leave existing functionality intact

Offer commonly used coding in the framework; avoid numerous copies of (almost) the same coding

Replace Coding by Configuration
– Changes in status handling can be done without coding (also a plus for customers)
– Better overview of the status checks and status changes


Process Manager - New Process Definition

SUNAT_RESP



Streamlined Process Steps Processing

Process End
• Action Step Variant • Process Processing
Triggering • Check The Step • Set Status
Process • Save to
Status Database
Process
Result
Step Variant



Turn On the Process Manager for a Country

DB Table EDOCOUNTRYTCH



Configuration: Define the Variants of a Process Step

Process Steps can have variants (stored in an input parameter to a process step) – as before.

New: Values for variants are well-defined.

Enter allowed values - also <empty> if valid value.


Configuration for Using the Process Manager

Configuration is accessible via view cluster EDOC_PROCMGR.


eDocument Framework – Process Manager Configuration Steps
Configuration steps in view cluster order (step number, view, key fields):

1   PROCESS: Process
2   STEP: Process, step, ABAP class, ABAP Method
3   STEP VERSION: Process, step, Version
4   STEP VERSION VARIANT: Process, step, Version, variant
5   STEP VERSION RESULT: Process, step, Version, result
6   FLAG: Process, flag
7   FLAG POSITION: Process, version, flag, Position
8   STEP VARIANT FLAG CHECK: Process, step, Version, variant
9   STEP VARIANT FLAG CHANGE: Process, step, Version, result
10  ACTION: Process, action, action variant
11  STEPS FOR ACTION: Process, Action, Action variant, version, Seq, step
12  STATUS: Process, status
13  STATUS DETERMINATION: Process, version, eDoc Type, Flags
14  STATUS FOR TYPES: Process, eDoc Type, status


Configuration: Entry Criteria for Executing a Process Step & Determination
of Variant for Process Step (1)

Depending on the process status (i.e. value of status flags), the process step in the given variant is allowed to be executed.

Detail


Configuration: Entry Criteria for Executing a Process Step & Determination
of Variant for Process Step (2)



Configuration: Entry Criteria for Executing a Process Step & Determination
of Variant for Process Step (3)

Avoid asking the step status within the process method, but handle different processing with variants!

Refinement of a variant is possible depending on step status.


Sequence Number

E.g., in the “Status Flag View”

If several entries match, the entry with the lowest sequence number is applied.

Recommended: Sequence numbers 10, 20, 30, etc. (for the same key) to leave space for upcoming changes in-between

• Recommended: Make entries exclusive (several entries cannot match)

• (technically: sequence number is needed to make a unique key)


Configuration: Process Method

Assign the so-called process method (i.e.: the method of the country class that should be executed during the process step) to the process step:

Naming Convention: process_<step>


Configuration: Define Result of a Process Step

Process Steps can have a result (export parameter) – as before.

New: values for result are well-defined.

Enter allowed values - e.g., <empty> if valid value.


Configuration: Change of step Status
at the End of a Process Step (1)

Define how the step status changes depending on the result (parameter):

Detail


Configuration: Change of step Status
at the End of a Process Step (2)



Definition of an Action

Note: Actions are global (belong to the SAP Document Compliance Framework)


SAP Document Compliance Action Variants

An SAP Document Compliance Action can also have variants.

E.g., the kind of notification received from the authority:

Action – UPDATESTATUS
Variant – AT (Impossible to Deliver Notice)

Note: Action variants are country-specific


Define which Process Steps are triggered by an Action

Included Process Step: the process step is included in (called from) another process step.
This is done via communicate_process_step() – as before.


Process Status of an SAP Document Compliance (1)

Independent from the Process Manager (turned ON or OFF)

With “SAP Document Compliance Framework 8” the value table for the Process Status (DB field SAP Document Compliance-PROC_STATUS, DTE EDOC_STATUS) changed and is now client-independent:

DB table EDOSTATUS is replaced by EDOPROCSTATUS


Process Status of an SAP Document Compliance (3)

With Process Manager (“ON”): Derive Process Status from step Status (Flags)

Detail
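
The table-driven behaviour described on the Process Manager configuration slides (entry check on status flags, lowest sequence number wins, well-defined results, process status derived from flags) can be modelled as follows. This Python model is an added illustration, not SAP's ABAP implementation or delivered configuration; the step, variant, flag and status values, the `DemoCountry` class and all table rows are assumptions constructed for the example.

```python
from typing import NamedTuple

# Simplified model of a table-driven Process Manager. All rows, step names,
# flags and status values are constructed for illustration; they are NOT
# SAP-delivered configuration and this is not the ABAP implementation.

class FlagCheck(NamedTuple):      # models a STEP VARIANT FLAG CHECK row
    step: str
    seq: int
    flags: dict                   # flag values required for the row to match
    variant: str                  # variant passed to the process method

class StatusRule(NamedTuple):     # models a STATUS DETERMINATION row
    seq: int
    flags: dict
    status: str

CHECKS = [
    FlagCheck("SUBMIT", 10, {"SENT": ""}, ""),                          # first submission
    FlagCheck("SUBMIT", 20, {"SENT": "X", "RESP": "ERR"}, "RESUBMIT"),  # retry after rejection
]
# Models STEP VERSION RESULT + STEP VARIANT FLAG CHANGE: the allowed results
# per (step, variant) and the flag changes each result causes.
CHANGES = {
    ("SUBMIT", "", "OK"): {"SENT": "X", "RESP": "OK"},
    ("SUBMIT", "", "ERR"): {"SENT": "X", "RESP": "ERR"},
    ("SUBMIT", "RESUBMIT", "OK"): {"RESP": "OK"},
    ("SUBMIT", "RESUBMIT", "ERR"): {"RESP": "ERR"},
}
STATUS_RULES = [
    StatusRule(10, {"RESP": "OK"}, "ACCEPTED"),
    StatusRule(20, {"RESP": "ERR"}, "REJECTED"),
    StatusRule(30, {"SENT": "X"}, "SENT"),      # also matches accepted/rejected docs
    StatusRule(90, {}, "CREATED"),              # catch-all
]

class StepNotAllowed(Exception):
    pass

def first_match(rows, flags):
    """Return the matching row with the lowest sequence number, or None."""
    hits = [r for r in rows if all(flags.get(k) == v for k, v in r.flags.items())]
    return min(hits, key=lambda r: r.seq) if hits else None

class DemoCountry:
    """Hypothetical country class; methods follow the process_<step> convention."""
    def __init__(self, replies):
        self._replies = iter(replies)   # canned authority responses (constructed)

    def process_submit(self, doc, variant):
        return next(self._replies)

class ProcessManager:
    def __init__(self, country, checks=CHECKS, changes=CHANGES, rules=STATUS_RULES):
        self.country, self.checks = country, checks
        self.changes, self.rules = changes, rules

    def run_step(self, doc, step):
        # 1. Entry check: the step runs only if a flag-check row matches.
        row = first_match([c for c in self.checks if c.step == step], doc["flags"])
        if row is None:
            raise StepNotAllowed(f"{step} not allowed for flags {doc['flags']}")
        # 2. Execute the process method in the determined variant.
        result = getattr(self.country, f"process_{step.lower()}")(doc, row.variant)
        # 3. Only a well-defined result may change the flags.
        change = self.changes.get((step, row.variant, result))
        if change is None:
            raise ValueError(f"undefined result {result!r} for {step}/{row.variant!r}")
        doc["flags"].update(change)
        doc["history"].append((step, row.variant, result))
        # 4. Derive the process status from the flags.
        rule = first_match(self.rules, doc["flags"])
        doc["status"] = rule.status if rule else doc["status"]
        return doc["status"]

def new_doc():
    return {"flags": {"SENT": "", "RESP": ""}, "status": "CREATED", "history": []}

def demo():
    pm = ProcessManager(DemoCountry(["ERR", "OK"]))
    doc = new_doc()
    trace = [pm.run_step(doc, "SUBMIT"), pm.run_step(doc, "SUBMIT")]
    try:
        pm.run_step(doc, "SUBMIT")      # already accepted: no check row matches
    except StepNotAllowed:
        trace.append("BLOCKED")
    return trace, doc["history"]

if __name__ == "__main__":
    print(demo())
```

Because the flags change only inside `run_step`, an undefined result or a disallowed step leaves the document's flags and status untouched, which is the property an auditor relies on when reading the history.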



Process Status of an SAP Document Compliance (4)



Application Interface Framework
SAP Document Compliance – on Premise edition

Cockpit

SAP BTP Web Services eDocument eDocument Source


Integration Suite Runtime Framework Local Solution Document

Process audit
AIF
(history)

Security
Compliance
process status Business XML storage
management Data
Technical Mapping
transformation
Communication Compliance
standardization process Business
choreography Process Business
Communication
execution data storage process Transaction
relationships

Technical Local
Automation Standardized
logging specifics Monitoring



Application Interface Framework



AIF Namespaces

▪ Transaction /AIF/CUST: Customizing


▪ AIF customizing for SAP Document Compliance is delivered as BC Set

▪ Namespace Definition
▪ Interface Development > Define Namespace
▪ /EDO: Global namespace for SAP Document Compliance
▪ /EDXXX: Country-specific namespace
▫ Examples: /EDOIT for Italy, /EDOPE for Peru, /EDSII for Spain SII etc.

– Namespaces starting with “/” are reserved for SAP


▪ Since AIF 702, reserved namespaces cannot be modified by the customer and are locked
▪ Namespace can be unlocked for manual changes
▫ SAP Note 2178382 - eDocument: AIF Namespace Locked



AIF Interface Customizing (1)

▪ Interface Definition
▪ Interface Development > Define Interfaces
– Interface Versions
▪ When a new XML layout is published, we use a new interface version for the same interface pair
– Structures
▪ SAP Data Structure: Source structure of mapping
▪ Raw Data Structure: Target structure of mapping
▪ Record Type in Raw Structure: Sub-structure in target structure that contains the content
▫ For response interfaces, the record type must be empty!


AIF Interface Customizing (2)

– Functions
▪ Check Function Module: To check (or process) data in destination structure
▫ SAP Document Compliance request interfaces use EDOC_AIF_GENERIC_CHECK
▫ Not used for response interfaces
▪ Init Function Before Mapping: To manipulate source and/or target structure before mapping
▫ SAP Document Compliance request interfaces use EDOC_AIF_INIT_REQUEST_MAPPING
▫ SAP Document Compliance response interfaces use EDOC_AIF_INIT_RESPONSE_MAPPING
▪ Init Function Before Processing: Not used


AIF Interface Customizing (3)

– Proxy Class and Method
▪ Define the direction of the interface (inbound or outbound)
▫ SAP Document Compliance Framework only uses synchronous outbound interfaces
▪ Synchronous interfaces require two AIF interfaces for the same proxy class
▫ One for the request, one for the response
– Interface Naming Convention
▪ <RESPONSE_INTF_NAME> = <REQUEST_INTF_NAME> + R
▪ Example: INVOICE (request) and INVOICER (response)


AIF Interface Engines

– Define Interface Engines
▪ Interface Development > Additional Interface Properties > Specify Interface Engines
– Types
▪ Application: Assigns functionality to buttons in AIF Error Monitor (e.g. enables Restart button)
▪ Persistence: Defines how the message content is persisted
▪ Selection: Defines from where the messages are selected for display in the AIF Error Monitor
▪ Logging: Defines from where the log messages are retrieved in the AIF Error Monitor

Interface Engines    SAP Document Compliance    SAP Document Compliance
                     Request Interfaces         Response Interfaces
Application          Proxy                      XML
Persistence          XML                        XML
Selection            AIF Index Tables           AIF Index Tables
Logging              AIF Application Log        AIF Application Log


AIF Mapping (1)

▪ Instead of the AIF structure mapping, SAP Document Compliance uses mapping classes
▪ More flexibility & easier ramp-up of new developers
▪ Init Mapping function modules serve as hooks for the mapping method call
▪ Mapping class is determined in view EDOMAPCLASSDETV
▪ Mapping method naming convention: MAP_<INTF_NAME><INTF_VERS>
▫ Examples: MAP_INVOICE1, MAP_INVOICER1


AIF Mapping (2)

▪ AIF Fix Values


▪ Interface Development > Define Fix Values
▪ Fix values are delivered by SAP
▪ If customers need to adapt fix values manually, they need to
unlock the namespace

▪ AIF Value Mappings


▪ Transaction /AIF/VMAP
▪ Entries are customer-specific and have to be created as a
manual step

▪ After mapping, XML values can be adapted


▪ BAdI EDOC_ADAPTOR, method SET_OUTPUT_DATA
▪ Implementation is country-specific (BAdI Filter)



AIF Actions

– Actions
▪ Callback functions/hook during the interface processing
▫ All SAP Document Compliance interfaces use action GENERIC_ACTION from namespace /EDO
▫ Action calls the SAP Document Compliance Process Manager and updates the SAP Document Compliance status

▪ Definition: Interface Development > Define Actions


▪ Assignment: Interface Development > Define Structure Mappings > Assign Actions



AIF Interface Types for document types (1)

– Interface Types are assigned in view EDOINTTYPEV


▪ AIF_XML: Generate only the XML but don’t send it (manual download)
▫ Interface Connector implementation uses function module /AIF/FILE_TRANSFORM_DATA
▪ AIF_PROXY: Generate the XML and send it with the proxy
▫ Interface Connector implementation uses function module /AIF/SEND_WITH_PROXY
▪ CUSTOM: For Basic Enablement / customer-specific implementation without AIF



AIF Interface Types for document types (2)

[Diagram: processing chain for interface types AIF_PROXY and AIF_XML. AIF labels: Initial Mapping FM; Mapping; Value Mapping 1 FM, Value Mapping 2 FM, … Value Mapping N FM; Check FM; Send with Proxy; Processing; Action 1 FM, Action 2 FM, … Action N FM. SAP Document Compliance labels: Mapping Method; BAdI SET_OUTPUT_DATA; Process Manager]


AIF Monitoring and Error Handling: Selection Screen (1)

▪ Transaction /AIF/ERR
– Monitoring and Error Handling

– Selection by
– Application (AIF)
– Namespace (country-specific)
– Interface (namespace-specific)
– Version

– SAP Document Compliance specific selection


– SAP Document Compliance GUID
– Source type (FI_INVOICE, SD_INVOICE,…)
– Source key (generic or source type specific)



AIF Monitoring and Error Handling: Selection Screen (2)

– Generic selection by
– Creation Date and Creation Time
– Message GUID
– Buttons available for quick selection

– Status selection
– Selection by message status
– Default: Application Errors & Technical Errors
– Buttons available for quick selection



AIF Monitoring and Error Handling: Main Screen

Screen Layout



AIF Monitoring and Error Handling: Data Messages View

Messages ordered by
▪ Interface GUID
▪ Source Type
▪ Source Key

Message status
▪ In process
▪ Successful
▪ With Error

Available Actions
▪ Restart in case of transmission error
▪ Cancel (deactivated)


AIF Monitoring and Error Handling: Log Messages View

Detailed Error Information
▪ Standard Mode
▪ Technical Mode (choose push button)


AIF Monitoring and Error Handling: Data Structure View

Display Message Structure
▪ Source Structure
▪ Target Structure


AIF Monitoring and Error Handling: Data Content View

Display Message Content
▪ Double-click on data structure in Data Structure View to see content


Web Services Runtime
Web Service Runtime in a Nutshell

Abstraction layer to support Web Services interoperability in ABAP environment

Allows wizard based definition of governmental web services definitions

The main component is the “Proxy”, and it is configured in transaction SOAMANAGER.

[Diagram: communication chain with the labels eDocument, AIF, eDocument, WS-Runtime, ICM, SAP BTP Integration, Tax Office; data format labels ABAP and XML]


Web Services Runtime

It is responsible for managing the Web Service configuration in ABAP environments.

All service configurations are executed in transaction SOAMANAGER.

Monitoring is executed using transaction SRT_UTIL (transaction SRT_TOOLS is also available).

AIF and SAP Document Compliance implement only simple web services, so there is no need to configure the complete WS Runtime environment.


SAP BTP Integration
SAP BTP Integration
Integrate Cloud Applications into your Application Landscape with Ease

Seamlessly connects cloud applications with other cloud and on-premises apps, both from SAP and third-party providers.

Key Capabilities
▪ Prepackaged content to integrate SAP and non-SAP apps
▪ Web based tool for modeling and monitoring integrations
▪ Strong security focus including data isolation
▪ Choice of application, B2B and technical protocol connectors
– incl. adapter SDK

Key Benefits
▪ Cloud-native technology with subscription-based usage
▪ Safeguard and accelerate your integration projects with out-of-the box integration content
▪ Suited for citizen integrators and system integrators
▪ Enhanced productivity, reliability and quicker access to data
▪ Complements SAP Process Orchestration
▪ Open to partners for developing content and connectivity adapters

[Diagram: SAP BTP Integration at the center, connected to cloud apps, on-premise apps, public authorities, business partners, mobile apps and social networks]


SAP API Business Hub
Accelerator for Digital Transformations

Search, discover, experience and consume the right APIs from SAP and select partners for your digital transformation projects

▪ Catalog: Central Place for APIs from SAP and its Partners
▪ API Sandbox: One click-test experience for developers via API Sandbox
▪ Prepackaged accelerators: Integration packages to integrate APIs
▪ Easy Consumption: Integration with Developer IDE and Code Generations


SAP Cloud Platform Data Centers
Certified Data Centers and Operations 2018
[Map: data center locations, legend live / planned: Moscow, Toronto, Amsterdam, St. Leon-Rot, Tokyo, Arizona, Shanghai, Virginia, Dubai, Riyadh, São Paulo, Sydney]

Planned: Riyadh, Saudi Arabia Q1/2018

This is the current state of the planning and may be changed at any time.

▪ World-class tier-3 and 4
▪ Strong isolation on infrastructure layer with completely isolated tenants
▪ List of Data Centers

▪ 24/7 Global support
▪ 99.99% Platform availability
▪ ISO Standards: Certified operations
▪ IT operations: ISO 27001 CERTIFIED
▪ Quality management: ISO 9001 CERTIFIED
▪ Energy efficiency: GREEN IT CERTIFIED
▪ International account regulations: ISAE3402, SOC1/SSAE18, SOC2 TESTIFIED

SAP BTP Integration - Key Store Self-Service
Manage security artifacts of Cloud Integration Tenants via Keystore Monitor

▪ SAP owned keys and certificates visible
▪ Downloading of public parts
▪ Uploading of externally created key stores
▪ Showing expirations

Worth Knowing
▪ Only Tenant Administrators with specific role may maintain key pairs and certificates
▪ Tenant key store divided into 2 parts via naming conventions:
• SAP owned entries: start with sap_ or hci.
• Customer owned entries: all others

Keystore Monitor now available for Tenant Administrator

Renewal of SAP managed keys

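The naming convention and the expiration display described above can be turned into a periodic inventory check. The following is an added example, not SAP code: the aliases, dates and the 30-day warning window are constructed, and case-insensitive alias matching is an assumption.

```python
from datetime import date, timedelta

# Ownership rule from the slide: SAP-owned aliases start with "sap_" or "hci.";
# every other alias is customer-owned.
SAP_PREFIXES = ("sap_", "hci.")

# Constructed sample inventory: (alias, valid-until date) pairs, e.g. as
# transcribed from the Keystore Monitor. None of these aliases are real.
SAMPLE_ENTRIES = [
    ("sap_example_tenant_key", date(2022, 3, 1)),
    ("hci.example_root_ca", date(2030, 1, 1)),
    ("sdi_signing_key", date(2021, 8, 15)),
    ("taxoffice_transport_ca", date(2021, 7, 20)),
    ("partner_as2_cert", date(2024, 5, 1)),
    ("sapphire_partner_cert", date(2021, 8, 1)),  # "sap" without "_" is not an SAP prefix
    ("SAP_Legacy_Key", date(2021, 7, 1)),         # upper case, see owner()
]


def owner(alias):
    """Return "sap" or "customer" for a keystore alias.

    Assumption: aliases are compared case-insensitively, as Java keystores
    usually treat them; the slide does not state this.
    """
    return "sap" if alias.lower().startswith(SAP_PREFIXES) else "customer"


def renewal_report(entries, today, warn_days=30):
    """Group entries by what a tenant administrator has to look at.

    expired / expiring: customer-owned entries past, or within warn_days of,
    their valid-until date, oldest first. sap_managed: SAP-owned aliases,
    listed separately and not evaluated for expiry here.
    """
    cutoff = today + timedelta(days=warn_days)
    report = {"expired": [], "expiring": [], "sap_managed": []}
    for alias, valid_until in sorted(entries, key=lambda entry: entry[1]):
        if owner(alias) == "sap":
            report["sap_managed"].append(alias)
        elif valid_until < today:
            report["expired"].append(alias)
        elif valid_until <= cutoff:
            report["expiring"].append(alias)
    return report


if __name__ == "__main__":
    for group, aliases in renewal_report(SAMPLE_ENTRIES, date(2021, 7, 25)).items():
        print(f"{group}: {', '.join(aliases) or '-'}")
```
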
SAP BTP Integration
Light-weight orchestration capabilities

▪ Flexible design pipeline
▪ Independent and reusable process steps
▪ 40+ different steps available
– Message Transformation
– Message Mapping
– Message Routing
– Security Elements
– Scripting
– Tasks
– Data Store Operations
– Events
– Many more…


SAP BTP Integration
Security

Secure ISO/IEC 27001 Certified Data Centers
◼ Hundreds of surveillance cameras with digital recording
◼ Fully monitored doors
◼ Tens of thousands of environmental sensors
◼ Security and facility support team onsite 24x7
◼ Biometric access to secured areas
◼ Multiple redundant internet connections from multiple carriers
◼ Redundant data storage in two data center locations
→ How Secure is the SAP Data Center?

[Diagram: SAP BTP Integration with two tenants, each with its own data storage and each behind firewalls; 3rd party cloud or on-premise communication]

Secure Provisioning and Infrastructure
◼ Multi-tenancy
◼ Data isolation
◼ Audit logs
◼ Roles based access
◼ Data privacy and protection
◼ Data storage and backup

Secure Communication
◼ Transport level: HTTPS, SFTP, basic authentication
◼ Payload level: Encryption, decryption, signing, signature verification
◼ Cryptographic message syntax PKCS#7
◼ XML digital signature (signing)
◼ WS security (encryption + signing)
◼ PGP (encryption and signing)

◼ Secure storage of key stores in data base
◼ Encrypted data persistency


Documents Integrity

One of the key benefits of cloud integration in the context of SAP Document Compliance is its extensive signing capabilities:

• Signing sections for number ranges
• Multiple XML signature types
• Self service for key-pair maintenance
• Dynamic signer determination
• As an alternative, if no prebuilt method is sufficient, it is possible to sign using Java/Groovy.


Downloading public certificates from your SAP BTP Integration Worker Node

Export all the certificates to a file on your local machine using a web browser, for both test and productive tenants.


SAP ERP Trust Manager (STRUST)

The following certificates must be stored in SAP ERP:

SSL Communication from SAP ERP to SAP Cloud Platform:
▪ Upload the SAP BTP Integration public certificates to the Client SSL Anonymous PSE.

iFlow Authentication (explained later):
▪ Generate your own certificate.
▪ Get it signed by a trusted CA (both SAP and customer)
▪ Upload to a Client SSL Standard PSE and use it in SOAMANAGER

→ Distribute + Save

ICM restart notification message should appear.


How can I have my S/4HANA (etc…) certificates signed by a Trusted CA?

S/4HANA STRUST transaction:
Create a PSE (e.g. Client SSL Standard) → Generate a Certificate Sign Request → Export as a *.csr File → Import CA Signed Certificate → Import CA Intermediate and root certificates to complete the chain.

Trusted CA Company:
Upload Certificate Sign Request → Sign → Download Certificate Signed by CA → Etc…

Trusted CAs may have different requirements and ask you to provide company-specific data.

They may also take some time to analyze your company before issuing a certificate.


Detail of WS Runtime Configuration (SOAMANAGER)

Follow the configuration guide:

• Web Service Configuration
• Proxy and Firewall configurations
• HTTPS and Secure Store

User ID / Password (S* users) is not for productive usage!


Getting Transport Certificates

1. Export all the certificates to a file on your local machine using a web browser, both for “demo” and productive Aruba environments.
https://arss.demo.firma-automatica.it/ArubaSignService/ArubaSignService
https://arss-sap.actalis.it/ArubaSignService/ArubaSignService
2. Then go to the corresponding SAP BTP Integration Tenants and import them all.


SAP BTP Custom Domain
Standard SAP Setup for Incoming Architecture

Shared SAP Custom Domain SSL Server

• A bundle of certificates must be uploaded to a single SSL server.
• Test and productive SDI calls are routed to a single SSL server.
• A single SSL server allows access to test and productive environments.
• No testing is impacted.
• Domain Name Registrar required to differentiate productive and test requests.

[Diagram: Test SDI and Productive SDI, Domain Name Registrar, SAP Custom Domain SSL Server, two SAP BTP Integration Tenants, SAP S/4 HANA DEV, SAP S/4 HANA QA, SAP S/4 HANA*]


Incoming URLs
These iFlow URLs will be used during SDI Registration, Subdomain registration and CNAME Mapping.

eu176281928.ssl.ondemand.com/cxf/ItalyReceiveNotification (not standard recommendation)
test.sdi.mycompany.com/cxf/ItalyReceiveNotification

[Annotations on the parts of the URL: SAP BTP Integration Tenant mapping; Web Service Process Identification; iFlow name; host name, which could be either Company Domain Name or SAP Custom domain SSL Host Name; optional Tax ID; optional Environment: “test” | “prod”]

* Suggested prefix does not represent any function impact, and may be shortened in case of many Tax IDs.

SAP Custom Domain routing configured for multiple tenants with Sub Domains

Call from the sender:
https://Test.sdi.myCompany.com/cxf/ItalyReceiveNotification

Registrar managed DNS entries
Prod.myCompany.com ➔ eu176281928.ssl.ondemand.com
Test.sdi.myCompany.com ➔ eu176281928.ssl.ondemand.com
eu176281928.ssl.ondemand.com ➔ 050.040.030.020

Request: https://050.040.030.020/cxf/mySampleIFlow
GET / HTTP/1.1
Host: Test.sdi.myCompany.com
Accept: ….(etc).

Custom Domain Canonical Names (CNAMES), canonical names mapping table
Prod.sdi.myCompany.com ➔ l0001-iflmap.hcisbp.eu1.hana.ondemand.com
Test.sdi.myCompany.com ➔ l0002-iflmap.hcisbp.eu1.hana.ondemand.com

[Diagram: SAP Cloud Platform Datacenter 050.040.030.020 with Load Balancer; SAP Cloud Platform Custom Domain with SSL Host eu176281928.ssl.ondemand.com and Trusted CAs root certificates; SAP Cloud Platform Global Account with Prod Subaccount (Integration Tenant l0001-iflmap…, WS iFlow ItalyReceiveNotification) and Test Subaccount (Integration Tenant l0002-iflmap…., WS iFlow ItalyReceiveNotification)]


Peppol
Foundational Motivation from European Commission

How do we solve interoperability issues for electronic procurement?

➔ Ubiquitous Interoperability Framework: Pan-European Public Procurement Online

“PEPPOL is not an e-Procurement platform but instead provides a set of technical specifications that can be implemented in existing eProcurement solutions
and eBusiness exchange services to make them interoperable between disparate systems across Europe.
PEPPOL enables trading partners to exchange standards-based electronic documents over the PEPPOL network (based on a 4-corner model). These documents
include e-Orders, e-Advance Shipping Notes, eInvoices, eCatalogues, Message Level Responses, etc.
PEPPOL Access Points connect users to the PEPPOL network and exchange electronic documents based on the PEPPOL specifications. Buyers and suppliers are
free to choose their preferred single Access Point provider to connect to all PEPPOL participants already on the network. (‘Connect once, connect to all’).”

PEPPOL – Pan-European Public Procurement On-Line

In numerous European countries, the invoices are sent to the receiver without government participation in the scenario.

The endpoint is determined using the infrastructure defined by PEPPOL (Pan-European Public Procurement On Line).

Electronic documents are sent and received through a registered Service Provider.

The use of PEPPOL is not restricted to B2G exchanges. It can also be used for B2B transactions between private companies.

[Diagram: SAP as a Solution. Annotations: Holds a PEPPOL Certificate; The service determines the receiver endpoint dynamically; Offers both a sending and a receiving Access Point]

Core Peppol Infrastructure components

Formats
• UBL and UNECE Format Standards
Country Validations
• Tax office issues a validation using schematron language

Distributions
• “Access Points” Roles and responsibilities
• 4 corners distribution model
• “Participants”

Service Metadata Publishers
• They describe capabilities of participants
• Service executed by 3rd parties

The openPeppol Service Metadata Locator
• “DNS” for Peppol
• Connects participant with SMP.

Peppol Today

B2G and B2B
▪ Compulsory and optional profiles (formats)
▪ Reusing well-known communication standards (AS2/AS4)

Countries embracing the framework definition:
▪ Austria, Belgium, Denmark, England, France, Italy, Netherlands, Norway, Poland, Sweden, Germany
▪ Australia + New Zealand
▪ Singapore

▪ Order only
▪ Ordering
▪ Catalogue only
▪ Despatch Advice
▪ Punch Out
▪ Message Level Response
▪ Invoice Response
▪ Catalogue Without Response
▪ Order Agreement

Deployment

[Diagram: two deployment options side by side. Further labels: Italy, Connector, Germany]

On-premise edition + SAP CPI, e.g. Italy B2B (focus on premise)
Labels: Suite (SD Bill, FI); SAP Document Compliance, on-premise edition; SAP Cloud Platform Integration iFlow; Tax Office

Invoicing option for Peppol, e.g. Germany xRechnung (focus on cloud)
Labels: Suite (SD Bill, FI); SAP Document Compliance, invoicing option for Peppol*; SAP Cloud Platform iFlow; Recipient Business Partner

Country Independent and reference processes (typical in Peppol)

Netherlands

Norway

New Zealand

Solution Development Intro
[Diagram: overview of the components and customizing views involved in a solution, from the SAP ERP process down to the recipients. Recoverable labels, by layer:]

SAP ERP Process (+ S/4 HANA, + SAP ERP, + Industry Solution)
▪ Country App, ABAP FM
▪ TPS31 – BTE functions
▪ Source Types: SAP Document Compliance List - SAP Document Compliance - Accounting Document - FI-CA Document - Goods Issue Posting - Goods Receipt Posting - Inbound Delivery - Invoice Verification - IS-U Print Document - Shipment - Sales/Purchase/Daily Ledger - Outbound Delivery - Real estate document - Billing Document without Accounting Data - Billing Document - Billing Document (accounting data in FICA) - Incoming Source File - Convergent Invoicing Document

SAP DC Framework
▪ EDOTYPEV – eDoc Types
▪ EDOCOUNTRYCH
▪ T003EDOCV – eDoc type for FI doc type
▪ EDOINTTYPEV - communication
▪ EDOCOMPANYACTIV
▪ EDOSRCTYPEV - communication
▪ EDOC_PROCMGR - Process Manager (STATUS, STEP, PROCESS, FLAG, ACTION, STATUS FOR TYPES, STEP VERSION, FLAG POSITION, STEPS FOR ACTION, STEP VERSION RESULT, STEP VERSION VARIANT, STEP VARIANT FLAG CHECK, STEP VARIANT FLAG CHANGE, STATUS DETERMINATION)
▪ EDOPROCFUNCASGV – Func (Process Function)
▪ EDOMETASTATUSV - Process Status
▪ EDOMETASTATDETV - eDoc Type Status
▪ EDOINTERFACEV – SAP Document Compliance Interface
▪ EDOPROCSTEPDETV – eDoc Int steps
▪ EDOMAPCLASSDETV – Mapping Class
▪ EDOINTVERSIONV – eDoc Int V.
▪ EDOPROCSPINTDETV – SAP Document Compliance Interface
▪ EDOINTAIFV
▪ EDOINTV – WS-R Link
▪ EDOSOASERV – WS-R Log Port

Web Services Runtime
▪ Trx SOAMANAGER – connection configuration (WS Proxy, Logical Port, Authentication)

SAP Cloud Platform - Integration
▪ iFlow

Recipients (tax offices or 3rd parties for validation, signing, etc…)

AIF
▪ Trx /AIF/CUST – AIF Customization (NAMESPACE, AIF INTERFACE, AIF NAMESPACE ERROR HANDLING, AIF INTERFACE ENGINE, AIF INTERFACE ERROR HANDLING, AIF INTERFACE ACTIONS; generic config)

Country Approach: Communication Models

[Diagram: three communication models between Vendor and Customer: Distribution (direct exchange, labels S and R), 4-Corner (via Tax Office or Validation Service) and Clearance (via Tax Office or Validation Service)]

Distribution
• Complex implementation
• High security standards including end-to-end integrity.
• Standard format helps A/P and A/R process (reducing working capital cost).

4-Corner
• Small list of standards helping A/P A/R.
• Easier implementation supported from the access point.
• End-to-end Integrity?
• More POFs (points of failure)

Clearance
• Invoice registration + parallel distribution
• Likely to evolve, challenges:
A. Integrity problem
B. Payment terms
C. Distr. format not standard, MIRO??

New Solution Creation in a Nutshell - 4 Steps

eDocument Solution
• Country Class
• Solution DB Tables
• Document Types
• ABAP Classes
• DB
• Solution
• AIF Communication
• Mapping
• Process Manager
• eDoc Interface
• Cockpit Customization
• Mapping Config.

Web Service Proxy
• Communication WSDL
• SAP BTP Integration iFlow
• ABAP Consumer Proxy
• Configure Proxy

AIF Interface
• Namespace
• Interface
• Engine
• Errors
• Actions

Link eDocument solution
• AIF
• Web Service Proxy
• S/4HANA (trigger)

[Class diagram. Recoverable labels:]
▪ Enh spot ES_DOCUMENT
▪ BADI EDOC_PARTNER_CONNECTOR, IF_EDOC_PARTNER_CONNECTOR
▪ BADI EDOC_INTERFACE_CONNECTOR, IF_EDOC_INTERFACE_CONNECTOR (AIF Interface Connector)
▪ BADI EDOC_ADAPTOR, IF_EDOC_ADAPTOR
▪ IF_BADI_INTERFACE
▪ CL_EDOCUMENT, Country/Solution Class, friends, CL_PROCESS_MANAGER
▪ ABAP Class Map, Mapping, CL_EDOC_MAP, CL_EDOC_MAP_AIF
▪ WS Proxy Class
▪ Enhancements Class
▪ Database Handler: CL_SAP Document Compliance_DB
▪ Database Handler Interface: IF_SAP Document Compliance_DB

Triggering an eDocument Instance

Document Type
• Supported source objects (e.g. SD Invoices) check based on the document type
• This is called the “HOOK” connecting the source object to the compliance process
• Different source applications implement it with available tools:
• SAP Business Transaction Events → FI
• Accounting interface → SD

Factory
• The factory class is a generic functionality that allows running custom logic to determine the need to trigger an eDocument Instance

Sample Country or Solution Class

Compiles functionalities for the same country

Not required to have both

Most methods inherited from CL_EDOCUMENT

Few methods redefined

Mapping Class

Transformation rules

Sample Source Document Class

Didactical interaction between eDocument Process and Source Document

[Diagram: interaction between the Business Application and the eDocument. Timeline labels: Create Business Document, Create eDocument, Actions, Finished. Business Application side: Register “Invoice” key: 0201292; Source Document. eDocument side: Process: Peruvian Invoice; Ref source doc key: 0201292; Source Type: SD Invoice; Country/Solution Class; MAP Class. Actions: Display, Communicate, Submit]

Document Content Creation at high level

Get Definition
• Process + Documents
• Could be XML or JSON
• Usually XSD or WSDL files.

Adjust XSD or similar
• Error handling
• Integrity enhancements (Base 64 + Zipping)

Generate ABAP Proxy
• Fine tune definitions if required
• Fill up content from source object

Create iFlow
1. Import enhanced XSD for signing
2. Implement interface

3 Dimensions in Mapping

To produce the message content, the mapping must follow 3 basic rules:

• Regulation: Use case specific content requirement.
• Syntax: normally achieved with ABAP Proxies (WS-Runtime)
  • UBL leading (ISO)
• Semantics: Using AIF and S/4HANA conversions
  • ISO
  • UNECE
  • Country/Entity Specific

[Diagram: Document with the three dimensions Semantics, Regulation and Syntax]

Request Transformation – AIF Integration Between Source Object and WS-Runtime

[Figure: AIF mapping between two structures. Target: Target Proxy from Tax Office. Source: Source Data from Country/Solution Class & Source Object (GET_SOURCE_DOCUMENT_DATA)]

Integration - Sample iFlow

[Figure: sample iFlow with the annotated areas Connectivity + Confidentiality, Integrity, Authentication, Technical tweaking and Error handling]

Background Information

The “Programmatic Part” of the Process Manager is mainly developed in CL_EDOC_PROCESS.

CL_EDOC_PROCESS is defined as final (no country-specific subclasses).

Enable Call of Process Methods from the Process Manager Class

Define class CL_EDOC_PROCESS to be a friend to the country class.

Redefine Method DETERMINE_PREREQ_FOR_PROCESS

Method DETERMINE_PREREQ_FOR_PROCESS:

Determine the prerequisites for process determination

If the process determination for the country (existing method determine_process) needs other
values (e.g., SAP eDocument type, interface type) as a pre-requisite, provide the determination in
this new method.

Background:

The process needs to be determined earlier at the creation of the process instance (with existing
method prepare_eDocument).

Process Methods

Naming Convention: process_<step>

Definite Signature of Process Method:

Import Parameters:
IV_INTERFACE_GUID TYPE EDOC_INTERFACE_GUID
IV_PROCESS_STEP TYPE EDOC_PROCESS_STEP
IV_VARIANT TYPE EDOC_PROC_STEP_VARIANT
IS_DATA TYPE <specific to step>
or subset of these

Returning Parameter:
RV_RESULT TYPE EDOC_PROC_STEP_RESULT

Exception:
CX_EDOCUMENT

COMMIT WORK (AND WAIT) / ROLLBACK WORK: must not be used in process methods

Process Methods for Re-Use

Process Methods (or parts of them) that are likely to be re-used in country-specific process
methods are provided by the SAP Document Compliance Framework:

Class CL_eDocument

Methods process_<step>_global

Creation of a Process

To create a SAP Document Compliance process from another document (e.g., invoice), call method CREATE_EDocument of CL_EDOCUMENT as before.

• No authorization check of the SAP Document Compliance authorization object
• No exception raised, put errors in application log, error flag set
• Use variant ‘HOOK’ of action ‘CREATE’ and variant ‘HOOK’ for the ‘CREATE’ process step

Otherwise: call action ‘CREATE’ (with other variant)

The Action ‘SUBMIT’ and alike

The action SUBMIT now usually consists of 4 process steps.

New step TRIGG_SEND ‘Trigger the Sending of a document’:

• Serves only as a ‘wrapper’ to call the interface trigger (method trigger_interface).
• Since there will also be a save_to_db() for this step, ensure that the document values are current by using the existing method load_from_db() (note: trigger implementations work on different instances of the document).

Attributes Managed by the Process Manager

Process-relevant attributes of the document (also of DB table SAP Document Compliance) are now managed by the process manager class CL_EDOC_PROCESS:
MS_PROCESS_ATTR
• PROCESS
• PROCESS_VERSION
• STATUS
• PROC_STATUS
• LAST_PROCSTEP
• LAST_PROCSTEP_VARIANT

Access them via lo_eDocument->mo_process->ms_process_attr

Integration, Automation and Enhancements

Automation

SAP Document Compliance is mostly a “background” functionality.

eDocument Cockpit is mostly used for error analysis.

Background jobs take care of process automation.

[Screenshot label: Dynamic Cockpit Variant]

Simple enhancements via BADI → ES_EDOCUMENT

Handy methods to tweak existing implementation

Incoming process at high level

Triggering Compliance Process
• External event triggers process creation
• Or File based

Validation
• Integrity
• Validity

Forwarding to business process
• Correlation / Matching
• Posting to business application

Compliance Process Conclusion
• Notification to Business Partner
• Update + Finish Process

Incoming Integration

Many country solutions offer out-of-the-box incoming invoice integration via OpenText Vendor Invoice Management

• Invoice acceptance and rejection can be fully automated

Integration to incoming process offered as an open integration from eDocument Framework:

• VIM mapping can be implemented
• Other options: BAPI, IDoc, etc…

Incoming processing

Incoming connector supports generic forwarding of incoming data to other applications.

As an example, for Invoices, there are many options:

• ALE messages INVOIC_CREATE or ACC_INVOICE_RECEIPT
• BAPI BAPI_INCOMINGINVOICE_CREATE1

[Diagram: eDocument Process Instance forwarding to Open Text VIM, AIF, ALE / IDOC, BAPI, Custom ABAP, Batch Input, etc.]

Simple enhancements via BADI → ES_EDOC_INCOMING

Map incoming data + Cockpit Navigation

Incoming processing

View EDOINCOMSOLV can be configured to forward a process to an incoming solution.

Solutions are created in table EDOINCOMSOLDEFV.

Enhancement filters the solution.

Steps for inbound processing

Configure steps
• CREATE, DELETE, INCOM_...
• Implement PROCESS_INCOMING_SEND forwarding call to BADI (copy-paste like)

Implement BADI
• PROVIDE_DATA with the corresponding filter to feed the incoming processing application
• NAVIGATE_TO_TARGET helps integrate EDOC_COCKPIT with the target application

Update Process
• After running the inbound process, call CL_EDOC_INCOM_RESPONSE->PROCESS_RESPONSE with the corresponding process variant, e.g. “ACCEPT” or “REJECT”.

Automation via iFlow via Push or Pull iFlows

iFlows can be used to trigger eDocument processes.

Triggering can be implemented using RFCs or by sending files to the file system.
• Country solutions like Brazil provide support for RFCs

SAP Cloud Connector is recommended.

[Diagram: SAP BTP CI → SAP Cloud Connector → S/4 HANA. Annotation: Reading emails is a very common scenario]

Pulling messages from ABAP is also possible.

[Diagram: S/4 HANA → SAP BTP CI]

Internal triggering – custom option

▪ Inherit CL_EDOC_FACTORY
▪ Regular process activation is supported via configuration in SPRO
▪ Factory table EDOFACTORYV allows to configure Source Document to custom determination classes

Inbound triggering from files and pulling from iFlows

Transaction EDOC_INBOUND_UPLOAD uploads file to the app server file systems. Folders are configured in table EDOMSGTYPEUPLDV and via FILE/SF01 transactions.

Transaction EDOC_INBOUND_MSG processes the incoming messages from app server or via iFlow. Tables EDOMSGTYPE and EDOMSGTYPEPULL configure processing.

Runtime Environment
SAP BTP Integration - Runtime Environment

➢ Composed of a cluster of virtual processes
➢ Message processing tasks for a tenant are performed within a dedicated Java Virtual Machine
➢ An SAP BTP Integration cluster for a tenant (shortly referred to as tenant cluster) is composed of one (or more) tenant management nodes and one or more runtime nodes
➢ Tenant clusters of different participants (customers) are strictly separated from each other and are unable to interfere
➢ Physical resources of the cloud platform are portioned per tenant
➢ The individual processes are also referred to as nodes of the cluster

SAP BTP Integration - Virtual System Landscape

➢ Factory: Externally available landscape for productive usage. Depending on the related data center, there are different URLs for Europe, the US and Asia-Pacific.
• Virtual Server Names
Europe: https://hana.ondemand.com
IP Address: 155.56.128.0/17 (min 155.56.128.1, max 155.56.255.254)

USA: https://us1.hana.ondemand.com
IP Address: 65.221.12.0/24 (min 65.221.12.1, max 65.221.12.254), 206.112.73.0/24 (min 206.112.73.1, max 206.112.73.254)

Asia-Pacific: https://ap1.hana.ondemand.com
IP Address: 210.80.140.0/24

➢ Trial: Externally available landscape for testing and demo purposes.
• Virtual Server Names and IP address are the same as for the factory data center for Europe

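The ranges above are what an outbound firewall rule for the SAP ERP system is built from. The following added example, not part of the original deck, checks the slide's min/max values and audits outbound connections against the ranges; the log format and its lines are constructed, and restricting traffic to port 443 is an assumption based on the HTTPS URLs.

```python
import ipaddress

# CIDR ranges per region, copied from the slide above.
LANDSCAPE_RANGES = {
    "Europe": ["155.56.128.0/17"],
    "USA": ["65.221.12.0/24", "206.112.73.0/24"],
    "Asia-Pacific": ["210.80.140.0/24"],
}

# Constructed sample of outbound connection log lines in a hypothetical
# "timestamp source destination:port" format.
SAMPLE_LOG = """\
2021-07-01T10:00:01 10.1.2.3 155.56.200.17:443
2021-07-01T10:00:05 10.1.2.3 155.56.127.250:443
2021-07-01T10:00:09 10.1.2.3 206.112.73.40:443
2021-07-01T10:00:12 10.1.2.3 203.0.113.9:443
2021-07-01T10:00:15 10.1.2.3 155.56.130.5:80
2021-07-01T10:00:20 10.1.2.3 210.80.140.77:443
not a log line
"""


def usable_bounds(cidr):
    """First and last host address of a range (network and broadcast excluded)."""
    net = ipaddress.ip_network(cidr)
    return str(net.network_address + 1), str(net.broadcast_address - 1)


def region_of(ip):
    """Return the landscape region whose range contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for region, cidrs in LANDSCAPE_RANGES.items():
        if any(addr in ipaddress.ip_network(cidr) for cidr in cidrs):
            return region
    return None


def audit(log_text):
    """Split log lines into allowed, flagged and malformed.

    allowed: destination inside a listed range and on port 443 (assumption:
    only HTTPS is expected towards the landscape). flagged: everything else
    that parses. malformed: lines that do not match the constructed format.
    """
    result = {"allowed": [], "flagged": [], "malformed": []}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            host, port = line.split()[2].rsplit(":", 1)
            region = region_of(host)
            port = int(port)
        except (IndexError, ValueError):
            result["malformed"].append(line)
            continue
        if region is not None and port == 443:
            result["allowed"].append((host, region))
        else:
            result["flagged"].append(f"{host}:{port}")
    return result


if __name__ == "__main__":
    for cidrs in LANDSCAPE_RANGES.values():
        for cidr in cidrs:
            print(cidr, usable_bounds(cidr))
    print(audit(SAMPLE_LOG))
```
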
SAP BTP Integration - Cluster Nodes

➢ An SAP BTP Integration cluster is composed of different kinds of nodes:


• Tenant management node (performs tenant-specific management tasks)
▪ starting tenant-specific runtime nodes
▪ deployment of artifacts (integration flows or keystores)
• Runtime node (or worker node)
▪ Processes messages for a tenant
▪ Services required for message processing, for example routing or mapping, are implemented as subsystems of the node

SAP Document Compliance Cockpit Monitor

Provides generic monitoring for all SAP Document Compliance based solutions.

The cockpit covers execution and monitoring.

AIF Monitor

Provides access to technical interfaces monitoring.
• Message Monitoring
• Data Structure
• Errors
• Field level info

WS Runtime (SRT_TOOLS | SRT_UTIL)

Provides access to communication level data.

Supports tracing, call stack, etc…

Allows to see SAP Cloud Platform error messages directly.

SAP Internet Communication Manager (SMICM)

This is the SAP ERP Web Server

HTTPS Service:

It is required to access the datacenter

Monitoring via Traces and Logs

SAP BTP Integration Message Monitoring - Overview

• Available via Web, APIs and Solution Manager


• Each one has particular benefits.

• Messages are removed from the system after a determined period of time.

• Monitoring layer is updated asynchronously.


• Using a JDBC connection from the tenant pool.

• Multithreaded applications are represented with one iFlow


• There is no thread level monitoring.
• If planning to use “multicast” patterns consider resources consumption (CPU, memory and JDBC
connections!)

• Attachments can be added to the message processing log.

• With additional authorizations and configuration also the step by step payload can be saved.

SAP BTP Integration PI Message Monitoring – Web - Overview

Default tool
▪ Support basic search capabilities
▪ Covers status, logs, artifacts, attachments and tracing.

Unlike Eclipse, provides a short summary on the status.

Overview screen provides some summary on status.

SAP BTP Integration PI Message Monitoring – Web – Search Capabilities

Artifact name or type

1- Select Predefined or Custom

2- Flexible range

SAP BTP Integration PI Message Monitoring | Message Monitoring APIs

• Message Processing Log
• + Customer Header Property
• + Error Information
• + Adapter Attributes

[Entity diagram: MessageProcessingLog, CustomHeaderProperties, MessageStoreEntries, ErrorInformation, AdapterAttributes, Attachments, Properties]

SAP BTP Integration PI Message Monitoring | Message Monitoring APIs

• Large number of search and filtering capabilities


• Implemented with OData syntax
• By far the most comprehensive solution for monitoring

• Allows flexible navigation between entities


• Also supports correlation navigation

• Customers must implement UX layer.

SAP BTP Integration PI Message Monitoring | Message Monitoring APIs

Payload based Search

▪ OData API based
▪ Developers must save the values using Groovy Script.
▪ Can be accessed using OData
  – Includes Log expansion for navigation

Groovy script:

    import com.sap.gateway.ip.core.customdev.util.Message

    def Message processData(Message message) {
        // messageLogFactory is provided to the script by the runtime
        def messageLog = messageLogFactory.getMessageLog(message)
        messageLog.addCustomHeaderProperty("customer", "0120320")
        return message
    }

OData query:

    …/MessageProcessingLogCustomHeaderProperties?$filter=%20Name%20eq%20%27customer%27%20and%20Value%20eq%20%270120320%27&$expand=Log

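One way to run the payload based search from a client, as an added Python example that is not part of the original deck. The base address is a placeholder (the slide elides it), the response is a constructed sample assumed to follow the OData V2 JSON shape, and the function names are hypothetical; values are quoted as OData string literals so that a value containing a quote cannot change the filter.

```python
import json
from urllib.parse import parse_qs, quote, urlsplit

ENTITY = "MessageProcessingLogCustomHeaderProperties"  # entity set named on the slide


def odata_string(value: str) -> str:
    """Return value as an OData string literal; embedded quotes are doubled."""
    if any(ord(ch) < 0x20 for ch in value):
        raise ValueError("control characters are not allowed in a search value")
    return "'" + value.replace("'", "''") + "'"


def build_search_url(base_url: str, name: str, value: str) -> str:
    """Build the custom header search URL, with Log expansion for navigation."""
    flt = f"Name eq {odata_string(name)} and Value eq {odata_string(value)}"
    return f"{base_url.rstrip('/')}/{ENTITY}?$filter={quote(flt, safe='')}&$expand=Log"


def matching_logs(response_text: str, name: str, value: str) -> list:
    """Return the expanded Log entries whose header really equals name/value."""
    results = json.loads(response_text)["d"]["results"]
    return [r["Log"] for r in results
            if r.get("Name") == name and r.get("Value") == value and r.get("Log")]


# Placeholder base address; the slide elides the real one as "…".
BASE = "https://tenant.example.invalid/odata"

# Constructed sample response (OData V2 JSON shape assumed, GUIDs made up).
SAMPLE_RESPONSE = json.dumps({"d": {"results": [
    {"Name": "customer", "Value": "0120320",
     "Log": {"MessageGuid": "constructed-guid-1", "Status": "COMPLETED"}},
    {"Name": "customer", "Value": "0999999",
     "Log": {"MessageGuid": "constructed-guid-2", "Status": "FAILED"}},
]}})

if __name__ == "__main__":
    # Same query as on the slide, built from its parts.
    print(build_search_url(BASE, "customer", "0120320"))
    # A value with quotes stays inside the string literal after escaping.
    hostile = build_search_url(BASE, "customer", "x' or Name ne '")
    print(parse_qs(urlsplit(hostile).query)["$filter"][0])
    print(matching_logs(SAMPLE_RESPONSE, "customer", "0120320"))
```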
Considerations using persistency

Some eDoc solutions implement persistency using SAP BTP Integration Data Stores.

Data Stores is a relational database based technology.

An SAP BTP Integration tenant has a predefined :

• Number of database connections

• Memory Model

• Number of Worker Nodes

Stress testing is recommended during the implementation projects.

SAP BTP Integration also supports high performance enterprise messaging (JMS)

Security
Motivation
I am not in a technical role, so why should I be interested in this complex, deeply technical topic?
• Because you are personally representing your company in front of the national tax authority.
• Because you are legally responsible for the data presented.
• Because you need to define how security elements are going to be handled in your company.
• Because you need to understand the purpose of every step to determine how to proceed and who you trust.
• All in all, are you sharing your bank passwords with everyone?

Deep dive into our understanding of end-to-end security

[Word cloud: Access Control, Authentication, XSS Scripting, Authorizations, Authorization violation, Firewalls, Repudiation, SQL injection, Encryption, Eavesdropping, Denial of service, Public key infrastructure, Buffer overflow, Tampering, Spoofing, Single Sign-On, Masquerading, Security monitors, Secure development framework]

Confidentiality
• Information must not be visible to others
• Requires to trust in service provider.
• Client is not known to service provider

Integrity
• Assure data was not modified during transmission or coming from another source.
• Sender is also guaranteed.

Authorization
• Only entitled client is able to execute the service.
• Several options for authentication.

Availability
• Keep system safe from attacks

Security in the realm of SAP Document Compliance

Every single connection must comply with a number of security requirements.

Confidentiality
• Information must not be visible to others
• Requires to trust in service provider.
• Client is not known to service provider

Integrity
• Assure data was not modified during transmission or coming from another source.
• Sender is also guaranteed.

Authorization
• Only entitled client is able to execute the service.
• Several options for authentication.

How do I implement security in my cloud solution? Basic security for newbies (like me)

Security Blocks involved in SAP Document Compliance (sample: Italy)

➢ Security mechanisms based on open, standard-based and interoperable solutions for integration in existing infrastructures

Federation
Policy & Trust: WS-Security, WS-Trust, KeyStore, known_hosts, Performance
Authorization: SAP Cloud Platform Role (Basic)
Authentication: Basic, Certificate, More…
Message Security: WS-Security, S/MIME
Document Security: XML Sig, WS-Security Sig, XML Enc, PKCS#7, PGP, Digest
Transport Security: SSL/TLS, SSH

Typical Content Encryption Techniques (Cryptography basics)

In Cryptography, many techniques rely on common technology based on shared “keys”:

Symmetric encryption
• Sender encrypts the clear text with a symmetric key and receiver decrypts the cipher text with the same symmetric key
• Problem: secure exchange of the symmetric key

Asymmetric encryption
• Sender encrypts the clear text with the public key and receiver decrypts the cipher text with the corresponding private key
• Public keys can be made public because it is very hard (or nearly impossible) to calculate the private key from the public key

Asymmetric encryption assumes many senders can encrypt with public keys, but only the single receiver can decrypt with the private one.

A similar process is also used in the signing process (explained later), but the sender “signs” with the single private key, and the receiver must use a derived public key to verify.

Private key (max 1)
• Any random number
• Owner keeps confidential.
• Private key files are protected with a password
• Is used to decrypt and sign (explained later)

Public keys (max N)
• Typically meant to be shared
• Used to encrypt content
• Derived (mathematically) from a private key

Certificates

A certification authority issues a certificate
• binding a public key to a particular distinguished name (common name, country, organization, …)
• by signing the public key and the distinguished name with the private key of the issuer

The certificate contains also further information like issuer, algorithm, … which is also signed.
• for further detailed information see http://en.wikipedia.org/wiki/X.509

Certificates can build certificate chains (issuer public key and issuer DN is signed by an other issuer, and so on).

Certificates which are signed by the private key corresponding to the public key of the certificates are called self-signed. The self signed certificate in a certificate chain is called root CA.

Key Usages
• Data confidentiality
• Authorizations Control (authentication)
• Avoid repudiation
• Ensure message content integrity
• eMail
• Intermediate authority
• Making sure validation software is not corrupt

Understanding trust relationship among companies (chains)

• Global Trust Corporation: Root CRT (self signed), signs…
• Regional Trusted Inc: Intermediate CRT, signs…
• End-user: Server CRT

Service Provider: presents the chain.
Client: I trust in certificates signed by… / I trust in… / Should I trust in this service provider?

What does a certificate look like in a browser? 1 of 2

[Screenshot: browser certificate viewer showing the chain; keys, algorithms, subject, issuer, expiration; and the download option]

Main Certificate Components in detail…

* Codes change from platform to platform: e.g. S, ST, SP (for State)


What does it look like on the file system? 2 of 2

R: single root
I: intermediates (many…)
E: end user

I trust in this company, because DigiCert also trusts in them.

Web Server Trust relationships - What is a CSR file?

When a Web Server is installed, there is no way for clients or servers to determine whether this is a reliable site or not.

In order to establish a trust relationship, the web server administrator creates a key pair describing who they are, and sends the public key to a certification company (“Trusted CA”: Trusted Certification Authority), to have it signed by them.

• This public key is initially not signed by any trusted CA (but the same web server company: “Issued To:” = “Issued By:”).

• It is referred to as a “Certificate Sign Request” file.

If the Trusted CA decides to sign it (after all due legal diligences), it is then installed in the web server and presented to anyone connecting the server.

The complete process is detailed later…

Note: web browsers contain lists of trusted CAs installed.

A forest of file types for certificates

Private key files (*.key files)

• Owner keeps confidential


• Private key files are protected with password

Public key files (*.crt or *.cer)

• Are typically shared to let clients encrypt

Sign requests (*.csr)

• Files to be sent to trusted certification company


(CA)

Personal Information (*.pfx, *.p12)

• Pair of keys (keypair)


• Contains both the private key and public key
(two components in one single file)

Should I trust in this service provider?

If a service provider is trusted, the certificate chain must be stored on the client side for transport level security.

[Diagram: Client and Web Server]
• Web Server holds R, I and E.
• R and I must be present on client.
• Key-pair: only public key is shared. Only private key holder can decrypt messages.

Should I allow this client to access my infrastructure?

The certificate chain must be stored on the client side, and presented to be authorized.

This flow is a standard procedure, and how SAP Cloud Platform works, but other servers might differ, e.g. storing also the Intermediate keys on the server side.

Complete process flow is explained in the following slides.

[Diagram: Client holds R, I and E and presents them to the Web Server, which holds R.]

Authentication Options

BASIC
• Username + Password
• Client provides a username and password
• SAP BTP Integration is connected during provisioning to SAP ID Service.
• SAP ID Services SLA is 0%, contraindicated for productive scenarios.
• SAP Cloud Platform offers the Identity and Authentication Services with 99.9% SLA.
• Appropriate for federated authentication scenarios.

Certificate
• A file (certificate)
• Must be signed by a mutually trusted CA.
• Expires every 2 years or so.
• Suitable for single (or so…) clients connecting
• Is relatively inexpensive.
• No additional point of failure in the architecture.

OAuth* Based
• Some strange username (called “token”) and a password.
• Handled by customer SAP Cloud Platform subaccount resources directly.
• No extra cost.
• Token expiration can be configured and revoked.
• Supported by S/4 Cloud
• No additional point of failure in the architecture.

* From a didactical approach

Integrity and source control (digital signature): What value do I get from that?

Integrity
You send…. Bill for €100 for Pietro
Tax authority receives…. Bill for €200 for Giovanni
• Provides technical means to make sure nobody changes the information during the exchange process.
• If something is changed, the receiver can recognize it was modified.

Origin Authentication & non-Repudiation
You send…. Bill for €100 for Pietro
Tax authority states you sent…. Bill for €200 for Giovanni
• There are several options for repudiations (origin/destination + content)
• In general, it protects all involved parties in case one of them raises a repudiation complaint.
• No other sender could have generated the message.

What is a Digest (or “Hash”)?

Fix length digest or “hash”:

“Life” → 52d46ffedcf86c4d0859f4b77883cbe66ed1dd3e7162a72a355dc7a318ce01f4
“Life” → 52d46ffedcf86c4d0859f4b77883cbe66ed1dd3e7162a72a355dc7a318ce01f4 (same input, same digest)
“Live” → b64ac05f17e64d037db81a98f51e2688216e292ae9748f979f04dfbac49fd7fc
“Pay € 1000 to Peter” → f5c86e192753d1faa4a35ac55e8087ec4a751c8002aeca1655596b380a632ebe
Digest → source string: calculation not possible!

A digest or hash is a fixed length string that is generated from a source value using a publicly known algorithm.

From the digest, it is not possible to know the source string.

Different source strings always* generate very different digests.

Sender can share information that is not understandable to the receiver.

If the receiver changes the information, it is noticeable to the sender.

→ Receiver unlikely to perform any wrongdoing.

Example use case: receiver signing on sender's behalf.

*from a practical perspective

Encoding

Moving information among different systems and networks may affect it based on system specific configurations.

In order to avoid this issue, all text information is transformed into old ASCII characters (understood worldwide) before any transmission, preventing any conversion error.

Encoding is not related to cryptology.

This is known as Base64 encoding.

Example:

• España → Espa☺a
• España → RXNwYcOxYQ== → España

[Illustration: greetings in several scripts: Ciao! ¡Hola! नमस्कार! Hello! Hallo! Здравствуйте! 안녕! 您好!]

Message exchange example

(transport level security is everywhere but not depicted)

Client: “Pay € 1000 to Peter” → Hash → f5c86e192753d1faa4a35ac55e8087ec4a751c8002aeca1655596b380a632ebe
Client → 3rd Party Signer (Internet): Request signing + encode → Aksjf943nare987a4rp9ray43n
Client: “Pay € 1000 to Peter” + QWtzamY5NDNuYXJlOTg3YTRycDlyYXk0M24= * → encrypt + encode → OWRqbm5lRUVqcnNreGplaXNGYWVsZHMwMjRuYTBkZg==* → Send
Receiver: Decode + decrypt → “Pay € 1000 to Peter” + Aksjf943nare987a4rp9ray43n → Verify Signat. ** → “Pay € 1000 to Peter”

* Didactical representation / **Verification is possible

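The hash, sign, encode and verify steps from the digest, encoding and message exchange slides, as an added Python example that is not part of the original deck. The key is a constructed toy RSA key used without padding, the function names are hypothetical, and the encrypt step is left to the transport layer.

```python
import base64
import hashlib

# Constructed toy RSA key, for illustration only: two Mersenne primes and no
# padding. Real signatures use CA-issued keys and a padded scheme (e.g. RSA-PSS).
_P, _Q = 2**521 - 1, 2**607 - 1
N = _P * _Q                                  # public modulus
E = 65537                                    # public exponent
_D = pow(E, -1, (_P - 1) * (_Q - 1))         # private exponent, signer only
_SIG_LEN = (N.bit_length() + 7) // 8


def digest(text: str) -> bytes:
    """Client: fixed-length SHA-256 digest of the UTF-8 text."""
    return hashlib.sha256(text.encode("utf-8")).digest()


def signer_sign(digest_bytes: bytes) -> str:
    """3rd party signer: sees only the digest, returns a Base64 signature."""
    if len(digest_bytes) != hashlib.sha256().digest_size:
        raise ValueError("expected a SHA-256 digest")
    sig = pow(int.from_bytes(digest_bytes, "big"), _D, N)
    return base64.b64encode(sig.to_bytes(_SIG_LEN, "big")).decode("ascii")


def client_build_message(text: str) -> dict:
    """Client: hash locally, request signing, send text plus signature."""
    return {
        "payload_b64": base64.b64encode(text.encode("utf-8")).decode("ascii"),
        "signature_b64": signer_sign(digest(text)),
    }


def receiver_verify(message: dict) -> tuple:
    """Receiver: decode, recompute the digest, compare with the signed one."""
    try:
        text = base64.b64decode(message["payload_b64"], validate=True).decode("utf-8")
        raw = base64.b64decode(message["signature_b64"], validate=True)
    except (KeyError, TypeError, ValueError):
        return (False, None)
    sig = int.from_bytes(raw, "big")
    if len(raw) != _SIG_LEN or sig >= N:
        return (False, None)
    recovered = pow(sig, E, N)               # public-key operation
    ok = recovered == int.from_bytes(digest(text), "big")
    return (ok, text if ok else None)


if __name__ == "__main__":
    msg = client_build_message("Pay € 1000 to Peter")
    print(receiver_verify(msg))              # accepted, text returned
    # Someone changes the amount in transit but cannot re-sign it.
    forged = base64.b64encode("Pay € 2000 to Peter".encode("utf-8")).decode("ascii")
    print(receiver_verify(dict(msg, payload_b64=forged)))   # rejected
```

The signer never receives the text, only its digest, which is the "receiver signing on sender's behalf" use case from the digest slide.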
SAP Cloud Platform Custom Domain – Why do we need it?

SAP Cloud Platform Load Balancer has a restricted list of globally renowned security elements issuers.

The list of root certificates is as small as possible also for performance reasons.

Italian Tax authority validates (..signs) customers certificates and are not included in SAP Cloud Platform datacenter load balancers.

In the context of SAP Document Compliance for Italy, SAP Cloud Platform Custom Domain allows customers to set up secure web service channel.

Notes:
• Another benefit of custom domains is the capability for customers to map their desired address names (e.g. myCompany.com).
• Custom domain can also be used to bypass the SAP Cloud Platform load balancer trusted CAs requirements and sign-in from SAP S/4HANA using self signed certificates.
• The custom domain quota represents the number of SSL hosts. A quota of one custom domain corresponds to one SSL host.

SAP Custom Domain Architecture

[Architecture diagram]
SAP Cloud Platform Datacenter (050.040.030.020)
• Load Balancer: Trusted CAs root certificates
• SAP published DNS entry: eu176281928.ssl.ondemand.com ➔ 050.040.030.020
SAP Cloud Platform Global Account
• SAP Cloud Platform Custom Domain
  ▪ SSL Host: eu176281928.ssl.ondemand.com
  ▪ Trusted CAs certificates bundle
  ▪ Host Key-Pair
  ▪ Canonical names Mapping table
• Subaccount: Integration Tenant l0001, WS iFlow ItalyReceiveNotification
• Subaccount: Integration Tenant l0002, WS iFlow ItalyReceiveNotification

Domain Name Registrar Company Role

It is a company accredited by the Internet Corporation for Assigned Names and Numbers (ICANN).

Offers domain registration and subdomains as part of the service package.

Subdomains are optional to map SDI calls to multiple SAP Cloud Platform Tenants.

Registrars are typically ISPs or Web Hosting companies.
https://www.icann.org/registrar-reports/accredited-list.html

SAP ERP Trust Manager (STRUST)

It is required to store in the SAP ERP the certificates:

SSL Communication from SAP ERP to SAP Cloud Platform:


▪ upload the SAP BTP Integration public certificates to the Client SSL
Anonymous PSE.

iFlow Authentication (explained later):


▪ Generate your own certificate.
▪ Get it signed by a trusted CA (both SAP and customer)
▪ Upload to a Client SSL Standard PSE and use it in SOAMANAGER

→ Distribute + Save

ICM restart notification message should appear.

How can I have my S/4HANA (etc…) certificates signed by a Trusted CA?

S/4HANA STRUST transaction:
Create a PSE (e.g. Client SSL Standard) → Generate a Certificate Sign Request → Export as a *.csr File → Import CA Signed Certificate → Import CA Intermediate and root certificates to complete the chain.

Trusted CA Company:
Upload Certificate Sign Request → Download Certificate Signed by CA → Etc…

Trusted CA may have different requirements and ask you to provide company specific data.

They may also take some time to analyze your company before issuing a certificate.

Detail of WS Runtime Configuration (SOAMANAGER)

Follow the configuration guide:

• Web Service Configuration

• Proxy and Firewall configurations

• HTTPS and Secure Store

User ID / Password not for productive usage is S* users!

Getting Transport Certificates

1. Export to file all the certificates to your local machine using a web browser both for “demo” and productive Aruba environments.
https://arss.demo.firma-automatica.it/ArubaSignService/ArubaSignService
https://arss-sap.actalis.it/ArubaSignService/ArubaSignService
2. Then go to the corresponding SAP BTP Integration Tenants and import them all.

Standard SAP Setup for Incoming Architecture

Shared SAP Custom Domain SSL Server

• A bundle of certificates must be uploaded to a single SSL server.
• Test and productive SDI calls are routed to a single SSL server.
• A single SSL server allows access to test and productive environments.
• No testing is impacted.
• Domain Name Registrar required to differentiate productive and test requests.

[Architecture diagram: Test SDI and Productive SDI → Domain Name Registrar → SAP Custom Domain SSL Server → two SAP BTP Integration Tenants → SAP S/4 HANA DEV, SAP S/4 HANA QA, SAP S/4 HANA*]

Incoming URLs
These iFlow URLs will be used during SDI Registration, Subdomain registration and CNAME Mapping.

eu176281928.ssl.ondemand.com/cxf/ItalyReceiveNotification (not standard recommendation)
test.sdi.mycompany.com/cxf/ItalyReceiveNotification

[URL annotations]
• SAP BTP Integration Tenant mapping
• Web Service Process Identification
• Iflow name
• Could be either Company Domain Name or SAP Custom domain SSL Host Name
• Optional Tax ID
• Optional Environment : “test” | “prod”

* Suggested prefix does not represent any function impact, and may be shortened in case of many Tax IDs.

SAP Custom Domain routing configured for multiple tenants with Sub Domains

[Architecture diagram]
Incoming call: https://Test.sdi.myCompany.com/cxf/ItalyReceiveNotification

Registrar managed DNS entries
Prod.myCompany.com ➔ eu176281928.ssl.ondemand.com
Test.sdi.myCompany.com ➔ eu176281928.ssl.ondemand.com
eu176281928.ssl.ondemand.com ➔ 050.040.030.020

Request: https://050.040.030.020/cxf/mySampleIFlow
GET / HTTP/1.1
Host: Test.sdi.myCompany.com
Accept: ….(etc).

SAP Cloud Platform Datacenter (050.040.030.020)
• Load Balancer: Trusted CAs root certificates
SAP Cloud Platform Global Account
• SAP Cloud Platform Custom Domain: SSL Host eu176281928.ssl.ondemand.com, Trusted CAs root certificates, Canonical names Mapping table
• Prod Subaccount: Integration Tenant l0001-iflmap…, WS iFlow ItalyReceiveNotification
• Test Subaccount: Integration Tenant l0002-iflmap…., WS iFlow ItalyReceiveNotification

Custom Domain Canonical Names (CNAMES)
Prod.sdi.myCompany.com ➔ l0001-iflmap.hcisbp.eu1.hana.ondemand.com
Test.sdi.myCompany.com ➔ l0002-iflmap.hcisbp.eu1.hana.ondemand.com

SAP Cloud Connector

[Architecture diagram]
SAP Cloud Platform Datacenter
• SAP Cloud Platform Global Account: SAP BTP Integration - iFlow
• SAP Cloud Platform Infrastructure: Cloud connector registration and mapping table
Proxy, Firewall, Firewall
DMZ
• SAP Cloud Connector pair: Virtual / Real server and port mapping; Internal Services mapping and routing; Security Mediation
Web Server, Database, SAP ERP

1 Open permanent HTTPS socket at startup
2 Send tunneled http, rfc, oData, etc… requests.

How can I consume a SAP BTP Integration service? (Authorization)
Authorization control takes place in 2 steps, first authentication, and then roles determination (authorization per se). Sample flow for certificate based authentication procedure:

[Flow diagram]
Client (Secure Store holds R, I, E): Negotiate Technology and present a certificate chain
SAP Cloud Platform Datacenter
• Custom Domain or Load Balancer (Trusted CAs hold the roots R): Verify Chain → Verify Root
• SAP BTP Integration: Subject to User Mapping → User Role Validation → iFlow Role Determination → iFlow Execution
Etc…

Standard Protocols for Security

There are several standard protocols that support multiple security features
• Usage/Adoption different across regions
• Industries also defined vertical protocols with more transactional focus.
• Standards for reliable messaging not widely adopted.

WS-Security
• Flexible in terms of technologies
• Integrity
• Authentication
• Encryption
• Multiple transport protocols

PGP
• Uses a/symmetric combination
• Confidentiality, Authentication, Integrity (Signature) and Compression
• Supported in SAP BTP Integration
• Multiple protocols supported (e.g. FTP)

Others…
• AS1/2/3
• Industry Specifics: CID-X, PID-X, RosettaNet
• SAP supports multiple industry specific protocols

Security Configuration in SAP BTP CI

Self Service User Roles


Keystore

Keystore +
Credentials

Self-Service Keystore

Designed to meet the needs of digital identity


holders

No technical knowledge required

Now private key download possible

SAP BTP Identity provider

Identity provider needs to be configured for


productive basic authentication usage of
interfaces.

Multiple authentication and identity providers


options available.

SAP BTP user name adoption can be


implemented via certificates or OAuth (only
S/4 Cloud)

All solutions
• Master Notes
• Documentation
• Implementation
Support
Thank you.
Contact information:
Daniel Bianchin
SAP Globalization Product Management

Daniel.Bianchin@sap.com