Authenticate with JSON Web Tokens

This document shows how to set up authentication to access Google Cloud when your SAP system is running on a host that is on premises, on another cloud provider, in another environment outside of Google Cloud, or managed by SAP through the SAP RISE program.

For authentication to Google Cloud, you use Google Cloud signed JSON Web Tokens (JWT) to obtain access tokens from Google Cloud. The high-level configuration steps are as follows:

  1. Create a service account for JWT based authentication to Google Cloud.
    1. Grant the service account the IAM role that is required to create tokens.
    2. Create a service account key (P12).
    3. Enable JWT signing for the service account on the SAP LT Replication Server host.
  2. Configure security settings for Google Cloud on the SAP LT Replication Server host.
    1. Create a new SSF application and enable STRUST node for the SSF application.
    2. Import the service account key into STRUST.
  3. Create another service account for authorization to access BigQuery.
    1. Grant the service account the IAM roles that are required to access BigQuery.
    2. Add the BigQuery Connector for SAP service account as a principal to the BigQuery project.
    3. Set up TLS/SSL certificates and HTTPS.
  4. Create ABAP configurations.
    1. Create new RFC destinations.
    2. Specify access settings in /GOOG/CLIENT_KEY.
    3. Specify RFC destinations in /GOOG/SERVIC_MAP.
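As an added illustration that is not part of the connector's own ABAP code, the Python below assembles the signed-JWT assertion and token request that this kind of token retrieval relies on, assuming Google's standard OAuth 2.0 service-account JWT bearer grant. The `sign` callable stands in for the RS256 signature that STRUST/SSF computes with the imported P12 key, and the service account address is a constructed sample.

```python
import base64
import json
from urllib.parse import urlencode

# Scope and service-account address format are from the page; the token endpoint,
# grant type and one-hour limit are Google's documented OAuth 2.0 service-account
# JWT bearer flow (assumption: the connector follows that flow).
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
SCOPE = "https://www.googleapis.com/auth/cloud-platform"
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
MAX_LIFETIME = 3600  # the token endpoint rejects assertions valid for longer


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def build_claims(service_account: str, now: int, lifetime: int = MAX_LIFETIME) -> dict:
    """Claim set naming the signing service account (iss) and the requested scope."""
    return {"iss": service_account, "scope": SCOPE, "aud": TOKEN_ENDPOINT,
            "iat": now, "exp": now + lifetime}

def check_claims(claims: dict, now: int) -> list:
    """Reasons the token endpoint would reject this claim set (empty list = OK)."""
    problems = [f"missing claim {k}" for k in ("iss", "scope", "aud", "iat", "exp")
                if k not in claims]
    if problems:
        return problems
    if claims["aud"] != TOKEN_ENDPOINT:
        problems.append("aud must be the token endpoint")
    if claims["exp"] - claims["iat"] > MAX_LIFETIME:
        problems.append("lifetime exceeds one hour")
    if claims["exp"] <= now:
        problems.append("assertion already expired (check the SAP host clock)")
    if claims["iat"] > now + 60:
        problems.append("iat is in the future (check the SAP host clock)")
    return problems

def build_assertion(claims: dict, sign) -> str:
    """Serialise header.payload and append the signature produced by `sign`.
    `sign` stands in for the RS256 signature STRUST/SSF computes with the P12 key."""
    header = {"alg": "RS256", "typ": "JWT"}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(claims)}"
    return f"{signing_input}.{_b64url(sign(signing_input.encode()))}"

def token_request_body(assertion: str) -> str:
    """Form body POSTed to TOKEN_ENDPOINT; the response carries the access token."""
    return urlencode({"grant_type": JWT_BEARER_GRANT, "assertion": assertion})
```

The check_claims function catches the two failures most often seen in practice when the SAP host's clock drifts: an assertion that is already expired, or an iat in the future.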

Create a service account for JWT based token retrieval

For JWT based authentication to Google Cloud, BigQuery Connector for SAP needs an IAM service account.

Create a service account

To create a service account for JWT based token retrieval, complete the following steps:

  1. In the Google Cloud console, go to the IAM & Admin Service accounts page.

  2. If prompted, select your Google Cloud project.

  3. Click Create Service Account.

  4. Specify a name for the service account and, optionally, a description.

  5. Click Create and Continue.

  6. In the Grant this service account access to project panel, select the Service Account Token Creator role.

  7. Click Continue.

  8. As appropriate, grant other users access to the service account.

  9. Click Done. The service account appears in the list of service accounts for the Google Cloud project.

Create a service account key

You need to create a P12 service account key for the service account used for JWT based token retrieval.

To create a service account key, complete the following steps:

  1. In the Google Cloud console, go to the IAM & Admin Service accounts page.

  2. Select your Google Cloud project.

  3. Click the email address of the service account that you created for JWT based token retrieval in the previous section, Create a service account.

  4. Under the service account name, click the Keys tab.

  5. Click the Add Key drop-down menu, and then select Create new key to create a service account key.

  6. Accept P12 as the key type and click Create.

    A private key is saved to your computer.

  7. Make a note of the password for the private key file, notasecret.

    Provide the private key and password to your SAP administrator to import the private key into STRUST, as described in Import the service account key into STRUST.

Enable JWT signing for the service account on the SAP LT Replication Server host

To enable JWT signing for the service account that you created for JWT based token retrieval, you need to add the parameter JWT_SERVC_ACCT to the table /GOOG/BQ_PARAM and configure the service account.

To enable JWT signing for a service account, complete the following steps:

  1. In the SAP GUI, enter the /GOOG/SLT_SETTINGS transaction preceded by /n:

    /n/GOOG/SLT_SETTINGS
  2. From the Settings Table drop-down menu in the launch screen for the /GOOG/SLT_SETTINGS transaction, select Parameters.

  3. Click the Execute icon. The BigQuery Settings Maintenance - Parameters screen displays.

  4. Click the Insert Row icon.

  5. In the displayed row, specify the following settings:

    1. In the Parameter Name field, enter JWT_SERVC_ACCT. The parameter description is automatically populated.
    2. In the Parameter Value field, enter the email address of the service account that you created for JWT based token retrieval in the previous section, Create a service account.
  6. Click Save.

    Your settings are stored as a record in the /GOOG/BQ_PARAM configuration table and the Changed By, Changed On, and Changed At fields are automatically populated.

Configure security settings for Google Cloud on the SAP LT Replication Server host

This section describes how to configure security settings for Google Cloud on the SAP LT Replication Server host, which involves creating an SSF Application entry and importing the service account key into STRUST.

Create a new Secure Store and Forward (SSF) Application

In the table SSFAPPLIC, the ZG_JWT entry is imported as part of the BigQuery Connector for SAP transport. If the ZG_JWT entry is not imported, you need to create a new entry with the name ZG_JWT by using transaction SE16.

To create a new entry in the table SSFAPPLIC, complete the following steps:

  1. In the SAP GUI, enter transaction code SE16.
  2. In the Table Name field, enter SSFAPPLIC, and then create a new entry.
  3. For the APPLIC field, enter ZG_JWT.
  4. Select all fields except B_INCCERTS, B_DETACHED, B_ASKPWD, and B_DISTRIB.
  5. In the DESCRIPT field, enter JWT Signature for GCP.
  6. Save the new entry.

    This entry becomes a new node in transaction STRUST, where you import the service account key.

Enable the STRUST node

Use transaction SSFA to enable the STRUST node for JWT Signature for GCP.

To enable the STRUST node, complete the following steps:

  1. In the SAP GUI, enter transaction SSFA.
  2. Click New Entries.
  3. In the SSF Application drop-down list, select JWT Signature for GCP. This is the new entry that you created in the table SSFAPPLIC.

    The following screenshot shows the application-specific SSF parameters that are automatically populated by SAP.

    [Screenshot: application-specific SSF parameters]

  4. Save the new entry.

    A new node SSF JWT Signature for GCP is enabled in transaction STRUST. Now you import the service account key into this node.

Import the service account key into STRUST

To import the service account key into STRUST, complete the following steps:

  1. In the SAP GUI, enter transaction code STRUST.

    Verify that the new node SSF JWT Signature for GCP is displayed in transaction STRUST.

  2. Import the private key file:

    1. Select PSE > Import from the menu bar.
    2. Depending on your source system type, select the appropriate private key:
      • S/4HANA
        1. Select the P12 private key.
        2. Enter the file password notasecret, and then click OK.
      • ECC
        1. Select the PSE private key. You need to convert the P12 private key that you downloaded earlier into a PSE private key. For more information about converting a P12 key into a PSE key, see Convert P12 key into PSE key.
        2. Enter the file PIN that you created during the private key conversion from P12 key to PSE key, and then click OK.
  3. Select PSE > Save as.

  4. Select the SSF Application option button, and in the corresponding field, select the new SSF Application node that you created in Create a new Secure Store and Forward (SSF) Application.

  5. Save the new entry.

    The service key is attached to the SSF application node SSF JWT Signature for GCP.

Convert the P12 private key into a PSE key

If your source system is SAP NetWeaver 7.0x (SAP ECC), then you need to convert the P12 key into a PSE key.

To convert the P12 key into a PSE key, complete the following steps:

  1. Go to the path:

    /usr/sap/SID/SYS/exe/run/

    Replace SID with the SAP system ID.

  2. Run the following command after replacing the placeholders:

    sapgenpse import_p12 -p PSE_PATH_AND_FILE_NAME P12_PATH_AND_FILE_NAME.p12

    Replace the following:

    • PSE_PATH_AND_FILE_NAME: specify the path and filename for the PSE file
    • P12_PATH_AND_FILE_NAME: specify the path and filename for the P12 key file
  3. Enter the password of P12 private key file, notasecret.

  4. Create a new PIN for the PSE private key and re-enter your PIN.

  5. Make a note of the PIN. You need to provide this PIN when importing the PSE private key file into STRUST.

For information from SAP about how to convert a P12 key into a PSE key, see:

Create a service account for authorization to access BigQuery

This section describes how to create a service account, add it to the BigQuery project with the necessary roles, and set up TLS/SSL certificates for secure communication.

Create a service account

BigQuery Connector for SAP needs an IAM service account for authentication and authorization to access BigQuery.

This service account must be a principal in the Google Cloud project that contains your BigQuery dataset. If you create the service account in the same project as the BigQuery dataset, the service account is added as a principal to the project automatically.

If you create the service account in a project other than the project that contains the BigQuery dataset, you need to add the service account to the BigQuery dataset project in an additional step.

To create a service account, complete the following steps:

  1. In the Google Cloud console, go to the IAM & Admin Service accounts page.

  2. If prompted, select your Google Cloud project.

  3. Click Create Service Account.

  4. Specify a name for the service account and, optionally, a description.

  5. Click Create and Continue.

  6. If you are creating the service account in the same project as the BigQuery dataset, in the Grant this service account access to project panel, select the following roles:

    • BigQuery Data Editor
    • BigQuery Job User

    If you are creating the service account in a different project than the BigQuery dataset, do not grant any roles to the service account.

  7. Click Continue.

  8. As appropriate, grant other users access to the service account.

  9. Click Done. The service account appears in the list of service accounts for the project.

  10. If you created the service account in a different project than the project that contains the BigQuery dataset, note the name of the service account. You specify the name when you add the service account to the BigQuery project. For more information, see Add the service account to the BigQuery project.

The service account is now listed as a principal on the IAM Permissions page of the Google Cloud project in which the service account was created.

Add the service account to the BigQuery project

If you created the service account for BigQuery Connector for SAP in a project other than the project that contains the target BigQuery dataset, you need to add the service account to the BigQuery dataset project.

If you created the service account in the same project as the BigQuery dataset, you can skip this step.

To add an existing service account to the BigQuery dataset project, complete the following steps:

  1. In the Google Cloud console, go to the IAM Permissions page.

  2. Confirm that the name of the project that contains the target BigQuery dataset is displayed near the top of the page. For example:

    Permissions for project "PROJECT_NAME"

    If it is not, switch projects.

  3. On the IAM page, click Add. The Add principals to "PROJECT_NAME" dialog opens.

  4. In the Add principals to "PROJECT_NAME" dialog, complete the following steps:

    1. In the New principals field, specify the name of the service account.
    2. In the Select a role field, specify BigQuery Data Editor.
    3. Click ADD ANOTHER ROLE. The Select a role field displays again.
    4. In the Select a role field, specify BigQuery Job User.
    5. Click Save. The service account appears in the list of project principals on the IAM page.

The service account can now be used to access the BigQuery dataset in this project.

Set up TLS/SSL certificates and HTTPS

Communication between BigQuery Connector for SAP and the BigQuery API is secured by using TLS/SSL and HTTPS.

  1. For connecting to Google services, follow the Google Trust Services advice. At a minimum, you must download all root CA certificates from the Google Trust Services repository.

    To ensure that you're using the latest trusted root CA certificates, we recommend that you update your system's root certificate store every six months. Google announces new and removed root CA certificates at Google Trust Services. To receive automatic notifications, subscribe to the RSS feed on Google Trust Services.

  2. In the SAP GUI, use the STRUST transaction to import the root CA certificates into the SSL client SSL Client (Standard) PSE folder.

    For more information from SAP, see SAP Help - Maintain PSE Certification list.

  3. On the SAP LT Replication Server host, confirm that any firewall rules or proxies are configured to allow egress traffic from the HTTPS port to the BigQuery API.

    Specifically, SAP LT Replication Server needs to be able to access the following Google Cloud APIs:

    • https://bigquery.googleapis.com
    • https://iamcredentials.googleapis.com

    If you want BigQuery Connector for SAP to access Google Cloud APIs through Private Service Connect endpoints in your VPC network, then you must configure RFC destinations and specify your Private Service Connect endpoints in those RFC destinations. For more information, see RFC destinations.

For more information from SAP about setting up TLS/SSL, see SAP Note 510007 - Additional considerations for setting up TLS/SSL on Application Server ABAP.

Create ABAP configurations

This section describes the essential ABAP configurations for enabling secure communication and data transfer.

Create RFC destinations

RFC destinations GOOG_OAUTH2_TOKEN, GOOG_IAMCREDENTIALS, and GOOG_BIGQUERY are imported as part of the BigQuery Connector for SAP transport. If these RFC destinations are not imported, you need to create the RFC destinations GOOG_OAUTH2_TOKEN, GOOG_IAMCREDENTIALS, and GOOG_BIGQUERY by using transaction SM59.

For information about creating RFC destinations, see Configure RFC destinations.

Specify access settings in /GOOG/CLIENT_KEY

Use transaction SM30 to specify settings for access to Google Cloud. BigQuery Connector for SAP stores the settings as a record in the /GOOG/CLIENT_KEY custom configuration table.

To specify the access settings, complete the following steps:

  1. In the SAP GUI, enter transaction code SM30.

  2. Select the /GOOG/CLIENT_KEY configuration table.

  3. Enter values for the following table fields:

    • Name (String): The name of this CLIENT_KEY configuration.
    • Service Account Name (String): The name of the service account, in email address format, that was created for BigQuery Connector for SAP in the step Create a service account. For example: sap-example-svc-acct@example-project-123456.iam.gserviceaccount.com.
    • Scope (String): The access scope. Specify the https://www.googleapis.com/auth/cloud-platform API access scope, as recommended by Compute Engine.
    • Project ID (String): The ID of the project that contains your target BigQuery dataset.
    • Command name (String): Leave this field blank.
    • Authorization Class (String): The authorization class. Specify /GOOG/CL_GCP_AUTH_JWT.
    • Authorization Field (Not applicable): Leave this field blank.
    • Token Refresh Seconds (Integer): Leave this field blank.

Specify RFC destinations in /GOOG/SERVIC_MAP

Use transaction SM30 to specify RFC destinations in the service mapping table /GOOG/SERVIC_MAP.

To specify the RFC destinations, complete the following steps:

  1. In the SAP GUI, enter transaction code SM30.

  2. In the /GOOG/CLIENT_KEY table that you created in the preceding section, note the value for the Name field.

  3. In the table /GOOG/SERVIC_MAP, create entries with the following field values:

    Name                    Service Name                     RFC Destination
    CLIENT_KEY_TABLE_NAME   googleapis.com/oauth2            GOOG_OAUTH2_TOKEN
    CLIENT_KEY_TABLE_NAME   iamcredentials.googleapis.com    GOOG_IAMCREDENTIALS

    Replace CLIENT_KEY_TABLE_NAME with the value of the Name field that you noted in the preceding step.

What's next