SAP Connector Guide > Part II: SAP Connector Administration > SAP Connector Administration > SAP Table Connector Administration

SAP Table Connector Administration

Before users can use an SAP Table connection to process SAP table data, an SAP Administrator must perform the following tasks:

1. Download and install the Microsoft Visual C++ redistributable.
2. Download and configure the SAP libraries for SAP Table read and write.
3. Configure the sapnwrfc.ini file.
4. Configure SAP user authorization.
5. Install transport files.
6. Configure HTTPS.

After the administrator has performed the configuration, users can set up and use an SAP table connection in Data Synchronization and Mapping Configuration tasks.

Step 1. Downloading and Installing the Microsoft Visual C++ Redistributable

If you do not have Microsoft Visual C++ (VC++) installed, download and install the Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package on the Windows machine that hosts the Secure Agent. You can then run applications developed with VC++.

Perform the following steps to install the Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package:

1. Click the following URL:

http://www.microsoft.com/technet/security/bulletin/MS09-035.mspx

2. Scroll down and find the Affected Software section.

3. Click the following link to download and install the package:

Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package (KB973544)

For more information, see the following SAP Notes: 1375494 and 1025361

Step 2. Downloading and Configuring the Libraries for Table Read and Write

Before you can use an SAP Table connection, download and configure the SAP libraries. Install and configure the SAP libraries on the Secure Agent machine.

The libraries that you use are based on whether you want to read from SAP tables or write to SAP tables.

Downloading and Configuring Libraries to Read from SAP Tables

To read data from SAP tables, you must download the SAP JCo libraries and configure them on the machine where the Secure Agent runs. You must also configure the PATH system variable and the JAVA_LIBS property. Contact SAP Customer Support if you encounter any issues when you download the libraries.

1. Go to the SAP Service Marketplace: http://service.sap.com/connectors.

Note: You will need SAP credentials to access the Service Marketplace.

2. Download the appropriate installer for 32-bit or 64-bit SAP JCo libraries and unzip the following file:

Secure Agent System	SAP File Name
Windows	sapjco3-NTintel-3.0.11.zip
Linux	sapjco3-linuxintel-3.0.11.tgz

Note: If the Secure Agent runs on a 32-bit machine, download the 32-bit SAP JCo libraries. If the Secure Agent runs on a 64-bit machine, download the 64-bit SAP JCo libraries. Verify that you download the most recent version of the libraries.

3. Set the PATH environment variable to the location of the unzipped file.

4. Copy the sapjco3.jar file to the following directory: <Informatica Secure Agent installation directory>\main\bin\rdtm-extra\tpl\sap

Before you copy the jar file, you must create the tpl\sap directory within the rdtm-extra directory if the tpl\sap directory does not already exist.

Note: If you had created the 300620 plugin folder earlier, you must delete the sapjco3.jar file from the plugin folder after you upgrade the SAP Connector. The 300620 folder will contain the tpl.properties file. You must retain the tpl.properties file in the plugin folder.

5. Configure the JAVA_LIBS property in Informatica Cloud.

a. Log in to Informatica Cloud.
b. Click Configure > Runtime Environments to access the Runtime Environments page.
c. To the left of the agent name, click Edit Secure Agent.
d. From the Type list, select Tomcat JRE.
e. Enter the JAVA_LIBS value based on the operating system on which the Secure Agent runs.

Operating System	Value
Windows	../bin/rdtm-extra/tpl/sap/sapjco3.jar;../bin/rdtm/javalib/sap/sap-adapter-common.jar
Linux	../bin/rdtm-extra/tpl/sap/sapjco3.jar:../bin/rdtm/javalib/sap/sap-adapter-common.jar

f. Click OK to save the changes.
g. Restart the Secure Agent.
h. Repeat steps a through g on every machine where you installed the Secure Agent.

6. Restart the Secure Agent.

Downloading and Configuring Libraries to Write to SAP Tables

Download and configure the SAP NetWeaver RFC SDK 7.20 libraries. Contact SAP Customer Support if you encounter any issues when you download the libraries.

Note: If you performed this step for an SAP IDoc or RFC/BAPI connection, you do not need to do it again.

1. Remove the classic SAP RFC SDK 7.20 libraries.

2. Go to the SAP Service Marketplace: http://service.sap.com

Note: You must have SAP credentials to access the Service Marketplace.

3. Download Unicode SAP NetWeaver RFC SDK 7.20 libraries that are specific to the operating system that hosts the Secure Agent process and the Windows 32-bit SAP NetWeaver RFC SDK libraries.

The following table lists the libraries corresponding to the different operating systems:

Operating System	Unicode SAP NetWeaver RFC SDK Libraries
Linux.64	- libicuuc.so.34 - libsapucum.so - libicudata.so.34 - libicui18n.so.34 - libsapnwrfc.so - libicudecnumber.so
Linux.32	- libicuuc.so.34 - libsapucum.so - libicudata.so.34 - libicui18n.so.34 - libsapnwrfc.so - libicudecnumber.so
Windows EM64T	- libsapucum.dll - libicudecnumber.dll - sapnwrfc.dll - icuin34.dll - icuuc34.dll - icudt34.dll
Windows 32-bit	- libsapucum.dll - libicudecnumber.dll - sapnwrfc.dll - icuin34.dll - icuuc34.dll - icudt34.dll

4. Copy the NetWeaver RFC SDK libraries to the following directory:

<Informatica Secure Agent installation directory>\main\bin\rdtm

5. Set the following permissions for each NetWeaver RFC SDK library:

- Read, write, and execute permissions for the current user.
- Read and execute permissions for all other users.

Step 3. Configuring sapnwrfc.ini

SAP uses the communications protocol, Remote Function Call (RFC), to communicate with other systems. SAP stores RFC-specific parameters and connection information in a file named sapnwrfc.ini. To enable the Secure Agent to connect to the SAP system as an RFC client, create and configure the sapnwrfc.ini file on the machines that host the Secure Agent.

When you read data from SAP tables, if you define the path and file name of the saprfc.ini file in the SAP connection, the Secure Agent will use the saprfc.ini file. However, if you define only the path of the saprfc.ini file in the connection, the Secure Agent will first verify if an sapnwrfc.ini file exists in the specified path. If the sapnwrfc.ini file exists, the Secure Agent will use the sapnwrfc.ini file. Else, it will use the saprfc.ini file.

Note: Informatica will deprecate the saprfc.ini file in a future release. Therefore, Informatica recommends that you create and use an sapnwrfc.ini file instead of the saprfc.ini file.

To process data through RFC/BAPIs, read IDocs, write IDocs, and write data to SAP tables, you cannot use the saprfc.ini file. You must create and configure the sapnwrfc.ini file.

Use a DOS editor or WordPad to configure the sapnwrfc.ini file. Notepad can introduce errors to the sapnwrfc.ini file.

After you create the sapnwrfc.ini file, copy the file to the following directory:

<Informatica Secure Agent installation directory>\main\bin\rdtm

Configure the Connection Entries in the sapnwrfc.ini File

Use the sapnwrfc.ini file to configure the connections that you want to use.

You can configure the following types of connections in the sapnwrfc.ini file:

Connection to a specific SAP application server
Connection to use SAP load balancing
Connection to an RFC server program registered at an SAP gateway

sapnwrfc.ini Parameters

The following table describes the parameters that you can define for various connection types in the sapnwrfc.ini file.

sapnwrfc.ini Parameter	Description	Applicable Connection Types
DEST	Logical name of the SAP system for the connection. All DEST entries must be unique. You must have only one DEST entry for each SAP system. For SAP versions 4.6C and later, use up to 32 characters. For earlier versions, use up to eight characters.	Use this parameter for the following types of connections: - Connection to a specific SAP application server - Connection to use load balancing - Connection to an RFC server program registered at an SAP gateway
ASHOST	Host name or IP address of the SAP application. The Secure Agent uses this entry to attach to the application server.	Use this parameter to create a connection to a specific SAP application server.
SYSNR	SAP system number.	Use this parameter to create a connection to a specific SAP application server.
R3NAME	Name of the SAP system.	Use this parameter to create a connection to use SAP load balancing.
MSHOST	Host name of the SAP message server.	Use this parameter to create a connection to use SAP load balancing.
GROUP	Group name of the SAP application server.	Use this parameter to create a connection to use SAP load balancing.
PROGRAM_ID	Program ID. The Program ID must be the same as the Program ID for the logical system that you define in the SAP system to send or receive IDocs.	Use this parameter to create a connection to an RFC server program registered at an SAP gateway.
GWHOST	Host name of the SAP gateway.	Use this parameter to create a connection to an RFC server program registered at an SAP gateway.
GWSERV	Server name of the SAP gateway.	Use this parameter to create a connection to an RFC server program registered at an SAP gateway.
TRACE	Debugs RFC connection-related problems. Set one of the following values based on the level of detail that you want in the trace: - 0. Off - 1. Brief - 2. Verbose - 3. Full	Use this parameter for the following types of connections: - Connection to a specific SAP application server - Connection to use load balancing - Connection to an RFC server program registered at an SAP gateway

Sample sapnwrfc.ini File

The following snippet shows a sample sapnwrfc.ini file:

/*===================================================================*/
/* Connection to an RFC server program registered at an SAP gateway */
/*===================================================================*/
DEST=<destination in RfcRegisterServer>
PROGRAM_ID=<program-ID, optional; default: destination>
GWHOST=<host name of the SAP gateway>
GWSERV=<service name of the SAP gateway>
*===================================================================*/
/* Connection to a specific SAP application server */
/*===================================================================*/
DEST=<destination in RfcOpenConnection>
ASHOST=<Host name of the application server.>
SYSNR=<The back-end system number.>
/*===================================================================*/
/* Connection to use SAP load balancing */
/* The application server will be determined at run time. */
/*===================================================================*/
DEST=<destination in RfcOpenConnection>
R3NAME=<name of SAP system, optional; default: destination>
MSHOST=<host name of the message server>
GROUP=<group name of the application servers, optional; default: PUBLIC>

Step 4. Configuring SAP User Authorization

Configure the SAP user account to process SAP table data.

The following table describes the required authorization to read from SAP tables:

Read Object Name	Required Authorization
S_BTCH_JOB	DELE, LIST, PLAN, SHOW. Set Job Operation to RELE.
S_PROGRAM	BTCSUBMIT, SUBMIT
S_RFC	SYST, SDTX, SDIFRUNTIME, /INFADI/TBLRDR
S_TABU_DIS	&_SAP_ALL

The following table describes the required authorization to write to SAP tables:

Write Object Name	Required Authorization
S_RFC	/INFATRAN/ZPMW
S_TABU_DIS	&_SAP_ALL

Step 5. Installing SAP Table Connection Transport Files

Install the SAP Table connection transport files on the SAP machines that you want to access. Before you install the transports on your production system, install and test the transports in a development system.

Installing Transport Files

Install transport files from a Secure Agent directory to read from a Unicode or non-Unicode SAP system. The transport files are for SAP version ECC 5.0 or later. To install transport files for an earlier version or to write to an SAP system, contact Informatica Global Customer Support.

1. Find the transport files in the following directory on the Secure Agent machine: <Informatica Secure Agent Installation Directory>\main\bin\rdtm\sap-transport\SAPTableReader.

2. Copy the cofile transport file to the Cofile directory in the SAP transport management directory on each SAP machine that you want to access.

The cofile transport file uses the following naming convention: TABLE_READER_K<number>.G00.

3. Remove "TABLE_READER_" from the file name to rename the cofile.

For example, for a cofile transport file named TABLE_READER_K900721.G00, rename the file to K900721.G00.

4. Copy the data transport file to the Data directory in the SAP transport management directory on each SAP machine that you want to access.

The data transport file uses the following naming convention: TABLE_READER_R<number>.G00.

5. Remove "TABLE_READER_" from the file name to rename the file.

6. To import the transports to SAP, in the STMS, click Extras > Other Requests > Add and add the transport request to the system queue.

7. In the Add Transport Request to Import Queue dialog box, enter the request number for the cofile transport.

The request number inverts the order of the renamed cofile as follows: G00K<number>.

For example, for a cofile transport file renamed as K900721.G00, enter the request number as G00K900721.

8. In the Request area of the import queue, select the transport request number that you added, and click Import.

9. If you are upgrading from a previous version of the Informatica Transports, select the Override Originals option.

Step 6: Configuring HTTPS

To connect to SAP through HTTPS and read SAP table sources, you must configure the machine that hosts the Secure Agent and the machine that hosts the SAP system. You must also enable HTTPS when you configure an SAP Table connection in Informatica Cloud.

Perform the following configuration tasks on the Secure agent and SAP systems:

HTTPS Configuration on the Secure Agent System: To configure HTTPS on the machine that hosts the Secure Agent, perform the following tasks:
HTTPS Configuration on the SAP System: To configure HTTPS on the machine that hosts the SAP system, perform the following tasks:

Prerequisites

Before you create an OpenSSL certificate, verify the following prerequisites:

• Download OpenSSL from https://www.openssl.org/community/binaries.html. Install Win64OpenSSL_Light-1_0_2d.exe to a local directory on the Secure Agent machine.

The openssl.exe, ssleay32.dll, libeay32.dll, and openssl.cfg files are available in the <OpenSSL Installation Directory>.

• Based on the operating system of the machine that hosts the Secure Agent and the SAP system, download the latest available patch of the SAPGENPSE Cryptography tool from the SAP Service Marketplace. For information, see Downloading the SAP Cryptographic Library.

Typically, the SAPGENPSE files are extracted to the nt-x86_64 directory.

•Configure the following SAP Parameters: icm/server_port, ssl/ssl_lib, sec/libsapsecu, ssf/ssfapi_lib, ssf/name, icm/HTTPS/verify_client, ssl/client_pse, and wdisp/ssl_encrypt. For information, see the SAP documentation.

Create an OpenSSL Certificate

Create a self-signed certificate using OpenSSL.

1. At the command prompt, set the OPENSSL_CONF variable to the absolute path to the openssl.cfg file. For example, enter the following command: set OPENSSL_CONF= C:\OpenSSL-Win64\bin\openssl.cfg

2. Navigate the <openSSL Installation Directory>\bin directory.

3. To generate a 2048-bit RSA private key, enter the following command: openssl.exe req -new -newkey rsa:2048 -sha1 -keyout <RSAkey File_Name>.key -out <RSAkey File_Name>.csr.

4. When prompted, enter the following values:

- Private key password (PEM pass phrase). Enter a phrase that you want to use to encrypt the secret key. Re-enter the password for verification.

Important: Make a note of this PEM password. You need to specify this value in some of the following steps.

- Two letter code for country name.
- State or province name.
- Locality name.
- Organization name
- Organization unit name.
- Common name (CN). Mandatory.

Important: Enter the fully qualified host name of the machine that hosts the Secure Agent.

- Email address.

5. Enter the following extra attributes you want to send along with the certificate request:

- Challenge password.
- Optional company name.

A RSA private key of 2048-bit size is created. The <RSAkey File_Name>.key and <RSAkey File_Name>.csr files are generated in the current location.

6. To generate a self-signed key using the RSA private key, enter the following command: openssl x509 -req -days 11499 -in <RSAkey File_Name>.csr -signkey <RSAkey File_Name>.key –out <Certificate File_Name>.crt

7. When prompted, enter the PEM pass phrase for the RSA private key.

The <Certificate File_Name>.crt file is generated in the current location.

8. Concatenate the contents of the <Certificate File_Name>.crt file and the <RSAkey File_Name>.key file to a .pem file.

a. Open the <Certificate File_Name>.crt file and the <RSAkey File_Name>.key files in a Text editor.
b. Create a file and save it as <PEM File_Name>.pem.
c. Copy the contents of the <Certificate File_Name>.crt file and paste it in the .pem file.
d. Copy the contents of the <RSAKey_Name>.key file and append it to the existing contents of the .pem file.
e. Save the <PEM file name>.pem file.

9. To create a PKCS#12 certificate, enter the following command at the command prompt: openssl pkcs12 -export -in <PEM File_Name>.pem -out <P12 File_Name>.p12 –name “domain name”.

10. When prompted, enter the following details:

- The PEM pass phrase for the .pem file.
- An export password for the P12 file. Re-enter the password for verification.

Important: Make a note of this export password for the P12 file. You need to specify this value in some of the following steps and while creating the SAP Table connection in Informatica Cloud.

The <P12 File_Name>.p12 file is generated in the current location.

11. To create a Java keystore file, enter the following command: keytool -v -importkeystore -srckeystore <P12 File_Name>.p12 -srcstoretype PKCS12 -destkeystore <JKS File_Name>.jks -deststoretype JKS -srcalias "source alias" –destalias "destination alias".

12. When prompted, enter the following details:

- Password for the destination keystore, the JKS file.

Important: Make a note of this password. You need to specify this password while creating the SAP Table connection in Informatica Cloud.

- Password for the source keystore, the P12 file. Enter the Export password for the P12 file.

The <JKS File_Name>.jks file is generated in the current location.

Important: While enabling HTTPS in an SAP Table connection, you must specify the name and location of this keystore file. You must also specify the destination keystore password as the Keystore Password and the source keystore password as the Private Key Password.

Convert an OpenSSL Certificate to PSE Format

You can convert an OpenSSL certificate to PSE format using the SAPGENPSE tool.

1. At the command prompt, navigate to the <SAPGENPSE Extraction Directory>.

2. To generate a PSE file, enter the following command: sapgenpse import_p12 -p <PSE_Directory>\<PSE File_Name>.pse <P12 Certificate_Directory>\<P12 File_Name>.p12

3. When prompted, enter the following details:

- Password for the P12 file. Enter the Export password for the P12 file.
- Personal identification number (PIN) to protect the PSE file. Re-enter the PIN for verification.

The <PSE File_Name>.pse file is generated in the specified directory.

4. To generate the certificate based on the PSE format, enter the following command: sapgenpse export_own_cert -p <PSE File_Directory>\<PSE File_Name>.pse -o <Certificate_Name>.crt

5. When prompted, enter the PSE PIN number.

The <Certificate_Name>.crt file is generated in the current location. Import this certificate file to the SAP system trust store.

Enable the HTTPS Service on SAP System

Enable the HTTPS service from the SMICM transaction.

For information, see HTTP(S) Settings in ICM.

Import a Certificate to SAP System Trust Store

1. Login to SAP and go to the STRUST transaction.

2. Select SSL Client (Standard) and specify the password. In the Import Certificatedialog, you may need to select Base64 format as the certificate file format.

3. Click the Import icon and select the <Certificate_Name>.crt file in PSE format.

Note: You may need to add a DNS entry of the agent host on the SAP app server if a user is on a different network.

4. Click Add to Certificate List.

5. Restart the ICM.

For more information, see Importing the Certificate From the File System.