SAP Connector Guide > Part II: SAP Connector Administration > SAP Connector Administration > SAP Table Connector Administration
  

SAP Table Connector Administration

Before users can use an SAP table connection to process SAP table data, an SAP Administrator must perform the following tasks:
  1. 1. Verify if the required licences are enabled.
  2. 2. Download and install the Microsoft Visual C++ redistributable.
  3. 3. Download and configure the SAP libraries for SAP Table read and write.
  4. 4. Configure the sapnwrfc.ini file.
  5. 5. Configure SAP user authorization.
  6. 6. Install transport files.
  7. 7. Configure HTTPS.
After the administrator has performed the configuration, users can set up and use an SAP table connection in Data Synchronization and Mapping Configuration tasks.

Step 1. Verifying if the Required Licences are Available for SAP Table Connector

You must verify if the required licences for SAP Table Connector are available before you create an SAP table connection and process SAP table data.
    1. In the Informatica Cloud page, click the Administer tab.
    2. Under Connector Licences, verify if the SAP Table Connector licence is enabled.

Step 2. Downloading and Installing the Microsoft Visual C++ Redistributable

If you do not have Microsoft Visual C++ (VC++) installed, download and install the Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package on the Windows machine that hosts the Secure Agent. You can then run applications developed with VC++.
Perform the following steps to install the Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package:
    1. Click the following URL:
    http://www.microsoft.com/technet/security/bulletin/MS09-035.mspx
    2. Scroll down and find the Affected Software section.
    3. Download and install the package titled Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package (KB973544). Use the following URL to download the package:
    https://www.microsoft.com/en-us/download/details.aspx?id=14431
    For more information, see the following SAP Notes: 1375494 and 1025361

Step 3. Downloading and Configuring the Libraries for Table Read and Write

Before you can use an SAP Table connection, download and configure the SAP libraries. Install and configure the SAP libraries on the Secure Agent machine.
The libraries that you use are based on whether you want to read from SAP tables or write to SAP tables.

Downloading and Configuring Libraries to Read from SAP Tables

To read data from SAP tables, you must download the SAP JCo libraries and configure them on the machine where the Secure Agent runs. Contact SAP Customer Support if you encounter any issues with downloading the libraries.
    1. Go to the SAP Service Marketplace: http://service.sap.com/connectors
    Note: You will need SAP credentials to access the Service Marketplace.
    2. Download the 64-bit SAP JCo libraries based on the operating system on which the Secure Agent runs:
    Secure Agent System
    SAP File Name
    Windows
    sapjco3.jar
    sapjco3.dll
    Linux
    sapjco3.jar
    libsapjco3.so
    Verify that you download the most recent version of the libraries.
    3. Copy the JCo libraries to the following directory:
    <Informatica Secure Agent installation directory>\apps\Data_Integration_Server\ext\deploy_to_main\bin\rdtm-extra\tpl\sap
    Create the deploy_to_main\bin\rdtm-extra\tpl\sap directory if it does not already exist.
    Note: If you upgrade from a 32-bit operating system, the Secure Agent copies the 32-bit SAP JCo libraries to the directory. You must replace the 32-bit JCo libraries with 64-bit JCo libraries. If you upgrade from a 64-bit operating system, you do not need to perform this step. The Secure Agent copies the 64-bit SAP JCo libraries to the directory.
    4. Configure the JAVA_LIBS property in Informatica Cloud.
    1. a. Log in to Informatica Cloud.
    2. b. Click Configure > Runtime Environments to access the Runtime Environments page.
    3. c. To the left of the agent name, click Edit Secure Agent.
    4. d. From the Service list, select Data Integration Server.
    5. e. From the Type list, select Tomcat JRE.
    6. f. Enter the JAVA_LIBS value based on the operating system on which the Secure Agent runs.
      7. Operating System
      Value
      Windows
      ../bin/rdtm-extra/tpl/sap/sapjco3.jar;../bin/rdtm/javalib/sap/sap-adapter-common.jar
      Linux
      ../bin/rdtm-extra/tpl/sap/sapjco3.jar:../bin/rdtm/javalib/sap/sap-adapter-common.jar
    7. g. Click OK to save the changes.
    8. h. Repeat steps 2 through 7 on every machine where you installed the Secure Agent.
    5. Restart the Secure Agent.

Downloading and Configuring Libraries to Write to SAP Tables

Download and configure the SAP NetWeaver RFC SDK 7.20 libraries. Contact SAP Customer Support if you encounter any issues with downloading the libraries.
Note: If you performed this step for an SAP IDoc or RFC/BAPI connection, you do not need to do it again.
    1. Go to the SAP Service Marketplace: http://service.sap.com
    Note: You must have SAP credentials to access the Service Marketplace.
    2. Download Unicode SAP NetWeaver RFC SDK 7.20 libraries that are specific to the operating system that hosts the Secure Agent process.
    The following table lists the libraries corresponding to the different operating systems:
    Operating System
    Unicode SAP NetWeaver RFC SDK Libraries
    Linux.64
    • - libicuuc.so.34
    • - libsapucum.so
    • - libicudata.so.34
    • - libicui18n.so.34
    • - libsapnwrfc.so
    • - libicudecnumber.so
    Windows EM64T
    • - libsapucum.dll
    • - libicudecnumber.dll
    • - sapnwrfc.dll
    • - icuin34.dll
    • - icuuc34.dll
    • - icudt34.dll
    3. Copy the SAP NetWeaver RFC SDK 7.20 libraries to the following directory:
    <Informatica Secure Agent installation directory>\apps\Data_Integration_Server\ext\deploy_to_main\bin\rdtm
    Create the deploy_to_main\bin\rdtm directory if it does not already exist.
    Note: If you upgrade from a 32-bit operating system, the Secure Agent copies the 32-bit SAP NetWeaver RFC SDK 7.20 libraries to the directory. You must replace the 32-bit libraries with 64-bit libraries. If you upgrade from a 64-bit operating system, you do not need to perform this step. The Secure Agent copies the 64-bit SAP NetWeaver RFC SDK 7.20 libraries to the directory.
    4. Set the following permissions for each NetWeaver RFC SDK library:
    5. Download the 64-bit SAP JCo libraries based on the operating system on which the Secure Agent runs:
    Secure Agent System
    SAP File Name
    Windows
    sapjco3.jar
    sapjco3.dll
    Linux
    sapjco3.jar
    libsapjco3.so
    Verify that you download the most recent version of the libraries.
    6. Copy the JCo libraries to the following directory:
    <Informatica Secure Agent installation directory>\apps\Data_Integration_Server\ext\deploy_to_main\bin\rdtm-extra\tpl\sap
    Create the deploy_to_main\bin\rdtm-extra\tpl\sap directory if it does not already exist.
    Note: If you upgrade from a 32-bit operating system, the Secure Agent copies the 32-bit SAP JCo libraries to the directory. You must replace the 32-bit JCo libraries with 64-bit JCo libraries. If you upgrade from a 64-bit operating system, you do not need to perform this step. The Secure Agent copies the 64-bit SAP JCo libraries to the directory.
    7. Configure the JAVA_LIBS property in Informatica Cloud.
    1. a. Log in to Informatica Cloud.
    2. b. Click Configure > Runtime Environments to access the Runtime Environments page.
    3. c. To the left of the agent name, click Edit Secure Agent.
    4. d. From the Service list, select Data Integration Server.
    5. e. From the Type list, select Tomcat JRE.
    6. f. Enter the JAVA_LIBS value based on the operating system on which the Secure Agent runs.
      7. Operating System
      Value
      Windows
      ../bin/rdtm-extra/tpl/sap/sapjco3.jar;../bin/rdtm/javalib/sap/sap-adapter-common.jar
      Linux
      ../bin/rdtm-extra/tpl/sap/sapjco3.jar:../bin/rdtm/javalib/sap/sap-adapter-common.jar
    7. g. Click OK to save the changes.
    8. h. Repeat steps 2 through 7 on every machine where you installed the Secure Agent.
    8. Restart the Secure Agent.

Step 4. Configuring sapnwrfc.ini

SAP uses the communications protocol, Remote Function Call (RFC), to communicate with other systems. SAP stores RFC-specific parameters and connection information in a file named sapnwrfc.ini. To enable the Secure Agent to connect to the SAP system as an RFC client, create and configure the sapnwrfc.ini file on the machines that host the Secure Agent.
When you read data from SAP tables, if you define the path and file name of the saprfc.ini file in the SAP connection, the Secure Agent will use the saprfc.ini file. However, if you define only the path of the saprfc.ini file in the connection, the Secure Agent will first verify if an sapnwrfc.ini file exists in the specified path. If the sapnwrfc.ini file exists, the Secure Agent will use the sapnwrfc.ini file. Else, it will use the saprfc.ini file.
Note: Informatica will deprecate the saprfc.ini file in a future release. Therefore, Informatica recommends that you create and use an sapnwrfc.ini file instead of the saprfc.ini file.
To process data through RFC/BAPIs, read IDocs, write IDocs, and write data to SAP tables, you cannot use the saprfc.ini file. You must create and configure the sapnwrfc.ini file.
Use a DOS editor or WordPad to configure the sapnwrfc.ini file. Notepad can introduce errors to the sapnwrfc.ini file.
After you create the sapnwrfc.ini file, copy the file to the following directory and restart the Secure Agent:
<Informatica Secure Agent installation directory>\apps\Data_Integration_Server\ext\deploy_to_main\bin\rdtm\
Create the deploy_to_main\bin\rdtm directory if it does not already exist.
Note: If you are upgrading from an earlier version, you do not need to perform this step. The Secure Agent copies the sapnwrfc.ini file to the directory.

Configure the Connection Entries in the sapnwrfc.ini File

Use the sapnwrfc.ini file to configure the connections that you want to use.
You can configure the following types of connections in the sapnwrfc.ini file:
Connection to a specific SAP application server
Create this connection to enable communication between an RFC client and an SAP system. Each connection entry specifies one application server and one SAP system.
The following sample shows a connection entry for a specific SAP application server in the sapnwrfc.ini file:
DEST=sapr3
ASHOST=sapr3
SYSNR=00
Connection to use SAP load balancing
Create this connection to enable SAP to create an RFC connection to the application server with the least load at run time. Use this connection when you want to use SAP load balancing.
The following sample shows a connection entry for SAP load balancing in the sapnwrfc.ini file:
DEST=sapr3
R3NAME=ABV
MSHOST=infamessageserver.informatica.com
GROUP=INFADEV
Connection to an RFC server program registered at an SAP gateway
Create this connection to connect to an SAP system from which you want to receive outbound IDocs.
The following sample shows a connection entry for an RFC server program registered at an SAP gateway in the sapnwrfc.ini file:
DEST=sapr346CLSQA
PROGRAM_ID=PID_LSRECEIVE
GWHOST=sapr346c
GWSERV=sapgw00

sapnwrfc.ini Parameters

The following table describes the parameters that you can define for various connection types in the sapnwrfc.ini file.
sapnwrfc.ini Parameter
Description
Applicable Connection Types
DEST
Logical name of the SAP system for the connection.
All DEST entries must be unique. You must have only one DEST entry for each SAP system.
For SAP versions 4.6C and later, use up to 32 characters. For earlier versions, use up to eight characters.
Use this parameter for the following types of connections:
  • - Connection to a specific SAP application server
  • - Connection to use load balancing
  • - Connection to an RFC server program registered at an SAP gateway
ASHOST
Host name or IP address of the SAP application. The Secure Agent uses this entry to attach to the application server.
Use this parameter to create a connection to a specific SAP application server.
SYSNR
SAP system number.
Use this parameter to create a connection to a specific SAP application server.
R3NAME
Name of the SAP system.
Use this parameter to create a connection to use SAP load balancing.
MSHOST
Host name of the SAP message server.
Use this parameter to create a connection to use SAP load balancing.
GROUP
Group name of the SAP application server.
Use this parameter to create a connection to use SAP load balancing.
PROGRAM_ID
Program ID. The Program ID must be the same as the Program ID for the logical system that you define in the SAP system to send or receive IDocs.
Use this parameter to create a connection to an RFC server program registered at an SAP gateway.
GWHOST
Host name of the SAP gateway.
Use this parameter to create a connection to an RFC server program registered at an SAP gateway.
GWSERV
Server name of the SAP gateway.
Use this parameter to create a connection to an RFC server program registered at an SAP gateway.
TRACE
Debugs RFC connection-related problems.
Set one of the following values based on the level of detail that you want in the trace:
  • - 0. Off
  • - 1. Brief
  • - 2. Verbose
  • - 3. Full
Use this parameter for the following types of connections:
  • - Connection to a specific SAP application server
  • - Connection to use load balancing
  • - Connection to an RFC server program registered at an SAP gateway

Sample sapnwrfc.ini File

The following snippet shows a sample sapnwrfc.ini file:
/*===================================================================*/
/* Connection to an RFC server program registered at an SAP gateway */
/*===================================================================*/
DEST=<destination in RfcRegisterServer>
PROGRAM_ID=<program-ID, optional; default: destination>
GWHOST=<host name of the SAP gateway>
GWSERV=<service name of the SAP gateway>
*===================================================================*/
/* Connection to a specific SAP application server */
/*===================================================================*/
DEST=<destination in RfcOpenConnection>
ASHOST=<Host name of the application server.>
SYSNR=<The back-end system number.>
/*===================================================================*/
/* Connection to use SAP load balancing */
/* The application server will be determined at run time. */
/*===================================================================*/
DEST=<destination in RfcOpenConnection>
R3NAME=<name of SAP system, optional; default: destination>
MSHOST=<host name of the message server>
GROUP=<group name of the application servers, optional; default: PUBLIC>

Step 5. Configuring SAP User Authorization

Configure the SAP user account to process SAP table data.
The following table describes the required authorization to read from SAP tables:
Read Object Name
Required Authorization
S_BTCH_JOB
DELE, LIST, PLAN, SHOW.
Set Job Operation to RELE.
S_PROGRAM
BTCSUBMIT, SUBMIT
S_RFC
SYST, SDTX, SDIFRUNTIME, /INFADI/TBLRDR
S_TABU_DIS
&_SAP_ALL
The following table describes the required authorization to write to SAP tables:
Write Object Name
Required Authorization
S_RFC
/INFATRAN/ZPMW
S_TABU_DIS
&_SAP_ALL

Step 6. Installing SAP Table Connection Transport Files

Install the SAP Table connection transport files on the SAP machines that you want to access. Before you install the transports on your production system, install and test the transports in a development system.
Install the following data file and cofile to read data from SAP tables:
Optionally, you can install the following data file and cofile if you want to configure the Secure Agent as a whitelisted host in the SAP system:

Installing Transport Files

Install transport files from a Secure Agent directory to read from a Unicode or non-Unicode SAP system. The transport files are for SAP version ECC 5.0 or later. To install transport files to write to an SAP system, contact Informatica Global Customer Support.
    1. Find the transport files in the following directory on the Secure Agent machine:
    <Informatica Secure Agent installation directory>\downloads\package-SAPConnector.32\package\rdtm\sap-transport\SAPTableReader
    2. Copy the cofile transport file to the Cofile directory in the SAP transport management directory on each SAP machine that you want to access.
    The cofile transport file uses the following naming convention: TABLE_READER_K<number>.G00.
    3. Remove "TABLE_READER_" from the file name to rename the cofile.
    For example, for a cofile transport file named TABLE_READER_K900745.G00, rename the file to K900745.G00.
    4. Copy the data transport file to the Data directory in the SAP transport management directory on each SAP machine that you want to access.
    The data transport file uses the following naming convention: TABLE_READER_R<number>.G00.
    5. Remove "TABLE_READER_" from the file name to rename the file.
    6. To import the transports to SAP, in the STMS, click Extras > Other Requests > Add and add the transport request to the system queue.
    7. In the Add Transport Request to Import Queue dialog box, enter the request number for the cofile transport.
    The request number inverts the order of the renamed cofile as follows: G00K<number>.
    For example, for a cofile transport file renamed as K900745.G00, enter the request number as G00K900745.
    8. In the Request area of the import queue, select the transport request number that you added, and click Import.
    9. If you are upgrading from a previous version of the Informatica Transports, select the Overwrite Originals option.

Step 7: Configuring HTTPS

To connect to SAP through HTTPS and read SAP table sources, you must configure the machine that hosts the Secure Agent and the machine that hosts the SAP system. You must also enable HTTPS when you configure an SAP Table connection in Informatica Cloud.
Perform the following configuration tasks on the Secure agent and SAP systems:
HTTPS Configuration on the Secure Agent System
To configure HTTPS on the machine that hosts the Secure Agent, perform the following tasks:
  1. 1. Create a certificate using OpenSSL and JAVA KeyTool.
  2. 2. Convert the OpenSSL certificate (PKCS#12 certificate) to SAP specific format (PSE) using the SAPGENPSE tool.
Currently, self-signed certificates are supported
HTTPS Configuration on the SAP System
To configure HTTPS on the machine that hosts the SAP system, perform the following tasks:
  1. 1. Enable the HTTPS service on the SAP system.
  2. 2. Import the certificate in PSE format to the SAP system trust store.

Prerequisites

Before you create an OpenSSL certificate, verify the following prerequisites:

Create an OpenSSL Certificate

Create a self-signed certificate using OpenSSL.
    1. At the command prompt, set the OPENSSL_CONF variable to the absolute path to the openssl.cfg file. For example, enter the following command: set OPENSSL_CONF= C:\OpenSSL-Win64\bin\openssl.cfg
    2. Navigate the <openSSL installation directory>\bin directory.
    3. To generate a 2048-bit RSA private key, enter the following command: openssl.exe req -new -newkey rsa:2048 -sha1 -keyout <RSAkey File_Name>.key -out <RSAkey File_Name>.csr.
    4. When prompted, enter the following values:
    5. Enter the following extra attributes you want to send along with the certificate request:
    A RSA private key of 2048-bit size is created. The <RSAkey File_Name>.key and <RSAkey File_Name>.csr files are generated in the current location.
    6. To generate a self-signed key using the RSA private key, enter the following command: openssl x509 -req -days 11499 -in <RSAkey File_Name>.csr -signkey <RSAkey File_Name>.key –out <Certificate File_Name>.crt
    7. When prompted, enter the PEM pass phrase for the RSA private key.
    The <Certificate File_Name>.crt file is generated in the current location.
    8. Concatenate the contents of the <Certificate File_Name>.crt file and the <RSAkey File_Name>.key file to a .pem file.
    1. a. Open the <Certificate File_Name>.crt file and the <RSAkey File_Name>.key files in a Text editor.
    2. b. Create a file and save it as <PEM File_Name>.pem.
    3. c. Copy the contents of the <Certificate File_Name>.crt file and paste it in the .pem file.
    4. d. Copy the contents of the <RSAKey_Name>.key file and append it to the existing contents of the .pem file.
    5. e. Save the <PEM file name>.pem file.
    9. To create a PKCS#12 certificate, enter the following command at the command prompt: openssl pkcs12 -export -in <PEM File_Name>.pem -out <P12 File_Name>.p12 –name “domain name”.
    10. When prompted, enter the following details:
    The <P12 File_Name>.p12 file is generated in the current location.
    11. To create a Java keystore file, enter the following command: keytool -v -importkeystore -srckeystore <P12 File_Name>.p12 -srcstoretype PKCS12 -destkeystore <JKS File_Name>.jks -deststoretype JKS -srcalias "source alias" –destalias "destination alias".
    12. When prompted, enter the following details:
    The <JKS File_Name>.jks file is generated in the current location.
    Important: While enabling HTTPS in an SAP Table connection, you must specify the name and location of this keystore file. You must also specify the destination keystore password as the Keystore Password and the source keystore password as the Private Key Password.

Convert an OpenSSL Certificate to PSE Format

You can convert an OpenSSL certificate to PSE format using the SAPGENPSE tool.
    1. At the command prompt, navigate to the <SAPGENPSE Extraction Directory>.
    2. To generate a PSE file, enter the following command: sapgenpse import_p12 -p <PSE_Directory>\<PSE File_Name>.pse <P12 Certificate_Directory>\<P12 File_Name>.p12
    3. When prompted, enter the following details:
    The <PSE File_Name>.pse file is generated in the specified directory.
    4. To generate the certificate based on the PSE format, enter the following command: sapgenpse export_own_cert -p <PSE File_Directory>\<PSE File_Name>.pse -o <Certificate_Name>.crt
    5. When prompted, enter the PSE PIN number.
The <Certificate_Name>.crt file is generated in the current location. Import this certificate file to the SAP system trust store.

Enable the HTTPS Service on SAP System

Enable the HTTPS service from the SMICM transaction.

Import a Certificate to SAP System Trust Store

    1. Login to SAP and go to the STRUST transaction.
    2. Select SSL Client (Standard) and specify the password. In the Import Certificatedialog, you may need to select Base64 format as the certificate file format.
    3. Click the Import icon and select the <Certificate_Name>.crt file in PSE format.
    Note: You may need to add a DNS entry of the agent host on the SAP app server if a user is on a different network.
    4. Click Add to Certificate List.
    5. Restart the ICM.

Step 8: Configuring the Secure Agent as a Whitelisted Host in SAP (Optional)

When you read SAP table data, you can configure the Secure Agent as a whitelisted host in the SAP system.
Perform the following steps to configure the Secure Agent as a whitelisted host in SAP:
  1. 1. Install the TABLE_READER_R900757.G00 and TABLE_READER_K900757.G00 transport files. For more information about installing the SAP Table Connector transport files, see Installing Transport Files.
  2. 2. In Informatica Cloud, configure the JVMOption property for the Secure Agent that you want to define as a whitelisted host in SAP. Set the value of the property to -Dsap_whitelist_check=1 if you want SAP to validate the Secure Agent. You can specify the value in any JVMOption field.
  3. 3. In SAP, use transaction SE16 to create an entry for the Secure Agent in the SAP HTTP_Whitelist table. SAP stores whitelist information in the HTTP_Whitelist table.
If you set the value of the JVMOption property to -Dsap_whitelist_check=1, when the Secure Agent runs a task or mapping to read SAP table data, SAP validates that a corresponding entry exists for the Secure Agent in the SAP HTTP_Whitelist table. If the entry exists, the task or mapping runs successfully. Otherwise, the task or mapping fails.

Configuring the JVMOption Property in Informatica Cloud

Configure the JVMOption property in Informatica Cloud to define the Secure Agent as a whitelisted host in the SAP system. You can specify the value in any JVMOption field.
    1. Log in to Informatica Cloud.
    2. Click Configure > Runtime Environments to access the Runtime Environments page.
    3. To the left of the agent name, click Edit Secure Agent.
    4. In the System Configuration Details section, from the Service list, select Data Integration Server.
    5. Edit any JVMOption field to add the following value: -Dsap_whitelist_check=1
    6. Repeat steps 2 through 5 for every Secure Agent that you want to define as a whitelisted host in SAP.

Creating an Entry for the Secure Agent in the SAP HTTP_Whitelist Table

SAP stores whitelist information in the HTTP_Whitelist table. Use transaction SE16 to create an entry for the Secure Agent in the SAP HTTP_Whitelist table and configure the Secure Agent as a whitelisted host in the SAP system.
    1. Go to transaction SE16.
    2. Configure properties to define the Secure Agent as a whitelisted host in SAP.
    The following table describes the properties that you must configure:
    Property
    Description
    MANDT
    Required. SAP client number.
    ENTRY TYPE
    Required. URL type to be compared with this entry.
    Enter 01 to indicate that the URL is a CSS theme URL.
    SORT KEY
    Required. Unique value to be used as the primary key.
    You can enter numbers and alphabets.
    PROTOCOL
    Protocol that SAP must validate.
    Enter HTTP or HTTPS.
    If you do not enter a value, SAP does not validate the protocol.
    HOST
    Host machine that SAP must validate.
    Enter the IP address of the machine that hosts the Secure Agent.
    PORT
    Port number that SAP must validate.
    Leave the Port field blank to indicate that SAP does not need to validate the port.
    URL
    URL that SAP must validate.
    Enter * to indicate that SAP does not need to validate the URL.
    3. Repeat steps 1 and 2 for every Secure Agent that you want to configure as a whitelisted host in SAP.