Using Secret Access Key Authentication with SSF Encryption - Amazon SDK for SAP ABAP

Using Secret Access Key Authentication with SSF Encryption

On-premises SAP systems (or systems running in other clouds) can be authenticated on Amazon by using secret access key authentication with Amazon Identity and Access Management. SAP's Secure Store and Forward Mechanism (SSF) is used to encrypt and securely store the Amazon credentials (an Access Key ID and a Secret Access Key) of an IAM user. The SAP system logs in to Amazon as an IAM user. For more information, see Managing Access Keys for IAM Users.

Prerequisites

The following prerequisites must be met before commencing the configuration:

  • IAM roles for SAP users must be created by the IAM administrator. The roles must have permissions to call the required Amazon Web Services services. For more information, see Best practices for IAM Security.

  • Create an authorization to run the /AWS1/IMG transaction. For more information, see Authorizations for configuration.

Procedure

Follow these instructions to configure SSF-encrypted credential storage:

Step 1 – Define an SSF application for Credential Storage

  1. Execute transaction code SE16 to define an SSF application.

  2. Enter the SSFAPPLIC table name, and select New Entries.

  3. Enter the following details:

    • APPLIC: ZAWS1 (name for the SSF application).

    • DESCRIPT: SSF Encryption for the Amazon SDK for SAP ABAP (description).

    • Choose the Selected (X) option for the remaining fields.

  4. Select Save.

Step 2 – Set the encryption parameters for the SSF application

  1. Execute the transaction code /n/AWS1/IMG to launch the Implementation Guide (IMG) for Amazon SDK for SAP ABAP.

  2. Expand the IMG node Amazon SDK for SAP ABAP Settings > Technical Prerequisites > Additional Settings for On-Premises systems.

  3. Execute the Set SSF Parameters IMG activity.

  4. Select New Entries, and choose the SSF application created in the previous step. Select Save.

  5. Modify the hash algorithm to SHA256 (or higher), and the encryption algorithm to AES256-CBC. Retain the other settings as default, and select Save.

These encryption settings will be used to securely encrypt Amazon credentials.

Step 3 – Create PSE for SSF Application

  1. Execute the /n/AWS1/IMG transaction, and select Amazon SDK for SAP ABAP Settings > Technical Prerequisites > Additional Settings for On-Premises systems.

  2. Execute the IMG activity Create PSE for SSF Application, which will direct you to the STRUST transaction. Select Edit.

  3. Right-click the SSF application created in Step 1 – Define an SSF application for Credential Storage, and choose Create. Ensure you choose RSA and not DSA as the algorithm. Retain all other default settings, and select Continue.

Step 4 – Assign an SSF application to the Amazon SDK for SAP ABAP

  1. Execute the /n/AWS1/IMG transaction, and select Amazon SDK for SAP ABAP Settings > Technical Prerequisites > Additional Settings for On-Premises systems.

  2. Execute the IMG activity Assign an SSF application to the Amazon SDK for SAP ABAP.

  3. Select New Entries and enter the SSF application created in Step 1 – Define an SSF application for Credential Storage. Select Save.

Step 5 – Configure SDK profile to use SSF-encrypted credentials

  1. Execute the /n/AWS1/IMG transaction, and select Amazon SDK for SAP ABAP Settings > Application Configurations.

  2. Execute the IMG activity SDK Profile.

  3. Select New Entries. Enter a profile name and description. Select Save.

  4. Highlight the entry that you created and click on the Authentication And Settings tree branch.

  5. Select New Entries and enter the following details:

    • SID: The system ID of the SAP system.

    • Client: The client of the SAP system.

    • Scenario ID: Select the DEFAULT scenario created by your Basis administrator.

    • Amazon Region: Amazon Region that you want to make calls to.

    • Authentication Method: Select Credentials from SSF Storage from the dropdown and select Save. Select Set Credentials and enter the Access Key ID and Secret Access Key of the IAM user.

    • Disable IAM roles: Keep this at the default, that is, unchecked.

    • Select Save.

  6. Click on the IAM Role Mapping tree branch. Select New Entries. Enter a sequence number, a name for the logical IAM role, and the IAM role ARN provided by the Amazon IAM administrator. Select Save.

For more information, see Application configuration.
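
The access key entered in Step 5 is a long-lived credential, so the IAM user it belongs to is best limited to assuming the roles entered under IAM Role Mapping. The following check is an added example, not part of the original documentation or the SDK: it audits an identity policy for anything beyond that, assuming the SDK reaches the mapped role through sts:AssumeRole. The policy document, account ID, and role name are constructed placeholders.

```python
import json

# Constructed sample: identity policy attached to the IAM user whose access
# key is stored in SSF. Account ID and role name are placeholders.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Resource": "arn:aws-cn:iam::111122223333:role/SapDemoRole"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "sts:*"],
     "Resource": "*"}
  ]
}
""")

# Role ARNs entered under IAM Role Mapping (constructed placeholder).
MAPPED_ROLES = {"arn:aws-cn:iam::111122223333:role/SapDemoRole"}


def _as_list(value):
    """IAM accepts a single item or a list for Statement, Action, Resource."""
    return [value] if isinstance(value, (str, dict)) else list(value)


def audit_user_policy(policy, mapped_roles):
    """Return (statement index, finding) for every Allow that grants more
    than sts:AssumeRole on an explicitly mapped role ARN."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((idx, "Allow with NotAction/NotResource"))
            continue
        for action in _as_list(stmt.get("Action", [])):
            # Action names are case-insensitive; any wildcard is flagged too.
            if action.lower() != "sts:assumerole":
                findings.append((idx, f"extra action: {action}"))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource not in mapped_roles:
                findings.append((idx, f"resource not a mapped role: {resource}"))
    return findings


if __name__ == "__main__":
    for idx, msg in audit_user_policy(SAMPLE_POLICY, MAPPED_ROLES):
        print(f"Statement[{idx}]: {msg}")
```

An empty result means the stored key can do nothing except assume the mapped roles; the permissions to call services then live only on those roles.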