SAP system authentication on Amazon
Before an SAP system can make calls to Amazon on behalf of SAP users, the SAP system must authenticate itself to Amazon. Amazon SDK for SAP ABAP supports the following three methods of authentication, which are selected in the SDK profile settings in IMG.
Amazon SDK for SAP ABAP - BTP edition can only be authenticated with the Secret access key authentication method using SAP Credential Store.
Amazon EC2 instance metadata authentication
SAP systems running on Amazon EC2 can acquire short-lived, automatically-rotating credentials from Amazon EC2 instance metadata. For more information, see Using credentials for Amazon EC2 instance metadata.
We strongly recommend this method of authentication when using SDK for SAP ABAP. To enable it, the Basis administrator must enable outbound HTTP communication. No further Basis configuration is required.
Note
This method of authentication applies only if your SAP systems are running on Amazon EC2. SAP systems hosted on-premises or in other cloud environments cannot authenticate using this method.
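A pre-flight check for the SAP host, added here as an example and not part of the SDK or the original page: it requests role credentials from instance metadata over IMDSv2 and reports whether they are temporary and how long they remain valid, without printing the secrets. The function names and the `SAMPLE` document are constructed for illustration.

```python
import json
import urllib.request
from datetime import datetime, timezone

IMDS = "http://169.254.169.254/latest"  # link-local instance metadata endpoint
REQUIRED = ("AccessKeyId", "SecretAccessKey", "Token", "Expiration")

# Constructed sample of the credentials document (all values are fake).
SAMPLE = {"Code": "Success", "Type": "AWS-HMAC", "AccessKeyId": "ASIAEXAMPLEEXAMPLE00",
          "SecretAccessKey": "constructed-secret", "Token": "constructed-token",
          "LastUpdated": "2024-01-01T12:00:00Z", "Expiration": "2024-01-01T18:00:00Z"}


def summarize_credentials(doc, now=None):
    """Check a credentials document and report its lifetime, never the secrets."""
    now = now or datetime.now(timezone.utc)
    missing = [k for k in REQUIRED if not doc.get(k)]
    if doc.get("Code") != "Success" or missing:
        return {"usable": False, "reason": f"code={doc.get('Code')!r} missing={missing}"}
    expires = datetime.strptime(doc["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    remaining = int((expires.replace(tzinfo=timezone.utc) - now).total_seconds())
    return {"usable": remaining > 0,
            "temporary": doc["AccessKeyId"].startswith("ASIA"),  # STS-issued key prefix
            "seconds_remaining": remaining,
            "reason": "ok" if remaining > 0 else "expired"}


def _get(url, headers, timeout, method="GET"):
    """Small HTTP helper; raises OSError subclasses on network or HTTP errors."""
    req = urllib.request.Request(url, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def fetch_credentials(timeout=2):
    """IMDSv2: get a session token, find the attached role, read its credentials."""
    token = _get(f"{IMDS}/api/token", {"X-aws-ec2-metadata-token-ttl-seconds": "60"},
                 timeout, method="PUT")
    hdr = {"X-aws-ec2-metadata-token": token}
    base = f"{IMDS}/meta-data/iam/security-credentials/"
    role = _get(base, hdr, timeout).split()[0]  # first (normally only) role name
    return role, json.loads(_get(base + role, hdr, timeout))


if __name__ == "__main__":
    try:
        role, doc = fetch_credentials()
    except (OSError, IndexError) as exc:
        print("no role credentials from instance metadata:", exc)
    else:
        print(role, summarize_credentials(doc))
```

A failure here on an Amazon EC2 host usually means no instance profile is attached or outbound HTTP to the metadata endpoint is blocked.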
Secret access key authentication
With this method, you use an Access Key ID and a Secret Access Key to authenticate your SAP system on Amazon. The SAP system logs in to Amazon using an IAM user. For more information, see Managing Access Keys for IAM Users.
The Basis administrator receives an Access Key ID and a Secret Access Key from the Amazon IAM administrator. Your SAP system must be configured to store the Access Key ID and Secret Access Key.
- Secure, store, and forward (SSF)
  - Use the SSF functionality to authenticate Amazon SDK for SAP ABAP. For more information, see Digital Signatures and Encryption.
  - You can also test SSF’s envelope and develope functionality with the SSF02 report. For more information, see Testing the SSF Installation.
  - The steps for configuring SSF for SDK for SAP ABAP are described in the /AWS1/IMG transaction. Go to Technical Prerequisites, and then select Additional Settings for On-Premises Systems.
- SAP Credential Store
  - Use SAP Credential Store to authenticate Amazon SDK for SAP ABAP - BTP edition. For more information, see What Is SAP Credential Store?
  - See Using SAP Credential Store for configuration steps.
Certificate-based authentication using IAM Roles Anywhere
An X.509 certificate issued by your certificate authority (CA) can be used for authentication with Amazon Identity and Access Management Roles Anywhere. The certificate must be configured in STRUST. The CA must be registered with IAM Roles Anywhere as a trust anchor, and a profile must be created to specify the roles and policies that IAM Roles Anywhere would assume. For more information, see Creating a trust anchor and profile in Amazon Identity and Access Management Roles Anywhere.
For detailed steps on how to use IAM Roles Anywhere with SDK for SAP ABAP, see Using certificates with IAM Roles Anywhere.
Note
Certificate revocation is only supported through the use of imported certificate revocation lists. For more information, see Revocation.
Next step
After authenticating your SAP system in Amazon, SDK for SAP ABAP automatically performs an sts:assumeRole to assume the appropriate IAM role for the SAP user’s business function.