SAP Group Reporting Data Collection is a companion app of SAP S/4HANA for group reporting. It is designed to provide agile and flexible data collection capability and let you collect additional financial or non-financial data required for consolidation.
This article will give you a clear understanding of the overall architecture of SAP Group Reporting Data Collection.
It will then guide you through the required configuration steps to integrate with SAP S/4HANA for group reporting On-Premise edition.
Technical Architecture
From a tech perspective, SAP Group Reporting Data Collection a set of cloud native apps deployed on SAP Business Technology Platform (SAP BTP), which connects to SAP S/4HANA – the apps aren’t part of SAP S/4HANA. Our native cloud app follows SAP Cloud Application Programming Model, exposing SAP Fiori user interface, and relying on a backend which handles business objects.
SAP Group Reporting Data Collection uses services available on SAP BTP, such as the “SAP HANA services as database” to store all your configured items. Our app can also be integrated with services like “Audit Log” or “Personal Data Manager” to ensure regulatory and GDPR compliance.
Communication with the SAP S/4HANA backend rely on the “Connectivity” and “Destination” services. With these services, you can define the location of the SAP S/4HANA instance linked to your subscription, and establish a tunnel to access it.
The integration with SAP S/4HANA is achieved through Remote Function Call and public APIs, such as Reported Financial Data for Group Reporting – Bulk Import, Master Data for Group Reporting – Read or Transaction Data for Group Reporting – Read. SAP Group Reporting Data Collection is always used in combination with SAP S/4HANA for group reporting is mandatory, as all the master data and financials figures are stored in SAP S/4HANA (in the ACDOCU table).
You access the apps in a “provider-subscriber” mode. We in SAP manage a subaccount where the apps are deployed, and where the required services are instantiated. From your own subaccount, you can subscribe to the apps, and manage your dedicated configuration (the forms you created, your data mapping definitions).
Configuration
The following steps will guide through the configuration required for SAP Group Reporting Data Collection.
For more details, you can access all our documentation from the SAP Help Portal: https://help.sap.com/viewer/product/SAP_Group_Reporting_Data_Collection/1.0/en-US
Note: following configuration has been done by using the SAP S/4HANA 2020, Fully Activated Appliance from the Cloud Appliance Library
PuTTy has been used as tool to connect to the Application Server OS and execute command lines.
Prerequisite
- You need to have a subaccount for the Cloud Foundry environment
- This subaccount must be in one of the region supported by GRDC. You can check the following help page for details: https://help.sap.com/docs/SAP_Group_Reporting_Data_Collection/e29950571a2b4065b1dacaf881c67413/50034...
For more information, see the SAP Business Technology Patform Basic Platform Concepts Regions documentation: https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/350356d1dc314d3199dca15bd2a....
Deployment Overview
In the case of integration with an On Premise instance of S/4HANA, it will require to use the SAP Cloud Connector which will act as a reverse proxy to access your instance.
Communication with the S/4HANA backend use both HTTPS and RFC SNC protocol. It will require specific configuration for each of them
The configuration will require to:
- Ensure that Secure Network Communication (SNC) is enabled
- Establish trust between Cloud Connector and Application Server
- Using certificates exchange
- Maintaining Access Control List in Application server for Cloud Connector
- Maintain certificate mapping rules to extract identity
Principal Propagation
A big part of the configuration is to allow Principal Propagation. This mean that the identity of the user connected to SAP Group Reporting Data Collection will be sent along while calling SAP S/4HANA backend.
User connected to SAP Group Reporting Data Collection get a JSON Web Token emitted by the User Account and Authentication service from the SAP Business Technology Platform
While calling SAP S/4HANA backend, this token will be sent to the Cloud Connector. It will extract the identity of the user (principal propagation can based on email address or login name according to your configuration) and encapsulate it into a x.509 certificate.
This certificate is then sent to the SAP S/4HANA backend where the user will be authenticated using rules defines in the backend.
Prepare On-Premise
Enable SNC
This is done through transaction SNCWIZARD
you will have to restart the Application Server after modifying this
- /usr/sap/hostctrl/exe/sapcontrol -nr 00 -function RestartSystem
Prepare Cloud Connector (for HTTPS)
We have to configure three certificates in Cloud Connector.
- System Certificate
- CA Certificate and
- User Certificate
Login to Cloud Connector and go to Tab "On Premise" of the Configuration section
Create System and CA certificates (if required, you can use self-signed certificates at this stage)
in Principal Propagation section, define Subject Pattern as CN=${email}
Prepare Cloud Connector (for SNC)
In order to achieve the Secure Network Communication, the Cloud Connector will have to get access to a cryptographic library (SAP CryptoLib in our example) and its own Personal Security Environment (PSE)
In order to enable the Cloud Connector for that, you can perform the following steps
- Create dedicated folder for SCC PSE
- mkdir -p /usr/sap/SCC/sec
- Define environment variable
- stop service : service scc_daemon stop
- update file vi /usr/local/sbin/rcscc_daemon
- Add lines before "# INIT_SECTION_END"
- export SECUDIR=/usr/sap/SCC/sec
- Add lines before "# INIT_SECTION_END"
This is the lazy way : configuration will be lost if you update your Cloud Connector
For a more sustainable way, you can check following note : 2845890
- restart service : service scc_daemon start
- Maintain path to SAP Cryptographic Library
- /usr/sap/HDB/SYS/exe/hdb/libsapcrypto.so
- Maintain "My Name" for SNC
- Will be used to maintain Access Control List
Configure SAP S/4HANA On-premise backend
To do the necessary configurations, we need to perform the following steps:
- Import the System certificate downloaded from the Cloud connector into the SSL Server standard (Transaction code – STRUST)
- Define the rule-based mapping by importing the Sample certificate downloaded from Cloud connector. (Transaction code – CERTRULE)
- Maintain the reverse proxy parameters in the Default Profile. (Transaction code – RZ10)
- Restart the ICM and check the profile parameters. (Transaction code – SMICM)
A good reference for this is the following blog entry: https://blogs.sap.com/2020/12/23/principal-propagation-setup-with-sap-s-4hana-on-premise-system-and-...
Certificate Exchange for RFC SNC
Export SNC SAPCryptolib Certificate (as snc_s4h.crt)
Create PSE for Cloud Connector :
- Fix environement variable for the whole process
- export SECUDIR=/usr/sap/SCC/sec
- Create PSE
- /usr/sap/S4H/SYS/exe/uc/linuxx86_64/sapgenpse get_pse -v -p SCC.pse
- when requested for Distinguished name of PSE owner, enter CN=SCC
- Export certificate of PSE, it will be used in STRUST
- /usr/sap/S4H/SYS/exe/uc/linuxx86_64/sapgenpse export_own_cert -o SCC_SNC2.crt -p SCC.pse
- Import certificate of SNC SAPCryptolib PSE (you have to export it prior to this)
- /usr/sap/S4H/SYS/exe/uc/linuxx86_64/sapgenpse maintain_pk -v -a snc_s4h.crt -p SCC.pse
- Create credential file for account running the Cloud Connector
- /usr/sap/S4H/SYS/exe/uc/linuxx86_64/sapgenpse seclogin -p SCC.pse -O sccadmin
Tips : once files SCC.pse and cred_v2 are created : give read access to sccadmin
- chmod 644 cred_v2
- chmod 644 SCC.pse
Add SCC PSE certificate (SCC_SNC2.crt) to SNC SAPCryptolib PSE using STRUST transaction
Maintain Access Control List for SNC connections
The ABAP uses an additional security measure to protect access. To enable the SNC communication for the Cloud Connector you need to maintain the ACL for SNC connections.
These settings are done through transaction SNC0
Configure the Cloud Connector
Once preparation of the landscape is achieved, you can go with configuration of the Cloud Connector.
First, you have to add the Subaccount from which you will subscribed to SAP Group Reporting Data Collection.
From the "Cloud To On-Premise" section, go to Maintain Access Control and add required mappings as detailed in https://help.sap.com/viewer/e29950571a2b4065b1dacaf881c67413/1.0/en-US/b2d3a4028641456cac64c9cc11bf6...
The result should look as follow:
Tips : SNC Partner Name can be found through transaction RZ10 - Parameter snc/identity/as
Enable services of SAP S/4HANA
To enable communication through SOAP web services, you must activate the SAP Application Interface Framework content and create an inbound web service.
OData services need to be configured in SAP S/4HANA.
Configuration on Cloud Platform
Subscribe to SAP Group Reporting Data Collection
your first step here, will be (if it is not done yet) to subscribe to SAP Group Reporting Data Collection.
For this step, you need to get the correct Entitlement for GRDC
Entitlements are automatically handled through the CRM when you order our Material Number: 8007701
Create Destinations
To connect to SAP S/4HANA, you need to set up destinations using the destination service in SAP Business Technology Platform Cockpit.
They will rely on the mappings created in the Cloud Connector.
Refer to: https://help.sap.com/viewer/e29950571a2b4065b1dacaf881c67413/1.0/en-US/ca59c5b3af2c448296fe1b32bac0c...
The result should be like the following:
Defining and Bundling Roles on SAP Business Technology Platform
Security must be maintained in SAP Business Technology Platform sub account for SAP Group Reporting Data Collection.
Refer to: https://help.sap.com/viewer/e29950571a2b4065b1dacaf881c67413/1.0/en-US/c3401bd8e9354359a777b264d0b16...
Refresh Trust Configuration in Cloud Connector
Once all the steps has been done, you have to establish trust between your subaccount and the Cloud Connector.
It will allow the Cloud Connector to trust the JSON Web Token emitted by the User Account and Authentication service.
To do so, go back to the "Cloud to On-Premise" section from the Cloud Connector.
Under Principal Propagation tab, click on Synchronize
That's all Folks
If you reached this steps, you should have a working instance of SAP Group Reporting Data Collection, fully integrated with your SAP S/4HANA instance.
So have a look to our User Guides and start leveraging all the great capabilities of this product 😉
- SAP Managed Tags:
5 Comments
