Before you begin
Ensure that your SAP server meets all of these requirements before you start configuring CxLink Datalakes on it.
Prerequisites for Connectivity
Your SAP server must be able to reach the AWS services that CxLink Datalakes depends on. Ensure that communication is open between your SAP server and the following endpoints:
AWS Region
Remember to change aws_region to the region where your resources are hosted. If you plan to use resources in multiple AWS Regions, open the corresponding connections for each region.
- iam.amazonaws.com
- s3.amazonaws.com
- s3.aws_region.amazonaws.com
- s3-aws_region.amazonaws.com
- kms.aws_region.amazonaws.com
- kinesis.aws_region.amazonaws.com
- sts.aws_region.amazonaws.com
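One way to verify this prerequisite from the SAP host, as an added example that is not part of CxLink or the original page: it expands the endpoint list above for each region and attempts a certificate-verified TLS handshake on port 443. The port, the region-name pattern and the function names are assumptions of this example.

```python
import re
import socket
import ssl
import sys

# Endpoint patterns copied from the list above; "aws_region" is the page's placeholder.
ENDPOINT_PATTERNS = """
iam.amazonaws.com s3.amazonaws.com s3.aws_region.amazonaws.com
s3-aws_region.amazonaws.com kms.aws_region.amazonaws.com
kinesis.aws_region.amazonaws.com sts.aws_region.amazonaws.com
""".split()
# Assumed shape of a region name (e.g. eu-west-1); rejects an unsubstituted placeholder.
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d+$")

def endpoints_for(regions):
    """Expand the placeholder for every region, keeping order and dropping duplicates."""
    hosts = []
    for region in regions:
        if not REGION_RE.match(region):
            raise ValueError(f"not an AWS region name: {region!r}")
        for pattern in ENDPOINT_PATTERNS:
            host = pattern.replace("aws_region", region)
            if host not in hosts:
                hosts.append(host)
    return hosts

def probe(host, port=443, timeout=5.0):
    """TCP connect plus TLS handshake with chain and hostname verification."""
    context = ssl.create_default_context()  # uses the operating system trust store
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with context.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version()
    except OSError as exc:  # DNS failure, refusal, timeout, TLS or certificate error
        return False, f"{type(exc).__name__}: {exc}"

def check(regions, prober=probe):
    """Probe every endpoint and return {host: (ok, detail)}."""
    return {host: prober(host) for host in endpoints_for(regions)}

if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: pass one or more AWS region names as arguments")
    results = check(sys.argv[1:])
    for host, (ok, detail) in results.items():
        print(f"{'OK  ' if ok else 'FAIL'} {host} {detail}")
    sys.exit(0 if all(ok for ok, _ in results.values()) else 1)
```

A pass confirms the network path and certificate chain as seen from the operating system, not from the SAP ICM or STRUST. A failure on one host only usually points to a firewall or proxy allow-list entry that is missing for that service.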
Optionally, if you plan to leverage the SAP STRUST Certificate Management to CxLink Datalakes, ensure connectivity to the following endpoints to download the Root and CA certificates:
Prerequisites for SAP
Ensure that you meet the following requirements before you install the SAP ABAP Suite Add-on:
- SAP authorization with enough permissions to install an add-on in client 000. SAP Help Page
- SAP Installation Tool (SAINT/SPAM) SP58 or higher installed.
- SAP ICM HTTP and HTTPS services active and running.
- SAP Cryptographic Library: minimum CommonCryptoLib version 8.4.38, recommended 8.4.49. SAP Note 1848999 - Central Note for CommonCryptoLib 8 (SAPCRYPTOLIB)
- If you plan to use KMS to encrypt, the following SAP parameters should be set in the Default or Instance Profile:
  ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH
  ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH
  icm/HTTPS/client_sni_enabled = TRUE
  ssl/client_sni_enabled = TRUE
- Ensure that the certificates of all external endpoints are installed in the SAP STRUST transaction. To understand why this is needed, read and follow the steps defined in the SAP Certificates Guide.
Prerequisites in AWS
The following resources must exist in your AWS account before you configure CxLink:
- Create an Amazon S3 bucket to store the documents by following the guidelines described in the AWS Documentation page Creating a bucket.
- Create an IAM policy by following the steps described in Creating IAM policies (console). You can use the instance profile example below as a template.
IAM Policy Template
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListAllMyBuckets", "kms:ListKeys", "kms:ListAliases"],
      "Resource": "*"
    },
    {
      "Action": [
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:DeleteObject",
        "s3:GetAccessPoint",
        "s3:GetBucketLocation",
        "s3:GetEncryptionConfiguration",
        "s3:GetIntelligentTieringConfiguration",
        "s3:GetLifecycleConfiguration",
        "s3:GetObject",
        "s3:GetObjectLegalHold",
        "s3:GetObjectRetention",
        "s3:ListBucket",
        "s3:PutBucketObjectLockConfiguration",
        "s3:PutBucketTagging",
        "s3:PutEncryptionConfiguration",
        "s3:PutIntelligentTieringConfiguration",
        "s3:PutLifecycleConfiguration",
        "s3:PutObject",
        "s3:PutObjectLegalHold",
        "s3:PutObjectRetention",
        "s3:PutObjectTagging"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::<bucket_name>",
        "arn:aws:s3:::<bucket_name>/*"
      ]
    },
    {
      "Action": ["iam:GetUser"],
      "Effect": "Allow",
      "Resource": "arn:aws:iam::<aws_account>:user/<iam_user_name>"
    },
    {
      "Action": [
        "kms:Decrypt",
        "kms:DescribeKey",
        "kms:Encrypt",
        "kms:ListAliases",
        "kms:ListKeys"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:kms:<aws_region>:<aws_account>:key/<key_id>",
        "arn:aws:kms:<aws_region>:<aws_account>:alias/<key_alias>"
      ]
    }
  ]
}
- Attach the created policy to the EC2 Instance Profile or to an existing IAM User.
  - To attach the policy to the EC2 Instance Profile, follow the guidelines described in the AWS Documentation page IAM roles for Amazon EC2.
  - To attach the policy to an IAM User, follow the guidelines described in Create and attach a policy to an IAM user.