Before you begin

Ensure that your SAP server meets all of these requirements before you start configuring CxLink Datalakes on it.


Prerequisites for Connectivity

Your SAP server must be able to access the necessary AWS Services to work with CxLink Datalakes. Ensure that communications are opened between your SAP Server and the following endpoints:

AWS Region

Remember to change aws_region to the region where your resources are hosted. If you plan to use resources in multiple AWS Regions, open the corresponding connections for each region.

  • iam.amazonaws.com
  • s3.amazonaws.com
  • s3.aws_region.amazonaws.com
  • s3-aws_region.amazonaws.com
  • kms.aws_region.amazonaws.com
  • kinesis.aws_region.amazonaws.com
  • sts.aws_region.amazonaws.com
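To confirm that the connections above are open, the following added example (not part of the CxLink documentation) probes each endpoint over HTTPS from the SAP host's shell for one or more regions. It assumes `curl` is installed and the function names are illustrative; it tests the operating-system network path only, not SAP ICM or the STRUST trust store.

```shell
#!/bin/sh
# Added example: probe the AWS endpoints listed above from the SAP host's shell.
# Usage: sh check_endpoints.sh eu-west-1 [more-regions ...]

# Print the endpoint list for one region (aws_region substituted).
cxlink_endpoints() {
    region=$1
    # Accept only lowercase letters, digits and hyphens, so the argument
    # cannot smuggle in dots, slashes or another host name.
    case $region in
        ''|*[!a-z0-9-]*) echo "invalid region: $region" >&2; return 1 ;;
    esac
    printf '%s\n' \
        "iam.amazonaws.com" \
        "s3.amazonaws.com" \
        "s3.${region}.amazonaws.com" \
        "s3-${region}.amazonaws.com" \
        "kms.${region}.amazonaws.com" \
        "kinesis.${region}.amazonaws.com" \
        "sts.${region}.amazonaws.com"
}

# Succeed if an HTTPS connection with certificate verification completes.
# Any HTTP status (including 403) counts as reachable.
probe_endpoint() {
    curl --silent --output /dev/null --connect-timeout 5 --max-time 15 \
        "https://$1/"
}

# Probe every endpoint for every region given; non-zero if any probe fails.
check_regions() {
    failed=0
    for r in "$@"; do
        list=$(cxlink_endpoints "$r") || return 2
        for host in $list; do
            if probe_endpoint "$host"; then
                echo "OK    $host"
            else
                echo "FAIL  $host"
                failed=1
            fi
        done
    done
    return "$failed"
}

if [ "$#" -gt 0 ]; then
    check_regions "$@"
fi
```

A `FAIL` line points at DNS, routing, firewall, proxy or TLS interception between the host and that endpoint.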

Optionally, if you plan to leverage the SAP STRUST Certificate Management to CxLink Datalakes, ensure connectivity to the following endpoints to download the Root and CA certificates:


Prerequisites for SAP

Ensure that you meet the following requirements before you install the SAP ABAP Suite Add-on:

  • SAP Authorization with enough permissions to install an Add-on in client 000. SAP Help Page

  • SAP Installation Tool (SAINT/SPAM) SP58 or higher installed

  • SAP ICM HTTP and HTTPS services Active and Running

  • SAP Cryptographic Library. Minimum CommonCryptoLib version 8.4.38, recommended 8.4.49. SAP Note 1848999 - Central Note for CommonCryptoLib 8 (SAPCRYPTOLIB)

  • If you plan to use KMS to encrypt, the following SAP parameters should be set in Default or Instance Profile:

    ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH
    ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH
    icm/HTTPS/client_sni_enabled = TRUE
    ssl/client_sni_enabled = TRUE
    
  • Ensure that the certificates of all external endpoints are installed in the SAP STRUST transaction. To understand why this is needed, read and follow the steps defined in the SAP Certificates Guide.
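The KMS-related profile parameters listed above can be checked against a profile file with the following added example (not CxLink or SAP code). The function names are illustrative, and it assumes a plain `name = value` profile file in which the last definition of a parameter is the effective one; pass the path of your Default or Instance Profile as the argument.

```shell
#!/bin/sh
# Added example: verify the KMS-related TLS parameters in an SAP profile file.
# Usage: sh check_profile.sh /path/to/profile

# Required values, copied from the parameter list above.
required_params() {
    cat <<'EOF'
ssl/ciphersuites=135:PFS:HIGH::EC_P256:EC_HIGH
ssl/client_ciphersuites=150:PFS:HIGH::EC_P256:EC_HIGH
icm/HTTPS/client_sni_enabled=TRUE
ssl/client_sni_enabled=TRUE
EOF
}

# Print the value of parameter $2 in profile file $1: comment lines (#) are
# skipped, whitespace around '=' is trimmed, and the last definition wins
# (assumption about how duplicates are resolved).
profile_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            pos = index($0, "=")
            if (pos == 0) next
            k = substr($0, 1, pos - 1); v = substr($0, pos + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", k)
            gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# Compare profile file $1 with the required values.
# Returns the number of missing or mismatched parameters (0 = all set).
check_profile() {
    bad=0
    while IFS='=' read -r key want; do
        got=$(profile_value "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "OK       $key"
        else
            echo "MISMATCH $key (found: '${got:-unset}', expected: '$want')"
            bad=$((bad + 1))
        fi
    done <<EOF
$(required_params)
EOF
    return "$bad"
}

if [ "$#" -gt 0 ]; then check_profile "$1"; fi
```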


Prerequisites in AWS

The following resources must be created in your AWS Account before you configure CxLink:

  • Create an Amazon S3 Bucket to store the output data files by following the guidelines described in the AWS Documentation page Creating a bucket

  • (Optional, but recommended) Create an Amazon VPC Endpoint for Amazon S3 to ensure your data is sent through the AWS Backbone instead of the public internet by following the guidelines described in the AWS Documentation page Amazon VPC Endpoints for Amazon S3

  • Create an Amazon Kinesis Data Stream to store the output data files by following the guidelines described in the AWS Documentation page Step 1: Create a Data Stream

  • (Optional, but recommended) Create an Amazon VPC Interface Endpoint for Amazon Kinesis Data Streams to ensure your data is sent through the AWS Backbone instead of the public internet by following the guidelines described in the AWS Documentation page Using Amazon Kinesis Data Streams with Interface VPC Endpoints

  • Create an IAM Policy by following the steps described in Creating IAM policies (console). You can use the policy example below as a template.

    IAM Policy Template
    Keep only the statements that apply to your setup. UseEncryptionKey is needed only if you plan to use a bucket with KMS. Set one of the authentication methods: keep AuthWithIamUser if you plan to use an IAM User for authentication, or AuthWithInstanceProfile if you plan to use an Instance Profile.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadExistingResources",
                "Effect": "Allow",
                "Action": [
                    "kinesis:ListStreams",
                    "s3:ListAllMyBuckets"
                ],
                "Resource": "*"
            },
            {
                "Sid": "StoreObjectsToS3Bucket",
                "Effect": "Allow",
                "Action": "s3:PutObject",
                "Resource": [
                    "arn:aws:s3:::<bucket_name>",
                    "arn:aws:s3:::<bucket_name>/*"
                ]
            },
            {
                "Sid": "PutRecordsToKinesisDataStream",
                "Effect": "Allow",
                "Action": [
                    "kinesis:PutRecord",
                    "kinesis:PutRecords"
                ],
                "Resource": [
                    "arn:aws:kinesis:<aws_region>:<aws_account_id>:stream/<kinesis_data_stream_name>"
                ]
            },
            {
                "Sid": "UseEncryptionKey",
                "Effect": "Allow",
                "Action": [
                    "kms:Encrypt",
                    "kms:GenerateDataKey"
                ],
                "Resource": [
                    "arn:aws:kms:<aws_region>:<aws_account_id>:key/<kms_key_id>"
                ]
            },
            {
                "Sid": "AuthWithIamUser",
                "Action": "iam:GetUser",
                "Effect": "Allow",
                "Resource": "arn:aws:iam::<your_aws_account>:user/<iam_user_name>"
            },
            {
                "Sid": "AuthWithInstanceProfile",
                "Action": "iam:GetInstanceProfile",
                "Effect": "Allow",
                "Resource": "arn:aws:iam::<your_aws_account>:instance-profile/<instance_profile_name>"
            }
        ]
    }
    
  • Attach the created policy to the EC2 Instance Profile or to an existing IAM User.