Skip to main content
Version: 723.SP03

Security

CxLink Suite runs inside your SAP S/4HANA or SAP NetWeaver systems and uses the Internet Communication Framework (ICF) to handle the server-client communication. Therefore, securing a CxLink Suite application is identical to other NetWeaver solutions based on ICF.

Communication

As part of CxLink Suite implementation, as in any SAP S/4HANA or SAP Netweaver based server, there is a requirement to establish SSL (Secure Sockets Layer) security for an ABAP-based system that requires secure, encrypted communications. SSL (Secure Sockets Layer) is a communication method whereby secure communication between system entities is accomplished by the use of encryption facilitated by X.509 certificates published by Certificate Authorities (CA) in tandem with public and private decryption keys.

Cloud Provider certificates

For CxLink Suite to establish secure communication with the cloud storage providers, the cloud provider certificates must be imported into the SAP system. The certificates can be downloaded from the cloud provider website and imported into the SAP system using the STRUST transaction.

Refer to the cloud provider documentation for the certificate download instructions.

Firewall and Network Security

Communication with the cloud storage providers is done over HTTPS. As part of the security setup, the network security team should ensure that the firewall rules and proxies allow HTTPS connection to the cloud storage providers.

As per our recommendation for the CxLink Suite, the following security measures should be taken:

  • If your server is running on-premises, ensure that your server can reach the proper endpoints via a private network, such as VPN, direct connect or similar.
  • If your SAP server is running on a cloud provider, ensure that your server can reach the proper endpoints via the cloud provider backbone network by using services such as VPC endpoints, PrivateLink, or similar.

Authorization and authentication

CxLink Suite integrates nativelly with the Identity and Access Management (IAM) of the cloud storage providers. This means that the user access to the cloud storage provider is managed by the cloud provider IAM.

  • If your SAP system is running on-premises, you can use IAM credentials to access the cloud provider resources.
  • If your SAP system is running on a cloud provider, you can use the temporary credentials provided by the cloud provider IAM such as:
    • AWS Instance Profile
    • Azure Managed Identity
    • IBM Cloud Identity and Access Management

In any way, the SAP system access

Relative information at SAP NetWeaver 7.0 EHP2