Configuring SAP

Creating an SAP job within the TA is similar to creating any other TA job. The differences are in the configuration prior to creating SAP jobs, and in the additional information required for a complete SAP job definition (such as job steps).

TA can launch CCMS jobs including ABAP programs, external programs, and external commands. For SAP Business Warehouse (BW), you can also schedule infopackages and process chains as TA jobs. You can define and maintain the details of a job definition for each step through TA. TA can also launch, monitor, and manage jobs that already exist in SAP.

Before creating SAP jobs within TA, certain parameters must be configured so that TA can communicate with the SAP instance.

The SAP adapter software is already installed as part of a normal installation of TA. However, you must perform these steps to license and configure the adapter before you can run SAP jobs. Each of these steps is described in this section.

To license and configure the adapter:

  1. Download and install the Java connector software provided by SAP, called the JCO 3.20 component. SAP JCO 3.20 is necessary for a Java application (like the TA) to work with SAP.

  2. Create or modify security policies to assign to user definitions that allow users to create and edit SAP jobs.

  3. Create one or more user definitions in TA with access to the SAP instance using SAP user names and passwords provided by the SAP administrator.

  4. Authorize TA users to run SAP jobs on behalf of these SAP runtime users.

  5. License the connection(s) to the SAP instance. You cannot define an SAP connection until you have applied the SAP license. Business Warehouse functions require an additional license.

  6. Define an SAP connection so the Master can communicate with the SAP instance.

  7. Configure the defaults for handling SAP jobs. Individual jobs can override the default system settings as necessary.

  8. Configure logging for the SAP process chain jobs.

Installing SAP JCO

The Master requires Java connector (JCO) software from SAP. SAP’s JCO middleware allows a Java application to communicate with an SAP system. Each operating system requires its own version of JCO, which can be downloaded from SAP.

To download SAP JCO:

  1. Download SAP JCO from the URL: https://support.sap.com/en/product/connectors/jco.html.

  2. Extract these files from the SAP JCO.zip file for the initial setup of SAP JCO 3.0.20:

    • sapjco3.jar (Windows and Linux)

    • sapjco3.dll (Linux: libsapjco3.so)

  3. Add this to your CLASSPATH environment variable after installing the JCO:

    • {sapjco-install-path}/sapjco3.jar file.

    • the path where JCO 3.x libraries are installed.

  4. Reboot your system if prompted.

Configuring Secure Network Communication

Secure Network Communication (SNC) secures Remote Function Call (RFC) connections to SAP Advanced Business Application Programming (ABAP) systems. SNC provides application-level, end-to-end security to ensure reliable, consistent, and secure connections. For more information, refer to SAP Note 2642538 - How to enable SNC from external java program to ABAP using standalone JCo3.

Defining a Security Policy

Access to the SAP environment is controlled by assigning an SAP security policy with specified privileges to designated user accounts. The scheduling administrator should create a new security policy in TA as described in the Users section of the Tidal Automation User Guide that, in addition to the normal user privileges, includes the capability to create and edit SAP jobs and events. A user whose assigned security policy does not include SAP privileges cannot create events and run SAP jobs.

You can create a new security policy or modify an existing security policy in TA that includes the authority to add, edit, view, and delete SAP jobs, variants, and events.

To grant access privileges:

  1. Click Security Policies in the Navigation pane to display the Security Policies pane.

  2. Double-click a security policy for the SAP privileges to display its Security Policy Definition dialog.

  3. Scroll down the list of function categories and double-click the SAP Jobs, SAP Events, or SAP Variants category to display the available functions.

  4. Click the desired job privileges, and click OK.

    A check mark appears next to the SAP function category indicating that one or more functions are selected within the category.

    If needed, you can create different security policies with varying authorized functions to provide different levels of access for a variety of users. For more information about the Security Policy Definition dialog, refer to Users.

Defining SAP Users

Before you can create SAP jobs, a user with access to the SAP instance must be defined in TA.

TA cannot run any SAP job unless it knows the user name(s) and password(s) defined in the SAP instance. TA then interacts with SAP as that defined user, exchanging information to monitor and control the execution of the SAP jobs through TA. Other users in TA are authorized to run SAP jobs on behalf of SAP runtime users.

Adding an SAP User to TA

To add an SAP user:

  1. Click Administration in the Navigation pane > Runtime Users to display the Users pane.

  2. Click Add or right-click and click Add Runtime User in the context menu to display the User Definition dialog.

  3. Enter the user name in the User Name field for the account provided by your SAP Administrator for use by TA. The Full Name field is optional. Use the Domain field for additional documentation, such as to distinguish users with the same name that use different passwords in different instances.

    Note: Be sure that the User Profile in SAP for the user you define to TA is configured to use formats that are supported by TA. SAP recognizes numerous date formats, but TA only supports the DD.MM.YYYY and the MM/DD/YYYY date formats. An unsupported date format within the SAP user profile will throw errors in TA jobs. You must also configure SAP’s User Profile to use decimal points instead of commas as a numeric separator. Comma separators are not supported by TA.

  4. Click Add in the Passwords tab to display the Change Password dialog.

  5. Choose SAP from the Password type list.

  6. Enter and confirm the password in the Password/Confirm Password fields.

    Note: If you have updated the passwords and are experiencing issues with running jobs or events, we recommend disabling and re-enabling the connection to ensure everything works properly.

  7. Click OK. The SAP record displays on the Passwords tab.

  8. Click OK to save the user record.

    Note: For more information about the Users pane, see the “Users” chapter in your Tidal Automation User Guide.

Authorizing TA Users to Run SAP Jobs

For TA users to work with SAP jobs, they must have a defined SAP user in their authorized runtime users list. If an SAP user is not added to a TA user’s authorized runtime users list, the user has no access to the SAP instance and cannot run SAP jobs. Similarly, you grant or deny access to specific SAP instances in the user’s authorized agents list.

Adding an SAP User To a User’s Authorized Runtime User List

To add a runtime user:

  1. Click Administration in the Navigation pane > Interactive Users to display the Users pane.

    Note: If TA users are not displayed, you do not have the appropriate rights to view users.

  2. Click Add or right-click and choose Add Interactive User from the context menu, to display the User Definition dialog.

  3. Double-click the name of a TA user account to display the User Definition dialog.

  4. Click the Runtime Users tab.

  5. Click the SAP users you want to include in this TA user’s authorized user list.

  6. Click the Agents tab to restrict this user’s access to specific instances.

  7. Click OK to save changes.