SAP destination data provider
The ImageMaster SAPDestinationDataProvider is a module designed for managing connections between SAP Messenger and the ImageMaster client. The intention of this module is to create and manage the destinations so that the SAP system is separate and independent from the business code. The module provides functions for adding, updating, and deleting SAP connections.
To provide SAP connection management functionality, the DestinationManager component uses the instance of DestinationDataProvider registered in the JCo environment to get the destination properties. The JCoDestinationManager is a global data structure where all SAP connections are located. The static functions of this class are used by the SAP Messenger Service to access the configured SAP connections. One instance of the JCo DestinationDataProvider exists per Java VM.
Note that a destination instance may become invalid if the destination configuration has been changed or removed. In such a case the running operation will be terminated and the further usage of the invalidated destination will be blocked by JCoException with the key JCO_ERROR_DESTINATION_DATA_INVALID. The application may fetch an updated destination instance from the JCoDestinationManager if it is suitable for the application scenario.
The procedure for accessing SAP connections is as follows:
- A customer-provided DestinationDataProvider class (e.g. our ImageMaster implementation) is registered in the environment. This class provides all connection information for the destinations.
  (The DestinationDataProvider can also host destinations with authentication information, but this option is insecure because another application can then access SAP by fetching a destination without providing any user and password. Therefore use the CustomDestination; see “Secure custom destinations” for details.)
  For security reasons, this class must not provide authentication information: the application should supply it.
- The ImageMaster application accesses the JCoDestinationManager by providing a destination name.
- The JCoDestinationManager returns a CustomDestination. At runtime this CustomDestination provides the username and password to the application, allowing access to SAP.
JCo architecture
The JCoDestinationManager is part of the SAP environment. To obtain information about the destinations, i.e. the connection parameters, the JCoDestinationManager uses the DestinationDataProvider class, which can be wrapped in a separate application that is only responsible for providing the connection parameters. The ImageMaster application therefore only needs to know the destination names, and it provides the authentication information itself.
Figure 381: JCo architecture
Configuration
The configuration information is separated into two configuration objects:
- The SAPSystem object
  The object contains general access information for the SAP system, i.e. basic connection information for all SAPTenant objects that will be accessed.
  Optional JCo properties can be set for an SAPSystem object. Such properties are valid for all configured tenants unless replaced by a property with the same name set in a SAPTenant configuration. To get an overview of all supported properties, refer to the SAP JCo documentation.
  The following JCo properties will not be replaced because they are vital connection parameters configured via the GUI:
  - jco.client.client
  - jco.client.user
  - jco.client.passwd
  - jco.client.sysnr
  - jco.client.ashost
  - jco.client.mshost
  - jco.client.r3name
  - jco.client.group
  - jco.destination.repository_destination
  - jco.destination.auth_type
  - jco.client.destination
  There are two types of connections: direct and load balanced connections. The configuration attributes for direct and load balanced connections are mutually exclusive.
  - Direct connections: direct access to the SAP system by providing instance number and hostname or IP address of the connection
    Example
    Instance No: 02
    Server: 53.113.173.184
  - Load Balanced connections: access to the SAP system via the SAP load balancer
    Example
    Message Server: ap.org.t-systems.com
    R3 Name: TSI12
    Group: PUBLIC
- The SAPTenant object
  The object contains tenant-specific connection data. One SAPTenant identifies one connection.
  The Repository Destination identifies a dedicated connection to a SAPSystem that is only used for accessing the SAP repository. An additional SAPTenant should be configured to be used as a repository destination. This SAPTenant must NOT be configured with the “Repository Destination” set in its configuration. See the example in the “Secure custom destinations” section below.
  Optional JCo properties can be set for a SAPTenant. These properties are valid for this tenant and replace properties with the same name set in the SAPSystem configuration. Properties with different names from the SAPSystem are added. To get an overview of all supported properties, refer to the SAP JCo documentation.
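An added example (not ImageMaster code) that models the precedence rules described above: tenant optional properties replace system optional properties, the GUI-configured keys cannot be replaced by either, and direct and load balanced attributes are mutually exclusive. The class and method names and the sample hosts are hypothetical, and ignoring the listed keys in both optional layers is an assumption about how "will not be replaced" is enforced.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class EffectiveJcoProperties {
    // Keys the page lists as configured via the GUI; optional properties never replace them.
    static final Set<String> GUI_KEYS = Set.of(
        "jco.client.client", "jco.client.user", "jco.client.passwd", "jco.client.sysnr",
        "jco.client.ashost", "jco.client.mshost", "jco.client.r3name", "jco.client.group",
        "jco.destination.repository_destination", "jco.destination.auth_type",
        "jco.client.destination");

    static boolean hasAny(Map<String, String> m, String... keys) {
        for (String k : keys) if (m.containsKey(k)) return true;
        return false;
    }

    /** gui = values entered in the GUI; systemOpt / tenantOpt = optional JCo properties. */
    static Map<String, String> merge(Map<String, String> gui,
                                     Map<String, String> systemOpt,
                                     Map<String, String> tenantOpt) {
        boolean direct = hasAny(gui, "jco.client.ashost", "jco.client.sysnr");
        boolean balanced = hasAny(gui, "jco.client.mshost", "jco.client.r3name", "jco.client.group");
        if (direct == balanced) {
            throw new IllegalArgumentException("configure exactly one of: direct, load balanced");
        }
        Map<String, String> out = new LinkedHashMap<>();
        // System layer first, tenant layer second, so a tenant value replaces a system value.
        for (Map<String, String> layer : List.of(systemOpt, tenantOpt)) {
            layer.forEach((k, v) -> { if (!GUI_KEYS.contains(k)) out.put(k, v); });
        }
        out.putAll(gui); // GUI-configured connection parameters always win
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample values.
        Map<String, String> gui = Map.of("jco.client.ashost", "sap.example.invalid",
                                         "jco.client.sysnr", "02", "jco.client.client", "800");
        Map<String, String> sys = Map.of("jco.client.lang", "EN", "jco.destination.pool_capacity", "3");
        Map<String, String> tenant = Map.of("jco.destination.pool_capacity", "10",
                                            "jco.client.ashost", "other.example.invalid"); // ignored
        System.out.println(merge(gui, sys, tenant));
    }
}
```

In the sample run the tenant's pool capacity of 10 replaces the system's 3, while the tenant's attempt to redirect jco.client.ashost is dropped and the GUI host is kept.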
Deactivation
To use other DestinationDataProvider modules which can be provided by third parties, deactivation of the local SAPDestinationDataProvider by a Java VM configuration option at runtime is supported.
- Dima.global.sap.destination.data.provider=false (the default value): our local implementation of the DestinationDataProvider is used.
- Dima.global.sap.destination.data.provider=true: the DestinationDataProvider provided from a third party is used. (Even if the local SAPDestinationDataProvider has been deactivated, it is necessary to configure the destination names with username and password, in case a third party destination data provider uses the JCo property jco.destination.repository_destination to support a custom destination.)
Configuration of the destination names and tenant name should be performed synchronously (JCo property jco.client.destination contains the known destination name).
Secure custom destinations
Custom destinations were introduced for security reasons: a username and password held in the global JCo environment can be read by a third party and misused for unauthorized access (SAP access rights can be determined by the user from the property jco.client.user). To avoid this, SAP Messenger configures a secure custom repository destination, jco.destination.repository_destination=name. This is usually a different tenant in SAP with a dedicated username and password that is only allowed to read the repository information.
A custom destination for data access is created by the SAP Messenger Service at runtime by retrieving a connection from the JCo environment, which has previously been added without username and password. At runtime the username and password are temporarily added to the connection. After processing data operations, the connection is returned to the pool without username/password to prevent unauthorized access to the connections from the JCo environment.
Example
Logical System: M04CLNT800
User: <username1>
Password: <pwd1>
[Repository Destination: M04CLNT700]
User and password of M04CLNT800 are not added to the JCo environment. They are added later at runtime.
The SAPTenant for repository destination M04CLNT700 should be configured.
Logical System: M04CLNT700
User: <username2>
Password: <pwd2>
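The pattern described in this section, sketched with the public SAP JCo 3 API as an added example; it is not the ImageMaster or SAP Messenger implementation. The class name, the environment variable names and the sample host are assumptions, and sapjco3.jar plus a reachable SAP system are needed to run it.

```java
import com.sap.conn.jco.JCoCustomDestination;
import com.sap.conn.jco.JCoDestination;
import com.sap.conn.jco.JCoDestinationManager;
import com.sap.conn.jco.JCoException;
import com.sap.conn.jco.ext.DestinationDataEventListener;
import com.sap.conn.jco.ext.DestinationDataProvider;
import com.sap.conn.jco.ext.Environment;
import java.util.Map;
import java.util.Properties;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical provider: serves connection parameters only, never logon data. */
public class CredentialFreeProvider implements DestinationDataProvider {
    private final Map<String, Properties> destinations = new ConcurrentHashMap<>();

    public void put(String name, Properties props) {
        Properties copy = new Properties();
        copy.putAll(props);
        // Strip logon data so nothing fetched from the global JCo environment can log on by itself.
        copy.remove(JCO_USER);   // jco.client.user
        copy.remove(JCO_PASSWD); // jco.client.passwd
        destinations.put(name, copy);
    }

    @Override public Properties getDestinationProperties(String name) {
        return destinations.get(name); // null tells JCo the destination is unknown
    }
    @Override public boolean supportsEvents() { return false; }
    @Override public void setDestinationDataEventListener(DestinationDataEventListener l) { }

    /** Application side: credentials exist only on this call's own custom destination. */
    static void pingAs(String name, String user, String password) throws JCoException {
        JCoDestination shared = JCoDestinationManager.getDestination(name);
        JCoCustomDestination own = shared.createCustomDestination();
        JCoCustomDestination.UserData logon = own.getUserLogonData();
        logon.setUser(user);
        logon.setPassword(password);
        own.ping(); // throws JCoException if connection or logon data is wrong
    }

    public static void main(String[] args) throws JCoException {
        String user = System.getenv("SAP_USER"), pwd = System.getenv("SAP_PASSWORD"); // assumed names
        if (user == null || pwd == null) throw new IllegalStateException("set SAP_USER and SAP_PASSWORD");
        Properties p = new Properties(); // constructed sample values
        p.setProperty(JCO_ASHOST, "sap.example.invalid");
        p.setProperty(JCO_SYSNR, "02");
        p.setProperty(JCO_CLIENT, "800");
        CredentialFreeProvider provider = new CredentialFreeProvider();
        provider.put("M04CLNT800", p);
        Environment.registerDestinationDataProvider(provider); // one provider per Java VM
        pingAs("M04CLNT800", user, pwd);
    }
}
```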