SAP destination data provider

The ImageMaster SAPDestinationDataProvider is a module designed for managing connections between SAP Messenger and ImageMaster client. The intention of this module is to create and manage the destinations, so the SAP system would be separate and independent from the business code. The module provides functions for adding, updating, and deleting SAP connections.

To provide SAP connection management functionality, the DestinationManager component uses the instance of DestinationDataProvider registered in the JCo environment to get the destination properties. The JCoDestinationManager is a global data structure where all SAP connections are located. The static functions of this class are used by the SAP Messenger Service to access the configured SAP connections. One instance of the JCo DestinationDataProvider exists per a Java VM.

Note that a destination instance may become invalid if the destination configuration has been changed or removed. In such a case the running operation will be terminated and the further usage of the invalidated destination will be blocked by JCoException with the key JCO_ERROR_DESTINATION_DATA_INVALID. The application may fetch an updated destination instance from the JCoDestinationManager if it is suitable for the application scenario.

The procedure of accessing SAP connections is the following:

1. A customer provided DestinationDataProvider (e.g. our ImageMaster implementation) class is registered in the environment. This class provides all connection information for the destinations.

   (The DestinationDataProvider can also host destinations with authentication information but this option is insecure because in this case another application can access SAP by fetching a destination and without providing any user and password. Therefore use the CustomDestination, see “Secure custom destinations” for details.)

   Due to security reasons, this class must not provide authentication information: it should be done by the application.

2. The ImageMaster application accesses the JCoDestionationManager by providing a destination name.

3. The JCoDestinationManager returns a CustomDestination. During runtime this CustomDestination will provide the username and password to the application allowing access to the SAP.

JCo architecture

The JCoDestinationManager is a part of the SAP Environment. To obtain information about the destinations, i.e. the connection parameters, the JCoDestinationManager uses the DestinationDataProvider class that can be wrapped in a separate application which is only responsible for providing the connect parameters. Therefore the ImageMaster application only needs to know the destination names and it provides the authentication information by itself.

Configuration

The configuration information is separated in two configuration objects:

• The SAPSystem object

  The object contains general access information to the SAP system, i.e. basic connection information for all SAPTenant objects that will be accessed.

  Optional JCo properties can be set for an SAPSystem object. Such properties are valid for all tenants configured unless replaced by a property with the same set in a SAPTenant configuration. To get an overview of all supported properties, refer to the SAP JCo documentation.

  The following JCo properties will not be replaced because there are vital connection parameters configured via the GUI:

  • jco.client.client

  • jco.client.user

  • jco.client.passwd

  • jco.client.sysnr

  • jco.client.ashost

  • jco.client.mshost

  • jco.client.r3name

  • jco.client.group

  • jco.destination.repository_destination

  • jco.destination.auth_type

  • jco.client.destination

    There are two types of connections: direct and load balanced connections. The configuration attributes for direct and load balanced connections are mutually exclusive.

  • Direct connections: direct access to the SAP system by providing instance number and hostname or IP address of the connection

    Example

    Instance No: 02

    Server: 53.113.173.184

  • Load Balanced connections: access to the SAP system via the SAP load balancer

    Example

    Message Server: ap.org.t-systems.com

    R3 Name: TSI12

    Group: PUBLIC

• The SAPTenant object

  The object contains tenant-specific connection data. One SAPTenant identifies one connection.

  The Repository Destination identifies a dedicated connection to a SAPSystem only used for accessing the SAP repository. An additional SAPTenant should be configured to be used as a repository destination. This SAPTenant must NOT be configured with the “Repository Destination” set in its configuration. See the example in the “Secure custom destinations” section below.

  Optional JCo properties can be set for a SAPTenant. These properties are valid for this tenant and replace properties with the same set in the SAPSystem configuration. Properties with different names from the SAPSystem are added. To get an overview of all supported properties, refer to the SAP JCo documentation.

Deactivation

To use other DestinationDataProvider1 The third party DestinationDataProvider must support connection names which can be prefixed by the ImageMaster tenant name. modules which can be provided by third parties, deactivation of the local SAPDestinationDataProvider by a Java VM configuration option at runtime is supported.

• Dima.global.sap.destination.data.provider=false (the default value): our local implementation of the DestinationDataProvider is used.

• Dima.global.sap.destination.data.provider=true – the DestinationDataProvider provided from a third party is used. (Even if the local SAPDestinationDataProvider has been deactivated, it is necessary to configure the destination names with username and password, in case a third party destination data provider uses the JCo property jco.destination.repository_destination to support a custom destination.)

Configuration of the destination names and tenant name should be performed synchronously (JCo property jco.client.destination contains the known destination name).

Secure custom destinations

The usage of custom destinations has been introduced due to security demands: connecting with a username and password from the global JCo environment can be read by a third party and misused for unauthorized access (SAP access rights can be determined by the user from the property jco.client.user). To avoid this, SAP Messenger configures a secure custom repository destination jco.destination.repository_destination=name. This is usually identified as a different tenant in SAP with a dedicated username and password who is only allowed to read the repository information.

A custom destination for data access is created by the SAP Messenger Service at runtime by retrieving a connection from the JCo environment, which has previously been added without username and password. At runtime the username and password are temporarily added to the connection. After processing data operations, the connection is returned to the pool without username/password to prevent unauthorized access to the connections from the JCo environment.