# SAP OData

Use the SAP OData connector to connect to an SAP on-premise instance (R/3 or S/4) or an S/4 HANA cloud instance. This connector allows you to work with the hundreds of OData APIs that come out of the box to interact with data sources that include purchase orders, requisitions, invoices, and products. The connector also works with any custom OData services you may have configured on your instance.

# API version

This connector supports the SAP API Business Hub family of OData APIs as well as custom OData services.

# How to connect to SAP on-premise instances on Workato

Follow the steps below to set up OData services for your SAP on-premise system. Most steps are similar for legacy SAP systems as well as new SAP S/4 HANA instances. However, for legacy SAP systems such as ECC, there are unfortunately no standard OData services available. Check out this blog post to create a custom OData service on your SAP Gateway.

If you're using SAP S/4 HANA, the following steps illustrate how to set up one service as an example:

1. Go to transaction code /n/iwfnd/maint_service.

2. Click on Add Service, maintain LOCAL in 'System Alias' and press Enter.

3. Select the service and click on Add Selected Services. In this example, we are adding API_BANKACCOUNT_SRV, a standard SAP API.

4. Name the technical service. In our example, it's ZAPI_BANKACCOUNT_SRV. Click on Local Object to save in Local Package and continue.

5. Test out your new OData service by going back to the Service Catalog and searching for the Technical Service Name. Click on Call Browser to open the OData endpoint URL in a browser, and on SAP Gateway Client to test it in the Gateway Client with different options, operations, methods, headers, and payloads.

When you have completed the steps, return to Workato to fill in the connection fields with the same details you see in the SAP Gateway Client.

# How to connect to SAP S/4 HANA Cloud via Basic Authentication on Workato

Follow the steps below to set up OData services for your SAP S/4 HANA Cloud instance.

1. Find the OData API for your automation needs in the SAP API Business Hub explorer.

2. Once you've found a suitable API, click to open it, and find the communication scenario ID. Store this ID for use later on.

3. Follow the steps in Setting up Communication Management to do the following:

  • Create a Communication User: the integration user assigned to Workato. Use basic authentication.
  • Create a Communication System: tied to the Communication User
  • Create a Communication Arrangement: ties the communication system and user to the communication scenario

When you have completed the steps, return to Workato to fill in the connection fields.

# How to connect to SAP S/4 HANA Cloud via Client Certificate Authentication on Workato

Follow the steps below to set up OData services for your SAP S/4 HANA Cloud instance.

1. Find the OData API for your automation needs in the SAP API Business Hub explorer.

2. Once you've found a suitable API, click to open it, and find the communication scenario ID. Store this ID for use later on.

3. Prepare your CA-signed x509 certificate. This certificate must be signed by a CA known to your S/4 HANA Cloud backend system. You can verify known CAs by checking the Certificate Trust List in your S/4 HANA Cloud system. Find out more about this in this SAP Blog article or check out our guide below on how to use SAP Passport as a simple way to create certificates.

4. Follow the steps in Setting up Communication Management to do the following:

  • Create a Communication User: Create your communication user using the certificate created in step 3.
  • Create a Communication System: Tied to the Communication User, with the authentication method set to SSL Client Certificate
  • Create a Communication Arrangement: ties the communication system and user to the communication scenario

When you have completed the steps, return to Workato to fill in the connection fields.

# Connection fields

| Field | Description |
| --- | --- |
| Connection name | Give this connection a descriptive name so you can reuse it in other recipes. |
| Connection type | Choose an on-premise agent if your SAP instance is running in a network that does not allow direct connection. Before attempting to connect, make sure you have an active on-premise agent. Refer to the On-premise agent guide for more information. If you choose to use Client certificate (x509) as your authentication type, you must select the option Cloud. If Cloud is selected, requests will be sent directly from Workato's servers. |
| Authentication type | Select either Basic or Client certificate(x509). |
| Username | Applicable when the authentication type is Basic. The username of the Communication User you created above. |
| Password | Applicable when the authentication type is Basic. The password of the Communication User you created above. |
| Client certificate | Applicable when the authentication type is Client certificate(x509). The username of the Communication User you created above. |
| Private key | Applicable when the authentication type is Client certificate(x509). The private key for your client certificate. |
| Passphrase | Applicable when the authentication type is Client certificate(x509). The passphrase for the private key, if applicable. |
| CA certificate | Applicable when the authentication type is Client certificate(x509). If you used a custom CA to sign your x509 certificate, you will need to add the CA's certificates here. If there are multiple certificates in a chain, leave a blank line between each certificate. |
| Host | The base path to your SAP OData services. For SAP S/4 HANA Cloud, this is found in the Communication Arrangement URL. For example, if the service URL is https://www.myS4HanaSystem.com/sap/opu/odata/sap/API_PURCHASEORDER_PROCESS_SRV, then your host is https://www.myS4HanaSystem.com/sap/opu/odata/sap/. |
| Service | A sample service that you can use to test authentication. This can be the first service that you have configured. For SAP S/4 HANA Cloud, the service name can be found in your Communication Arrangement. |
| SAP client | The SAP client to reference. For example, if https://www.myS4HanaSystem.com/sap/opu/odata/sap/API_PURCHASEORDER_PROCESS_SRV?sap-client=800 is the service URL, your SAP client is 800. |

# Triggers & Actions

This connector supports the following triggers and actions:

  • New object
  • New/updated object
  • Create object
  • Update object
  • Search object
  • Get object details by ID

# Supported object types

The available object types depend on your selected service. The service you provide in the action or trigger configuration determines which objects show in the Object dropdown.

WARNING

The service you provide must be enabled for the communication user you have given in your connection. You enable new services by creating new Communication Arrangements in S/4 HANA that link communication users to communication scenarios.

For example, providing the API_PRODUCT_SRV service in the Service input field will allow you to select all object types defined for that service.


Selecting a specific object will then cause more input fields specific to that object to appear. You can then start mapping datapills to these objects.


When retrieving or mutating records in SAP OData services, you may want to interact with both the record and the records related to it, for example a customer record as well as its related addresses. To do so, you can use the related records input field that is present in every action. This input field is a multiselect tree dropdown that allows you to select related children records, and even grandchildren records.

After selecting this input, new input fields will be shown (for create/update actions) and new output fields (for triggers, search and get actions). This allows you to minimize job execution time and reduce recipe complexity.

# Sample guide: Using SAP Passport to create certificates for Client Certificate authentication with S/4 HANA Cloud

Client certificate authentication requires an x509 certificate signed by a trusted CA. SAP Passport provides a fast and simple way to generate x509 certificates that are signed by SAP's Cloud Root CA. This guide shows how you can achieve connectivity via this method, but ultimately the certificates you use in production should adhere to your organization's preferred or existing vendors, which may not necessarily be SAP.

2. Download the certificate, which comes as a .pfx file.

3. Convert the .pfx file into the .pem format using OpenSSL. You will need to have OpenSSL installed on your local machine.

  • You may use the following command: `openssl pkcs12 -in input-cert.pfx -out output-cert.pem -legacy`. You will be prompted for your PEM pass phrase. Create an opaque password and save it for later.

4. Open the .pem file with any plain text editor to inspect the contents. The structure should be similar to the following:

```
Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: SXXXXXXXXXX
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w
...<redacted>...
jTG6eYRIAnHR2+4Vto+QxA==
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: S0023610052
subject=C = DE, O = SAP Trust Community, OU = SAP Service Marketplace, CN = SXXXXXXXXXX
issuer=C = DE, O = SAP Trust Community, CN = SAP Passport CA G2
-----BEGIN CERTIFICATE-----
MIIDjzCCAnegAwIBAgINY3nCYsU77LIAABBWgj
...<redacted>...
NSo4ezWlQtb/44Swg0NFaLpwmn
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=C = DE, O = SAP Trust Community, CN = SAP Passport CA G2
issuer=C = DE, L = Walldorf, O = SAP SE, CN = SAP Cloud Root CA
-----BEGIN CERTIFICATE-----
MIIFLzCCAxegAwIBAddfzANBgkqhkiG9w0BAQsF
...<redacted>...
hmZooggAg+fCd5ZE4NgC7bAdwj/QYjPmXsolDjABgYUxtGQ=
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=C = DE, L = Walldorf, O = SAP SE, CN = SAP Cloud Root CA
issuer=C = DE, L = Walldorf, O = SAP SE, CN = SAP Cloud Root CA
-----BEGIN CERTIFICATE-----
MIIFZjCCA06gAwIBAgIQGHcPvmUGa79M6pM42bGdfdsfasdf
...<redacted>...
LvHPhNDM3rMsLu06agF4JTbO8ANYtWQTx0PVrZKJu+8fcIaUp
-----END CERTIFICATE-----
```
5. Create a new .pem file from the file above. This .pem file should include only the certificates, without the private key. Based on the example above, your new .pem file should look like this. Save it as communication_user.pem.

```
-----BEGIN CERTIFICATE-----
MIIDjzCCAnegAwIBAgINY3nCYsU77LIAABBWgj
...<redacted>...
NSo4ezWlQtb/44Swg0NFaLpwmn
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFLzCCAxegAwIBAddfzANBgkqhkiG9w0BAQsF
...<redacted>...
hmZooggAg+fCd5ZE4NgC7bAdwj/QYjPmXsolDjABgYUxtGQ=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFZjCCA06gAwIBAgIQGHcPvmUGa79M6pM42bGdfdsfasdf
...<redacted>...
LvHPhNDM3rMsLu06agF4JTbO8ANYtWQTx0PVrZKJu+8fcIaUp
-----END CERTIFICATE-----
```
6. When creating your communication user, upload the communication_user.pem file in the certificate section.

7. Set up the rest of your configuration for the Communication System and Communication Arrangement on your SAP S/4 HANA Cloud instance as per normal. Ensure the authentication method for Inbound communication in your Communication System is set to SSL Client Certificate.

8. Come back to Workato and fill in the following connection fields:

  • Authentication type - Client certificate(x509)
  • Client certificate - This is the first certificate in your .pem file from step 4. Based on the example above it should be:

```
-----BEGIN CERTIFICATE-----
MIIDjzCCAnegAwIBAgINY3nCYsU77LIAABBWgj
...<redacted>...
NSo4ezWlQtb/44Swg0NFaLpwmn
-----END CERTIFICATE-----
```

  • Private key - This is the private key in your .pem file from step 4. Based on the example above it should be:

```
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w
...<redacted>...
jTG6eYRIAnHR2+4Vto+QxA==
-----END ENCRYPTED PRIVATE KEY-----
```

  • Passphrase - This is the PEM pass phrase you created in step 3.
  • CA certificate - This should be the remaining two certificates in your .pem file from step 4. Since it is a chain, you will need to include both with a blank line in between.

```
-----BEGIN CERTIFICATE-----
MIIFLzCCAxegAwIBAddfzANBgkqhkiG9w0BAQsF
...<redacted>...
hmZooggAg+fCd5ZE4NgC7bAdwj/QYjPmXsolDjABgYUxtGQ=
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIFZjCCA06gAwIBAgIQGHcPvmUGa79M6pM42bGdfdsfasdf
...<redacted>...
LvHPhNDM3rMsLu06agF4JTbO8ANYtWQTx0PVrZKJu+8fcIaUp
-----END CERTIFICATE-----
```

  • Host, Service, SAP Client - Fill these in as needed based on your SAP instance details.
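
The split described in steps 5 and 8, as an added Python example that is not part of the original guide: it takes the text of output-cert.pem and returns the value for each connection field, plus the certificate-only content for communication_user.pem, so the private key never ends up in the file uploaded to SAP. The function name, dictionary keys and sample bundle are constructed for illustration, and it assumes the client certificate comes first, as in the example above.

```python
import re

# One PEM block; the label is captured so keys and certificates can be told apart.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?\r?\n-----END \1-----", re.DOTALL)

def split_pem_bundle(bundle_text):
    """Split `openssl pkcs12` PEM output into the values each connection field expects."""
    keys, certs = [], []
    for match in PEM_BLOCK.finditer(bundle_text):  # Bag Attributes lines fall outside blocks
        label, block = match.group(1), match.group(0)
        if label == "CERTIFICATE":
            certs.append(block)
        elif label.endswith("PRIVATE KEY"):
            keys.append((label, block))
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key, found {len(keys)}")
    if not certs:
        raise ValueError("no certificates found in bundle")
    key_label, key_block = keys[0]
    return {
        # Assumption: the first certificate is the client (leaf) one, as in the page's example.
        "client_certificate": certs[0],
        "private_key": key_block,
        # True for the PKCS#8 encrypted label shown in the page's sample output.
        "private_key_encrypted": key_label == "ENCRYPTED PRIVATE KEY",
        # Chain certificates separated by a blank line, as the CA certificate field requires.
        "ca_certificate": "\n\n".join(certs[1:]),
        # Certificates only: this is the file uploaded to the communication user.
        "communication_user_pem": "\n".join(certs) + "\n",
    }

# Constructed sample in the page's layout; the bodies are placeholders, not key material.
SAMPLE = """Bag Attributes
    friendlyName: SXXXXXXXXXX
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
S0VZLXBsYWNlaG9sZGVy
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
TEVBRi1wbGFjZWhvbGRlcg==
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
-----BEGIN CERTIFICATE-----
SU5URVJNRURJQVRFLXBsYWNlaG9sZGVy
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Uk9PVC1wbGFjZWhvbGRlcg==
-----END CERTIFICATE-----
"""
```

If `private_key_encrypted` comes back false, the key in the bundle is not passphrase-protected and the Passphrase field does not apply.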


Last updated: 7/31/2023, 6:54:02 PM