SAP 擷取器

若要開啟連接器，進行下列事項：

1. 在連線中，按一下建立連線。

2. 選取 SAP 擷取器來源連接器，然後提供下列設定：

連線到特定 SAP 應用程式伺服器

資料來源

• 資料閘道

  選取 Data Movement gateway 以用於移動資料。

• 連線至：選取應用程式伺服器。

• 伺服器：SAP Extractor 來源所在應用程式伺服器的 IP 位址。

• 執行個體編號：SAP Extractor 資料來源的執行個體編號。

• 用戶端識別碼：SAP Extractor 資料來源的系統 ID。

帳戶屬性

• 使用者名稱：存取 SAP Extractor 資料來源的使用者名稱。這是指早先在 SAP 中所建立通訊使用者的使用者名稱。

• 密碼：存取 SAP Extractor 資料來源的密碼。這是指早先在 SAP 中所建立通訊使用者的密碼。

安全性

請參閱下方的安全性。

CDC 屬性

執行擷取器的間隔 (分鐘)：指定檢查變更的頻率。

名稱

來源連線的顯示名稱。

使用載入平衡連線到 SAP 系統

資料來源

• 資料閘道

選取要使用的 Data Movement gateway。

若您不想要使用 Data Movement gateway，選取無。如需關於 Data Movement gateway 的詳細資訊，請參閱 Qlik Data Gateway - Data Movement。

資訊備註此欄位無法用於 Qlik Talend Cloud 啟動器 訂閱，因為不支援 Data Movement gateway。

• 連線至：選取載入平衡環境。

• 訊息伺服器：訊息伺服器主機的主機名稱或 IP 位址。

• 應用程式伺服器群組名稱：SAP 伺服器群組的名稱。這是載入平衡連線的選用性應用程式伺服器群組。

• SAP 系統名稱：SAP R/3 的名稱。

• 訊息伺服器服務：以下檔案所指定 SAP 訊息伺服器服務的名稱：

  <system drive>:\WINDOWS\system32\drivers\etc\services

  如您未指定值，Data Provider for SAP 會使用以下預設名稱：

  sapms<R/3 system name>

• 用戶端識別碼：SAP Extractor 資料來源的系統 ID。

帳戶屬性

• 使用者名稱：存取 SAP Extractor 資料來源的使用者名稱。這是指早先在 SAP 中所建立通訊使用者的使用者名稱。

• 密碼：存取 SAP Extractor 資料來源的密碼。這是指早先在 SAP 中所建立通訊使用者的密碼。

安全性

請參閱下方的安全性。

CDC 屬性

執行擷取器的間隔 (分鐘)：指定檢查變更的頻率。

內部屬性

內部屬性用於特殊使用情況，因此不會在對話方塊中顯示。您只能在 Qlik 支援指示下使用。

根據需要使用欄位右側的 和 按鈕以新增或移除屬性。

名稱

來源連線的顯示名稱。

安全性

In the Security settings, you can configure Secure Network Communication (SNC).

Prerequisites for working with SNC

Follow the steps below to install the Secure Network Communication (SNC) client on the Data Movement gateway machine.

What you need:

• An exported certificate (.crt) of the SAP server. Export the certificate as follows:
  1. Log into the SAP system.
  2. Run STRUST transaction.
  3. Select SNC SAPCryptolib.
  4. Select the subject under Own Certificate.
  5. Click the Display > Change option, and select Export certificate.
  6. From the Certificate section, choose the type and save the file.
• SAPCAR.EXE
• SAP user (authorized customer)
• The version of the crypto library which is installed on the corresponding SAP server

Installing the SNC client

1. Create a workspace folder for the SAP SNC files and binaries (hereafter referred to as "your SNC folder"), for example: "C:\snc\"
2. Copy the exported server certificate and SAPCAR.EXE to your SNC folder.
3. Go to https://support.sap.com/en/my-support/software-downloads.html and search for SAPCRYPTOLIB under Installations & Upgrades. Download the 64-bit .SAR to your SNC folder.

4. Open a command prompt and change the working directory to your SNC folder. Then run the following command to unpack the content of the .SAR to your SNC folder:

   sapcar -xvf LibName.sar

   Example:

   sapcar -xvf SAPCRYPTOLIBP_8541-20011731_32.SAR

5. Add system environment variables as follows:
   1. Add a system environment called SECUDIR with the path to your SNC folder as its value.
   2. Add a system environment variable called QLIK_SNC_LIB with the path to the sapcrypto.dll file as its value.
   3. Add the newly added environment variables to the "PATH" environment variable.

6. Determine the <PSE_File_Name> and choose a <PSE_PIN> to protect it. You will need to provide this information in the next steps.

   Example:

   pseName: "CN=USR,OU=SAP,O=Qlik,C=IS" password: password123

7. Determine the <SNC_NAME>. It should look something like this: CN=USR, OU=SAP, O=Qlik, C=IS

   See also Determining the server SNC name below.

8. Make sure you have the required permissions to access and execute the files in the SECUDIR folder, and then run the following command to generate the PSE file:

   sapgenpse get_pse -p <PSE_File_Name>.pse -x <PSE_PIN> <SNC_NAME>

   Example:

   sapgenpse get_pse -p usr.pse -x password123 "CN=USR,OU=SAP,O=Qlik,C=IS"

9. Bind the PSE file with the OS user and create the CRED_V2 file in SECUDIR folder as follows:

   1. Make a note of the OS user under which the Qlik replication server is running. To do this on Linux, run the ps aux command.

   2. Run the following command:

      sapgenpse seclogin -p <PSE_File_Name>.pse -x <PSE_PIN> -O <OS_USER>

      Example:

      sapgenpse seclogin -p usr.pse -x password123 -O SYSTEM

10. Generate the CRT file by executing the following command:

    sapgenpse export_own_cert -o <PSE_File_Name>.crt -p <PSE_File_Name>.pse -x <PSE_PIN>

    Example:

    sapgenpse export_own_cert -o usr.crt -p usr.pse -x password123

11. Import the SAP Application Server Certificate (<SERVER_CRT>) to the PSE by executing the following command:

    sapgenpse maintain_pk -a <SERVER_CRT>.crt -p <PSE_File_Name>.pse -x <PSE_PIN>

    Example:

    sapgenpse maintain_pk -a sapsys.crt -p usr.pse -x password123

12. To verify that the DN of the SAP Server’s PSE was imported into the client, run the following command and then check the "subject" value:

    sapgenpse maintain_pk -v -l -p <PSE_File_Name>.pse

    Example:

    sapgenpse maintain_pk -v -l -p usr.pse

Importing the client certificate

1. Connect to the SAP Application Server and navigate to the "STRUST" transaction using an authorized user.
2. Double-click the SNC (SAPCryptolib) folder.
3. Click to switch to Change view.
4. Click to import the certificate.
5. In the new dialog, enter the path to the .crt file that was created earlier, then click continue.
6. Verify the details of the certificate in the Certificate section.
7. Click Add to Certificate List to add the certificate to the list.
8. Save the changes.

Determining the server SNC name

There are two ways you can determine the server name:

• Method 1: Decrypt the server CRT file using the OpenSSL command. The server name will be part of the subject.
• Method 2: This method requires appropriate permissions. While connected to the system:
  1. Run the RZ10 transaction.
  2. Select the system profile.

  3. Select the Extended Maintenance option and then click Display.

  4. The value of the snc/identity/as parameter should be the SNC name.

Connection settings

Configure the SNC settings in the SAP 擷取器 連接器 as follows:

• Activate Secure Network Communication: Select to turn on SNC.

• SNC name: The SNC partner name.

  Example:

  p:CN=SYS, OU=SAP, O=Qlik, C=IS

• SNC quality of protection - Select one of the following:
  • Authentication only: Select to verify the identity of the SAP 擷取器 machine. This is the minimum protection level offered by SNC.
  • Integrity protection: Select to detect any changes or manipulation of the data, which might have occurred between the Data Movement gateway machine and the SAP 擷取器 machine.
  • Privacy protection: Select to encrypt the messages being transferred to prevent eavesdropping. Privacy protection also includes integrity protection. This is the maximum level of protection provided by SNC.
  • Maximum security available: The maximum level of data protection supported by the SAP 擷取器 machine.