AWS for SAP

HAQM SES configuration for SAP ABAP Systems

Introduction

Disclaimer

Since AWS certificates can rotate / change at any time, it is customer’s responsibility to keep their SAP trust stores up to date.

More information on certificate pinning can be found at the following link http://www.amazontrust.com/repository

One of the most common requirements when running an SAP system is to send outgoing email, which can come from several different areas, from monitoring and alerting (e.g Solman), batch processing / process chains, workflows, and so on…. If you have moved your SAP system to AWS, you may want to get rid of some mail servers still running on-premises or avoid the deployment of an EC2 instance dedicated to run a SMTP(Simple Mail Transfer Protocol) server.

HAQM Simple Email Service (SES) is a cost-effective, flexible, and scalable email service that enables customers to send mail from within any application. You can configure HAQM SES quickly to support several email use cases, including transactional, marketing, or mass email communications

In this blog we will guide you through the required steps to configure outbound mail from an SAP ABAP system using HAQM SES (Simple Email Service) service.

Prerequisites

As first step, we will be configuring a “Sandbox” account within HAQM SES and verify a sender email address for initial testing. Once all the setup steps will be successful, we can convert this account into Production and the SES service will be accepting all mails coming from our SAP systems (for more details on this topic, please see the HAQM SES documentation).

Within AWS EC2 Console, navigate to HAQM SES and click on Email Addresses, then press the “Verify a New Email Address”. Please enter your email, click on Verify This Email Address and check your mail inbox, you should receive an automated email with a link to confirm that you are authorized to use this email address:

Email address verification box

After the verification is completed, the Status will change to green under Verification Status

HAQM SES email address verification

Once the email address verification is completed, we need to create proper smtp credentials which will be used by our SAP systems. To create the credentials, click on “SMTP Settings” and press the “Create My SMTP Credentials” button.

HAQM SES SMTP settings screen

Please also note down the Server Name as it will be required afterwards during the SAP system configuration

Enter a meaningful username and click on create bottom in the bottom right page

HAQM SES IAM username input screen

You have the possibility to display and download the SMTP username and password credentials in a csv file (bottom right page)

HAQM SES credentials to be used in SAP

SAP ABAP Outbound Email Configuration

We can now connect to our SAP ABAP system and logon into the working client and call transaction SCOT, select the SMTP nodes, and create a new one via the wizard

SCOT landing page

Specify a meaningful name and provide the parameters noted during the HAQM SES setup

Press on the settings button, and provide the credentials generated in the previous steps

SCOT security settings display

Note: some older Netweaver releases might return an error related to the password field length; in such case, some SAP Notes need to be imported to correct the issue ( 1724704, 2439601,2363295 and 2372893).

Download the 5 root certificates from http://www.amazontrust.com/repository/ in der format and store the file locally.

In transaction STRUST, import the certificates into the SSL client (Standard) and restart the service via SMICM

STRUST ssl configuration with imported HAQM certificate

Test outbound email

In transaction SO01, create a test email and press the send button

SO01 create mail screen

In transaction SOST, you can trigger a send job via menu Send Request → Start Send Process for Selection

Transaction SOST displaying email in queue

If everything is fine, you will see the status change and get a mail in your inbox

Transaction SOST displaying email sent successfully

In case of any issue, please check the correct AWS region / SES endpoints are selected (and entered within SCOT), and that SMICM has been restarted after importing the certificate into STRUST. You will find any communication / certificate error messages in ICM logs (SMICM, Goto→ trace files → display all)

SAP transaction SMICM display trace files menu

Conclusion

In this blog, we have shown how to configure SAP ABAP systems for sending outbound emails, a very common requirement, both from Business processes and Basis operations perspectives. More information can be found in the following link

Let us know if you have any comments or questions—we value your feedback.