1.0 Introduction
This article describes the steps to integrate Fortanix Data Security Manager (DSM) with SAP S/4HANA and SAP Data Custodian for tokenization and detokenization. It also contains the information that a user requires for:
- Creating an application (app) in Fortanix DSM and saving the API key of the app in a text file.
- Importing the Fortanix Secure Socket Layer (SSL) certificate into the SAP S/4HANA system.
- Setting up Fortanix Remote Function Call (RFC) communication.
- Importing the text file containing the Fortanix DSM app API key for authentication with SAP S/4HANA.
- Displaying or updating the text file containing the Fortanix DSM app API key for authentication with SAP S/4HANA.
- Mapping the SAP S/4HANA business fields that will be tokenized using Fortanix DSM.
- Configuring the application synchronization job schedule in SAP S/4HANA.
- Tokenizing and detokenizing fields in SAP S/4HANA business processes.
2.0 Prerequisites
The following are the components involved in this integration:
- Fortanix Data Security Manager (DSM) – This is the Tokenization Service Provider (TSP)
- SAP Data Custodian, the add-on for SAP S/4HANA
- SAP Data Custodian Tenant - Go to the transaction /SDCAC/IMG and configure the SAP Data Custodian Tenant Communication as per the SAP help guide.
3.0 Establish Connection Between Fortanix DSM and SAP S/4HANA
SAP S/4HANA leverages Fortanix DSM to tokenize its data using tokenization or Format Preserving Encryption (FPE). Refer to the Fortanix DSM Tokenization Guide to learn more.
Users have the option to connect SAP Data Custodian, an add-on for SAP S/4HANA, to Fortanix DSM for tokenization and detokenization scenarios.
3.1 Create Application in Fortanix DSM
The following are the steps to create an app in Fortanix DSM to establish communication between Fortanix DSM and the SAP Data Custodian tenant. This section covers how to create and download the API key of a tokenization app in Fortanix DSM.
- Create an account in Fortanix DSM to complete the setup and configuration for creating the appropriate tokenization security objects and applications.
For more details on how to create a Fortanix DSM account, refer to the Fortanix DSM Getting Started Guide.
For more details on how to create a tokenization security object and application, refer to the Using Fortanix DSM to create a tokenization secret guide.
- After creating the app, go to the detailed view of the app and copy the API key of the app.
Figure 1: Copy API Key
- Paste the API key of the app in a text file. Save the file as Access Key.txt under a dedicated credentials folder on your computer. This file is required in SAP Data Custodian, an add-on for SAP S/4HANA, in Section 3.5: Import Fortanix App API Key into SAP S/4HANA.
Figure 2: Access key text file
Figure 3: Save the file
3.2 Create Security Object in Fortanix DSM
Create security objects in Fortanix DSM of type “Tokenization” based on the dataset, data type, and length of the field that has been identified for tokenization from the SAP S/4HANA system.
As an example, you will configure the tokenization object for the City field. This field holds characters (including special characters), is case-sensitive, and these properties must be reflected in the tokenization data type definition.
For example, City is CHAR 35 in the SAP S/4HANA application (KNA1-ORT01) and may contain uppercase or lowercase letters, digits, or special characters: the application data may hold a city as “San Jose” or “SAN Jose”, and other values may contain special characters. When you define the tokenization object in Fortanix DSM, make sure it allows all of these combinations.
- Create a tokenization security object of type Custom with the following settings:
- Character type - Alphanumeric
- The minimum Length must be 2 characters and the maximum Length must be 35 characters
- Select the Allow special characters check box
Figure 4: Create custom token
3.3 Import Fortanix SSL Certificate
Users must import the SSL certificate from Fortanix DSM to establish secure RFC communication between Fortanix DSM and SAP S/4HANA. This section covers how to obtain the Fortanix DSM SSL Certificate and import it into the SAP Trust Manager.
- Download the SSL certificate from the Fortanix DSM app created in Section 3.1: Create Application in Fortanix DSM into a suitable folder on your computer.
To create and download the SSL certificate:
- Create a folder on your computer, for example DSM_Certs.
- Create a self-signed certificate. Keep the App-ID of the app created in Section 3.1: Create Application in Fortanix DSM handy, because you must enter it as the Common Name of the self-signed certificate.
- Change directory to DSM_Certs and run the following command:
openssl req -newkey rsa:2048 -nodes -keyout private.key -x509 -days 365 -out certificate.crt
Figure 5: Create a self-signed certificate
Figure 6: Certificate generated
- Combine the private key and certificate file into a single PEM file:
cat certificate.crt private.key > client.pem
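As an added example (not part of the Fortanix or SAP documentation), the following POSIX shell script performs the certificate steps above non-interactively and checks the result before the file is imported into the SAP Trust Manager: it runs the same openssl req command with -subj supplying the App-ID as the Common Name, combines the output into client.pem, verifies that the CN matches the App-ID and that the key and certificate belong together, and reports whether the one-year certificate is close to expiring. The function names, the folder argument and the sample App-ID are assumptions.

```shell
#!/bin/sh
# Added example, not from the Fortanix or SAP documentation.
# Generates the Section 3.3 self-signed client certificate non-interactively,
# with the Fortanix DSM App-ID as the Common Name, builds client.pem, and
# checks the result before it is imported into the SAP Trust Manager.

# make_client_pem DIR APP_ID [DAYS]
# DIR is the certificate folder (the guide uses DSM_Certs); APP_ID is the
# UUID of the app from Section 3.1 and becomes the certificate CN.
make_client_pem() {
    dir="$1"
    app_id="$2"
    days="${3:-365}"

    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    # Same command as the guide; -subj supplies the CN so no prompt appears.
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/private.key" \
        -x509 -days "$days" -subj "/CN=$app_id" \
        -out "$dir/certificate.crt" >/dev/null 2>&1 || return 1
    # Combine certificate and private key into one PEM, as in the guide.
    cat "$dir/certificate.crt" "$dir/private.key" > "$dir/client.pem" || return 1
    # The PEM now contains the private key: keep it readable by the owner only.
    chmod 600 "$dir/private.key" "$dir/client.pem"
}

# verify_client_pem PEM APP_ID
# Confirms the CN is the App-ID, the file holds both a certificate and a key,
# and the two belong together (a mismatched pair fails the RFC connection test).
verify_client_pem() {
    pem="$1"
    app_id="$2"
    subject=$(openssl x509 -in "$pem" -noout -subject) || return 1
    case "$subject" in
        *"CN = $app_id"* | *"CN=$app_id"*) ;;   # OpenSSL 1.1/3 vs older spacing
        *) echo "unexpected subject: $subject" >&2; return 1 ;;
    esac
    grep -q 'BEGIN CERTIFICATE' "$pem" || return 1
    grep -q 'PRIVATE KEY' "$pem" || return 1
    # Public key taken from the certificate must equal the one derived from the key.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for_days PEM DAYS
# Succeeds only if the certificate is still valid DAYS from now. With -days 365
# the certificate expires after a year and the RFC destination stops connecting,
# so renew it before this check starts failing.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Usage: sh make_client_pem.sh <App-ID>   (creates DSM_Certs in the current directory)
if [ "$#" -eq 1 ]; then
    make_client_pem DSM_Certs "$1" && verify_client_pem DSM_Certs/client.pem "$1" \
        && echo "DSM_Certs/client.pem ready for import (CN=$1)"
fi
```

Run it once with the App-ID as the only argument; import DSM_Certs/client.pem as the Section 3.3 steps describe, and schedule cert_valid_for_days against the same file so that the yearly expiry is noticed before the Section 3.4 connection test starts failing.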
- Go to the SAP Data Custodian Implementation Guide (IMG) with transaction /n/sdcac/img in the SAP S/4HANA system.
- Expand the Configure Tokenization section.
- Select the Import the Tokenization Provider SSL Certificate activity.
- Select SSL client SSL Client (Standard).
- Ensure you are in Change mode.
- Locate the Certificate section.
- Click the Import Certificate button.
- Enter the path of the saved SSL Certificate in the File Path field.
- Select the green check mark.
- Select Add to Certificate List.
- Click Save.
3.4 Set Up Fortanix RFC Communication
Users must set up the Remote Function Call (RFC) to establish communication between the Fortanix DSM and SAP S/4HANA.
- Go to the SAP Data Custodian Implementation Guide (IMG) with the transaction code /n/sdcac/img in the SAP S/4HANA system.
- Expand the Configure Tokenization section.
- Select the Set Up Tokenization Service Provider's RFC Communication activity.
- Click the Create button.
- Enter an RFC Destination name in the RFC Destination field.
- Select G for the Connection Type (that is, HTTP connection to an external server).
- In the Description section, enter an RFC destination description.
- Select the Technical Settings tab.
- In the Target System Settings section, enter the TSP's hostname in the Host field.
- In the HTTP Proxy Options section, enter the proxy host information if applicable in the Proxy Host field and the port number into the Proxy Service field.
Figure 7: RFC Connection
- Select the Logon & Security tab.
- In the Security Options section, select Active for SSL.
- Using the drop down menu for the SSL Certificate field, select the location of the SAP Data Custodian tenant SSL certificate saved in the previous Section 3.3: Import Fortanix SSL Certificate.
- Leave all other fields in their default values.
- Click Save. If all settings are correct, the RFC destination will be saved.
- Select Connection Test.
3.5 Import Fortanix App API Key into SAP S/4HANA
Users must import Fortanix DSM API key credentials into the SAP S/4HANA system for authentication. An AES-256 encryption algorithm secures data during import, and credentials are only decrypted at runtime. After the credentials are encrypted and stored in the SAP S/4HANA system, the key will become available to all clients.
- Go to the SAP Data Custodian Implementation Guide (IMG) with the transaction code /n/sdcac/img in the SAP S/4HANA system.
- Expand the Configure Tokenization section.
- Select the Import Tokenization Provider Technical User and Fields activity.
- Select the onboarded TSP using the Tokenization Provider Name drop down menu.
- Select the RFC destination name created in the previous Section 3.4: Set Up Fortanix RFC Communication.
- Obtain the Fortanix application UUID.
Figure 8: Fortanix App UUID
- Enter your UUID in the URI of Authentication field.
- Browse for the Fortanix DSM app credentials folder in the Folder of TU Credentials field.
Figure 9: Upload Access.txt file
- Enter the UUID of the Fortanix DSM application that is used to obtain the security objects in the Batch URI of Provider Fields field.
- Click Execute to import the application and security objects from Fortanix DSM. The following message should appear. In case of any errors, follow the troubleshooting steps.
Figure 10: Technical fields onboarded successfully
3.6 Display or Update Fortanix DSM Security Objects
Users have the option to display or update the security object imported from Fortanix DSM.
- Go to the SAP Data Custodian Implementation Guide (IMG) with the transaction code /n/sdcac/img in the SAP S/4HANA system.
- Expand the Configure Tokenization section.
- Select the Display/Import Tokenization Service Provider's Fields activity.
- View the Imported Technical Fields.
- Select the Display TSP Fields option to view all the imported security objects (technical fields).
- Click Execute.
- Update Imported Technical Fields.
- Select Update TSP Fields option to update or re-import the security objects (technical fields).
- Click Execute.
Figure 11: Display or update the Fortanix DSM app fields
4.0 Map SAP S/4HANA Fields with Fortanix DSM Security Objects
Users must map the SAP S/4HANA business fields that will be tokenized to the security object imported from Fortanix DSM.
- Go to the SAP Data Custodian Implementation Guide (IMG) with the transaction code /n/sdcac/img in the SAP S/4HANA system.
- Expand the Configure Tokenization section.
- Select the Map Tokenization Entity Fields and Technical Fields activity.
- Ensure you are in Change mode.
- Select New Entries.
- Enter or search for the tokenization entity.
- Select the Tokenization Entity for tokenization mapping.
- Select Maintain and Map Tokenization Fields subfolder in Dialog Structure.
- Ensure you are in Change mode.
- Select New Entries on the menu bar.
- Enter or search for tokenization fields.
- Enter or search for the security object imported in Section 3.6: Display or Update Fortanix DSM Security Objects.
- Enter the entity name in the Tokenization Entity field and navigate to the next screen. Use F4 to select the Tokenization Provider Field, and use F4 again to select the field created in the Fortanix DSM application.
- The entity field to be tokenized must be mapped against the Fortanix DSM security object created, City (TG1). For example, the City field for the customer as a business partner: KNA1 – ORT01.
Figure 12: Map tokenization fields
- Repeat Step 12 and Step 13 for any additional field mappings.
- Click Save.
5.0 Configure Application Synchronization Job Schedule
Users must configure a recurring job schedule to synchronize application attributes and tokenization field mappings for either control, transparency, tokenization, or resource fact scenarios from SAP S/4HANA to the SAP Data Custodian tenant. Synchronized application attributes and tokenization field mappings can then be used in the SAP Data Custodian tenant for policy definition.
- Go to the SAP Data Custodian Implementation Guide (IMG) with the transaction code /n/sdcac/img in the SAP S/4HANA system.
- Expand the Configure Tokenization section.
- Select the Configure Application Synchronization Job Schedule activity.
- In the General Data section, enter a name in the Job Name field.
- Select Job Class.
- Select Start Condition on the menu bar.
- Select the Date/Time tab.
- Enter Scheduled Start details in Date and Time fields.
- Select the check box for Periodic Job.
- Select Period Values and click Save.
- Select Save for the Start Condition.
- Select Step on the menu bar.
- Locate the ABAP Program section.
- Set the program name to /SDCAC/GROUP_SYCHRONIZATION.
- Click Save for the Step.
- Click Save for the Job.
6.0 Perform Bulk Tokenization and Detokenization
Users must perform bulk tokenization before using the SAP Data Custodian tokenization feature. All field values maintained in the SAP Data Custodian IMG configuration mapping must be bulk tokenized before implementing the tokenization or detokenization feature.
This section covers how to implement the BAdI /SDCAC/TK_BULK_BADI based on the entity field mappings maintained in the SAP Data Custodian IMG configuration mapping. This is a multi-implementation BAdI and requires filter values for each implementation. Ensure you read the additional bulk tokenization information in the Program Documentation before completing this activity. Please ask your SAP contact for the Implementation Guide for Bulk Tokenization.
6.1 Logging
Tokenization or detokenization activity logging must be implemented to ensure data consistency. After the implementation process is complete, users must enable the logging feature by implementing the following enhancements:
Users must create two (2) custom data dictionary tables:
- Tokenization log table: add fields from the append structure /SDCAC/TOKENIZATION_FIELDS as key fields and from /SDCAC/TOKENIZATION_LOGS as non-key fields. This table is used to store the tokenization logs for data currently tokenized in the database.
- History table: add fields from the append structures /SDCAC/TOKENIZATION_FIELDS and /SDCAC/TOKENIZATION_LOGS as key fields. This table is used to store detokenization logs. For the data that has been successfully detokenized, the previous tokenization logs are moved from the Tokenization log table to this table.
The BAdI interface has two (2) implementation methods:
- READ_TK_LOGS: This method is called before tokenization or detokenization occurs. It can be implemented to read the logs from the custom log table when bulk and individual tokenization operations are performed, to avoid unnecessary tokenization or detokenization activity.
- WRITE_TK_LOGS: This method is called after the tokenization operation happens. An enhancement can be implemented here to write logs into the custom Tokenization log table when tokenization activity is performed. These logs are used as a reference to avoid unnecessary tokenization or detokenization activity.
6.2 Bulk Tokenization and Detokenization
- Go to the SAP Data Custodian Implementation Guide (IMG) menu with the transaction code /n/sdcac/img in the SAP S/4HANA system.
- Expand the Configure Tokenization section.
- Select the Perform Bulk Tokenization/Detokenization activity.
- Select Tokenization or Detokenization in the Object Selection section.
- Select the checkbox beside All Config Tokenization Fields to configure all available entity fields related to your tokenization entity or unselect to enable each individual field manually.
- Select your desired Name of a BAdI Filter using the picker tool or input help (F4).
- (Optional) Select the Parallel Processing Settings check box in the Server Group Selection section.
- (Optional) Select your Server Group using the picker tool.
- (Optional) Set your Max Number of Parallel Tasks.
- Select the Execute button.
- Complete the steps in Section 5.0: Configure Application Synchronization Job Schedule to schedule your new background job.