Azure BLOB as SAP ILM Store

As customers move their SAP landscapes into Azure, it is not all about just replacing server, storage, and network infrastructure. As customer, you also look for replacing products, that you are using for such tasks like backup/restore, monitoring, archiving, etc. You want to simplify operations by ideally using SaaS services the public cloud provides. In the case we describe here, on a very deep technical level, we are describing how to leverage Azure Blob storage directly for SAP archiving using ILM functionality of S/4HANA 2021. A development SAP and Microsoft cooperated in. Azure BLOB storage is a massively scalable, highly available, and durable, and a secure object storage solution in the cloud. To use it for archiving SAP data, you so far had to use other products in the middle that would support writing and reading into or from Azure Blob storage on the one side. And on the other side represent the respective interfaces to SAP to be recognized as archive target. Something that is not necessary anymore with S/4HANA 2021 and future versions of S/4HANA. This article will explain how to setup and configure S/4HANA ILM using Azure Blob storage as archiving target. 

As we start this article, please note a very important selection criterion for Azure Blob storage:

Premium Tier BLOCK BLOB low latency storage is not suitable for this purpose which has only LRS and ZRS storage redundancy options.

Azure Portal Configuration

1. Create Application ID in Azure Active Directory
   1. Give a name for your application and select the account type as shown below. Application ID Creation
   2. Create Client SecretCreate Client Secret

       

   3. Copy the "Client Secret" Value and secure it as it will be visible only for the first time.
   4. Add "Access Azure Storage" Permission in API Permission as shown below.API Permission

       

   5. Copy the Application IDCopy Application ID

       

   6. Copy OAuth 2.0 token endpoint and OAuth 2.0 Authorization endpoint URLAuthorization Endpoint

       

      Spoiler

      Important Note: copy excluding https://

       

2. Create Storage Account with the standard tier with the storage redundancy from the above selection process and make sure you configure the following
   1. set the Secure transfer required to "enabled."
   2. set the Allow Blob public access to "disabled."
   3. set the Allow storage account key access to "disabled."
   4. select the minimum TLS version to "Version 1.2."Storage Account Configuration
   5. Provide access to the Application ID by adding role assignments in the IAMAdd role

       

   6. Copy the Blob Endpoint URL Copy Blob Endpoint URL

       

      Spoiler

      Important Note: copy excluding https://
       
3. Before Proceeding to the next step, please make sure you have the following information
   1. OAuth 2.0 authorization endpoint (v2) URL excluding https://
   2. OAuth 2.0 token endpoint (v2) URL excluding https://
   3. Blob Service URL excluding https://
   4. Application (Client) ID
   5. Client Secret Value
4. Export Certificates
   1. open the Oauth Authorize URL and export the certificate Export OAuth Certificate

       

Open the Blob Service URL and export the certificate Export Blob CertificateSAP Configuration

1. Import Certificates in SAP 
   1. Goto T-Code STRUST and Select SSL Client (Standard) 
   2. Import OAuth certificate as shown below.  OAuth URL Certificate import

       

   3.  Import Blob Service Certificate as shown below Blob URL Certificate Import

       

2. OAuth Configuration
   1. Goto T-code OA2C_CONFIG
   2. Click Create
   3. Select ILMAZURE_STORAGE_OATUHPROF profile from the drop-down list
   4. Provide a Configuration name
   5. Enter the Client ID copied earlier in step Azure Portal Configuration 1.5 

       

   6. Proceed to enter the client secret Value copied in step Azure Portal Configuration 1.3
   7. Enter the OAuth token Endpoint URL copied from Azure Portal Configuration step 1.6
   8. Select SSL Client PSE at the bottom of the page to "DFAULT SSL Client (Standard)" from the drop-down list OAuth Configuration
   9. Save
3. Create RFC Destination to Azure BLOB
   1. Goto T-Code SM59
   2. Create RFC Destination Type G - HTTP Connection to External Server
   3. Enter Description
   4. In the Technical Settings tab, enter the host files with Blob Endpoint URL copied from step Azure Portal Configuration 2.6 

       

   5. In the Logon & Security tab security Options, select SSL Certificate DFAULT SSL Client (Standard) from the drop-down list. 
   6. In Special  Options HTTP Settings select HTTP version as HTTP 1.1 

       

       
   7. Save the changes 
   8. Test the Connection 
      Spoiler

      Error 409 is good 
4. Test Connectivity from SAP to Azure BLOB
   1. Goto T-Code SA38
   2. Enter Program Name "RILM_STOR_TEST_AZURE" and execute
   3. Enter the HTTP Destination, OAuth Client Profile, and Configuration as shown below 

   4. Execute and the result as shown below

Next Steps

With the successful Azure BLOB connectivity concluding our blog, for other ILM Store and Origin customizing and publishing, please refer to SAP Documentation for the SAP ILM configuration guide.

Quick References

The following notes and links come in handy during the configuration.

what's new on S/4 HANA 2021

ILM store documentation

Setup guide for Azure BLOB 

3037454 - "Logon is being prepared" when accessing SOAMANAGER - SAP ONE Support Launchpad

2832543 - Error "500 Internal Server Error" when running t-code SOLMAN_SETUP in SAP Solution Manager 7.2 - SAP ONE Support Launchpad

https://developer.microsoft.com/en-us/microsoft-edge/webview2/#download-section