Denodo RFCReadTable Custom Wrapper - User Manual
Introduction
RFCReadTable is a Virtual DataPort custom wrapper for querying tables of SAP Systems.
The custom wrapper invokes the standard RFC function module RFC_READ_TABLE that gives access to all tables in a SAP system via ABAP (Advanced Business Application Programming). The function retrieves columns of a specified table in the SAP system and returns the data as a result set.
Although VDP can invoke the RFC_READ_TABLE using its BAPI data source, the motivation behind the RFCReadTable Custom Wrapper is to simplify the process by automatically creating the view schema, without the need to create data combinations manually.
Architecture and Features
RFCReadTable Custom Wrapper allows users to create base views and execute SQL queries on SAP platforms accessing via SAP Java Connector (SAP JCo). JCo is a Java language wrapper to the RFC library that allows any Java application access to SAP systems.
RFCReadTable Custom Wrapper Architecture
The custom wrapper uses the RFC_READ_TABLE function. Note however that, unfortunately, older versions of this RFC had some limitations:
- The combined length of the retrieved columns could not exceed 512 bytes.
- In some cases (for decimal fields), RFC_READ_TABLE will compute a field output length that is shorter than the actual storage length required for displaying large values. When it attempts to extract data, it truncates the result and the output will contain a ‘*’ character.
In those cases, the Custom Wrapper will log an error to inform the user, e.g.:
ERROR RFCReadTableWrapper - Error converting: '*6.38600-' in field 'UKURS' of ABAP type 'P' in row '25'.
- When working with columns of type FLOAT, the module may cause an ABAP exception: ASSIGN_BASE_WRONG_ALIGNMENT.
SAP published a new implementation of RFC_READ_TABLE that works around these limitations. The specific SAP notes including this upgrade may vary depending on your SAP version (e.g. notes 2246160 and 382318). Please check your SAP installation in order to determine whether this new version of the RFC is available for you.
If you cannot use a modern version of RFC_READ_TABLE, there are still three options to work around these limitations:
- Limit the columns to be retrieved.
Use the Selection view in the VDP Admin Tool or limit the projected fields in the VQL Shell; field projections are delegated to SAP.
- Use BBP_RFC_READ_TABLE to retrieve the table content.
BBP_RFC_READ_TABLE solves the FLOAT problem, but does not increase the 512 byte limit.
- Use a custom function module to retrieve the table content.
This requires a development user and the creation of a custom function module. For more information see SAP’s documentation.
In the latter two cases the wrapper should be configured with the optional parameter RFC Name indicating the name of the alternative RFC function.
Capabilities
This wrapper is only able to carry out read operations. It can delegate to SAP the following query artifacts and operators:
- Operators: =, <>, LIKE, <, >, <=, >=, IN, BETWEEN.
- AND operations.
- OR operations.
- NOT operations.
Due to the delegation of the previous operators, the performance of the custom wrapper is better because many operations will be performed by SAP itself, instead of having to rely on VDP in-memory post-filtering.
Usage
Creating a RFCReadTable Data Source
In order to use the RFCReadTable Custom Wrapper in VDP:
- Obtain the SAP Java Connector 3.0.
- It can be downloaded from http://service.sap.com/connectors, section SAP Java Connector → Tools & Services.
- If VDP runs on a 32-bit O.S, download the 32-bit connector.
- If VDP runs on a 32-bit JVM, on a 64-bit O.S, download the 32-bit connector.
- If VDP runs on a 64-bit JVM, download the 64-bit connector.
- Copy the files sapjco3.dll (sapjco3.so for Linux systems), sapjco3.jar and denodo-rfcreadtable-customwrapper-${version}-jar-with-dependencies.jar into the same folder. Place this folder outside <DENODO_HOME>. These are the files for Windows systems.
- Go to New → Data Source → Custom. In the ‘Class path’ parameter, select the folder where the SAP connector files and the jar of the custom wrapper were placed. In the ‘Class name’ parameter, enter the wrapper’s class name: com.denodo.connect.sap.rfcreadtable.wrapper.RFCReadTableWrapper
RFCReadTable Data Source
The data source needs the following parameters:
- Client Id (mandatory): The 3-character client ID definition.
- User/Password: Username and password to log into SAP. These fields are mandatory, but in Denodo 8 it is possible to configure an alternative authentication method using the field Custom configuration file. See the Azure Key Vault Authentication and CyberArk Vault Authentication sections, depending on the authentication method required.
- Pass-through session credentials (from Denodo 7.0): If selected, when a client queries a view that uses this data source, Virtual DataPort will use the credentials of the user to execute the wrapper, instead of the value of the fields “User” and “Password”. The value of these fields will be used only when creating the base view to connect to SAP to obtain information about the SAP table. This option is not supported when Kerberos is used as authentication mechanism for VDP.
- RFC Name (optional): Name of the custom version of RFC_READ_TABLE, if any. By default the wrapper will invoke RFC_READ_TABLE. For more information see section Architecture and Features.
- Language (optional): Login language, default is en.
For the configuration of the physical connection to SAP the custom wrapper offers two options:
- Direct connection to a SAP instance:
- System number (mandatory): System number of the SAP server.
- Host (mandatory): SAP server.
- Load balancing connection to a group of SAP instances:
- System ID (mandatory): System ID of the SAP system.
- Message server (mandatory): SAP message server.
- Message server port (optional): SAP message server port.
- Load balancing group (mandatory): Group of SAP application servers.
In both cases a SAP router string can be configured if the SAP system is behind a SAP router:
- Router: The SAP Router string contains the chain of SAP Routers and their port numbers, and has the form: (/H/<host>[/S/<port>])+
Creating a Base View
Once the custom wrapper has been registered, we will be asked by VDP to create a base view for it.
Base views created from the RFCReadTableWrapper need the following parameters:
- Table (mandatory): Name of the table to be read.
- Remove trailing spaces (mandatory): Remove trailing spaces from string results.
- Return empty strings as null (mandatory): Automatically convert to null any empty string values returned.
- Paginated results (mandatory): Paginate the results to avoid retrieving them all at once, reducing the overall memory usage at VDP. Note that this requires the RFC being called to support the ROWSKIPS and ROWCOUNT parameters.
However, it should be noted that SAP itself does not allow persistent database cursors, so using pagination could cause a performance problem at SAP: SAP would have to perform the entire query once for each 'page' VDP asks for, each time skipping a large number of rows until it finds the first row that should be sent back to VDP.
The problem would not only be performance. Given that SAP would be performing a number of queries on its database instead of just one, the results of the second and subsequent queries could be affected by modifications made to the SAP database between queries, so the consistency of the final results could be compromised.
- RowCount (optional): page size used in the pagination. By default it is fixed to 1000.
- Retrieve results from ET_DATA: If true, the custom wrapper will use the ET_DATA output parameter to obtain data, which works around the standard 512-byte limitation of the RFC_READ_TABLE function. Default is false.
NOTE: The ET_DATA functionality requires the SAP server to have this specific functionality installed, which might not be standard in your version and require additional SAP notes to be installed (which specific notes need to be installed depends on the SAP base version).
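The consistency problem described under Paginated results can be reproduced without an SAP system. The following simulation is an added example, not code from the wrapper: it re-runs the query for every page with ROWSKIPS and ROWCOUNT while another session changes the table, then reports which rows were duplicated, missed or returned stale. The table keys and all function names are constructed for illustration.

```python
"""Simulate ROWSKIPS/ROWCOUNT paging over a table that changes between
page requests. Table contents and helper names are constructed."""

def read_page(table, rowskips, rowcount):
    # Stand-in for one RFC call: with no persistent cursor, the source
    # re-runs the whole query, skips `rowskips` rows, returns `rowcount`.
    return sorted(table)[rowskips:rowskips + rowcount]

def paginate(table, rowcount, concurrent_write=None):
    """Read all pages; `concurrent_write(page_no, table)` models another
    session modifying the table between two page requests."""
    rows, rowskips, page_no = [], 0, 0
    while True:
        page = read_page(table, rowskips, rowcount)
        if not page:
            return rows
        rows.extend(page)
        rowskips += rowcount
        page_no += 1
        if concurrent_write:
            concurrent_write(page_no, table)

def consistency_report(rows, table):
    """Compare the paged result with the table as it stands at the end."""
    seen = set(rows)
    return {
        "duplicates": sorted({k for k in rows if rows.count(k) > 1}),
        "missing": sorted(set(table) - seen),
        "stale": sorted(seen - set(table)),
    }

def run_scenario(write):
    table = {f"K0{i}" for i in range(1, 7)}  # constructed keys K01..K06
    rows = paginate(table, rowcount=2, concurrent_write=write)
    return rows, consistency_report(rows, table)

def delete_after_first_page(page_no, table):
    if page_no == 1:
        table.discard("K01")  # a row that was already returned is deleted

def insert_after_first_page(page_no, table):
    if page_no == 1:
        table.add("K00")  # a new row sorts before the rows already returned

if __name__ == "__main__":
    for write in (None, delete_after_first_page, insert_after_first_page):
        print(run_scenario(write))
```

A delete shifts every later row one position up, so one row is never returned; an insert shifts them down, so one row is returned twice.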
Example
In the following example we want to import ‘TJ03T’, that is a standard SAP Table which is used to store texts for object types information and which is available within the used SAP system.
Parameters of the data source edition for a SAP direct connection
Parameters of the datasource edition for a SAP load balancing connection
Base view parameters
The schema and data of the TJ table can be seen in the images below.
RFCReadTable Base View
RFCReadTable Base View execution
Security
To secure the communication between the RFCReadTable wrapper and the SAP server, Secure Network Communication (SNC) and the SAP Cryptographic Library (SAPCRYPTOLIB) are used.
SNC supplies three levels of protection:
- Authentication only
The system verifies the identity of the communication partners.
- Integrity protection
The system detects any changes or manipulation of the data, which may have occurred between the wrapper and the SAP server.
- Privacy protection
The system encrypts the messages being transferred between the wrapper and the SAP server.
Base views using SNC need the following parameters:
- Enable SNC: whether to apply SNC to connections or not
- SAP Cryptographic library (mandatory): path and file name of the SAP Cryptographic Library (sapcrypto.dll for Windows or libsapcrypto.so for UNIX).
The installation package is available free-of-charge to SAP customers on the SAP Service Marketplace at https://support.sap.com/swdc. Menu path: Installations and Upgrades -> Browse our Download Catalog -> SAP Cryptographic Software.
- Partner SNC name (mandatory): the distinguished name of the SAP server. It can be found in the SAP profile parameter snc/identity/as.
- SNC name (optional): the distinguished name of the custom wrapper user.
- Security level (optional): the protection level to apply:
- Apply authentication only
- Apply integrity protection (includes authentication)
- Apply privacy protection (includes integrity protection and authentication)
- Apply the default protection: value configured in the SAP profile parameter snc/data_protection/use
- Apply the maximum protection: value configured in the SAP profile parameter snc/data_protection/max
For information on how to enable SNC to secure the communications between the host where the Virtual DataPort server is installed and SAP, you can read this article from our Knowledge Base:
https://community.denodo.com/kb/view/document/Enabling SNC on SAP Connections
Azure Key Vault Authentication
The Denodo RFCReadTable Custom Wrapper provides support to obtain credentials from Azure KeyVault using the “client secret” authentication method. This only applies to Denodo 8 or higher.
This authentication mode requires creating a properties file and configuring it in the Custom configuration file field. These properties instruct the custom wrapper to send a request to Azure KeyVault in order to obtain (as secrets) the user and the password to be used to connect to SAP.
- KeyVault URI: this is the URI for the target KeyVault. It is specified by Azure at the KeyVault “Overview” section. Set the following property in the file:
com.denodo.connect.sap.vault.plugin.azure.vaultUri
- Tenant ID: this is the tenant identifier of the Azure account. Set the following property in the file:
com.denodo.connect.sap.vault.plugin.azure.tenantId
- Client ID: this is the client identifier of the Azure application used for the access. Set the following property in the file:
com.denodo.connect.sap.vault.plugin.azure.clientId
- Client secret: this is the client secret of the Azure application used for accessing. Set the following property in the file:
com.denodo.connect.sap.vault.plugin.azure.secretKey.secret
- User secret name: the name of the secret that stores the SAP user in Azure KeyVault. Set the following property in the file:
com.denodo.connect.sap.vault.plugin.azure.userSecretName
- Password secret name: the name of the secret that stores the SAP password in Azure KeyVault. Set the following property in the file:
com.denodo.connect.sap.vault.plugin.azure.pwdSecretName
Sample Custom Configuration File
com.denodo.connect.sap.vault.plugin.azure.tenantId=000aaf-some-tenant-00-f0aa000f
com.denodo.connect.sap.vault.plugin.azure.vaultUri=https://????????.vault.azure.net/
com.denodo.connect.sap.vault.plugin.azure.clientId=00000000-some-client-id-a00a0a0f
com.denodo.connect.sap.vault.plugin.azure.secretKey.secret=00AA000AAA00AA000A_00A
com.denodo.connect.sap.vault.plugin.azure.userSecretName=myUserForSap
com.denodo.connect.sap.vault.plugin.azure.pwdSecretName=myPwdForSap
CyberArk Vault Authentication
The Denodo RFCReadTable Custom Wrapper provides support to obtain credentials from CyberArk Vault using the agentless mode. This only applies to Denodo 8 or higher.
This authentication mode requires creating a properties file and configuring it in the Custom configuration file field. These properties instruct the custom wrapper to send a request to the AIMWebService service of CyberArk in order to obtain the user and the password to be used to connect to SAP. This request is made at runtime.
- Application Id: the identifier of the application at CyberArk Vault. Set the following property in the file:
com.denodo.connect.sap.vault.cyberark.app.id
- Vault URI: URL of the AIMWebService of CyberArk. For example, https://cyberark-server.acme.com/AIMWebService/api/Accounts. Set the following property in the file:
com.denodo.connect.sap.vault.cyberark.vaultURI
- Safe: container of CyberArk. Set the following property in the file:
com.denodo.connect.sap.vault.cyberark.safe.id
- Account name: account name that contains the user and password in CyberArk. Set the following property in the file:
com.denodo.connect.sap.vault.cyberark.account.name
- Client certificate (private key): local path of the file that contains the private key used for authenticating the above Application Id in the CyberArk Vault. It has to be a PFX or PKCS#12 file. Set the following property in the file:
com.denodo.connect.sap.vault.clientcertificate.pfx.p12.certificate.url
- Certificate Password: the password of the Client certificate. Set the following property in the file:
com.denodo.connect.sap.vault.clientcertificate.pfx.p12.password
- Certificate of Certification Authority (CA) (optional): local path of the file that contains the certificate used for validating the response from CyberArk Vault. It has to be a PFX or PKCS#12 file or a X509 certificate. You only need this if the vault uses a certificate that is not widely recognized. Set the following property in the file:
com.denodo.connect.sap.vault.clientcertificate.trust.store.file
- Authority Password (optional): the password of the Certificate of Certification Authority (CA). If you provide a X509 certificate, this password is ignored. Set the following property in the file:
com.denodo.connect.sap.vault.clientcertificate.trust.store.password
- Validate host (optional): If true, it activates the validation of the host name of the certificate. Set the following property in the file:
com.denodo.connect.sap.vault.clientcertificate.validate.host
Sample Custom Configuration File
com.denodo.connect.sap.vault.clientcertificate.pfx.p12.certificate.url=C:\\Documents\\CyberArkCertifieds\\client_1-28.p12
com.denodo.connect.sap.vault.clientcertificate.pfx.p12.password=xxxxxxxx
com.denodo.connect.sap.vault.clientcertificate.trust.store.file=C:\\Documents\\CyberArkCertifieds\\RootCA.crt
com.denodo.connect.sap.vault.clientcertificate.trust.store.password=
com.denodo.connect.sap.vault.clientcertificate.connection.timeout=10000000
com.denodo.connect.sap.vault.clientcertificate.validate.host=true
com.denodo.connect.sap.vault.clientcertificate.proxy.host=
com.denodo.connect.sap.vault.clientcertificate.proxy.port=
com.denodo.connect.sap.vault.clientcertificate.proxy.user=
com.denodo.connect.sap.vault.clientcertificate.proxy.password=
com.denodo.connect.sap.vault.cyberark.vaultURI=https://services-uscentral.skytap.com:13598/AIMWebService/api/Accounts
com.denodo.connect.sap.vault.cyberark.app.id=Denodotest
com.denodo.connect.sap.vault.cyberark.safe.id=Denodotest
com.denodo.connect.sap.vault.cyberark.account.name=Accountname
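Both the Azure Key Vault and the CyberArk custom configuration files hold a secret in clear text (the client secret or the certificate password), so the file is worth checking before it is deployed. The following audit script is an added example, not part of the Denodo wrapper: the rule set is its own, the sample content is constructed, and it assumes property keys are matched case-sensitively, as java.util.Properties does.

```python
"""Audit a custom configuration file holding the vault properties above."""
import os
from urllib.parse import urlparse

PREFIX = "com.denodo.connect.sap.vault."
CYBERARK_URI = PREFIX + "cyberark.vaultURI"
URI_KEYS = {CYBERARK_URI, PREFIX + "plugin.azure.vaultUri"}
SECRET_SUFFIXES = ("secretKey.secret", "pfx.p12.password",
                   "trust.store.password", "proxy.password")
VALIDATE_HOST = PREFIX + "clientcertificate.validate.host"
# Constructed sample with deliberate problems (not a real configuration).
SAMPLE = """\
Com.denodo.connect.sap.vault.clientcertificate.trust.store.password=constructed
com.denodo.connect.sap.vault.cyberark.vaultURI=http://vault.example.test/AIMWebService/api/Accounts
com.denodo.connect.sap.vault.clientcertificate.pfx.p12.password=constructed
com.denodo.connect.sap.vault.clientcertificate.validate.host=false
"""

def parse_properties(text):
    # Minimal key=value reader; Java escape sequences are kept verbatim.
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit(text, mode=0o600):
    """Return findings for the file content and its POSIX permission bits."""
    props, findings = parse_properties(text), []
    for key in props:
        if not key.startswith(PREFIX) and key.lower().startswith(PREFIX):
            findings.append(f"wrong case in key (assumed case-sensitive): {key}")
    for key in sorted(URI_KEYS & props.keys()):
        if urlparse(props[key]).scheme != "https":
            findings.append(f"{key} is not an https URL")
    if CYBERARK_URI in props and props.get(VALIDATE_HOST, "").lower() != "true":
        findings.append("certificate host name validation is not enabled")
    if any(v for k, v in props.items() if k.endswith(SECRET_SUFFIXES)) and mode & 0o077:
        findings.append("file holds secrets but is accessible to group/others")
    return findings

def audit_file(path):
    with open(path, encoding="utf-8") as handle:
        return audit(handle.read(), os.stat(path).st_mode & 0o777)

if __name__ == "__main__":
    print(audit(SAMPLE, 0o644))
```

The permission check uses POSIX mode bits; on Windows hosts, review the file's ACL instead.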