SAP Ariba, recently rebranded as SAP Integration Suite, is a highly popular choice for secure data exchange and file transfer across enterprises. Its network consists of several member organizations, and offers formats like cXML, EDIFACT and OAGIS, and protocols like VAN and AS2, allowing non-member organizations to achieve SAP Ariba integration to communicate with said members.
While SAP prominently mentions VAN (Value Added Network) as a preferred connectivity option, it also allows AS2 - Applicability Statement 2, the versatile protocol that allows secure data exchangre over open networks and the public internet. As such, if you implement SAP Ariba integration for your business or organization via AS2, you will reap the benefit of a secure and flexible file transfer option while avoiding the cost and overhead of procuring and maintaining dedicated VAN infrastructure. As an added advantage, AS2 would be compatible, and maybe already in use, with your other trading entities and counterparties such as Walmart, Amazon, Target, etc.
There is no specific subset of AS2 solutions or products that you need to stick with, in order to integrate with SAP Ariba over AS2; you can use either a cost-effective, highly scalable and maintenance-free cloud solution like Aayu MFT Gateway, or go for an on-premises product like Aayu AS2 Gateway with more control and deployment target options. However, be aware of the few specific requirements that SAP Ariba generally mandates to ensure secure data exchange when utilizing AS2 for file transfer:
You may need to check both of the above with your counterparty or partner’s SAP integration team ahead of time, because obtaining CA-issued certificate involves a somewhat lengthy process - often spanning few days.
Once you have met the prerequisites, setting up SAP Ariba integration is quite straightforward. Here we will discuss the process using Aayu MFT Gateway, which offers a fully-equipped and extensible one month free trial including technical support, and a range of pay-as-you-go plans to choose from afterwards:
If SAP Ariba integration team informed you to use a CA-issued certificate for AS2/S-MIME, please confirm the list of acceptable CAs/issuers from them (their list may be updated over time), and contact one of the CAs to obtain a MIME certificate (also known by names like “email”, “personal” and “signature”). Ensure that “Key Encipherment” and “Digital Signature” are allowed under the issued certificate’s purposes attribute.
If you have already obtained such a certificate, use the Import From Keystore option under New Certificate section of the MFTG Certificate Manager to upload the relevant key and certificate in the form of a key store. Alternatively you can do this during the station creation process (step 2) as well, through the From Keystore option therein.
If you already have a certificate on MFT Gateway (with a preconfigured Distinguished Name (DN)) that you would prefer to adapt for this purpose, you can secure a CA signed certificate with those configurations by exporting a CSR (cert. signing request), exchanging it with your preferred CA, and importing it back through the Renew button.
If SAP Ariba has requested secure data exchange at wire level through certificate-based authentication (“two-way SSL”), you would also need a corresponding CA-issued certificate to be installed as the TLS client certificate on your MFT Gateway account. The MFTG team is currently working on adding DIY capability to configure this certificate on your own, and until it is available you can contact the highly responsive and supportive MFTG team to get the client certificate installed on your behalf. For the TLS client certificate, “Client Authentication” is usually expected under purposes,
If you already have a station/identifier that you wish to use, you can skip this step; however, if SAP Ariba team requested you to use a CA-issued certificate and the current certificate is not compatible, you may have to change it accordingly (see below).
For creation, steps are outlined in this official guide. You can pick a desired AS2 identifier that represents your organization, and a corrsponding common name for the certificate if you are generating a fresh one.
In case of an existing station, you can change its certificate through the CA Signed option on the station settings page. Please note that if you already have other partners connecting through this station, you need to inform them to update the certificate on their ends as well (at the same time) to prevent interruption to other AS2 workflows.
When done with either of the above, visit the partner view of your station and share the following information with your SAP Ariba partner:
https://...)Communicate with your partner/counterparty to obtain the same information as what you shared with them earlier:
https://...)Afterwards, follow this official guide to create a partner entity representing your SAP Ariba file transfer backed counterparty, using the received set-up details.
At this point, your SAP Ariba integration is complete. However it is highly recommended to perform test transfers back and forth, before commencing production traffic:
Follow this guide to submit an outbound message, by selecting your station (from step 2) as the sender and the SAP Ariba partner (from step 3) as the receiver.
If you are sending EDI data, as is the common practice, note that SAP Ariba file transfer recipient module expects the file to be delivered with the correct content type (MIME type), e.g. “application/edifact”. MFT Gateway will automatically do this if you use the correct file extension (e.g. “.edifact” in this case) during the upload. Other AS2 solutions may have their own MIME type detection mechanisms.
If your file gets rejected from SAP Ariba file transfer recipient module, with an error similar to “Unexpected character ‘
As a more common occurrence, if you receive a HTTP 401 error response code from SAP Ariba, it indicates that your authentication is either mismatched or misconfigured and needs to be reviewed.
Based on information that you provided to SAP Ariba integration team in step 2, they will be able to transmit test files to you upon request.
In some cases, SAP system may continue to use a fixed filename (e.g. “ZZARIBATEST_FILE”) for all transmissions; this may cause overwrites on your receiving AS2 solution side, if duplicate filename handling is not supported/enabled. If this happens, please reach back to get the file-naming policy updated from SAP side.
If you reached here, congratulations! You now have a verified channel for secure data exchange with SAP Ariba.
If you face any issues during the set-up process, or have any other queries on SAP Ariba file transfer integration, feel free to ping us anytime.
Janaka is a Software Architect at Aayu Technologies. He is experienced in diverse areas including enterprise integration, B2B communication, and cloud and serverless technologies; and has been involved in the design and implementation of almost every Aayu product. Any interesting bug will keep him up overnight, as will tea, movies, and music.
We are a US based company with Sri Lankan ingenuity majored in Cloud and Serverless technology based product engineering.
Our solutions power small businesses using our hosted SaaS solutions , to enterprises that run our software on-cloud and on-premise.
