
Integrate AS2 with SAP Ariba in 3 simple steps

Connect and easily integrate your organization's business workflow with any SAP Ariba based trading partner, using the MFT Gateway B2B cloud AS2 service

10 Jun 2024 by Janaka Bandara

SAP Ariba, recently rebranded as SAP Integration Suite, is a highly popular choice for secure data exchange and file transfer across enterprises. Its network consists of several member organizations, and offers formats like cXML, EDIFACT and OAGIS, and protocols like VAN and AS2, allowing non-member organizations to achieve SAP Ariba integration to communicate with said members.

While SAP prominently mentions VAN (Value Added Network) as a preferred connectivity option, it also allows AS2 (Applicability Statement 2), the versatile protocol that allows secure data exchange over open networks and the public internet. As such, if you implement SAP Ariba integration for your business or organization via AS2, you will reap the benefit of a secure and flexible file transfer option while avoiding the cost and overhead of procuring and maintaining dedicated VAN infrastructure. As an added advantage, AS2 would be compatible, and maybe already in use, with your other trading entities and counterparties such as Walmart, Amazon, Target, etc.

File transfer with SAP Ariba: what it takes

There is no specific subset of AS2 solutions or products that you need to stick with, in order to integrate with SAP Ariba over AS2; you can use either a cost-effective, highly scalable and maintenance-free cloud solution like Aayu MFT Gateway, or go for an on-premises product like Aayu AS2 Gateway with more control and deployment target options. However, be aware of the few specific requirements that SAP Ariba generally mandates to ensure secure data exchange when utilizing AS2 for file transfer:

  • SAP requires authentication on inbound connections, using either TLS client auth (more commonly called “two-way SSL”) with a trusted CA (Certificate Authority) issued client certificate, or HTTP basic authentication (username-password based) using credentials preconfigured on SAP side.
  • SAP may require you to use a CA-issued certificate for AS2 security (message composition, S/MIME operations) as well.

You may need to check both of the above with your counterparty or partner’s SAP integration team ahead of time, because obtaining a CA-issued certificate involves a somewhat lengthy process, often spanning a few days.

Once you have met the prerequisites, setting up SAP Ariba integration is quite straightforward. Here we will discuss the process using Aayu MFT Gateway, which offers a fully-equipped and extensible one month free trial including technical support, and a range of pay-as-you-go plans to choose from afterwards:

SAP Ariba integration over AS2: step by step

1. Prepare the certificates

If the SAP Ariba integration team has informed you to use a CA-issued certificate for AS2 (S/MIME), please confirm the list of acceptable CAs/issuers with them (their list may be updated over time), and contact one of the CAs to obtain an S/MIME certificate (also known by names like “email”, “personal” and “signature”). Ensure that “Key Encipherment” and “Digital Signature” are allowed under the issued certificate’s purposes (key usage) attribute.

If you have already obtained such a certificate, use the Import From Keystore option under New Certificate section of the MFTG Certificate Manager to upload the relevant key and certificate in the form of a key store. Alternatively you can do this during the station creation process (step 2) as well, through the From Keystore option therein.

If you already have a certificate on MFT Gateway (with a preconfigured Distinguished Name (DN)) that you would prefer to adapt for this purpose, you can secure a CA-signed certificate with those configurations by exporting a CSR (certificate signing request), exchanging it with your preferred CA, and importing the result back through the Renew button.

If SAP Ariba has requested secure data exchange at wire level through certificate-based authentication (“two-way SSL”), you would also need a corresponding CA-issued certificate to be installed as the TLS client certificate on your MFT Gateway account. The MFTG team is currently working on adding DIY capability to configure this certificate on your own, and until it is available you can contact the highly responsive and supportive MFTG team to get the client certificate installed on your behalf. For the TLS client certificate, “Client Authentication” is usually expected under purposes.
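The purpose requirements from this step can be checked locally before a certificate is uploaded or shared. The script below is an added example, not part of the original post or of MFT Gateway; the function names and the sample certificate are constructed for illustration, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example: certificate purpose pre-flight check. Function names and the
# sample certificates are constructed for illustration.

# Print the value line of one X.509 extension, e.g. "X509v3 Key Usage".
cert_ext() {
    openssl x509 -in "$1" -noout -text |
        awk -v h="$2:" 'index($0, h) { getline; print; exit }'
}

# AS2 (S/MIME) certificate: Digital Signature and Key Encipherment required.
check_as2_cert() {
    ku=$(cert_ext "$1" "X509v3 Key Usage")
    case $ku in *"Digital Signature"*) ;; *) return 1 ;; esac
    case $ku in *"Key Encipherment"*) ;; *) return 1 ;; esac
}

# TLS client certificate: Client Authentication required.
check_tls_client_cert() {
    case $(cert_ext "$1" "X509v3 Extended Key Usage") in
        *"Client Authentication"*) return 0 ;;
    esac
    return 1
}

# Build a throwaway self-signed certificate: make_sample_cert SECTION OUT.pem
make_sample_cert() {
    cnf=$(mktemp)
    cat > "$cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed-as2-station
[smime]
keyUsage = digitalSignature, keyEncipherment
[tlsclient]
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cnf" \
        -extensions "$1" -keyout "$2.key" -out "$2" 2>/dev/null
    rm -f "$cnf" "$2.key"
}

d=$(mktemp -d)   # demo on a constructed certificate
make_sample_cert smime "$d/as2.pem"
check_as2_cert "$d/as2.pem" && echo "as2.pem: usable for AS2 signing/encryption"
check_tls_client_cert "$d/as2.pem" || echo "as2.pem: lacks Client Authentication"
```

In practice, point `check_as2_cert` and `check_tls_client_cert` at the PEM certificates issued by your CA rather than at the constructed samples.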

2. Create a station (AS2 entity representing yourself)

If you already have a station/identifier that you wish to use, you can skip this step; however, if the SAP Ariba team requested you to use a CA-issued certificate and the current certificate is not compatible, you may have to change it accordingly (see below).

For creation, steps are outlined in this official guide. You can pick a desired AS2 identifier that represents your organization, and a corresponding common name for the certificate if you are generating a fresh one.

In case of an existing station, you can change its certificate through the CA Signed option on the station settings page. Please note that if you already have other partners connecting through this station, you need to inform them to update the certificate on their ends as well (at the same time) to prevent interruption to other AS2 workflows.

When done with either of the above, visit the partner view of your station and share the following information with your SAP Ariba partner:

  • AS2 identifier
  • AS2 URL; make sure to share the HTTPS variant (https://...)
  • AS2 certificate
  • TLS certificate
  • Encryption: AES-256 (recommended); or any other from supported encryption algorithms
  • Signing (digest/signature): SHA-256 (recommended); or any other from supported digest algorithms
  • MDN (receipt): synchronous, signed (recommended); MFT Gateway supports all combinations

3. Create a partner (external AS2 entity) representing SAP Ariba

Communicate with your partner/counterparty to obtain the same information as what you shared with them earlier:

  • AS2 identifier; usually ZZARIBATEST (on test-mode connections) or ZZARIBA
  • AS2 URL; if your partner’s SAP Ariba integration team has requested certificate-based authentication, this must be an HTTPS URL (https://...)
  • AS2 certificate
  • TLS certificate (if AS2 URL is HTTPS)
  • Encryption algorithm
  • Signing (digest/signature) algorithm
  • MDN (receipt): mode (synchronous (recommended) vs asynchronous), security level (signed (recommended) vs unsigned)

Afterwards, follow this official guide to create a partner entity representing your SAP Ariba file transfer backed counterparty, using the received set-up details.

At this point, your SAP Ariba integration is complete. However it is highly recommended to perform test transfers back and forth, before commencing production traffic:

4. (extra): Transmit a file to SAP Ariba

Follow this guide to submit an outbound message, by selecting your station (from step 2) as the sender and the SAP Ariba partner (from step 3) as the receiver.

If you are sending EDI data, as is the common practice, note that the SAP Ariba file transfer recipient module expects the file to be delivered with the correct content type (MIME type), e.g. “application/edifact”. MFT Gateway will automatically do this if you use the correct file extension (e.g. “.edifact” in this case) during the upload. Other AS2 solutions may have their own MIME type detection mechanisms.

If your file gets rejected by the SAP Ariba file transfer recipient module with an error similar to “Unexpected character ‘' (code ) in prolog; expected '<'”, it usually indicates the MIME-type issue described above. In that case, please revise the MIME type that your AS2 software is adding alongside the file content.

As a more common occurrence, if you receive an HTTP 401 error response code from SAP Ariba, it indicates that your authentication is either mismatched or misconfigured and needs to be reviewed.

5. (extra): Receive a file from SAP Ariba

Based on the information that you provided to the SAP Ariba integration team in step 2, they will be able to transmit test files to you upon request.

In some cases, the SAP system may continue to use a fixed filename (e.g. “ZZARIBATEST_FILE”) for all transmissions; this may cause overwrites on your receiving AS2 solution side, if duplicate filename handling is not supported/enabled. If this happens, please reach back to them to get the file-naming policy updated from the SAP side.

In conclusion

If you reached here, congratulations! You now have a verified channel for secure data exchange with SAP Ariba.

If you face any issues during the set-up process, or have any other queries on SAP Ariba file transfer integration, feel free to ping us anytime.