Before connecting Payhawk to SAP S/4HANA® Cloud, Private Edition, you need to prepare your SAP system to accept secure external communication.
Depending on your organization's IT infrastructure and security architecture, you can choose one of two connection strategies:
Direct connection: connects Payhawk directly to your SAP S/4HANA Private Cloud via a secure port and certificate mapping.
Connection through SAP BTP: routes Payhawk traffic securely through the SAP Business Technology Platform (BTP) using the SAP Cloud Connector, without exposing internal ports.
Strategy 1: Direct Connection
This approach requires installing Payhawk's security certificate directly into your SAP S/4HANA system, creating a user mapping rule, and opening a dedicated network port for communication.
Step 1: Installing the certificate in Trust Manager (STRUST)
To ensure your SAP S/4HANA system trusts incoming requests from Payhawk:
Log in to the SAP GUI and open transaction code STRUST.
Double-click on the SSL server Standard PSE folder on the left side.
In the Certificate section at the bottom, click Import Certificate.
Choose the certificate file provided by the Payhawk setup wizard and click Enter.
Click Add to Certificate List to add Payhawk’s certificate to your trusted list.
Click Save to apply the changes.
Step 2: Map the certificate to an SAP user (CERTRULE)
Next, you need to tell SAP which technical system user corresponds to the certificate:
Create or identify a dedicated technical or communication user in transaction SU01 with the required permissions for Payhawk data.
Open transaction code CERTRULE.
Click Import Certificate and select the same Payhawk certificate file.
Click the Rule button to create a new mapping rule.
Assign this rule to your technical or communication user ID so that incoming Payhawk calls are automatically logged in under this user.
Click Save.
Step 3: Open a port for inbound calls
Run transaction code SMICM and choose Goto > Services to view your active HTTPS ports.
Ensure your corporate firewall, reverse proxy, or SAP Web Dispatcher is configured to allow inbound traffic from Payhawk's designated IP addresses directly to this HTTPS port.
Strategy 2: Connection through SAP BTP
If your corporate security policy strictly prohibits opening inbound firewall ports, you can route the connection securely using SAP Business Technology Platform (BTP) and the SAP Cloud Connector.
Step 1: Install and configure SAP Cloud Connector (SCC)
The Cloud Connector acts as a secure, outbound-initiated tunnel between your private network and the cloud.
Install the SAP Cloud Connector software within your private cloud environment if it isn't already running.
Log in to the Cloud Connector administration panel.
Click Add Subaccount and enter your SAP BTP subaccount details (Region, Subaccount ID, and credentials) to establish the secure link.
Navigate to Cloud to On-Premise from the side menu and go to the Mapping Virtual to Internal System tab.
Click the + (Add) button and create a mapping:
Select ABAP System as the Back-end Type.
Enter your internal SAP S/4HANA system details (Internal Host and Port).
Define a Virtual Host and Virtual Port name (for example, s4virtual:443). This is the alias BTP will use to talk to your system.
Under the Resources Accessible section at the bottom, click Add to specify which API URLs Payhawk is allowed to use.
Enter the specific OData/SOAP base paths required by Payhawk and select Path and all sub-paths. Click Save.
Step 2: Set up an SAP BTP Application Router (App Router)
The BTP App Router acts as the single point of entry for Payhawk’s cloud APIs, safely handing off requests to the Cloud Connector.
Log in to your SAP BTP Cockpit and navigate to your subaccount.
Go to Connectivity > Destinations and click New Destination.
Create a destination pointing to your SAP system using the following details:
Type: HTTP
Proxy Type: OnPremise
URL: Enter the Virtual Host and Virtual Port you defined in the Cloud Connector (for example, http://s4virtual:443).
Authentication: Configure the technical user credentials or certificate mapping details created for Payhawk.
Deploy your SAP BTP Application Router application within your BTP Space.
In the App Router’s routing configuration file (xs-app.json), map incoming routes coming from Payhawk to target the newly created BTP Destination.
Once completed, Payhawk will safely make API calls to your cloud-hosted BTP App Router, which routes traffic down through the Cloud Connector directly into your S/4HANA Private Cloud instance.
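The App Router routes and the Cloud Connector resource list from Step 1 should expose the same paths and nothing more. The following added example (not Payhawk or SAP code) lints an xs-app.json against that resource list, with a weak configuration beside a corrected one. The destination name s4hana-payhawk, the PLACEHOLDER_SRV service path and both sample configurations are constructed assumptions.

```python
import json
import re

# Constructed sample values: the destination name, service path and routes
# below are placeholders, not values supplied by Payhawk or SAP.
CC_ALLOWED_PATHS = ["/sap/opu/odata/sap/PLACEHOLDER_SRV"]  # "Path and all sub-paths"

WEAK = json.loads("""{
  "authenticationMethod": "none",
  "routes": [
    {"source": "^/(.*)$", "target": "/$1",
     "destination": "s4hana-payhawk", "authenticationType": "none"}
  ]
}""")

HARDENED = json.loads("""{
  "authenticationMethod": "route",
  "routes": [
    {"source": "^/sap/opu/odata/sap/PLACEHOLDER_SRV/(.*)$",
     "target": "/sap/opu/odata/sap/PLACEHOLDER_SRV/$1",
     "destination": "s4hana-payhawk", "authenticationType": "xsuaa"}
  ]
}""")


def target_prefix(target):
    """Literal part of a route target, up to the first $n capture reference."""
    return re.split(r"\$\d", target, maxsplit=1)[0]


def within_allowlist(prefix, allowed):
    """True if prefix equals an allowed base path or lies beneath it."""
    return any(prefix.rstrip("/") == a or prefix.startswith(a + "/") for a in allowed)


def lint_xs_app(config, allowed_paths):
    """Return findings for routes that forward more than the allowlist permits."""
    findings = []
    if config.get("authenticationMethod", "route") != "route":
        findings.append("authenticationMethod is not 'route': all routes are unauthenticated")
    for i, route in enumerate(config.get("routes", [])):
        if "destination" not in route:
            continue  # static or local route, never reaches the Cloud Connector
        if route.get("authenticationType", "xsuaa") == "none":
            findings.append(f"route {i}: authenticationType 'none' forwards anonymous requests")
        # Assumption: a route with no target is treated as "/" (conservative).
        if not within_allowlist(target_prefix(route.get("target", "/")), allowed_paths):
            findings.append(f"route {i}: target is outside the Cloud Connector resource list")
    return findings
```

Calling lint_xs_app(WEAK, CC_ALLOWED_PATHS) reports the disabled authentication and the catch-all route; the hardened configuration returns an empty list.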
Step 2: Set up an SAP BTP Application Router (App Router)
The BTP App Router acts as the single point of entry for Payhawk’s cloud APIs, safely handing off requests to the Cloud Connector.
Create the BTP Destination: In your SAP BTP Cockpit, navigate to your subaccount, go to Connectivity > Destinations, and click New Destination. Create a destination pointing to your virtual host using your SAP system's technical user credentials or certificate mapping.
Type: HTTP
Proxy Type: OnPremise
URL: Enter the Virtual Host and Virtual Port you defined in the Cloud Connector (for example, http://s4virtual:443).
Authentication: Configure the technical user credentials for Payhawk.
Create Required Service Instances: To enable secure routing and connectivity, navigate to Services > Instances and Subscriptions in your BTP Cockpit and create one instance for each of the following services:
Destination Service
Connectivity Service
XSUAA Service (Authorization and Trust Management service)
Install the App Router:
Connect the App Router to the Payhawk Wizard:
Once the App Router is deployed, copy its public URL (Route).
Open the Payhawk integration wizard and input this App Router route.
The Payhawk wizard will then generate and provide a JSON configuration file for you to download.
Generate the XSUAA Service Key:
Return to your SAP BTP Cockpit and locate the XSUAA service instance you created earlier.
Create a new Service Key for this instance, pasting the contents of the downloaded Payhawk JSON file into the configuration parameters.
Save and open the newly created service key. Copy the Client ID (clientid) and the Token URL (url) from the credentials text.
Paste the Client ID and Token URL back into the Payhawk wizard to finalize the secure authentication link.