Setup of SAP Fiori System Landscape

Setup of SAP Fiori System Landscape PDF download from SAP Help Portal: http://help.sap.com Created on July 23, 2014 The documentation may have changed since you downloaded the PDF. You can always find the latest information on SAP Help Portal. Note This PDF document contains the selected topic and its subtopics (max. 150) in the selected structure. Subtopics from other structures are not included. © 2014 SAP SE or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE. The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP SE and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE in Germany and other countries. Please see www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices. Table of content PUBLIC © 2014 SAP SE or an SAP affiliate company. All rights reserved. Page 1 of 70

Upload: farooq-ali

Post on 17-Jul-2016


TRANSCRIPT


  • Table of content

    1 Setup of SAP Fiori System Landscape
    1.1 Setup of SAP Fiori System Landscape with ABAP Environment
    1.1.1 Deployment Options
    1.1.2 Pre-Installation
    1.1.3 Installation
    1.1.3.1 Setup of Front-End Server
    1.1.3.1.1 Setup of SAP NetWeaver Gateway
    1.1.3.1.1.1 Installation of SAP NetWeaver Gateway
    1.1.3.1.1.2 Specify Language Settings
    1.1.3.1.2 Installation of Central UI Components
    1.1.3.1.3 Installation of Product-Specific UI Components (SAP NW 7.31)
    1.1.3.1.4 Installation of Product-Specific UI Components (SAP NW 7.4)
    1.1.3.2 Installation of SAP Notes (Transactional Apps)
    1.1.3.3 Setup of Clients
    1.1.3.4 Downloading and Installing Product Versions
    1.1.3.5 Virus Scanning
    1.1.4 Communication Channels
    1.1.4.1 Communication Between Client and ABAP Front-End Server
    1.1.4.1.1 Configuring ABAP Server Session Security
    1.1.4.1.2 Configuring the AS ABAP for Supporting SSL
    1.1.4.2 Communication Between ABAP Front-End and ABAP Back-End Server
    1.1.4.2.1 Connect SAP NetWeaver Gateway to SAP Business Suite (Trusted RFC
    1.1.4.2.2 Managing RFC Destinations
    1.1.4.2.3 Activating SAP NetWeaver Gateway
    1.1.4.2.4 Creating System Alias for Applications
    1.1.4.3 User Authentication and Single Sign-On
    1.1.4.3.1 Setting Up Single Sign-On for SAP Fiori Apps
    1.1.4.4 Internet-Facing Deployment
    1.2 Setup of SAP Fiori System Landscape with SAP HANA Database
    1.2.1 Deployment Options
    1.2.2 Pre-Installation
    1.2.3 Installation
    1.2.3.1 Setup of Front-End Server
    1.2.3.1.1 Setup of SAP NetWeaver Gateway
    1.2.3.1.1.1 Installation of SAP NetWeaver Gateway
    1.2.3.1.1.2 Specify Language Settings
    1.2.3.1.2 Installation of Central UI Components
    1.2.3.1.3 Installation of Product-Specific UI Components (SAP NW 7.31)
    1.2.3.1.4 Installation of Product-Specific UI Components (SAP NW 7.4)
    1.2.3.2 Installation of SAP Web Dispatcher
    1.2.3.3 Installation of SAP Notes (Transactional Apps, Fact Sheets)
    1.2.3.4 Setup of Clients
    1.2.3.5 Downloading and Installing Product Versions
    1.2.3.6 Virus Scanning
    1.2.4 Communication Channels
    1.2.4.1 Communication Between Client and SAP Web Dispatcher
    1.2.4.1.1 Configuring Communication Channel between Clients and SAP Web Di
    1.2.4.2 Communication Between SAP Web Dispatcher and ABAP Servers
    1.2.4.2.1 Configuring ABAP Server Session Security
    1.2.4.2.2 Configuring the AS ABAP for Supporting SSL
    1.2.4.2.3 Defining Routing Rules for SAP Web Dispatcher and ABAP Front-End
    1.2.4.2.4 Defining Routing Rules for SAP Web Dispatcher and ABAP Backend
    1.2.4.2.5 Configuring Trust Between SAP Web Dispatcher and ABAP Servers
    1.2.4.3 Communication Between ABAP Front-End and ABAP Back-End Server
    1.2.4.3.1 Connect SAP NetWeaver Gateway to SAP Business Suite (Trusted RFC
    1.2.4.3.2 Managing RFC Destinations
    1.2.4.3.3 Activating SAP NetWeaver Gateway
    1.2.4.3.4 Creating System Alias for Applications
    1.2.4.4 Communication Between ABAP Back End and Map Provider
    1.2.4.4.1 Configure SAP Visual Business to Enable GeoMaps (Fact Sheets)


  • 1.2.4.5 User Authentication and Single Sign-On
    1.2.4.5.1 Setting Up Single Sign-On for SAP Fiori Apps
    1.2.4.6 Internet-Facing Deployment
    1.3 Setup of SAP Fiori System Landscape with SAP HANA XS
    1.3.1 Deployment Options
    1.3.2 Pre-Installation
    1.3.3 Installation
    1.3.3.1 Setting Up the Front-End Server
    1.3.3.1.1 Setup of SAP NetWeaver Gateway
    1.3.3.1.1.1 Installation of SAP NetWeaver Gateway
    1.3.3.1.1.2 Specify Language Settings
    1.3.3.1.2 Installation of Central UI Components
    1.3.3.1.3 Installation of Product-Specific UI Components (SAP NW 7.31)
    1.3.3.1.4 Installation of Product-Specific UI Components (SAP NW 7.4)
    1.3.3.1.5 Installation of SAP Smart Business Products on Front-End Server
    1.3.3.1.6 Installation of KPI Modeler on Front-End Server
    1.3.3.2 Setting Up the SAP HANA Server
    1.3.3.2.1 Installation of SAP Smart Business Products on SAP HANA Server
    1.3.3.2.2 Setting Up Database Tables for the KPI Modeler
    1.3.3.3 Installation of SAP Web Dispatcher
    1.3.3.4 Installation of SAP Notes (Transactional Apps, Fact Sheets)
    1.3.3.5 Installation of SAP Notes (Analytical Apps)
    1.3.3.6 Setup of Clients
    1.3.3.7 Downloading and Installing Product Versions
    1.3.3.8 Virus Scanning
    1.3.4 Communication Channels
    1.3.4.1 Communication Between Client and SAP Web Dispatcher
    1.3.4.1.1 Configuring Communication Channel between Clients and SAP Web Di
    1.3.4.2 Communication Between SAP Web Dispatcher and ABAP Servers
    1.3.4.2.1 Configuring ABAP Server Session Security
    1.3.4.2.2 Configuring the AS ABAP for Supporting SSL
    1.3.4.2.3 Defining Routing Rules for SAP Web Dispatcher and ABAP Front-End
    1.3.4.2.4 Defining Routing Rules for SAP Web Dispatcher and ABAP Backend
    1.3.4.2.5 Configuring Trust Between SAP Web Dispatcher and ABAP Servers
    1.3.4.3 Communication Between ABAP Front-End and ABAP Back-End Server
    1.3.4.3.1 Connect SAP NetWeaver Gateway to SAP Business Suite (Trusted RFC
    1.3.4.3.2 Managing RFC Destinations
    1.3.4.3.3 Activating SAP NetWeaver Gateway
    1.3.4.3.4 Creating System Alias for Applications
    1.3.4.4 Communication Between SAP Web Dispatcher and SAP HANA XS
    1.3.4.4.1 Configuring SAP HANA XS Session Security
    1.3.4.4.2 Defining Routing Rules for SAP Web Dispatcher and SAP HANA XS
    1.3.4.5 Communication Between ABAP Back End and Map Provider
    1.3.4.5.1 Configure SAP Visual Business to Enable GeoMaps (Fact Sheets)
    1.3.4.6 User Authentication and Single Sign-On
    1.3.4.6.1 Setting Up Single Sign-On for SAP Fiori Apps
    1.3.4.7 Internet-Facing Deployment


  • 1 Setup of SAP Fiori System Landscape

    1.1 Setup of SAP Fiori System Landscape with ABAP Environment

    In the SAP Fiori system landscape with ABAP environment, you can use transactional apps.

    Set up the system landscape to enable SAP Fiori before you start to implement an app.

    An app requires front-end components (providing the user interface and the connection to the back end) and back-end components (providing the data). The front-end components and the back-end components are delivered in separate products and have to be installed in a system landscape that is enabled for SAP Fiori.

    The following figure shows the detailed system landscape for SAP Fiori transactional apps.

    System Landscape for SAP Fiori Transactional Apps

    Components of the System Landscape

    Depending on the system landscape, the following components are used:

    Client

    To be able to run SAP Fiori apps, the runtime environment (such as the browser) of the client must support HTML5.

    ABAP Front-End Server

    The ABAP front-end server contains all the infrastructure components to generate an SAP Fiori app-specific UI for the client and to communicate with the SAP Business Suite back-end systems. The UI components and the gateway are based on SAP NetWeaver. Typically, both are deployed on the same server.

    The central UI component is a framework that provides the common infrastructure for all SAP Fiori apps: SAP Fiori launchpad is the basis of all SAP Fiori UIs, and provides fundamental functions for SAP Fiori apps such as logon, surface sizing, navigation between apps, and role-based app catalogs. End-users access the SAP Fiori apps from the SAP Fiori launchpad. The specific UIs for the apps are delivered as SAP Business Suite product-specific UI add-on products, which must be additionally installed on the front-end server.

    SAP NetWeaver Gateway handles the communication between the client and the SAP Business Suite back end. SAP NetWeaver Gateway uses OData services to provide back-end data and functions, and processes HTTPS requests for OData services. The transactional apps, which are updating data in the SAP Business Suite systems, use this communication channel.

    ABAP Back-End Server

    In the ABAP back-end server, the SAP Business Suite products are installed, which provide the business logic and the back-end data, including users, roles, and authorizations. The add-ons for the SAP Fiori apps are continuously released in Support Packages. The back-end server is based on SAP NetWeaver.

    Database

    SAP HANA is an in-memory database platform that you can use to analyze large volumes of data in real-time.

    anyDB stands for any database that stores the data for the back-end server. For transactional apps, any database can be deployed instead of SAP HANA.

    1.3.1 Deployment Options

  • Deployment of SAP NetWeaver Gateway

    For running SAP Fiori apps, we recommend that you use a Central Hub Deployment of SAP NetWeaver Gateway. This means you install SAP NetWeaver Gateway independent of consumer technologies in a standalone system, either behind or in front of the firewall. You therefore separate back-end components from front-end components.

    We do not recommend the Embedded Deployment option. This document is entirely based on the Central Hub Deployment option.

    For more information about SAP NetWeaver Gateway deployment options for SAP NetWeaver 7.31, see SAP Library for SAP NetWeaver Gateway 2.0 SPS 08 on SAP Help Portal at http://help.sap.com/nwgateway20 Installation and Upgrade Information Master Guide SAP NetWeaver Gateway Master Guide Deployment Options/Embedded Versus Hub Deployment.

    For more information about SAP NetWeaver Gateway deployment options for SAP NetWeaver 7.40, see SAP Help Portal at http://help.sap.com/nw74 Application Help Function-Oriented View SAP NetWeaver Gateway Foundation (SAP_GWFND) SAP NetWeaver Gateway Foundation Master Guide Deployment Options.

    Internet-Facing Deployment

    Only transactional SAP Fiori apps can be used externally via the internet. This also applies to mobile devices that are not directly connected to the corporate intranet (in case users are travelling).

    For more information, see Internet-Facing Deployment.

    1.3.2 Pre-Installation

    Before you begin to install the system landscape for SAP Fiori, make sure you have planned the following:

    Network Architecture

    You have to decide in which network zones the components of the SAP Fiori system landscape reside.

    For example, should the clients be able to access the SAP Fiori apps over the Internet, or only within the company's intranet? Is there a DMZ and is the SAP Web Dispatcher (SAP Fiori fact sheets and analytical apps) deployed there? Depending on your network architecture, make sure you have the right security measures in place, such as a secure firewall configuration.

    Certificates for Single Sign-On

    For single sign-on (SSO) using logon tickets, you require an SSL server certificate for each of the components between which you want to use SSO. Components can be, depending on your system landscape:

    - SAP Web Dispatcher (SAP Fiori fact sheets and analytical apps)
    - SAP NetWeaver Gateway on front-end server
    - ABAP back-end server (Search in SAP Fiori fact sheets)
    - SAP HANA XS Engine (SAP Fiori analytical apps)

    Note: Depending on from where you obtain the certificates, it can take several days to get them.

    For more information, see section SAP HANA Authentication and Single Sign-On in the SAP HANA Security Guide at http://help.sap.com/hana_platform Security Information.

    Browser Prerequisites

    SAP Fiori apps require a web browser that can display files in HTML5 format.

    For more information, see Setup of Clients.

    Roles and Authorizations

    You have to decide how to set up the roles and authorizations for the SAP Fiori users. This includes, for example, which user group uses which apps.

    For more information, see section User Management Concept in the generic section App Implementation.

    Operating System Access for SAP HANA Database

    Required if you use SAP Fiori apps that use an SAP HANA database.

    To configure HTTPS and SSO in the SAP HANA database, the administrator requires privileges to access SAP HANA on the operating system level.

    For more information, see section Operating System User adm in the SAP HANA Administration Guide at http://help.sap.com/hana_platform System Administration and Maintenance Information.

    Data Replication

    Required if you use SAP Fiori analytical apps that use SAP HANA in a side-by-side scenario alongside any database that contains the SAP Business Suite data.

    Make sure that data replication between the database that contains the SAP Business Suite data and SAP HANA is configured.


  • For more information, see section Replicate Data in the SAP HANA Live Administration Guide at http://help.sap.com/hba Installation, Security, Configuration, and Operations Information.

    1.3.3 Installation

    This document covers the general steps to take when installing SAP Fiori apps. Where necessary, these instructions refer to app-specific documentation.

    System Landscape

    According to the type of app you want to use, the system landscape for SAP Fiori apps consists of different components for the front end and the back end. For more information, see Setup of SAP Fiori System Landscape with ABAP Environment.

    For the installation of SAP NetWeaver Gateway, SAP recommends using the Central Hub Deployment option, which means that you separate business content from front-end content. You therefore have to install components on a back-end server and a front-end server. For more information, see Deployment Options.

    Prerequisites

    The following software versions are required:

    Software | Minimum Release Required | Details
    Database | anyDB | See the installation guide for the respective SAP Business Suite product release.
    Database | HANA 1.0 SPS 07 Revision 74 | See the documentation for SAP HANA Platform at http://help.sap.com/hana_platform Installation and Upgrade Information SAP HANA Server Installation Guide.
    SAP NetWeaver | Back-End Server: SAP NetWeaver 7.40 SPS 06. Front-End Server: SAP NetWeaver 7.40 SPS 05 or SAP NetWeaver 7.31 SPS 05 or higher (recommended minimum SPS 08) | See the documentation for SAP NetWeaver 7.31 at http://help.sap.com/nw731 Installation and Upgrade Information Installation Guide. See the documentation for SAP NetWeaver 7.40 at http://help.sap.com/nw74 Installation and Upgrade Information Installation Guide.
    Respective Business Suite product | Back-End Server: SAP enhancement package 7 for SAP ERP 6.0 SPS 04 (EHP7 FOR SAP ERP 6.0) | See the documentation at http://help.sap.com/erp607 Installation and Upgrade Information Installation Guide.
    Respective Business Suite product | Back-End Server: SAP enhancement package 3 for SAP Supply Chain Management 7.0 SPS 04 (EHP3 FOR SAP SCM 7.0) | See the documentation at http://help.sap.com/scm703 Installation and Upgrade Information Installation Guide.
    Respective Business Suite product | Back-End Server: SAP enhancement package 3 for SAP APO 7.0 for enhancement package 7 for SAP ERP 6.0 SPS04 (APO 7.0 EHP3 ON ERP 6.0 EHP7) | See the documentation at http://help.sap.com/apo Installation and Upgrade Information Installation and Upgrade Note.
    Respective Business Suite product | Back-End Server: SAP enhancement package 3 for SAP CRM 7.0 SPS 04 (EHP3 FOR SAP CRM 7.0) | See the documentation at http://help.sap.com/crm703 Installation and Upgrade Information Installation Guide.
    Respective Business Suite product | Back-End Server: SAP enhancement package 3 for SAP Supplier Relationship Management 7.0 SPS 04 (EHP3 FOR SAP SRM 7.0) | See the documentation at http://help.sap.com/srm703 Installation and Upgrade Information Installation Guide.
    Respective Business Suite product | Back-End Server: SAP Portfolio and Project Management 6.0 SPS 03 (SAP PPIM 6.0) | See the documentation at http://help.sap.com/ppm Installation and Upgrade Information Master Guide.
    Respective Business Suite product | Back-End Server: SAP Access Control 10.1 SPS 05 (SAP GRC ACCESS CONTROL 10.1) | See the documentation at http://help.sap.com/grc-ac Installation and Migration Information Installation Guide.
    Respective Business Suite product | Back-End Server: SAP Environment, Health, and Safety Management Extension 5.0 (SAP EHS MGMT. EXTENSION 5.0) | See the documentation at http://help.sap.com/ehs-comp Installation and Upgrade Information Installation Note.
    Respective Business Suite product | Back-End Server: SAP Customer Engagement Intelligence 1.1 SPS03 (SAP CUSTOMER ENGAGEMENT INTEL 1.1) | See the documentation at http://help.sap.com/cei Installation and Upgrade Information Installation Guide.
    Respective Business Suite product | Back-End Server: SAP Master Data Governance 7.0 SPS02 (SAP MASTER DATA GOVERNANCE 7.0) | See the documentation at http://help.sap.com/mdg70 Installation and Upgrade Information Installation Guide.
    Respective Business Suite product | Back-End Server: Smart Financials 1.0 SPS01 (SAP SFINANCIALS 1.0) | See the documentation at http://help.sap.com/sfin100 Installation and Upgrade Information Administrator's Guide.


  • Installation Tasks

    The table lists the installation tasks required for SAP Fiori apps:

    Step | Task | Details
    1 | Front-End Server: Install the required components. | See Setup of Front-End Server.
    2 | Back-End Server and Front-End Server: Install the required SAP Notes. | See Installation of SAP Notes (Transactional Apps).
    3 | Client: Set up the client. | See Setup of Clients.

    Installation Tool

    We recommend that you use Software Update Manager in combination with Maintenance Optimizer to install the components. This facilitates SAP NetWeaver-based application system upgrades, enhancement package updates, and support package installation, while offering a harmonized UI. Software Update Manager is shipped as part of the software logistics toolset (SL Toolset) 1.0 independently of the applications.

    You can download Software Update Manager from the Download Center on SAP Service Marketplace at http://service.sap.com/swdc SAP Software Download Center Search for Software Downloads Software Update Manager.

    Maintenance Optimizer in SAP Solution Manager is the central point of access for all maintenance activities. It supports the installation of updates and upgrades and completely manages the maintenance activities for your whole solution, and is centrally accessible from inside SAP Solution Manager. You can find more information under https://service.sap.com/mopz.

    Note: Alternatively, you can use the add-on installation tool (transaction SAINT) for the installation. For more information about SAINT, see Add-On Installation Tool.

    1.2.3.1 Setup of Front-End Server

    Process

    The table lists the installation tasks on the front-end server required for SAP Fiori apps:

    Step | Task | Details
    1 | Set up SAP NetWeaver Gateway. | See Setup of SAP NetWeaver Gateway.
    2 | Install the central UI components. | See Installation of Central UI Components.
    3 | Install the product-specific UI component that corresponds to the Business Suite product that you use depending on the SAP NetWeaver version on your front-end server. | See Installation of Product-Specific UI Components (SAP NW 7.31) or Installation of Product-Specific UI Components (SAP NW 7.4).

    1.3.3.1.1 Setup of SAP NetWeaver Gateway

    Process

    The table lists the installation tasks for SAP NetWeaver Gateway required for SAP Fiori apps:

    Step | Task | Details
    1 | Check or install the required SAP NetWeaver Gateway components. | See Installation of SAP NetWeaver Gateway.
    2 | Specify the default language and the logon language. | See Specify Language Settings.

    1.3.3.1.1.1 Installation of SAP NetWeaver Gateway

    On your front-end server, some components have to be available as part of your SAP NetWeaver Gateway installation:

    - If you run SAP NetWeaver 7.31 SPS 05 or higher (recommended minimum SPS 08) on your front-end server, you have to install the listed components.
    - If you run SAP NetWeaver 7.40 SPS 05 or higher on your front-end server, the listed components are automatically installed with your SAP NetWeaver installation. Verify that they are in place.

    You can download the product versions containing the Gateway components from SAP Service Marketplace. For more information, see Downloading and Installing Product Versions.

    Required SAP NetWeaver Gateway Components


  • You can find details on the installation of SAP NetWeaver Gateway for SAP NetWeaver 7.31 in the SAP Library for SAP NetWeaver Gateway 2.0 SPS 08 on SAP Help Portal at http://help.sap.com/nwgateway20 Installation and Upgrade Information Installation Guide SAP NetWeaver Gateway Installation Guide.

    For more information about SAP NetWeaver Gateway components for SAP NetWeaver 7.40, see SAP Help Portal at http://help.sap.com/nw74 Application Help Function-Oriented View SAP NetWeaver Gateway Foundation (SAP_GWFND) SAP NetWeaver Gateway Foundation Master Guide Deployment Options.

    SAP EhP3 for SAP NetWeaver 7.0

    If you run EhP 3 for SAP NetWeaver 7.0 on your front-end server, install the following components of SAP NetWeaver Gateway 2.0:

    SAP NW Gateway Product Instance | Comprised Component Versions | Support Package
    Gateway Server Core NW 703/731 | GW_CORE 200 (GW_Core 200) | SP08
    Gateway Server Core NW 703/731 | SAP IW FND 250 (IW_FND 250) | SP08
    Gateway Server Core NW 703/731 | SAP WEB UIF 7.31 (WEBCUIF 731) | SP09
    Only for the Approve Requests app: Gateway PGW | SAP IW PGW 100 (IW_PGW 100) | SP05
    Only for the Approve Requests app: Gateway PGW | SAP IW BEP 200 (IW_BEP 200) | SP08

    SAP EhP4 for SAP NetWeaver 7.0

    If you run EhP 4 for SAP NetWeaver 7.0 on your front-end server, install the following components of SAP NetWeaver Gateway 2.0:

    NW Gateway Product Instance | Comprised Component Versions | Support Package
    As of SAP NetWeaver 7.4, the components GW_CORE, IW_FND and IW_BEP are replaced by a new software component for the SAP NetWeaver Gateway foundation, SAP_GWFND. This component is included in the SAP NetWeaver installation. | | SP07
    Only for the Approve Requests app: Install Gateway PGW NW 740. | SAP IW PGW 100 (IW_PGW 100) | SP05

    1.3.3.1.1.2 Specify Language Settings

    You must specify the settings for supported languages in the SAP NetWeaver Gateway system. Settings include default and logon languages.

    Note: The default language of the SAP NetWeaver Gateway system must be the same as the default language of the back-end system, for example, English. If this is not the case, ensure that the SAP NetWeaver Gateway system contains a subset of the languages of the back-end system.

    The logon language for the ABAP Application Server is set according to the following process:

    1. If the Mandatory Logon Data indicator has been activated for a service in transaction SICF, the system uses the language that was entered there.
    2. If this is not the case, but the HTTP request contains the language in the HTTP header (as a header or a form field), you log on to the system using this language.
    3. The browser settings of the calling client are then used. The system selects as the logon language the first language from the list that is maintained in the browser, and which is also installed in the SAP system. The language list is specified using the HTTP header field accept-language.

       Note: With Internet Explorer, you can for example set the language you require by choosing Tools Internet Options Languages.

    If no language is defined by this process, the classic SAP system mechanisms are used. The logon language is based on the user settings (in transaction SU01) and if nothing is entered here, the default language of the SAP system is used automatically.

    For more information about language settings for SAP NetWeaver Gateway for SAP NetWeaver 7.31, see SAP Library for SAP NetWeaver Gateway on SAP Help Portal at http://help.sap.com/nwgateway20 Configuration and Deployment Information Configuration Guide SAP NetWeaver Gateway Configuration Guide Basic Configuration Settings Language Settings.

    For more information about language settings for SAP NetWeaver Gateway for SAP NetWeaver 7.40, see SAP Help Portal at http://help.sap.com/nw74 Application Help Function-Oriented View SAP NetWeaver Gateway Foundation Configuration Guide Basic Configuration Settings Language Settings.
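    The logon-language fallback order and the default-language note from this section, modelled as an added Python example (not SAP code and not part of the original document). All class, field and function names are hypothetical, and ordering the accept-language list by q-value before header position is an assumption about how "first language from the list" is read.

```python
"""Illustrative model of the logon-language rules in 'Specify Language Settings'."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class LogonContext:
    # All field names are hypothetical; they mirror the inputs the section names.
    installed_languages: set                        # languages installed in the SAP system
    system_default: str                             # default language of the SAP system
    sicf_mandatory_language: Optional[str] = None   # set when Mandatory Logon Data is active (SICF)
    request_language: Optional[str] = None          # language sent as header or form field
    accept_language: Optional[str] = None           # raw accept-language header from the browser
    user_language: Optional[str] = None             # logon language from the user settings (SU01)


def parse_accept_language(header):
    """Return primary language codes in preference order (q-value, then position)."""
    entries = []
    for position, item in enumerate(header.split(",")):
        tag, _, params = item.strip().partition(";")
        tag = tag.strip().lower()
        params = params.strip()
        quality = 1.0
        if params.startswith("q="):
            try:
                quality = float(params[2:])
            except ValueError:
                quality = 0.0  # malformed weight: treat the entry as not acceptable
        if not tag or tag == "*" or quality <= 0:
            continue
        entries.append((-quality, position, tag.split("-")[0]))
    ordered = []
    for _, _, lang in sorted(entries):
        if lang not in ordered:
            ordered.append(lang)
    return ordered


def resolve_logon_language(ctx):
    """Return (language, rule) following the order given in the section."""
    # 1. Mandatory Logon Data on the SICF service wins over everything else.
    if ctx.sicf_mandatory_language:
        return ctx.sicf_mandatory_language.lower(), "sicf"
    # 2. Language carried in the request. This value is client-controlled.
    if ctx.request_language:
        return ctx.request_language.lower(), "request"
    # 3. First browser language that is also installed in the SAP system.
    if ctx.accept_language:
        for lang in parse_accept_language(ctx.accept_language):
            if lang in ctx.installed_languages:
                return lang, "browser"
    # 4. Classic mechanisms: user settings, then the system default.
    if ctx.user_language:
        return ctx.user_language.lower(), "user"
    return ctx.system_default.lower(), "system-default"


def gateway_languages_consistent(gw_default, gw_languages, be_default, be_languages):
    """Check the note: same default language, or gateway languages a subset of the back end's."""
    return gw_default == be_default or set(gw_languages) <= set(be_languages)


if __name__ == "__main__":
    # Constructed sample input, not taken from a real system.
    ctx = LogonContext(installed_languages={"en", "de"}, system_default="en",
                       accept_language="fr-CH, fr;q=0.9, de;q=0.8, en;q=0.7")
    print(resolve_logon_language(ctx))  # French is not installed, so German is chosen
    print(gateway_languages_consistent("de", {"de", "en"}, "en", {"en", "de", "fr"}))
```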

    1.3.3.1.2 Installation of Central UI Components

    - If you run SAP NetWeaver 7.31 on your front-end server, you have to install the listed central SAP UI5 components.
    - If you run SAP NetWeaver 7.4 on your front-end server, the components are automatically installed with your SAP NetWeaver installation. Verify that they are in place.

    SAP NW Release | Required Central SAP UI5 Add-On Product Version | Comprised Component Versions
    EHP3 FOR SAP NETWEAVER 7.0 (AS ABAP) (minimum support package stack 05, recommended minimum SPS 08) or higher, or SAP EhP1 for SAP NetWeaver 7.3 or higher | UI ADD-ON 1.0 FOR NW 7.03 (minimum support package stack 08), instances Integration Services: Provider and Integration Services: Libs | SAP IW BEP 200 (IW_BEP 200), SP08; SAP UI ADD-ON INFRA V1.0 (UI_INFRA 100), SP08; SAP UI2 SERVICES V1.0 (UI2_SRVC 100), SP08; SAPUI5 CLIENT RT AS ABAP 1.00 (UISAPUI5 100), SP08; SAP UI2 FOUNDATION V1.0 (UI2_FND 100), SP08; SAP UI2 IMPL. FOR NW 7.00 V1.0 (UI2_700 100), SP08; SAP UI2 IMPL. FOR NW 7.01 V1.0 (UI2_701 100), SP08; SAP UI2 IMPL. FOR NW 7.02 V1.0 (UI2_702 100), SP08; SAP UI2 IMPL. FOR NW 7.31 V1.0 (UI2_731 100), SP08
    SAP NETWEAVER 7.4 (AS ABAP), SAP NETWEAVER 7.4 FOR SUITE (AS ABAP) (minimum support package stack 04 and component SAP UI 7.40 SP08 for both) | All required components are included in the SAP NetWeaver 7.4 installation. Verify that the above-mentioned components are in place. |

    You can download the UI components from SAP Service Marketplace. For more information, see Downloading and Installing Product Versions.

    1.3.3.1.3 Installation of Product-Specific UI Components (SAPNW 7.31) If your front-end server is based on EHP 3 for SAP NetWeaver 7.0, you need to install the following applicable user interface (UI) components depending on theBusiness Suite product(s) you use on the front-end server.

    Business Suite Product Required UI Component Relevant Instance Components That Are AutomaticallyInstalled

    SAP ERP SAP Fiori for SAP ERP 1.0 SPS 02(UI FOR EHP7 FOR SAP ERP 6.0)

    UI for Central App NW731, UI for Retail NW731, UI for Global Trade NW731, UI for Insurance NW731, UI for PLM NW731, UI for Travel NW731

    Installing the instances on the left automatically installs the following software component versions:

    UIEAAP01 100, UIRT401 100, UIGLT001 100, UIFSIS01 100, UIPLM001 100, UITRV001 100

    | | SAP Fiori principal apps for SAP ERP 1.0 SPS 02 (FIORI ERP APPLICATIONS X1 1.0) | Central App UI NW731, HCM UI NW731, Travel UI NW731 | Installing the instances on the left automatically installs the following software component versions: UIX01EAP 1.0, UIX01HCM 1.0, UIX01TRV 1.0 |
    | SAP SNC | SAP Supply Network Collaboration, User Interface Add-On for Purchase Order Collaboration 1.0 SPS 03 (SAP SNC USABILITY EXT 1.0) | SNC Mobile UI Ext. NW731 | Installing the instances on the left automatically installs the following software component version: SCMSNC_EXT1 100 (SCMSNCE1) |
    | SAP CRM | SAP Fiori for SAP CRM 1.0 SPS 02 (UI FOR EHP3 FOR SAP CRM 7.0) | CRM AS ABAP UI NW731 | Installing the instances on the left automatically installs the following software component version: UICRM001 100 |
    | SAP SCM | SAP Fiori for SAP SCM 1.0 (UI FOR SAP SCM 1.0) | UI for SCM Basis NW731 | Installing the instances on the left automatically installs the following software component version: SCMB_UI 100 |
    | SAP SRM | SAP Fiori for SAP SRM 1.0 SPS 02 (UI FOR EHP3 FOR SAP SRM 7.0) | SRM Server UI NW731 | Installing the instances on the left automatically installs the following software component version: UISRM200 100 |
    | | SAP Fiori principal apps for SAP SRM 1.0 SPS 02 (FIORI SRM APPLICATIONS X1 1.0) | SRM Server UI NW 731 | Installing the instance on the left automatically installs the following software component version: UIX01SRM 1.0 |
    | SAP GRC | SAP Fiori for SAP Access Control 1.0 SPS 02 (UI FOR SAP ACCESS CONTROL 10.1) | UI for Access Control NW731 | Installing the instances on the left automatically installs the following software component version: UIGRC001 100 |
    | SAP PORTF AND PROJ MGMT | SAP Fiori for SAP Portfolio and Project Management 1.0 SPS 02 (UI FOR SAP PORTF PROJ MGMT 6.0) | UI for PPM NW731 | Installing the instances on the left automatically installs the following software component version: UIPPM001 100 |
    | SAP ILM | SAP Fiori for SAP Information Lifecycle Management 1.0 SPS 01 (UI FOR SAP ILM 1.0) | UI for ILM NW731 | Installing the instances on the left automatically installs the following software component version: UIILM001 100 |
    | For the Approve Requests app: SAP NetWeaver and, optionally, SAP ERP and/or SAP SRM | SAP Fiori for Request Approvals 1.0 SPS 01 (FIORI APPROVE REQUESTS X1 1.0) | Approve Requests UI NW731 | Installing the instance on the left automatically installs the following software component version: UIX01CA1 1.0 |
    | SAP MDG | SAP Fiori for SAP Master Data Governance 1.0 (SAP FIORI FOR SAP MDG 1.0) | UI for MDG NW731 | Installing the instance on the left automatically installs the following software component version: UIMDG001 1.0 |
    | SAP EHSM | SAP Fiori for SAP EHS Management 1.0 (SAP FIORI FOR SAP EHSM 1.0) | UI for EHSM NW731 | Installing the instance on the left automatically installs the following software component version: UIEHSM01 1.0 |
    | SAP CEI | SAP Fiori for SAP Customer Engagement Intelligence 1.0 SPS 01 (SAP FIORI FOR SAP CEI 1.0) | UI for Cust Eng Intell NW731 | Installing the instance on the left automatically installs the following software component version: UICUAN 100 |
    | SAP sFIN | SAP Fiori for Smart Financials 1.0 SPS 01 (SAP FIORI FOR SAP SFIN 1.0) | UI for FIN NW731, UI for FSCM CCD NW731 | Installing the instance on the left automatically installs the following software component versions: UIAPFI70 100, UIFSCM70 100 |

    You can download the product versions containing the UI components from SAP Service Marketplace. For more information, see Downloading and Installing Product Versions.

    1.3.3.1.4 Installation of Product-Specific UI Components (SAP NW 7.4)

    If your front-end server is based on EHP 4 for SAP NetWeaver 7.0, you need to install the following applicable user interface (UI) components depending on the Business Suite product(s) you use on the front-end server.

    | Business Suite Product | Required UI Component | Relevant Instance | Components That Are Automatically Installed |
    | --- | --- | --- | --- |
    | SAP ERP | SAP Fiori for SAP ERP 1.0 SPS 02 (UI FOR EHP7 FOR SAP ERP 6.0) | UI for Central App NW740, UI for Retail NW740, UI for Global Trade NW740, UI for Insurance NW740, UI for PLM NW740, UI for Travel NW740 | Installing the instances on the left automatically installs the following software component versions: UIEAAP01 100, UIRT401 100, UIGLT001 100, UIFSIS01 100, UIPLM001 100, UITRV001 100 |
    | | SAP Fiori principal apps for SAP ERP 1.0 SPS 02 (FIORI ERP APPLICATIONS X1 1.0) | Central App UI NW740, HCM UI NW740, Travel UI NW740 | Installing the instances on the left automatically installs the following software component versions: UIX01EAP 1.0, UIX01HCM 1.0, UIX01TRV 1.0 |
    | SAP SNC | SAP Supply Network Collaboration, User Interface Add-On for Purchase Order Collaboration 1.0 SPS 03 (SAP SNC USABILITY EXT 1.0) | SNC Mobile UI Ext. NW740 | Installing the instances on the left automatically installs the following software component version: SCMSNC_EXT1 100 (SCMSNCE1) |
    | SAP CRM | SAP Fiori for SAP CRM 1.0 SPS 02 (UI FOR EHP3 FOR SAP CRM 7.0) | CRM AS ABAP UI NW740 | Installing the instances on the left automatically installs the following software component version: UICRM001 100 |
    | SAP SCM | SAP Fiori for SAP SCM 1.0 (UI FOR SAP SCM 1.0) | UI for SCM Basis NW740 | Installing the instances on the left automatically installs the following software component version: SCMB_UI 100 |
    | SAP SRM | SAP Fiori for SAP SRM 1.0 SPS 02 (UI FOR EHP3 FOR SAP SRM 7.0) | SRM Server UI NW740 | Installing the instances on the left automatically installs the following software component version: UISRM200 100 |
    | | SAP Fiori principal apps for SAP SRM 1.0 SPS 02 (FIORI SRM APPLICATIONS X1 1.0) | SRM Server UI NW 740 | Installing the instance on the left automatically installs the following software component version: UIX01SRM 1.0 |
    | SAP GRC | SAP Fiori for SAP Access Control 1.0 SPS 02 (UI FOR SAP ACCESS CONTROL 10.1) | UI for Access Control NW740 | Installing the instances on the left automatically installs the following software component version: UIGRC001 100 |
    | SAP PORTF AND PROJ MGMT | SAP Fiori for SAP Portfolio and Project Management 1.0 SPS 02 (UI FOR SAP PORTF PROJ MGMT 6.0) | UI for PPM NW740 | Installing the instances on the left automatically installs the following software component version: UIPPM001 100 |
    | SAP ILM | SAP Fiori for SAP Information Lifecycle Management 1.0 SPS 01 (UI FOR SAP ILM 1.0) | UI for ILM NW740 | Installing the instances on the left automatically installs the following software component version: UIILM001 100 |
    | For the Approve Requests app: SAP NetWeaver and, optionally, SAP ERP and/or SAP SRM | SAP Fiori for Request Approvals 1.0 SPS 01 (FIORI APPROVE REQUESTS X1 1.0) | Approve Requests UI NW740 | Installing the instance on the left automatically installs the following software component version: UIX01CA1 1.0 |
    | SAP MDG | SAP Fiori for SAP Master Data Governance 1.0 (SAP FIORI FOR SAP MDG 1.0) | UI for MDG NW740 | Installing the instance on the left automatically installs the following software component version: UIMDG001 1.0 |
    | SAP EHSM | SAP Fiori for SAP EHS Management 1.0 (SAP FIORI FOR SAP EHSM 1.0) | UI for EHSM NW740 | Installing the instance on the left automatically installs the following software component version: UIEHSM01 1.0 |
    | SAP CEI | SAP Fiori for SAP Customer Engagement Intelligence 1.0 SPS 01 (SAP FIORI FOR SAP CEI 1.0) | UI for Cust Eng Intell NW740 | Installing the instance on the left automatically installs the following software component version: UICUAN 100 |
    | SAP sFIN | SAP Fiori for Smart Financials 1.0 SPS 01 (SAP FIORI FOR SAP SFIN 1.0) | UI for FIN NW740, UI for FSCM CCD NW740 | Installing the instance on the left automatically installs the following software component versions: UIAPFI70 100, UIFSCM70 100 |

    You can download the product versions containing the UI components from SAP Service Marketplace. For more information, see Downloading and Installing Product Versions.

    1.1.3.2 Installation of SAP Notes (Transactional Apps)

    The SAP Notes below provide important overview information and links to further SAP Notes that you need to implement.

    Central SAP Notes

    | SAP Note Number | Target Server | Description |
    | --- | --- | --- |
    | 1995691 | Front-end server | General Information: FIORI UI Infrastructure Components Q2/2014 |
    | 1995693 | Front-end server | General Information: FIORI SAP NetWeaver Gateway 2.0 Q2/2014 |

    Product-Specific Release Information Notes (RIN)

    | Product | Target Server | SAP Note Number | Description |
    | --- | --- | --- | --- |
    | ERP | Back-end server | 1737650 | EHP7 for SAP ERP 6.0 SP Stacks Release & Information Note |
    | | Front-end server | 1914499 | Release Information Note: UI FOR EHP7 FOR SAP ERP 6.0 |
    | | | 1930165 | Release Information Note: SAP Fiori principal apps for SAP ERP 1.0 |
    | CRM | Back-end server | 1737725 | EHP3 for SAP CRM 7.0 SP stacks Release Information Note |
    | | Front-end server | 1914501 | Release Information Note: UI FOR EHP3 FOR SAP CRM 7.0 |
    | SRM | Back-end server | 1818517 | EHP3 for SAP SRM 7.0 SP stacks Release Information Note |
    | | Front-end server | 1932202 | Release Information Note: SAP Fiori principal apps for SAP SRM 1.0 |
    | | | 1914502 | Release Information Note: UI FOR EHP3 FOR SAP SRM 7.0 |
    | PPM | Back-end server | 1826383 | PPM 6.0: Support package information, notes, and schedule |
    | | Front-end server | 1928934 | Release Information Note: UI FOR SAP PORTF PROJ MGMT 6.0 |
    | SCM | Back-end server | 1737723 | EHP3 for SAP SCM 7.0 SP Stacks Release & Information Note |
    | | Front-end server | 2001729 | Release Information Note: SAP Fiori for SAP SCM 1.0 |
    | SNC | Back-end server | 1907850 | SAP SNC USABILITY EXT 1.0: Release Information Note |
    | | Front-end server | 1914553 | Rel. Info for Mobile UI ext. for SAP SNC USABILITY EXT 1.0 |
    | GRC | Back-end server | 1870233 | Release Information Note for SAP Access Control 10.1 |
    | | Front-end server | 1929930 | Release Information Note for UI for Access Control 10.1 |
    | ILM | Front-end server | 1964761 | Release Information Note for SAP FIORI FOR SAP ILM 1.0 |
    | Approve Requests | Front-end server | 1932223 | Release Information Note: SAP Fiori for Request Approvals 1.0 |
    | EHSM | Front-end server | 1987796 | Release Information Note: SAP Fiori for EHS Management |
    | SCM | Front-end server | 2001729 | Release Information Note: SAP Fiori for SAP SCM 1.0 |
    | MDG | Front-end server | 1995680 | MDG 7.0 SP 2 Feature Pack: Fiori UI Release Information Note |
    | sFIN | Front-end server | 1955437 | Release Information Note: SAP FIORI FOR SAP SFIN 1.0 |

    1.3.3.6 Setup of Clients

    SAP Fiori apps are designed for both desktop and mobile devices and can be used with an HTML5-capable web browser. For more information about supported combinations of device, browser, and operating system, see SAP Note 1935915.

    For Android and iOS devices, you can use SAP Fiori Client. This native application renders SAP Fiori application content and provides more reliable asset caching. For iOS, it additionally supplies an enhanced attachment viewing process. For more information about SAP Fiori Client, see SAP Help Portal at http://help.sap.com/fiori-client > SAP Fiori Client User Guide.

    1.3.3.7 Downloading and Installing Product Versions

    SAP recommends using Maintenance Optimizer in SAP Solution Manager to install and update product versions. SAP Solution Manager calculates the required software components that have to be deployed on each server. Alternatively, you can download the required files directly from SAP Service Marketplace and deploy them manually.

    For more information about Maintenance Optimizer, see SAP Help Portal at http://help.sap.com/solutionmanager71 > Application Help > SAP Library > SAP Solution Manager > Maintenance Management > Maintenance Optimizer.

    Procedure

    SAP Solution Manager

    Note: For product versions on the SAP HANA server: Your SAP HANA database has to be registered in the System Landscape Directory (SLD). For more information about how to register in SLD, see SAP Help Portal at http://help.sap.com/hana_appliance > Installation and Upgrade Information > SAP HANA Update Guides.

    1. In SAP Solution Manager, run transaction lmdb. On the Product Systems tab, select your product system and choose Display.
    2. In the navigation tree, click on the top node (Product System).
    3. On the Product Versions tab, under Maintenance Optimizer Transactions, choose Create Transaction. Then choose Calculate Files Automatically.
       If you are not yet running SPS 07, set it as your target stack and choose Continue.
       Note: This will update your SAP HANA DB to SPS 07.
    4. Confirm your selections and select all product versions that you want to install. Confirm and add them to the download basket. If not all dependencies as given in the respective tables are automatically resolved, you must select them manually.
    5. On the Stack Files tab, download the system-specific stack XML file:
       - In the SAP HANA system, for SAP Application Lifecycle Manager (ALM)
       - In the ABAP system, for the transaction SAINT
    6. Save and close the Maintenance Optimizer windows.
    7. Download the calculated files using SAP Download Manager from SAP Service Marketplace. Make the downloaded files and XML files available on your systems, which need to be updated.
    8. Depending on the product versions that you want to install or update, do the following:

    | Step | For Product Versions on the SAP HANA Server | For Product Versions on the ABAP Server |
    | --- | --- | --- |
    | 1 | As a SYSTEM user in the SAP HANA studio, right-click on the server node in the navigation pane, and select Lifecycle Management. | Start transaction SAINT. |
    | 2 | Under Update SAP HANA System, select Apply Support Package Stack. | Upload the stack XML file to get the software components that need to be installed on the ABAP server. |
    | 3 | Choose Manually downloaded content, then browse to find the content that you downloaded in step 7 and run the installation and update procedure. | Start the installation and update. |

    SAP Service Marketplace

    Note: For product versions on the SAP HANA server: You must have updated your SAP HANA appliance to SPS 07.

    You can download the product versions from the SAP Service Marketplace as follows:

    1. Open the software download center at http://service.sap.com/swdc.
    2. Choose Search for Software Downloads.
    3. Enter the technical name of the software component, for example, UI FOR EHP7 FOR SAP ERP 6.0.
    4. Download the component.
    5. Repeat steps 2 to 4 for each required component.

    For more information about which components you need to install, see the Installation Tasks in the Installation overview for your app type.

    After downloading the components, you can start the installation and update. Ensure that the components that you install in your landscape have the latest support package level.

    1.3.3.8 Virus Scanning

    Various SAP Fiori applications offer the possibility to upload documents and to display uploaded documents. If one of these applications is used, it is necessary to install an appropriate virus scanner and define sufficiently restrictive scan profiles to prevent upload of malicious content.

    Uploaded documents are displayed in SAP Fiori applications without further security-related checks. If a document contains malicious content, unintended actions could be triggered at the front end during download or display, which might lead to cross-site scripting vulnerabilities.

    Scan Profiles for SAP Fiori Applications

    If one of the SAP Fiori applications listed below is used, the installation of an appropriate virus scanner (external product) connected to the back-end system is necessary. The virus scanner will reject all documents that are not compliant with the rules defined in the settings of the virus scanner (scan profile).

    To prevent any issues when displaying uploaded documents (for example, cross-site scripting), these rules need to disallow dangerous MIME types (for example, documents with active content like HTML or JavaScript).

    For more information about the configuration for SAP NetWeaver 7.31, see the SAP Help Portal at http://help.sap.com/nw731 > Application Help > Function-Oriented View > Security > System Security > Virus Scan Interface.

    For more information about the configuration for SAP NetWeaver 7.40, see the SAP Help Portal at http://help.sap.com/nw74 > Application Help > Function-Oriented View > Security > System Security > Virus Scan Interface.

    You can find additional information in the SAP Notes 786179 and 1494278.

    The following list contains all SAP Fiori applications that offer uploading or displaying of documents. All documents used in these applications are stored in the Knowledge Provider (KPro) and are all checked with the scan profile /SCMS/KPRO_CREATE before being stored on the database.

    | Area | Application | Technical Name | Profile |
    | --- | --- | --- | --- |
    | SAP CRM | My Leads | CRM_LEADS | /SCMS/KPRO_CREATE |
    | | My Accounts | CRM_MYACCOUNTS | /SCMS/KPRO_CREATE |
    | | My Appointments | CRM_MYCAL | /SCMS/KPRO_CREATE |
    | | My Contacts | CRM_MYCONT | /SCMS/KPRO_CREATE |
    | | My Opportunities | CRM_OPPRTNTY | /SCMS/KPRO_CREATE |
    | SAP ERP | My Quotations | SD_MYQUOTES | /SCMS/KPRO_CREATE (*) |
    | | Sales Order Fulfillment Monitor | SD_SOFULFIL_MON | /SCMS/KPRO_CREATE (*) |
    | | Report Quality Issue | UI_QM_CREATE | /SCMS/KPRO_CREATE |
    | SAP PORTF PROJ MGMT | Approve Decision Points | PPM_PFMDCPT_APV | /SCMS/KPRO_CREATE |
    | | Change Portfolio Items | PPM_PFMITEM_CHG | /SCMS/KPRO_CREATE |
    | | Create Portfolio Item Proposals | PPM_PFMITPR_CRE | /SCMS/KPRO_CREATE |
    | | Confirm Project Tasks | PPM_PROTSK_CNF | /SCMS/KPRO_CREATE |

    (*) Profile /SCMS/KPRO_CREATE is the default profile. It can be overruled by the following settings (evaluated from top to bottom until a profile is found):

    1. Value of parameter &GOS_VPROFILE from memory id &GOS_VSI_PROFILE
    2. Value of parameter &BCS_VPROFILE from memory id &BCS_VSI_PROFILE
    3. Value in field VALUE for the record in table SXPARAMS with key PARAM = SO_VSI_PROFILE
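The rule that a scan profile must disallow dangerous MIME types can be modelled as follows. This is an added example, not SAP code and not part of the Virus Scan Interface; the allow-list, the function names and the sample documents are assumptions constructed for illustration. It classifies an upload by its content rather than by the type the client declares, so HTML or script stored under a harmless type is still rejected.

```python
import re
from typing import NamedTuple

# Assumed allow-list for this example. A real scan profile is maintained in
# the virus scanner configuration, not in application code.
ALLOWED_TYPES = frozenset({"application/pdf", "image/png", "image/jpeg", "text/plain"})

# Leading "magic" bytes of the binary formats on the allow-list.
MAGIC_NUMBERS = (
    (b"%PDF-", "application/pdf"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
)

# Markup a browser would treat as active content when the document is displayed.
ACTIVE_CONTENT = re.compile(
    rb"<\s*(?:!doctype\s+html|html|script|svg|iframe|object|embed)\b|javascript\s*:",
    re.IGNORECASE,
)


class Verdict(NamedTuple):
    accepted: bool
    sniffed_type: str
    reason: str


def sniff_type(data: bytes) -> str:
    """Derive a MIME type from the bytes alone, ignoring name and declared type."""
    for magic, mime in MAGIC_NUMBERS:
        if data.startswith(magic):
            return mime
    if ACTIVE_CONTENT.search(data):
        return "text/html"
    if b"\x00" not in data:
        try:
            data.decode("utf-8")
            return "text/plain"
        except UnicodeDecodeError:
            pass
    return "application/octet-stream"


def check_upload(declared_type: str, data: bytes) -> Verdict:
    """Accept a document only if its content is on the allow-list and
    matches the type the client declared."""
    declared = declared_type.split(";", 1)[0].strip().lower()
    sniffed = sniff_type(data)
    if sniffed not in ALLOWED_TYPES:
        return Verdict(False, sniffed, "content type not on allow-list")
    if declared != sniffed:
        return Verdict(False, sniffed, "declared type does not match content")
    return Verdict(True, sniffed, "ok")


# Constructed sample uploads: (declared type, content).
SAMPLES = [
    ("application/pdf", b"%PDF-1.4\n1 0 obj\n"),
    ("text/plain", b"Meeting notes <script>document.title='x'</script>"),
    ("image/png", b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"></svg>'),
    ("application/pdf", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
]

if __name__ == "__main__":
    for declared, content in SAMPLES:
        print(declared, check_upload(declared, content))
```
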

    1.3.4 Communication Channels

    To transfer application data and security credentials within your SAP Fiori system landscape, communication between the client, the front end, and the back end is established by using different communication channels and protocols:

    System Landscape with ABAP Environment: Communication Channels

    More Information

    For information about setting up communication encryption for SAP NetWeaver, see the following documentation:

    - For SAP NetWeaver 7.31, see SAP Help Portal at http://help.sap.com/nw731 > Security Information > Security Guide > Network and Communication Security > Transport Layer Security
    - For SAP NetWeaver 7.40, see SAP Help Portal at http://help.sap.com/nw74 > Security Information > Security Guide > Network and Communication Security > Transport Layer Security

    For information about setting up communication encryption for SAP HANA, see the SAP Help Portal at http://help.sap.com/hana_platform > Security Information > SAP HANA Security Guide > SAP HANA Network and Communication Security > Securing Data Communication

    1.1.4.1 Communication Between Client and ABAP Front-End Server

    For transactional apps, the client can issue the following types of requests to the ABAP front-end server:

    - HTML requests
    - OData requests

    For communication between the client and the ABAP front-end server, an HTTPS connection is established.

    Activities

    To set up the connections between SAP Web Dispatcher and the ABAP servers, you must make the following settings:

    - You must configure HTTP security session management for the ABAP front-end server.
    - You must configure the ABAP front-end server for supporting SSL.


    Note: If you implement SAP Fiori transactional apps in an internet-facing scenario, SAP recommends that you deploy SAP Web Dispatcher in a demilitarized zone (DMZ). For more information, see Internet-Facing Deployment.

    To ensure confidentiality and integrity of data, SAP recommends protecting HTTP connections by using Transport Layer Security (TLS) or Secure Sockets Layer (SSL). For information about setting up communication encryption for SAP NetWeaver, see the following documentation:

    - For SAP NetWeaver 7.31, see the SAP Help Portal at http://help.sap.com/nw731 > Security Information > Security Guide > Network and Communication Security > Transport Layer Security.
    - For SAP NetWeaver 7.4, see the SAP Help Portal at http://help.sap.com/nw74 > Security Information > Security Guide > Network and Communication Security > Transport Layer Security.

    Note: A token-based protection against Cross-Site Request Forgery (CSRF) is active by default in SAP Gateway and SAP HANA XS Fiori OData services. It protects all modifying requests.

    1.3.4.2.1 Configuring ABAP Server Session Security

    For the ABAP front-end server and the ABAP back-end server running Enterprise Search, you must activate HTTP security session management by using the transaction SICF_SESSIONS. When you activate HTTP security session management, we recommend that you activate the following extra protection for security-related cookies:

    - HttpOnly
      This attribute instructs the browser to deny access to the cookie through client-side script. As a result, even if a cross-site scripting (XSS) flaw exists and a user accidentally accesses a link that exploits this flaw, the browser will not reveal the cookie to a third party.
    - Secure
      This attribute instructs the browser to send the cookie only if the request is being sent over a secure channel such as HTTPS. This helps protect the cookie from being passed over unencrypted requests.

    In addition, we recommend configuring HTTP session expiration with a reasonable timeout. To configure this, you use the profile parameter http/security_session_timeout.
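A check for the two cookie attributes recommended above, run against the Set-Cookie headers a front-end server returns. This is an added example, not SAP code; the cookie names, the prefix list and the header values are constructed, and a real audit would use the names your system actually issues.

```python
from typing import Dict, Iterable, List, Tuple

# The two attributes the section recommends for security-related cookies.
REQUIRED_FLAGS = ("secure", "httponly")


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie header value into name, value and attributes.

    Attribute names are lower-cased because they are case-insensitive;
    flag attributes such as Secure and HttpOnly map to an empty string.
    """
    first, *rest = header.split(";")
    name, _, value = first.strip().partition("=")
    attributes: Dict[str, str] = {}
    for item in rest:
        key, _, val = item.strip().partition("=")
        if key:
            attributes[key.lower()] = val
    return name, value, attributes


def missing_flags(
    headers: Iterable[str], sensitive_prefixes: Iterable[str]
) -> Dict[str, List[str]]:
    """Return {cookie name: [missing attributes]} for security-related cookies.

    Cookies whose name does not start with one of sensitive_prefixes are
    skipped; cookies that carry both attributes are not reported.
    """
    prefixes = tuple(p.lower() for p in sensitive_prefixes)
    findings: Dict[str, List[str]] = {}
    for header in headers:
        name, _, attributes = parse_set_cookie(header)
        if not name.lower().startswith(prefixes):
            continue
        missing = [flag for flag in REQUIRED_FLAGS if flag not in attributes]
        if missing:
            findings[name] = missing
    return findings


# Constructed sample: Set-Cookie values as they might appear in a response.
SAMPLE_HEADERS = [
    "SAP_SESSIONID_ABC_100=constructed-value; path=/; secure; HttpOnly",
    "SAP_SESSIONID_XYZ_100=constructed-value; path=/",
    "MYSAPSSO2=constructed-value; path=/; domain=example.test; HttpOnly",
    "sap-usercontext=sap-client=100; path=/",
]
# Assumed set of cookie-name prefixes treated as security-related.
SENSITIVE_PREFIXES = ["SAP_SESSIONID_", "MYSAPSSO2"]

if __name__ == "__main__":
    for cookie, flags in missing_flags(SAMPLE_HEADERS, SENSITIVE_PREFIXES).items():
        print(f"{cookie}: missing {', '.join(flags)}")
```
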

    Logout from Multiple Systems

    SAP Fiori apps only support logout with the ABAP front-end server and a single SAP HANA XS. If additional SAP NetWeaver Gateway systems or SAP HANA XS systems are deployed (for example, to distribute OData services across multiple server farms), the corresponding HTTP sessions are not closed when the user logs out. In this case, it is important to have session expiration configured.

    More Information

    For more information about activating HTTP security session management, see the following documentation:

    - For SAP NetWeaver 7.31, see the SAP Help Portal at http://help.sap.com/nw731 > Application Help > Function-Oriented View > Security > User Authentication and Single Sign-On > Authentication Infrastructure > AS ABAP Authentication Infrastructure > Activating HTTP Security Session Management on AS ABAP.
    - For SAP NetWeaver 7.40, see the SAP Help Portal at http://help.sap.com/nw74 > Application Help > Function-Oriented View > Security > User Authentication and Single Sign-On > Authentication Infrastructure > AS ABAP Authentication Infrastructure > Activating HTTP Security Session Management on AS ABAP.

    For more information about session security protection for SAP NetWeaver Gateway, see the following documentation:

    - For SAP NetWeaver 7.31, see the SAP Library for SAP NetWeaver Gateway on SAP Help Portal at http://help.sap.com/nwgateway20 > Security Information > Security Guide > SAP NetWeaver Gateway Security Guide > Session Security Protection.
    - For SAP NetWeaver 7.40, see the SAP Help Portal at http://help.sap.com/nw74 > Application Help > Function-Oriented View > SAP NetWeaver Gateway Foundation (SAP_GWFND) > SAP NetWeaver Gateway Foundation Security Guide > Session Security Protection.

    1.3.4.2.2 Configuring the AS ABAP for Supporting SSL

    All communication between the client, SAP Web Dispatcher, and the ABAP servers is handled by using HTTPS connections. To secure these HTTPS connections, you must configure all ABAP servers to support the Secure Sockets Layer (SSL) protocol.

    For more information about the steps that are required to enable SSL on the ABAP servers, see:

    - For SAP NetWeaver 7.31: http://help.sap.com/saphelp_nw731 > Application Help > Function-Oriented View > Security > Network and Transport Layer Security > Transport Layer Security on the AS ABAP > Configuring the AS ABAP for Supporting SSL
    - For SAP NetWeaver 7.4: http://help.sap.com/saphelp_nw74 > Application Help > Function-Oriented View > Security > Network and Transport Layer Security > Transport Layer Security on the AS ABAP > Configuring the AS ABAP for Supporting SSL

    Note: For secure communication between SAP Web Dispatcher and the ABAP servers, SSL must also be enabled for SAP Web Dispatcher. For more information about setting up SSL for SAP Web Dispatcher, see Configuring Communication Channel between Clients and SAP Web Dispatcher.

    1.3.4.3 Communication Between ABAP Front-End and ABAP Back-End Server

    For transactional apps and fact sheets, data and services from the ABAP back-end server are provided to the ABAP front-end server by using OData services. For communication between the ABAP front-end server and the ABAP back-end server, a trusted RFC connection is established.

    Activities

    To set up the connection between the ABAP front-end server and the ABAP back-end server, you must make the following settings:

    - You must define a trust relationship between SAP Gateway (on the ABAP front-end server) and the ABAP back-end server.
    - You must manage RFC destinations.
    - You must activate SAP Gateway on the ABAP front-end server.
    - You must create system aliases for applications.

    To ensure confidentiality and integrity of data, SAP recommends protecting HTTP connections by using Transport Layer Security (TLS) or Secure Sockets Layer (SSL). For information about setting up communication encryption for SAP NetWeaver, see the following documentation:

    - For SAP NetWeaver 7.31, see the SAP Help Portal at http://help.sap.com/nw731 > Security Information > Security Guide > Network and Communication Security > Transport Layer Security.
    - For SAP NetWeaver 7.4, see the SAP Help Portal at http://help.sap.com/nw74 > Security Information > Security Guide > Network and Communication Security > Transport Layer Security.

    1.3.4.3.1 Connect SAP NetWeaver Gateway to SAP Business Suite (Trusted RFC)

    You must set up a connection between SAP NetWeaver Gateway on your front-end server and your existing SAP Business Suite system on your back-end server.

    For more information about how to maintain the trust relationship, see the following documentation:

    - For SAP NetWeaver 7.31, see SAP Help Portal at http://help.sap.com/nwgateway20 > Configuration and Deployment Information > Configuration Guide > SAP NetWeaver Gateway Configuration Guide > OData Channel Configuration > Connection Settings on the SAP NetWeaver Gateway Hub System > Connection Settings: SAP NetWeaver Gateway to SAP Systems > Defining Trust between the SAP NetWeaver Gateway Host and Your SAP Systems for Type 3 Connections.
    - For SAP NetWeaver 7.4, see SAP Help Portal at http://help.sap.com/nw74 > Application Help > Function-Oriented View > SAP NetWeaver Gateway Foundation (SAP_GWFND) > SAP NetWeaver Gateway Foundation Configuration Guide > OData Channel Configuration > Connection Settings on the SAP NetWeaver Gateway Hub System > Connection Settings: SAP NetWeaver Gateway to SAP Systems > Defining Trust between the SAP NetWeaver Gateway Host and Your SAP Systems for Type 3 Connections.

    Note: Ensure that the RFC connection is securely configured. For information about the required security settings, see the following documentation:

    - For SAP NetWeaver 7.31, see SAP Help Portal at http://help.sap.com/nwgateway20 > Security Information > Security Guide > SAP NetWeaver Security Guide > Security Guides for Connectivity and Interoperability Technologies > RFC/ICF Security Guide > RFC Scenarios > RFC Communication Between SAP Systems > Network Security and Communication.
    - For SAP NetWeaver 7.4, see SAP Help Portal at http://help.sap.com/nw74 > Security Information > Security Guide > SAP NetWeaver Security Guide > Security Guides for Connectivity and Interoperability Technologies > RFC/ICF Security Guide > RFC Scenarios > RFC Communication Between SAP Systems > Network Security and Communication.

    1.3.4.3.2 Managing RFC Destinations

    You define remote function call (RFC) destinations from the ABAP front-end server to the ABAP back-end system(s). Additionally, define an RFC destination that has the front-end server itself as target for local RFC calls.

    Prerequisites

    You have created the trusted relationship because the back-end servers must already trust the front-end server. For more information, see Connect SAP NetWeaver Gateway to SAP Business Suite (Trusted RFC).

    Procedure

    1. In Customizing for SAP NetWeaver, choose UI Technologies > SAP Fiori > Initial Setup > Connection Settings (Front-End Server to ABAP Back-End Server) > Manage RFC Destinations.
    2. Define the required RFC destinations.

    For more information about the settings, see the following documentation:

    - For SAP NetWeaver 7.31, see SAP Help Portal at http://help.sap.com/nwgateway20 > Configuration and Deployment Information > Configuration Guide > SAP NetWeaver Gateway Configuration Guide > OData Channel Configuration > Connection Settings on the SAP NetWeaver Gateway Hub System > Connection Settings: SAP NetWeaver Gateway to SAP Systems > Creating a Type 3 RFC Destination on SAP NetWeaver Gateway Host to SAP System.
    - For SAP NetWeaver 7.4, see SAP Help Portal at http://help.sap.com/nw74 > Application Help > Function-Oriented View > SAP NetWeaver Gateway Foundation (SAP_GWFND) > SAP NetWeaver Gateway Foundation Configuration Guide > OData Channel Configuration > Connection Settings on the SAP NetWeaver Gateway Hub System > Connection Settings: SAP NetWeaver Gateway to SAP Systems > Creating a Type 3 RFC Destination on SAP NetWeaver Gateway Host to SAP System.

    1.3.4.3.3 Activating SAP NetWeaver Gateway

    Before you can use SAP NetWeaver Gateway functionality, you have to activate it globally in your system. You can activate and deactivate SAP NetWeaver Gateway. When you deactivate it, all SAP NetWeaver Gateway services stop running, no consumer servers can communicate with it, and an error message is sent to any system that calls for the services.

    Prerequisites

    Ensure that you have installed and configured the consumer server.

    You have completed the installation and post-installation configuration for SAP NetWeaver Gateway. For more information, see Connect SAP NetWeaver Gateway to SAP Business Suite (Trusted RFC) and Managing RFC Destinations.

    Procedure

    1. In Customizing for SAP NetWeaver, choose UI Technologies > SAP Fiori > Initial Setup > Connection Settings (Front-End Server to ABAP Back-End Server) > Activate SAP NetWeaver Gateway.
       A message displays.
    2. Choose Activate.
       A message displays informing you of the current status.

    1.3.4.3.4 Creating System Alias for Applications

    An SAP system alias is needed as the logical name of a system connection, that is, you specify where the SAP system alias should point to. Depending on the SAP NetWeaver Gateway content scenario and your system landscape, you thus set up the system alias. The system alias is the result of the routing for an inbound request on SAP NetWeaver Gateway. It can be a remote or a local system. If that system alias is flagged as a Local GW instance, it means that the system that is responsible for processing (managing and storing) the data of an inbound request is the local SAP NetWeaver Gateway instance itself.

    Prerequisites

    You have defined remote function call (RFC) destinations from the ABAP front-end server to all back-end servers. For more information, see Managing RFC Destinations.

    Procedure

    1. In Customizing for SAP NetWeaver, choose UI Technologies > SAP Fiori > Initial Setup > Connection Settings (Front-End Server to ABAP Back-End Server) > Define SAP System Alias.
    2. Choose New Entries.
    3. Create the following SAP system aliases:
       - One SAP system alias pointing to the front-end server with the indicator Local Gateway activated.
       - One SAP system alias for each back-end system with the corresponding RFC destination assigned.

    For more information about further settings, see the following documentation:

    - For SAP NetWeaver 7.31, see SAP Help Portal at http://help.sap.com/nwgateway20 > Configuration and Deployment Information > Configuration Guide > SAP NetWeaver Gateway Configuration Guide > OData Channel Configuration > Connection Settings on the SAP NetWeaver Gateway Hub System > Connection Settings: SAP NetWeaver Gateway to SAP Systems > Creating the SAP System Alias for Applications.
    - For SAP NetWeaver 7.40, see SAP Help Portal at http://help.sap.com/nw74 > Application Help > Function-Oriented View > SAP NetWeaver Gateway Foundation (SAP_GWFND) > SAP NetWeaver Gateway Foundation Configuration Guide > OData Channel Configuration > Connection Settings on the SAP NetWeaver Gateway Hub System > Connection Settings: SAP NetWeaver Gateway to SAP Systems > Creating the SAP System Alias for Applications.

    1.3.4.6 User Authentication and Single Sign-On


  • System Landscape: User Authentication and Single Sign-On

    Initial Authentication
    When a user launches an SAP Fiori app, the launch request is sent from the client to the ABAP front-end server by the SAP Fiori launchpad. During launch, the ABAP front-end server authenticates the user by using one of the following authentication and single sign-on (SSO) mechanisms:

    Kerberos/SPNego
    If you access SAP Fiori apps from within your corporate network, you can enable Kerberos/SPNego authentication for the ABAP front-end server. This authentication is especially recommended if you already have a Kerberos/SPNego infrastructure in place, for example, if you use Microsoft Active Directory.
    Kerberos/SPNego authentication provides the following advantages:
    - It simplifies the logon process by reusing credentials that have already been provided, for example, during logon to the Microsoft Windows workstation. A separate logon to the ABAP front-end server is not required.
    - It is also supported for logon to the SAP GUI. Using Kerberos for both SAP GUI and HTTP access simplifies the Single Sign-On setup within your system landscape.
    - It is supported by a growing number of mobile device vendors.
    During logon, Kerberos/SPNego authentication requires access to an issuing system (for example, Microsoft Active Directory). As this system is typically located within the corporate network, Kerberos/SPNego cannot be used for most internet-facing deployment scenarios. To enable Single Sign-On with Kerberos/SPNego authentication from outside your corporate network, you might have to set up a VPN connection.
    Kerberos/SPNego is available with the SAP Sign-On product, which also provides additional authentication mechanisms, such as X.509 certificates or an SAML Identity Provider.
    For an overview of SAP Sign-On, see http://www.sap.com/pc/tech/application-foundation-security/software/single-sign-on/index.html.

    X.509 certificates
    If you have implemented a public-key infrastructure (PKI) for user authentication in your organization, you can use X.509 certificates by configuring the required back-end systems (ABAP or SAP HANA) to accept X.509 certificates.
    Authentication with X.509 certificates provides the following advantages:
    - It does not require an issuing system during logon, which means that it works well in internet-facing scenarios.
    - It is also supported for logon to the SAP GUI. Using X.509 certificates for both SAP GUI and HTTP access simplifies the Single Sign-On setup within your system landscape.
    X.509 certificates must be distributed to the workstations and devices that are used to access SAP Fiori apps. For mobile devices, this distribution can be performed centrally by mobile device management software, for example SAP Afaria.

    Recommendation
    As X.509 certificates remain valid for a relatively long time, SAP recommends minimizing the security risk by implementing a method to revoke the certificates, for example if a mobile device is lost.

    SAML 2.0
    If you have implemented the Security Assertion Markup Language (SAML) version 2.0 as the method of SSO within your organization, you can configure the ABAP front-end server for use with SAML 2.0.
    This authentication method provides the following advantages:
    - It includes extensive federation capabilities, which means that it works well in scenarios with federated user domains, where trust configuration can be complicated.
    - It includes extensive user mapping capabilities that enable you to map SAP users based on identity attributes, such as the SAP user name attribute or a user's e-mail address. This means that SAML 2.0 works well for scenarios with multiple user domains.
    During logon, SAML 2.0 authentication requires access to an issuing system (Identity Provider). To enable Single Sign-On with SAML 2.0 in internet-facing deployment scenarios that leverage its federation capabilities, you must ensure that the SAML Identity Provider is securely accessible from outside your corporate network.

    Logon tickets


  • For logon tickets, you must configure the ABAP front-end server to issue logon tickets. Alternatively, you can use an existing system, such as a portal, in your landscape that already issues logon tickets. In addition, you must configure the required back-end systems (ABAP or SAP HANA) to accept logon tickets. You must also ensure that users in the ABAP system have the same user names as the database users in SAP HANA; user mapping is not supported.
    As logon tickets are transferred as browser cookies, you can only use this authentication mechanism if all systems in your system landscape are located within the same DNS domain.
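    A preflight check for the two logon-ticket prerequisites named above, as an added example that is not part of the SAP documentation: all hosts in one DNS domain, so that a ticket cookie can reach each of them, and identical user names in ABAP and SAP HANA. The host names, user names and the short public-suffix set are constructed for illustration.

```python
import ipaddress

# Constructed stand-in for the public suffix list; use the real list in practice.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def shared_dns_domain(hosts):
    """Return the DNS domain common to all hosts, or None if no domain
    cookie could be sent to every one of them."""
    reversed_labels = []
    for host in hosts:
        name = host.rstrip(".").lower()
        try:
            ipaddress.ip_address(name)
        except ValueError:
            reversed_labels.append(name.split(".")[::-1])
        else:
            return None  # an IP literal never matches a cookie domain
    common = []
    for column in zip(*reversed_labels):
        if len(set(column)) != 1:
            break
        common.append(column[0])
    domain = ".".join(reversed(common))
    # A bare top-level label is treated like a public suffix.
    if len(common) < 2 or domain in PUBLIC_SUFFIXES:
        return None
    return domain


def users_without_hana_account(abap_users, hana_users):
    """ABAP user names that have no identically named SAP HANA database user.
    The comparison is exact because user mapping is not supported."""
    return sorted(set(abap_users) - set(hana_users))


def logon_ticket_preflight(hosts, abap_users, hana_users):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    if shared_dns_domain(list(hosts.values())) is None:
        listing = ", ".join(f"{role}={name}" for role, name in hosts.items())
        findings.append(f"hosts do not share one DNS domain: {listing}")
    missing = users_without_hana_account(abap_users, hana_users)
    if missing:
        findings.append("no SAP HANA user with the same name for: " + ", ".join(missing))
    return findings


# Constructed sample landscape (hypothetical host and user names).
SAMPLE_HOSTS = {
    "ABAP front-end server": "fes.corp.example.com",
    "ABAP back-end server": "bes.corp.example.com",
    "SAP HANA XS": "hana.analytics.example.net",
}
SAMPLE_ABAP_USERS = ["JDOE", "ASMITH"]
SAMPLE_HANA_USERS = ["JDOE", "SYSTEM"]

if __name__ == "__main__":
    for finding in logon_ticket_preflight(SAMPLE_HOSTS, SAMPLE_ABAP_USERS, SAMPLE_HANA_USERS):
        print("FINDING:", finding)
```

    A shared domain is a necessary condition only; the issuing system must also set the ticket cookie for that domain.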

    Recommendation
    The new standardized authentication methods Kerberos/SPNego, X.509 certificates, and SAML 2.0 provide additional security and flexibility features compared to proprietary logon tickets. For example, you can define user mappings and shorten token validity periods or session lifetimes on the server. Therefore, SAP recommends using Kerberos/SPNego, X.509 certificates, or SAML 2.0 where technically possible.

    Authentication for Requests in the Back-End Systems
    After initial authentication on the ABAP front-end server, the SAP Fiori apps and the SAP Fiori launchpad can send requests to the ABAP back-end server and to SAP HANA Extended Application Services (SAP HANA XS):

    - Requests to the ABAP back-end server (transactional apps and fact sheets)
      Transactional apps and fact sheets send OData requests through the ABAP front-end server towards the ABAP back-end server. After initial authentication, a security session is established between the client and the ABAP front-end server. OData requests towards the ABAP back-end server are then communicated securely by trusted RFC.
      For search in SAP Fiori Launchpad, fact sheets also send InA search requests from the client to the ABAP back-end server. These requests can be authenticated with Kerberos/SPNego, X.509 certificates, or logon tickets. You can configure the ABAP front-end server to issue logon tickets after initial authentication, or you can use your existing portal to do so.
    - Requests to SAP HANA XS (analytical apps)
      Analytical apps send OData requests from the client to SAP HANA XS. These requests can be authenticated with Kerberos/SPNego, X.509 certificates, or logon tickets. You can configure the ABAP front-end server to issue logon tickets after initial authentication, or you can use your existing portal to do so.

    1.3.4.6.1 Setting Up Single Sign-On for SAP Fiori Apps
    According to your system landscape, the type of app, and the authentication method that you want to use, different steps are required to set up Single Sign-On (SSO).

    Activities
    To set up SSO in your system landscape, proceed as follows:

    SSO for System Landscapes with an ABAP Environment
    1. Configure the ABAP front-end server for initial authentication.
    2. Configure authentication for requests to the ABAP back-end server:
       - Configure a trusted RFC connection between the ABAP front-end server and the ABAP back-end server.

    SSO for System Landscapes with an SAP HANA Database
    1. Configure the ABAP front-end server for initial authentication.
    2. Configure authentication for requests to the ABAP back-end server:
       - Configure a trusted RFC connection between the ABAP front-end server and the ABAP back-end server.
       - For search in the SAP Fiori launchpad, configure authentication in the back-end server, which processes the search requests.

    SSO for System Landscapes with SAP HANA XS
    1. Configure the ABAP front-end server for initial authentication.
    2. For transactional apps and fact sheets, configure authentication for requests to the ABAP back-end server:
       - Configure a trusted RFC connection between the ABAP front-end server and the ABAP back-end server.
       - For search in the SAP Fiori launchpad, configure authentication in the back-end server, which processes the search requests.
    3. For analytical apps, configure authentication for requests to SAP HANA XS:
       - Maintain the SAP HANA trust store.
       - Maintain the internal SAP Web Dispatcher profile for SAP HANA XS.
         Note
         The SAP Web Dispatcher referred to here is internal to SAP HANA XS and not the SAP Web Dispatcher included in the SAP Fiori system landscape.
       - Configure trust relationships.
       - Maintain the SSO provider for SAP HANA XS.
       To configure user authentication methods for SAP HANA XS, you use the XS Applications tool of the Web-based SAP HANA XS Administration Tool.
       We recommend configuring user authentication methods for the following packages, which contain the content necessary for the applications:
       - sap.hba.apps
       - sap.hba.r
       Note
       The authentication methods specified for these packages also apply to any subpackages.

    The detailed steps that are required for each type of system landscape vary according to the authentication method that you want to use. For more information, see the following documentation:


  • Kerberos/SPNego
    For more information about the configuration that is required for Kerberos/SPNego, see the Secure Login Implementation Guide for SAP NetWeaver Single Sign-On on SAP Help Portal at http://help.sap.com/nwsso.

    X.509 certificates
    For more information about the configuration that is required for X.509 certificates, see:
    - For SAP NetWeaver 7.31: http://help.sap.com/nw731 Application Help Function-Oriented View Security User Authentication and Single Sign-On Integration in Single Sign-On (SSO) Environments Single Sign-On for Web-Based Access Using X.509 certificates Using X.509 Client Certificates on the AS ABAP Configuring the AS ABAP to use X.509 Client Certificates.
    - For SAP NetWeaver 7.4: http://help.sap.com/nw74 Application Help Function-Oriented View Security User Authentication and Single Sign-On Integration in Single Sign-On (SSO) Environments Single Sign-On for Web-Based Access Using X.509 certificates Using X.509 Client Certificates on the AS ABAP Configuring the AS ABAP to use X.509 Client Certificates.

    SAML 2.0
    For more information about the configuration that is required for using SAML 2.0, see:
    - For SAP NetWeaver 7.31: http://help.sap.com/nw731 Application Help Function-Oriented View Security User Authentication and Single Sign-On Integration in Single Sign-On (SSO) Environments Single Sign-On for Web-Based Access Using SAML 2.0 Configuring AS ABAP as a Service Provider.
    - For SAP NetWeaver 7.4: http://help.sap.com/nw74 Application Help Function-Oriented View Security User Authentication and Single Sign-On Integration in Single Sign-On (SSO) Environments Single Sign-On for Web-Based Access Using SAML 2.0 Configuring AS ABAP as a Service Provider.

    Logon tickets
    For more information about the configuration that is required for using logon tickets, see:
    - For SAP NetWeaver 7.31: http://help.sap.com/nw731 Application Help Function-Oriented View Security User Authentication and Single Sign-On Integration in Single Sign-On (SSO) Environments Single Sign-On for Web-Based Access Using Logon Tickets Using Logon Tickets with AS ABAP Configuring AS ABAP to Accept Logon Tickets.
    - For SAP NetWeaver 7.4: http://help.sap.com/nw74 Application Help Function-Oriented View Security User Authentication and Single Sign-On Integration in Single Sign-On (SSO) Environments Single Sign-On for Web-Based Access Using Logon Tickets Using Logon Tickets with AS ABAP Configuring AS ABAP to Accept Logon Tickets.

    More Information
    For more information about how to set up a trusted RFC, see:
    - For SAP NetWeaver 7.31: http://help.sap.com/nw731 Security Guide Security Guides for Connectivity and Interoperability Technologies RFC/ICF Security Guide RFC Scenarios.
    - For SAP NetWeaver 7.4: http://help.sap.com/nw74 Security Guide Security Guides for Connectivity and Interoperability Technologies RFC/ICF Security Guide RFC Scenarios.

    For more information about configuring SAP Fiori search, see SAP Fiori Search.
    For more information about configuring SSO for SAP HANA XS, see the SAP HANA Security Guide and the SAP HANA Administration Guide at http://help.sap.com/hana_platform System Administration and Maintenance Information SAP HANA Administration Guide SAP HANA XS Administration Tools Maintaining Single Sign-On for SAP HANA XS Applications.

    1.3.4.7 Internet-Facing Deployment
    Only SAP Fiori transactional apps are supported for consumption by Internet clients. This includes mobile devices that are not directly connected to the corporate intranet, for example when a user is travelling.
    For the demilitarized zone (DMZ), we recommend that you deploy SAP Web Dispatcher (or any other reverse proxy). SAP Web Dispatcher should allow only requests that will be routed to the general Internet Communication Framework (ICF) services or to Fiori apps that must be exposed.
    In particular, we recommend blocking all requests to the following:
    - /sap/hba/* (SAP HANA XS)
    - /sap/es/* (Enterprise Search)
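    The filtering rule described above, sketched as an added example (not SAP code and not SAP Web Dispatcher configuration): a default-deny decision function that canonicalizes the request path before matching, so that other spellings of /sap/hba/ and /sap/es/ are blocked as well. The allow-listed prefixes, the case-insensitive comparison and the sample requests are assumptions made for this example.

```python
import posixpath
from urllib.parse import unquote

# Blocked in the text above: SAP HANA XS and Enterprise Search.
DENY_PREFIXES = ("/sap/hba/", "/sap/es/")

# Assumption for this example: the only prefixes published to internet clients.
ALLOW_PREFIXES = ("/sap/bc/ui5_ui5/", "/sap/opu/odata/", "/sap/public/bc/")

MAX_DECODE_ROUNDS = 3


def canonical_path(request_target):
    """Reduce a request target to the path a back end could resolve it to.

    Raises ValueError for input that should be rejected outright.
    """
    path = request_target.partition("?")[0]  # the query string is not filtered on
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        raise ValueError("path still changes after repeated URL decoding")
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in path):
        raise ValueError("control character in path")
    # Assumption: a back end may accept "\" as a separator and ignore case.
    path = path.replace("\\", "/").lower()
    # normpath collapses "//", "." and ".." so the rules see the final path.
    return posixpath.normpath("/" + path.lstrip("/"))


def _under(path, prefix):
    """True if path is the prefix directory itself or lies below it."""
    return (path + "/").startswith(prefix)


def decide(request_target):
    """Return ("allow" | "deny", reason). Deny rules win; the default is deny."""
    try:
        path = canonical_path(request_target)
    except ValueError as exc:
        return ("deny", f"malformed: {exc}")
    for prefix in DENY_PREFIXES:
        if _under(path, prefix):
            return ("deny", f"blocked prefix {prefix}*")
    for prefix in ALLOW_PREFIXES:
        if _under(path, prefix):
            return ("allow", f"allow-listed prefix {prefix}*")
    return ("deny", "not on the allow-list")


# Constructed regression inputs: two legitimate requests, then blocked paths
# in several equivalent spellings, an unlisted service and a malformed path.
SAMPLE_TARGETS = [
    "/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html",
    "/sap/opu/odata/sap/ZEXAMPLE_SRV/Items?$top=5",
    "/sap/hba/r/x.xsodata",
    "/SAP/ES/ina",
    "/sap/opu/odata/../../hba/r/",
    "/sap/opu/odata/%2e%2e/%2e%2e/es/x",
    "/sap/opu/odata/%252e%252e/%252e%252e/es/x",
    "//sap//hba//apps",
    "/sap/bc/gui/sap/its/webgui",
    "/sap/opu/odata/%00",
]


def audit(targets):
    """Evaluate each target and return (target, verdict, reason) tuples."""
    return [(t, *decide(t)) for t in targets]


if __name__ == "__main__":
    for target, verdict, reason in audit(SAMPLE_TARGETS):
        print(f"{verdict:5}  {target}  ({reason})")
```

    Running the same inputs against the deployed reverse proxy and comparing the responses with these verdicts shows whether its rules canonicalize paths the same way.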

    More Information
    For more information about using multiple network zones, see the following documentation:
    - For SAP NetWeaver 7.31, see the SAP Help Portal at http://help.sap.com/nw731 Security Information Security Guide Network and Communication Security Using Multiple Network Zones.
    - For SAP NetWeaver 7.40, see the SAP Help Portal at http://help.sap.com/nw74 Security Information Security Guide Network and Communication Security Using Multiple Network Zones.

    1.2 Setup of SAP Fiori System Landscape with SAP HANA Database
    In the SAP Fiori system landscape with SAP HANA database, you can use transactional apps and fact sheets.
    Set up the system landscape to enable SAP Fiori before you start to implement an app.
    The apps require front-end components (providing the user interface and the connection to the back end) and back-end components (providing the data). The front-end components and the back-end components are delivered in separate products and have to be installed in a system landscape that is enabled for SAP Fiori.
    The following figure shows the detailed system landscape for SAP Fiori fact sheets.


  • System Landscape for SAP Fiori Fact Sheets

    Components of the System Landscape
    Depending on the system landscape, the following components are used:

    Client
    To be able to run SAP Fiori apps, the runtime environment (such as the browser) of the client must support HTML5.

    SAP Web Dispatcher
    The SAP Fiori apps send requests to several systems, depending on the application type and the connected system landscape.
    SAP Fiori apps are processed as follows: First, the client loads the UIs for the SAP Fiori apps. Second, while running, the app consumes data from the SAP Business Suite back-end systems.
    Standard browsers have a same origin policy, that is, HTTPS requests for the UI data and the back-end data must communicate with just one web address.
    To meet this requirement, a reverse proxy server between the client and the SAP system must be installed. The reverse proxy server acts as the only point of entry for all HTTPS requests. Depending on the requests that the app sends, the reverse proxy server selects the appropriate application server: the ABAP front-end server, the HANA XS Engine, or the SAP NetWeaver Gateway server.

    Note
    We recommend using SAP Web Dispatcher as reverse proxy server.

    ABAP Front-End Server
    The ABAP front-end server contains all the infrastructure components to generate an SAP Fiori app-specific UI for the client and to communicate with the SAP Business Suite back-end systems. The UI components and the gateway are based on SAP NetWeaver. Typically, both are deployed on the same server.
    The central UI component is a framework that provides the common infrastructure for all SAP Fiori apps: SAP Fiori launchpad is the basis of all SAP Fiori UIs, and provides fundamental functions for SAP Fiori apps such as logon, surface sizing, navigation between apps, and role-based app catalogs. End users access the SAP Fiori apps from the SAP Fiori launchpad. The specific UIs for the apps are delivered as SAP Business Suite product-specific UI add-on products, which must be additionally installed on the front-end server.
    SAP NetWeaver Gateway handles the communication between the client and the SAP Business Suite back end. SAP NetWeaver Gateway uses OData services to provide back-end data and functions, and processes HTTPS requests for OData services. The transactional apps, which update data in the SAP Business Suite systems, use this communication channel.

    ABAP Back-End Server
    In the ABAP back-end server, the SAP Business Suite products are installed, which provide the business logic and the back-end data, including users, roles, and authorizations. The add-ons for the SAP Fiori apps are continuously released in Support Packages. The back-end server is based on SAP NetWeaver.

    Database
    SAP HANA is an in-memory database platform that you can use to analyze large volumes of data in real time.

    1.3.1 Deployment Options


  • Deployment of SAP NetWeaver Gateway
    For running SAP Fiori apps, we recommend that you use a Central Hub Deployment of SAP NetWeaver Gateway. This means you install SAP NetWeaver Gateway independent of consumer technologies in a standalone system, either behind or in front of the firewall. You therefore separate back-end components from front-end components.
    We do not recommend the Embedded Deployment option. This document is entirely based on the Central Hub Deployment option.
    For more information about SAP NetWeaver Gateway deployment options for SAP NetWeaver 7.31, see SAP Library for SAP NetWeaver Gateway 2.0 SPS08 on SAP Help Portal at http://help.sap.com/nwgateway20 Installation and Upgrade Information Master Guide SAP NetWeaver Gateway Master Guide Deployment Options/Embedded Versus Hub Deployment.
    For more information about SAP NetWeaver Gateway deployment options for SAP NetWeaver 7.40, see SAP Help Portal at http://help.sap.com/nw74 Application Help Function-Oriented View SAP NetWeaver Gateway Foundation (SAP_GWFND) SAP NetWeaver Gateway Foundation Master Guide Deployment Options.

    Internet-Facing Deployment
    Only transactional SAP Fiori apps can be used externally via the internet. This also applies to mobile devices that are not directly connected to the corporate intranet (in case users are travelling).
    For more information, see Internet-Facing Deployment.

    1.3.2 Pre-Installation
    Before you begin to install the system landscape for SAP Fiori, make sure you have planned the following:

    Network Architecture
    You have to decide in which network zones the components of the SAP Fiori system landscape reside.
    For example, should the clients be able to access the SAP Fiori apps over the Internet, or only within the company's intranet? Is there a DMZ and is the SAP Web Dispatcher (SAP Fiori fact sheets and analytical apps) deployed there? Depending on your network architecture, make sure you have the right security measures in place, such as a secure firewall configuration.

    Certificates for Single Sign-On
    For single sign-on (SSO) using logon tickets, you require an SSL server certificate for each of the components between which you want to use SSO.
    Components can be, depending on your system landscape:
    - SAP Web Dispatcher (SAP Fiori fact sheets and analytical apps)
    - SAP NetWeaver Gateway on front-end server
    - ABAP back-end server (Search in SAP Fiori fact sheets)
    - SAP HANA XS Engine (SAP Fiori analytical apps)

    Note
    Depending on from where you obtain the certificates, it can take several days to get them.

    For more information, see section SAP HANA Authentication and Single Sign-On in the SAP HANA Security Guide at http://help.sap.com/hana_platform Security Information.

    Browser Prerequisites
    SAP Fiori apps require a web browser that can display files in HTML5 format.
    For more information, see Setup of Clients.

    Roles and Authorizations
    You have to decide how to set up the roles and authorizations for the SAP Fiori users. This includes, for example, which user group uses which apps.
    For more information, see section User Management Concept in the generic section App Implementation.

    Operating System Access for SAP HANA Database
    Required if you use SAP Fiori apps that use an SAP HANA database.
    To configure HTTPS and SSO in the SAP HANA database, the administrator requires privileges to access SAP HANA on the operating system level.
    For more information, see section Operating System User adm in the SAP HANA Administration Guide at http://help.sap.com/hana_platform System Administration and Maintenance Information.

    Data Replication
    Required if you use SAP Fiori analytical apps that use SAP HANA in a side-by-side scenario alongside any database that contains the SAP Business Suite data.
    Make sure that data replication between the database that contains the SAP Business Suite data and SAP HANA is configured.
    For more information, see section Replicate Data in the SAP HANA Live Administration Guide at http://help.sap.com/hba Installation, Security, Configuration, and Operations Information.


  • 1.3.3 Installation
    This document covers the general steps to take when installing SAP Fiori apps. Where necessary, these instructions refer to app-specific documentation.

    System Landscape
    According to the type of app you want to use, the system landscape for SAP Fiori apps consists of different components for the front end and the back end. For more information, see Setup of SAP Fiori System Landscape with SAP HANA Database.
    For the installation of SAP NetWeaver Gateway, SAP recommends using the Central Hub Deployment option, which means that you separate business content from front-end content. You therefore have to install components on a back-end server and a front-end server. For more information, see Deployment Options.

    Prerequisites
    The following software versions are required:

    | Software | Minimum Release Required | Details |
    | --- | --- | --- |
    | Database | anyDB (transactional apps, only) | See the installation guide for the respective SAP Business Suite product release. |
    | | HANA 1.0 SPS 07 Revision 74 | See the documentation for SAP HANA Platform at http://help.sap.com/hana_platform Installation and Upgrade Information SAP HANA Server Installation Guide. |
    | SAP NetWeaver | Back-End Server: SAP NetWeaver 7.40 SPS 06. Front-End Server: SAP NetWeaver 7.40 SPS 05 or SAP NetWeaver 7.31 SPS 05 or higher (recommended minimum SPS 08) | See the documentation for SAP NetWeaver 7.31 at http://help.sap.com/nw731 Installation and Upgrade Information Installation Guide. See the documentation for SAP NetWeaver 7.40 at http://help.sap.com/nw74 Installation and Upgrade Information Installation Guide. |
    | Respective Business Suite product | Back-End Server: SAP enhancement package 7 for SAP ERP 6.0 SPS 04 (EHP7 FOR SAP ERP 6.0) | See the documentation at http://help.sap.com/erp607 Installation and Upgrade Information Installation Guide. |
    | | Back-End Server: SAP enhancement package 3 for SAP Supply Chain Management 7.0 SPS 04 (EHP3 FOR SAP SCM 7.0) | See the documentation at http://help.sap.com/scm703 Installation and Upgrade Information Installation Guide. |
    | | Back-End Server: SAP enhancement package 3 for SAP APO 7.0 for enhancement package 7 for SAP ERP 6.0 SPS04 (APO 7.0 EHP3 ON ERP 6.0 EHP7) | See the documentation at http://help.sap.com/apo Installation and Upgrade Information Installation and Upgrade Note. |
    | | Back-End Server: SAP enhancement package 3 for SAP CRM 7.0 SPS 04 (EHP3 FOR SAP CRM 7.0) | See the documentation at http://help.sap.com/crm703 Installation and Upgrade Information Installation Guide. |
    | | Back-End Server: SAP enhancement package 3 for SAP Supplier Relationship Management 7.0 SPS 04 (EHP3 FOR SAP SRM 7.0) | See the documentation at http://help.sap.com/srm703 Installation and Upgrade Information Installation Guide. |
    | | Back-End Server: SAP Portfolio and Project Management 6.0 SPS 03 (SAP PPIM 6.0) | See the documentation at http://help.sap.com/ppm Installation and Upgrade Information Master Guide. |
    | | Back-End Server: SAP Access Control 10.1 SPS 05 (SAP GRC ACCESS CONTROL 10.1) | See the documentation at http://help.sap.com/grc-ac Installation and Migration Information Installation Guide. |
    | | Back-End Server: SAP Environment, Health, and Safety Management Extension 5.0 (SAP EHS MGMT. EXTENSION 5.0) | See the documentation at http://help.sap.com/ehs-comp Installation and Upgrade Information Installation Note. |
    | | Back-End Server: SAP Customer Engagement Intelligence 1.1 SPS03 (SAP CUSTOMER ENGAGEMENT INTEL 1.1) | See the documentation at http://help.sap.com/cei Installation and Upgrade Information Installation Guide. |
    | | Back-End Server: SAP Master Data Governance 7.0 SPS02 (SAP MASTER DATA GOVERNANCE 7.0) | See the documentation at http://help.sap.com/mdg70 Installation and Upgrade Information Installation Guide. |
    | | Back-End Server: Smart Financials 1.0 SPS01 (SAP SFINANCIALS 1.0) | See the documentation at http://help.sap.com/sfin100 Installation and Upgrade Information Administrator's Guide. |


  • Installation Tasks
    The table lists the installation tasks required for SAP Fiori apps:

    | Step | Task | Details | Relevant for |
    | --- | --- | --- | --- |
    | 1 | Front-End Server: Install the required components. | See Setup of Front-End Server. | Transactional apps and fact sheets |
    | 2 | Install SAP Web Dispatcher 7.40 or any other reverse proxy. | See Installation of SAP Web Dispatcher. | Fact sheets |
    | 3 | Front-End Server and Back-End Server: Install the required SAP Notes. | See Installation of SAP Notes (Transactional Apps, Fact Sheets). | Transactional apps and fact sheets |
    | 4 | Client: Set up the client. | See Setup of Clients. | Transactional apps and fact sheets |

    Installation Tool
    We recommend that you use Software Update Manager in combination with Maintenance Optimizer t