This post explains technically and functionally how to configure the connector for SAP Multi-Bank Connectivity for SWIFT messages and Bank Statements step by step.
What is SAP Multi-Bank Connectivity?
SAP Multi-Bank Connectivity is a connectivity solution which enables banks and their corporate customers to exchange messages. To use this solution, the bank’s corporate customers must use the connector for SAP Multi-Bank Connectivity.
You can send payment messages to the bank automatically via SAP Multi-Bank Connectivity. In response, the connector receives bank messages, such as payment status reports and bank statements, through SAP Multi-Bank Connectivity, and then automatically processes them. The connector doesn’t modify the payload of the messages.
Make the relevant settings described below to configure SAP Multi-Bank Connectivity for SWIFT.
Configure STRUST for Transport Level Security (TLS)
You require a Personal Security Environment (PSE) to configure the SSL Client Standard key on your ERP system. This PSE/key holds, on the ERP system, the certificates needed for Transport Level Security (TLS) between the ERP system and SAP Multi-Bank Connectivity.
In the case of SAP S/4HANA Cloud systems, SAP performs this configuration. In other cases, you perform this configuration yourself in transaction code STRUST.
Send SSL Client Public Certificate to SAP Multi-Bank Connectivity Team
To exchange messages with SAP Multi-Bank Connectivity, each organization must provide the SAP Onboarding team with a certificate that is signed by an SAP trusted certificate authority (CA).
Export certificates
To export the certificates perform the following steps:
- Execute transaction code STRUST.
- Expand SSL Client (Standard) and double-click the relevant PSE.
- To maintain the PSE, switch to the change mode.
- To display the details under the Certificate section, in the Own Certificate section, double-click the Subject.
- Choose Export Certificate.
E-mail the certificates to the SAP Multi-Bank Connectivity Onboarding team
- E-mail the public certificates to the SAP Multi-Bank Connectivity Onboarding team.
- State whether the certificate is for your test or production SAP Multi-Bank Connectivity tenant.
Configure SSL Client Standard PSE
Import the root certificate authority (CA) and intermediate certificate of the SAP Multi-Bank Connectivity load balancers to your test and production landscapes.
- Download the root CA and intermediate certificate file from here.
- Extract the certificates from the zip file to your local system.
- Execute transaction code STRUST and navigate to SSL Client (Standard). Double-click the relevant PSE.
- To maintain the PSE, switch to the change mode.
- Choose Import Certificate and enter or select the path to the certificates and press Enter.
- The certificate is imported with all its details under Certificate.
- To add the imported certificate to the Certificate List of the SSL client standard PSE, choose Add to Certificate List and Save.
Note: If you have more than one SAP certificate, repeat the steps to install all your SAP certificates. It’s necessary to perform these steps on all your systems that integrate with SAP Multi-Bank Connectivity, such as development, test, staging, and production.
Configure connectivity between an ERP system and SAP Multi-Bank Connectivity tenant
You can use two connectivity channels:
- HTTP connectivity (recommended by SAP)
- XI engine
To configure the XI engine, follow the SAP documentation.
Configure HTTP Connectivity
Set Up RFC Destinations
- Execute transaction code SM59 or go to SAP Menu > Tools > Administration > Administration > Network > RFC Destinations.
- Configure the following four RFC connections:
Note: Perform a connection test. HTTP 500 is the expected result. If you get a CONNECTION REFUSED error, check and adjust your network settings.
Routing Settings
Execute transaction code SPRO. In the IMG, choose Multi-Bank Connectivity Connector > Maintain Routing Settings and enter the following values:
Pull Type Settings
Execute transaction code SPRO. In the IMG, choose Multi-Bank Connectivity Connector > Maintain Pull Types and enter the following values:
Configure Secure Store and Forward (SSFA) parameters
- Execute transaction code SSFA.
- In the Change View Application section, under Specific SSF Parameters, choose the Overview screen, and choose New Entries.
- In the New Entries Details field, enter BSNAGT and choose Enter.
- In the New Entries field, enter:
- CN: <SYSID> SSF BSNAGT
- OU: <Installation Number>, SAP Web AS
- O: SAP Trust Community
- C: DE
- For HASH Algorithm, enter SHA256.
- For Encryption Algorithm, enter AES128-CBC.
- Select the Include certificates checkbox.
- Select the Digital signature with data checkbox.
- Choose Save.
Note: Consult the SAP Multi-Bank Connectivity Onboarding team for the exact parameters to configure in your case.
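What the SSFA values above correspond to on the wire, shown with OpenSSL's `cms` command as an added illustration (not SAP's SSF library and not part of the original post). It assumes the PKCS#7/CMS format and a sign-then-encrypt order; the identities `erp`, `mbc` and `other`, the payload and the function name `mls_roundtrip` are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added illustration: SHA256 + AES128-CBC + embedded certificate + embedded data,
# expressed as OpenSSL CMS operations. Assumption: PKCS#7/CMS, sign then encrypt.

mls_roundtrip() {   # usage: mls_roundtrip <key pair used to decrypt: mbc|other>
    local d who
    d=$(mktemp -d) || return 1
    # Constructed throwaway identities: "erp" stands in for the SSF BSNAGT PSE,
    # "mbc" for the SAP Multi-Bank Connectivity key, "other" for a wrong key.
    for who in erp mbc other; do
        openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 1 -subj "/CN=$who" \
            -keyout "$d/$who.key" -out "$d/$who.crt" 2>/dev/null || return 1
    done
    printf '<Document>constructed payload</Document>' > "$d/msg.xml"

    # Sender: SHA-256 signature; -nodetach embeds the data ("Digital signature
    # with data"); the signer certificate is embedded by default ("Include certificates").
    openssl cms -sign -binary -nodetach -md sha256 -signer "$d/erp.crt" \
        -inkey "$d/erp.key" -in "$d/msg.xml" -outform DER -out "$d/signed.p7" || return 1
    # Sender: envelope the signed blob for the recipient with AES128-CBC.
    openssl cms -encrypt -binary -aes-128-cbc -in "$d/signed.p7" \
        -outform DER -out "$d/enveloped.p7" "$d/mbc.crt" || return 1

    # Receiver: decrypt with the named key pair. A pair the message was not
    # encrypted for has no matching recipient entry, so decryption fails here.
    openssl cms -decrypt -binary -inform DER -in "$d/enveloped.p7" \
        -recip "$d/$1.crt" -inkey "$d/$1.key" -out "$d/inner.p7" 2>/dev/null || {
        echo "decrypt failed for key '$1'"; return 2; }
    # Receiver: verify the signature against the sender certificate that was
    # exchanged beforehand, then confirm the payload came through unchanged.
    openssl cms -verify -binary -inform DER -in "$d/inner.p7" \
        -CAfile "$d/erp.crt" -out "$d/out.xml" 2>/dev/null || return 3
    cmp -s "$d/msg.xml" "$d/out.xml"
}
```

`mls_roundtrip mbc` returns 0; `mls_roundtrip other` returns 2, which is the situation where the receiving side holds a key that does not match the certificate the sender encrypted for.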
Configure STRUST for Message Level Security (MLS)
Set up SSF BSNAGT PSE, which is the key store in STRUST that hosts the customer private key for MLS, and the shared SAP Multi-Bank Connectivity public key.
- Execute transaction code STRUST.
- Under System PSE, open the context menu of SSF BSNAGT, select SSF BSNAGT, and choose Create.
- Change the Signature Algorithm to RSA with SHA-256.
- Set the Key Length to 2048.
- Choose Save.
- Navigate to the PSE for SSF BSNAGT and open it by double-clicking it.
- To edit, press Ctrl + F1 on your keyboard.
- To display the certificate, double-click the subject of the Own Certificate.
- Choose Export certificate.
- Send the BSNAGT certificate to the SAP Multi-Bank Connectivity Onboarding team. In the e-mail, state the tenant (test or production) for your certificates.
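A pre-flight check worth running on the exported BSNAGT certificate before e-mailing it, as an added example (not part of the original post and not an SAP tool). It assumes the certificate was exported in Base64 (PEM) format and that `openssl` is available; `check_bsnagt_cert` and `make_sample_cert` are hypothetical helper names, and the sample subject values are constructed.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check for a certificate exported from STRUST.
# Assumption: Base64 (PEM) export. Helper names are hypothetical.

check_bsnagt_cert() {   # usage: check_bsnagt_cert <exported certificate file>
    local cert="$1" text subject
    # Only the public certificate may leave the system: refuse files carrying key material.
    if grep -q 'PRIVATE KEY' "$cert"; then
        echo "FAIL: file contains a private key"; return 1
    fi
    # A truncated or binary (DER) export fails to parse here.
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || {
        echo "FAIL: not a PEM certificate"; return 1; }
    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253)
    # CN must follow the "<SYSID> SSF BSNAGT" pattern entered in SSFA.
    printf '%s\n' "$subject" | grep -q 'CN=[^,]* SSF BSNAGT' || {
        echo "FAIL: unexpected subject: $subject"; return 1; }
    # Key length and signature algorithm chosen when the PSE was created.
    printf '%s\n' "$text" | grep -q 'Public-Key: (2048 bit)' || {
        echo "FAIL: key is not RSA 2048"; return 1; }
    printf '%s\n' "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' || {
        echo "FAIL: signature is not RSA with SHA-256"; return 1; }
    # -checkend 0 exits non-zero if the certificate has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || {
        echo "FAIL: certificate has expired"; return 1; }
    # Fingerprint to confirm with the recipient over a channel other than e-mail.
    openssl x509 -in "$cert" -noout -fingerprint -sha256
}

# Constructed sample input: a throwaway self-signed certificate (and key) whose
# subject mimics the SSFA entry; the SYSID and the OU number are made up.
make_sample_cert() {   # usage: make_sample_cert <cn> <outdir>
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 30 \
        -subj "/C=DE/O=SAP Trust Community/OU=0000000000, SAP Web AS/CN=$1" \
        -keyout "$2/key.pem" -out "$2/cert.pem" 2>/dev/null
}

if [ "$#" -eq 1 ]; then check_bsnagt_cert "$1"; fi
```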
Install MLS Certificate
- Execute transaction code STRUST.
- To add the certificate to the Certificate List of the SSF BSNAGT PSE, choose Import Certificate, select the certificate file, and choose Upload.
- Choose Add to Certificate List.
- Choose Save.
- Select the imported certificate and copy the Subject to a temporary text file.
- To restart ICM, execute transaction code SMICM.
Note: This step is necessary on any system that integrates to SAP Multi-Bank Connectivity.
Troubleshooting issues during SAP Multi-Bank Connectivity configuration
This section offers guidance for commonly observed issues during SAP Multi-Bank Connectivity configuration. If you see any of the following error messages, check the questions and answers below.
- An internal server error occured: The MPL ID for the failed message is…
- Error during receiving HTTP API response (SSL handshake …)
- HTTP status 500 received during HTTP API call
- Error while sending message
- Error while decrypting data SSF error: Decoding is not possible
- No profile found for Sender/Receiver ID
You cannot verify the connectivity on RFC destination in SM59
SAP Multi-Bank Connectivity for SWIFT and Bank Statements requires the creation of three RFC destinations on the ERP system, as described in this post. As part of the configuration, run a connectivity test on each destination. If the result of the connectivity test is not an HTTP: 500 Response, see the following:
- HTTP: 401 Response – This indicates that the client certificate of the ERP system is not authorized on SAP Multi-Bank Connectivity. Ensure that the RFC destination references the SSL Client Standard / DFAULT key store. See the Set Up RFC Destinations section.
- After verifying, and if the issue persists, contact your appointed SAP Multi-Bank Connectivity Onboarding team member to validate that the ERP system SSL certificates are maintained correctly in SAP Multi-Bank Connectivity.
- HTTP: 403 / 404 Response – This indicates that the endpoint provided by SAP Multi-Bank Connectivity has been incorrectly configured in the system. Ensure that you have correctly entered the URL received from SAP Multi-Bank Connectivity. Check the configuration steps for creating the RFC. See the Set Up RFC Destinations section.
- If the issue persists, contact your appointed SAP Multi-Bank Connectivity Onboarding team member to validate the address.
You receive a “No Concatenated Concept Exists” error when you send a payment run or receive Pull MBC Message data
You configured the XI engine connection channel, and the Associated Integration Server parameter is not set correctly.
See Specifying the Associated Integration Server and ensure that the SAP Multi-Bank Connectivity Payment destination is set correctly in the Associated Integration Server field.
You receive data, but the system cannot decrypt the data
If you get the “Error while decrypting data SSF error: Decoding is not possible” error message, the necessary SSFA settings have not been entered correctly.
- See the Maintain Secure Store and Forward (SSF) Profile Data section in the Subscriber Content.
- Ask your bank to resend the data. If issues persist, contact your appointed SAP Multi-Bank Connectivity Onboarding team representative.
Short dump when sending message via HTTP API in SAP Multi-Bank Connectivity
When sending a message via HTTP API from Connector Monitor, a short dump occurs.
Implement SAP Note 3264835 directly.
No profile found for Sender/Receiver ID
If you get the “No profile found for Sender/Receiver ID” error message, ensure that you configured Maintain Secure Store and Forward (SSF) Profile Data correctly and maintained the SWIFT parameters as described in each section in the Subscriber Content.
Any other issue?
Leave your comments or questions below.