SAP Community - SAP BTP, Kyma runtime

Trustable AI thanks to - SAP AI Core & SAP HANA Cloud & SAP S/4HANA & Enterprise Blockchain 🚀

2024-04-11T12:51:09.466000+02:00

This blog is the seventh in the series and discusses what AI and and SAP and Enterprise Blockchain are, why they are so important for each other, and then takes a deep dive in to the SAP product oriented reference architecture of how to implement SAP AI Core and S/4HANA and Enterprise Blochchain.

What will it take to make AI trustable ?

tl:dr

SAP Artificial Intelligence SAP AI Core SAP HANA Cloud SAP S4HANA Enterprise Blockchain - atkrypto.io

Enterprise Blockchain is the Cyber Security for Enterprise AI. 🚀

This blog introduces the Enterprise Blockchain Wallet and Off-Chain data storage and demonstrates why it is so special and important for protecting the trustworthiness and reliability and integrity and originality of information and data, be patient and read on because the Enterprise Blockchain Wallet is something very special and enables us to protect large and unstructured data very simply and effectively and is one of the biggest reasons why an Enterprise Blockchain Database is so suited to protecting data for AI operations

The blog is going to break the subject down in to three sections:

Section 1.0: The What is it of SAP AI, and Enterprise Blockchain

Section 2.0: The Why is it, of SAP AI, and Enterprise Blockchain

Section 3.0: The How is it, of SAP AI, and Enterprise Blockchain

A huge amount has been written about both Artificial Intelligence and Enterprise Blockchain and there is no point to repeat everything here, so we will talk briefly about the subjects and then point to very useful resources for further reading, and focus our attention on why Enterprise Blockchain makes Artificial Intelligence trustable, and how to do it.

Section 1.0: The What is of SAP AI, and Enterprise Blockchain

What is Artificial Intelligence ?

What is the History of AI ?

and SAP has an amazing AI powered product roadmap, taking the product portfolio...

. from a System of Record

. through being a System of Engagement

. to being a System of Intelligence

What AI can do for the Enterprise, and where AI is going, massive opportunities are coming along, and it is happening all around us as we speak, this technology revolution is not on presentations, it is real and we can implement it and benefit from it right now, today. SAP's AI capabilities are growing by the day:

Like everything else we do in Enterprise IT,

AI is about Data

What is Enterprise Blockchain ?

Enterprise Blockchain is both:

. a Secure Store

. a Secure Communication Channel

McKinsey & Company, in their December 2023 Featured Insights Publication, gave a beautiful description of what is unique and special about Blockchain, "Blockchain is a secure database shared across a network of participants, where up-to-date information is available to all participants at the same time". If we just pause for a moment and let that sink in, and think about what that means, to Business Processes, to Collaboration, to System Resilience, we start to see what is so special about Blockchain Databases and Distributed Ledger Technology.

In these previous blogs, I made a deep dive in to what Enterprise Blockchain is and why we should be positioning it in our Enterprise Architecture:

Why I love SAP and Blockchain Databases and why you should too 🚀

SAP Enterprise Architecture: Positioning Blockchain Database as an Enterprise Technology Standard 🚀

SAP Enterprise Architecture: Let the Use Case find the Blockchain🚀

and in a nutshell, Enterprise Blockchain is:

. The Digital Transformation of Information Security

. The Next Generation Data Integrity, Originality, Confidentiality Protection

. Re-imagining Information Security

. Natively, out of the box, due to its special characteristics the strongest, hardest, most resilient Enterprise Database product

To wrap up this section:

. AI is about Data

. Enterprise Blockchain is about Security of Data

Section 2.0: The Why is it, of SAP AI, and Enterprise Blockchain

SAP say it themselves, building trust in AI, means the AI has to be:

. Relevant

. Reliable

. Responsible

What is AI's biggest risk ?

AI's biggest risk is that the Data behind the AI is not trustworthy. In the same way as asking the wrong person for directions can leave you going all around the houses, if the Data behind the AI, and this means the Models as well, has been changed/contaminated/modified/poluted/made unreliable, whether purposefully through malicious acts or cyber attack, or accidentally, the result will be AI insights which cannot be trusted, and the result of that could be catastrophic.

Gartner remind us of this, when they describe the 4 key initiatives to get your Enterprise AI ready, and number 2 is AI Cyber Security:

AI is about the Data

So, if we are going to do AI, then we need to care for and protect the Data that the AI is using.

Imagine, as described in the previous blog, when we let the Use Case find the Enterprise Blockchain, we have a Business Requirement, a Business Demand, to make AI trustable to make AI achieve as SAP put it, the three R's, Relevant, Reliable, Responsible:

In the US, NIST, the National Institute of Standards & Technology have a whole section dedicated to AI and risks with AI. The biggest risk to AI is the trustworthiness of the data:

When we look in our Enterprise Technology Standards, and we look for the Technology Standard in our Enterprise Portfolio which is positioned to bring the strongest protection to Data, we find the Enterprise Blockchain.

Comparison Enterprise Blockchain Database and Traditional Legacy Database - atkrypto.io

In the previous blogs, we have discussed in detail about the special characteristics of Enterprise Blockchain and just why it natively out of the box protects the integrity of data to a level that legacy database products cannot do, in a nutshell....

AI is about Data

AI is about the Data that goes in to the AI engine

This means AI depends on a Database or a Datastore

What kind of Database does AI need ? What capabilities does the Database for the AI Data need to have ?

1. It must not be possible to modify the Data in the Database which feeds the AI - the Database needs to be immutable

2. The Data in the Database, the integrity and originality of that Data must be protected to the highest level that is technically possible

3. The Data must be available with the highest availability, the Database must be resilient to attack

When we look in our Enterprise Technology Standards we find 1 Technology Standard in the Enterprise which has those capabilities, and that is..... Enterprise Blockchain

Enterprise Blockchain ticks those three boxes...

✅Immutable - tick that box

✅Integrity must be protected to the highest level - tick that box, thanks to the Enterprise Blockchain Hash Mechanism and the Enterprise Blockchain Consensus Mechanism

✅Highest level of resilience and availability - tick that box thanks to the Distributed and Decentralised nature of the Enterprise Blockchain

This is why, Enterprise Blockchain is the enabler of trustable outcomes from Enterprise AI.

atkrypto.io what is a blockchain

But there's more than that, AI, and especially during the AI Training, AI needs a lot of data, and that's why SAP AI Core uses SAP HANA Cloud (Data Lake) as the Data Source, because the volumes of data for training are big.

And this is why, in this blog we take the Enterprise Blockchain Technology story one level further and we introduce the:

Enterprise Blockchain Wallet

Off-Chain Data Storage

In the Enterprise Blockchain Platforms, the Enterprise Blockchain Wallet is used for Off-Chain storage of big data and in the following paragraphs we will explain why.

What is the Enterprise Blockchain Wallet, and what is Off-Chain Data Storage and why would we use them and why do we need them ?

As we have explained in a previous blog, the Enterprise Blockchain Database, the Distributed Ledger, can be looked at simply as a Database Table (which is replicated and synchronised across multiple Servers) and in principle it stores the Data like this:

Blockchain is a very simple form of database atkrypto.io

This is fine, and suited to what we call Structured Data, and as AWS nicely describe, Structured Data is information like words and numbers. This kind of data is perfectly suited to being stored in an Enterprise Blockchain Database and also a legacy Database. Examples of the data would Names, Addresses, Phone Numbers, Product Information etc.

But, AI Artificial Intelligence software, especially during the Learning requires large quantities of this information, this data, and in SAP AI Core the volumes, the amounts of data which are required for AI Learning are so big, and are often stored in what's called CSV, Comma Separated Values files, and these CSV files will are too big to be stored on the Enterprise Blockchain Database itself, and they are too big to be stored in a Legacy Database.

So, if we can't store the large CSV file in Enterprise Blockchain Database, then how, in an Enterprise Blockchain Platform do we store large files of Data ?

Voila.... bring in the Enterprise Blockchain Platform Wallet. The best Enterprise Blockchain Platform products include what is called the Enterprise Blockchain Platform Wallet, or to make it shorter, the Enterprise Blockchain Wallet.

The Enterprise Blockchain Wallet enables us to store large Data, like large Files safely and securely off the chain, or 'Off-Chain'.

But if we store the large Data files Off-Chain in the Enterprise Blockchain Wallet, then how do we also have them some how on the Enterprise Blockchain Database ?

The way this works is elegant, in any decent Enterprise Blockchain Platform, the Enterprise Blockchain Wallet location is completely configurable, and could be anywhere from SAP HANA Cloud (Data Lake), or for example multiple hyperscaler object stores, such as Amazon S3, OSS (Alicloud Object Storage
Service), SAP HANA Cloud, Data Lake, and Azure Blob Storage.

The configurable Enterprise Blockchain Wallet of the Enterprise Blockchain Platform looks like this:

Enterprise Blockchain Platform - Enterprise Blockchain Wallets - Configurable Enterprise Wallets - atkrypto.io

Ok, so we've got the AI Data stored in the (configurable) Enterprise Blockchain Wallet, but what about securing the AI Data ? Obviously the Enterprise Blockchain Wallet storage location has built in security, for example the SAP HANA Cloud, the AWS S3 Buckets, but we need more than the out of the box security of these products, the reason we are using the Enterprise Blockchain Database is because of the amazing security strengths that it natively out of the box has, and so, what about the Enterprise Blockchain Wallet, doesn't the Enterprise Blockchain Platform have some cool super hard way of protecting the data in the Enterprise Blockchain Wallet ?

Well yes it does, this is the magic of Enterprise Blockchain Database 'Off-Chain' storage in the Enterprise Blockchain Wallet. This is so unique to Blockchain Technologies.

What happens is this, when store data in the Enterprise Blockchain Wallet, the Enterprise Blockchain Platform software runs a hash algorithm over the data that we have stored and the data, and the large file gets hashed:

The data or the file in the Enterprise Blockchain Wallet gets hashed, and then, that hash is stored in the Enterprise Blockchain Database.

This means we now have a unique hash of that data or file, and if anybody or anything makes even the tiniest teeniest change to that data or file, next time we run a hash over that data or file the result will be different that the original hash which is safely stored in the Enterprise Blockchain Database and this is how we will know that the data has been changed and we cannot trust the Data and therefore we cannot use it for our Enterprise AI.

On the other hand, if just before we load the data in to the Enterprise AI from the Enterprise Blockchain Wallet, if we run a hash over the data and the hash result is the same as we have in the Enterprise Blockchain Database, then we will know we can trust the Data and we can use it in our AI and we will have trustable AI.

Enterprise Blockchain Wallet Data Hashes Stored in the Enterprise Blockchain Database - atkrypto.io

And this is why, for all of these reasons,

Trustable Enterprise AI depends on Data being stored in the Enterprise Blockchain

Outlier Ventures, in their AI Thesis, very nicely show how Enterprise Blockchain & Artificial Intelligence together solves the risks associated with AI alone:

To conclude this section, the Why to, of Artificial Intelligence and Enterprise Blockchain, Artificial Intelligence needs to be Reliable, Relevant, Responsible, for it to be Trustable.

Enterprise Blockchain, due to its native super strong security strength when used as a store of Data and Models for AI, enables AI to be Trustable.

Section 3.0: The How is it, of SAP AI, and Enterprise Blockchain

Now that we know why trustable Enterprise AI needs the Enterprise Blockchain Database to protect the integrity and originality of the Data and Models, how do we implement it today ?

Well that's easy, here are the ingredients and the recipe 😄

Ingredients, you're going to need:

Data Source(s) eg

S/4HANA and others

Enterprise AI Product

SAP AI Core

SAP AI Launchpad

Large Storage for Large Data and the Enterprise Blockchain Wallet

SAP HANA Cloud (Data Lake)

Enterprise Blockchain Platform

These are the basic ingredients, the data from the S/4HANA will be stored in the SAP HANA Cloud (Data Lake) which will also be the Enterprise Blockchain Platform (configurable) Wallet, the Enterprise Blockchain Platform, and then SAP AI Core to read the Data from the (SAP HANA Cloud - Data Lake) Enterprise Blockchain Platform Wallet and process it through Enterprise AI and turn it in to insights through the SAP AI Launchpad.

And your Technical Reference Architecture will look something like this:

SAP AI Core SAP S4HANA SAP AI Launchpad SAP HANA Cloud Data Lake Enterprise Blockchain Protection - atkrypto.io

And that's how you do it.

Wrapping up, conclusions:

. Trustable Enterprise AI depends on Data being stored in the Enterprise Blockchain

Enterprise Blockchain is:

. The Digital Transformation of Information Security

. The Next Generation Data Integrity, Originality, Confidentiality Protection

. Re-imagining Information Security

. Natively, out of the box, due to its special characteristics the strongest, hardest, most resilient Enterprise Database product

Enterprise Blockchain is both:

. a Secure Store

. a Secure Communication Channel

The configurable Enterprise Blockchain Wallet enables you to store Big Data 'Off-Chain' and the hashes of the Big Data are stored safely and securely on the Enterprise Blockchain Database.

The good news is, as we discussed in the previous blog, this is no longer hype, we can do all of this today, and now, within the SAP Partner Edge Open EcoSystem there are enabling technology Blockchain Products designed and built by SAP Experts specifically for the needs of SAP Customers to make doing Blockchain and SAP easy, and so you can do SAP and Blockchain, today it's real and there's nothing stopping you.

So what are we waiting for ? Oh yeah, more use cases, ok, that will be the next blog.

What do you think, are the words AI, Blockchain, Web3, Distributed Ledger Technology, starting to appear in your Company's visions and technology visions ? What use cases are you looking at ? Let's chat about it in the comments.

For now, over and out.

Andy Silvey.

Independent SAP Technical Architect and CEO of atkrypto.io

Author Bio:

Andy Silvey is a 25 years SAP Technology veteran [15 years SAP Basis and 10 years SAP Tech Arch including Tech, Integration, Security, Data from 3.1H to S/4HANA PCE on RISE and the BTP and everything in between, and former SCN Moderator and Mentor alumni].

Andy is also co-Founder of atkrypto inc, an startup whose ambition is to make Blockchain easy for Enterprise.

atkrypto.io's flagship product is the atkrypto Enterprise Blockchain Platform for SAP, and atkrypto.io is a SAP Partner Edge Open EcoSystem Partner.

The atkrypto Enterprise Blockchain Platform for SAP has been designed by SAP Independent Experts for the needs of SAP Customers and to be deployed on the SAP BTP Kyma Runtime Service and leverage native integration to SAP Products.

atkrypto Enterprise Blockchain Platform for SAP has a number of unique qualities, including being the only Blockchain software in the world which has a DataCenter version and a light mobile version which can run on Edge/IoT/Mobile devices and enables data to be written to the Blockchain at the Edge where that same Blockchain is running on a Server in the DataCenter, protecting the integrity and originality of data from the Edge to Insights. Taking Blockchain to the Data at the Edge instead of taking the Data to the Blockchain.

Kyma Integration with SAP Cloud Logging. Part 2: Let's ship some traces

2024-04-19T10:59:02.498000+02:00

In the first blog post of this three-part series, we talked about:

What is SAP Cloud Logging?
How to integrate it with Kyma runtime?
How to ship logs?

In this blog, we will explore:

Shipping traces from Kyma runtime to SAP Cloud Logging.
Using SAP Cloud Logging dashboard to view and leverage traces.

What is distributed tracing?

Distributed tracing is a method used to monitor and profile applications that span multiple services or components. It provides a detailed view of the flow of requests as they traverse through various parts of a distributed system. By capturing and correlating information about each request, distributed tracing enables developers and operators to understand the performance characteristics, latency bottlenecks, and dependencies within their systems.

Shipping traces from Kyma runtime to SAP Cloud Logging

SAP Cloud Logging based on OpenSearch supports ingestion of traces when having the OTLP ingestion mode enabled. It provides pre-integrated dashboards to introspect them easily.

The goal of the next steps is to establish a cluster-central gateway using the Kyma Telemetry module being connected to Cloud Logging.

Additionally, we enable Istio to propagate trace context for every incoming request and emit trace data to the central gateway. Also, we enable our application to instrument and emit trace data to the gateway.

Prerequisites

Steps

Configure Trace pipeline.

You must tell Kyma to ship the generated traces to the SAP Cloud Logging instance. This is done by creating a Trace pipeline. If you followed steps in the previous blog post, then you can simply run the following command, else adjust the name for secretKeyRef accordingly.

kubectl apply -f https://raw.githubusercontent.com/SAP-samples/kyma-runtime-extension-samples/main/sap-cloud-logging/k8s/tracing/traces-pipeline.yaml

For reference, this is what the TracePipeline looks like:

apiVersion: telemetry.kyma-project.io/v1alpha1
kind: TracePipeline
metadata:
  name: my-cls-trace-pipeline
spec:
  output:
    otlp:
      endpoint:
        valueFrom:
          secretKeyRef:
            name: my-cls-binding
            namespace: cls
            key: ingest-otlp-endpoint
      tls:
        cert:
          valueFrom:
            secretKeyRef:
              name: my-cls-binding
              namespace: cls
              key: ingest-otlp-cert
        key:
          valueFrom:
            secretKeyRef:
              name: my-cls-binding
              namespace: cls
              key: ingest-otlp-key

To learn more about TracePipeline and possible configuration options, check the resource documentation.

Next, you enable mesh level configuration using Istio Telemetry resource.

kubectl apply -f https://raw.githubusercontent.com/SAP-samples/kyma-runtime-extension-samples/main/sap-cloud-logging/k8s/tracing/trace-istio-telemetry.yaml

For reference, this is how the default telemetry configuration looks like:

apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
  name: tracing-default
  namespace: istio-system
spec:
  tracing:
  - providers:
    - name: "kyma-traces"
    randomSamplingPercentage: 1.0

You can learn more about various options in the standard Istio documentation.

With this configuration, you enable tracing 1.0% of all requests that enter the Kyma runtime via Istio Service mesh. To optimize resource and network usage, it is important to set the sampling percentage value to a sensible default.

To understand how tracing is implemented in Kyma and what its architecture looks like, check the Kyma documentation.

NOTE: This would require an SAP Cloud Logging service instance. To find out how to create it, read the first blog post.

Viewing the traces

You can access the SAP Cloud Logging instance dashboard. The access details are available in the Secret generated by the service binding.

Next, to access the traces, you can navigate to:

Observability --> Trace Analytics --> Traces

You can also use various filter criteria to narrow down to the trace you are particularly interested in. The simplest one to use is the Service Name. It is the name of the Kubernetes Service which is associated with your microservice or function.

In case the response contains a request ID, you can always use it to find the corresponding Trace ID from the logs and use that as filter criteria.

This is particularly useful if you have enabled 100% tracing and want to troubleshoot a specific request.

Here is an example of using the request-id for a CAP application.

Examples

Here are some examples of how traces look for various scenarios:

A function calling an upstream microservice:

I would like to point out that Kyma serverless does the additional instrumentation of your function code for tracing, and the same is visible in the spans generated.

One microservice calling another upstream microservice:

A multi-tenant JavaScript CAP application:

CAP JavaScript supports instrumentation. You just need to add the following NPM packages to your CAP project, provided by SAP and open telemetry.

{
  "dependencies": {
    "@cap-js/telemetry": "^0.1.0",
    "@grpc/grpc-js": "^1.10.3",
    "@opentelemetry/exporter-metrics-otlp-grpc": "^0.49.1",
    "@opentelemetry/exporter-trace-otlp-grpc": "^0.49.1",
    .....
  }
}

You can learn more about cap-js/telemetry in npm package documentation as well as GitHub repository.

Instrumentation

As mentioned in the previous example, you can use the npm package cap-js/telemetry for a JavaScript-based CAP application. For other technologies, consider using the SDKs provided by OpenTelemetry.

Cloud Native Buildpacks + Java

If you are using cloud native buildpacks, then you can also consider enabling OpenTelemetry while building the docker image. Check out this example from OpenTelemetry. There is also information about Paketo Buildpack for OpenTelemetry

NOTE: The endpoints to which the traces and metrics need to be shipped are available in the Telemetry default custom resource. You can view them in kyma-system namespace under Kyma -> Telemetry

Istio sidecar trace generation

If you have Istio sidecar enabled, Istio takes care of generating Spans, linking them to traces when you make upstream calls to services in the Istio service mesh. The requirement is to pass the appropriate headers so Istio can do the linking and generate the trace / span details.

This can be achieved by:

Using one of the SDKs mentioned above. (Preferred option)
Or, manually passing the required headers.

Reference: Istio distributed tracing

If you would like to do manual propagation, you should take the incoming "x-request-id" and "traceparent" headers from the HTTP request and forward them when making upstream calls to other microservices running inside the same Kyma cluster and part of Istio service mesh.

Other scenarios

Similarly, for calls to DB e.g. to SAP HANA Cloud, you can consider using SDKs that do the instrumentation.

How can you benefit from using distributed tracing?

Distributed tracing is a powerful technique used to monitor and understand the behavior of complex distributed systems. By implementing distributed tracing, you can gain several benefits:

Troubleshooting and debugging: Distributed tracing allows you to track requests as they flow through various components of your system. This helps identify performance bottlenecks, latency issues, and errors, making it easier to troubleshoot and debug problems.
Performance optimization: With distributed tracing, you can analyze the timing and dependencies of requests across different services. This helps identify areas where performance improvements can be made, such as optimizing slow database queries, reducing network latency, or optimizing resource usage.
Service dependency visualization: Distributed tracing provides a holistic view of how different services interact with each other. This helps understand the dependencies between services and identify potential points of failure or bottlenecks.
Capacity planning: By analyzing the traces of requests, you can gain insights into the resource utilization patterns of your system. This can help in capacity planning, ensuring that your system is provisioned with the right amount of resources to handle the expected load.

Coming next

Stay tuned for the next blog on Shipping metrics to SAP Cloud Logging from Kyma runtime.

SAP BTP, Kyma Runtime internally available on SAP Converged Cloud

2024-04-19T11:33:15.943000+02:00

Hello Kyma community,

the Kyma team is happy to announce the SAP internal availability of SAP BTP, Kyma runtime on SAP Converged Cloud in the eu-de-1 region. This is the first stage of gradual enablement in non-restricted regions that should culminate in the general availability of Kyma on SAP Converged Cloud for all SAP customers. With that, we will do our part to deliver the SAP BTP Everywhere promise.

We started on this journey almost two years ago. The feedback we received from a limited pilot early last year guided our efforts towards delivering the best possible user experience to enable our customers to seamlessly adopt and benefit from SAP Converged Cloud. In turn, we ensure that our customers can start their migration efforts or new development today without additional effort or cost compared to major hyperscalers.

Right now, internal SAP teams can simply enable Kyma on SAP Converged Cloud via the SAP BTP Cockpit and start using the SAP BTP platform in the SAP Datacenter just like you would on the other hyperscalers. There is no need to manage infrastructure accounts and quotas, install and upgrade Kubernetes, or worry about infrastructure monitoring and security scanning. The Kyma team handles all day two operations related to infrastructure and available modules, so you do not have to.

You can immediately connect your applications to most SAP BTP services (from the nearby cf-eu20 region today) or SAP HANA Cloud instances even if the whole of BTP is not running on SAP Converged Cloud yet. We made sure that all currently available Kyma modules run smoothly and do not require specific configuration for SAP Converged Cloud.

There are some limitations we are working on. For example, it is not currently possible to set up the hyperscaler equivalent of VPC peering within or outside SAP Converged Cloud. Nor is it possible to connect to HANA Cloud instances via private networking (which is the case on hyperscalers as well).

Stay tuned for more updates, and give Kyma on SAP Converged Cloud a try in the meantime!

To learn more about SAP BTP, Kyma runtime please read and follow our other blogs, and visit the SAP BTP, Kyma runtime site.

Configure Custom SAP IAS tenant with SAP BTP Kyma runtime environment

2024-04-20T15:41:26.519000+02:00

This brief is to showcase how to get this done using a SAP BTP trial account.

Albeit, the entire procedure is well documented in SAP Help portal, namely under Configure a Custom Identity Provider for Kyma, the missing piece of the puzzle is the configuration of the identity provider application.

Any OIDC provider can be used as a custom OIDC provider with a kyma cluster. However, SAP BTP platform makes it both simple and affordable with the Always Free SAP Cloud Identity Authentication services.

From experience, this is is the most error-prone part of the procedure.
In order to alleviate the pain and burden of creating a SAP IAS service provider application I have prepared automation scripts that can be used entirely programmatically either from a kyma environment itself or directly from a BTP subaccount level.

Let's see how.

Table of Contents

prepare subaccount for kyma runtime with a custom IAS tenant

establish BTP subaccount trust with a custom SAP IAS tenant.

Kyma Environment.

Accessing Kyma Dashboard

PS.

1. The SAP IAS service provider application automation script for those you'd like to run it directly from a kyma dashboard.

A hint: You may want to replace all the placeholder values with the shoot name of a kyma cluster.

# Source: skr-easy/templates/binding-ias.yaml
apiVersion: services.cloud.sap.com/v1
kind: ServiceBinding
metadata:
  name: skr-ias-binding
  labels:
    app.kubernetes.io/name: skr-ias-binding
spec:
  serviceInstanceName: '<serviceInstanceName>' ##fee3078
  externalName: '<externalName>' ##fee3078
  secretName: skr-ias-binding-secret
  parameters:
    credential-type: "NONE" 
  parametersFrom: []
---
# Source: skr-easy/templates/service-ias.yaml
apiVersion: services.cloud.sap.com/v1
kind: ServiceInstance
metadata:
  name: '<name>' ##'fee3078'
  labels:
    app.kubernetes.io/name: '<label>' ##'fee3078'
spec:
  externalName: '<externalName>' ##fee3078
  serviceOfferingName: identity
  servicePlanName: application
  parameters:
    name: '<name>'                     ##'fee3078' ### name of the application created in IAS or the service instance id
    display-name: '<display-name>'     ##'shoot-name-fee3078' ### display-name of the application created in IAS
    home-url : '<home-url >'           ## 'https://$BTP_SUBDOMAIN.fee3078.kyma.ondemand.com'
    user-access: public ## allows for self-registration

    oauth2-configuration:
      grant-types:
        - authorization_code
        - authorization_code_pkce_s256
      token-policy:
        token-validity: 3600
        refresh-parallel: 3
        access-token-format: default

      public-client: true ## if set to true, enables PKCE flow for the application, where the client does not need to provide a credential.
      redirect-uris:
        - 'https://dashboard.kyma.cloud.sap'
        - 'http://localhost:8000'
    subject-name-identifier:      ## https://help.sap.com/docs/identity-authentication/identity-authentication/configure-subject-name-identifier-sent-to-application?locale=en-US
      attribute: mail ##userUuid
      fallback-attribute: none ##uid

    default-attributes:    ## https://help.sap.com/docs/identity-authentication/identity-authentication/configure-default-attributes-sent-to-application?locale=en-US
    
    assertion-attributes:  ## https://help.sap.com/docs/identity-authentication/identity-authentication/configure-user-attributes-sent-to-application?locale=en-US
      email: mail
      groups: companyGroups
      first_name: firstName
      last_name: lastName
      login_name: loginName
      mail: mail
      scope: companyGroups
      user_uuid: userUuid
      locale: language

2. Let's assume one needs to provision a kyma cluster with a custom IAS from the start.
In this case the SAP IAS service provider application must be created before the kyma environment is enabled.

SAP IAS service instance application plan parameters for those who need to enable a kyma cluster configured with a custom SAP IAS from the get-go:

{
        "name": "quovadis",
        "display-name": "quovadis",
        "user-access": "public",
        "oauth2-configuration": {
            "grant-types": [
                "authorization_code",
                "authorization_code_pkce_s256"
            ],
            "token-policy": {
                "token-validity": 3600,
                "refresh-parallel": 3,
                "access-token-format": "default"
            },
            "public-client": true,
            "redirect-uris": [
                "https://dashboard.kyma.cloud.sap",
                "http://localhost:8000"
            ]
        },
        "subject-name-identifier": {
            "attribute": "mail",
            "fallback-attribute": "none"
        },
        "default-attributes": null,
        "assertion-attributes": {
            "email": "mail",
            "groups": "companyGroups",
            "first_name": "firstName",
            "last_name": "lastName",
            "login_name": "loginName",
            "mail": "mail",
            "scope": "companyGroups",
            "user_uuid": "userUuid",
            "locale": "language"
        }
}

As the SAP IAS service provider OAuth2 application must be configured with the authorization code with PKCE grant type, one needs to provide the following service bindings parameters:

 {
    "credential-type": "NONE"
 }

The resulting binding will contain both the clientid and the issuer url. These values can be used directly with the kyma cluster provisioning wizard.

{
    "clientid": "f61*************",
    "url": "https://***.trial-accounts.ondemand.com",
}

From now on, one can update/create the kyma environment settings, either from the BTP cockpit or using the btp cli with the below json parameters (saved to a local config.json file)

{
    "administrators": [
        "email1@domain.com",
        "email2@domain.com",
        "emailN@domain.com"
    ],
    "oidc": {
        "clientID": "f61********************",
        "groupsClaim": "groups",
        "issuerURL": "https://***.trial-accounts.ondemand.com",
        "signingAlgs": [
            "RS256"
        ],
        "usernameClaim": "sub",
        "usernamePrefix": "-"
    },
    "name": "quovadis"
}

Eventually, the below script shows how to create a new kyma environment using btp cli with BTP Trial account, namely:

btp create accounts/environment-instance --display-name quovadis --environment kyma --service kymaruntime --plan trial --parameters config.json

Creating an environment instance for subaccount e691b16b-**********...

environment id:     B1A10B19-************
environment name:   quovadis
environment:        kyma
landscape:          
state:              CREATING
state message:      Creating environment instance.

Command runs in the background. 
Use 'btp get accounts/environment-instance' to verify status.

OK


btp list accounts/environment-instance

Showing environment details for subaccount e691b16b-*************:

environment name   environment id                         environment type   state   state message                   landscape   
*******trial       AA23C91E-************   cloudfoundry       OK      Environment instance created.   cf-ap21     
quovadis           B1A10B19-************   kyma               OK      Environment instance created.               


OK

and then how to dispose of it:

btp delete accounts/environment-instance B1A10B19-**************
Do you really want to delete the specified environment instance and all content? [no]> yes

Deleting environment instance B1A10B19-******** and all its data in subaccount e691b16b-***********...

environment name:   quovadis
environment id:     B1A10B19-***************
environment type:   kyma

Command runs in the background. 
Use 'btp list accounts/environment-instance' to verify status.

OK

Alternatively, a kyma environment update can be performed as well, for instance:

btp update accounts/environment-instance B1A10B19-******** --plan trial --parameters config2.json

Updating environment instance with ID B1A10B19-***********

OK

Please note it is not possible to amend the list of modules via a kyma environment update.

Mistral gagnant. Mistral AI and SAP Kyma serverless.

2024-04-20T17:53:48.035000+02:00

Mistral gagnant. Mistral AI and SAP Kyma serverless (nodejs) story.

Let me tell you my story.

I have come across Mistral AI as an alternative to OpenAI/SAP AI core.

And, very naturally, I wanted to be able to consume the Mistral Javascript Client from a backend service running on SAP BTP, Kyma runtime (which is the SAP's managed and business-friendly kubernetes offering) as a serverless function.

And here is how the story unfolded...

Table of Contents

Mistral gagnant.

Voila. C'est le mistral gagnant:)

PS.

Prompts examples:

MistralAI prompt: what is the best French dish?
The "best" French dish can depend on personal taste, but some of the most popular and renowned French dishes include:

1. Coq au Vin: This is a classic French dish where chicken is slow-cooked with wine, lardons (small strips or cubes of pork fat), mushrooms, and possibly garlic.

2. Bouillabaisse: Originating from the port city of Marseille, this is a traditional Provençal fish stew.

3. Escargots: Snails cooked in a garlic, butter, and parsley sauce, often served as an appetizer.

4. Ratatouille: A vegetable stew from Nice, usually made with eggplant, zucchini, bell peppers, tomatoes, and sometimes potatoes and onions.

5. Crème Brûlée: A rich custard base topped with a contrasting layer of hard caramel.

6. Tarte Tatin: A caramelized apple tart where the apples are cooked first in butter and sugar before the tart is baked.

7. French Onion Soup: Made with onions, beef broth, and usually topped with croutons and cheese.

8. Quiche Lorraine: An open pie with a filling consisting of a savoury custard with smoked lardons or bacon.

9. Steak Frites: A simple yet classic dish of a grilled or fried steak served with French fries.

10. Croissants: A buttery, flaky, crescent-shaped pastry that originated in Austria but became very popular in France.

MistralAI prompt: How to implement mTLS with SAP Kyma
Mutual Transport Layer Security (mTLS) is a method of authentication that uses digital certificates to verify the identity of both the client and server during a communication session. Implementing mTLS with SAP Kyma involves several steps, including creating a certificate authority (CA), generating and distributing certificates, and configuring your applications to use mTLS.

Here are the general steps to implement mTLS with SAP Kyma:

1. Set up a certificate authority (CA) to issue and sign the certificates. You can use a public CA, or set up your own private CA using tools such as OpenSSL or Certbot.
2. Generate a private key and certificate signing request (CSR) for each service or application that will use mTLS. You can use OpenSSL or Certbot to generate the private key and CSR.
3. Submit the CSR to the CA to obtain a signed certificate. The CA will verify the identity of the requestor and issue a signed certificate.
4. Configure your application or service to use the private key and signed certificate. This typically involves setting environment variables or configuration files in your application to point to the location of the private key and certificate.
5. Configure SAP Kyma to use mTLS. This involves setting up a custom domain for your application, configuring the Istio service mesh to enforce mTLS, and configuring any ingress gateways to require client authentication.
6. Test your mTLS implementation to ensure that it is working correctly. You can use tools such as curl or OpenSSL to test the connection between your client and server, and verify that the certificates are being exchanged and validated correctly.

SAP Kyma provides a built-in certificate authority called the Kyma Certificate Service (KCS) which can be used for generating and managing certificates for mTLS. You can find more information on how to use KCS in the SAP Kyma documentation.

Additional reading:

Piet Mondrian's artwork powered with AI with little or no code.

Real time access management with SAP BTP Kyma serverless workloads

2024-04-21T11:09:46.265000+02:00

Real time access management with SAP BTP Kyma workloads

Using kyma functions to handle the promotional events from campaigns defined in the SAP BTP Omnichannel Promotion Pricing integrated with SAP Commerce Cloud may be a rather challenging endeavour.The main reason being, the promotional events must be handled in a sequence and are subject to draconian time processing constraints (less than 600 milliseconds per event).

Let's see how this can be done.

Table of Contents

Further reading

PS.

IoT - Ultimate Data Cyber Security - with Enterprise Blockchain and SAP BTP 🚀

2024-04-22T11:07:39.454000+02:00

It wasn't that long ago that Cyber Security and Resilience translated to High Availability and Disaster Recovery. Driven by the Sensitivity, Confidentiality, and Availability requirements of the Data, Systems and Applications were built to have the highest possible availability. That requirement came from the times when an entire end to end Business Process ran in a single standalone Application.

Fast forward to today, end to end Business Processes can begin in one Application on one side of the world and pass through Applications somewhere else in the world and finish in Applications in an altogether different location in the world. The beginning of the Business Process can be Sensors and Things at the Edge, producing Data, Events, something has happened and triggered the Business Process.

This creates several problems:

Protect the Originality & Integrity of the Data - When the Thing, the IoT Sensor, let's say critical infrastructure, something like a Base Station in a Telco Network, or a piece of the Electrical Grid for a Utility Company, when the Thing, the IoT Sensor creates the piece of Data, a Record of something that just happened we need to make sure that piece of Data cannot be modified or destroyed and therefore protect the originality and integrity of the Data

Moving the Data from the Edge to the SAP Application in the Cloud or DataCenter and at the same time Protect the Originality & Integrity of the Data - we need to get the Data from the Thing, the IoT Sensor, to the SAP Application in the Cloud or DataCenter and we need to be sure, to have surety that the Data which arrives in the SAP Cloud or DataCenter is exactly the same Data that was created at the Edge at the Thing, the IoT Sensor. If this Data gets changed in any way, we won't be able to trust the Business Processes and Insights which are depending on that Data. And so, in the activity of moving the Data we need to make sure that that piece of Data cannot be modified or destroyed and therefore protect the originality and integrity of the Data

And so, here we are, the biggest threat to Enterprise SAP Applications is no longer the High Availability, the Server crashing, that's all under control and possible to take care of,

The biggest threat to IoT & Enterprise SAP Applications is Cyber Security and Cyber Attacks

A common thought is that a hacker, or cyber attacker wants to modify Data for their own financial benefit, for example change the destination bank account number for invoice payments, yes those threats are still there, but biggest threat is that a hacker or cyber attacker deletes or modifies Master and Transaction Data resulting that the Master and Transactional Data does not have integrity and cannot be used, and if the attacker succeeded to modify the Backup as well, then the Enterprise could be out of business for a long time trying to pick up the pieces and get up and running again.

The biggest threat to IoT & Enterprise SAP Applications is Cyber Attacks rendering the Master and Transaction Data un-trustworthy

And that's where the Enterprise Blockchain comes in, and this blog is going to explain why.

Ok let's go🚀

Welcome to the eighth blog in this series on Enterprise Blockchain and SAP. If you have been following the previous blogs then you'll be familiar with the blog template. We'll begin by talking about and framing the problem, in this case Data Cyber Security for IoT and SAP and then go in to identifying the enabling technology which will have the best capabilities and be the most appropriate to solving the problem all the way through to the reference solution architecture to be able to implement the solution.

The blog is going to break the subject down in to three sections:

Section 1.0: The What is it of IoT & SAP, and Enterprise Blockchain

Section 2.0: The Why is it, of IoT & SAP, and Enterprise Blockchain

Section 3.0: The How is it, of IoT & SAP, and Enterprise Blockchain

tl:dr

If you want to protect the originality and integrity and confidentiality of IoT data, from the Edge to Insights and SAP Business Processes, then the answer is an Enterprise Blockchain Database, where the Enterprise Blockchain Tenants are running on Edge Hosts/Servers and in the SAP BTP Business Technology Platform, enabling Enterprise Blockchain Database to protect the Data from the Edge Hosts/Servers to the SAP BTP.

IoT Internet of Things Edge Data Cyber Security and SAP Asset Performance Management BTP Protected by Enterprise Blockchain - atkrypto.io

[the finer technical details of getting the data from the Enterprise Blockchain to SAP Asset Management and S/4HANA will be clearer possibly after Sapphire Orlando in June. In the mean time there are a number of ways to get the Data in and out of the Enterprise Blockchain running on the SAP BTP Kyma Service]

Enterprise Blockchain is both:

. a Secure Store

. a Secure Communication Channel

Enterprise Blockchain is the Cyber Security for Enterprise IoT Data from the Edge to Insights 🚀

and now.... the long answer...

Section 1.0: The What is it of IoT & SAP, and Enterprise Blockchain

What is IoT Internet of Things ?

History of IoT

In 2021, there were over 10 billion IoT devices in the world, and by 2025, the IDC expects global data generation to exceed 73 zettabytes – which is equal to 73 trillion gigabytes. Although we can’t really quantify digital data in physical terms, we can say that if all that data were converted into 1990s floppy disks – and they were laid out end to end – they could go to the moon and back over 5,000 times.

[Source: What is IoT? The Future of Business | SAP]

What are some IoT applications?

Looking at IoT applications, which are sometimes described as use cases, can help ground the discussion about what IoT is. Broadly, IoT applications occur in one of nine settings.

Human health. Devices can be attached to or inserted inside the human body, including wearable or ingestible devices that monitor or maintain health and wellness, assist in managing diseases such as diabetes, and more.
Home. Homeowners can install devices such as home voice assistants, automated vacuums, or security systems.
Retail environments. Devices can be installed in stores, banks, restaurants, and arenas to facilitate self-checkout, extend in-store offers, or help optimize inventory.
Offices. IoT applications in offices could entail energy management or security for buildings.
Standardized production environments. In such settings, including manufacturing plants, hospitals, or farms, IoT applications often aim to gain operating efficiencies or optimize equipment use and inventory.
Custom production environments. In customized settings like those in mining, construction, or oil and gas exploration and production, IoT applications might be used in predictive maintenance or health and safety efforts.
Vehicles. IoT can help with condition-based maintenance, usage-based design, or presales analytics for cars and trucks, ships, airplanes, and trains.
Cities. IoT applications can be used for adaptive traffic control, smart meters, environmental monitoring, or managing resources.
Outside. In urban environments or other outdoor settings, such as railroad tracks, autonomous vehicles, or flight navigation, IoT applications could involve real-time routing, connected navigation, or shipment tracking.

Other real-world examples abound. IoT solutions are being used in myriad settings: in refrigerators, to help restaurants optimize their food-compliance processes; in fields, to track livestock; in offices, to track how many and how often meeting rooms are used; and beyond.

What is the economic impact of IoT?

The potential value of IoT is large and growing. By 2030, we estimate it could amount to up to $12.5 trillion globally. That includes the value captured by consumers and customers of IoT products and services.

The potential economic value of IoT differs based on settings and usages, with factory settings and human health applications representing outsize shares of this total. Factory settings could generate $1.4 trillion to $3.3 trillion by 2030, or just over a quarter of the total value potential. IoT economic impact in human health settings could reach around 14 percent of the total estimated value.

Another way of looking at IoT’s value is to explore use-case clusters (similar uses adapted to different settings). Some of the most common use cases account for a sizable share of IoT’s potential economic value:

operations optimization, which is basically making the various day-to-day management of assets and people more efficient (41 percent)
health (15 percent)
human productivity (15 percent)
condition-based maintenance (12 percent)

Other clusters include sales enablement, energy management, autonomous vehicles (the fastest-growing cluster), and safety and security.

[Source: What is IoT: The Internet of Things explained | McKinsey]

Like everything else we do in Enterprise IT,

IoT Internet of Things is about Data

What is Enterprise Blockchain ?

Enterprise Blockchain is both:

. a Secure Store

. a Secure Communication Channel

In these previous blogs, I made a deep dive in to what Enterprise Blockchain is and why we should be positioning it in our Enterprise Architecture:

Why I love SAP and Blockchain Databases and why you should too🚀

SAP Enterprise Architecture: Positioning Blockchain Database as an Enterprise Technology Standard🚀

SAP Enterprise Architecture: Let the Use Case find the Blockchain 🚀

IoT Internet of Things and SAP - Enterprise Blockchain is the next generation Data Cyber Security Protection - atkrypto.io

and in a nutshell, Enterprise Blockchain is:

. The Digital Transformation of Information Security into Cyber Security

. The Next Generation Data Integrity, Originality, Confidentiality Protection

. Re-imagining Information Security

. Natively, out of the box, due to its special characteristics the strongest, hardest, most resilient Enterprise Database product

To wrap up this section:

. Iot Internet of Things is about Data

. Enterprise Blockchain is about Cyber Security of Data

Section 2.0: The Why is it, of IoT & SAP, and Enterprise Blockchain

So, why does IoT, Internet of Things, in the Enterprise IT, when implemented in conjunction with SAP Applications need Enterprise Blockchain ?

IoT is about Data, and the Data in most cases originates from the Edge and outlying parts of the Network.

The problem is the Cyber Security of getting the Data from the Edge and outlying parts of the Network to the safe zones of the SAP Cloud and yours or SAP's DataCenters.

IoT's biggest risk is that the Data coming from the IoT Devices is not trustworthy. In the same way as asking the wrong person for directions can leave you going all around the houses, if the Data coming from the IoT Devices, has been changed/contaminated/modified/poluted/made unreliable, whether purposefully through malicious acts or cyber attack, or accidentally, the result will be IoT's Data insights which cannot be trusted, and the result of that could be catastrophic. Just imagine not being able to trust the temperature of refrigeration during pharmaceutical and food production !

If we cannot protect and the originality and integrity of IoT Data, secure it, then how can we trust IoT Data ?

As Mckinsey & Company say:

IoT is about the Data

So, if we are going to do IoT and include IoT Data in our Business Processes and Insights, then we need to care for and protect the Data that is coming from IoT Devices.

Imagine, as described in the previous blog, when we let the Use Case find the Enterprise Blockchain, we have a Business Requirement, a Business Demand, to make IoT Data trustable.

Comparison Enterprise Blockchain Database and Traditional Legacy Database - atkrypto.io

IoT is about Data

IoT is about the Data that goes in to the SAP Applications in the Cloud and Data Centers

This means IoT Device Data depends on a Database or a Datastore

What kind of Database do IoT Devices produces ? What capabilities does the Database for the IoT Devices Data need to have ?

1. It must not be possible to modify the Data in the Database which comes from the IoT Devices - the Database needs to be immutable

2. The Data in the Database, the integrity and originality of that Data must be protected to the highest level that is technically possible

3. The Data must be available with the highest availability, the Database must be resilient to attack

When we look in our Enterprise Technology Standards we find 1 Technology Standard in the Enterprise which has those capabilities, and that is..... Enterprise Blockchain

Enterprise Blockchain ticks those three boxes...

Immutable - tick that box

Integrity must be protected to the highest level - tick that box, thanks to the Enterprise Blockchain Hash Mechanism and the Enterprise Blockchain Consensus Mechanism

Highest level of resilience and availability - tick that box thanks to the Distributed and Decentralised nature of the Enterprise Blockchain

This is why, Enterprise Blockchain is the enabler of trustable outcomes from Enterprise IoT Devices' Data.

atkrypto.io what is a blockchain

But there's more than that, IoT Devices can produce a lot of data, and the volumes of data can be big.

And this is why, in this blog we take the Enterprise Blockchain Technology story one level further and we introduce the:

Enterprise Blockchain Wallet

Off-Chain Data Storage

In the Enterprise Blockchain Platforms, the Enterprise Blockchain Wallet is used for Off-Chain storage of big data and in the following paragraphs we will explain why.

What is the Enterprise Blockchain Wallet, and what is Off-Chain Data Storage and why would we use them and why do we need them ?

Blockchain is a very simple form of database atkrypto.io

But, IoT Devices can produce a lot of Data, for example, there could be photographs proving that general waste was tipped at the correct certified location, photographs and in large volumes would be too big to be stored on the Enterprise Blockchain Database itself.

And that's ok, Enterprise Blockchain Platforms are ready for that, and have been designed to store both Structured Data and Data which is in files which are so big that they cannot be stored in the Enterprise Blockchain Database itself, for example the photographs from a Waste Truck's onboard camera proving that waste was responsibly tipped in the correct location and taken at the same time as recording GPS location coordinates proving the location of the Waste Truck.

So, if we can't store the large photographs files in large quantities to the Enterprise Blockchain Database, then how, in an Enterprise Blockchain Platform do we store large files of Data ?

The Enterprise Blockchain Wallet enables us to store large Data, like large Files safely and securely off the chain, or 'Off-Chain'.

But if we store the large Data files Off-Chain in the Enterprise Blockchain Wallet, then how do we also have them some how on the Enterprise Blockchain Database ?

The configurable Enterprise Blockchain Wallet of the Enterprise Blockchain Platform looks like this:

Enterprise Blockchain Platform - Enterprise Blockchain Wallets - Configurable Enterprise Wallets - atkrypto.io

Ok, so we've got the IoT Data stored in the (configurable) Enterprise Blockchain Wallet, but what about securing the IoT Data ? Obviously the Enterprise Blockchain Wallet storage location has built in security, for example the SAP HANA Cloud, the AWS S3 Buckets, but we need more than the out of the box security of these products, the reason we are using the Enterprise Blockchain Database is because of the amazing security strengths that it natively out of the box has, and so, what about the Enterprise Blockchain Wallet, doesn't the Enterprise Blockchain Platform have some cool super hard way of protecting the data in the Enterprise Blockchain Wallet ?

Well yes it does, this is the magic of Enterprise Blockchain Database 'Off-Chain' storage in the Enterprise Blockchain Wallet. This is so unique to Blockchain Technologies.

The data or the file in the Enterprise Blockchain Wallet gets hashed, and then, that hash is stored in the Enterprise Blockchain Database.

On the other hand, if just before we load the data in to the SAP Enterprise Applications, eg SAP Asset Performance Management and SAP S/4HANA, from the Enterprise Blockchain Wallet, if we run a hash over the data and the hash result is the same as we have in the Enterprise Blockchain Database, then we will know we can trust the Data and we can use it in our SAP Applications and we will have trustable IoT Data.

Enterprise Blockchain Wallet Data Hashes Stored in the Enterprise Blockchain Database - atkrypto.io

And this is why, for all of these reasons,

Trustable Enterprise IoT Data depends on Data being stored in the Enterprise Blockchain

But that's not the end of the Why IoT Data needs Enterprise Blockchain.

As we showed at the beginning of the blog in this picture:

IoT Internet of Things Edge Data Cyber Security and SAP Asset Performance Management BTP Protected by Enterprise Blockchain - atkrypto.io

As the picture shows, we have an Enterprise Blockchain Database Tenant installed on a Server Host at the Edge of the Network AND we have an Enterprise Blockchain Data Tenant installed on the SAP BTP Kyma Runtime.

The consequence of this is that we have a distributed Enterprise Blockchain Database table which stretches from the Edge of the Network where the IoT Devices are all the way across the Network to the SAP BTP and DataCenter.

This means we have Enterprise Blockchain Data Protection from the source where the IoT Devices are to the Insights and Business Processes where the SAP Applications are.

We have taken the Enterprise Blockchain to the Data at the source at the IoT Devices instead of taking the IoT Device's Data across all of the Networks to the safety of the SAP BTP and DataCenter. This is because we need to store the Data in the Enterprise Blockchain as close as possible to the source of the Data. The closer the Enterprise Blockchain Tenant is to the source of the Data, the safer the Data will be, it's as simple as that. Enterprise Blockchain is the next generation Cyber Security for IoT Data, and we need to minimise the amount of exposure IoT Data has to previous generation security technologies and approaches.

And this is why we say, Enterprise Blockchain is a Secure Communication Channel, because instead of integrating Applications sending and replicating Data across Networks, we are sharing the Data across the Enterprise Blockchain and the Enterprise Blockchain is the Secure Communication Channel.

IoT Internet of Things and SAP - Enterprise Blockchain is the next generation Data Cyber Security Protection - atkrypto.io

To conclude this section, the Why to, of IoT and Enterprise Blockchain, IoT Data needs to Trustable.

Enterprise Blockchain, due to its native super strong security strength when used as a store of Data enables IoT Data to be Trustable, and the Enterprise Blockchain Software needs be installed as close as possible to the source of the IoT Data, as close as possible to the IoT Devices.

Section 3.0: The How is it, of IoT & SAP, and Enterprise Blockchain

Now that we know why trustable Enterprise IoT needs the Enterprise Blockchain Database to protect the integrity and originality of the Data, how do we implement it today ?

Well that's easy, here are the ingredients and the recipe...

Ingredients, you're going to need:

Data Source(s) eg

IoT Devices which are either REST or MQTT (this could be other protocols and transfer mechanisms depending upon the required Adapters)

SAP and IoT IoT Devices sending Data to MQTT Broker in the Edge Host Instance of the Enterprise Blockchain Platform Database Tenant - atkrypto.io

SAP and IoT IoT Devices sending Data to REST Endpoint in the Edge Host Instance of the Enterprise Blockchain Platform Database Tenant - atkrypto.io

Large Storage for Large Data and the Enterprise Blockchain Wallet

SAP HANA Cloud (Data Lake)

Enterprise Blockchain Platform and specifically one which is capable of running Tenants as close to the Source of the IoT Data as possible at the Edge. We do NOT want to send the IoT Data across the Internet to a Blockchain somewhere in the Cloud, that would defeat the object of the exercise.

These are the basic ingredients, the data from the IoT Devices will be stored either Off-Chain in the SAP HANA Cloud (Data Lake) which will also be the Enterprise Blockchain Platform (configurable) Wallet, or On-Chain in the Enterprise Blockchain Platform Database Ledgers, this Enterprise Blockchain Database Ledger will be running from the Edge to the SAP BTP and DataCenters and then SAP Applications like SAP Asset Performance Management and SAP S/4HANA will be able use the Data in Business Processes and Insights.

And your Technical Reference Architecture will look something like this:

IoT Internet of Things Edge Data Cyber Security and SAP Asset Performance Management BTP Protected by Enterprise Blockchain - atkrypto.io

And that's how you do it.

Wrapping up, conclusions:

. Trustable Enterprise IoT depends on Data being stored in the Enterprise Blockchain at the Edge and in the SAP BTP

Enterprise Blockchain is:

. The Digital Transformation of Information Security to Cyber Security

. The Next Generation Data Integrity, Originality, Confidentiality Protection

. Re-imagining Information Security

. Natively, out of the box, due to its special characteristics the strongest, hardest, most resilient Enterprise Database product

Enterprise Blockchain is both:

. a Secure Store

. a Secure Communication Channel

The configurable Enterprise Blockchain Wallet enables you to store Big Data 'Off-Chain' and the hashes of the IoT Data are stored safely and securely on the Enterprise Blockchain Database.

So what are we waiting for ? Oh yeah, more use cases, ok, that will be the next blog.

What do you think, are the words IoT, Blockchain, Web3, Distributed Ledger Technology, starting to appear in your Company's visions and technology visions ? What use cases are you looking at ? Let's chat about it in the comments.

For now, over and out.

Andy Silvey.

Independent SAP Technical Architect and CEO of atkrypto.io

Author Bio:

Andy is also co-Founder of atkrypto inc, an startup whose ambition is to make Blockchain easy for Enterprise.

atkrypto.io's flagship product is the atkrypto Enterprise Blockchain Platform for SAP, and atkrypto.io is a SAP Partner Edge Open EcoSystem Partner.

All of this makes atkrypto,io the DePIN Decentralised Physical Infrastructure Network solution for Enterprise.

atkrypto is one of the Next20 startups being featured at TM Forum's DTW Ignite in Copenhagen in June

If you will be at DTW24 come and talk to us about Cyber Security of SAP Data with Enterprise Blockchain.

B2B Business Processes - Ultimate Cyber Data Security - with Blockchain and SAP BTP 🚀

2024-05-07T09:54:43.546000+02:00

B2B Business Processes - there are many Business Processes which cross Company and Organisation boundaries.

What has that got to do with Enterprise Blockchain and Cyber Security ? Let's find out.

This is a great Enterprise Blockchain story, it's one of my favourites, like the BCP one, it's so easy to implement and so effective and protects Data and Systems and Business Partners across so many dimensions, read on to find out why.

So buckle up and enjoy the ride...

B2B Business Processes, also known as, Multi-Party Collaboration, the following common Business Processes and others can all include elements of 3rd Party Organisation integration:

Order-To-Cash
Procure-To-Pay
Plan-To-Produce/Plan-To-Inventory
Record-To-Report
Source-To-Pay
Idea-To-Offering
Count-To-Reconcile
Forecast-To-Monitor
Inspect-To-Comply
Cradle-To-Grave/Acquire-To-Retire

Where ever you have a Business Process which includes sending your Data to a 3rd Party Organisation, to another Company, your Data is being put at risk. When ever you send or replicate or integrate your Company's Data to another Company your Data is at risk, and this means your Business Process is at risk and therefore your Business is at risk.

This blog is going to be talking about and showing is the weakness of the current approach of working with Data across multiple Organisations which collaborate together on a Business Process.

An easy example is 3PL 3rd Party Logistics.

Your Company needs something delivered and your S/4HANA system sends an instruction to the 3rd Party Logistics company to make a collection and a delivery.

This all looks very normal and very common, but what is actually happening when your Company sends an instruction from the S/4HANA system to the Delivery Planning System at your Partner Company the 3PL 3rd Party Logistics Company ?

Data, it's all about Data, your S/4HANA system is sending Data to your Business Partner the 3rd Party Logistics Company instructing them on where to collect from or deliver to.

And this is the problem, as soon as your Data leaves your network, it's no longer your Data, and you lose control of the Data.

This is a classical Integration scenario, the S/4HANA is Integrated to the 3rd Party Logistics Company's System and you send them your Data. What happens to that Data at your Business Partner is beyond your control, you can only trust that they will care for your Data the same way as they would care for their own Data.

This is how you are doing it today, with IDOCS and API's, this is legacy Data Integration through Replication:

Cyber Security Risk SAP Customers have to share Master Data with Partners Legacy Integration through Data Replication atkrypto.io

This creates several problems including:

Trust between Partners: The more Partners in a Business Transaction or Business Process, the less trust there is between Partners. This is a very simple graph, as the number of Partners in a Business Transaction or Business Process goes up, so the trust between the Partners goes down. What is trust in a Business Transaction or Business Process, doing what you said you would, data, instruction, confirmation. I will deliver the parcel to the address you gave me, but what if somebody in my Team changes the delivery address for their own benefit ?

Protect the Originality & Integrity of the Data - When your S/4HANA sends the Data to your Business Partner's System we need to make sure that the Data cannot be modified or destroyed and therefore protect the originality and integrity of the Data

Replicating & Integrating the Data from your S/4HANA to your Business Partner's System and at the same time Protect the Originality & Integrity of the Data - we need to get the Data from the S/4HANA to the Business Partner's System and we need to be sure, to have surety that the Data which arrives at the Business Partner's System is the same Data as was sent from your S/4HANA. If this Data can be changed in any way, we won't be able to trust the Business Processes and Insights which are depending on that Data. And so, in the activity of moving the Data we need to make sure that that piece of Data cannot be modified or destroyed and therefore protect the originality and integrity of the Data

and it doesn't end there, it's often the case that a 3rd Party Organisation will be getting Data directly from your S/4HANA (as the Source) or posting Data to your S/4HANA (as the Target), in both cases it could be an API which through your Integration Technologies is ultimately exposed to the Internet and where the system calling the API needs to have a User on your S/4HANA.

And 3rd Party Logistics is only the tip of the iceberg when it comes to Multi-Party Collaboration and Business Transactions and Business Processes. You know how integrated your Systems are with your Business Partners how the data is flowing in and out of your network to and from your Partner's networks.

And so, here we are,

The biggest threat to B2B Business Processes is Cyber Security and Cyber Attacks

The biggest threat to Multi-Party Collaboration is Cyber Security and Cyber Attacks

And that's where the Enterprise Blockchain comes in, and this blog is going to explain why.

This blog will be less about deep dives into Use Cases and more about how Enterprise Blockchain is:

. A Secure Store of Data

. A Secure Communication Channel for Data

. A Common Shared Single Source of Truth in your Organisation and across Organisations

. The next generation Data Integration is about having a Common Shared Single Source of Truth

Subsequent blogs will deep dive individual use case by use case, this one will focus on the principle of Enterprise Blockchain already today being the next generation Secure Store and Secure Communication Channel for Data and how and why.

Ok let's go 🚀

Welcome to the ninth blog in this series on Enterprise Blockchain and SAP. If you have been following the previous blogs then you'll be familiar with the blog template. We'll begin by talking about and framing the problem, in this case Data Cyber Security for B2B Business Processes and then go in to identifying the enabling technology which will have the best capabilities and be the most appropriate to solving the problem all the way through to the reference solution architecture to be able to implement the solution.

The blog is going to break the subject down in to three sections:

Section 1.0: The What is it of B2B Business Processes and SAP, and Enterprise Blockchain

Section 2.0: The Why is it, of B2B Business Processes and SAP, and Enterprise Blockchain

Section 3.0: The How is it, of B2B Business Processes and SAP, and Enterprise Blockchain

In case you missed them, the previous blogs in this series are here:

Why I love SAP and Blockchain Databases and why you should too 🚀

SAP Enterprise Architecture: Positioning Blockchain Database as an Enterprise Technology Standard 🚀

SAP Enterprise Architecture: Let the Use Case find the Blockchain🚀

Oil & Gas - Ultimate Data Security - Blockchain Data Backbone from OT to SAP IT🚀

The What Is... The Why To... The How To... of: ESG & SAP & Enterprise Blockchain 🚀

BCP: Business Continuity Planning for SAP S/4HANA - made easy with Enterprise Blockchain 🚀

Trustable AI thanks to - SAP AI Core & SAP HANA Cloud & SAP S/4HANA & Enterprise Blockchain 🚀

IoT - Ultimate Data Cyber Security - with Enterprise Blockchain and SAP BTP 🚀

tl:dr

Enterprise Integrations and Integration Architecture centered around sending and replicating Data to Business Partners results in you losing control of your Data, and losing surety that the Business Partner is looking at the same Data as you are.

The Digital Transformation of Enterprise Integrations is to have a shared common single source of truth for data with your Business Partners.

Enterprise Blockchain is the answer, Enterprise Blockchain enables both Business Partners, you and your Business Partner to share the same Distributed Ledger and consequently have a common shared single source of truth for data across multiple Companies.

That's one thing, the next thing is that thanks to the special characteristics of the Enterprise Blockchain Distributed Ledger, namely, Immutable, Hash Mechanism, Consensus, Distributed, when you or your Business Partner write data to the Enterprise Blockchain, you know, that nobody can modify the Data for their own gains, your know that natively, out of the box you have the highest level of Data Cyber Security and Resilience of any commercial database product available.

In the 3PL scenario, this is what your SAP Technical Architecture would look like:

Enterprise Blockchain as a Shared Common Single Source of Truth for Master and Transactional Data across Organisations with SAP BTP and atkrypto.io

[the finer technical details of the Technical Solution Architecture will be elaborated in the rest of the blog]

The Future of Enterprise Collaboration and Cross Organisation Data Integration and B2B Business Processes (and this is possible today with the SAP BTP and SAP Partner Edge Open EcoSystem Partner Enterprise Blockchain Products).

And as will be explained later in the blog, it's not only about the Enterprise Blockchain being a common shared source of truth across organisations, it's about digitally decoupling the S/4HANA from 3rd Party System Integrations and gradually ring fencing the S/4HANA away from being directly accessed by 3rd Party Systems as it is today with API's.

This is like pick your own strawberries, instead of sending your Partners the strawberries, you tell your Partner the strawberries are ready and which field they are in and you let your Partners pick the strawberries themselves from the Enterprise Blockchain.

S/4HANA Data Events write the Data to the Enterprise Blockchain and S/4HANA Notification Events notify the Partner that something has happened, then, instead of calling an API on your SAP S/4HANA, the Partner then calls the API of the Enterprise Blockchain and Reads the Data from there.

The Enterprise Blockchain Database software is running on your SAP BTP Kyma Runtime and in your Partner's Servers, therefore, creating natively, out of the box, the most secure and resilient common shared single source of truth. Your have a Distributed Ledger running from your SAP BTP to the Partner's Servers.

Enterprise Blockchain Multi Party Business Processes Data Sharing atkrypto.io

Therefore, S/4HANA Data Event Writes to the Enterprise Blockchain as the Common Shared Single Source of Truth across the Organisations, and the S/4HANA Notification Event notifies the Partner that something has happened and that they should call the Enterprise Blockchain API to get the Data of what has happened.

Enterprise Blockchain is:

. a Secure Store

. a Secure Communication Channel

. a Shared Common Single Source of Truth for Master and Transactional Data across Organisations

Enterprise Blockchain is the Cyber Security for Enterprise B2B Business Processes and Multi Party Collaboration.

and now.... the long answer...

Section 1.0: The What is it of B2B Business Processes and SAP, and Enterprise Blockchain

What are B2B Business Processes, what is Multi-Party Collaboration, what are 3rd Party Integrations, what is it all and why do we need it ?

B2B Business Processes, Multi-Party Collaboration, in the context of this subject, these are any Business Process in your Company which includes your Master and Transactional S/4HANA Data being used by another Company, and results in the other Company needing access to your Data.

There are many examples, in today's world of outsourcing that which is not considered part of the core Business, Multi-Party Collaboration is very common across most lines of the Business. Another easy and common one is outsources Payroll.

As described in this blog, by @mert_turan , your Company is using a 3rd Party Payroll provider to take care of your Payroll, the process and the integration can look like this:

Payroll Process by Mert Turan

This is a classic example of a B2B Business Process, where your Company is sending highly sensitive and highly confidential Data, transferring that Data to a 3rd Party Company, in this case a 3rd Party Payroll Provider. Look at all of the Data transfers which are going on in that Payroll Business Process.

Just look at the sensitivity and confidentiality of the Data which is being transferred to the 3rd Party Company, Personal and Business Sensitive Master and Transactional Data.

What could possibly go wrong ?

What could possibly go wrong with any of these Multi-Party Collaborative Business Processes, Payroll, Supplier Network Collaboration, 3rd Party Logistics, Contract Manufacturing ?

What is the biggest risk ?

The Data, again, it's all about the Data, and keeping the Data safe, and reducing the chance that somebody can mess with the Data.

What about the Enterprise Blockchain, what is Enterprise Blockchain ?

Enterprise Blockchain is both:

. a Secure Store

. a Secure Communication Channel

In these previous blogs, I made a deep dive in to what Enterprise Blockchain is and why we should be positioning it in our Enterprise Architecture:

Why I love SAP and Blockchain Databases and why you should too🚀

SAP Enterprise Architecture: Positioning Blockchain Database as an Enterprise Technology Standard🚀

SAP Enterprise Architecture: Let the Use Case find the Blockchain 🚀

Enterprise Blockchain Multi Party Business Processes Data Sharing atkrypto.io

and in a nutshell, Enterprise Blockchain is:

. The Digital Transformation of Information Security into Cyber Security

. The Next Generation Data Integrity, Originality, Confidentiality Protection

. Re-imagining Information Security

. Natively, out of the box, due to its special characteristics the strongest, hardest, most resilient Enterprise Database product

To wrap up this section:

. B2B Business Processes are about Data

. Enterprise Blockchain is about Cyber Security of Data

Section 2.0: The Why is it, of B2B Business Processes and SAP, and Enterprise Blockchain

So, why B2B Business Processes in the Enterprise IT, when implemented in conjunction with SAP Applications need Enterprise Blockchain ?

Multi-Party Collaboration is about replicating Data to 3rd Party Company, and the Data, this is your Company's Data and in most cases highly sensitive and highly business and personally confidential.

The problem is the Cyber Security of getting the Data from the your Company's SAP S/4HANA to the 3rd Party Company's Application, and ensuring the originality and integrity of the highly sensitive and confidential Master and Transactional Data which you are replicating to the Partner Company remains intact.

As we talked about earlier, and this is worth repeating because this is the problem of Multi-Party Collaboration:

ITSecurityWire.com, in their article, Best Practices to Secure Data Integration, put it like this:

The LinkedIn Community describe the risks of Data integration like this:

Those are the problems with today's legacy ways of making your S/4HANA Master and Transaction Data available for 3rd Party Companies in your B2B Business Processes.

And what's the solution ?

The solution is the Enterprise Blockchain as the Common Data Back Bone across Companies.

Instead of replicating and sending the Data to your Business Partner, you write the S/4HANA Data to the Enterprise Blockchain.

Imagine, as described in the previous blog, when we let the Use Case find the Enterprise Blockchain, we have a Business Requirement, a Business Demand, to make Data for B2B Business Process the safest it can be, the most trustable that it can be.

Comparison Enterprise Blockchain Database and Traditional Legacy Database - atkrypto.io

B2B Business Processes are about Data

B2B Business Processes are about the Data that goes from your S/4HANA outside the boundaries of your Company and your Network and to Partner Company's Applications and Networks and Databases.

This means B2B Business Processes are about Data and the Data depends on a Database or a Datastore

What kind of Database do B2B Business Processes Data need ? What capabilities does the Database for the B2B Business Processes Data need to have ?

1. It must not be possible to modify the Data in the Database ]- the Database needs to be immutable

2. The Data in the Database, the integrity and originality of that Data must be protected to the highest level that is technically possible

3. The Data must be available with the highest availability, the Database must be resilient to attack

4. The Database must be running simutaneously in your DataCenter and your Business Partner's DataCenter

5. S/4HANA must not expose any API's to Business Partner Companies

When we look in our Enterprise Technology Standards we find 1 Technology Standard in the Enterprise which has those capabilities, and that is..... Enterprise Blockchain

Enterprise Blockchain ticks those boxes...

Immutable - tick that box

Integrity must be protected to the highest level - tick that box, thanks to the Enterprise Blockchain Hash Mechanism and the Enterprise Blockchain Consensus Mechanism

Highest level of resilience and availability - tick that box thanks to the Distributed and Decentralised nature of the Enterprise Blockchain

DeCouples S/4HANA from the process, no need to S/4HANA API's to be exposed to 3rd Party Business Partner's Applications

This is why, Enterprise Blockchain is the enabler of trustable outcomes from Enterprise B2B Business Processes.

atkrypto.io what is a blockchain

But there's more than that, B2B Business Processes can produce a lot of data, and the volumes of data can be big.

And this is why, in this blog we take the Enterprise Blockchain Technology story one level further and we introduce the:

Enterprise Blockchain Wallet

Off-Chain Data Storage

In the Enterprise Blockchain Platforms, the Enterprise Blockchain Wallet is used for Off-Chain storage of big data and in the following paragraphs we will explain why.

What is the Enterprise Blockchain Wallet, and what is Off-Chain Data Storage and why would we use them and why do we need them ?

Blockchain is a very simple form of database atkrypto.io

But, Payroll can produce a lot of Data, and in large volumes which would be too big to be stored on the Enterprise Blockchain Database itself.

So, if we can't store the large photographs files in large quantities to the Enterprise Blockchain Database, then how, in an Enterprise Blockchain Platform do we store large files of Data ?

The Enterprise Blockchain Wallet enables us to store large Data, like large Files safely and securely off the chain, or 'Off-Chain'.

But if we store the large Data files Off-Chain in the Enterprise Blockchain Wallet, then how do we also have them some how on the Enterprise Blockchain Database ?

The configurable Enterprise Blockchain Wallet of the Enterprise Blockchain Platform looks like this:

Enterprise Blockchain Platform - Enterprise Blockchain Wallets - Configurable Enterprise Wallets - atkrypto.io

Ok, so we've got the large volumes of Data stored in the (configurable) Enterprise Blockchain Wallet, but what about securing the Data ? Obviously the Enterprise Blockchain Wallet storage location has built in security, for example the SAP HANA Cloud, the AWS S3 Buckets, but we need more than the out of the box security of these products, the reason we are using the Enterprise Blockchain Database is because of the amazing security strengths that it natively out of the box has, and so, what about the Enterprise Blockchain Wallet, doesn't the Enterprise Blockchain Platform have some cool super hard way of protecting the data in the Enterprise Blockchain Wallet ?

Well yes it does, this is the magic of Enterprise Blockchain Database 'Off-Chain' storage in the Enterprise Blockchain Wallet. This is so unique to Blockchain Technologies.

The data or the file in the Enterprise Blockchain Wallet gets hashed, and then, that hash is stored in the Enterprise Blockchain Database.

Enterprise Blockchain Wallet Data Hashes Stored in the Enterprise Blockchain Database - atkrypto.io

And this is why, for all of these reasons,

Trustable Enterprise B2B Business Processes depends on Data being stored in the Enterprise Blockchain

But that's not the end of the b2B Business Processes need Enterprise Blockchain.

As we showed at the beginning of the blog in this picture:

Enterprise Blockchain Multi Party Business Processes Data Sharing atkrypto.io

As the picture shows, we have an Enterprise Blockchain Database Tenant installed on a Server Host at the in your DataCenter, in your Network on your SAP BTP Kyma Service AND we have an Enterprise Blockchain Database Tenant installed on your B2B Business Partner's Network, if they are a SAP Customer then like you they can put it on the SAP BTP Kyma Service, if not they can run it on Kubernetes.

The consequence of this is that we have a distributed Enterprise Blockchain Database table which stretches from your DataCenter and Network where your S/4HANA is writing Data to it and stretches all the way across the Network to your Business Partner's DataCenter.

This means we have Enterprise Blockchain Data Protection from the source from your S/4HANA to the target your B2B Business Partner's It infrastructure enabling the trusted resilient reliable Business Processes to be completed.

At the same time, we are not exposing S/4HANA or the API's on the S/4HANA to any 3rd Party Applications.

We have digitally decoupled the S/4HANA from the Business Process.

Enterprise Blockchain as a Shared Common Single Source of Truth for Master and Transactional Data across Organisations with SAP BTP and atkrypto.io

To conclude this section, the Why to, B2B Business Processes and Enterprise Blockchain, B2B Business Process Data needs to safely replicated and trustable.

Enterprise Blockchain, due to its native super strong security strength when used as a store of Data enables B2B Business Processes to be both Secure, and Trustable.

And as we will see in the next section, it's not only about the Enterprise Blockchain being a common shared source of truth across Organisations, it's about digitally decoupling the S/4HANA from 3rd Party System Integrations and gradually ring fencing the S/4HANA away from being directly accessed by 3rd Party Systems as it is today with API's.

Section 3.0: The How is it, of B2B Business Processes and SAP, and Enterprise Blockchain

The goal of this blog was to show how instead of using the legacy fire and forget approach of replicating data to 3rd Party Business Partners, the Enterprise Blockchain can be deployed as a common shared single source of truth running, with an Enterprise Blockchain Tenant running close to your S/4HANA and another Enterprise Blockchain Tenant running close to your Business Partner's Application.

In this section of the blog we will show all of the possible potential Technical Solution Architectures which will enable you to implement this next generation approach to sharing Data with the highest level of Cyber Security already today.

As described above one of the many beauties of this approach is your S/4HANA writes to the Enterprise Blockchain and your Business Partner's Application reads from the same Enterprise Blockchain. This achieves a number of things including:

. Total Control - you have total control over the Data you are sharing with the Business Partner, and you know that as long as your Business Partner's Application reads the Data from the common shared source, the Enterprise Blockchain

. Ultimate Cyber Security - then you know the maximum has been done to minimise the chance for Cyber Security risks and the maximum has been done to protect originality, integrity, and confidentiality of the Data

. S/4HANA Digitally DeCoupled from the Business Process - and on top of this, the S/4HANA has been digitally disconnected from the Business Process, because no longer do any 3rd Party Applications directly call API's on the S/4HANA

In the Technical Solution Archecture there would be two main ways for getting the data from the S/4HANA and writing it to the Enterprise Blockchain, these would be:

. API's

. Events

In these Technical Solution Architecture examples we will prioritise using S/4HANA Events to write the Data to the Enterprise Blockchain, we will be sending the Event Notification and the Event Payload, we could of course draw the same Technical Solution Architecture with API's, but we prefer the Events for the simplicity and reduced call backs to the S/4HANA and therefore making the S/4HANA more Digitally DeCoupled and therefore, enabling the S/4HANA to be protected to the higher security level and exposed to less Cyber Security risk.

Ok, let's go with the Technical Solution Architectures, in these examples we will focus on the OutSourced Payroll as the integration and B2B Business Process Example.

What do we have and what do we need:

Your Company will need:

. S/4HANA

. SAP EM and preferably SAP AEM since it has richer Security and Event Payload size capabilities and can Publish Events from Non-SAP Enterprise Applications and connect to your Enterprise Event Mesh

. SAP BTP

. SAP BTP Kyma Runtime Service - this is where the Enterprise Blockchain Container will run

. Enterprise Blockchain Platform Software which can run on Kubernetes

. If there will be larger Data objects then you will need Large Storage for Large Data and the Enterprise Blockchain Wallet in the form of SAP HANA Cloud (Data Lake)

Your Business Partner will need:

. Obviously their Payroll Application

. Either SAP BTP with Kyma Runtime, or Servers which can run Kubernetes Containers

. n.b. there is an Optional Technical Solution Architecture where you simply allow your Business Partner to read data from your Enterprise Blockchain where the Enterprise Blockchain Platform is running exclusively on your BTP, we will show that Option as well

Technical Reference Solution Architecture for SAP S/4HANA and SAP SuccessFactors and OutSourced 3rd Party Payroll Provider using Enterprise Blockchain as a Common Shared Single Source of Truth for Data and the Ultimate Cyber Data Security for B2B Business Processes...

OutSourced Payroll Process B2B Business Processes with S4HANA and Ultimate Data Cyber Security thanks to Enterprise Blockchain atkrypto.io

In the next example, we have the same basic Technical Solution Architecture as the previous example, except, this Reference Use Case is ready for the Enterprise Blockchain needed to be able to handle large volumes of data and brings the Enterprise Wallet in to the picture. In the Enterprise Blockchain Platform the Enterprise Wallet storage is configurable and therefore could be SAP HANA Cloud (DataLake) or AWS S3 Buckets or other HyperScaler Data stores.

All of the other Cyber Security characteristics remain the same, S/4 is digitally decoupled from the Business Partner, Enterprise Blockchain is used as a common shared single source of truth for Master and Transactional Data, and the Enterprise Blockchain Tenants are running in both your DataCenter (AnyPremise) and the Business Partner's DataCenter (AnyPremise):

OutSourced Payroll Process B2B Business Processes with S4HANA and Ultimate Data Cyber Security thanks to Enterprise Blockchain & Enterprise Wallet atkrypto.io

The next example Reference Technical Solution Architecture is a little bit different, let's assume, for their own reasons, your Business Partner is not going to run an Enterprise Blockchain Tenant in their (AnyPremise) DataCenter.

This is still fine, you will set up the Enterprise Blockchain Platform in your DataCenter(s) (AnyPremise) and your B2B Business Partner, in this case the outsourced 3rd Party Payroll Vendor will simply use API's to read and write to and from your Enterprise Blockchain.

All of the other benefits of the design remain the same, all of the other next generation Data sharing Cyber Security characteristics are still there, S/4 is digitally decoupled from the Business Partner, Enterprise Blockchain is used as a common shared single source of truth for Master and Transactional Data.

Here it is:

OutSourced Payroll Process B2B Business Processes with S4HANA and Ultimate Data Cyber Security thanks to your Enterprise Blockchain atkrypto.io

Finally, we have the same Reference Technical Architecture as above, but to be able to cater for large volumes of Data we include the Enterprise Wallet in the design:

OutSourced Payroll Process B2B Business Processes with S4HANA and Ultimate Data Cyber Security thanks to Enterprise your Blockchain & Enterprise Wallet atkrypto.io

Ok let's wrap this up, the conclusions:

Ultimate Cyber Security for B2B Business Processes is Enterprise Blockchain, where the Enterprise Blockchain acts a common shared single source of truth for Data across Organisations

Enterprise Blockchain is:

. A Secure Store of Data

. A Secure Communication Channel for Data

. A Common Shared Single Source of Truth in your Organisation and across Organisations

. The next generation Data Integration is about having a Common Shared Single Source of Truth

The next generation Integrations don't replicate Data, that's legacy, the next generation Integrations use Enterprise Blockchain as a common shared single source of truth.

The configurable Enterprise Blockchain Wallet enables you to store Big Data 'Off-Chain' and the hashes of the Data are stored safely and securely on the Enterprise Blockchain Database.

So what are we waiting for ? Oh yeah, deep dive in to more use cases, ok, that will be the next blog.

What do you think, are the words Blockchain, Web3, Distributed Ledger Technology, starting to appear in your Company's visions and technology visions ? What use cases are you looking at ? Let's chat about it in the comments.

For now, over and out.

Andy Silvey.

Independent SAP Technical Architect and CEO of atkrypto.io

Author Bio:

Andy is also co-Founder of atkrypto inc, an startup whose ambition is to make Blockchain easy for Enterprise.

atkrypto.io's flagship product is the atkrypto Enterprise Blockchain Platform for SAP, and atkrypto.io is a SAP Partner Edge Open EcoSystem Partner.

All of this makes atkrypto,io the DePIN Decentralised Physical Infrastructure Network solution for Enterprise.

atkrypto is one of the Next20 startups being featured at TM Forum's DTW Ignite in Copenhagen in June

If you will be at DTW24 come and talk to us about Cyber Security of SAP Data with Enterprise Blockchain.

Installing SAPRouter on Linux: A Step-by-Step Guide

2024-05-11T15:55:48.753000+02:00

What is SAP Router ?

SAPRouter is a software component used to secure communication between SAP systems and the internet. Installing SAPRouter on Linux is a crucial step in ensuring secure communication for your SAP landscape. This step-by-step guide will walk you through the installation process.

Prerequisites:

- Linux server (e.g., CentOS, Ubuntu)

- Root access to the server

- SAPRouter software package downloaded from the SAP Support Portal

Step 1: Download SAPRouter:

Download the SAPRouter software package from the SAP Support Portal. Ensure that you download the correct version for your operating system.

Step 2: Extract the SAPRouter Package:

Transfer the downloaded SAPRouter package to your Linux server. Use the following command to extract the package:

tar -xvf saprouter_<version>_linux_x86_64.tar.gz

Step 3: Create a Directory for SAPRouter:

Create a directory to store the SAPRouter files. You can use the following command to create the directory:

mkdir /usr/sap/saprouter

Step 4: Copy SAPRouter Files:

Copy the extracted SAPRouter files to the newly created directory:

cp -R <path_to_extracted_files>/saprouter /usr/sap/saprouter

Step 5: Create a Configuration File:

Create a configuration file named `saprouter.ini` in the `/usr/sap/saprouter` directory. Here's a basic example of the configuration file:

# SAProuter Configuration File

version = 39

httpport = 81

tracefile = /usr/sap/saprouter/saprouter.trc

authid = *

permit = *

Step 6: Set Permissions:

Ensure that the SAPRouter binary and configuration files have the correct permissions:

chmod 755 /usr/sap/saprouter/saprouter

chmod 644 /usr/sap/saprouter/saprouter.ini

Step 7: Start SAPRouter:

Start the SAPRouter using the following command:

/usr/sap/saprouter/saprouter -r -R /usr/sap/saprouter/saprouter.ini

Step 8: Verify SAPRouter Status:

Verify that SAPRouter is running and listening on the specified port (e.g., 81):

netstat -tuln | grep 81

Step 9: Configure Firewall:

Configure your firewall to allow incoming and outgoing traffic on the SAPRouter port (e.g., 81) to ensure proper communication.

Step 10: Configure SAP Systems:

Update the `secinfo` file of your SAP systems to include the SAPRouter details for communication through the SAPRouter.

Overall information:

By following these steps, you can successfully install SAPRouter on your Linux server. This will help secure communication between your SAP systems and the internet, ensuring the integrity and confidentiality of your SAP landscape.

#SAP #SAPRouter #Linux #Installation SAP Young Thinkers #Red Hat Enterprise Linux SUSE Linux Enterprise Server SAP Women in Tech SAP Integration Suite SAP Business Application Studio @Muthumayandi_Yadava @Subramanian @Sap @YejinYun

Configuration as code (CaC) with destinations.

2024-05-13T12:54:57.123000+02:00

Configuration as code (CaC) with destinations.

Destinations are very handy and powerful mechanism to facilitate access to target systems and devices.

When it comes to SAP BTP destinations, the idea is to manage both subaccount and instance level destinations (and/or their certificates) as shared configuration resources on a provider subaccount level.

That way, the destinations configurations can be stored as versioned assets in a source repository and need to be maintained only once per provider, thus, without incurring application runtime tie-in.

Last but not least, BTP destination service is used as a self-configuration tool.

Configuration as code with SAP BTP destination service

Table of Contents

Configuration as code with SAP BTP destination service.

create shared destination service instance and binding.

Provision bootstrap destinations.

Configure destination resources.

Documentation.

PS.

Bootstrap destinations definitions.

Even, if there is no intrinsic BTP CLI command to assist in creation of destinations from service bindings, this can be achieved quite easily with a bit of jq gimmick by applying service binding credentials to a json payload template, for instance:

{
    "init_data": {
        "subaccount": {
            "destinations": [
                  {
                    "Description": "dest-httpbin",
                    "Type": "HTTP",
                    "clientId": "sb-clone12847c4c89544b4f9234b26ede429f62!b282590|destination-xsappname!b62",
                    "HTML5.DynamicDestination": "true",
                    "HTML5.Timeout": "60000",
                    "Authentication": "OAuth2ClientCredentials",
                    "Name": "dest-httpbin",
                    "tokenServiceURL": "https://<subdomain>.authentication.us10.hana.ondemand.com/oauth/token",
                    "ProxyType": "Internet",
                    "URL": "https://httpbin.org",
                    "tokenServiceURLType": "Dedicated",
                    "clientSecret": "<clientSecret>"
                  },
                  {
                    "Description": "SAP Destination Service APIs",
                    "Type": "HTTP",
                    "clientId": "sb-clone12847c4c89544b4f9234b26ede429f62!b282590|destination-xsappname!b62",
                    "HTML5.DynamicDestination": "true",
                    "HTML5.Timeout": "60000",
                    "Authentication": "OAuth2ClientCredentials",
                    "Name": "destination-service",
                    "tokenServiceURL": "https://<subdomain>.authentication.us10.hana.ondemand.com/oauth/token",
                    "ProxyType": "Internet",
                    "URL": "https://destination-configuration.cfapps.us10.hana.ondemand.com/destination-configuration/v1",
                    "tokenServiceURLType": "Dedicated",
                    "clientSecret": "<clientSecret>"
                  }
            ],
           "certificates": [
           ],

            "existing_certificates_policy": "update",
            "existing_destinations_policy": "update"           
       }
   }
}

Alternatively, one could resort to using SAP Cloud SDK built-in service binding destinations.

The below nodejs code snippet demonstrates how to leverage SAP Cloud SDK with its service binding destinations with the likes of service manager and destinations services.

apiVersion: serverless.kyma-project.io/v1alpha2
kind: Function
metadata:
  name: {{ .Values.services.srv.name }}
  labels:
    {{- include "app.labels" . | nindent 4 }}
    app: {{ .Values.services.srv.name }}
spec:
  runtime: {{ .Values.services.srv.runtime }}
#  runtimeImageOverride: {{ .Values.services.srv.runtimeImageOverride }}
  source:
    inline:
      dependencies: |
        {
          "name": "{{ .Values.services.srv.name }}",
          "version": "0.0.1",
          "dependencies": {
            "axios":"latest"
            ,"debug": "latest"
            ,"@sap/xsenv": "latest"
            ,"@sap-cloud-sdk/http-client": "latest"
            ,"@sap-cloud-sdk/connectivity": "latest"
            ,"@sap-cloud-sdk/resilience": "latest"
            ,"async-retry": "latest"
          }
        }
      source: |
        const debug = require('debug')('{{ .Values.services.srv.name }}:function');
        const NOT_FOUND = 'Not Found';
        const xsenv = require('@sap/xsenv');

        const services = xsenv.getServices({
          sm: { label: 'service-manager', name: 'saas-sm' }
          ,
          dest: { label: 'destination' }

        });
        console.log('saas-sm: ', services.sm);

        const readServices = xsenv.readServices();
        console.log('readServices: ', readServices);

        const httpClient = require('@sap-cloud-sdk/http-client');

        const cloudSdkConnectivity = require('@sap-cloud-sdk/connectivity');
        const { retrieveJwt, decodeJwt, Destination } = require('@sap-cloud-sdk/connectivity');
        const { setGlobalLogLevel, createLogger } = require('@sap-cloud-sdk/util');
        const { retry } = require ('@sap-cloud-sdk/resilience');
        const { resilience } = require ('@sap-cloud-sdk/resilience');
        const ResilienceOptions = {
          retry: 10,
          circuitBreaker: false,
          timeout: 300*1000 // 5 minutes in milliseconds
        };          

        const retryme = require('async-retry');

        setGlobalLogLevel('debug');
        const logger = createLogger('http-logs');

        module.exports = {
          main: async function (event, context) {
            const req = event.extensions.request;

            const message = `Hello World`
              + ` from the Kyma Function ${context['function-name']}`
              + ` running on ${context.runtime}!`
              + ` with the request headers ${JSON.stringify(req.headers,0,2)}`;
            console.log(message);
            
            if (typeof req.path !== undefined) {
              console.log('path: ', JSON.stringify(req.path,0,2))
            }
            if (typeof req.params !== undefined) {
              console.log('params: ', JSON.stringify(req.params,0,2))
            }
            if (typeof req.url !== undefined) {
              console.log('url: ', JSON.stringify(req.url,0,2))
            }
            if (typeof req.authInfo !== undefined) {
              console.log('authInfo: ', JSON.stringify(req.authInfo,0,2))
            }

            const { pathname } = new URL(req.url || '', `https://${req.headers.host}`)
            console.log('pathname: ', pathname)

            const url = require("url");
            var url_parts = url.parse(req.url);
            console.log(url_parts);
            console.log(url_parts.pathname);

            // returns an array with paths
            let path_array = req.url.match('^[^?]*')[0].split('/').slice(1);
            console.log(path_array)

            console.log(req.url.match('^[^?]*')[0])

            if (!path_array?.length) return 'Please use an API verb';  
            const actions = [ 
               { name: 'offerings', verb: 'service_offerings', dest:  'saas-sm', url: '/v1/' },
               { name: 'plans', verb: 'service_plans', dest:  'saas-sm', url: '/v1/'  },
               { name: 'instances', verb: 'service_instances', dest:  'saas-sm', url: '/v1/'  },
               { name: 'bindings', verb: 'service_bindings', dest:  'saas-sm', url: '/v1/'  },
               { name: 'instanceDestinations', verb: 'instanceDestinations', dest:  'faas-dest-x509', url: '/destination-configuration/v1/'  },
               { name: 'subaccountDestinations', verb: 'subaccountDestinations', dest:  'faas-dest-x509' , url: '/destination-configuration/v1/' }
            ];
            
            const action = actions.find( ({ name }) => name === path_array[1] )
            console.log('action found: ', action)

            if (path_array[0] == 'srv' &&  action !== undefined) {

              path_array = req.url.match('^[^?]*')[0].split('/').slice(2);

              console.log('path_array: ', path_array)

              const queryString = req.query;
              console.log('queryString: ', queryString)
              const urlParams = new URLSearchParams(queryString);

              const params = req.params;
              console.log('params: ', params) 

              try {
                  // https://sap.github.io/cloud-sdk/docs/js/features/connectivity/destinations#service-binding-environment-variables
                  const endpoint =  path_array[1] !== undefined ? '/' + path_array[1] : '';
                  console.log(endpoint)
                  let res = await httpClient.executeHttpRequest({ destinationName: action.dest }, {
                      method: 'GET',
                      url: action.url + action.verb + endpoint
                  });
                  return res.data;
              } catch (err) {
                  console.log(err.stack);
                  return err.message;
              }
              
            }            
          }
        }
   scaleConfig:
    maxReplicas: 5
    minReplicas: 3
  resourceConfiguration:
    function:
      profile: S
  env: ## https://kyma-project.io/docs/kyma/latest/05-technical-reference/00-configuration-parameters/svls-02-environment-variables/#node-js-runtime-specific-environment-variables
    - name: FUNC_TIMEOUT ## Specifies the number of seconds in which a runtime must execute the code.
      value: '1800'
    - name: REQ_MB_LIMIT ## payload body size limit in megabytes.
      value: "10"

    - name: DEBUG
      value: '{{ .Values.services.srv.name }}:*'
    - name: SERVICE_BINDING_ROOT
      value: /bindings
    

  secretMounts: 
    - secretName: {{ .Values.services.sm.bindingSecretName }}
      mountPath: "/bindings/saas-sm"
    - secretName: {{ .Values.services.dest.bindingSecretNamex509 }}
      mountPath: "/bindings/faas-dest-x509"

RingFencing & DeCoupling S/4HANA with Enterprise Blockchain and SAP BTP - Ultimate Cyber Security 🚀

2024-05-14T13:56:58.227000+02:00

tl;dr

As part of S/4HANA Transformation Programs, Security, Accessibility, Resilience are being re-imagined.

The going in position for a lot of S/4HANA Transformation Programs includes the Cyber Security principles:

Only Employees will have direct access to the Digital Core as End Users
There will be no direct access to the Digital Core by 3rd Party Applications

The first principle, 'Only Employees will have direct access to the Digital Core as Users', decoupling the SAP system for External Users has been an architectural design pattern for more than a decade. For example, due to the extremely sensitive and confidential nature of Product LifeCycle Management Data, 13 years ago SAP were advocating, building an empty SAP PLM system in the DMZ which would use RFC's to communicate with the actual SAP PLM system in the Secure Network Zone:

The beauty of this design is that it decouples End User Access from the core SAP PLM system, therefore enhancing the security protection of the SAP PLM system.

Today's equivalent of that is to put the SAP Build Work Zone Launchpad in front of the S/4HANA Digital Core.

That is fine, that means the Digital Core is digitally decoupled for End Users, but what about Machine to Machine, Application to Application, 3rd Party Applications which want to get Data from the S/4HANA ?

Do you really want 3rd Party Companies calling APIs on your Digital Core - atkrypto.io

When a 3rd Party Company calls an API on your S/4HANA Digital Core, you are replicating your Data to that 3rd Party Company.

How can the S/4HANA Digital Core be decoupled when 3rd Party Applications need to get Data from the S/4HANA, how can the S/4HANA Digital Core be architected in such a way that there are no Machine to Machine calls directly to the S/4HANA for the purpose of getting Data ?

As elaborated in more detail in a previous blog, API's enable your Data to be replicated to 3rd Party Applications which can also be in 3rd Party Partner Companies, and this brings a set of problems centered around:

As ever, the pattern is the same, the theme is the same,

it's all about the Data

what are the security, sensitivity, confidentiality, availability, criticality requirements of the Data

Ring Fencing S/4HANA raises the Cyber Security by reducing the attack surface.

The most secure way is with Enterprise Blockchain as a Data Ring Fence around the S/4HANA Digital Core, therefore digitally decoupling access and integration of the S/4HANA Data from other Applications.

The Enterprise Blockchain is:

. Ring Fencing of the S/4HANA

. S/4HANA does not expose API's directly to any 3rd Party Companies

. A Secure Store of Data

. A Secure Communication Channel for Data

. A Common Shared Single Source of Truth in your Organisation and across Organisations

. The next generation Data Integration is about having a Common Shared Single Source of Truth

The S/4HANA Ring Fencing with Enterprise Blockchain as a shared single source of truth could involve the Enterprise Blockchain running on your SAP BTP Kyma Runtime and at the same time running on Kubernetes Servers in your Business Partner's Data Center:

S4HANA RingFenced by Enterprise Blockchain S4HANA does not expose any APIs directly to 3rd Party Companies Ultimate Cyber Security - atkrypto.io

Or alternatively the S/4HANA Ring Fencing with Enterprise Blockchain could be where the Enterprise Blockchain is running on your SAP BTP Kyma Runtime and your 3rd Party Business Partner Company reads the Data from your Enterprise Blockchain on your SAP BTP Kyma Runtime as a shared common single source of truth for the Data:

S4HANA RingFenced by your own Enterprise Blockchain S4HANA does not expose any APIs directly to 3rd Party Companies Ultimate Cyber Security - atkrypto.io

Read on for the full story... 🚀

Introduction

The reason I am so interested in this is I have been securing availability and accessibility of SAP systems for the last 25 years, and back in 2013 I wrote this blog about "Alternatives for Securing Internet Facing Applications".

There is so much to talk about on this subject, let's get in to it. Back in 2013 at a Customer, we were looking at Ring Fencing critical systems.

Back then the focus was on DeCoupling the SAP system where End User access was required from people coming in from the Internet, infact the reasons for the RingFencing were centered around:

Access - Authentication & Authorisation
Storage of Data
Communication Channels
DeCoupling especially for Internet Collaboration

The DeCoupling for Internet Collaboration was based around SAP's SAP PLM Reference Architecture,

and the SAP PLM Technical System Landscape recommendation:

Fast forward to today, and SAP Customers have the luxury that the worry of securing End User Internet Access to their SAP systems is outsourced to SAP through the implementation of the SAP BTP Build Work Zone Launchpad. It should not go unnoticed that when you implement the SAP BTP Build Work Zone Launchpad Service, you also don't have to care for Web Access Firewalls and the Security of Internet Access.

But what about API's, what about System to System, Machine to Machine ? What about Integrations ? What about when Non-SAP Applications in your Company or other Companies need data from the S/4HANA ?

S/4HANA has a rich collection of API's which is always growing, but, should Applications from your Partner Companies call API end points on the S/4HANA Digital Core ?

Should 3rd Party Applications, and 3rd Party Partner's Applications be directly accessing the Digital Core S/4HANA API's ?

Regardless of whether the S/4HANA is an [Any]OnPremise, S/4HANA RISE Private Cloud Edition, S/4HANA Public Cloud Edition, should 3rd Party Applications be allowed to directly call API's on your S/4HANA ?

Let's take the S/4HANA Business Partner API, should Applications from your Partner Companies be allowed/able to call this API on your Digital Core S/4HANA to retrieve changes to Business Partner Data ?

Legacy API Integrations calling S4HANA API and Replicating Data to 3rd Party Company Applications - atkrypto.io

If you have doubts or think the answer is no, then read on, there is a solution, it is very nice, and very easy, and very secure.

One of the biggest Cyber Security threats to your Data and therefore your Operations and therefore your Business, is allowing 3rd Party Applications from 3rd Party Companies to call Data from API's on your S/4HANA Digital Core, and then, replicate your Data to Servers in their Company.

As ever, the pattern is the same, the theme is the same,

it's all about the Data

what are the security, sensitivity, confidentiality, availability, criticality requirements of the Data

Like the other blogs in this series, this blog is going to break the subject down in to three sections:

Section 1.0: The What is it of RingFencing and DeCoupling S/4HANA, and Enterprise Blockchain

Section 2.0: The Why is it, of RingFencing and DeCoupling S/4HANA, and Enterprise Blockchain

Section 3.0: The How is it, of RingFencing and DeCoupling S/4HANA, and Enterprise Blockchain

In case you missed them, the previous blogs in this series are here:

Why I love SAP and Blockchain Databases and why you should too 🚀

SAP Enterprise Architecture: Positioning Blockchain Database as an Enterprise Technology Standard 🚀

SAP Enterprise Architecture: Let the Use Case find the Blockchain 🚀

Oil & Gas - Ultimate Data Security - Blockchain Data Backbone from OT to SAP IT 🚀

The What Is... The Why To... The How To... of: ESG & SAP & Enterprise Blockchain 🚀

BCP: Business Continuity Planning for SAP S/4HANA - made easy with Enterprise Blockchain 🚀

Trustable AI thanks to - SAP AI Core & SAP HANA Cloud & SAP S/4HANA & Enterprise Blockchain 🚀

IoT - Ultimate Data Cyber Security - with Enterprise Blockchain and SAP BTP 🚀

B2B Business Processes - Ultimate Cyber Data Security - with Blockchain and SAP BTP 🚀

Section 1.0: The What is it of RingFencing and DeCoupling S/4HANA, and Enterprise Blockchain

What is RingFencing ? There is a very nice description here:

RingFencing is about isolating Data, away from the most important SAP system, the S/4HANA Digital Core.

DeCoupling, the word DeCoupling has a number of meanings in Enterprise IT. What we are talking about here in the case of the S/4HANA Digital Core and Data access by 3rd Party Company Applications is that we are DeCoupling the Data access away from directly on the S/4HANA, by DeCoupling we are making the S/4HANA Data indirectly accessible.

It can be thought that if we are RingFencing, or Isolating, or DeCoupling the S/4HANA Data away from the S/4HANA then we are creating another copy of the Data, another Replica of the Data, which is true, we are, and that is the same as when Data is replicated to 3rd Party Systems via API, whichever way you look at it, the ultimate goal is a Replica of the S/4HANA Data which is available and accessible to the 3rd Party Company Application for the reasons of that Application of Business Transaction.

We can replicate the Data using an S/4HANA API to the 3rd Party Company Application and lose all control of the Data and also have to deal with how to secure Authentication and Authorisation and Network Access to the API, or we can replicate to our own RingFenced isolated trusted location.

SAP S4HANA RingFenced DeCoupled Data Cyber Security Principles - atkrypto.io

What about the Enterprise Blockchain, what is Enterprise Blockchain ?

Enterprise Blockchain is:

. a Secure Store

. a Secure Communication Channel

. A Common Shared Single Source of Truth in your Organisation and across Organisations

. The next generation Data Integration is about having a Common Shared Single Source of Truth

In these previous blogs, I made a deep dive in to what Enterprise Blockchain is and why we should be positioning it in our Enterprise Architecture:

Why I love SAP and Blockchain Databases and why you should too 🚀

SAP Enterprise Architecture: Positioning Blockchain Database as an Enterprise Technology Standard 🚀

SAP Enterprise Architecture: Let the Use Case find the Blockchain 🚀

S4HANA RingFenced by Enterprise Blockchain S4HANA does not expose any APIs directly to 3rd Party Companies Ultimate Cyber Security - atkrypto.io

and in a nutshell, Enterprise Blockchain is:

. The Digital Transformation of Information Security into Cyber Security

. The Next Generation Data Integrity, Originality, Confidentiality Protection

. Re-imagining Information Security

. Natively, out of the box, due to its special characteristics the strongest, hardest, most resilient Enterprise Database product

To wrap up this section:

. RingFencing is about isolating and protecting Data

. Enterprise Blockchain is about Cyber Security of Data

Section 2.0: The Why is it, of RingFencing and DeCoupling S/4HANA, and Enterprise Blockchain

Why would we want to RingFence and DeCouple S/4HANA, the Digital Core from 3rd Party systems which legitimately need S/4HANA Data ?

The answer is simple, Cyber Security, Cyber Threats.

Not so long ago, the focus was on High Availability and Disaster Recovery, the biggest threat was the system going down and not coming back.

Today, things have changed, and the biggest threat is a malicious actor rendering our business Data unusable.

Today we know we can buy new servers, we know we can get a Data Center up and running, but how do we repair Data which has been maliciously rendered unusable ? Think about the Ransomware attack.

So what is ring fencing and why do we need to do it ?

Ring Fencing is about reducing exposure to Cyber Threats.

What are the biggest easiest ways that we can reduce exposure to Cyber Threat ?

Stop 3rd Party Companies from calling API's on the S/4HANA Digital Core.

Stop publishing API's for 3rd Party Application access on the S/4HANA Digital Core.

Stop doing this: