Table of Contents:

1 General Prerequisites
- 1.1 SAP NetWeaver release
- 1.2 Open Ports
- 1.3 Java connector
- 1.4 Azure BLOB storage
- 1.5 Master Key
- 1.6 Connection information
- 1.7 Create Schema
- 1.8 Create DB user
  - 1.8.1 a) OAuth 2.0 authentication
  - 1.8.2 b) Database user authentication
- 1.9 Download the JDBC driver for the SQL server
2 Create Azure SQL storage in Storage Management
- 2.1 a) oAuth 2.0 Authentication
- 2.2 b) JDBC user/password authentication

Storage management supports SQL Database in Azure. Storage Management automatically creates Azure SQL tables and can load them with data when used in combination with Azure BLOB. It can also be used to query data back to SAP.

General Prerequisites

SAP NetWeaver release

Storage management requires SAP ABAP stack NW 7.01 SP15 or higher.

Open Ports

To enable communication between SAP systems and Azure, outbound communication from the SAP system to the following ports on the Azure side needs to be allowed:

Port	Protocol	Target

Port	Protocol	Target
1433	TCP	Database host FQDN (e.g. azuresql01.database.windows.net)
80/443	HTTP/HTTPS	Azure BLOB endpoint (e.g. azureblob01.blob.core.windows.net)

Storage Management allows encrypted communication through the public internet with Azure services, but for production deployment, it is recommended to have some kind of secure connectivity in place (VPN, Private Link, Private endpoints).

Java connector

Java connector is a critical middle-ware component used for communication between SAP and Azure SQL. Follow the installation steps described in the Java Connector Setup.
The minimum required Java connector version is 222.

and library version supporting msal4j library (optional for OAuth 2.0 Authentication)

Azure BLOB storage

Azure BLOB storage is required as intermediate storage during data transfer. Follow this guide to create the storage Azure BLOB.

Master Key

To allow BULK INSERT into database tables from the BLOB container, Azure SQL needs to store Database Scoped Credentials.
SAS token used for authentication to BLOB container is used for creation or update of these credentials, but to store this sensitive information securely, Azure SQL requires the use of a Master Key.
This can be simply created by executing a query:

CREATE MASTER KEY;

Specific passwords can be chosen during Master Key creation.
More information in the official Microsoft documentation CREATE MASTER KEY (Transact-SQL) - SQL Server.
For Azure SQL Database, this is to be done on the level of a particular database instead of the master.
The reason is that the root is a certificate controlled and managed by the Azure SQL Database service, which means that management for the keys is simplified to the database-scoped key hierarchy.
More information can be found in the chapter Recommendations for using Cell Level Encryption in Azure SQL Database.

Connection information

To get connectivity details for your Azure SQL database, in the Azure portal managing interface select Overview and navigate to Show database connection strings:

Note the highlighted sqlserver hostname and database name.

Create Schema

It is recommended to create a separate schema for every SAP system connected to the database.
This action is not mandatory, as the default DBO schema can be used if there will be a 1:1 relation between the SAP system and the whole Azure SQL DB.

Create DB user

There are two authentication options:

a) OAuth 2.0 authentication

To use OAuth authentication, there needs to be an application registration resulting in Tenant ID, Client ID, and Secret strings. OAuth profile setup is documented in OAuth 2.0 Authentication.
Afterward, the registered application Display Name can be added as a DB user:

CREATE USER [app-glue-connector] FROM EXTERNAL PROVIDER; // app-glue-connector is an example Azure AD app. registration
EXEC sp_addrolemember 'db_owner', 'app-glue-connector';

To enable OAuth 2.0 authentication from the SAP side, an OAuth RFC destination needs to be created.

b) Database user authentication

The other option is to use authentication using a standard database user. You can use the built-in admin created during pool creation, or a dedicated technical user created later on.

// For SQL editions with master database, create login in master
CREATE LOGIN "app-glue-connector" WITH PASSWORD = 'FovAy>pCYW%%WX'; // create your technical user and password

//switch to the working database
CREATE USER "app-glue-connector" FOR LOGIN "app-glue-connector";  
EXEC sp_addrolemember 'db_owner', 'app-glue-connector';

// For AzureSQL serverless without master database
CREATE USER "app-glue-connector" WITH PASSWORD = 'My#Strong1#Password';

EXEC sp_addrolemember 'db_owner', 'app-glue-connector';

Download the JDBC driver for the SQL server

Download the JDBC driver from the MS JDBC Download site. Upload the .jar file to the sub-directory under /sapmnt filesystem, so it is available to each application server.
The default directory for the driver is /sapmnt/<SID>/global/security/dvd_conn/mssql/, but it can be changed freely, as long as every application server will have access to it via the same SAP logical path/file.
The default SAP logical file (of type DIR) used to address the directory with JDBC driver is /DVD/DEF_MSSQL_DRIVER.

Create Azure SQL storage in Storage Management

You can choose between two authentication methods: database user/password, and oAuth2.0 credentials. For production environments, it is recommended to use oAuth.

Go to transaction /DVD/SM_SETUP
Create new storage of type AZURE_SQL

a) oAuth 2.0 Authentication

Storage ID	Logical identifier of the storage (maximum 10 characters)
Referenced storage	Azure BLOB storage ID serving as staging directory during data transfer
Storage credentials	Type of storage credentials used to establish connection between Azure SQL and Blob storage. Supported types: (default) Inherit from referenced storage - SAS token used in Blob storage will be used Azure SQL Managed identity - System Assigned Managed Identity (SAMI) of Azure SQL will be used. This is useful in serverless Azure SQL deployments as it allows you to whitelist a connection from Azure SQL to Private endpoint of a storage account.
Java connector RFC	RFC destination for communication with Java connector
Java call repeat	Number of times failed JDBC calls are repeated
Repeat delay (seconds)	Delay between repeated JDBC calls
Dedicated SQL endpoint	Database server name as specified in JDBC connection details
JDBC Port	Port for the JDBC connection, 1433 is currently a fixed port number
Database name	Database name as specified in JDBC connection details
Database schema	Database schema to be used (default is DBO)
Enable update	Enables merge on same key entries
Use extended escaping	Encapsulates data contents in special characters to avoid possible problems during BULK INSERT to Azure SQL table
Use clustered primary key	Using clustered or non-clustered primary key
Append package	Append packages into one CSV files and not one CSV file per package
Driver path	SAP Logical path defined via transaction FILE. Consists of the concatenation of Logical File Path and Logical File Name. Example:
Login timeout (seconds)	Time interval in seconds during which the JDBC driver is trying to establish a connection
Fetch Size	Default size of fetch rows from the server using by JDBC driver (e.g. 500)
Hints	Additional parameters added to the JDBC connection string
Connection pool size	Size of connection pool used by connection pooling in JCo
Bulk hints	Parameters used during BULK INSERT during data commit
OAuth 2.0 profile	Profile for OAuth 2.0 setup

b) JDBC user/password authentication

All configuration is identical as in a), only the Authentication part is switched to Use JDBC User/Password, and actual credentials are filled in.
Password can be typed in and converted to a hash string to avoid direct visibility.

SNP

(SM-2402) Azure SQL