SAP Multi-Bank Connectivity Architecture Introduction 2020

SAP Multi-Bank Connectivity
Architecture Overview
Kolja Ewering
March 2020
PUBLIC
Disclaimer
The information in this presentation is confidential and proprietary to SAP and may not be disclosed without the permission
of SAP. Except for your obligation to protect confidential information, this presentation is not subject to your license
agreement or any other service or subscription agreement with SAP. SAP has no obligation to pursue any course of
business outlined in this presentation or any related document, or to develop or release any functionality mentioned therein.
This presentation, or any related document and SAP's strategy and possible future developments, products and or platforms
directions and functionality are all subject to change and may be changed by SAP at any time for any reason without notice.
The information in this presentation is not a commitment, promise or legal obligation to deliver any material, code or
functionality. This presentation is provided without a warranty of any kind, either express or implied, including but not limited
to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This presentation is for
informational purposes and may not be incorporated into a contract. SAP assumes no responsibility for errors or omissions
in this presentation, except if such damages were caused by SAP’s intentional or gross negligence.
All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements,
which speak only as of their dates, and they should not be relied upon in making purchasing decisions.
© 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC
Architecture Layers
System Overview

Infrastructure:
• Based on SAP HANA Cloud Platform
• Virtualization and scalability
• Test and production systems
• Multi-tenancy with strict isolation
• Multiple services, e.g. Persistency, Identity Management, Key Management
• (Java) application development on top

Technical Communication:
• Various connectivity options (e.g. https, sftp)
• High security (multiple security layers)
• Reliable messaging: "at-least-once" quality
• Bidirectional with multiple communication patterns (e.g. push-push, push-pull)

Integration capabilities, e.g.:
• Routing
• Mapping
• Security Protocol Mediation
Protocol Layers
(roughly based on OSI layers)

Protocol Layer      | Used technology                                         | Remarks
6. Application      | Predefined set of industry standard message formats (1) | Mapping done in the ERP system
5. Security         | PKCS#7 -or- PGP -or- XML Digital Signature              | Certificates exchanged during onboarding
4. Message          | Message format                                          | Message format supports technical header, security and bulks
3. Session          | TLS-https-WS / XI -or- SSH-sftp-file -or- AS2           |
2. Transport        | TCP/IP                                                  | (none)
1. Network/Physical | Internet                                                | (none)

1 = e.g.: ISO20022 (native, CGI, SEPA), SAP IDoc (PEXR), Swift MT
2 = available in pull scenario for corporates; in discussion for banks
Application Layer
Example: ISO 20022 Message Types

SAP CDG
▪ 15 selected banks, e.g. HSBC, Citibank, RBS
▪ Purpose: Develop mappings of CGI guidelines of all 6 CGI profiles to SAP internal data fields
▪ Deliverables: Individual maps – DMEE/PMW XML format, PI XML schema, Excel spreadsheet, or other

ISO20022 CGI
▪ Financial institutions and non-financial institutions (corporate organizations, corporate associations, etc.)
▪ Purpose: Simplify implementation for corporate users, focus on localization (country-specific rules and laws)
▪ Deliverables: CGI message implementation templates (profiles)

ISO20022
▪ ISO TC68 (Financial Services) members, see http://www.iso20022.org/
▪ Purpose: Common platform for development of messages
▪ Deliverables: UML-based modeling methodology, central directory, 20022 XML
Application Layer
Example: ISO 20022 pain.001 Payment with two Transactions

<Document xmlns="urn:iso:std:iso:20022:tech:xsd:pain.001.001.03"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="urn:iso:std:iso:20022:tech:xsd:pain.001.001.03 sap_pain.001.001.03.xsd">
  <CstmrCdtTrfInitn>
    <GrpHdr>
      <MsgId>MID-SAP-EBA-SCT-812-001</MsgId>
      <CreDtTm>2009-10-27T08:30:47Z</CreDtTm>
      <NbOfTxs>2</NbOfTxs>
      <InitgPty>
        <Nm>Deutsche Wunschbank AG</Nm>
      </InitgPty>
    </GrpHdr>
    <PmtInf>
      <PmtInfId>PID-SAP-EBA-SCT-812-001-A</PmtInfId>
      <PmtMtd>TRF</PmtMtd>
      <ReqdExctnDt>2009-11-26</ReqdExctnDt>
      <Dbtr>
        <Nm>Max Mustermann</Nm>
      </Dbtr>
      <DbtrAcct>
        <Id>
          <IBAN>DE49900100000001000023</IBAN>
        </Id>
      </DbtrAcct>
      <DbtrAgt>
        <FinInstnId>
          <BIC>WOWIDES1</BIC>
        </FinInstnId>
      </DbtrAgt>
      <CdtTrfTxInf>
        <PmtId>
          <EndToEndId>E2EID-SAP-EBA-SCT-812-001-A1</EndToEndId>
        </PmtId>
        <Amt>
          <InstdAmt Ccy="EUR">5.10</InstdAmt>
        </Amt>
        <CdtrAgt>
          <FinInstnId>
            <BIC>DRESDEFFXXX</BIC>
          </FinInstnId>
        </CdtrAgt>
        <Cdtr>
          <Nm>DEGUDENT GMBH</Nm>
        </Cdtr>
        <CdtrAcct>
          <Id>
            <IBAN>DE27500800000090521500</IBAN>
          </Id>
        </CdtrAcct>
        <RmtInf>
          <Ustrd>VZW unstrukturiert SAP-EBA-SCT-812-001-A1</Ustrd>
        </RmtInf>
      </CdtTrfTxInf>
    </PmtInf>
    <PmtInf>
      … 2nd transaction …
    </PmtInf>
  </CstmrCdtTrfInitn>
</Document>
Security Layer
Example: Payload Security with PKCS#7 / CMS

Public-Key Cryptography Standard #7
Cryptographic Message Syntax (= successor to PKCS#7)
Mature public standard: IETF RFC 2315 / 5652 – used by S/MIME
(PKCS#7 http://tools.ietf.org/html/rfc2315 / CMS http://tools.ietf.org/html/rfc5652)
PKCS#7 is available in SAP ECC systems from early releases on
(http://help.sap.com/saphelp_nw73/helpdata/en/5c/f311370ceae904e10000009b38f936/frameset.htm)

PKCS#7 allows a variety of content types inside the message:
▪ Signed data
▪ Enveloped (= encrypted) data
▪ One-step SignedAndEnveloped data, or a sequence of signed and enveloped data

SAP Multi-Bank Connectivity can send and receive payload as PKCS#7 message (signed and encrypted content, certificates inside)
Additional security layer above TLS or SSH
Signature can be used for debit account authorization check
Security Layer
Payload Security Alternatives

As an alternative to the standard payload security via PKCS#7, SAP Multi-Bank Connectivity also supports PGP and XML Digital Signature
▪ Pretty Good Privacy (PGP)
  – Based on OpenPGP standard (http://tools.ietf.org/html/rfc4880)
  – Signature + encryption
▪ XML Digital Signature
  – Based on W3C standard "XML Signature Syntax and Processing" (http://www.w3.org/TR/xmldsig-core1/)
  – Only signature / no encryption
Message Layer
SAP Multi-Bank Connectivity Message Generic Transport Format

<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!-- Request Message -->
<SOAP:Envelope
    xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:SAP="http://sap.com/xi/XI/Message/30">
  <SOAP:Header />
  <SOAP:Body>
    <n0:FSNMessageBulk xmlns:n0="http://sapcd.com/fsnagt">
      <FSNMessage>
        <SenderId>DE49900100000001000023</SenderId>
        <ReceiverId>WOWIDES1</ReceiverId>
        <MessageType>pain.001.003.03</MessageType>
        <FileName>DTA120807181425_0000</FileName>
        <NumberOfRecords>17</NumberOfRecords>
        <MessageId>MID-SAP-SCT-812001</MessageId>
        <RelatedMessageId>ABC-123</RelatedMessageId>
        <ExtendedHeader> <!-- … --> </ExtendedHeader>
        <MessageContent>
          QlNOX2lzX3N1cGVyIQ==
        </MessageContent>
      </FSNMessage>
    </n0:FSNMessageBulk>
  </SOAP:Body>
</SOAP:Envelope>

SOAP Message
▪ Messages are transported as SOAP documents
▪ But: messages can also be sent/received using native application payloads (e.g. pain.001) without message wrapping

MessageBulk
▪ SOAP Body contains a message bulk with multiple messages inside

Message Header
▪ Sender/ReceiverID
  ▪ Used for routing
  ▪ IDs agreed between bank and corporate
  ▪ Bank-ID is unique in the context of SAP Multi-Bank Connectivity. Corporate-ID is unique in the context of a bank
▪ Payload information
  ▪ MessageID is a sender-unique ID
  ▪ Number of records: validation and billing
  ▪ RelatedMessageID refers to previous messages in case of correlated messages (e.g. pain.001 / pain.002)
  ▪ ExtendedHeader allows flexible extensions

Message Content
▪ Message content is encrypted, signed and base64 encoded
▪ Send/receive native application payloads without security envelopes
Session Layer
File Exchange option: Usage of SFTP with SSH

SSH as basic session protocol
▪ On top of Internet and TCP/IP (port 22 for SSH)
▪ Leveraging Internet infrastructure almost everywhere available (e.g. firewall, proxy)
▪ Transport level security: using SSH for encryption and client/server authentication (specification see client: http://tools.ietf.org/html/rfc4252; server: http://tools.ietf.org/html/rfc4253 chapter 7)

SFTP on top of SSH
▪ Adds file exchange commands (get, put, ls etc.) (specification: http://tools.ietf.org/html/draft-ietf-secsh-filexfer-02)

To agree on:
▪ sftp login and key relation (per System vs. per System-Corporate (tenant))
▪ Directory structure
▪ Filename conventions
▪ File status and server actions (e.g. what happens after successful 'get')
Session Layer
Webservice option: Usage of HTTPS with XI protocol

HTTPS as basic session protocol
▪ On top of Internet and TCP/IP (port 443 for TLS)
▪ Leveraging Internet infrastructure almost everywhere available (e.g. firewall, proxy)
▪ Transport level security: using TLS for encryption and client/server authentication (specification see http://tools.ietf.org/html/rfc5246)

XI 3.0 message protocol on top
▪ Adds reliable message transfer
▪ Message will be stored until it is successfully delivered
Session Layer
AS2 option

HTTPS as basic session protocol
▪ As described before
▪ Transport level security: using TLS for encryption and client/server authentication (specification see http://tools.ietf.org/html/rfc5246)

AS2 (Applicability Statement 2) transfer protocol on top
▪ Standard specified in http://tools.ietf.org/html/rfc4130
▪ Adds reliable file transfer based on HTTP and MIME standards
▪ Message will be stored until it is successfully delivered
▪ Makes use of S/MIME for providing message level security (signatures and encryption)
Transport and Network Layer
Transport and network layer use TCP/IP and Internet

Internet
▪ Usage of the public Internet connectivity
▪ Point-to-point connections not supported

TCP/IP
▪ TCP and IPv4/IPv6 as usual in the Internet

Optional: VPN
▪ VPN via IPSec is supported on request
Solution Components
SAP Cloud Platform Integration used by SAP Multi-Bank Connectivity

SAP Multi-Bank Connectivity Connector
▪ Provided for corporates using SAP ERP systems
▪ ABAP Add-On to SAP ECC to simplify integration with SAP Multi-Bank Connectivity
▪ Already included in S/4HANA
▪ Handles:
  – Wrapping of SAP Multi-Bank Connectivity Messages
  – Connectivity to SAP Multi-Bank Connectivity (via XI 3.0 protocol)
  – Security (PKCS#7)
  – Optional: Generate Tamper Protection signatures
▪ Local monitoring of sent/received messages

SFTP Connectivity
Message Flows
Communication Pattern: Push vs. Pull

Push is:
• Asynchronous one-way request
• Lower latency
• Retry in case of receiver unavailability
• Quality of service: at-least-once per message

Pull is:
• Synchronous request/response
• Has select query, might return n messages
• Higher latency due to polling period
• Needs a pull trigger at receiver
• Quality of service: at-least-once per message
Communication Pattern Combinations
Supports push and pull patterns
Participant can select a combination for both messaging directions:

Push-push
▪ Participant pushes messages to SAP Multi-Bank Connectivity / SAP Multi-Bank Connectivity pushes messages to participant
  – bi-directional communication with low latency ✓
  – requires participant to open its firewall for inbound calls from external sources ✗

Push-pull
▪ Participant pushes messages to SAP Multi-Bank Connectivity / Participant pulls messages from SAP Multi-Bank Connectivity
  – communication is always triggered by participant
  – no need to open the firewall on participant side for inbound calls ✓
  – higher latency in one direction ✗
▪ (The other combinations pull-push and pull-pull are also possible, but don't provide any additional benefit.)
Security - Isolation, Encryption

Isolation
Separate Tenants
▪ Every participant has its own tenant
  – Separate user/role management
  – Separate handling of key material
  – Separate integration flows
Isolated Worker Nodes
▪ The worker nodes for each tenant run in separate VMs
▪ VMs are "sandboxed" by the platform so that they can't influence other VMs
  – VMs are only visible via the load balancer
Isolated DB schemas
▪ The data for each tenant is stored in separate database schemas
▪ Every tenant uses its own keys for database encryption
Data Protection by Encryption on Multiple Levels
Data is encrypted in transfer
– Point-to-point Transport Level Security (TLS/SSH)
– Message Level Security (PKCS#7, PGP)
– optional VPN
… and at rest
– DB Encryption (AES 128)
– Message Level Security (PKCS#7, PGP) on SFTP server
Key Management
Overview of Keys and Certificates
(diagram: Corporate – SAP Multi-Bank Connectivity – Bank)
Setting up Keys without SAP Multi-Bank Connectivity
(Sender e.g. Corporate; Receiver e.g. Bank; Certificate Authority (CA))
1. Sender generates a key pair
2. Sender sends certificate signing request (including the public key) to Certificate Authority.
3. Certificate Authority signs public key and returns signed certificate back to Sender
4. Sender stores certificate
5. Sender shares certificate (including the public key of Sender) with Receiver
6. Receiver can verify the CA signature of certificate and stores certificate
… and vice versa (receiver will also generate own key and share certificate)
Transmitting files using keys without SAP Multi-Bank Connectivity
(Sender e.g. Corporate; Receiver e.g. Bank)
1. Sender signs file using Sender private key
2. Sender encrypts file using Receiver public key
3. Sender sends signed&encrypted file to receiver
3. Receiver decrypts received files using Receiver private key
4. Receiver verifies signature of files using Sender public key
The reverse communication (bank to corporate) works analogously - with switched roles
Setting up keys with SAP Multi-Bank Connectivity
(Sender e.g. Corporate; SAP Multi-Bank Connectivity; Receiver e.g. Bank; Certificate Authority (CA))
1. Sender generates a key pair
2. Sender sends certificate signing request (including the public key) to Certificate Authority.
3. Certificate Authority signs public key and returns signed certificate back to Sender
4. Sender stores certificate
5. Sender shares certificate with SAP Multi-Bank Connectivity
6. SAP Multi-Bank Connectivity stores certificate
7. SAP Multi-Bank Connectivity generates key pair
8.a SAP Multi-Bank Connectivity shares SAP Multi-Bank Connectivity certificate with Sender
8.b SAP Multi-Bank Connectivity shares SAP Multi-Bank Connectivity certificate with Receiver
9. Receiver shares certificate with SAP Multi-Bank Connectivity
Transmitting files using keys with SAP Multi-Bank Connectivity
(Sender e.g. Corporate; SAP Multi-Bank Connectivity; Receiver e.g. Bank)
1. Sender signs file using Sender private key
2. Sender encrypts file using SAP Multi-Bank Connectivity public key
3. Sender sends signed&encrypted file to SAP Multi-Bank Connectivity
4. SAP Multi-Bank Connectivity decrypts file using SAP Multi-Bank Connectivity private key
5. SAP Multi-Bank Connectivity verifies signature with Sender public key
6. SAP Multi-Bank Connectivity performs transformation
7. SAP Multi-Bank Connectivity signs payload using SAP Multi-Bank Connectivity private key
8. SAP Multi-Bank Connectivity encrypts file using Receiver public key
9. SAP Multi-Bank Connectivity sends signed&encrypted file to Receiver
10. Receiver decrypts file using Receiver private key
11. Receiver verifies signature using SAP Multi-Bank Connectivity public key
The reverse communication (bank to corporate) works analogously - with switched roles
Follow us
www.sap.com/contactsap
© 2020 SAP SE or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP
SE or an SAP affiliate company.
The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors. National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or
warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials.
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional
warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation,
and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platforms, directions, and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or
functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and they
should not be relied upon in making purchasing decisions.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names
mentioned are the trademarks of their respective companies.
See www.sap.com/copyright for additional trademark information and notices.