Enabling Support for Principal Propagation

Prerequisites

Principal propagation requires Mobile Add-On for ERP 6.2.0, version SP05 or above.
The back end SAP system is configured to allow for principal propagation through SNC secured RFC communications. For more information, see the procedure Configure Principal Propagation to an ABAP System for RFC.
Mobile client is using Agentry client version 3.1 or Agentry client version 3.0 SP16 PL08

Context

To enable support for principal propagation, changes are needed in the JavaBE.ini file, as well as the changes required to support the SAP Inventory Manager application set up on the SAP S/⁠4HANA cloud environment. Note that most of the cloud environment configuration is performed by your system installer.

Procedure

Open the JavaBE.ini file in the text editor of your choice and navigate to the [JCO] section.

Set CONNECTION_TYPE to PRINCIPAL_PROPAGATION.

Sample Code

[JCO]
CLASS=JCO3
CONNECTION_TYPE=PRINCIPAL_PROPAGATION

Ensure that the LOGON_METHOD in the [LOGON_METHOD] section is set to USER_AUTH. Make any changes to the type of logon in the configured destinations.
Sample Code
```
[LOGON_METHOD]
LOGON_METHOD=USER_AUTH
```
If custom destinations are use, specify the customized destination names. Navigate to the [JCO3] section and input your desired custom destination names into the provided templates:
Sample Code
```
[JCO3]
;customized destination names
DESTINATION_SERVICE_NAME=CUSTOM_DESTINATION_SERVICE
DESTINATION_PUSH_NAME=CUSTOM_DESTINATION_PUSH
DESTINATION_SESSION_NAME=CUSTOM_DESTINATION_SESSION
```
Navigate to the [CLOUD] section.
Set the CREDENTIAL_SETTING_TIMEOUT to the same setting found on the SAP Business Technology Platform Mobile Services (SCPms) Cockpit.
Set the timeout to longer than what you expect your longest transmit will take, as credentials cannot refresh midtransit.

Note

Remember to use the same setting on the SAP BTP services Cockpit.
Sample Code
```
[CLOUD]
.
.
.
;timeout for credentials in seconds; should match what is in the SCPms Cockpit for timeout
;or in a published Agentry.ini file if one is used.
CREDENTIAL_SESSION_TIMEOUT=1200
```

Still in the [CLOUD] section, add the following configuration option:

Sample Code

;keep destination thread open until timeout is reached rather than close after each backend session
FORCE_KEEP_DESTINATION_THREAD_ALIVE=TRUE

Navigate to the [USER_AUTH] section.
Bypass the user ID check by setting it to TRUE.
Sample Code
```
[USER_AUTH]
BYPASS_USERID_CHECK=TRUE
```
Optional: Still in the [USER_AUTH] section, set the following configuration option:
Sample Code
```
ALLOW_USERNAME_REMAPPING=true
```
Out of the box, the configuration option is set to FALSE. Set it to TRUE to allow the remapping of a username when an SSO username does not match with a back end username. Principal propagation, and SSO in some cases, does not know the back end username at the time of authentication, and must remap it after authentication.
Save your changes.

Next Steps

Republish the SAP Inventory Manager application in order for the modifications to take effect.