Hermes for SAP ECC

Hermes is a lightweight application that you deploy on a server inside your private network, protected by your firewall. It regularly queries the graphiteConnect Public API for supplier updates and synchronizes those updates with your SAP ECC system using RFC function modules.

Hermes only initiates outbound HTTPS connections to the Graphite Public API — it does not open any inbound ports.

Note: For Oracle E-Business Suite integrations, see Hermes for E-Business Suite.

Installation Method Comparison

Use the native installer or package for single-instance deployments. Choose the ZIP method to run multiple independent Hermes instances on a single machine or to deploy to environments without a package manager.

System Requirements

• OS: Windows 10 / Windows Server 2019 or later (x64), or any recent x64 Linux distribution with glibc >= 2.28
• Memory: 500 MB available RAM
• Disk: 1 GB (300 MB for installation, remainder for logs)
• CPU: Any modern x64 CPU
• Windows only: Microsoft Visual C++ Redistributable 2013 is required by the bundled node-rfc dependency

Windows Installation

Windows Installer (Recommended for single instance)

1. Download the latest Hermes Windows installer:
   • Production: Hermes-Windows-Installer.exe
   • Testing/development: Hermes-Windows-Installer.exe
2. Right-click the installer and select Run as administrator.
3. Run the installation wizard. Accept the license agreement and choose an installation directory (default: C:\Program Files\Graphite Hermes\).
4. Once the wizard completes, open production.json in the installation directory and fill in your environment-specific settings. See Configuration.
5. Open Windows Services (services.msc), locate Graphite Hermes, and start it.

Uninstalling: Open Add or Remove Programs, find Graphite Hermes, and click Uninstall. This stops the service and removes all application files.

Updating: Download the latest installer and run it as administrator. It detects your existing installation, stops the service, replaces the application files, and restarts the service. Your production.json remains unchanged.

Windows ZIP (Multiple instances)

Use this method to run multiple Hermes instances on the same Windows machine — for example, one instance per SAP system or environment.

1. Download the latest Hermes Windows ZIP:
   • Production: hermes.windows.zip
   • Testing/development: hermes.windows.zip
2. Extract the ZIP to the directory where you want this instance to live, for example C:\hermes-primary\. For a second instance, extract to a separate directory such as C:\hermes-secondary\.
3. Open production.json in the extracted directory and fill in your settings. If it does not exist, create it from production.example.json:
   cmd

   copy /Y "C:\hermes-primary\production.example.json" "C:\hermes-primary\production.json"

4. Register the instance as a Windows service. Right-click Command Prompt, select Run as administrator, then run install.cmd from the instance directory:
   cmd

   "C:\hermes-primary\install.cmd"

   The script prompts for a unique service name. This name is saved to production.json as windowsServiceName.
5. Open Windows Services (services.msc), locate your named service, and start it.

Note: Each instance must have a unique service name. If two instances share the same name, Windows overwrites the first service definition.

File permissions: Before starting a ZIP-based Windows service, verify the service account can write runtime files:

mkdir "C:\hermes-primary\logs" 2>nul
type nul > "C:\hermes-primary\update-status.json"
icacls "C:\hermes-primary\logs" /grant "SYSTEM:(OI)(CI)M" /T
icacls "C:\hermes-primary\update-status.json" /grant "SYSTEM:M"

If your service runs under a custom Windows account, replace SYSTEM with that account name.

Uninstalling a ZIP instance:

"C:\hermes-primary\node.exe" "C:\hermes-primary\dist\win-svc.js" uninstall --name "Your Service Name"
rmdir /s /q "C:\hermes-primary"

Updating a ZIP instance:

"C:\hermes-primary\node.exe" "C:\hermes-primary\dist\update.js" <release|develop>

Linux Installation

Linux Package (.deb/.rpm) — Recommended for single instance

Installs Hermes to /opt/graphite-hermes/ and registers a systemd service under a dedicated hermes system user.

Debian / Ubuntu:

wget https://storage.googleapis.com/graphite-hermes/release/latest/hermes.linux.deb
sudo apt-get install -y ./hermes.linux.deb

Red Hat / Rocky Linux / Amazon Linux:

wget https://storage.googleapis.com/graphite-hermes/release/latest/hermes.linux.rpm
sudo rpm -i ./hermes.linux.rpm

Post-install checklist:

1. Configure /opt/graphite-hermes/production.json.
2. Start Hermes manually:
   Bash

   sudo systemctl start graphite-hermes

3. Verify service status:
   Bash

   sudo systemctl status graphite-hermes

Note: On first install, the package enables graphite-hermes at boot but does not start it. Hermes requires a valid production.json before it can connect to SAP and Graphite.

Uninstalling:

# Debian / Ubuntu
sudo apt-get remove -y graphite-hermes

# Red Hat / Rocky Linux / Amazon Linux
sudo rpm -e graphite-hermes

During uninstallation, the package manager copies your production.json to /opt/graphite-hermes-production.json.bak.

Updating:

# Debian / Ubuntu
sudo apt-get install -y ./hermes.linux.deb

# Red Hat / Rocky Linux / Amazon Linux
sudo rpm -U ./hermes.linux.rpm

Linux ZIP (Multiple instances)

Use this method to run multiple Hermes instances on the same Linux machine or to deploy to minimal environments without apt/rpm.

1. Download the latest Hermes Linux ZIP:
   • Production: hermes.linux.zip
   • Testing/development: hermes.linux.zip
2. Extract to a directory:
   Bash

   sudo mkdir -p /opt/graphite-hermes-primary
   sudo unzip /path/to/hermes.linux.zip -d /opt/graphite-hermes-primary

3. Configure production.json:
   Bash

   sudo cp /opt/graphite-hermes-primary/production.example.json /opt/graphite-hermes-primary/production.json
   sudo nano /opt/graphite-hermes-primary/production.json

4. Register as a systemd service:
   Bash

   sudo /opt/graphite-hermes-primary/install.sh

   When prompted, enter a unique service name. A systemd unit file is created at /etc/systemd/system/<service-name>.service.

Post-install checklist:

1. Start the instance:
   Bash

   sudo systemctl start <service-name>

2. Verify status:
   Bash

   sudo systemctl status <service-name>

File permissions: Before starting a ZIP-based service, verify the service user can write runtime files:

SVC=<your-service-name>
SVC_USER=$(systemctl show -p User --value "$SVC")
WORKDIR=$(systemctl show -p WorkingDirectory --value "$SVC")

sudo install -d -m 2775 -o "$SVC_USER" -g "$(id -gn "$SVC_USER")" "$WORKDIR/logs"
sudo touch "$WORKDIR/update-status.json"
sudo chown "$SVC_USER:$(id -gn "$SVC_USER")" "$WORKDIR/update-status.json"
sudo chown -R "$SVC_USER:$(id -gn "$SVC_USER")" "$WORKDIR/logs"

Updating a ZIP instance:

node <instance-path>/dist/update.js <release|develop> [--service <service-name>]

Migrating from an Older ZIP Installation

Note: If you are running multiple instances, do not use the native package — it installs a single shared instance and will not be aware of your existing custom service definitions.

The update script (update.js) changed significantly in recent versions of Hermes. For existing ZIP installations on older versions, perform a fresh installation per instance rather than running the updater.

For each instance:

1. Back up your configuration and systemd unit file before making any changes:
   Bash

   cp /opt/your-hermes-instance/production.json ~/production-instance.json.bak
   cp /etc/systemd/system/<service-name>.service ~/your-service-name.service.bak

2. Stop and disable the existing service:
   Bash

   sudo systemctl stop <service-name>
   sudo systemctl disable <service-name>

3. Download the latest ZIP and extract over the existing directory:
   Bash

   sudo unzip -o hermes.linux.zip -d /opt/your-hermes-instance

4. Restore your production.json from backup:
   Bash

   sudo cp ~/production-instance.json.bak /opt/your-hermes-instance/production.json

5. Re-register the service:
   Bash

   sudo /opt/your-hermes-instance/install.sh

   Important (Linux): If your previous systemd unit file contained custom Environment= entries (e.g., self-signed certificate paths or a custom LD_LIBRARY_PATH), re-apply those to the new unit file before starting the service.

6. Start the service:
   Bash

   sudo systemctl start <service-name>

Configuration

The production.json file controls how Hermes connects to the Graphite Public API and to SAP. For SAP ECC interfaces, set adapterType to SAP_EH8.

Minimal example:

{
  "adapterType": "SAP_EH8",
  "graphiteApiUrl": "https://app.graphiteconnect.com",
  "graphiteApiKey": "US000000.000000000.000000000000000000000",
  "graphiteInterfaceName": "your-interface-name",
  "ECCParams": {
    "user": "hermes_service_user",
    "passwd": "password",
    "dest": "",
    "hostType": "ASHOST",
    "hostAddr": "your-sap-host",
    "sysnr": "00",
    "client": "100",
    "lang": "EN"
  }
}

Refer to the example production.json included in the distribution ZIP for a full template with all available options.

SAP Connection

The recommended way to configure the SAP connection is via ECCParams in production.json (shown above). All standard RFC connection parameters — host, system number, client, credentials, and language — are configured directly in the file.

Deprecated: Configuring the SAP connection via a sapnwrfc.ini file placed in the working directory is supported but deprecated. The underlying node-rfc library will still resolve a DEST-based connection using sapnwrfc.ini if one is present, but this approach may be removed in a future release. New installations should configure all SAP connection parameters directly in production.json under ECCParams.

Testing the SAP Connection

A test script is included to verify the connection between Hermes and SAP. It runs the STFC_STRUCTURE Remote Function Module.

Linux:

export LD_LIBRARY_PATH=lib/linux/nwrfcsdk/lib
node test

Windows:

set PATH=%PATH%;C:\lib\win32\nwrfcsdk\lib
node test

Encryption

The production.json file can be encrypted to protect your API keys and SAP credentials at rest. Hermes uses AES-256 CTR encryption via the Node.js Crypto library.

The encryption key can be supplied in two ways:

• Environment variable (HERMES_ENCRYPTION_KEY) — recommended for service deployments; allows Hermes to start as a service without user interaction.
• Interactive CLI — run node dist/encryption.js --provide to supply the key to a running instance.

CLI commands:

# Encrypt production.json
node dist/encryption.js --encrypt production.json
# Output: production.json.encrypted

# Decrypt production.json.encrypted
node dist/encryption.js --decrypt production.json.encrypted
# Output: production.json

# Provide decryption key to a running Hermes instance
node dist/encryption.js --provide

All CLI commands use HERMES_ENCRYPTION_KEY if set, or will prompt for the key interactively.

Network Requirements

Hermes only initiates outbound connections — it does not open any inbound ports.

Ensure your firewall allows outbound HTTPS to app.graphiteconnect.com and outbound TCP on the SAP RFC port.

SAP Permissions & TCODEs

Hermes requires a dedicated SAP service account configured in ECCParams. The account must have permission to execute the following transaction codes via the ABAP4_CALL_TRANSACTION remote function module:

For a detailed overview of the Hermes security architecture and the minimum SAP authorizations required, refer to the architecture document provided by Graphite Connect support.

Logging

Hermes writes log output to:

logs/hermes.YYYY-MM-DD.log

Log files are rotated automatically when a log file reaches 20 MB. All interface-related errors are reported to graphiteConnect and can be viewed in the Interfaces Administration tool.

Related Documentation

• Hermes for E-Business Suite — Hermes installation for Oracle EBS
• Public API Integrations — Standard ERP integration workflow
• Authentication — Obtaining an OAuth 2.0 bearer token