
HCI Integration with SAP ECC/CRM System


1.    Introduction to Digital certificate and SSL Handshake

2.    Customer landscapes and certificate requests

3.    Connection setup from SAP ERP – HCI – C4C

4.    Connection setup from C4C – HCI – Web-Dispatcher – SAP ERP with SSL Termination

1.     Introduction to SSL certificate and SSL Handshake

What is SSL Certificate?

SSL certificates are small data files that digitally bind a cryptographic key to an organization's details. When a certificate is installed on a web server, it enables the HTTPS protocol and allows secure connections between the web server and a browser or an application.


Certificate Information:

In the general information of a certificate you can find the "Issued to" and "Issued by" fields and the validity period of the certificate.


Certification Path:


When a certificate is signed by a Certificate Authority, its certification path contains the root certificate and the signed certificate (it may also contain an intermediate, or chain, certificate).

What is SSL Handshake?

In two-way SSL authentication, the SSL client application verifies the identity of the SSL server application, and then the SSL server application verifies the identity of the SSL-client application.

Two-way SSL authentication is also referred to as client authentication because the application acting as an SSL client presents its certificate to the SSL server after the SSL server authenticates itself to the SSL client.


2.     Customer landscapes and certificate requests

Every customer landscape is unique. There are a couple of scenarios I would like to discuss here for when you apply for a certificate.

a.       Multiple Domain architecture – Public and internal domain

b.      Single Domain architecture – Public registered domain

A.      Multiple Domain architecture


In the above network landscape there are two domains. "" is the internal domain and it is not registered. As it is not registered, a Certificate Authority will not sign a CSR (Certificate Signing Request) for it. If you have a publicly registered domain, you can create a CSR with that domain and get it signed by a CA.

B.      Single Domain architecture


The customer has only one domain and it is publicly registered. You can create a CSR on the same domain.

3.     Connection setup from SAP ERP – HCI – C4C

Go to the STRUST transaction.



Below is an example showing the DN of the certificate:

DN =, OU=Information Technology, O=mycompany Inc, L=Location, S=State, C=Country



This is the CSR. Copy the CSR and get it signed by a Certificate Authority.

Note: the CA should be in the trust list of HCI. Check the latest HCI trust list before choosing a CA.



Signing algorithm: select SHA1 or SHA2. The certificate root may differ depending on the algorithm selected, so make sure that root is in the trust list of HCI.

Proceed to the next step and check the summary of the certificate. Provide the necessary contact information. You will receive the signed certificates from the CA in 3-4 days.

The downloaded bundle contains three certificates:


1. entrustcert.crt – Signed server certificate

2. L1Cchain.txt – Chain certificate (change file extension from txt to crt)

3. L1Croot.txt – Root certificate (change file extension from txt to crt)

Import the certificate response in STRUST.



Copy and import the response.



Import the chain and root certificate to the certificate list and add it to the database.






Adding certificate to Database:



Similarly add the other certificate to certificate list and database.

Go to the HCI tenant URL:





Export the certificate in X.509 format.




Similarly, save the "Cybertrust Public SureServer SV CA" certificate in X.509 format.


Import the certificates "Baltimore CyberTrust Root" and "Cybertrust Public SureServer SV CA" into the certificate list and the database in STRUST.


We have deployed the required certificates on the SAP ERP/CRM system.

On the HCI tenant we can deploy a keystore artifact. This keystore contains the certificates required to authenticate the client. There is only one keystore per tenant and the file is called system.jks. In this scenario we have to load the server certificate's chain and root (L1Cchain.crt and L1Croot.crt). To load these certificates you need to raise a ticket with SAP.


System.jks can be seen in Eclipse in deployed artifacts.


SAP provides the HCI tenant certificate; the "Issued to" field of that certificate looks like the HCI tenant URL.


In the example below, the certificate is signed by "Cybertrust Public SureServer SV CA". This certificate and its root should be loaded into the trust list of C4C.



SAP CRM/ERP – HCI – C4C connection is established successfully.

4.     Connection setup from C4C – HCI – Web-Dispatcher – SAP ERP with SSL Termination:

HCI certificate exchange mechanism:


Step-by-Step Procedure (On Premise):

1. Install SAP Web Dispatcher and configure it for the CRM or ECC system.

2. Download the latest SAP Cryptographic Library tools.


3. Copy the SAP cryptographic binaries to the location of the Web Dispatcher kernel.



Location – D:\usr\sap\<SID>\SYS\exe\nuc\NTAMD64

Copy sapgenpse.exe and sapcrypto.dll to the above folder location.

4. Copy the ticket file to the sec directory under the Web Dispatcher instance directory.

Ticket file Location – D:\usr\sap\WHC\W04\sec


You have now installed the SAP Cryptographic Library files.

5. Create the server PSE and certificate request using "sapgenpse.exe" via the command prompt.

Go to the Web Dispatcher kernel folder in cmd.


Command: sapgenpse get_pse <additional_options> -p <PSE_Name> -r <cert_req_file_name> -x <PIN> <Distinguished_Name>

Run the sapgenpse command below to create the SAPSSLS.pse file and the certificate request:

sapgenpse get_pse -p SAPSSLS.pse -x 123456 -r D:\usr\sap\WHE\W00\sec\cert.req ", OU=Information Technology, O=mycompany Inc, L=Location, S=State, C=Country"

The domain name should be a publicly registered domain. This "" will be used by HCI to communicate with the CRM/ERP system.

For example:


So your public domain is ""; your public IP should be linked with "WD" in the DNS Manager of that domain.

DNS Manager of “”




Get cert.req signed by any of the HCI trusted CAs below.

List of HCI trusted CAs:

TC TrustCenter CA

TC TrustCenter Class 2 L1 CA XI

VeriSign Class 1 Public Primary Certification Authority – G3

VeriSign Class 3 Public Primary Certification Authority – G5

VeriSign Class 3 Public Primary Certification Authority – G5 – Intermediate Certification Authority (2048)

CN=TC TrustCenter Class 2 L1 CA XI

Go Daddy Class 2 Certification Authority

Entrust Certification Authority – L1C

VeriSign Class 3 International Server CA – G3

VeriSign Class 3 Secure Server CA – G3

Baltimore CyberTrust Root

Cybertrust Public SureServer SV CA

CN=Certum CA, O=Unizeto Sp. z o.o., C=PL

CN=Certum Level IV CA, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL

Note: Entrust Certification Authority – L1C provides a free 90-day trial.
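The post says several times that the root of the server certificate must be in the HCI trust list, and the "Certification Path" section describes how a signed certificate sits below a chain and a root certificate. The script below is an added example, not code from the post or from SAP: it parses the distinguished names that STRUST and sapgenpse use (tolerating the mixed case and spacing seen in the post, e.g. `l=Location` and `O= mycompany Inc`), rebuilds the certification path from a bag of certificates by linking issuer to subject, and reports whether a CA on the HCI list appears above the leaf. It works on DNs only, so it checks naming, not signatures or validity dates. The sample certificates and the `O=` values in them are constructed; the trust-list names are copied from the post.

```python
"""Check a certificate's certification path against the HCI trust list (DN level only).

Added example, not part of the original post. Real validation also checks
signatures and validity dates; this script only answers "does the chain
above my certificate end in a CA that HCI trusts?".
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subset of the HCI trust list given in the post (plain hyphens).
HCI_TRUSTED_CAS = {
    "Entrust Certification Authority - L1C",
    "Go Daddy Class 2 Certification Authority",
    "Baltimore CyberTrust Root",
    "Cybertrust Public SureServer SV CA",
    "VeriSign Class 3 Secure Server CA - G3",
}

_UNESCAPED_COMMA = re.compile(r"(?<!\\),")   # RDN separator, unless escaped as "\,"
_ALIASES = {"S": "ST"}                        # STRUST/sapgenpse write S= for stateOrProvinceName


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'CN=x, OU=y, ...' into ordered (TYPE, value) pairs.

    Attribute types are upper-cased and S is mapped to ST, so the post's mixed
    spellings ('L=' vs 'l=', 'O= mycompany' vs 'O=mycompany') compare equal.
    """
    pairs = []
    for rdn in _UNESCAPED_COMMA.split(dn):
        rdn = rdn.strip()
        if not rdn:
            continue
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        typ, val = rdn.split("=", 1)
        typ = typ.strip().upper()
        pairs.append((_ALIASES.get(typ, typ), val.strip().replace("\\,", ",")))
    return pairs


def cn_of(dn: str) -> Optional[str]:
    return next((v for t, v in parse_dn(dn) if t == "CN"), None)


def same_dn(a: str, b: str) -> bool:
    return parse_dn(a) == parse_dn(b)


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str


def build_path(leaf: Cert, bag: List[Cert]) -> List[Cert]:
    """Follow issuer -> subject links from the leaf up to a self-signed root."""
    path, current = [leaf], leaf
    seen = {tuple(parse_dn(leaf.subject))}
    while not same_dn(current.subject, current.issuer):
        issuers = [c for c in bag if same_dn(c.subject, current.issuer)]
        if not issuers:
            raise LookupError(f"issuer {current.issuer!r} is missing from the bundle")
        current = issuers[0]
        key = tuple(parse_dn(current.subject))
        if key in seen:
            raise LookupError("cycle in certification path")
        seen.add(key)
        path.append(current)
    return path


def trusted_by_hci(path: List[Cert], trust_list=HCI_TRUSTED_CAS) -> bool:
    """True if a chain or root certificate above the leaf is on the trust list."""
    return any(cn_of(c.subject) in trust_list for c in path[1:])


# Constructed sample: the post's three downloaded files (signed cert, chain, root)
# reduced to their DNs. The O= values are made up.
PUBLIC_LEAF = Cert(
    subject="CN=erps.example.com, OU=Information Technology, O=mycompany Inc, L=Location, S=State, C=Country",
    issuer="CN=Entrust Certification Authority - L1C, O=Example Intermediate\\, Inc., C=US",
)
PUBLIC_BUNDLE = [
    Cert(subject="CN=Entrust Certification Authority - L1C, O=Example Intermediate\\, Inc., C=US",
         issuer="CN=Example Root CA, O=Example Root, C=US"),
    Cert(subject="CN=Example Root CA, O=Example Root, C=US",
         issuer="CN=Example Root CA, O=Example Root, C=US"),
]
# Constructed sample: a certificate from an internal CA, fine between Web Dispatcher
# and ERP (steps 6 and 7) but not accepted by HCI.
INTERNAL_LEAF = Cert(subject="CN=wdc.internal.local, O=mycompany Inc, C=Country",
                     issuer="CN=mycompany Internal CA, O=mycompany Inc, C=Country")
INTERNAL_BUNDLE = [Cert(subject="CN=mycompany Internal CA, O=mycompany Inc, C=Country",
                        issuer="CN=mycompany Internal CA, O=mycompany Inc, C=Country")]

if __name__ == "__main__":
    for leaf, bundle in ((PUBLIC_LEAF, PUBLIC_BUNDLE), (INTERNAL_LEAF, INTERNAL_BUNDLE)):
        path = build_path(leaf, bundle)
        print(" -> ".join(cn_of(c.subject) for c in path), "| trusted by HCI:", trusted_by_hci(path))
```

To use it on a real bundle, fill the `Cert` entries with the "Issued to" and "Issued by" values from the certificate's Certification Path tab; a `LookupError` means the chain file is missing an intermediate, and `False` from `trusted_by_hci` means the CA is not on the list and the request has to go to another CA.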

6. Similarly, create the client PSE and certificate request using "sapgenpse.exe" via the command prompt.

Go to the Web Dispatcher kernel folder in cmd.


sapgenpse get_pse -p SAPSSLC.pse -x 123456 -r D:\usr\sap\WHE\W00\sec\clientcert.req "CN=Wdc., OU=Information Technology, O=mycompany Inc, L=Location, S=State, C=Country"


If you have your own CA, get this certificate signed by it, or use a self-signed certificate if both systems are in the same landscape.

7. Create a certificate request for "SSL Server Standard" on the backend ERP system in STRUST.


Right-click "SSL Server Standard" and choose "Create Certificate Request".


CN=erps., OU=Information Technology, O=mycompany Inc, L=Location, S=State, C=Country



Export the certificate request as "erps.req". If you have your own CA, get this certificate signed by it, or use a self-signed certificate if both systems are in a trusted zone (the same landscape).

8. From steps 5, 6 and 7 we have generated the following certificate requests:

a. cert.req – Web Dispatcher server

b. clientcert.req – Web Dispatcher client

c. erps.req – STRUST ERP server

9. Get certificate "a" signed by an HCI trusted CA.

Get certificates "b" and "c" signed by your company's internal CA, or use self-signed certificates.

10. Import the certificate response along with the root certificate and the chain certificate (if applicable).

When a certificate is signed you receive the signed certificate and the root certificate, and you may also receive a chain certificate.

sapgenpse import_own_cert -p SAPSSLS.pse -c D:\usr\sap\WHE\W00\sec\responseCert.crt -r D:\usr\sap\WHE\W00\sec\root.crt -r D:\usr\sap\WHE\W00\sec\chain.crt -x 123456

(responseCert.crt is the signed server certificate)

Provide access to the PSE file for the system users:

sapgenpse seclogin -p D:\usr\sap\WHE\W00\sec\SAPSSLS.pse -x 123456 -O <DOMAIN>\SAPService<SID>

11. Similarly, import the certificate response for SAPSSLC.pse (if you are using a self-signed certificate this step is not required).

sapgenpse import_own_cert -p SAPSSLC.pse -c D:\usr\sap\WHE\W00\sec\CResponseCert.crt -r D:\usr\sap\WHE\W00\sec\root.crt -x 123456

(CResponseCert.crt is the signed server certificate)

Provide access to the PSE file for the system users:

sapgenpse seclogin -p D:\usr\sap\WHE\W00\sec\SAPSSLC.pse -x 123456 -O <DOMAIN>\SAPService<SID>

12. Add the following parameters to the Web Dispatcher profile:

DIR_INSTANCE = D:\usr\sap\WHE\W00

icm/server_port_2 = PROT=HTTPS, PORT=443, TIMEOUT=900

icm/HTTPS/forward_ccert_as_header = true

wdisp/ssl_auth = 2

wdisp/ssl_cred = D:\usr\sap\WHE\W00\sec\SAPSSLC.pse

13. Create trust between the ERP system and the Web Dispatcher by exchanging root certificates.

Maintain the root certificate of the ERP "SSL Server Standard" PSE in SAPSSLC.pse:

sapgenpse maintain_pk -a D:\usr\sap\WHE\W00\sec\ERPSCert.cer -p SAPSSLC.pse -x 123456

14. Download and import the HCI X.509 certificate into SAPSSLS.pse on the Web Dispatcher.






Similarly, download the chain certificate.


Save it as "hcicrtchain.cer".

Maintain the root and chain certificates of HCI in SAPSSLS.pse:

a.       sapgenpse maintain_pk -a D:\usr\sap\WHE\W00\sec\hcicrtroot.cer -p SAPSSLS.pse -x 123456


b.      sapgenpse maintain_pk -a D:\usr\sap\WHE\W00\sec\hcicrtchain.cer -p SAPSSLS.pse -x 123456

15. Restart the Web Dispatcher.

16. Add the following parameters to the ERP profile.

T-code: RZ10

icm/HTTPS/trust_client_with_issuer = <issuer of the signed SAPSSLC certificate>

icm/HTTPS/trust_client_with_subject = <subject of the SAPSSLC certificate>

icm/HTTPS/verify_client = 1

icm/server_port_0 = PROT=HTTPS,PORT=443,TIMEOUT=120,PROCTIMEOUT=120,VCLIENT=1
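Steps 12 and 16 together make the mutual authentication work: the Web Dispatcher terminates TLS from HCI, authenticates to the ERP with SAPSSLC.pse and forwards HCI's client certificate in a header, and the ERP only trusts that forwarded certificate from the issuer and subject named in its profile. The linter below is an added example, not part of the post or of SAP's tooling. It parses SAP profile syntax (`name = value`, `#` comment lines), checks exactly the parameters the post lists, and shows the post's profile next to a constructed weak variant that would silently fall back to plain HTTP and no client-certificate forwarding. The DN values in the ERP sample are constructed placeholders for the issuer and subject of the signed SAPSSLC certificate.

```python
"""Lint the TLS settings of a Web Dispatcher profile and an ERP instance profile.

Added example, not from the original post. Parameter names are the ones the
post sets in steps 12 and 16; the sample profiles below are constructed.
"""
from __future__ import annotations

from typing import Dict, List


def parse_profile(text: str) -> Dict[str, str]:
    """Return {parameter: value}; later duplicates override earlier ones."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)      # values may themselves contain '='
        params[name.strip()] = value.strip()
    return params


def parse_port_spec(spec: str) -> Dict[str, str]:
    """'PROT=HTTPS, PORT=443, VCLIENT=1' -> {'PROT': 'HTTPS', 'PORT': '443', 'VCLIENT': '1'}"""
    out: Dict[str, str] = {}
    for item in spec.split(","):
        if "=" in item:
            key, value = item.split("=", 1)
            out[key.strip().upper()] = value.strip()
    return out


def https_ports(params: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """All icm/server_port_* entries whose PROT is HTTPS."""
    ports = {k: parse_port_spec(v) for k, v in params.items() if k.startswith("icm/server_port_")}
    return {k: v for k, v in ports.items() if v.get("PROT", "").upper() == "HTTPS"}


def lint_webdispatcher(params: Dict[str, str]) -> List[str]:
    findings = []
    if not https_ports(params):
        findings.append("no icm/server_port_* with PROT=HTTPS: HCI cannot reach the dispatcher over TLS")
    if params.get("wdisp/ssl_auth") != "2":
        findings.append("wdisp/ssl_auth != 2: dispatcher is not set to authenticate to the ERP with wdisp/ssl_cred")
    if not params.get("wdisp/ssl_cred", "").lower().endswith(".pse"):
        findings.append("wdisp/ssl_cred does not point to a client PSE (SAPSSLC.pse)")
    if params.get("icm/HTTPS/forward_ccert_as_header", "").lower() != "true":
        findings.append("icm/HTTPS/forward_ccert_as_header != true: HCI's client certificate is not forwarded to the ERP")
    return findings


def lint_erp(params: Dict[str, str]) -> List[str]:
    findings = []
    if params.get("icm/HTTPS/verify_client") not in ("1", "2"):
        findings.append("icm/HTTPS/verify_client not set: ERP does not request a client certificate")
    for key in ("icm/HTTPS/trust_client_with_issuer", "icm/HTTPS/trust_client_with_subject"):
        if not params.get(key):
            findings.append(f"{key} missing: ERP will not trust the certificate the dispatcher forwards")
    if not https_ports(params):
        findings.append("no icm/server_port_* with PROT=HTTPS")
    for name, spec in https_ports(params).items():
        if spec.get("VCLIENT") not in ("1", "2"):
            findings.append(f"{name}: HTTPS port without VCLIENT, client certificate is not requested")
    return findings


# Web Dispatcher profile as given in the post (step 12).
WD_PROFILE = r"""
DIR_INSTANCE = D:\usr\sap\WHE\W00
icm/server_port_2 = PROT=HTTPS, PORT=443, TIMEOUT=900
icm/HTTPS/forward_ccert_as_header = true
wdisp/ssl_auth = 2
wdisp/ssl_cred = D:\usr\sap\WHE\W00\sec\SAPSSLC.pse
"""

# Constructed weak variant: HTTP listener only, ssl_auth left at 1, no header forwarding.
WD_PROFILE_WEAK = r"""
DIR_INSTANCE = D:\usr\sap\WHE\W00
# no HTTPS listener at all
icm/server_port_0 = PROT=HTTP, PORT=8080
wdisp/ssl_auth = 1
wdisp/ssl_cred = D:\usr\sap\WHE\W00\sec\SAPSSLC.pse
"""

# ERP profile from step 16; the two DNs are constructed placeholders for the
# issuer and subject of the signed SAPSSLC certificate.
ERP_PROFILE = r"""
icm/HTTPS/trust_client_with_issuer = CN=mycompany Internal CA, O=mycompany Inc, C=Country
icm/HTTPS/trust_client_with_subject = CN=wdc.example.com, OU=Information Technology, O=mycompany Inc, L=Location, S=State, C=Country
icm/HTTPS/verify_client = 1
icm/server_port_0 = PROT=HTTPS,PORT=443,TIMEOUT=120,PROCTIMEOUT=120,VCLIENT=1
"""

if __name__ == "__main__":
    for label, text, lint in (("web dispatcher", WD_PROFILE, lint_webdispatcher),
                              ("web dispatcher (weak)", WD_PROFILE_WEAK, lint_webdispatcher),
                              ("erp", ERP_PROFILE, lint_erp)):
        print(label + ":", lint(parse_profile(text)) or "OK")
```

Run it against the real profile files after step 16 and before the restart in step 15 is repeated; an empty list for both profiles means the settings match what the post describes, while any finding names the parameter to fix.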



17. Access the WebGUI and check the certificate.


HCI integration connectivity is complete.


  1. Former Member

    Hello Deepak,

    When I generate the SAP ERP certificate as per step 3 and send it to Entrust datacard services, I received an email saying the below

    Since your organization name appears on the SSL Certificate, we will need to validate the legal organization name before we can issue the certificate.

    Also, when I try to get my server certificate signed from GoDaddy I receive an email asking me to do Domain Control validation.

    Can you please suggest how to get around these?



  2. Former Member Post author


    The certificates L1CCHAIN and L1ROOT are the chain and root certificates of the server certificate that you got signed by a CA.

    When you open the signed certificate > Certification Path, you will find the certificates; you can export them from there.

    Let me know if this helps.



  3. Former Member

    Hello together,

    Are there any experiences with using domain certificates with subdomains? For example for the ERP and web dispatcher (test and productive). So instead of buying 4 SSL stand-alone certificates with the same domain, you buy one domain certificate and create 4 subdomains.

    Is it supported? Are there any difficulties?



    1. Former Member Post author

      Hi Stephan,

      I have purchased only one certificate. Below is my workaround.

      1. Web dispatcher SSL Server – Purchased certificate

      2. Between Web dispatcher and ERP – Used self signed certificates(Long Validity)

      3. ERP SSL Client – Same purchased certificate.

      By doing it this way, I am able to reduce cost.



      1. Harish Kintali

        Hi Deepak,

        If it is cost you are looking at, it is enough to purchase "*" and use it both for ERP and WebDispatcher.



        1. Former Member Post author

          Hi Harish,

          I did not try this and I could think of one thing, if we take * then any certificate requesting information in the domain will go through. It may create a security issue.



  4. Juan Carlos Chaparro


    We have purchased a wildcard certificate * with godaddy for some web servers. Can we use this certificate for communication between ERP to HCI?

    What would be the correct way to load the certificate?
    Strust -> SSL client standard -> import certificate?

    Thanks for your help.

  5. Former Member



    I have error 403 forbidden testing ERP RFC to HCI.


    Do I have to validate my ERP certificate by setting in STRUST CN=*.domain.local  in SSL standard with go daddy?



