HCI Integration with SAP ECC/CRM System


Content

1. Introduction to Digital Certificates and the SSL Handshake

2. Customer Landscapes and the Certificate Request

3. Connection setup from SAP ERP – HCI – C4C

4. Connection setup from C4C – HCI – Web Dispatcher – SAP ERP with SSL Termination

1. Introduction to SSL Certificates and the SSL Handshake

What is an SSL certificate?

SSL certificates are small data files that digitally bind a cryptographic key to an organization’s details. When installed on a web server, a certificate enables the HTTPS protocol and allows secure connections from the web server to a browser or an application.

Certificate information:

In the certificate’s general information you can find “Issued to”, “Issued by” and the validity period of the certificate.

Certification path:

When a certificate is signed by a Certificate Authority, it has a root and the signed certificate (there may also be intermediate or chain certificates in between).

What is the SSL handshake?

In two-way SSL authentication, the SSL client application verifies the identity of the SSL server application, and then the SSL server application verifies the identity of the SSL client application.

Two-way SSL authentication is also referred to as client authentication, because the application acting as the SSL client presents its certificate to the SSL server after the SSL server has authenticated itself to the SSL client.

2. Customer Landscapes and the Certificate Request

Every customer landscape is unique. There are a couple of scenarios I would like to discuss here for when you apply for a certificate.

a. Multiple domain architecture – public and internal domain

b. Single domain architecture – public registered domain

A. Multiple domain architecture

In this network landscape there are two domains. “Internaldomain.com” is the internal domain and it is not registered. As it is not registered, a Certificate Authority will not sign a CSR (certificate signing request) for it. If you have a publicly registered domain, you can create a CSR with that domain and get it signed by a CA.

B. Single domain architecture

The customer has only one domain and it is publicly registered. You can create a CSR on that domain.

3. Connection setup from SAP ERP – HCI – C4C

Go to transaction STRUST.

Below is an example showing the DN of the certificate:

DN = CN=erpc.externaldomain.com, OU=Information Technology, O=mycompany Inc, L=Location, S=State, C=Country

This is the CSR. Copy the CSR and get it signed by a Certificate Authority.

Note: The CA should be in the trust list of HCI. Please check the latest HCI trust list.

http://www.entrust.net/cisco/

Signing algorithm: Select the algorithm, SHA1 or SHA2. The certificate root may change depending on the algorithm selected. Make sure that this root is in the trust list of HCI.

Proceed to the next step and check the summary of the certificate. Provide the necessary contact information. You will get the signed certificates from the CA in 3-4 days.

The downloaded bundle contains three certificates:

1. entrustcert.crt – signed server certificate

2. L1Cchain.txt – chain certificate (change the file extension from txt to crt)

3. L1Croot.txt – root certificate (change the file extension from txt to crt)

Import the certificate response in STRUST.

Copy and import the response.

Import the chain and root certificates into the certificate list and add them to the database.

Adding the certificate to the database:

Similarly, add the other certificate to the certificate list and database.

Go to the HCI tenant URL:

Export the certificate in X.509 format.

Similarly, save the “Cybertrust Public SureServer SV CA” certificate in X.509 format.

Import the Baltimore CyberTrust Root and Cybertrust Public SureServer SV CA certificates into the certificate list and database in STRUST.

We have now deployed the required certificates on the SAP ERP/CRM system.

On the HCI tenant we can deploy a keystore artifact. This keystore contains the certificates required to authenticate the client. There is only one keystore per tenant, and this file is called system.jks. In this scenario we have to load the server certificate’s chain and root (L1Cchain.crt and L1Croot.crt). To load these certificates you need to raise a ticket with SAP.

system.jks can be seen in Eclipse under the deployed artifacts.

SAP provides the HCI tenant certificate; the “Issued to” field of this certificate corresponds to the HCI tenant URL.

In the example below, the certificate is signed by “Cybertrust Public SureServer SV CA”. This certificate and its root should be loaded into the trust list of C4C.

The SAP CRM/ERP – HCI – C4C connection is now established.

4. Connection setup from C4C – HCI – Web Dispatcher – SAP ERP with SSL Termination

HCI certificate exchange mechanism:

Step-by-Step Procedure (On Premise):

1. Install SAP Web Dispatcher and configure it for the CRM or ECC system.

2. Download the latest SAP Cryptographic Library.

3. Copy the SAP cryptographic binaries to the kernel location of the Web Dispatcher:

sapgenpse.exe

sapcrypto.dll

Location – D:\usr\sap\<SID>\SYS\exe\nuc\NTAMD64

Copy sapgenpse.exe and sapcrypto.dll to the above folder.

4. Copy the ticket file to the sec directory under the Web Dispatcher instance directory.

Ticket file location – D:\usr\sap\WHC\W04\sec

The SAP Cryptographic Library files are now installed.

5. Create the server PSE and certificate request using “sapgenpse.exe” from the command prompt.

Go to the Web Dispatcher kernel folder in cmd.

Command syntax: sapgenpse get_pse <additional_options> -p <PSE_Name> -r <cert_req_file_name> -x <PIN> <Distinguished_Name>

Run the “sapgenpse” command below to create the SAPSSLS.pse file and the certificate request:

sapgenpse get_pse -p SAPSSLS.pse -x 123456 -r D:\usr\sap\WHE\W00\sec\cert.req "CN=wd.externaldomain.com, OU=Information Technology, O=mycompany Inc, L=Location, S=State, C=Country"

The domain name must be a publicly registered domain. This CN, wd.externaldomain.com, is the name HCI will use to communicate with the CRM/ERP system.

For example:

CN=wd.externaldomain.com

Here your public domain is “externaldomain.com”, and your public IP should be mapped to the host “wd” in the DNS manager of that domain.

DNS Manager of “externaldomain.com”
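Before sending a CSR to a public CA, it pays to check the DN against the two landscape scenarios in section 2: the CN must be a host name under the registered public domain (not the internal one), and that host must already resolve to the public IP in the domain's DNS manager. The check below is an added example, not code from the original post; the domain names, the public IP and the DNS table are constructed stand-ins.

```python
import re
from typing import Callable, Dict, List, Optional

# Constructed sample landscape (assumed values, not from the post): the customer's
# registered public domain, the unregistered internal domain, and the site's public IP.
PUBLIC_DOMAINS = {"externaldomain.com"}
INTERNAL_DOMAINS = {"internaldomain.com"}
PUBLIC_IP = "203.0.113.10"  # documentation-range address, constructed

# Constructed stand-in for the domain's DNS manager: only "wd" has an A record so far.
FAKE_DNS = {"wd.externaldomain.com": PUBLIC_IP}

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with a hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def parse_dn(dn: str) -> Dict[str, str]:
    """Split 'CN=x, OU=y, ...' into a dict; keys are upper-cased, values stripped."""
    attrs = {}
    for rdn in dn.split(","):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        key, value = rdn.split("=", 1)
        attrs[key.strip().upper()] = value.strip()
    return attrs


def check_csr_dn(dn: str, resolve: Callable[[str], Optional[str]] = FAKE_DNS.get) -> List[str]:
    """Return the problems a public CA (and later HCI) would trip over; [] means the DN is usable."""
    problems = []
    attrs = parse_dn(dn)
    for required in ("CN", "O", "C"):
        if required not in attrs:
            problems.append(f"missing {required}")
    cn = attrs.get("CN", "").lower()
    if not cn:
        return problems
    labels = cn.split(".")
    if len(labels) < 3 or not all(LABEL_RE.match(label) for label in labels):
        problems.append(f"CN {cn!r} is not a valid fully qualified host name")
    parent = ".".join(labels[1:])
    if parent in INTERNAL_DOMAINS:
        problems.append(f"CN is under the unregistered internal domain {parent!r}; a public CA will not sign it")
    elif parent not in PUBLIC_DOMAINS:
        problems.append(f"CN is not under a registered public domain {sorted(PUBLIC_DOMAINS)}")
    elif resolve(cn) != PUBLIC_IP:
        problems.append(f"no DNS A record maps {cn!r} to the public IP {PUBLIC_IP}")
    return problems
```

A stray space inside the CN (as in "CN=Wdc. externaldomain.com") is caught by the label check, which is exactly the kind of typo a CA rejects days later.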


Get cert.req signed by one of the HCI trusted CAs listed below.

List of HCI Trusted CAs:

TC TrustCenter CA

TC TrustCenter Class 2 L1 CA XI

VeriSign Class 1 Public Primary Certification Authority – G3

VeriSign Class 3 Public Primary Certification Authority – G5

VeriSign Class 3 Public Primary Certification Authority – G5 – Intermediate

Entrust.net Certification Authority (2048)

TC TrustCenter Class 2 CA II

CN=TC TrustCenter Class 2 L1 CA XI

Go Daddy Class 2 Certification Authority

Entrust Certification Authority – L1C

VeriSign Class 3 International Server CA – G3

VeriSign Class 3 Secure Server CA – G3

DigiCertSecureServerCA.cer

DigiCertGlobalRootCA.cer

AddTrustExternalCARoot.cer

COMODOHigh-AssuranceSecureServerCA.crt

Baltimore CyberTrust Root

Cybertrust Public SureServer SV CA

CN = Certum CA, O = Unizeto Sp. z o.o., C = PL

CN = Certum Level IV CA, OU = Certum Certification Authority, O = Unizeto Technologies S.A., C = PL

Note: Entrust Certification Authority – L1C provides a free 90-day trial.

6. Similarly, create the client PSE and certificate request using “sapgenpse.exe” from the command prompt.

Go to the Web Dispatcher kernel folder in cmd.

sapgenpse get_pse -p SAPSSLC.pse -x 123456 -r D:\usr\sap\WHE\W00\sec\clientcert.req "CN=wdc.externaldomain.com, OU=Information Technology, O=mycompany Inc, L=Location, S=State, C=Country"

If you have your own CA, get this certificate signed by it, or use the self-signed certificate if both systems are in the same landscape.

7. Create a certificate request for “SSL Server Standard” on the backend ERP system in STRUST.

Right-click on “SSL Server Standard” – Create a certificate request.

CN=erps.externaldomain.com, OU=Information Technology, O=mycompany Inc, L=Location, S=State, C=Country

Export the certificate request as “erps.req”. If you have your own CA, get this certificate signed by it, or use the self-signed certificate if both systems are in a trusted zone (same landscape).


8. From steps 5, 6 and 7 we have generated the following certificate requests:

a. cert.req – Web Dispatcher server

b. clientcert.req – Web Dispatcher client

c. erps.req – STRUST ERP server

9. Get certificate request “a” signed by an HCI trusted CA.

Get certificate requests “b” and “c” signed by your company’s internal CA, or use self-signed certificates.

10. Import the certificate response along with the root certificate and the chain certificate (if applicable).

When a certificate is signed you will get the signed certificate and the root certificate, and you may also get a chain certificate.

sapgenpse import_own_cert -p SAPSSLS.pse -c D:\usr\sap\WHE\W00\sec\responseCert.crt -r D:\usr\sap\WHE\W00\sec\root.crt -r D:\usr\sap\WHE\W00\sec\chain.crt -x 123456

(responseCert.crt is the signed server certificate)

Provide access to the PSE file for the system users:

sapgenpse seclogin -p D:\usr\sap\WHE\W00\sec\SAPSSLS.pse -x 123456 -O <DOMAIN>\SAPService<SID>

11. Similarly, import the certificate response for SAPSSLC.pse (if you are using a self-signed certificate this step is not required).

sapgenpse import_own_cert -p SAPSSLC.pse -c D:\usr\sap\WHE\W00\sec\CResponseCert.crt -r D:\usr\sap\WHE\W00\sec\root.crt -x 123456

(CResponseCert.crt is the signed certificate for this PSE)

Provide access to the PSE file for the system users:

sapgenpse seclogin -p D:\usr\sap\WHE\W00\sec\SAPSSLC.pse -x 123456 -O <DOMAIN>\SAPService<SID>

12. Add the following parameters to the Web Dispatcher profile:

DIR_INSTANCE = D:\usr\sap\WHE\W00
ssl/ssl_lib = D:\usr\sap\WHE\SYS\exe\nuc\NTAMD64\sapcrypto.dll
ssl/server_pse = D:\usr\sap\WHE\W00\sec\SAPSSLS.pse
ssl/client_pse = D:\usr\sap\WHE\W00\sec\SAPSSLC.pse
icm/server_port_2 = PROT=HTTPS, PORT=443, TIMEOUT=900
wdisp/ssl_encrypt = 1
icm/HTTPS/forward_ccert_as_header = true
icm/HTTPS/verify_client = 1
wdisp/ssl_auth = 2
wdisp/ssl_cred = D:\usr\sap\WHE\W00\sec\SAPSSLC.pse

13. Create trust between the ERP system and the Web Dispatcher by exchanging root certificates.

Maintain the root certificate of the ERP “SSL Server Standard” PSE in SAPSSLC.pse:

sapgenpse maintain_pk -a D:\usr\sap\WHE\W00\sec\ERPSCert.cer -p SAPSSLC.pse -x 123456

14. Download and import the HCI X.509 certificate into SAPSSLS.pse on the Web Dispatcher.

Similarly, download the chain certificate.

Save it as “hcicrtchain.cer”.

Maintain the root and chain certificates of HCI in SAPSSLS.pse:

a. sapgenpse maintain_pk -a D:\usr\sap\WHE\W00\sec\hcicrtroot.cer -p SAPSSLS.pse -x 123456

b. sapgenpse maintain_pk -a D:\usr\sap\WHE\W00\sec\hcicrtchain.cer -p SAPSSLS.pse -x 123456

15. Restart the Web Dispatcher.

16. Add the following parameters to the ERP profile (transaction RZ10):

icm/HTTPS/trust_client_with_issuer = <issuer DN of the signed SAPSSLC certificate>
icm/HTTPS/trust_client_with_subject = <subject DN of the SAPSSLC certificate>
icm/HTTPS/verify_client = 1
icm/server_port_0 = PROT=HTTPS,PORT=443,TIMEOUT=120,PROCTIMEOUT=120,VCLIENT=1
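The parameters of steps 12 and 16 work as a pair: the Web Dispatcher forwards the client certificate it received from HCI as a header (forward_ccert_as_header with wdisp/ssl_auth = 2, authenticating itself with SAPSSLC.pse), and the ERP pins the trusted forwarder to that SAPSSLC identity through trust_client_with_issuer and trust_client_with_subject. The lint below is an added example, not part of the original post: it parses both profile fragments (constructed here from the values above; the SAPSSLC issuer and subject DNs are assumed) and reports a missing half of that pairing.

```python
from typing import Dict, List

# Constructed Web Dispatcher profile fragment mirroring step 12 above (placeholder paths).
WD_PROFILE = r"""
DIR_INSTANCE = D:\usr\sap\WHE\W00
ssl/ssl_lib = D:\usr\sap\WHE\SYS\exe\nuc\NTAMD64\sapcrypto.dll
ssl/server_pse = D:\usr\sap\WHE\W00\sec\SAPSSLS.pse
ssl/client_pse = D:\usr\sap\WHE\W00\sec\SAPSSLC.pse
icm/server_port_2 = PROT=HTTPS, PORT=443, TIMEOUT=900
wdisp/ssl_encrypt = 1
icm/HTTPS/forward_ccert_as_header = true
icm/HTTPS/verify_client = 1
wdisp/ssl_auth = 2
wdisp/ssl_cred = D:\usr\sap\WHE\W00\sec\SAPSSLC.pse
"""

# Constructed ERP profile fragment mirroring step 16; the SAPSSLC issuer/subject DNs are assumed.
ERP_PROFILE = r"""
icm/HTTPS/trust_client_with_issuer = CN=Internal CA, O=mycompany Inc, C=Country
icm/HTTPS/trust_client_with_subject = CN=wdc.externaldomain.com, OU=Information Technology, O=mycompany Inc, L=Location, S=State, C=Country
icm/HTTPS/verify_client = 1
icm/server_port_0 = PROT=HTTPS,PORT=443,TIMEOUT=120,PROCTIMEOUT=120,VCLIENT=1
"""

def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines into a dict; only the first '=' separates name from value."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params

def lint_forwarding(wd: Dict[str, str], erp: Dict[str, str]) -> List[str]:
    """Report gaps between certificate forwarding on the Web Dispatcher and the trust restriction on the ERP."""
    findings = []
    if wd.get("icm/HTTPS/forward_ccert_as_header", "").lower() != "true":
        return findings  # nothing is forwarded, so the pairing checks do not apply
    if wd.get("wdisp/ssl_auth") != "2":
        findings.append("WD: forward_ccert_as_header=true but wdisp/ssl_auth is not 2")
    if wd.get("wdisp/ssl_cred") != wd.get("ssl/client_pse"):
        findings.append("WD: wdisp/ssl_cred does not point at ssl/client_pse (the SAPSSLC.pse identity)")
    for param in ("icm/HTTPS/trust_client_with_issuer", "icm/HTTPS/trust_client_with_subject"):
        if not erp.get(param):
            findings.append(f"ERP: {param} is not set; forwarded certificate headers are not tied to the Web Dispatcher identity")
    if erp.get("icm/HTTPS/verify_client", "0") == "0":
        findings.append("ERP: icm/HTTPS/verify_client=0, so the Web Dispatcher client certificate is never requested")
    return findings
```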

17. Access the WebGUI and check the certificate.

HCI integration connectivity is complete.

12 Comments

  1. diptee s

    Hello Deepak,

    When I generated the SAP ERP certificate as per step 3 and sent it to Entrust Datacard services, I received an email saying the following:

    Since your organization name appears on the SSL Certificate, we will need to validate the legal organization name before we can issue the certificate.

    Also, when I try to get my server certificate signed by GoDaddy I receive an email asking me to do Domain Control Validation.

    Can you please suggest how to get around these?

    Regards,

    Diptee
  2. Deepak Rayudu (Post author)

    John,

    The certificates L1CCHAIN and L1ROOT are the chain and root certificates of the server certificate that you got signed by a CA.

    When you open the signed certificate, under Certification Path you will find the certificates; you can export them.

    Let me know if this helps.

    Regards,

    Deepak
  3. Stephan Otto

    Hello together,

    Are there any experiences with using domain certificates with subdomains? For example for the ERP and Web Dispatcher (test and productive). So instead of buying 4 stand-alone SSL certificates with the same domain, you buy one domain certificate and create 4 subdomains.

    Is it supported? Are there any difficulties?

    Thanks,

    Stephan
    1. Deepak Rayudu (Post author)

      Hi Stephan,

      I have purchased only one certificate. Below is my workaround.

      1. Web Dispatcher SSL server – purchased certificate

      2. Between Web Dispatcher and ERP – used self-signed certificates (long validity)

      3. ERP SSL client – same purchased certificate.

      By doing it this way, I am able to reduce cost.

      Regards,

      Deepak
      1. Harish Kintali

        Hi Deepak,

        If it is cost you are looking at, it is enough to purchase “*.domainname.com” and use it both for ERP and Web Dispatcher.

        BR,

        Harish
        1. Deepak Rayudu (Post author)

          Hi Harish,

          I did not try this, and I could think of one thing: if we take *.domainname.com then any certificate requesting information in the domain will go through. It may create a security issue.

          Thanks,

          Deepak