Skip to Content
Author's profile photo Vinita Sinha

Quick Guide on using Certificates for Integrating C4C and ECC using HCI

In this document I share my learning about using Certificates in the Integration between C4C and ECC using HCI. It’s mainly an assimilation of information from the Integration Guides – but purely focused on using Certificates. It should be similar for CRM as well

Quick Reference for Certificates Configuration – between C4C and ECC
using HCI

Basically, the Client should trust the Server and the Server should trust the Client for a mutual SSL handshake to happen. To have this trust, both the client and server should provide their certificate/identification to the other. ECC/HCI/C4C behave as a client or server depending upon the direction of flow of information and based on who they are communicating with – Eg: both C4C and ECC communicate with HCI either in an Inbound direction or Outbound direction

A.   For Inbound communication from ECC to C4C via HCI:

/wp-content/uploads/2015/03/1_670434.png

There are 2 parts to the trust:

  1. Between ECC and HCI and
  2. Between HCI and C4C

Between ECC and HCI: ECC is the Client (The side initiating the request is deemed as Client, hence ECC is the Client) and HCI is the Server accepting the request. Hence there should be mutual trust between the two. Then, HCI becomes the Client and C4C the Server, and mutual trust should exist between the two

  1. ECC is Client, HCI is server:
    1. HCI should trust ECC as a client ->
        • ECC’s own Client Certificate has to be an approved one. This should not be a Self- Signed certificate(like shown below), instead should be a signed one by a valid/approved CA. A certificate request can be created from the STRUST and sent to the CA for signing. Later, the Signed response can be imported back here

/wp-content/uploads/2015/03/2_670548.png

        • HCI should have this Signed ECC Client Certificate in its iFlows: Once a valid Signed Certificate has been obtained for the Client in ECC, in HCI, in the iFlows – eg.Material replication, using certificate based authentication, this ECC Client Cert needs to be uploaded to the iFlow – Export this SSL Client Certificate from STRUST and import to the iFlow in HCI

/wp-content/uploads/2015/03/3_670549.png
b.      ECC should trust HCI as a Server: HCI is the server for ECC, and the HCI Server Root Certificate has to be imported to STRUST in ECC.           HCI Worker node URL has the certificate chain which should be imported in STRUST – SSL Client. The Root of the certificate chain is sufficient for this – in case you get errors, you can import the Intermediate as well as shown below

/wp-content/uploads/2015/03/4_670565.png

/wp-content/uploads/2015/03/5_670566.png

  2.      Between HCI and C4C, HCI becomes the client and C4C is the server

    1. C4C as a Server should trust the HCI client cert
      • In the HCI provisioning mail, the HCI Client Certificate details are provided – or raise a ticket. This then needs to be uploaded to C4C in the communication arrangement for Inbound communications, and
      • the CA for the HCI cert should be in the trust list of C4C

/wp-content/uploads/2015/03/6_670567.png

     b. HCI should trust the C4C Server Cert – Nothing needs to be done for this, as this is already taken care of within HCI.

B. For Outbound communications from C4C to HCI:

/wp-content/uploads/2015/03/7_670568.png
There are 2 parts to the trust:

  1. Between C4C to HCI and
  2. Between HCI to ECC

1. Between C4C to HCI : C4C is the client and HCI is the server (C4C is the one initiating the request, hence is deemed as the Client)

    1. The CA for the HCI server cert should be in the trust list of C4C
    2. C4C client certificate should be imported to the iFlows in HCI in the sender channel – You need to export the x.509 certificate from C4C Communication arrangements and import it to the iFlows in HCI

/wp-content/uploads/2015/03/8_670569.png

/wp-content/uploads/2015/03/9_670574.png

/wp-content/uploads/2015/03/10_670575.png
           c. HCI server should be trusted by C4C client. Nothing needs to be done for this

2. HCI is the Client and ECC is the server

    1. ECC- In the Server SSL, the HCI client certificate has to be imported in STRUST

          The HCI client certificate is present inside the key store of HCI. You need to request operations team to provide you the corresponding public certificate, from which you can get the issuer certificate (raise a ticket for this). This then needs to be present in the Server PSE of ECC.

2 things:

1. Actual HCI Client certificate that comes with the provisioning Mail – You can use this to do the User->Certificate mapping explained later

2. The Certificate Chain of HCI as a client -> Request for this in LOD-HCI, and once obtained, import it to the STRUST list of the PSE Server (This may or may not be required, but for me it worked with having this complete information)

Additionally the issuer certificate of HCI should be stored in the system which is facing the internet.

– For example if HCI can directly connect to backend system then the root certificate of HCI should be placed in the Server PSE of the backend system.

– If there is a reverse proxy which receives the request from HCI then the root certificate of HCI should be placed in the trust store of the proxy server.

For simplicity reasons, this blog does not talk about the Reverse Proxy  Scenario in between HCI and ECC.

Upload to STRUST Server SSL

/wp-content/uploads/2015/03/11_670576.png

b.    ECC should have a signed Server Root certificate, which should be trusted by HCI in its keystore. Do ensure that this is not a self-signed certificate as it would not work

/wp-content/uploads/2015/03/12_670577.png

A Certified Root Server Certificate one has to be obtained by the customer and uploaded here

Mapping the Integration User to the Certificate

When using Certificate based Authentication, the user needs to be mapped to the certificate – so that this certificate can be used to authenticate the
user. The certificate that you need to map can be found in the HCI provisioning mail as an attachment

Create Service Account for Connectivity from HCI to ERP

1. From transaction SU01, create a service account with the type C or B and assign the custom roles :

SAP_SD_COD_INTEGRATION

SAP_SD_COD_INTEGRATION_EXT

/wp-content/uploads/2015/03/13_670578.png

In the following example, the CODINTG user is mapped to the HCI client certificate. To map HCI Client Certificate with Service Account, follow the
steps below.

/wp-content/uploads/2015/03/14_670579.png

/wp-content/uploads/2015/03/15_670580.png

6. Select the file that contains the public certificate and click Open.

/wp-content/uploads/2015/03/16_670581.png

Assigned tags

      46 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Rajiv Juarbal
      Rajiv Juarbal

      Hi Vinita,

      This is interesting, I need a clarification in B. For Outbound communications from C4C to HCI: 2nd part - HCI is the Client and ECC is the server. You mentioned HCI client certificate should be imported in SSL Server but in the screenshot, I see that the imported certificates are the HCI Root certificates. Are these the root certificates of the HCI Client certificate provided by SAP?

      Regards,

      Rajiv

      Author's profile photo Ginger Gatling
      Ginger Gatling

      Hello Rajiv

      Yes - the HCI root certificates are provided by SAP.   You will need to create a ticket for SAP to send it to you, but SAP will provide this to you.   The only certificates you must provide is the ERP certificate.  Also, I don't know if Natalia discusses it here, but the reverse proxy server certificate must also be purchased by the customer.   SAP provides the C4C and HCI certificates - client and server. 

      Regards

      Ginger

      Author's profile photo Rajiv Juarbal
      Rajiv Juarbal

      Hi Ginger,

      So this root certificates are different from those we can extract from the certification path view in the provided HCI client certificate in the provisioning email?

      Best Regards,

      Rajiv

      Author's profile photo Ginger Gatling
      Ginger Gatling

      Hi Rajiv

      for the 2nd part of this blog - please look at our web disptacher guide.  The reverse proxy isn't included here, but is needed.   The reverse proxy must have the trust with ERP - it forwards a client certificate which is mapped to the user ID in ERP.  

      How to Set Up SAP Web Dispatcher for Two Way SSL between SAP Cloud for Customer and SAP NetWeaver Application Server in …

      -ginger

      Author's profile photo Rajiv Juarbal
      Rajiv Juarbal

      Thanks Ginger

      Author's profile photo Berthold Wocher
      Berthold Wocher

      Hello Vinita,

      thanks for this blog 🙂 I really like it

      for the second part I would like to comment:

      Between HCI and ERP there will be always another Server (e.g. SAP Web Dispatcher) actings as a Reverse Proxy. If you do it very secure - then the Web Dispatcher would terminate SSL and therefore we have an handshake first between HCI and WD and second between WD and ERP. This influences the settings in the trust relations: e.g. WD has to trust the HCI client cert......

      I think you could either mention that your blog is for simplicity reasons not considering the Reverse Proxy or you could improve your section 2 by considering the WD....

      What do you think?

      Regards,

      Berthold

      Author's profile photo Vinita Sinha
      Vinita Sinha
      Blog Post Author

      Hi Berthold,

      Incorporated your feedback now..Thanks !

      Author's profile photo Berthold Wocher
      Berthold Wocher

      Hello Vinita,

      one small proposal for simplification regarding section 1b)

      It is sufficient to import the root CA of HCI server certificate into ERP STRUST. I know that there are a lot of documents stating that the complete chain must be imported into the trust list - but this is not true. For the Handshake with HCI Server the root is sufficient.

      Best regards,

      Berthold

      Author's profile photo Vinita Sinha
      Vinita Sinha
      Blog Post Author

      Hi Berthold,

      Incorporated your feedback now..Thanks !

      Author's profile photo Rajesh nimmakayala
      Rajesh nimmakayala

      Hi Vinita.

      Thank you so much for your wiki and it helps us a lot in our integration (CRM  < --- > C4C via HCI) I have a question in outbound communication.

      Outbound communications from C4C to CRM :  Between HCI and CRM  , HCI is the Client and CRM  is the server

      1. CRM- In the Server SSL, the HCI client certificate has to be imported in STRUST (Does this HCI client certificate is same as provided in HCI provisioning email ) ?

      Have a nice week ahead 🙂  

      Thanks,

      Rajesh Nimmakayala

      Author's profile photo Florian Preuss
      Florian Preuss

      Hi Vinita,

      nice blog... Helps understanding the certificate based client authentication.

      You wrote the following:

      2. HCI is the Client and ECC is the server

      ECC- In the Server SSL, the HCI client certificate has to be imported in STRUST

      The HCI client certificate is present inside the key store of HCI. You need to request

      operations team to provide you the corresponding public certificate, from which you can

      get the issuer certificate (raise a ticket for this). This then needs to be present in

      the Server PSE of ECC.

      Now we have obtained the HCI client certificate via LOD-HCI. In this client certificate

      I do not see any key chain. What certificate needs to be obtained in addition as mentioned above? I'm a little confused here "provide you the corresponding public certificate".

      Best Regards

      Florian

      Author's profile photo Vinita Sinha
      Vinita Sinha
      Blog Post Author

      Hi Florian,

      You can request specifically for the Root and Intermediate certificates in the ticket. From what I know, this process would be automated soon and you would be able to download the complete chain, but for now, you can request for this in the ticket itself

      Kind Regards,

      Vinita

      Author's profile photo Florian Preuss
      Florian Preuss

      Hi Vinita,

      just to get the picture completely.

      The HCI client certificate provided via SAP ticket. This certificate is issued by Verizon.

      /wp-content/uploads/2015/04/2015_04_08_15_54_28_680245.jpg

      The root and intermediate certificates from HCI were retrieved via the link "https://<host><port>/cxf" of the HCI worker node.

      Above you wrote in the chapter "Connectivity from HCI to ERP" that the public client certificate from HCI has to be assigned in VUSREXTID. Is this the HCI client certificate mentioned in my screenshot or a different one which has to be obtained separately?

      Thank you!

      Florian

      Author's profile photo Vinita Sinha
      Vinita Sinha
      Blog Post Author

      Hi Florian,

      Sorry for the late response..

      Let me clarify based on what worked for me:

      1. The HCI Client Certificate that you get with the mail is used to do the user-cert mapping in ECC (your attached pic)

      2. The HCI Client Cert Chain (Root and Intermediate) can be obtained by requesting for this in the LOD-HCI component and importing both of these in the STRUST Server list

      I've also updated this info in the blog itself !

      Hope this helps

      Kind Regards

      Vinita

      Author's profile photo Florian Preuss
      Florian Preuss

      Hi Vinita,

      Yes, it helps very much. Thank you.

      Best Regards

      Florian

      Author's profile photo Rajiv Juarbal
      Rajiv Juarbal

      Hi Vinita,

      Is this HCI Client Cert Chain (Root and Intermediate) not the same with the certificates (referring to Baltimore and Cybertrust) that we can view from the Certification Path of the HCI Client certificate provided by SAP in the provisioning email? Please see attached screenshot.

      HCI_Client_Certificate.jpg

      Regards,

      Rajiv

      Author's profile photo Vinita Sinha
      Vinita Sinha
      Blog Post Author

      Hi Rajiv,

      If you got the whole chain in the mail then fine... If you got just the actual Client Cert and not the whole chain, then you need to request for it. Actually the Root should be sufficient anyways

      Regards

      Vinita

      Author's profile photo Rajiv Juarbal
      Rajiv Juarbal

      Hi Vinita,

      Actually we just have the HCI client certificate, then we extract the root and intermediate from the Certification Path view (in my screenshot above) and imported them in SSL Server since we're not using reverse proxy but then we still have this 403 - Forbidden error.

      Regards,

      Rajiv

      Author's profile photo Vinita Sinha
      Vinita Sinha
      Blog Post Author

      Hi Rajiv,

      The Certification Path wasnt there in this case..

      /wp-content/uploads/2015/04/path_688850.png

      Author's profile photo Rajiv Juarbal
      Rajiv Juarbal

      Ok Vinita, got it. So in our case, we don't need to request for the certificate chain of our HCI client certificate right? Now I'm puzzled on why we're still getting forbidden error. For our outbound connection from onpremise to C4C it's working well, but not for C4C to onpremise.

      Rajiv

      Author's profile photo Vinita Sinha
      Vinita Sinha
      Blog Post Author

      In my opinion, for Auth error, you need to ensure that the Certificate Mapping to the User in ECC is done correctly, and that this user has the necessary Roles/Profiles assigned to him.

      Author's profile photo Rajiv Juarbal
      Rajiv Juarbal

      Does ERP and CRM have the same roles that need to be maintained as stated above,

      SAP_SD_COD_INTEGRATION

      SAP_SD_COD_INTEGRATION_EXT?

      Rajiv

      Author's profile photo Rajesh nimmakayala
      Rajesh nimmakayala

      HI,

      Can you please try to add HCI root and Intermediate certificate to your Certificate list of SSL Server PSE. Which ever certificate you are getting from HCI tenat URL is not HCI but its belongs to Loadbalancer.

      Please raise an incident and SAP will provide you the certificate. HCI intermediate certificate is diffetrent from loadbalancer inermediate certificate. Hope it might help you.

      HCI Inter.JPG

      Author's profile photo Rajiv Juarbal
      Rajiv Juarbal

      Hi Rajesh,

      Root and Intermediate certificates of HCI client certificate are already imported in SSL Server PSE but still getting the error 403-Forbidden. I will check on the roles of the user as what Vinita suggested.

      Rajiv

      Author's profile photo Rajiv Juarbal
      Rajiv Juarbal

      Hi Vinita,

      I followed your step above in mapping the HCI client certificate to the CRM user created for integration. Below is the mapped HCI client certificate.

      Certificate Mapping.JPG

      And the roles of the User

      Roles.JPG

      For the roles, we just applied SAP Note 1956819, your response is highly appreciated.

      Thanks and Best Regards,

      Rajiv

      Author's profile photo Ginger Gatling
      Ginger Gatling

      @Rajiv - would you please post your latest question to a forum question  - It's moved over so far it's hard to read - and I'll ask Berthold Wocher to check it out.

      Thanks!
      Ginger

      Author's profile photo Rajiv Juarbal
      Rajiv Juarbal

      Hi Ginger/Berthold,

      New discussion (C4C to CRM integration using HCI Certificate-based Authentication - 403 Forbidden) for this matter. Thank you.

      Rajiv

      Author's profile photo Berthold Wocher
      Berthold Wocher

      Hello Rajiv,

      in order to eliminate possible error reasons - I would suggest in a first step to assign SAP_ALL to the communication user. If that works, then you can adjust the profile/role to  minimal rights again.

      Alternatively you can also do an authorization trace in ST01 - and check whether you find there an error.

      Best regards,

      Berthold

      Author's profile photo Rajiv Juarbal
      Rajiv Juarbal

      Hi Berthold,

      I assigned SAP_ALL to the CRM user now but still has the same error.

      Regards,

      Rajiv

      Author's profile photo Sriramakrishnan Mathivanan
      Sriramakrishnan Mathivanan

      Hello Experts,

      We are able to successfully test the outbound connection from HCI to CRM. But when we push the data from C4C to CRM via HCI we are getting the following error in HCI.

      1.PNG
      We are using basic authentication from HCI to CRM and using the Integration User who has authorization role of Z_SAP_C4C_INTEGRATION in CRM.

      Can you please tell us what we are missing???

      Thanks and Regards,

      Sriram

      9448655832

      Author's profile photo Pragya Pande
      Pragya Pande

      Hello Sriram,

      There is a standard role to be assigned to user in CRM - please check the guide. I don't think it is Z** role. Else for starters, try giving SAP ALL to CRM user id and test the scenario. Then you can cutback on the authorizations.

      Best Regards,

      Pragya

      Author's profile photo Pragya Pande
      Pragya Pande

      Also..it will be good to start a discussion thread for the question..that way it is easy to read...

      Author's profile photo Rajiv Juarbal
      Rajiv Juarbal

      Hi Pragya/Sriram,

      I started a new discussion (C4C to CRM integration using HCI Certificate-based Authentication - 403 Forbidden) for this as we have the same error (403-Forbidden) from C4C to CRM.

      Regards,

      Author's profile photo Former Member
      Former Member

      Hi Vinita,

      Thanks for the post on Certificate based integration with C4C to ERP. We have followed all the steps which you have mentioned in the blog. When we are trying to test the connection from C4C to HCI for "Check connectivity with Business Suite" communication scenario. We are getting an error in C4C saying " ICM_SSL_HTTP_ERROR". Could you please help us to resolve this issue.

      Please help us are we missing any steps.

      Note: We are facing this issue even with the Basic Authentication flow from C4C to HCI.

      Attached is the screenshot for your reference.

      Thank so much

      Regards

      Edison EYC4C-HCI Connection Issue.jpg

      Author's profile photo Ginger Gatling
      Ginger Gatling

      HI Edison

      The SSL means that there isn't trust.   Have you checked the connectivity FAQ?  Connectivity FAQ - Integrating Cloud for Customer with SAP ERP/CRM

      Has your network person done the configuration? They can check the logs for the trust issue.  If you can't resolve it, you can create a ticket in LOD-CRM-INT-NET.   The SAP support team will need to work with the network administrator.

      -ginger

      Author's profile photo Former Member
      Former Member

      Thanks Ginger for quick response.

      We have added the HCI Root certificate of Signed CA in the C4C trusted list and C4C root certificate we have added in the HCI Integration flow. Do we need to do any further steps for the SSL trust. The communication is not happening between C4C and HCI. We are not able to see any trace log in the webservice Message monitoring as well.

      Please help us with any example.


      Thanks

      Edison EY

      Author's profile photo Pragya Pande
      Pragya Pande

      Hello Edison,

      Please check the steps in the integration guide - every point where it talks of the setup in C4C and HCI.

      BTW is your ERP outside the customer network?

      It would also be better to first try ERP->C4C connection. Does that work for you?If not then you need to first check the config on your ERP and HCI to connect to ERP and then come to C4C and HCI. Trust between C4C and HCI are mostly handled by SAP already. The only thing that could be missing is the client certificate which would be for certificate based authentication.

      It would be easier if you have a separate thread to the issue...

      Best Regards,

      Pragya

      Author's profile photo Ginger Gatling
      Ginger Gatling

      HI Edision

      Pragya's point is write- maybe create another thread.

      First test should be:  ECC - HCI - C4C

      for C4C back down you need the reverse proxy - it also needs trust to HCI and ECC.  

      -ginger

      Author's profile photo Former Member
      Former Member

      HI Vanita,

      very nice blog, i have followed this and tried establishing connectivity between C4C to HCI. when i doing connection check in communication arrangement, i am getting below error.. any suggestion ?

      Error accessing service; Service Ping ERROR: Error when calling SOAP Runtime functions: SRT: Processing error in Internet Communication Framework: ("ICF Error when receiving the response: ICM_HTTP_CONNECTION_BROKEN") ()

      Author's profile photo ankit kesarwani
      ankit kesarwani

      Hello Vinita ,

      Thanks for the  Blog ! It is really helpfull

      but For ECC to HCI , don't we need to update HCI system.jks file with ECC client certificate

      or is it suffice to upload the ECC client certificate in the IFLOW(Sender System) ?

      Ginger Gatling

      Author's profile photo Sreehari Puliparambil Janardhanan
      Sreehari Puliparambil Janardhanan

      No, for ECC to HCI we do not need to update the HCI tenant key store since the key store is not coming to picture in here ECC->HCI Load balancer (handshake is done between client and load balancer). But even though if you need to connect HCI to ECC (HCI as client ECC as server) in that case HCI key store needs to be loaded with ECC server root CAs (WD certificates if WD is used).

      Author's profile photo Ossi M
      Ossi M

      Very nice blog, thank you! I only wish there was a similar blog with images where the HANA Cloud Connector is used in place of the Web Dispatcher 🙂

      Author's profile photo Simen Huuse
      Simen Huuse

      Hi Ossi!

      Did you ever find this? Wondering if there is a clever way of using the Cloud Connector for outbound messaging from the backend to HCI. 🙂

       

      All the best,

      @simenhuuse

      Author's profile photo Ossi Makinen
      Ossi Makinen

      Hello Simen! No, I didn't find such a doc. Usually the assumption is that you should be able to connect from backed to HCI directly bypassing the SCC. Referring to this.

      However, it has been many months since I last looked into these, there might be new possibilities and better documents available. At least I hope so! 🙂

      Author's profile photo David Sun
      David Sun

      hi vinita

      when HCI is client and ecc is service, we need to do two things:

      1. Actual HCI Client certificate that comes with the provisioning Mail – You can use this to do the User->Certificate mapping explained later

      2. The Certificate Chain of HCI as a client -> Request for this in LOD-HCI, and once obtained, import it to the STRUST list of the PSE Server (This may or may not be required, but for me it worked with having this complete information)

      I just can't understand what's the difference between 'HCI Client certificate' and 'Certificate Chain of HCI', can we just import the HCI client certificate into STRUST list of the PSE Server , not the Certificate Chain

       

      Author's profile photo Dominik Lange
      Dominik Lange

      Hi everyone,

       

      I am trying to connect C4C and CPI for the basic connectivity test scenario. Currently I stuck to get a connection from C4C to CPI. When I do the connection check (outbound) in the communication arrangement I got following error: Fehler beim Zugreifen auf den Service: Service-Ping-Fehler: Unauthorized (401)

      I downloaded the certificate already from C4C and imported into the iFlow in CPI but still does not work.

      Communication%20arrangement

      iFlow: Check Connectivity to SAP Business Suite

      iFlow%20setup

       

      Any ideas?

       

      Thanks

       

      Best regards

       

      DL