Quick Guide on using Certificates for Integrating C4C and ECC using HCI
In this document I share my learning about using certificates in the integration between C4C and ECC using HCI. It is mainly a compilation of information from the Integration Guides, but purely focused on using certificates. It should be similar for CRM as well.
Quick Reference for Certificates Configuration – between C4C and ECC using HCI
Basically, for a mutual SSL handshake to happen, the client must trust the server and the server must trust the client. To establish this trust, both the client and the server present their certificate (their identity) to the other side. ECC, HCI and C4C each behave as a client or a server depending on the direction of the information flow and on who they are communicating with. E.g. both C4C and ECC communicate with HCI in either an inbound or an outbound direction.
A. For Inbound communication from ECC to C4C via HCI:
There are 2 parts to the trust:
- Between ECC and HCI and
- Between HCI and C4C
1. Between ECC and HCI: ECC is the client (the side initiating the request is deemed the client) and HCI is the server accepting the request, so there must be mutual trust between the two. For the second hop, HCI becomes the client and C4C the server, and mutual trust must exist between those two as well.
a. HCI should trust ECC as a client:
- ECC's own client certificate has to be an approved one. It should not be a self-signed certificate (as shown below) but one signed by a valid/approved CA. A certificate request can be created in STRUST and sent to the CA for signing; the signed response is then imported back into STRUST.
- HCI should have this signed ECC client certificate in its iFlows: once a valid signed certificate has been obtained for the client in ECC, this ECC client certificate needs to be uploaded to the HCI iFlows that use certificate-based authentication (e.g. material replication). Export the SSL client certificate from STRUST and import it into the iFlow in HCI.
b. ECC should trust HCI as a server: HCI is the server for ECC, so the HCI server root certificate has to be imported into STRUST (SSL Client PSE) in ECC. The HCI worker node URL presents the certificate chain; the root of that chain is sufficient. In case you get errors, you can import the intermediate as well, as shown below.
2. Between HCI and C4C: HCI becomes the client and C4C is the server.
a. C4C as a server should trust the HCI client certificate:
- The HCI client certificate details are provided in the HCI provisioning mail (or raise a ticket to obtain them). This certificate then needs to be uploaded to C4C in the communication arrangement for inbound communications, and
- the CA for the HCI certificate should be in the trust list of C4C.
b. HCI should trust the C4C server certificate: nothing needs to be done for this, as it is already taken care of within HCI.
B. For Outbound communications from C4C to HCI:
There are 2 parts to the trust:
- Between C4C and HCI and
- Between HCI and ECC
1. Between C4C and HCI: C4C is the client and HCI is the server (C4C is the one initiating the request, hence is deemed the client).
a. The CA for the HCI server certificate should be in the trust list of C4C.
b. The C4C client certificate should be imported into the iFlows in HCI in the sender channel: export the X.509 certificate from the C4C communication arrangement and import it into the iFlows in HCI.
c. The HCI server should be trusted by the C4C client: nothing needs to be done for this.
2. Between HCI and ECC: HCI is the client and ECC is the server.
a. ECC: in the SSL Server PSE in STRUST, the HCI client certificate has to be imported.
The HCI client certificate is present inside the key store of HCI. You need to request the operations team to provide you the corresponding public certificate, from which you can get the issuer certificate (raise a ticket for this). This then needs to be present in the Server PSE of ECC.
Two things are involved:
1. The actual HCI client certificate that comes with the provisioning mail: you can use this for the user-to-certificate mapping explained later.
2. The certificate chain of HCI as a client: request this in LOD-HCI and, once obtained, import it into the STRUST list of the SSL Server PSE (this may or may not be required, but for me it worked with having this complete information).
Additionally, the issuer certificate of HCI should be stored in the system which is facing the internet:
– For example, if HCI can directly connect to the backend system, then the root certificate of HCI should be placed in the Server PSE of the backend system.
– If there is a reverse proxy which receives the request from HCI, then the root certificate of HCI should be placed in the trust store of the proxy server.
For simplicity, this blog does not cover the reverse proxy scenario between HCI and ECC.
Upload to STRUST Server SSL
b. ECC should have a CA-signed server certificate, and its root certificate should be trusted by HCI in its keystore. Do ensure that this is not a self-signed certificate, as it would not work.
A CA-signed server certificate (with its root) has to be obtained by the customer and uploaded here.
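The trust relationships in sections A and B (the client's trust list needs the server's root; the server's trust list needs the CA that signed the client certificate; the root alone is enough when the peer presents its intermediate; a self-signed client certificate is refused) can be reproduced outside SAP with a throwaway PKI. The Go program below is an added example written for this page, not SAP's or the blog author's code: it constructs its own root, intermediate, server and client certificates in memory (the names "hci-server", "ecc-client" and "ecc-selfsigned" are constructed stand-ins) and runs mutual TLS handshakes over loopback, with Go's crypto/tls trust pools playing the role of the STRUST PSEs and the HCI keystore.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// issue signs a certificate for cn with parent; parent == nil makes it self-signed. CAs get no EKU.
func issue(cn string, isCA bool, eku []x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{ // constructed throwaway PKI; a real CA uses random serials and longer lifetimes
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku, IsCA: isCA, BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// handshake runs one mutual TLS handshake over loopback plus a 2-byte application message, so that a
// client-certificate rejection (which TLS 1.3 reports only after the client's Handshake returns) surfaces as an error.
func handshake(server, client *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			srvErr <- err
			return
		}
		conn := tls.Server(raw, server)
		defer conn.Close()
		conn.SetDeadline(time.Now().Add(5 * time.Second))
		if err = conn.Handshake(); err == nil {
			_, err = conn.Write([]byte("ok")) // reached only once the client certificate was accepted
		}
		srvErr <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), client)
	if err == nil {
		defer conn.Close()
		conn.SetDeadline(time.Now().Add(5 * time.Second))
		_, err = io.ReadFull(conn, make([]byte, 2)) // fails with the server's alert if it rejected our cert
	}
	if srv := <-srvErr; err == nil {
		return srv
	}
	return err
}

// Scenarios exercises the trust combinations from the text; each entry is true when the mutual handshake succeeded.
func Scenarios() map[string]bool {
	root, rootKey := issue("Constructed Root CA", true, nil, nil, nil)
	inter, interKey := issue("Constructed Intermediate CA", true, nil, root, rootKey)
	srv, srvKey := issue("hci-server", false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, inter, interKey)
	cli, cliKey := issue("ecc-client", false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, inter, interKey)
	selfCli, selfKey := issue("ecc-selfsigned", false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, nil, nil)
	rootOnly, rootAndInter := x509.NewCertPool(), x509.NewCertPool() // trust lists (STRUST PSE / HCI keystore)
	rootOnly.AddCert(root)
	rootAndInter.AddCert(root)
	rootAndInter.AddCert(inter)
	fullSrv := tls.Certificate{Certificate: [][]byte{srv.Raw, inter.Raw}, PrivateKey: srvKey} // leaf + intermediate
	leafSrv := tls.Certificate{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}            // leaf only
	fullCli := tls.Certificate{Certificate: [][]byte{cli.Raw, inter.Raw}, PrivateKey: cliKey}
	server := func(trust *x509.CertPool, own tls.Certificate) *tls.Config { // certificate-based authentication required
		return &tls.Config{Certificates: []tls.Certificate{own}, ClientCAs: trust, ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS12}
	}
	client := func(trust *x509.CertPool, own tls.Certificate) *tls.Config {
		return &tls.Config{Certificates: []tls.Certificate{own}, RootCAs: trust, ServerName: "hci-server", MinVersion: tls.VersionTLS12}
	}
	return map[string]bool{
		"root alone on each side, full chains presented":    handshake(server(rootOnly, fullSrv), client(rootOnly, fullCli)) == nil,
		"self-signed client certificate":                    handshake(server(rootOnly, fullSrv), client(rootOnly, tls.Certificate{Certificate: [][]byte{selfCli.Raw}, PrivateKey: selfKey})) == nil,
		"server omits intermediate, client has root only":   handshake(server(rootOnly, leafSrv), client(rootOnly, fullCli)) == nil,
		"server omits intermediate, client imported it too": handshake(server(rootOnly, leafSrv), client(rootAndInter, fullCli)) == nil,
	}
}

func main() {
	for name, ok := range Scenarios() {
		fmt.Printf("%-52s handshake ok: %v\n", name, ok)
	}
}
```

The first case is the configuration the text recommends: each side's trust list holds only the peer's root, and each side presents its leaf together with the intermediate, so the handshake succeeds. The self-signed client certificate fails because the server's trust list contains only the CA, which is exactly why a self-signed ECC client certificate cannot be used. The last two cases show what happens when the server does not send its intermediate: with only the root in the trust list the chain cannot be built, and importing the intermediate as well (the "in case you get errors" advice) makes it verify again.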
Mapping the Integration User to the Certificate
When using certificate-based authentication, the user needs to be mapped to the certificate so that this certificate can be used to authenticate the user. The certificate that you need to map can be found in the HCI provisioning mail as an attachment.
Create Service Account for Connectivity from HCI to ERP
1. From transaction SU01, create a service account with the type C or B and assign the custom roles:
SAP_SD_COD_INTEGRATION
SAP_SD_COD_INTEGRATION_EXT
In the following example, the CODINTG user is mapped to the HCI client certificate. To map the HCI client certificate to the service account, follow the steps below.
6. Select the file that contains the public certificate and click Open.
Hi Vinita,
This is interesting, I need a clarification in B. For Outbound communications from C4C to HCI: 2nd part - HCI is the Client and ECC is the server. You mentioned HCI client certificate should be imported in SSL Server but in the screenshot, I see that the imported certificates are the HCI Root certificates. Are these the root certificates of the HCI Client certificate provided by SAP?
Regards,
Rajiv
Hello Rajiv
Yes - the HCI root certificates are provided by SAP. You will need to create a ticket for SAP to send it to you, but SAP will provide this to you. The only certificates you must provide is the ERP certificate. Also, I don't know if Natalia discusses it here, but the reverse proxy server certificate must also be purchased by the customer. SAP provides the C4C and HCI certificates - client and server.
Regards
Ginger
Hi Ginger,
So this root certificates are different from those we can extract from the certification path view in the provided HCI client certificate in the provisioning email?
Best Regards,
Rajiv
Hi Rajiv
for the 2nd part of this blog - please look at our web dispatcher guide. The reverse proxy isn't included here, but is needed. The reverse proxy must have the trust with ERP - it forwards a client certificate which is mapped to the user ID in ERP.
How to Set Up SAP Web Dispatcher for Two Way SSL between SAP Cloud for Customer and SAP NetWeaver Application Server in …
-ginger
Thanks Ginger
Hello Vinita,
thanks for this blog 🙂 I really like it
for the second part I would like to comment:
Between HCI and ERP there will always be another server (e.g. SAP Web Dispatcher) acting as a reverse proxy. If you do it very securely - then the Web Dispatcher would terminate SSL and therefore we have a handshake first between HCI and WD and second between WD and ERP. This influences the settings in the trust relations: e.g. WD has to trust the HCI client cert......
I think you could either mention that your blog is for simplicity reasons not considering the Reverse Proxy or you could improve your section 2 by considering the WD....
What do you think?
Regards,
Berthold
Hi Berthold,
Incorporated your feedback now..Thanks !
Hello Vinita,
one small proposal for simplification regarding section 1b)
It is sufficient to import the root CA of HCI server certificate into ERP STRUST. I know that there are a lot of documents stating that the complete chain must be imported into the trust list - but this is not true. For the Handshake with HCI Server the root is sufficient.
Best regards,
Berthold
Hi Berthold,
Incorporated your feedback now..Thanks !
Hi Vinita.
Thank you so much for your wiki; it helps us a lot in our integration (CRM < --- > C4C via HCI). I have a question on outbound communication.
Outbound communications from C4C to CRM : Between HCI and CRM , HCI is the Client and CRM is the server
Have a nice week ahead 🙂
Thanks,
Rajesh Nimmakayala
Hi Vinita,
nice blog... Helps understanding the certificate based client authentication.
You wrote the following:
2. HCI is the Client and ECC is the server
ECC- In the Server SSL, the HCI client certificate has to be imported in STRUST
The HCI client certificate is present inside the key store of HCI. You need to request
operations team to provide you the corresponding public certificate, from which you can
get the issuer certificate (raise a ticket for this). This then needs to be present in
the Server PSE of ECC.
Now we have obtained the HCI client certificate via LOD-HCI. In this client certificate
I do not see any key chain. What certificate needs to be obtained in addition as mentioned above? I'm a little confused here "provide you the corresponding public certificate".
Best Regards
Florian
Hi Florian,
You can request specifically for the Root and Intermediate certificates in the ticket. From what I know, this process would be automated soon and you would be able to download the complete chain, but for now, you can request for this in the ticket itself
Kind Regards,
Vinita
Hi Vinita,
just to get the picture completely.
The HCI client certificate provided via SAP ticket. This certificate is issued by Verizon.
The root and intermediate certificates from HCI were retrieved via the link "https://<host><port>/cxf" of the HCI worker node.
Above you wrote in the chapter "Connectivity from HCI to ERP" that the public client certificate from HCI has to be assigned in VUSREXTID. Is this the HCI client certificate mentioned in my screenshot or a different one which has to be obtained separately?
Thank you!
Florian
Hi Florian,
Sorry for the late response..
Let me clarify based on what worked for me:
1. The HCI Client Certificate that you get with the mail is used to do the user-cert mapping in ECC (your attached pic)
2. The HCI Client Cert Chain (Root and Intermediate) can be obtained by requesting for this in the LOD-HCI component and importing both of these in the STRUST Server list
I've also updated this info in the blog itself !
Hope this helps
Kind Regards
Vinita
Hi Vinita,
Yes, it helps very much. Thank you.
Best Regards
Florian
Hi Vinita,
Is this HCI Client Cert Chain (Root and Intermediate) not the same with the certificates (referring to Baltimore and Cybertrust) that we can view from the Certification Path of the HCI Client certificate provided by SAP in the provisioning email? Please see attached screenshot.
Regards,
Rajiv
Hi Rajiv,
If you got the whole chain in the mail then fine... If you got just the actual Client Cert and not the whole chain, then you need to request for it. Actually the Root should be sufficient anyways
Regards
Vinita
Hi Vinita,
Actually we just have the HCI client certificate, then we extract the root and intermediate from the Certification Path view (in my screenshot above) and imported them in SSL Server since we're not using reverse proxy but then we still have this 403 - Forbidden error.
Regards,
Rajiv
Hi Rajiv,
The Certification Path wasn't there in this case..
Ok Vinita, got it. So in our case, we don't need to request for the certificate chain of our HCI client certificate right? Now I'm puzzled on why we're still getting forbidden error. For our outbound connection from onpremise to C4C it's working well, but not for C4C to onpremise.
Rajiv
In my opinion, for Auth error, you need to ensure that the Certificate Mapping to the User in ECC is done correctly, and that this user has the necessary Roles/Profiles assigned to him.
Does ERP and CRM have the same roles that need to be maintained as stated above,
SAP_SD_COD_INTEGRATION
SAP_SD_COD_INTEGRATION_EXT?
Rajiv
HI,
Can you please try to add the HCI root and intermediate certificate to your certificate list of the SSL Server PSE. Whichever certificate you are getting from the HCI tenant URL is not HCI's but belongs to the load balancer.
Please raise an incident and SAP will provide you the certificate. The HCI intermediate certificate is different from the load balancer intermediate certificate. Hope it might help you.
Hi Rajesh,
Root and Intermediate certificates of HCI client certificate are already imported in SSL Server PSE but still getting the error 403-Forbidden. I will check on the roles of the user as what Vinita suggested.
Rajiv
Hi Vinita,
I followed your step above in mapping the HCI client certificate to the CRM user created for integration. Below is the mapped HCI client certificate.
And the roles of the User
For the roles, we just applied SAP Note 1956819, your response is highly appreciated.
Thanks and Best Regards,
Rajiv
@Rajiv - would you please post your latest question to a forum question - It's moved over so far it's hard to read - and I'll ask Berthold Wocher to check it out.
Thanks!
Ginger
Hi Ginger/Berthold,
New discussion (C4C to CRM integration using HCI Certificate-based Authentication - 403 Forbidden) for this matter. Thank you.
Rajiv
Hello Rajiv,
in order to eliminate possible error reasons - I would suggest in a first step to assign SAP_ALL to the communication user. If that works, then you can adjust the profile/role to minimal rights again.
Alternatively you can also do an authorization trace in ST01 - and check whether you find there an error.
Best regards,
Berthold
Hi Berthold,
I assigned SAP_ALL to the CRM user now but still have the same error.
Regards,
Rajiv
Hello Experts,
We are able to successfully test the outbound connection from HCI to CRM. But when we push the data from C4C to CRM via HCI we are getting the following error in HCI.
We are using basic authentication from HCI to CRM and using the Integration User who has authorization role of Z_SAP_C4C_INTEGRATION in CRM.
Can you please tell us what we are missing???
Thanks and Regards,
Sriram
Hello Sriram,
There is a standard role to be assigned to the user in CRM - please check the guide. I don't think it is a Z** role. Else for starters, try giving SAP_ALL to the CRM user id and test the scenario. Then you can cut back on the authorizations.
Best Regards,
Pragya
Also..it will be good to start a discussion thread for the question..that way it is easy to read...
Hi Pragya/Sriram,
I started a new discussion (C4C to CRM integration using HCI Certificate-based Authentication - 403 Forbidden) for this as we have the same error (403-Forbidden) from C4C to CRM.
Regards,
Hi Vinita,
Thanks for the post on certificate-based integration with C4C to ERP. We have followed all the steps which you have mentioned in the blog. When we try to test the connection from C4C to HCI for the "Check connectivity with Business Suite" communication scenario, we get an error in C4C saying "ICM_SSL_HTTP_ERROR". Could you please help us to resolve this issue.
Please help us are we missing any steps.
Note: We are facing this issue even with the Basic Authentication flow from C4C to HCI.
Attached is the screenshot for your reference.
Thanks so much
Regards
Edison EY
HI Edison
The SSL means that there isn't trust. Have you checked the connectivity FAQ? Connectivity FAQ - Integrating Cloud for Customer with SAP ERP/CRM
Has your network person done the configuration? They can check the logs for the trust issue. If you can't resolve it, you can create a ticket in LOD-CRM-INT-NET. The SAP support team will need to work with the network administrator.
-ginger
Thanks Ginger for quick response.
We have added the HCI Root certificate of Signed CA in the C4C trusted list and C4C root certificate we have added in the HCI Integration flow. Do we need to do any further steps for the SSL trust. The communication is not happening between C4C and HCI. We are not able to see any trace log in the webservice Message monitoring as well.
Please help us with any example.
Thanks
Edison EY
Hello Edison,
Please check the steps in the integration guide - every point where it talks of the setup in C4C and HCI.
BTW is your ERP outside the customer network?
It would also be better to first try the ERP->C4C connection. Does that work for you? If not, then you need to first check the config on your ERP and HCI to connect to ERP and then come to C4C and HCI. Trust between C4C and HCI is mostly handled by SAP already. The only thing that could be missing is the client certificate, which would be for certificate-based authentication.
It would be easier if you have a separate thread to the issue...
Best Regards,
Pragya
Hi Edison
Pragya's point is right - maybe create another thread.
First test should be: ECC - HCI - C4C
for C4C back down you need the reverse proxy - it also needs trust to HCI and ECC.
-ginger
Hi Vinita,
very nice blog, I have followed this and tried establishing connectivity between C4C and HCI. When I do the connection check in the communication arrangement, I am getting the error below.. any suggestion?
Error accessing service; Service Ping ERROR: Error when calling SOAP Runtime functions: SRT: Processing error in Internet Communication Framework: ("ICF Error when receiving the response: ICM_HTTP_CONNECTION_BROKEN") ()
Hello Vinita ,
Thanks for the blog! It is really helpful
but for ECC to HCI, don't we need to update the HCI system.jks file with the ECC client certificate
or is it sufficient to upload the ECC client certificate in the iFlow (sender system)?
Ginger Gatling
No, for ECC to HCI we do not need to update the HCI tenant key store, since the key store does not come into the picture here: for ECC->HCI the handshake is done between the client and the load balancer. But if you need to connect HCI to ECC (HCI as client, ECC as server), then the HCI key store needs to be loaded with the ECC server root CAs (WD certificates if a WD is used).
Very nice blog, thank you! I only wish there was a similar blog with images where the HANA Cloud Connector is used in place of the Web Dispatcher 🙂
Hi Ossi!
Did you ever find this? Wondering if there is a clever way of using the Cloud Connector for outbound messaging from the backend to HCI. 🙂
All the best,
@simenhuuse
Hello Simen! No, I didn't find such a doc. Usually the assumption is that you should be able to connect from the backend to HCI directly, bypassing the SCC. Referring to this.
However, it has been many months since I last looked into these, there might be new possibilities and better documents available. At least I hope so! 🙂
hi vinita
when HCI is the client and ECC is the server, we need to do two things:
1. Actual HCI Client certificate that comes with the provisioning Mail – You can use this to do the User->Certificate mapping explained later
2. The Certificate Chain of HCI as a client -> Request for this in LOD-HCI, and once obtained, import it to the STRUST list of the PSE Server (This may or may not be required, but for me it worked with having this complete information)
I just can't understand what's the difference between 'HCI Client certificate' and 'Certificate Chain of HCI'. Can we just import the HCI client certificate into the STRUST list of the PSE Server, not the certificate chain?
Hi everyone,
I am trying to connect C4C and CPI for the basic connectivity test scenario. Currently I am stuck getting a connection from C4C to CPI. When I do the connection check (outbound) in the communication arrangement I get the following error: Fehler beim Zugreifen auf den Service: Service-Ping-Fehler: Unauthorized (401)
I downloaded the certificate already from C4C and imported into the iFlow in CPI but still does not work.
iFlow: Check Connectivity to SAP Business Suite
Any ideas?
Thanks
Best regards
DL
Hi Dominik,
Have you yet fixed this issue? I am exactly stuck in the same situation. Please let me know if you have any solution. Thank you very much.
Best regards,
Justin
Hello Justin,
yeah, the connection from C4C to CPI is working in the meantime. "Process Integration" is needed as a service in the BTP subaccount of the CPI. This service will provide the option to use certificate-based authentication.
Thanks
Best regards
DL
Hello Dominik,
Please correct me if my understanding is right. I found guides that are using "Process Integration" are for HTTP communication. But I am using SOAP type in the iflow. How should I deploy it? Could you provide any guides for it?
Thank you very much.
BR,
Justin
Hello Justin,
independent of the adapter type, the Process Integration is needed. The Process Integration will map the incoming request from C4C to the standard role "MessageSend". For that you need to activate the Process Integration and create one service key. In this service key you can import the certificate from C4C. In the iFlow you do not need to do any special setting. Just check if the standard role "MessageSend" is assigned to this iFlow (inbound adapter e.g. SOAP).
Thanks
Best regards
DL