
In this document I share what I learned about using certificates in the integration between C4C and ECC via HCI. It is mainly a consolidation of information from the Integration Guides, but focused purely on the use of certificates. It should be similar for CRM as well.

Quick Reference for Certificates Configuration – between C4C and ECC using HCI

Basically, for a mutual SSL handshake to happen, the client should trust the server and the server should trust the client. To establish this trust, both the client and the server present their certificate (their identification) to the other side. ECC, HCI and C4C each behave as a client or as a server depending on the direction in which the information flows and on who they are communicating with. E.g. both C4C and ECC communicate with HCI, in either an inbound or an outbound direction.

A. For Inbound communication from ECC to C4C via HCI:

/wp-content/uploads/2015/03/1_670434.png

There are 2 parts to the trust:

  1. Between ECC and HCI and
  2. Between HCI and C4C

Between ECC and HCI: ECC is the client (the side initiating the request is deemed the client, hence ECC is the client) and HCI is the server accepting the request, so there should be mutual trust between the two. Then HCI becomes the client and C4C the server, and mutual trust should exist between those two as well.

  1. ECC is the Client, HCI is the Server:
    a. HCI should trust ECC as a client:
        • ECC’s own client certificate has to be an approved one. It must not be a self-signed certificate (like the one shown below); instead it should be signed by a valid/approved CA. A certificate request can be created in STRUST and sent to the CA for signing. Later, the signed response is imported back there.

/wp-content/uploads/2015/03/2_670548.png

        • HCI should have this signed ECC client certificate in its iFlows: once a valid signed certificate has been obtained for the client in ECC, the ECC client certificate needs to be uploaded to the iFlows in HCI that use certificate-based authentication (e.g. Material replication). Export this SSL client certificate from STRUST and import it into the iFlow in HCI.

/wp-content/uploads/2015/03/3_670549.png
    b. ECC should trust HCI as a server: HCI is the server for ECC, so the HCI server root certificate has to be imported into STRUST in ECC. The HCI worker node URL presents the certificate chain, which should be imported into STRUST under SSL Client. The root of the certificate chain is sufficient for this; in case you get errors, you can import the intermediate as well, as shown below.

/wp-content/uploads/2015/03/4_670565.png

/wp-content/uploads/2015/03/5_670566.png

  2. Between HCI and C4C, HCI becomes the client and C4C is the server:

    a. C4C as a server should trust the HCI client certificate:
      • In the HCI provisioning mail, the HCI client certificate details are provided (or raise a ticket). This then needs to be uploaded to C4C in the communication arrangement for inbound communications, and
      • the CA for the HCI certificate should be in the trust list of C4C.

/wp-content/uploads/2015/03/6_670567.png

    b. HCI should trust the C4C server certificate: nothing needs to be done for this, as it is already taken care of within HCI.

B. For Outbound communications from C4C to HCI:

/wp-content/uploads/2015/03/7_670568.png
There are 2 parts to the trust:

  1. Between C4C and HCI and
  2. Between HCI and ECC

1. Between C4C and HCI: C4C is the client and HCI is the server (C4C is the one initiating the request, hence it is deemed the client).

    a. The CA for the HCI server certificate should be in the trust list of C4C.
    b. The C4C client certificate should be imported into the iFlows in HCI in the sender channel: export the X.509 certificate from the C4C communication arrangement and import it into the iFlows in HCI.

/wp-content/uploads/2015/03/8_670569.png

/wp-content/uploads/2015/03/9_670574.png

/wp-content/uploads/2015/03/10_670575.png
    c. The HCI server should be trusted by the C4C client. Nothing needs to be done for this.

2. HCI is the Client and ECC is the server

    a. ECC: in the Server SSL PSE, the HCI client certificate has to be imported in STRUST.

          The HCI client certificate is kept inside the key store of HCI. You need to ask the operations team (raise a ticket for this) to provide you with the corresponding public certificate, from which you can obtain the issuer certificate. This then needs to be present in the Server PSE of ECC.

There are two things here:

1. The actual HCI client certificate that comes with the provisioning mail. You can use this to do the user-to-certificate mapping explained later.

2. The certificate chain of HCI as a client. Request this in the LOD-HCI component and, once obtained, import it into the STRUST list of the Server PSE. (This may or may not be required, but for me it worked with this complete information in place.)

Additionally, the issuer certificate of HCI should be stored in the system that faces the internet:

– For example if HCI can directly connect to backend system then the root certificate of HCI should be placed in the Server PSE of the backend system.

– If there is a reverse proxy which receives the request from HCI then the root certificate of HCI should be placed in the trust store of the proxy server.

For simplicity reasons, this blog does not talk about the Reverse Proxy scenario in between HCI and ECC.

Upload to STRUST Server SSL

/wp-content/uploads/2015/03/11_670576.png

b. ECC should have a signed server root certificate, which HCI trusts in its keystore. Do ensure that this is not a self-signed certificate, as that would not work.

/wp-content/uploads/2015/03/12_670577.png

A certified root server certificate has to be obtained by the customer and uploaded here.
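The two checks that the sections above rely on (a self-signed certificate is rejected; the root CA alone in the trust list is enough as long as the peer presents its intermediate, and importing the intermediate as well is the fix when it does not) can be reproduced locally with openssl. The following is an added illustration, not from the blog or from SAP: it builds a constructed root CA, intermediate CA and leaf in a temp directory (all names are made up) and runs `openssl verify` as a stand-in for the receiving side's trust list.

```shell
#!/bin/sh
# Added example (not from the blog or SAP): constructed root -> intermediate -> leaf chain,
# built with the openssl CLI in a temp dir, plus a self-signed leaf for comparison.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build the constructed PKI. The intermediate needs CA:TRUE to be accepted as an issuer.
build_demo_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Root CA' \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate CA' \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=ecc.example.invalid' \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 30 -out "$WORK/leaf.pem" 2>/dev/null
  # A self-signed certificate of the kind the text says STRUST partners will not accept
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=selfsigned.example.invalid' \
    -keyout "$WORK/ss.key" -out "$WORK/ss.pem" 2>/dev/null
  # Trust list with the intermediate imported as well (the "in case you get errors" step)
  cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/root_and_inter.pem"
}

# is_self_signed CERT: true when issuer equals subject, i.e. no CA signed it
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
  [ "$subj" = "$iss" ]
}

# verify_chain TRUSTLIST LEAF [PRESENTED_INTERMEDIATE]: emulate the receiving side's check.
# TRUSTLIST stands for what was imported into STRUST / the C4C trust list; the optional third
# argument is the intermediate the peer sends along with its certificate in the handshake.
verify_chain() {
  if [ -n "${3:-}" ]; then
    out=$(openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1) || true
  else
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
  fi
  case "$out" in *": OK"*) echo OK ;; *) echo FAIL ;; esac
}

build_demo_pki
echo "self-signed leaf detected as self-signed:  $(is_self_signed "$WORK/ss.pem" && echo yes || echo no)"
echo "root only, peer sends intermediate too:    $(verify_chain "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/inter.pem")"
echo "root only, peer sends leaf alone:          $(verify_chain "$WORK/root.pem" "$WORK/leaf.pem")"
echo "root + intermediate imported, leaf alone:  $(verify_chain "$WORK/root_and_inter.pem" "$WORK/leaf.pem")"
echo "self-signed leaf against the root:         $(verify_chain "$WORK/root.pem" "$WORK/ss.pem")"
```

The second and third lines of output are the point of the text's "root is sufficient, import the intermediate if you get errors" advice: the same root trust list passes or fails depending only on whether the peer sends its intermediate.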

Mapping the Integration User to the Certificate

When using certificate-based authentication, the user needs to be mapped to the certificate, so that this certificate can be used to authenticate the user. The certificate that you need to map can be found as an attachment in the HCI provisioning mail.

Create Service Account for Connectivity from HCI to ERP

1. From transaction SU01, create a service account of type C or B and assign the custom roles:

SAP_SD_COD_INTEGRATION

SAP_SD_COD_INTEGRATION_EXT

/wp-content/uploads/2015/03/13_670578.png

In the following example, the CODINTG user is mapped to the HCI client certificate. To map the HCI client certificate to the service account, follow the steps below.

/wp-content/uploads/2015/03/14_670579.png

/wp-content/uploads/2015/03/15_670580.png

6. Select the file that contains the public certificate and click Open.

/wp-content/uploads/2015/03/16_670581.png


45 Comments


  1. Rajiv Juarbal

    Hi Vinita,

    This is interesting, I need a clarification in B. For Outbound communications from C4C to HCI: 2nd part – HCI is the Client and ECC is the server. You mentioned HCI client certificate should be imported in SSL Server but in the screenshot, I see that the imported certificates are the HCI Root certificates. Are these the root certificates of the HCI Client certificate provided by SAP?

    Regards,

    Rajiv

    (0) 
    1. Ginger Gatling

      Hello Rajiv

      Yes – the HCI root certificates are provided by SAP. You will need to create a ticket for SAP to send it to you, but SAP will provide this to you. The only certificate you must provide is the ERP certificate. Also, I don’t know if Natalia discusses it here, but the reverse proxy server certificate must also be purchased by the customer. SAP provides the C4C and HCI certificates – client and server.

      Regards

      Ginger

      (0) 
      1. Rajiv Juarbal

        Hi Ginger,

        So these root certificates are different from those we can extract from the certification path view of the HCI client certificate provided in the provisioning email?

        Best Regards,

        Rajiv

        (0) 
  2. Berthold Wocher

    Hello Vinita,

    thanks for this blog 🙂 I really like it

    for the second part I would like to comment:

    Between HCI and ERP there will always be another server (e.g. SAP Web Dispatcher) acting as a Reverse Proxy. If you do it very securely – then the Web Dispatcher would terminate SSL and therefore we have a handshake first between HCI and WD and second between WD and ERP. This influences the settings in the trust relations: e.g. WD has to trust the HCI client cert……

    I think you could either mention that your blog is for simplicity reasons not considering the Reverse Proxy or you could improve your section 2 by considering the WD….

    What do you think?

    Regards,

    Berthold

    (0) 
  3. Berthold Wocher

    Hello Vinita,

    one small proposal for simplification regarding section 1b)

    It is sufficient to import the root CA of HCI server certificate into ERP STRUST. I know that there are a lot of documents stating that the complete chain must be imported into the trust list – but this is not true. For the Handshake with HCI Server the root is sufficient.

    Best regards,

    Berthold

    (0) 
  4. Rajesh nimmakayala

    Hi Vinita.

    Thank you so much for your wiki; it helps us a lot in our integration (CRM <—> C4C via HCI). I have a question on outbound communication.

    Outbound communications from C4C to CRM :  Between HCI and CRM  , HCI is the Client and CRM  is the server

    1. CRM – In the Server SSL, the HCI client certificate has to be imported in STRUST (Is this HCI client certificate the same as the one provided in the HCI provisioning email?)

    Have a nice week ahead 🙂  

    Thanks,

    Rajesh Nimmakayala

    (0) 
  5. Florian Preuss

    Hi Vinita,

    nice blog… Helps understanding the certificate based client authentication.

    You wrote the following:

    2. HCI is the Client and ECC is the server

    ECC- In the Server SSL, the HCI client certificate has to be imported in STRUST

    The HCI client certificate is present inside the key store of HCI. You need to request operations team to provide you the corresponding public certificate, from which you can get the issuer certificate (raise a ticket for this). This then needs to be present in the Server PSE of ECC.

    Now we have obtained the HCI client certificate via LOD-HCI. In this client certificate I do not see any key chain. What certificate needs to be obtained in addition as mentioned above? I’m a little confused here “provide you the corresponding public certificate”.

    Best Regards

    Florian

    (0) 
    1. Vinita Sinha Post author

      Hi Florian,

      You can request specifically for the Root and Intermediate certificates in the ticket. From what I know, this process would be automated soon and you would be able to download the complete chain, but for now, you can request for this in the ticket itself

      Kind Regards,

      Vinita

      (0) 
      1. Florian Preuss

        Hi Vinita,

        just to get the picture completely.

        The HCI client certificate provided via SAP ticket. This certificate is issued by Verizon.

        /wp-content/uploads/2015/04/2015_04_08_15_54_28_680245.jpg

        The root and intermediate certificates from HCI were retrieved via the link “https://<host><port>/cxf” of the HCI worker node.

        Above you wrote in the chapter “Connectivity from HCI to ERP” that the public client certificate from HCI has to be assigned in VUSREXTID. Is this the HCI client certificate mentioned in my screenshot or a different one which has to be obtained separately?

        Thank you!

        Florian

        (0) 
        1. Vinita Sinha Post author

          Hi Florian,

          Sorry for the late response..

          Let me clarify based on what worked for me:

          1. The HCI Client Certificate that you get with the mail is used to do the user-cert mapping in ECC (your attached pic)

          2. The HCI Client Cert Chain (Root and Intermediate) can be obtained by requesting for this in the LOD-HCI component and importing both of these in the STRUST Server list

          I’ve also updated this info in the blog itself !

          Hope this helps

          Kind Regards

          Vinita

          (0) 
          1. Rajiv Juarbal

            Hi Vinita,

            Is this HCI Client Cert Chain (Root and Intermediate) not the same with the certificates (referring to Baltimore and Cybertrust) that we can view from the Certification Path of the HCI Client certificate provided by SAP in the provisioning email? Please see attached screenshot.

            HCI_Client_Certificate.jpg

            Regards,

            Rajiv

            (0) 
            1. Vinita Sinha Post author

              Hi Rajiv,

              If you got the whole chain in the mail then fine… If you got just the actual Client Cert and not the whole chain, then you need to request for it. Actually the Root should be sufficient anyways

              Regards

              Vinita

              (0) 
              1. Rajiv Juarbal

                Hi Vinita,

                Actually we just have the HCI client certificate, so we extracted the root and intermediate from the Certification Path view (in my screenshot above) and imported them in SSL Server since we’re not using a reverse proxy, but we still have this 403 – Forbidden error.

                Regards,

                Rajiv

                (0) 
                  1. Rajiv Juarbal

                    Ok Vinita, got it. So in our case, we don’t need to request for the certificate chain of our HCI client certificate right? Now I’m puzzled on why we’re still getting forbidden error. For our outbound connection from onpremise to C4C it’s working well, but not for C4C to onpremise.

                    Rajiv

                    (0) 
                  2. Vinita Sinha Post author

                    In my opinion, for Auth error, you need to ensure that the Certificate Mapping to the User in ECC is done correctly, and that this user has the necessary Roles/Profiles assigned to him.

                    (0) 
                    1. Rajiv Juarbal

                      Do ERP and CRM have the same roles that need to be maintained as stated above,

                      SAP_SD_COD_INTEGRATION

                      SAP_SD_COD_INTEGRATION_EXT?

                      Rajiv

                      (0) 
                      1. Rajesh nimmakayala

                        HI,

                        Can you please try to add the HCI root and intermediate certificate to your certificate list of the SSL Server PSE. Whichever certificate you are getting from the HCI tenant URL is not HCI’s but belongs to the load balancer.

                        Please raise an incident and SAP will provide you the certificate. The HCI intermediate certificate is different from the load balancer intermediate certificate. Hope it might help you.

                        HCI Inter.JPG

                        (0) 
                        1. Rajiv Juarbal

                          Hi Rajesh,

                          Root and Intermediate certificates of HCI client certificate are already imported in SSL Server PSE but still getting the error 403-Forbidden. I will check on the roles of the user as what Vinita suggested.

                          Rajiv

                          (0) 
                    2. Rajiv Juarbal

                      Hi Vinita,

                      I followed your step above in mapping the HCI client certificate to the CRM user created for integration. Below is the mapped HCI client certificate.

                      Certificate Mapping.JPG

                      And the roles of the User

                      Roles.JPG

                      For the roles, we just applied SAP Note 1956819, your response is highly appreciated.

                      Thanks and Best Regards,

                      Rajiv

                      (0) 
                      1. Berthold Wocher

                        Hello Rajiv,

                        in order to eliminate possible error reasons – I would suggest in a first step to assign SAP_ALL to the communication user. If that works, then you can adjust the profile/role to  minimal rights again.

                        Alternatively you can also do an authorization trace in ST01 – and check whether you find there an error.

                        Best regards,

                        Berthold

                        (0) 
  6. Sriramakrishnan Mathivanan

    Hello Experts,

    We are able to successfully test the outbound connection from HCI to CRM. But when we push the data from C4C to CRM via HCI we are getting the following error in HCI.

    1.PNG
    We are using basic authentication from HCI to CRM and using the Integration User who has authorization role of Z_SAP_C4C_INTEGRATION in CRM.

    Can you please tell us what we are missing?

    Thanks and Regards,

    Sriram


    (0) 
    1. Pragya Pande

      Hello Sriram,

      There is a standard role to be assigned to user in CRM – please check the guide. I don’t think it is Z** role. Else for starters, try giving SAP ALL to CRM user id and test the scenario. Then you can cutback on the authorizations.

      Best Regards,

      Pragya

      (0) 
  7. Edison EY

    Hi Vinita,

    Thanks for the post on certificate-based integration of C4C with ERP. We have followed all the steps which you have mentioned in the blog. When we are trying to test the connection from C4C to HCI for the “Check connectivity with Business Suite” communication scenario, we are getting an error in C4C saying “ICM_SSL_HTTP_ERROR”. Could you please help us to resolve this issue?

    Please help us; are we missing any steps?

    Note: We are facing this issue even with the Basic Authentication flow from C4C to HCI.

    Attached is the screenshot for your reference.

    Thanks so much

    Regards

    Edison EY

    C4C-HCI Connection Issue.jpg

    (0) 
      1. Edison EY

        Thanks Ginger for quick response.

        We have added the HCI root certificate of the signing CA to the C4C trusted list, and the C4C root certificate we have added in the HCI integration flow. Do we need to do any further steps for the SSL trust? The communication is not happening between C4C and HCI. We are not able to see any trace log in the web service message monitoring either.

        Please help us with any example.


        Thanks

        Edison EY

        (0) 
        1. Pragya Pande

          Hello Edison,

          Please check the steps in the integration guide – every point where it talks of the setup in C4C and HCI.

          BTW is your ERP outside the customer network?

          It would also be better to first try the ERP->C4C connection. Does that work for you? If not, then you need to first check the config on your ERP and HCI to connect to ERP and then come to C4C and HCI. Trust between C4C and HCI is mostly handled by SAP already. The only thing that could be missing is the client certificate, which would be for certificate-based authentication.

          It would be easier if you have a separate thread to the issue…

          Best Regards,

          Pragya

          (0) 
        2. Ginger Gatling

          Hi Edison

          Pragya’s point is right – maybe create another thread.

          First test should be:  ECC – HCI – C4C

          for C4C back down you need the reverse proxy – it also needs trust to HCI and ECC.  

          -ginger

          (0) 
  8. madhav poosarla

    Hi Vinita,

    Very nice blog, I have followed this and tried establishing connectivity between C4C and HCI. When I am doing the connection check in the communication arrangement, I am getting the below error. Any suggestion?

    Error accessing service; Service Ping ERROR: Error when calling SOAP Runtime functions: SRT: Processing error in Internet Communication Framework: (“ICF Error when receiving the response: ICM_HTTP_CONNECTION_BROKEN”) ()

    (1) 
  9. ankit kesarwani

    Hello Vinita ,

    Thanks for the blog! It is really helpful

    but For ECC to HCI , don’t we need to update HCI system.jks file with ECC client certificate

    or is it suffice to upload the ECC client certificate in the IFLOW(Sender System) ?

    Ginger Gatling

    (0) 
    1. Sreehari Puliparambil Janardhanan

      No, for ECC to HCI we do not need to update the HCI tenant key store, since the key store does not come into the picture here: ECC -> HCI load balancer (the handshake is done between the client and the load balancer). But if you need to connect HCI to ECC (HCI as client, ECC as server), in that case the HCI key store needs to be loaded with the ECC server root CAs (WD certificates if WD is used).

      (0) 
  10. Ossi M

    Very nice blog, thank you! I only wish there was a similar blog with images where the HANA Cloud Connector is used in place of the Web Dispatcher 🙂

    (0) 
    1. Simen Huuse

      Hi Ossi!

      Did you ever find this? Wondering if there is a clever way of using the Cloud Connector for outbound messaging from the backend to HCI. 🙂

       

      All the best,

      @simenhuuse

      (0) 
      1. Ossi Makinen

        Hello Simen! No, I didn’t find such a doc. Usually the assumption is that you should be able to connect from the backend to HCI directly, bypassing the SCC. Referring to this.

        However, it has been many months since I last looked into these, there might be new possibilities and better documents available. At least I hope so! 🙂

        (1) 
  11. David Sun

    Hi Vinita

    When HCI is client and ECC is server, we need to do two things:

    1. Actual HCI Client certificate that comes with the provisioning Mail – You can use this to do the User->Certificate mapping explained later

    2. The Certificate Chain of HCI as a client -> Request for this in LOD-HCI, and once obtained, import it to the STRUST list of the PSE Server (This may or may not be required, but for me it worked with having this complete information)

    I just can’t understand what the difference is between ‘HCI Client certificate’ and ‘Certificate Chain of HCI’. Can we just import the HCI client certificate into the STRUST list of the PSE Server, not the certificate chain?

     

    (0) 
