This blog lists the checkpoints for establishing and troubleshooting connectivity between an on-premise ERP/CRM system or SAP C4C (the on-demand CRM offering) and SAP's cloud integration service, HCI (HANA Cloud Integration). Each direction of communication is covered separately, because the network, certificate and user-mapping requirements differ depending on which side opens the connection.

HCI->ERP/CRM:


Network:

  1. HCI's public IPs need to be whitelisted at the customer's inbound firewall
  2. The customer system/network must be reachable from the internet
  3. The customer must allow inbound connections on port 443 to the target system

     Web Dispatcher

    1. If a Web Dispatcher or reverse proxy is placed in front of the customer system, the network requirements above apply to the Web Dispatcher/reverse proxy instead

Note: A load balancer counts as a reverse proxy here.


Certificates:

  1. The root CA of the customer server's certificate needs to be present in the trust list (keystore) of HCI

  If client certificate authentication is used:

  1. The customer trust list must contain the root and intermediate CA of the HCI client certificate
  2. Web Dispatcher
    1. If a Web Dispatcher is used, points 1 & 2 above apply to the Web Dispatcher instead of the customer server
    2. SSL termination at the Web Dispatcher
      1. If SSL is terminated at the Web Dispatcher and the communication between WD and the backend ERP/CRM server is HTTP, configure the WD to forward the client certificate to the backend in an HTTP header, and set the parameter icm/accept_forwarded_cert_via_http = TRUE in the backend server. With this setting the backend believes whatever certificate arrives in that header, so the backend ICM port must be reachable only from the Web Dispatcher; otherwise anyone who can reach it directly can inject a header and impersonate the mapped user.
      2. If SSL is terminated at the Web Dispatcher and the communication between WD and the backend ERP/CRM server is HTTPS, the backend server must trust the root CA of the Web Dispatcher's client certificate, so maintain the following two parameters in the backend server:

                         icm/HTTPS/trust_client_with_subject = CN=Your Proxy,*

                         icm/HTTPS/trust_client_with_issuer = CN=Issuer of Proxy CA,*

      3. Upload the root and intermediate CA of the HCI client certificate into the trust list of the backend server
      4. Additionally, configure the WD to forward the client certificate to the backend server in a header over this HTTPS connection
    3. SSL termination at the backend server
      1. If SSL terminates at the backend server, points 1 & 2 are sufficient
      2. In this case the Web Dispatcher has to act as a router, passing the TLS connection through untouched

User mapping:

  1. Every service/action in the backend ERP/CRM server is executed under a user
  2. So the certificate has to be mapped to a user (the user needs all necessary technical roles)
  3. Create a technical ABAP user with the roles and permissions required to execute the web services of your integration scenario. Coordinate the technical user setup with your ABAP basis and application experts.
  4. Link the client certificate to your technical user by maintaining an entry in the view VUSREXTID using transaction SM30.
  5. Choose work area "DN" as shown in the screenshot
  6. Click New Entry
  7. Use the Import icon on the External ID field to import your client certificate, as you did in transaction STRUST earlier. The import file must be the certificate in "PEM" format with the file extension .cer
  8. If you received the PEM file with a different extension, rename it to .cer for this import step.
  9. Authorize that user for the web services it has to call
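The two decisions described above, the trust gate for a forwarded client certificate (icm/HTTPS/trust_client_with_subject and trust_client_with_issuer, or icm/accept_forwarded_cert_via_http) and the external-ID-to-user mapping (VUSREXTID, work area DN), modelled in Python as an added example. This is not SAP code and not how the ICM implements these parameters; it only shows the order of checks a backend must make before it acts on a forwarded certificate. It assumes the Web Dispatcher forwards the already verified client certificate and that the backend has extracted its subject DN, that the TLS stack has already verified the peer certificate of the WD-to-backend connection, and that a small dictionary stands in for VUSREXTID. The DN pattern matching (RDNs compared in order, a trailing `*` matching any remaining RDNs) is a simplified reading of the parameter values shown above and is an assumption of this example; the sample DNs, header semantics and user names are constructed.

```python
"""Trust gate for a forwarded client certificate plus DN -> user mapping.

Added example, not SAP code. Sample DNs, the mapping table and the
pattern semantics are constructed/assumed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


def split_dn(dn: str) -> list[str]:
    """Split 'CN=a, O=b' into normalised RDNs ['cn=a', 'o=b'].
    Attribute types are lower-cased, values kept as-is; '\\,' escapes a comma
    inside a value; a bare '*' is kept as the wildcard token."""
    rdns: list[str] = []
    cur: list[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    out: list[str] = []
    for rdn in rdns:
        rdn = rdn.strip()
        if not rdn:
            continue
        if rdn == "*":
            out.append("*")
            continue
        typ, _, val = rdn.partition("=")
        out.append(f"{typ.strip().lower()}={val.strip()}")
    return out


def dn_matches(pattern: str, dn: str) -> bool:
    """RDN-by-RDN comparison in order; a trailing '*' in the pattern matches
    whatever remains. Without a wildcard the DN must match completely."""
    pat, got = split_dn(pattern), split_dn(dn)
    for i, p in enumerate(pat):
        if p == "*":
            return True
        if i >= len(got) or got[i] != p:
            return False
    return len(got) == len(pat)


@dataclass
class Request:
    peer_subject: Optional[str]       # subject of the cert the TLS peer (the WD) presented
    peer_issuer: Optional[str]        # issuer of that peer cert
    forwarded_subject: Optional[str]  # subject DN of the client cert carried in the forwarded header


# Stand-ins for icm/HTTPS/trust_client_with_subject / _issuer (constructed values).
TRUSTED_PROXY_SUBJECT = "CN=Your Proxy,*"
TRUSTED_PROXY_ISSUER = "CN=Issuer of Proxy CA,*"

# Stand-in for VUSREXTID, work area DN: external ID -> technical ABAP user (constructed).
EXTERNAL_ID_MAP = {
    "CN=hci-tenant-client, OU=HCI, O=SAP SE, C=DE": "HCI_TECH_USER",
}


def resolve_user(req: Request, accept_forwarded_via_http: bool = False) -> Optional[str]:
    """Return the technical user the request is authenticated as, or None.

    The forwarded certificate is honoured only if the TLS peer is the trusted
    proxy (both patterns match), or if accept_forwarded_via_http is set, which
    mirrors icm/accept_forwarded_cert_via_http = TRUE and is only safe when
    nothing but the Web Dispatcher can reach this port."""
    if req.forwarded_subject is None:
        return None
    if req.peer_subject is None or req.peer_issuer is None:
        if not accept_forwarded_via_http:
            return None  # plain HTTP from an unverified source: header could come from anyone
    elif not (dn_matches(TRUSTED_PROXY_SUBJECT, req.peer_subject)
              and dn_matches(TRUSTED_PROXY_ISSUER, req.peer_issuer)):
        return None      # some other TLS client: do not trust its forwarded header
    wanted = split_dn(req.forwarded_subject)
    for ext_id, user in EXTERNAL_ID_MAP.items():
        if split_dn(ext_id) == wanted:
            return user
    return None          # certificate not mapped: no user, no access


if __name__ == "__main__":
    hci_dn = "CN=hci-tenant-client, OU=HCI, O=SAP SE, C=DE"
    cases = {
        "via trusted WD over HTTPS": Request("CN=Your Proxy, O=Customer, C=DE",
                                             "CN=Issuer of Proxy CA, O=Customer, C=DE", hci_dn),
        "via unknown TLS peer": Request("CN=some-host, O=Customer, C=DE",
                                        "CN=Issuer of Proxy CA, O=Customer, C=DE", hci_dn),
        "direct HTTP, header injected": Request(None, None, hci_dn),
    }
    for name, req in cases.items():
        print(f"{name:30} -> {resolve_user(req)}")
    print("direct HTTP, accept_forwarded_cert_via_http=TRUE ->",
          resolve_user(cases["direct HTTP, header injected"], accept_forwarded_via_http=True))
```

The last line of the demo is the point of the caveat in the Web Dispatcher section: once the HTTP variant is enabled, the mapping succeeds for any caller that can put the header on a request, so that variant is only as strong as the network isolation between the Web Dispatcher and the backend.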

CRM/ERP->HCI

Network:

  • The HCI IP range needs to be whitelisted at the customer's outbound firewall
  • The customer must allow outbound port 443 towards HCI, since HCI listens only on port 443

Certificate

  • The root and intermediate CA of the HCI load balancer's certificate need to be present in the trust list of the customer's client PSE
  • The customer has to get the client certificate signed by an SAP-approved CA. Check with SAP for the list of approved CAs for HCI
  • The root CA of the customer's client certificate needs to be present in the trust store of the HCI load balancer
  • The customer's client certificate has to be attached to the iFlow for certificate authentication (not needed if basic authentication is used)
  • The customer's client certificate must have the extended key usage Client Authentication set
  • The customer system must send the client certificate chain except the topmost root CA (the receiving side already holds the root in its trust store)
  • Check in the RFC destination (SM59) that the correct client PSE is used, i.e. the one that contains the HCI trusted certificates

Authentication

  • If the customer uses basic authentication, the user must be an SAP ID service (SCN) user and must have the role "ESBMessaging.send"

C4C->HCI

Network:

  1. The HCI load balancer is open to the internet; there is no IP filtering in front of HCI.
  2. Since C4C and HCI are both operated by SAP, the C4C IPs do not need to be whitelisted at HCI
  3. HCI listens only on port 443; since C4C already allows outbound port 443, there is no issue with ports



Certificates:


  1. The C4C trust list must contain the root and intermediate CA of the HCI load balancer's certificate
  2. The HCI load balancer must have the root CA of the C4C client certificate in its trust store
  3. The C4C client certificate needs to be associated with the HCI iFlow
  4. The C4C client certificate must have the extended key usage Client Authentication set

Authentication:

  1. If C4C uses basic authentication, the user must be an SAP ID service (SCN) user and must have the role "ESBMessaging.send"
  2. In that case point 3 of the certificate section is not needed


HCI->C4C

Network:

  • Since the C4C Web Dispatcher/load balancer is open to the internet, no IP filtering of the HCI IP range is needed in front of C4C
  • HCI outbound is also open to the internet with no IP restriction, so there is no need to filter C4C IPs at the HCI outbound proxy
  • As C4C allows port 443, there is no issue with ports

Certificate:

  • The root CA of the C4C certificate has to be present in the HCI trust list (keystore)
  • The root CA of the HCI client certificate needs to be present in the C4C trust list, and the HCI client certificate needs to be mapped to a user in C4C
  • SSL terminates at the Web Dispatcher in front of the C4C systems
  • From the Web Dispatcher to the C4C systems there is again an SSL connection
  • The C4C backend systems trust the Web Dispatcher, and the Web Dispatcher forwards the HCI client certificate to the C4C backend system