Connect SAP HANA Cloud Platform to an on-premise SAP AS Java using SAP Assertion Tickets
This is the second part (click here for the first part) of the two blogs to describe how SAP Mobile Documents running on the HANA Cloud Platform can be connected to an on-premise KM system using SAP Assertion tickets. However, the trust settings will apply to any other application that you want to connect from HCP to an AS Java system.
The SAP Assertion Ticket technology requires the user names to be identical for the HCP application and the AS Java System.
1. Set up trust with SAP Assertion Tickets
In the first part I described how to connect SAP Mobile Documents on HCP to an on premise KM (AS Java) using a service user connection.
In this second part, I describe how to use the same user in AS Java (KM) using the SAP Assertion Ticket technology.
For more information about AS Java and SAP Assertion Tickets see the official documentation.
To enable the trust I did create a signing certificate for the HCP destination with the AS Java, as there is no option in HCP to create one. To simplify the overall process, I created this certificate directly in the view LogonTicketKeypair. By doing so, you automatically have the certificate trust enabled.
2. Creating a Signing Certificate for the HCP Destination
In the AS Java system, go to the NetWeaver Administrator of your AS Java (https://<YourServerURL>:<Port>/nwa).
Search for Key
Click on Key Storage
Select View TicketKeystore
In the tab View Entries click Create
Enter the following values:
Choose a meaningful name for the HCP certificate
Select the algorithm DSA
Leave the Key Length and Validity (or change them according to your needs)
Select Store Certificate
Enter the country name value (e.g. DE for Germany – this does not have a functional affect)
Enter the commonName for the HCP destination (e.g. HCP) – this will identify the HCP as a client.
As in this case I chose to create a self signed certificate, I skipped this screen. If you choose to have your certificate signed by some other certificate authority, you could select a signing key pair here.
In the summary, just click Finish
The certificate and the private key is now available in the list (you can distinguish them by the description in column Entry Type).
3. Exporting the Certificate
You can now export the HCP certificate to put it into the trust ACL of the AS Java.
To do this, select the certificate entry (with postfix -cert) and click Export Entry
Choose the export format Base64 X.509
Save the file on your hard drive.
In addition, export the HCP certificate including the private key (to import into the HCP destination later):
Select the HCP certificate (with Entry Type PRIVATE KEY)
Click Export Entry
Select PKCS#12 Key Pair as the export format
Provide a password to protect access to the export.
Save the file on your hard disk.
4. Maintain Trusted Systems List of AS Java
To finalize the trust settings of the newly created certificate to the AS Java, you need to add it to the list of Trusted Systems.
Navigate to the NetWeaver Administrator – Configuration Management – Security Management – Trusted Systems (/nwa/trusted-systems)
In Trusted Systems view select Add Trusted System – By Uploading Certificate Manually
Enter a System ID for the HCP destination (e.g. HCP)
Enter 000 as the client
Upload the certificate file (not the one containing the private key) that you have exported before.
Now you have done all the steps required to set the trust in the AS Java System.
You now need to enter the certificate and the private key into the HCP destination fields.
Before you can do this, you need to convert it to a .pem file.
5. Converting the HCP Certificate into the Correct Format for HCP
To convert the .p12 file to a PEM format that allows you to copy and paste the required information, I used an Open Source tool called OpenSSL.
It is available for different platforms. Just google for it and install it on your local machine.
Once installed, to make life easier, copy the .p12 file that you have exported in one of the previous steps into the OpenSSL sub-folder bin
Open a Command Prompt Window and navigate into the bin subfolder of the OpenSSL installation.
I converted the .p12 file to a so-called .pem file using the following command (the file name of my file is HCPCert.p12):
openssl.exe pkcs12 -in HCPCert.p12 -out HCPCert.pem -nodes
This will create a file called HCPCert.pem in the .bin directory.
You will need this file in the next configuration step.
6. Change the HCP Destination to use SAP Assertion Tickets
Navigate into the HCP Cockpit of your HCP account.
Navigate to Destinations on the left navigation menu
Open the destination that you did create in the previous step (or create a new one)
Switch the Authentication to SAPAssertionSSO
Maintain the Issuer SID and Client (this needs to be the SID that you have entered in the Trusted Systems list in chapter 4.)
Maintain the Recipient SID and Client (This info you find also the screen Trusted Systems under Accepting System)
Open the .pem file (that you have generated in the previous step) with Wordpad.
It will look similar to this one here:
Now copy the text between —–BEGIN CERTIFICATE—– and –—-END CERTIFICATE—- and paste it into the Certificate field of the HCP destination.
Copy the text between —–BEGIN PRIVATE KEY—– and —–END PRIVATE KEY—- and paste it into the Signing Key field of the HCP destination.
Now you have done all required steps — Ufff! 🙂
To check if the SAP Mobile Documents Connection to KM is working, go to the Web UI of SAP Mobile Documents and click on Corporate.
If you now create a text file within the KM repository from Mobile Documents, you will see that it is now created with the user that is logged on to SAP Mobile Documents.