Bhavesh Kantilal

HCI: Integrate On Premise ERP with HCI IDoc Adapter using HANA Cloud Connector & Client Authentication

Recently, we had a requirement to integrate HCI with an On-Premise ERP Instance using standard SAP IDocs. The ground rules for the Integration were:

  • Only Client Authentication aka 2 Way SSL is to be used.
  • HANA Cloud Connector to be used for Interfacing from Cloud to the On-Premise ERP.

So what’s different here, you might ask, considering that HCI supports Client Authentication natively for its IDoc Adapter?

The short answer:

When using HANA Cloud Connector, your IDoc Adapter configuration requires the Proxy Type “On-Premise”. When the Proxy Type is “On-Premise”, HCI does not offer an option for Client Authentication.

Below is what my initial configuration looked like:

/wp-content/uploads/2016/03/1_918441.png

When trying to deploy my iFlow with this configuration, HCI reports an error: “Certificate based authentication is not supported for Proxy Type On-Premise”.


/wp-content/uploads/2016/03/2_918449.png

Does this mean that HCI does not allow Client Authentication when integrating with an ERP System through a Receiver IDoc Adapter using HANA Cloud Connector? The answer, my friends, lies in the details 🙂

The Long Answer

The Scenario


/wp-content/uploads/2016/03/3_918450.png


HANA Cloud Connector Configuration


Configure your HCC Account

Configure your HCC Account by providing the required HCI Details

/wp-content/uploads/2016/03/4_918451.png

/wp-content/uploads/2016/03/5_918470.png

Access Control

Set Up your access control by mapping to an On-Premise ABAP System


/wp-content/uploads/2016/03/6_918471.png

Provide the Protocol. In my case HCC connects to On-Premise ERP using HTTPS Protocol.

          /wp-content/uploads/2016/03/7_918472.png

Provide the Internal SAP System Host Name and the corresponding HTTPS Port.

/wp-content/uploads/2016/03/8_918473.png

Provide the Virtual HostName that should be used in HCI in your IDoc Adapter. In this case I have called it: bhavesh.hcc.com


/wp-content/uploads/2016/03/9_918474.png


The next step is the most critical, as it enables Client Authentication between HCC and the On-Premise ERP System. Select the Principal Type: X.509 Certificate.


/wp-content/uploads/2016/03/10_918521.png


This setting makes sure that the Connectivity between HCC and the On-Premise ERP System now uses Client Authentication.

/wp-content/uploads/2016/03/11_918488.png

/wp-content/uploads/2016/03/12_918522.png


Add Resource

Click on Add Resource

          /wp-content/uploads/2016/03/13_918490.png

Below is what your Access Control should now look like:

          /wp-content/uploads/2016/03/14_918491.png


Add System Certificate for Client Authentication

To enable Client Authentication you would need to ensure your Private Key is added to the System Certificate in your HANA Cloud Connector. Navigate to Settings –> System Certificate. Select your Key-pair in a P12 File Format.

/wp-content/uploads/2016/03/15_918492.png

Click on Import; the KeyPair should be imported successfully.

/wp-content/uploads/2016/03/16_918493.png

Backend SAP Configuration for User Mapping

Go to SM30 : Table Name : VUSREXTID

/wp-content/uploads/2016/03/17_918497.png

External ID Type: DN

/wp-content/uploads/2016/03/18_918498.png


Create a new entry by importing the Public Certificate of the Key Pair you imported into HANA Cloud Connector and providing a User ID for it.

/wp-content/uploads/2016/03/19_918499.png
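
The key pair and DN mapping from the two steps above, as an added example that is not part of the original post: it builds the P12 file with the openssl CLI, exports the public certificate for the VUSREXTID entry, and checks that both carry the same subject DN. The subject, file names and password are constructed, and the certificate is self-signed for lab use; a production certificate would be issued by a CA the ERP system trusts.

```shell
#!/bin/sh
# Added example, not from the original post. Subject, file names and password
# are constructed placeholders; the self-signed certificate is for a lab only.
set -eu

SUBJECT="/C=DE/O=Example Corp/OU=Integration/CN=hcc-system-cert"   # constructed

# make_system_cert DIR PASSWORD
# Writes DIR/hcc.p12 (key pair for HCC Settings -> System Certificate) and
# DIR/hcc.crt (public certificate to import when creating the VUSREXTID entry).
# Note: a pass: argument is visible in the process list; acceptable in a lab.
make_system_cert() {
  (
    umask 077   # key material must not be readable by other users
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
      -subj "$SUBJECT" -keyout "$1/hcc.key" -out "$1/hcc.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$1/hcc.key" -in "$1/hcc.crt" \
      -name hcc-system-cert -passout "pass:$2" -out "$1/hcc.p12"
    rm -f "$1/hcc.key"   # the private key now exists only inside the P12
  )
}

# Subject DN of a PEM certificate, in RFC 2253 form.
cert_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Subject DN of the certificate stored inside a P12 file.
p12_subject() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null |
    openssl x509 -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# same_identity DIR PASSWORD: succeeds only if the P12 given to HCC and the
# certificate given to the ERP side describe the same subject.
same_identity() {
  [ "$(p12_subject "$1/hcc.p12" "$2")" = "$(cert_subject "$1/hcc.crt")" ]
}

if [ "${1:-}" = "demo" ]; then
  dir=$(mktemp -d)
  make_system_cert "$dir" "constructed-pass"
  echo "DN to map to an ERP user: $(cert_subject "$dir/hcc.crt")"
  same_identity "$dir" "constructed-pass" && echo "P12 and certificate match"
fi
```

Run it with the argument `demo` to generate the files in a temporary directory; the DN shown in the backend after importing `hcc.crt` should describe the same subject.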

HCI IDoc Adapter Configuration

Configure your IDoc Adapter with the below options:

  • ProxyType : OnPremise
  • Authentication : Basic Authentication Enabled
  • Credentials: Provide any Credentials. These are not going to be used at runtime. In my case I created a Dummy Credential with a Dummy User / Password.

/wp-content/uploads/2016/03/20_918500.png

Save and Deploy your Integration Flow.

Your scenario should now use Client Authentication and Authenticate itself to the BackEnd ERP System!

So What happens Behind the scenes?

What you will notice is that if you remove the KeyPair from Settings –> System Certificate in your HANA Cloud Connector, the IDoc Adapter will try to use Basic Authentication. If you have maintained valid credentials, the Login goes through and the IDoc gets posted. If you have maintained invalid credentials, an HTTP 401 Unauthorized Error is returned.

In Summary, HANA Cloud Connector has been instructed to use an X.509 Certificate to authenticate itself to the Back End ERP System. Hence, when the IDoc from HCI is sent to HCC, HCC uses the X.509 Certificate to authenticate itself, which leads to Client Authentication aka 2 Way SSL with HANA Cloud Connector & HCI’s IDoc Adapter!


      14 Comments
      suchita tomar

      Thanks bhavesh..!! Very useful document..!! Keep sharing..!!

      Bhargava Krishna Talasila

      thanks for sharing 🙂

      Former Member

      Thanks for the articulate blog bhavesh...

      Former Member

      Good one... thanks for blogging..

      Regards

      Rajesh

      Harish Mistri

      The complete how to guide by the Master !!!! Thanks Bhavesh for sharing !!! Looking forward for more blogs 🙂

      Ossi Makinen

      Hi Bhavesh!

      Thanks for good blog! I have one question: in the section Add System Certificate for Client Authentication you say that "to enable Client Authentication you would need to ensure your Private Key is added to the System Certificate in your HANA Cloud Connector. Navigate to Settings –> System Certificate. Select your Key-pair in a P12 File Format."

      What exactly is "your private key" that needs to be in P12 format and where/how do I get it?

      Thanks for the patience to instruct us beginners 🙂

      Former Member

      Hi Bhavesh,

      Can you please guide us (beginners and freshers) on how to get the private key in P12 format to add to the system certificate in HCC?

      Thanks,
      Anand T

      Alex Liao

      Hi Kantilal,
      One doubt about the trust configuration. You configure the System certificate; I think the certificate of the issuer should be added into the ERP Trust Manager (T-code STRUST), right?
      Could you share something about this?

      Thanks ,
      Alex.

      Aman Raj

      Hi Bhavesh,

      I have used this method to post data from HCI into the ERP system for a web service. I have done the SM30 settings and maintained the system certificate in SCC, and I am using a dummy credential for Basic Authentication in the SOAP receiver channel in HCI.

      But I am getting an unauthorized 401 error. I am using the SCC UI certificate as the system certificate in SCC, and my certificate is not signed. Is this issue due to the use of an unsigned certificate?

      Thanks,

      Aman

       

      Pragya Pande

      Hello Bhavesh,

      I want to ask you about the integration setup and scenarios where you configured the HCI to use HCC. Could you please drop me a mail at Pragya.pande@sap.com so that we can connect?

      Best Regards,

      Pragya

       

      Former Member

      Hi Bhavesh,

      Excellent Blog!! Thanks for sharing this information. Now I am working on a PoC where I would like to do the below.

      • I will be using a sensor device to fetch information on HCP (IoT Service)
      • I want to send this info fetched from the sensor to my Backend ECC (on-premise)
      • And get some response back into the sensor device

      Now I have set up the HANA Cloud Connector. I am able to receive data from the sensor in the IoT Cockpit. But I am not sure how I can pass this data to HCC and then get it into either PI or directly into ECC as an IDoc. I am working on an innovation pack license and do not have HCI, so I will have to manage the scenario only with HCC.

      Can you please suggest how I could achieve this?

       

      Regards

      Amitabh

       

       

      Hemachandan A S

      Hi Amitabh,

      Your scenario can be achieved in multiple ways based on your integration patterns, like below:

      • From PI/PO/HCI: By consuming the OData API of the IoT Service.
      • From back end SAP via Cloud Connector: Again by consuming the OData API for the HCP IoT Service in an ABAP program via RFC or SAP Gateway.
      • Data replication via Cloud Connector: Between the HANA cloud database bound to the IoT service and the on-premise database bound to the back end SAP.

      Hope this information is sufficient to establish a connection between back end SAP and the IoT services.

      Thanks,

      Chandan

      Former Member

       

      Thanks a lot Chandan for your help in understanding the different ways. However, in the meantime I followed a few blogs (one from Fabien) and started the overall thing in the below way.

      • I am using HCI and Cloud Connector both
      • to get IoT data, I am using OData adapter (but here it fails with certificate error)
      • previously I could define the OData receiver adapter and fetch IoT message type but after deploying the keystore in HCI, IoT path is no more reachable
      • I have 2 different tenants, 1 for HCI and 1 for IoT

      I am stuck at this point. Can you please help.

       

      Regards

      Amitabh

       

      Anand Jha

      Hi Bhavesh,

      I am integrating Salesforce and S/4HANA using HCI as an integration tool.

      It's a SOAP sender (for Salesforce pushed messages) and an IDoc receiver (for receiving in S/4HANA).

      But I am getting the below error while sending a message to the IDoc endpoint in HCI:

      org.apache.cxf.transport.http.HTTPException: HTTP response '403: Forbidden' when communicating with http://host:port/sap/bc/srt/idoc?sap-client=800

      It is the same endpoint which comes up after testing the sap/bc/srt/idoc service in the SICF transaction.

      I have tried both hitting that URL directly from HCI and hitting that URL by creating an access control and resource in HCC. It fails with the same error.

      Also, the credentials used in the IDoc receiver are correct.

      Can you please suggest how this can be resolved?

      Regards,

      Anand