Recently, we had a requirement to integrate HCI with an on-premise ERP instance using standard SAP IDocs. The ground rules for the integration were:
- Only Client Authentication aka 2 Way SSL is to be used.
- HANA Cloud Connector to be used for Interfacing from Cloud to the On-Premise ERP.
So what’s different here, you might ask, considering that HCI supports Client Authentication natively for its IDoc Adapter.
The short answer:
When using HANA Cloud Connector, your IDoc Adapter configuration requires the Proxy Type “On-Premise”. When the Proxy Type is “On-Premise”, HCI does not offer an option for Client Authentication.
Below is what my initial configuration looked like:
When trying to deploy my iFlow with this configuration, HCI returns the error: “Certificate based authentication is not supported for Proxy Type On-Premise”
Does this mean that HCI does not allow Client Authentication when integrating with an ERP system through a Receiver IDoc Adapter using HANA Cloud Connector? The answer, my friends, lies in the details 🙂
The Long Answer
HANA Cloud Connector Configuration
Configure your HCC Account
Configure your HCC account by providing the required HCI details.
Set up your access control by mapping to an on-premise ABAP system.
Provide the protocol. In my case HCC connects to the on-premise ERP using the HTTPS protocol.
Provide the internal SAP system host name and the corresponding HTTPS port.
Provide the virtual host name that should be used in HCI in your IDoc Adapter. In this case I have called it: bhavesh.hcc.com
The next step is the most critical, as it enables Client Authentication between HCC and the on-premise ERP system. Select the option for Principal Type as: X.509 Certificate.
This setting makes sure that the connectivity between HCC and the on-premise ERP system now uses Client Authentication.
Click on Add Resource.
Below is what your Access Control should now look like:
Add System Certificate for Client Authentication
To enable Client Authentication you need to ensure your private key is added to the System Certificate in your HANA Cloud Connector. Navigate to Settings –> System Certificate. Select your key pair in P12 file format.
Click on Import; the key pair should be imported successfully.
Backend SAP Configuration for User Mapping
Go to SM30, table name VUSREXTID.
External ID Type: DN
Create a new entry by importing the public certificate of the key pair you imported into HANA Cloud Connector and providing a user ID for it.
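The two steps above depend on the P12 being a usable client certificate and on the DN mapped in VUSREXTID matching the certificate HCC actually presents. The following pre-flight check is an added example, not part of the original post or of HCC or SAP tooling: it builds a throw-away self-signed key pair (constructed placeholder names) so it runs offline, then checks that the P12 carries the private key, that the certificate’s Extended Key Usage allows TLS client authentication, and prints the subject DN to compare against the VUSREXTID entry. It assumes openssl 1.1.1 or later on the PATH.

```shell
#!/bin/sh
# Added example (not the author's): pre-flight checks on the P12 key pair before
# importing it as the HCC System Certificate and mapping its DN in VUSREXTID.
# Requires openssl >= 1.1.1. Names and password below are constructed placeholders.
set -eu

WORK="$(mktemp -d)"
P12="$WORK/hcc-client.p12"
P12_PASS="changeit"   # placeholder password for the constructed P12

# Build a throw-away self-signed client certificate so the script runs offline.
# In a real landscape the P12 comes from your PKI; nothing here is from the post.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/O=Example/OU=Integration/CN=hci-hcc-client" \
  -addext "extendedKeyUsage=clientAuth" \
  -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
  -out "$P12" -passout "pass:$P12_PASS"

# 1) HCC can only authenticate if the P12 contains the private key, not just
#    the public certificate.
p12_has_private_key() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | grep -q "PRIVATE KEY"
}

# 2) The ERP will only accept the certificate for client authentication if its
#    Extended Key Usage permits it (TLS Web Client Authentication).
p12_cert_allows_client_auth() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -ext extendedKeyUsage 2>/dev/null \
    | grep -q "TLS Web Client Authentication"
}

# 3) The subject DN (RFC 2253 order, CN first) that the VUSREXTID entry of type
#    DN must correspond to; a mismatch means the mapped user is never resolved.
p12_subject_dn() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//'
}

p12_has_private_key "$P12" "$P12_PASS" && echo "private key: present"
p12_cert_allows_client_auth "$P12" "$P12_PASS" && echo "EKU: clientAuth ok"
echo "subject DN for VUSREXTID: $(p12_subject_dn "$P12" "$P12_PASS")"
```

Run it against your real P12 by pointing P12 and P12_PASS at that file instead of the constructed one; the DN separator and spacing shown by SAP may differ from the RFC 2253 rendering, so compare the attribute values, not the raw string.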
HCI IDoc Adapter Configuration
Configure your IDoc Adapter with the options below:
- Proxy Type: On-Premise
- Authentication: Basic Authentication enabled
- Credentials: provide any credentials. These are not used at runtime. In my case I created a dummy credential with a dummy user / password.
Save and Deploy your Integration Flow.
Your scenario should now use Client Authentication and authenticate itself to the backend ERP system!
So What happens Behind the scenes?
What you will notice is that if you remove the key pair from Settings –> System Certificate in your HANA Cloud Connector, the IDoc Adapter falls back to Basic Authentication. If you have maintained valid credentials, the login goes through and the IDoc gets posted. If you have maintained invalid credentials, an HTTP 401 Unauthorized error is returned.
In summary, HANA Cloud Connector has been instructed to use an X.509 certificate to authenticate itself to the backend ERP system. Hence, when the IDoc from HCI is sent to HCC, HCC uses the X.509 certificate to authenticate itself to the ERP, which gives you Client Authentication aka 2-way SSL for IDocs sent from HCI’s IDoc Adapter via HANA Cloud Connector!