HCI: Integrate On Premise ERP with HCI IDoc Adapter using HANA Cloud Connector & Client Authentication
Recently, we had a requirement to integrate HCI with an On-Premise ERP Instance using standard SAP IDocs. The ground rules for the Integration were:
- Only Client Authentication aka 2 Way SSL is to be used.
- HANA Cloud Connector to be used for Interfacing from Cloud to the On-Premise ERP.
So what’s different here, you might ask, considering that HCI supports Client Authentication natively for its IDoc Adapter?
The short answer:
When using HANA Cloud Connector, your IDoc Adapter configuration requires the Proxy Type “On-Premise”. When your Proxy Type is “On-Premise”, HCI does not offer an option for Client Authentication.
Below is what my initial configuration looked like:
When trying to deploy my iFlow with this configuration, HCI prompts an error: “Certificate based authentication is not supported for Proxy Type On-Premise”
Does this mean that HCI does not allow Client Authentication when Integrating with ERP System with a Receiver IDoc Adapter using HANA Cloud Connector? The answer my friends, lies in the details 🙂
The Long Answer
HANA Cloud Connector Configuration
Configure your HCC Account
Configure your HCC Account by providing the required HCI Details
Set Up your access control by mapping to an On-Premise ABAP System
Provide the Protocol. In my case HCC connects to On-Premise ERP using HTTPS Protocol.
Provide the Internal SAP System Host Name and the corresponding HTTPS Port.
Provide the Virtual HostName that should be used in HCI in your IDoc Adapter. In this case I have called it: bhavesh.hcc.com
The next step is the most critical, as it enables Client Authentication between HCC and the On-Premise ERP System. Select the option for Principal Type as: X.509 Certificate.
This setting makes sure that the Connectivity between HCC and the On-Premise ERP System now uses Client Authentication.
Click on Add Resource
Below is what your Access Control should now look like:
Add System Certificate for Client Authentication
To enable Client Authentication you would need to ensure your Private Key is added to the System Certificate in your HANA Cloud Connector. Navigate to Settings –> System Certificate. Select your Key-pair in a P12 File Format.
Click on Import; the KeyPair should be imported successfully.
Backend SAP Configuration for User Mapping
Go to SM30 : Table Name : VUSREXTID
External ID Type: DN
Create a new entry by Importing the Public Certificate of the Key Pair you imported into HANA Cloud Connector and providing a User ID for the same.
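To make the two certificate steps above concrete (the P12 key pair imported under Settings –> System Certificate, and the public certificate imported into VUSREXTID), here is an added shell example using openssl; it is not from the original post. The subject DN, file names and P12 password are constructed placeholders, and in a real landscape the certificate would be signed by a corporate CA that the ERP trusts rather than self-signed.

```shell
#!/bin/sh
# Added example, not from the original post: create the key pair that HCC imports as
# its System Certificate (PKCS#12) and the public certificate that SM30/VUSREXTID maps
# to a user. Subject values and the P12 password are constructed placeholders.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; exit 0; }

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # scratch directory for the generated files

# Generate a private key and a self-signed certificate for the HCC system identity.
# For a real landscape, send a CSR to your corporate CA instead of self-signing, so the
# ERP can trust the issuer in STRUST; the subject DN below is a constructed placeholder.
make_hcc_keypair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORKDIR/hcc.key" -out "$WORKDIR/hcc.crt" \
    -subj "/C=DE/O=Example Corp/OU=Integration/CN=hcc-system" >/dev/null 2>&1
  # Bundle key + certificate into the .p12 that HCC imports under Settings -> System
  # Certificate. The password is a placeholder; HCC prompts for it on import.
  openssl pkcs12 -export -inkey "$WORKDIR/hcc.key" -in "$WORKDIR/hcc.crt" \
    -out "$WORKDIR/hcc.p12" -passout pass:changeit
  printf '%s\n' "$WORKDIR/hcc.p12"
}

# hcc.crt (certificate only, no private key) is what you import in SM30 -> VUSREXTID
# with External ID Type DN. Print its subject in RFC 2253 order (CN first) so the entry
# the ERP creates can be compared with what the certificate actually carries.
hcc_subject_dn() {
  openssl x509 -in "$WORKDIR/hcc.crt" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//'
}

# Sanity check before import: the private key inside the .p12 must belong to the
# certificate, otherwise HCC cannot complete the client-authenticated TLS handshake.
verify_p12_key_matches_cert() {
  p12_pub=$(openssl pkcs12 -in "$WORKDIR/hcc.p12" -passin pass:changeit \
              -nocerts -nodes 2>/dev/null | openssl pkey -pubout)
  crt_pub=$(openssl x509 -in "$WORKDIR/hcc.crt" -noout -pubkey)
  [ -n "$p12_pub" ] && [ "$p12_pub" = "$crt_pub" ]
}

# Build the artefacts and show which file goes where.
make_hcc_keypair >/dev/null
echo "P12 for HCC Settings -> System Certificate : $WORKDIR/hcc.p12"
echo "Public certificate for SM30 -> VUSREXTID   : $WORKDIR/hcc.crt"
echo "Subject DN (RFC 2253 order)                : $(hcc_subject_dn)"
verify_p12_key_matches_cert && echo "OK: P12 private key matches the certificate"
```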
HCI IDoc Adapter Configuration
Configure your IDoc Adapter with the below options:
- ProxyType : OnPremise
- Authentication : Basic Authentication Enabled
- Credentials: Provide any Credentials. This is not going to be used in the runtime. In my case I created a Dummy Credentials with a Dummy User / Password.
Save and Deploy your Integration Flow.
Your scenario should now use Client Authentication and Authenticate itself to the BackEnd ERP System!
So What happens Behind the scenes?
What you will notice is that if you remove the KeyPair from Settings –> System Certificate in your HANA Cloud Connector, the IDoc Adapter will try to use Basic Authentication. If you have maintained valid credentials, the login goes through and the IDoc gets posted. If you have maintained invalid credentials, an HTTP 401 Unauthorized error is returned.
In summary, HANA Cloud Connector has been instructed to use an X.509 Certificate to authenticate itself to the Back End ERP System. Hence, when the IDoc from HCI is sent to HCC, HCC uses the X.509 Certificate to authenticate itself, which leads to Client Authentication aka 2 Way SSL with HANA Cloud Connector & HCI’s IDoc Adapter!
References / Additional Reading
HCI Securing your communications
Thanks bhavesh..!! Very useful document..!! Keep sharing..!!
thanks for sharing 🙂
Thanks for the articulate blog bhavesh...
Good one... thanks for blogging..
The complete how to guide by the Master !!!! Thanks Bhavesh for sharing !!! Looking forward for more blogs 🙂
Thanks for good blog! I have one question: in the section Add System Certificate for Client Authentication you say that "to enable Client Authentication you would need to ensure your Private Key is added to the System Certificate in your HANA Cloud Connector. Navigate to Settings –> System Certificate. Select your Key-pair in a P12 File Format."
What exactly is "your private key" that needs to be in P12 format and where/how do I get it?
Thanks for the patience to instruct us beginners 🙂
Can you pls guide us(beginners and freshers) how to get the private key in P12 format to add to system certificate in HCC.
One doubt about the trust configuration. You configure the System certificate, I think the certificate of issue should be added into ERP Trust manager(T-code STRUST) , right?
Could you share something about this?
I have used this method to post data from HCI in to ERP system for web service. I have done SM30 settings and maintained system certificate in SCC and I am using dummy credential for Basic Authentication in SOAP receiver channel in HCI.
But I am getting an unauthorized 401 error. I am using the SCC UI certificate as the system certificate in SCC and also my certificate is not signed; is this issue due to the use of an unsigned certificate?
I want to ask you about the integration setup and scenarios where you configured the HCI to use HCC. Could you please drop me a mail at Pragya.email@example.com so that we can connect?
Excellent Blog!! Thanks for sharing this information. Now I am working on a PoC where I would like to do the below.
Now I have setup the HANA Cloud Connector. I am able to receive data from sensor in IoT Cockpit. But I am not sure how can I pass this data to HCC and then get this into either PI or directly in ECC as an IDoc. I am working on an innovation pack license and do not have HCI so will have to manage the scenario only with HCC.
Can you please suggest how I could achieve this?
Your scenario can be achievable in multiple ways based on your integration patterns like below:
Hope this information would be sufficient to establish connection between back end SAP to IoT services.
Thanks a lot Chandan for your help in understanding different ways. However, in the meantime I followed a few blogs (one from Fabien) and started the overall thing in the below way.
I am stuck at this point. Can you please help.
I am integrating Salesforce and S/4HANA using HCI as an integration tool.
It's SOAP sender (for Salesforce pushed messages) and IDoc receiver (for receiving in S/4HANA).
But I am getting the below error while sending a message to the IDoc endpoint in HCI:
org.apache.cxf.transport.http.HTTPException: HTTP response '403: Forbidden' when communicating with http://host:port/sap/bc/srt/idoc?sap-client=800
It is the same endpoint which comes after testing the sap/bc/srt/idoc service in the SICF transaction.
I have tried both hitting that URL directly from HCI and hitting that URL by creating access control and resource in HCC. It fails with same error.
Also, the credentials used in the IDoc receiver are correct.
Can you please suggest how this can be resolved?