Recently, we had a requirement to integrate HCI with an on-premise ERP instance using standard SAP IDocs. The ground rules for the integration were:

  • Only Client Authentication aka 2 Way SSL is to be used.
  • HANA Cloud Connector to be used for Interfacing from Cloud to the On-Premise ERP.

So what’s different here, you might ask, considering that HCI supports Client Authentication natively for its IDoc Adapter?

The short answer:

When using HANA Cloud Connector, your IDoc Adapter configuration requires the Proxy Type to be “On-Premise”. When the Proxy Type is “On-Premise”, HCI does not let you select Client Authentication as the authentication option.

Below is what my initial configuration looked like:

[Screenshot: initial IDoc Adapter configuration]

When trying to deploy my iFlow with this configuration, HCI prompts an error: “Certificate based authentication is not supported for Proxy Type On-Premise”



Does this mean that HCI does not allow Client Authentication when integrating with an ERP system through a Receiver IDoc Adapter using HANA Cloud Connector? The answer, my friends, lies in the details 🙂

The Long Answer

The Scenario


[Diagram: scenario overview]


HANA Cloud Connector Configuration


Configure your HCC Account

Configure your HCC account by providing the required HCI details.

Access Control

Set up your access control by adding a mapping to an on-premise ABAP system.

Provide the protocol. In my case, HCC connects to the on-premise ERP using the HTTPS protocol.

Provide the Internal SAP System Host Name and the corresponding HTTPS Port.


Provide the Virtual HostName that should be used in HCI in your IDoc Adapter. In this case I have called it: bhavesh.hcc.com




The next step is the most critical, as it enables Client Authentication between HCC and the on-premise ERP system. Select X.509 Certificate as the Principal Type.


This setting makes sure that the Connectivity between HCC and the On-Premise ERP System now uses Client Authentication.



Add Resource

Click on Add Resource


Your Access Control should now look like this:

[Screenshot: Access Control configuration]


Add System Certificate for Client Authentication

To enable Client Authentication, you need to ensure that your private key is added as the System Certificate in your HANA Cloud Connector. Navigate to Settings –> System Certificate and select your key pair as a file in P12 format.

Click on Import; the key pair should be imported successfully.

Backend SAP Configuration for User Mapping

Go to transaction SM30 and enter the table name VUSREXTID.

External ID Type: DN



Create a new entry by importing the public certificate of the key pair you imported into HANA Cloud Connector, and provide the User ID it should map to.
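One way to produce the P12 key pair for the System Certificate step and the public certificate for the VUSREXTID step, as an added example that is not from the original post. The subject DN, file names and password are constructed placeholders, and the certificate is self-signed only so the script runs offline (an assumption; the post does not say which issuer the backend accepts).

```shell
#!/bin/sh
# Added example: create a P12 key pair for HCC and the public certificate
# for the VUSREXTID entry. Subject, file names and password are placeholders.
set -e

make_client_keypair() {
  # $1 = output directory, $2 = subject DN, $3 = P12 password
  mkdir -p "$1"
  # Private key plus certificate; self-signed only so the example runs offline.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "$2" \
    -keyout "$1/client.key" -out "$1/client.crt" 2>/dev/null
  # Bundle both into a P12 file (password on the command line: demo only).
  openssl pkcs12 -export -inkey "$1/client.key" -in "$1/client.crt" \
    -name hcc-system-cert -passout "pass:$3" -out "$1/client.p12"
  # The key and the P12 are secrets; the .crt is the public part.
  chmod 600 "$1/client.key" "$1/client.p12"
}

key_matches_cert() {
  # $1 = private key, $2 = certificate; true when both hold the same public key
  key_pub=$(openssl pkey -in "$1" -pubout | openssl sha256)
  crt_pub=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
  [ "$key_pub" = "$crt_pub" ]
}

p12_subject() {
  # $1 = P12 file, $2 = password; prints the subject DN of the bundled certificate
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
    openssl x509 -noout -subject -nameopt RFC2253
}

# Demo run in a throwaway directory (constructed values).
demo_dir=$(mktemp -d)
make_client_keypair "$demo_dir" \
  "/C=DE/O=Example Corp/CN=hcc-client.example.invalid" "changeit"
key_matches_cert "$demo_dir/client.key" "$demo_dir/client.crt" &&
  echo "key matches certificate"
p12_subject "$demo_dir/client.p12" "changeit"
rm -rf "$demo_dir"
```

Here `client.p12` is the file selected under Settings –> System Certificate, and `client.crt` is the public certificate imported into the VUSREXTID entry.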

HCI IDoc Adapter Configuration

Configure your IDoc Adapter with the below options:

  • ProxyType : OnPremise
  • Authentication : Basic Authentication Enabled
  • Credentials: Provide any credentials. These are not going to be used at runtime. In my case, I created dummy credentials with a dummy user / password.

Save and Deploy your Integration Flow.

Your scenario should now use Client Authentication and Authenticate itself to the BackEnd ERP System!

So what happens behind the scenes?

What you will notice is that if you remove the key pair from Settings –> System Certificate in your HANA Cloud Connector, the IDoc Adapter will try to use Basic Authentication. If you have maintained valid credentials, the login goes through and the IDoc gets posted. If you have maintained invalid credentials, an HTTP 401 Unauthorized error is returned. With dummy credentials that do not exist in the backend, a missing System Certificate therefore ends in a 401 rather than a password login.

In summary, HANA Cloud Connector has been instructed to use an X.509 certificate to authenticate itself to the backend ERP system. Hence, when the IDoc from HCI is sent to HCC, HCC uses the X.509 certificate to authenticate itself, which leads to Client Authentication aka 2 Way SSL with HANA Cloud Connector & HCI’s IDoc Adapter!



11 Comments


  1. Ossi Makinen

    Hi Bhavesh!

    Thanks for the good blog! I have one question: in the section Add System Certificate for Client Authentication you say that “to enable Client Authentication you would need to ensure your Private Key is added to the System Certificate in your HANA Cloud Connector. Navigate to Settings –> System Certificate. Select your Key-pair in a P12 File Format.”

    What exactly is “your private key” that needs to be in P12 format and where/how do I get it?

    Thanks for the patience to instruct us beginners 🙂

  2. Alex Liao

    Hi Kantilal,
    One doubt about the trust configuration. You configure the System certificate, I think the certificate of issue should be added into ERP Trust manager (T-code STRUST), right?
    Could you share something about this?

    Thanks ,
    Alex.

  3. Aman Raj

    Hi Bhavesh,

    I have used this method to post data from HCI in to ERP system for web service. I have done SM30 settings and maintained system certificate in SCC and I am using dummy credential for Basic Authentication in SOAP receiver channel in HCI.

    But I am getting an unauthorized 401 error. I am using the SCC UI certificate as the system certificate in SCC, and also my certificate is not signed. Is this issue due to the use of an unsigned certificate?

    Thanks,

    Aman

     

  4. Amitabh Dubey

    Hi Bhavesh,

    Excellent Blog!! Thanks for sharing this information. Now I am working on a PoC where I would like to do the below.

    • I will be using a sensor device to fetch information on HCP (IoT Service)
    • I want to send this info fetched from the sensor to my Backend ECC (on-premise)
    • And get some response back into the sensor device

    Now I have setup the HANA Cloud Connector. I am able to receive data from sensor in IoT Cockpit. But I am not sure how can I pass this data to HCC and then get this into either PI or directly in ECC as an IDoc. I am working on an innovation pack license and do not have HCI so will have to manage the scenario only with HCC.

    Can you please suggest how I could achieve this?

     

    Regards

    Amitabh

     

     
