In Part 1 of this blog series, we looked at steps to trigger an IDoc from SAP ERP to HCI from the scratch using Basic Authentication.
In Part 2 of this blog series , we looked at how to use IDoc Numbers to search for IDocs in HCI Message Monitoring.
In Part 3 of this blog series ( this blog ), we will look at how to use Client Authentication aka Certificate Based Authentication when triggering IDocs from ERP to HCI.
- We will continue to use the Integration Flow from our previous blog of this series and enhance this to use Client Authentication.
- For ECC to connect to HCI using Client Authentication, you need to have your ECC KeyPair in the P12 or PFX format. This Key Pair should be signed by a TrustedCA as per the list here.
- You have the SAP Cryptographic tool downloaded from Service Market place – This is required to convert the P12 / PFX KeyPair into a SAP supported PSE format. If you do not have this, download the same as per SAP documentation : Downloading the SAP Cryptographic Library – Search – SAP Library
Convert PFX / P12 KeyPair to a PSE
Normally your Signed Key-pair is in the format of a P12 / PFX File. SAP STRUST requires this to be in the format of a PSE File. You can use the sapgenpse command available as a part of the SAP Cryptographic tool downloaded in the pre-requistes to convert the PFX/P12 format into PSE format. The command to do this is described in this SAP Documentation link – Importing a PKCS#12 File – Network and Transport Layer Security – SAP Library
Command: sapgenpse import_p12 <additional options> [-p <pse file>] <filename>.p12
Example: sapgenpse import_p12 -p E:\ClientAuth\privatekey.pse E:\ClientAuth\privatekey.p12 , where,
- E:\ClientAuth is the directory where my PrivateKey exists in the P12 format.
- privatekey.p12 is the key-pair in the P12 format
- privatekey.pse is the key-pair to be generated in the pse format.
SAP ERP Configuration
Update your Integration Flow to use Certificate Based Authentication
Test Your Integration Flow
With this we are done with one part of ourseries dealing with the Sender IDoc Adapter of HCI. As you would have seen, in comparison to PI, the IDoc adapter using SOAP over HTTP which has meant most of the configuration involved in ERP has been around Securing your HTTP Connection ( in STRUST ).
In the next part of this series (Part 4) we will look at using a Receiver IDoc Adapter in HCI and understanding how the receiver IDoc Adapter works!