Background

In Part 1 of this blog series, we looked at steps to trigger an IDoc from SAP ERP to HCI from the scratch using Basic Authentication.

In Part 2 of this blog series , we looked at how to use IDoc Numbers to search for IDocs in HCI Message Monitoring.

In Part 3 of this blog series ( this blog ), we will look at how to use Client Authentication aka Certificate Based Authentication when triggering IDocs from ERP to HCI.

Pre-Requistes

  • We will continue to use the Integration Flow from our previous blog of this series and enhance this to use Client Authentication.
  • For ECC to connect to HCI using Client Authentication, you need to have your ECC KeyPair in the P12 or PFX format. This Key Pair should be signed by a TrustedCA as per the list here.
  • You have the SAP Cryptographic tool downloaded from Service Market place – This is required to convert the P12 / PFX KeyPair into a SAP supported PSE format. If you do not have this, download the same as per SAP documentation : Downloading the SAP Cryptographic Library – Search – SAP Library


Convert PFX / P12 KeyPair to a PSE

Normally your Signed Key-pair is in the format of a P12 / PFX File. SAP STRUST requires this to be in the format of a PSE File. You can use the sapgenpse command available as a part of the SAP Cryptographic tool downloaded in the pre-requistes to convert the PFX/P12 format into PSE format.  The command to do this is described in this SAP Documentation link – Importing a PKCS#12 File – Network and Transport Layer Security – SAP Library

Command: sapgenpse import_p12 <additional options> [-p <pse file>] <filename>.p12

Example: sapgenpse import_p12 -p E:\ClientAuth\privatekey.pse E:\ClientAuth\privatekey.p12 , where,

  • E:\ClientAuth is the directory where my PrivateKey exists in the P12 format.
  • privatekey.p12 is the key-pair in the P12 format
  • privatekey.pse is the key-pair to be generated in the pse format.

SAP ERP Configuration

Configuration
ScreenShot

Tcode: STRUST

Add a SSL Client Identity as below

  • Go to Environment –> SSL Client Identities
  • Add an entry as below and save
    • Identity – HCI ( Can also be any other name you prefer)
    • Description – HCI Client Authentication
  • Your new entry added should now be visible in STRUST in the tree in the left side navigation

Tcode: STRUST

Load the Private Key for Client Authentication into your Client View in STRUST

  • Double Click on the “File” option in your STRUST Navigation Tree on the left
  • Select the Privatekey.pse that was created in the previous section.
  • Provide the password of your Privatekey.pse
  • Your PSE should be loaded and be shown on the Left Pane.
  • Click on PSE –> Save AS
  • Select SSL Client and select your SSL Client View created in previous step

Download HCI SSL Certificate

  • Go to your HCI URL, View Certificate ( from padlock ) –> Details –> Copy to File  –> Select Default Options
  • Save the certificate to your local desktop

Transaction :STRUST

  • Go to view – SSL Client HCI Client ( The view created in previous steps and where the private key was imported)
  • Import your HCI SSL Certificate here.
    • Click on Import Certificate
    • Select your certificate from previous step
    • Click on Add to Certificate List
  • This is required to establish a SSL connection between your SAP ERP and SAP HCI. This was already done in Part 1 of this blog series but was done in a different view. In this case as we have a new view this step has to be repeated.

Transaction : SM59

  • Go to SM59 to the Type G Destination that was created as in Part 1 of this blog.
  • Go to Tab Log&Security
    • Select Option – Do Not use a User
    • Under Security Options
      • Select SSL Certificate – The Client View that was created previously – HCI Client Authentication in our case

Transaction : SM59

Perform a Test Connection of your Destination

  • Response returned should be HTTP 403 Forbidden.
  • This is because your HCI Integration Flow still expects Basic Authentication whereas your Destination now uses Client Authentication
  • Also check the Tail Log of your HCI Tenant. You will see the error that the Certificate was received but is not authorized ( As Integration Flow does not have Certificate based authentication enabled )

Update your Integration Flow to use Certificate Based Authentication

Configuration Screenshot
  • Change the configuration of Your Integration Flow such that the authentication uses Certificate Based Authentication
  • The Certificate used here should be the public certificate of the Key-Pair loaded in STRUST in ECC

Test Your Integration Flow

Configuration Screenshot

Transaction: SM59

  • Go to your HTTP Type G Destination
  • Test Connection.
    • Connection should now return HTTP 500 – Internal Server Error
    • The error will be the same as when you tested the destination in part 1 of the blog series

  • Trigger your IDoc and the IDoc should now successfully be sent to HCI.
  • Your SM59 HTTP Destination now uses a Client Authentication and does not use Basic Authentication

Summary

With this we are done with one part of ourseries dealing with the Sender IDoc Adapter of HCI. As you would have seen, in comparison to PI, the IDoc adapter using SOAP over HTTP which has meant most of the configuration involved in ERP has been around Securing your HTTP Connection ( in STRUST ).

In the next part of this series (Part 4) we will look at using a Receiver IDoc Adapter in HCI and understanding how the receiver IDoc Adapter works!

To report this post you need to login first.

Be the first to leave a comment

You must be Logged on to comment or reply to a post.

Leave a Reply