Technical Articles
Cloud Integration – How to Setup Secure Outbound HTTP Connection using Keystore Monitor
This blog describes how to setup secure outbound connections with client certificates using the keystore monitor (available with 24-June-2017 release (2.29*)) for maintaining the keys and certificates in the cloud integration system. It gives a step by step description what needs to be configured where. Furthermore, test options are described for testing outbound connectivity.
Setup Secure Outbound HTTP Connection using Keystore Monitor
A typical task in an integration project is to connect remote systems to the SAP Cloud Integration Tenant. Before going into detailed configuration of the outbound communication lets first have a short look at the basics.
Basics of Secure System Configuration
The remote system can act either as a sender or a receiver of messages. The setup and the detailed configuration procedure differ according to the communication direction that is being set up: whether a remote system is supposed to send a message to the integration platform or the other way round.
For more detailed information about the different authentication and authorization options refer to the SAP Cloud Platform Integration Documentation, section ‘Connecting a Customer System to Cloud Integration’.
As Secure inbound communication does not need a keystore we focus only on the outbound communication in this blog. Inbound Communication is described in blog ‘How to setup secure HTTP Inbound Communication’.
Secure Outbound Communication
For HTTPS based outbound communication with client certificate authentication, keys and certificates have to be maintained in the receiver system and in the cloud integration tenant keystore.
Configure Connection in Receiver and Cloud Integration Tenant
Download Root Certificate from Receiver System
For HTTPS based communication the receiver system needs to have a private key and its certificate chain, which typically consists of the server certificate and the intermediate certificate. The intermediate certificate is signed by a CA’s root certificate. The integration tenant trusts the backend server if the CA’s root certificate is available in its keystore.
For the configuration as a first step this root certificate needs to be downloaded from receiver system or provided by the receiver system administrator to add it to the cloud integration tenant in the next step.
Configurations in Cloud Integration Tenant
For HTTPS based communication in the cloud integration tenant, the root certificate of the receiver system provided in previous step is needed in the cloud integration tenant’s keystore. Furthermore, for using client certificate authentication, a signed key pair including complete certificate chain is required in the cloud integration tenant’s keystore.
Add Root Certificate of the Receiver Backend
To maintain certificates and keys in the keystore open the Keystore Monitor available in the Operations View in Web in section Manage Security. All certificates and private key pairs contained in the tenant keystore are shown.
To add the root certificate of the receiver backend, select the option Add -> Certificate from the action buttons on top of the table:
Define an Alias and select the *.cer file containing the root certificate of the receiver system:
Select Deploy to add the certificate to the keystore.
Maintain Signed Key in the Cloud Platform Integration Tenant (Option to be used with 28-October-2018 release)
As all newly provisioned cloud integration tenants already have a private key pair pre-delivered by SAP, which you can use this for your communications. But, if required, you can also create your own private key pairs in the cloud integration tenant. To create a new private key pair in the Keystore Monitor select the option Create -> Key Pair from the action buttons on top of the table:
In the creation dialog enter the Alias you want to use, select and define the key specific values and define a validity period. Select Deploy to create the key. If a key with the defined alias already exists, an error message is given. In this case you have to use a different Alias.
To be able to use this new key pair for a secure outbound connection you need to get this key pair signed by a Certification Authority supported by the receiver system. To do this, select the link for the key pair you want to use to get the details screen for the key pair. In the details screen use the option Download -> Download Signing Request to download the signing request. The download creates a file with the name <alias>.csr. This file can be send to a CA for signing the key.
Once you received the signing response from the CA, you can upload this using the option Update -> Signing Response in the details screen for the key pair. Select the file containing the signing response and select Update. The signature details are shown in the details of the key pair when you navigate through the certificate chain.
Now the key pair can be used for connecting to the receiver backend with client certificates.
For more details also refer to the SAP Cloud Platform Integration Documentation in chapter ‘Creating X.509 keys’.
Maintain Keystore in Keystore Explorer (Option to be used until 28-October-2018 release)
As the current version of the Keystore Monitor is not able to create signing requests, the signed private key including certificate chain has to be maintained in an external keystore maintenance tool, for example the Keystore Explorer.
As all newly provisioned cloud integration tenants already have a private key pair pre-delivered by SAP, which you can use this for your communications. But, if required, you can also create your own private key pairs for the cloud integration tenant using an external tool, for example the keystore explorer. Use the external tool to create a new key pair, create the signing request, send it to an CA and import the signing response. Make sure you use an alias name in the customer namespace – do not use the prefix sap.
This is described in detail in SAP Cloud Platform Integration Documentation in chapter ‘Creating X.509 keys’.
Afterwards import the keystore in Keystore Monitor. To import the created keystore file, open the Keystore Monitor available in the Operations View in Web in section Manage Security.
Upload the keystore via Add -> Keystore button on the top of the monitor.
Browse the *.jks file and enter the password you gave in previous step when creating the keystore. The private key pair contained in the keystore file will be added to the existing entries for owner Tenant Administrator with the aliases used in Keystore Explorer.
More information about maintaining keys and certificates in Keystore Monitor, about migration of existing keystores into the new monitor and about existing naming conventions can be found in blog ‘How to use Keystore Monitor to maintain your keys and certificates’.
Authorization
To maintain keys and certificates in Keystore Monitor your user needs the Group Role AuthGroup.Admin or Single Roles IntegrationOperationServer.read, NodeManager.read and
NodeManager.deploysecuritycontent.
Download Certificate and Root Certificate from Keystore Monitor (Option to be used with 28-October-2018 release)
For client certificate based authentication at the receiver system the root certificate and the client certificate of the cloud integration tenants private key are needed in the receiver system. For this, export the certificate and the root certificate of the private key pair in the Keystore Monitor. These options are available as single line options.
To download the public certificate select Download Certificate from the actions button in the line of the private Key Pair:
Download Certificate for a Key Pair will create a file with the name <alias>.cer in the download directory. The file contains the public certificate for the private key.
To download the root certificate select Download Root Certificate from the actions button in the line of the private Key Pair:
Download Root Certificate for a Key Pair will create a file with the name <alias>_rootCA.cer in the download directory. The file contains the root certificate for the private key.
Both certificates need to be imported into the receiver system in the next step.
Download Certificate Chain from Keystore Monitor (Option to be used until 28-October-2018 release)
For client certificate based authentication at the receiver system the root certificate and the client certificate of the cloud integration tenants private key are needed in the receiver system. For this, export the certificate chain of the private key pair in the Keystore Monitor. This option is available as single line option, select Download from the actions Button in the line of the private Key Pair.
Download for a Key Pair will create a file with the name <alias>.p7b in the download directory. The file contains the whole certificate chain assigned to the private key. The certificate chain file can, for example, be opened with the Certificates Snap-in of Microsoft Management Console (Certmgr.msc), which is usually available on Windows systems.
Open the downloaded <alias>.p7b file with the Certificates Snap-in on your system and open the tab Certificate Path. There, the whole certificate chain can be seen.
The entry on the top is the root certificate. Open the root certificate via double click. This will open the root certificate. In the tab Details export the root certificate into a file via Copy to File. In the Certificate Export Wizard export the root certificate as DER encoded binary X.509 file. Use any arbitrary file name to save the certificate as *.cer file.
The same way you exported the root certificate, also export the client certificate, which is the one at the bottom of the certificate chain.
Both certificates need to be imported into the receiver system in the next step.
Authorization
To download entries from Keystore Monitor your user needs the Group Role AuthGroup.IntegrationDeveloper or Single Roles IntegrationOperationServer.read and NodeManager.read.
Import Certificates to Receiver System
For outbound communication using client certificate authentication, in the receiver system the root certificate and the client certificate of the cloud integration tenant’s private key are to be imported into the backend.
For this, import the root certificate retrieved in previous step into the trust store of the receiver system. In addition, you normally need to import the client certificate into a user to certificate mapping in the receiver backend.
With this last step the configuration of the outbound communication using client certificates is completed. To test the connectivity, continue as described below.
Alternative configuration options
Beside the recommended and most used configuration option to have the whole certificate chain including the root CA certificate assigned to the server’s private key available in the server keystore and only the root certificate in the client’s trust store, there are other configuration options possible with which the client can establish a trust relation to the server:
- If the server keystore contains only the server certificate including intermediate certificate, the client keystore needs to contain only the root certificate in its keystore.
- If the server keystore contains only the server certificate without the certificate chain the client keystore needs to contain the intermediate and root certificate.
- If the server uses a self-signed key (if the receiver accepts it) the client keystore needs to contain this certificate.
Similar options are possible when the server has to trust the client certificate in the client certificate authentication use case.
Connectivity Test
After setting up the connection toward the backend system, the connectivity test feature can be used to test the communication or even to download server certificates.
TLS Connectivity Test
The Connectivity Test is available in Operations View in Web, in section Manage Security Material. Selecting the Connectivity Test tile from Overview Page will open the test tool offering tests for different protocols. To test the HTTPS based outbound communication the TLS option is to be selected.
Enter the address of your cloud backend (Tests to On-Premise backends via cloud Connector cannot be done) as used in the outbound channel and execute the test. The test will give a success message or an error with detailed error information.
If there is an error with the SSL connectivity it is possible to execute the test without the option to Validate Server Certificate. In this case the server certificate is not checked, but can be downloaded via Download Button and added to the keystore in Keystore Monitor as described in the above chapter.
Client Certificate based authentication can be checked via option Authenticate with Client Certificate. It is possible to enter a specific alias contained in the keystore or to leave the field empty, in this case the first alias fitting to the server request will be used.
Well Explained. Thanks.
For a not too technical guy this is hard to read, especially the term receiver system etc is unclear to me - whether the receiver system refers to SAP ERP, AEAT or to the HCI tenant. I would prefer to read a step by step instruction specifically naming the receiver system.
What confuses me in addition is the use of some terms like certificate, root certificate and certificate chain.
Again, maybe I am not the intended audience but I couldn't do the keystore maintenance with this, sorry.
Hi,
thank you for your feedback. But I think for someone knowing cloud integration and doing system integration using cloud integration the terms certificate, root certificate and certificate chain should be familiar. It is not the goal of this blog to explain such basic terms.
Receiver system can be any external system called from cloud integration, this is also a very known term in cloud integration, where you configure the Receiver system in the integration flow.
BR,
Mandy
Hi Mandy,
I’ve done the steps follow your posting, but I have the following information when perform the connection test for ‘TLS’. The scenario is from a HCI (Demo) to one of internal SAP system (with port 44311).
The error message show as following: ” java.net.SocketTimeoutException: connect timed out (local port 57753 to address 10.104.183.xxx (vsa2783178.xxx.xx.sap.biz), remote port 44311 to address 10.97.194.xxx) “.
Could you kindly advise the potential cause for this error and how to resolve it? Thanks!
Best regards,
Radar Lei
Hello,
this error looks like some port needs to be opened. Please open a BCP ticket on component LOD-HCI-PI-OPS with the detailed information configured in your outbound channel.
Best regards,
Mandy
Hi Mandy,
Thanks, I'll try it.
Best regards,
Radar
HI Mandy,
My receiver system is SuccessFactors and I want to build a client certificate based connection between HCI to SuccessFactors.
I have SuccessFactors certificates, could you please explain me step by step how to build a connection between both the system.
Thanks & regards,
ManjunathChowdary.
Hello,
I would expect this is described step by step in the specific success factors scenario setup guide. In general the steps mentioned above are necessary, except that the certificates for the HTTPS connection to the SuccessFactors System should already be available in the CPI Keystore and do not need to be imported.
Best regards,
Mandy
Hi Mandy,
Thank you for the great post, I find it really helpful.
Two questions:
- In our tenant keystore there are no Key Pair entries from Owner=SAP with a small lock icon. I assumed those entries are pre-delivered and also locked. Note that our tenant is ~2 years old. In your other post I read about the migration of old keystores following v2.29, currently we are on build 2.34.6 but the SAP owned entries are not there.
- On Test Connectivity I select "Authenticate with Client Certificate", enter the host name, port, and the alias (validate server certificate is also checked): the conection test is successful ("successfully reached host..."), the server certificates are also displayed, still it says "Client Certificate Used: NO" without any errors. What can be the problem? Is the selected Alias wrong or target host must explicitly require client certificate authentication?
Thanks for your help in advance,
Gabor
Hello Gabor,
do you have key pairs that fit to the SAP naming convention, hcicertificate or sap_? Normally these key pairs are then maintained by SAP. There is one exception; if you deployed the keystore on your own on the tenant without asking Cloud Operations, you are responsible for these keys.
Do you have SAP owned certificates in the keystore? This would mean the migration took already place.
Concerning the connectivity test: if the server does not require client certificate it will not be be used. The target host should require client certificate authentication.
regards,
Mandy
Hi Jens,
let me try to answer.
Best regards,
Mandy
excellent blog!! very well explained
A word of warning against using hcicertificate for integrating with mutual authentication against C4C (at least currently).
SAP has managed to NOT trust newly issued hcicertificate keypairs within C4C, see https://launchpad.support.sap.com/#/notes/2980997
(still in disbelief)
thank you Mandy its great blog
i have one question can we use same way for getting cpi certificate by giving runtime node in Connectivity Test rather than download it from keystore .
I mean is it same certificate that we give for sender and receiver ?
Regards,
Ghadeer
Hello
the certificate you can download in the connection test is the certificate from load balancer that is needed for the TLS handshake.
The certificate you can download from keystore is the one you need for client certificate based authentication towards the receiver.
Best regards
Mandy
thanks Mandy its much clear now , just one question if you don't mind now if i have system in my talent that acts as sender and receiver at the same time , should I upload both in its trust store?
Regards
Ghadeer
Hello,
in case CPI acts as server (receiver), you need to upload the root CA of the load balancer in the senders trust store, see: Cloud Integration – How to Setup Secure HTTP Inbound Connection with Client Certificates | SAP Blogs
BR
Mandy
Dear Mr Mandy,
I am working on the S4HANA Cloud send outbound delivery via CPI to external warehouse.
I use the basic authorization, and config as SAPHelp and your blog guide..
I test in the CPI test connectivity, the clond,CPI, external warehouse host are all ok.
but I receive an issue ,when I create the outbound delivery in S4HANA cloud.
the error is:
java.net.ConnectException: General SSLEngine problem, cause: java.security.cert.CertificateException: No subject alternative names present
the certificate without CPI, it works, even have this issue, external warehouse still can receive the outbound delivery..
Do you have any advice for this issue, Thanks!
Roger
Hello Roger,
I don't completely understand the issue. You get the error in the Cloud Integration Monitor? Or where do you see the error? Or do you see the error in the S4 Hana Cloud system?
The best would be you open a ticket on LOD-HCI-PI-RT and attach all the required details:
Best regards
Mandy
Dear Mr Mandy,
Yes, it's in the Cloud Integration Monitor.
ok, I will create an incident to SAP experts.
Thanks.
Hi Mandy,
Thank you for the wonderful blog.
For the outbound client certificate authentication option, in our case, the 3rd party will be creating a key-pair (CA trusted). In this case, besides the receiver server root certificate, do I also need to import -
Thanks
Saurabh
Hello,
if you want to use an externally created key pair you need to import this key pair with chain into the keystore of the CPI tenant.
best regards
Mandy