Trust configuration SCI - SCP - Gateway R/3 (Part ...

Technology Blogs by Members

Explore a vibrant mix of technical expertise, industry insights, and tech buzz in member blogs covering SAP products, technology, and events. Get in the mix!

Hello again,

In the Part I of the tutorial we saw how to configure SCI with SCP. In this part II we will see how to configure SAP Gateway and SCP for the trust connection.

This point includes the following software:

Keytool: Included with java jdk (Download JDK 8)

OPENSSL: Download OpenSSL

Let’s go.

Generate certificate with the following commands in CMD (windows):
- Create certificate: add password and press intro and in the following next question about “alias password” just press intro (with blank password).
```
keytool -genkey -keyalg DSA -alias alias -keystore certificate_dsa.jks -dname "CN=HCP"
```
- Export certificate using: add password and press intro, in the following question add password created in the previous step “Enter source keystore password”.
```
keytool -importkeystore -srckeystore certificate_dsa.jks -destkeystore certificate_dsa.p12 -srcstoretype jks -deststoretype pkcs12
```
- Create certificate in base64: Use password added in previous step
```
openssl pkcs12 -in certificate_dsa.p12 -nodes -out certificate_dsa.pem
```

Modify certificate files as follow:
- Copy file “certificate_dsa.pem” and rename to “pub.crt”
- Edit file “pub.crt” with notepad to eliminate PRIVATE KEY, we will also delete this text “----BEGIN CERTIFICATE-----” and “----END CERTIFICATE----”:
- Copy file “certificate_dsa.pem” and rename to “priv.pem”
- Edit file “priv.pem” with notepad to eliminate CERTIFICATE, we will also delete this text “----BEGIN PRIVATE KEY-----” y “----END PRIVATE KEY----”

Create destination in SAP Cloud Platform to connect with SAP GATEWAY:
- Goes to the “Connectivity” -> “Destinations” in SCP coockpit
- The destination should have the following parameters:
  - URL: URL of the Gateway service deployed in the on-premise system (this URL can be changed if the Cloud Connector is used, where we will use the virtual address and port)
  - Recipient SID: System ID of Gateway
  - Recipient Client: Mandant of Gateway
  - Certificate: Copy string content from “pub.crt”
  - Signing key: Copy string content from “priv.pem”

Configuration in SAP Gateway:
- Before we start, we will verify the SAP Gateway SSO configuration, so lets go to the transaction: RZ10
  - Select system configuration in search help
  - Click the option “Extended Maintenance” and then press “display”
  - In the following screen the following values should appear:
    - login/create_sso2_ticket = 2
    - login/accept_sso2_ticket = 1
- We add the created certificate to transaction TRUSTSSO2 following the next steps:
  - Select folder “System PSE”
  - Press edit button
  - Upload the file “pub.crt” with upload button
  - After upload file has finished insert certificate with button “Add to certificate List”
  - Push button to create el ACL with “Add to ACL”
- Add the following values (this data must match those indicated in the generation of the certificate and the information of the destination in SCP

Now, when logging in with the user created in SCI we can access a UI5 application deployed in SCP and that obtains data from an onpremise system.

Thank you for your attention

References: https://www.youtube.com/watch?v=pcTcmfOZrjE

2 Comments

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Count

Trust configuration SCI - SCP - Gateway R/3 (Part II)

Generate certificate with the following commands in CMD (windows):

Create certificate: add password and press intro and in the following next question about “alias password” just press intro (with blank password).

Export certificate using: add password and press intro, in the following question add password created in the previous step “Enter source keystore password”.

Create certificate in base64: Use password added in previous step

Modify certificate files as follow:

Copy file “certificate_dsa.pem” and rename to “pub.crt”

Edit file “pub.crt” with notepad to eliminate PRIVATE KEY, we will also delete this text “----BEGIN CERTIFICATE-----” and “----END CERTIFICATE----”:

Copy file “certificate_dsa.pem” and rename to “priv.pem”

Edit file “priv.pem” with notepad to eliminate CERTIFICATE, we will also delete this text “----BEGIN PRIVATE KEY-----” y “----END PRIVATE KEY----”

Create destination in SAP Cloud Platform to connect with SAP GATEWAY:

Goes to the “Connectivity” -> “Destinations” in SCP coockpit

The destination should have the following parameters:

URL: URL of the Gateway service deployed in the on-premise system (this URL can be changed if the Cloud Connector is used, where we will use the virtual address and port)

Recipient SID: System ID of Gateway

Recipient Client: Mandant of Gateway

Certificate: Copy string content from “pub.crt”

Signing key: Copy string content from “priv.pem”

Configuration in SAP Gateway:

Before we start, we will verify the SAP Gateway SSO configuration, so lets go to the transaction: RZ10

Select system configuration in search help

Click the option “Extended Maintenance” and then press “display”

In the following screen the following values should appear:

login/create_sso2_ticket = 2

login/accept_sso2_ticket = 1

We add the created certificate to transaction TRUSTSSO2 following the next steps:

Select folder “System PSE”

Press edit button

Upload the file “pub.crt” with upload button

After upload file has finished insert certificate with button “Add to certificate List”

Push button to create el ACL with “Add to ACL”

Add the following values (this data must match those indicated in the generation of the certificate and the information of the destination in SCP

SAP PI for Beginners

ABAP 7.40 Quick Reference

Fiori: technical installation and configuration of one app from A - Z