Trust configuration SCI – SCP – Gateway R/3 (Part II)
Hello again,
In the Part I of the tutorial we saw how to configure SCI with SCP. In this part II we will see how to configure SAP Gateway and SCP for the trust connection.
This point includes the following software:
- Keytool: Included with java jdk (Download JDK 8)
- OPENSSL: Download OpenSSL
Let’s go.
-
Generate certificate with the following commands in CMD (windows):
-
Create certificate: add password and press intro and in the following next question about “alias password” just press intro (with blank password).
keytool -genkey -keyalg DSA -alias alias -keystore certificate_dsa.jks -dname "CN=HCP"
-
Export certificate using: add password and press intro, in the following question add password created in the previous step “Enter source keystore password”.
keytool -importkeystore -srckeystore certificate_dsa.jks -destkeystore certificate_dsa.p12 -srcstoretype jks -deststoretype pkcs12
-
Create certificate in base64: Use password added in previous step
openssl pkcs12 -in certificate_dsa.p12 -nodes -out certificate_dsa.pem
-
-
Modify certificate files as follow:
-
Copy file “certificate_dsa.pem” and rename to “pub.crt”
-
Edit file “pub.crt” with notepad to eliminate PRIVATE KEY, we will also delete this text “—-BEGIN CERTIFICATE—–” and “—-END CERTIFICATE—-”:
-
Copy file “certificate_dsa.pem” and rename to “priv.pem”
-
Edit file “priv.pem” with notepad to eliminate CERTIFICATE, we will also delete this text “—-BEGIN PRIVATE KEY—–” y “—-END PRIVATE KEY—-”
-
-
Create destination in SAP Cloud Platform to connect with SAP GATEWAY:
-
Goes to the “Connectivity” -> “Destinations” in SCP coockpit
-
The destination should have the following parameters:
-
URL: URL of the Gateway service deployed in the on-premise system (this URL can be changed if the Cloud Connector is used, where we will use the virtual address and port)
-
Recipient SID: System ID of Gateway
-
Recipient Client: Mandant of Gateway
-
Certificate: Copy string content from “pub.crt”
-
Signing key: Copy string content from “priv.pem”
-
-
-
Configuration in SAP Gateway:
-
Before we start, we will verify the SAP Gateway SSO configuration, so lets go to the transaction: RZ10
-
Select system configuration in search help
-
Click the option “Extended Maintenance” and then press “display”
-
In the following screen the following values should appear:
-
login/create_sso2_ticket = 2
-
login/accept_sso2_ticket = 1
-
-
-
We add the created certificate to transaction TRUSTSSO2 following the next steps:
-
Select folder “System PSE”
-
Press edit button
-
Upload the file “pub.crt” with upload button
-
After upload file has finished insert certificate with button “Add to certificate List”
-
Push button to create el ACL with “Add to ACL”
-
-
Add the following values (this data must match those indicated in the generation of the certificate and the information of the destination in SCP
-
Now, when logging in with the user created in SCI we can access a UI5 application deployed in SCP and that obtains data from an onpremise system.
Thank you for your attention
References: https://www.youtube.com/watch?v=pcTcmfOZrjE
Hi, nice post. I have a question, this way, I will have to create every user in SCI and set their SAP user in the login name, right? Is there a way to use their SAP user instead of creating it on SCI? thanks!
Hi!
Thanks! Yes, in this scenario is necessary create users in SCI and exist user in SAP Gateway. This is one of the way.
You can see my question where @milen.dobtcheff clarify this topic.
https://answers.sap.com/questions/536045/best-strategy-to-use-the-ui5-application-in-cloud.html