Use Self-Signed SSL Client Certificate to connect SAP backend to SCPI with Custom Domain configured
This document aims at showing how to connect your SAP backend (in this case SAP ECC 6.0) with your SCPI configured with a Custom Domain using the Client Certificate as authentication method. This is to avoid paying a CA to get your Client Certificate signed and to use Self-Signed certificate created from STRUST instead.
The main idea behind this demo is taken from Mandy Krimmel’s blog How to Setup Secure HTTP Inbound Connection with Client Certificates.
Prerequisites:
- SAP backend connected to SCPI via a (synchronous) SOAP web service.
- SCPI Custom Domain correctly configured with a Server/Domain Certificate bound to the respective SSL Host. For more information, please refer to the following link: Using Custom Domain.
- SAP neo-java-web-sdk installed on your local system; to download the tool, click on this link.
- Basic understanding of the concepts behind Custom Domain in SCPI.
Create a new SSL Client PSE (aka SSL Client Identities).
Run transaction STRUST and, from the menu bar, choose Environment -> SSL Client Identities.
Click on New Entries and add your new Identity.
Save the changes.
Right click on the just created SSL Identity and click on Create.
Fill in the values according to your requirements and set the Key Length to at least 2048 bits.
The new entry will appear as follows.
Double click on the Owner value and export the certificate (in this case we use Base64).
Before going on, load the root certificate of your Server/Domain certificate into the Certificate List of this PSE, so that the SAP backend trusts the SCPI server certificate during the TLS handshake. Which root you need depends on the certificate you bound to your Custom Domain.
After importing it, save the new STRUST configuration. You’re done with this part.
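The following script is an added example and not part of the original post: it sanity-checks a client certificate exported from STRUST before it is uploaded, confirming that the file is the Base64 (PEM) export, that the RSA key meets the 2048-bit minimum set above, and printing the subject, expiry date and SHA-256 fingerprint so the same entry can be recognised later in the list-cas output and in the Certificate-to-User Mapping. It requires the openssl CLI; the two certificates it generates are constructed stand-ins for a real STRUST export, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): check a STRUST-exported client
# certificate before uploading it to SCPI. Requires the openssl CLI.

MIN_BITS=2048   # minimum key length chosen in STRUST when creating the PSE

# key_bits FILE: print the RSA modulus size (in bits) of the certificate in FILE.
# Works with both "RSA Public-Key: (n bit)" (OpenSSL 1.1) and "Public-Key: (n bit)" (OpenSSL 3).
key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# check_client_cert FILE: return 0 if FILE is an acceptable PEM client certificate,
# otherwise explain the problem on stderr and return 1.
check_client_cert() {
    f="$1"
    if ! grep -q 'BEGIN CERTIFICATE' "$f" 2>/dev/null; then
        echo "$f: not a Base64 (PEM) export; re-export from STRUST with Base64 selected" >&2
        return 1
    fi
    bits=$(key_bits "$f")
    if [ -z "$bits" ]; then
        echo "$f: openssl could not parse the certificate" >&2
        return 1
    fi
    if [ "$bits" -lt "$MIN_BITS" ]; then
        echo "$f: RSA key is $bits bits, below the $MIN_BITS-bit minimum" >&2
        return 1
    fi
    # Subject, expiry and fingerprint: keep these for matching the entry later on.
    openssl x509 -in "$f" -noout -subject -enddate -fingerprint -sha256
}

# Constructed stand-ins for the STRUST export, generated locally for this demo:
# one certificate with a compliant 2048-bit key and one with a too-short 1024-bit key.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=SAPERP/O=Demo" \
    -keyout "$WORK/good.key" -out "$WORK/good.crt" 2>/dev/null
openssl req -x509 -newkey rsa:1024 -nodes -days 30 -subj "/CN=SAPERP-weak/O=Demo" \
    -keyout "$WORK/weak.key" -out "$WORK/weak.crt" 2>/dev/null

check_client_cert "$WORK/good.crt"            # prints subject, expiry and fingerprint
check_client_cert "$WORK/weak.crt" || echo "weak certificate rejected as expected"
```

Run it against the real export with `check_client_cert /path/to/exported.crt`; a binary (DER) export fails the first check, which is the usual cause of an upload being rejected later.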
Without a Custom Domain, the previously exported Client SSL certificate cannot be uploaded into your SCPI account, because the SCPI Load Balancer trusts only CA-signed certificates. The CAs trusted by SCPI are listed here: Load Balancer Root Certificates Supported by SAP.
With a Custom Domain correctly set up, instead, you are the Domain administrator and can trust your SAP self-signed Client certificate yourself, with no need to pay for an additional license.
Upload the Self-signed Client Certificate to SCPI (Add your CA)
The entity that holds certificates in your SCPI SSL Host is called a bundle. The bundle holds the certificates that enable external applications to call your Custom Domain and authenticate themselves against SCPI. One bundle can hold up to 150 certificates.
Run neo-java-web-sdk and add your CA; in this case, use the previously created client certificate. Please notice that I'm adding my CA to an existing bundle. If this is the first CA you add, a new bundle will be created automatically.
To display the content of what you’ve just loaded, run the list-cas command as follows.
If it’s the first bundle you create, you must run the set-ssl-host command too afterwards. For more details about this command and its implications, please have a look at this link.
Create a new Certificate-To-User Mapping using the SAP ERP Client SSL certificate created in the first step.
Once you're in the view, click Add and choose an appropriate username (it doesn't need to exist in your Subaccount Members). In this demo I use SAPERPUSER. Then choose your SAP ERP SSL Client certificate and click OK.
The result is the following.
Add this user to the ESBMessaging.send role in your subaccount Subscribed Application (you access it from https://account.hana.ondemand.com).
Proxy Consumer configuration (SOAMANAGER)
In your Consumer Proxy, create a Logical Port (here I’m using the Manual Configuration).
In the Authentication Settings, choose X.509 SSL Client Certificate in order to use the security material stored in your STRUST.
Then choose the previously created SSL PSE.
Configure the Transport Setting (url, etc.) in accordance with your SCPI exposed Web Service and save it.
Ping your web service (you might get an error back at this point; this is not necessarily worrying). Then go to the SCPI System Log Files.
Download the first http_access*.log file you find there to verify the user information sent when connecting to SCPI.
Here you will see SAPERPUSER being used to establish the connection, and HTTP status 500 as the result of the SOAMANAGER ping.
After calling the service from SAP backend, the log reports the correct http status 200.
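As an added example that is not part of the original post, the script below summarises an http_access log so the two checks above (which user the request was authenticated as, and the HTTP status) can be done in one pass instead of reading the file by hand. The log lines are constructed for the demo and assume the common log format (client IP, identity, user, timestamp, request line, status, bytes); if your http_access*.log uses a different field order, adjust the column numbers in `access_summary`. The function names are mine. A user column of `-` means the request was not authenticated as any mapped user, i.e. either no client certificate was presented or no Certificate-to-User Mapping matched it, which is the case to look for when the ping fails with 401 or 403 instead of the expected 500.

```shell
#!/bin/sh
# Added example (not from the original post): summarise which user each request in an
# SCPI http_access*.log was authenticated as, and what HTTP status it got.
# Assumes the common log format:
#   <ip> - <user> [<timestamp>] "<method> <path> <proto>" <status> <bytes>

# Constructed sample log for the demo (not real SCPI output):
#   line 1: a call that arrived with no mapped user (cert not mapped or not sent)
#   line 2: the SOAMANAGER ping, authenticated as SAPERPUSER, answered with 500
#   line 3: the real service call from the SAP backend, answered with 200
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "POST /cxf/OrderService HTTP/1.1" 401 0
10.0.0.5 - SAPERPUSER [01/Jan/2020:10:01:00 +0000] "GET /cxf/OrderService?wsdl HTTP/1.1" 500 0
10.0.0.5 - SAPERPUSER [01/Jan/2020:10:02:00 +0000] "POST /cxf/OrderService HTTP/1.1" 200 512
EOF

# access_summary LOGFILE: print one "<user> <status> <method> <path>" line per request.
access_summary() {
    awk '{
        user = $3; status = $9; method = $6; sub(/^"/, "", method); path = $7
        print user, status, method, path
    }' "$1"
}

# verify_mapped_user LOGFILE EXPECTED_USER: print counters and return 0 if EXPECTED_USER
# appears with at least one 2xx response (the mapping works end to end), 1 otherwise.
verify_mapped_user() {
    log="$1"; expected="$2"
    access_summary "$log" | awk -v u="$expected" '
        $1 == "-"            { unmapped++ }      # no certificate-to-user mapping matched
        $1 == u && $2 ~ /^2/ { ok++ }            # mapped user, successful call
        $1 == u && $2 ~ /^5/ { server_err++ }    # mapped user, server-side error (e.g. the ping)
        END {
            printf "user=%s unmapped=%d ok=%d server_errors=%d\n", u, unmapped, ok, server_err
            exit (ok > 0) ? 0 : 1
        }'
}

access_summary "$SAMPLE_LOG"
verify_mapped_user "$SAMPLE_LOG" SAPERPUSER
```

On the sample data this reports `user=SAPERPUSER unmapped=1 ok=1 server_errors=1`: one unmapped request, the ping's 500, and the successful 200 from the backend call. Running `verify_mapped_user http_access.log SAPERPUSER` on a downloaded log therefore tells you in one line whether the self-signed certificate is being mapped to the intended user.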
This concludes the demo. Thanks for reading.