James Taylor

Use Self-Signed SSL Client Certificate to connect SAP backend to SCPI with Custom Domain configured


This document shows how to connect your SAP backend (in this case SAP ECC 6.0) to an SCPI tenant configured with a Custom Domain, using a client certificate as the authentication method. The point is to avoid paying a CA to sign your client certificate and to use a self-signed certificate created in STRUST instead.

The main idea behind this demo is taken from Mandy Krimmel’s blog How to Setup Secure HTTP Inbound Connection with Client Certificates.


Involved Systems

SAP backend connected to SCPI via (synchronous) SOAP WS.


  • SCPI Custom Domain correctly configured with a Server/Domain Certificate bound to the respective SSL Host. For more information, please refer to the following links:

Custom domain, overview

Using Custom Domain

  • SAP neo-java-web-sdk installed on your local system; to download the tool, click on this link.
  • Basic concepts behind Custom Domain in SCPI.


Configure STRUST

Create a new SSL Client PSE (aka SSL Client Identities).

Run tcode STRUST, then from the toolbar choose Environment -> SSL Client Identities.

Click on New Entries and add your new Identity.

Save the changes.

Right click on the just created SSL Identity and click on Create.

Fill in the values according to your requirements and set the Key Length to at least 2048.

The new entry will appear as follows.

Double click on the Owner value and export the certificate (in this case we use Base64).

Before going on, load the root Server/Domain certificate into your Certificate List; which certificate this is depends on what you bound as your Domain certificate.

After importing it, save the new STRUST configuration. You’re done with this part.

The previously exported SSL client certificate can now be uploaded to your SCPI account. Without a Custom Domain this would not work, because the default SCPI Load Balancer trusts only CA-signed certificates; the CAs supported by SCPI are listed here: Load Balancer Root Certificates Supported by SAP.

With a Custom Domain correctly set up, instead, you are the Domain administrator and you can trust your self-signed SAP client certificate yourself, with no additional license to pay.


Upload the Self-signed Client Certificate to SCPI (Add your CA)

The entity that holds certificates for your SCPI SSL Host is called a bundle. A bundle holds the certificates that enable external applications to call your Custom Domain and authenticate themselves against SCPI. One bundle can hold up to 150 certificates.

Run neo-java-web-sdk and add your CA; in this case, use the previously created client certificate. Note that I am adding my CA to an existing bundle. If this is the first CA you add, a new bundle is created automatically.

To display the content of what you’ve just loaded, run the list-cas command as follows.

If it’s the first bundle you create, you must run the set-ssl-host command too afterwards. For more details about this command and its implications, please have a look at this link.
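As an added example (not part of the blog or of the SAP Neo SDK), the following POSIX shell script sanity-checks the Base64 certificate exported from STRUST in the previous section before it is handed to neo add-ca: the file must parse as a PEM certificate, the key must be at least 2048 bits as set in STRUST, and the certificate must not already be expired. It then prints the add-ca and list-cas commands of this section. Assumptions: openssl is on the PATH; the add-ca flags are those shown in the comment thread below and list-cas is assumed to take the same --account/--host/--user flags; <subaccount_technical_name>, <user> and <bundle> are placeholders; the rule that the landscape host carries the region unless it is eu1 is taken from the comments.

```shell
#!/bin/sh
# Added example, not the blog's own code: check an exported STRUST client
# certificate with openssl, then print the neo upload commands.

MIN_KEY_BITS=2048   # matches the "at least 2048" key length set in STRUST

# key_bits FILE -> prints the public key size in bits of a PEM certificate
# (works for the "Public-Key: (N bit)" line of OpenSSL 1.0, 1.1 and 3.x)
key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -o 'Public-Key: ([0-9]* bit)' | tr -dc '0-9'
}

# check_client_cert FILE -> 0 when the file is a PEM certificate, its key is
# at least MIN_KEY_BITS and it is not already expired; 1 otherwise
check_client_cert() {
    f=$1
    openssl x509 -in "$f" -noout >/dev/null 2>&1 \
        || { echo "not a PEM certificate: $f" >&2; return 1; }
    bits=$(key_bits "$f")
    [ -n "$bits" ] && [ "$bits" -ge "$MIN_KEY_BITS" ] \
        || { echo "key too short: ${bits:-?} bits (need $MIN_KEY_BITS)" >&2; return 1; }
    # -checkend 0 fails if the certificate expires within 0 seconds, i.e. is
    # already expired (it does not check notBefore)
    openssl x509 -in "$f" -noout -checkend 0 >/dev/null \
        || { echo "certificate already expired: $f" >&2; return 1; }
    return 0
}

# neo_host REGION -> landscape host; eu1 uses the bare domain, other regions
# are prefixed (assumption taken from the comment thread)
neo_host() {
    case "$1" in
        eu1|"") echo "hana.ondemand.com" ;;
        *)      echo "$1.hana.ondemand.com" ;;
    esac
}

# neo_upload_cmds REGION CERTFILE -> prints the add-ca and list-cas commands;
# <...> values are placeholders to replace with your own subaccount data
neo_upload_cmds() {
    host=$(neo_host "$1")
    cat <<EOF
neo add-ca --account <subaccount_technical_name> --host $host --user <user> --bundle <bundle> --location $2
neo list-cas --account <subaccount_technical_name> --host $host --user <user>
EOF
}

# usage: ./check_cert.sh SSL_client.cer [region]
if [ -n "$1" ]; then
    check_client_cert "$1" && neo_upload_cmds "${2:-eu1}" "$1"
fi
```

Run it against the Base64 file exported from STRUST (not the PSE itself); a non-zero exit means the certificate should not be uploaded yet, and the printed commands are only a template for the neo calls described above.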


Certificate-to-User Mapping

Create a new Certificate-To-User Mapping using the SAP ERP Client SSL certificate created in the first step.

Once you are in the view, click Add and choose an appropriate username (it does not need to exist among your Subaccount Members). In this demo I use SAPERPUSER. Then choose your SAP ERP SSL client certificate and click OK.

The result is the following.

Add this user to the ESBMessaging.send role in your subaccount Subscribed Application (you access it from

Proxy Consumer configuration (SOAMANAGER)

In your Consumer Proxy, create a Logical Port (here I’m using the Manual Configuration).

In the Authentication Settings, choose X.509 SSL Client Certificate so that the security material stored in your STRUST is used.

Then choose the previously created SSL PSE.

Configure the Transport Settings (URL, etc.) according to the web service exposed by your SCPI tenant and save.

Ping your web service (you might get an error back at this point; this is not necessarily a problem). Then go to the SCPI System Log Files.

Download the first http_access*.log file you find there to verify the user information sent to connect to SCPI.

Here you will see SAPERPUSER being used to establish the connection, and HTTP status 500 as the result of the SOAMANAGER ping.

After calling the service from the SAP backend, the log reports the correct HTTP status 200.

This concludes the demo. Thanks for reading.

      Eng Swee Yeoh

      Hi James


      I remember you were asking in the Q&A sections on setting up this ERP to CPI connectivity. Glad that you managed to figure it out, and more importantly you came back and provided such a thorough contribution back to the community.


      Kudos on that! This will definitely help others who might go through the same journey in the future.



      Eng Swee

      Suresh Sakthivel

      Hi James Taylor,

      Thanks for the wonderful blog.

      We have same scenario in establishing Client based Authentication between SAP ECP and SAP CPI.

      1. If we have SSL CA signed certificates already at ECC level, does it still require SAP CPI Custom Domain Configuration?
      2. Is Custom Domain a separate licensing one (separate cost)?
      3. Is it mandatory to have custom domain configuration?
      4. I am unable to add custom roles in SAP CPI level (hana cloud cockpit -->sub accounts). I could see Platform roles are only available. PFB screenshot (which doesn't have ESBMessaging.send)

      Kindly check and confirm on below.

      Best Regards,
      Suresh S

      James Taylor (Blog Post Author)

      Hi Suresh Sakthivel,

      regarding your questions:

      1. If you already have a CA signed certificate on ECC (Geotrust, Digicert, GoDaddy, etc.) you don't need to use a self-signed certificate to connect to your SCPI, because the SCPI load balancer trusts the CA signed certificates listed here
      2. Yes, it is. For details have a look at SAP Custom Domain website
      3. There are many reasons why you might need a Custom Domain in place and I suggest you to have a look here. Custom Domain might be mandatory or not depending on your purpose
      4. Do you have administrator permission for editing that platform role? Anyway, if you need to have the role ESBMessaging.send, go to (from the same page) Security -> Authorization and then add that role either to your user or to the group your user is assigned to
      5. First of all, erpuser is just a name mapped to an SSL Client certificate, it's not an actual account. When you use such an approach (certificate-to-user mapping), remember to add this username among the users with role ESBMessaging.send, which you can see in your subtenant cockpit under Applications->Subscriptions <tenantName>iflmap->Roles



      Suresh Sakthivel

      Hi James Taylor,

      One more query, where do you configure erpuser (maintained in CPI) at ECC Webservice configuration?

      Best Regards,
      Suresh S

      Denis Rossi

      Hello James,

      Very interesting information.

      By the way, it looks like host may be detailed with the region part and account must be <subaccount_technical_name>.

      neo add-ca --account sxxxxxx --host --user Sxxxxxx --bundle verallia_bundle --location C:\Temp\SSL_client_xxx_V2.cer

      Nevertheless, I implemented it on my quality ECC 6 system unsuccessfully; I still have this message:

      SRT Framework exception: Service Ping ERROR: Error when calling SOAP Runtime functions: SRT: Processing error in Internet Communication Framework: (“ICM_HTTP_SSL_PEER_CERT_UNTRUSTED”)


      James Taylor (Blog Post Author)

      Hi Denis,

      The region must be indicated when it is not eu1.

      Regarding your error, if you followed all the steps above, did you try to restart the ICM on the SAP ECC side (SAP note 2746647)?