
Cloud Integration – Usage of the Elster Adapter

This blog describes the Elster ERiC libraries used in the new Elster adapter provided in SAP Cloud Integration. The adapter is planned for the March-24-2019 update. The blog describes the end-to-end configuration and the monitoring options, gives links to further information sources, and lists the current restrictions.

ERiC@SAP: What is ERiC?

In the areas of HR (employment tax notification (LStA), employment tax statement (LStB), electronic employment tax deduction features (ELStAM)) and FI (advanced return for tax on sales/purchases (UStA)), electronic reporting data is transferred to the clearing house of the fiscal authority block for communication with the tax authorities.

Technical background: For the transfer, the data is summarized in an XML file, signed, and encrypted. The data is then transferred to the clearing house of the fiscal authority block.

The XML file is generated in the HR or FI system. From this system, the data is then transferred to the middleware used (Business Connector, PO/PI, or Cloud Integration). The signature, encryption, and transfer of the data from the employer’s network to the clearing house is done using the middleware.

Previous Solution – Open Interface

The standards used for the signature and encryption were published by the tax authority, as is the case for social insurance, and it was made possible for the software manufacturer to implement and deliver all components for the transfer using its own program components in its software solution. The solution is referred to as an “open interface” in the ELSTER environment.

This model allows for a clear distinction between the software solutions involved and the parties responsible.

New Solution – ERiC

To support manufacturers when creating software products for communication with the tax authorities, the tax authorities have also been providing software components since the introduction of electronic communication. The software manufacturers can integrate these components into their products to minimize the implementation effort.

Initially, Java-based program components were provided by the tax authority; now only fully compiled program components (C libraries) are provided. These are known as ERiC (Elster Rich Client) libraries.

To make technical or subject-specific changes to the ERiC libraries, the tax authority updates the ERiC libraries twice a year (usually in May and November). The ERiC release in May delivers only technical changes but the subject-specific changes are provided with the main release in November. Therefore, you can find the bases necessary for the advance return for tax on sales/purchases (UStA) and the employment tax notification (LStA) for the subsequent year in the November release. This means that it is mandatory to include this ERiC main release in the manufacturer’s software. It must be delivered as soon as possible so that the ERiC libraries required for the new year can be used at the start of the year.

The new Elster Adapter provided in Cloud Integration uses those libraries to support the communication with the German tax authority. The ERiC libraries are updated automatically in Cloud Integration; there is no need for any manual action by the user of the integration scenario.

What changes does ERiC result in for the employer in the HR/FI system?

For the changeover to ERiC, some changes have to be made to the programs for transferring the tax notifications and to the HR/FI system.

The changeover from the previous solution to ERiC is done using Customizing in the HR/FI system. A prerequisite for this is that the ERiC-based solution has been imported or set up on the middleware used (Business Connector, PO/PI, Cloud Integration).


How does the ELSTER ERiC solution for Cloud Integration work?

The Cloud Integration solution for the Elster integration is based on two components. The first is a newly created Elster adapter. It provides the latest ERiC libraries on the Cloud Integration tenant and offers an interface for using the functions contained in the libraries. The second component is the HR or FI-specific content that contains the integration flows for the communication.

Communication procedure:

  1. The HR or FI application system sends tax data to the Cloud Integration tenant. The transfer is done using an HTTPS connection that was maintained using transaction SM59 in the application system.
  2. The HR or FI integration flow on the Cloud Integration tenant receives the tax data from the application system, sets the parameters required for calling the ERiC libraries (tax type, certificates, etc.), and passes on the data for transfer to the Elster adapter.
  3. The Elster adapter validates the XML data. This data is then signed, encrypted, and sent to the tax authority. The response provided by the tax authority is then received by the HR or FI integration flow, decrypted, and returned to the calling HR or FI application system.

Security Aspects

In the Elster integration scenario in the Cloud Integration system, the following security aspects are relevant:

  • For the communication between the HR-/FI-system and the SAP Cloud Integration system, HTTPS is used. HTTPS is also used by ERiC for sending the data to the authority system.
  • The message payload is received by and processed in the cloud integration system as configured in the integration flow. The message payload data is only processed in memory in the cloud integration system. The message payloads are not stored in the cloud system, neither in the database nor in the system log files.
  • During processing of the message, a message processing log is written and stored in the cloud integration system database for monitoring purposes. The message processing log only contains administrative data, like timestamps and the message ID, and the status of the message processing, but no message payload data. The message processing log is stored for 30 days and then automatically deleted. The access to the message processing log data is restricted to users with the Tenant Administrator or the Integration Developer role assigned in this integration tenant.
  • In case of an error during message processing, the error message is stored in the SAP Cloud Integration system in the message processing log and in the system log file. The system log file is stored for 7 days and automatically deleted afterwards. The access to the system log is restricted to the Tenant Administrator and the Integration Developer of the respective integration tenant.
  • If the log level for the integration artifact is set to TRACE (see blog Enabling Trace for Message Processing) for error analysis, the payload is also stored in the system's database. The access to this payload data is restricted to users with the Business Expert role assigned in this integration tenant. The trace data is stored for 1 hour only and automatically deleted afterwards.

If you want to know more about security aspects of SAP Cloud Integration and how customer specific data is secured, check out the help chapter Security. Various aspects of privacy and data storage security are discussed there.


Overview for Setting up the ELSTER ERiC Scenario in Cloud Integration

Initial Configuration of the Cloud Integration Tenant

Set up and configure the Cloud Integration tenant as described in the Get Started documentation for SAP Cloud Integration.

Configure Integration Flow

  • Select the required Integration Package ‘SAP HR ELSTER ERIC for Germany’ or ‘SAP Finance Applications Integration with ELSTER’ in the content store.
  • Deploy the required integration flow as described in the configuration guide contained in the integration package.
  • Retrieve the inbound end point of the integration flow from the Monitoring -> Monitor Integration Content -> End Points.

Set up the HTTPS connection

To set up a secure HTTPS connection between the application system (HR/FI) and the Cloud Integration tenant, add the load balancer root certificate to the HR/FI trust store. Find further details in the blog How to setup secure http inbound connection with client certificates.

Set up Authentication (two options)

Two options exist for setting up the authentication: Basic Authentication or Client Certificate-based Authentication. The more secure option is to use Client Certificates.

Basic Authentication

Create a user in Cloud Integration and assign the ESBMessaging.send role. More information can be found in the documentation chapter Defining Permissions for senders to Process Messages on the Runtime Node.

Client certificate-based authentication

Neo Environment: Set up client certificate in HR/FI system and upload it in certificate-to-user mapping in Cloud Integration as described in the blog How to setup secure http inbound connection with client certificates.

Cloud Foundry Environment: Set up client certificate in HR/FI system and upload it in the service key as described in the blog CF -How to setup secure http inbound connection with client certificates.

Set up SM59 Destination

  • Create an SM59 Destination in the HR/FI application system.
  • Enter the end point retrieved for the integration flow from the Cloud Integration monitoring (see above).
  • Maintain logon details for the HTTPS connection (basic authentication or client certificate-based).
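
The split of the endpoint into SM59 fields and a review of the resulting destination, as an added example (not code from this blog or from SAP). It assumes an HTTP destination with the fields Target Host, Service No. and Path Prefix; the sample endpoint, the dictionary keys and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample endpoint (not a real tenant). The real value is the one
# shown under Monitoring -> Monitor Integration Content -> End Points.
SAMPLE_ENDPOINT = "https://tenant-iflmap.example.invalid/http/elster-demo"


def sm59_fields(endpoint):
    """Split an integration flow endpoint URL into SM59 destination fields."""
    parts = urlsplit(endpoint.strip())
    if parts.scheme.lower() != "https":
        raise ValueError("endpoint must be an https:// URL")
    if parts.username or parts.password:
        raise ValueError("credentials belong in the logon settings, not in the URL")
    if not parts.hostname:
        raise ValueError("endpoint has no host name")
    return {
        "target_host": parts.hostname,         # host name only, no scheme
        "service_no": str(parts.port or 443),  # default HTTPS port if none given
        "path_prefix": parts.path or "/",
    }


def review_destination(dest):
    """Return findings for a destination given as a dict (hypothetical keys)."""
    findings = []
    host = dest.get("target_host", "")
    if "://" in host:
        findings.append("Target Host contains a scheme; enter the host name only")
    elif "/" in host:
        findings.append("Target Host contains a path; move it to Path Prefix")
    if not dest.get("ssl_active", False):
        findings.append("SSL is not active; the connection to the tenant must use HTTPS")
    auth = dest.get("auth")
    if auth == "basic":
        findings.append("Basic authentication in use; client certificates are the more secure option")
    elif auth != "client_certificate":
        findings.append("No logon method maintained for the HTTPS connection")
    return findings


if __name__ == "__main__":
    fields = sm59_fields(SAMPLE_ENDPOINT)
    print(fields)
    # A destination as it is often mistyped: full URL pasted into Target Host.
    mistyped = {"target_host": SAMPLE_ENDPOINT, "ssl_active": False, "auth": "basic"}
    for finding in review_destination(mistyped):
        print("-", finding)
```
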

Upload Elster Certificates

Upload the ELSTER certificates (PFX file) to the key store monitor of the Cloud Integration tenant.

Execute HR/FI Customizing

You can find detailed instructions for setting up the scenario in the Implementation Guide in the content provided.


Operation of the Elster Scenario

Update of ERiC Libraries

The Elster adapter is automatically updated with the latest libraries in Cloud Integration. No manual steps are necessary.


Message Processing Log (MPL)

The processing of data in the cloud integration tenant can be monitored in the Message Processing Monitor. Each message processing generates an MPL (Message Processing Log), which can be found in the monitoring under Monitor Message Processing.

In the case of an error, the message has the status Failed and you can find further error information in the status area of the message on the right-hand side. All ERiC related error messages are issued here, for example if the message validation or the encryption was not successful.

Default Trace

In the case of an error, further information can be found in the default trace of the Cloud Integration tenant. The default trace can be found in the monitoring of the cloud integration tenant in the area Access Logs -> System Log Files. The logs are in the most up-to-date files with the name ljs_trace_<ID>_<Timestamp>.log.


  • Note that the information above only applies to tax types UStA, LStA, LStB, and ELStAM, and not to the use of ERiC in connection with the E-Bilanz.
  • The ELSTER ERiC Cloud Integration scenario only supports the HR tax types employment tax notification (LStA), employment tax statement (LStB), and electronic employment tax deduction features (ELStAM), and the FI tax type advance return for tax on sales/purchases (UStA). The HR tax types are covered by the Integration Content SAP HR ELSTER ERIC for Germany. The Integration Content for FI is under development; it is expected to be available in mid-July 2019 under the name ‘SAP Finance Applications Integration with ELSTER’.
  • Hello, thanks a lot for this bunch of information!

    I got one question regarding the license model of cloud platform integration for ERiC.

    My customer actually can use an SCI tenant for integration of SAP S4 with their C4C tenants because the SCI license was part of the C4C subscription.

    Would it be possible to also use their SCI tenant for ERiC integration or do they need to pay for the full SCI license?

    Thanks in advance for a response!

    Best regards



      Usual answer: Reach out to your sales rep

      My gut feeling (being a customer with a CPI license tied to a C4C integration = Application License Model): Your customer will not be able to use that CPI tenant for ERiC integration. They are pretty clear in wording: On one side of the integration has to be the product (application) you paid the 7,5% CPI Application License for. S/4 --> ERiC would not fit into this


      Cheers Jens



        I just got the confirmation that it should be possible to reuse the existing tenant because the application license can be used as long as one endpoint of the connection is a SAP system. And this is the case for the Elster integration as well.



        Comment: this is not correct, see below!  The C4C tenant cannot be re-used.



          Would love to hear that licensing is that flexible 🙂 However, I still have a doubt in the particular situation. OP said, the "CPI for SAP cloud applications" came with C4C. So I would assume "cloud application" in that case would be regarded as "C4C". The service description says:

          SAP Cloud Platform Integration for SAP cloud applications integrates processes and data between associated SAP cloud applications on one end and third party, cloud applications and on-premise solutions on the other end.

          If OP would have S/4 Cloud and S/4 being the "cloud application" I'll be in complete agreement.

          Anyways, you certainly have the direct link within SAP. I'll more than happily stay corrected (did I mention I was that pain-in-the-neck-nit-gritty-kinda-person 😉 ?)



            I now got the answer from the colleague responsible for the licensing and unfortunately you are correct. The C4C application licensed tenant cannot be re-used for the Elster integration. You need to purchase for example the PI edition to setup the Elster integration.

            Best regards,


          • Thanks Mandy. On the plus side of this is that licensing details seem (for SAP *SCNR*) being quite straight forward for CPI application license.





    Thanks Mandy Krimmel for the valuable information. Just being a curious / nit-picking kind of person, I'd like to ask some questions about that paragraph "Update of ERiC Libraries"

    1. So I got this right: You will internally host some instance where the ERiC client is running and CPI magically blackboxes this for me as a customer, right?
    2. There is no other service involved other than CPI license, right? So we don't need such things as a custom domain like in Italy e-Invoicing or other stuff, right?
    3. When there are ERiC updates, how would you carry them out? Let's say there's a need to update the ERiC client and also need to update mapping because of new fields or the like: How would you synchronize those for the customer (as the customer will get an update available for the iFlows, but I would not think that while deploying the iFlow, automatically your ERiC client, buried somewhere in the guts of your infrastructure will also be updated - of course would be astonished if it would 🙂)
    4. Talking license (see also figure 2) for those, not on enterprise license: How many connections would be needed? 2 or more connections?


    Thanks again and kind regards




      let me answer your questions:

      1. correct
      2. no custom domain required, only a standard CPI tenant
      3. the update of the libraries will be done with the 'normal' update done every 4 weeks. If new fields or the like are required the application team responsible for the content package will also update the integration flow. The dependency between the ERiC libraries and the application sending a specific payload is handled via library version(s). Meaning in the integration flow there is a check done which version of the libraries is available in the Cloud Integration tenant and then the correct fields are sent by the application backend.
      4. Here I'm not that sure, but I think there are not more than 2 connections required. It is only one integration flow, but I don't know how often the application triggers this flow.



      • Hi Mandy,

        this is great news. I would think a great deal of thought / planning went into figure 3 (sync / versioning of libraries and integration content). Seemed you cracked that nut.

        Many thanks again for providing additional insights.



  • Hi all,

    the blog states the ELSTER ERiC Cloud Integration scenario also supports advance return for tax on sales/purchases (UStA), which is sent out of FI. The only Integration Package delivered for CPI is called “SAP HR Integration with ELSTER ERiC for Germany” and says it supports LStA, LStB, and ELStAM. The documentation attached to the Integration Package also does not mention the FI part.

    Are there any plans to deliver content also for FI (UStA), will it be delivered by a separate Integration Package and is there any info about a release date for this?

    Quote from the blog above:

      • Note that the information above only applies to tax types UStA, LStA, LStB, and ELStAM, and not to the use of ERiC in connection with the E-Bilanz.

      • The ELSTER ERiC Cloud Integration scenario only supports tax types employment tax notification (LStA), employment tax statement (LStB), electronic employment tax deduction features (ELStAM)), and FI (advance return for tax on sales/purchases (UStA)). The HR tax types are covered by the Integration Content SAP HR ELSTER ERIC for Germany. The Integration Content for FI is under development.

    Thanks and kind regards


  • Hello,
    (slightly OT): since BC 4.8 assumably will not be supported beyond the end of 2020 SAP Cloud Platform integration seems to be a (the) valid alternative.

    Has SAP already stated, what their "official" (on-premise) solution should be, after BC 4.8 will be out of support / not continued?

    Kind regards,

    • Hello,

      I can not give you an official statement for all scenarios with BC or PI, but in general it would always be the best alternative to implement a scenario in SAP Cloud Platform integration if at least one endpoint of the scenario is in the cloud.

      In future more and more endpoints will be in the cloud, so using SAP Cloud Platform integration is a good choice for the future.

      Best regards,


  • Hi all,

    Thank you, Mandy Krimmel, for your very instructive blog post.

    In which mode is the ELSTER service billed on CPI? Is the number of API calls crucial, or is it only the end-to-end connection that matters for the pricing?

    Best regards,

    • Hello Andreas,

      the billing for CPI is done based on connections, this is not different for the Elster scenario.

      More details can be found here:

      Best regards,


  • More than one sales/purchases tax groups


    we have more than one sales/purchases tax group.
    First we have to copy the published package “SAP Finance Applications Integration with ELSTER”.
    In total we have 3 different sales/purchases tax groups.

    Is it possible to use one copied package “SAP Finance Applications Integration with ELSTER” for all 3 different sales/purchases tax groups or do we have to copy it 3 times?


    • Hello Thomas,

      you can use one package for all tax groups. You just need to upload different certificates for the data exchange with the authority and maintain them in your FI Customizing for each sales/purchases tax group (see package documentation chapter 3. and 4.2.2).

      Best regards,


  • Hello,

    this blog describes how to set up the connection between the ERP backend and the Elster scenario in CPI.

    Setup SM59 Destination

    • Create a SM59 Destination in the HR/FI application system.
    • Enter the end point retrieved for the integration flow from the Cloud Integration monitoring (see above)


    In the configuration guide "SAP Finance Applications Integration with ELSTER Finance Tax Integration for Germany (UStVA) SAP Cloud Platform Integration Configuration"

    is stated for SM59 connection under

    4.1 Set up HTTPS Connection to CPI System

    a) Target Host: < IFLMAP URL for the CPI tenant>
    Note: Make sure that you don't enter https:// in the field Target Host Example:

    As we understood so far the cloud connector is the central component (single point of entry) between SCP - Cloud - onpremise and bidirectional.

    Now it seems for Elster we have to maintain a direct connection to the CPI tenant.
    If it's like that we have to consider some extra points with the networks like ports, firewalls etc.

    What is the best practice to connect the Elster scenario (API) in CPI and the on premise ERP system?


    Best regards


    • Hello Thomas,

      Cloud Connector is used to connect from CPI towards an On-Premise System.

      The connection from an On-Premise system to CPI is usually done via an outbound proxy in the on-premise landscape directly to the CPI tenant. The proxy is usually defined in the sm59 connection.

      Best regards,


  • Hello Mandy,

    obviously there are some experts (also from SAP) who recommend using the SAP web dispatcher to connect an On-Premise System towards CPI. They’re saying it’s Best Practice and almost every company is following this approach.

    I never came across this in endless documentations, web sessions and courses. Now I’m confused.

    The Elster scenario is the first we try to implement.
    The final goal is to transfer all of our interfaces from our On-Premise PI System to the CPI.
    We use the PI for internal and external interfaces, multiple internal and external systems (SAP and non SAP).

    Can you kindly give some brief updates?

    What is the SAP web dispatcher used for when connecting an On-Premise System towards CPI?
    What are the pros and cons, or better, the use cases for this approach?
    In what case is it advised to use SAP web dispatcher in this context? Why does it make sense to do this?
    Is it really best practice and where can I read and learn more about this and the concept?

    Many thanks in advance for your patience and effort


    • Hello Thomas

      in your first comment you were referring to the Cloud Connector, not to the web dispatcher; these are different things.

      The Cloud Connector is usually used to connect SAP Cloud systems to On-prem systems:

      The cloud connector can be used against ABAP/Java and external on-premise systems and is not restricted to http access.

      The Web Dispatcher can be used for HTTP access as kind of load balancer in front of SAP on-prem systems:

      The web dispatcher is recommended if you want to balance the load between multiple application servers for web access. It cannot process non-HTTP requests.

      For the connection from on-premise systems to the cloud usually the proxy server of the respective customer intranet is used.

      I hope this makes things clearer?

      Best regards,



      • Dear Mandy,

        maybe our problems are coming from the circumstance that our CPI is running in the CF environment and your and most other guides are posted for CPI in the NEO environment?

        So, is it possible to use the Elster scenario on CPI in the CF environment or only on CPI in the NEO environment?

        Because if we try to configure the Client certificate-based authentication we end up at the point that it's obviously not supported. Here, only Authorization=User Role is an option in the flow.

        Can we also choose the Client certificate-based authentication for Elster in the CPI, running in CF environment?



        • Hello Thomas,

          please see this blog for configuring client cert based authentication in CF:

          The Elster Finance setup guide is currently being extended to also cover CF.

          Best regards,


          • Hello Mandy,

            I read this already but as you can see in my screenshot the iflow of the Elster scenario only supports Authorization type 'User Role'. It is fixed (grey) and we're not eligible to change it.

            So that means for this scenario we're only able to use basic authentication even though certificate-based authentication is recommended?



          • But user role means you can use it with client certificate authentication as explained in the blog. So, I don't get your concern?

            User Role means this flow can be used with Basic Auth and also with Client Certificates.

            This is also described in the blog.



  • Hello Mandy,

    Thank you!

    Yeah. Sorry.

    For me it's not so clear why it is necessary/advised/helpful to use a web dispatcher in the Elster scenario. Obviously, for us the web dispatcher is mandatory.

    So I'll wait until my colleagues finish the setup of the web dispatcher.


    Many Thanks!


    • Hello Thomas,

      I guess my comment is obsolete now, but for the sake of others I just add that for Elster integrations there are only calls from OnPremise towards CPI, hence you don't need Cloud Connector or WebDispatcher. The communication flow is: OnPrem SAP system -> OnPrem Proxy server (usually) -> CPI

      However there could be other integrations which are making calls from CPI towards OnPremise and here you need to have Cloud Connector. In case of http calls you can add WebDispatcher to distribute the load. The flow would be then: CPI -> Cloud Connector -> WebDisp -> OnPrem SAP system. At least that is what we are using at the moment, but NOT for ELSTER integration since calls for ELSTER are done from OnPrem towards CPI and not the other way around.


  • Hello Mandy,

    You mention "Note that the information above only applies to tax types UStA, LStA, LStB, and ELStAM, and not to the use of ERiC in connection with the E-Bilanz."

    Can a solution for transmitting the eBilanz be expected? After all, it is "only" about validating the XBRL file and sending it via ERiC, which is already possible via CPI for the tax types described. Why is the eBilanz left out here?

    Many thanks in advance for any information on this,


    • Hello Claudia,

      there is a separate solution for E-Bilanz; it is not implemented via Cloud Integration. You can find information about the E-Bilanz solution in Note 1755173.

      Best regards,


      • Hello Mandy,

        Thanks for the answer. I know the add-on, but I wonder why an integrated solution via CPI is not possible for the eBilanz? The XBRL file is created via SAP Query, but then cannot be sent out of SAP. Why does this have to happen via the Excel add-on?

        I would be very grateful for any information on this!

        Best regards,