Introduction:

There are already few examples of principal propagation implementation in PI/PO but in this blog, you will learn on how to employ it in a SOAP to RFC scenario which could be applied to integration of 3^rd party system to SAP. It is also common to use user id and password for authentication but a certificate based authentication will be used here. Below is a brief description on the scenario.

• Sender SOAP channel will use HTTPS with Client Authentication
  
  
  
  • Please refer to this blog for more information
  
  
  
  


• Client certificate will be used for authentication on the sender side and SAP logon ticket will be used to authenticate on the receiver sideNote: The scenario on the receiver side is calling the IDOC_INBOUND_SINGLE which is a function module that creates an IDoc.

Note: The scenario on the receiver side is calling the IDOC_INBOUND_SINGLE which is a function module that creates an IDoc.

Assumptions:

• SSL is already setup in PO
  
  
  
  • Please refer to this blog for more information
  
  
  • The Client Authentication Mode of the SSL Access Points is set to Request
  
  
  
  

• 
  
  
  
  • Identical logon ids in both PO and ECC are available
  
  
  • PO
  
  
  • 
  
  
  
  
  • ECC
  
  
  • 
  
  
  
  

 

Steps:

For learning purposes, we will only use PO system to create the client certificate.

• Go to NWA --> Configuration --> Security --> Certificates and Keys


• Add a View to store client certificates (will serve as storage for all client certificates)


• 


• Create a new certificate under the newly created view


• 


• Provide the certificate information


• 


• Select the Signing Key Pair which should be the private key used in your ICM_SSL_<Node#>


• 




• 

Export/Import of the client certificates

• Export the public client certificate


• 


• Import the public client certificate into ICM_SSL_<Node#> view


• 


• 


• Click Export View to PSE button after the import


• 


• Goto Identity Management (http://<hostname>:<port>/useradmin)


• Import the public client certificate into the logon user id


• 

Export/Import of SAPLogonTicket

• Export the public logon ticket of PO system as Binary


• 


• Import the logon ticket into ECC


• 

Add CreateTicketLoginModule module in the ticket template

• Go to NWA --> Configuration --> Security --> Authentication and Single Sign-On


• By default SOAP adapter is using ticket as template for defining the Login module to use for authentication.


• Modify the ticket template in order to add the CreateTicketLoginModule login module so that SOAP adapter will allow authentication using certificates.


• 


• 


• 

Set the sender SOAP adapter to use HTTPS with Client Authentication

• 

Enable the Principal Propagation in the ICO

• Inbound Processing tab


• 


• Outbound Processing tab


• 

Testing

• Export the private client certificate in PKCS12 format, set a password and then generate the certificate export


• 


• We will only use SOAP UI for testing


• Set the KeyStore and KeyStore Password of the SSL Settings of the SOAP UI Preferences. KeyStore value would the path to your private client certificate and the KeyStore Password must be the same as your private client certificate export password.


• 


• Submit the SOAP request


• 


• Verify the UNAME value in the table EDIDS of ECC. It should match the PO logon id that owns the client certificate used for submitting the request in SOAP UI


• 

 

I hope this post provide you a good basis for the doing your own scenario in taking advantage of principal propagation. Certificate based authentication will also provide more security and less maintenance as compared to using user id/password as most companies have security policy around password expiration.