Skip to Content
Technical Articles
Author's profile photo Madhvendra Malviya

Principal Propagation setup between S4HANA and BTP portal

Introduction:

We are configuring Principal Propagation (SSO) using email ID as common user between BTP and S4HANA system.
SAP Cloud connector must install and destination for backend system created and reachable, subaccount for BTP must added and status should be connected.
Below are the steps which we need to perform on backend system(S4HANA), Sap cloud Connector (SCC) and BTP (Hana on demand)

Configuration Steps on SCC:

  1. Add BTP Sub-account into SCC: After installation of SCC, login with default username and password and click on Add Subaccount, below popup will appear, provide the details of purchased subscription of Subaccount and other information and save it.

It will download the Subaccount certificate and the status of BTP will show connected under SCC Dashboard.

 

  1. Create Backend Destination on SCC: Please create backend destination under Cloud to On-premises tab using HTTPS protocol click on plus button, we will get below popup screen.

Provide the host, port and other details of our backend system as per screen and choose principal propagation type as X.509 Certificate (General usage) and save it.

Please also add the sub account path and click on browse button under action tab, the destination must be reachable as per below screenshot

  1. Create & download System certificate from SCC: Go to Configuration->on-premises tab and for system certificate click on button create and import self-signed certificate, for production environment, it is recommended to use signed certificate, to get signed certificate, we can generate CSR response from the left hand side button, and can import.

 It will give you below popup, under CN name we can put as <hostname>.<domain-name> or  *.<domain-name>, the host name and domain name are where cloud connector is installed, click on create button and it will create and import the certificate

             Download and save the system certificate to import into backend system for later use.

 

  1. Create CA Certificate: Repeat the same step as it is for the CA certificate as well, under CN name we can put <hostname>.<domain-name> or *.<domain-name>, click on create button and it will create and import self-signed certificate as per below screen, for production environment, it is recommended to use signed certificate, to get signed certificate, we can generate CSR response from the left hand side button, and can import.
  2. Generate Principal Propagation (PP) certificate: Generate PP certificate for backend system, for that first you must click on edit button.

Under Common Name select $(name) and save it.

 

Now click on create a sample certificate

We will get below popup, put CN name as your email address, in our case SSO will be done via email address as user, please see screen below, click on generate PP certificate

It will generate SCC_Sample certificate as below.

 

 

BTP Configuration:

Login to BTP account, navigate to sub-account and click on Destination-> click on new destination.

Fill the details as below for SCC backend destination URL and other related information as shown in below screen for reference.

Now Click on New Properties

And add other properties from the drop-down menu according to our setup and need, see screen below for reference, and save it.

Click on check availability button as per below screen and test the BTP backend connection

If everything is okay, it will display as successful message, see screen below.

Now click on check connection, it will display connection test as successful.

 

Backend System setup:

  1. Create user in S4HANA and put email address under email address filed under su01, see below screen for example, our email address is equal to our user-id in BTP portal
  2. Login to S4HANA application, run t-code STRUST, double click on SSL server standard and press edit button, click import certificate button on the bottom and upload the system certificate download from the third step of Configuration Step on SCC. If we are uploading third party signed system certificate, then we must also get signed our SSL Standard Own certificate as well, and after import of signed certificate, it will import both CA and root certificate, see screen below for reference purpose.

Once uploaded click on Add certificate list button and save it.

  1. if we want SSO for one user, we must import and map PP certificate under Rule, if we want SSO for multiple users then we must generate explicit certificate for additional user and do the explicit mapping for each user, using explicit mapping button. a) Add Rule for one user: Generate PP certificate as per 5th Step of Configuration Steps on SCC, put our email address under CN name

Import certificate: Run t-code CERTRULE, click on edit button on the top left-hand side, click on import button top arrow and import sample certificate

 Click rule button and select the certificate attribute and login as email, click on okay

Certificate will add like below for reference

Click on save Button, Mapping status and user status will become green

        b) Explicit Mapping for other users: Generate additional user certificate for PP from SCP, put our email address and generate it.

Import new certificate using import button, click on explicit button, we will get user popup, enter user ID of the new user, and click okay

Now Click on save button, mapping will be created, and Mapping status will show as certificate mapped explicitly and user status will become green

  1. Maintain RZ10 Parameter: as below.

 

icm/trusted_reverse_proxy = SUBJECT=”CN=*.zyx.com”, ISSUER=”CN=*.zyx.com”

icm/trusted_reverse_proxy =SUBJECT=”CN=<>”, ISSUER=”CN=<>” (SAMPLE TYPE)

icm/HTTPS/trust_client_with_issuer = CN= *.cloudapp1-hcl.net icm/HTTPS/trust_client_with_subject = *

icm/HTTPS/verify_client = 1

login/certificate_mapping_rulebased = 1

Take Complete SAP App re-start after changing the parameter

Conclusion:

To setup Principal Propagation, we can find many articles around it, my attempt was also in the same direction to include my experience and to add more detailed steps, so that anybody can try and do it easily, feedback and suggestions are most welcome.

Regards,

Madhvendra Malviya

 

Assigned Tags

      2 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Steven Foo
      Steven Foo

      In the Destination configuration under Authentication:

      What are the difference if we choose to use BasicAuthentication (is a technical username (BASIS) at backend S4 for example) with ProxyType: OnPremise vs PrincipalPropagation  ?

      PrincipalPropagation, understand that it enable single sign-on (SSO) by forwarding the identity of a cloud user to the Cloud Connector, and from there to the target on-premise system.

      Question:

      When a user ABC launch an application that link to the backend S4 system, if we have the Destination configuration Authentication set BasicAuthentication will the application prompt for user and password?

      We have a demo application case whereby there is no prompt when the application is launch. It straight bring us to the application with the screen.

      Does this mean for BasicAuthentication it will authenticate using the access of the techincal username (BASIS) at the backend (where fiori roles, business roles, technical roles are assigned)?

      Thank you.

       

      Author's profile photo Sabari Chandrasekar
      Sabari Chandrasekar

      Hi Steven,

       

      So the difference between Basic authentication and Principal progation is the Basic always connects the backend(S/4 HANA) with that specific user even if someone else access the application. But PP, you're defining the configuration to identify the logged in user in BTP(via their email or SAP ID) and routing the connection to backend(S/4 or ECC) as the logged in user.

       

      Hope that helps

      Thanks

      Sab