Principal Propagation setup between S/4HANA and BTP portal
We are configuring Principal Propagation (SSO) between BTP and the S/4HANA system, using the user's e-mail address as the common identifier on both sides.
Prerequisites: SAP Cloud Connector (SCC) is installed, the BTP subaccount is added to it with status Connected, and a destination for the backend system is created and reachable.
Below are the steps to perform on the backend system (S/4HANA), on SAP Cloud Connector (SCC) and in BTP.
Configuration Steps on SCC:
- Add the BTP subaccount in SCC: after installing SCC, log in with the default user name and password and click Add Subaccount. In the popup, enter the details of the purchased subaccount (region, subaccount ID and the logon details) and save.
- Create the backend destination in SCC: under the Cloud To On-Premise tab click the plus button and create the mapping to the backend system using the HTTPS protocol.
- Create and download the system certificate in SCC: go to Configuration -> On Premise and, under System Certificate, click Create to generate and import a self-signed certificate. For production a CA-signed certificate is recommended: generate a Certificate Signing Request (CSR) with the button on the left, have it signed by your CA and import the signed response. SCC presents this system certificate as its TLS client certificate to the backend, so the backend must trust it.
Download and save the system certificate; it is imported into the backend system (STRUST) in a later step.
- Create the CA certificate: repeat the same procedure in the CA Certificate section. As CN use <hostname>.<domain-name> or *.<domain-name>, then click Create to generate and import a self-signed CA certificate. For production a signed certificate is again recommended: generate a CSR with the button on the left, have it signed and import it. SCC uses this CA certificate to sign the short-lived X.509 user certificates it issues for principal propagation, so its subject is the issuer that the backend must trust.
- Generate the Principal Propagation (PP) sample certificate: in the Principal Propagation section click Edit, set the subject pattern for the user certificates (for example CN=${email}, so that the user's e-mail address becomes the CN) and save, then create the sample certificate.
SCC generates a certificate named SCC_Sample with that subject; it is used to define the certificate mapping rule in the backend.
- Create the destination in the BTP subaccount (Connectivity -> Destinations): enter the URL of the SCC backend destination (the virtual host and port) with Proxy Type OnPremise and Authentication PrincipalPropagation, plus the other related information.
Click New Property to add any further properties the destination needs, and save.
If everything is okay, a success message is displayed.
Now click Check Connection; the connection test should report success.
Backend System setup:
- Create the user in S/4HANA (transaction SU01) and enter the e-mail address in the E-Mail field; this address must be identical to the user ID in the BTP portal.
- Log on to S/4HANA and run transaction STRUST. Double-click SSL server Standard, switch to edit mode, click Import Certificate at the bottom and upload the system certificate downloaded in step 3 of the SCC configuration, then Add to Certificate List and save. If a third-party signed system certificate is used, the SSL server Standard own certificate must also be signed, and importing the signed certificate brings the CA and root certificates in with it.
- Map the PP certificate to users in transaction CERTRULE. A rule covers all users at once, an explicit mapping ties one certificate to one user. a) Rule-based mapping: import the SCC_Sample PP certificate generated in step 5 of the SCC configuration (with an e-mail address as CN) and add a Rule that maps the certificate attribute CN to the user's e-mail address; every user whose SU01 e-mail address equals the CN of the incoming certificate is then logged on.
b) Explicit mapping for a specific user: generate an additional user certificate for PP from SCP (SAP Cloud Platform, now BTP) with that user's e-mail address, and assign it with the Explicit Mapping button.
Click Save; the mapping is created, the mapping status shows "certificate mapped explicitly" and the user status turns green.
- Maintain the profile parameters in RZ10 as below. SUBJECT and ISSUER of icm/trusted_reverse_proxy_<xx> must match the SCC system certificate (the TLS client certificate SCC presents), and icm/HTTPS/trust_client_with_issuer must match the subject of the SCC CA certificate that signs the user certificates; the values here are examples.
icm/trusted_reverse_proxy_0 = SUBJECT="CN=*.zyx.com", ISSUER="CN=*.zyx.com"
icm/trusted_reverse_proxy_<xx> = SUBJECT="CN=<system-certificate-subject>", ISSUER="CN=<system-certificate-issuer>" (sample syntax)
icm/HTTPS/trust_client_with_issuer = CN=*.cloudapp1-hcl.net
icm/HTTPS/trust_client_with_subject = *
icm/HTTPS/verify_client = 1
login/certificate_mapping_rulebased = 1
These are static parameters, so restart the complete SAP application server after changing them.
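The following is an added example, not code from the original post or from SAP: a small Python model of the three checks the ABAP backend performs on a principal-propagation call, driven by the kind of values the profile parameters above carry (trusted reverse proxy SUBJECT/ISSUER, trusted issuer and subject of the forwarded user certificate, rule-based CN-to-e-mail mapping). The host names, e-mail addresses, certificate contents and the SU01-like user table are all constructed, and no X.509 parsing or signature verification is performed; the point is the order of the checks and what each one rejects.

```python
# Added example (not from the original post or SAP): model of the backend-side
# checks behind icm/trusted_reverse_proxy_<xx>, icm/HTTPS/trust_client_with_issuer,
# icm/HTTPS/trust_client_with_subject and login/certificate_mapping_rulebased.
# Certificates are plain records (subject/issuer DN strings, validity window).
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str          # DN string, e.g. "CN=alice@zyx.com"
    issuer: str           # DN string of the signing CA
    not_before: datetime
    not_after: datetime


def dn_attr(dn: str, attr: str) -> Optional[str]:
    """First value of `attr` (e.g. CN) in a comma-separated DN, or None."""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == attr.upper():
            return value.strip()
    return None


def dn_matches(pattern: str, dn: str) -> bool:
    """Match a parameter pattern such as 'CN=*.zyx.com' or '*' against a DN.
    Every attribute named in the pattern must exist in the DN and match its wildcard."""
    pattern = pattern.strip()
    if pattern == "*":
        return True
    for part in pattern.split(","):
        key, _, want = part.strip().partition("=")
        have = dn_attr(dn, key.strip())
        if have is None or not fnmatchcase(have, want.strip()):
            return False
    return True


@dataclass(frozen=True)
class BackendPolicy:
    trusted_reverse_proxies: Tuple[Tuple[str, str], ...]  # (SUBJECT, ISSUER) patterns of the SCC system cert
    trust_client_with_issuer: str                           # subject of the SCC CA certificate
    trust_client_with_subject: str                          # allowed user-certificate subjects
    rulebased_mapping: bool                                 # login/certificate_mapping_rulebased


def authenticate(policy: BackendPolicy, proxy_cert: Cert, user_cert: Cert,
                 users: Dict[str, str], now: datetime) -> Tuple[Optional[str], str]:
    """Return (SAP user ID or None, reason). `users` models SU01: user ID -> e-mail."""
    # 1. Only a trusted reverse proxy (SCC, authenticated by its system certificate)
    #    may hand over a user certificate; otherwise any TLS client could forge a CN.
    if not any(dn_matches(s, proxy_cert.subject) and dn_matches(i, proxy_cert.issuer)
               for s, i in policy.trusted_reverse_proxies):
        return None, "TLS client is not a trusted reverse proxy"
    if not proxy_cert.not_before <= now <= proxy_cert.not_after:
        return None, "system certificate not valid"
    # 2. The forwarded short-lived user certificate must come from the SCC CA.
    if not dn_matches(policy.trust_client_with_issuer, user_cert.issuer):
        return None, "user certificate issuer not trusted"
    if not dn_matches(policy.trust_client_with_subject, user_cert.subject):
        return None, "user certificate subject not allowed"
    if not user_cert.not_before <= now <= user_cert.not_after:
        return None, "user certificate expired or not yet valid"
    # 3. CERTRULE rule: certificate CN -> SU01 e-mail address. Exactly one user must
    #    match (case-insensitive compare is a simplification of this model).
    if not policy.rulebased_mapping:
        return None, "rule-based mapping disabled"
    cn = (dn_attr(user_cert.subject, "CN") or "").lower()
    hits = [uid for uid, mail in users.items() if mail.lower() == cn]
    if len(hits) != 1:
        return None, f"{len(hits)} users match CN {cn!r}"
    return hits[0], "ok"


# --- constructed sample data (no real systems) ---
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
YEAR = timedelta(days=365)
POLICY = BackendPolicy((("CN=*.zyx.com", "CN=*.zyx.com"),), "CN=*.zyx.com", "*", True)
SU01_USERS = {"ALICE": "alice@zyx.com", "BOB": "bob@zyx.com"}
SCC_SYSTEM_CERT = Cert("CN=scc.zyx.com", "CN=scc.zyx.com", NOW - YEAR, NOW + YEAR)  # self-signed
SCC_CA_SUBJECT = "CN=ca.zyx.com"


def user_cert(email: str, issuer: str = SCC_CA_SUBJECT, issued: datetime = NOW) -> Cert:
    """SCC-style short-lived user certificate with the e-mail address as CN."""
    return Cert(f"CN={email}", issuer, issued, issued + timedelta(minutes=60))


def run_demo() -> Dict[str, Tuple[Optional[str], str]]:
    rogue_proxy = Cert("CN=evil.example", "CN=evil.example", NOW - YEAR, NOW + YEAR)
    return {
        "known user": authenticate(POLICY, SCC_SYSTEM_CERT, user_cert("alice@zyx.com"), SU01_USERS, NOW),
        "unknown e-mail": authenticate(POLICY, SCC_SYSTEM_CERT, user_cert("carol@zyx.com"), SU01_USERS, NOW),
        "foreign CA": authenticate(POLICY, SCC_SYSTEM_CERT, user_cert("alice@zyx.com", "CN=ca.attacker.example"), SU01_USERS, NOW),
        "expired": authenticate(POLICY, SCC_SYSTEM_CERT, user_cert("alice@zyx.com", issued=NOW - timedelta(hours=2)), SU01_USERS, NOW),
        "untrusted proxy": authenticate(POLICY, rogue_proxy, user_cert("alice@zyx.com"), SU01_USERS, NOW),
    }


if __name__ == "__main__":
    for case, (user, reason) in run_demo().items():
        print(f"{case:16} -> {user or '-':6} {reason}")
```

Running the script shows that only a certificate issued by the SCC CA, delivered through a trusted SCC system certificate, still inside its short validity window and carrying a CN equal to exactly one SU01 e-mail address leads to a logon; every other case is rejected before the user lookup. This is also why icm/HTTPS/trust_client_with_issuer should name the SCC CA as narrowly as possible rather than a broad wildcard, since with a pattern of "*" any CA that can produce a CN=<e-mail> certificate would be accepted.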
Many articles about setting up Principal Propagation can be found; my attempt was in the same direction, to include my experience and add more detailed steps so that anybody can try it and do it easily. Feedback and suggestions are most welcome.