Get the Certificates right when integrating Electronic Tax Register Books for Spain Cloud Integration.
I intend to address the common issues faced by many customers while integrating the SAP Integration Suite (or SAP Cloud Integration if you were onboarded before July 2020) with Electronic Tax Register Books for Spain Cloud Integration through this blog.
Most of the issues that customers face are related to certificates, either uploading them or their expiration. I am writing this blog to provide a step-by-step procedure for resolving these issues quickly.
1. How to upload Certificates/Key Pair
In order to establish a connection between the SAP Cloud Integration and tax agency servers, you must obtain several certificates, and then deploy them to the SAP Integration Suite/ SAP Cloud Integration tenant.
The following information gives a detailed step-by-step overview for Private Key Pair and Public Certificates:
1.1 Add Certificate for Client Authentication [PRIVATE KEY PAIR]
The SAP Integration Suite/ SAP Cloud Integration client certificate is used to authenticate the communication with the external systems. For the Spain SII scenario, you must include the certificates that are recognized by the relevant tax agency, basically, AEAT or a regional tax agency. Optionally, the tax agencies also support certificates for the electronic seal (certificado de sello). This certificate is specific to your company’s Tax Identity Number and/or Fiscal Identity Number (NIF).
1.1.1 Steps to Upload Private Key Pair
- You have to collect the Key Pair from the regional tax office. This key pair is always tax ID-specific.
- Navigate to the Operations view, and choose Keystore under Manage Security.
- Choose Add -> Key Pair and Add the key pair that you collected from the tax office.
1.2 Add Public Certificates of Relevant Tax Agency [PUBLIC CERTIFICATE]
In order to establish an SSL connection to the tax agency servers, the SAP Integration Suite/ SAP Cloud Integration needs to trust the SSL certificate from the relevant tax agency servers. To achieve this, you must download the entire certificate chain from the relevant servers and upload it to the specific SAP Integration Suite/ SAP Cloud Integration tenant.
The following are the relevant domains for Spain:
| Region of the Tax Authority | reportTo Values, Recognized by the Integration Flow | Usage Mode (not case sensitive) | Service Website Address |
|---|---|---|---|
| Spain (AEAT) | Spain, default, España, Espana | SII Test (test, testing) | |
| | | SII Test – electronic seal (testseal, testing-seal, test-eseal, testing-eseal) | |
| | | SII Production (production, prod, productive) | |
| | | SII Production – electronic seal (prod-seal, productionseal, production-eseal, prodeseal, eseal, e-seal) | www10.agenciatributaria.gob.es |
1.2.1 Steps to check whether Public Certificate has been correctly uploaded.
- Navigate to Monitor -> Manage Security -> Connectivity Tests.
- For the TLS protocol, tick the “Valid Server Certificate Required” checkbox in Test Connectivity, enter the endpoint [without https] in Host, and click Send.
- If the response is successful, the following Response is captured:
- If the response is not successful:
The iFlow tries to send data to the receiver system, but the message processing fails in SAP Integration Suite/ SAP Cloud Integration with the following errors:
- “Fault:Could not send Message.”, caused by “SunCertPathBuilderException: unable to find valid certification path to requested target”
- In Test Connectivity, for the same receiver system, in the response section, you’ll see a similar error:
If the public certificate authentication is not successful in the CPI Connectivity Test, follow the steps below to download the tax authority public certificates and upload them:
- Download the Root CA Certificate.
- For the TLS protocol, untick the “Valid Server Certificate Required” checkbox in Test Connectivity.
- Upon connectivity test to the untrusted receiver system, you can see and download the certificate chain via the Download icon in the Response section on the right side.
- In the downloaded zip file, you will be able to view the Root CA Certificate.
- Now, import the Certificate to CPI Keystore.
a. Navigate to the Monitor -> Keystore.
b. Navigate to Add -> Certificate.
c. Browse the corresponding Root CA Certificate file and add.
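Because the chain in the steps above is downloaded with server certificate validation switched off, it is worth checking the root file offline before step c. The following is an added example, not part of the original blog or of SAP's tooling: it confirms that the file is a self-signed root, that its SHA-256 fingerprint matches a value you obtained separately from the issuing CA, and that it is not about to expire. The function names, the file name and the expected fingerprint are placeholders, and the openssl command-line tool is assumed to be installed.

```shell
#!/usr/bin/env bash
# Added example: vet one certificate file from the downloaded chain zip
# before importing it into the keystore. Requires the openssl CLI.

# Run "openssl x509 -noout ..." on a file that may be PEM or DER encoded.
x509() {
  local f=$1; shift
  openssl x509 -in "$f" -noout "$@" 2>/dev/null ||
    openssl x509 -inform DER -in "$f" -noout "$@" 2>/dev/null
}

# Print the SHA-256 fingerprint as lowercase hex without colons.
cert_fp() {
  x509 "$1" -fingerprint -sha256 | sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# Succeed when subject and issuer are identical (a self-signed root).
is_self_signed() {
  local s i
  s=$(x509 "$1" -subject -nameopt RFC2253 | sed 's/^subject= *//')
  i=$(x509 "$1" -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
  [ -n "$s" ] && [ "$s" = "$i" ]
}

# check_root FILE EXPECTED_SHA256 [WINDOW_SECONDS]
# Returns 0 only if FILE is self-signed, matches the fingerprint obtained
# out of band, and stays valid for WINDOW_SECONDS (default: 30 days).
check_root() {
  local f=$1 want window=${3:-2592000} got
  # Accept the expected value with or without colons, in either case.
  want=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
  is_self_signed "$f" ||
    { echo "REJECT $f: not a self-signed root"; return 1; }
  got=$(cert_fp "$f")
  [ "$got" = "$want" ] ||
    { echo "REJECT $f: fingerprint $got is not the expected one"; return 1; }
  x509 "$f" -checkend "$window" >/dev/null ||
    { echo "REJECT $f: expired or expiring within ${window}s"; return 1; }
  echo "OK $f: $(x509 "$f" -enddate)"
}

# Usage: ./check_root.sh root.cer <sha256-published-by-the-CA> [window-seconds]
if [ "$#" -ge 2 ]; then check_root "$@"; fi
```

The same expiry check can be run against the other files in the zip with `x509 FILE -checkend SECONDS`, which helps when tracking down the expired-certificate errors described in section 3.2.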
2. Generic Checks after uploading the Certificate/Key Pair:
In the case of “Add Certificate for Client Authentication”, ensure that it is uploaded as a Key Pair, whereas in the case of “Add Public Certificates of Relevant Tax Agency”, ensure that it is uploaded as a Certificate.
Steps to check:
- Navigate to Monitor -> Keystore:
- Check the column “Type” to confirm that the entry has been uploaded with the correct type.
3. COMMON ISSUES
There are a few common issues that are faced by many customers. Below you can find information on how to solve them:
3.1 COMMON ISSUES FOR PRIVATE KEYPAIR:
3.1.1 Certificate/ Key Pair is already uploaded, but the NIF value does not match:
While uploading the Certificate/ Key Pair, ensure that the NIF mentioned in the Certificate/Key Pair of the company code matches the NIF mentioned in the documents that are being submitted for the same company code.
If it is not the same, reach out to the tax authority to get the correct certificate.
Steps to check:
- Navigate to Monitor -> Keystore:
- Navigate to the Key Pair [For e.g: spainsiiprivatekey].
- Compare the Tax ID value that is mentioned in the Key Pair with the Tax ID in the document XML.
- If all the steps are okay and there is still an issue in submitting the documents, the tax authority can be contacted about it.
3.2 COMMON ISSUES FOR PUBLIC CERTIFICATES
3.2.1 The errors are of the following nature:
- SOAP error text: ‘Integration exception: ### Could not generate the XML stream caused by: ### path building failed: ### unable to find valid certification path to requested target’
- SOAP error code: ‘Error writing to XMLStreamWriter’.
- SCI Iflow fails with Unexpected EOF in prolog.
Cause: the certificate has either expired or has not been uploaded.
Steps to resolve the above errors:
- Please refer to the steps mentioned in 1.2.1 for “Response not successful”.
- The public certificates are downloaded in the form of a zip file from Connectivity Tests. All three files have to be uploaded as public certificates in the keystore.
- SAP Note 2872857 – eDocument Spain Troubleshooting Guide
- SAP Note 2354153 – SunCertPathBuilderException in SAP Integration Suite/ SAP Cloud Integration outbound communication
- For more information on Spain SII CPI Artifacts, please refer to Reference Guides in the Electronic Tax Register Books for Spain package directly in the SAP Business API Hub.
Note: Image/data in this KBA is from SAP internal system, sample data, or demo systems. Any resemblance to real data is purely coincidental.
I highly encourage you to share your thoughts and feedback in the form of comments below.
If you are interested in exploring the topic further, you can go through the related resources that are mentioned in the references above.