Skip to Content
Technical Articles
Author's profile photo Shreya Jaiswal

Get the Certificates right when integrating Electronic Tax Register Books for Spain Cloud Integration.

I intend to address the common issues faced by many customers while integrating the SAP Integration Suite (or SAP Cloud Integration if you were onboarded before July 2020) with Electronic Tax Register Books for Spain Cloud Integration through this blog.

Most issues, that the customers face, are related to certificates, that is its uploading of, or expiration. I am writing this blog, in order to provide a step-by-step procedure for resolving the issues and helping you solve them in a speedy manner.

1. How to upload Certificates/Key Pair

In order to establish a connection between the SAP Cloud Integration and tax agency servers, you must obtain several certificates, and then deploy them to the SAP Integration Suite/ SAP Cloud Integration tenant.

The following information gives a detailed step-by-step overview for Private Key Pair and Public Certificates:

1.1 Add Certificate for Client Authentication [PRIVATE KEY PAIR]

SAP Integration Suite/ SAP Cloud Integration client certificate is used to authenticate the communication with the external systems. For the Spain SII scenario, you must include the certificates that are recognized by the relevant tax agency, basically, AEAT or regional tax agency. Optionally, the tax agencies also support certificates for the electronic seal (ɯcertificado de sello). This certificate is specific to your company’s Tax Identity Number and/or Fiscal Identity Number (NIF).

1.1.1 Steps to Upload Private Key Pair

  • You have to collect the Key Pair from the regional tax office. This key pair is always tax ID-specific.
  • Navigate to the Operations view, and choose Keystore under Manage Security.

Navigation%20To%20Key%20Pair 

Navigation to Keystore

  • Choose Add -> Key Pair and Add the key pair that you collected from the tax office.

How%20to%20Add%20Keypair

How to Add Keypair

1.2 Add Public Certificates of Relevant Tax Agency [PUBLIC CERTIFICATE]

In order to establish an SSL connection to the tax agency servers, the SAP Integration Suite/ SAP Cloud Integration needs to trust the SSL certificate from the relevant tax agency servers. To achieve this, you must download the entire certificate chain from the relevant servers and upload it to the specific SAP Integration Suite/ SAP Cloud Integration tenant.

The following are the relevant domains for Spain:

Region of the Tax Authority reportTo Values, Recognized by the Integration Flow

Supported Services

Usage Mode (not case sensitive)

Service Website Address

(Server Addresses)

Spain (AEAT) Spain, default, España, Espana SII Test (test, testing)

prewww1.aeat.es

 

SII Test – electronic seal (testseal, testing-seal, test-eseal, testing-eseal)

prewww10.aeat.es

 

 

SII Production (production, prod, productive)

www1.agenciatributaria.gob.es

 

 

SII Production – electronic seal (prod-seal, productionseal, production-eseal, prodeseal, eseal, e-seal) www10.agenciatributaria.gob.es

 

1.2.1 Steps to check whether Public Certificate has been correctly uploaded.

  • Navigate to Monitor -> Manage Security -> Connectivity Tests.

Navigation%20To%20Connectivity%20Tests

Navigation To Connectivity Tests

  • For the TLS Protocol, you should tick the “Valid Server Certificate Required” checkbox in Test Connectivity and populate the endpoint [without https] in Host and Click on Send.

Populate%20Host%20and%20Click%20Send

Populate Host and Click Send

  • If the response is successful, the following Response is captured:

Response%20is%20successful

Response is successful

  • In case the response is not successful.

The iFlow tries to send data to the receiver system, but the message processing fails in SAP        Integration Suite/ SAP Cloud Integration because of the errors:

  1. Fault:Could not send Message.”, caused by “SunCertPathBuilderException: unable to find valid certification path to requested target”
  2. In Test Connectivity, for the same receiver system, in the response section, you’ll see a similar error:

Error%20Details

Error Details

If the public certificate authentication is not successful in CPI Connectivity test, follow the below steps to upload and download the tax authority public certificates:

  • You should download the Root CA Certificate.

For TLS Protocol, you should untick “Valid Server Certificate Required” checkbox in Test Connectivity.

Download%20the%20Root%20Certificate

Untick “Valid Server Certificate Required”

  • Upon connectivity test to the untrusted receiver system, you can see and download the        certificate chain via the Download icon in the Response section on the right side.

Click%20on%20Download%20icon

Click on Download icon

  • In the downloaded zip file, you will be able to view the Root CA Certificate.

Zip%20File

Zip File for Certificate

  • Now, import the Certificate to CPI Keystore.

a. Navigate to the Monitor -> Keystore.

Navigation%20to%20Keystore

Navigation to Keystore

b. Navigate to Add -> Certificate.

Add%20Certificate

Add Certificate

c. Browse the corresponding Root CA Certificate file and add.

Choose%20Corresponding%20Certificate%20for%20Upload

Choose Corresponding Certificate for Upload

 

2. Generic Checks after uploading the Certificate/Key Pair:

In case of “Add Certificate for Client Authentication” ensure that it is uploaded as a Key Pair, whereas in the case of “Add Public Certificates of Relevant Tax Agency” ensure that is uploaded as a Certificate.

Steps to check:

  • Navigate to Monitor -> Keystore:

Navigation%20To%20Keystore

Navigation To Keystore

  • Check the column “Type” to ensure that is uploaded correctly or not.

Check%20for%20the%20correct%20type

Check for the correct type

 

3. COMMON ISSUES

There are a few common issues that are faced by many customers. Below you can find information on how to solve them:

3.1 COMMON ISSUES FOR PRIVATE KEYPAIR:

3.1.1 Certificate/ Key Pair is already uploaded, but the NIF value does not match:

While uploading the Certificate/ Key Pair ensure that the NIF mentioned in the Certificate/Key Pair of the company code, should match with the NIF mentioned in the documents that are being submitted for the same company code.

If it is not the same, reach out to the tax authority to get the correct certificate.

Steps to check:

  • Navigate to Monitor -> Keystore:

Navigation%20to%20Keystore

Navigation to Keystore

  • Navigate to the Key Pair [For e.g: spainsiiprivatekey].

Navigate%20to%20Key%20Pair

Navigate to Key Pair

  • Compare the Tax ID values that is mentioned in the Key Pair with the Tax ID in the document XML.

Check%20NIF%20value%20for%20Key%20Pair

Check NIF value for Key Pair

Check%20NIF%20value%20in%20XML

Check NIF value in XML

  • In case all the steps are okay, and still there is an issue in submitting the documents, tax authority can be contacted for the same.

3.2 COMMON ISSUES FOR PUBLIC CERTIFICATES

3.2.1 The errors are of the following nature:

  1. SOAP error text: Integration exception: ### Could not generate the XML stream caused by: ### path building failed: ### unable to find valid certification path to requested target’
  2. SOAP error code: Error writing to XMLStreamWriter’.
  3. SCI Iflow fails with Unexpected EOF in prolog.

Resolution:

Certificate has either expired or has not been uploaded.

Steps to resolve the above errors:

  • Please refer to the steps mentioned in 1.2.1 for “Response not successful”.
  • The public certificates are downloaded in the form of a zip file from Connectivity Tests. All the three files have to be uploaded as public certificates in the keystore.

4. References

Note: Image/data in this KBA is from SAP internal system, sample data, or demo systems. Any resemblance to real data is purely coincidental.

I highly encourage you to share your thoughts and feedback in the form of comments below.

If you are still more interested in exploring the topic, you can go through the related resources that are mentioned in the references above.

For more information and to stay updated, I encourage you to follow Document Reporting and Compliance. You can also post & answer questions here and read other posts on the topic here.

Assigned Tags

      3 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Eduardo Nedel
      Eduardo Nedel

      Great blog! I loved it. Surely very helpful.

      Author's profile photo J Francisco Fernandes
      J Francisco Fernandes

      Excellent blog! It explains all relevant customizing step by step in CPI. Thank you very much indeed!!!

      Author's profile photo Jose Luis Basalo
      Jose Luis Basalo

      Great blog!!  Useful tips!!