Get the Certificates right when integrating Electronic Tax Register Books for Spain Cloud Integration.
I intend to address the common issues faced by many customers while integrating the SAP Integration Suite (or SAP Cloud Integration if you were onboarded before July 2020) with Electronic Tax Register Books for Spain Cloud Integration through this blog.
Most issues that customers face are related to certificates, that is, to uploading them or to their expiration. I am writing this blog to provide a step-by-step procedure that helps you resolve these issues quickly.
1. How to upload Certificates/Key Pair
In order to establish a connection between the SAP Cloud Integration and tax agency servers, you must obtain several certificates, and then deploy them to the SAP Integration Suite/ SAP Cloud Integration tenant.
The following information gives a detailed step-by-step overview for Private Key Pair and Public Certificates:
1.1 Add Certificate for Client Authentication [PRIVATE KEY PAIR]
The SAP Integration Suite/ SAP Cloud Integration client certificate is used to authenticate the communication with the external systems. For the Spain SII scenario, you must include the certificates that are recognized by the relevant tax agency, that is, AEAT or the regional tax agency. Optionally, the tax agencies also support certificates for the electronic seal (certificado de sello). This certificate is specific to your company’s Tax Identity Number and/or Fiscal Identity Number (NIF).
1.1.1 Steps to Upload Private Key Pair
- You have to collect the Key Pair from the regional tax office. This key pair is always tax ID-specific.
- Navigate to the Operations view, and choose Keystore under Manage Security.
- Choose Add -> Key Pair and Add the key pair that you collected from the tax office.
1.2 Add Public Certificates of Relevant Tax Agency [PUBLIC CERTIFICATE]
In order to establish an SSL connection to the tax agency servers, the SAP Integration Suite/ SAP Cloud Integration needs to trust the SSL certificate from the relevant tax agency servers. To achieve this, you must download the entire certificate chain from the relevant servers and upload it to the specific SAP Integration Suite/ SAP Cloud Integration tenant.
The following are the relevant domains for Spain:
| Region of the Tax Authority | reportTo Values, Recognized by the Integration Flow | Usage Mode (not case sensitive) | Service Website Address |
|---|---|---|---|
| Spain (AEAT) | Spain, default, España, Espana | SII Test (test, testing) | |
| | | SII Test – electronic seal (testseal, testing-seal, test-eseal, testing-eseal) | |
| | | SII Production (production, prod, productive) | |
| | | SII Production – electronic seal (prod-seal, productionseal, production-eseal, prodeseal, eseal, e-seal) | www10.agenciatributaria.gob.es |
1.2.1 Steps to check whether Public Certificate has been correctly uploaded.
- Navigate to Monitor -> Manage Security -> Connectivity Tests.
- For the TLS protocol, tick the “Valid Server Certificate Required” checkbox in Test Connectivity, enter the endpoint [without https] in Host, and click Send.
- If the connection test is successful, the following Response is captured:
- If the connection test is not successful, the following error is displayed:
“Fault:Could not send Message.”, caused by “SunCertPathBuilderException: unable to find valid certification path to requested target”
If validation of the public certificate fails in the CPI Connectivity test, follow the steps below to download and upload the tax authority public certificates:
- You should download the Root CA Certificate.
For TLS Protocol, you should untick “Valid Server Certificate Required” checkbox in Test Connectivity.
- Upon connectivity test to the untrusted receiver system, you can see and download the certificate chain via the Download icon in the Response section on the right side.
- In the downloaded zip file, you will be able to view the Root CA Certificate.
- Now, import the Certificate to CPI Keystore.
a. Navigate to the Monitor -> Keystore.
b. Navigate to Add -> Certificate.
c. Browse the corresponding Root CA Certificate file and add.
2. Generic Checks after uploading the Certificate/Key Pair:
For “Add Certificate for Client Authentication”, ensure that the entry is uploaded as a Key Pair; for “Add Public Certificates of Relevant Tax Agency”, ensure that it is uploaded as a Certificate.
Steps to check:
- Navigate to Monitor -> Keystore:
- Check the column “Type” to verify whether each entry was uploaded with the correct type.
3. COMMON ISSUES
There are a few common issues that are faced by many customers. Below you can find information on how to solve them:
3.1 PRIVATE KEY PAIR ISSUES
Certificate/Key Pair is already uploaded, but the NIF value does not match:
When uploading the Certificate/Key Pair, ensure that the NIF in the Certificate/Key Pair of the company code matches the NIF in the documents that are submitted for the same company code.
If it is not the same, reach out to the tax authority to get the correct certificate.
Steps to check:
- Navigate to Monitor -> Keystore:
- Navigate to the Key Pair [For e.g: spainsiiprivatekey].
- Compare the Tax ID value in the Key Pair with the Tax ID in the document XML.
- If all the steps are okay and there is still an issue in submitting the documents, contact the tax authority.
3.2 PUBLIC CERTIFICATE ISSUES
The errors are of the following nature:
- SOAP error text: ‘Integration exception: ### Could not generate the XML stream caused by: ### path building failed: ### unable to find valid certification path to requested target’
- SOAP error code: ‘Error writing to XMLStreamWriter’.
- SCI Iflow fails with Unexpected EOF in prolog.
Certificate has either expired or has not been uploaded.
Steps to resolve the above errors:
- Please refer to the steps mentioned in 1.2.1 for “Response not successful”.
- The public certificates are downloaded from Connectivity Tests as a zip file. All three files have to be uploaded as public certificates in the keystore.
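The checks described in 3.1 (NIF match) and 3.2 (expiry) can also be run locally with openssl on the certificate file before anything is uploaded. This is an added example, not part of the original blog or an SAP tool. It assumes the NIF appears as a separate token in the certificate subject (the exact attribute depends on the issuer); the sample certificate, its IDCES- prefix and the NIF B00000000 are constructed.

```shell
#!/bin/sh
# Added example: local checks on a PEM certificate before upload.
# Assumption: the NIF is a separate token somewhere in the subject DN.

# Succeeds if the certificate subject contains the given NIF.
cert_has_nif() {            # <cert.pem> <NIF>
    openssl x509 -in "$1" -noout -subject | grep -Fqw -- "$2"
}

# Succeeds if the certificate is still valid <days> days from now.
cert_valid_for_days() {     # <cert.pem> <days>
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# SHA-256 fingerprint (colon-separated hex).
cert_fingerprint() {        # <cert.pem>
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Prints OK, NIF_MISMATCH or EXPIRING for one certificate.
check_cert() {              # <cert.pem> <NIF from document XML> <min days>
    if ! cert_has_nif "$1" "$2"; then echo NIF_MISMATCH
    elif ! cert_valid_for_days "$1" "$3"; then echo EXPIRING
    else echo OK
    fi
}

# Constructed sample input: self-signed certificate with a made-up NIF.
make_sample_cert() {        # <out.pem> <NIF> <validity days>
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$3" -subj "/C=ES/O=Constructed Example SL/serialNumber=IDCES-$2/CN=Constructed SII client" \
        2>/dev/null
}

tmp=$(mktemp -d)
make_sample_cert "$tmp/client.pem" B00000000 30
echo "matching NIF, 7 days:   $(check_cert "$tmp/client.pem" B00000000 7)"
echo "other NIF:              $(check_cert "$tmp/client.pem" B11111111 7)"
echo "needs 60 more days:     $(check_cert "$tmp/client.pem" B00000000 60)"
echo "SHA-256 fingerprint:    $(cert_fingerprint "$tmp/client.pem")"
rm -rf "$tmp"
```

For a Root CA taken from the Connectivity Tests download with “Valid Server Certificate Required” unticked, compare the printed fingerprint with the value the issuing CA publishes before adding it to the keystore.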
3.3 CONNECTION RESET ISSUES
The error is of the following nature:
“org.apache.cxf.interceptor.Fault: Could not generate the XML stream caused by: com.ctc.wstx.exc.WstxIOException: Connection reset., cause: java.net.SocketException: Connection reset” while submitting the documents to Tax Authority.
This could be due to Tax Authority blocking the IP Address of the customers.
Steps to resolve the above error:
- Customers can open a ticket under SAP Component “BC-NEO-IT-NW” to get their respective IP Address.
- You can reach out to the tax authority to unblock the IP address.
References
- SAP Note 2872857 – eDocument Spain Troubleshooting Guide
- SAP Note 2354153 – SunCertPathBuilderException in SAP Integration Suite/ SAP Cloud Integration outbound communication
- For more information on Spain SII CPI Artifacts, please refer to Reference Guides in the Electronic Tax Register Books for Spain package directly in the SAP Business API Hub.
Note: Image/data in this KBA is from SAP internal system, sample data, or demo systems. Any resemblance to real data is purely coincidental.
I highly encourage you to share your thoughts and feedback in the form of comments below.
If you are still more interested in exploring the topic, you can go through the related resources that are mentioned in the references above.
For more information and to stay updated, I encourage you to follow Document Reporting and Compliance. You can also post & answer questions here and read other posts on the topic here.
Great blog! I loved it. Surely very helpful.
Excellent blog! It explains all relevant customizing step by step in CPI. Thank you very much indeed!!!
Great blog!! Useful tips!!
How do you get the certificates? Do you need to request them on any special website?
Very useful and applicable blog related to CPI troubleshooting. Thank you!