CRM and CX Blogs by SAP
Stay up-to-date on the latest developments and product news about intelligent customer experience and CRM technologies through blog posts from SAP experts.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SAP Sales Cloud and SAP Service Cloud version 2 - Client Certificate authentication (Outbound)

AbinashNanda
Product and Topic Expert
Product and Topic Expert
‎02-15-2024 9:10 AM

Steps:

  1. You have a client certificate signed by one of the CAs supported by the load balancer. More information on the supported CAs: Load Balancer Root Certificates Supported by SAP.
  2. Upload the key pair to communication system in SAP Sales Cloud and Service Cloud Version 2.
  3. Configure Client Certificate-Based Authentication in the Service Instance in SAP Cloud Platform Cockpit.

Let's cover the steps in more detail

Step 1 : Prepare Key-Pair in PKCS#12 (.p12) File format

Note: SAP Sales Cloud and Service Cloud Version 2 only supports .p12 not .pfx for now.

For this post I am using openssl to generate the key pair and the PKCS#12 file.

This is optional and you are free to use any other tool as preferred

First let's generate a key and certificate signing request

 

 

openssl genrsa -out an150224.key 2048
openssl req -new -key an150224.key -out an150224.csr

 

Next step is to get the certificate signed by one of the CAs supported by the SAP load balancer

Once you have the CA signed certificate, export the certificate and private key to .p12 (PKCS12) file format. Note : The certificate file should have whole certificate chain (including Intermediate certificate authorities in order)

 

openssl pkcs12 -export -out an150224.p12 -inkey an150224.key -in an150224certchain.cer

 

If needed, verify the content of .p12

 

openssl pkcs12 -info -nodes -in an150224.p12

 

 

Step 2:  Upload the key pair to communication system inSAP Sales Cloud and Service Cloud Version 2

Upload the .p12 file to the communcation system under Outbound as shown below

Communication System.png

Step 3 - Configure Client Certificate-Based Authentication in the Service Instance in SAP Cloud Platform Cockpit

Create a service key under Process Integration Runtime service for plan integration-flow.  Use key type as external certificate. 

Service Key.png

Note : Only client certificate in PEM format should be maintained under the External Certificate. CA certificates are not needed. More details on defining service keys in the Cloud Foundry environment can be found in the SAP online documentation at Creating Service Instance and Service Key for Inbound Authentication.

You are all set. Now messages coming from SAP Sales Cloud and Service Cloud V2 using the connector service will use mTLS (Client Cert) for authentication with SAP Cloud Integration.

You can also test it from curl if needed using the key and certificate chain.

 

curl -v --key an150224.key https://<CPI Runtime URL>/http/test/helloworld --cert an150224certchain.cer

 

Hint:

If you are getting 401 error, make sure the .p12 file has whole certificate chain including the private key.

That's all for this post. Happy Learning!!!

5 Comments
Popular Blog Posts