eaksiri

Transitioning to Certificate-Based Authentication for your EC Payroll and SAP Integration Suite Integration

Discover the shift in cybersecurity as SAP recommends certificate-based authentication over traditional username/password methods.

 

Contents

  • Introduction
  • Assumption
  • Process flow
  • Configuration guide
    • EC Payroll: Exporting the certificate from EC Payroll
    • SAP BTP: Importing the EC Payroll’s certificate to SAP Integration Suite
      • Add the service Process Integration Runtime to your subaccount
      • Create the service instance
      • Create a service key
  • Connection Testing
    • SAP Integration Suite: Integration flow for testing
    • EC Payroll: Make a connection test
  • Finally…

 

Introduction

As you may know, SAP advises using certificate-based authentication instead of user/password authentication, and with good reason: compared with the traditional username and password combination, it is a far more secure option.

So, the purpose of this blog is to show you how to configure client certificate-based authentication between the EC Payroll system and SAP Integration Suite.

eaksiri_1-1708594851518.png

I know (and understand) that most people can follow a guide from SAP. But as you can see, the SAP Help page has an extensive amount of content. Therefore, the goal of this blog is to help you to visualize what SAP is describing in its configuration guide.

References:

 

Assumption

  • Using Employee Central Payroll (EC Payroll)
  • Using SAP Integration Suite on SAP BTP
  • Most importantly, you have basic knowledge of EC Payroll, SAP Integration Suite, and SAP BTP

 

Process flow

eaksiri_2-1708594851520.png

 

Configuration guide

EC Payroll: Exporting the certificate from EC Payroll

These steps are similar to the ones you followed if you have previously configured the Point-to-Point data replication between EC Payroll and SuccessFactors applications.

eaksiri_19-1708595696183.png

  1. Go to Trust Manager (tcode STRUST), then select the SSL client (100_SD).
  2. Double-click on your own certificate.
  3. Export the certificate in Base64 format.

 

SAP BTP: Importing the EC Payroll’s certificate to SAP Integration Suite

Here comes the tricky part.

The following actions must be taken if you are unlucky enough that not all of the necessary services have already been enabled in SAP BTP.

 

Add the service Process Integration Runtime to your subaccount

Under your subaccount’s entitlements, add a new service plan.

eaksiri_4-1708594851540.png

Search for the service Process Integration Runtime, and then select the plans shown below.

eaksiri_0-1708597973404.png

 

Save it.

eaksiri_6-1708594851549.png

 

Create the service instance

Go to Services & Instances and Subscriptions, then click Create.

eaksiri_7-1708594851557.png

In the new instance creation dialog, enter the following information.

  • Service: Process Integration Runtime
  • Plan: integration-flow
  • Runtime Environment: Cloud Foundry
  • Space: <if you don’t have a space yet, create it>

eaksiri_8-1708594851561.png

 

You can use the default values under the parameters tab. Technically, the role ESBMessaging.send will be granted to those who have the client certificate.

Now, we are ready to create it.

eaksiri_9-1708594851564.png

 

Create a service key

Under the newly created instance, click on Create Service Key.

eaksiri_10-1708594851568.png

Select External Certificate as the key type, and then paste the EC Payroll certificate into the External Certificate field.

eaksiri_11-1708594851582.png

 

Here we go.

eaksiri_20-1708596222122.png

 

Connection Testing

SAP Integration Suite: Integration flow for testing

For testing purposes, you can utilize either your integration flow or the SAP standard-delivered integration packages. In my case, I employ my custom integration flow.

eaksiri_13-1708594851591.png

eaksiri_14-1708594851592.png

 

EC Payroll: Make a connection test

I create an RFC connection to SAP Integration Suite.

eaksiri_15-1708594851593.png

Under the Logon & Security tab, make sure you choose the SSL certificate that you exported in the first step.

eaksiri_16-1708594851596.png

After you run the connection test, you should receive a successful HTTP response (status 200).

eaksiri_17-1708594851597.png

 

Finally…

Nothing lasts forever, and that includes the certificate. The certificate will usually expire after a year.

Setting up the notification for expiring certificates is therefore advised.

eaksiri_18-1708594851606.png
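
As an added example (not from the original post or from SAP), the script below checks the Base64 certificate exported from STRUST before it is pasted into the service key, and reports whether it expires within a warning window. It assumes the export was saved as a PEM file with BEGIN/END CERTIFICATE lines and that the `openssl` CLI is installed; the function names and the self-signed sample certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example. Exit codes of check_cert:
#   0 = valid, 1 = expires within <warn_days>, 2 = already expired,
#   3 = file is not a parseable X.509 certificate.
check_cert() {
    cert_file=$1
    warn_days=${2:-30}

    # Catch a wrong export format or a truncated copy before it reaches BTP.
    openssl x509 -in "$cert_file" -noout 2>/dev/null || return 3

    # Details to compare with the certificate shown in STRUST.
    openssl x509 -in "$cert_file" -noout -subject -issuer -enddate \
        -fingerprint -sha256

    # -checkend N exits non-zero when the certificate expires within N seconds.
    openssl x509 -in "$cert_file" -noout -checkend 0 >/dev/null || return 2
    openssl x509 -in "$cert_file" -noout \
        -checkend $((warn_days * 86400)) >/dev/null || return 1
    return 0
}

# Constructed sample: throwaway self-signed certificate valid for 90 days,
# standing in for the file exported from EC Payroll (hypothetical subject).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
        -subj "/CN=constructed-sample-ec-payroll" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# Demo on the constructed sample: fine at 30 days, flagged at 120 days.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/sample.pem"
check_cert "$demo_dir/sample.pem" 30 && echo "status: valid"
check_cert "$demo_dir/sample.pem" 120 || echo "status $?: renew before expiry"
rm -rf "$demo_dir"
```

Run from a scheduled job against the exported file, a non-zero exit code from `check_cert` can drive the renewal reminder.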

 

 
