HCI Integration with SAP ECC/CRM System
Content
1. Introduction to Digital certificate and SSL Handshake
2. Customer Landscapes and certificate request
3. Connection setup from SAP ERP – HCI – C4C
4. Connection setup from C4C – HCI – Web-Dispatcher – SAP ERP with SSL Termination
1. Introduction to SSL certificate and SSL Handshake
What is SSL Certificate?
SSL certificates are small data files that digitally bind a cryptographic key to an organization’s details. When installed on a web server, the certificate activates the HTTPS protocol and allows secure connections from the web server to a browser or an application.
Certificate Information:
In the certificate’s general information you can find “Issued to”, “Issued by” and the validity period of the certificate.
Certification Path:
When a certificate is signed by a Certificate Authority, the certification path shows the root certificate and the signed certificate (there may also be an intermediate or chain certificate between them).
What is SSL Handshake?
In two-way SSL authentication, the SSL client application verifies the identity of the SSL server application, and then the SSL server application verifies the identity of the SSL-client application.
Two-way SSL authentication is also referred to as client authentication because the application acting as an SSL client presents its certificate to the SSL server after the SSL server authenticates itself to the SSL client.
2. Customer Landscapes and certificate request
Every customer landscape is unique. There are a couple of scenarios I would like to discuss here that matter when you apply for a certificate.
a. Multiple Domain architecture – Public and internal domain
b. Single Domain architecture – Public registered domain
A. Multiple Domain architecture
In the above network landscape there are two domains. “internaldomain.com” is the internal domain and it is not registered. Because it is not registered, a public Certificate Authority will not sign a CSR (certificate signing request) for it. If you have a publicly registered domain, create the CSR with that domain and get it signed by a CA.
B. Single Domain architecture
The customer has only one domain and it is publicly registered. You can create the CSR on that domain.
3. Connection setup from SAP ERP – HCI – C4C
Go to STRUST transaction
Below is an example showing the DN of the certificate:
DN = CN=erpc.externaldomain.com, OU=Information Technology, O=mycompany Inc, L=Location, S=State, C=Country
This is the CSR. Copy the CSR and get it signed by a Certificate Authority.
Note: the signing CA must be in the trust list of HCI. Check the latest HCI trust list before ordering the certificate.
Signing algorithm: select SHA1 or SHA2. The root certificate the CA uses may differ depending on the algorithm selected, so make sure that root is in the HCI trust list.
Proceed to the next step and check the summary of the certificate. Provide the necessary contact information. You will receive the signed certificates from the CA in 3-4 days.
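As an added check (example code, not part of the original post), the snippet below parses the X.500-style DN strings used in this post and flags a CN whose domain is not publicly registered, which is the case section 2 says a public CA will refuse to sign. The domain sets are constructed for the example; replace them with your own registered and internal domains.

```python
"""Added example: parse DN strings such as the STRUST and sapgenpse DNs in this
post and decide whether a public CA can sign a CSR for them. The two domain
sets below are constructed placeholders, not values from a real landscape."""
import re
from typing import Dict, Tuple

PUBLIC_DOMAINS = {"externaldomain.com"}      # registered: a public CA can sign
INTERNAL_DOMAINS = {"internaldomain.com"}    # unregistered: company CA or self-signed only

def parse_dn(dn: str) -> Dict[str, str]:
    """'CN=x, OU=y, ...' -> {'CN': 'x', 'OU': 'y', ...}. Attribute types are
    case-insensitive, so 'l=Location' (as typed in this post) maps to 'L'.
    Surrounding double quotes, as used on the sapgenpse command line, are removed."""
    parts = {}
    for rdn in re.split(r",\s*", dn.strip().strip('"')):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        parts[attr.strip().upper()] = value.strip()
    if not parts.get("CN"):
        raise ValueError("DN has no CN")
    return parts

def registrable_domain(host: str) -> str:
    """Last two labels of the host name (sufficient for the .com names used here)."""
    return ".".join(host.lower().split(".")[-2:])

def public_ca_can_sign(dn: str) -> Tuple[bool, str]:
    """True if a public CA can sign a CSR for this DN, together with the reason."""
    cn = parse_dn(dn)["CN"]
    domain = registrable_domain(cn)
    if domain in PUBLIC_DOMAINS:
        return True, f"{cn}: {domain} is publicly registered"
    if domain in INTERNAL_DOMAINS:
        return False, f"{cn}: {domain} is internal and unregistered; use the company CA or a self-signed certificate"
    return False, f"{cn}: {domain} is not a known registered domain"

if __name__ == "__main__":
    for dn in ("CN=erpc.externaldomain.com, OU=Information Technology, O=mycompany Inc, L=Location, S=State, C=Country",
               "CN=erpc.internaldomain.com, OU=Information Technology, O=mycompany Inc, l=Location, S=State, C=Country"):
        print(public_ca_can_sign(dn))
```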
The downloaded bundle contains three certificates:
1. entrustcert.crt - Signed server certificate
2. L1Cchain.txt - Chain certificate (change file extension from txt to crt)
3. L1Croot.txt - Root certificate (change file extension from txt to crt)
Import the certificate response in STRUST.
Copy and import the response.
Import the chain and root certificate to the certificate list and add it to the database.
Adding certificate to Database:
Similarly add the other certificate to certificate list and database.
Go to the HCI tenant URL:
Export the certificate in X.509 format.
Similarly, save the “Cybertrust Public SureServer SV CA” certificate in X.509 format.
Import the Baltimore CyberTrust Root and Cybertrust Public SureServer SV CA certificates into the certificate list and the database in STRUST.
We have deployed the required certificates on the SAP ERP/CRM system.
On the HCI tenant we can deploy a keystore artifact. This keystore contains the certificates required to authenticate the client. There is only one keystore per tenant and the file is called system.jks. In this scenario we have to load the server certificate’s chain and root (L1Cchain.crt and L1Croot.crt). To load these certificates you need to raise a ticket with SAP.
system.jks can be seen in Eclipse under the deployed artifacts.
SAP provides the HCI tenant certificate; its “Issued to” field matches the HCI tenant URL.
In the example below, the HCI certificate is signed by “Cybertrust Public SureServer SV CA”. This CA certificate and its root must be loaded into the trust list of C4C.
SAP CRM/ERP – HCI – C4C connection is established successfully.
4. Connection setup from C4C – HCI – Web-Dispatcher – SAP ERP with SSL Termination:
HCI certificate exchange mechanism:
Step-by-Step Procedure (On Premise):
1. Install SAP Web Dispatcher and configure it for the CRM or ECC system.
2. Download the latest SAP Cryptographic Library.
3. Copy the SAP cryptographic binaries to the Web Dispatcher kernel directory:
sapgenpse.exe
sapcrypto.dll
Location - D:\usr\sap\<SID>\SYS\exe\nuc\NTAMD64
Copy sapgenpse.exe and sapcrypto.dll to the folder location above.
4. Copy the ticket file to the sec directory under the Web Dispatcher instance directory.
Ticket file location - D:\usr\sap\WHC\W04\sec
You have now installed the SAP Cryptographic Library files.
5. Create the server PSE and certificate request using “sapgenpse.exe” from the command prompt.
Go to the Web Dispatcher kernel folder in cmd.
Syntax: sapgenpse get_pse <additional_options> -p <PSE_Name> -r <cert_req_file_name> -x <PIN> <Distinguished_Name>
Run the “sapgenpse” command below to create the SAPSSLS.pse file and the certificate request.
sapgenpse get_pse -p SAPSSLS.pse -x 123456 -r D:\usr\sap\WHE\W00\sec\cert.req "CN=wd.externaldomain.com, OU=Information Technology, O=mycompany Inc, L=Location, S=State, C=Country"
The domain name must be a publicly registered domain. This “CN=wd.externaldomain.com” is the name HCI will use to communicate with the CRM/ERP system.
For example:
CN=wd.externaldomain.com
Here your public domain is “externaldomain.com”, and your public IP must be mapped to the host name “wd” in the DNS manager of that domain.
DNS Manager of “externaldomain.com”
Get cert.req signed by one of the HCI trusted CAs listed below.
List of HCI trusted CAs:
TC TrustCenter CA
TC TrustCenter Class 2 L1 CA XI
VeriSign Class 1 Public Primary Certification Authority - G3
VeriSign Class 3 Public Primary Certification Authority - G5
VeriSign Class 3 Public Primary Certification Authority - G5 - Intermediate
Entrust.net Certification Authority (2048)
TC TrustCenter Class 2 CA II
CN=TC TrustCenter Class 2 L1 CA XI
Go Daddy Class 2 Certification Authority
Entrust Certification Authority - L1C
VeriSign Class 3 International Server CA - G3
VeriSign Class 3 Secure Server CA - G3
DigiCert Secure Server CA
DigiCert Global Root CA
AddTrust External CA Root
COMODO High-Assurance Secure Server CA
Baltimore CyberTrust Root
Cybertrust Public SureServer SV CA
CN = Certum CA, O = Unizeto Sp. z o.o., C = PL
CN = Certum Level IV CA, OU = Certum Certification Authority, O = Unizeto Technologies S.A., C = PL
Note: Entrust Certification Authority - L1C provides a free 90-day trial.
6. Similarly, create the client PSE and certificate request using “sapgenpse.exe” from the command prompt.
Go to the Web Dispatcher kernel folder in cmd.
sapgenpse get_pse -p SAPSSLC.pse -x 123456 -r D:\usr\sap\WHE\W00\sec\clientcert.req "CN=wdc.externaldomain.com, OU=Information Technology, O=mycompany Inc, L=Location, S=State, C=Country"
If you have your own CA, get this certificate signed by it, or use a self-signed certificate if both systems are in the same landscape.
7. Create a certificate request for “SSL Server Standard” on the backend ERP system in STRUST.
Right-click “SSL Server Standard” and choose “Create a certificate request”.
CN=erps.externaldomain.com, OU=Information Technology, O=mycompany Inc, L=Location, S=State, C=Country
Export the certificate request as “erps.req”. If you have your own CA, get this certificate signed by it, or use a self-signed certificate if both systems are in the same trusted zone (same landscape).
8. From steps 5, 6 and 7 we have generated the following certificate requests:
a. cert.req - Web Dispatcher server
b. clientcert.req - Web Dispatcher client
c. erps.req - STRUST ERP server
9. Get certificate request “a” signed by one of the HCI trusted CAs.
Get certificate requests “b” and “c” signed by your company’s internal CA, or use self-signed certificates.
10. Import the certificate response together with the root certificate and the chain certificate (if applicable).
When a certificate request is signed you receive the signed certificate and the root certificate, and you may also receive a chain certificate.
sapgenpse import_own_cert -p SAPSSLS.pse -c D:\usr\sap\WHE\W00\sec\responseCert.crt -r D:\usr\sap\WHE\W00\sec\root.crt -r D:\usr\sap\WHE\W00\sec\chain.crt -x 123456
Here responseCert.crt is the signed server certificate; root.crt and chain.crt are the root and chain certificates returned by the CA.
Grant the system user access to the PSE file:
sapgenpse seclogin -p D:\usr\sap\WHE\W00\sec\SAPSSLS.pse -x 123456 -O <DOMAIN>\SAPService<SID>
11. Similarly, import the certificate response for SAPSSLC.pse (if you are using a self-signed certificate this step is not required).
sapgenpse import_own_cert -p SAPSSLC.pse -c D:\usr\sap\WHE\W00\sec\CResponseCert.crt -r D:\usr\sap\WHE\W00\sec\root.crt -x 123456
Here CResponseCert.crt is the signed certificate for the client PSE.
Grant the system user access to the PSE file:
sapgenpse seclogin -p D:\usr\sap\WHE\W00\sec\SAPSSLC.pse -x 123456 -O <DOMAIN>\SAPService<SID>
12. Add the following parameters to the Web Dispatcher profile:
DIR_INSTANCE = D:\usr\sap\WHE\W00
ssl/ssl_lib=D:\usr\sap\WHE\SYS\exe\nuc\NTAMD64\sapcrypto.dll
ssl/server_pse=D:\usr\sap\WHE\W00\sec\SAPSSLS.pse
ssl/client_pse=D:\usr\sap\WHE\W00\sec\SAPSSLC.pse
icm/server_port_2 = PROT=HTTPS, PORT=443, TIMEOUT=900
wdisp/ssl_encrypt=1
icm/HTTPS/forward_ccert_as_header = true
icm/HTTPS/verify_client=1
wdisp/ssl_auth = 2
wdisp/ssl_cred = D:\usr\sap\WHE\W00\sec\SAPSSLC.pse
13. Create trust between the ERP system and the Web Dispatcher by exchanging root certificates.
Maintain the root certificate of the ERP “SSL Server Standard” PSE in SAPSSLC.pse:
sapgenpse maintain_pk -a D:\usr\sap\WHE\W00\sec\ERPSCert.cer -p SAPSSLC.pse -x 123456
14. Download the HCI X.509 certificate and import it into SAPSSLS.pse on the Web Dispatcher.
Save the root certificate as “hcicrtroot.cer”. Similarly, download the chain certificate and save it as “hcicrtchain.cer”.
Maintain the root and chain certificate of HCI in SAPSSLS.pse:
a. sapgenpse maintain_pk -a D:\usr\sap\WHE\W00\sec\hcicrtroot.cer -p SAPSSLS.pse -x 123456
b. sapgenpse maintain_pk -a D:\usr\sap\WHE\W00\sec\hcicrtchain.cer -p SAPSSLS.pse -x 123456
15. Restart the Web Dispatcher.
16. Add the following parameters to the ERP profile.
T-code: RZ10
icm/HTTPS/trust_client_with_issuer = <issuer DN of the signed SAPSSLC certificate>
icm/HTTPS/trust_client_with_subject = <subject DN of the SAPSSLC certificate>
icm/HTTPS/verify_client = 1
icm/server_port_0 = PROT=HTTPS,PORT=443,TIMEOUT=120,PROCTIMEOUT=120,VCLIENT=1
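The Web Dispatcher and ERP profile parameters in steps 12 and 16 only work as a unit, so a quick consistency check is worth having. The script below is an added example, not SAP tooling: it parses profile text in the “param = value” form shown above and reports settings that would weaken the SSL-terminated leg. The sample profiles are constructed from the values in this post; the ERP issuer and subject DNs are placeholders.

```python
"""Added example: check that the Web Dispatcher profile (step 12) and the ERP
profile (step 16) fit together. Samples are constructed from this post; the
two DNs in ERP_PROFILE are placeholders for the real SAPSSLC values."""
from typing import Dict, List

WD_PROFILE = r"""
ssl/ssl_lib=D:\usr\sap\WHE\SYS\exe\nuc\NTAMD64\sapcrypto.dll
ssl/server_pse=D:\usr\sap\WHE\W00\sec\SAPSSLS.pse
ssl/client_pse=D:\usr\sap\WHE\W00\sec\SAPSSLC.pse
wdisp/ssl_encrypt=1
icm/HTTPS/forward_ccert_as_header = true
wdisp/ssl_auth = 2
wdisp/ssl_cred = D:\usr\sap\WHE\W00\sec\SAPSSLC.pse
"""
ERP_PROFILE = """
icm/HTTPS/trust_client_with_issuer = CN=Company Internal CA, O=mycompany Inc, C=Country
icm/HTTPS/trust_client_with_subject = CN=wdc.externaldomain.com, O=mycompany Inc, C=Country
icm/HTTPS/verify_client = 1
icm/server_port_0 = PROT=HTTPS,PORT=443,TIMEOUT=120,PROCTIMEOUT=120,VCLIENT=1
"""
# Same backend without the two pins: the backend then cannot tell the forwarding Web Dispatcher from any other TLS client.
WEAK_ERP_PROFILE = "\n".join(l for l in ERP_PROFILE.splitlines() if "trust_client" not in l)

def parse_profile(text: str) -> Dict[str, str]:
    params = {}
    for line in text.splitlines():
        line = line.strip()                      # profile syntax: 'param = value', '#' comments
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def port_options(value: str) -> Dict[str, str]:
    """'PROT=HTTPS,PORT=443,VCLIENT=1' -> {'PROT': 'HTTPS', 'PORT': '443', 'VCLIENT': '1'}"""
    return {k.strip().upper(): v.strip() for k, v in
            (opt.split("=", 1) for opt in value.split(",") if "=" in opt)}

def check_profiles(wd: Dict[str, str], erp: Dict[str, str]) -> List[str]:
    findings = [f"WD: {k} is missing" for k in ("ssl/ssl_lib", "ssl/server_pse", "ssl/client_pse") if k not in wd]
    if wd.get("wdisp/ssl_encrypt") != "1":
        findings.append("WD: wdisp/ssl_encrypt must be 1 so the backend leg is re-encrypted")
    if wd.get("icm/HTTPS/forward_ccert_as_header", "").lower() == "true":
        for key in ("icm/HTTPS/trust_client_with_issuer", "icm/HTTPS/trust_client_with_subject"):
            if not erp.get(key):
                findings.append(f"ERP: {key} must pin the Web Dispatcher client certificate")
    https = [port_options(v) for k, v in erp.items() if k.startswith("icm/server_port_")]
    https = [p for p in https if p.get("PROT", "").upper() == "HTTPS"]
    vclient = erp.get("icm/HTTPS/verify_client") in ("1", "2") or (https and all(p.get("VCLIENT") in ("1", "2") for p in https))
    if not https or not vclient:
        findings.append("ERP: no HTTPS port that requests client certificates (verify_client / VCLIENT)")
    return findings
```

Run `check_profiles(parse_profile(WD_PROFILE), parse_profile(ERP_PROFILE))` to get an empty list for the posted values and two findings for `WEAK_ERP_PROFILE`.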
17. Access the WebGUI and check the certificate.
HCI integration connectivity is complete.