Recently, we had a requirement to integrate HCI with an On-Premise ERP Instance using standard SAP IDoc’s. The ground rules for the Integration were,

• Only Client Authentication aka 2 Way SSL is to be used.
• HANA Cloud Connector to be used for Interfacing from Cloud to the On-Premise ERP.

So what’s different out here you might ask considering that HCI Supports Client Authentication natively for its IDoc Adapter.

The short answer:

When using HANA Cloud Connector, your IDoc Adapter configuration would require your Proxy Type as “On-Premise”. When your Proxy Type is “On-Premise”, HCI does not allow you to provide an Option for Client Authentication.

Below is what my initial configuration looked like:

When trying to deploy my iFlow with this configuration, HCI prompts an error: “Certificate based authentication is not supported for Proxy Type On-Premise”

Does this mean that HCI does not allow Client Authentication when Integrating with ERP System with a Receiver IDoc Adapter using HANA Cloud Connector? The answer my friends, lies in the details :smile:

The Long Answer

The Scenario

HANA Cloud Connector Configuration

Configure your HCC Account

Configure your HCC Account by providing the required HCI Details

Access Control

Set Up your access control by mapping to an On-Premise ABAP System

Provide the Protocol. In my case HCC connects to On-Premise ERP using HTTPS Protocol.

Provide the Internal SAP System Host Name and the corresponding HTTPS Port.

Provide the Virtual HostName that should be used in HCI in your IDoc Adapter. In this case I have called it: bhavesh.hcc.com

The Next Step is the most critical as this step enables Client Authentication between HCC and the On-Premise ERP System.Select Option for Principal Type as: X.509 Certificate.

This setting makes sure that the Connectivity between HCC and the On-Premise ERP System now uses Client Authentication.

Add Resource

Click on Add Resource

Below is now what your Access Control should look like,

Add System Certificate for Client Authentication

To enable Client Authentication you would need to ensure your Private Key is added to the System Certificate in your HANA Cloud Connector. Navigate to Settings --> System Certificate. Select your Key-pair in a P12 File Format.

Click on Import, the KeyPair should be imported successfully,

Backend SAP Configuration for User Mapping

Go to SM30 : Table Name : VUSREXTID

External ID Type: DN

Create a new entry by Importing the Public Certificate of  the Key Pair you imported into HANA Cloud Connector and providing a User ID for the same.

HCI IDoc Adapter Configuration

Configure your IDoc Adapter with the below options:

• ProxyType : OnPremise
• Authentication : Basic Authentication Enabled
• Credentials: Provide any Credentials. This is not going to be used in the runtime. In my case I created a Dummy Credentials with a Dummy User / Password.

Save and Deploy your Integration Flow.

Your scenario should now use Client Authentication and Authenticate itself to the BackEnd ERP System!

So What happens Behind the scenes?

What you will notice is that if remove the KeyPair from the Settings --> System Certificate in your Hana Cloud Connector, then the IDoc Adapter will try to use Basic Authentication. If you have maintained valid credentials, then the Login goes through and IDoc gets posted. If you have used maintained Invalid credentials a HTTP 401 Unauthorized Error is returned.

In Summary, HANA Cloud Connector has been instructed to use a X509 Certificate to authenticate itself to the Back End ERP System. Hence, when the IDoc from HCI is sent to HCC, HCC uses the X509 Certificate to authenticate itself which leads to a Client Authentication aka 2 Way SSL with HANA Cloud Connector & HCI’s IDoc Adapter!

References / Additional Reading

HCI Securing your communications

HANA Cloud Connector SetUp