
In SCC, is it obligatory to replace the default UI certificate for principal propagation?

yerlan1
Explorer

Hello Community.

I enabled principal propagation through the following steps:

1. Configuration of the Cloud Connector

a. Update the principal type of the Access Control

b. Set up a trust with the identity provider

c. Export the system certificate so that you can import it in the backend system later on

d. Configure the CA certificate for the short-living certificate

e. Adapt the subject pattern for principal propagation

f. Generate a sample certificate in order to import it in the backend.

2. Configuration of the on-premise backend system

a. Import the system certificate of the Cloud Connector to establish trust

b. Configure the Internet Communication Manager (ICM) to ensure the communication to the outside world.

c. Set the view VUSREXTID.

3. Update of the destination in SAP Cloud Platform

a. Change the authentication type of the destination to “Principal Propagation”

My question concerns point 3 of the configuration in the Cloud Connector: is it obligatory to replace the default UI certificate for principal propagation?

I use the UI certificate by default and I have a problem in validating the certificate in ECC.

gregorw
Active Contributor

The UI certificate doesn't have an influence on the principal propagation setup. But you should still replace it with a valid certificate matching the FQDN of your Cloud Connector to avoid browser warnings.

What I'm missing in step 2 of your description are the profile parameters that need to be set to trust the system certificate. Instead of using VUSREXTID, I would suggest using rule-based mapping of certificates.
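
An added example, not part of the answer above and not SAP's own code: a small check of the backend instance profile against the Cloud Connector system certificate exported in step 1c. The thread does not name the profile parameters; this assumes the ICM parameters `icm/HTTPS/verify_client`, `icm/HTTPS/trust_client_with_issuer` and `icm/HTTPS/trust_client_with_subject`, treats the configured DNs as compared exactly as typed, and uses constructed sample values.

```python
# Added example: audit an ABAP instance profile for Cloud Connector trust settings.
ISSUER_P = "icm/HTTPS/trust_client_with_issuer"
SUBJECT_P = "icm/HTTPS/trust_client_with_subject"
VERIFY_P = "icm/HTTPS/verify_client"

def parse_profile(text):
    """Read 'name = value' lines; lines starting with '#' are comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)  # DN values contain '=' themselves
            params[name.strip()] = value.strip()
    return params

def normalize_dn(dn):
    """Loose form, used only to explain a mismatch (assumes no escaped commas)."""
    rdns = (rdn.strip().partition("=") for rdn in dn.split(","))
    return ",".join(f"{k.strip().upper()}={v.strip()}" for k, _, v in rdns)

def audit(profile_text, cert_subject, cert_issuer):
    """Return findings for the profile against the system certificate's DNs."""
    params = parse_profile(profile_text)
    findings = [f"{p}: not set" for p in (VERIFY_P, ISSUER_P, SUBJECT_P) if p not in params]
    if params.get(VERIFY_P) == "0":
        findings.append(f"{VERIFY_P}: 0 means no client certificate is requested")
    for name, expected in ((ISSUER_P, cert_issuer), (SUBJECT_P, cert_subject)):
        actual = params.get(name)
        if actual is None or actual == expected:
            continue  # missing values are already reported above
        if normalize_dn(actual) == normalize_dn(expected):
            findings.append(f"{name}: differs only in spacing or case")
        else:
            findings.append(f"{name}: does not match the certificate")
    return findings

# Constructed sample values, not taken from the thread.
SAMPLE_PROFILE = """\
icm/HTTPS/verify_client = 1
icm/HTTPS/trust_client_with_issuer = CN=Example Internal CA,O=Example,C=DE
icm/HTTPS/trust_client_with_subject = CN=scc.example.internal, O=Example, C=DE
"""
SUBJECT = "CN=scc.example.internal, O=Example, C=DE"
ISSUER = "CN=Example Internal CA, O=Example, C=DE"

if __name__ == "__main__":
    for finding in audit(SAMPLE_PROFILE, SUBJECT, ISSUER):
        print(finding)
```
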

yerlan1
Explorer

Gregor, thanks for your answer. I understand your point, but how do I reuse the UI certificate in the system certificate if I don't have a valid certificate? This is probably my problem, hence the question.

As for the rule-based mapping of certificates, I cannot use this because the backend version is not available.

Thanks