
In SCC, is it obligatory to replace the default UI certificate for principal propagation?

yerlan1
Explorer

Hello Community.

I enabled principal propagation through the following steps:

1. Configuration of the Cloud Connector

a. Update the principal type of the Access Control

b. Set up a trust with the identity provider

c. Export the system certificate so that you can import it in the backend system later on

d. Configure the CA certificate for the short-living certificate

e. Adapt the subject pattern for principal propagation

f. Generate a sample certificate in order to import it in the backend.

2. Configuration of the on-premise backend system

a. Import the system certificate of the Cloud Connector to establish trust

b. Configure the Internet Communication Manager (ICM) to ensure communication with the outside world.

c. Set the view VUSREXTID.

3. Update of the destination in SAP Cloud Platform

a. Change the authentication type of the destination to “Principal Propagation”

My question is about point 3 of the Cloud Connector configuration: is it obligatory to replace the default UI certificate for principal propagation?

I use the default UI certificate, and I have a problem validating the certificate in ECC.

pjcools
Active Contributor

If your version does not allow for rule-based mapping, then there is no need to perform steps e and f of your Cloud Connector configuration. This will have no impact at all, and there is no need to generate the short-lived certificate; just make sure you are not loading it into STRUST, as this is not required.

I've actually started signing the UI certificate first and then using this certificate as the System Certificate, which is then loaded into the backend systems. This has worked well for me in recent installations. You must make sure the ICM parameters EXACTLY match the System Certificate issuer; even an additional space can cause the certificate not to be trusted. I've summarised the ICM parameters in this table. As gregorw stated, rule-based certificate mapping is ideal; however, I always make sure the External ID mapping (transaction EXTID_DN) is working successfully prior to performing this step, and, as you said, you can only use rule-based certificate mapping on later versions of SAP ERP.

The other important step is to make sure the CA certificate has the right attributes. It needs to have the keyCertSign attribute included.

Lastly, just make sure you are carrying out a synchronisation of the principal propagation settings in the Cloud Connector. You need to synchronise the AD you are using AND also synchronise other services (dispatcher) if you are using OData provisioning, etc., so check this as well.

Thanks

Phil Cooley
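Two of the checks in the reply above, written as an added example that is not part of this thread and not SAP tooling: whether a CA certificate actually carries the keyCertSign key usage, and whether the issuer DN configured in ICM (typically icm/HTTPS/trust_client_with_issuer) matches the system certificate's issuer byte for byte, so that a stray trailing space is caught. The certificate subjects, file names and temp directory are constructed for the demonstration; it needs only the openssl CLI (1.1.1 or later).

```shell
#!/bin/sh
# Added example, not from the thread: two openssl checks for the points in the
# reply above (needs OpenSSL 1.1.1+ for -addext and -ext).
#  1) the CA certificate must carry the keyCertSign key usage
#  2) the issuer DN typed into the ICM parameter (typically
#     icm/HTTPS/trust_client_with_issuer) must match the certificate exactly
set -eu
# 0 when the Key Usage extension includes keyCertSign, which openssl prints as
# "Certificate Sign"; non-zero when the extension is missing or lacks the bit.
ca_can_sign_certs() {
    openssl x509 -in "$1" -noout -ext keyUsage 2>/dev/null \
        | grep -q 'Certificate Sign'
}

# Issuer DN in "CN=..., O=..." form, the comma-space style used in ICM values.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer -nameopt sep_comma_plus_space \
        | sed 's/^issuer=//'
}

# 0 only on a byte-for-byte match; nothing is trimmed, so a stray trailing
# space in the configured value is reported rather than hidden.
issuer_matches_icm() {
    actual=$(cert_issuer "$1")
    [ "$actual" = "$2" ]
}

# Constructed test material (hypothetical names): a throwaway self-signed CA
# with keyCertSign and a second certificate without it, in a temp directory.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=SCC CA/O=Example' \
    -addext 'keyUsage=critical,keyCertSign,cRLSign' \
    -keyout "$WORK/good-ca.key" -out "$WORK/good-ca.crt" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Not a CA/O=Example' \
    -addext 'keyUsage=critical,digitalSignature' \
    -keyout "$WORK/not-ca.key" -out "$WORK/not-ca.crt" 2>/dev/null
GOOD_CA="$WORK/good-ca.crt"
NOT_CA="$WORK/not-ca.crt"
# Demonstration run: the second certificate fails the key-usage check, and the
# configured value with one trailing space fails the issuer check.
for c in "$GOOD_CA" "$NOT_CA"; do
    if ca_can_sign_certs "$c"; then echo "$c: keyCertSign present"
    else echo "$c: keyCertSign MISSING, cannot act as CA"; fi
done
for v in 'CN=SCC CA, O=Example' 'CN=SCC CA, O=Example '; do
    if issuer_matches_icm "$GOOD_CA" "$v"; then echo "[$v] matches issuer"
    else echo "[$v] does NOT match issuer '$(cert_issuer "$GOOD_CA")'"; fi
done
```

Point the two functions at your real CA and system certificate files and at the exact string from the ICM profile to reproduce the comparison the reply describes.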