Use Self-Signed SSL Client Certificate to connect SAP backend to SCPI with Custom Domain configured

Purpose

This document aims at showing how to connect your SAP backend (in this case SAP ECC 6.0) with your SCPI configured with a Custom Domain using the Client Certificate as authentication method. This is to avoid paying a CA to get your Client Certificate signed and to use  Self-Signed certificate created from STRUST instead.

The main idea behind this demo is taken from Mandy Krimmel’s blog How to Setup Secure HTTP Inbound Connection with Client Certificates.

 

Involved Systems

SAP backend connected to SCPI via (synchronous) SOAP WS.

Prerequisite

  • SCPI Custom Domain correctly configured with a Server/Domain Certificate bound to the respective SSL Host. For more information, please refer to the following links:

Custom domain, overview

Using Custom Domain

  • Sap neo-java-web-sdk installed on your local system, to download the tool click on this link.
  • Basic concepts behind Custom Domain in SCPI.

 

Configure STRUST

Create a new SSL Client PSE (aka SSL Client Identities).

Run tcode STRUST, from the toolbar-> Environment -> SSL Client Identities.

Click on New Entries and add your new Identity.

Save the changes.

Right click on the just created SSL Identity and click on Create.

Insert the value in accordance with your requirement, set the Key Length to at least 2048.

The new entry will appear as follows.

Double click on the Owner value and export the certificate (in this case we use Base64).

Before going on, load the root Server/Domain certificate in your Certificate list, this certificate depends on what you bound as your Domain certificate.

After importing it, save the new STRUST configuration. You’re done with this part.

The previously exported Client SSL certificate can now be uploaded into you SCPI account. The reason is that the SCPI Load Balancer would trust only CA signed Certificates. The list of trusted CA supported by SCPI are listed here Load Balancer Root Certificates Supported by SAP.

Instead, with a Custom Domain correctly set up, you’re the Domain administrator and you can trust your SAP Self-signed Client certificate, no need to pay additional license.

 

Upload the Self-signed Client Certificate to SCPI (Add your CA)

The entity which holds certificates in your SCPI SSL Host is called bundle. The bundle allows you to hold certificates that enables external applications to call your Custom Domain and authenticate themselves against SCPI. One bundle can hold up to 150 certificates.

Run neo-java-web-sdk and add your CA, in this case use the previously created client certificate. Please notice that I’m adding my CA to an existing bundle. If this is the first CA you add, a new bundle will be created automatically.

To display the content of what you’ve just loaded, run the list-cas command as follows.

If it’s the first bundle you create, you must run the set-ssl-host command too afterwards. For more details about this command and its implications, please have a look at this link.

 

Certificate-to-User Mapping

Create a new Certificate-To-User Mapping using the SAP ERP Client SSL certificate created in the first step.

Once you’re in the view, click Add and chose an appropriate username (it doesn’t need to exist in your Subaccount Members). In this demo I use SAPERPUSER. Then choose your SAP ERP SSL Client certificate and click OK.

The result is the following.

Add this user to the ESBMessaging.send role in your subaccount Subscribed Application (you access it from https://ift.tt/1LneY7D).

Proxy Consumer configuration (SOAMANAGER)

In your Consumer Proxy, create a Logical Port (here I’m using the Manual Configuration).

In the Authentication Settings, chose X.509 SSL Client Certificate so to use the security material stored in your STRUST.

Then choose the previously created SSL PSE.

Configure the Transport Setting (url, etc.) in accordance with your SCPI exposed Web Service and save it.

Ping your web service (you might get an error back at this point, this is not necessarily worrying). Then go to the SCPI System Log Files.

Download the first http_access*.log file you find there to verify the user information sent to connect to SCPI.

Here you will see the SAPERPUSER being used to establish the connection and the http status 500 as SOAMANAGER ping result.

After calling the service from SAP backend, the log reports the correct http status 200.

This concludes the demo. Thanks for reading.

from SAP Blogs https://ift.tt/2Dg4RJJ



from WordPress https://ift.tt/2zfbRBX




Comments

Post a Comment

Popular posts from this blog

Add Custom Field in Output of Standard Report of ME2N

Image
Author: Vedarth Desai  A very common requirement from customer is to modify the outputs of standard reports. Here I have tried to explain how to modify the standard report  ME2N  output. Requirement Purchase Documents per Document Number: T-code:  ME2N  is a standard report that retrieves a purchase order details via a document number and other user-defined parameters. Minimum parameters in selection-screen we need to pass are valid  Scope of list  and Either of remaining fields. Scope of List defines the format in which report will get display. In general, Report output looks like below.   Here in this output we need to add one additional column which will display some information as per the requirement.  Here let’s add an extra field/column and display ‘Net Order Value Incl. Tax’.      There are mainly 2 steps to do the modification. Add desired field in Output structure. Write code to populate the value in th...
Read more

UK to Receive Egyptian LNG Cargo

British gas terminal Dragon LNG will receive a liquefied natural gas (LNG) shipment from Egypt at the end of October, LNG World News reported. The cargo is being shipped in the Shell-chartered Maran Gas Spetses which will arrive at Dragon LNG’s Milford Haven terminal on October 31. The gas was shipped from Egypt’s Idku liquefaction plant and was sailing in the Mediterranean Sea on October 24. Shell had increased the amount of natural gas exported from its Idku liquefaction plant to 250 million standard cubic feet per day (mmscf/d), up from 150 mmscf/d in fiscal year (FY) 2016/17, an industry source told Al Borsa in September. The Dutch oil giant’s ownership of the Idku plant has enabled it to export natural gas from its offshore Burullus and Rosetta fields. Shell aims to export a LNG argo every 15 days based on the facility’s current liquefaction capacity, the source added. from News – Egypt Oil & Gas https://ift.tt/2ORNMvH
Read more

HANA Housekeeping using HANACleaner

Image
Purpose The blog provide guidelines on the necessary steps that needs to be followed to automate housekeeping task using SAP HANACleaner script. Background It’s really a good practice to set up housekeeping task from the early stage of your project as there are some task which you know in advance whereas some housekeeping task comes after your production system go-live like Table Growth. This blog demonstrate the steps involved to perform housekeeping for cleanup of backup catalog entries. The idea behind performing this activity is that, with time entries in backup catalog table grows which result in higher data footprint at persistent level results in more memory utilization. So, this is one of many tables on which we can perform housekeeping task and keep it under threshold. Overview This section will provide an overview on what is HANA Catalog and where it used and how to check its size etc. and all the relevant information with respect to backup. Backup Files – Delet...
Read more