SAP NetWeaver
Document Version: 1.0 - 2017-02-16
Document History © 2017 SAP AG or an SAP affiliate company. All rights reserved. 2
Table of Contents
1 Scenario
3 Prerequisites
4 Limitation
1 Scenario
Use this procedure to configure the use of client certificates for authentication when connecting from
SAP Hybris Cloud for Customer to an OnPremise system for an integration scenario.
2 Background Information
Client certificates enable you to authenticate users without a user name and password being
provided as part of the communication arrangement in SAP Hybris Cloud for Customer. With this
method, the consumer proxy can connect to the SAP PI SOAP adapter by presenting a client
X.509 certificate.
3 Prerequisites
The AS Java is configured to support SSL with the given certificates on SAP PI OnPremise.
4 Limitation
This procedure relies on manually storing the certificate so that it can be mapped to the
corresponding user ID in the UME of the SAP PI OnPremise system.
5 Step-by-Step Procedure
2. Provide the user and password to connect to SAP Hybris Cloud for Customer
5. Open any of the already configured communication arrangements for editing by selecting it and
clicking Edit
6. Click the Technical Data tab
7. Under Outbound Communication, click the Download button for the certificate
8. Save the X.509 certificate locally on the computer
5.2 Export the root certificate used to sign the SAP Hybris Cloud for Customer X.509 certificate
1. Open the certificate that was downloaded in the previous step
3. Select the root certificate and click the View Certificate button
4. Select the Details tab and click the Copy to File button
5. Click Next
6. Select the option Base-64 encoded X.509 (.CER) and click Next
7. Specify the location where the file will be stored and click Next
8. Click Finish
5.3 Import the root certificate used to sign the SAP Hybris Cloud for Customer certificate
Where the root certificate has to be imported depends on the configuration of the PI system and on
which PSE provider is used. This is determined by the parameter ssl/pse_provider.
If the parameter ssl/pse_provider is equal to ABAP, proceed with section 5.3.1; if the parameter
ssl/pse_provider is equal to JAVA, or this is an SAP PI AEX (JAVA only), proceed with section 5.3.2.
2. Open the SSL Server Standard and click the Import button
3. Select the location of the root certificate exported in the previous step and click Continue
5.3.2 Load certificate in ICM_SSL_<instanceID>_<port> view for JAVA
6. Log on to the NWA of the SAP PI system using the following URL: http://<hostname>:<port>/nwa
8. Verify whether the root certificate used to sign the SAP Hybris Cloud for Customer X.509 certificate is already
imported into the ICM_SSL_<instanceID>_<port> view within the key storage
9. If the root certificate is not there, it can be imported by clicking Import Entry from the View Entries tab
10. Select the entry type “X.509 Certificate”, then select the location of the file that was saved in the previous
step and click Import
5.4 Set the value for VCLIENT on parameter icm/server_port_<xx>
The VCLIENT option of the ICM profile parameter icm/server_port_<xx> tells the ICM how to behave
with regard to certificates for client authentication. Adjust the parameter icm/server_port_<xx>
for the corresponding SSL port, either with transaction RZ10 in the case of an SAP PI dual stack or
by editing the instance profile directly in a file editor for an SAP PI AEX.
Set the profile parameter to use VCLIENT = 1 like the following example
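A check for this setting, added here as an example and not taken from the original guide: it parses icm/server_port_<xx> lines from an instance profile and lists the HTTPS ports that do not carry an explicit VCLIENT=1. The profile excerpt, port numbers and timeouts are constructed placeholder values, and the function names are hypothetical.

```python
import re

# Constructed instance-profile excerpt (not from the original guide);
# port numbers and timeouts are placeholder values.
SAMPLE_PROFILE = """\
# constructed sample
icm/server_port_0 = PROT=HTTP,PORT=50000,TIMEOUT=60
icm/server_port_1 = PROT=HTTPS,PORT=50001,TIMEOUT=60,VCLIENT=1
icm/server_port_2 = PROT=HTTPS,PORT=50101,TIMEOUT=60
icm/server_port_3 = PROT=HTTPS,PORT=50201,VCLIENT=0
"""

PORT_LINE = re.compile(r"^\s*icm/server_port_(\d+)\s*=\s*(.+?)\s*$")


def parse_server_ports(profile_text):
    """Return {index: {OPTION: value}} for every icm/server_port_<xx> line."""
    ports = {}
    for line in profile_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # skip profile comments
        match = PORT_LINE.match(line)
        if not match:
            continue
        options = {}
        for item in match.group(2).split(","):
            key, sep, value = item.partition("=")
            if sep:
                options[key.strip().upper()] = value.strip()
        ports[int(match.group(1))] = options
    return ports


def https_ports_missing_vclient(profile_text, expected="1"):
    """List (index, port, vclient) for HTTPS ports without an explicit VCLIENT=<expected>."""
    findings = []
    for index, opts in sorted(parse_server_ports(profile_text).items()):
        if opts.get("PROT", "").upper() != "HTTPS":
            continue
        vclient = opts.get("VCLIENT")  # None when the option is absent
        if vclient != expected:
            findings.append((index, opts.get("PORT"), vclient))
    return findings


if __name__ == "__main__":
    for index, port, vclient in https_ports_missing_vclient(SAMPLE_PROFILE):
        print(f"icm/server_port_{index} (port {port}): VCLIENT={vclient}")
```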
3. Enter the custom name and click Create
5. Under the Authentication Stack tab, click Add and add the following login modules
ClientCertLoginModule SUFFICIENT
EvaluateTicketLoginModule SUFFICIENT
BasicPasswordLoginModule REQUISITE
CreateTicketLoginModule OPTIONAL
6. Verify that the ClientCertLoginModule has the option Rule1.getUserFrom configured with the value
wholeCert
7. Click Save
8. Look for the SOAP adapter by typing *SOAP* in the Policy Configuration Name and with the Type Web
9. Select the policy sap.com/com.sap.aii.adapter.soap.app*XISOAPAdapter and click Edit
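What the flags in the login module stack from step 5 mean for a caller, as an added example that is not part of the original guide. It assumes the AS Java applies the standard JAAS control-flag semantics; the function name and the per-module outcome dictionaries are constructed for illustration.

```python
# Login module stack as listed in step 5: (module name, control flag).
STACK = [
    ("ClientCertLoginModule", "SUFFICIENT"),
    ("EvaluateTicketLoginModule", "SUFFICIENT"),
    ("BasicPasswordLoginModule", "REQUISITE"),
    ("CreateTicketLoginModule", "OPTIONAL"),
]


def evaluate_stack(stack, outcomes):
    """Apply standard JAAS control-flag rules (assumed to match AS Java).

    outcomes maps module name -> True (module succeeded) or False (failed);
    a missing entry counts as failed.
    Returns (authenticated, [modules that were invoked]).
    """
    invoked = []
    mandatory_failed = False   # a REQUIRED or REQUISITE module has failed
    any_success = False
    for name, flag in stack:
        ok = outcomes.get(name, False)
        invoked.append(name)
        any_success = any_success or ok
        if flag == "SUFFICIENT" and ok and not mandatory_failed:
            return True, invoked          # success here ends the stack early
        if flag in ("REQUIRED", "REQUISITE") and not ok:
            mandatory_failed = True
            if flag == "REQUISITE":
                break                     # REQUISITE failure stops the stack
    return (not mandatory_failed) and any_success, invoked


# Constructed scenarios: which modules would succeed for each kind of caller.
SCENARIOS = {
    "mapped client certificate presented": {"ClientCertLoginModule": True},
    "no certificate, valid user and password": {
        "BasicPasswordLoginModule": True,
        "CreateTicketLoginModule": True,
    },
    "no certificate, wrong password": {},
}


def run_scenarios():
    """Evaluate every constructed scenario against the stack from step 5."""
    return {label: evaluate_stack(STACK, outcome) for label, outcome in SCENARIOS.items()}


if __name__ == "__main__":
    for label, (ok, invoked) in run_scenarios().items():
        print(f"{label}: authenticated={ok}, invoked={invoked}")
```

Under these semantics the second scenario authenticates through BasicPasswordLoginModule, so with this stack a caller that presents no certificate can still log on with a user name and password.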
5.6 Enable mapping client certificates to user IDs in UME
1. Open the NWA and click the menu Configuration > Infrastructure > Java System Properties
3. Search for the service *user* and select the service User Management Engine
5. Change the value of the property to “true” by clicking the Modify button, then click Set
6. Click the Save button
1. Connect to the UME on the JAVA stack of SAP PI using the following URL
http://<host>:<port>/useradmin
2. Search for the user that will be used as service account in PI to connect from SAP Hybris Cloud for
Customer to SAP PI
4. Click Modify, browse for the certificate that was exported from SAP Hybris Cloud for
Customer and upload the certificate
2. Provide the user and password to connect to SAP Hybris Cloud for Customer
4. Click Communication Arrangements under the Integration section
5. Open any of the already configured communication arrangements for editing by selecting it and
clicking Edit
6. Click the Technical Data tab
8. Click the Certificate tab and then click Create and Download Key Pair
9. Select the location where you want to save the key pair and click Save
11. Click OK
12. Click the Save and Reactivate button to save the communication arrangement
5.9 Create a view in the Key Storage
1. Log on to the NWA of the SAP PI system using the following URL: http://<hostname>:<port>/nwa
4. Enter a name and description, then click Create
6. Select the entry type PKCS#12 Key Pair, select the file and enter the password used when the key pair
was created in SAP Hybris Cloud for Customer, then click Import
2. From the dropdown, select the KeyStore Entry that was imported and the KeyStore View created in
the previous steps
www.sap.com/contactsap
www.sdn.sap.com/irj/sdn/howtoguides