
How-To Guide

SAP NetWeaver
Document Version: 1.0 - 2017-02-16

How to configure x.509 authentication for SAP PI Systems to connect to/from SAP Hybris Cloud for Customers
Document History

Document Version | Description
1.0              | First official release of this guide

How to configure x.509 authentication for SAP PI Systems to connect from SAP Cloud for Customers
© 2017 SAP AG or an SAP affiliate company. All rights reserved.

Table of Contents
1 Scenario
2 Background Information
3 Prerequisites
4 Limitation
5 Step-by-Step Procedure
5.1 Export the outbound certificate from communication arrangements on SAP Hybris Cloud for Customers
5.2 Export the root certificate used to sign the SAP Hybris Cloud for Customers x.509 certificate
5.3 Import the root certificate used to sign the SAP Hybris Cloud for Customers certificate
5.3.1 Load certificate into SSL Server standard for ABAP
5.3.2 Load certificate in ICM_SSL_<instanceID>_<port> view for JAVA
5.4 Set the value for VCLIENT on parameter icm/server_port_<xx>
5.5 Adjust logging modules to accept certificates
5.6 Enable mapping client certificates to user IDs in UME
5.7 Maintain user certificate information
5.8 Export client x.509 certificate from inbound communication arrangements from SAP Hybris Cloud for Customers
5.9 Create a view in the Key Storage
5.10 Load certificate into view on NWA
5.11 Adjust PI Receiver communication channel to use certificates

1 Scenario
Use this procedure to configure client certificates for authentication when connecting from
SAP Hybris Cloud for Customers to an on-premise system in an integration scenario.

2 Background Information
Client certificates enable you to authenticate users without a user name and password
being provided as part of the communication arrangement in SAP Hybris Cloud for Customers. With this
method the consumer proxy can connect to the SAP PI SOAP adapter by presenting a client
x.509 certificate.

3 Prerequisites
• The AS Java is configured to support SSL with the given certificates on the on-premise SAP PI system

4 Limitation
This procedure relies on manually storing the certificate so that it can be mapped to the
corresponding user ID in the UME of the on-premise SAP PI system.

5 Step-by-Step Procedure

5.1 Export the outbound certificate from communication arrangements on SAP Hybris Cloud for Customers
1. Log on to SAP Hybris Cloud for Customers using the following URL: http://<hostname>:<port>/

2. Provide the user and password to connect to SAP Hybris Cloud for Customers


3. Open the Administrator work center

4. Click Communication Arrangements under the Integration section

5. Select any of the communication arrangements that are already configured and click Edit to open it
for editing

6. Click the Technical Data tab

7. Under Outbound communication, click the Download button for the Certificate

8. Save the x.509 certificate locally on the computer

5.2 Export the root certificate used to sign the SAP Hybris Cloud for Customers x.509 certificate
1. Open the certificate that was downloaded in the previous step

2. Click on the Certification Path tab

3. Select the root certificate and click the View Certificate button

4. Select the Details tab and click the Copy to File button

5. Click Next

6. Select the option Base-64 encoded X.509 (.CER) and click Next

7. Specify the location where the file will be stored and click Next

8. Click Finish

5.3 Import the root certificate used to sign the SAP Hybris Cloud for Customers certificate
Where the root certificate has to be imported depends on the configuration of the PI system and on
which PSE provider it uses. This is determined by the parameter ssl/pse_provider.
If the parameter ssl/pse_provider is set to ABAP, proceed with section 5.3.1. If it is set to JAVA,
or this is an SAP PI AEX (Java only) system, proceed with section 5.3.2.

5.3.1 Load certificate into SSL Server standard for ABAP


1. Using SAPGUI, log on to the ABAP stack of the SAP PI system and open transaction STRUST

2. Open SSL Server Standard and click the Import button

3. Select the location of the root certificate exported in the previous step and click Continue

4. Click the button “Add to Certificate List”

5. Save the changes

5.3.2 Load certificate in ICM_SSL_<instanceID>_<port> view for JAVA
6. Log on to the NWA of the SAP PI system using the following URL: http://<hostname>:<port>/nwa

7. Click the Configuration tab and then Certificates and Keys

8. Verify whether the root certificate used to sign the SAP Hybris Cloud for Customers x.509 certificate is
already imported into the ICM_SSL_<instanceID>_<port> view within the key storage

9. If the root certificate is not there, import it by clicking Import Entry on the View Entries tab

10. Select the entry type “X.509 Certificate”, then the location of the file that was saved in the previous
step, and click Import

5.4 Set the value for VCLIENT on parameter icm/server_port_<xx>

The VCLIENT setting in the ICM profile tells the ICM how to handle certificates for client
authentication. Adjust the parameter icm/server_port_<xx> for the corresponding SSL port, either with
transaction RZ10 in the case of an SAP PI dual stack, or by editing the instance profile directly in a
file editor for an SAP PI AEX.

Set the profile parameter to use VCLIENT = 1, as in the following example
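
A check for this step, as an added Python example that is not part of the SAP guide: it reads icm/server_port_<xx> lines from an instance profile and reports how each HTTPS port treats client certificates. The profile excerpt, port numbers and status labels are constructed for illustration.

```python
import re

# Constructed sample profile: port numbers and options are illustrative only.
SAMPLE_PROFILE = """\
# instance profile excerpt (constructed)
icm/server_port_0 = PROT=HTTP,PORT=50000,TIMEOUT=60
icm/server_port_1 = PROT=HTTPS,PORT=50001,TIMEOUT=60,VCLIENT=1
icm/server_port_2 = PROT=HTTPS,PORT=50101,TIMEOUT=60,VCLIENT=0
icm/server_port_3 = PROT=HTTPS,PORT=50201,TIMEOUT=60
"""

PORT_LINE = re.compile(r"^\s*icm/server_port_(\d+)\s*=\s*(.+?)\s*$")

# VCLIENT values as documented for the ICM server port options.
VCLIENT_MEANING = {
    "0": "not-requested",   # ICM never asks for a client certificate
    "1": "requested",       # ICM asks; the client may still connect without one
    "2": "required",        # handshake fails without a valid client certificate
}

def parse_server_ports(profile_text):
    """Return {index: {OPTION: value}} for each icm/server_port_<xx> line."""
    ports = {}
    for line in profile_text.splitlines():
        match = PORT_LINE.match(line)
        if not match:          # comments and other parameters are skipped
            continue
        options = {}
        for item in match.group(2).split(","):
            key, _, value = item.partition("=")
            options[key.strip().upper()] = value.strip()
        ports[int(match.group(1))] = options
    return ports

def check_vclient(profile_text):
    """Map each HTTPS port index to its client-certificate behaviour."""
    result = {}
    for index, options in parse_server_ports(profile_text).items():
        if options.get("PROT", "").upper() != "HTTPS":
            continue           # VCLIENT only matters on SSL ports
        value = options.get("VCLIENT")
        if value is None:
            # No VCLIENT option: the port uses the instance-wide default.
            result[index] = "unset"
        else:
            result[index] = VCLIENT_MEANING.get(value, "invalid")
    return result

if __name__ == "__main__":
    for index, status in sorted(check_vclient(SAMPLE_PROFILE).items()):
        print(f"icm/server_port_{index}: client certificate {status}")
```

Only a port reported as "requested" matches the VCLIENT = 1 setting this guide asks for.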

5.5 Adjust logging modules to accept certificates


1. Open the NWA and click the menu Configuration → Security → Authentication and Single Sign-On

2. Click Add to create a new customer policy configuration template

3. Enter the custom name and click Create

4. Select the newly created template and click Edit

5. On the Authentication Stack tab, click Add and add the following login modules

ClientCertLoginModule        SUFFICIENT
EvaluateTicketLoginModule    SUFFICIENT
BasicPasswordLoginModule     REQUISITE
CreateTicketLoginModule      OPTIONAL

6. Verify that the ClientCertLoginModule has the option Rule1.getUserFrom configured with the value
wholeCert

7. Click Save

8. Look for the SOAP adapter by typing *SOAP* in the Policy Configuration Name field, with the Type Web

9. Select the policy sap.com/com.sap.aii.adapter.soap.app*XISOAPAdapter and click Edit

10. Change the Used Template to the one previously created

11. Click Save
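
How the stack from step 5 is evaluated, as an added Python example that is not part of the SAP guide: it applies the standard JAAS control-flag rules to the four modules and shows which of them run for different callers. It assumes the AS Java evaluates the flags with standard JAAS semantics; the scenario names and outcome maps are constructed, and no real login module is invoked.

```python
# Login module stack from step 5, in the order given there: (module, flag).
STACK = [
    ("ClientCertLoginModule", "SUFFICIENT"),
    ("EvaluateTicketLoginModule", "SUFFICIENT"),
    ("BasicPasswordLoginModule", "REQUISITE"),
    ("CreateTicketLoginModule", "OPTIONAL"),
]

def evaluate(stack, outcomes):
    """Apply the JAAS control-flag rules to a stack.

    outcomes maps module name -> True (login succeeded) or False (failed);
    modules missing from the map count as failed.
    Returns (authenticated, modules_that_ran).
    """
    ran = []
    any_success = False
    required_failed = False
    for module, flag in stack:
        ok = bool(outcomes.get(module, False))
        ran.append(module)
        any_success = any_success or ok
        if flag == "SUFFICIENT" and ok and not required_failed:
            break                      # success ends the stack immediately
        if flag in ("REQUIRED", "REQUISITE") and not ok:
            required_failed = True
            if flag == "REQUISITE":
                break                  # failure ends the stack immediately
    return (any_success and not required_failed), ran

# Constructed request scenarios for the SOAP adapter policy.
SCENARIOS = {
    "mapped client certificate": {"ClientCertLoginModule": True},
    "valid logon ticket": {"EvaluateTicketLoginModule": True},
    "no certificate, valid password": {
        "BasicPasswordLoginModule": True, "CreateTicketLoginModule": True},
    "no certificate, wrong password": {},
}

if __name__ == "__main__":
    for name, outcomes in SCENARIOS.items():
        ok, ran = evaluate(STACK, outcomes)
        print(f"{name}: authenticated={ok}, ran={ran}")
```

With this stack a caller that presents no certificate can still log on through BasicPasswordLoginModule, and a successful certificate logon ends the stack before CreateTicketLoginModule runs.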

5.6 Enable mapping client certificates to user IDs in UME
1. Open the NWA and click the menu Configuration → Infrastructure → Java System Properties

2. Click the Service tab

3. Search for the service *user* and select the service User Management Engine

4. Search for the property ume.logon.allow_cert

5. Change the value of the property to “true” by clicking the Modify button, then click Set

6. Click the Save button

7. Restart the JAVA stack

5.7 Maintain user certificate information

1. Connect to the UME on the JAVA stack of SAP PI using the following URL
http://<host>:<port>/useradmin

2. Search for the user that will be used as the service account in PI to connect from SAP Hybris Cloud for
Customers to SAP PI

3. Select the account and click the Certificates tab

4. Click Modify, browse for the certificate that was exported from SAP Hybris Cloud for
Customers, and upload the certificate

5. Once uploaded, click the Save button

5.8 Export client x.509 certificate from inbound communication arrangements from SAP Hybris Cloud for Customers
1. Log on to SAP Hybris Cloud for Customers using the following URL: http://<hostname>:<port>/

2. Provide user and password to connect to SAP Hybris Cloud for Customers

3. Open the Administrator work center

4. Click Communication Arrangements under the Integration section

5. Select any of the communication arrangements that are already configured and click Edit to open it
for editing

6. Click the Technical Data tab

7. Under Inbound communication, click the Edit Credentials button

8. Click the Certificate tab and then click Create and Download Key Pair

9. Select the location where you want to save the key pair and click Save

10. Enter a password to secure the PKCS12 certificate and click OK

11. Click OK

12. Click the Save and Reactivate button to save the communication arrangement

5.9 Create a view in the Key Storage
1. Log on to the NWA of the SAP PI system using the following URL: http://<hostname>:<port>/nwa

2. Click the Configuration tab and then Certificates and Keys

3. Click the Add View button


4. Enter a name and description, and click Create

5.10 Load certificate into view on NWA


5. With the view created in the previous step selected, click Import Entry

6. Select the entry type PKCS#12 Key Pair, select the file and enter the password used when the key pair
was created in SAP Hybris Cloud for Customers, then click Import

5.11 Adjust PI Receiver communication channel to use certificates
1. From the Integration Builder, open every receiver communication channel that points to SAP Hybris
Cloud for Customers and adjust the authentication by checking the option Configure Certificate
Authentication

2. From the dropdown, select the KeyStore Entry that was imported and the KeyStore View created in
the previous steps

3. Save and activate the changes in the communication channel

© 2017 SAP AG or an SAP affiliate company. All rights reserved.


No part of this publication may be reproduced or transmitted in
any form or for any purpose without the express permission of SAP
AG. The information contained herein may be changed without
prior notice.
Some software products marketed by SAP AG and its distributors
contain proprietary software components of other software
vendors. National product specifications may vary.
These materials are provided by SAP AG and its affiliated
companies ("SAP Group") for informational purposes only, without
representation or warranty of any kind, and SAP Group shall not be
liable for errors or omissions with respect to the materials. The
only warranties for SAP Group products and services are those
that are set forth in the express warranty statements
accompanying such
products and services, if any. Nothing herein should be construed
as constituting an additional warranty.
SAP and other SAP products and services mentioned herein as well
as their respective logos are trademarks or registered trademarks
of SAP AG in Germany and other countries.
Please see http://www.sap.com/corporate-en/legal/copyright/index.epx
for additional trademark information and notices.
