How-To Guide SAP Cloud for Customer Document Version: 1.0-2014-03-20 How to Configure SAP HCI basic authentication for SAP Cloud for Customer
Document History Document Version Description 1.0 First official release of this guide Document History 2014 SAP AG or an SAP affiliate company. All rights reserved. 2
Table of Contents 1 Business Scenario... 4 2 Background Information... 4 3 Prerequisites... 4 4 Step-by-Step Procedure... 5 4.1 Installation of SAP Web Dispatcher... Error! Bookmark not defined. 4.2 Update SAP Web Dispatcher Kernel... Error! Bookmark not defined. 4.3 SAP Web Dispatcher SSL Configuration... Error! Bookmark not defined. 4.4 SAP Web Dispatcher Configuration for x.509... Error! Bookmark not defined. 4.5 Add client root certificate from WD into SSL Server Standard.. Error! Bookmark not defined. 4.6 Add Parameters to the SAP ABAP Profile... Error! Bookmark not defined. Table of Contents 2014 SAP AG or an SAP affiliate company. All rights reserved. 3
1 Business Scenario You can now use of the basic authentication connectivity option in SAP HANA Cloud Integration, in addition to the existing certificate based connectivity option, for communicating between your SAP on-premise and SAP Cloud for Customer application. 2 Prerequisites 1. SAP SCN User id/password using http://scn.sap.com 2. Assign roles to User (Raise a CSS ticket in component XX-INT-CLD-HCI-PI) 3. Installation of SAP HANA Cloud Integration Eclipse tooling 4. Use Basic Authentication option when configuring and deploying the iflows 5. Select Basic Authentication option in the sender system(s) configuration 3 Concept Basic authentication for HTTPS-based inbound calls works the following way: 1. The (sender) participant sends a message to SAP HCI. The HTTP header of the message contains user name and password. 2. SAP HCI authenticates itself against the participant when the connection is being set up (SSL handshake). In this case, SAP HCI acts as server (BigIP load balancer) and the SSL handshake is based on certificates. 3. Authentication of the participant: The identity of the participant is checked by SAP HCI evaluating the credentials against the user stored in the SCN data base. 4. Authorization check: The permissions of the sender participant are checked in a subsequent step according to roles assigned to the user. Business Scenario 2014 SAP AG or an SAP affiliate company. All rights reserved. 4
Basic authentication for HTTPS-based outbound calls works the following way: 1. The (sender) participant sends a message from SAP HCI. The HTTP header of the message contains user name and password from the deployed artifact. 2. SAP Cloud for Customer authenticates itself against the participant when the connection is being set up (SSL handshake). In this case, SAP Cloud for Customer acts as server and the SSL handshake is based on certificates. 3. Authentication of the participant: The identity of the participant is checked by SAP Cloud for Customer by evaluating the credentials against the user stored in the Cloud Application certificate store. 4. Authorization check: The permissions of the sender participant are checked in a subsequent step according to roles assigned to the user. 4 Step-by-Step Procedure SAP cloud application Configuration: Enable Basic Authentication in Inbound Communication Arrangement Go to the Communication Arrangements under the Administrator Work center and for the Inbound Request, maintain the password for the generated user. Step-by-Step Procedure 2014 SAP AG or an SAP affiliate company. All rights reserved. 5
SAP HCI Configuration: Create credentials artifact for basic authentication and assign to iflow 1. There is an option to configure basic authentication from HCI to either SAP Cloud for Customers using basic authentication instead of x.509 certificates. For this the first step is to deploy a basic authentication artifact, from Eclipse open the tenant by double clicking in the tenant name from the node explorer section in the integration designer perspective 2. Click in the Deployed Artifacts tab Step-by-Step Procedure 2014 SAP AG or an SAP affiliate company. All rights reserved. 6
3. Click in the Deploy button 4. Select Basic Authentication and click Next 5. Select the Type Default, Enter a name, description, the user ID and password for the user used to connect to the remote system and click Finish Step-by-Step Procedure 2014 SAP AG or an SAP affiliate company. All rights reserved. 7
6. Click OK when it finishes the deployment of the artifact 7. Now this artifact will be showed in the deployed artifacts tab 8. To use the artifact to login to a remote system, we need to configured from within the iflow in the receiver system, open the iflow that needs to be adjusted Step-by-Step Procedure 2014 SAP AG or an SAP affiliate company. All rights reserved. 8
9. Select the connection to the receiver system and double click on it 10. Select the Adapter Specific tab Step-by-Step Procedure 2014 SAP AG or an SAP affiliate company. All rights reserved. 9
11. Select the checkbox option for Connect using Basic Authentication 12. Enter the name of the Basic Authentication artifact that was deployed before Step-by-Step Procedure 2014 SAP AG or an SAP affiliate company. All rights reserved. 10
13. Save and close the iflow. Optional, SAP HCI Configuration: Configure iflow to accept basic authentication 14. In case it is desire to use basic authentication to connect from SAP Cloud for Customers or SAP ERP OnPremise to SAP HCI using basic authentication, this has to be configured within the iflow on the sender system, using Eclipse open the iflow. 15. Select the sender system 16. Select the check box Allow Basic Authentication Step-by-Step Procedure 2014 SAP AG or an SAP affiliate company. All rights reserved. 11
17. Now it is possible to use a valid SCN user that was provided with the required permissions to consume the web service for this specific scenario 18. Save and close the iflow SAP HCI Configuration: Deploy project from Eclipse to SAP Hana Cloud Integration 19. Once the artifact were adjusted we can deploy them to the tenant selecting the artifact (project) and right click on it Step-by-Step Procedure 2014 SAP AG or an SAP affiliate company. All rights reserved. 12
20. Click in the option of Deploy Integration Content Step-by-Step Procedure 2014 SAP AG or an SAP affiliate company. All rights reserved. 13
21. Enter the name of the HCI tenant and click OK 22. Click OK SAP HCI Configuration: Check if the projects got deployed from the Deployed Artifacts 23. From Deployed Artifact tab sort the artifact using the Deployed On column to see the latest deployed artifact Step-by-Step Procedure 2014 SAP AG or an SAP affiliate company. All rights reserved. 14
24. From there you will see all the deployed artifacts and validate that the artifact was deployed. SAP on-premise Configuration: Enable Basic Authentication in HTTP Destinations for External System 25. Go to the Logon and Security tab for each of the HTTP destinations. Repeat the same steps in HCI by deploying a new Basic Authentication artifact with user CODINTG. Step-by-Step Procedure 2014 SAP AG or an SAP affiliate company. All rights reserved. 15
Step-by-Step Procedure 2014 SAP AG or an SAP affiliate company. All rights reserved. 16
www.sap.com/contactsap www.sdn.sap.com/irj/sdn/howtoguides 2014 SAP AG or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/ index.epx for additional trademark information and notices.