How-To Guide
SAP Cloud for Customer
Document Version: 2.0-2014-04-23

How to Configure SAP HCI Basic Authentication for SAP Cloud for Customer

Document History

Document Version    Description
1.0                 First official release of this guide

How to Configure SAP Web Dispatcher as Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI
2014 SAP AG or an SAP affiliate company. All rights reserved.

Table of Contents

1 Business Scenario
2 Prerequisites
3 Concept
4 Step-by-Step Procedure
4.1 Configure Basic Authentication for an Integration Flow where SAP ERP is the Sender and SAP Cloud for Customer is the Receiver
    SAP Cloud for Customer Configuration: Enable Basic Authentication in Inbound Communication Arrangement
    SAP On-Premise Configuration: Enable Basic Authentication in HTTP Destinations for External System
    SAP HCI Configuration: Configure the Sender Application to use Basic Authentication
    SAP HCI Configuration: Deploy Cloud Credential Artifacts
    SAP HCI Configuration: Configure the Receiver Application to Use Basic Authentication
    SAP HCI Configuration: Deploy project from Eclipse to SAP Hana Cloud Integration
    SAP HCI Configuration: Check if the projects got deployed from the Deployed Artifacts
4.2 Configure Basic Authentication for an Integration Flow where SAP Cloud for Customer is the Sender and SAP ERP is the Receiver
    SAP HCI Configuration: Configure the Sender Application to use Basic Authentication
    SAP HCI: Deploy ERP Credential Artifacts
    SAP HCI Configuration: Configure the Receiver Application to Use Basic Authentication
    SAP HCI and SAP ERP: Establish trust

1 Business Scenario

You can now use the basic authentication connectivity option in SAP HANA Cloud Integration, in addition to the existing certificate-based connectivity option, for communication between your SAP on-premise and SAP Cloud for Customer applications.

2 Prerequisites

1. SAP SCN user ID/password using http://scn.sap.com.
2. Assign role to enable Basic Authentication (raise a CSS ticket in component LOD-HCI to assign role esbmessaging.send).
3. Installation of SAP HANA Cloud Integration Eclipse tooling.
4. End points for services are maintained (described in integration configuration guides and other C4C HCI guides).

3 Concept

To establish basic authentication, it is necessary to consider two aspects:
a. SSL trust between servers
b. Basic Authentication setting for client authentication
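
Why both aspects are needed together, shown as an added example that is not part of the original guide: the Basic Authentication header is only Base64-encoded, so anyone who can read the request recovers the password, and the SSL connection is what keeps it confidential. The function names and the sample user and password are constructed for illustration.

```python
import base64
import hmac


def build_basic_header(user, password):
    """Sender side: value of the HTTP Authorization header (RFC 7617)."""
    if ":" in user:
        raise ValueError("user name must not contain ':'")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic_header(value):
    """Receiver side, or any party that can read the request: recover the credentials."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        raise ValueError("not a Basic Authorization header")
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError as exc:  # covers bad Base64 and bad UTF-8
        raise ValueError("malformed Basic credentials") from exc
    # Split on the first colon only: the password itself may contain ':'.
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password


def credentials_match(value, user, password):
    """Check a received header against the stored user without leaking timing."""
    try:
        got_user, got_password = parse_basic_header(value)
    except ValueError:
        return False
    user_ok = hmac.compare_digest(got_user.encode("utf-8"), user.encode("utf-8"))
    pw_ok = hmac.compare_digest(got_password.encode("utf-8"), password.encode("utf-8"))
    return user_ok and pw_ok


# Constructed sample values, not real accounts.
SAMPLE_USER = "EXAMPLE_SCN_USER"
SAMPLE_PASSWORD = "example:Passw0rd"
SAMPLE_HEADER = build_basic_header(SAMPLE_USER, SAMPLE_PASSWORD)

if __name__ == "__main__":
    print(SAMPLE_HEADER)
    print(parse_basic_header(SAMPLE_HEADER))  # the password comes straight back out
```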

Basic authentication for HTTPS-based inbound calls works the following way:
1. The (sender) participant sends a message to SAP HCI. The HTTP header of the message contains user name and password.
2. SAP HCI authenticates itself against the participant when the connection is being set up (SSL handshake). In this case, SAP HCI acts as server (BigIP load balancer) and the SSL handshake is based on certificates.
3. Authentication of the participant: The identity of the participant is checked by SAP HCI evaluating the credentials against the user stored in the SCN database.
4. Authorization check: The permissions of the sender participant are checked in a subsequent step according to roles assigned to the user.

Basic authentication for HTTPS-based outbound calls works the following way:
1. The (sender) participant sends a message from SAP HCI. The HTTP header of the message contains user name and password from the deployed artifact.
2. SAP Cloud for Customer authenticates itself against the participant when the connection is being set up (SSL handshake). In this case, SAP Cloud for Customer acts as server and the SSL handshake is based on certificates.
3. Authentication of the participant: The identity of the participant is checked by SAP Cloud for Customer by evaluating the credentials against the user stored in the Cloud Application certificate store.
4. Authorization check: The permissions of the sender participant are checked in a subsequent step according to roles assigned to the user.

The following diagram is a brief summary of which users are used when, and of the major steps this guide covers.

4 Step-by-Step Procedure

This step-by-step procedure describes the steps required when the integration flow is from on-premise to cloud, and the steps required when the communication is from cloud to on-premise. The example used is SAP ERP to SAP Cloud for Customer and SAP Cloud for Customer to SAP ERP. The steps are the same when using SAP CRM.

4.1 Configure Basic Authentication for an Integration Flow where SAP ERP is the Sender and SAP Cloud for Customer is the Receiver

The following steps describe what must be done for an integration flow that uses basic authentication from SAP ERP to HCI and from HCI to SAP Cloud for Customer.

SAP Cloud for Customer Configuration: Enable Basic Authentication in Inbound Communication Arrangement

1. Go to the Communication Arrangements under the Administrator work center and, for the Inbound Request, maintain the password for the generated user.

SAP On-Premise Configuration: Enable Basic Authentication in HTTP Destinations for External System

2. In transaction code SM59 of your on-premise application (RFC Destinations), go to the Logon and Security tab for each of the HTTP destinations. Set the user ID to be the SCN user ID created as described in the prerequisites.
3. Repeat the same steps, entering the SCN user ID in the user field, for all outbound destinations from SAP ERP.

SAP HCI Configuration: Configure the Sender Application to use Basic Authentication

4. Basic authentication requires Eclipse for the configuration. Open the integration flow. In this example we will use the integration flow for SAP ERP to SAP Cloud for Customer material replication.
5. Select the sender system.
6. Select the check box Basic Authentication.
7. Save the iflow. Note that the SCN user ID is not used in the iflow; it is only configured in SAP ERP in the HTTP RFC destination.

SAP HCI Configuration: Deploy Cloud Credential Artifacts

In order to use basic authentication in HCI for integration flows that are from SAP ERP to SAP Cloud for Customer, the SCN user ID is used for ERP to HCI. For HCI to the cloud, the cloud user ID is used. The credentials for SAP Cloud for Customer need to be deployed to HCI.

8. In Eclipse, go to the Integration Operations perspective and double-click the runtime node.
9. Click the Deployed Artifacts tab.
10. Click the Deploy button.
11. Select Basic Authentication and click Next.
12. Select the Type Default, and enter a Name, a Description, and the User and Password for the user used to connect to SAP Cloud for Customer.
13. Click OK when the deployment of the artifact finishes.
14. The artifact is now shown in the Deployed Artifacts tab.

SAP HCI Configuration: Configure the Receiver Application to Use Basic Authentication

15. So far you have configured the sender (ERP) to use basic authentication and you have deployed the user credential for SAP Cloud for Customer to HCI. In order to use the artifact to log in to SAP Cloud for Customer, open the integration flow.
16. Select the connection to the receiver system and double-click it.
17. Select the Adapter Specific tab.
18. Select the checkbox option for Connect using Basic Authentication.
19. Enter the name of the Basic Authentication artifact that was previously deployed.
20. Save and close the iflow.

SAP HCI Configuration: Deploy project from Eclipse to SAP Hana Cloud Integration

21. Now that both the sender and the receiver are configured to use basic authentication, you can deploy the iflow.
22. Click the option Deploy Integration Content.
23. Enter the name of the HCI tenant and click OK.
24. Click OK.

SAP HCI Configuration: Check if the projects got deployed from the Deployed Artifacts

25. Using the Integration Operations perspective, open the Deployed Artifacts tab and sort the artifacts by the Deployed On column to see the latest deployed artifact.
26. From there you will see all the deployed artifacts and validate that the artifact was deployed.

Congratulations! You have now configured and deployed an iflow that uses basic authentication when sending a message from SAP ERP to SAP Cloud for Customer!

4.2 Configure Basic Authentication for an Integration Flow where SAP Cloud for Customer is the Sender and SAP ERP is the Receiver

The following steps describe the required configuration to use basic authentication for integration flows where SAP Cloud for Customer is the sender and SAP ERP is the receiver.

SAP HCI Configuration: Configure the Sender Application to use Basic Authentication

1. In this example for cloud to on-premise, we will use the customer master replication from SAP Cloud for Customer to SAP ERP. The steps for the configuration of the sender application are the same. You select the basic authentication option for the sender application and save the iflow.

SAP HCI: Deploy ERP Credential Artifacts

2. Deploying the ERP credentials is the same as described in the previous section SAP HCI Configuration: Deploy Cloud Credentials. You can use the steps described previously; the difference is that the information you provide is for the ERP system, using the technical user (for example, CODINTG).

SAP HCI Configuration: Configure the Receiver Application to Use Basic Authentication

3. The next step is to configure the receiver application for basic authentication. Here the steps are also the same for both directions. The only difference is that you provide the deployed artifact for the ERP system.
4. Once this is completed you can save and deploy your iflow.

SAP HCI and SAP ERP: Establish trust

For HCI to communicate with on-premise, trust needs to be established, even when basic authentication is used. This requires exporting the server certificate from HCI and importing it into STRUST. This will most likely need to be performed by a BASIS administrator.

5. To establish trust between SAP HCI and SAP ERP or SAP CRM, open a web browser and enter the URL of the worker node that was provided in the onboarding email, adding the path /cxf at the end, for example https://<host>:<port>/cxf
Note: We recommend you do this in Google Chrome.
HINT: You can get the URL of your worker node from the Integration Operations perspective. Double-click on the IFLMAP node and copy the Dispatcher URL.
6. Once you enter the URL (recommended to do this in Google Chrome), click the lock icon at the left of the URL and then click Certificate information.
7. From the Certification Path, select the first root certificate, Baltimore CyberTrust Root, and click View Certificate.
8. Click the Details menu and then click the Copy to file button.
9. Click Next.
10. Select Base-64 encoded X.509 (.CER) and click Next.
11. Select the location of the file and click Next.
12. Click Finish.
13. Follow the above steps for the second root certificate, Cybertrust Public SureServer SV CA.
14. Log in to SAP ERP and go to transaction code STRUST.
15. Open the "SSL Client SSL client Standard" PSE.
16. In the Certificate area, click the Import Certificate button.
17. Depending on the format of the certificate, select either Binary or Base64 and find the root certificate used to sign the HCI SSL server certificate (import the two certificates that were saved in the previous steps).
18. Add the imported certificate to the certificate list by clicking the Add to Certificate List button.
19. Repeat the previous two steps for the second root certificate, and save the changes.

Congratulations! You have now configured SAP HANA Cloud Integration basic authentication for use with SAP Cloud for Customer!
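
A check that can be run on the exported certificate files before they are imported into STRUST, shown as an added example that is not part of the original guide. It computes the SHA-256 fingerprint of a file in either export format (Base-64 or Binary) for comparison with the fingerprint the certificate authority publishes; the function names are hypothetical and the sample bytes are constructed placeholders, not a real certificate.

```python
import hashlib
import ssl

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def load_der(data):
    """Return the DER bytes of an exported certificate file's content.

    Accepts both formats offered by the export and import dialogs:
    Base-64 encoded X.509 (PEM text) and Binary (raw DER).
    """
    text = data.lstrip()
    if text.startswith(PEM_HEADER):
        return ssl.PEM_cert_to_DER_cert(text.decode("ascii"))
    if data[:1] != b"\x30":  # a DER certificate starts with an ASN.1 SEQUENCE tag
        raise ValueError("neither a Base-64 nor a binary certificate")
    return data


def sha256_fingerprint(data):
    """Lower-case hex SHA-256 over the DER encoding, the same for both formats."""
    return hashlib.sha256(load_der(data)).hexdigest()


def normalise(fingerprint):
    """Accept 'AA:BB:..', 'aa bb ..' or plain hex as published by a CA."""
    return fingerprint.replace(":", "").replace(" ", "").lower()


def matches_published(data, published_fingerprint):
    """True only if the exported file is byte-for-byte the published certificate."""
    return sha256_fingerprint(data) == normalise(published_fingerprint)


# Constructed placeholder bytes standing in for an exported root certificate.
SAMPLE_DER = bytes([0x30, 0x10]) + bytes(range(16))
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)
# Constructed stand-in for the value a CA would publish (colon-separated hex).
_hex = hashlib.sha256(SAMPLE_DER).hexdigest().upper()
SAMPLE_PUBLISHED = ":".join(_hex[i:i + 2] for i in range(0, 64, 2))

if __name__ == "__main__":
    print(sha256_fingerprint(SAMPLE_PEM.encode("ascii")))
    print(matches_published(SAMPLE_DER, SAMPLE_PUBLISHED))
```

In practice, read each exported .CER file with open(path, "rb").read() and pass the fingerprint obtained from the certificate authority through a separate channel.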

www.sap.com/contactsap
www.sdn.sap.com/irj/sdn/howtoguides

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.