Principal Propagation Setup for HTTPS and RFC (SNC) Protocol from SAP BTP to S/4HANA
In this blog, we’ll walk through how to configure Principal Propagation from SAP Business Technology Platform (BTP) to an on-premises S/4HANA system, using SAP Cloud Connector and SAP Web Dispatcher. We are configuring principal propagation to an S/4HANA system for HTTPS communication and RFC communication using SNC.
References
https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/configuring-principal-propagation
About
Principal propagation is the secure process of forwarding a cloud user’s identity from a cloud environment to an on-premise system, enabling single sign-on (SSO) and ensuring the user’s personal authorizations apply. It relies on a trusted relationship between the cloud and on-premises systems, using mechanisms like JSON Web Tokens (JWTs) or certificates to pass the user’s context unchanged, allowing the backend system to recognize the individual user and their permissions.
Scenario: Cloud to On-Premises
1. A user logs in to the cloud application. Its identity is established by an identity provider (this can be the default IdP for the subaccount or another trusted IdP).
2. The cloud application then uses a user exchange token (or a designated secondary header) to propagate the user to the Connectivity service. Optionally, the application may use the Destination service to externalize the connection configuration that points to the target on-premise system.
3. The Connectivity service forwards the JWT (that represents the user) to the Cloud Connector.
4. The Cloud Connector receives the JWT, verifies it, extracts the attributes, and uses its STS (security token service) component to issue a new token (for example, an X.509 certificate) with the same or similar attributes to assert the identity to the backend (BE1-BEm). The Cloud Connector and the cloud application share the same trust settings.
5. The Cloud Connector sends the new token (for example, an X.509 certificate) to the backend system.
Pre-requisite
- Ensure that the SAP Cloud Connector (SCC) is installed and its initial setup has been completed. Refer to the SAP Help documentation.
- The Cloud Connector should be connected to your SAP BTP subaccount by adding the subaccount details within the SCC. Refer to the SAP Help documentation.
- Additionally, trust must be established between your subaccount and the SAP Cloud Identity Services tenant. This trust setup allows integration with any corporate identity provider and is essential for enabling Single Sign-On (SSO) in your cloud application. Refer to the SAP Help documentation.
Configuration Steps
| Steps | Action Items |
| --- | --- |
| 1 | Configure Principal Propagation to an ABAP System for HTTPS |
| 1.1 | Generate Certificates in SAP Cloud Connector (SCC) |
| 1.2 | Add Certificates to the SCC Trust Store |
| 1.3 | Synchronize the cloud trust with Subaccount IDP |
| 1.4 | Configure SAP S/4HANA for Principal Propagation (HTTPS) |
| 2 | Configure SAP Web Dispatcher for Principal Propagation |
| 2.1 | Import Certificates into SAP Web Dispatcher |
| 2.2 | Maintain Required Parameters in Web Dispatcher |
| 3 | Configure Principal Propagation to an ABAP System for RFC using SNC |
| 3.1 | PSE Setup in SAP Cloud Connector for SNC |
| 3.2 | Configure the S/4HANA System for RFC SNC Propagation |
| 4 | Create System Mappings in SAP Cloud Connector |
| 4.1 | Map HTTPS Connections to SAP Web Dispatcher |
| 4.2 | Map RFC SNC Connections to S/4HANA Backend |
| 5 | Create Destination in SAP BTP subaccount for HTTPS and RFC SNC scenario |
Step 1: Configure Principal Propagation to an ABAP System for HTTPS
Step 1.1: Generate Certificates in SAP Cloud Connector (SCC)
We must configure the following certificates in Cloud Connector:
- System Certificate
- CA Certificate
- User Certificate (Subject Pattern for Principal Propagation)
Note: It is recommended to use signed certificates. Self-signed certificates will also work.
Generating System Certificate
To configure the System Certificate, go to Configuration → On Premise → System Certificate → Create and import a self-signed certificate. Fill in the required details in the pop-up window. The Common Name (CN) represents the server’s name protected by the SSL certificate.
Generating CA Certificate
A CA certificate signs all the certificates that are used when a request is forwarded from the Cloud with the Cloud principals.
To create the CA certificate, scroll down to the corresponding section and click on the “Create and import a self-signed certificate” button.
Generating User Certificate
This sample certificate is used to define the rules in the S/4HANA system in transaction CERTRULE.
Scroll down to the principal propagation section and edit the Subject Pattern. Select the Subject Pattern from the list to assert the user IDs. For example, select ${email} to assert the user against the user’s mail address propagated from the Cloud.
Click on the Create Sample Certificate button.
Choose an email that already exists on the backend system. Please remember that this is only a sample certificate and will be used to create a rule-based mapping on the backend AS ABAP system.
Step 1.2: Add Certificates to the SCC Trust Store
Add the following certificates to the trust store:
- S/4HANA SSL server standard certificate
- Web Dispatcher server certificate
Step 1.3: Synchronize the cloud trust with Subaccount IDP
By default, the Cloud Connector does not trust any entities that issue tokens for principal propagation. For this reason, we must establish trust between the Cloud Connector and the IdP of your subaccount on BTP.
Navigate to “Cloud to On-Premise” and select the Principal Propagation tab. Click Synchronize; this populates the trust configuration.
Step 1.4: Configure SAP S/4HANA for Principal Propagation (HTTPS)
Now we will do the required configuration in the ABAP system.
Step 1.4.a: Import Certificates into the ABAP SSL Server Standard (Transaction: STRUST)
The following certificates need to be imported:
- Cloud Connector system certificate, imported into the S/4HANA SSL server standard PSE
- Web Dispatcher client certificate, imported into the S/4HANA SSL server standard PSE
Step 1.4.b: Define Rule-Based Mapping with User Certificate (Transaction: CERTRULE)
Click on the “Import Certificate” button to import the user certificate that was downloaded from the Cloud Connector. In “Certificate Attr.”, choose your attribute mapping from the drop-down menu. In “Login As”, select E-Mail and press Enter.
Once you save your new rule you should see a similar screen as below where the “Mapping Status” and “User Status” are both green.
Step 1.4.c: Maintain Reverse Proxy and other parameters in the Default Profile (Transaction: RZ10)
Copy the subject and issuer values from the Web Dispatcher client certificate and the Cloud Connector system certificate, and maintain them in the following parameter:
icm/trusted_reverse_proxy_<x> = SUBJECT="<subject>", ISSUER="<issuer>"
- Select a free index for <x>.
- <subject> is the subject of the certificate (example data: CN=SCC, OU=BTP Scenarios, O=Trust Community, C=DE).
- <issuer> is the issuer of the certificate (example data: CN=MyCompany CA, O=Trust Community, C=DE).
Example: icm/trusted_reverse_proxy_2 = SUBJECT="CN=SCC, OU=BTP Scenarios, O=Trust Community, C=DE", ISSUER="CN=MyCompany CA, O=Trust Community, C=DE"

| Parameter name | Value |
| --- | --- |
| icm/trusted_reverse_proxy_0 | Copy subject and issuer values from the Web Dispatcher client certificate |
| icm/trusted_reverse_proxy_1 | Copy subject and issuer values from the Cloud Connector system certificate |
| login/certificate_mapping_rulebased | 1 |
| icm/HTTPS/verify_client | 1 |
Step 1.4.d: Set Logon Procedure to “Required with SSL Certificate” for Relevant SICF Services
To access ICF services via certificate logon, make sure that all required ICF services allow Logon Through SSL Certificate as logon method.
Step 2: Configure SAP Web Dispatcher for Principal Propagation
If you are using an intermediate SAP Web Dispatcher to connect to your ABAP backend system, you must set up a trust chain between the involved components: Cloud Connector, SAP Web Dispatcher, and ABAP backend system.
We need to configure SAP Web Dispatcher to trust the Cloud Connector’s certificate for identity propagation. Parameters and certificates need to be added.
Make sure your SAP Web Dispatcher supports SSL and that it is configured to forward SSL certificates for X.509 authentication. Refer to the SAP Help documentation for the pre-requisites.
Step 2.1: Import Certificates into SAP Web Dispatcher
The following certificates need to be added to the Web Dispatcher PSEs:
- Cloud Connector CA certificate in the Web Dispatcher server standard PSE (SAPSSLS.pse)
- S/4HANA SSL server standard certificate in the Web Dispatcher client PSE (SAPSSLC.pse)
Step 2.2: Maintain Required Parameters in Web Dispatcher
Create the icm/trusted_reverse_proxy_<x> parameters in the same way as in Step 1.4.c.

| Parameter name | Value |
| --- | --- |
| icm/trusted_reverse_proxy_0 | Copy subject and issuer values from the Cloud Connector CA certificate |
| icm/trusted_reverse_proxy_1 | Copy subject and issuer values from the S/4HANA SSL server standard certificate |
Make sure the icm/HTTPS/verify_client parameter is set to 1 (request certificate) or 2 (require certificate). If it is set to 0, trust cannot be established. The default value is 1, so it is OK if the parameter is not set at all.
Your HTTPS Principal Propagation configuration is now complete for the scenario where a Web Dispatcher is used as an intermediary between the Cloud Connector and the ABAP backend system.
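A sanity check for the profile parameters from Steps 1.4.c and 2.2, as an added example that is not part of the original post or of SAP's tooling: it reads a profile as text and reports entries that do not follow the SUBJECT="...", ISSUER="..." form, an index used twice, verify_client set to 0, and missing rule-based mapping. The function names, the abap_backend flag, the finding codes and the CN=WEBDISP subject are assumptions made for the illustration.

```python
import re

# Form given in Step 1.4.c: SUBJECT="<subject>", ISSUER="<issuer>", straight quotes.
PROXY_NAME = re.compile(r"^icm/trusted_reverse_proxy_(\d+)$")
PROXY_VALUE = re.compile(r'^SUBJECT="([^"]+)",\s*ISSUER="([^"]+)"$')
TYPOGRAPHIC_QUOTES = "\u201c\u201d\u201e"  # curly quotes from web pages or office tools

# Constructed sample profile, not taken from a real system. CN=WEBDISP is a
# made-up Web Dispatcher subject; the other DNs are the post's example data.
SAMPLE_PROFILE = """\
# trusted reverse proxies for certificate forwarding
icm/trusted_reverse_proxy_0 = SUBJECT="CN=WEBDISP, O=Trust Community, C=DE", ISSUER="CN=MyCompany CA, O=Trust Community, C=DE"
icm/trusted_reverse_proxy_1 = SUBJECT=”CN=SCC, OU=BTP Scenarios, O=Trust Community, C=DE”, ISSUER=”CN=MyCompany CA, O=Trust Community, C=DE”
icm/trusted_reverse_proxy_0 = SUBJECT="CN=SCC, OU=BTP Scenarios, O=Trust Community, C=DE", ISSUER="CN=MyCompany CA, O=Trust Community, C=DE"
login/certificate_mapping_rulebased = 1
icm/HTTPS/verify_client = 0
"""


def parse_profile(text):
    """Yield (line_no, name, value) for every 'name = value' line, skipping comments."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        yield line_no, name.strip(), value.strip()


def check_profile(text, abap_backend=True):
    """Return a list of (code, line_no, detail); an empty list means nothing was found.

    abap_backend=True also expects login/certificate_mapping_rulebased = 1
    (Step 1.4.c); pass False for a Web Dispatcher profile (Step 2.2).
    """
    findings = []
    seen_index = {}   # proxy index -> line where it was first defined
    params = {}       # parameter name -> (line_no, value), last definition kept

    for line_no, name, value in parse_profile(text):
        params[name] = (line_no, value)
        match = PROXY_NAME.match(name)
        if not match:
            continue
        index = int(match.group(1))
        if index in seen_index:
            findings.append(("DUPLICATE_INDEX", line_no,
                             f"index {index} already defined on line {seen_index[index]}"))
        else:
            seen_index[index] = line_no
        if any(q in value for q in TYPOGRAPHIC_QUOTES):
            findings.append(("TYPOGRAPHIC_QUOTES", line_no,
                             "value contains curly quotes; retype them as straight quotes"))
        elif not PROXY_VALUE.match(value):
            findings.append(("MALFORMED_VALUE", line_no,
                             'expected SUBJECT="<subject>", ISSUER="<issuer>"'))

    if not seen_index:
        findings.append(("NO_TRUSTED_PROXY", 0,
                         "no icm/trusted_reverse_proxy_<x> entry found"))

    # The post states that the default is 1, so an unset parameter is accepted.
    line_no, verify = params.get("icm/HTTPS/verify_client", (0, "1"))
    if verify not in ("1", "2"):
        findings.append(("VERIFY_CLIENT", line_no,
                         f"icm/HTTPS/verify_client = {verify}; use 1 or 2"))

    if abap_backend:
        line_no, rule = params.get("login/certificate_mapping_rulebased", (0, None))
        if rule != "1":
            findings.append(("RULEBASED_MAPPING", line_no,
                             "login/certificate_mapping_rulebased is not set to 1"))
    return findings


if __name__ == "__main__":
    for code, line_no, detail in check_profile(SAMPLE_PROFILE):
        print(f"line {line_no}: {code}: {detail}")
```

A line number of 0 in a finding means the parameter is absent from the profile rather than set incorrectly.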
Step 3: Configure Principal Propagation to an ABAP System for RFC using SNC
For enabling Principal Propagation over RFC using Secure Network Communication (SNC), follow the steps below.
If you’ve already configured HTTPS-based principal propagation on the same S/4HANA system, steps such as certificate generation, trust setup, and user mapping (via STRUST and CERTRULE) may have already been completed. You only need to ensure the SNC-specific configurations.
Make sure the SNC setup on the ABAP system is already in place. Ensure that the SAP Cryptographic Library is installed on the Cloud Connector as a pre-requisite.
Note: It is important that you use the same SNC implementation on both communication sides. When using the SAP Cryptographic Library, it is recommended that you use an ABAP system SNC identity and a Cloud Connector system identity signed by the same CA for mutual authentication.
Step 3.1: PSE Setup in SAP Cloud Connector for SNC
Step 3.1.a: Log in to the SCC host at OS level, then download and extract the SAP Cryptographic Library. You can refer to the SAP Help documentation.
Step 3.1.b: Ensure that the environment variables SECUDIR and SNC_LIB are set.
Step 3.1.c: Create the SNC PSE at OS level. Navigate to the Crypto path and execute the commands below.
You can refer to the SAP Help documentation and the note below.
2642538 – How to enable SNC from external programs to ABAP using SAP RFC Connectors
To create the SNC PSE: sapgenpse gen_pse -p SCC.pse "CN=SCC, OU=<name>, O=<name>, C=<name>"
It is recommended that you have the CSR of the PSE signed by a trusted CA and then import the signed certificate. Self-signed will also work.
Import the signed certificate: sapgenpse import_own_cert -p SCC.pse -x <pin> -c SCC.cer -r <RootCA>.cer
Create credentials for the SNC PSE: sapgenpse seclogin -p SCC.pse -O <sccuser>
Note: sccuser is the user under which the Cloud Connector is running.
Add the ABAP SNC certificate to the Cloud Connector PSE (download it from S/4HANA, STRUST –> SNC): sapgenpse maintain_pk -p SCC.pse -a S4HANA.cer
Step 3.1.d: Restart the Cloud Connector. The SNC SECUDIR parameter will then appear in the Configuration tab of the Cloud Connector UI (we need to provide the Library Path and My Name details).
Once you have created the SNC PSE and imported the required certificates into it, restart the Cloud Connector and log in to the Cloud Connector UI to define the SNC name.
Step 3.2: Generate Certificates in Cloud Connector
(This step is identical to the HTTPS scenario Step 1.1. You may skip it if the certificates were already generated during the HTTPS setup.)
Step 3.3: Add Certificates to the Trust Store in SCC
(This step is identical to the HTTPS scenario Step 1.2. The S/4HANA SSL server standard certificate needs to be added.)
Step 3.4: Synchronize Cloud Trust with Subaccount Identity Provider (IdP)
(This step is identical to the HTTPS scenario Step 1.3. You can skip this step if already done.)
Step 3.5: Configure the S/4HANA System for RFC SNC Propagation
Step 3.5.a: Import Certificates into the SSL Server Standard (Transaction: STRUST)
The following certificates need to be added:
- Cloud Connector system certificate, imported into the S/4HANA SSL server standard PSE
- Cloud Connector SNC PSE certificate, imported into the S/4HANA SNC (SAP Cryptolib) PSE
Step 3.5.b: Define Rule-Based Mapping for the user certificate (Transaction: CERTRULE)
(This step is identical to the HTTPS scenario Step 1.4.b. You can skip this step if the user mapping has already been configured and the login/certificate_mapping_rulebased parameter is set to 1.)
Step 3.5.c: Configure SNC Identity in the backend system (Transaction: SNC0)
Log in to the backend ABAP system, execute transaction SNC0 and add the Cloud Connector’s SNC identity. Take the SNC name from the SAP Cloud Connector.
Step 4: Create System Mappings in SAP Cloud Connector
We need to create a “Mapping Virtual To Internal System” entry in the Cloud To On-Premise tab for your subaccount in the Cloud Connector.
Step 4.1: Map HTTPS Connections to SAP Web Dispatcher
Since we are using a Web Dispatcher as an intermediary to the ABAP backend system, we will define the Web Dispatcher host in the HTTPS destination configuration instead of the ABAP system directly. The flow is as follows:
BTP (Service) –> cloud connector –> web dispatcher –> S/4HANA
| Parameter | Value |
| --- | --- |
| Back-end Type | Other SAP system |
| Protocol | HTTPS |
| Internal Host | Host of the Web Dispatcher |
| Internal Port | Port of the Web Dispatcher |
| Virtual Host | Enter any value but avoid underscores in the name. Note: Remember your entry as you need it to configure the destination in your SAP BTP subaccount. |
| Virtual Port | Enter any numerical value. Note: Remember your entry as you need it to configure the destination in your SAP BTP subaccount. |
| Principal Type | X.509 Certificate (General Usage) |
| Host In Request Header | Use Internal Host |
Select the mapping you just created and add the Resources as per your requirement.
| URL Path | Access Policy |
| --- | --- |
| / | Path and All Sub-Paths |
Step 4.2: Map RFC SNC Connections to S/4HANA Backend
| Parameter | Value |
| --- | --- |
| Back-end Type | ABAP System |
| Protocol | RFC SNC |
| Application Server | Host of the S/4HANA backend services |
| Instance Number | Instance number of the S/4HANA backend |
| Virtual Application Server | Enter any value but avoid underscores in the name. Note: Remember your entry as you need it to configure the destination in your SAP BTP subaccount. |
| Virtual Instance Number | Enter any numerical value. Note: Remember your entry as you need it to configure the destination in your SAP BTP subaccount. |
| Principal Type | X.509 Certificate (General Usage) |
| SNC Partner Name | ABAP system’s SNC identity name (for example, p:CN=SID, O=Trust Community, C=DE). Copy it from profile parameter snc/identity/as. |
Select the mapping you just created and add the Resources as per your requirement.
| Function Name | Naming Policy |
| --- | --- |
| ZSAP | Exact Name |
| BAPI | Prefix |
Step 5: Create Destination in SAP BTP
Create destinations in the BTP subaccount to allow communication between S/4HANA and SAP BTP over the HTTPS and RFC SNC protocols.
Step 5.1: For HTTPS scenario, enter the below information:
| Parameter | Value |
| --- | --- |
| Name | S4Hana_HTTP |
| Type | HTTP |
| Proxy Type | On-Premise |
| Location ID | Copy this from the Cloud Connector subaccount overview section |
| URL | http://<host:port as defined in Cloud Connector> |
| Proxy Type | OnPremise |
| Authentication | PrincipalPropagation |
| Additional Properties: sap-client | Client number of your system |
Step 5.2: For RFC scenario, enter the below information:
| Parameter | Value |
| --- | --- |
| Name | S4Hana_RFC |
| Type | RFC |
| Proxy Type | On-Premise |
| Authorization Type | Principal Propagation |
| Location ID | Copy this from the Cloud Connector subaccount settings |
| Repository User | Create a technical user in S/4HANA and enter its user ID |
| Repository Password | Password of the technical user |
| Additional Properties: jco.client.ashost | <host as defined in Cloud Connector> |
| Additional Properties: jco.client.client | Client number in SAP S/4HANA |
| Additional Properties: jco.client.sysnr | <instance number as defined in Cloud Connector> |
Conclusion
By completing these steps, you have successfully configured Principal Propagation from SAP BTP to your on-premises ABAP system for both HTTPS and RFC (via SNC) communication. You can now integrate any SAP BTP service and use Principal Propagation as the authentication method to ensure secure, user-specific access.
For troubleshooting Cloud Connector principal propagation over HTTPS, refer to the SAP Help documentation.
Feel free to share your feedback or questions in the comments.😊