Setup Client Certificate Authentication from S4HANA On Prem to CPI


In today’s interconnected business landscape, seamless and secure data integration is essential for ensuring smooth operations and efficient communication between various systems. CPI plays a critical role in this ecosystem, enabling the integration of on-premise systems with cloud applications. One of the key aspects of this integration is client authentication, which ensures secure data exchange and mitigates potential security risks.

In this blog, we will go through the process of configuring client authentication from an S4HANA on-prem system to CPI. This step-by-step guide will provide you with a comprehensive understanding of the necessary configurations and best practices to establish a secure and reliable connection.

We will be covering the essential topics such as certificate management, configuring the on-premise system, and setting up CPI for secure communication.

Step 1 – Get a certificate signed by a CA that is trusted by the CPI load balancer.

To set up a secure connection between S4HANA and CPI, you need to make sure that the sender system’s keystore contains a client certificate that is signed by one of the certification authorities (CAs) trusted by the load balancer component of CPI.

SAP Note containing the SAP Global Trust List – https://me.sap.com/notes/2801396

Step 2 – Deploy the PSE in STRUST of S4HANA with a reference to CPI

Once you receive the certificate from a trusted CA, deploy the PSE in transaction STRUST of S4HANA under a folder name referring to CPI, as shown below.

Detailed View-

Step 3 – Create an RFC destination of type G

CPI Endpoint-

As shown below:

- Select “Do Not Use a User”.
- Set SSL to “Active”.
- Set SSL Client PSE to “CPI CPI NETWORK CLIENT”. This is the PSE name created in STRUST (step 2).

SXMB_ADM Config-

This config will point our proxy program to the above created RFC destination.

Step 4 – Create a dummy user in CPI with name “SAPUser” and assign it the “ESBMessaging.send” role. This role allows the user to send messages into CPI. You will receive a “HTTP 403 Forbidden” error in the absence of this role.

In case of Integration Suite, you can assign the role “MessageSend” to your user of choice as shown below-

Step 5 – Perform certificate-to-user mapping in CPI

Certificate-to-user mapping in CPI allows you to link a user’s digital certificate to their user account. When S4HANA attempts to connect to CPI using the certificate, CPI validates the certificate and maps it to the corresponding user account “SAPUser”. This ensures that only authorized users with valid certificates can access and execute integration flows.

With this configuration, we are now ready to perform Client Certificate authentication.

Let’s test if this configuration works as expected.

Case 1 – Trigger a sample outbound proxy program from S4HANA and check whether the message flows into CPI. A very simple outbound proxy program is attached below for reference.

*&---------------------------------------------------------------------*
*& Report ZACCOUNT_TEST
*&---------------------------------------------------------------------*
*& Calls the outbound proxy ZRE_CO_SI_ACCOUNT_OS, which is routed via the
*& type G RFC destination configured in SXMB_ADM (step 3).
*&---------------------------------------------------------------------*
REPORT zaccount_test.

DATA: lo_proxy     TYPE REF TO zre_co_si_account_os,
      lo_exception TYPE REF TO cx_ai_system_fault.

DATA: ls_input    TYPE zre_mt_account_response,
      ls_output   TYPE zre_mt_account,
      iv_customer TYPE bu_partner,
      lv_partner  TYPE bu_partner.

TRY.
    CREATE OBJECT lo_proxy.
    iv_customer = '0001124043'.

    " Convert the partner number to its internal (zero-padded) format
    lv_partner = |{ iv_customer ALPHA = IN }|.
    " The receiving flow expects the partner number enclosed in single quotes
    ls_output-mt_account-records-business_partner = '''' && lv_partner && ''''.

    IF lo_proxy IS BOUND.
      " Call proxy method si_account_os (synchronous request/response)
      CALL METHOD lo_proxy->si_account_os
        EXPORTING
          output = ls_output
        IMPORTING
          input  = ls_input.
    ENDIF.

  CATCH cx_ai_system_fault INTO lo_exception.
    " Communication or authentication failure: report the reason instead of failing silently
    WRITE: / 'Proxy call failed: ' && lo_exception->get_text( ).
    RETURN.
ENDTRY.

" Print the credit check result returned for each account
LOOP AT ls_input-mt_account_response-account INTO DATA(ls_abc).
  WRITE: / 'Account validity: ' && ls_abc-crd_chk.
ENDLOOP.


Message processed in S4HANA monitoring-

Payload-

CPI Monitoring-

Message is successfully received in CPI

Received CPI payload matches the payload sent from S4HANA, confirming it’s the same message.

This confirms that the client authentication setup works.

Case 2 – Remove the certificate-to-user mapping in CPI and trigger the message (negative test)

The message fails in S4HANA-

Error Log-

Reason- 403 Unauthorized.

Therefore, as expected, removing the certificate to user mapping in CPI causes the interface to fail.
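The two cases above can also be reproduced outside the ABAP proxy, which helps to tell a TLS-level rejection (step 1) apart from an authorization failure (steps 4 and 5). The following script is an added example, not code from the original post; the certificate and key file names and the endpoint URL are placeholders.

```python
"""Added example, not from the original post: probe a CPI HTTPS endpoint with the
client certificate exported from the S4HANA PSE and map the outcome to the setup
step that usually explains it. File names and the endpoint URL are placeholders."""
import http.client
import ssl
from urllib.parse import urlsplit

# Outcome code and troubleshooting hint per HTTP status, tied to the steps above.
STATUS_HINTS = {
    200: ("ok", "certificate accepted and mapped to a user holding the messaging role"),
    401: ("no-credential", "no usable credential presented: check that the RFC "
                           "destination uses the PSE with 'Do Not Use a User' (step 3)"),
    403: ("role-or-mapping", "TLS succeeded but the user lacks ESBMessaging.send / "
                             "MessageSend (step 4) or the certificate-to-user mapping "
                             "is missing (step 5)"),
}

def diagnose(status):
    """Translate an HTTP status into (code, hint); unknown codes are flagged as such."""
    return STATUS_HINTS.get(status, ("unexpected", f"HTTP {status}: check the CPI message monitor"))

def probe(url, certfile, keyfile, timeout=10.0):
    """POST a tiny body over mutual TLS and return (layer, status, code, hint).
    layer is 'tls' when the handshake itself fails, which points at step 1: the
    client certificate was not issued by a CA trusted by the CPI load balancer."""
    parts = urlsplit(url)
    ctx = ssl.create_default_context()        # still verifies the CPI server certificate
    ctx.load_cert_chain(certfile, keyfile)    # client certificate and key from the PSE
    conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443,
                                       context=ctx, timeout=timeout)
    try:
        conn.request("POST", parts.path or "/", body=b"<probe/>",
                     headers={"Content-Type": "application/xml"})
        resp = conn.getresponse()
        resp.read()
        return ("http", resp.status) + diagnose(resp.status)
    except ssl.SSLError as exc:
        return ("tls", None, "untrusted-ca",
                f"handshake failed ({exc.reason}): revisit the CA choice in step 1")
    except OSError as exc:
        return ("network", None, "unreachable", str(exc))
    finally:
        conn.close()

if __name__ == "__main__":
    # Placeholders: point this at a test iFlow endpoint, never a productive one.
    print(probe("https://TENANT.example.com/http/account", "client.pem", "client.key"))
```

Running it with the mapping in place corresponds to Case 1 (200); deleting the mapping reproduces Case 2 (403), while an untrusted issuing CA surfaces as a TLS handshake failure before any HTTP status is returned.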

In this blog, we’ve walked through the detailed process of configuring client authentication, including obtaining and deploying a certificate, configuring STRUST in S4HANA, creating a user in CPI, and performing certificate-to-user mapping.

By following these steps, you have established a secure and reliable connection between your S4HANA on-premise system and CPI, safeguarding your data and enhancing your integration capabilities. The successful configuration ensures that only authorized users with valid certificates can access and execute integration flows, mitigating potential security risks.

As demonstrated in our testing scenarios, the setup allows for secure message transmission from S4HANA to CPI, validating the effectiveness of the client authentication configuration. In the event of removing the certificate-to-user mapping, the connection rightfully fails, highlighting the importance of this security measure.

With this comprehensive setup, you are now equipped to ensure secure communication between your S4HANA on-premise system and CPI.

 

References:

SAP Note 2801396: SAP Global Trust List

SAP Help Portal:

https://help.sap.com/docs/cloud-integration/sap-cloud-integration/client-certificate-authentication-inbound-cloud-foundry-environment

https://help.sap.com/docs/cloud-integration/sap-cloud-integration/client-certificate-authentication-inbound-neo-environment

SAP Community Blogs:

https://community.sap.com/t5/technology-blogs-by-sap/cloud-integration-how-to-setup-secure-http-inbound-connection-with-client/ba-p/13336237

https://community.sap.com/t5/technology-blogs-by-members/client-certificate-based-authentication-for-https-idoc-inbound-connection/ba-p/13437495

 

 

