Principal Propagation Setup as Java Backend
SAP BTP => Cloud Connector => SAP NetWeaver AS Java
Introduction
This blog explains how to configure principal propagation with an X.509 certificate for an SAP NetWeaver AS Java backend (HTTPS). SAP Cloud Connector (SCC) generates a short-lived client certificate for the logged-on user and forwards it to the backend system.
Architecture Overview
User => BTP App/Work Zone => BTP Destination (PrincipalPropagation) => SCC => AS Java Backend.
Key requirements:
- Mutual TLS between SCC and the backend for HTTPS propagation (the backend must trust the SCC system certificate / CA chain).
- The CA certificate configured in SCC can issue user certificates.
- User mapping rules on AS Java (ClientCertLoginModule) map certificate fields to UME users.
Prerequisites Checklist
3.1 Backend user attribute alignment (SU01 / UME)
The backend user's e-mail or user ID must match the BTP identity.
Ensure the e-mail address in the backend user record is exactly the one used to log in to BTP.
3.2 Cloud Connector certificates
You need three certificates in SCC:
- System Certificate (trust between SCC and the backend)
- CA Certificate (issues the user certificates)
- User Sample Certificate (used to build the rule-based mapping on AS Java)
NOTE: For ABAP backends SAP supports a self-signed SCC system certificate, but AS Java does not: both the SCC system certificate and the AS Java server certificate must be signed by a CA.
Java Systems: Java-based systems (such as SAP Portal or PI/PO) use a keystore-based trust model. Although they can technically hold self-signed certificates, SAP's principal propagation via the Cloud Connector requires a Certificate Authority (CA) chain for validation.
3.3 Permissions & access
-SCC admin access
-BTP subaccount admin for Destinations
-AS Java admin access to NetWeaver Administrator (NWA) security and SSL configuration.
Step-by-Step Configuration
Step 1 – Maintain backend user mapping attribute (Email)
In backend user maintenance (ABAP SU01 / Java UME as applicable), fill E-Mail Address exactly as used in BTP.
Pick one mapping strategy (Email OR UserID) and use it consistently across BTP <-> IdP <->backend.
Here we take the e-mail strategy.
Step 2 – Generate/Import SCC certificates (System + CA + Sample User Cert)
2.1 System Certificate (SCC)
In Cloud Connector Admin UI:
Go to Configuration -> On Premise -> System Certificate
Create a CSR and get it signed by your CA (recommended).
Import the signed certificate received from your CA/AD team.
Also import the signed system certificate into the AS Java trust store (NWA => Certificates and Keys => Key Storage => TrustedCAs).
NOTE: Import the complete chain (the certificate itself plus the intermediate and root CA certificates), not only the leaf certificate.
2.2 CA Certificate (SCC)
Go to Configuration -> On Premise -> CA Certificate
The CA certificate can be self-signed, or you can generate a CSR the same way and import the signed CA certificate.
This CA is the issuer of every user certificate SCC generates, so AS Java must trust it as well: import the CA certificate (with its chain) into the TrustedCAs keystore view of NWA.
2.3 User Sample Certificate
Maintain the subject pattern so that it carries the user's e-mail, then generate the sample certificate.
Create the sample certificate.
- Import the created sample certificate into NWA => Certificates and Keys => Key Storage => TicketKeystore; it is used in Step 7 to derive the mapping rule.
Step 3 – Sync Cloud Trust with IdP in SCC
Sync the trust configuration for principal propagation.
Go to Cloud To On-Premise -> Principal Propagation
Click Sync to fetch the IdP/trust configuration from the subaccount context.
Without this trust, SCC cannot validate the inbound identity and therefore cannot generate the user certificate.
Step 4 – Configure the cloud-to-on-premise mapping
The backend system mapping must be configured for HTTPS and identity forwarding.
Go to Cloud To On-Premise → Access Control
Create or edit the mapping for the backend system (protocol HTTPS).
Set Principal Type => X.509 Certificate (certificate-based identity).
Maintain the resource paths (for example / or /sap/, depending on your requirement; keep the list as narrow as the application needs).
Step 5 – Configure BTP Destination Authentication = PrincipalPropagation
In BTP:
Navigate to Connectivity -> Destinations
Create/update the runtime destination to the backend via SCC and set:
Proxy Type: OnPremise
Type: HTTP
Authentication: PrincipalPropagation
URL: the virtual host and port from the SCC mapping
Backend Setup (SAP NetWeaver AS Java)
Step 6 – Activate HTTPS port in AS Java
AS Java must accept HTTPS and be able to request/require client certificates.
Configure SSL:
Open NWA (http://<host>:<port>/nwa) => Configuration => Security => SSL
Add a new access point with protocol HTTPS (skip if HTTPS is already active).
Ensure the SSL library is available and the SSL status becomes OK.
Secure/apply the SSL certificate for the Java backend.
Your Java HTTPS endpoint certificate must be valid for the hostname SCC uses (the internal host of the access-control mapping).
Create a CSR for CA signing, then import the CA response together with the root (and intermediate) CA certificates.
Note: When generating the CSR, do not forget to maintain the SAN (Subject Alternative Name); without a SAN entry the URL cannot be secured, because modern TLS clients ignore the CN for hostname validation.
Tip: SAN can hold both the FQDN and the short hostname of the Java backend. If you have two Java instances, a wildcard such as CN = *.domain.com (also placed in the SAN) covers both, but remember that a wildcard matches exactly one label.
Refer to SAP Note 2275562 – How to import sapgenpse generated PSE file into AS Java for generating the CSR and importing the certificate with the sapgenpse command line.
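To make the SAN requirement and the wildcard tip above concrete, here is an added example (not code from the original post) that models the hostname check a TLS client such as the Cloud Connector performs on the AS Java server certificate: the internal host of the SCC mapping must be covered by a SAN dNSName entry, the subject CN alone does not count, and `*.domain.com` matches one label only. The hostnames and SAN lists are constructed sample data.

```python
"""SAN / hostname check for the AS Java HTTPS certificate (Step 6).

Added example, not code from the original post. It models the name check a
TLS client such as the Cloud Connector performs on the server certificate:
the internal host of the SCC access-control mapping must be covered by a SAN
dNSName entry; the subject CN alone is not consulted. A wildcard is honoured
only as the whole left-most label and matches exactly one label. All
hostnames and SAN lists below are constructed sample data.
"""


def _san_matches(pattern: str, host: str) -> bool:
    """Match one dNSName SAN entry (possibly '*.domain') against a hostname."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False                      # no wildcard, or one in a non-leading position
    rest = pattern[2:]                    # 'domain.com' from '*.domain.com'
    if rest.count(".") < 1:
        return False                      # refuse '*.com'-style patterns
    first, _, host_rest = host.partition(".")
    return bool(first) and host_rest == rest   # exactly one label in front of 'rest'


def host_covered(san_dns_names, hostname: str) -> bool:
    """True if any SAN dNSName entry covers the hostname."""
    return any(_san_matches(p, hostname) for p in san_dns_names)


def check_server_cert(cert: dict, scc_internal_host: str) -> dict:
    """Verdict with a reason, so a failing check says what to fix in the CSR."""
    sans = cert.get("san_dns", [])
    if not sans:
        return {"ok": False,
                "reason": "no SAN dNSName entries; CN=%s alone is ignored" % cert.get("subject_cn")}
    if host_covered(sans, scc_internal_host):
        return {"ok": True, "reason": "%s covered by SAN %s" % (scc_internal_host, sans)}
    return {"ok": False,
            "reason": "%s not covered by SAN %s; reissue the CSR with it" % (scc_internal_host, sans)}


# Constructed certificates, reduced to the two fields the check needs.
SAMPLE_CERTS = {
    "cn_only": {"subject_cn": "javahost.corp.example", "san_dns": []},
    "fqdn_and_short": {"subject_cn": "javahost.corp.example",
                       "san_dns": ["javahost.corp.example", "javahost"]},
    "wildcard": {"subject_cn": "*.corp.example", "san_dns": ["*.corp.example"]},
}

if __name__ == "__main__":
    for name, cert in SAMPLE_CERTS.items():
        for host in ("javahost.corp.example", "javahost", "a.b.corp.example"):
            print(name, host, check_server_cert(cert, host))
```

Run it against the hostname you entered as internal host in the SCC mapping; the `cn_only` sample is exactly the CSR mistake the note warns about, and the `wildcard` sample shows why `*.corp.example` does not cover `a.b.corp.example` or the bare `corp.example`.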
Step 7 – Define Rule-Based Mapping (ClientCertLoginModule)
Convert the certificate identity into a UME user:
- Add ClientCertLoginModule to the policy configuration.
- Define rules that map certificate fields (Subject CN / SubjectAlternativeName / e-mail) to a UME user.
NWA => Authentication and Single Sign-On => Authentication
Maintain the following in the authentication stack of the policy configuration client_cert:
- ClientCertLoginModule (create the mapping rules; the sample certificate from Step 2.3 can be used to derive them)
- Enable certificate logon
- PrincipalMappingLoginModule
Restrict each rule to certificates issued by the SCC CA certificate (issuer filter of the rule); otherwise a certificate with the same CN or e-mail from any other trusted CA would map to the same UME user.
Step 8 – Define Reverse Proxy parameters
Add the profile parameter
icm/trusted_reverse_proxy_<X> = SUBJECT="<subject of the SCC system certificate>", ISSUER="<issuer of the SCC system certificate>"
This parameter establishes the trust relationship between the SAP backend and the Cloud Connector: ICM accepts the forwarded user certificate only on connections whose TLS client certificate matches the configured SUBJECT and ISSUER, so a client that merely sends the header itself is not believed.
NOTE: This is mandatory for principal propagation.
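Steps 7 and 8 together decide whether a propagated identity is accepted. The following added example (not SAP's implementation and not code from the original post) models that decision: the connection's TLS client certificate must match an icm/trusted_reverse_proxy_<X> entry before the forwarded user certificate is looked at, the user certificate must be issued by the SCC CA, and one subject attribute (CN here, the AttributeName of a ClientCertLoginModule rule) must match exactly one UME user's e-mail. The parameter value, all DNs, the header encoding and the UME user table are constructed.

```python
"""Model of the two checks the AS Java backend applies to a propagated identity
(Steps 7 and 8). Added example: not SAP code and not from the original post.

 1. The TLS client certificate presented on the *connection* must match an
    icm/trusted_reverse_proxy_<X> entry (SUBJECT and ISSUER of the SCC system
    certificate). Only then is a forwarded user certificate believed at all.
 2. The forwarded user certificate must be issued by the SCC CA certificate,
    and one subject attribute (here CN, the AttributeName of a
    ClientCertLoginModule rule) must match exactly one UME user's e-mail.

All DNs, the parameter value, the header encoding and the UME user table are
constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str   # "CN=..., O=..., C=..." style distinguished name
    issuer: str


# Constructed profile value, in the SUBJECT="...", ISSUER="..." form of the parameter in Step 8.
TRUSTED_REVERSE_PROXY_PARAMS = [
    'SUBJECT="CN=scc.corp.example, O=Example Corp, C=DE", '
    'ISSUER="CN=Example Corp Issuing CA, O=Example Corp, C=DE"',
]
SCC_CA_DN = "CN=SCC User CA, O=Example Corp, C=DE"   # the CA certificate of Step 2.2 (constructed)
UME_USERS = {                                         # constructed UME table: logon id -> e-mail
    "JDOE": "john.doe@example.com",
    "ASMITH": "alice.smith@example.com",
    "BOB": "bob@example.com",
    "BOB2": "bob@example.com",                        # duplicate e-mail: mapping must refuse it
}


def parse_dn(dn: str) -> dict:
    """'CN=x, O=y' -> {'CN': 'x', 'O': 'y'}; attribute types compared case-insensitively."""
    pairs = (p.split("=", 1) for p in dn.split(",") if "=" in p)
    return {k.strip().upper(): v.strip() for k, v in pairs}


def parse_trusted_proxy_param(value: str) -> tuple:
    """Return (subject_dn_dict, issuer_dn_dict) from one icm/trusted_reverse_proxy_<X> value."""
    out = []
    for key in ("SUBJECT", "ISSUER"):
        start = value.index(key + '="') + len(key) + 2
        out.append(parse_dn(value[start:value.index('"', start)]))
    return out[0], out[1]


def connection_is_trusted_proxy(conn_cert, params=TRUSTED_REVERSE_PROXY_PARAMS) -> bool:
    """Step 8: exact SUBJECT and ISSUER match against the configured entries."""
    if conn_cert is None:                 # no client certificate on the TLS connection
        return False
    subj, iss = parse_dn(conn_cert.subject), parse_dn(conn_cert.issuer)
    return any((subj, iss) == parse_trusted_proxy_param(p) for p in params)


def map_cert_to_user(user_cert, attribute="CN", users=UME_USERS) -> str:
    """Step 7: take <attribute> from the subject; require exactly one UME user with that e-mail."""
    if parse_dn(user_cert.issuer) != parse_dn(SCC_CA_DN):
        raise PermissionError("user certificate not issued by the SCC CA")
    value = parse_dn(user_cert.subject).get(attribute.upper())
    if not value:
        raise PermissionError(f"subject has no {attribute}: {user_cert.subject!r}")
    matches = [uid for uid, mail in users.items() if mail.lower() == value.lower()]
    if len(matches) != 1:
        raise PermissionError(f"{len(matches)} UME users match {attribute}={value!r}, need exactly one")
    return matches[0]


def authenticate(conn_cert, headers: dict) -> tuple:
    """Whole decision: ('ALLOW', user_id) or ('DENY', reason).

    The forwarded user certificate is modelled as an SSL_CLIENT_CERT header
    holding 'subject|issuer'. It is read only after the connection is trusted,
    so a direct client cannot inject an identity by sending the header itself.
    """
    if not connection_is_trusted_proxy(conn_cert):
        return ("DENY", "peer is not a trusted reverse proxy; forwarded header ignored")
    forwarded = headers.get("SSL_CLIENT_CERT")
    if not forwarded or "|" not in forwarded:
        return ("DENY", "no forwarded user certificate")
    subject, issuer = forwarded.split("|", 1)
    try:
        return ("ALLOW", map_cert_to_user(Cert(subject, issuer)))
    except PermissionError as exc:
        return ("DENY", str(exc))


# Constructed request data for a quick run.
SCC_SYSTEM_CERT = Cert("CN=scc.corp.example, O=Example Corp, C=DE",
                       "CN=Example Corp Issuing CA, O=Example Corp, C=DE")
ROGUE_CLIENT_CERT = Cert("CN=laptop.corp.example, O=Example Corp, C=DE",
                         "CN=Example Corp Issuing CA, O=Example Corp, C=DE")
GOOD_HEADER = {"SSL_CLIENT_CERT": "CN=john.doe@example.com, O=Example Corp|" + SCC_CA_DN}

if __name__ == "__main__":
    print(authenticate(SCC_SYSTEM_CERT, GOOD_HEADER))     # ('ALLOW', 'JDOE')
    print(authenticate(ROGUE_CLIENT_CERT, GOOD_HEADER))   # ('DENY', ...)
```

The `ROGUE_CLIENT_CERT` case is the reason the reverse-proxy parameter is mandatory: a client that can reach the HTTPS port with any CA-issued certificate, or none, and adds the header itself must be refused before the header is parsed. The duplicate `bob@example.com` entry shows why the summary insists on one consistent mapping attribute: an ambiguous match has to fail closed rather than pick a user.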
Step 9 – Restart the Java services
Verify everything and restart the Java instance so that the profile parameters take effect.
Step 10 – Validate the SSO functionality with the work zone application URL.
SUMMARY:
After completing the principal propagation setup for the Java backend, the recommendations are:
- For Java-based systems, use CA-signed certificates.
- Ensure the SAN entries are present in the SSL certificate.
- Generate the sample certificate in SCC and import it into the TicketKeystore of NWA.
- Maintain only the required fields (AttributeName, getUserFrom and UserMappingMode) for the ClientCertLoginModule rule.
Thank you.