Connecting A Customer System To SAP HCI: Getting Started
Connecting A Customer System To SAP HCI: Getting Started
Getting Started:
You can set up the technical connection between a tenant and different kinds of remote systems (in
many cases located in the customer landscape).
The process of connecting a remote system to the integration platform (SAP HCI) – also referred to
as onboarding process - depends on the chosen security option. This task requires the cooperation of
experts at SAP and at customer's side.
Throughout this documentation we assume the following basic setup of technical components and
communication paths: A remote system (which is not specified) is being connected to one of the
tenants that are assigned to the customer. The remote system can act either as a sender or a receiver
of messages. The setup and the detailed configuration procedure differ according to the
communication direction that is being set up: whether a remote system is supposed to send a message
to the integration platform or the other way round.
Throughout this documentation, the terms inbound and outbound reflect the perspective of the
integration platform.
Inbound refers to message processing from a remote system (in many cases, located in the
customer landscape) to the integration platform (which is based on SAP HANA Cloud
Platform). Here, the integration platform is the server.
Outbound refers to message processing from the integration platform to a remote system
(where the integration platform is the client).
Introduction
You can connect various kinds of remote systems to the cloud-based integration platform using
protocols such as HTTP/S, SSH and SMTP/S. Each communication protocol comes with certain options
to protect the message exchange (security options).
To give you an idea of which kinds of remote systems can be connected to the integration platform,
here are some typical examples (this is not a complete list):
To support dedicated kinds of systems (through dedicated communication protocols), the integration
platform provides certain adapters. An adapter allows you to configure the details of the technical
communication channel between the remote system and the integration platform.
Supported Protocols
First task when setting up an integration scenario is to set up a secure transport channel between the
remote system and SAP HCI. The following protocols can be used: Hypertext Transfer Protocol Secure
(HTTPS), SSH File Transfer Protocol (SFTP) and Simple Mail Transfer Protocol (SMTP), respectively
SMTP secured with transport layer security (SMTPS).
Note: That HTTPS is based on the Transport Layer Security (TLS) protocol.
The following table provides more information on the different aspects to consider for each protocol.
Table 1: Protocols
HTTP, HTTPS Inbound HTTP/S sender HTTP/S proxy Firewall to set up and
system (for example, configure
SAP ERP Central
Component
Table 1: Protocols
Component
SSH Outbound SFTP server (to store Tooling for ssh key Virus scanner on
files) management inbound directory
SMTP, SMTPS Outbound Mail server SMTPS (SMTP over Virus scanner on
SSL/TLS) support of inbound mail boxes
mail server
For each protocol, different authentication options are supported - ways how the connected systems
prove their trustworthiness against each other during connection setup. Connection setup is
performed differently, depending on whether inbound communication (when a remote system as a
sender calls SAP HCI) or outbound communication (when SAP HCI calls a remote system which, in
turn, is then considered as the receiver) is configured. The detailed procedure also depends on the
chosen protocol and authentication option.
Adapters
The following figure illustrates some options for kinds of systems to connect to SAP HCI. Both
communication directions are considered: systems sending messages to SAP HCI and systems that
receive messages from SAP HCI. The figure also shows which communication protocols and the SAP
HCI adapters that are to be configured in order to enable SAP HCI to connect to the respective kind of
system. Note that the figure only shows some typical use cases and is not complete.
Connect a tenant to the Ariba network (this allows SAP and non-SAP cloud applications to
send and receive business-specific documents in cXML format to and from the Ariba network).
Access and extract information from Facebook based on certain criteria such as keywords or
user data.
Connect to a remote system using the SSH File Transfer protocol (also referred to as Secure
File Transfer protocol) to read (poll) files from the system.
Connect to a remote system using the SSH File Transfer protocol to write files to the system.
Exchange messages with another system that supports SOAP 1.1 or SOAP 1.2.
Exchange messages with another system based on the SOAP communication protocol and
SAP RM as the message protocol.
Connect to a SuccessFactors system using the SOAP, OData, and REST message protocol.
As well as the transport-level security options, you can also secure the communication at message
level. This protects the content of the exchanged messages by means of digital encryption and
signatures. Various security standards are available to do this: PKCS#7, XML Digital Signature,
OpenPGP, and WS-Security.
A tenant client keystore is required for each tenant that sends messages to a receiver system (server).
It is the storage location for the tenant client certificate. Additionally, the required server root
certificates from the connected external systems have to be imported into the tenant client keystore.
For the procedure described in this documentation, it is assumed that you are using the KeyStore
Explorer. You can download this tool from http://keystore-explorer.sourceforge.net/ .
The information you need to enter depends on who is the owner of the tenant for which the
keystore and the contained client certificate are being generated.
o Password
o Common Name (CN)
o Country (C)
You do not need to make an entry for the Email (E) field.
9. Choose OK.
10. Enter a key alias.
When creating SSH keys (for SFTP), enter one the following kay aliases.
Option Description
Note: There is the option to specify different passwords to protect a private key and to
protect the keystore as a whole.To set up a tenant client keystore, it is mandatory that identical
passwords are used.
Note: When you specify the password, follow the password rules as described in a separate
topic.
The client certificate created initially is self-signed (owner and issuer are identical) and therefore needs
to be signed by a certification authority (CA). To initiate this step, create a certificate signing request
(CSR). The CA sends back the signed certificate, and you can then update your keystore accordingly.
When you import an existing key pair into the keystore, and you have the choice among different files
with different Key Pair Type, we recommend to choose the option PKCS #12 (in case one key pair file
corresponding to this format is available). This format contains the certificate in addition to the private
key. If you choose one of the other Key Pair Types, the certificate has to be specified separately.
You need X.509 keys to configure communication with certificate-based authentication over HTTPS and
if you want to configure digital encryption and signing of messages with security standards PKCS#7
and XML Digital Signature.
For the procedure described in this documentation, it is assumed that you are using the KeyStore
Explorer. You can download this tool from http://keystore-explorer.sourceforge.net/ .
1. Open the KeyStore Explorer and open a keystore or create a new one.
The information you need to enter depends on who is the owner of the tenant for which the
keystore and the contained client certificate are being generated.
Enter the relevant information to identify your tenant as the owner of the certificate.
o Password
o Common Name (CN)
Note: Note the following with regard to the usage of wildcards in the CN entries (for
example *.mycompany.com):
For inbound certificate-based client authentication (where the CA-signed certificate needs
to be imported into the customer’s back-end systems), wildcards in the CN field are allowed.
For outbound certificate-based client authentication (where you have to import the CA-
signed certificate into the tenant keystore), wildcards in the CN field are not allowed.
Note that the terms inbound and outbound always refer to the integration platform/tenant.
o Country (C)
You do not need to make an entry for the Email (E) field.
8. Choose OK.
9. Enter a key alias.
When creating SSH keys (for SFTP), enter one the following key aliases.
Option Description
Option Description
Note: There is the option to specify different passwords to protect a private key and to
protect the keystore as a whole.
To set up a tenant client keystore, it is mandatory that identical passwords are used.
Note: When you specify the password, follow the password rules as described in a separate
topic.
Use the same password as for the protection of the private key.
14. When you save the keystore, enter .jks as the file extension.
The client certificate created initially is self-signed (owner and issuer are identical) and therefore needs
to be signed by a certification authority (CA). To initiate this step, create a certificate signing request
(CSR). The CA sends back the signed certificate, and you can then update your keystore accordingly.
When you import an existing key pair into the keystore, and you have the choice among different files
with different Key Pair Type, we recommend to choose the option PKCS #12 (in case one key pair file
corresponding to this format is available). This format contains the certificate in addition to the private
key. If you choose one of the other Key Pair Types, the certificate has to be specified separately.
Basic Authentication
Basic authentication allows a the tenant to authenticate itself against the receiver through credentials (user
name and password).
How it Works
The following figure shows the setup of components required for this authentication option.
Basic authentication for HTTPS-based outbound calls works the following way:
The HTTP header of the message contains user credentials (name and password).
To protect the user credentials during the communication step, the connection is secured using SSL.
2. The customer back-end authenticates itself as server against the tenant using a certificate (the
customer back-end identifies itself as trusted server).
To support this, the keystore of the customer back-end system must contain a server certificate signed
by a certification authority. To be more precise, the keystore must contain the complete certificate
chain. On the other side of the communication, the keystore of the connected tenant must contain the
customer back-end server root certificate.
3. The tenant is authenticated by the customer back-end by evaluating the credentials against the
user stored in a related data base connected to the customer back-end.
Keystore (tenant-specific) Receiver server root certificate This certificate is required to identify the
root CA that is at the top of the
certificate chain that ultimately
guarantees the trustability of the
receiver server certificate.
Receiver keystore Receiver server certificate (signed by This certificate is required to identify the
CA with which the tenant has a trust receiver (to which the tenant connects
relationship) as the client) as a trusted server.
User credentials artefact User and password With these credentials the tenant
authenticates itself as client at the
receiver system.
The following figure shows the setup of components required for this authentication option.
How it Works
In this case, the receiver acts as server and the authentication is based on certificates.
3. Authentication of the tenant: The identity of the tenant is checked by the receiver by evaluating the
client certificate chain of the tenant.
As prerequisite for this authentication process, the client root certificate of the tenant has to be
imported into the receiver keystore (prior to the connection set up).
As CA who provides the root certificate, Cyber trust Public Sure Server SV CA is used.
4. Authorization check: The permissions of the client (tenant) are checked in a subsequent step by the
receiver.
On top of the secure transport channel (that is based either on HTTPS or SFTP), you can additionally protect
the message exchange by digital encrypting and signing the message.
On top of a secure transport channel (for example, based on HTTPS), you have the option to implement
message-level security capabilities. That way, you can protect the message by applying digital signing or
encryption. Asymmetric key technology is used in the following way to implement these features:
In the inbound case, the tenant acts as receiver that either decrypts or verifies a message.
To implement message-level security for the standards PKCS#7, WS-Security, and XML Digital Signature, you
use X.509 certificates (the same type of certificates as used for HTTPS-based transport-level security).
However, note that different keys are usually used for message-level security and SSL transport-level security.
XML Digital Signature supports only the use cases of signing/verifying messages.
Provide SAP with the public key (is used to verify messages sent to the tenant).
Depending on the desired option, configure the security-related integration flow steps.
Specify the Public Key Aliases in order to select the relevant keys from the tenant keystore.
Make sure that you specify the Public Key Aliases for all expected senders (only if you have
specified Enveloped or Signed and Enveloped Data or Signed and Enveloped
Data for Signatures in PKCS7 Message).
In general, an alias is a reference to an entry in a keystore. A keystore can contain multiple public keys. You
can use a public key alias to refer to and select a specific public key from a keystore.
On top of a secure transport channel (for example, based on HTTPS), you have the option to implement
message-level security capabilities. That way, you can protect the message by applying digital signing or
encryption. Asymmetric key technology is used in the following way to implement these features:
In the inbound case, the tenant acts as receiver that either decrypts or verifies a message.
1. Generate and configure the PGP keys and the storage locations (PGP secret and public keyrings) for
the sender system.
2. Import the related public keys from the tenant into the public PGP keyring of the sender and finish the
configuration of the sender system.
Provide SAP with the public key (is used to verify messages sent to the tenant).
When signatures are expected, make sure that you specify the Signer User ID of Key(s) from Public
Keyring for all expected senders.
Based on the signer user ID of key(s) parts, the public key (for message verification) is looked up in the PGP
public keyring. The signer user ID of key(s) key parts specified in this step restrict the list of expected senders
and, in this way, act as an authorization check
On top of a secure transport channel (for example, based on HTTPS), you have the option to implement
message-level security capabilities. That way, you can protect the message by applying digital signing or
encryption. Asymmetric key technology is used in the following way to implement these features:
In the outbound case, the tenant acts as sender that either encrypts or signs a message.
To implement message-level security for standards PKCS#7, WS-Security, and XML Digital Signature, you use
X.509 certificates (the same type of certificates as used for HTTPS-based transport-level security). However,
note that different keys are usually used for message-level security and SSL transport-level security. XML
Digital Signature supports only use cases for signing and verifying messages.
Provide SAP with the public key (is used to encrypt messages sent to the receiver).
Depending on the desired option, configure the security-related integration flow steps.
Specify the Public Key Aliases in order to select the relevant keys from the tenant keystore.
Make sure that you specify the Public Key Aliases for all expected senders (only if you have
specified Enveloped or Signed and Enveloped Data or Signed and Enveloped
Data for Signatures in PKCS7 Message).
In general, an alias is a reference to an entry in a keystore. A keystore can contain multiple public keys. You
can use a public key alias to refer to and select a specific public key from a keystore.
On top of a secure transport channel (for example, based on HTTPS), you have the option to implement
message-level security capabilities. That way, you can protect the message by applying digital signing or
encryption. Asymmetric key technology is used in the following way to implement these features:
In the outbound case, the tenant acts as sender that either encrypts or signs a message.
1. Generate the PGP keys and the storage locations (PGP secret and public keyrings) for the receiver
system.
2. Import the related public keys from the tenant into the public PGP keyring of the receiver and finish the
configuration of the receiver system.
Provide SAP with the public key ( used to encrypt messages sent to the receiver).
Depending on the desired option, configure the security-related integration flow steps.
Specify the User ID of Key(s) from Public Keyring in order to select the relevant public receiver keys
from the PGP public keyring.
As one example for certificate-based connectivity, customer intends to connect a customer-based SAP on-
premise system (based on SAP Application Server ABAP with SAP HCI.
The following figure illustrates the required keystores and security artifacts for the mentioned landscape.
In the proposed system landscape, SAP Web Dispatcher is used in the on premise customer landscape to
receive incoming calls from SAP HCI. SAP Web Dispatcher (as reverse proxy) is the entry point for HTTPS
requests into the customer system landscape.
In the proposed landscape, two SSL connections have to be implemented on the way in between HCI and
AS, because SAP Web Dispatcher - interconnected in between - terminates all SSL calls from SAP HCI.
Therefore, the folowing traust relationships have to be implemented:
As this connection spans the Internet, it is strongly recommended to use certificates that are signed by
a certification authority (CA) that both parties (SAP Web Dispatcher and SAP HCI) trust.
As this connection resides within the customer landscape, it might be an option to use self-signed
certificates for this connection.
Ankaiah Yerraboina (M.Tech)
+91-7993388825 Page 25
2. Connecting a Customer System to SAP HCI
Note: For reasons of simplicity, within this guide we assume that self-signed certificates are used
for this connection.
The following table summarizes the required certificates and the related keystores.
Table 1: Keystores
HCI client keystore HCI client certificate (private and public Required to authenticate SAP HCI as
key) sender of messages.
WD server keystore HCI client root certificate Required to identify SAP HCI as trusted
communication partner.
WD client keystore WD client certificate (private and public Required to authenticate WD as sender
key) of messages.
Table 1: Keystores
the WD.
In the proposed landscape, the SSL connection is not terminiated on the way in between AS and SAP HCI
(transparent proxy). Therefore, a trust relationship has to be set up between AS and SAP HCI.
As this connection spans the Internet, it is strongly recommended to use certificates that are signed by a
certification authority (CA) that both parties (AS and HCI) trust.
The following table summarizes the required certificates and the related keystores.
Table 2: Keystores
AS client keystore AS client certificate (private and public Required to authenticate AS as sender of
key) messages.
Table 2: Keystores
AS.
You can find more information on this landscape in the Technical Connectivity Guide for SAP Cloud for Travel:
at https://service.sap.com/ondemand under SAP Cloud for Travel and Expense.