How to configure HTTPS

Inbound Connection in
Cloud Integration using
Client Certificate
Authentication Step-by-
Step
SAP BTP - SAP Cloud Integration in Cloud Foundry
By Ali Chalhoub

© 2021 SAP AG. All rights reserved.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP

BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP
products and services mentioned herein as well as their respective logos
are trademarks or registered trademarks of SAP AG in Germany and
other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal

Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business
Objects products and services mentioned herein as well as their
respective logos are trademarks or registered trademarks of Business
Objects Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and
other Sybase products and services mentioned herein as well as their
respective logos are trademarks or registered trademarks of Sybase Inc.
Document History

Document Version Authored By Description Date Created

1.0 Ali Chalhoub First release of this whitepaper March 25, 2021

Document Version Reviewer Description

Anoop Singh Developer June 21, 2021
Amar Kumar Developer June 21, 2021
Ali Chalhoub Updated November 30, 2021

2
How to configure HTTPS Inbound Connection in Cloud Integration
using Client Certificate Authentication Step-by-Step www.sap.com

TABLE OF CONTENTS

Document History ...................................................................................................................................................... 2

ABSTRACT .....................................................................................................................................................4
Chapter 1 - Overview ................................................................................................................................................. 4
Chapter 2 – Configuring Integration Flow with Client Certificate ............................................................................. 4
Chapter 3 – Configuring Backend .............................................................................................................................. 4
Chapter 4 – Troubleshooting ..................................................................................................................................... 4
CHAPTER 1 OVERVIEW ..................................................................................................................................5
Overview .................................................................................................................................................................... 6
Creating the Integration Flow .................................................................................................................................... 6
Testing the connection with Basic Authentication .................................................................................................. 18
Testing the connection with Basic Authentication using POSTMAN ....................................................................... 19
CHAPTER 2 CONFIGURING INTEGRATION FLOW WITH CLIENT CERTIFICATE ................................................... 27
Generate Client Certificate .PFX file ........................................................................................................................ 27
Download the Load Balancer Certificates ............................................................................................................... 28
Generate Client X.509 Certificate ............................................................................................................................ 29
Configuring Client User Certificate to an Instance .................................................................................................. 34
Testing Certificate Authentication with POSTMAN ................................................................................................. 42
CHAPTER 3 CONFIGURING BACKEND ........................................................................................................... 44
Adding X.509 CAs Certificates to the Trust Manager Certificate Trusted List ......................................................... 51
Configuring RFC Connection .................................................................................................................................... 57
CHAPTER 4 TROUBLESHOOTING ................................................................................................................... 61
Error 1 – You are not authorized to perform this operation ................................................................................... 61
Error 2 – RFC connection Error SSL Handshake error .............................................................................................. 62
Error 3 – STRUST Add to Certificate List is grayed it out ......................................................................................... 63
Error 4 – Using trial account, Client Certificate Authentication is failing ................................................................ 63
Error 5 – You do not have permission to work in Cloud Foundry ........................................................................... 64
Abstract
Chapter 1 - Overview
1.1. Architecture
1.2. Creating the Integration Flow
1.3. Testing the connection with Basic Authentication using POSTMAN

Chapter 2 – Configuring Integration Flow with Client Certificate

2.1. Generate Client Certificate .PFX file using SAP Passport
2.2. Download the Load Balancer Certificates
2.3. Generate Client X.509 Certificate
2.4. Configuring Client User Certificate to an Instance
2.5. Testing Certificate Authentication with POSTMAN

Chapter 3 – Configuring Backend

3.1. Adding Client Certificate to STRUST
3.2. Adding X.509 CAs Certificates to the Trust Manager Certificate Trusted List
3.3. Configuring RFC Connection
3.4. Test RFC Connection

Chapter 4 – Troubleshooting
4.1. Error 1 – You are not authorized to perform this operation
4.2. Error 2 – RFC connection Error SSL Handshake error
4.3. Error 3 – STRUST Add to Certificate List is grayed it out
4.4. Error 4 – Using trial account, Client Certificate Authentication is failing
4.5. Error 5 - You do not have permission to work in Cloud Foundry

4
 Chapter 1
Overview

Welcome to How to configure Cloud Integration to support Client Certificate Authentication using HTTPS
Inbound Connection Step-by-Step in Cloud Foundry. In this whitepaper you will find all the details that are
needed to let you configure an RFC connection to connect to Cloud Integration using client certificate for HTTPS
inbound connection. The whitepaper will go in details explaining how to configure the client certificate in
S/4HANA backend and how to establish an RFC connection to Cloud Integration. As well it will explain to you
how to configure POSTMAN to test the Integration Flow using client certificate.

• The whitepaper assumes the administrator has access to the URL of

the tenant where the Integration Flow is located and needed to be
configured

• The whitepaper assumes the administrator does have access to the

Cloud Foundry Cockpit where the administrator can configure the
authorization role for Cloud Integration

• POSTMAN version to be used 8.5.1 or higher

Note
• If you are not familiar with Integration Flow, Chapter 1 will start from
scratch and will do first Basic Authentication test and then in Chapter
2 and on will discuss the creation of Client Certificate. If you are
familiar with Integration Flow or you have your own Integration
Flow, you can jump to Chapter 2.
• The whitepaper uses the acronym CPI sometimes which refers to
Cloud Integration

This whitepaper should be tested in a development environment and tested

Disclaimer in quality before implementing the configuration directly in production.

1. Administrator can login successfully to SAP BTP Cockpit successfully on Cloud

Foundry
Requirement 2. Administrator already have an Integration Flow configured for HTTPS inbound
connection
3. Administrator already have the authorization to request an S-User from SAP

5
Overview

We need to understand first the architecture that we are dealing with in order to configure the environment.
What we need todo is the following:
1. We have an on-premise S/4HANA or a NetWeaver System
2. SAP Load Balancer
3. Cloud Integration on Cloud Foundry
4. A client certificate to be used to authenticate

What we have here above is a system in the backend which is S/4HANA or a NetWeaver. The administrator
wants to connect the backend to Cloud Integration for the inbound connection using HTTPS connection.
Therefore, the administrator wants to configure in the backend an RFC external HTTPS connection in order
to establish such connection. In order to do that, the administrator needs to generate a client certificate
and configure the HTTPS RFC connection to use such certificate in order to establish such connection. Let us
start the configuration of the environment.

Creating the Integration Flow

Let’s us first create an Integration Flow so we can test it with a client certificate
1. Open your Cloud Integration designer in Chrome, i.e
https://<TENANT>.cfapps.us10.hana.ondemand.com/itspaces/shell/design

6
2. Create a package if no one exists, by clicking on the Pencil icon and then Create button

3. Name the package anything you like, in our example we called it “My CPI Pkg”

4. Click on Save once you are done

5. Now click on Artifacts

7
6. Click on Add and select Integration Flow

7. Fill the dialog with the required information. i.e

8. We should have the following:

9. Click on the Integration Flow, MyClientCertificateConnection

8
10. We should see the following:

11. Click on the Edit link on the top right

9
12. Drag an arrow from the arrow pointed below to the Start icon

10
13. Select HTTPS Adapter as shown below:

14. After selecting HTTPS Adapter type, click on the connection tab and type under Address
/test/clientcert. Note on the three dots on the bottom, you can drag up in order to see the connection

11
 properties

15. Click on Arrow between Start and End as shown and click on the + icon below:

12
16. Select Groovy Script

13
17. The Groovy Script 1 should be added now to your Integration Flow

18. Click on the Create icon as shown below

19. Update the code message.setBody to look like this below:

message.setBody("Connected Successfully to CPI!");

14
20. We should have the following code:

21. Click on OK on the top right corner to save our modification

15
22. We should have the following:

23. Click on Save as version

16
24. Click on OK

25. Once it is successfully saved, next we need to click on Deploy button

26. Click Yes on the Confirmation message

27. Click OK on the Deployment message. The deployment may take up to 30 minutes or more before it
can be started

28. Now we need to test our Integration Flow to make sure it is working

17
Testing the connection with Basic Authentication

To test the Integration Flow, we need to go to the Operation View, to do that:

1. Click on the Operation View icon

2. You may see something like that. We are interested in two tiles under Manage Integration Group
a) All
b) Started

c) In our case we can see we have only one Integration Flow being deployed and started successfully

18
3. Click on the Tile that says All Started. Note: if Under All Started did not see your Integration Flow click on tile
All All
4. Now we should see if everything goes well, the following:

Testing the connection with Basic Authentication using POSTMAN

In order to test in Cloud Foundry Basic Authentication, we need to create what we call an instance of “Process
Integration Runtime” so we can generate an oauth client key and client secret. In order to do that, we need to
follow the following steps:
1. Using Chrome or a supported browser by Microsoft and SAP, connect to your Cloud Foundry Cockpit
2. Expand Services
3. Click Instances and Subscriptions
4. Click on Create as shown below:

19
5. Fill the screen as shown below. Regarding the space, you need to select your existing space or create one

20
6. Click on Next

21
7. Click on Next

8. Click on Create
9. Once the instance is created, we should see something like that below:

22
10. Now we need to create the service key, click on the three dots where the arrow is pointing

11. Give the service key a name, in our case, we called oauthcpikey

12. Click on Create

23
13. To get now the clientid and clientsecret information in order to use them in POSTMAN, click on View
Credential

14. We should get the following screen

15. Now for POSTMAN, the clientid is going to be the actual User ID we are going to use in POSTMAN. So you
need to copy everything in the double quotation which in our case it starts with sb-48ad…
16. For the User Password, we are going to copy everything in the double quotation under Clientsecret. Notice I
put an orange line from the first quotation all the way until the end of the other quotation. This is the
password we will be using in POSTMAN

24
Now that we generated the User ID and Password for POSTMAN, we need to get the Integration Flow Endpoint,
to get the End point, go back to this screen and copy the Endpoint:

1. Under the Endpoints copy the full URL so we can test our Integration Flow in POSTMAN
2. In POSTMAN, we need to issue a GET REQUEST for the following Endpoint that we copied for our Integration
Flow
a) URL Endpoint: https://...cfapps.sap.hana.ondemand.com/http/test/clientcert (Note: Yours may be
different)
b) Under Authorization select Basic Auth and enter the clientid and clientsecret that we copied from the
oauthcpikey. It should like like this screen below:

c) Click on Send

25
 d) A message “Connected Successfully to CPI!” is displayed. That means our connection is successful

In the next chapter we will learn now how to configure X.509 client certificate using .PFX file to establish a
connection to Cloud Integration from POSTMAN and from S/4HANA using an RFC connection.

26
 Chapter 2
Configuring Integration Flow with Client Certificate

Now that we have configured the Integration Flow and tested it with POSTMAN, that means it is working with
Basic Auth. The next step now is we need to configure our Integration Flow to support Client Certificate and
connects our S/4HANA System to it using an RFC connection. To do that, please follow the following steps below.

Generate Client Certificate .PFX file

The first step we need to do is to generate a client certificate for the S-User that we need to use. To generate a
.PFX file for the S-User, do the following:
1. We will use SAP passport in order to generate client certificate for our S/4HANA backend system, go to this
URL:https://support.sap.com/en/my-support/single-sign-on-passports.html
2. Click on Apply for SAP

a) Under the S-User you want to generate a PFX file for

b) Enter the Password or what we call the passphrase
Note: The password here should be different than the actual S-User password that you are using with
SAP. This is will be referred to as a passphrase. Make sure you remember this passphrase because we
need it later
c) Click on Apply for SAP Passport
3. The *.PFX file is now downloaded to your computer
4. Save it somewhere because we need it later

27
Download the Load Balancer Certificates

Now that we have a client certificate generated, next we need to download the X.509 certificates for the BTP
Integration Flow Load Balancer. In order to download them, do the following:
1. In the Cloud Integration cockpit, click on the Eye Icon, Overview

2. Under the Manage Security Group, click on Connectivity Tests tile

3. Under TLS, enter the Endpoint the hostname or domain name the way it is shown below

Note: Under the host field, you only enter the domain without https://

28
4. Click on the Download button to download the Server Certificate Chain

5. A certificates.zip file is download

6. In the zip file, there are 3 certificates,
a) The Root Certificate: DigiCert Global Root CA.cer
b) The intermediate Certificate: DigiCert SHA2 Secure Server CA.cer
c) The load balancer certificate
Note: Your certificates may vary and may not be the same name(s). This is OK. Just follow the
fundamental of the whitepaper.
7. Unzip the zip file and save them somewhere because we need them later in the S/4HANA system when we
configure the RFC connection

Generate Client X.509 Certificate

We need to generate the X.509 Certificate so it can be used later to-do the mapping user to certificate. Todo
that, do the following:
1. Back to the Cloud Integration Editor Cockpit Click on the Overview section the Eye icon
2. Under Manage Security, click on Keystore tile as shown below

29
3. Click on the top right on the Add list and select Key Pair

a) Provide a name to the Alias, any name

b) Under File click on Browse
c) Password: Enter the password or what we said before the passphrase of the client certificate from the
previous step when we generated the *.PFX file under SAP Passport
d) We should have something similar to the screen below:

30
 e) The following warning is displayed, click on Confirm

f) Now our certificate has been added

4. Next we need to generate the X.509 certificate of our client certificate, to do that:

31
a) Click on the Action button and click on Download Certificate Chain

b) A file <Aliasname>.p7b. In our case it is called myclientcertsuser.p7b is downloaded

c) After successfully downloaded, double click on it, the CERTMGR opens in Window, you should see
something like this one

d) From the Action menu select Export as shown below:

32
 e) Click on Next

f) From the next screen select Base-64 encode X.509 (.CER)

g) Browse to a folder and give it a name with ext. cer
h) Click Finish
i) Repeat the same process for the other two intermediate and root certificates
j) We should have 3 certificates exported:
4.j.1. S-user X.509
4.j.2. SAP Passport CA G2
4.j.3. SAP Cloud Root CA
5. In Summary now we have the following certificates:
a) 3 X.509 certificates for the S-User
b) A client certificate .PFX for the S-User
c) 3 X.509 Certificates for the Load Balancer
6. Next step is to map the user to the client X.509 certificate

33
Configuring Client User Certificate to an Instance

In order for Cloud Integration to support client certificate authentication, we need to create an instance and a
generate a service key for the certificate, to do that, do the following:
1. Back to the SAP BTP Cockpit
2. Click on Instances and Subscriptions
3. Click on Create as show below:

34
4. Give a name to your instance as shown below for example clientcertificate and make sure the Service is
“Process Integration Runtime”

The user must have “Space Developer” role in the CF space in order to be able to create
service instances and service keys.

Note

35
5. Click on Next

36
6. In this screen we need to select JSON instead of Form as shown below

37
7. In this screen we need to replace client_credentials with client_x509 under grant-types. The screen should
look like this

8. Click on Next
9. Click Create. Note if the screen gets stuck on Creation in Progress… reload the page

10. If everything goes well, we should see green icon with label created as shown below:

38
11. Now we need to provide the X509 client certificate to the service key, click on the three dots and select
Create Service Key

12. We should see this screen

39
13. Under the X.509 field, we need to copy the content of the X.509 certificate of the S-user that we generated
in the section “Generate Client X.509 Certificate”. In my case our certificate is called “S00xxxxx.cer”. But
before we can copy the content, we need to open the certificate in a text editor and remove all the line
feed, otherwise, we cannot put the content in the X.509 field in the previous screen
a) We need to open this certificate in a Text Editor and remove all the line feed, it should look like this

b) After removing the line-feed, copy the content everything and paste it under the X.509 field of the
instance as shown below:

14. Give the Service Key a name. For example, x509auth and Click on Create

40
15. Once it is created, click on the View Credentials, we should see the following:

16. You have now successfully configured the Service Key with a x509 certificate. Next step is to test our
configuration with POSTMAN

41
Testing Certificate Authentication with POSTMAN

In order to test using the client certificate, we need to tell POSTMAN where to find the PFX file and what host
the certificate will be used against. To do that, follow the following steps:
1. In POSTMAN, click on the gear icon and select Settings as shown below:

2. Click on Certificates. Note: If you cannot see Certificates tab, you need to upgrade POSTMAN to a version
8.5.1 or higher

3. Click on Add Certificate

4. Under the Host field, enter the Endpoint of your Integration Flow. Just the domain name
5. Under the PFX file, enter the S-User PFX file

42
6. Under the Passphrase, enter the password of the certificate that was provided under SAP Passport when the
file was generated. The end result, should look like this

7. Click on Add
8. Close the dialog by clicking on the X on the top right corner
9. Back to POSTMAN assuming the Endpoint still there and GET is selected and make sure under Authorization,
you have Type selected No Auth as shown below:

10. Click on Send. If everything goes well, we should see the following result: “Connected Successfully to CPI!”

Next chapter will explain how to configure an RFC connection to connect to Cloud Integration using client
certificate.

43
 Chapter 3
Configuring Backend

When reaching this section, that means your Integration Flow has been configured successfully and at least it
was tested with POSTMAN using Basic Authentication and Client Certificate Authentication. Next step in this
section, we are going to provide all the steps needed to configure an RFC connection in S/4HANA or NetWeaver
in order to connect to Cloud Integration.

1. Login to your S/4HANA or NetWeaver

2. Execute tCode STRUST
3. Let’s create a Client PSE so we can import our client PFX file to it
3.1. Click on More and select Environment and then SSL Client Identities

3.2. Click on Edit on the top right corner

44
3.3. Click on the green check mark icon

3.4. Click on New Entries as shown below

3.5. Under Identity type: CPI

3.6. Under Description type: SSL CPI Client

3.7. Click on Save

45
 3.8. You will be prompted for a workbench request

3.9. Once the workbench is provided, click on the check mark icon
3.10.Then click on Save
4. We should have our SSL client SSL CPI Client PSE has been created

Note: If you are using NetWeaver, you may not have the “More” section in the menu, instead you may have
Environment, just follow the same steps
5. Now we need to import our Client Certificate PFX file
5.1. Make sure you are in Edit more if not, click on the Edit icon

5.2. Click on More

46
5.3. Select PSE and then Import. Note: If import is grayed out, you need to be in Edit mode

5.4. You will be asked to provide a *.pse, *.p12,*.pfx,*.key. Browse to the S-User .PFX file
Note: If you are running a NetWeaver version that supports only PSE file, you need to follow this KBA,
2148457 – How to convert the keypair of PKCS#12/PFX container into a PSE file, to convert the .PFX file
to .PSE, https://launchpad.support.sap.com/#/notes/0002148457

5.5. Click on Open

47
5.6. Enter the password or the passphrase of the S-Use certificate

5.7. If everything goes well, we should see something like the screen below:

5.8. Note: The Certificate has not been imported yet into the SSL Client SSL CPI Client, it is in the File as
shown above. To import this certificate into the SSL CPI Client that we created, do the following:
5.8.1. Select More and then PSE and the Save as…

48
5.8.2. Select SSL Client and then Click on the Value help as shown below:

5.8.3. Select SSL CPI Client or whatever name you called it

5.8.4. Click the green check mark

5.8.5. Click again the green check mark under Save PSE As

49
5.8.6. Now we should see the following:

5.8.7. Click on Save on the bottom right of the Trust Manager

50
Adding X.509 CAs Certificates to the Trust Manager Certificate Trusted List

Now that the PSE has been created. We need now to import the CAs certificates of the Client Certificate and
Integration Flow Load Balancer. To do that, follow the following steps:
1. Back to STRUST
2. Double click on the SSL client SSL CPI Client PSE contain as shown below

51
3. Under Issuer Certificates, double click on the SAP Cloud Root CA or whatever it is called in your case, we
should see the following:

52
4. After clicking on Add to Certificate List, we should see the following:

5. The Root CA of the User Certificate has been added to the Certificate list
6. Repeat the same steps to the intermediate certificate which is SAP Passport CA G2 so it can be added to the
Certificate List. We should have the following:

7. Finally click on Save on the bottom right of the screen

Now that we added the CA and Intermediate X.509 certificates of the client certificate, it is time to add now the
CA and intermediate certificate of the Load Balancer. To do that, do the following:

53
1. Back in STRUST
2. Double click on SSL client CPI Client
3. Under the Certificate section, click on the Import button

4. Select the Root CA certificate of the Load Balancer. In our case it is called “DigiCert Global Root CA”
5. Under File path click on the value help to select the X.509 certificate

54
6. We should see the following:

7. If the Add to Certificate List is grayed out, click on the Edit icon on the top left corner
8. After clicking on Add to Certificate List, we should have the following list

55
9. Repeat the same steps to add the intermediate certificate which is called in our case “DigiCert SHA2 Secure
Server CA”

10. Click on Add to Certificate List. We should have now the following certificates added to the Certificate List

11. Finally click on Save on the bottom right corner

56
Configuring RFC Connection

Now that we configured our Integration Flow and our PSE file, we are ready to configure our RFC connection to
test our connection to Cloud Integration.
1. Connect to your S/4HANA or NetWeaver system where the certificate has been imported and the CAs X.509
certificates have been imported
2. Execute SM59 tCode
3. Click on Create

4. Under Destination type CPI or any name you like

5. Connection Type “G” HTTP Connection to External Server. We should have something like that

57
6. Make sure the following configuration in place. Under Target System Settings, enter the Endpoint hostname
without https:// and under Path Prefix our endpoint /http/test/clientcert or whatever name you called it

7. Click on the Logon & Security tab. Make sure under Security Options
7.1. SSL is Active

58
 7.2. Under SSL Certificate, make sure our PSE is selected which is CPI SSL CPI Client

8. Now that the configuration in place, click on Save to save the configuration
9. Click on Connection Test as shown below:

59
10. If everything goes well, we should see the following:
Status HTTP Response 200

60
 Chapter 4
Troubleshooting

Error 1 – You are not authorized to perform this operation

Solution:

When trying to create a key pair under the key store, the error above occurred. To resolve this issue, you need
Business Expert Role. To add this Role do the following:
1. Open the SAP BTP Cockpit on Cloud Foundry
2. Expand Security
3. Click on Role Collections
4. Under Search field type PI_Business_Expert

5. Click on the Role

6. Click on Edit
7. Enter your Email
8. Click Save

61
 9. Repeat the creation of the Key Pair in the key store. The error should no disappear

Error 2 – RFC connection Error SSL Handshake error

Solution:

The reason for the SSL handshake error is because one of the CA certificates is missing. Make sure the following
certificates are imported into the Certificate List as shown below:

Note: You can omit the intermediate certificate of the Load Balancer, which is in our case, it is called DigiCert
SHA2 Secure Server CA. It is recommended to test the setup in Dev and Quality before moving it to production.

62
Error 3 – STRUST Add to Certificate List is grayed it out

When trying to click on Add to Certificate List, it is grayed it out.

Solution:
The reason for this issue is because you are not in edit mode. You need to click on the Edit or change button in
order to make the Add to Certificate list enabled. Please refer to Chapter 2 for more details on the CA
certificates.

Error 4 – Using trial account, Client Certificate Authentication is failing

Solution:
When trying to configure Client Authentication in trial account, it is failing. The reason for that is because Client
Authentication is not supported in trial account. The following key pair certificate does not exist.

This is mentioned as well in the documentation.

https://help.sap.com/viewer/368c481cd6954bdfa5d0435479fd4eaf/Cloud/en-
US/7f84d16aa42741efb08dc9875743e47c.html?q=sap_cloudintegrationcertificate

63
Error 5 – You do not have permission to work in Cloud Foundry

Solution:
The user must have “Space Developer” role in the Cloud Foundry (CF) space in order to create service instances
and service keys.

64