HCI Integration with SAP ECC/CRM System


Contents

1.    Introduction to Digital certificate and SSL Handshake

2.    Customer landscapes and certificate requests

3.    Connection setup from SAP ERP – HCI – C4C

4.    Connection setup from C4C – HCI – Web Dispatcher – SAP ERP with SSL termination

1.     Introduction to SSL certificates and the SSL handshake

What is SSL Certificate?

SSL certificates are small data files that digitally bind a cryptographic key to an organization’s details. When installed on a web server, the certificate enables HTTPS and allows secure connections from the web server to a browser or an application.

Certificate Information:

The certificate’s general information shows “Issued to”, “Issued by” and the validity period of the certificate.

Certification Path:

When a certificate is signed by a Certificate Authority, the certification path contains the root certificate and the signed certificate (there may also be one or more intermediate, or chain, certificates in between).

What is SSL Handshake?

In two-way SSL authentication, the SSL client application verifies the identity of the SSL server application, and then the SSL server application verifies the identity of the SSL client application.

Two-way SSL authentication is also referred to as client authentication because the application acting as an SSL client presents its certificate to the SSL server after the SSL server authenticates itself to the SSL client.

2.     Customer landscapes and certificate requests

Every customer landscape is unique. There are a couple of scenarios I would like to discuss here that matter when you apply for a certificate.

a.       Multiple Domain architecture – Public and internal domain

b.      Single Domain architecture – Public registered domain

A.      Multiple Domain architecture

In the above network landscape there are two domains. “Internaldomain.com” is the internal domain and it is not registered. Because it is not registered, a Certificate Authority will not sign a CSR (Certificate Signing Request) for it. If you have a publicly registered domain, you can create a CSR for that domain and get it signed by a CA.

B.      Single Domain architecture

The customer has only one domain and it is publicly registered. You can create the CSR on that domain.

3.     Connection setup from SAP ERP – HCI – C4C

Go to transaction STRUST.

Below is an example DN of the certificate:

DN = CN=erpc.externaldomain.com, OU=Information Technology, O=mycompany Inc, L=Location, S=State, C=Country

This is the CSR. Copy the CSR and get it signed by a Certificate Authority.

Note: The CA must be in the trust list of HCI. Please check the latest HCI trust list.

https://www.entrust.net/cisco/

Signing algorithm: Select SHA1 or SHA2. The certificate root may change depending on the algorithm selected, so make sure that root is in the trust list of HCI.

Proceed to the next step and check the summary of the certificate. Provide the necessary contact information. You will receive the signed certificates from the CA in 3-4 days.

The downloaded bundle contains three certificates:

1. entrustcert.crt – Signed server certificate

2. L1Cchain.txt – Chain certificate (change file extension from txt to crt)

3. L1Croot.txt – Root certificate (change file extension from txt to crt)

Import the certificate response in STRUST.

Copy and import the response.

Import the chain and root certificate to the certificate list and add it to the database.

Adding certificate to Database:

Similarly add the other certificate to certificate list and database.

Go to the HCI tenant URL:

Export the certificate to X.509 format.

Similarly, save the “Cybertrust Public SureServer SV CA” certificate in X.509 format.

Import the Baltimore CyberTrust Root and Cybertrust Public SureServer SV CA certificates into the certificate list and database in STRUST.

We have deployed the required certificates on the SAP ERP/CRM system.

On the HCI tenant we can deploy a keystore artifact. This keystore contains the certificates required to authenticate the client. There is only one keystore per tenant and the file is called system.jks. In this scenario we have to load the server certificate’s chain and root (L1Cchain.crt and L1Croot.crt). To load these certificates you need to raise a ticket with SAP.

system.jks can be seen in Eclipse under deployed artifacts.

SAP provides the HCI tenant certificate; the “Issued to” of the certificate looks like the HCI tenant URL.

In the example below, the certificate is signed by “Cybertrust Public SureServer SV CA”. This certificate and its root should be loaded into the trust list of C4C.

The SAP CRM/ERP – HCI – C4C connection is now established.

4.     Connection setup from C4C – HCI – Web Dispatcher – SAP ERP with SSL termination:


HCI certificate exchange mechanism:


Step-by-Step Procedure (On Premise):

1. Install SAP Web Dispatcher and configure it for the CRM or ECC system.

2. Download the latest SAP Cryptographic Library.

3. Copy the SAP cryptographic binaries to the Web Dispatcher kernel directory.

sapgenpse.exe

sapcrypto.dll

Location – D:\usr\sap\SYS\exe\uc\NTAMD64

Copy sapgenpse.exe and sapcrypto.dll to the above folder.

4. Copy the ticket file to the sec directory under the Web Dispatcher instance directory.

Ticket file location – D:\usr\sap\WHC\W04\sec

You have now installed the SAP Cryptographic Library files.

5. Create the server PSE and certificate request using “sapgenpse.exe” from the command prompt

Go to the Web Dispatcher kernel folder in cmd.

Syntax: sapgenpse get_pse <additional_options> -p <PSE_Name> -r <cert_req_file_name> -x <PIN> <Distinguished_Name>

Run the following “sapgenpse” command to create the SAPSSLS.pse file and the certificate request:

sapgenpse get_pse -p SAPSSLS.pse -x 123456 -r D:\usr\sap\WHE\W00\sec\cert.req "CN=wd.externaldomain.com, OU=Information Technology, O=mycompany Inc, L=Location, S=State, C=Country"

The domain name must be a publicly registered domain. This “CN=wd.externaldomain.com” is the name HCI will use to communicate with the CRM/ERP system.

For example:

CN=wd.externaldomain.com

So if your public domain is “externaldomain.com”, your public IP must be mapped to the host “wd” in the DNS manager of that domain.

DNS Manager of “externaldomain.com”

Get cert.req signed by one of the HCI trusted CAs listed below.

List of HCI Trusted CAs:

TC TrustCenter CA

TC TrustCenter Class 2 L1 CA XI

VeriSign Class 1 Public Primary Certification Authority – G3

VeriSign Class 3 Public Primary Certification Authority – G5

VeriSign Class 3 Public Primary Certification Authority – G5 – Intermediate

Entrust.net Certification Authority (2048)

TC TrustCenter Class 2 CA II

CN=TC TrustCenter Class 2 L1 CA XI

Go Daddy Class 2 Certification Authority

Entrust Certification Authority – L1C

VeriSign Class 3 International Server CA – G3

VeriSign Class 3 Secure Server CA – G3

DigiCertSecureServerCA.cer

DigiCertGlobalRootCA.cer

AddTrustExternalCARoot.cer

COMODOHigh-AssuranceSecureServerCA.crt

Baltimore CyberTrust Root

Cybertrust Public SureServer SV CA

CN = Certum CA, O = Unizeto Sp. z o.o., C = PL

CN = Certum Level IV CA, OU = Certum Certification Authority, O = Unizeto Technologies S.A., C = PL

Note: Entrust Certification Authority – L1C provides a free 90-day trial.

6. Similarly, create the client PSE and certificate request using “sapgenpse.exe” from the command prompt

Go to the Web Dispatcher kernel folder in cmd.

sapgenpse get_pse -p SAPSSLC.pse -x 123456 -r D:\usr\sap\WHE\W00\sec\clientcert.req "CN=wdc.externaldomain.com, OU=Information Technology, O=mycompany Inc, L=Location, S=State, C=Country"

If you have your own CA, get this certificate signed by it, or use the self-signed certificate if both systems are in the same landscape.

7. Create a certificate request for “SSL Server Standard” on the backend ERP system in STRUST

Right-click “SSL Server Standard” – Create a certificate request

CN=erps.externaldomain.com, OU=Information Technology, O=mycompany Inc, L=Location, S=State, C=Country

Export the certificate request as “erps.req”. If you have your own CA, get this certificate signed by it, or use the self-signed certificate if both systems are in a trusted zone (same landscape).


8. From steps 5, 6 and 7 we have generated the following certificate requests:

a. cert.req – Web Dispatcher server

b. clientcert.req – Web Dispatcher client

c. erps.req – STRUST ERP server (SSL Server Standard)

9. Get certificate request “a” signed by one of the HCI trusted CAs.

Get certificate requests “b” and “c” signed by your company’s internal CA, or use self-signed certificates.

10. Import the certificate response along with the root certificate and the chain certificate (if applicable)

When a certificate is signed you receive the signed certificate, the root certificate and possibly a chain certificate.

sapgenpse import_own_cert -p SAPSSLS.pse -c D:\usr\sap\WHE\W00\sec\responseCert.crt -r D:\usr\sap\WHE\W00\sec\root.crt -r D:\usr\sap\WHE\W00\sec\chain.crt -x 123456

responseCert.crt – signed server certificate

Grant the system user access to the PSE file:

sapgenpse seclogin -p D:\usr\sap\WHE\W00\sec\SAPSSLS.pse -x 123456 -O SAPService

11. Similarly, import the certificate response into SAPSSLC.pse (if you are using a self-signed certificate this step is not required)

sapgenpse import_own_cert -p SAPSSLC.pse -c D:\usr\sap\WHE\W00\sec\CResponseCert.crt -r D:\usr\sap\WHE\W00\sec\root.crt -x 123456

CResponseCert.crt – signed client certificate

Grant the system user access to the PSE file:

sapgenpse seclogin -p D:\usr\sap\WHE\W00\sec\SAPSSLC.pse -x 123456 -O SAPService

12. Add the following parameters to the Web Dispatcher profile:

DIR_INSTANCE = D:\usr\sap\WHE\W00

ssl/ssl_lib = D:\usr\sap\WHE\SYS\exe\uc\NTAMD64\sapcrypto.dll

ssl/server_pse = D:\usr\sap\WHE\W00\sec\SAPSSLS.pse

ssl/client_pse = D:\usr\sap\WHE\W00\sec\SAPSSLC.pse

icm/server_port_2 = PROT=HTTPS, PORT=443, TIMEOUT=900

wdisp/ssl_encrypt = 1

icm/HTTPS/forward_ccert_as_header = true

icm/HTTPS/verify_client = 1

wdisp/ssl_auth = 2

wdisp/ssl_cred = D:\usr\sap\WHE\W00\sec\SAPSSLC.pse

13. Create trust between the ERP system and the Web Dispatcher by exchanging root certificates

Maintain the root certificate of the ERP “SSL Server Standard” PSE in SAPSSLC.pse:

sapgenpse maintain_pk -a D:\usr\sap\WHE\W00\sec\ERPSCert.cer -p SAPSSLC.pse -x 123456

14. Download the HCI X.509 certificate and import it into SAPSSLS.pse on the Web Dispatcher

Similarly, download the chain certificate and save it as “hcicrtchain.cer”.

Maintain the root and chain certificates of HCI in SAPSSLS.pse:

a. sapgenpse maintain_pk -a D:\usr\sap\WHE\W00\sec\hcicrtroot.cer -p SAPSSLS.pse -x 123456

b. sapgenpse maintain_pk -a D:\usr\sap\WHE\W00\sec\hcicrtchain.cer -p SAPSSLS.pse -x 123456

15. Restart the Web Dispatcher.

16. Add the following parameters to the ERP profile.

T-code: RZ10

icm/HTTPS/trust_client_with_issuer = <issuer of the signed SAPSSLC certificate>

icm/HTTPS/trust_client_with_subject
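As an added illustration (not code from this post or from SAP), the trust rule behind steps 12 and 16 modelled in Python: the ERP backend honours the client certificate that the Web Dispatcher forwards in an HTTP header only when the connecting TLS peer, i.e. the Web Dispatcher’s own SAPSSLC.pse certificate, matches the configured issuer and subject, plus a few consistency checks on the step-12 parameters. The attribute-by-attribute matching rule, the DN parser and the sample profile values are assumptions of this model.

```python
# Added model (not SAP code) of the step-12/step-16 trust rule: the ERP backend
# honours a client certificate forwarded in a header by the Web Dispatcher only
# when the TLS peer's certificate (SAPSSLC.pse) matches trust_client_with_issuer
# and trust_client_with_subject. "Both match, attribute by attribute" is assumed.

def parse_dn(dn: str) -> dict:
    """'CN=x, OU=y' -> {'CN': 'x', 'OU': 'y'}; types upper-cased, values
    whitespace-normalised so 'OU= Information Technology' == 'ou=Information Technology'."""
    attrs = {}
    for part in dn.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().upper()] = " ".join(value.split())
    return attrs

def parse_profile(text: str) -> dict:
    """Parse 'parameter = value' lines of an SAP profile; '#' starts a comment."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def forwarded_cert_trusted(erp_profile: dict, peer_subject: str, peer_issuer: str) -> bool:
    """True only if both trust parameters are set and match the TLS peer's certificate."""
    want_issuer = erp_profile.get("icm/HTTPS/trust_client_with_issuer", "")
    want_subject = erp_profile.get("icm/HTTPS/trust_client_with_subject", "")
    if not want_issuer or not want_subject:
        return False  # trust not configured: accept nobody's forwarded header
    return (parse_dn(peer_issuer) == parse_dn(want_issuer)
            and parse_dn(peer_subject) == parse_dn(want_subject))

def wd_profile_warnings(wd_profile: dict) -> list:
    """Consistency checks on the step-12 Web Dispatcher parameters."""
    warnings = []
    forwards = wd_profile.get("icm/HTTPS/forward_ccert_as_header", "").lower() == "true"
    if forwards and wd_profile.get("icm/HTTPS/verify_client", "0") == "0":
        warnings.append("client certificate is forwarded but never requested (verify_client=0)")
    for key in ("ssl/server_pse", "ssl/client_pse", "wdisp/ssl_cred"):
        if key not in wd_profile:
            warnings.append(key + " is not set")
    return warnings

# Constructed sample ERP parameters (RZ10), not taken from a real system.
ERP_PROFILE = """\
icm/HTTPS/trust_client_with_issuer = CN=Internal Issuing CA, O=mycompany Inc, C=Country
icm/HTTPS/trust_client_with_subject = CN=wdc.externaldomain.com, OU=Information Technology, O=mycompany Inc, L=Location, S=State, C=Country
"""
```

Run `forwarded_cert_trusted(parse_profile(ERP_PROFILE), subject, issuer)` with the subject and issuer of the certificate a client presented; anything other than the Web Dispatcher’s SAPSSLC certificate returns False, so its forwarded header must be ignored.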