Set Up Trust Between SAPCP Cloud Connector and Your On-Premise ABAP Systems (BW or S/4HANA)

Configure your on-premise SAP ABAP system so that it trusts the cloud connector. This step is needed only if your live connection uses single sign-on.

Prerequisites

Note
Make sure that you've already configured the SAPCP Cloud Connector. For details, see Configure Your On-Premise Systems to Use the SAPCP Cloud Connector.

Context

  • The cloud connector needs to trust the identity provider (IdP) that the customer uses (via syncing the IdPs in the cloud connector interface).
  • The live system needs to trust the cloud connector (via the system certificate).
  • The live system needs to be configured to accept a short-lived X.509 certificate that is forwarded by the cloud connector.
  • The following steps are for uploading the certificate that you previously downloaded from the SAPCP cloud connector (see related link) to an SAP BW on-premise system, and configuring the BW system to use principal propagation. For more information, see Configure Principal Propagation to an ABAP System for HTTPS.

Procedure

  1. Establish trust between the ABAP System and the cloud connector by importing the CA-issued system certificate.
    1. Start SAP Logon.
    2. Log on to your on-premise ABAP system.
    3. Open the Trust Manager.
      You can type strust to find the Trust Manager.
    4. Double-click SSL server Standard.
    5. Switch to Edit mode.
    6. Select the Import certificate icon at the bottom of the screen.
    7. Choose the system certificate file that you previously downloaded from the SAPCP cloud connector (not the sample certificate file).
    8. Select Continue, and then select Allow to grant access to the file.
      The details of the certificate are displayed.
    9. Select Add to Certificate List.
    10. Verify that your system certificate appears in the Certificate List, and then save the configuration.
  2. Configure the Internet Communication Manager (ICM).
    The ICM ensures that communication between the SAP system and external sites via the HTTP, HTTPS, and SMTP protocols works properly. In its role as a server, the ICM processes requests from the Internet that arrive as URLs with the server/port combination that the ICM listens to. The ICM then calls the relevant local handler for the URL in question.
    1. Open the Edit Profiles screen (rz10).
    2. Select the DEFAULT profile.
    3. Select the Extended maintenance option.
    4. Select Change.
    5. Select Parameter (create) and enter this Parameter name: icm/HTTPS/trust_client_with_issuer.
      For the Parameter val field, enter the Issuer of the system certificate, which you can find in the Cloud Connector Administration application, on the Configuration screen, on the On Premise tab, in the System Certificate section.
    6. Select the Back icon and save your changes.
      The new parameter appears in the parameter list.
    7. Create a second parameter, which is the subject of the system certificate.

      Select Parameter (create) and enter this Parameter name: icm/HTTPS/trust_client_with_subject.

      For the Parameter val field, enter the Subject DN of the system certificate, which you can also find in the System Certificate section.
      Note

      The preceding steps describe how to configure one trusted proxy. If you want to configure multiple trusted proxies, use the parameter icm/trusted_reverse_proxy_0, which can be included in the profile multiple times, instead of the icm/HTTPS/trust_client_with_issuer and icm/HTTPS/trust_client_with_subject parameters. (Add the parameter multiple times using an incremented index at the end.)

      For more information and examples, see SAP Note 2052899.

    8. When both parameters appear in the parameter list, select the Back icon, and select Yes to update the profile.
    9. Save the profile, and select Yes to activate the profile.
    10. Select the Back icon to go back to the SAP Easy Access screen.
    11. Open the ICM Monitor (smicm).
    12. Select More > Administration > ICM > Exit Hard > Global.
    13. Select More > Goto > Parameters > Display.
      The two new parameters are visible under HTTPS (SSL) settings.
  3. Map the short-lived certificate.

    You can do the mapping manually in the system, or make use of an identity management solution. For example, for large numbers of users, rule-based certificate mapping can save time and effort. The following steps describe the second option.

    For detailed information, see Rule-based Mapping of Certificates.

    1. Open the Maintain Profile Parameters screen (rz11).
    2. In the Parameter Name field, type login/certificate_mapping_rulebased, and then select Display.
    3. Select Change Value.
    4. In the New Value field, type 1, and then save the change.
    5. Select the Back icon twice to go back to the SAP Easy Access screen.
    6. Open the Rule based Certificate Mapping - Display screen (certrule).
    7. Select Display/Change.
    8. Select More > Configuration > Upload certificate.
    9. Choose the sample certificate file that you previously downloaded from the SAPCP cloud connector (not the system certificate file).
    10. Select Open, and then select Allow to grant access to the file.
    11. Select the Rule button to create a new rule.

      For the Certificate Attr. field, select CN=<valid user identifier>. See Configure Your On-Premise Systems to Use the SAPCP Cloud Connector for details.

      For the Login As field, this setting depends on which attribute you configured in your identity provider as your user identifier. If you used a user name or email address, you can select those options from the drop-down list. If you chose any other attribute, select Alias from the list.

    12. Select Continue to create the rule.
    13. In the Rules list, double-click the check box in the Ext. Attributes or Attr column for the new rule, to open the Extended Attributes dialog.
    14. Select the check box Ignore case sensitivity in certificate entries, and select Continue.
    15. Verify that the rule has been added, and then save the change.
    16. Check that the user is mapped in the Certificate Status based on Persistence area.
  4. Access ICF Services.
    1. In the ABAP system, choose transaction code SICF and go to Maintain Services.
    2. Select the GetServerInfo service.
    3. Double-click the service, and go to the Logon Data tab.
    4. Switch to Alternative Logon Procedure, and ensure that the Logon Through SSL Certificate logon procedure is listed before SAML LOGON.
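The two trust decisions that steps 2 and 3 configure, modelled in Python as an added illustration (not SAP code): the ICM honours a forwarded identity only from a client whose TLS certificate subject and issuer match the two profile parameters, and the short-lived certificate's CN is then mapped to a user by the CN rule, case-insensitively when that option is set. All DNs, user names and parameter values are constructed sample data.

```python
# Added illustration of the trust checks that steps 2 and 3 configure; not SAP code.
# All DNs, user names and parameter values below are constructed sample data.
# Constructed: what step 2 enters in rz10 (issuer and subject of the SCC system certificate).
PROFILE = {
    "icm/HTTPS/trust_client_with_issuer": "CN=Example Internal CA, O=Example Org, C=DE",
    "icm/HTTPS/trust_client_with_subject": "CN=scc-demo, O=Example Org, C=DE",
}
ABAP_USERS = ["JDOE", "ASMITH"]  # constructed user identifiers from the ABAP user master

def parse_dn(dn):
    """Split 'CN=x, O=y, C=z' into {'CN': 'x', ...}; a backslash escapes a comma."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # escaped character, keep it literally
            cur, i = cur + dn[i + 1], i + 2
            continue
        if dn[i] == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += dn[i]
        i += 1
    parts.append(cur)
    attrs = {}
    for part in parts:
        key, _, value = part.strip().partition("=")
        attrs[key.strip().upper()] = value.strip()
    return attrs

def proxy_trusted(profile, client_subject, client_issuer):
    """Step 2: the ICM trusts the proxy only if its TLS client certificate matches both DNs."""
    return (parse_dn(client_subject) == parse_dn(profile["icm/HTTPS/trust_client_with_subject"])
            and parse_dn(client_issuer) == parse_dn(profile["icm/HTTPS/trust_client_with_issuer"]))

def map_short_lived_cert(subject_dn, users, ignore_case):
    """Step 3 rule 'CN=<user identifier>', Login As = user name; returns the user or None."""
    cn = parse_dn(subject_dn).get("CN")
    if not cn:
        return None
    for user in users:
        if (user.lower() == cn.lower()) if ignore_case else (user == cn):
            return user
    return None

def propagate(client_subject, client_issuer, forwarded_subject, ignore_case=True,
              profile=PROFILE, users=ABAP_USERS):
    """Full flow: the forwarded short-lived certificate counts only when the proxy is trusted."""
    if not proxy_trusted(profile, client_subject, client_issuer):
        return None
    return map_short_lived_cert(forwarded_subject, users, ignore_case)
```

A mismatch in either the issuer or the subject leaves the forwarded certificate ignored, which is the symptom to check first when principal propagation silently falls back to another logon procedure.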