Setting Up a Secure Connection for MII Queries

TLS Connection

If you want to set up the connection between SAP MII and PCo using TLS, you have to make the corresponding settings in both systems. In the security settings of the Management Console, you define a server certificate for the MII query server that the SAP MII system must trust as a client. Conversely, you have to store a client certificate in MII so that MII can authenticate itself to the PCo system as a server. PCo must also trust this certificate.

Generation of Certificates for PCo and MII

You require certificates with a private key for both the MII system and the PCo computer. You can generate the certificates yourself or procure them from your IT organization. It is important that the attribute CN (Common Name) contains the name of the respective server or client and that the certificate is suitable for server and client authentication. The Use of Certificates section in the PCo Security Guide contains instructions for generating a self-signed certificate using the Windows PowerShell.

Import the PCo certificate to the certificate folder Personal of the Windows Certificate Store Local Computer.

For the MII certificate, create a keystore view of the SAP NetWeaver instance on which SAP MII is installed. Then import the certificate into this keystore view. You can make these settings in NetWeaver in the menu under Start of the navigation pathConfiguration Next navigation step  Certificates and KeysEnd of the navigation path.

Establishing Trust Relationship Between PCo and MII

Export the public key of the PCo server certificate, and import this key into the keystore view of the MII system mentioned above.

You must also export the public key of the MII client certificate and import it into the Trusted Publishers certificate folder of the Windows Certificate Store Local Computer.

If your IT organization has generated the certificates, you must ensure that the certificates of your intermediate and root certification authorities are also stored in the relevant certificate stores of the Windows system and in the MII keystore view.

Settings in the PCo Management Console

  1. In the SAP MII Settings screen area, select for the connection a port that is not being used.

  2. In the Security field, select the Connection with TLS setting for the MII server.

  3. In the Server Certificate field, assign the server certificate with private key generated in the first step to the MII server.

    This certificate should be located in the Personal certificate folder of the certificate store Local Computer.

Settings in SAP MII

  1. In SAP MII, create a data server of type PCoConnector in the Start of the navigation pathData Services Next navigation step  Data ServersEnd of the navigation path area.

    To set it up, you need the URL of the management service in PCo. You can find this information in the PCo Management Console when you call the menu under Start of the navigation pathTools Next navigation step Options Next navigation step Global Settings Next navigation step Main ServiceEnd of the navigation path and choose the pushbutton Copy WSDL URL to Clipboard.

  2. On the detail screen of the PCoConnector, enter the following information:

    Detail Screen PCoConnector
    Field Description
    Agent Name The name of the agent instance in PCo.
    Agent Port The port number that you defined in the MII query server settings of the agent instance.
    Agent IP Either the name of the PCo computer or its IP address.
    Certificate Key Store The name of the keystore view in which you have stored the MII client certificate and the public key of the PCo server certificate.
    Certificate Name Can be left empty if the MII certificate contains the server name in the attribute CN.
    Use SSL The checkbox must be selected.