Establishing Trust between Cloud Integration and SAP S/4HANA

Objective

After completing this lesson, you will be able to set up a trust relationship between SAP S/4HANA and Cloud Integration by exchanging certificates

Trust Relationships in SSL/TLS Connections

Clients must trust the servers they connect to in order to prevent sending sensitive information, like passwords or other confidential data, to unauthorized parties. They need to verify the server's identity.

Servers prove their identity using digital certificates issued by Certificate Authorities (CAs). These certificates contain information about the server, such as the hostname and the server's public key, and are cryptographically signed by the issuing CA.

Clients can validate the integrity of a server’s certificate and its signature using cryptographic methods. To do this, clients need to recognize and trust the issuing certificate authority. Therefore, clients maintain trust stores that contain information about trusted, well-known certificate authorities.

In practice, there are usually two certificate authorities involved in building a chain: the CA that issues the server certificate is called the intermediate CA and proves its own identity with a certificate issued by a root CA. Root CAs are at the start of the chain and have no higher CA that issues their certificates; a root CA’s certificate is self-signed. That is why clients must keep root certificates in their trust list: there is no higher CA that can vouch for them.

Relationship between the parties and certifications

Example: Browsers

Web browsers come with built-in trust stores or utilize the trust stores provided by the operating system to verify server certificates. Without this trust store, browsing the internet would be more difficult, and you would need to maintain the trust store yourself.

Simple Certification Chain

SAP systems also leverage trust stores; however, the number of trusted certificate authorities that the system trusts out of the box depends on the system.

SAP S/4HANA’s Trust Store - STRUST

Personal Security Environment (PSE)

A Personal Security Environment (PSE) is a secure storage location for digital certificates and private keys. You can compare it with a browser's certificate trust list or trust store, but with additional features. The terms PSE and trust store/list are used interchangeably here.

SAP S/4HANA leverages several PSEs for different purposes. Each PSE includes a Certificate List (the trust list) and the Own Certificate, which holds SAP S/4HANA’s server or client certificate.

The most common PSEs are:

  • SSL Server Standard: This store is typically used when SAP S/4HANA functions as the server. The Own Certificate must include the server certificate that matches SAP S/4HANA’s hostname. If clients are supposed to authenticate using client certificates (mutual authentication), the certificate list must contain the root CAs of the issuing CAs.
  • SSL Client Standard: This store is typically used when SAP S/4HANA acts as a client and authentication via client certificates is required. The client certificate that identifies SAP S/4HANA is placed into the Own Certificate slot. SAP S/4HANA can connect to any system whose server certificate was issued by a CA that chains up to one of the root CAs in the Certificate List.
  • SSL Client Anonymous: This store is typically used for connections where SAP S/4HANA acts as a client and does not authenticate itself with client certificates. The Own Certificate slot remains empty. The Certificate List must include all trusted CAs, similar to the SSL Client Standard PSE.

Note

If you want to use client certificates from any system to connect to Cloud Integration, you must ensure that the client certificate is issued by one of the certificate authorities trusted by the Load Balancer in front of Cloud Integration. You can find more information about this in the SAP Help Portal.

Transaction STRUST

You can maintain PSEs in SAP S/4HANA's Trust Manager using transaction STRUST.

SAP S/4HANA typically comes with an empty trust store. All trusted root CAs must be maintained by the administrator. This means that before SAP S/4HANA can replicate data to another system via an SSL/TLS connection, the certificate of the root CA, which is part of the server certificate’s certificate chain, must be imported.

Screenshot of STRUST showing client cert and cert list

Choosing PSE for a Connection

For outbound connections, you choose which PSE to use in the logical port definition of the consumer proxy (transaction SOAMANAGER) or, when IDocs are used, in the configuration screens of the corresponding RFC destination (transaction SM59).

The following screenshot displays two configuration variants of a consumer proxy.

  • Left: Using X.509 SSL Client Certificate with the SSL Client (Standard) – DEFAULT PSE
  • Right: Using User ID and Password along with the implicit use of the SSL Client Anonymous PSE

Screenshot of SOAMANAGER showing two configuration variants of a consumer proxy

Enable Trust from SAP S/4HANA to Cloud Integration

Since SAP S/4HANA comes with an empty trust store, establishing the trust relationship to Cloud Integration is especially important so that SAP S/4HANA can securely send data to Cloud Integration. For that, you must import the root CA that is part of Cloud Integration's server certificate chain into SAP S/4HANA's trust store.

System Landscape showing S/4 arrow to CI for trust

The required steps are as follows:

  1. Find Cloud Integration's runtime hostname / endpoints via:
    • Endpoint of a deployed integration flow
    • URL of a service key
  2. Obtain the root CA certificate from Cloud Integration’s runtime endpoint:
    • By performing Cloud Integration's connectivity test
    • By calling the URL in your browser
  3. Upload the root CA certificate to the SSL Client (Anonymous) PSE in SAP S/4HANA STRUST

Find the Runtime Endpoint URL / Hostname

If you've already deployed an integration flow, you can use its endpoint URL. It is shown in the Monitoring area under Manage Integration Content.

Screenshot of iFlow Endpoint URL in Monitoring area

Alternatively, if you have a service key for Cloud Integration, you can find the endpoint in its JSON description in the URL field.

Screenshot of BTP cockpit showing a service key for CI with the url field highlighted

It’s important to use the runtime endpoint URL and not the one from the WebUI because these are two different hostnames, and their certificates might be issued by different CAs.

Obtain the Root CA Certificate from Cloud Integration

There are several ways to obtain the root certificate of Cloud Integration. One common method is to export it from the web browser’s security dialog, which is usually accessible from the address bar as the following screenshot shows.

Screenshot of Google Chrome with the Certificate details window open and the root CA certificate and Export buttons highlighted.

Alternatively, the certificate chain can be downloaded directly via Cloud Integration itself, using the Connection Test in the Monitoring area.

Screenshot of Cloud Integration TLS Connection Test to download the certificate chain

Enter only the hostname of the runtime URL and run the test. Download the certificate chain as a ZIP file and extract the root CA certificate.
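The downloaded chain usually contains three certificates, and only the self-signed one at the top belongs in STRUST. The following script is an added example, not part of the SAP lesson: it builds a throwaway chain (root CA, intermediate CA, server certificate) with openssl so it runs offline, then shows how to pick the root out of a set of PEM files (subject equals issuer) and how to check that the server certificate verifies against that root alone, with the intermediate supplied only as untrusted chain material and the hostname checked against the certificate, which mirrors the point above that the runtime hostname and the WebUI hostname may be covered by different certificates. The names Example Root CA, Example Intermediate CA and example.runtime.invalid are constructed placeholders; the functions find_root_ca and verify_server_cert are this example's own.

```shell
#!/bin/sh
# Added example (not SAP's code). Requires only the openssl CLI (1.1.1 or 3.x).
set -e
HOST=example.runtime.invalid          # constructed stand-in for the CI runtime hostname
WORK=$(mktemp -d)
cd "$WORK"

# --- constructed chain, standing in for the ZIP from the Connection Test ---
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$HOST" > server.ext

# root CA: self-signed, subject == issuer
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Example Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext \
  -out root.pem 2>/dev/null
# intermediate CA: issued by the root
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj "/CN=Example Intermediate CA" 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 1 \
  -extfile ca.ext -out int.pem 2>/dev/null
# server certificate: issued by the intermediate, SAN carries the runtime hostname
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -subj "/CN=$HOST" 2>/dev/null
openssl x509 -req -in server.csr -CA int.pem -CAkey int.key -CAcreateserial -days 1 \
  -extfile server.ext -out server.pem 2>/dev/null

# A certificate is self-signed (a root) when its issuer name equals its subject name.
is_self_signed() {
  subj=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject=//')
  iss=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$1" | sed 's/^issuer=//')
  [ "$subj" = "$iss" ]
}

# Walk the PEM files of a downloaded chain and print the one that is the root CA.
find_root_ca() {
  for f in "$@"; do
    if is_self_signed "$f"; then
      echo "$f"
      return 0
    fi
  done
  return 1
}

# verify_server_cert <trusted CA pem> <server pem> <hostname> [untrusted intermediates pem]
# Uses only the given CA file as trust anchor, the way an SSL Client PSE would.
verify_server_cert() {
  if [ -n "$4" ]; then
    openssl verify -CAfile "$1" -untrusted "$4" -verify_hostname "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
  fi
}

ROOT=$(find_root_ca server.pem int.pem root.pem)
echo "root CA to import into STRUST: $ROOT"
if verify_server_cert "$ROOT" server.pem "$HOST" int.pem; then
  echo "server certificate for $HOST chains up to $ROOT"
fi
if ! verify_server_cert int.pem server.pem "$HOST"; then
  echo "importing only the intermediate is not enough: no self-signed anchor reached"
fi
if ! verify_server_cert "$ROOT" server.pem wrong.runtime.invalid int.pem; then
  echo "a certificate for another hostname does not verify for wrong.runtime.invalid"
fi
```

Against a real download, replace the three constructed PEM files with the files extracted from the ZIP and pass the runtime hostname; the file that find_root_ca prints is the one to add to the Certificate List. The second check is why the lesson insists on the root CA rather than the intermediate: openssl, like SAP's TLS client, does not treat a non-self-signed certificate as a trust anchor by default.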

Upload the Root CA Certificate in SAP S/4HANA

To upload a new certificate to the trust list, use transaction STRUST in SAP S/4HANA and follow the steps shown in the screenshot.

Screenshot of STRUST where certificate is added

  1. Switch to Edit mode.
  2. Open the desired trust store. For basic authentication, SSL Client Anonymous is used.
  3. Note that this PSE holds no client certificate: the Subject of the Own Certificate is CN=anonymous.
  4. Choose the Import Certificate button and select the certificate you want to import.
  5. Before importing the certificate into the trust list, you can review its details.
  6. Finally, choose Add to Certificate List to include it in the trust store.