How to Configure SAP HCI basic authentication for
SAP Cloud for Customer
How to Configure SAP Web Dispatcher as Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI
Document History © 2014 SAP AG or an SAP affiliate company. All rights reserved.
2
Document Version Description
4.1 Installation of SAP Web Dispatcher ... Error! Bookmark not defined. 4.2 Update SAP Web Dispatcher Kernel ... Error! Bookmark not defined. 4.3 SAP Web Dispatcher SSL Configuration ... Error! Bookmark not defined. 4.4 SAP Web Dispatcher Configuration for x.509 ... Error! Bookmark not defined. 4.5 Add client root certificate from WD into SSL Server Standard .. Error! Bookmark not defined. 4.6 Add Parameters to the SAP ABAP Profile ... Error! Bookmark not defined.
How to Configure SAP Web Dispatcher as Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI C O N F I D E N T I A L Business Scenario © 2014 SAP AG or an SAP affiliate company. All rights reserved.
4
1
Business Scenario
You can now use of the basic authentication connectivity option in SAP HANA Cloud Integration, in addition to the existing certificate based connectivity option, for communicating between your SAP on-premise and SAP Cloud for Customer application.
2
Prerequisites
1. SAP SCN User id/password using http://scn.sap.com
2. Assign roles to User (Raise a CSS ticket in component XX-INT-CLD-HCI-PI) 3. Installation of SAP HANA Cloud Integration Eclipse tooling
4. Use Basic Authentication option when configuring and deploying the iFlows 5. Select Basic Authentication option in the sender system(s) configuration
3
Concept
Basic authentication for HTTPS-based inbound calls works the following way:
1. The (sender) participant sends a message to SAP HCI. The HTTP header of the message contains user name and password.
2. SAP HCI authenticates itself against the participant when the connection is being set up (SSL handshake). In this case, SAP HCI acts as server (BigIP load balancer) and the SSL handshake is based on certificates.
3. Authentication of the participant: The identity of the participant is checked by SAP HCI evaluating the credentials against the user stored in the SCN data base.
4. Authorization check: The permissions of the sender participant are checked in a subsequent step according to roles assigned to the user.
Basic authentication for HTTPS-based outbound calls works the following way:
1. The (sender) participant sends a message from SAP HCI. The HTTP header of the message contains user name and password from the deployed artifact.
2. SAP Cloud for Customer authenticates itself against the participant when the connection is being set up (SSL handshake). In this case, SAP Cloud for Customer acts as server and the SSL handshake is based on certificates.
3. Authentication of the participant: The identity of the participant is checked by SAP Cloud for Customer by evaluating the credentials against the user stored in the Cloud Application certificate store.
4. Authorization check: The permissions of the sender participant are checked in a subsequent step according to roles assigned to the user.
4
Step-by-Step Procedure
SAP cloud application Configuration: Enable Basic
Authentication in Inbound Communication Arrangement
Go to the Communication Arrangements under the Administrator Work center and for the InboundHow to Configure SAP Web Dispatcher as Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI C O N F I D E N T I A L Step-by-Step Procedure © 2014 SAP AG or an SAP affiliate company. All rights reserved.
6
SAP HCI Configuration: Create credentials artifact for basic
authentication and assign to iFlow
1. There is an option to configure basic authentication from HCI to either SAP Cloud for Customers using basic authentication instead of x.509 certificates. For this the first step is to deploy a basic
authentication artifact, from Eclipse open the tenant by double clicking in the tenant name from the node explorer section in the integration designer perspective
3. Click in the Deploy … button
4. Select Basic Authentication and click Next
5. Select the Type Default, Enter a name, description, the user ID and password for the user used to connect to the remote system and click Finish
How to Configure SAP Web Dispatcher as Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI C O N F I D E N T I A L Step-by-Step Procedure © 2014 SAP AG or an SAP affiliate company. All rights reserved.
8
6. Click OK when it finishes the deployment of the artifact
7. Now this artifact will be showed in the deployed artifacts tab
8. To use the artifact to login to a remote system, we need to configured from within the iFlow in the receiver system, open the iFlow that needs to be adjusted
9. Select the connection to the receiver system and double click on it
How to Configure SAP Web Dispatcher as Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI C O N F I D E N T I A L Step-by-Step Procedure © 2014 SAP AG or an SAP affiliate company. All rights reserved.
10
11. Select the checkbox option for Connect using Basic Authentication
OnPremise to SAP HCI using basic authentication, this has to be configured within the iFlow on the sender system, using Eclipse open the iFlow.
15. Select the sender system
How to Configure SAP Web Dispatcher as Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI C O N F I D E N T I A L Step-by-Step Procedure © 2014 SAP AG or an SAP affiliate company. All rights reserved.
12
17. Now it is possible to use a valid SCN user that was provided with the required permissions to consume the web service for this specific scenario
18. Save and close the iFlow
SAP HCI Configuration: Deploy project from Eclipse to SAP
Hana Cloud Integration
19. Once the artifact were adjusted we can deploy them to the tenant selecting the artifact (project) and right click on it
How to Configure SAP Web Dispatcher as Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI C O N F I D E N T I A L Step-by-Step Procedure © 2014 SAP AG or an SAP affiliate company. All rights reserved.
14
21. Enter the name of the HCI tenant and click OK
22. Click OK
SAP HCI Configuration: Check if the projects got deployed from
the Deployed Artifacts
23. From Deployed Artifact tab sort the artifact using the Deployed On column to see the latest deployed artifact
24. From there you will see all the deployed artifacts and validate that the artifact was deployed.
SAP on-premise Configuration: Enable Basic Authentication in
HTTP Destinations for External System
25. Go to the Logon and Security tab for each of the HTTP destinations.
How to Configure SAP Web Dispatcher as Reverse Proxy for SAP CRM or ECC Systems Using SAP HCI C O N F I D E N T I A L Step-by-Step Procedure © 2014 SAP AG or an SAP affiliate company. All rights reserved.
16
© 2014 SAP AG or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such
products and services, if any. Nothing herein should be construed as constituting an additional warranty.
