Client Certificate Authentication

Contents

Introduction
Pre-requisites
  Generating passports for S-user
  Generating a public key certificate from pfx file
Section – 1: From SAP BTP (Neo) DCS → SCI
  Maintaining the pfx in destination (BTP) for connectivity
  Authorization with Client Certificate
  Testing the connectivity (Authentication + Authorization)
Section – 2: From Source System → SAP BTP (Neo) DCS
  Configure the reverse proxy
  Enabling Client Certificate auth type in BTP
  Adding Additional JVM Arguments

Introduction:
This document explains how to set up client certificate-based authentication for:

1. Integration from SAP Business Technology Platform, Neo environment DCS application to SAP
Cloud Integration (SCI).
2. Integration from the Source system (ECC/S4H/Others) to the SAP Business Technology Platform,
Neo environment DCS application.

Client certificate-based authentication can be set up for either or both of the integration scenarios
above. The scenarios are independent.

The Pre-requisites are mandatory if you want to set up client certificate-based authentication for either
or both of the integration scenarios above.

Pre-requisites
Generating passports for S-user

Any S-user can apply for an SAP passport (digital certificate) by following the instructions at
https://support.sap.com/en/my-support/single-sign-on-passports.html

Once the passport is generated, the user is provided with a password-protected file with the *.pfx extension.

Generating a public key certificate from pfx file

This can be done by adding the .pfx file as a key pair in SCI under Manage Keystore.
Once it is successfully imported, you can download the certificate (.cer file) by searching for its alias
name, as shown below.

Section – 1: From SAP BTP (Neo) DCS → SCI

Maintaining the pfx in destination (BTP) for connectivity

Set the authentication type to ClientCertificateAuthentication and upload the .pfx file generated
as part of the Pre-requisites. Update the keystorename and keystorepass accordingly, then click Save.

Authorization with Client Certificate


Maintain the mapping between the user and the certificate (generated in the Pre-requisite step) by
clicking the Certificate-to-User Mappings tile in SCI. Once it is successfully maintained, you will see an
entry like the one below.

In the integration flow connection properties, set the authorization type to “Client Certificate” and
select the client certificate generated in the Pre-requisite step.

Testing the connectivity (Authentication + Authorization)

Postman: Maintain the pfx file and its passphrase, together with the appropriate SCI host name, in
Postman > Settings > certificate tab.
Trigger the request; you get a response with HTTP status code 200, which indicates that the integration
flow URL request succeeded with certificate-based authentication and the respective user roles. Ignore
the response, because not all the required parameters are sent through Postman.

From the DCS application, you can verify SAP SCI connectivity using the Health Check application,
or from the GSP Communication Details application > Manage GSP > Check connection.

Section – 2: From Source System → SAP BTP (Neo) DCS

Notes:

1. The Pre-requisite steps mentioned above in this document are mandatory if you wish to use client
certificate-based authentication.

2. Configuration steps to be performed in the backend ERP (ECC/S4H) are given in the document
“Integrate_to_DCS.pdf” attached to Note: 2465014.

Configure the reverse proxy

Configure the reverse proxy to request client certificate authentication by running the neo command
below:

neo add-platform-domain --account <TENANT_ID> --application gstrapp --user <USER_ID> --host <HOST> --platform-domain cert.<HOST>

Ex. neo add-platform-domain --account cf7855382 --application gstrapp --user I349215 --host ap1.hana.ondemand.com --platform-domain cert.ap1.hana.ondemand.com

After this, you see additional hosts with the cert. prefix generated for the gstrapp application.

Enabling Client Certificate auth type in BTP

Under the active authentication configuration, for Method Name “Form”, select and add Client Certificate
as shown below and save the configuration.

Adding Additional JVM Arguments

To map the client certificate to a username, the Java application must be updated with an additional
JVM argument and then restarted:

-Dcom.sap.cloud.crypto.clientcert.mapping_mode=CN

This indicates that the mapping is carried out on the Common Name (CN) available in the certificate.
Now restart the Java application, and ensure that the CN username is granted the necessary roles
in Authorizations.
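
Because mapping_mode=CN turns the certificate's Common Name into the application user, it is worth confirming which CN the .pfx actually carries, and that the certificate has not expired, before granting roles. The script below is an added example, not part of the original document or of SAP tooling; it uses the standard openssl CLI, and the PFX_PASS variable, the function names and the sample CN value are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example. Reports the subject CN that mapping_mode=CN will treat as the
# user name, and whether the client certificate is still valid.
# The .pfx password is read from the PFX_PASS environment variable (an
# assumption of this script) so it never appears on a command line.

# pfx_cert FILE -> PEM of the client certificate inside FILE (no private key)
pfx_cert() {
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin env:PFX_PASS 2>/dev/null
}

# pfx_cn FILE -> Common Name of the client certificate, empty on failure
pfx_cn() {
    pfx_cert "$1" | openssl x509 -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^ *commonName *= *//p' | head -n 1
}

# pfx_valid_for FILE SECONDS -> exit 0 if still valid SECONDS from now
pfx_valid_for() {
    pfx_cert "$1" | openssl x509 -noout -checkend "$2" >/dev/null 2>&1
}

# make_sample_pfx DIR CN -> constructed self-signed DIR/sample.pfx for the demo
make_sample_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=Constructed Example/CN=$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -out "$1/sample.pfx" -passout env:PFX_PASS
}

# Demo on constructed data: S0000000001 is a made-up CN value.
PFX_PASS='constructed-passphrase'; export PFX_PASS
demo_dir=$(mktemp -d)
make_sample_pfx "$demo_dir" "S0000000001"
echo "CN mapped to user: $(pfx_cn "$demo_dir/sample.pfx")"
if pfx_valid_for "$demo_dir/sample.pfx" 604800; then
    echo "certificate valid for at least 7 more days"
else
    echo "certificate expires within 7 days or could not be read"
fi
rm -rf "$demo_dir"
```

For a real passport file, export PFX_PASS and call pfx_cn on the .pfx; the printed value is the user name that must hold the roles in Authorizations.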
