
SSL certificates for C4C/HCI/ECC integration

florianbus
Contributor
0 Kudos

Hi,

is it possible to use self signed certificate from ECC "SSL client SSL Client (Standard)" for the HCI integration?

If yes, what else must be done besides using this certificate within the iFlows?

Best Regards

Florian

Accepted Solutions (1)

0 Kudos

Hi Florian

No - HCI will not trust self-signed.  recently wrote a blog on this that explains it well: 

-ginger

florianbus
Contributor
0 Kudos

Hi Ginger,

we have the scenario as follows at our customer.

C4C <> HCI <> Reverse Proxy (apache2) <> SAP

Can you or anybody else tell me, with which CAs the Reverse Proxy needs to be signed in order to have a working connection established between HCI and the Reverse Proxy?

Cheers

Florian

0 Kudos

Hi Florian

For trust, not authentication, HCI provides a signed server cert. The customer must purchase a signed certificate for the reverse proxy. Assuming they are already using the reverse proxy for something else, then they will have this. The list of trusted CAs is in the online help of HCI.

The minimum required is signed server certs for ERP and the reverse proxy.   

In the C4C50 we do a very cost-efficient way to secure - consider this:

ERP already had a SSL server certificate.

The reverse proxy was already being used and had a signed certificate.

The ERP and the reverse proxy are the minimum server certificates that must be purchased and signed when using HCI.

ERP to C4C we used basic authentication. This was low risk because the ERP system is already in a very private network within our education department with additional proxies and firewalls and such. This required:

SSL for ERP, which the training dept already had.

C4C to ERP we used certificate authentication.  There was not a requirement to purchase a client certificate.  C4C provides one, this was exported and used in the iFlow.  HCI also provides a client certificate. This certificate was sent to the reverse proxy, which forwarded it to ERP and we mapped it to the user in VSUSREXTID table. 

This met the security requirements and required no additional certificate purchases.  As mentioned, the ERP and reverse proxy already had signed certificates.  Customers may not have SSL for ERP yet- but if they are using a reverse proxy, this will be in place.  You just need to check that the CA is trusted by HCI.

Does this make sense? 

-ginger

florianbus
Contributor
0 Kudos

Hi Ginger,

unfortunately the courses we wanted to attend before our project were canceled.

So just to verify, can you comment on this....

  • Reverse Proxy (apache2) -> needs signed certificate from HCI trusted CA
  • SAP (server and client) -> needs signed certificate from HCI trusted CA
  • Forward Proxy (from ECC outbound) -> no need to have any certificates

Regards

Florian

0 Kudos
  • Reverse Proxy (apache2) -> needs signed certificate from HCI trusted CA
    • Yes
  • SAP (server and client) -> needs signed certificate from HCI trusted CA
    • Yes
  • Forward Proxy (from ECC outbound) -> no need to have any certificates
    • I haven't ever configured the forward proxy - so can't say. 

- please correct where needed. 

0 Kudos

Yes Ginger you are right:

  • The Apache (acting as Reverse Proxy) must be able to terminate the SSL connection initiated from HCI; therefore Apache needs a server certificate which is trusted by HCI. And it needs to trust the HCI client cert.
  • For client certificate based logon, the Apache must be configured in a way that it forwards the HCI client certificate as an HTTP header field.
  • From Apache to ERP (Server) you have a new SSL connection (or you use plain unencrypted HTTP -> which is not recommended). This means the ERP server certificate must be trusted on Apache and not on HCI.
  • SAP client needs a CA signed client certificate. Ideally it should be signed by one of those:

     SAP HANA Cloud Integration

  • The forward proxy for the outbound connection ERP to HCI should be transparent, which means that it does not terminate SSL - therefore no certificates are needed here. If you intercept SSL here (not recommended) then you'll need certificates again.

Best regards,

Berthold
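The four steps Berthold lists (terminate TLS from HCI with a publicly trusted server certificate, verify the HCI client certificate, forward it as a header, and open a separately trusted TLS connection to ERP) map onto an Apache httpd virtual host as follows. This is an added example, not configuration from the thread or from SAP; the hostnames, paths and the CA bundle file names are placeholders, and the header name SSL_CLIENT_CERT is the one mod_ssl exports for the client's PEM certificate.

```apache
# Added example (not from the thread): Apache httpd as reverse proxy between HCI and ERP.
# All hostnames and file paths are placeholders.
Listen 443
<VirtualHost *:443>
    ServerName proxy.example.com

    # 1. Terminate TLS from HCI. The server certificate must chain to a CA that HCI trusts
    #    (see the trusted CA list in the HCI online help), so a self-signed cert will not do.
    SSLEngine on
    SSLCertificateFile      /etc/apache2/ssl/proxy.crt
    SSLCertificateKeyFile   /etc/apache2/ssl/proxy.key
    SSLCertificateChainFile /etc/apache2/ssl/proxy-chain.crt

    # 2. Require and verify the HCI client certificate against the CA that issued it.
    #    ExportCertData makes the verified certificate available as SSL_CLIENT_CERT.
    SSLCACertificateFile    /etc/apache2/ssl/hci-client-ca.crt
    SSLVerifyClient         require
    SSLVerifyDepth          3
    SSLOptions              +ExportCertData +StdEnvVars

    # 3. Forward the verified client certificate to ERP as an HTTP header.
    #    "set" replaces any SSL_CLIENT_CERT header a client may have sent, so ERP only
    #    ever sees the certificate this proxy actually verified.
    RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"

    # 4. New TLS connection to ERP. The ERP server certificate must be trusted here,
    #    on the proxy, not on HCI; verify the peer and its hostname.
    SSLProxyEngine            on
    SSLProxyVerify            require
    SSLProxyVerifyDepth       3
    SSLProxyCheckPeerName     on
    SSLProxyCACertificateFile /etc/apache2/ssl/erp-server-ca.crt

    ProxyPreserveHost On
    ProxyPass         /sap/ https://erp.internal.example:44300/sap/
    ProxyPassReverse  /sap/ https://erp.internal.example:44300/sap/
</VirtualHost>
```

On the ERP side, the ICM must be configured to accept a forwarded certificate only from this proxy (the ICM profile parameters icm/HTTPS/trust_client_with_issuer and icm/HTTPS/trust_client_with_subject restrict which proxy certificate is allowed to pass a client certificate through), after which the forwarded certificate is mapped to a user in the external-ID table as Ginger describes above. Restricting step 4 to the ERP's own issuing CA rather than a full public bundle keeps the proxy from accepting any publicly signed host in place of ERP.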

florianbus
Contributor
0 Kudos

Hi Berthold,

In case we communicate from ECC to HCI, can we use an ECC client certificate that is signed by an own root CA?

Can this root CA be imported to the HCI key store so that the ECC client certificate will be trusted?

Best Regards

Florian

0 Kudos

Thanks, Berthold! 

0 Kudos

Hi Florian,

what do you mean by "own CA"?

There is an approval process if a new public CA can be added to the Load Balancer's key store. This will be carefully reviewed by our security experts and not many CAs will pass this check....

So if you are thinking about any kind of "private" CA - this will for sure not be accepted.

Best regards,

Berthold

florianbus
Contributor
0 Kudos

Hi Berthold

all right... that helps a lot while discussing the certificate topic with our customer.

Best Regards

Florian

Answers (0)