Skip to Content

Multiple communication systems with certificate based authentication

Nov 24, 2017 at 11:02 AM


avatar image

Dear all,

we want to integrate SAP ERP and SAP BW (Analytics Integration) to our C4C system via CPI.

All went "well" when first integrated SAP ERP. We created an communication system "ERP" and used the pre-delivered "hcicertificate" private key pair from CPI.

Obviously, when I now created another communication system "BW" what happened is that communication flowing through CPI gets assigned the wrong user (as it enters C4C with the "hcicertificate" private key pair / client certificate.

My questions:

1. What's the best practice in this situation? Should I opt for creating private key pairs on CPI or should I use the "download PKS#12" button on C4C side and import those in CPI?

2. If I create private keys on CPI side, would those be needed to be signed with an allowed CA? If so, are that the same CAs as for CPI ( or different ones?

Many thanks and kind regards


10 |10000 characters needed characters left characters exceeded
* Please Login or Register to Answer, Follow or Comment.

3 Answers

M. Jaspers Nov 28, 2017 at 10:38 AM

Hi Jens,

We solved this by creating a new keypair in the first communication arrangement for that system in C4C and uploading that in CPI.

That way you can create a keypair for each system and it is signed automatically by SAP (so no need to have it signed by a third party CA).

We found this the easiest way.

Kind regards,


Show 1 Share
10 |10000 characters needed characters left characters exceeded

Yeah, we opted (due to time - project constraints) also for this. However, as I'm new to the subject I like to get a feeling for best practices / doing things the right way.

Probably this method (creating the keypair in C4C and importing to CPI) is fine from a security perspective, not sure though what other drawbacks it might have comparing to creating a CSR and have that signed by an (allowed by C4C) CA. Maybe you or others might give their 2c on this.

Thanks and kind regards


Karthik Bangera Nov 27, 2017 at 07:35 PM

Hi Jens,

Below are the answers-

1. You can use the p12 already present in in your CPI java keystore and then deploy the corresponding CPI client x509 certificate into the Inbound Communication section under communication agreements at c4c.

2. No you need not get the CPI p12(in case you decide to create a new key pair and deploy into CPI java keystore) signed by a CPI load balancer supported CA. This only applies in case when CPI acts as a server/target in which case the call first hits CPI’s load balancer and therefore the sending system (in your case ERP) needs to have a P12 (in pse format of course) which is signed by a CA that is supported by CPI’s load balancer.

Hope this answers your query :)



Show 1 Share
10 |10000 characters needed characters left characters exceeded

Hi Karthik,

thanks for your suggestions, let me further explain...

1. This will probably not work. We are currently facing this situation where we already used the standard "hcicertificate" of CPI in C4C. This is then mapped to a user which is 1:1 to a communication system. Obviously we are in that exact dilemma having one certificate (from hcicertificate) but would need two users (distinguishable). That cannot work (if I did not overlook something obvious)

2. Ok got it. But It probably would need to be a certificate allowed by C4C then (if C4C happens to have load ballancers before it, then allowed by those). Right?

Thanks and kind regars


Jens Schwendemann Nov 29, 2017 at 11:29 AM

For reference, Mandy Krimmel also answered on this topic here:

However, as stated in above comments I like to get a feeling for best practice / up- and downsides of the two possible approaches here, so I may leave this question open a little longer and would be happy to get some inputs from you guys.

Thanks a ton



10 |10000 characters needed characters left characters exceeded