cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Multiple communication systems with certificate based authentication

JaySchwendemann
Active Contributor

on ‎11-24-2017 11:02 AM

0 Kudos

Dear all,

we want to integrate SAP ERP and SAP BW (Analytics Integration) to our C4C system via CPI.

All went "well" when first integrated SAP ERP. We created an communication system "ERP" and used the pre-delivered "hcicertificate" private key pair from CPI.

Obviously, when I now created another communication system "BW" what happened is that communication flowing through CPI gets assigned the wrong user (as it enters C4C with the "hcicertificate" private key pair / client certificate.

My questions:

1. What's the best practice in this situation? Should I opt for creating private key pairs on CPI or should I use the "download PKS#12" button on C4C side and import those in CPI?

2. If I create private keys on CPI side, would those be needed to be signed with an allowed CA? If so, are that the same CAs as for CPI (https://help.sap.com/viewer/368c481cd6954bdfa5d0435479fd4eaf/Cloud/en-US/4509f605e83c4c939a91b81eb3a6cdea.html) or different ones?

Many thanks and kind regards

Jens

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (3)

Answers (3)

former_member183486
Explorer
‎11-28-2017 10:38 AM

Hi Jens,

We solved this by creating a new keypair in the first communication arrangement for that system in C4C and uploading that in CPI.

That way you can create a keypair for each system and it is signed automatically by SAP (so no need to have it signed by a third party CA).

We found this the easiest way.

Kind regards,

Martin

Show replies
Show replies
JaySchwendemann
Active Contributor
‎11-29-2017 11:25 AM
0 Kudos

Yeah, we opted (due to time - project constraints) also for this. However, as I'm new to the subject I like to get a feeling for best practices / doing things the right way.

Probably this method (creating the keypair in C4C and importing to CPI) is fine from a security perspective, not sure though what other drawbacks it might have comparing to creating a CSR and have that signed by an (allowed by C4C) CA. Maybe you or others might give their 2c on this.

Thanks and kind regards

Jens

JaySchwendemann
Active Contributor
‎11-29-2017 11:29 AM
0 Kudos

For reference, mandy.krimmel also answered on this topic here:

https://blogs.sap.com/2017/06/19/cloud-integration-how-to-setup-secure-outbound-http-connection-usin...

However, as stated in above comments I like to get a feeling for best practice / up- and downsides of the two possible approaches here, so I may leave this question open a little longer and would be happy to get some inputs from you guys.

Thanks a ton

Cheers

Jens

Show replies
Show replies
KarthikBangeraM
Active Participant
‎11-27-2017 7:35 PM
0 Kudos

Hi Jens,

Below are the answers-

1. You can use the p12 already present in in your CPI java keystore and then deploy the corresponding CPI client x509 certificate into the Inbound Communication section under communication agreements at c4c.

2. No you need not get the CPI p12(in case you decide to create a new key pair and deploy into CPI java keystore) signed by a CPI load balancer supported CA. This only applies in case when CPI acts as a server/target in which case the call first hits CPI’s load balancer and therefore the sending system (in your case ERP) needs to have a P12 (in pse format of course) which is signed by a CA that is supported by CPI’s load balancer.

Hope this answers your query 🙂

Regards,

Karthik

Show replies
Show replies
JaySchwendemann
Active Contributor
‎11-29-2017 11:22 AM
0 Kudos

Hi Karthik,

thanks for your suggestions, let me further explain...

1. This will probably not work. We are currently facing this situation where we already used the standard "hcicertificate" of CPI in C4C. This is then mapped to a user which is 1:1 to a communication system. Obviously we are in that exact dilemma having one certificate (from hcicertificate) but would need two users (distinguishable). That cannot work (if I did not overlook something obvious)

2. Ok got it. But It probably would need to be a certificate allowed by C4C then (if C4C happens to have load ballancers before it, then allowed by those). Right?

Thanks and kind regars

Jens

Ask a Question