
HCI to ECC - certificate based authentication

Jan 18 at 05:56 AM

Former Member

Hi Experts

We are trying certificate based communication between HCI and ECC.

Steps we followed so far:

1. Exported HCI certificates (complete chain: root/intermediate/server) from the keystore

2. ECC basis added these 3 to STRUST following the blog

https://blogs.sap.com/2015/03/24/quick-guide-on-using-certificates-for-integrating-c4c-and-ecc-using-hci/

ECC should trust HCI as a Server: HCI is the server for ECC, and the HCI Server Root Certificate has to be imported to STRUST in ECC. HCI Worker node URL has the certificate chain which should be imported in STRUST – SSL Client. The Root of the certificate chain is sufficient for this – in case you get errors, you can import the Intermediate as well as shown below

We are getting a 401 Unauthorized error when we try to hit ECC from HCI.

It's a new thing for us; any help would be appreciated.

Regards

Naina


4 Answers

Muniyappan Marasamy Jan 18 at 10:51 AM
0

Have you done this step?

HCI should have this Signed ECC Client Certificate in its iFlows


You have to add the ECC client certificate into the iflow.

Former Member

Hi Muni

It's HCI to ECC; what I learnt is that the certificate should be in the HCI iflow in the case of ECC to HCI.

Naina

0

That is correct. I got confused seeing this text:

ECC should trust HCI as a Server: HCI is the server for ECC, and the HCI Server Root Certificate has to be imported to STRUST in ECC. HCI Worker node URL has the certificate chain which should be imported in STRUST – SSL Client. The Root of the certificate chain is sufficient for this – in case you get errors, you can import the Intermediate as well as shown below

In the HCI to ECC case, HCI is the client and ECC is the server.

You have to check section "2. HCI is the Client and ECC is the server" in the blog you mentioned above.

Additionally, check this also for SCC config:

https://blogs.sap.com/2016/03/03/a-simple-hci-to-sap-cloud-connector-to-on-premise-scenario/

1
Ashish Goel Jan 19 at 05:42 AM
0

Hi Naina,

Is your ECC system accessible from HCI directly? Usually CPI (Cloud) to On-Premise connectivity is through Hana Cloud Connector, which acts as a reverse proxy. Please check that first.

Thanks,

Ashish

Former Member Jan 22 at 05:40 AM
0

No, it's not.

We are using HCC in between. Does the certificate-based communication between HCI and ECC change if HCC is involved?


If there is a reverse proxy or HCC which receives the request from HCI then the root certificate of HCI should be placed in the trust store of the proxy server (HCC).

User->Certificate mapping is also required using HCI Client certificate that comes with the provisioning Mail. It will be done in your ECC system.

Thanks,

Ashish

1
Former Member
Ashish Goel

Ashish

Are ECC and HCC interchanged here in the first and second statements?

If there is a reverse proxy or HCC which receives the request from HCI then the root certificate of HCI should be placed in the trust store of the proxy server (HCC).

User->Certificate mapping is also required using HCI Client certificate that comes with the provisioning Mail. It will be done in your ECC system.

As far as I know, User->Certificate mapping is done in HCC only, not ECC. Kindly clear up the confusion.

Naina

0
Former Member Apr 04 at 06:21 AM
0

If you are using SAP Cloud Connector for integration scenarios, keep in mind that certificate-based authentication is not supported; you should use HTTP as the transfer protocol, the On-Premise proxy type, and Basic as the authentication to communicate with SAP ECC, using a communication user from the ERP with the corresponding authorizations.

Keep in mind that the SAP Cloud Connector also requires some configuration paths for the on premise system that was configured to allow communication to the ERP, otherwise, it will not allow you to send information.
