To use client certificate authentication, you need to configure both the SAP S/4HANA Cloud side and the SAP BTP side.
Start by creating and configuring the communication settings in the SAP S/4HANA Cloud tenant. To do that, you have to:
- Obtain a client certificate signed by a trusted certificate authority (CA) in .pem format.
  You can find the list of trusted CAs in the SAP S/4HANA Cloud tenant using the Maintain Certificate Trust List application. See Maintain Certificate Trust List.
- Create a communication user and upload the public key. See Maintain Communication Users.
- Create a communication system and add the communication user as User for Inbound Communication with the authentication method SSL Client Certificate.
  - Log into the SAP Fiori launchpad in the SAP S/4HANA Cloud system.
  - Select the Communication Systems tile.
  - Choose New to create a new system.
  - Enter a system ID and a system name.
  - Choose Create.
  - Enter information about SAP BTP in the Technical Data section.
  - Choose + (Add) under User for Inbound Communication.
  - In the dialog box that appears, select SSL Client Certificate from the Authentication Method drop-down list.
    The username corresponds to the communication user.
  - Choose OK to confirm.
  - Choose Save.
- Create a communication arrangement using an existing scenario, or create a new scenario, that supports client certificate authentication. See Maintain Communication Arrangements.
  You can use the already created communication system. The settings in the Inbound Communication section are filled in automatically. Save the value from the URL field; you will need it when creating a destination in the subaccount in SAP BTP.
You have logged into the SAP BTP cockpit from the SAP BTP landing page for your subaccount.
- In the cockpit, navigate to your subaccount.
- Choose Connectivity > Destinations in the navigation panel.
- Choose New Destination and fill in the following properties:

  | Parameter | Value |
  | --- | --- |
  | Name | Enter a meaningful name. |
  | Type | HTTP |
  | Description | (Optional) Enter a meaningful description. |
  | URL | The service URL from the communication arrangement. Make sure you use the HTTPS protocol; otherwise the ClientCertificateAuthentication option does not appear in the Authentication drop-down list. |
  | Proxy Type | Internet |
  | Authentication | ClientCertificateAuthentication. Once you have selected this option, the system displays the Upload and Delete Certificate link. |

- (Optional) If you are using SAP Business Application Studio to develop your application, you have to specify another set of additional properties. See What is SAP Business Application Studio.
  In the Additional Properties, choose New Property to define the following properties related to the SAP Business Application Studio:

  | Parameter | Value |
  | --- | --- |
  | WebIDEUsage | Specify this property with value odata_gen to consume an OData service in your application. |
  | WebIDEEnabled | If your application does not run on Cloud Foundry, you have to establish a connection to an external system by setting this property to true. |
  | HTML5.DynamicDestination | If your application does not run on Cloud Foundry, you have to establish a connection to an external system by setting this property to true. |
  | product.name | SAP S/4HANA Cloud. The type of the SAP System for which you create this HTTP destination. |
  | communicationScenarioID | The ID of the communication scenario. |

- Choose the Upload and Delete Certificate link to upload your keystore. The keystore format is .jks. When you finish uploading, choose Close.
  The keystore contains the key pair signed by the trusted certificate authority (CA) in Set Up SAP S/4HANA Cloud Side, step 1.
  - From the Key Store Location drop-down menu, select your keystore.
  - In the Key Store Password, enter the keystore password.
- Select the Use default JDK truststore checkbox.
- Save your entries.
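
The procedure starts from a .pem client certificate but the destination expects a .jks keystore. The following added example (not part of the SAP documentation) shows one way to check the certificate against its private key and package both with openssl and keytool. The file names, the alias and the KEYSTORE_PASS environment variable are assumptions, and the private key is assumed to be unencrypted.

```shell
#!/bin/sh
# Added example: turn a PEM client certificate and its private key into a .jks
# keystore. Paths, the alias and KEYSTORE_PASS are placeholders (assumptions).
# Assumes an unencrypted private key and that openssl and keytool are installed.

# Succeed only if the certificate's public key equals the key file's public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# build_jks CERT.pem KEY.pem OUT.jks ALIAS
# The keystore password is read from the exported KEYSTORE_PASS environment
# variable so it does not appear on the command line or in the process list.
build_jks() {
    [ -n "$KEYSTORE_PASS" ] || { echo "KEYSTORE_PASS is not set" >&2; return 1; }
    cert_matches_key "$1" "$2" || {
        echo "certificate and private key do not belong together" >&2; return 1; }
    # -checkend 0 fails if the certificate has already expired.
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null || {
        echo "certificate has expired" >&2; return 1; }

    p12=$(mktemp) || return 1          # intermediate PKCS#12 file, mode 0600
    openssl pkcs12 -export -in "$1" -inkey "$2" -name "$4" \
        -out "$p12" -passout env:KEYSTORE_PASS &&
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass:env KEYSTORE_PASS \
        -destkeystore "$3" -deststoretype JKS -deststorepass:env KEYSTORE_PASS
    rc=$?
    rm -f "$p12"                       # the intermediate file holds the private key
    return "$rc"
}

# Example call (constructed file names):
#   export KEYSTORE_PASS='...'; build_jks client.pem client.key client.jks s4hc-client
```

Delete the local copies of the private key and keystore once the upload is done, or keep them in a secrets store with restricted access.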