Ax3: Certificates for SCP
Task: Configuring the certificates on the SAP Cloud Connector
NOTE: Please take some time to review the section below before starting on the config steps themselves. It will save a lot of time in troubleshooting at a later stage if these steps are executed precisely and you also know the reasoning behind each of these steps.
The configuration in the cloud connector relevant to Principal Propagation relies on three different configuration elements: System Certificate, CA Certificate and, finally, the principal propagation itself.
➡️ In a nutshell, the configuration of each certificate is done in three steps.
- We generate a certificate signing request.
- We use the PKI to sign the certificate
- Finally, we upload the signed certificate in the appropriate place of the Cloud Connector.
Step 1: Generate System Certificate
- In our implementation, we use the following values for the System and CA certificate:
For CN you can use the same virtual host that you gave for Cloud connector tunnel setup.
- Access configuration and Click Onpremises option. In the system certificate section -> Click Generate certificate sign in and input the above values.
Step 2: Generate CA Certificate
- Access configuration and Click Onpremises option. In the CA certificate section -> Click Generate certificate sign as mentioned in above steps after you input the same values
- Download the CA certificate by clicking the download option.
Step 2: Principal Propagation
Under Principal Propagation generate a sample certificate (the first icon in the row). One of the roles of the sample certifcate in the context of Principal propagation is to generate short-lived certificates based on some identity information retrieved from the logged in user.
- Access configuration and Click Onpremises option. In the Principle propogation section -> Click Generate certificate sign. Input the email ID that was used for the SCP account to generate the dummy certificate. Save the generated certificate for later use.
Note: You will upload the dummy user certificate in cloud connector for using in CERTRULE transaction.