On the SAP backend, only a few transactions are required:
Update: RZ11, STRUST, CERTRULE, SICF and SMICM.
SAP->BC->PING
Right-click the ping service and select “Test Service”. Your browser will open and navigate to a URL similar to this one: http://vmw6281.wdf.sap.corp:50000/sap/bc/ping.
NOTE: If you don’t know which port to use, you can check it from the third icon in transaction SMICM, called “Service”.
To have the Gateway request a certificate rather than prompt for a username and password, certain profile parameters need to be maintained. This configuration is done using transaction RZ10.
Note: You can view the profiles of the active server by going to: Utilities –> Check all profiles –> of active server
The screenshot above shows the instance profile for our backend. Pressing the new parameter button lets you insert a new parameter into the profile by presenting the screen below.
Here we need to maintain the 4 profile parameters listed below. (You can use the Default profile.)
1. login/certificate_mapping_rulebased = 1
This parameter allows the GW to map the identity contained in an identity certificate received during authentication to an internal user, based on the rules defined in CERTRULE.
2. icm/HTTPS/verify_client = 1
This parameter instructs the GW to request a certificate from clients trying to access any resource in the GW.
3. icm/HTTPS/trust_client_with_issuer = copy the value from the CA certificate from the previous exercise (see the image below).
Value corresponding to the Issuer of the SAP Cloud Connector System Certificate. This parameter contributes to the establishment of a trust between the SAP Cloud Connector and the SAP Gateway System.
4. icm/HTTPS/trust_client_with_subject
Value corresponding to the subject of the SAP Cloud Connector System Certificate. This parameter contributes to the establishment of a trust between the SAP Cloud Connector and the SAP Gateway System.
Update the above parameters by clicking the new parameter button as mentioned in the previous step, which lets you insert a new parameter into the profile by presenting the screen below. To save the values, click << (green icon) to get a popup to save.
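A quick way to review the result of this step, as an added example that is not part of the original tutorial: the script below checks a plain-text excerpt of the profile against the four parameters listed above. It assumes the profile is available as `name = value` lines; the function names and the sample DNs and profile are constructed for illustration.

```python
# Values this page sets for the two switch parameters.
EXPECTED = {
    "login/certificate_mapping_rulebased": "1",
    "icm/HTTPS/verify_client": "1",
}
# Parameters that must carry the Cloud Connector system certificate DNs.
DN_PARAMS = {
    "icm/HTTPS/trust_client_with_issuer": "issuer",
    "icm/HTTPS/trust_client_with_subject": "subject",
}

def parse_profile(text):
    """Parse 'name = value' lines; lines starting with '#' are comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)  # DN values contain '=' themselves
        params[name.strip()] = value.strip()
    return params

def norm_dn(dn):
    """Ignore spacing around ',' so 'CN=a,O=b' compares equal to 'CN=a, O=b'."""
    return ",".join(part.strip() for part in dn.split(","))

def check_profile(text, cert_dns):
    """Return a list of findings; an empty list means the profile matches."""
    params, findings = parse_profile(text), []
    for name, want in EXPECTED.items():
        got = params.get(name)
        if got != want:
            findings.append(f"{name}: expected {want}, found {got}")
    for name, field in DN_PARAMS.items():
        got = params.get(name)
        if not got:
            findings.append(f"{name}: not set")
        elif norm_dn(got) != norm_dn(cert_dns[field]):
            findings.append(f"{name}: does not match certificate {field}")
    return findings

# Constructed sample data (not from a real system).
CERT_DNS = {"issuer": "CN=Example CA, O=Example, C=DE",
            "subject": "CN=scc.example.internal, O=Example, C=DE"}
SAMPLE_PROFILE = """\
# instance profile excerpt (constructed)
login/certificate_mapping_rulebased = 1
icm/HTTPS/verify_client = 0
icm/HTTPS/trust_client_with_issuer = CN=Example CA,O=Example,C=DE
"""
```

Calling `check_profile(SAMPLE_PROFILE, CERT_DNS)` reports the wrong `verify_client` value and the missing subject parameter; the whitespace normalization applies only to this comparison and says nothing about how the SAP kernel matches DNs.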
Now that the system requests a certificate as its primary login mechanism, we need to complement this configuration by configuring a rule that helps identify the individual user being authenticated.
Log in to SAP and open transaction CERTRULE. Click the arrow near the subject to load the SCP principal propagation certificate (the certificate that you generated by giving your SCP email address) downloaded from your Cloud Connector.
Click the +Rule option to open the rule entry pop-up screen.
Change the "login as" value to email, click the green tick mark, and save.
We will simply create a destination using the details from the virtual system we created in our SAP Cloud connector.
Name: Use the virtual host you provided in Cloud connector (sapgedemo)
Type: Choose HTTP
URL: http://<the virtual host and port you used in Cloud Connector>
Proxy Type: OnPremise
Authentication: Principal propagation
You can click on New Property and add the following property
Add this value by copying PropogationAccount: True
sap-client: Your SAP client
WebIDEEnabled: True
WebIDESystem: S4E
Congratulations! You have now set up principal propagation using the HTTPS scenario.