SAP CC Secured Connection (3.2)
In one-way mode, only the SAP CC Client validates the SAP CC Core Server, to ensure that it receives data from the intended SAP CC Core Server. To implement one-way mode, the SAP CC Core Server shares its certificate(s) with the SAP CC Client.
To allow SAP CC agents to connect to the SAP CC Core Server with TLS enabled, you must:
Configure the SAP CC Core Server with one-way authentication for the respective instance and services.
Configure the client to trust the SAP CC Core Server.
Configure SAP CC Core Server
To secure an SAP CC Core Server communication service, follow this SAP Support page: Secure an SAP CC Core Server communication service
Before we can start configuring the SAP CC Core Server, we need to know that SAP CC agents in MZ connect to the Dispatcher instance through the TCP/IP layer:
SAP CC Architecture Diagram including SAP CM() as a third party element.
Info!
For more information, please read Identifying services involved in the Client/Server communication
For our case, you will turn on one-way mode for the ExternalSecure targeted service on the Dispatcher instance.
Example!
Example SAP CC Core Server Instance Map:
#InstanceId ; HCISecure ; HCIHost ; HCIPort ; WSSecure ; WSHost ; WSPort ; ExternalSecure ; ExternalHost ; ExternalPort ; InternalSecure ; InternalHost ; InternalPort
updater#1 ; off ; ec2-13-229-84-66.ap-southeast-1.compute.amazonaws.com ; 9000 ; off ; ec2-13-229-84-66.ap-southeast-1.compute.amazonaws.com ; 9080 ; ; ; ; ; ;
dispatcher#1 ; off ; ec2-13-229-84-66.ap-southeast-1.compute.amazonaws.com ; 9100 ; off ; ec2-13-229-84-66.ap-southeast-1.compute.amazonaws.com ; 9180 ; oneway ; ec2-13-229-84-66.ap-southeast-1.compute.amazonaws.com ; 2000 ; off ; ec2-13-229-84-66.ap-southeast-1.compute.amazonaws.com ; 2100
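An instance map like the one above can be checked mechanically before agents are pointed at it. The following is an added example, not SAP's or the product's own code: it parses the map, confirms that the External service of the Dispatcher instance is set to oneway, and lists every configured service whose secure mode is still off. The function names are hypothetical, and treating an empty Secure value as off is an assumption.

```python
# Added example (hypothetical helper names); SAMPLE_MAP is the example map from this page.
HOST = "ec2-13-229-84-66.ap-southeast-1.compute.amazonaws.com"
SAMPLE_MAP = f"""\
#InstanceId ; HCISecure ; HCIHost ; HCIPort ; WSSecure ; WSHost ; WSPort ; ExternalSecure ; ExternalHost ; ExternalPort ; InternalSecure ; InternalHost ; InternalPort
updater#1 ; off ; {HOST} ; 9000 ; off ; {HOST} ; 9080 ; ; ; ; ; ;
dispatcher#1 ; off ; {HOST} ; 9100 ; off ; {HOST} ; 9180 ; oneway ; {HOST} ; 2000 ; off ; {HOST} ; 2100
"""


def parse_instance_map(text):
    """Return {instance_id: {service: (mode, host, port)}} for configured services."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("#"):
        raise ValueError("instance map must start with a '#' header line")
    header = [h.strip() for h in lines[0].lstrip("#").split(";")]
    services = [h[:-len("Secure")] for h in header if h.endswith("Secure")]
    result = {}
    for ln in lines[1:]:
        fields = [f.strip() for f in ln.split(";")]
        if len(fields) != len(header):
            raise ValueError(f"expected {len(header)} fields, got {len(fields)}: {ln!r}")
        row = dict(zip(header, fields))
        configured = {}
        for svc in services:
            mode, host, port = row[svc + "Secure"], row[svc + "Host"], row[svc + "Port"]
            if host and port:  # empty host/port: service not configured on this instance
                # Assumption: an empty Secure value on a configured service means "off".
                configured[svc] = (mode.lower() or "off", host, int(port))
        result[row["InstanceId"]] = configured
    return result


def unsecured_services(instances):
    """List (instance, service, port) for every configured service whose mode is 'off'."""
    return [(inst, svc, port) for inst, svcs in instances.items()
            for svc, (mode, _host, port) in svcs.items() if mode == "off"]


def external_is_oneway(instances, instance_id):
    """True if the External service of the given instance is set to 'oneway'."""
    mode, _host, _port = instances[instance_id].get("External", ("off", "", 0))
    return mode == "oneway"


if __name__ == "__main__":
    parsed = parse_instance_map(SAMPLE_MAP)
    print("dispatcher#1 External one-way:", external_is_oneway(parsed, "dispatcher#1"))
    for inst, svc, port in unsecured_services(parsed):
        print(f"TLS off: {inst} {svc} port {port}")
```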
Configure MZ To Trust SAP CC Core Server
Take the SAP CC Core Server’s public certificate (X.509v3 format encoded in DER), and configure the MZ client to trust the SAP CC Core Server.
One example method is to use the keytool command to add this server certificate to a client truststore, and then use this truststore for your SAP CC agent.
Example!
Import the server certificate “certificate.x509.pem” to generate the “client.truststore” file.
keytool -importcert -alias sapcc -file certificate.x509.pem -keystore client.truststore -storetype pkcs12 -storepass examplepw
In the SAP CC agent, tick the Enable Secured Connection checkbox and configure the following fields:
Keystore Path: /path/to/client.truststore
Keystore Password: examplepw
Note!
The SAP CC agent only supports a keystore that is in PKCS#12 format.