Principal Propagation Setup for HTTPS and RFC (SNC) Protocol from SAP BTP to S/4HANA
In this blog, we’ll walk through how to configure Principal Propagation from SAP Business Technology Platform (BTP) to an on-premises S/4HANA system, using SAP Cloud Connector and SAP Web Dispatcher. We configure principal propagation to the S/4HANA system for both HTTPS communication and RFC communication secured with SNC.
About
Principal propagation is the secure process of forwarding a cloud user’s identity from a cloud environment to an on-premise system, enabling single sign-on (SSO) and ensuring the user’s personal authorizations apply. It relies on a trusted relationship between the cloud and on-premises systems, using mechanisms like JSON Web Tokens (JWTs) or certificates to pass the user’s context unchanged, allowing the backend system to recognize the individual user and their permissions.
Scenario: Cloud to On-Premises
- A user logs in to the cloud application. The user’s identity is established by an identity provider (this can be the default IdP for the subaccount or another trusted IdP).
- The cloud application then uses a user exchange token (or a designated secondary header) to propagate the user to the Connectivity service. Optionally, the application may use the Destination service to externalize the connection configuration that points to the target on-premise system.
- The Connectivity service forwards the JWT (that represents the user) to the Cloud Connector.
- The Cloud Connector receives the JWT, verifies it, extracts the attributes, and uses its STS (security token service) component to issue a new token (for example, an X.509 certificate) with the same or similar attributes to assert the identity to the backend (BE1-BEm). The Cloud Connector and the cloud application share the same trust settings.
- The Cloud Connector sends the new token (for example, an X.509 certificate) to the backend system.
Prerequisites
- Ensure that the SAP Cloud Connector (SCC) is installed and its initial setup has been completed. Refer to the SAP Help documentation.
- The Cloud Connector must be connected to your SAP BTP subaccount by adding the subaccount details in the SCC. Refer to the SAP Help documentation.
- Additionally, trust must be established between your subaccount and the SAP Cloud Identity Services tenant. This trust setup allows integration with any corporate identity provider and is essential for enabling Single Sign-On (SSO) in your cloud application. Refer to the SAP Help documentation.
Configuration Steps
Step 1: Configure Principal Propagation to an ABAP System for HTTPS
Step 1.1: Generate Certificates in SAP Cloud Connector (SCC)
We must configure the following certificates in Cloud Connector:
- System Certificate
- CA Certificate
- User Certificate (Subject Pattern for Principal Propagation)
Note: CA-signed certificates are recommended; self-signed certificates also work.
Generating System Certificate
To configure the System Certificate, go to Configuration → On Premise → System Certificate → Create and import a self-signed certificate. Fill the required details in the pop-up window. The Common Name (CN) represents the server’s name protected by the SSL certificate.
Generating CA Certificate
The CA certificate signs the user certificates that the Cloud Connector issues when it forwards a request from the cloud on behalf of a cloud principal.
To create the CA certificate, scroll down to the corresponding section and click on the “Create and import a self-signed certificate” button.
Generating User Certificate
This sample certificate is used to define the mapping rules in the S/4HANA system in transaction CERTRULE.
Scroll down to the Principal Propagation section and edit the Subject Pattern. Select the attributes from the list that should assert the user ID. For example, select ${email} to assert the user by the e-mail address propagated from the cloud.
Click the Create Sample Certificate button.
Choose an e-mail address that already exists in the backend system. Remember that this is only a sample certificate; it is used to create the rule-based mapping on the backend AS ABAP system.
Step 1.2: Add Certificates to the SCC Trust Store
Add the following certificates to the trust store:
- S/4HANA SSL server standard certificate
- Web Dispatcher server certificate
Step 1.3: Synchronize the cloud trust with Subaccount IDP
By default, the Cloud Connector does not trust any issuer of tokens used for principal propagation. For this reason, we must establish trust between the Cloud Connector and the IdP of your subaccount on BTP.
Navigate to “Cloud to On-Premise” and select the Principal Propagation tab. Click Synchronize to populate the trust configuration.
Step 1.4: Configure SAP S/4HANA for Principal Propagation (HTTPS)
Now we will do the required configuration in the ABAP system.
Step 1.4.a: Import Certificates into the ABAP SSL Server Standard (Transaction: STRUST)
The following certificates need to be imported:
- Cloud Connector system certificate, imported into the S/4HANA SSL server standard PSE
- Web Dispatcher client certificate, imported into the S/4HANA SSL server standard PSE
Step 1.4.b: Define Rule-Based Mapping with User Certificate (Transaction: CERTRULE)
Click the “Import Certificate” button to import the user certificate that was downloaded from the Cloud Connector. Under “Certificate Attr.” choose your attribute mapping from the drop-down menu. Under “Login As” select E-Mail and press Enter.
Once you save the new rule, you should see a screen similar to the one below, where both “Mapping Status” and “User Status” are green.
Step 1.4.c: Maintain Reverse Proxy and other parameters in the Default Profile (Transaction: RZ10)
Copy the subject and issuer values from the Web Dispatcher client certificate and from the Cloud Connector system certificate into parameters of the form icm/trusted_reverse_proxy_<x> = SUBJECT="<subject>", ISSUER="<issuer>":
- Select a free index for <x>.
- <subject> is the subject of the certificate (example data: CN=SCC, OU=BTP Scenarios, O=Trust Community, C=DE).
- <issuer> is the issuer of the certificate (example data: CN=MyCompany CA, O=Trust Community, C=DE).
Example: icm/trusted_reverse_proxy_2 = SUBJECT="CN=SCC, OU=BTP Scenarios, O=Trust Community, C=DE", ISSUER="CN=MyCompany CA, O=Trust Community, C=DE"

| Parameter name | Value |
| --- | --- |
| icm/trusted_reverse_proxy_0 | Subject and issuer values copied from the Web Dispatcher client certificate |
| icm/trusted_reverse_proxy_1 | Subject and issuer values copied from the Cloud Connector system certificate |
| login/certificate_mapping_rulebased | 1 |
| icm/HTTPS/verify_client | 1 |
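As an added example (not code from this post or from SAP), the following Python sketches what the two backend settings of Steps 1.4.b and 1.4.c enforce: the forwarding hop must present a client certificate whose SUBJECT and ISSUER match an icm/trusted_reverse_proxy_<x> entry, and the forwarded user certificate must be issued by the Cloud Connector CA before its CN (holding ${email}) is mapped to a logon. All DNs and the e-mail address are constructed sample data.

```python
"""Helpers mirroring the checks behind icm/trusted_reverse_proxy_<x> and CERTRULE.

Added illustration only; SAP's ICM and CERTRULE implement these checks
internally. The DN strings below are constructed sample data.
"""
import re
from typing import Dict, Optional


def parse_dn(dn: str) -> Dict[str, str]:
    """Split an RFC 4514-style DN (comma separated, '\\,' escapes a comma)."""
    attrs: Dict[str, str] = {}
    for part in re.split(r'(?<!\\),\s*', dn):
        key, _, value = part.partition('=')
        attrs[key.strip().upper()] = value.replace('\\,', ',').strip()
    return attrs


def trusted_reverse_proxy_param(index: int, subject: str, issuer: str) -> str:
    """Render one profile line in the format shown in Step 1.4.c."""
    return f'icm/trusted_reverse_proxy_{index} = SUBJECT="{subject}", ISSUER="{issuer}"'


def map_cert_to_login(subject: str, issuer: str, trusted_ca: str,
                      attr: str = 'CN') -> Optional[str]:
    """Mimic a CERTRULE rule with Certificate Attr. = CN and Login As = E-Mail.

    Returns the e-mail to look up in the user master, or None when the
    certificate must be rejected (issuer is not the Cloud Connector CA,
    or the mapped attribute is missing / not an e-mail address).
    """
    if parse_dn(issuer) != parse_dn(trusted_ca):
        return None
    value = parse_dn(subject).get(attr.upper())
    if not value or '@' not in value:
        return None
    return value


# Constructed sample DNs in the style of the example data in the post.
SCC_SYSTEM_CERT = ("CN=SCC, OU=BTP Scenarios, O=Trust Community, C=DE",
                   "CN=MyCompany CA, O=Trust Community, C=DE")
SCC_CA = "CN=SCC CA, O=Trust Community, C=DE"          # Cloud Connector CA cert
USER_CERT_SUBJECT = "CN=jane.doe@example.com"         # subject pattern CN=${email}

if __name__ == "__main__":
    print(trusted_reverse_proxy_param(1, *SCC_SYSTEM_CERT))
    print(map_cert_to_login(USER_CERT_SUBJECT, SCC_CA, SCC_CA))
    # A user certificate from any other issuer is rejected (prints None).
    print(map_cert_to_login(USER_CERT_SUBJECT, "CN=Other CA, O=Other, C=DE", SCC_CA))
```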
Step 1.4.d: Set Logon Procedure to “Required with SSL Certificate” for Relevant SICF Services
To access ICF services via certificate logon, make sure that all required ICF services allow Logon Through SSL Certificate as logon method.
Step 2: Configure SAP Web Dispatcher for Principal Propagation
If you are using an intermediate SAP Web Dispatcher to connect to your ABAP backend system, you must set up a trust chain between the involved components: Cloud Connector, SAP Web Dispatcher, and ABAP backend system.
We need to configure SAP Web Dispatcher to trust the Cloud Connector’s certificate for identity propagation. Both parameters and certificates need to be added.
Make sure your SAP Web Dispatcher supports SSL and is configured to forward SSL certificates for X.509 authentication. Refer to the SAP Help documentation for the prerequisites.
Step 2.1: Import Certificates into SAP Web Dispatcher
The following certificates must be added to the Web Dispatcher PSEs:
- Cloud Connector CA certificate, in the Web Dispatcher server standard PSE (SAPSSLS.pse)
- S/4HANA SSL server standard certificate, in the Web Dispatcher client PSE (SAPSSLC.pse)
Step 2.2: Maintain Required Parameters in Web Dispatcher
Create the icm/trusted_reverse_proxy parameters in the same way as in Step 1.4.c.

| Parameter name | Value |
| --- | --- |
| icm/trusted_reverse_proxy_0 | Subject and issuer values copied from the Cloud Connector CA certificate |
| icm/trusted_reverse_proxy_1 | Subject and issuer values copied from the S/4HANA SSL server standard certificate |
Make sure the icm/HTTPS/verify_client parameter is set to 1 (request certificate) or 2 (require certificate). If it is set to 0, trust cannot be established. The default value is 1, so it is fine if the parameter is not set at all.
Your HTTPS Principal Propagation configuration is now complete for the scenario where a Web Dispatcher is used as an intermediary between the Cloud Connector and the ABAP backend system.
Step 3: Configure Principal Propagation to an ABAP System for RFC using SNC
To enable Principal Propagation over RFC using Secure Network Communication (SNC), follow the steps below.
If you have already configured HTTPS-based principal propagation on the same S/4HANA system, steps such as certificate generation, trust setup, and user mapping (via STRUST and CERTRULE) may already be complete. You then only need to ensure the SNC-specific configuration.
Make sure the SNC setup on the ABAP system is already in place. Ensure the SAP Cryptographic Library is installed on the Cloud Connector host as a prerequisite.
Note: It is important that you use the same SNC implementation on both communication sides. When using the SAP Cryptographic Library, it is recommended that you use an ABAP system SNC identity and a Cloud Connector system identity signed by the same CA for mutual authentication.
Step 3.1: PSE Setup in SAP Cloud Connector for SNC
Step 3.1.a: Log in at OS level on the SCC host, then download and extract the SAP Cryptographic Library. Refer to the SAP Help documentation.
Step 3.1.b: Ensure the environment variables SECUDIR and SNC_LIB are set.
Step 3.1.c: Create the SNC PSE at OS level. Navigate to the Crypto directory and execute the commands below.
Refer to the SAP Help documentation and the following SAP Note:
2642538 – How to enable SNC from external programs to ABAP using SAP RFC Connectors
Create the SNC PSE: sapgenpse gen_pse -p SCC.pse "CN=SCC, OU=<name>, O=<name>, C=<name>"
It is recommended that you have the CSR of the PSE signed by a trusted CA and then import the signed certificate; a self-signed certificate also works.
Import the signed certificate: sapgenpse import_own_cert -p SCC.pse -x <pin> -c SCC.cer -r <RootCA>.cer
Create credentials for the SNC PSE: sapgenpse seclogin -p SCC.pse -O <sccuser>
Note: <sccuser> is the OS user under which the Cloud Connector runs.
Add the ABAP system’s SNC certificate to the Cloud Connector PSE (download it from S/4HANA, STRUST –> SNC): sapgenpse maintain_pk -p SCC.pse -a S4HANA.cer
Step 3.1.d: Once you have created the SNC PSE and imported the required certificates into it, restart the Cloud Connector. The SNC parameters (SECUDIR, library path and SNC name under “My name”) then appear in the Configuration tab of the Cloud Connector UI; log in there to define the SNC name.
Step 3.2: Generate Certificates in Cloud Connector
(This step is identical to the HTTPS scenario Step 1.1. You may skip it if the certificates were already generated during the HTTPS setup.)
Step 3.3: Add Certificates to the Trust Store in SCC
(This step is identical to the HTTPS scenario Step 1.2. The S/4HANA SSL server standard certificate needs to be added.)
Step 3.4: Synchronize Cloud Trust with Subaccount Identity Provider (IdP)
(This step is identical to the HTTPS scenario Step 1.3. You can skip this step if already done.)
Step 3.5: Configure the S/4HANA System for RFC SNC Propagation
Step 3.5.a: Import Certificates into the SSL Server Standard (Transaction: STRUST)
The following certificates need to be added:
- Cloud Connector system certificate, imported into the S/4HANA SSL server standard PSE
- Cloud Connector SNC PSE certificate, imported into the S/4HANA SNC SAPCryptolib PSE
Step 3.5.b: Define Rule-Based Mapping for the user certificate (Transaction: CERTRULE)
(This step is identical to the HTTPS scenario Step 1.4.b. You can skip it if the user mapping has already been configured and the login/certificate_mapping_rulebased parameter is set to 1.)
Step 3.5.c: Configure SNC Identity in the backend system (Transaction: SNC0)
Log in to the backend ABAP system, execute transaction SNC0, and add the Cloud Connector’s SNC identity. Take the SNC name from the SAP Cloud Connector configuration.
Step 4: Create System Mappings in SAP Cloud Connector
We need to create a Mapping Virtual To Internal System in the Cloud To On-Premise tab for your subaccount in the Cloud Connector.
Step 4.1: Map HTTPS Connections to SAP Web Dispatcher
Since we are using a Web Dispatcher as an intermediary to the ABAP backend system, we define the Web Dispatcher host in the HTTPS mapping instead of the ABAP system directly. The flow is:
BTP (Service) –> Cloud Connector –> Web Dispatcher –> S/4HANA
| Parameter | Value |
| --- | --- |
| Backend Type | Other SAP system |
| Protocol | HTTPS |
| Internal Host | Host of the Web Dispatcher |
| Internal Port | Port of the Web Dispatcher |
| Virtual Host | Enter any value, but avoid underscores in the name. |
| Virtual Port | Enter any numerical value. |
| Principal Type | X.509 Certificate (General Usage) |
| Host In Request Header | Use Internal Host |
Select the mapping you just created and add the Resources as per your requirement.
| URL Path | Access Policy |
| --- | --- |
| / | Path and All Sub-Paths |
Step 4.2: Map RFC SNC Connections to S/4HANA Backend
| Parameter | Value |
| --- | --- |
| Backend Type | ABAP System |
| Protocol | RFC SNC |
| Application Server | Host of the S/4HANA backend |
| Instance Number | Instance number of the S/4HANA backend |
| Virtual Application Server | Enter any value, but avoid underscores in the name. |
| Virtual Instance Number | Enter any numerical value. |
| Principal Type | X.509 Certificate (General Usage) |
| SNC Partner Name | ABAP system’s SNC identity name (for example, p:CN=SID, O=Trust Community, C=DE). Copy it from profile parameter snc/identity/as. |
Select the mapping you just created and add the Resources as per your requirement.
| Function Name | Naming Policy |
| --- | --- |
| ZSAP | Exact Name |
| BAPI | Prefix |
Step 5: Create Destination in SAP BTP
Create destinations in the BTP subaccount to allow communication between S/4HANA and SAP BTP over the HTTPS and RFC SNC protocols.
Step 5.1: For the HTTPS scenario, enter the following information:
| Parameter | Value |
| --- | --- |
| Name | S4Hana_HTTP |
| Type | HTTP |
| Proxy Type | OnPremise |
| Location ID | Copy this from the Cloud Connector subaccount overview section |
| URL | http://<host:port as defined in Cloud Connector> |
| Authentication | PrincipalPropagation |
| Additional Properties: sap-client | Client number of your system |
Step 5.2: For the RFC scenario, enter the following information:

| Parameter | Value |
| --- | --- |
| Name | S4Hana_RFC |
| Type | RFC |
| Proxy Type | OnPremise |
| Authentication | PrincipalPropagation |
| Location ID | Copy this from the Cloud Connector subaccount settings |
| Repository User | User ID of a technical user created in S/4HANA |
| Repository Password | Password of that technical user |
| Additional Properties: jco.client.ashost | <virtual host as defined in Cloud Connector> |
| jco.client.client | Client number in SAP S/4HANA |
| jco.client.sysnr | <virtual instance number as defined in Cloud Connector> |
Conclusion
By completing these steps, you have successfully configured Principal Propagation from SAP BTP to your on-premises ABAP system for both HTTPS and RFC (via SNC) communication. You can now integrate any SAP BTP service and use Principal Propagation as the authentication method to ensure secure, user-specific access.
For troubleshooting Cloud Connector principal propagation over HTTPS, refer to the SAP Help documentation.
Feel free to share your feedback or questions in the comments.😊