4.2 L’etapa Rubió: 1920-1925
4.2.2 La vida de les biblioteques
7.1 Technical Landscape for On Premise-On Demand Integration
As one example for certificate-based connectivity, customer intends to connect a customer-based SAP on-premise system (based on SAP Application Server ABAP with SAP HCI.
The following figure illustrates the required keystores and security artifacts for the mentioned landscape.
Note
We use the following abbreviations in this documentation:
● AS for SAP Application Server
● WD for SAP Web Dispatcher
● HCI for SAP HANA Cloud Integration
Connecting a Customer System to SAP HCI Specific Use Cases
P U B L I C
© 2016 SAP SE or an SAP affiliate company. All rights reserved. 117
In the proposed system landscape, SAP Web Dispatcher is used in the on premise customer landscape to receive incoming calls from SAP HCI. SAP Web Dispatcher (as reverse proxy) is the entry point for HTTPS requests into the customer system landscape.
Communication SAP HCI to SAP Application Server
In the proposed landscape, two SSL connections have to be implemented on the way in between HCI and AS, because SAP Web Dispatcher - interconnected in between - terminates all SSL calls from SAP HCI. Therefore, the folowing traust relationships have to be implemented:
● Trust relationship between SAP Web Dispatcher and SAP HCI.
As this connection spans the Internet, it is strongly recommended to use certificates that are signed by a certification authority (CA) that both parties (SAP Web Dispatcher and SAP HCI) trust.
● Trust relationship between SAP Web Dispatcher and AS.
As this connection resides within the customer landscape, it might be an option to use self-signed certificates for this connection.
Note
For reasons of simplicity, within this guide we assume that self-signed certificates are used for this connection.
The following table summarizes the required certificates and the related keystores.
Table 30: Keystores
Keystore Certificate/Key Description
HCI client keystore HCI client certificate (private and public key)
Required to authenticate SAP HCI as sender of messages.
This security artifact has to be gener
ated at SAP side and contains the pub
lic and private key of SAP HCI.
The certificate has to be signed by a certification authority (CA) that both SAP (HCI) and the customer (WD) trust.
WD server root certificate (of the CA that has signed the server certificate)
Required to authenticate WD as re
ceiver od messages.
This certificate identifies the CA that has signed the WD server certificate.
WD server keystore (SSL server PSE)
HCI client root certificate Required to identify SAP HCI as trusted communication partner.
This certificate identifies the CA that has signed the HCI client certificate.
118
P U B L I C
© 2016 SAP SE or an SAP affiliate company. All rights reserved.
Connecting a Customer System to SAP HCI Specific Use Cases
Keystore Certificate/Key Description
WD server certificate Required to authenticate WD as trusted communication partner to receive calls.
This certificate is signed by the CA to which both WD and HCI have estab
lished a trust relationship.
WD client keystore (SSL client PSE)
WD client certificate (private and public key)
Required to authenticate WD as sender of messages.
This security artifact has to be gener
ated at customer side and contains the public and private key of the WD.
As the related communication path re
sides within the customer landscape, it might be sufficient to use a self-signed certificate.
Note
Customers can extend the use case in a way that also this certificate is signed by a CA. This is not covered in this guide.
AS server keystore (SSL server PSE)
WD client certificate (public key) Required to authenticate WD as sender of messages.
This public key has to be imported it into the AS server keystore.
Communication SAP Application Server to SAP HCI
In the proposed landscape, the SSL connection is not terminiated on the way in between AS and SAP HCI (transparent proxy). Therefore, a trust relationship has to be set up between AS and SAP HCI.
As this connection spans the Internet, it is strongly recommended to use certificates that are signed by a certification authority (CA) that both parties (AS and HCI) trust.
The following table summarizes the required certificates and the related keystores.
Connecting a Customer System to SAP HCI Specific Use Cases
P U B L I C
© 2016 SAP SE or an SAP affiliate company. All rights reserved. 119
Table 31: Keystores
Keystore Certificate/Key Description
AS client keystore AS client certificate (private and public key)
Required to authenticate AS as sender of messages.
This security artifact has to be gener
ated at customer side and contains the public and private key of AS.
The certificate has to be signed by a certification authority (CA) that both SAP (HCI) and the customer (AS) trust.
HCI server root certificate Required to authenticate SAP HCI as trusted receiver of messages.
This certificate identifies the CA that has signed the HCI server certificate.
HCI server keystore AS client root certificate Required to authenticate AS as sender of messages.
This certificate identifies the CA that has signed the AS client certificate.
This artifact has to be provided by the customer for SAP during the connec
tion setup process, and the expert at SAP side has to import it into the HCI server keystore.
HCI server certificate Required to authenticate HCI as trusted communication partner to re
ceive calls.
This certificate is signed by the CA to which both AS and HCI have estab
lished a trust relationship.
You can find more information on this landscape in the Technical Connectivity Guide for SAP Cloud for Travel:
at https://service.sap.com/ondemand under SAP Cloud for Travel and Expense.
120
P U B L I C
© 2016 SAP SE or an SAP affiliate company. All rights reserved.
Connecting a Customer System to SAP HCI Specific Use Cases
Important Disclaimers and Legal Information
Coding Samples
Any software coding and/or code lines / strings ("Code") included in this documentation are only examples and are not intended to be used in a productive system environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, unless damages were caused by SAP intentionally or by SAP's gross negligence.
Accessibility
The information contained in the SAP documentation represents SAP's current view of accessibility criteria as of the date of publication; it is in no way intended to be a binding guideline on how to ensure accessibility of software products. SAP in particular disclaims any liability in relation to this document. This disclaimer, however, does not apply in cases of wilful misconduct or gross negligence of SAP. Furthermore, this document does not result in any direct or indirect contractual obligations of SAP.
Gender-Neutral Language
As far as possible, SAP documentation is gender neutral. Depending on the context, the reader is addressed directly with "you", or a gender-neutral noun (such as
"sales person" or "working days") is used. If when referring to members of both sexes, however, the third-person singular cannot be avoided or a gender-neutral noun does not exist, SAP reserves the right to use the masculine form of the noun and pronoun. This is to ensure that the documentation remains comprehensible.
Internet Hyperlinks
The SAP documentation may contain hyperlinks to the Internet. These hyperlinks are intended to serve as a hint about where to find related information. SAP does not warrant the availability and correctness of this related information or the ability of this information to serve a particular purpose. SAP shall not be liable for any damages caused by the use of related information unless damages have been caused by SAP's gross negligence or willful misconduct. All links are categorized for transparency (see: http://help.sap.com/disclaimer).
Connecting a Customer System to SAP HCI Important Disclaimers and Legal Information
P U B L I C
© 2016 SAP SE or an SAP affiliate company. All rights reserved. 121
go.sap.com/registration/
contact.html
© 2016 SAP SE or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice.
Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies.
Please see http://www.sap.com/corporate-en/legal/copyright/
index.epx for additional trademark information and notices.