cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

CPI->Cloud Connector->S4 using client certificates

JonBlack
Explorer

on ‎06-17-2021 2:47 AM

I'm trying to consume as service in S/4HANA from CPI via the Cloud Connector. In the receiver adapter the only authentication options available are

  • None
  • Basic
  • Principal Propagation

The first two options are no good for as our security team will not endorse those to methods. I can use principal propagation where I have a client (Sender) but I have a problem where the iFlow is started by a Timer event in CPI. In this scenario I have no Principal.

A sample scenario is CPI polls an SFTP site for Journal file produced by another system. It picks up this file and consumes the API in S/4HANA to post the Journal.

My question are:

  1. Can I manually set a Principal in the iFlow
  2. Can the Cloud Connector authenticate to S/4 on my behalf

It seems bizarre that the cloud connector is forcing me to use a less secure authentication method.

I can get secure certificate based authentication if I don't go via the cloud connector but this means I need to expose the S/4 API to the internet which is not ideal.

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (3)

Answers (3)

VijayKonam
Active Contributor
‎02-23-2023 6:41 PM
0 Kudos

Looks like the situation did not change. I do want to use Client Cert based authentication for my backend on-prem S4 systems.

Show replies
Show replies
jawahar30
Member
‎08-10-2023 11:54 AM
0 Kudos

Hi Vijay,
I have been looking for client certificate authentication implementation for cloud connector, please share if you have any documentation it would be helpful.

daviddasilva
Active Contributor
‎06-18-2021 3:10 PM
0 Kudos

Hi Jon,

The Cloud Connector is actually a secure connection to the on-prem system which may explain why you do not need "extra" security.

I'm assuming you have S/4 On-prem? Are APIs also exposed via a communication arrangement? If so, then only the Communication User can ever access the exposed endpoints (at least that is how it works in the Cloud.)

Kind regards,

Show replies
Show replies
JonBlack
Explorer
‎06-22-2021 3:02 AM
0 Kudos

Hi David,

Yes this is for on-prem. The API are just exposed via SOAMANAGER.

The issue I have is that our security team don't want any user to authenticate to the system using BASIC authentication otherwise the user account must have a PWD set in SU01 which is something they don't want.

Cheers

Jon

PriyankaChak
Active Contributor
‎06-17-2021 3:52 PM
0 Kudos

Hi Jon,

Please go through this blog post if it helps.

principal propagation in Cloud Connector

Regards,

Priyanka

Show replies
Show replies
JonBlack
Explorer
‎06-22-2021 3:08 AM
0 Kudos

Hi Priyanka,

I've been through that blog and the SAP help. It implies that we can get the SCC to authenticate but when we tried we still need to provide a principal or BASIC auth from CPI.

Have you managed to get this to work without a principal from CPI?

Cheers

Jon

Ask a Question