AX4: Configure SAP Gateway

Task: Set up the connection between SCP system to SAP Cloud Connector and SAP ECC

On the SAP backend, only few transactions will be required:

Update: RZ11, STRUST, CERTRULE, SICF and SMICM.

Step 1: Accessing a service through HTTP

  1. In SAP go to transaction SICF. and click execute.

Preparation menu

  1. Activate by drilling to the path = /sap/bc/soap/rfc in SICF transaction in SAP application. To check and test the service go to transaction SICF and drill down the structure to the following:

SAP->BC->PING

Preparation menu

Right click on the ping and select “Test Service”. Your browser will open and navigate to a similar URL to this one: http://vmw6281.wdf.sap.corp:50000/sap/bc/ping.

NOTE: If you don’t know, which port to use, you can check it from the third icon in transaction SMICM called “Service”

Preparation menu

Step 2: Enabling Certificate Based Login

In order to have the Gateway request a certificate rather than prompt for a username and a password, certain profile parameters need to be maintained. This configuration is done using the transaction RZ10

  1. In SAP go to transaction RZ10.. Choose the instance profile (could also be the DEFAULT profile) and mark the Extended maintenance radio button and then press the Change button. If you need help ask your instructor

Preparation menu

Note: You can view profiles of active server by going to : Utilities –> Check all profiles –> of active server

Preparation menu

  1. The screenshot above shows the instance profile for our backend.Pressing the new parameter button will allow you to insert a new parameter into the profile by presenting the screen below.

  2. Here we need to maintain the 4 profile parameters listed below. *You can use the Default profile


1. login/certificate_mapping_rulebased = 1

This parameter allows the GW to map, based on a rules defined in CERTRULE, the identity contained in an identity certificate received during the authentication with an internal user.

2. icm/HTTPS/verify_client = 1 

This parameter instructs the GW to request a certificate from clients trying to access any resource in the GW.

3. icm/HTTPS/trust_client_with_issuer = "Copy the values CA certificate from previous exercise. See the image below. 

Value corresponding to the Issuer of the SAP Cloud Connector System Certificate. This parameter contributes to the establishment of a trust between the SAP Cloud Connector and the SAP Gateway System.

4. icm/HTTPS/trust_client_with_subject 

Value corresponding to the subject of the SAP Cloud Connector System Certificate.This parameter contributes to the establishment of a trust between the SAP Cloud Connector and the SAP Gateway System.

Preparation menu

Update the above parameters by clicking new parameter button as mentioned in the previous step which will allow you to insert a new parameter into the profile by presenting the screen below. To save the values click «(green icon) to get a popup to save.

Preparation menu

Preparation menu

Step 3: Mapping your SCP email to SAP user.

  1. Go to transaction SU01 in SAP. Input your user name and click edit.

Preparation menu

  1. Map the email ID in the communication section of su01 and save.

Preparation menu

Step 4: Configuring the backend for Principal Propagation

  1. In transaction STRUST, the issuer of the certificate we used in the previous section needs to be added to the Certificate list of the SSL server Standard. Upload your CA certificate downloaded from your Cloud connector and save.

Preparation menu

Step 5: Configuring the Certrule

  1. Now that the system requests a certificate as its primary login mechanism, we need to complement this configuration by configuring a rule that helps identify the individual user being authenticated.

  2. Login to SAP transaction CERTRULE. Click the arrow near the subject to load the SCP principle propogation certificate (the certificate that you generated by giving your scp email address) downloaded from your Cloud connector.

  3. Click +Rule option for rule entry pop-up screen.

  4. Change login as value to email and click green tick mark and save.

Preparation menu

Step 6: Configuration of the SAP Cloud Platform

We will simply create a destination using the details from the virtual system we created in our SAP Cloud connector.

  1. Login to your SAP Cloud Platform –>Go to your trial page and access destination Path –>Click Create New Destinations. Update the following entries.

Name: Use the virtual host you provided in Cloud connector (sapgedemo)
Type: Choose HTTP
URL:  httt://"use your virtual host and port you in Cloud connector
Proxy Type: Onpremise
Authentication: Principle propogation 

You can click on New Property and add the following property


Add this value by copying PropogationAccount: True
sap-client: You SAP client
WebIDEEnabled: True
WebIDESystem:S4E

Preparation menu

  1. Click Save. Once you have saved the destination, pressing the check connection button provides a simple verification of the settings. This check is limited to connectivity.
Congratulations! You have now set up principal propagation using the HTTPS scenario.