This is the second part (click here for the first part) of the two blogs to describe how SAP Mobile Documents running on the HANA Cloud Platform can be connected to an on-premise KM system using SAP Assertion tickets. However, the trust settings will apply to any other application that you want to connect from HCP to an AS Java system.

0. Prerequisites

The SAP Assertion Ticket technology requires the user names to be identical for the HCP application and the AS Java System.

1. Set up trust with SAP Assertion Tickets

In the first part I described how to connect SAP Mobile Documents on HCP to an on premise KM (AS Java) using a service user connection.

In this second part, I describe how to use the same user in AS Java (KM) using the SAP Assertion Ticket technology.

For more information about AS Java and SAP Assertion Tickets see the official documentation.

To enable the trust I did create a signing certificate for the HCP destination with the AS Java, as there is no option in HCP to create one. To simplify the overall process, I created this certificate directly in the view LogonTicketKeypair. By doing so, you automatically have the certificate trust enabled.

2. Creating a Signing Certificate for the HCP Destination

In the AS Java system, go to the NetWeaver Administrator of your AS Java (https://<YourServerURL>:<Port>/nwa).

Search for Key

Click on Key Storage

Select View TicketKeystore

In the tab View Entries click Create

Enter the following values:

Choose a meaningful name for the HCP certificate

Select the algorithm DSA

Leave the Key Length and Validity (or change them according to your needs)

Select Store Certificate

Click Next

Enter the country name value (e.g. DE for Germany - this does not have a functional affect)

Enter the commonName for the HCP destination (e.g. HCP) - this will identify the HCP as a client.

Click Next

As in this case I chose to create a self signed certificate, I skipped this screen. If you choose to have your certificate signed by some other certificate authority, you could select a signing key pair here.

Click Next

In the summary, just click Finish

The certificate and the private key is now available in the list (you can distinguish them by the description in column Entry Type).

3. Exporting the Certificate

You can now export the HCP certificate to put it into the trust ACL of the AS Java.

To do this, select the certificate entry (with postfix -cert) and click Export Entry

Choose the export format Base64 X.509

Click Download

Save the file on your hard drive.

In addition, export the HCP certificate including the private key (to import into the HCP destination later):

Select the HCP certificate (with Entry Type PRIVATE KEY)

Click Export Entry

Select PKCS#12 Key Pair as the export format

Provide a password to protect access to the export.

Click Generate

Click Download

Save the file on your hard disk.

4. Maintain Trusted Systems List of AS Java

To finalize the trust settings of the newly created certificate to the AS Java, you need to add it to the list of Trusted Systems.

Navigate to the NetWeaver Administrator - Configuration Management - Security Management - Trusted Systems (/nwa/trusted-systems)

In Trusted Systems view select Add Trusted System - By Uploading Certificate Manually

Enter a System ID for the HCP destination (e.g. HCP)

Enter 000 as the client

Upload the certificate file (not the one containing the private key) that you have exported before.

Click Next

Click Finish

Now you have done all the steps required to set the trust in the AS Java System.

You now need to enter the certificate and the private key into the HCP destination fields.

Before you can do this, you need to convert it to a .pem file.

5. Converting the HCP Certificate into the Correct Format for HCP

To convert the .p12 file to a PEM format that allows you to copy and paste the required information, I used an Open Source tool called OpenSSL.

It is available for different platforms. Just google for it and install it on your local machine.

Once installed, to make life easier, copy the .p12 file that you have exported in one of the previous steps into the OpenSSL sub-folder bin

Open a Command Prompt Window and navigate into the bin subfolder of the OpenSSL installation.

I converted the .p12 file to a so-called .pem file using the following command (the file name of my file is HCPCert.p12):

openssl.exe pkcs12 -in HCPCert.p12 -out HCPCert.pem -nodes

This will create a file called HCPCert.pem in the .bin directory.

You will need this file in the next configuration step.

6. Change the HCP Destination to use SAP Assertion Tickets

Navigate into the HCP Cockpit of your HCP account.

Navigate to Destinations on the left navigation menu

Open the destination that you did create in the previous step (or create a new one)

Switch the Authentication to SAPAssertionSSO

Maintain the Issuer SID and Client (this needs to be the SID that you have entered in the Trusted Systems list in chapter 4.)

Maintain the Recipient SID and Client (This info you find also the screen Trusted Systems under Accepting System)

Open the .pem file (that you have generated in the previous step) with Wordpad.

It will look similar to this one here:

Now copy the text between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE---- and paste it into the Certificate field of the HCP destination.

Copy the text between -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY---- and paste it into the Signing Key field of the HCP destination.

Click Save.

Now you have done all required steps -- Ufff! :smile:

To check if the SAP Mobile Documents Connection to KM is working, go to the Web UI of SAP Mobile Documents and click on Corporate.

If you now create a text file within the KM repository from Mobile Documents, you will see that it is now created with the user that is logged on to SAP Mobile Documents.