Secure Communication for Outbound Integration
Secure communication is required in all integration
scenarios that connect SAP S/4HANA Cloud to
other systems.
These outbound integration scenarios may include:
other SAP cloud systems
your on-premise systems
third party systems (cloud, non-cloud)
A connection between SAP S/4HANA Cloud and the
external system is established in two steps. In the
first step, the SAP S/4HANA Cloud system validates
the identity of the external system to ensure that
no man-in-the-middle is impersonating it. In the
second step, SAP S/4HANA Cloud authenticates
against the external system (if the external system
requires it).
Step 1: SAP S/4HANA Cloud Verifies the Identity of
the External System
When establishing the secure communication, the
external system must prove its identity using a
server certificate that is signed by a trusted
certificate authority (CA).
For secure communication to SAP-owned systems
and services, SAP S/4HANA Cloud contains a
preconfigured list of trusted CAs (marked
as Managed By SAP, not changeable by
customers).
For integration to non-SAP systems, you can
maintain the list of trusted CAs (Managed By
Customer) in the Maintain Certificate Trust
List app.
Expiration of Certificates of Trusted CAs
When a certificate from the list of trusted
certificates reaches its expiration date, it needs to
be deleted from the list in your SAP S/4HANA
Cloud system. You can do this using the Maintain
Certificate Trust List app.
For certificates that are managed by SAP, you
update the list of certificates in the same app.
You can choose between manual and automatic
updating. When you check for updates manually,
you will be prompted to select which updates
you’d like to apply, if any are available. If you
choose to set up automatic updating instead, you
can select if you’d like to apply updates regarding
both newly introduced and deleted certificates, or
only new certificates. These changes will be
applied by the system each time the global
certificate trust list is updated by SAP.
Certificates that have been added manually need
to be deleted manually as well.
Remember
If the server certificate of an external system that
SAP S/4HANA Cloud communicates with is signed by
a root CA certificate that is about to expire, add
the successor root CA certificate to the trust list
before the old one expires, and make sure the
external system switches to a server certificate
that chains to the new root. Otherwise, the
communication will fail: a server certificate is
rejected as soon as the root CA certificate it
chains to has expired, even if the server
certificate itself is still valid.
Step 2: SAP S/4HANA Cloud Authenticates as Client
Different methods can be used to authenticate.
The availability of these options depends on the
capabilities of the external system.
The credentials for outbound communication are
configured in the Maintain Communication
Systems app.
Authentication Using a Client Certificate (mTLS)
For authentication against an external system, SAP
S/4HANA Cloud may use the certificate-based
authentication method. In this method, SAP
S/4HANA Cloud presents a client certificate to the
external system.
The client certificate is linked to a private key that
serves as a secret for identifying SAP S/4HANA
Cloud. The client certificates must be trusted by
the target system or be signed by a CA the target
system trusts.
Expiration of Client Certificates and the Default
Client Certificate
When a client certificate expires, the external system
will no longer accept it for authentication.
Consequently, your SAP S/4HANA Cloud system
will no longer be able to connect to the external
system. You must renew the trust between the two
systems before this happens: upload a new client
certificate together with its private key in the
Maintain Client Certificates app, and make the
corresponding public key (the certificate) known
to the external system.
Every SAP S/4HANA Cloud system has a default
client certificate that you can use for
authentication. When this certificate is about to
expire, a new one will automatically be created in
the system. You must exchange the old certificate
for the new one in all relevant communication
systems. In the Communication Systems app, you
can also download the public key of the certificate
to upload it to your external system.
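The two steps above, played end to end in one process, as an added example that is not part of the SAP documentation or of SAP's software. The Go program below uses only the standard library: the external system is a TLS server that requires a client certificate, SAP S/4HANA Cloud is a TLS client with a trust list, and both run over loopback TCP. Everything in it is constructed for the example: the CA and certificate names (customer-root-ca, external.example, s4-default-client-cert), the one-year and already-expired validity windows, and the assumption that the default client certificate is self-signed and that the external system pins its public part rather than trusting a CA (the documentation allows either).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue mints a certificate for cn, self-signed unless a signer is given; notAfter builds the expiry cases.
func issue(cn string, isCA bool, notAfter time.Time, signer *tls.Certificate) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // unique enough here: no CA in this example issues twice
		Subject:      pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	parent, parentKey := tmpl, any(key) // self-signed by default
	if signer != nil {
		parent, parentKey = signer.Leaf, signer.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// trust builds a pool: the trust list on the S/4HANA side, or the client certificates pinned by the external system.
func trust(certs ...tls.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range certs {
		p.AddCert(c.Leaf)
	}
	return p
}

// connect plays one outbound call over loopback TCP (goroutine = external system, caller = S/4HANA Cloud);
// nil means the external system verified the client certificate and answered.
func connect(serverCfg, clientCfg *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		if conn, err := ln.Accept(); err == nil {
			defer conn.Close()
			if conn.(*tls.Conn).Handshake() == nil { // Step 2: the client certificate is verified here
				conn.Write([]byte("ok\n"))
			}
		}
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), clientCfg) // Step 1: the server certificate is verified here
	if err != nil {
		return err
	}
	defer c.Close()
	_, err = c.Read(make([]byte, 3)) // a TLS alert sent by the external system surfaces as an error here
	return err
}

// Scenarios runs the cases from Step 1 and Step 2; a nil value means the call went through.
func Scenarios() map[string]error {
	inAYear, expired := time.Now().Add(8760*time.Hour), time.Now().Add(-30*time.Minute)
	customerCA := issue("customer-root-ca", true, inAYear, nil)       // trust-list entry, Managed By Customer
	server := issue("external.example", false, inAYear, &customerCA) // the external system's server certificate
	client := issue("s4-default-client-cert", false, inAYear, nil)   // self-signed default client certificate (assumption)
	external := func(srv tls.Certificate, pinned ...tls.Certificate) *tls.Config { // requires a pinned client cert
		return &tls.Config{Certificates: []tls.Certificate{srv}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: trust(pinned...)}
	}
	s4 := func(cli tls.Certificate, trustList ...tls.Certificate) *tls.Config { // trust list + client certificate
		return &tls.Config{RootCAs: trust(trustList...), ServerName: "external.example", Certificates: []tls.Certificate{cli}}
	}
	mitmCA := issue("untrusted-ca", true, inAYear, nil)               // Step 1 failure: CA not in the trust list
	oldCA := issue("expiring-root-ca", true, expired, nil)            // Remember note: the trusted root has expired
	oldClient := issue("s4-default-client-cert", false, expired, nil) // Step 2 failure: client certificate expired
	newClient := issue("s4-default-client-cert", false, inAYear, nil) // rotation: newly generated client certificate
	return map[string]error{
		"ok":                   connect(external(server, client), s4(client, customerCA)),
		"untrusted_server_ca":  connect(external(issue("external.example", false, inAYear, &mitmCA), client), s4(client, customerCA)),
		"expired_root_ca":      connect(external(issue("external.example", false, inAYear, &oldCA), client), s4(client, oldCA)),
		"expired_client_cert":  connect(external(server, oldClient), s4(oldClient, customerCA)),
		"rotated_not_uploaded": connect(external(server, client), s4(newClient, customerCA)),            // old public key still pinned
		"rotated_uploaded":     connect(external(server, client, newClient), s4(newClient, customerCA)), // new public key uploaded
	}
}
```

Scenarios() returns one error per case; nil is expected only for ok and rotated_uploaded. expired_root_ca is the situation the Remember note warns about: the server certificate itself is still valid, but the root CA in the trust list has expired, so Step 1 fails on the SAP S/4HANA Cloud side. expired_client_cert and rotated_not_uploaded fail on the external system's side; with TLS 1.3 the client's own handshake may already have completed by then and the refusal arrives as a TLS alert, which is why connect reads a reply instead of trusting a successful tls.Dial.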
Authentication Using OAuth
OAuth-based authentication is a two-step process
(the so-called client credentials flow). In the first
step, the SAP S/4HANA Cloud system contacts a
token provider to obtain an access token. During
this step, the SAP S/4HANA Cloud system
authenticates against the token provider either
with basic authentication using client ID and client
secret, or with mTLS using a client certificate (the
mTLS variant is only available with OAuth 2.0). The
authentication endpoints of the token provider are
maintained in the Communication Systems app.
As the second step, the call to the external system
is made and the access token is passed to the
external system.
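The client credentials flow described above, as an added example that is not from the SAP documentation or SAP's software. The Go program below stands in for all three parties with net/http/httptest: a token provider that accepts basic authentication with client ID and client secret and issues opaque tokens, an external system that accepts only tokens that provider issued, and the two calls SAP S/4HANA Cloud makes. The endpoint paths /oauth/token and /api/v1/orders, the client ID s4hana-outbound and the secret are constructed for the example; in SAP S/4HANA Cloud these values come from the communication system. The mTLS variant of the first step is not shown.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Constructed credentials for the example (in S/4HANA Cloud they are maintained in the communication system).
const clientID, clientSecret = "s4hana-outbound", "constructed-secret"

// tokenProvider is a stand-in token endpoint for the client credentials grant; it remembers every token it issued.
type tokenProvider struct{ issued map[string]bool }

func (tp *tokenProvider) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	id, secret, ok := r.BasicAuth() // client ID and client secret arrive as basic authentication
	if r.Method != http.MethodPost || !ok ||
		subtle.ConstantTimeCompare([]byte(id+"\x00"+secret), []byte(clientID+"\x00"+clientSecret)) != 1 {
		http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
		return
	}
	if r.FormValue("grant_type") != "client_credentials" {
		http.Error(w, `{"error":"unsupported_grant_type"}`, http.StatusBadRequest)
		return
	}
	raw := make([]byte, 16) // opaque, unguessable token; the provider keeps the mapping
	rand.Read(raw)
	tok := hex.EncodeToString(raw)
	tp.issued[tok] = true
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(map[string]any{"access_token": tok, "token_type": "Bearer", "expires_in": 3600})
}

// externalSystem is the stand-in target API: it accepts only tokens the provider issued.
func (tp *tokenProvider) externalSystem(w http.ResponseWriter, r *http.Request) {
	tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
	if tok == "" || !tp.issued[tok] {
		http.Error(w, "invalid_token", http.StatusUnauthorized)
		return
	}
	fmt.Fprint(w, "ok")
}

// FetchToken is the first step: authenticate to the token provider with client ID and secret, obtain a token.
func FetchToken(c *http.Client, tokenURL, id, secret string) (string, error) {
	form := url.Values{"grant_type": {"client_credentials"}}
	req, _ := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(id, secret)
	resp, err := c.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("token endpoint answered %s", resp.Status)
	}
	var tr struct {
		AccessToken string `json:"access_token"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil || tr.AccessToken == "" {
		return "", fmt.Errorf("token endpoint: no access token in response (%v)", err)
	}
	return tr.AccessToken, nil
}

// CallExternal is the second step: the access token is passed to the external system.
func CallExternal(c *http.Client, apiURL, token string) (int, error) {
	req, _ := http.NewRequest(http.MethodGet, apiURL, nil)
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := c.Do(req)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

// Demo runs the flow end to end: status with a valid token, status with a forged token, error for a wrong secret.
func Demo() (withToken, forged int, wrongSecret error) {
	tp := &tokenProvider{issued: map[string]bool{}}
	authz := httptest.NewServer(tp)
	defer authz.Close()
	api := httptest.NewServer(http.HandlerFunc(tp.externalSystem))
	defer api.Close()
	c := authz.Client()
	tok, err := FetchToken(c, authz.URL+"/oauth/token", clientID, clientSecret)
	if err != nil {
		panic(err)
	}
	withToken, _ = CallExternal(c, api.URL+"/api/v1/orders", tok)
	forged, _ = CallExternal(c, api.URL+"/api/v1/orders", "not-issued-by-the-provider")
	_, wrongSecret = FetchToken(c, authz.URL+"/oauth/token", clientID, "wrong-secret")
	return
}
```

Demo() returns 200 for the issued token, 401 for a forged one, and an error when the client secret is wrong, that is, the first step fails before any call to the external system is made. Two details matter for a real provider as much as for this stand-in: the credentials are compared in constant time, and the token is an opaque random value that only the provider can map back to a client, so the external system's decision rests on the provider, not on anything the caller can forge.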
Authentication Using User Name and Password
SAP S/4HANA Cloud also supports basic
authentication (user name and password). Because a
password is a reusable shared secret that is stored
on both sides and can be replayed by anyone who
obtains it, the risk of leaked credentials is high;
we recommend using certificate-based
authentication instead.
No Authentication
Some external systems do not require
authentication. They just offer public endpoints
available to everybody. Even in this case, the first
step still applies: the server certificate of the
external system is verified against the trust list.