SAP settings

On the on-premise SAP backend, some settings must be checked if you want Principal Propagation to work. The transactions are: RZ10, STRUST, CERTRULE, SICF and SMICM.

Set ping service

The ping service is always provided in the app. Go to transaction SICF and activate the /sap/bc/ping service.

TIP

If you do not want to set up principal propagation, enter a service user for this service and skip the rest of this chapter.

RZ10

To have your OData Gateway service request a certificate rather than prompt for a username and password, certain profile parameters need to be maintained. This configuration is done using transaction RZ10.

icm/HTTPS/verify_client

  • Instructs the system to request a certificate from the client
  • Value = 1

login/certificate_mapping_rulebased

  • Indicates how to interpret the certificates received
  • Value = 1

icm/HTTPS/trust_client_with_issuer

  • This is the issuer of the system certificate
  • Copy Subject of the issuer exactly as is
  • For testing purposes, enter *

icm/HTTPS/trust_client_with_subject

  • This is the Subject of the system certificate itself
  • For testing, enter *
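
As an added example (not part of the original guide or of any SAP tooling), the following Python script audits an instance profile against the RZ10 values above and flags wildcard trust entries left over from testing. The sample profiles and DNs are constructed placeholders; it assumes the profile's plain `name = value` format with `#` comments and that the Subject parameter is named icm/HTTPS/trust_client_with_subject.

```python
# Added example: audit an instance profile against the RZ10 values on this page.
REQUIRED = {  # parameter -> value prescribed on this page
    "icm/HTTPS/verify_client": "1",
    "login/certificate_mapping_rulebased": "1",
}
# These must carry the exact DN of the Cloud Connector system certificate.
PINNED = ("icm/HTTPS/trust_client_with_issuer", "icm/HTTPS/trust_client_with_subject")

# Constructed sample profiles; the DNs are placeholders, not real values.
TEST_PROFILE = """\
# test system
icm/HTTPS/verify_client = 1
login/certificate_mapping_rulebased = 1
icm/HTTPS/trust_client_with_issuer = *
icm/HTTPS/trust_client_with_subject = *
"""
PROD_PROFILE = """\
icm/HTTPS/verify_client = 1
login/certificate_mapping_rulebased = 1
icm/HTTPS/trust_client_with_issuer = CN=Example Issuing CA, O=Example, C=DE
icm/HTTPS/trust_client_with_subject = CN=scc.example.internal, O=Example, C=DE
"""

def parse_profile(text):
    """Parse 'name = value' lines; split on the first '=' only, since DNs contain '='."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, sep, value = line.partition("=")
            if sep:
                params[name.strip()] = value.strip()
    return params

def audit(text):
    """Return (parameter, problem) pairs; an empty list means the profile matches."""
    params, findings = parse_profile(text), []
    for name, want in REQUIRED.items():
        if params.get(name) != want:
            findings.append((name, f"expected {want}, found {params.get(name)}"))
    for name in PINNED:
        value = params.get(name)
        if value is None:
            findings.append((name, "not set"))
        elif "*" in value:
            findings.append((name, "wildcard value, test setting only"))
    return findings

if __name__ == "__main__":
    print({"test": audit(TEST_PROFILE), "prod": audit(PROD_PROFILE)})
```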

STRUST

In transaction STRUST, the issuer of the System Certificate needs to be added to the Certificate list of the SSL server Standard. Again, it is the issuer of the System Certificate of the SAP Cloud Connector that is required here!

CERTRULE

In your Cloud Connector, go to Connector > Configuration, tab ON PREMISE, subtab PRINCIPAL PROPAGATION, and click the button to create a sample certificate. Enter your SAP login email address as the CN attribute and download the certificate. Upload the sample certificate in CERTRULE and map the CN to an SAP user ID.

SMICM

Restart ICM after changes in RZ10.
Use ICM trace for troubleshooting.

Create SAP Gateway Service

This is beyond the scope of this guide. Ask your SAP developer.

More info