Public Certificate Installation for Integration Scenarios

Please note: This document does not cover all integration scenarios; it provides a few examples. Customers should review their current integration configurations with their IT department to determine the proper process for updating the public certificates.

What certificate type should be used for integrations (ECC or RSA)?

Certificate type depends on the algorithm that is supported within the customer’s landscape and was chosen by the customer.

We are currently not using an Ariba certificate for web services. Should we add the new certificate now?

Some integrations with Ariba may use certificate pinning, which means that the system interface that connects to the Ariba cloud systems trusts only a specific web server certificate and not just any valid web server certificate signed by a trusted certificate authority. If you use certificate pinning, you will need to import our new certificate.

What changes are required for inbound webservices?

Customers must trust the new Ariba certificate to establish the HTTPS connection. The customer should add the new Ariba certificate to their trust store (key store). General instructions cannot be provided because this depends on the application that the customer uses in their integration with the SAP Ariba products.

What changes are required for outbound webservices?

Customers should modify the authentication settings in their application(s) that integrate with SAP Ariba by replacing the existing Ariba Public Key with the new one. General instructions cannot be provided because the exact steps depend on the application that the customer uses to integrate with SAP Ariba.

How can I obtain the Ariba Public Key?

To obtain the public key:

  1. Open Certificate
  2. Navigate to Details tab
  3. Select Public Key

What changes are required for Standalone Integration Toolkit (ITK) – No PI?

Please refer to this Knowledge Article for more information.

What changes are required for Standalone Integration Toolkit (ITK) on PI?

Customers should add the new certificate to PI KeyStore.

 

Creating a View in SAP NetWeaver PI KeyStore

  1. Log on to SAP NetWeaver PI Administrator.
  2. Click the Configuration tab and click Certificates and Keys.
  3. In the Key Storage tab, click Add View.
  4. Enter a name and description for the view and click Create.

Importing Server and Client Certificates into a View Procedure

  1. In the View Entries tab, click Import Entry.
  2. Click Select entry type pull-down and select X.509 Certificate.
  3. Enter the path to the location of the server certificate.
  4. Click Import.

Note: To import the client certificate, repeat steps 1 to 4 above.

  5. To import the key pair, in the View Entries tab, click Import Entry again.
  6. Click Select entry type pull-down and select PKCS#8 Key Pair.
  7. Enter the path to the location of the key file.
  8. Enter the path to the location of the client certificate.
  9. Click Add.
  10. Click Import.

Results:

The following graphic displays the details of the certificates imported into the ITK_Certificates view.

Note: In the above graphic, the server and client certificates are imported into the same view. However, you can have different views for server and client certificates.

Granting Permissions for the Keystore

  1. In the Key Storage tab, select the view for which you want to assign permissions.
  2. Click the Security link next to the word Content.
  3. Click the Permissions per Domain tab.
  4. Select ariba.com/ariba_JobBean and click Modify.
  5. Click Grant New Permission.
  6. Select the All Actions check box.
  7. In the Keystore View field, select the view name and click OK.

What changes are required for ERP integration using Direct or Mediated Connectivity (master data/SIPM)?

For mediated connectivity, see the section “Creating a View and Importing Certificates into SAP NetWeaver Keystore” in this document for the steps to add the new certificate in PI.

For Direct Connectivity, steps are as follows:

  1. Download the new certificate.
  2. Convert it to a DER-encoded binary file.
  3. Log in to SAP.
  4. Go to transaction code (tcode) STRUST.
  5. Double-click “SSL System Client SSL Client”.
  6. Click the Import Certificates button.
  7. Choose the certificate you exported from step 1 > click Check icon > click Allow on security question.
  8. Click the Add to Certificate List button.
    • You should get a message at the bottom about the successful import, and you should see the certificate in the certificate list.
    • Click the Save icon at the top to save the certificate changes. You should get a message at the bottom about the save.
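
The public key extraction ("To obtain the public key") and the DER conversion in step 2 above can also be done from a command line. The shell functions below are an added example, not part of the original article or of SAP's tooling. They assume the OpenSSL CLI is installed and that the download is PEM-encoded; the function names, the file names and the self-signed sample certificate (CN=example.invalid) are constructed for illustration.

```shell
# Added example (not SAP tooling). Assumes the OpenSSL CLI; file names are
# hypothetical and the sample certificate is constructed (CN=example.invalid).

# Create a throwaway self-signed PEM certificate standing in for the download.
make_sample_cert() {  # usage: make_sample_cert out.pem
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example.invalid" -keyout "$1.key" -out "$1" 2>/dev/null \
        && rm -f "$1.key"
}

# SHA-256 fingerprint of a certificate, as OpenSSL prints it (AA:BB:...).
cert_sha256() {  # usage: cert_sha256 file PEM|DER
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 \
        | sed 's/^[^=]*=//'
}

# Public key (SubjectPublicKeyInfo) of a certificate, PEM-encoded.
cert_pubkey() {  # usage: cert_pubkey file PEM|DER
    openssl x509 -in "$1" -inform "$2" -noout -pubkey
}

# Convert PEM to DER, confirm the DER file is still the same certificate, and
# write its public key beside it. An optional third argument is the expected
# fingerprint obtained out of band; a mismatch aborts before anything is written.
prepare_cert() {  # usage: prepare_cert in.pem out.cer [expected-fingerprint]
    pem=$1 der=$2 expected=${3:-}
    fp=$(cert_sha256 "$pem" PEM)
    [ -n "$fp" ] || { echo "cannot read $pem as a PEM certificate" >&2; return 1; }
    if [ -n "$expected" ] && [ "$fp" != "$expected" ]; then
        echo "fingerprint mismatch: got $fp" >&2
        return 1
    fi
    openssl x509 -in "$pem" -inform PEM -outform DER -out "$der" || return 1
    [ "$(cert_sha256 "$der" DER)" = "$fp" ] || return 1
    cert_pubkey "$der" DER > "${der%.*}.pubkey.pem" || return 1
    # Show what is about to be trusted: subject, issuer and expiry date.
    openssl x509 -in "$der" -inform DER -noout -subject -issuer -enddate
}
```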