SSL

Enabling HTTPS/SSL

The communication between the CRMConnectorSAP and the SAP system can be established via HTTPS/SSL. Thereafter, the SOAP messages will be exchanged using a HTTPS/SSL connection with client authentication and session caching. This will encrypt the transmitted data and identify the caller by a client certificate. Both HTTPS/SSL partners need a server certificate. The root certificate of the certification authority (CA, e.g. VeriSign or SAP CA) that issued the server certificate has to be known to the client system. Normally, either it will already be contained in the system or it can easily be imported.

note

Please note that the use of HTTPS/SSL impacts performance. Supported number of agents and call rates are lower than without secure connection enabled.

Required certificate and key files needed for SSL

In order to have a secured communication (SSL), certificates must be imported on the SAP CRM side and on the connector side. These must meet some basic conditions outlined in this document.

One CA Certificate

Both certificates are derived from the same CA certificate.

The certificates must all be generated as PEM (ASCII format files) and derived from a CA certificate. It is possible to have one PEM file with both, certificate and key, or two separate PEM files.

One PEM file for certificate and key

(Connects for SAP Certificate).pem:

-----BEGIN CERTIFICATE-----
...key... 
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
...key...
-----END PRIVATE KEY-----

Files needed in installation folder of Connects for SAP:

• C:\Program Files (x86)\BucherSuter\MCAforSAP\CRMConnectorSAP\
  • ssl.ini
  • SAP\
    • (Company CA Certificate).pem
    • (Connects for SAP Certificate).pem

Definition in ssl.ini:

[SSL_SERVER_CLIENT]
CA_FILE=./ssl/(Company CA Certificate).pem
PEM_FILE=./ssl/(Connects for SAP Certificate).pem

Separate PEM files for certificate and key

(Connects for SAP Certificate – cert file).pem:

-----BEGIN CERTIFICATE-----
...key...
-----END CERTIFICATE-----

(Connects for SAP Certificate – key file).pem:

-----BEGIN PRIVATE KEY-----
...key...
-----END PRIVATE KEY-----

Files needed in installation folder of Connects for SAP:

• C:\Program Files (x86)\BucherSuter\MCAforSAP\CRMConnectorSAP\
  • ssl.ini
  • SAP\
    • (Company CA Certificate).pem
    • (Connects for SAP Certificate – cert file).pem
    • (Connects for SAP Certificate – key file).pem

Definition in ssl.ini:

[SSL_SERVER_CLIENT]
CA_FILE=./ssl/(Company CA Certificate).pem
CRT_FILE=./ssl/(Connects for SAP Certificate – cert file).pem
KEY_FILE=./ssl/(Connects for SAP Certificate – key file).pem

Separate CA Certificates

Each side has its own CA certificate.

The certificates must all be generated as PEM (ASCII format files) and derived from a CA certificate. It is possible to have one PEM file with both, certificate and key, or two separate PEM files.

One PEM file for certificate and key

(Connects for SAP Certificate).pem:

-----BEGIN CERTIFICATE-----
...key...
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
...key...
-----END PRIVATE KEY-----

Files needed in installation folder of Connects for SAP:

• C:\Program Files (x86)\BucherSuter\MCAforSAP\CRMConnectorSAP\
  • ssl.ini
  • SAP\
    • (CRM Side CA Certificate).pem
    • (Connects for SAP Certificate).pem

Definition in ssl.ini:

[SSL_SERVER_CLIENT]
CA_FILE=./ssl/(CRM Side CA Certificate).pem
PEM_FILE=./ssl/(Connects for SAP Certificate).pem

Separate PEM files for certificate and key

(Connects for SAP Certificate – cert file).pem:

-----BEGIN CERTIFICATE-----
...key...
-----END CERTIFICATE-----

(Connects for SAP Certificate – key file).pem:

-----BEGIN PRIVATE KEY-----
...key...
-----END PRIVATE KEY-----

Files needed in installation folder of Connects for SAP:

• C:\Program Files (x86)\BucherSuter\MCAforSAP\CRMConnectorSAP\
  • ssl.ini
  • SAP\
  • (Connects for SAP Certificate – key file).pem
  • (Connects for SAP Certificate – cert file).pem
  • (CRM side CA Certificate).pem

Definition in ssl.ini:

[SSL_SERVER_CLIENT]
CA_FILE=./ssl/(CRM side CA Certificate).pem
CRT_FILE=./ssl/(Connects for SAP Certificate – cert file).pem
KEY_FILE=./ssl/(Connects for SAP Certificate – key file).pem

Create Certificate

The certified certificate must be derived from a CA certificate described in chapter 2. The following information must be provided:

Subject	host.domain
Signature algorithms	sha256RSA
Signature hash algorithms	sha256

A Windows certificate with a '.cer' extension can be converted on the machine by opening the certificate and selecting “Copy to File”.

Deployments

Direct Connection

One or more SAP CRMs can communicate directly with Connects for SAP. This installation works with the model “One CA Certificate”

Configuration on Connects for SAP

Relevant Configuration in CRMConnectorSAP_SAP1.ini:

[Config]
...
TpiDllParameter=SSL
...

Relevant Configuration in ssl.ini:

[SSL]
METHOD=0

[SSL_SERVER_CLIENT]
CA_FILE=./ssl/(Company CA Certificate).pem
PEM_FILE=./ssl/(Connects for SAP Certificate).pem

Requests and Responses via Proxy (Failover), Events directly

A reverse proxy is required for automatic CRMConnectorSAP failover. Requests from SAP CRM to Connects for SAP, or more precisely the CRMConnectorSAP component, must travel through a proxy. The same applies for responses from the CRMConnectorSAP to SAP CRM. However, Events are sent from CRMConnectorSAP directly to SAP CRM and do not travel through the proxy.

Configuration on Connects for SAP

Relevant Configuration in CRMConnectorSAP_SAP1.ini / Side A/B:

[Config]
...
TpiDllParameter=SSL
...

Relevant Configuration in ssl.ini / Side A:

[SSL]
METHOD=0

[SSL_SERVER_CLIENT]
CA_FILE=./ssl/(Company CA Certificate).pem
PEM_FILE=./ssl/(Connects for SAP Certificate Side A).pem

Relevant Configuration in ssl.ini / Side B:

[SSL]
METHOD=0

[SSL_SERVER_CLIENT]
CA_FILE=./ssl/(Company CA Certificate).pem
PEM_FILE=./ssl/(Connects for SAP Certificate Side B).pem

Requests & Responses via Proxy (Failover), Events via Static Proxy Route

A reverse proxy is used for automatic CRMConnectorSAP failover. Requests from SAP CRM to Connects for SAP, or more precisely the CRMConnectorSAP component, must travel through a proxy. The same applies for responses from the CRMConnectorSAP to SAP CRM. Events sent from CRMConnectorSAP to SAP CRM also travel through the proxy by using a static route. This means that the proxy sends data packages, which it receives on port xy, to port xy of the CRM host.

Configuration on Connects for SAP

Relevant Configuration in CRMConnectorSAP_SAP1.ini / Side A/B:

[Config]
...
TpiDllParameter=SSL PROXY=(Proxy Ip Adress):xy
...

Relevant Configuration in ssl.ini / Side A:

[SSL]
METHOD=0

[SSL_SERVER_CLIENT]
CA_FILE=./ssl/(CRM Side CA Certificate).pem
PEM_FILE=./ssl/(Connects for SAP Certificate Side A).pem

Relevant Configuration in ssl.ini / Side B:

[SSL]
METHOD=0

[SSL_SERVER_CLIENT]
CA_FILE=./ssl/(CRM Side CA Certificate).pem
PEM_FILE=./ssl/(Connects for SAP Certificate Side B).pem

Appendix

SAP CRM Interaction Center Configuration Tips

It is necessary that the SAP ICWC profile of a user is assigned to an RFC Destination for which SSL is enabled. This profile to RFC Destination assignment happens via the so called Communication Management Software Profile and the related Communication Management Software System.

Shortcut for this setting: SM59

To ensure that the Communication Server also expects SSL, it must also be configured for SSL.

Shortcut for this setting: CRMM_BCB_ADM