Symptom
During the setup of a communication arrangement, the authentication method SSL Client Certificate with the SAP Business ByDesign system key pair is selected. In this case the private key of the key pair is stored in the communication arrangement, and the public key has to be extracted by clicking the Download button. This public key then has to be installed in the third party system so that it can encrypt and accept the XML messages.
In some cases, however, the third party system provider also requests the password. It is not clear why this happens or whether the request is justified. Disclosing the password to the provider might also raise data protection concerns.
Environment
SAP Business ByDesign
Cause
In inbound communication, ByDesign is the target system and the third party system is the source. For SSL certificate based authentication of the communication user, the user in the source (third party system) needs to hold the key pair, while the corresponding user in the target (ByDesign) only needs the public key certificate of that key pair. Because the key pair (.p12 file) is used on the third party side, the third party system provider needs its password to access the private key. In ByDesign, the certificate (which contains the public key of the key pair) is automatically assigned to the communication user when the key pair is downloaded from the UI.
Resolution
In the Edit Communication Arrangement UI, the SSL Client Certificate you assign to the user must come from a key pair downloaded via the Create and Download Key Pair action in the Edit Credentials dialog. It is not the SAP Business ByDesign System Key Pair, which is the tenant certificate itself.
The explanation is shown in the Edit Credentials modal dialog: "You can upload a public key certificate that has been provided by your communication partner. If your communication partner cannot provide a certificate, you can create and download a PKCS#12 key pair file. The PKCS#12 file is password encrypted and contains a public key certificate and a private key. You need to provide the PKCS#12 file to your communication partner."
In short, handing the downloaded .p12 key pair together with its password to the communication partner is the intended procedure; the partner cannot use the private key without the password, and ByDesign itself keeps only the certificate.
Alternatively, instead of downloading the key pair from ByDesign and passing it to the third party system, the third party system can obtain a key pair from a certificate authority and give only the certificate (public key) to ByDesign. In that case the third party system already holds the key pair and its password, and nothing beyond the certificate needs to be shared.
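The following Python example (added here; it is not SAP code and does not talk to a ByDesign tenant) illustrates the point made in the Cause and Resolution sections: a PKCS#12 file is password encrypted and yields its private key only to a holder of the password, whereas the certificate extracted from it carries only the public key and can be handed over on its own. It uses the `cryptography` library; the key pair, the common name and the password are constructed placeholders standing in for the pair ByDesign generates.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID


def make_key_pair(common_name: str):
    """Build an RSA key and a self-signed certificate for it.

    Stand-in for the key pair that Create and Download Key Pair produces;
    the subject name is a constructed example value.
    """
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=365))
        .sign(key, hashes.SHA256())
    )
    return key, cert


def export_p12(key, cert, password: bytes) -> bytes:
    """Serialize private key + certificate as a password-encrypted PKCS#12 blob.

    This is the artifact (.p12) that goes to the communication partner.
    """
    return pkcs12.serialize_key_and_certificates(
        name=b"example-communication-user",  # constructed friendly name
        key=key,
        cert=cert,
        cas=None,
        encryption_algorithm=serialization.BestAvailableEncryption(password),
    )


def export_public_certificate(cert) -> bytes:
    """PEM certificate only: what ByDesign keeps for the communication user
    (or what a partner supplies in the CA-issued alternative flow)."""
    return cert.public_bytes(serialization.Encoding.PEM)


def open_p12(p12_bytes: bytes, password: bytes):
    """Return (private_key, certificate) or None when the password is wrong."""
    try:
        key, cert, _chain = pkcs12.load_key_and_certificates(p12_bytes, password)
    except ValueError:
        return None  # cryptography raises ValueError on a bad password
    return key, cert


def demo() -> dict:
    """Run the whole flow and report what each party can do with each artifact."""
    password = b"example-p12-password"  # constructed example password
    key, cert = make_key_pair("example-byd-communication-user")

    p12 = export_p12(key, cert, password)
    cert_pem = export_public_certificate(cert)

    without_password = open_p12(p12, b"not-the-password")
    with_password = open_p12(p12, password)

    return {
        # the partner gets nothing out of the .p12 without the password
        "p12_opens_with_wrong_password": without_password is not None,
        # with the password the partner obtains the private key it must use
        "p12_opens_with_right_password": with_password is not None,
        # the certificate handed to ByDesign contains no private key material
        "certificate_contains_private_key": b"PRIVATE KEY" in cert_pem,
        # the private key recovered from the .p12 matches the public key in the certificate
        "private_key_matches_certificate": (
            with_password is not None
            and with_password[0].public_key().public_numbers()
            == cert.public_key().public_numbers()
        ),
    }


if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check}: {value}")
```

Run as a script, the checks show that only the .p12 holder with the correct password recovers the private key, and that the PEM certificate alone can be shared without exposing it; the same inspection can be done on a real downloaded .p12 by replacing `make_key_pair`/`export_p12` with the file's bytes.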
Keywords
external, partner, encryption, p12, SSL certificate based authentication, KBA, SRD-CC-SEC, Security, Problem