3630513 - HTTP Certificate Prerequisites for SAP CPM for PI

Symptom

SAP Cloud Print Manager for Pull Integration cannot establish a connection to the S/4HANA Public Cloud.
During a detailed tracing/analysis, it turned out that there is a Certificate error in the connection.

IMPORTANT: in this KBA, the term "Certificate" here only means the X.509 Certificate to build up the HTTPS connection. It has nothing to do with the "Client Certificate Authentication Method".

Environment

SAP S/4HANA Public Cloud, version independent

Cause

SAP CPM for PI uses a HTTPS connection to connect to the S/4HANA Public Cloud. Consequently, an X.509 Certificate exchange is mandatory to build up this HTTPS connection.
When there is a Certificate-related error, similar entries will be logged in the CPM for PI detailed trace:


(<timestamp>)    *** ERROR ***    [8]    SslPolicyError: certificate =      *****  [ OurVerify in HttpAngel.cs at line 44 ]  *****
(<timestamp>)    *** ERROR ***    [8]    [Subject]
  CN=*.s4hana.cloud.sap, O=SAP SE, L=Walldorf, S=Baden-Württemberg, C=DE

[Issuer]
  CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US

<... few lines omitted ...>

     *****  [ OurVerify in HttpAngel.cs at line 45 ]  *****
(<timestamp>)    *** ERROR ***    [8]    SslPolicyError: sslPolicyError = RemoteCertificateChainErrors     *****  [ OurVerify in HttpAngel.cs at line 46 ]  *****
(<timestamp>)    *** ERROR ***    [8]    The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. WebException from Get_PrintQueuesOfUserExt, System = <System Name>     *****  [ GetAllPrintQueuesExtInternal in PrintQueueAccess.cs at line 906 ]  *****
(<timestamp>)    *** ERROR ***    [8]    Get_PrintQueuesOfUserExt Uri = https://my<XXXXXX>-api.s4hana.ondemand.com/sap/opu/odata/SAP/API_CLOUD_PRINT_PULL_SRV/Get_PrintQueuesOfUserExt?     *****  [ GetAllPrintQueuesExtInternal in PrintQueueAccess.cs at line 907 ]  *****
(<timestamp>)    *** ERROR ***    [8]    InnerException: The remote certificate is invalid according to the validation procedure.     **  [ GetAllPrintQueuesExtInternal in PrintQueueAccess.cs at line 911 ]  **

Resolution

SAP CPM for PI uses a Windows certificate API to handle Certificates.
SAP CPM for PI does not have any built-in Certificate processing modules. It only uses Windows API. Consequently, if there is a Certificate error (like the one shown above), it means that the Windows API does not trust the Certificate received from S/4HANA Public Cloud.

This also means that the solution is to install the Certificate on Windows level.

Basically, there are two scenarios here:

A self-signed Certificate is used
- See the very end of the SAP CPM for PI documentation, under "Self-signed Certificate".
- To quote the document:
  - "To use self-signed certificates, they must be installed in the Windows® computer Certificate Store under the ‘Personal’ folder. After the certificate is installed successfully, the SAP Cloud Print Manager for Pull Integration service must be restarted. You can then add connections to the system using the self-signed certificate."
Not a self-signed Certificate is used
- On the Windows server where SAP CPM for PI is running, open the Windows Manage Certificate application by running the program certmgr.msc
- Under "Trusted Root Certification Authorities" and "Intermediate Certification Authorities" the DigiCert Certificates have to be available. Of importance is the Certificate "DigiCert Global G2 TLS RSA SHA256 2020 CA1".
  Missing Certificates can be downloaded from https://www.digicert.com/kb/digicert-root-certificates.htm
  Furthermore, the Certificate Chain can be also checked when accessing the URL via browser (for example: via Google Chrome).

Keywords

Connection test failed, CPM certificate, Zertifikat, CPM Zertifikat, CPM for PI Zertifikat , KBA , BC-CCM-PRN , Print and Output Management , BC-CCM-PRN-OM-PM , S/4HANA Output Management Print Manager , Problem

Product

SAP S/4HANA Cloud Public Edition all versions