MX IntegrationGuide OP&ERP CF 06232021
1 Disclaimer
2 Introduction
3 Prerequisites
3.1 Registration at SAT
3.2 eDocument Full Solution
4 Secure Connection
4.1 Setup of Secure Connection
4.1.1 Setup of Your Tenants
4.1.2 Retrieve and Save Public Certificates
4.1.3 Upload the Certificates
4.1.4 Authenticate Integration Flow
5 Configuration Steps in SAP Integration Suite
5.1 Deploy the Customer Certificate and Credentials to SAP Integration Suite
5.2 Copy Integration Package
5.3 Deploy Integration Flows
6 Configuration Steps in SAP ERP or SAP S/4HANA
6.1 Create Logical Ports in SAP ERP or SAP S/4HANA
7 Appendix
7.1 Generate and Import Certificates
7.1.1 Prerequisites
7.1.2 Generate PKCS#12 File from the Certificate and Key File
7.1.3 Import the Handshake Certificate
1 Disclaimer
This documentation refers to links to websites that are not hosted by SAP. By using such links, you agree (unless
expressly stated otherwise in your agreements with SAP) to this:
• The correctness of the external URLs is the responsibility of the host of the Web site. Please check the validity of
the URLs on the corresponding Web sites.
• The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP
based on this information.
• SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and
correctness. SAP shall not be liable for any damages caused by the use of such content unless damages have
been caused by SAP's gross negligence or willful misconduct.
2 Introduction
The communication part of processing electronic documents in Mexico is taken care of by SAP Integration Suite. In
order to get SAP Integration Suite working, there are some required steps on both your SAP S/4HANA or SAP ERP
system and SAP Integration Suite tenant.
These steps are typically taken care of by an SAP Integration Suite consulting team, who is responsible for configuring
the SAP S/4HANA or SAP ERP - SAP Integration Suite connection and maintaining the integration content and
certificates/credentials on the SAP Integration Suite tenant.
Note: Although the service name SAP Integration Suite is used in the guide title and throughout the guide, this guide
also applies to SAP Cloud Integration running in the Cloud Foundry environment. If you were onboarded before
July 2020, the service you use is SAP Cloud Integration. The initial setup steps for the two services are different, while
the integration flow settings and configuration steps in your back-end system are the same. See the Setup of Your
Tenants section for their respective initial setup steps.
Note: This document describes functionality that is provided by the Integration Package itself, that is, by the artifacts
that are deployed in the SAP Integration Suite tenant. It may happen, however, that in the SAP S/4HANA or SAP ERP
system the access to such functionality is only partially implemented. Additionally, it may also happen that the tax
authority servers do not provide all services that are described in this document. Please refer to SAP S/4HANA or SAP
ERP documentation and to the relevant tax authority information, respectively.
3 Prerequisites
Before you start with the activities described in this document, ensure that the following prerequisites are met:
3.1 Registration at SAT
Create a keystore using the private key and public key information available. Refer to chapter 7 on how to create
a certificate using private and public key information available.
3.2 eDocument Full Solution
The eDocument Full solution is installed in your test and production systems.
For the generic part, refer to the Installation Guide for eDocument attached to SAP Note 2134248.
For the Mexico-specific part, refer to SAP Note 2526771 for SAP ERP systems, and SAP Note 2565791 for
SAP S/4HANA systems.
4 Secure Connection
4.1 Setup of Secure Connection
You set up a trustworthy SSL connection between the SAP back-end systems and
SAP Integration Suite.
Inbound HTTP connections are not required for Mexico. Outbound HTTP connections are required, and are
supported with specific, public certificates.
You use SAP ERP Trust Manager (transaction STRUST) to manage the certificates required for a trustworthy SSL
connection. The certificates include public certificates to support outbound connections, as well as trusted
certificate authority (CA) certificates to support integration flow authentication.
Refer to the system documentation for more information regarding the certificate deployment to SAP back-end
systems. In case of issues, refer to the following SAP notes:
Note: If you encounter any issues in the information provided in the SAP Integration Suite product page, open a
customer incident against the LOD-HCI-PI-OPS component.
Client Certificate
If you are using a client certificate, this must be signed by one of the root certificates supported by the load
balancer. A self-signed certificate is not suitable. For more information see Load Balancer Root Certificates
Supported by SAP.
4.1.1 Setup of Your Tenants
· If you have subscribed to Process Integration, perform all the initial setup steps described in Initial
Setup of SAP Cloud Integration in Cloud Foundry Environment.
· If you have subscribed to Integration Suite, perform all the initial setup steps described in Initial
Setup. Note that the SAP Document Compliance solution requires the Cloud Integration capability.
You need to activate this capability in the step Provisioning the Capabilities.
4.1.2 Retrieve and Save Public Certificates
Context
Find and save the public certificates from your SAP Integration Suite worker node.
Procedure
1. Access the SAP BTP cockpit, and navigate to your subaccount (tenant) page.
2. Click the subscriptions link to display the subscriptions for your subaccount.
3. Use the tenant URL you created as defined in the prerequisites of this document. The URL has the following
format: https://<tenant>.cfapps.<data center>.hana.ondemand.com, where XXXXXXX corresponds to the
dynamic part and is unique for each subaccount.
4. Choose Manage Integration Content and select All to display the integration flows available.
5. Select an integration flow to display its details.
6. Copy the URL listed within the Endpoints tab and paste the URL into your web browser.
7. When prompted by the Website Identification window, choose View certificate.
8. Select the root certificate, and then choose Export to file to save the certificate locally.
9. Repeat these steps for each unique root, intermediate and leaf certificate, and repeat for both your test and
production tenants.
4.1.3 Upload the Certificates
Store the public certificates used for your productive and test tenants.
Context
You use the SAP ERP Trust Manager (transaction STRUST) to store and manage the certificates required to
support connectivity between SAP back-end systems and SAP Integration Suite.
Procedure
6. Choose Add to Certificate List to add the certificates to the Certificate List.
7. Save your entries.
4.1.4 Authenticate Integration Flow
Create your own certificate and get it signed by a trusted certificate authority (CA) to support integration flow
authentication.
Context
You use the SAP ERP Trust Manager (transaction STRUST) for this purpose.
This process is required only if you use certificate-based authentication (that is, you choose the X.509 SSL Client
Certification option in your settings for SOAMANAGER).
Procedure
2. Create your own PSE (for example, Client SSL Standard) and then generate a certificate sign request.
3. Export the certificate sign request as a *.csr file.
4. Arrange for the certificate to be signed by a trusted certificate authority (CA).
If you are using a client certificate, this must be signed by one of the root certificates supported by the load
balancer. A self-signed certificate is not suitable. For more information see Load Balancer Root Certificates
Supported by SAP.
The CA may have specific requirements and request company-specific data. They may also require time to
analyze your company before issuing a signed certificate. When signed, the CA provides the certificate for
import.
5. Navigate to the PSE for SSL Client Standard and open it by double-clicking the PSE.
6. Switch to edit mode.
7. Choose the Import certificate button.
8. In the Import Certificate dialog box, enter or select the path to the CA-signed certificate and choose Enter.
The certificate is displayed in the Certificate area.
9. Choose Add to Certificate List to add the signed certificate to the Certificate List.
Ensure that you import the CA root and intermediate certificates to complete the import.
10. Save your entries.
The certificates can now be used in the SOA Manager (transaction SOAMANAGER).
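5 Configuration Steps in SAP Integration Suite
5.1 Deploy the Customer Certificate and Credentials to SAP Integration Suite
If your PAC is Edicom, you can use an Edicom-specific integration flow to communicate with Edicom. If your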
PAC is Pegaso, you can use a Pegaso-specific integration flow to communicate with Pegaso. Before sending an
XML file using either of the two integration flows, SAP Integration Suite signs it using a private/public key pair
and client certificate. In these cases where the signing is done by SAP, you need to provide an SSL certificate
recognized by the tax authority and a pair of private/public key. This information must be available in the keystore
on your SAP Integration Suite tenant.
This integration package also provides a generic integration flow, which is meant to work with any PAC. If you
use this generic integration flow to communicate with your PAC, the PAC does the signing.
Do the following to deploy your credentials and certificate on SAP Integration Suite:
1. Deploy the certificate (as private key with an alias <RfcEmisor>) in the JAVA_KEYSTORE.
See chapter 7 on how to create a single certificate chain containing both the private key and public certificate.
Here’s an example:
For Edicom, credentials for the endpoint must be obtained and stored in the tenant under the name
<RfcEmisor>_EDICOM. If you have multiple company codes, you do not need to copy the package for every
company code. You just need to maintain the credentials for every <RfcEmisor>.
Here’s an example:
Note: Your <RfcEmisor> may contain special characters that are not supported in credentials names. In this
case, you need to replace the special characters with underscores (_). For example, your <RfcEmisor> is
HH&9504107WA_EDICOM. The character & is invalid. You need to enter HH_9504107WA_EDICOM as your
credentials name.
For Pegaso, credentials (username and password) for the endpoint must be obtained and stored in the tenant
under the name PEGASO_CREDENTIALS. If you have multiple company codes, you must copy the package for
every company code.
Here’s an example:
For other PACs, credentials (username and password) for the endpoint must be obtained and stored in the
tenant under the name MX_GENERIC_CREDENTIALS. If you have multiple company codes, you must
copy the package for every company code.
Here’s an example:
2. Deploy the public certificate for testing in the JAVA_KEYSTORE of the test tenant. Deploy the public certificate
for production use in the JAVA_KEYSTORE of the production tenant.
There are two integration flow deployment options. The option that you should choose depends on your PAC.
Option 1
If your PAC is Edicom or Pegaso, you can use this deployment option. Deploy the following integration flows on
your tenant:
Mexico Document Compliance Edicom    If your PAC is Edicom, in addition to the integration flow Mexico Document Compliance, deploy this integration flow as well.
Mexico Document Compliance Pegaso    If your PAC is Pegaso, in addition to the integration flow Mexico Document Compliance, deploy this integration flow as well.
Option 2
If you choose a PAC other than Edicom or Pegaso, use this deployment option. Deploy the following integration
flow on your tenant:
Integration Flow Name in WebUI        Explanation
Mexico Document Compliance Generic    You can find PACs who are SAP partners and can handle requests from this integration flow from SAP App Center. Search with the keyword "SAP Document Compliance".
4. In the search field, enter SAP Document Compliance: Electronic Documents for Mexico and press
ENTER.
5. Select the package SAP Document Compliance: Electronic Documents for Mexico. In the upper right
corner, choose Copy.
· Authentication: This setting depends on the Pegaso web service that you use.
If you use the Gateway service from Pegaso, select the Client Certificate authentication type and
then make the following settings:
o Options: Select Plain Text Password.
o Credential Name: Enter the credential name that you’ve configured in the keystore.
If you use the Azure service from Pegaso, select the Basic authentication type and then make the
following settings:
o Credential Name: Enter the credential name that you’ve configured in the keystore.
o Options: Select None.
· Submission URL: Enter the endpoint URL of the web service that submits electronic invoices and
payment documents.
· Cancellation URL: Enter the endpoint URL of the web service that cancels electronic invoices and
payment documents.
· Get Status URL for eInvoice: Enter the endpoint URL of the web service that gets statuses of
invoice cancellation requests.
· Get Status URL for ePayment: Enter the endpoint URL of the web service that gets statuses of
payment cancellation requests.
· loggingEnabled: Enable or disable the logging of request and response messages. To enable it,
enter YES. To disable it, enter NO.
3. Before testing, download the handshake certificate from the endpoint which Edicom has provided and store
it in the tenant’s keystore. There is no dependency on the alias name which you use to store this certificate.
You can store it under any name.
Configurable Parameters:
For the generic integration flow Mexico Document Compliance Generic, follow the instructions below:
After deploying all the required integration flows, note down the URLs of the endpoints for each service. The endpoints
are used in the SOAMANAGER configurations.
6 Configuration Steps in SAP ERP or SAP S/4HANA
6.1 Create Logical Ports in SAP ERP or SAP S/4HANA
Proxies must be connected to the SAP Integration Suite tenant via logical ports. In the SAP ERP or SAP S/4HANA test
system, the logical ports are configured to connect to the test SAP Integration Suite tenant. In the productive SAP ERP
or SAP S/4HANA system, the logical ports are configured to connect to the productive SAP Integration Suite tenant.
Proceed as follows:
1. In your SAP ERP or SAP S/4HANA system, go to transaction SOAMANAGER and select Web Service
Configuration.
2. Search for the proxies for Mexico with the search term CO_EDO_MX_*
If you use the Pegaso-specific or Edicom-specific integration flow, use one of the following proxies:
See SAP Note 2825133 for information about what the proxy CO_EDO_MX_CFDIE_EDOCUMENTS does.
If you use the generic integration flow, use the following proxy:
Note: You must maintain the maintenance view EDOSOASERV for each company code in your SAP ERP or SAP
S/4HANA system.
For example:
SOA SERVICE NAME    Company code    Logical Port    SOA Service Description
MX_EDOCUMENT        XXXX            MX_EDOCUMENT    Mexico eDocument SOA service
3. In the result list, select a proxy and create a logical port for it. Choose Create > Manual Configuration.
5. The Consumer Security configuration depends on the security being used for the SAP ERP or SAP S/4HANA -
SAP Integration Suite communication.
a. If you use the basic authentication, enter the value of the clientid for User Name, and the value of
clientsecret for Password. You create these values for your service instance in SAP Integration Suite. See
Creating Service Instances.
b. If you use certificate-based authentication, select X.509 SSL Client Certification and choose the certificate
you have uploaded to STRUST. You must configure this certificate in SAP Integration Suite too. For that you
create a service instance using the required grant type. You create the service key using the certificate
uploaded to the STRUST. For more information, see Defining a Service Key for the Instance in the Cloud
Foundry Environment.
6. On the HTTP Settings tab page, select the URL components radio button and make the following settings:
Setting    Value
Protocol   Select HTTPS.
Host       Enter the host name of the integration flow that you want to communicate with.
Port       Enter 443, which is the standard port for the HTTPS protocol.
Path       Find the path of the related integration flow from your SAP Cloud Integration tenant or SAP Integration Suite tenant.
Proxy      Enter the information about your company's network proxy.
To find the Host, go to SAP Integration Suite Web UI. Under Managed Integration Content, go to Monitor -> All. Use
the search to find your integration flow as shown in the screenshot below:
The entries for the Proxy fields depend on your company’s network settings. The proxy server is needed to enable the
connection to the Internet through the firewall.
7. On the Messaging tab page, set the value of the Message ID Protocol field to Suppress ID Transfer.
8. No settings are required in the tabs Identifiable Business Context and Operation Settings. Just select Next and
then Finish.
7 Appendix
7.1 Generate and Import Certificates
7.1.1 Prerequisites
7.1.2 Generate PKCS#12 File from the Certificate and Key File
After the successful installation of openssl for Windows, follow the steps below to generate the keystore file that you can
import into SAP Integration Suite:
1. Open Command Prompt in the folder where openssl is installed.
2. Convert the key file to pkcs8 format.
openssl pkcs8 -inform DER -in aaa010101aaa_CSD_01.key -passin pass:a0123456789 -outform PEM -out CSD_01.key.pem -passout pass:a0123456789
3. Convert the certificate to PEM format.
openssl x509 -inform DER -in aaa010101aaa_CSD_01.cer -outform PEM -out CSD_01.cer.pem
4. Append the certificate and key file to one file.
copy CSD_01.key.pem+CSD_01.cer.pem CSD_01_chain.pem
5. Convert the pem file to pkcs12.
openssl pkcs12 -in CSD_01_chain.pem -passin pass:a0123456789 -export -out CSD_01.p12 -name SAT -passout pass:a0123456789
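The conversion steps above as one POSIX shell function, with a check that the certificate actually belongs to the private key before the two are bundled. This is an added example, not part of the SAP guide: it uses cat where the guide uses the Windows copy command, reads the passphrase from a file instead of pass:, and runs on a constructed throwaway key pair with assumed file names.

```shell
#!/bin/sh
# Added example, not from the guide. File names, the passphrase file and
# the throwaway key pair are constructed for the demonstration.
set -eu

# build_p12 KEY.der CERT.der PASSFILE ALIAS OUT.p12
# Runs the appendix steps 2-5 and refuses to bundle a mismatched pair.
build_p12() (
    umask 077
    work=$(mktemp -d)
    # The intermediate PEM key is written unencrypted, so it lives in a
    # private temp directory that is removed however the function exits.
    trap 'rm -rf "$work"' EXIT
    # Step 2: decrypt the DER PKCS#8 key. "file:" keeps the passphrase out
    # of the process list and shell history, unlike "pass:".
    openssl pkcs8 -inform DER -in "$1" -passin "file:$3" \
        -outform PEM -out "$work/key.pem" || exit 1
    # Step 3: DER certificate to PEM.
    openssl x509 -inform DER -in "$2" -outform PEM \
        -out "$work/cer.pem" || exit 1
    # Added check: both sides must yield the same public key.
    if [ "$(openssl pkey -in "$work/key.pem" -pubout)" != \
         "$(openssl x509 -in "$work/cer.pem" -noout -pubkey)" ]; then
        echo "certificate does not match private key" >&2
        exit 1
    fi
    # Steps 4 and 5: concatenate, then export under the given alias.
    cat "$work/key.pem" "$work/cer.pem" > "$work/chain.pem"
    openssl pkcs12 -export -in "$work/chain.pem" -name "$4" \
        -out "$5" -passout "file:$3" || exit 1
)

# Read the alias (friendlyName) back from a bundle without dumping keys.
p12_alias() {
    openssl pkcs12 -in "$1" -passin "file:$2" -nokeys 2>/dev/null |
        sed -n 's/^ *friendlyName: //p' | head -n 1
}

# make_sample DIR PASSFILE: constructed throwaway pair in the same encodings
# as the guide's inputs (encrypted DER PKCS#8 key, DER certificate).
make_sample() (
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/plain.pem" 2>/dev/null
    openssl pkcs8 -topk8 -in "$1/plain.pem" -outform DER \
        -out "$1/sample.key" -passout "file:$2"
    openssl req -x509 -new -key "$1/plain.pem" -subj "/CN=constructed-sample" \
        -days 1 -outform DER -out "$1/sample.cer" 2>/dev/null
)

# Demo run on the constructed pair.
demo=$(mktemp -d)
printf 'constructed-pass\n' > "$demo/pass"
make_sample "$demo" "$demo/pass"
build_p12 "$demo/sample.key" "$demo/sample.cer" "$demo/pass" SAT "$demo/CSD_01.p12"
echo "alias in bundle: $(p12_alias "$demo/CSD_01.p12" "$demo/pass")"
rm -rf "$demo"
```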
1. Click on Create a New Keystore. Select JKS as the type of the new Keystore.
2. Choose Tools -> Import Key Pair and select the pkcs12 file.
3. Enter a password and click on Save.
As the next step, you import the JKS file into the Keystore of SAP Integration Suite under the alias described in step 1 of
the section Deploy the Customer Certificate and Credentials to SAP Integration Suite.
7.1.3 Import the Handshake Certificate
Irrespective of whether the signing happens in SAP Integration Suite or not, you must download the handshake
certificate from the endpoint that is used to connect to the PAC.
2. Click on View certificate -> Copy to file, choose Next and select options as below until you reach Finish. You
can import this certificate into a keystore and load it to the SAP Integration Suite tenant keystore.
www.sap.com