INTRODUCTION
In order to send events to eSocial government systems, the XML files must be signed using a digital certificate
compliant with ICP-Brasil standards. The connection between the SAP system and the government's servers
uses the same certificate to secure the data transmission.
To obtain the digital certificate, you should interact with a certification authority. You can find a complete and
updated list of certification authorities on the National Information Technology Institute (ITI Brazil) website:
http://www.iti.gov.br.
Certification authorities can issue certificates in the form of a physical token, so make sure you request
a digital certificate that can be used for e-commerce transactions in PKCS#12 format.
This document helps customers import the digital certificates into the SAP system to sign XML files
and connect to the eSocial restricted production environment.
Prerequisites
You have authorization to manage certificates on the STRUST transaction.
To prevent the XML signature check from failing when inclusive canonicalization is specified, the following SAP
Notes must be applied or reviewed:
• 510007 - Setting up SSL on Application Server ABAP
• 662340 - SSF Encryption Using the SAPCryptolib
• 2097272 - Error in XML canonicalization
• 2291377 - SAML2: Error in Signature Validation
• 2427966 - Fixes in CommonCryptoLib 8.5.10
CREATE PSE FILE
Use the SAPGENPSE tool at the command prompt to create a PSE file from the existing private certificate, as
described in SAP Note 662340 - SSF Encryption Using the SAPCryptolib.
Recommendations:
• If an error reports that the .pfx file is missing the certificate chain, you can complete the chain by
adding the missing certificates with option '-r'. The command line should look like this:
• APPLIC = 'ZESO01' (Note that this is an example name. You can enter your own APPLIC name,
and use this name all over the process.)
• B_TOOLKIT = 'X'
• B_FORMAT = 'X'
• B_PAB = 'X'
• B_PROFID = 'X'
• B_PROFILE = 'X'
• B_HASHALG = 'X'
• B_ENCRALG = 'X'
• B_INCCERTS = 'X'
• B_DETACHED = 'X'
• B_ASKPWD = ' '
• B_DISTRIB = 'X'
• DESCRIPT = <description of the SSF-application>
Set Application Parameters
3. Access transaction SSFA and create a configuration for the application you created in step 2.
Import PSE file
1. Access transaction STRUST.
2. Double click on File.
3. Select the PSE file previously created.
4. At this point, the certificate has been imported into the transaction.
5. Associate the certificate with the SSF Application ZESO01 by choosing PSE > Gravar como.
ENTER DIGITAL CERTIFICATE FOR CONNECTING THE ESOCIAL RESTRICTED PRODUCTION ENVIRONMENT
3. Double click on File.
4. Select the PSE file previously created.
5. At this point, the certificate has been imported into the transaction.
6. Associate the certificate with the SSL Client ZESO01, option Mandante SSL, by choosing PSE > Gravar como.
8. Get the public certificate of the eSocial service URL at
https://webservices.producaorestrita.esocial.gov.br/
Web browsers such as Google Chrome and Firefox have a feature for obtaining the certificate.
9. Add the certificate of the restricted environment service by accessing transaction STRUST, then
choosing Certificado > Importar.
10. At this point, the certificate has been imported. Choose Incluir na lis.certificados, as shown in the figure
below.
11. The certificate must appear in the Lista de Certificado field.
TEST THE CONNECTION WITH ESOCIAL RESTRICTED PRODUCTION ENVIRONMENT
3. Fill the following field values under the tab Configurações técnicas:
• Host destino: webservices.producaorestrita.esocial.gov.br
• Nº Serviço: 443
• PrefCaminh: /servicos/empregador/enviarloteeventos/WsEnviarLoteEventos.svc
• Host proxy: customer proxy host
• Serviço proxy: customer proxy port
4. Fill the following field values under the tab Logon e Segurança:
• SSL: ativo
• Certificado SSL: ZESO01
Verify that the remaining fields are filled with default values, as shown in the figure below:
5. Save the record.
6. Test the connection using the button Teste Conexão.
7. If the result matches the figure below, the certificate configuration is correct.
8. If the connection fails, review all configurations according to this document. Additionally, check the
SAP Note 510007 - Setting up SSL on Application Server ABAP. This SAP Note describes all
configurations and parameters that can impact the connection. The following items can be highlighted
from this SAP Note:
a. Enable the HTTPS service on transaction SMICM.
b. Check/Update the library CommonCryptoLib (recommended version 8.4.49).
c. Adjust the parameters ssl/ciphersuites and ssl/client_ciphersuites on transaction RZ10.
Recommended values:
i. ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH
ii. ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH
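The leading number in each recommended value is a sum of bit flags, so it is worth decoding before the parameters go into RZ10. The following is an added example, not SAP code and not part of the original guide; its flag table is an assumption based on the description in SAP Note 510007, which this page does not reproduce, and the function name is hypothetical.

```python
# Added example: decode the numeric prefix of an SAP ssl/ciphersuites value.
# ASSUMPTION: the flag table follows SAP Note 510007, which this page does
# not reproduce; confirm it against the note before relying on the output.
FLAGS = {
    1: "BC: accept SSLv2-format ClientHello for the TLS handshake",
    2: "BEST: enable the highest TLS version the library supports",
    4: "NO_GAP: no gaps between enabled protocol versions",
    16: "blind sending of a client certificate",
    32: "strict protocol version configuration",
    64: "SSLv3",
    128: "TLSv1.0",
    256: "TLSv1.1",
    512: "TLSv1.2",
}
PROTOCOL_BITS = (64, 128, 256, 512)
LEGACY_BITS = (64, 128, 256)  # protocol versions older than TLSv1.2


def decode_ciphersuites(value):
    """Split '<flags>:<tokens>' and explain each bit set in <flags>."""
    head, _, rest = value.partition(":")
    number = int(head)
    unknown = number & ~sum(FLAGS)
    if unknown:
        raise ValueError(f"undocumented flag bits set: {unknown}")
    bits = [bit for bit in FLAGS if number & bit]
    return {
        "flags": [FLAGS[bit] for bit in bits],
        "protocols": [FLAGS[bit] for bit in bits if bit in PROTOCOL_BITS],
        "legacy_protocols": [FLAGS[bit] for bit in bits if bit in LEGACY_BITS],
        "best": bool(number & 2),
        "blind_client_cert": bool(number & 16),
        "tokens": [token for token in rest.split(":") if token],
    }


if __name__ == "__main__":
    # The two values recommended on this page.
    for name, value in (
        ("ssl/ciphersuites", "135:PFS:HIGH::EC_P256:EC_HIGH"),
        ("ssl/client_ciphersuites", "150:PFS:HIGH::EC_P256:EC_HIGH"),
    ):
        info = decode_ciphersuites(value)
        print(name, "=", value)
        for line in info["flags"]:
            print("   ", line)
        if info["legacy_protocols"]:
            print("    review: legacy protocol enabled:", info["legacy_protocols"])
```

Under that flag table, both recommended values name TLSv1.0 as the lowest enabled protocol and rely on BEST to raise the ceiling, and only the client value (150) turns on blind sending of the client certificate.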