Inbound Client Certificate authentication to SAP Cloud Integration using SAP BTP Destinations

This blog post describes how to set up Client Certificate authentication for inbound requests to SAP Cloud Integration (CI) in the Cloud Foundry environment through an SAP BTP Destination, which can then be used easily by other services within SAP BTP.

There will be a brief introduction followed by the main steps to follow to set up CI for inbound requests with a Destination and then a short conclusion.

Introduction

It is very common for SAP Cloud Integration to receive inbound requests, for example from a custom app developed in SAP BTP. Many customers want to avoid using Basic Authentication and opt for more secure authentication methods such as Client Certificate authentication.

You can find out more on the basics of this secure method of authentication here.

By the end of this blog post you will have a Destination set up with Client Certificate authentication so that other services developed on SAP BTP can easily make inbound requests to SAP Cloud Integration.

The steps covered are:

  1. Provision Private Key Pair
  2. Import Root Certificate of Sender system into SAP Cloud Integration
  3. Create Service Instance and Service Key for SAP Cloud Integration
  4. Configure Destination

1. Provision Private Key Pair

In my experience, it has not been possible to use self-signed certificates for Client Certificate authentication from a Destination into SAP Cloud Integration. Therefore, you will need to provision a Private Key Pair through the relevant IT department.

Note: It is possible to generate one in SAP Cloud Integration where it can be used for outbound requests but there is no mechanism to export this private key pair which you will need to configure against the Destination later on for the inbound requests.

Your key pair (referred to as the .pfx or .p12 file in this blog post) is typically delivered as a .pfx file; however, I ran into difficulties using this format through the destination. I overcame this by using a free open-source tool called Keystore Explorer, where you can create a .p12 file and import the .pfx file into it. Please save the .p12 for use later on. Keep in mind that this file contains the private key: store it and its password as you would any other secret, and share only the certificates exported from it in the next step.

2. Import Root Certificate of Sender system into SAP Cloud Integration

First you will need to open your .pfx file with the Keystore Explorer (or a tool of your choice) by selecting the option “Examine a Certificate” once you have launched the app.


Home screen of the Keystore Explorer

You will then need to select your .pfx file to open it within the Keystore Explorer – note that you will need the private key pair’s passcode in order to be able to continue. You should see something like this:


Private Key Pair being accessed through the Keystore Explorer

Double-click on the entry and it will show you the certificate chain for your .pfx file. From here you can save the Root certificate and the CA (intermediate) certificate by selecting the respective entry and pressing "Export"; select the X.509 format and export to a folder of your choice. Do this for both the Root and CA certificates, as you will need to import these into the Keystore of your SAP Cloud Integration tenant.


Certificates within the Private Key Pair

Additionally, you will need the last certificate in the list, which is the client certificate itself (the leaf certificate issued to your key pair), so go ahead and export this one too. It will be relevant for the Service Key.

Now that you have the required certificates, log in to your SAP Cloud Integration tenant and navigate to the Monitor tab -> Manage Security -> Keystore, where you will be able to import the two CA certificates (Root and intermediate) you just saved. You can follow the steps provided in the SAP Help documentation.

3. Create Service Instance and Service Key for SAP Cloud Integration

With the Root and CA certificates of your .pfx file now safely imported into the SAP Cloud Integration Keystore, next is to create a service instance and service key to allow external calls INTO your CI tenant.

Log in to the relevant Subaccount in your BTP global account and navigate to the Instances and Subscriptions tab. Here you will need to create a new Instance.

Press on Create and enter the following details.

Service: Process Integration Runtime

and then allow the rest of the fields to populate automatically. If they don't, you may need to ensure you have a valid Plan and also create a new Space if necessary.

Then give it an Instance Name – in this example I called it sap-blog-test-instance.

You should have something that looks like this:


Create a new Instance

Click on Next and change the Grant type from client_credentials to client_X509, and ensure that the Roles field contains the role ESBMessaging.send (or another relevant role if you are using a custom role). Then click on Create.

Once it has finished being created, press on your new instance and a window will slide in from the right hand side. In this window, press on the Service Keys tab and click on Create.

Give this Service Key a name.

After this, click on the JSON option and you will be presented with the following:


Create a new Service Key

What you will need here is the LAST certificate that you exported in step 2, i.e. the client certificate itself, not the Root or CA certificate. Find this certificate in your folder and open it with Notepad or another text editor. You should see a value like:

"-----BEGIN CERTIFICATE-----MI.....g==-----END CERTIFICATE-----"

You may notice that there are line breaks between the lines of the exported file; please ensure that you delete these, as the Service Key will not accept a value containing them. Once you have done this, copy and paste the entire single-line text into the JSON above as the value of the key "X.509" and press Create. Note that this is only the public certificate; the private key from the .p12 file must never be pasted into a Service Key.
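To make the manual steps in section 2 (splitting the exported chain into individual certificates) and section 3 (turning the client certificate into a single-line value for the Service Key) repeatable, here is an added example in Python using only the standard library. It is not code from the blog post or from SAP. The JSON parameter names "grant-type", "roles" and "X.509" are assumed from the Service Key JSON shown above, and the PEM inputs are constructed placeholders, not real certificates.

```python
"""Added example (not part of the original blog post): prepare PEM
certificate values for the SAP Cloud Integration service key."""
import base64
import json
import re
from typing import List, Optional, Tuple

# Matches one PEM object and captures its label (CERTIFICATE, PRIVATE KEY, ...)
# and its base64 body, including whatever line breaks the exporter used.
_PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.DOTALL)


def split_pem(text: str) -> List[Tuple[str, str]]:
    """Return (label, base64_body) pairs for every PEM object in `text`, in
    file order. Handles LF and CRLF line endings and stray whitespace, and
    rejects bodies that are not strict base64."""
    objects = []
    for match in _PEM_RE.finditer(text):
        label = match.group(1)
        body = "".join(match.group(2).split())   # drop every newline/CR/space
        base64.b64decode(body, validate=True)    # raises on corrupted input
        objects.append((label, body))
    return objects


def pem_problem(text: str) -> Optional[str]:
    """Return None if `text` holds exactly one certificate, else the reason
    it must not be pasted into the service key."""
    objects = split_pem(text)
    if any(label != "CERTIFICATE" for label, _ in objects):
        return "file contains a non-certificate PEM object (a private key?)"
    if len(objects) != 1:
        return f"expected exactly one certificate, found {len(objects)}"
    return None


def single_line_certificate(text: str) -> str:
    """Return the single certificate in `text` as one line with no line
    breaks, the form the service key's "X.509" value requires."""
    problem = pem_problem(text)
    if problem:
        raise ValueError(problem)
    body = split_pem(text)[0][1]
    return f"-----BEGIN CERTIFICATE-----{body}-----END CERTIFICATE-----"


def service_key_parameters(leaf_pem: str, role: str = "ESBMessaging.send") -> str:
    """Build the JSON parameter document for the Process Integration Runtime
    service key. Parameter names are assumed from the service key JSON in the
    blog post and should be checked against your tenant's template."""
    params = {
        "grant-type": "client_x509",
        "roles": [role],
        "X.509": single_line_certificate(leaf_pem),
    }
    return json.dumps(params, indent=2)


# Constructed sample input: NOT real certificates, just base64 of placeholder
# bytes wrapped over several lines the way an exported .cer/.pem file looks.
def _fake_pem(label: str, payload: bytes, newline: str = "\n") -> str:
    body = base64.encodebytes(payload).decode().replace("\n", newline)
    return f"-----BEGIN {label}-----{newline}{body}-----END {label}-----{newline}"


LEAF_CER = _fake_pem("CERTIFICATE", b"constructed client certificate " * 4, "\r\n")
CHAIN_PEM = (
    _fake_pem("CERTIFICATE", b"constructed intermediate CA " * 4)
    + _fake_pem("CERTIFICATE", b"constructed root CA " * 4)
)
KEY_PEM = _fake_pem("PRIVATE KEY", b"constructed key material, never paste this")

if __name__ == "__main__":
    print(service_key_parameters(LEAF_CER))
    for index, (_, body) in enumerate(split_pem(CHAIN_PEM)):
        print(f"chain certificate {index}: {len(body)} base64 characters")
    print("chain file:", pem_problem(CHAIN_PEM))
    print("key file:", pem_problem(KEY_PEM))
```

Run it against the files you exported from Keystore Explorer by replacing the constructed samples with `open(path).read()`; the checks in `pem_problem` catch the two mistakes that are easy to make at this step, pasting the whole chain instead of the leaf certificate and pasting the private key.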

Once this Service Key is created, you can View it and validate that the key has the correct certificate assigned to it and that it also has the assigned role ESBMessaging.send (or custom role if that is the route you took).

Ok! Now almost everything is in place to allow inbound requests to your CI tenant. Only one step remains, and that is to configure the destination.

4. Configure Destination

Navigate to the Subaccount from which your app will access SAP CI through the destination and, on the left-hand side of your screen under the Connectivity tab, click on Destinations.

In this screen, the first step is to import your Private Key Pair (please use the .p12 version that was created in step 1). Find the option Certificates, click on Upload Certificate and select the relevant file.

Next, click on New Destination where you will be presented with the following fields:

Name*: Enter a name for your destination

Type: HTTP

Description: Enter a description for your destination

URL*: Enter the URL of the iFlow endpoint you wish to send requests to

Proxy Type: Internet

Authentication: ClientCertificateAuthentication

Key Store Location: Select the .p12 file you uploaded previously

Key Store Password: Enter the password you configured when you created the .p12 version of your Private Key Pair in the Keystore Explorer app

Now save this Destination and click on Check Connection. Currently this returns a 401 status code; this is expected for a client-certificate destination and does not by itself indicate a misconfiguration, since the check only confirms that the endpoint is reachable.

The real test would be to use the Destination through your developed app and check that you can execute the relevant requests.

Conclusion

The steps in this blog post should help you set up inbound requests to your SAP Cloud Integration tenant through a Destination. Please ask questions through the comments on this blog post or through the SAP Community pages: SAP Cloud Integration Community or the SAP BTP Community.

That is the end of this blog post – please use the following links for more information on SAP Cloud Integration and SAP BTP.