Quick & Dirty – How to set up OAuth2 authentication from NW7.5 to SAP BTP CI

I was looking for a one-page documentation on how to set up the OAuth2 authentication method to connect an on-prem S/4 system (acting as client) to SAP BTP CI. I couldn’t find one and so I hope I can save you some time by writing this blog post.

The advantage I see in using OAuth compared to an S-User or certificate approach is that you centrally configure the authentication and you can use the settings and credentials in the consumer proxies, which makes it easier to maintain in case changes to the credentials are needed.

I used several links to compile this documentation:

  1. A very good blog post on how to set up OAuth for SAP BTP CI in general, not specific to a connected system: https://blogs.sap.com/2018/03/12/part-1-secure-connectivity-oauth-to-sap-cloud-platform-integration/ – Thank you Divya Mary!
  2. Link to SAP help on how to prepare the OAuth client: https://help.sap.com/docs/SAP_NETWEAVER_AS_ABAP_752/916a7da9481e4265809f28010a113a6a/76cb524e55b0492db48d4468876f6ddc.html?locale=en-US. Make sure to create the client type in TAC OA2C_TYPE first.

Here is the procedure I used:

  1. Create a customizing entry for a new OAuth client type using TAC OA2C_TYPES
  2. Create an OAuth client profile following the documentation in this link: https://help.sap.com/docs/SAP_NETWEAVER_AS_ABAP_752/916a7da9481e4265809f28010a113a6a/76cb524e55b0492db48d4468876f6ddc.html?locale=en-US
  3. Following the blog post from Divya Mary, configure the SAP BTP tenant: go to Security -> OAuth, open the tab “Clients” and register a new client. IMPORTANT! In the field “Name” enter something short such as an SID, make sure to select the correct subscription, and enter a password.
  4. Assign the ESBMessaging.send permission to this client. The user name for the assignment is oauth_user_ + <short name you assigned to the client>, e.g. oauth_user_E41.
  5. On the NW 7.5 system, now go to transaction OA2C_CONFIG to configure the client profile. You might need to enter the proxy information further down if you need this to connect to the SAP web services. Make sure to select the correct “Access Settings”.
  6. You can now use this configuration in all your consumer proxies.

Since the setup is quite quick and easy to implement, this seems to be the way to go for on-prem NetWeaver systems to authenticate against SAP BTP, as this approach can be centrally managed in case of a security breach (e.g. compromised password) and you don’t have to change the password on every consumer proxy. Also, you no longer have to worry about expiring certificates or passwords. Just please keep in mind to use a proper password policy with long and complex passwords – use a password manager application!

The screenshots were taken from a NW7.56 system and they might differ a little bit depending on your release. If there is something to add or correct – please let me know.

Have fun!