‎2026 Feb 03 4:50 PM
Hello All,
I have been working with APIM and just wanted to clarify a few points related to the AS2 interface:
1. Can an AS2 sender based iFlow be fronted by APIM?
2. If yes, can Basic Authentication be applied via API policies for AS2 sender iFlow?
3. If not, what are the supported and recommended security mechanism for inbound AS2 in this scenario?
I have come across a blog explaining the same scenario but with an OAuth approach - https://community.sap.com/t5/technology-blog-posts-by-members/securing-as2-sender-adapter-with-oauth...
Could anyone provide some insight on this topic?
Thanks & Regards,
Aditya
‎2026 Feb 03 6:31 PM - edited ‎2026 Feb 03 6:32 PM
Hi @aditya_20
1. Can an AS2 sender based iFlow be fronted by APIM?
Ans. No, APIM exposes HTTP-based iFlows, not those with other sender adapters, e.g. AS2, and rather synchronous iFlows (with a business response, not a technical ack).
2. If yes, can Basic Authentication be applied via API policies for AS2 sender iFlow?
Ans. If you want to create an iFlow with an HTTP sender adapter (replacing AS2) as in your cited blog, then of course it is also possible to protect the API proxy with Basic Auth (instead of OAuth client credentials):
https://community.sap.com/t5/technology-q-a/sap-api-management-set-basic-authentication-for-api-prox...
Just use a KVM for user + password storage and then compare with those coming from the Authorization header.
Two points:
- Honestly, I do not see any added value in creating an API proxy for an HTTP iFlow (which is what the above blog describes). An HTTP iFlow can be exposed in a secure manner directly to the external sender system without an API proxy layer, if this is the only purpose of creating the API (no other policy steps that are unique to APIM and not available in CI).
- In CI you can secure access via your suggested Basic Auth as well.
3. If not, what are the supported and recommended security mechanism for inbound AS2 in this scenario?
Ans. It was mentioned in the comments of the cited blog. Client certificate authentication is native for AS2.
Hope it helps
Mateusz
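
The comparison described in the reply above (stored user and password checked against the Authorization header), as an added example that is not part of the original thread or SAP's own code. It is plain JavaScript; the function names are hypothetical, and `expectedUser` / `expectedPass` stand in for the values a proxy would read from its KVM.

```javascript
// Added example. expectedUser / expectedPass are assumed to come from a KVM
// lookup; nothing here is an APIM API.

// Compare without stopping at the first mismatch, so response timing does not
// reveal how much of the secret matched.
function constantTimeEqual(a, b) {
  const x = Buffer.from(String(a), "utf8");
  const y = Buffer.from(String(b), "utf8");
  let diff = x.length ^ y.length;
  for (let i = 0; i < Math.max(x.length, y.length); i++) {
    diff |= (x[i] || 0) ^ (y[i] || 0);
  }
  return diff === 0;
}

// Parse "Basic <base64(user:pass)>" (RFC 7617). Returns null for anything else.
function parseBasicHeader(header) {
  if (typeof header !== "string") return null;
  const m = /^Basic +([A-Za-z0-9+\/]+={0,2})$/i.exec(header.trim());
  if (!m) return null;
  const decoded = Buffer.from(m[1], "base64").toString("utf8");
  const sep = decoded.indexOf(":"); // first colon separates; passwords may contain ':'
  if (sep < 0) return null;
  return { user: decoded.slice(0, sep), pass: decoded.slice(sep + 1) };
}

// True only when both values match. Fails closed when the stored values are
// missing, so an empty KVM entry can never authenticate a caller.
function checkBasicAuth(header, expectedUser, expectedPass) {
  const stored = [expectedUser, expectedPass];
  if (!stored.every((v) => typeof v === "string" && v.length > 0)) return false;
  const creds = parseBasicHeader(header);
  if (!creds) return false;
  const userOk = constantTimeEqual(creds.user, expectedUser);
  const passOk = constantTimeEqual(creds.pass, expectedPass);
  return userOk && passOk; // both comparisons have already run
}

// Constructed sample values, not real credentials.
const sampleHeader = "Basic " + Buffer.from("partner01:p@ss:word").toString("base64");
console.log(checkBasicAuth(sampleHeader, "partner01", "p@ss:word"));
console.log(checkBasicAuth(sampleHeader, "partner01", "wrong"));
console.log(checkBasicAuth("Bearer abc", "partner01", "p@ss:word"));
```

A `false` result corresponds to the proxy answering 401 without forwarding the call to the iFlow.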
‎2026 Feb 05 7:07 AM
Hi @MateuszPiotrowski ,
Thank you for the response.
I was planning to implement this API Management (APIM) solution due to a recurring issue where certain partners are encountering a 401 Unauthorized error when attempting to connect to the AS2 sender at the IFlow level. I have created a specific client ID and client secret for these partners and shared them accordingly. Additionally, I have attempted to use client certificate-based authentication; however, none of these solutions have resolved the issue, as they continue to result in a 401 Unauthorized error. Could you please suggest any alternative approaches or workarounds to address this specific problem if APIM can't be utilized here?
Thanks,
Aditya
‎2026 Feb 05 8:15 AM
Hello @aditya_20 ,
I fully agree with @MateuszPiotrowski 's comment here.
I am trying to help with the 401 Unauthorized error that you are facing. If you are using "client certificate-based authentication" in the AS2 Sender Adapter, it is also important to add the certificate of your AS2 sender in the BTP Cockpit and create a service key for it.
Check out the notes below, which explain the steps to do it.
Thanks!
‎2026 Feb 06 12:55 PM
Hi Punith,
Thanks for the reply.
I will explore and try implementing this option.
Regards,
Aditya