
Key rotation is crucial to security. As a general recommendation, every customer should have an automated or manual process in place for rotating keys at least every 90 days.
In this blog post we will try to explain the below topics:
In the case of PostgreSQL on SAP BTP, hyperscaler option, keys are rotated by creating a new service key and the corresponding binding with the application that uses it for its database connection.
When do you need to take action?
From time to time, key rotation is required for other reasons, for example when a Certificate CA rotation happens. The Certificate CA is used by the service keys, so if a Certificate CA becomes invalid, the service key becomes invalid as well.
For example, this year (2024) the Certificate CAs used in AWS and Azure for PostgreSQL services are set to expire*, and this impacts the use of the service keys.
What is the IMPACT: All service keys/bindings will stop working due to invalid credentials.
ACTION NEEDED: Users need to create new service keys and bindings so the new certificates can be used for authentication.
!! Please be aware that deleting the service key or binding can cause issues for running applications; you may need to restart/restage the relevant applications to apply the new service key !!
For PostgreSQL on SAP BTP, hyperscaler option, users have been able to recreate the service keys and bindings since June 8th. Keys and bindings created since then already include the new Certificate CA and will remain valid after the above-mentioned expiration dates.
There is no need to wait until the Certificate CA becomes invalid or expires to generate a new service key and binding.
For example, you can go to https://www.sslshopper.com/certificate-decoder.html and paste the certificate content from your current service key(s) and check the validity.
How to rotate the service keys (credentials) via BTP Cockpit
To rotate the service keys manually, access your Global Account and Sub-Account, go to Instances and Subscriptions, and select the desired instance.
Then delete both the application binding(s) and the service key(s).
After deleting them, create the new service key(s) and binding(s), which will use the new Certificate CA.
✅ How to check the certificate validity
Check the dates when the service keys were created. If they are later than June 8th, your service key(s) and binding(s) are already using the new Certificate CA.
You may go to https://www.sslshopper.com/certificate-decoder.html and paste the certificate content from the service key and check the validity.
Please note that your binding will contain both the old and the new certificate (because your instance still uses the root CA that is valid until the expiration date). So if you want to check the validity, select the last certificate in the chain and confirm that it is valid beyond August/September, depending on the case.
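The same check can also be done locally with openssl instead of a web decoder. The script below is an added example, not part of the original post or of SAP documentation: it picks the last certificate in a PEM bundle saved from the service key and tests whether it is still valid a given number of days from now. The file name bundle.pem, the script name and the function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): local validity check for the
# certificate content of a service key. Assumes the PEM text was saved to a
# file such as bundle.pem (hypothetical name) and that openssl is installed.

# Print the last certificate block found in a PEM bundle.
last_cert() {
  awk '/-----BEGIN CERTIFICATE-----/ { buf = "" }
       { buf = buf $0 "\n" }
       /-----END CERTIFICATE-----/ { last = buf }
       END { printf "%s", last }' "$1"
}

# Succeed (exit 0) if the last certificate in PEM_FILE is still valid DAYS
# days from now; exit 1 if it expires sooner, 2 if no certificate was found.
cert_valid_beyond() {
  local pem="$1" days="${2:-90}" cert
  cert="$(last_cert "$pem")"
  if [ -z "$cert" ]; then
    echo "no certificate found in $pem" >&2
    return 2
  fi
  # Show the expiry date, then let openssl compare it with now + DAYS.
  printf '%s\n' "$cert" | openssl x509 -noout -enddate
  printf '%s\n' "$cert" | openssl x509 -noout -checkend "$((days * 86400))" >/dev/null
}

# Usage: ./check_cert.sh bundle.pem 90
if [ "$#" -ge 1 ]; then
  cert_valid_beyond "$@"
fi
```

A non-zero exit status means the last certificate expires within the given number of days (or none was found), so the check can gate a scheduled rotation job.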
Create new service keys and bindings using CF CLI operation
You may also use Cloud Foundry (CF) commands to rotate the service keys.
List service key(s)
cf service-keys <SERVICE_INSTANCE>
Delete service key(s)
cf delete-service-key <SERVICE_INSTANCE> <SERVICE_KEY>
Create service key(s)
cf create-service-key <SERVICE_INSTANCE> <SERVICE_KEY> [-c '{"name":"<value>","name":"<value>"}']
Unbind the service instance
cf unbind-service <APP_NAME> <SERVICE_INSTANCE>
Bind the service instance
cf bind-service <APP_NAME> <SERVICE_INSTANCE>
Restage the application
cf restage <APP_NAME>
Please always refer to the official product documentation on the SAP Help Portal.
Check also other interesting blogs regarding PostgreSQL:
Thanks for reading,
SAP BTP Backing Services – Product Management