Technology Blog Posts by SAP
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Read only

Secure Authentication Strategy for HTTP Sender Channels in Cloud Integration

adarshrao_rao
Product and Topic Expert
Product and Topic Expert
‎2024 Aug 20 7:26 AM
6,822

In complex integration landscapes, where numerous HTTP sender channel interfaces are in place, security concerns often arise. The challenge is finding an authentication method that avoids using basic credentials or client ID and secret as the username and password. Additionally, changing the sender channels across all interfaces to a different adapter is not practical, as it would require significant effort. Moreover, certificate-based authentication is not a feasible option for all sender systems. This situation calls for a solution that enhances security without requiring extensive changes or effort in the iFlow.

1.   Introduction

This blog outlines the use case for securing an iFlow in Cloud Integration, which has an HTTP sender channel. The aim is to ensure that the iFlow cannot be triggered directly via basic authentication using a username and password while maintaining a secure interface connection.

2.   Requirement

The requirements for this use case are as follows:

  • The iFlow should not be triggered directly via basic authentication (username and password).
  • The channel used must remain HTTP and cannot be changed.
  • The interface connection should be secure

3.   Analysis

The demo iFlow under consideration in Cloud Integration is named "Http Sender iFlow". This iFlow currently has an HTTP sender channel, which is illustrated in the image below.

adarshrao_rao_0-1724095549450.png

Currently, this iFlow can be successfully triggered by any user with the role ESBMessaging.send.

If the grant type of the service key is changed to anything else, the sender channel must be adjusted accordingly.

 Additionally, using the client ID and secret for basic authentication is not acceptable as per the requirement.

adarshrao_rao_1-1724095549452.png

adarshrao_rao_2-1724095549452.png

adarshrao_rao_3-1724095549453.png

3.1. High-level architecture diagram of the current solution:

 

adarshrao_rao_3-1724110589467.png

 

4.   Proposed Solution:

To meet the outlined requirements for the iFlow in Cloud Integration, a robust solution is necessary to prevent direct triggering via basic authentication, ensure the continued use of the HTTP channel, and enhance the overall security of the interface connection. By integrating OAuth 2.0 authorization via SAP APManagement, basic authentication with a more secure method can be replaced, ensuring that only authenticated and authorized users can trigger the iFlow.

Additionally, configuring certificate-based authentication between SAP API Management and SAP Cloud Integration further strengthens security by verifying identities through certificates. Lastly, leveraging custom user roles allows for precise control over access permissions, aligning with the goal of maintaining a secure and efficient integration environment. This multi-faceted approach not only addresses the immediate security concerns but also provides a scalable and robust framework for future enhancements.

4.1. High-level architecture diagram of the proposed solution:

adarshrao_rao_5-1724095549461.png

To achieve this, following steps have to be performed.

  • Create a custom role
  • Create an instance which has service key with client certificate as the grant type
  • Create a .PFX certificate
  • Create API provider and proxy
  • Create a product and application

4.2. Create a custom role

  • Go to User Roles under Manage Security

adarshrao_rao_6-1724095549464.png

  • Add a new user role as http.flow

adarshrao_rao_7-1724095549464.png

  • Update the same in the iflow sender channel

adarshrao_rao_8-1724095549465.png

4.3. Create an instance which has service key with client certificate as the grant type

  • Select the service and plan as below

adarshrao_rao_9-1724095549467.png

  • Add the custom role http.flow under Roles and remove the role ESBMessaging.send

adarshrao_rao_10-1724095549468.png

  • Once the instance is created, you will be able to see parameters as below

adarshrao_rao_11-1724095549468.png

 

  • create a service key with key type as certificate and Download the service key

adarshrao_rao_12-1724095549469.png

 

Note: Please make sure no other service keys are created in this instance

 

  • Open the downloaded file and -
    • copy the certificate contents to a separate file and name it as main.pem
    • copy the key contents to separate file and name is as key.pem

adarshrao_rao_13-1724095549470.png

 

  • Once done, you will have two files, main.pem and key.pem as below.

Note: replace \n with enter and remove double quotes)

 

  • Screenshot of main.pem file:

adarshrao_rao_14-1724095549472.png

 

  • Screen shot of key.pem file:

adarshrao_rao_15-1724095549473.png

  • Now, to create a .PFX certificate, change the directory in the terminal and run below command

    openssl pkcs12 -inkey key.pem -in main.pem -export -out pfx_certificate.pfx

adarshrao_rao_16-1724095549474.png

  • Enter a password of your choice say, abcd and verify it
  • Now, you will be able to see a .pfx certificate generated based on the .pem files

adarshrao_rao_17-1724095549474.png

 

4.4. Create API provider and proxy

  • Go to Configure --> APIs -->Under API Providers --> Create

adarshrao_rao_18-1724095549476.png

 

  • Configure the connection as below. This API provider named CloudIntegration will be used only to discover the iflows and not during run time.

The details of host, client id and secret can be identified from the service key which is explained in the next step

Host: url value without https://

Since connection type is Cloud Integration, catalog service setting is not applicable

adarshrao_rao_19-1724095549477.png

 

  • Make sure that you are using the service key which was created in the instance with plan as api

adarshrao_rao_20-1724095549478.png

adarshrao_rao_21-1724095549479.png

  • Create an API proxy and select the provider as CloudIntegration and click on Discover

adarshrao_rao_22-1724095549480.png

 

  • Select the iflow “Http_Sender_iFlow”

adarshrao_rao_23-1724095549481.png

  • Click on Next
  • Select the Authentication Type as Client Certificate
  • Select the New store under client certificate and browse for the previously generated .pfx certificate
  • Provide a store name, name and password which was used while generating .pfx certificate

adarshrao_rao_24-1724095549482.png

 

  • This connection will be used during the runtime from APIM to CI.
  • Modify the API name as required and short text as required. Click Create

adarshrao_rao_25-1724095549483.png

  • Perform a test and you should be able to get http 200 OK response

adarshrao_rao_26-1724095549485.png

  • If the test is successful add following policies under ProxyEndpoint  PreFlow
  • OAuth Verification

adarshrao_rao_27-1724095549487.png

  • Add below code

 

 

<OAuthV2 async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
<Operation>GenerateAccessToken</Operation>
<GenerateResponse/>
<SupportedGrantTypes>
<GrantType>client_credentials</GrantType>
</SupportedGrantTypes>
</OAuthV2>

 

 

 

  • Create a API proxy to generate the token while authenticating using application key and secret as below

adarshrao_rao_28-1724095549487.png

adarshrao_rao_29-1724095549488.png

 

  • Under Resources add Token with operation as POST

adarshrao_rao_30-1724095549489.png

 

  • Under Policies, select ProxyEndPointtoken and add OAuth 2.0 to generate access token

adarshrao_rao_31-1724095549490.png

  • Add the below code

 

 

<OAuthV2 async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">

<Operation>GenerateAccessToken</Operation>

<GenerateResponse/>

<SupportedGrantTypes>

<GrantType>client_credentials</GrantType>

</SupportedGrantTypes>

</OAuthV2>

 

 

adarshrao_rao_32-1724095549492.png

 

  • Update, save and Deploy

4.5. Create a product and application

 

  • Under Engage, create a product

adarshrao_rao_33-1724095549494.png

  • In the APIs tab, add the newly created APIs and publish the product

adarshrao_rao_34-1724095549495.png

 

  • Go to API Business Hub Enterprise and published product can be seen here

adarshrao_rao_35-1724095549498.png

 

  • Click on the product and it will take you to the next page

adarshrao_rao_36-1724095549504.png

  • Click on Subscribe --> Create New Application

adarshrao_rao_37-1724095549505.png

  • Click Create. New application will be created and under Application details, Application secret and key can be seen.

adarshrao_rao_38-1724095549509.png

5.   Testing

For testing the set-up, Insomnia API client is used to trigger the data. API client is configured as below.

Operation: POST

URL : End point of API_Http_Sender_iFlow_v1

Grant Type: Client Credentials

Access Token URL : End point of API_GenerateOAuthToken_v1

Client id : Application Key value

Client Secret : Application Secret Value

Click on Fetch Tokens and click on Send

 

adarshrao_rao_39-1724095549511.png

adarshrao_rao_40-1724095549512.png

Now, you will not be able to trigger this iflow with basic authentication because there is no service key with client id and secret for the custom role http.flow

6.   Additional Details

Now, the following questions arises.

  • Whether this is a one time activity or same procedure has to be followed for all the HTTP sender iflows?
  • If this has to be done for all HTTP sender iflows then the effort is too high for build. Hence, what can be done to make this a one time activity?
  • It is convenient if the above solution meets the below requirement

adarshrao_rao_41-1724095549512.png

The above requirement can be met by following the below steps.

 

6.1. Create 2 iFlows

  • iFlow 1 with name Http Sender iFlow1 and has the end point and user role as below

adarshrao_rao_42-1724095549516.png

 

  •  iFlow 2 with name Http Sender iFlow2 and has the end point and user role as below

adarshrao_rao_43-1724095549519.png

6.2. Testing

Now, based on the values provided in the API URL, respective iFlow is triggered.

 

  • To Trigger iFlow 1

adarshrao_rao_44-1724095549521.png

adarshrao_rao_45-1724095549522.png

  • To Trigger iflow 2

adarshrao_rao_46-1724095549524.png

adarshrao_rao_47-1724095549525.png

7.   References

Below mentioned blogs are two excellent references. I have used them to extend this strategy.

SAP Blog 1

SAP Blog 2

8.   Summary

This document outlines a proposed solution to enhance the security of an iFlow in Cloud Integration that uses an HTTP sender channel. The key requirements for this solution are:

  • Prevent Direct Triggering via Basic Authentication: The iFlow should not be triggered directly using basic authentication (username and password) to avoid potential security vulnerabilities.
  • Maintain HTTP Channel: The communication channel must remain HTTP, as changing the channel is not an option within the current constraints.
  • Ensure Secure Interface Connection: The interface connection must be secure, ensuring data integrity and protection against unauthorized access.

To address these requirements, the following solution is proposed:

  • Implement OAuth 2.0 authorization to replace basic authentication using SAP API management, ensuring that only authenticated and authorized users can trigger the iFlow.
  • Configure certificate based authentication between SAP API management and SAP Cloud Integration
  • Make use of custom user roles

Please feel free to discuss your experiences and provide your feedback in the comment section of this blog post.

2 Comments