Technology Blogs by SAP
dobrints
Product and Topic Expert

Hello, readers! Today I will share with you some new authentication methods for inbound and outbound authentication that you can select when extending SAP S/4HANA Cloud in the SAP BTP, Cloud Foundry runtime and SAP BTP, Kyma runtime.

Security requirements keep tightening, and certificate-based authentication is increasingly mandatory. We are therefore happy to share that the SAP S/4HANA Cloud Extensibility service now supports ClientCertificateAuthentication for inbound authentication (calls from your extension into the SAP S/4HANA Cloud system), and ClientCertificateAuthentication and OAuth2mTLS for outbound authentication (calls from the SAP S/4HANA Cloud system to your extension).

If you want to try out these authentication types, you need the following prerequisites:

In this blog post I will enable the Business Partner, Customer and Supplier Integration (SAP_COM_0008) communication scenario.

Client Certificate Authentication for inbound and outbound authentication

Let us first go through client certificate authentication for inbound authentication to the SAP S/4HANA Cloud system and for outbound authentication from it. Before creating anything, confirm that the communication scenario you are enabling contains inbound communication, contains outbound communication, and supports X.509 for both:

  1.  Go to the Display Communication Scenario application in the corresponding SAP S/4HANA Cloud system. Find and click the relevant scenario. In the Details section, the Contains Inbound and Contains Outbound checkboxes should be ticked.

  2. Go to the Inbound section and check that the X.509 checkbox is ticked.

  3. In the Outbound section, check that the X.509 checkbox is ticked.

Let's now create an instance of the SAP S/4HANA Cloud Extensibility service:

  1. Go to your subaccount in SAP BTP and from the left-side navigation select Services > Service Marketplace. Click the SAP S/4HANA Cloud Extensibility tile and click Create.

  2. In the service instance creation wizard, select Cloud Foundry as environment, select your Cloud Foundry space and the previously registered system. Enter an Instance Name of your choice and click Next.

  3. In the next step, enter the JSON that describes the communication arrangement you need, using ClientCertificateAuthentication for both inboundAuthentication and outboundAuthentication. For example:

 

{
    "systemName": "<your_system_name>",
    "communicationArrangement": {
        "communicationArrangementName": "blog",
        "scenarioId": "SAP_COM_0008",
        "inboundAuthentication": "ClientCertificateAuthentication",
        "outboundAuthentication": "ClientCertificateAuthentication",
        "outboundServices": [
            {
                "name": "Replicate Customers from S/4 System to Client",
                "isServiceActive": false
            },
            {
                "name": "Replicate Suppliers from S/4 System to Client",
                "isServiceActive": false
            },
            {
                "name": "Replicate Company Addresses from S/4 System to Client",
                "isServiceActive": false
            },
            {
                "name": "Replicate Workplace Addresses from S/4 System to Client",
                "isServiceActive": false
            },
            {
                "name": "Replicate Personal Addresses from S/4 System to Client",
                "isServiceActive": false
            },
            {
                "name": "Business Partner - Replicate from SAP S/4HANA Cloud to Client",
                "isServiceActive": false
            },
            {
                "name": "Business Partner Relationship - Replicate from SAP S/4HANA Cloud to Client",
                "isServiceActive": false
            },
            {
                "name": "BP Relationship - Send Confirmation from SAP S/4HANA Cloud to Client",
                "isServiceActive": false
            }
        ],
        "communicationSystem": {
            "communicationSystemHostname": "localhost.com"
        }
    }
}

 

Make sure to replace <your_system_name> with your actual registered system's name. Click Create and wait for the service instance to reach the Created status.

During creation, a keystore is generated in the SAP Destination service; it holds the client certificate and its private key. The certificate from this keystore is attached to a Communication User in the SAP S/4HANA Cloud system, which is what lets that system map an incoming mTLS connection to this user. The private key is never uploaded to SAP S/4HANA Cloud.


Additionally, a Communication Arrangement with the specified name is created. For Inbound Communication it uses the Communication User just mentioned, with Authentication Method SSL Client Certificate.


For Outbound Communication, SSL Client Certificate is likewise selected as the Authentication Method, with the Client Default certificate chosen. This is the certificate the SAP S/4HANA Cloud system presents when it calls the host given in communicationSystemHostname, so the application behind that host must be prepared to accept it.


Finally, a new destination with the ClientCertificateAuthentication authentication method is created in your SAP BTP subaccount. It points at the keystore created above, so your extension can call the SAP S/4HANA Cloud system through this destination without handling the certificate itself.


OAuth2 mTLS for outbound authentication

Now let us go through the other new outbound authentication method, OAuth2mTLS. Almost all the steps are the same as in the previous example; only the JSON you provide during service instance creation differs, in the outboundAuthentication value and in the additional communicationSystem fields (the OAuth endpoints and the outbound communication user):

 

{
    "systemName": "<your_system_name>",
    "communicationArrangement": {
        "communicationArrangementName": "blogOauthMtls",
        "scenarioId": "SAP_COM_0008",
        "inboundAuthentication": "ClientCertificateAuthentication",
        "outboundAuthentication": "OAuth2mTLS",
        "outboundServices": [
            {
                "name": "Replicate Customers from S/4 System to Client",
                "isServiceActive": false
            },
            {
                "name": "Replicate Suppliers from S/4 System to Client",
                "isServiceActive": false
            },
            {
                "name": "Replicate Company Addresses from S/4 System to Client",
                "isServiceActive": false
            },
            {
                "name": "Replicate Workplace Addresses from S/4 System to Client",
                "isServiceActive": false
            },
            {
                "name": "Replicate Personal Addresses from S/4 System to Client",
                "isServiceActive": false
            },
            {
                "name": "Business Partner - Replicate from SAP S/4HANA Cloud to Client",
                "isServiceActive": false
            },
            {
                "name": "Business Partner Relationship - Replicate from SAP S/4HANA Cloud to Client",
                "isServiceActive": false
            },
            {
                "name": "BP Relationship - Send Confirmation from SAP S/4HANA Cloud to Client",
                "isServiceActive": false
            }
        ],
        "communicationSystem": {
            "communicationSystemHostname": "localhost.com",
            "oAuthAuthEndpoint": "oauth.com/oauth/authorize",
            "oAuthTokenEndpoint": "oauth.com/oauth/token",
            "outboundCommunicationUser": {
                "username": "DefaultUser"
            }
        }
    }
}

 

The resulting artifacts are similar, but in the resulting Communication Arrangement OAuth 2.0 (mTLS) is selected as the Authentication Method for Outbound Communication. In this mode the SAP S/4HANA Cloud system authenticates to the token endpoint you specified with its client certificate over mutual TLS rather than with a shared secret, and then calls your endpoint with the access token it obtains.
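Both JSON documents above are easy to get subtly wrong by hand: a leftover <your_system_name> placeholder, a mistyped outbound service name, or an OAuth2mTLS arrangement without its token endpoint. The following helper, written for this post and not part of SAP's tooling, builds the parameter document for either authentication method from a few arguments and checks it before you pass it to the service instance wizard or to the cf CLI. The function names, the example hosts (api.example.com, idp.example.com) and the rule that OAuth2mTLS needs the three extra communicationSystem fields are assumptions drawn from the two examples above; the cf service name and plan in the usage comment are likewise an assumption to verify against the SAP BTP documentation.

```python
"""Build and sanity-check the parameter JSON for an SAP S/4HANA Cloud Extensibility
service instance. Example code added to this post, not SAP tooling."""
import json

# Authentication methods named in this post. Assumption: the service may accept
# further values; only these are checked here.
INBOUND_METHODS = {"ClientCertificateAuthentication"}
OUTBOUND_METHODS = {"ClientCertificateAuthentication", "OAuth2mTLS"}

# Outbound services of SAP_COM_0008, exactly as listed in the JSON documents above.
SAP_COM_0008_OUTBOUND_SERVICES = (
    "Replicate Customers from S/4 System to Client",
    "Replicate Suppliers from S/4 System to Client",
    "Replicate Company Addresses from S/4 System to Client",
    "Replicate Workplace Addresses from S/4 System to Client",
    "Replicate Personal Addresses from S/4 System to Client",
    "Business Partner - Replicate from SAP S/4HANA Cloud to Client",
    "Business Partner Relationship - Replicate from SAP S/4HANA Cloud to Client",
    "BP Relationship - Send Confirmation from SAP S/4HANA Cloud to Client",
)

# Keys OAuth2mTLS needs under "communicationSystem" (assumption drawn from the second
# JSON above; ClientCertificateAuthentication needs only the hostname).
OAUTH2_MTLS_KEYS = ("oAuthAuthEndpoint", "oAuthTokenEndpoint", "outboundCommunicationUser")


def check_parameters(params):
    """Return a list of problems found in a parameter document (empty list: looks usable)."""
    problems = []
    system_name = params.get("systemName") or ""
    if not system_name or system_name.startswith("<"):
        problems.append("systemName must be the registered system's name, not the <your_system_name> placeholder")
    ca = params.get("communicationArrangement") or {}
    if ca.get("inboundAuthentication") not in INBOUND_METHODS:
        problems.append("inboundAuthentication must be one of %s" % sorted(INBOUND_METHODS))
    outbound_auth = ca.get("outboundAuthentication")
    if outbound_auth not in OUTBOUND_METHODS:
        problems.append("outboundAuthentication must be one of %s" % sorted(OUTBOUND_METHODS))
    system = ca.get("communicationSystem") or {}
    host = system.get("communicationSystemHostname") or ""
    if not host or "://" in host:
        problems.append("communicationSystemHostname must be a bare hostname, without scheme")
    if outbound_auth == "OAuth2mTLS":
        for key in OAUTH2_MTLS_KEYS:
            if not system.get(key):
                problems.append("OAuth2mTLS requires communicationSystem.%s" % key)
        user = system.get("outboundCommunicationUser")
        if isinstance(user, dict) and not user.get("username"):
            problems.append("outboundCommunicationUser.username must be set")
    for svc in ca.get("outboundServices") or []:
        if not isinstance(svc.get("isServiceActive"), bool):
            problems.append("outboundServices[%r].isServiceActive must be true or false" % svc.get("name"))
    return problems


def build_parameters(system_name, arrangement_name, outbound_auth, hostname,
                     scenario_id="SAP_COM_0008", inbound_auth="ClientCertificateAuthentication",
                     active_services=(), outbound_services=SAP_COM_0008_OUTBOUND_SERVICES,
                     oauth_auth_endpoint=None, oauth_token_endpoint=None, outbound_username=None):
    """Build the parameter document; raise ValueError if it would be inconsistent."""
    unknown = set(active_services) - set(outbound_services)
    if unknown:  # a misspelled service name would otherwise go unnoticed until creation
        raise ValueError("not an outbound service of %s: %s" % (scenario_id, sorted(unknown)))
    system = {"communicationSystemHostname": hostname}
    if outbound_auth == "OAuth2mTLS":
        system["oAuthAuthEndpoint"] = oauth_auth_endpoint
        system["oAuthTokenEndpoint"] = oauth_token_endpoint
        system["outboundCommunicationUser"] = {"username": outbound_username}
    params = {
        "systemName": system_name,
        "communicationArrangement": {
            "communicationArrangementName": arrangement_name,
            "scenarioId": scenario_id,
            "inboundAuthentication": inbound_auth,
            "outboundAuthentication": outbound_auth,
            "outboundServices": [{"name": n, "isServiceActive": n in active_services}
                                 for n in outbound_services],
            "communicationSystem": system,
        },
    }
    problems = check_parameters(params)
    if problems:
        raise ValueError("; ".join(problems))
    return params


def to_json(params):
    """Serialise in the layout used in this post, ready to paste or to pass with -c."""
    return json.dumps(params, indent=4)


if __name__ == "__main__":
    # Constructed values. The service name/plan in the printed command are an assumption.
    params = build_parameters("my-registered-system", "blogOauthMtls", "OAuth2mTLS", "api.example.com",
                              active_services=("Replicate Customers from S/4 System to Client",),
                              oauth_auth_endpoint="idp.example.com/oauth/authorize",
                              oauth_token_endpoint="idp.example.com/oauth/token",
                              outbound_username="DefaultUser")
    with open("params.json", "w", encoding="utf-8") as fh:
        fh.write(to_json(params))
    print("cf create-service s4-hana-cloud api-access blogOauthMtls -c params.json")
```

Running the script writes params.json for the OAuth2mTLS variant; the same call with outbound_auth set to ClientCertificateAuthentication and without the OAuth arguments produces the first document from this post. The check deliberately refuses the <your_system_name> placeholder and a hostname carrying a scheme, because those are the two values the wizard does not validate for you.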


Conclusion

This blog post showed how you can use the newly supported certificate-based authentication methods for inbound and outbound authentication to an SAP S/4HANA Cloud system. We went through ClientCertificateAuthentication for inbound authentication and the resulting keystore and destination in the SAP Destination service, as well as the Communication User and Communication Arrangement in the SAP S/4HANA Cloud system.

We also looked at ClientCertificateAuthentication and OAuth2mTLS for outbound authentication and the resulting differences in the Outbound Communication section of the created Communication Arrangement.

Check our official documentation for more in-depth explanations: