
Hello, readers! Today I will share with you some new authentication methods for inbound and outbound authentication that you can select when extending SAP S/4HANA Cloud in the SAP BTP, Cloud Foundry runtime and SAP BTP, Kyma runtime.
The topic of security is constantly evolving and nowadays it is becoming mandatory to use certificate-based authentication. Because of that, we are now happy to share that we support ClientCertificateAuthentication for inbound authentication and ClientCertificateAuthentication and OAuth2mTLS for outbound authentication.
If you want to try out these authentication types, you need the following prerequisites:
In this blog post I will enable the Business Partner, Customer and Supplier Integration (SAP_COM_0008) communication scenario.
Let us first go through the client certificate authentication method for inbound authentication to the SAP S/4HANA Cloud system and outbound authentication from the SAP S/4HANA Cloud system. Make sure the communication scenario you are enabling has both inbound and outbound communication and supports this authentication method by following these steps:
Let's now create an instance of the SAP S/4HANA Cloud Extensibility service:
```json
{
  "systemName": "<your_system_name>",
  "communicationArrangement": {
    "communicationArrangementName": "blog",
    "scenarioId": "SAP_COM_0008",
    "inboundAuthentication": "ClientCertificateAuthentication",
    "outboundAuthentication": "ClientCertificateAuthentication",
    "outboundServices": [
      {
        "name": "Replicate Customers from S/4 System to Client",
        "isServiceActive": false
      },
      {
        "name": "Replicate Suppliers from S/4 System to Client",
        "isServiceActive": false
      },
      {
        "name": "Replicate Company Addresses from S/4 System to Client",
        "isServiceActive": false
      },
      {
        "name": "Replicate Workplace Addresses from S/4 System to Client",
        "isServiceActive": false
      },
      {
        "name": "Replicate Personal Addresses from S/4 System to Client",
        "isServiceActive": false
      },
      {
        "name": "Business Partner - Replicate from SAP S/4HANA Cloud to Client",
        "isServiceActive": false
      },
      {
        "name": "Business Partner Relationship - Replicate from SAP S/4HANA Cloud to Client",
        "isServiceActive": false
      },
      {
        "name": "BP Relationship - Send Confirmation from SAP S/4HANA Cloud to Client",
        "isServiceActive": false
      }
    ],
    "communicationSystem": {
      "communicationSystemHostname": "localhost.com"
    }
  }
}
```
Make sure to replace <your_system_name> with your actual registered system's name. Click Create and wait for the service instance to reach the Created status.
During the creation, a keystore will be created in the SAP Destination service. The certificate from this keystore will be attached to a Communication User in the SAP S/4HANA Cloud system.
Additionally, a Communication Arrangement with the specified name will be created and it will use the previously mentioned Communication User with Authentication Method SSL Client Certificate for Inbound Communication.
SSL Client Certificate will also be selected as the Authentication Method for Outbound Communication with the Client Default certificate being selected.
Finally, in the subaccount in SAP BTP a new destination will be created with the ClientCertificateAuthentication authentication method.
Now let us go through the other new outbound authentication method - OAuth2mTLS. Almost all the steps will be the same as with the previous example except the JSON that you provide during the service instance creation:
```json
{
  "systemName": "<your_system_name>",
  "communicationArrangement": {
    "communicationArrangementName": "blogOauthMtls",
    "scenarioId": "SAP_COM_0008",
    "inboundAuthentication": "ClientCertificateAuthentication",
    "outboundAuthentication": "OAuth2mTLS",
    "outboundServices": [
      {
        "name": "Replicate Customers from S/4 System to Client",
        "isServiceActive": false
      },
      {
        "name": "Replicate Suppliers from S/4 System to Client",
        "isServiceActive": false
      },
      {
        "name": "Replicate Company Addresses from S/4 System to Client",
        "isServiceActive": false
      },
      {
        "name": "Replicate Workplace Addresses from S/4 System to Client",
        "isServiceActive": false
      },
      {
        "name": "Replicate Personal Addresses from S/4 System to Client",
        "isServiceActive": false
      },
      {
        "name": "Business Partner - Replicate from SAP S/4HANA Cloud to Client",
        "isServiceActive": false
      },
      {
        "name": "Business Partner Relationship - Replicate from SAP S/4HANA Cloud to Client",
        "isServiceActive": false
      },
      {
        "name": "BP Relationship - Send Confirmation from SAP S/4HANA Cloud to Client",
        "isServiceActive": false
      }
    ],
    "communicationSystem": {
      "communicationSystemHostname": "localhost.com",
      "oAuthAuthEndpoint": "oauth.com/oauth/authorize",
      "oAuthTokenEndpoint": "oauth.com/oauth/token",
      "outboundCommunicationUser": {
        "username": "DefaultUser"
      }
    }
  }
}
```
The resulting artifacts will also be similar but now OAuth 2.0 (mTLS) will be selected as the Authentication Method for Outbound communication in the resulting Communication Arrangement.
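A pre-flight check for both parameter documents shown above, as an added example that is not part of the original post or of SAP's tooling: it rejects a document whose inbound or outbound authentication is not one of the certificate-based values this post uses. The function name `lint_params`, the sample documents, and the rule that `OAuth2mTLS` needs the endpoint and user fields (inferred only from the example above) are assumptions.

```python
import json

# Allowed values are the ones used in this post's two parameter examples.
CERT_INBOUND = {"ClientCertificateAuthentication"}
CERT_OUTBOUND = {"ClientCertificateAuthentication", "OAuth2mTLS"}
# Assumption: treated as required for OAuth2mTLS because the post's example sets them.
OAUTH_MTLS_FIELDS = ("oAuthAuthEndpoint", "oAuthTokenEndpoint")

def lint_params(raw: str) -> list[str]:
    """Return policy findings for one service-instance parameter document."""
    try:
        params = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(params, dict):
        return ["top level must be a JSON object"]
    findings = []
    name = params.get("systemName")
    if not name or str(name).startswith("<"):
        findings.append("systemName is missing or still a placeholder")
    arr = params.get("communicationArrangement") or {}
    inbound = arr.get("inboundAuthentication")
    outbound = arr.get("outboundAuthentication")
    if inbound not in CERT_INBOUND:
        findings.append(f"inboundAuthentication {inbound!r} is not certificate-based")
    if outbound not in CERT_OUTBOUND:
        findings.append(f"outboundAuthentication {outbound!r} is not certificate-based")
    system = arr.get("communicationSystem") or {}
    if outbound == "OAuth2mTLS":
        for field in OAUTH_MTLS_FIELDS:
            if not system.get(field):
                findings.append(f"OAuth2mTLS selected but {field} is missing")
        if not (system.get("outboundCommunicationUser") or {}).get("username"):
            findings.append("OAuth2mTLS selected but outbound user name is missing")
    return findings

# Constructed samples (not from the post): one compliant document, one weak one.
GOOD = json.dumps({"systemName": "my-s4-system", "communicationArrangement": {
    "scenarioId": "SAP_COM_0008",
    "inboundAuthentication": "ClientCertificateAuthentication",
    "outboundAuthentication": "ClientCertificateAuthentication",
    "communicationSystem": {"communicationSystemHostname": "localhost.com"}}})
WEAK = json.dumps({"systemName": "<your_system_name>", "communicationArrangement": {
    "scenarioId": "SAP_COM_0008",
    "inboundAuthentication": "BasicAuthentication",
    "outboundAuthentication": "OAuth2mTLS",
    "communicationSystem": {"communicationSystemHostname": "localhost.com"}}})

if __name__ == "__main__":
    for label, doc in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(label, lint_params(doc) or "no findings")
```

Run it in a pipeline step before the service instance is created, and fail the step when the returned list is not empty.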
This blog showed you how you can leverage the newly supported certificate-based authentication methods for inbound and outbound authentication to an SAP S/4HANA Cloud system. We went through the ClientCertificateAuthentication inbound authentication and the resulting keystore and destination in SAP Destination service and the Communication User and Communication Arrangement in the SAP S/4HANA Cloud system.
We also looked at ClientCertificateAuthentication and OAuth2mTLS for outbound authentication and the resulting differences in the Outbound Communication section of the created Communication Arrangement.
Check our official documentation for more in-depth explanations: