Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
Daniil_Bolobono
Product and Topic Expert
This blog post aims to provide you with a step-by-step tutorial on how to generate a client certificate (issued by SAP) and use it to trigger an integration flow deployed on an SAP Cloud Integration tenant in the Cloud Foundry environment. In this example we will be using Postman to mock a sender system.

Please refer to SAP Help Portal documentation Client Certificate Authentication for Integration Flow Processing for any additional information on the process.

Please note:
This key pair is not preinstalled when you operate a Cloud Integration trial tenant. Therefore, client certificate inbound authentication is not supported for trial.

Configure and Deploy Integration Flow


In this example we will use a simple integration flow with a single step, a Groovy Script. This iFlow is configured to generate a response based on the payload it was initialized with.


Make sure to set Authorization to ‘User Role’ in the connection details of your Sender Adapter. You can either leave the User Role parameter as ‘ESBMessaging.send’ (which is the default) or specify a custom role (see Managing User Roles, Cloud Foundry Environment for details).


If you have made any changes to your integration flow, make sure to save it and deploy.

Create Service Instance and Service Key in SAP BTP Cockpit


Next, we need to generate a client certificate that we can use to authenticate a sender when calling the integration flow we have just deployed. This can be done quite easily in the SAP BTP Cockpit.

Please go through the Creating Service Instance guide and create an instance with the ‘integration-flow’ service plan.


Then go through the Creating Service Key guide and create a service key with the ‘Certificate’ key type.


With that, you should be presented with the credentials of the key in JSON format. Click ‘Download’ to store the file on your device.



Create Certificate and Key Files


Next, we need to retrieve the certificate and key values, format them and save them in separate files.

For that, open the .txt file you have just downloaded, locate the ‘certificate’ attribute, copy its value (it starts with ‘-----BEGIN CERTIFICATE-----’ and ends with ‘-----END CERTIFICATE-----\n’) and paste it into your favorite text/code editor (I have used VSCode).

Now, we need to format the certificate by replacing all ‘\n’ occurrences with line breaks. To achieve this, you can use the Find & Replace feature of your editor.


Validate that your certificate looks similar to the one on the screenshot below:


Notice that there are in fact 3 certificates bundled in one; that is because the Process Integration Runtime service instance generates a PEM-encoded certificate chain. The certificate chain contains a root certificate supported by SAP (see Load Balancer Root Certificates Supported by SAP).

Save the certificate with a .pem extension; I named it ‘cert.pem’.

Now, we need to do the same formatting for the private key. Locate the ‘key’ attribute in the same .txt file (it starts with ‘-----BEGIN RSA PRIVATE KEY-----’ and ends with ‘-----END RSA PRIVATE KEY-----\n’), paste the value into your favorite text/code editor and replace all ‘\n’ occurrences so it looks similar to the one on the screenshot below:


Save the private key with a .key extension; I named it ‘key.key’.




Note: in case your text editor (e.g., Notepad++) doesn’t provide an option to replace all ‘\n’ occurrences with line breaks, you can do the following:
Click on the Service Key you’ve created to open the credentials information, select the 'Form' tab and copy the contents of the certificate attribute (here you can see that it doesn’t have any ‘\n’ characters).


Paste the certificate value into your text editor and format it by adding line breaks before and after ‘-----BEGIN CERTIFICATE-----’ and ‘-----END CERTIFICATE-----’, so that it looks similar to the one below (remove all ‘\n’ characters as well if they are automatically added by your text editor).


Save the file with a .pem extension.

Proceed with doing the same for the key attribute. Make sure that it has a similar structure to the key you see on the screenshot below.


Save the file with a .key extension.
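The manual formatting described in this section (and in the note above for editors without a ‘\n’ replace) can be done by a small script instead. The following is an added example, not code from the blog post or from any SAP tool. It assumes the downloaded service-key file is JSON with the ‘certificate’ and ‘key’ attributes described above; the service key it processes by default is constructed inline with placeholder base64 payloads and is not a real certificate or key.

```python
"""Turn a downloaded SAP BTP service key (key type 'Certificate') into cert.pem and key.key.

Added example, not code from the blog post or from SAP.  Assumes the service-key
JSON has the 'certificate' and 'key' attributes described in the post, with
'\\n' escapes inside the JSON strings.  The sample service key below is
constructed with placeholder base64 payloads; it is not a real certificate.
"""
import base64
import json
import re
from pathlib import Path

# Header/footer lines must carry exactly five dashes on each side and sit on
# their own line; a missing dash or line break is what makes Postman report
# "PEM routines:OPENSSL_internal:NO_START_LINE".
HEADER = re.compile(r"(-----BEGIN [A-Z ]+-----)\n?")
FOOTER = re.compile(r"\n?(-----END [A-Z ]+-----)\n?")
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\n"
    r"(?P<body>[A-Za-z0-9+/=\n]+?)"
    r"-----END (?P=label)-----\n"
)


def normalize_pem(raw: str) -> str:
    """Replace literal '\\n' escapes with line breaks and put every BEGIN/END line on its own line.

    Handles both the downloaded .txt (escaped newlines) and the Cockpit 'Form' tab
    (no newlines at all, so the blocks run together).
    """
    text = raw.replace("\\n", "\n")
    text = HEADER.sub(r"\1\n", text)
    text = FOOTER.sub(r"\n\1\n", text)
    return text.lstrip("\n")


def extract_pem(service_key_json: str, attribute: str) -> str:
    """Return the normalized PEM text of one service-key attribute ('certificate' or 'key')."""
    creds = json.loads(service_key_json)  # json.loads already decodes the '\n' escapes
    return normalize_pem(creds[attribute])


def pem_labels(pem: str) -> list:
    """Return the labels of the well-formed PEM blocks in `pem` (three 'CERTIFICATE' entries
    for the SAP chain).  Raises binascii.Error if a block body is not valid base64."""
    labels = []
    for match in PEM_BLOCK.finditer(pem):
        base64.b64decode(match.group("body").replace("\n", ""), validate=True)
        labels.append(match.group("label"))
    return labels


def write_files(service_key_json: str, out_dir: str = ".") -> dict:
    """Write cert.pem and key.key (the file names used in the post) and return their paths."""
    out = Path(out_dir)
    paths = {}
    for attribute, name in (("certificate", "cert.pem"), ("key", "key.key")):
        pem = extract_pem(service_key_json, attribute)
        if not pem_labels(pem):
            raise ValueError(f"{attribute}: no PEM block found, check the dashes and line breaks")
        path = out / name
        path.write_text(pem)
        path.chmod(0o600)  # the key file is a credential: owner read/write only
        paths[attribute] = path
    return paths


# --- constructed sample input (placeholder payloads, not real key material) ---
def _fake_block(label: str, payload: bytes) -> str:
    body = base64.encodebytes(payload).decode("ascii")  # 76-char lines, like a real PEM body
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"


SAMPLE_CHAIN = "".join(
    _fake_block("CERTIFICATE", f"constructed placeholder certificate {i}".encode() * 3)
    for i in range(3)
)
SAMPLE_KEY = _fake_block("RSA PRIVATE KEY", b"constructed placeholder key " * 4)
# json.dumps escapes the line breaks as '\n', exactly as in the downloaded service-key file
SAMPLE_SERVICE_KEY = json.dumps(
    {"url": "https://example.invalid/http", "certificate": SAMPLE_CHAIN, "key": SAMPLE_KEY},
    indent=2,
)
# What the Cockpit 'Form' tab yields: the same chain with all line breaks stripped
SAMPLE_FORM_TAB_CERT = SAMPLE_CHAIN.replace("\n", "")


if __name__ == "__main__":
    import sys

    source = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_SERVICE_KEY
    for attribute, path in write_files(source).items():
        print(f"{attribute}: wrote {path} with blocks {pem_labels(path.read_text())}")
```

Run it as `python split_service_key.py <downloaded service key .txt>`; without an argument it processes the constructed sample. Because the file is JSON, `json.loads` already turns the two-character ‘\n’ escapes into real line breaks, so no editor find-and-replace is needed, and `pem_labels` confirms that the certificate file contains the expected three-certificate chain and that every header and footer has its five dashes before you attach the files in Postman. The key file carries the private key that authenticates the sender to every iFlow accepting this role, so the script restricts it to owner-only permissions; keep it out of version control.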




Set Up Postman Environment and Send the Request


In your Postman application open Settings.


Navigate to the Certificates tab and click on ‘Add Certificate’.

Locate the ‘url’ attribute in your .txt file and copy its value (everything apart from https://); this is your Host. Attach the .pem file (as CRT file) and the .key file. Finally, click on ‘Add’.


Next, add a new request in Postman and enter the endpoint of your deployed integration flow as the request URL. You can grab this URL from the Cloud Integration Web UI by navigating to Monitor -> Manage Integration Content.


Finally, set the Authorization Type to ‘No Auth’ and send.


This concludes the step-by-step guide on how to set up inbound client certificate authentication for SAP Cloud Integration in the Cloud Foundry environment. By following the steps described above you should be able to generate a certificate and a key pair issued by SAP and use them to authenticate a sender when calling a Cloud Integration iFlow.
46 Comments
Martin-Pankraz
Active Contributor
Hi daniil.bolobonov,

thanks for sharing. There is quite the large amount of this kind of CPI posts about certificate handling already since 2017 like this one by Mandy. I'd like to see more emphasis on actually operationalising the approach. Certificates expire and handling them on individual iFlow level for hundreds of interfaces is impractical.

Have a look at this post, for instance, to automatically sync secrets across multiple CPI tenants. In addition to that, the feature to assign a technical user with certificates and re-use it, as available in the NEO environment, would be key to easing the burden of maintenance. It would be a lot more helpful to see content along those lines.

Thanks for bringing topics back up again in the community.

KR

Martin
Daniil_Bolobono
Product and Topic Expert

Hi Martin,


Thank you for your comment!


Indeed, there are quite some blogs and documentation on this topic. However, we saw that some customers were still struggling with the setup. Therefore, we decided to come up with this detailed step-by-step guide.


Regarding the operational topic: please note that the client certificate can be reused for many iFlows. In the case of this blog, the certificate and the key pair generated here can be reused for every iFlow on a tenant that has ‘ESBMessaging.send’ as the User Role parameter in the sender adapter configuration. There is definitely no need to handle certificates on an individual iFlow level. Also, please note that the validity period of the certificate can be configured up to 365 days.


That said, I agree that blogs that focus on operational side of things (like the one you’ve shared) are really helpful and bring a lot of value. We will definitely review what approach can be suggested here and invite you to collaborate as well!


Best regards,


Daniil

vidyadhar2k2
Explorer

Hi daniil.bolobonov,

To establish connectivity between S4 and CPI via CERT based authentication, can we import these .pem and .key file into SSL Standard PSE of SAP S4 via STRUST t-code? or this method works only with third parties i.e. non SAP?

Regards,

Vidyadhar

Daniil_Bolobono
Product and Topic Expert

Hi vidyadhar.kurmala2,


Yes, you can use these files to establish connectivity between S/4HANA and Cloud Integration.


You may need to generate .pfx out of .pem and .key. You can do it with the help of openssl, e.g.:



openssl pkcs12 -export -inkey key.key -in cert.pem -out cert.pfx

Then you can import this .pfx certificate to S/4HANA via STRUST.


Also, make sure to import CA certificates to Certificate List in STRUST, so it look similar to this:



You can find the info on how to download those files from your Cloud Integration tenant in the 'Configurations in Sender System' section of this blog.


Hope this helps.

Best Regards,
Daniil

vidyadhar2k2
Explorer

Hi daniil.bolobonov,

Thank you very much for your quick response! I worked with Basis a few years ago to import the same kind of certs in SAP ECC to establish connectivity between ECC and Neo cloud integration; however, during that time we followed these steps:

  1. Create a certificate request in STRUST.
  2. Export the request and get it signed by an SAP trusted CA (GoDaddy or Digicert), paying a certain amount, so that it is accepted by the CPI load balancer.
  3. Import the signed CSR into STRUST.
  4. Add this signed cert to "Certificate to user mapping" in Neo cloud integration overview screen.

In this scenario, i.e. S4 to CF Cloud Integration, since BTP gives the option to choose the certificate while creating the service key, I believe we can avoid the additional cost of having the certificate request signed by SAP trusted partners and establish connectivity between S4 and CPI by importing the converted pfx file into STRUST.

Thanks,

Vidyadhar K

Daniil_Bolobono
Product and Topic Expert
Hi vidyadhar.kurmala2

Yes, the certificate generated by SAP BTP is already signed. So, as you said, you can just import the converted .pfx file into STRUST (together with the Load Balancer Root Certificate). So, no need to sign anything separately.

Best regards,
Daniil
vinaymittal
Contributor
This blog is certainly better than the one by Mandy. This lists the steps in a systematic and easy-to-follow way.
lsteinfeld
Discoverer
Hi daniil.bolobonov ,

great blog post. We had to find this out ourselves. This will help many people when starting with CPI on BTP.

One question: is there any way to generate and fetch a certificate via API request? We have a similar issue to the one vidyadhar.kurmala2 described. We dock individual customers to our CPI. In this case every customer needs its own client certificate and role to ensure that this customer is only able to access his own iFlows.

We would love to use API access to automate the process of certificate generation.

 

Many Thanks!

Lars
Daniil_Bolobono
Product and Topic Expert
Hi Lars,

Thank you!

You can automate the process of creating and fetching details of service keys with the help of CF CLI. Please see Retrieve Credentials for Remote Applications for details.

Regarding this particular case, the command for creating a service key with Key Type 'Certificate' could look like this:
cf create-service-key SERVICE_INSTANCE_NAME SERVICE_KEY_NAME -c '{"key-type": "certificate","X.509": "","validity": 365,"key-length": 2048}'

Then you would retrieve details of service key with a following command:
cf service-key SERVICE_INSTANCE SERVICE_KEY

Hope this helps.

Best regards,
Daniil
joel_langoyan
Participant
I tried and followed exact same steps but does not seem to work for me on a trial account. It is always error 500..
Daniil_Bolobono
Product and Topic Expert

Hi joel.langoyan

As per Client Certificate Authentication (Inbound), Cloud Foundry Environment

This key pair is not preinstalled when you operate a Cloud Integration trial tenant. Therefore, client certificate inbound authentication is not supported for trial.

Best regards,
Daniil

billy610
Associate
I followed the steps, but I'm getting this error in POSTMAN

Error: error:0900006e:PEM routines:OPENSSL_internal:NO_START_LINE

Has anyone come across this? Thanks.

 
venkatsnag
Discoverer

Yes, check the beginning and ending after each "begin" and "end" of the certificate. Each begin and end should have exactly 5 dashes.

Hi Daniil Bolobonov,

thank you for your great blog post. I want to use the certificate authentication for Core Hybrid Integration and have followed your steps twice now but keep on receiving an HTTP 401.

The Cloud Integration Trace Log shows the following message "Neither client certificate nor Authorization header found. Returning no auth type". This error seems to be related to this kba https://launchpad.support.sap.com/#/notes/3240194, stating that the root certificate is not trusted by the load balancer.

Did you have problems with the certificates not being trusted? Might you know if the error is caused by something else?

Best Regards,

Maximilian

 

 
huijiezhang
Product and Topic Expert
All, thanks to Daniil for writing this blog. It's very helpful.

Quick question: The Neo has a concept of Certificate-to-User mapping. Is it not implemented for the CF version?

Thank you.

 
Daniil_Bolobono
Product and Topic Expert
HI huijie.zhang

Thank you!

As mentioned in Mandy's blog:

this option is not recommended because changes to the certificate will always cause short downtimes as the integration flow needs to be restarted. Furthermore, in the Cloud Foundry environment the client certificate has to be added to the service key additionally.

Best regards,

Daniil
huijiezhang
Product and Topic Expert
Understood. Thank you Daniil. I have found the instructions for setting it up on CF:

https://blogs.sap.com/2019/08/14/cloud-integration-on-cf-how-to-setup-secure-http-inbound-connection...

 
frank1606
Employee

Hi Daniil,

Is this approach available in the trial tenant?

I just found this note in Mandy's blog (https://blogs.sap.com/2019/08/14/cloud-integration-on-cf-how-to-setup-secure-http-inbound-connection-with-client-certificates/):

Check for Key Pair ‘sap_cloudintegrationcertificate’ in Keystore Monitor

As already stated, in the Cloud Foundry environment the SAP key pair provisioned on the tenant is required in the tenants keystore in order to use client certificate-based inbound authentication and authorization. Check in the Keystore monitor in section Manage Security that the key pair with alias sap_cloudintegrationcertificate is available and that the key is not expired.

Note that in Trial accounts no SAP key pair is provisioned. Because of this client certificate-based inbound authentication and authorization cannot be used. You can only use basic authentication.

Thanks

rishabhdhakarwal
Product and Topic Expert

Hi Daniil,


 

I am able to generate the certificate and key using the service instance.

Using postman, if using the certificate and key I try to fetch the JWT token using the tokenurl given in the service key, I am able to get the bearer token and am successfully able to make the call to the iFlow using the same.

But if I configure the key and certificate for the iFlow URL as host in Postman I am getting HTTP Status 500 - Internal Server Error. Below is the raw Postman log of the POST call.


Postman Log


Can you please let me know whether that certificate and key are used to fetch the token or directly make the call to the iFlows?

Thanks & Regards,

Rishabh Dhakarwal
Daniil_Bolobono
Product and Topic Expert
Hi frank1606

As per Client Certificate Authentication (Inbound), Cloud Foundry Environment
This key pair is not preinstalled when you operate a Cloud Integration trial tenant. Therefore, client certificate inbound authentication is not supported for trial.

Best regards,
Daniil
Daniil_Bolobono
Product and Topic Expert
Hi rishabhdhakarwal,

No need to fetch the token if you follow the approach described in the blog. You can call the iFlow directly.

Best regards,
Daniil
biswajit_singh1
Participant
Hi Daniil,

Great blog. For this certificate authentication to work for inbound requests to CI, do we need to upload any sender system's (S4 in our case) certificate to the CI keystore? If so, which certificates would we need?

Thanks,Biswajit.
Daniil_Bolobono
Product and Topic Expert

Hi biswajit_singh

Thank you!

No need to upload the sender's certificate to the Cloud Integration keystore when you follow the approach described in the blog. You would rather need to import the certificates of Cloud Integration into your sender system to establish communication.

Please follow this comment thread to understand more on how to set up communication with SAP S/4HANA system.

Best regards,
Daniil

former_member262051
Participant
HI daniil.bolobonov,

 

I followed the same steps as mentioned in this blog. But I am getting a 401 authorization error while testing from the Postman tool against a real CPI account.

Kindly help me with your inputs.

Regards,

Naga Uday.

 
MAVR
Product and Topic Expert
Hi Rishabh,

This might be late, but you are using a trial and cca is not available in trial accounts.

Regards,
JosephEltoukhy
Explorer
Hi daniil.bolobonov

I could not import into S/4HANA STRUST, I got an error saying "cannot analyze certificate".

thank you
Wanling
Associate
Hi Daniil ,

I have made several attempts to test the iFlow endpoint in the CF environment using Postman, and keep getting an invalid_client error. It is mentioned "The client certificate is not configured in a service key of a Process Integration Runtime service instance." All "\n" strings have been cleaned up, and I am running out of clues on what could go wrong. Any suggestion?

Best regards,

Wanling
Wanling
Associate
The issue is resolved now. The problem was caused by the replacement of the string "\n" with a line break. It looks like different text editors have different options to achieve it.
szimara_1
Explorer
Thanks for your nice Blog. It helped me a lot.

But this architecture from SAP does not really look perfect. At the moment I only see the connection between certificate, instance and role. But I would prefer a link between certificate and user.

For security reasons we don't work with the standard role ESBMessaging.send. We have a dedicated role for each integration flow or group of flows.

But with that architecture I have to create a single instance for each role 😞

 
GregorSchuetz
Explorer
Hey Daniil

I'm currently trying to use the CPI API (Integration Content) in an iFlow but can't seem to figure out how I can use this very same authentication in an iFlow. Do you have any blog or instructions on how to do this authentication within an iFlow?

Best Regards
Gregor
Daniil_Bolobono
Product and Topic Expert

Hi gregor_schuetz,


Do I understand correctly you want to call Cloud Integration API with Client Certificate authentication? If yes, then you need to create a service instance with api plan. Please see the documentation: Client Certificate Authentication for API Clients.


Then, to understand how to call endpoint with Client Certificate authentication from Cloud Integration iFlow, see the relevant docu: Setting Up Outbound HTTP Connections (with Client Certificate Authentication).


Essentially, what you’d probably have to do is generate .pfx from certificate and key present in your Service Key (of Service Instance with plan api). You can do it with the help of openssl, e.g.:



openssl pkcs12 -export -inkey api_key.key -in api_cert.pem -out api_cert.pfx


Then you’d be able to add this certificate as Key Pair in Manage Keystore tab.



 

Last part is to configure your HTTP Receiver adapter to call Cloud Integration API endpoint with Authentication type ‘Client Certificate’ and specify Private Key Alias to the Key Pair you’ve added.



 

I hope this answers your question.


Kind regards,
Daniil

GregorSchuetz
Explorer

Hey Daniil

Exactly! I've already created the instance you mentioned and I created the certificate and key file. So I have two of them. But for me I can't really figure out how this works.

I already checked these documentations beforehand but all of them had just a certificate file, whereas, as I mentioned, I have not only a certificate but also a key file.

So I can combine these files into a keypair (.pfx) using openSSL?

Unfortunately I'm not familiar with openSSL but I'll check it out.

Thank you very much and I will tell you once I tried.

Best Regards,
Gregor

GregorSchuetz
Explorer
Hey Daniil


It worked! As you said, I only had to merge the key with the certificate and then upload it to the CPI.

 

Thank you very much and best regards,

Gregor
billy610
Associate
Sorry.. I cannot get past this error in POSTMAN

Error: error:0900006e:PEM routines:OPENSSL_internal:NO_START_LINE

 

Can someone help point out what I'm doing wrong here?


I replaced all \n using Mac and Windows and renamed the txt file to CRT and/or PEM. Neither worked for me.
Do you people select PEM file under CA certificates in POSTMAN?


Do you put a space between -----END CERTIFICATE------ and -----BEGIN CERTIFICATE----- ?

There's gotta be an easier way to do this..
Before this I requested an SAP passport file in PFX format and that works in POSTMAN without an issue. These steps seem so manual. I don't know if I prefer this over the passport file.




billy610
Associate
ok. I resolved it...
Note:

  • space after each -----BEGIN CERTIFICATE-----

  • space before each -----END CERTIFICATE-----

  • space after each -----END CERTIFICATE-----


 
Daniil_Bolobono
Product and Topic Expert
Hi Stefan,

Perhaps this blog can help you solve the challenge: Streamline Exposing and Managing Connections to Your Cloud Integration Flows with API Management

Kind regards,
Daniil
danfqa
Explorer
Hello Daniil Bolobonov,

Could you assist me with these questions, please?:

Is there any way to configure the service keys so that they don't expire?
Is there a way to alert technical staff that the service keys are about to expire without using the SAP Alert Notification service in BTP?

Thank you!
Daniil_Bolobono
Product and Topic Expert

Hi danfqa,

  1. To have more control over Validity period of a certificate, you can create a Service Key with type 'External Certificate'.
  2. SAP Cloud ALM can be used for that; it comes with embedded alerting for the metric Certificate Validity. Please see the blog Centralized health monitoring of SAP Cloud Integration using SAP Cloud ALM. Please note that in this case you would need to manually add a certificate to the Cloud Integration keystore.

 

Thanks and best regards,
Daniil

danfqa
Explorer
Thank you very much, Daniil! I'm going to delve deeper into the solutions you mentioned. Best wishes!
Hello Daniil Bolobonov,

Thank you for your post!

After reading the thread, I was wondering if there is any way to install a custom certificate, provided by our company, in the root of SAP Integration Suite, different from those provided by SAP.

The reason behind my question is that we need to make a call to a service of an external application, which is a legacy application in our company, but this application has an additional cybersecurity rule in place, beyond the mTLS connection, that does not allow calls from applications using wildcard certificates.

So when we try to consume the REST API from an application we are creating in BTP, the connection is being refused.

As you can see below, our CPI is using the standard certificate provided by SAP.


 

Looking forward to your guidance!

Thanks in advance!

Marco
ognian_kalaydjiev4
Participant

The issue is that the pfx file is not used to import the certificate, but a pse.

  1. So you need sapgenpse to create the pse: sapgenpse import_p12 -p $LocalFolder\LocalPSE.pse GeNeratedSignCertificate.p12 (2148457 - How to convert the keypair of a PKCS#12 / PFX container into a PSE file)
  2. Then you need to create your own SSL Client PSE Identity, as described in 2148372 - How to create an own SSL Client PSE Identity.
  3. Then you need to import all root certificates used in the communication into the newly created PSE.
  4. Then you need to import the Handshake Certificate as described: https://help.sap.com/docs/cloud-edition/sap-document-and-reporting-compliance-cloud-edition/uploadin...
  5. Set up your connection in SOAMANAGER or SM59 using the new PSE.
aman_jaiswal
Associate
Hi Daniil,

I followed the steps and added all the required certificate configurations, but I'm getting a 403 - Forbidden error when trying to hit the API through Postman.

Any suggestions here?


Thanks in advance!

Aman

 
laszloadamek
Explorer

Hello Aman,

You need to change the Authorization at the endpoint to "User Role".

Las

Senthilkumar231
Newcomer

Hi Experts,

Ideally, we should not share the private key with an external system for certificate-based authentication. In this case, why is the private key ("key.key" file) required in POSTMAN? If I do not add this file, I get a 401 Unauthorized error. Can someone give me insights to better understand the process where the private key is added in POSTMAN?

Regards,

Senthil

Daniil_Bolobono
Product and Topic Expert

Hi @Senthilkumar231,

To learn more about Client Certificate Authentication please see Client Certificate Authentication (Inbound).

Basically, you can think of a private key as a sort of password that the sender needs to pass to get authenticated to a certain resource.

With Cloud Integration you can also opt for establishing an inbound client certificate authentication with an External Certificate (Keypair). In this case, the owner of this external certificate doesn't need to share with you the whole Keypair or private key, but rather only a public SSL certificate. More on this you can find in the note 3297437.

Kind regards,
Daniil

mario_bisonti2
Participant

I followed step by step but I obtain 401 Unauthorized

I tried to open the certificate, I see three sections:
-----BEGIN CERTIFICATE-----
.
.
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
.
.
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
.
.
-----END CERTIFICATE-----

but, if I open it I see:
"unable to find the certificate authority"

Is it right?
Any suggestion about my issue?

It's like it doesn't see the chain.

Thanks a lot

Mario
