Can Cloud Connector enable mTLS between BTP and my intranet's API Gateway?

moeka_matsumura
Explorer

Hello,

I would like to establish mTLS authentication between BTP and the API Gateway within the intranet, but I can't find any documentation to achieve this. Can mTLS authentication be achieved between BTP and the API Gateway within the intranet using Cloud Connector?
If mTLS authentication is available, is it possible to identify the access user on the Cloud Connector side?
Attached is an image showing the mTLS authentication flow that we would like to achieve.

Thank you.

Best regards,
moeka matsumura

Accepted Solutions (1)

gregorw
SAP Mentor

That is exactly what Cloud Connector does when you connect to an ABAP System and you would like to enable Principal Propagation. It must be an mTLS connection between CC and the ABAP System. The same can be achieved by any other mTLS capable backend.

moeka_matsumura

Dear gregorw,

Thank you for your reply.

https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/authenticating-users-against-on-premi...

Is the relevant document the one at the URL above? I will take a look at it.

Best regards,
moeka matsumura

moeka_matsumura

Dear gregorw,

I've registered a mapping for a Virtual To Internal System in Cloud Connector, and its status is "Reachable" (Back-end Type: Non-SAP System, Principal Type: X.509 Certificate). I’ve also imported both the System Certificate and CA Certificate.

In BTP Destinations, I’ve configured the destination with the following settings:

Type: HTTP
URL: https://[Virtual Host set in Cloud Connector]
Proxy Type: OnPremise
Authentication: PrincipalPropagation

However, when my application uses this destination to call an API, I receive the error: {"message":"Domain not found"}.
There were no corresponding error logs recorded in the ljs_trace.log of the Cloud Connector.

Could this be an issue with the backend system?
I’ve already registered the CA Certificate (imported into Cloud Connector) in the backend system. Is this the correct approach?

Best regards,
moeka matsumura

gregorw

Hi Moeka,

Have you configured "Host In Request Header" to "Use Internal Host"?

Best regards,
Gregor

moeka_matsumura

Dear gregorw,

It is working well.
Thank you for your support!
