Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Read only

Client Certificate Authentication for Integration Flow Processing in SAP CPI from POSTMAN

Naga_Uday1
Newcomer

‎2025 Jan 27 9:44 AM - edited ‎2025 Jan 30 12:28 PM

3,997

Client Certificate Authentication for Integration Flow Processing in SAP CPI

In this blog, we will discuss Client Certificate Authentication for inbound integration in SAP Cloud Platform Integration (CPI).

Authentication Options

When it comes to authentication, we have two main options:

  1. Client Certificate
  2. User Role

For Client Certificate Authentication in the HTTP sender adapter of CPI, we will be using the User Role option.

In this scenario, we will share our client certificate with the requester (in this case, Postman) to authenticate the requests to our SAP CPI instance.

Step 1: Log on to CPI BTP Tenant

  • Create a new instance of Service Process Integration Runtime and select the plan Integration Flow.

Step 2: Create and Configure the Service Key

  • In this step, we need to create a Service Key. This includes:
    • Service Key Name: Define a name for your service key.
    • Key Type: Choose one of the following:
      • Client ID/Secret: The service key contains a client ID and client secret (client credentials).
      • Certificate: SAP generates a client certificate and public/private key pair with the service key.
      • External Certificate: If a third party shares the certificates, choose this option.

In our case, we will select the Certificate option.

 

Naga_Uday1_0-1737989414305.png

Select the instance> Right hand side select the service key > Click on Create
Add Service Key Name
Key Type- Certificate
Click on create

Naga_Uday1_1-1737989414308.png 

 

Naga_Uday1_2-1737989414315.png

Click on View> select form

Naga_Uday1_0-1738239837967.png

Arrange the certificate like below format after copying certificate value into notepad and save as xxx.PEM.

Naga_Uday1_1-1737990085341.png

 

  1. Also, copy the private key value to a text editor arrange it like below, and save it as certificate. Key.

Example format:

Naga_Uday1_2-1737990152268.png

Step 4: Copy Host URL

  • After downloading both certificates, copy the host URL from the form and save it for later use.

Example URL:
https://9368e858trial.it-cpitrial06-rt.cfapps.us10-001.hana.ondemand.com

Naga_Uday1_6-1737989414340.png

Now move on the Post man tool

Step 5: Configure Postman

  1. In Postman, provide the CPI URL that was created during the I-flow deployment.
  2. Create an I-flow using the HTTPS adapter and configure it as required. After deploying the flow in CPI, you will get the URL  under the integration content to use in Postman.
  3. Set the authorization type as No AUTH in Postman.

Naga_Uday1_7-1737989414342.png

Step 6: Add Certificates in Postman

  1. Go to the Settings option in Postman (top right corner of the screen).
  2. Click on Certificates.
  3. Add the .pem and .key files here.
  4. Add the host name (URL) you saved earlier when creating the service key.

Naga_Uday1_8-1737989414351.png

Naga_Uday1_9-1737989414358.png

and give the CPI URL which was created in CPI.

Step7: In CPI create a I-flow using Https adapter and maintain as like below.

Naga_Uday1_10-1737989414361.png

After deploying the flow we will get the URL and use the same in POSTMAN tool. And authorization type as No AUTH

Step 8: Test the Integration

  1. Close the settings screen.
  2. Trigger a test message from Postman.
  3. You should now be able to see the message in CPI.

Trigger test message from POSTMAN.

Naga_Uday1_11-1737989414370.png

We can see message in CPI.

Naga_Uday1_12-1737989414374.png

Summary

When setting up secure communication between external systems (like Postman) and SAP Cloud Platform Integration, one commonly used method is Client Certificate Authentication. This method ensures that only authorized clients with the appropriate certificates can access your CPI integration flow. In this process, we create and configure a service key with a certificate, then share this certificate with the external requester.

We walked through the steps required to:

  1. Log in to the SAP CPI BTP tenant.
  2. Create and configure a service key with the certificate option.
  3. Download and properly format the .pem and .key files.
  4. Configure Postman to use these certificates for authentication.
  5. Deploy the integration flow and test the connection using Postman.

Conclusion

Client Certificate Authentication is a robust and secure method for ensuring that only trusted clients can access your SAP CPI integration flows. By following the steps outlined in this blog, you can successfully set up certificate-based authentication, which offers a higher level of security compared to basic authentication methods like username and password.

This approach is particularly useful when integrating with external systems or APIs where maintaining a secure communication channel is critical. By leveraging SAP’s capability to generate certificates, you can simplify the authentication process while maintaining security standards.

Labels

Know the answer?

Help others by sharing your knowledge.

Answer

Need more details?

Request clarification before answering.

Show replies
Show replies

Accepted Solutions (0)

Answers (0)

Ask a Question