
Required Guidance to Expose REST API Externally

Hemachandiran

Dear SAP Support Team,
We need to create and host two secure APIs in SAP to integrate with Bank for authentication and transaction processing. These APIs will facilitate automated authentication and transaction status updates between SAP and Bank, ensuring seamless, secure, and efficient communication.

Business Requirement:

Bank requires two endpoints:

Authentication API – Bank will send an authentication request to SAP, which should validate the credentials and return an authentication token. This token will then be used for further API interactions, eliminating the need for manual username/password entry.

Late Return Payment Status API – Bank will send encrypted status updates for late return payments via HTTPS. SAP must decrypt the request, validate the data, update the transaction status, and send a response.

These APIs must be externally accessible, enforce strong security mechanisms, and comply with banking and SAP security standards.

Technical Requirements:

Authentication Mechanism: The API should support automatic authentication and prevent unauthorized access. SBI should be able to call the authentication URL securely without requiring manual login like API URL.

Encryption & Security: Data should be encrypted in transit and at rest. Authentication and late return status updates should be processed securely using encryption, signature verification, and request integrity validation.

External Hosting Considerations: The URLs must be accessible externally with proper security controls.

Token Management: The authentication API should generate a secure token that SBI can use for further API requests to SAP.

Logging & Monitoring: All incoming API requests should be logged for audit purposes, and SAP should monitor API activity to detect anomalies.

Authentication API Flow:

BANK → [HTTPS Request] → SAP (Authentication URL)

SAP → [Validate Credentials] → Internal Authentication Logic

SAP → [Generate Auth Token] → Internal Token Storage

SAP → [HTTPS Response with Token] → BANK

BANK → [Use Token for API Calls] → SAP Transactions

Late Return Payment Status API Flow:

BANK → [HTTPS Request with Encrypted Data] → SAP (Late Return API URL)

SAP → [Decrypt Request] → Internal Processing

SAP → [Validate & Update Payment Status] → SAP Database

SAP → [HTTPS Response: Status Updated] → BANK

We need to securely expose two REST-based APIs in SAP for integration with SBI Bank using JSON over HTTPS. These APIs will handle authentication and transaction status updates.

  1. Authentication API – Bank calls this API for authentication, and SAP responds with an authentication token.
  2. Late Return Status API – Bank calls this API with encrypted late return payment status updates, which SAP decrypts, processes, and acknowledges.

Technical Details:

Data Format: JSON

Protocol: REST (HTTPS)

Authentication: Client certificate authentication (mutual TLS) and token-based authentication

Security: TLS 1.2/1.3, digital signature verification, IP whitelisting

SSL Certificate: Signed by a trusted CA (not self-signed)

Hosting: SAP should securely expose the APIs externally for Bank access

Request for Support:

1. What are the recommended SAP-supported approaches for hosting secure REST-based APIs?

2. Which SAP authentication mechanisms align best with mutual TLS and token-based authentication?

3. What SAP components and configurations are recommended for secure REST API exposure?

Looking forward to your expert guidance.
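The two flows sketched in the post (token issuance, then an encrypted and signed status update) can be prototyped end to end before any SAP-specific wiring is decided. The example below is added here for illustration; it is not part of the original post and not code from any SAP component. It is written in Go because the standard library carries every primitive involved (AES-256-GCM, ECDSA P-256, constant-time comparison); the same checks, in the same order, would sit inside an ICF/Gateway handler. All identifiers are constructed: the client id and secret, the AES key, the bank's signing key (generated at start-up so the bank side can run in the same process), the JSON field names and the allowed status values `RETURNED`, `SETTLED`, `REJECTED` are assumptions, not values from the page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// Constructed demo material: in production these come from SAP's secure store / PSE, and mutual TLS has already run.
var (
	bankClientID      = "BANK-CLIENT-001"                               // hypothetical client id
	bankSecretHash    = sha256.Sum256([]byte("bank-client-secret"))     // SAP stores only the hash
	sharedAESKey      = []byte("0123456789abcdef0123456789abcdef")      // 32 bytes => AES-256-GCM
	bankSigningKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // bank's key; SAP holds PublicKey
	aesBlock, _       = aes.NewCipher(sharedAESKey)                     // key length is fixed above,
	gcm, _            = cipher.NewGCM(aesBlock)                         // so these cannot fail
	tokenExpiry       = map[string]time.Time{}                          // issued bearer token -> expiry
	Audit             []string                                          // one entry per security event
)

type LateReturnStatus struct {
	TransactionID string `json:"transaction_id"`
	Status        string `json:"status"` // RETURNED | SETTLED | REJECTED
}

type StatusRequest struct {
	Ciphertext string `json:"ciphertext"` // hex AES-GCM output: nonce || ciphertext || tag
	Signature  string `json:"signature"`  // hex ECDSA signature over exactly those bytes
}

// Authenticate (flow 1): constant-time secret check, then a random 15-minute bearer token stored server-side.
func Authenticate(clientID, clientSecret string) (string, error) {
	h := sha256.Sum256([]byte(clientSecret))
	if clientID != bankClientID || subtle.ConstantTimeCompare(h[:], bankSecretHash[:]) != 1 {
		Audit = append(Audit, "AUTH_FAIL "+clientID)
		return "", fmt.Errorf("invalid credentials")
	}
	raw := make([]byte, 32)
	rand.Read(raw) // crypto/rand.Read always fills the buffer (it never returns an error since Go 1.24)
	token := hex.EncodeToString(raw)
	tokenExpiry[token] = time.Now().Add(15 * time.Minute)
	Audit = append(Audit, "AUTH_OK "+clientID)
	return token, nil
}

// HandleLateReturnStatus (flow 2): bearer token first, then the signature over the ciphertext, then
// decryption and field validation. The caller gets one generic error; the reason goes to the audit log only.
func HandleLateReturnStatus(bearer string, req StatusRequest) (LateReturnStatus, error) {
	fail := func(event string) (LateReturnStatus, error) {
		Audit = append(Audit, event+" late-return-api")
		return LateReturnStatus{}, fmt.Errorf("request rejected")
	}
	if exp, ok := tokenExpiry[bearer]; !ok || time.Now().After(exp) {
		return fail("TOKEN_REJECT")
	}
	ct, err1 := hex.DecodeString(req.Ciphertext)
	sig, err2 := hex.DecodeString(req.Signature)
	digest := sha256.Sum256(ct)
	if err1 != nil || err2 != nil || len(ct) < gcm.NonceSize() || !ecdsa.VerifyASN1(&bankSigningKey.PublicKey, digest[:], sig) {
		return fail("SIG_REJECT")
	}
	plain, err := gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil) // GCM also detects tampering
	if err != nil {
		return fail("DECRYPT_FAIL")
	}
	var st LateReturnStatus
	valid := map[string]bool{"RETURNED": true, "SETTLED": true, "REJECTED": true}
	if json.Unmarshal(plain, &st) != nil || st.TransactionID == "" || !valid[st.Status] {
		return fail("VALIDATION_FAIL")
	}
	Audit = append(Audit, "STATUS_UPDATED "+st.TransactionID+" "+st.Status) // real system updates the SAP record here
	return st, nil
}

// BankBuildRequest is the bank's side, included so the exchange runs end to end: AES-GCM encrypt, then sign the ciphertext.
func BankBuildRequest(st LateReturnStatus) (StatusRequest, error) {
	plain, _ := json.Marshal(st) // two plain string fields cannot fail to marshal
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)                         // fresh 96-bit nonce per message; never reuse one under the same key
	ct := gcm.Seal(nonce, nonce, plain, nil) // output is nonce || ciphertext || tag
	digest := sha256.Sum256(ct)
	sig, err := ecdsa.SignASN1(rand.Reader, bankSigningKey, digest[:])
	return StatusRequest{hex.EncodeToString(ct), hex.EncodeToString(sig)}, err
}

func main() {
	tok, _ := Authenticate(bankClientID, "bank-client-secret")
	req, _ := BankBuildRequest(LateReturnStatus{"TXN-1001", "RETURNED"})
	st, err := HandleLateReturnStatus(tok, req)
	fmt.Println(st, err, Audit)
}
```

Two design points worth carrying into whichever SAP component ends up hosting this. First, the order of checks in `HandleLateReturnStatus` is deliberate: the cheap token lookup and the signature check over the raw ciphertext run before any decryption, so an unauthenticated or unsigned request never reaches the AES code path, and the single generic error keeps the reason out of the response while the audit entries keep it for monitoring. Second, the example stops at the application layer: mutual TLS, the CA-signed server certificate and IP allow-listing from the post's technical details belong in front of this code (at the TLS terminator or gateway), and a production service would additionally reject replays by tracking a per-request id or timestamp, which is omitted here for brevity.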
