Hello Colleagues!

 

In this blog, we shall see how you can authenticate applications communicating to SAP Cloud Platform Integration (f.k.a HCI). This blog is part of the series on Understanding Authentication & Testing Connectivity in SAP Cloud Platform Integration. You can access all the blogs here.

 

The message sending application can use the following types to communicate with SAP Cloud Platform Integration: basic authentication and certificate-based authentication.

 

The type of authentication is chosen at every integration flow. You configure the option in the Sender Channel of an integration flow. See the diagram below:

 

Sender_config_basic_auth.JPG

 

Basic Authentication

 

To communicate to SAP Cloud Platform Integration using basic authentication, you have to meet two requirements:

 

  1. An SCN-based user
  2. SAP Cloud Platform Integration role assigned to the user (role name: ESBMessaging.Send).

 

SAP Cloud Platform Integration authenticates based on the SCN credentials. The identity of the back-end is checked by SAP evaluating the credentials against the user stored in the SCN database.

 

Note: Every customer is provisioned two tenants – test tenant and productive tenant. It is highly recommended that you restrict the use of basic authentication to your test tenant only.

 

 

Certificate-based Authentication

 

Let us take an example of a simplified landscape to understand how the certificate-based authentication works:

Simplified_Connectivity_Diagram.JPG

The ERP system works as the client. And BigIP load balancer authenticates itself against the ERP system (as trusted server) when the connection is set up. In this case, load balancer acts as server and the authentication is based on certificates. The identity of the customer system is checked by SAP Cloud Platform Integration evaluating the client certificate chain of the customer. This means you have to get the ERP certificates signed by a Certifying Authority recognized by SAP.

The list of certifying authorities currently recognized by SAP Cloud Platform Integration is provided in the documentation. (Documentation link: https://cloudintegration.hana.ondemand.com/PI/help -> Connecting a Customer System to SAP Cloud Platform Integration -> Concepts of Secure Communication -> HTTPS-Based Communication -> Load Balancer Root Certificates Supported by SAP)

 

An integration flow must authenticate the user making the request. As prerequisite for this authentication process, the client root certificate has to be made available for SAP prior to the connection set up. You have to import the certificate in the integration flow’s sender component –

Sender_certificate_configuration.JPG

 

Conclusion

 

When you want to authenticate to SAP Cloud Platform Integration, you can do so using basic authentication or certificate-based authentication. The authentication of the customer system happens at the BigIP server. After a system is authenticated, the authorization of the message happens at the integration flow.

 

Best Regards,

Sujit

To report this post you need to login first.

2 Comments

You must be Logged on to comment or reply to a post.

  1. Srivatsava Janaswamy

    Hi Sujit,

    A question on BasicAuthentication.

    Even though we give username/pass, the concept of SSL Handshake still applies. Correct?

    For eg., I took a screenshot of your SSL explanation within Certificate authentication. My question is that will this be applicable even during Basic Authentication that server certificates of each system should be uploaded in each other’s systems to establish a two-way trust required by HCI?

    Capture.PNG

    Best regards,

    Srivatsava J

    (0) 
  2. Ramanji Killani

    Hi Sujit,

    I am working with one SOAP to SOAP Scenario, where I cannot able to see the Sender Endpoint Properties due to that I cannot able to select Basic Authentication or Certificate based Authentication. Do need your help on this.

     

    Thanks & Regards,

    Ramanji Killani.

    (0) 

Leave a Reply