Authenticating to SAP Cloud Platform Integration
In this blog, we shall see how you can authenticate applications communicating to SAP Cloud Platform Integration (f.k.a HCI). This blog is part of the series on Understanding Authentication & Testing Connectivity in SAP Cloud Platform Integration. You can access all the blogs here.
The message sending application can use the following types to communicate with SAP Cloud Platform Integration: basic authentication and certificate-based authentication.
The type of authentication is chosen at every integration flow. You configure the option in the Sender Channel of an integration flow. See the diagram below:
To communicate to SAP Cloud Platform Integration using basic authentication, you have to meet two requirements:
- An SCN-based user
- SAP Cloud Platform Integration role assigned to the user (role name: ESBMessaging.Send).
SAP Cloud Platform Integration authenticates based on the SCN credentials. The identity of the back-end is checked by SAP evaluating the credentials against the user stored in the SCN database.
Note: Every customer is provisioned two tenants – test tenant and productive tenant. It is highly recommended that you restrict the use of basic authentication to your test tenant only.
Let us take an example of a simplified landscape to understand how the certificate-based authentication works:
The ERP system works as the client. And BigIP load balancer authenticates itself against the ERP system (as trusted server) when the connection is set up. In this case, load balancer acts as server and the authentication is based on certificates. The identity of the customer system is checked by SAP Cloud Platform Integration evaluating the client certificate chain of the customer. This means you have to get the ERP certificates signed by a Certifying Authority recognized by SAP.
The list of certifying authorities currently recognized by SAP Cloud Platform Integration is provided in the documentation. (Documentation link: https://cloudintegration.hana.ondemand.com/PI/help -> Connecting a Customer System to SAP Cloud Platform Integration -> Concepts of Secure Communication -> HTTPS-Based Communication -> Load Balancer Root Certificates Supported by SAP)
An integration flow must authenticate the user making the request. As prerequisite for this authentication process, the client root certificate has to be made available for SAP prior to the connection set up. You have to import the certificate in the integration flow’s sender component –
When you want to authenticate to SAP Cloud Platform Integration, you can do so using basic authentication or certificate-based authentication. The authentication of the customer system happens at the BigIP server. After a system is authenticated, the authorization of the message happens at the integration flow.