How to .. Test SOAP/REST services on SAP Cloud Platform Integration, with Client Certificate Authentication
If you have been working with SCP Integration (HCI) probably you noticed that testing your scenarios with basic authentication sometimes is just not enough, as ultimately you will end up using client certificate authentication in your production environment and probably need to test your developments, your keystore settings and certificates, and doing so not always throughout the application. This document will walk you through step by step to test web services on SCP Integration using the soapUI client.
For the complete case, we are going to take advantage of the pre-packaged integration scenarios from SAP for SuccessFactor Integration.
- You have access and authorization to a Dev Tenant.
- Eclipse IDE installed and configured.
- You have imported Integration Package to your tenant.
- You have configured communication between your tenant and your receiver system (SuccessFactors).
- soapUI client
- Keystore Explorer
- Marketplace user
Obtain SAP CA Passport certificate with key-pair and SCP Integration tenant certificates.
Step 1.1: In Firefox open SMP. https://support.sap.com/home.html
Step 1.2: Login
Step 1.3: Select “Get a browser certificate (SAP Passport)” from the user menu.
And follow the instructions.
If successful you would get a confirmation and will find your certificate installed.
Step 1.4: On your Firefox explorer go to..
Menu -> Options -> Advanced -> Certificates
Click on View Certificates
Step 1.5: Select your certificate and click backup.
Save screen will open. Input a name and click Save
You will be asked to enter a Certificate password, input a strong password and click ok.
The browser will present a successful message of your certificate and private key backup.
Step 1.6: From Certificate Manager, select your certificate and click View…
Step 1.7: On the Details tab, click on Export… and Save
To this point, you should have the following files: one .p12 and one .crt
Step 1.8: Download certificates for SCP Integration tenant.
In your Tenant welcome email, you should have the direct link to download your certificates. Open the link
Step 1.9: Select “CRT” under Base 64 Der Encoding and click download. Zip file will be downloaded
Step 1.10: Extract the zip file, you will have a tenant certificate and load balancer certificates.
Now we have all the certificates needed to create our security artifacts.
Configure iFlow to authenticate with SAP Passport CA certificate.
Assumptions: You have already created your flow, in this case, we have copied the Integration Package to our tenant and configured receiver connectivity.
Step 2.1: Open your flow, Select Edit and select your sender system.
Step 2.2: Change the Authorization to Client Certificate
Step 2.3: Click Add button
Step 2.4: click the browse button
Step 2.5: Select you S-User certificate the one you obtain in step 1.7 and Click Open
Step 2.6: You will see your certificates details then click Save and Deploy
Step 2.7: Retrieve your endpoint URL from the Monitor page.
Now we have setup iFlow to accept only calls from our certificate.
To be able to call our service we must simulate having the correct keystore with the proper certificates to go through the Load Balancer and Authenticate versus the iFlow.
We will accomplish this with help of KeyStore Explorer software.
Step 3.1: Open KeyStore Explorer and select Create a new KeyStore
Step 3.2: Select “PKCS #12” as soapUI uses .pfx, and click OK
Step 3.3 Import Certificates.
Click on Menu ->Tools -> Imported Trusted Certificate
Select Load Balancer Certificates, one at a time.
You are prompted for an alias, click ok
Repeat for all certificates.
Step 3.4 Import Key pair
Click on Menu -> Tools ->Import Key Pair
Select PCKS #12 and OK
Step 3.5: Click on Import and browse for your S-User certificate with private Key
Prompt for alias, click OK
Prompt for Password, click OK
Step 3.6: Click Save button and input password.
Include a descriptive file name: soapUI_SUser_Keystore.p12 (extension p12 because is PKCS #12)
Step 3.7: Change the extension of your file to .pfx (.p12 and .pfx are the same binaries)
Now we need to configure the soapUI client.
Assumptions: You have downloaded the soapUI client and also downloaded WSDL file from service.
Step 4.1: Open soapUI and click new project.
Step 4.2: Click Browse… and Select WSDL file
Step 4.3: Navigate your Project on the upper left section and double click on “Request 1”
Open the request view
Step 4.4: Select current Endpoint and replace with SCP Integration Endpoint that you obtain in step 2.7
Step 4.5: Configure Client Authentication, Open File Menu à Preferences
Select SSL tab
Step 4.6: Click on Browse.. and Select your .pfx file you created in step 3.7
Step 4.7: Input Password for your keystore (same you input in step X.X ) and enable “Client Authentication” check box.
Now you are ready to execute.
Test and Monitoring
Step 5.1 Fill your payload requirements and click Run.
Step 5.2: Open Monitor page on SCP Integration.
Select All Integration Flows
Select Message Processing Log
Now you are ready to test all your services using Client Certificate Authentication.