Alexander Bundschuh

Best practices Cloud Integration Content in SAP Process Orchestration – Deploy security artifacts

This is a blog within a series of best practices blogs for cloud integration content in SAP Process Orchestration. For an overview of all blogs published within this series so far, refer to the overview blog.

This blog shows how to deploy security artifacts on SAP Process Orchestration. The required security settings depend on your particular scenario: you may have to maintain a known host file for trusted SFTP servers, user credentials, OAuth authentication, etc. If you have already set up the integration content, and hence the required security settings, on SAP Cloud Platform Integration and would like to run the integration flows on SAP Process Orchestration instead, at least the known host file can be reused. All other security artifacts have to be created from scratch, because passwords and secrets are not displayed in plain text.

Known host file

If you would like to test a scenario that uses an SFTP connection, you need to maintain all trusted SFTP servers in the known host file. In the following, we assume that you have already set up a known host file on your SAP Cloud Platform Integration tenant. The same known host file can be used for running cloud integration content on SAP Process Orchestration.

Access your SAP Cloud Platform Integration tenant, and switch to the Operations view by selecting Monitor from the navigation pane.

In the Operations view, scroll down to the Manage Security section, and click on the Security Material tile.

In the Security Material view, select the known_hosts file entry, and click on the Download button. This will trigger the download of the file.

Launch the Process Integration Tools overview page of your SAP Process Orchestration system (via http(s)://host:port/dir), and select the link Cloud Integration Content below the Integration Directory section.

This brings up the Cloud Integration Content Management cockpit. You can also open the cockpit directly via http(s)://host:port/IGWGBDeploy/Admin. Switch to the Security Artifacts tab, and select the Deploy button.

In the pop-up that appears, select the artifact type Known Host (SSH), navigate to the known_hosts file you downloaded earlier, and select the Save button.

If the new entry is not displayed yet, select the Refresh button. You should see a new entry known_hosts in the deployed security artifacts table.

Note: if you upload your own known host file to SAP Process Orchestration, you will overwrite an existing known host file. So be careful, and double-check beforehand with your peers who use the same server for their tests. As of release 7.5 SP8, you can download the deployed known host file, add your entries to it, and then deploy the modified file.
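The download, add entries, redeploy cycle from the note above can be scripted so that nothing already deployed is lost. The following is an added example, not part of the original blog or of any SAP tooling: it assumes the OpenSSH known_hosts line format (`hosts keytype base64-key`), uses constructed host names and placeholder keys, and treats a different key for an already deployed host and key type as a conflict that a person has to review.

```python
import base64

def parse_known_hosts(text):
    """Map (host, keytype) -> base64 key for each 'hosts keytype key' line."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("@"):
            raise ValueError(f"line {lineno}: unsupported or malformed entry")
        hosts, keytype, key = fields[:3]
        base64.b64decode(key, validate=True)   # raises on a corrupt key blob
        for host in hosts.split(","):
            entries[(host, keytype)] = key
    return entries

def merge_known_hosts(deployed_text, new_text):
    """Add new entries to the deployed file; never replace a deployed key."""
    deployed = parse_known_hosts(deployed_text)
    merged, conflicts = dict(deployed), []
    for ident, key in parse_known_hosts(new_text).items():
        if ident in deployed and deployed[ident] != key:
            conflicts.append(ident)       # changed host key: needs human review
        else:
            merged[ident] = key
    lines = [f"{h} {t} {k}" for (h, t), k in sorted(merged.items())]
    return "\n".join(lines) + "\n", conflicts

def sample_key(byte):
    """Constructed placeholder blob, not a real host key."""
    return base64.b64encode(bytes([byte]) * 32).decode()

# Constructed sample input (hypothetical hosts, documentation IP range).
DEPLOYED = f"sftp.partner-a.example ssh-rsa {sample_key(1)}\n"
NEW = ("# downloaded from the tenant\n"
       f"sftp.partner-a.example ssh-rsa {sample_key(2)}\n"
       f"sftp.partner-b.example,192.0.2.10 ssh-ed25519 {sample_key(3)}\n")

if __name__ == "__main__":
    merged, conflicts = merge_known_hosts(DEPLOYED, NEW)
    print(merged, end="")
    for host, keytype in conflicts:
        print(f"CONFLICT: {host} {keytype} differs from the deployed key")
```

Deploy the merged file only after every reported conflict has been resolved with the owner of the affected SFTP server.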

Setting up user credentials

In the Cloud Integration Content Management cockpit, on the Security Artifacts tab, select Deploy again. In the dialog that appears, select the artifact type User Credentials. Here you have two options, either Default or SuccessFactors. In our example we chose the type SuccessFactors.

Maintain an alias name (this has to be identical to the name chosen in the Integration Flow of your scenario), your user name and password, and a Company ID. For the Default type, the Company ID is omitted. Then save.

A new entry is added to the deployed security artifacts table.

Setting up OAuth 2.0 authentication

Select Deploy again. In the dialog that appears, select the artifact type OAuth2 Authentication. Maintain an alias name (this has to be identical to the name chosen in the Integration Flow of your scenario), the authentication URL (URL of the token service), Client ID, Client Secret, and Scope. Then save.

A new entry is added to the deployed security artifacts table. You can see the details of the credentials below except for the secret.

      5 Comments
      Peter Jarunek

      Hi Alexander,

      is the known_host file mandatory if I want to use CPI iFlow on local PO system (Cloud Integration Runtime)?

      How to create such file? What is its structure?

      How to get Host key from a local SFTP server?

      Thanks for the answers in advance,
      Peter

      Alexander Bundschuh
      Blog Post Author

      Hi Peter,

      you do not necessarily need the known_host file, only if you use the sftp adapter

      for generating the file see https://blogs.sap.com/2017/09/26/how-to-generate-sftp-known_host-file-cloud-platform-integration/

      Alex

      Patrick Mailänder

      Is there a possibility to use certificate authentication in the SFTP adapter when using cloud integration content? We are using it on SAP PO (here we have to specify the key store view, the name of the certificate and the username). In Cloud integration I would just name a user name and the name of the security artifact. Creating a "native" SSH certificate security artifact in cloud integration content does not seem to be possible. Is there a solution for that?

      Alexander Bundschuh
      Blog Post Author

      Hi Patrick,

      as far as I know, you need to create the key pair in the key store igw_default_keystore in the key storage of the NetWeaver Administrator and not in the deployment cockpit

      Alex

      Patrick Mailänder

      Thanks Alex - worked like a charm. Issue solved.