Divya Mary

SAP Cloud Platform API Management – Client Certificate Authentication for API calls

TLS (still widely referred to as SSL) is the standard technology for establishing an encrypted link between a web server and a web client such as a browser or an app. The encrypted link keeps the data exchanged between server and client confidential and protects it from tampering in transit; the client uses the https:// scheme instead of plain http://. With client certificate authentication the client additionally proves its identity with an X.509 certificate during the TLS handshake, so the server does not have to rely on a password. In API Management you associate such a certificate with an API Provider when you register the provider, and API Management then presents it whenever it calls that provider's endpoints. This is a more secure way to access the API provider than a shared user name and password.

SAP Cloud Platform API Management expects the private key and the certificate chain (the client certificate, any intermediate certificates and the root certificate) as PEM files. They are packaged into a JAR that is uploaded to a Key Store. This blog captures the steps to connect from SAP Cloud Platform API Management to an API endpoint that requires X.509 client certificate authentication.

Existing X509 Certificate for Client Certificate Authentication

In this section we capture the steps to export an existing client certificate from Internet Explorer and convert it to PEM format.

Note: this step is optional. If you already have the certificate and private key as .pem and .cert files, skip ahead.

Download Certificate with private Key

  • Open Internet Explorer -> Settings -> Internet Options, go to the Content tab and click Certificates




  • On the Personal tab, select the certificate you want to export and click Export

 

  • Select Yes, export the private key and click Next

 

  • Select the PFX (Personal Information Exchange, PKCS #12) option and click Next

 

 

  • Select the Password option, then enter and confirm a password (this blog uses abcd; choose a strong one for a real certificate). The same password is required when the certificate JAR is uploaded to the API Portal and when the private key is extracted in PEM format in the section Generate Root Certificate (.cert) and Certificate Private Key (.pem)

 

  • Choose the file system path for the exported .pfx file and click Next

 

  • Click Finish to write the .pfx file containing the certificate and its private key

 

Validate Certificate/Key for completeness

All of the following steps depend on the .pfx/.p12 file containing the full certificate chain: the client certificate, every intermediate CA certificate and the root.

  • To check this, list the contents with OpenSSL (it prompts for the export password):
openssl pkcs12 -info -in <filename>

The output must show every certificate of the chain, not just the client certificate; if only one certificate is listed, the chain is incomplete.

An incomplete chain can sometimes be repaired by importing the file into a browser and exporting it again; this only works if all root and intermediate certificates are present in the browser's trust store.

If this check does not pass, none of the subsequent steps will give the expected result.

 

Generate Root Certificate (.cert) and Certificate Private Key (.pem)

The steps below are executed with OpenSSL.

  • Extract the private key in .pem format (-nodes writes it unencrypted, so keep the file private and delete it once the JAR has been built)
openssl pkcs12 -in <input filename> -nocerts -out <keyfilename>.pem -nodes
  • Extract the certificate together with its chain into a .cert file
openssl pkcs12 -in <input filename> -nokeys -out <certfilename>.cert

Both commands prompt for the password chosen during the export. With OpenSSL 3.x, a .pfx written with the legacy RC2/3DES algorithms (older Windows exports) can only be read when -legacy is added to these commands.

 

Self signed X509 Certificate for Client Certificate Authentication

In this section we capture the steps to generate a self-signed X.509 certificate with private key in PEM format, which can then be used for client certificate authentication. Because no CA vouches for a self-signed certificate, the generated cert.pem has to be imported into the target server's trust store before the server will accept it.

Note: this step is optional. If you already have the certificate and private key as .pem and .cert files, skip ahead.

  • Generate a certificate with private key (using OpenSSL)
  • Create a new folder for the certificate
  • In the command prompt, navigate to that folder and run the following command to generate a 2048-bit RSA key and a certificate valid for 730 days
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 730
  • Enter a passphrase when prompted (abcd in this blog); key.pem is encrypted with it. The same passphrase must be entered when the certificate JAR is uploaded to the API Portal

 

Generate JAR with Certificates to upload to SAP Cloud Platform API Management

The steps below package the certificate into a JAR file. Details are available in the SAP Cloud Platform API Management help.

  • Create a JAR file containing your private key, your certificate and a manifest. The JAR must contain the following files and directories:
/META-INF/descriptor.properties
<main>.pem
<privateKey>.pem

A keystore JAR can contain only one certificate entry. If you have a certificate chain, all certificates in the chain must be appended to a single PEM file in the correct order: client certificate -> intermediate cert(1) -> intermediate cert(2) -> ... -> root CA certificate.

  • In the directory containing your key pair and certificate, create a directory called META-INF. Then create a file called descriptor.properties in META-INF with the following two lines:
certFile=<main>.pem
keyFile=<privateKey>.pem

  • Generate the JAR file containing your key pair and certificate:
jar -cf myKeystore.jar main.pem privateKey.pem
  • Add descriptor.properties to your JAR file:
jar -uf myKeystore.jar META-INF/descriptor.properties
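The whole procedure above (chain check, PEM extraction, key/certificate consistency and JAR packaging) as one runnable shell script. This is an added example, not code from the blog or from SAP: it builds a constructed test PKI of its own so that it runs offline, and the file names client.pfx, main.pem and privateKey.pem, the subject apim-client and the password abcd (taken from the blog) are assumptions. For a real certificate, skip make_test_pki and point extract_pem at the exported .pfx.

```shell
#!/bin/sh
# Added example (not from the blog or SAP): a constructed client-cert PKI is
# packed into a password-protected PKCS#12, as a browser export would be, and
# then put through the checks and conversions the blog describes before the
# keystore JAR is uploaded. File names, subject and password are test assumptions.
set -eu

# 1. Constructed test PKI: a private root CA plus a client certificate it signs.
make_test_pki() {
    dir=$1; mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Constructed Test Root CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    cat > "$dir/client.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 730 -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem"
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
        -subj "/CN=apim-client" -keyout "$dir/client.key" -out "$dir/client.csr"
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -extfile "$dir/client.ext" -out "$dir/client.pem"
    # Same shape as the browser export: leaf + private key + issuing chain.
    # "pass:" is visible in the process list; use -passout file:/env: for real keys.
    openssl pkcs12 -export -in "$dir/client.pem" -inkey "$dir/client.key" \
        -certfile "$dir/ca.pem" -passout pass:abcd -out "$dir/client.pfx"
}

# 2. The blog's completeness check, made machine-checkable: how many
#    certificates does the PKCS#12 carry? A lone leaf (1) is not a full chain.
p12_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# 3. Extract the two PEM files the keystore JAR needs. -clcerts yields only the
#    end-entity certificate and -cacerts only the issuers, so this order gives
#    leaf -> intermediate(s) -> root. With several intermediates, confirm the
#    -cacerts order yourself (openssl x509 -subject -issuer on each block).
extract_pem() {
    p12=$1; pass=$2; out=$3; mkdir -p "$out"
    openssl pkcs12 -in "$p12" -nocerts -nodes -passin "pass:$pass" 2>/dev/null \
        | openssl pkey -out "$out/privateKey.pem"      # unencrypted PKCS#8, no bag attributes
    { openssl pkcs12 -in "$p12" -nokeys -clcerts -passin "pass:$pass"
      openssl pkcs12 -in "$p12" -nokeys -cacerts -passin "pass:$pass"; } 2>/dev/null \
        | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' > "$out/main.pem"
}

# 4. The private key must belong to the first certificate in main.pem; an
#    "invalid key file" on upload is often exactly this mismatch. Comparing the
#    re-encoded public keys works for RSA and EC alike, unlike the RSA-only
#    modulus comparison.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null | openssl pkey -pubin -pubout 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# 5. The leaf must chain to the issuers shipped with it, and must be permitted
#    to act as a TLS client at all (extendedKeyUsage clientAuth).
chain_verifies() {
    awk '/BEGIN CERTIFICATE/{n++} n>=2' "$1" > "$1.issuers"   # everything after the leaf
    openssl verify -CAfile "$1.issuers" "$1" >/dev/null 2>&1   # checks the first cert only
}
has_client_auth_eku() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Client Authentication'
}

# 6. Package for upload: both PEM files plus META-INF/descriptor.properties with
#    its two entries on separate lines. A JAR is a zip, so zip or python's
#    zipfile module produce an equivalent archive when jar is not installed.
build_keystore_jar() {
    dir=$1; mkdir -p "$dir/META-INF"
    printf 'certFile=main.pem\nkeyFile=privateKey.pem\n' > "$dir/META-INF/descriptor.properties"
    ( cd "$dir" && rm -f myKeystore.jar &&
      if command -v jar >/dev/null 2>&1; then
          jar -cf myKeystore.jar main.pem privateKey.pem META-INF/descriptor.properties
      elif command -v zip >/dev/null 2>&1; then
          zip -q myKeystore.jar main.pem privateKey.pem META-INF/descriptor.properties
      else
          python3 -m zipfile -c myKeystore.jar main.pem privateKey.pem META-INF
      fi )
}

check() { if "$@"; then echo "ok: $1"; else echo "FAIL: $1" >&2; return 1; fi; }

# End-to-end run in a scratch directory (or in the directory given as $1).
run_all() {
    w=${1:-$(mktemp -d)}
    make_test_pki "$w" 2>/dev/null
    echo "certificates in PKCS#12: $(p12_cert_count "$w/client.pfx" abcd)"
    extract_pem "$w/client.pfx" abcd "$w"
    check key_matches_cert "$w/privateKey.pem" "$w/main.pem"
    check chain_verifies "$w/main.pem"
    check has_client_auth_eku "$w/main.pem"
    build_keystore_jar "$w"
    echo "keystore JAR ready: $w/myKeystore.jar"
}
run_all "${1:-}"
```

Run it without arguments to work in a temporary directory. The key/certificate match, the chain verification and the clientAuth check are worth running on a real export as well, whether you upload a JAR or the .pfx itself: a key that does not belong to the first certificate and a chain with a missing issuer are the two usual reasons an upload is rejected or the TLS handshake to the target fails. The unencrypted privateKey.pem that step 3 writes should be deleted once the keystore has been uploaded.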

Upload JAR containing certificate to SAP Cloud Platform API Management

 

 

  • Click the link Access API Portal to open the API Portal.

  • Select the Certificate option and click Create.

  • In the dialog, select Key Store as the certificate type and choose New Store. Enter a store name (idpKeSytore in the screenshot) and a name (mykeys). Use Browse to select the JAR created in the section Generate JAR with Certificates to upload to SAP Cloud Platform API Management, enter the password chosen when the certificate was generated or exported (abcd), and click Create.

  • Select the API Provider tab and click Create.

  • On the Create API Provider screen, fill in the system details (make sure the Use SSL flag is checked), then go to the AUTHENTICATION tab and select the key store uploaded above in the Key Store Certificate parameter.

  • Set the Authentication Type to None: the client certificate, not a user name and password, authenticates API Management to the target.

  • Select the APIs tab and click Create to create an API Proxy for the endpoint that requires certificate authentication; pick the provider created above from the API Provider drop-down, enter the details of your API Proxy and click Create.

With this, the client certificate defined in the API Provider is used for every connection to your target endpoints.


      33 Comments
      Rajesh Kannan K

      Hi Divya,

      Thank You for the useful blog,

      Can you please also post a blog about calling the API Proxy from the external application with client certificate authentication?

      Regards,

      Rajesh Kannan K

      Divya Mary
      Blog Post Author

      Hi Rajesh,

      Thanks for the feedback and suggestion.

      We will be posting a blog on calling API Proxy with client certificate authentication soon. The client certificate based authentication from client to SAP Cloud Platform API Management tenant requires customization to be done by our DevOps team as well. Therefore for this you would have to first raise an incident on the component OPU-API-DT-OPS with details about your tenant, virtual host (API Proxy host details) and certificate details. After the necessary configurations are done by our DevOps team, then you would have to create an API Proxy selecting your new virtual host (with client certificate authentication) configured.

      Best Regards,

      Divya

      Rajesh Kannan K

      Hi Divya,

      Thank you so much for your response.

       

      Best Regards,

      Rajesh Kannan K

      Christoffer Fuss

      Is it possible to do Client Certificate Authentication also for API-Providers of type "On-Premise"?

       

      Divya Mary
      Blog Post Author

      Hi Christoffer,

      Client Certificate Authentication is not supported for On Premise API Providers. This is supported only for cloud based API Providers.

      For On Premise API Providers we support authentication via Principal Propagation & Cloud Connectors. Are there any specific use cases for which you are looking for Client Certificate authentication for an on premise endpoint?

      Thanks and Best Regards,

      Divya

      Christoffer Fuss

      Hi Divya,

      Thanks for your reply. I would like to do the following scenario:

      A user calls from his Backend System my API Proxy of type "On-Premise" to access my OData Service in my Backend System. So I want to use the API Management Service as a middleware between his and my Backend System. The user sends a client certificate to authenticate on API Management and the user is matched and gets forwarded via Principal Propagation via Cloud Connector to my Backend System.

      Is this scenario possible? If not, do you have any other ideas what I can do?

      Best Regards and Thanks in advance,

      Chris

       

      Divya Mary
      Blog Post Author

      Hi Chris,

      The above mentioned should work with SAP Cloud Platform API Management. Enabling client authentication from the client to SAP Cloud Platform API Management would require customization to be done by our DevOps team as well. Therefore for this you would have to first raise an incident on the component OPU-API-DT-OPS with details about your tenant, virtual host (API Proxy host details) and certificate details. After the necessary configurations are done by our DevOps team, then you would have to create an API Proxy selecting your new virtual host (with client certificate authentication) configured.

      Best Regards,

      Divya

       

      Christoffer Fuss

      Hi Divya,

      this sounds great, thank you very much for your help. I just opened the incident and hopefully this will work for us. Maybe you should consider adding this information to the official API Management Service Documentation.

      Best Regards,

      Chris

      Christoffer Fuss

      Hi Divya,

      Is it possible to use the "API Test Console" for certificate protected virtual hosts? Is there any way to pass the certificate to API Test Console?

      Best regards,

      Chris

       

      Divya Mary
      Blog Post Author

      Hi Chris,

       

      In API Test console only Basic authentication is supported. For certificate based authentication a browser or test consoles like Postman can be used.

       

      Thanks and Best Regards,

      Divya

       

      Christoffer Fuss

      Hi Divya,

      thank you so much for your help. Maybe you can help me with another problem:

      https://answers.sap.com/questions/549084/handling-of-in-sap-api-management-odata-calls.html

      So nice to have people like you.

      Best Regards,

      Chris

       

      Divya Mary
      Blog Post Author

      Hi Chris,

       

      Thanks for the appreciation. I have posted a few troubleshooting tips to identify the issue and in general it would be great to raise an incident on the OPU-API-DT component.

      Thanks and Best Regards,

      Divya

      Christoffer Fuss

      Is it possible to read a Client Certificate with the Extract Variable Policy and pass the matched user to Cloud Connector via Principal Propagation?

      Divya Mary
      Blog Post Author

      Hi Chris,

      In the help documentation, details about the certificate related variables are documented. Then using the SAML assertion policy would be required to generate a short SAML assertion and pass it to your backend via Cloud Connector.

      Best Regards,

      Divya

       

      Julian Zhu

      Hi Divya,

       

      As per the SAML assertion policy you mentioned in the reply, specifically below statement in the 3rd paragraph,

      'The API platform can act as an identity provider and as a service provider.'

      what does the API platform mean here? I think when mentioning IDP here it should be SAP Cloud Platform which hosts the APIM service, correct? Since APIM itself doesn't have a user store, the SCP ID service supports its backend authentication.

      Please help to correct me if I'm wrong. Thanks!

       

      JOnes Peter

      Hi Divya,

      We're using C4C (Cloud for Customer) and call multiple SOAP services using HCI, all using SSL certificates. I want to showcase for the business that we can use SAP API Management (APIM) to call the same C4C services but am really struggling to understand how to configure APIM with the SSL certificates, i.e. keystore and truststore entries etc.

      So far I've made little progress as I'm not sure what certificates we need to add in to APIM and whenever I try to upload a certificate I get the same error message shown below...

       

      Are you able to help?

      Divya Mary
      Blog Post Author

      Hi Jones,

      If you would like to connect to a target endpoint (say C4C APIs) using certificate authentication from SAP Cloud Platform API Management, then you would have to do the following:

      a) Create jar containing your certificates private key and public key as explained in this blog

      b) Upload the jar containing certificates into SAP Cloud Platform API Management certificates tab, certificate type should be Key Store.

       

      Thanks and Best Regards,

      Divya

      Raj Jayaraj

      Hi Divya,

      Did you post a blog in answer to the question from Rajesh on January 20, 2018 re: calling API Proxy with client certificate authentication?

      I am interested in how to implement such an authentication.

       

      Thank you,

      Raj

      Divya Mary
      Blog Post Author

      Hi Raj,

      Enabling client certificate authentication for your API Proxy endpoint requires configurations to be done by our operations team. Therefore it would be great to open an incident on the component OPU-API-DT-OPS mentioning your tenant details. Our operations team would share the detailed steps for securely sharing the client certificate and would guide you through the necessary configurations.

      Thanks and Best Regards,

      Divya

      JOnes Peter

      Hi Divya,

      I've raised a separate question on this as I've followed your instructions in this blog when trying to set up a call to a C4C service and get a 401 error. I'm fairly sure the config in C4C (comm arrangements, certs etc) is correct as I've managed to call the service directly from SOAPUI. I've tried several attempts at creating the keystore (.jar) file following your instructions and every time it all looks ok and matches your example but nothing seems to help resolve the issue!

      Any ideas what else is worth trying?

       

      NOTE:- I'm using the API Manager trial and our C4C Dev environment....

       

      I assume 401 Unauthorized indicates that there is connectivity between API Mgr and C4C and that it is an issue with the authentication that is causing the error?

       

      Anil Kumar VEEPURI

      Hi Divya,

      I see that the certificate communication applies only for API providers. Is there a way to establish certificate communication with an API proxy that is created using the URI option? This is because I cannot get the catalog service on Hybris Marketing and Commerce and hence have to create each API individually using the URI option. Thanks in advance.

      Regards

      Anil Kumar VEEPURI

      Divya Mary
      Blog Post Author

      Hi Anil,

      Certificate based authentication is possible via API Providers only. In case you have multiple APIs in your scenario and all these API Proxies point to the same target system, then you can just link the same API Provider to multiple API Proxies. This way you would be able to re-use the configurations done by you across multiple API Proxies.

      Thanks and Best Regards,

      Divya

      Alfredo Semeco Blanco

      Hi Divya Mary

       

      thanks for your help with this topic.

       

      I need to consume a SOAP API endpoint (WSDL), but first I need to configure certificate authentication. Is it possible to do it from APIM on SCP? And if this is possible, then how do I do it?

       

      NOTE:

      I just have a URL (endpoint), certs and a WSDL file (SOAP Service)

       

      Thanks

      Divya Mary
      Blog Post Author

      Hi Alfredo,

       

      If you are using certificates for transport level security (TLS), then the steps to connect to your SOAP endpoint via SAP Cloud Platform API Management would remain similar to the steps mentioned in this blog.

      Best Regards,

      Divya

      Rodrigo De Assumpção

      Hi Divya,

       

      Your post is amazing! Congratulations!

      Do you know how APIM validates a client certificate for access to the published API?

      I mean... I need APIM to validate the client certificate instead of passing a client certificate via Provider.

       

      Best Regards,

      Rodrigo

      Divya Mary
      Blog Post Author

      Hi Rodrigo,

      Thanks a lot for your kind words. Glad to hear that you are liking our blog series.

      If your question is around validation of the certificate presented by the target endpoint in API Management, then the steps are as follows:

      • Upload the root certificate of the target server in API Management under configure->certificate tab. The certificate type in this case would be Trust Store.
      • Create the API Provider, select the use SSL flag and then select your trust store that you would like to use in your certificate validation before calling the target endpoint.

      Details available in help documentation

      If your question is around validation of the certificate presented by the calling application to an API Proxy URL, then the steps are as follows:

      • Raise a customer incident against component OPU-API-DT-OPS mentioning your tenant details. Our operations team would share the detailed steps for securely sharing the client certificate and would guide you through the necessary configurations.
      • We will be creating a new virtual host with client certificate authentication enabled . You would have to create the API Proxies that you would like to be validated with client certificate authentication using this newly created virtual host.

      Thanks and Best Regards,

      Divya

       

       

      Rodrigo De Assumpção

      Hi Divya, Thank you for the reply and for your time.

      We are talking about the second option.

      I have some questions for this model. Could you please share your opinion / experience for the next questions?

      1 - With a client certificate at virtual host level, we can access any API with the same certificate. For our security team this is an issue. What does your team think about that? Is there a solution where we could set up different certificates for different APIs, like in CPI?

      2 - Is it possible to set up the SAP Passport CA for a virtual host, instead of a single certificate?

      3 - Is it possible to set up the CA of my company (only the CA of my company and no other) for a virtual host?

       

      Again, thank you for your time. We would appreciate it if you could help us with these doubts.

      Thank you.

       

      Best Regards,

      Rodrigo

      Divya Mary
      Blog Post Author

      Hi Rodrigo,

      For your point no 1) you could always combine certificate based authentication along with API key or OAuth based access. For this you can group your APIs into API Products and publish the API Products into the Developer portal. Developers can create an application subscribing to the API Products and then get access to only those APIs which are grouped/associated within those API Products.

      In case of client authentication, the root certificates are shared by you during the certificate set up process so based on the root certificate shared by you, the client certificate authentication calls will be triggered. You could give your company CA and therefore restrict the authentication to client certificates for your company CA.

      Thanks and Best Regards,

      Divya

      Carlo van der Meer

      Hi Divya,

      I followed your great instructions, but the jar is not accepted by API Management?

      I think that something goes wrong with the creation of the root certificate.

      • My root certificate, that failed contains: subject=C = NL, ST = Overijssel, L = Zwolle, ....
      • Good root certificate contains: subject=/C=NL/ST=Overijssel/L=Zwolle/

      everything else seems to look the same.

      The good jar was created on an Apple laptop. I created it on windows 10 and on CentOS(Linux).

      I hope you can help me out.

      Best regards,

      Carlo

      Carlo van der Meer

      Hi All,

      This process, of making a JAR, is not needed! You still can use it, but not needed.

      You can also use *.p12 and *.pfx !!

      So in my case, transforming a .pfx to a JAR was not needed, because you can just use the .pfx file.

      Just Upload it with the needed password. And done

      Hope this will help others.

      Best regards,

      Carlo

      Manuel Tejada Mezarina

      Hi Divya,
      I have a 401 error when I run a REST WS (the REST service is exposed by the SAP API manager). When run from Postman it has no error, but when run from C4C it has the 401 error.
      The authentication method is user/pass. I don't know if the user has character restrictions, because it has a "/"; for example: User: app/kflkfdlsdlsdlsdfsdf-sdfertr.

       

      Best regards

      Gregg Hinkle

      I created a JAR file using the directions stated above which contains my certificates, but when I try to create my Key Store and upload the JAR file I get an invalid key file error. I did previously validate that the certificate and private key match by running the commands and comparing the results:

      openssl x509 -noout -modulus -in cert.pem | openssl md5

      openssl rsa -noout -modulus -in privatekey.pem | openssl md5

      Does anyone have any ideas of why I can't upload the JAR file?

      Hassen HMILA

      Hi Divya,

      Do you know how I can add client certificates in APIM so that only requests with this client certificate can be processed to my API, similar to how it's set up in the BTP Key instance?

      I hope you can help me out.

      Best regards,

      Hassen