Skip to Content

SSL is the standard security technology for establishing an encrypted link between a web server and a web client, such as a browser or an app. An encrypted link ensures that all data passing between the server and the client remains private. To use SSL, a client makes a secure request to the server by using the encrypted https:// protocol, instead of the unencrypted http:// protocol. In API Management, you can associate the certificates with the API Provider at the time of API provider registration. This process provides more secure way to access API provider.

SAP Cloud Platform API Management requires certificates containing private key and root certificates in PEM format. These certificates are then packaged in JAR which is uploaded into the Key Store.  In this blog, we have captured the steps to connect to an API endpoint with X509 based client certificate authentication from SAP Cloud Platform API Management.

Existing X509 Certificate for Client Certificate Authentication

In this section, we have captured the steps to download an existing Client Certificate using internet explorer and then convert certificate to PEM format.

Note: - This is an option step, in case you already have the certificate with private key in .pem and .cert file format then this step can be skipped

Download Certificate with private Key

  • Open Internet explorer -> settings -> internet options, navigate to the tab content and then click on certificates




  • From the personal tabs, select the certificate that you would like to download and then click Export

 

  • Select option Yes, export the private key and click Next

 

  • Select PFX option and then click Next

 

 

  • Select Password option and then enter and confirm password say abcd. This password should be used during upload certificate jar on API Portal and would be required while generating the certificate with private key in .pem format in section Generate Root Certificate (.cert) and Certificate Private Key (.pem)

 

  • Select the file system path to download Certificate and then click Next

 

  • Click Finish to download the certificate with Private key

 

Validate Certificate/Key for completeness

All the following steps depend on having the full chain of certificates / trust within the pfx/p12 file.

  • To validate this following command in Open SSL can be used
openssl pkcs12 -info -in <filename>

The file must contain the full chain as shown below.

Incomplete chains can potentially be fixed through browser import and export (requires all root/intermediate certificates to be present in trust stores).

If this check is not passed all subsequent steps will not yield expected result.

 

Generate Root Certificate (.cert) and Certificate Private Key (.pem)

The below steps are executed using Open SSL

  • Extract certificate with private key in .pem file format
openssl pkcs12 -in <input filename> -nocerts -out <keyfilename>.pem –nodes
  • Extract root certificate with certificate chain in .cert format
pkcs12 -in <input filename> -nokeys -out <keyfilename>.pem -nodes

 

Self signed X509 Certificate for Client Certificate Authentication

In this section, we have captured the steps to generate a self signed X509 certificate with private key in PEM which can then be used for Client Certificate authentication. In this case the generated root certificate would have to be imported into the target server.

Note: - This is an option step, in case you already have the certificate with private key in .pem and .cert file format then this step can be skipped

  • Generate a certificate with private key (using Open SSL)
  • Create a new folder to place the certificate
  • In the cmd prompt navigate to the certificate folder and then use the openssl commands to generate the certificates
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 730
  • Enter the password when prompted say abcd. This password should be used during Upload certificate jar on API Portal

 

Generate JAR with Certificates to upload to SAP Cloud Platform API Management

The below steps package the certificate into a jar file. Details is available in SAP Cloud Platform API Management help link.

  • Create a JAR file containing your private key, certificate, and a manifest. For example, the JAR file must contain the following files and directories: /META-INF/descriptor.properties,<main>.pem, <privateKey>.pem

A keystore JAR can contain only one certificate. If you have a certificate chain, all certs in the chain must be appended into a single PEM file, where the last certificate is signed by a CA. The certs must be appended to the PEM file in the correct order, meaning: cert -> intermediate cert(1) -> intermediate cert(2) -> … -> root

  • In the directory containing your key pair and certificate, create a directory called /META-INF. Then, create a file called descriptor.properties in /META-INF with the following contents: certFile=<main>.pemkeyFile=<privateKey>.pem

  • Generate the JAR file containing your key pair and certificate:
 jar -cf myKeystore.jar main.pem privateKey.pem
  • Add descriptor.properties to your JAR file:
jar -uf myKeystore.jar META-INF/descriptor.properties

Upload JAR containing certificate to SAP Cloud Platform API Management

 

 

  • Click on the link Access API Portal to open API Portal.

 

  • Select the option Certificate and click on the option Create

 

  • In the UI, select the certificate type as Key Store, select the option New Store. In the store name provide name as idpKeSytore, Name as mykeys. Using the Browse option select the jar created in section Generate JAR for Certificate Upload on API Portal and then click on Create button as shown in the screenshot. The password which was used in Generate Certificates section should be passed as well. (abcd)

 

  • Select API Provider tab and then click on Create button

 

  • In the create API Provider screen fill system details (important is to check use ssl flag) and then Go to tab AUTHENTICATION and Select previously uploaded key store in parameter Key Store Certificate

 

  • Select the Authentication type to None

 

  • Select the APIs tab and then click Create button to create an API Proxy which requires the Certificate Authentication and the from the API Provider drop down select the provider created and enter the details your API Proxy and then click Create

 

With this client certificate defined in the API Provider would be used for connecting to your target end points.

To report this post you need to login first.

11 Comments

You must be Logged on to comment or reply to a post.

  1. Rajesh Kannan K

    Hi Divya,

    Thank You for the useful blog,

    Can you please also post a blog about calling the API Proxy from the external application with client certificate authentication?

    Regards,

    Rajesh Kannan K

    (0) 
    1. Divya Mary Post author

      Hi Rajesh,

      Thanks for the feedback and suggestion.

      We will be posting a blog on calling API Proxy with client certificate authentication soon. The client certificate based authentication from client to SAP Cloud Platform API Management tenant requires  customization to be done by our DevOps team as well. Therefore for this you would have to first raise an incident on the component OPU-API-DT-OPS with details about your tenant, virtual host ( API Proxy host details) and certificate details. After the necessary configurations are done by our DevOps team, then you would have to create an API Proxy selecting your new virtual host (with client certificate authentication) configured.

      Best Regards,

      Divya

      (0) 
    1. Divya Mary Post author

      Hi Christoffer,

      Client Certificate Authentication is not supported for On Premise API Providers. This is supported only for cloud based API Providers.

      For On Premise API Providers we support authentication via Principal Propagation & Cloud Connectors. Is there any specific use cases that you are looking for Client Certificate authentication for on premise endpoint.

      Thanks and Best Regards,

      Divya

      (0) 
      1. Christoffer Fuss

        Hi Divya,

        Thanks for your reply. I would like to do the following scenario:

        A user calls from his Backend System my API Proxy of type “On-Premise” to access my Odata Service in my Backend System. So I want to use the API Management Service as a middleware between his and my Backend System. The user sends a client certificate to authenticate on API Management and the user is matched and gets forwarded via Principal Propgation via Cloud Connector to my Backend System.

        Is this sceanrio possible? If not, do you have any other ideas what I can do?

        Best Regards and Thnaks in advance,

        Chris

         

        (0) 
        1. Divya Mary Post author

          Hi Chris,

          The above mentioned should work with SAP Cloud Platform API Management. For enabling of the client authentication from client to SAP Cloud Platform API Management  would require  customization to be done by our DevOps team as well. Therefore for this you would have to first raise an incident on the component OPU-API-DT-OPS with details about your tenant, virtual host ( API Proxy host details) and certificate details. After the necessary configurations are done by our DevOps team, then you would have to create an API Proxy selecting your new virtual host (with client certificate authentication) configured.

          Best Regards,

          Divya

           

          (1) 
          1. Christoffer Fuss

            Hi Divya,

            this sounds great, thank you very much for your help. I just opened the incident and hopefully this will work for us. Maybe you should consider to add this information to the offical API Management Service Documentation.

            Best Regards,

            Chris

            (0) 
          2. Christoffer Fuss

            Hi Divya,

            Is it possible to use the “API Test Console” for certificate protected virtual hosts? Is there any way to pass the certificate to API Test Console?

            Best regards,

            Chris

             

            (0) 

Leave a Reply