Skip to Content

SAP Cloud Platform API Management – Client Certificate Authentication for API calls

SSL is the standard security technology for establishing an encrypted link between a web server and a web client, such as a browser or an app. An encrypted link ensures that all data passing between the server and the client remains private. To use SSL, a client makes a secure request to the server by using the encrypted https:// protocol, instead of the unencrypted http:// protocol. In API Management, you can associate the certificates with the API Provider at the time of API provider registration. This process provides more secure way to access API provider.

SAP Cloud Platform API Management requires certificates containing private key and root certificates in PEM format. These certificates are then packaged in JAR which is uploaded into the Key Store.  In this blog, we have captured the steps to connect to an API endpoint with X509 based client certificate authentication from SAP Cloud Platform API Management.

Existing X509 Certificate for Client Certificate Authentication

In this section, we have captured the steps to download an existing Client Certificate using internet explorer and then convert certificate to PEM format.

Note: - This is an option step, in case you already have the certificate with private key in .pem and .cert file format then this step can be skipped

Download Certificate with private Key

  • Open Internet explorer -> settings -> internet options, navigate to the tab content and then click on certificates




  • From the personal tabs, select the certificate that you would like to download and then click Export

 

  • Select option Yes, export the private key and click Next

 

  • Select PFX option and then click Next

 

 

  • Select Password option and then enter and confirm password say abcd. This password should be used during upload certificate jar on API Portal and would be required while generating the certificate with private key in .pem format in section Generate Root Certificate (.cert) and Certificate Private Key (.pem)

 

  • Select the file system path to download Certificate and then click Next

 

  • Click Finish to download the certificate with Private key

 

Validate Certificate/Key for completeness

All the following steps depend on having the full chain of certificates / trust within the pfx/p12 file.

  • To validate this following command in Open SSL can be used
openssl pkcs12 -info -in <filename>

The file must contain the full chain as shown below.

Incomplete chains can potentially be fixed through browser import and export (requires all root/intermediate certificates to be present in trust stores).

If this check is not passed all subsequent steps will not yield expected result.

 

Generate Root Certificate (.cert) and Certificate Private Key (.pem)

The below steps are executed using Open SSL

  • Extract certificate with private key in .pem file format
openssl pkcs12 -in <input filename> -nocerts -out <keyfilename>.pem –nodes
  • Extract root certificate with certificate chain in .cert format
pkcs12 -in <input filename> -nokeys -out <keyfilename>.pem -nodes

 

Self signed X509 Certificate for Client Certificate Authentication

In this section, we have captured the steps to generate a self signed X509 certificate with private key in PEM which can then be used for Client Certificate authentication. In this case the generated root certificate would have to be imported into the target server.

Note: - This is an option step, in case you already have the certificate with private key in .pem and .cert file format then this step can be skipped

  • Generate a certificate with private key (using Open SSL)
  • Create a new folder to place the certificate
  • In the cmd prompt navigate to the certificate folder and then use the openssl commands to generate the certificates
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 730
  • Enter the password when prompted say abcd. This password should be used during Upload certificate jar on API Portal

 

Generate JAR with Certificates to upload to SAP Cloud Platform API Management

The below steps package the certificate into a jar file. Details is available in SAP Cloud Platform API Management help link.

  • Create a JAR file containing your private key, certificate, and a manifest. For example, the JAR file must contain the following files and directories: /META-INF/descriptor.properties,<main>.pem, <privateKey>.pem

A keystore JAR can contain only one certificate. If you have a certificate chain, all certs in the chain must be appended into a single PEM file, where the last certificate is signed by a CA. The certs must be appended to the PEM file in the correct order, meaning: cert -> intermediate cert(1) -> intermediate cert(2) -> … -> root

  • In the directory containing your key pair and certificate, create a directory called /META-INF. Then, create a file called descriptor.properties in /META-INF with the following contents: certFile=<main>.pemkeyFile=<privateKey>.pem

  • Generate the JAR file containing your key pair and certificate:
 jar -cf myKeystore.jar main.pem privateKey.pem
  • Add descriptor.properties to your JAR file:
jar -uf myKeystore.jar META-INF/descriptor.properties

Upload JAR containing certificate to SAP Cloud Platform API Management

 

 

  • Click on the link Access API Portal to open API Portal.

 

  • Select the option Certificate and click on the option Create

 

  • In the UI, select the certificate type as Key Store, select the option New Store. In the store name provide name as idpKeSytore, Name as mykeys. Using the Browse option select the jar created in section Generate JAR for Certificate Upload on API Portal and then click on Create button as shown in the screenshot. The password which was used in Generate Certificates section should be passed as well. (abcd)

 

  • Select API Provider tab and then click on Create button

 

  • In the create API Provider screen fill system details (important is to check use ssl flag) and then Go to tab AUTHENTICATION and Select previously uploaded key store in parameter Key Store Certificate

 

  • Select the Authentication type to None

 

  • Select the APIs tab and then click Create button to create an API Proxy which requires the Certificate Authentication and the from the API Provider drop down select the provider created and enter the details your API Proxy and then click Create

 

With this client certificate defined in the API Provider would be used for connecting to your target end points.

28 Comments
You must be Logged on to comment or reply to a post.
  • Hi Divya,

    Thank You for the useful blog,

    Can you please also post a blog about calling the API Proxy from the external application with client certificate authentication?

    Regards,

    Rajesh Kannan K

    • Hi Rajesh,

      Thanks for the feedback and suggestion.

      We will be posting a blog on calling API Proxy with client certificate authentication soon. The client certificate based authentication from client to SAP Cloud Platform API Management tenant requires  customization to be done by our DevOps team as well. Therefore for this you would have to first raise an incident on the component OPU-API-DT-OPS with details about your tenant, virtual host ( API Proxy host details) and certificate details. After the necessary configurations are done by our DevOps team, then you would have to create an API Proxy selecting your new virtual host (with client certificate authentication) configured.

      Best Regards,

      Divya

    • Hi Christoffer,

      Client Certificate Authentication is not supported for On Premise API Providers. This is supported only for cloud based API Providers.

      For On Premise API Providers we support authentication via Principal Propagation & Cloud Connectors. Is there any specific use cases that you are looking for Client Certificate authentication for on premise endpoint.

      Thanks and Best Regards,

      Divya

      • Hi Divya,

        Thanks for your reply. I would like to do the following scenario:

        A user calls from his Backend System my API Proxy of type “On-Premise” to access my Odata Service in my Backend System. So I want to use the API Management Service as a middleware between his and my Backend System. The user sends a client certificate to authenticate on API Management and the user is matched and gets forwarded via Principal Propgation via Cloud Connector to my Backend System.

        Is this sceanrio possible? If not, do you have any other ideas what I can do?

        Best Regards and Thnaks in advance,

        Chris

         

        • Hi Chris,

          The above mentioned should work with SAP Cloud Platform API Management. For enabling of the client authentication from client to SAP Cloud Platform API Management  would require  customization to be done by our DevOps team as well. Therefore for this you would have to first raise an incident on the component OPU-API-DT-OPS with details about your tenant, virtual host ( API Proxy host details) and certificate details. After the necessary configurations are done by our DevOps team, then you would have to create an API Proxy selecting your new virtual host (with client certificate authentication) configured.

          Best Regards,

          Divya

           

      • Hi Divya,

         

        As per the SAML assertion policy you mentioned in the reply, specifically below statement in the 3rd paragraph,

        ‘The API platform can act as an identity provider and as a service provider.’

        what does the API platform mean here? I think mentioning IDP here it should be SAP Cloud Platform which hosts APIM service correct? Since APIM itself doesnt has user store, SCP ID service supports its backend authentication.

        Please help to correct me if i’m wrong.Thanks!

         

  • Hi Divya,

    We’re using C4C (Cloud for Customer) and call multiple SOAP services using HCI all using SSL certificates. I want to showcase for the business that we can use SAP API Management (APIM) to call the same C4C services but  really struggling to understand how to configure APIM with the SSL certificates. i.e keystore and truststore entries etc

    So far I’ve made little progress as I’m not sure what certificates we need to add in to APIM and whenever I try to upload a certificate I get the same error message shown below…

     

    Are you able to help?

    /
    • Hi Jones,

      If you would like to connect to a target endpoint ( say C4C APIs) using certificate authentication from SAP Cloud Platform API Management , then you would have to do the following :-

      a) Create jar containing your certificates private key and public key as explained in this blog

      b) Upload the jar containing certificates into SAP Cloud Platform API Management certificates tab, certificate type should be Key Store.

       

      Thanks and Best Regards,

      Divya

  • Hi Divya,

    Did you post a blog to the question from Rajesh on January 20, 2018 re:  calling API Proxy with client certificate authentication?

    I am interested in how to implement such a authentication.

     

    Thank you,

    Raj

    • Hi Raj,

      Enabling client certificate authentication for your API Proxy endpoint requires configurations to be done by our operations team. Therefore it would be great to open an incident on the component OPU-API-DT-OPS mentioning your tenant details. Our operations team would share the detailed steps for securely sharing the client certificate and would guide you through the necessary configurations.

      Thanks and Best Regards,

      Divya

  • Hi Divya,

    I’ve raised a sprat question on this as I’ve followed your instructions in this blog when trying to set up a call to a C4C service and get a 401 error. I’m fairly sure the config in C4C (comm arrangements, certs etc) is correct as I’ve managed to call the service direct from SOAPUI. I’ve tried several attempts at creating the keystore (.Jar) file following your instructions and every time it all looks ok and matches your example but nothing seems to help resolve the issue!

    Any ideas what else is worth trying?

     

    NOTE:- I’m using the API Manager trial and our C4C Dev environment….

     

    I assume 401 Unauthorized indicates that there is connectivity between API Mgr and C4C and that it is an issue with the authentication that is causing the error?

     

  • Hi Divya,

    I see that the certificate communication applies only for API providers. Is there a way to establish the certificates communication with an API proxy that is created using the URI option? This is because, I cannot get the catalog service on Hybris Market and Commerce and hence, have to create each API individually using the URI option. Thanks in advance.

    Regards

    Anil Kumar VEEPURI

    • Hi Anil,

      Certificate based authentication is possible via API Providers only.  In case you have multiple APIs in your scenario and all these API Proxies point to the same target system, then you can just link the same API Provider to multiple API Proxies. This way you would be able to re-use the configurations done by you across multiple API Proxies.

      Thanks and Best Regards,

      Divya

  • Hi Divya Mary

     

    thanks for your help with this topic.

     

    I need to consuming a endpoint SOAP API (wsdl), but first i need to config cert auth. It is possible to do it from APIM SCP.? and if this is possible then how do i do?

     

    NOTE:

    i just have a URL (endpoint), certs and WSDL file ( SOAP Service)

     

    Thanks

    • Hi Alfredo,

       

      If you are using certificates for transport level security ( TLS) ; then steps to connect to your SOAP endpoint via SAP Cloud Platform API Management  would remain similar to the steps mentioned in this blog.

      Best Regards,

      Divya

  • Hi Divya,

     

    Your post is amazing! Congratulations!

    Do you know how APIM validate a client certificate for access the published API ?

    I mean… I need the APIM validate the client certificate instead of pass a client certificate via Provider.

     

    Best Regards,

    Rodrigo

    • Hi Rodrigo,

      Thanks a lot for your kind words. Glad to hear that you are liking our blog series.

      If your question is around validation of the certificate presented by the target endpoint in API Management , then steps are as follows :-

      • Upload the root certificate of the target server in API Management under configure->certificate tab. The certificate type in this case would be Trust Store.
      • Create the API Provider, select the use SSL flag and then select your trust store that you would like to use in your certificate validation before calling the target endpoint.

      Details available in help documentation

      If your question is around validation of the certificate presented by the calling application to an API Proxy URL then for this steps are as follows :-

      • Raise a customer incident against component OPU-API-DT-OPS mentioning your tenant details. Our operations team would share the detailed steps for securely sharing the client certificate and would guide you through the necessary configurations.
      • We will be creating a new virtual host with client certificate authentication enabled . You would have to create the API Proxies that you would like to be validated with client certificate authentication using this newly created virtual host.

      Thanks and Best Regards,

      Divya

       

       

      • Hi Divya, Thank you for the reply and for your time.

        We are talking about the second option.

        I have some questions for this model. Could you please share your opinion / experience for the next questions?

        1 – With a client certificate in virtual host level, we can access any API with the same certificate. For our security team this is a issue. What does your team think about that? There are a solution where we could setup different certificates for different API’s, like CPI’s?

        2 – It’s possible setup the Sap Passaport CA for a virtual host, instead of a single certificate?

        3 – It’s possible setup the CA of my company (only CA of my company and no any other) for a virtual host?

         

        Again, thank you for your time. We will apreciate if you help us with this doubts.

        Thank you.

         

        Best Regards,

        Rodrigo

        • Hi Rodrigo,

          For your point no 1) you could always combine certificate based authentication along with the API key or OAuth or API Key based access.  For this you can group your APIs into API Products and publish the API Products into the Developer portal. Developers can create an application subscribing to the API Products and then get access to only those APIs which are grouped/associated within that API Products.

          In case of client authentication, the root certificates are shared by you during the certificate set up process so based on the root certificate shared by you, the client certificate authentication calls will be triggered. You could give your company CA and therefore restrict the authentication to client certificates for your company CA.

          Thanks and Best Regards,

          Divya