HCI Client Certificate Authorization
The idea of this blog is to show how to generate a certificate for an s-user and use it to authenticate in CPI.
There are many reasons to use a certificate for authentication: the user will not be blocked because someone entered a wrong password, you can restrict the service you are creating to a specific user, security is better than with basic authentication, and others. In our case we used it to restrict a web service to specific users.
Just think: all technical users have the role ESBMessaging.send, so they can access any service if they know the URL.
So let’s start. To create the certificate for your s-user, use the link below and click “Apply for an SAP Passport”.
https://support.sap.com/en/my-support/single-sign-on-passports.html
In the next screen, you can see your name and s-user. Enter the password and click “Apply for an SAP Passport”.
Create a password for the certificate and click Apply.
In the next step, you can download the certificate and make a backup.
Now we have the pfx file that we will use to authenticate in CPI, but we also need the .cer from the certificate. One of the easiest ways is to install the pfx on your PC and use Internet Explorer to export it.
Let's install it first: double-click your pfx file, click Next, Next, enter the password of your pfx and select the three options, then Next and Finish.
Now let's generate the .cer that we will use in the integration flow. Open Internet Explorer and go to the menu “Internet Options”.
In the tab “Content”, click “Certificates”.
Select your s-user certificate and click “Export”, then Next, keep the option “No, do not export the private key”, and click Next, Next.
Select a folder to save the .cer file, then click Next and Finish.
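The same export can be scripted without installing the pfx into the Windows certificate store; this is an added example, not part of the original post, and the two file paths are placeholder assumptions. It writes only the public certificate and checks the result before you select it in the iflow.

```powershell
# Added example. The two default paths are placeholders, not values from the post.
param(
    [string]$PfxPath = "$HOME\Downloads\passport.pfx",
    [string]$CerPath = "$HOME\Downloads\passport.cer"
)
$ErrorActionPreference = 'Stop'
$X509    = [System.Security.Cryptography.X509Certificates.X509Certificate2]
$DerCert = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert

# .NET does not follow PowerShell's current location, so resolve to full paths.
$PfxPath = (Resolve-Path -LiteralPath $PfxPath).Path
$CerPath = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($CerPath)

# Read the password without echoing it or leaving it in the command history.
$password = Read-Host -Prompt 'PFX password' -AsSecureString

# Open the PFX directly from the file; it is not added to the certificate store.
$pfx = $X509::new($PfxPath, $password)
try {
    # ContentType 'Cert' serialises only the DER-encoded certificate,
    # i.e. the public key and its attributes, never the private key.
    [System.IO.File]::WriteAllBytes($CerPath, $pfx.Export($DerCert))

    # Re-read the exported file and check it before uploading it anywhere.
    $cer = $X509::new($CerPath)
    if ($cer.HasPrivateKey) { throw "Exported file contains a private key: $CerPath" }
    if ($cer.Thumbprint -ne $pfx.Thumbprint) { throw 'Exported certificate does not match the PFX.' }
    if ($cer.NotAfter -lt (Get-Date)) { Write-Warning "Certificate expired on $($cer.NotAfter)." }

    # Summary to compare with what the iflow trace shows later.
    [pscustomobject]@{
        File       = $CerPath
        Subject    = $cer.Subject
        Issuer     = $cer.Issuer
        Thumbprint = $cer.Thumbprint
        NotAfter   = $cer.NotAfter
    }
}
finally {
    $pfx.Dispose()   # release the key material loaded from the PFX
}
```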
Now we are ready to go to the iflow. It is a very simple iflow with a SOAP sender and a Content Modifier that just creates an XML for the response.
The SOAP adapter in this case is SOAP 1.x, and here is the configuration.
In Authentication, select Client Certificate, then select your .cer. Save it and deploy the integration flow.
Now let’s test with SoapUI. Go to Menu -> Preferences, select SSL Settings on the left side, select your pfx file and enter the password.
Import your WSDL into SoapUI. You don’t need to enter a user and password now; just execute and you can see the response XML created by the Content Modifier.
In the message monitoring you can see that the message is OK.
I also turned on the trace to get more information; if you go to traceMessage, you can see the certificate information used for authentication.
Thank you and I hope I’ve helped.
Kaleo
Dear Kaleo,
Thank you for this blog! I was able to reproduce it in my system, it was a little victory for me since I barely understand about certificates and always struggle with this kind of point.
I'm wondering where we would put the .pfx certificate if we wanted to perform the SOAP call from the backend. In STRUST in SSL Client (Anonymous) or SSL Client (Standard)?
Regards,
Marco Silva
Hi Marco,
I'm wondering the same as you... did you find the way to do it?
Regards,
Adrián
Dear Kaleo,
Very interesting! Excellent solution for greater security and to facilitate developments/tests/use.
Thanks for sharing this solution.
Best regards,
Lucas M. Goncalves.
Hi Kaleo,
we are trying to use passport for calling API https://api.sap.com/package/CloudIntegrationAPI?section=Artifacts
But we receive 401.
Error Details