Skip to Content
Technical Articles

SAP Cloud Platform Integration – Automated Notification for Client Certificates Reaching Expiry

This blog describes how to send automated notifications (after the March-24-2019 update) in case the client certificates in User-to-Certificate Mapping reaching the expiry date. The notification is sent using an integration flow.

Automated Notification for Client Certificates Reaching Expiry

The Certificate-to-User Mapping allows a tenant administrator to maintain the client certificates to be used for inbound authentication and authorization. Details can be found in the blog ‘How to Setup Secure HTTP Inbound Connection with Client Certificates’. Renewal of a client certificate is an important task to be done before expiry, else it will lead to message failure for productive scenarios using this client certificate. The tenant administrator can be notified about those client certificates which are about to expire, so that he can take in-time actions for renewal of the same. He needs to get a new client certificate from the sender system administrator and exchange it in the Certificate-to-User Mapping monitor.

You can model an integration flow to get notifications via mail for entries reaching their expiry. This blog provides the description of the steps to model a scenario triggered via scheduler which checks all entries of the certificate-to-user mapping and sends a mail with information about those entries reaching their expiry.

Scenario Description

To enable the notification, we use the OData APIs for certificate-to-user mapping in an integration flow. These APIs can be consumed via https://<tmnUrl>/api/v1 where <tmn> is the address of the tenant management node. Here we will use the API for the certificate-to-user mapping via https://<tmnUrl>/api/v1/CertificateUserMappings . Note that the ValidUntil option of the API is only available after the March-24-2019 update.

Overall scenario looks like this:

The integration flow is triggered by a timer, fetches the client certificate data via an OData adapter, evaluates the certificate status in a script and send a notification mail if the client certificates are about to expire.

Let’s create the flow.

Create Integration Flow with Timer Start Event and OData Receiver

Create an integration flow with Start Timer Event. Using a Request-Reply step, call the OData APIs to fetch details of the certificate-to-user mapping via an OData receiver channel. Below you find the configuration of the OData receiver channel:

Note, that you need to use Operation Query(Get) and enter CertificateUserMappings as Resource Path.

Use General Splitter to Split the List of Certificate

In a General Splitter step you split the received list of certificate-to-user mappings into single entities. Do the split based on XPath /CertificateUserMappings/CertificateUserMapping:

Read Client Certificate Details into Properties in Content Modifier

In a subsequent Content Modifier step you read all the client certificate-specific details via XPath into properties:

Create the following properties:

  • CertificateValidUntil
    • Type: XPath
    • Data Type: java.lang.Long
    • Value: /CertificateUserMappings/CertificateUserMapping/ValidUntil
  • CertificateUserMappingID
    • Type: XPath
    • Data Type: java.lang.String
    • Value: /CertificateUserMappings/CertificateUserMapping/Id
  • CertificateUser
    • Type: XPath
    • Data Type: java.lang.String
    • Value: CertificateUserMappings/CertificateUserMapping/User

 

Evaluate Client Certificate Expiry Status via Groovy Script

In a Groovy Script we calculate the expiry status of the client certificates. Use the following script code:

import com.sap.gateway.ip.core.customdev.util.Message;
import java.util.HashMap;
import java.util.Date;
import java.util.concurrent.TimeUnit;
import java.text.SimpleDateFormat;

def Message processData(Message message) {
    // Get Properties
    map = message.getProperties();
    long certExpirydate = map.get("CertificateValidUntil");
    // Calculate Expiry 
    long dateNow = System.currentTimeMillis(); 
    long dateDiff = certExpirydate - dateNow;
    def daysToExpire = TimeUnit.DAYS.convert(dateDiff, TimeUnit.MILLISECONDS); 
    // Set Properties
    Date certExpirydateDate = new Date(certExpirydate); 
    message.setProperty("daysToExpire", daysToExpire);
    message.setProperty("CertExpirydate", certExpirydateDate);
   return message;
}

 

Check Client Certificate Status in Router

In a Router step check the days to expire for the client certificate and route to the mail receiver in case the certificate is about to expire. In my configuration I send the notification for certificates the expire in 10 days or less:

Define Non-XML Expression ${property.daysToExpire} > ’10’ for the branch going to the End event. Default branch is the branch to the Mail receiver which is executed if the client certificate expires in 10 days or less.

Configure Mail Receiver

Now we configure the Mail receiver channel sending out the notification. Configure the mail server and authentication you want to use. In the Mail Attributes define the mail receiver and sender mail address and the Mail Subject and Mail Body:

Subject: Client Certificate Expiry Notification

Mail Body:

Dear Administrator,
one Client Certificate for user ${property.CertificateUser} expires by ${property.CertExpirydate}.
Please contact the Administrator of the sender system to provide a new Client Certificate.

Deploy and Run the Integration Flow

Configure the Timer start event to run the flow every day or any other interval that suits your requirements. Deploy the integration flow.

Now you will get an email as soon as a client certificates in the certificate-to-user mapping is about to expire.

5 Comments
You must be Logged on to comment or reply to a post.
  • Thanks Mandy Krimmel  for the blog but data type – Long is not working in SAP CPI runtime where content modifier failed to catch this XPath value so passing Null to script and conversion Null to long cause whole iflow to fail so I have changed the Xpath datatype to String and modified your code as below –

    import com.sap.gateway.ip.core.customdev.util.Message;
    import java.util.Date;
    import java.util.concurrent.TimeUnit;
    import java.text.SimpleDateFormat;
    import java.time.*;

    def Message processData(Message message) {

    def body = message.getBody(java.lang.String) as String;

    // Get Properties
    map = message.getProperties();
    def Expirydate = map.get(“CertificateValidUntil”);

    // Calculate Expiry
    def time = Date.parse(“yyyy-MM-dd’T’HH:mm:ss.SSS”, Expirydate);
    def certExpiryTime = time.getTime();
    def timeNow = System.currentTimeMillis();
    def timeDiff = certExpiryTime – timeNow;
    long dateDiff = Long.valueOf(timeDiff);
    long daysExpire = TimeUnit.MILLISECONDS.toDays(dateDiff);
    def daysToExpire = String.valueOf(daysExpire);
    def certExpiryDate = Date.parse(“yyyy-MM-dd’T’HH:mm:ss.SSS”, Expirydate).format(“MM/dd/yyyy”);

    // Set Properties
    message.setProperty(“daysToExpire”, daysToExpire);
    message.setProperty(“CertExpirydate”, certExpiryDate);

    // Log Certificate
    def messageLog = messageLogFactory.getMessageLog(message);
    if(messageLog != null){
    messageLog.addAttachmentAsString(“Certificate Details”, body, “text/plain”);
    }

    return message;
    }

    •  

      Hello

      my flow works with Long without any issue. Could you maybe send me your integration flow getting the error? Or even better, open a ticket on LOD-HCI-PI-RT.

      Best regards,

      Mandy

  • Hi Mandy,

    This blog was very descriptive. I made some alterations to the blog and customized the alert as per my design. I also tried to fetch “Message processing Log” using https://<tmnUrl>/api/v1/MessageProcessingLogs . That also worked fine. But, when I try to use https://<tmnUrl>api/v1/MessageProcessingLogErrorInformations , I get an exception saying not Implemented

    Can you please tell me a wokaround that could help me to activate the same ?

     

    Thanks,

    Sidharth VR