Skip to Content
Technical Articles

Securing your Microservice on SAP Cloud Platform using API Management with Basic Authentication for Last-Mile Security

This technical blog post intends to guide you through the steps involved for protecting a Node.JS microservice with basic authentication and exposing it using API management on the SAP Cloud Platform.

To learn more about SAP API Management, have a look Elijah Martinez’s comprehensive collection of links : SAP API Management – Overview & Getting started.

Secure Access to the API with Basic Authentication

Let’s start with the target API. As an example, you can use the following “Hello World” Node.js application written with the Express web framework. A rudimentary way to protect it is to use the express-basic-auth middleware to enforce HTTP basic authentication:

const express = require('express');

const basicAuth = require('express-basic-auth');

const app = express();

app.use(basicAuth({

  users: {"admin": "supersecret"}

}));

app.get("/hello", (req, res) => res.send("Hello World!"));

var server = app.listen(process.env.PORT || 8080, () => {

  console.log('API started. Listening on port %d', server.address().port);

});

 

This ensures that unauthenticated requests to the API get a 401 Unauthorized response.

Your API should be accessible to API Management, for instance it can be pushed to Cloud Foundry using a manifest.yml file:

---

applications:

- name: helloworld-basicauth

  memory: 64M

  instances: 1

  buildpack: nodejs_buildpack

 

In the rest of this guide, we assume that your API is available at helloworld-basicauth.cfapps.eu10.hana.ondemand.com and that it can be accessed only by using the basic authentication credentials. The idea is that these credentials are known only to API Management, so that the API can be accessed only by traversing the API proxy.

Create an Instance of API Management on SAP Cloud Platform (Neo)

To create an instance of API Management on SAP Cloud Platform (Neo), you need a destination P-user for setting up secure connectivity between the API portal and the Developer portal. Please make sure that the password is not expired with the P-user you are trying to do the on-boarding with and try to perform all the process in incognito.

In the Neo subaccount, under Services, in the Integration section, enable API Management.

Ensure the following roles are being allocated for both API portal and Developer portal:

API portal :

  • APIPortal.Administrator
  • APIPortal.Service.CatalogIntegration

Developer portal :

  • AuthGroup.ContentAuthor (this role is for destination user)
  • AuthGroup.API.Admin (to access the Developer portal)

Onboard the account: Click Access API Portal to configure the API management service, enter a virtual host and the destination user. Wait for the account to be onboarded.

Complete the provisioning process: Follow the on-screen instructions, i.e. create an incident with the subject “Provisioning Request” with the account details on the component OPU-API-OD-OPS.

Create an Instance of API Management on SAP Cloud Platform (Cloud Foundry)

For a better overview, you can also link to your API Management instance on SAP Cloud Platform (Neo) out of SAP Cloud Platform (Cloud Foundry). For more information, see API Management as a Service on SAP Cloud Foundry and follow the instructions for the lite plan.

Note that with the starter plan, it is also possible to create an instance of API Management directly out of SAP Cloud Platform (Cloud Foundry), however this requires providing an SAP Cloud Platform (Neo) account admin user name and password.

Configure API Management to Use the Basic Authentication Policy

Store the basic authentication password in an encrypted key/value map:

  • In the API Portal, in the Configure tab, Create a Key Value Map with the name BasicAuthCredentials. Add two entries for username and password, providing the values required by your API, and check Encrypt Key Value Map before clicking the Save button.

Register the API, enable the proxy to access it, and protect the proxy :

  • In the API Portal, in the Develop tab, declare the API based on the URL where it is deployed, e.g. https://helloworld-basicauth.cfapps.eu10.hana.ondemand.com. Give it a name, e.g. HelloWorld, a Title, e.g. Hello World API. Also provide an API Base Path e.g. /v1.
  • Add the resources you want to expose, e.g. the GET operation for the Path Prefix /hello
  • While the API is in Edit mode, click the Policies button in the menu. This opens the Policy Editor. This editor works best in Chrome.
  • Read the basic authentication key/value map: Select the PreFlow from the TargetEndpoint and add Key Value Map Operations from the Mediation Policies section, e.g. with the name getCredentials.
    <KeyValueMapOperations mapIdentifier="BasicAuthCredentials" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
      <Get assignTo="private.BasicAuthUsername" index='1'>
        <Key><Parameter>username</Parameter></Key>
      </Get>
      <Get assignTo="private.BasicAuthPassword" index='1'>
        <Key><Parameter>password</Parameter></Key>
      </Get>
      <Scope>environment</Scope>
    </KeyValueMapOperations>
    
  • Pass the basic authentication credentials to the API by using the basic authentication policy (outbound encoding) : Still in the PreFlow from the TargetEndpoint, add a Basic Authentication policy from the Security Policies section. Give it a policy name, e.g. with the name ApplyBasicAuthHeaders. Note that the variable names for storing values from encrypted key/value maps need to be prefixed with private..
    <BasicAuthentication continueOnError='false' enabled='true' xmlns='http://www.sap.com/apimgmt'>
      <Operation>Encode</Operation>
      <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
      <User ref='private.BasicAuthUsername'></User>
      <Password ref='private.BasicAuthPassword'></Password>
      <AssignTo createNew="true">request.header.Authorization</AssignTo>
    </BasicAuthentication>
    

  • Protect the API proxy by adding an API Key verification : Select the PreFlow from the ProxyEndpoint and add a Verify API Key policy, for instance with the name verifyAPIKey.
    <VerifyAPIKey continueOnError='false' enabled='true' 
    xmlns='http://www.sap.com/apimgmt'>
      <APIKey ref='request.header.APIKey '/>
    </VerifyAPIKey>
    

  • Confirm by clicking Update in the Policy Editor, then Save the changes to the API.
  • Finally, Deploy the API (the corresponding button is accessible in the  menu)

Publish the API on the Developer Portal:

  • In the Develop tab of the API PortalCreate a new Product containing the API and Publish it.
  • Now your API is available on your Developer Portal.

Consume the API

In the Developer Portal, create an Application and associate your Product so that the application will be granted access to your API. Take note of the Application Key.

Finally, using a REST client of your choice, send a GET request to the /hello resource of your API and provide the Application Key in the APIKey request header.

Voilà. The application is able to identify itself against the API proxy. The API proxy denies any other request, and it is able to get through the last-mile basic authentication protection of the API.

Be the first to leave a comment
You must be Logged on to comment or reply to a post.