Client Certificate Based Authentication for HTTPS/IDOC Inbound Connection in SAP CPI
HTTPS Inbound Connection:
A system sending a message to the cloud-based integration platform over HTTPS as the secure transport channel is not directly connected to the tenant. Instead, a load balancer component sits in between: it terminates all inbound HTTPS requests and establishes a new secure connection towards the tenant. This matters for certificate-based authentication, because the TLS handshake, and with it the validation of the client certificate chain, happens at the load balancer; the tenant only receives the already-validated client certificate and decides which user it belongs to.
In this blog I am going to explain the inbound HTTPS connection with client certificate based authentication, which I set up a long time ago by following Mandy's blog. Below is the flow diagram for the request propagation from the sender to the iFlow and the certificate exchange between the sender and SAP CPI.
It is a pretty straightforward configuration once you follow all the steps in sequence. I will provide the steps for pushing data to SAP CPI from Postman with client certificate based authentication. You will need:
- The Postman desktop application, which supports certificate based authentication.
- SAP CPI access for creating the iFlow and downloading the load balancer root certificate.
- A client certificate signed by a CA that the load balancer trusts.
CA list trusted by SAP Cloud Platform Load Balancer:
We are using Postman as a stand-in for the sender client and hence will use an SAP Passport as the client certificate. Go to the URL below, sign in with any S-user and request a Passport. You can enter any passphrase during the request; it can be different from your account password. The passphrase is what protects the private key inside the Passport file, so choose a strong one and treat the file itself like a credential.
URL for Generating SAP Passport:
This Passport works as the CA-signed sender client certificate: a .pfx file that contains the private key, the public certificate and the CA chain.
Getting the Load Balancer Certificate (ref. Mandy's blog):
The easiest way to get the load balancer root certificate is the Connectivity Test in the cloud integration tenant. The Connectivity Test is available in the Operations view of the Web UI, in the Manage Security Material section. Selecting the Connectivity Tests tile on the Overview page opens the test tool, which offers tests for different protocols. To connect to a cloud integration tenant via the load balancer and get the root certificate, select the TLS option. Enter the URL of your runtime node (the URL you want to call from your sender backend) in the Host field. The host name of the runtime node has the format <tenant>-iflmap.<data center>.hana.ondemand.com:
Execute the connectivity test. If there is an error you may have to uncheck the option 'Validate Server Certificate'. The response screen lists the certificates of the load balancer, because the SSL/TLS connection is terminated there. Use the Download option to save them: a certificates.zip file containing all the certificates is created in your local download directory. From the zip file, pick the *.cer file of the root certificate and import it into the trust store of the sender system. Unchecking server validation is only a workaround for the test itself; before you hand the root certificate to a sender, confirm it is the genuine public root (for example by comparing its fingerprint with the one the CA publishes) rather than trusting whatever the test happened to return.
Furthermore, if you want to use Client Certificate authentication, the sender system keystore needs to contain a key pair signed by one of the CAs supported by the load balancer.
Note that only root certificates are imported into the keystore of the SAP load balancer. Therefore you, as the customer, must always present the whole certificate chain (client certificate plus any intermediate CA certificates) so that the connected component can evaluate the chain of trust; a client that sends only its leaf certificate is rejected at the TLS handshake, before any iFlow is reached.
You need to share the SAP CP load balancer root certificate with the client so that they can add it to their trust store. The client in turn shares their CA-signed client certificate (the public certificate only, never the private key), which needs to be imported into the SAP CPI keystore and mapped to a user. The load balancer authenticates the incoming request by validating the certificate chain against the CAs it trusts, and CPI then uses the mapping to establish which user the connection belongs to.
SAP Cloud Platform configuration:
You can enable certificate based authentication in below two ways :
- Directly importing client certificate in our I-Flow
- Create a custom role and user. Map your certificate with the custom user.
SAP recommends the second option, because you do not need to redeploy your iFlow when the certificate is renewed, and the same user can be used for multiple certificates: map every certificate belonging to that user in the certificate-to-user mapping tab.
Creating a Custom Role and User:
Go to Subaccount -> Subscriptions -> <tenant>iflmap.
Click on Roles -> Custom Role.
You can choose any role name and user name; the user need not be an S- or P-user. The role will appear in the iFlow under the User Role drop-down, next to ESBMessaging.send.
You are done with the user and role creation in the Cockpit. To configure certificate-to-user mappings, your user needs the group role AuthGroup.Admin or the single roles IntegrationOperationServer.read, NodeManager.deploysecuritycontent and NodeManager.read.
Generating the Client Certificate from the SAP Passport:
The SAP Passport is a private/public key pair, so you need to extract the certificate from it. The simplest method is to import the Passport as a key pair into the SAP CPI keystore and then click Download certificate to get the client certificate. This certificate is what goes into the keystore entry and the certificate-to-user mapping.
Note: delete the key pair afterwards. It is not needed for this integration, and the sender's private key should not remain in the tenant keystore; the mapping only ever needs the public certificate.
Next Step will be to import the SAP Passport certificate generated in above step to the KeyStore.
After that, define the certificate-to-user mapping under Manage Security Material in CPI. The user is the same one defined in the subaccount.
The last step on the CPI side is selecting the custom role in the iFlow's User Role setting.
We are done with the required configuration in SAP CPI. Now we will configure the Client/Postman to send the data to our flow.
Configure Certificate based authentication in Postman.
Click on Settings tab in top right bar of Postman.
After selecting this you get a popup for adding certificates. Add the Passport here, which is a .pfx file, and provide the passphrase you used when requesting it.
Host is the CPI tenant endpoint, i.e. the <tenant>-iflmap.<data center>.hana.ondemand.com host name without a path.
Create a POST request and enter the CPI iFlow endpoint as the URL. Under Authorization select No Auth: the identity comes from the TLS client certificate, not from a header.
Once you click Send, the message flows through CPI without any issue and you see Status 200 OK in Postman.
Note: you do not need to import the load balancer root certificate into Postman, because with SSL certificate verification switched off it does not validate the load balancer's certificate. That is acceptable for a quick test only; a real sender must validate the server, so when you test with the actual client, share the load balancer root certificate with them.
The Postman Chrome extension may not offer an option for importing certificates; use the desktop version of Postman.
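The same preparation done from the sender side with OpenSSL and curl, as an added example that is not part of the original post. It covers the two steps the post does in the UI: extracting the public client certificate from the Passport .pfx (instead of importing the private key into the CPI keystore and clicking Download certificate) and checking that the certificate chains to a CA before the load balancer gets to reject it. The Passport used here is a constructed stand-in (a throw-away CA plus a client key pair packaged as PKCS#12); the passphrase, the demo subject "P0000001" and the iFlow path /http/demo are assumptions. The two functions that talk to the real tenant are shown but not executed, since they need network access.

```shell
#!/bin/sh
# Added example, not the original post's code. Constructed demo data throughout.
set -eu

WORK="$(mktemp -d)"
PASSPHRASE="changeit"          # assumption: passphrase chosen when the passport was requested

# Stand-in for the SAP Passport: throw-away CA + client key pair signed by it,
# bundled the same way (private key + leaf cert + chain in one .pfx).
make_demo_passport() {         # $1 = output .pfx
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo Passport CA/O=Example" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=P0000001/O=SAP Trust Community" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/client.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/client.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.crt" \
    -certfile "$WORK/ca.crt" -passout "pass:$PASSPHRASE" -out "$1"
}

# Keep only PEM certificate blocks (drops the "Bag Attributes" lines pkcs12 emits).
pem_certs_only() { sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'; }

# Public client certificate only: this is what goes into the CPI keystore and the
# certificate-to-user mapping. The private key never leaves the sender.
extract_client_cert() {        # $1 = pfx  $2 = passphrase  $3 = output .cer
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys | pem_certs_only > "$3"
}

# CA chain bundled in the passport. The load balancer only holds root CAs, so the
# sender must present the intermediates along with its leaf certificate.
extract_chain() {              # $1 = pfx  $2 = passphrase  $3 = output .pem
  openssl pkcs12 -in "$1" -passin "pass:$2" -cacerts -nokeys | pem_certs_only > "$3"
}

# Exit status 0 only if the leaf chains to a CA in the bundle; otherwise the load
# balancer would reject the TLS handshake before the iFlow is ever reached.
verify_chain() {               # $1 = CA bundle  $2 = leaf cert
  openssl verify -CAfile "$1" "$2" > /dev/null
}

# Subject DN in RFC 2253 form, which is what you map to the custom CPI user.
cert_subject() {               # $1 = cert
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# --- Calls against the real tenant: shown, not run (need network access) ---------
# openssl equivalent of the Connectivity Test TLS tab: prints the load balancer's
# own chain and the "Acceptable client certificate CA names" it will accept.
show_lb_handshake() {          # $1 = host:443
  openssl s_client -connect "$1" -showcerts </dev/null
}
# POST to the iFlow. --cacert pins the downloaded load-balancer root; --cert with
# --cert-type P12 presents the passport, chain included. Endpoint path is assumed.
send_to_cpi() {                # $1 = lb root .cer  $2 = passport .pfx  $3 = passphrase
  curl --fail --show-error --cacert "$1" --cert-type P12 --cert "$2:$3" \
    -H 'Content-Type: application/json' --data '{"ping":"ok"}' \
    "https://<tenant>-iflmap.<data center>.hana.ondemand.com/http/demo"
}

PFX="$WORK/passport.pfx"; CLIENT_CER="$WORK/client.cer"; CHAIN="$WORK/chain.pem"
make_demo_passport "$PFX"
extract_client_cert "$PFX" "$PASSPHRASE" "$CLIENT_CER"
extract_chain "$PFX" "$PASSPHRASE" "$CHAIN"
verify_chain "$CHAIN" "$CLIENT_CER"
SUBJECT="$(cert_subject "$CLIENT_CER")"
echo "map this subject to the custom CPI user: $SUBJECT"
```

With a real Passport, replace make_demo_passport with the downloaded .pfx and its chain; the client.cer produced by extract_client_cert is the file to upload to the CPI keystore and select in the certificate-to-user mapping, and the subject printed at the end is the name you will see there. Running verify_chain against the sender's own CA bundle before the first test call saves a round of guessing when the load balancer closes the connection without an HTTP response.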
Reference Blogs: