Technology Blogs by Members
Explore a vibrant mix of technical expertise, industry insights, and tech buzz in member blogs covering SAP products, technology, and events. Get in the mix!
cancel
Showing results for 
Search instead for 
Did you mean: 
santhosh_kumarv
Active Contributor

Disclaimer


The method shown in this blog exposes all security materials deployed in a tenant. Hence the usage of it should be carefully evaluated and should be used at your own risk.

Introduction


A few weeks ago I wrote a blog SAP CPI – High Availability using Azure Traffic Manager about HA solution. The foundation of HA is to clone the Primary Instance and build a Secondary SAP CPI instance. While cloning of Package and IFlow Configuration can be done with Platform APIs the security artifacts require a custom solution since the platform API doesn't allow reading the passwords or private key. In this blog, I will show how we can leverage an IFlow (which by architecture has access to the security artifact at runtime for connectivity) to read the security material and respond to an API call. This API response can be used to programmatically create/update the security artifacts in the secondary tenant using platform APIs. This approach can also be used in Neo to CF migration for fetching Security Materials.


The scope of this blog will limit only to fetching the Security artifacts and not replicating them to a target instance.



The Solution



Integration Flow


Create an IFlow to expose individual endpoint for below

  • User Credentials - Default, Open Connectors, SuccessFactors, and Security Parameter

  • OAuth Client Credentials

  • Keypair - Private and Public key in PEM format


In each resource branch, we will fetch the respective Security Artifacts deployed in the tenant using the platform APIs. Then loop through the artifacts to read the credentials from Runtime using Groovy Script that will leverage API interfaces such as com.sap.it.api.securestore.* and com.sap.it.api.keystore.* accessed through Factory class i.e. ITApiFactory.


Important: Do not have this IFlow protected with the default ESBMessaging.send role. Create a Custom role and limit the assignment.



The Script


Below is the Script line(s) that are key for retrieving the password / private key (but not the complete executable script that is part of the IFlow solution).



//Get the Service Instance of the SecureStoreService API 
def service = ITApiFactory.getService(SecureStoreService.class, null);
//Read the credential of a given alias
def credential = service.getUserCredential(<alias>);
//Read the User Name or password
def unm = credential.getUsername();
def pwd = credential.getPassword();

The above code is to retrieve the password of the User Credential(default, OpenConnectors & Successfactors), Security Parameters, and OAuth-Client Credentials.


Similarly, the below code is to read the Key Pair and retrieve the Public and Private Key.



//Get the Service Instance of the KeystoreService API 
KeystoreService service = ITApiFactory.getService(KeystoreService.class, null);
//Read the Public Certificate of a given alias
Certificate pCer = service.getCertificate(<alias>);
//Get Byte encoded data of the Certificate, then Base64 encode it to a String
String pCerB64Enc = new String(Base64.getEncoder().encode(pCer.getEncoded()));
//Read the Private Key of a given alias
Key pKey = service.getKey(Alias);
//Get Byte encoded data of the Private Key, then Base64 encode it to a String
String pKeyB64Enc = new String(Base64.getEncoder().encode(pKey.getEncoded()));

 

API Endpoint and Testing


This IFlow will listen and respond to below 3 Endpoints.


Get User Credential Testing



Get OAuth Client Credential Testing



Get Key Pair Testing


 

Download the IFlow


You can download the IFlow as Utility_SecurityMaterial.zip from this SAP_CPI GIT Repository. It has below 4 Configuration Parameter


























Name Value
Address API URL Path
User Role Role to protect this API Endpoint
Host Your SAP CPI TMN Host URL
Credential Name Alias of the Credential to invoke Platform APIs

 
8 Comments
Labels in this area