Technology Blogs by SAP
KC
Product and Topic Expert
This blog outlines the steps required to set up client certificate-based authentication when sending messages from SAP SuccessFactors Integration Center to SAP Cloud Integration.

Pre-Read:

Cloud Integration on CF – How to Setup Secure HTTP Inbound Connection with Client Certificates | SAP...

Scenario:

  • System to system Employee data Integration scenario

  • Target system needs real-time Employee data synchronization.

  • Integration scenario involves SAP SuccessFactors Intelligent services, SAP Cloud Integration and SAP SuccessFactors Integration Center


Design:


Pre-Requisites:

  1. SAP BTP Cloud Foundry based account

  2. SAP SuccessFactors which is Employee Central enabled

  3. Ensure that “Process Integration Runtime” is assigned for the Global Account in SAP BTP, under entity assignments

  4. Ensure that your SAP Cloud Integration tenant has “sap_cloudintegrationcertificate” (Understanding sap_cloudintegrationcertificate) as the key pair in Manage Keystore (Monitor)


Note:

  • SAP Cloud Integration trial tenants do not have “sap_cloudintegrationcertificate”.

  • An SAP Cloud Integration tenant purchased through the Non-Commercial Licensing (NCL) (formerly known as SAP Partner Licensing Services) agreement has the “sap_cloudintegrationcertificate”.

  • The steps below use the “http” sender adapter in SAP Cloud Integration and the SAP SuccessFactors Integration Center destination type “REST”.


Steps to be followed:

Create user role in the SAP Cloud Integration Tenant


Create a specific user role in the SAP Cloud Integration tenant. This role will be used in the sender adapter.


Note: This image was taken from a Test, Develop, Demonstration License based system

Create a service Instance in SAP BTP Sub Account



  1. Basic Info to be chosen is as follows

    • Service = Process Integration Runtime

    • Plan = integration-flow



  2. Parameters should be created with

    • grant-type “Client Credentials” (If you previously chose client_x509, note that it is no longer available.)

    • The above available Role Template should be bound to the service instance (This ensures the role to certificate mapping)





Note: This image was taken from a Test, Develop, Demonstration License based system

Create key pair in SAP SuccessFactors Security Center



  • To create a service key in the service instance, you need the public key

  • The key pair must be created in SAP SuccessFactors, as it is the client in this scenario

  • While generating the certificate, please use Certificate Authority as “SAP Cloud Root CA”. (By default, the validity is 1 year only)



Note: This image was taken from a Test, Develop, Demonstration License based system

The cert will look like this



Create service Instance key with the above public certificate


Obtain the X509 certificate from SAP SFSF Security Center. When copying the certificate into the service instance key, make sure to copy the full certificate, including the marker lines (-----BEGIN CERTIFICATE-----<certificate>-----END CERTIFICATE-----)

Configure the SAP Cloud Integration Process flow and SAP SuccessFactors Integration Center


Assign the role in the HTTP sender adapter of the iflow


Deploy the iflow and obtain its URL, then maintain that URL in the SAP SuccessFactors Integration Center destination settings


Note: This image was taken from a Test, Develop, Demonstration License based system

Conclusion:

  • This is public key-based authentication (SAP SuccessFactors Integration Center to SAP Cloud Integration)

  • This type of client certificate-based authentication should be used only for data integration scenarios and is not a preferred method for scenarios where user propagation is required

  • This is a preferred method for production-grade deployments, as it leaves the handling of keys to the SAP BTP cockpit/security admin, while integration developers only need to use the roles

  • Once the key pair in SAP SuccessFactors Security Center expires, a new key pair must be generated, the Integration Center definition must be updated with the new certificate key pair, a new service instance key must be created in SAP BTP cockpit, and the old one must be deleted.
