Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

X.509 certificate-based authentication(mTLS) – Communicating with services using SAP destination service(Java)

rishabhdhakarwal
Product and Topic Expert
Product and Topic Expert
‎10-01-2022 7:05 AM
Written in collaboration withsantosh.kumar97

Previous Blogs:

  1. [Blog Series] X.509 certificate-based authentication(mTLS) – Demystified

  2. Generating X.509 certificates of BTP managed services


Upcoming Blog:

  1. Communicating with services using VCAP environment variables(Java)


Introduction:


This is the third blog in this blog post series. This blog will focus on how to communicate to various services which support x.509 certificate authentication using the SAP Destination service.

Content:



  1. Uploading certificate to destination service

  2. Creating destination with certificate authentication

  3. Using the destination in code to call the service endpoint

  4. Summary


1) Uploading certificate to destination service


There are multiple formats supported by SAP Destination Service like JKS, PFX, PEM and P12. For more info, please refer here

Steps to upload certificate:

  1. Go to the SAP BTP subaccount and click on Destinations on the left-hand side

  2. Click on Certificates

  3. Click on Upload Certificate and select the .p12 (or any valid format) certificate we generated in
    the blog Generating X.509 certificates of BTP managed services



2) Creating destination with certificate authentication



  1. Once the certificate is uploaded, click on New Destination

  2. Select the Authentication as OAuth2ClientCredentials

  3. Click the Use mTLS for token retrieval for changing client secret to certificate-based input

  4. If the Use mTLS for token retrieval is disabled, enter the Token Service URL to enable it

  5. URL field should contain the base URL of the service with which our microservice will communicate

  6. In the Token Service Key Store Location, we select the certificate uploaded in the previous step

  7. Token Service Key Store Password is the password we set in the blog Generating X.509 certificates of BTP managed services

  8. for creating the certificate

  9. The Token Service URL is different from the regular token URL, it would be mentioned as certurl in the service key file, and then we append /oauth/token to it.

  10. The destination is now ready to be consumed in the code.


3) Using the destination in code to call the service endpoint



  • SAP Cloud SDK has made it easier to call the destination we configured without any custom call using WebClient or RestTemplate in Java. Refer to this for documentation

  • The SAP Cloud SDK leverages the existing API of HttpClient and applies conveniently managed properties according to the destination configuration.

  • Code sample for sending a POST call to the service endpoint:
    public HttpResponse postUsingCertificateOAuth(HttpDestination httpDestination, String body, String url) {
    
	final HttpClient httpClient = HttpClientAccessor.getHttpClient(httpDestination);
    
    HttpPost post = new HttpPost(url);
    
	StringEntity entityInput = null;
    
	try {
    
		entityInput = new StringEntity(body);
    
	} catch (UnsupportedEncodingException e) {
    
		LOGGER.error("Json processing exception thrown", e.getMessage(), e.getCause());
    
		throw new CertificateOAuthException(e.getMessage());
    
	}
    

    
	post.setHeader(HttpHeaders.ACCEPT, MediaType.APPLICATION_JSON_VALUE);
    
    post.setHeader(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE);     
    
    post.setEntity(entityInput);
    

    
	HttpResponse response=null;
    
    try {
    
    	response = httpClient.execute(post);
    
	} catch (IOException e){
    
		LOGGER.error(e.getMessage(), e.getCause());
    
		throw new CertificateOAuthException(e.getMessage());
    
	}
    
    return response;
    
}


  • In the above code:

    • The HttpDestination is the destination we configured above, which can be fetched using the Destination library provided by Cloud SDK

    • The request body is sent to the service endpoint in the POST call

    • URL is the service endpoint to which we send the POST call. It can be fetched from the URL parameter we configured in Destination and appended as per requirement.

    • Similarly, GET and PUT requests can also be sent to the service using HttpClient




4) Summary


In this Blog, we have learnt how to communicate to a service using destination service and certificate-based authentication. The following blog will cover communicating to services bound to our application using VCAP environment variables.

Upcoming Blogs:

  1. Communicating with services using VCAP environment variables(Java)


Please let us know if you find this content helpful and share any inputs and feedback.
2 Comments
Labels in this area
Popular Blog Posts