X.509 certificate-based authentication(mTLS) – Communicating with services using SAP destination service(Java)

Written in collaboration with: Santosh Kumar

Previous Blogs:

1. [Blog Series] X.509 certificate-based authentication(mTLS) – Demystified
2. Generating X.509 certificates of BTP managed services

Introduction:

This is the third blog in this blog post series. This blog will focus on how to communicate to various services which support x.509 certificate authentication using the SAP Destination service.

Content:

1. Uploading certificate to destination service
2. Creating destination with certificate authentication
3. Using the destination in code to call the service endpoint
4. Summary

1) Uploading certificate to destination service

There are multiple formats supported by SAP Destination Service like JKS, PFX, PEM and P12. For more info, please refer here

Steps to upload certificate:

1. Go to the SAP BTP subaccount and click on Destinations on the left-hand side
2. Click on Certificates
3. Click on Upload Certificate and select the .p12 (or any valid format) certificate we generated in
   the blog Generating X.509 certificates of BTP managed services
   
   

2) Creating destination with certificate authentication

1. Once the certificate is uploaded, click on New Destination
2. Select the Authentication as OAuth2ClientCredentials
3. Click the Use mTLS for token retrieval for changing client secret to certificate-based input
4. If the Use mTLS for token retrieval is disabled, enter the Token Service URL to enable it
5. URL field should contain the base URL of the service with which our microservice will communicate
6. In the Token Service Key Store Location, we select the certificate uploaded in the previous step
7. Token Service Key Store Password is the password we set in the blog Generating X.509 certificates of BTP managed services
8. for creating the certificate
9. The Token Service URL is different from the regular token URL, it would be mentioned as certurl in the service key file, and then we append /oauth/token to it.
10. The destination is now ready to be consumed in the code.

3) Using the destination in code to call the service endpoint

• SAP Cloud SDK has made it easier to call the destination we configured without any custom call using WebClient or RestTemplate in Java. Refer to this for documentation
• The SAP Cloud SDK leverages the existing API of HttpClient and applies conveniently managed properties according to the destination configuration.
• Code sample for sending a POST call to the service endpoint:

  public HttpResponse postUsingCertificateOAuth(HttpDestination httpDestination, String body, String url) {
  	final HttpClient httpClient = HttpClientAccessor.getHttpClient(httpDestination);
      HttpPost post = new HttpPost(url);
  	StringEntity entityInput = null;
  	try {
  		entityInput = new StringEntity(body);
  	} catch (UnsupportedEncodingException e) {
  		LOGGER.error("Json processing exception thrown", e.getMessage(), e.getCause());
  		throw new CertificateOAuthException(e.getMessage());
  	}
  
  	post.setHeader(HttpHeaders.ACCEPT, MediaType.APPLICATION_JSON_VALUE);
      post.setHeader(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE);     
      post.setEntity(entityInput);
  
  	HttpResponse response=null;
      try {
      	response = httpClient.execute(post);
  	} catch (IOException e){
  		LOGGER.error(e.getMessage(), e.getCause());
  		throw new CertificateOAuthException(e.getMessage());
  	}
      return response;
  }

• In the above code:
  • The HttpDestination is the destination we configured above, which can be fetched using the Destination library provided by Cloud SDK
  • The request body is sent to the service endpoint in the POST call
  • URL is the service endpoint to which we send the POST call. It can be fetched from the URL parameter we configured in Destination and appended as per requirement.
  • Similarly, GET and PUT requests can also be sent to the service using HttpClient

4) Summary

In this Blog, we have learnt how to communicate to a service using destination service and certificate-based authentication. The following blog will cover communicating to services bound to our application using VCAP environment variables.

Upcoming Blogs:

1. Communicating with services using VCAP environment variables(Java)

Please let us know if you find this content helpful and share any inputs and feedback.