CarlosRoggan
SAP Cloud Integration (aka CPI) allows sending messages from an iFlow to an Event Broker via AMQP.
The AMQP adapter can be configured with Basic Authentication or with Client Certificate.
This blog post shows how to configure client certificate authentication in an iFlow for sending messages to a Solace PubSub+ Event Broker.

Overview

Part 1: Introduction
Part 2: Create Client Certificate Chain
Part 3: Configure Solace
Part 4: Configure CPI (this blog post)
   4.1. Upload Certificate Chain
   4.2. Create iFlow
   4.3. Run Scenario

Part 4: CPI

Finally: everything in the tutorial up to now was done to get a successful iFlow execution.
In CPI, just 2 tasks remain:

  1. Upload the security artifact (key and chain in p12 file)
  2. Create iFlow

Both build upon the previous sections.

4.1. Upload certificate chain to CPI Keystore

We have to make our private key and the certificate (chain) available on CPI.
To do so, we upload the p12 file (created in section 1.4) to the Keystore in CPI.

We log on to our tenant, then navigate to
“Monitor -> Integrations -> Manage Security -> Keystore”
Press “Add -> Keystore”
“Browse” to c:\solace\demostore.p12
Enter the password “abcd”
Press “Deploy”.

Afterwards, we can check the uploaded artifact:

[Screenshot: cpi_keystore.jpg]

We can see the chain with all the 3 certificates and corresponding metadata.

4.2. Create iFlow

We create a simple iFlow which does nothing but send messages to the Solace Event Broker.
It does even less than that: we don’t even need a message body.
We just want to make sure that the authentication works.

[Screenshot: iflow1.jpg]

🔶 The iFlow is triggered once after deploy, by a "Timer" start event.

🔶 The adapter is of type AMQP and Transport Protocol: TCP
     🔸 Connection Tab
          Host: copy & paste from the Solace connection data (see chapter 2.4. above)
                   Remove the protocol and the port from the copied URI
          Port: Paste the port 5671
          Authentication: Client Certificate
          Private Key Alias: "democlient" (copied from the CPI Keystore)
                  This is the name which we gave in the openssl pkcs12 command.

[Screenshot: iFlow_amqp1.jpg]

     🔸 Processing Tab
          Here we have to configure the target as “Queue”
          Enter the name, which in our example was the nice name “demo”:

[Screenshot: iFlow_amqp2.jpg]

That’s all for the iFlow configuration.
(See here for "Advanced Event Mesh" adapter)

Summary
🔹We need the URL from Solace "Connection" tab.
🔹We need the alias name from CPI Keystore.

4.3. Run Scenario

Now we can deploy the iFlow and check the result:
1. In CPI: The log at “Monitor Message Processing” should show a success message:

[Screenshot: result_cpi.jpg]

2. In the event broker: The number of “Messages Queued” should have increased:

[Screenshot: result_solace.jpg]

With that we can be happy.
🙂
We just wanted to see how certificate-based authentication can be realized with CPI and Solace via AMQP adapter.

Troubleshooting

If you get the error below, don't be surprised: the text is misleading.
The probable reason: the CA certificate is missing in Solace,
or the intermediate certificate is not being sent to Solace.

org.apache.qpid.jms.exceptions.JMSSecuritySaslException:
Client failed to authenticate using SASL: EXTERNAL

Summary

In this tutorial we’ve learned how to configure client certificate authentication for connecting CPI to Solace Event Broker.
We tried to cover nearly all involved steps.
Including:
🔹Understanding some basic knowledge about certificates.
🔹Creating and validating a certificate chain with OpenSSL.
🔹Configuring CBA in Solace.
🔹Configuring CBA in CPI.
(See here for "Advanced Event Mesh" adapter)

Quick Guide

🔷Certificate Chain:
    🔹The intermediate certificate must have CA:TRUE
    🔹The verify command is executed against the chain.
    🔹The chain must be packed into the container (p12 or jks).
    🔹The chain order: Root at the rear (last).
🔷OpenSSL:
    🔹Use -extfile option.
    🔹Build intermediate chain.
    🔹Apply verify command.
🔷Solace:
    🔹Upload the root cert.
    🔹Create username equal to “CN”.
    🔹Username must be set to "Enabled".
🔷CPI:
    🔹Upload the chain, not only the client cert.
        Reason: the chain must be sent to Solace, as at Solace only the root is known.
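The Troubleshooting section and the Quick Guide both boil down to checks you can run on the p12 before uploading it to the CPI Keystore: does it carry all 3 certificates, does the intermediate have CA:TRUE, and does the client cert verify against the chain packed beside it. The script below is an added example, not code from the blog post; it assumes openssl is in PATH and builds its own throwaway root -> intermediate -> client chain (all subject names and file names are constructed for the demo).

```shell
#!/bin/sh
# Added example (not from the blog post): build a demo chain with OpenSSL, pack it into
# a p12 the way CPI expects, then run the Quick Guide checks on that p12.
set -eu
WORK="${WORK:-$(mktemp -d)}"
P12="$WORK/demostore.p12"; PASS="abcd"; ALIAS="democlient"

# Issue a short-lived demo chain. The intermediate gets CA:TRUE via -extfile;
# the client certificate is explicitly CA:FALSE.
build_demo_chain() {
  cd "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > client.ext
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=DemoRoot \
    -keyout root.key -out root.crt 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj /CN=DemoIntermediate \
    -keyout inter.key -out inter.csr 2>/dev/null
  openssl x509 -req -days 1 -in inter.csr -CA root.crt -CAkey root.key \
    -CAcreateserial -extfile ca.ext -out inter.crt 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$ALIAS" \
    -keyout client.key -out client.csr 2>/dev/null
  openssl x509 -req -days 1 -in client.csr -CA inter.crt -CAkey inter.key \
    -CAcreateserial -extfile client.ext -out client.crt 2>/dev/null
  # Chain order: intermediate first, root at the rear.
  cat inter.crt root.crt > chain.pem
  # -certfile packs the whole chain, not only the client cert, into the container.
  openssl pkcs12 -export -inkey client.key -in client.crt -certfile chain.pem \
    -name "$ALIAS" -passout "pass:$PASS" -out "$P12"
}

# Count certificates inside the p12 (expect 3: client + intermediate + root).
p12_cert_count() {
  openssl pkcs12 -in "$P12" -nokeys -passin "pass:$PASS" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Verify the client cert against the CA certs carried in the same p12. A failure
# here predicts the misleading "SASL: EXTERNAL" error seen at the Solace side.
p12_chain_verifies() {
  openssl pkcs12 -in "$P12" -clcerts -nokeys -passin "pass:$PASS" -out "$WORK/leaf.pem" 2>/dev/null
  openssl pkcs12 -in "$P12" -cacerts -nokeys -passin "pass:$PASS" -out "$WORK/cas.pem" 2>/dev/null
  openssl verify -CAfile "$WORK/cas.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Confirm the intermediate really is a CA (CA:TRUE), as the Quick Guide requires.
intermediate_is_ca() {
  openssl x509 -in "$WORK/inter.crt" -noout -text | grep -q 'CA:TRUE'
}
```

Run the same three checks against your real p12 by pointing P12 and PASS at it; a count of 1 means only the client cert was packed, which is exactly the case the Troubleshooting section describes.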

🎉🎉🎉🎉🎉🎉🎉