Step-By-Step Guide To Set Up Inbound Client Certif... - SAP Community

Step-by-step Guide to Set Up Inbound Client Certificate Authentication, Cloud Foundry Environment

Daniil_Bolobono
Member

05-29-2022 8:11 AM

This blog post provides a step-by-step tutorial on how to generate a client certificate (issued by SAP) and
use it to trigger an integration flow deployed on an SAP Cloud Integration tenant in the Cloud Foundry environment.
In this example we will use Postman to mock a sender system.

Please refer to the SAP Help Portal documentation ‘Client Certificate Authentication for Integration Flow Processing’
for any additional information on the process.

Please note:
This key pair is not preinstalled when you operate a Cloud Integration trial tenant. Therefore, client certificate
inbound authentication is not supported for trial.

Configure and Deploy Integration Flow

In this example we will use a simple integration flow with a single step, a Groovy Script. This iFlow is configured to
generate a response based on the payload it was initialized with.

Make sure to set Authorization to ‘User Role’ in the connection details of your Sender Adapter. You can either leave the
User Role parameter as ‘ESBMessaging.send’ (which is the default) or specify a custom role (see Managing User Roles,
Cloud Foundry Environment for details).

If you have made any changes to your integration flow, make sure to save and deploy it.

Create Service Instance and Service Key in SAP BTP Cockpit

Next, we need to generate a client certificate that we can use to authenticate a sender when calling the integration flow
that we have just deployed. This can be done quite easily in the SAP BTP Cockpit.

Please go through the Creating Service Instance guide and create an instance with the ‘integration-flow’ service plan.

Then go through the Creating Service Key guide and create a service key with the ‘Certificate’ key type.

With that, you should be presented with the credentials of the key in JSON format. Click ‘Download’ to store the file on
your device.

Create Certificate and Key Files

Next, we need to retrieve the certificate and key pair values, format them and save them in separate files.

For that, open the .txt file you have just downloaded, locate the ‘certificate’ attribute, copy its value (it starts with
‘-----BEGIN CERTIFICATE-----’ and ends with ‘-----END CERTIFICATE-----\n’) and paste it into your favorite text/code
editor (I have used VSCode).

Now we need to format the certificate by replacing all ‘\n’ occurrences with line breaks. You can use the Find & Replace
feature of your editor for this.

Validate that your certificate looks similar to the one in the screenshot below:

Notice that there are in fact 3 certificates bundled in one. That is because the Process Integration Runtime service
instance generates a PEM-encoded certificate chain. The certificate chain contains a root certificate supported by SAP
(see Load Balancer Root Certificates Supported by SAP).

Save the certificate with a .pem extension; I named it ‘cert.pem’.

Now we need to do the same formatting for the key pair. Locate the ‘key’ attribute in the same .txt file (it starts with
‘-----BEGIN RSA PRIVATE KEY-----’ and ends with ‘-----END RSA PRIVATE KEY-----\n’), paste the value into your favorite
text/code editor and replace all ‘\n’ occurrences so it looks similar to the one in the screenshot below:

Save the key pair with a .key extension; I named it ‘key.key’.

Note: in case your text editor (e.g., Notepad++) doesn’t provide an option to replace all ‘\n’ occurrences with line
breaks, you can do the following:

Click on the Service Key you’ve created to open the credentials information, select the 'Form' tab and copy the contents
of the certificate attribute (here you can see that it doesn’t have any ‘\n’ characters).

Paste the certificate value into your text editor and format it by adding line breaks before and after
‘-----BEGIN CERTIFICATE-----’ and ‘-----END CERTIFICATE-----’, so that it looks similar to the one below (also remove any
‘\n’ characters if they are automatically added by your text editor).

Save the file with a .pem extension.

Proceed with doing the same for the key attribute. Make sure that it has a similar structure to the key you see in the
screenshot below.

Save the file with a .key extension.
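
The file preparation described in this section can also be scripted. The following Python script is an added example, not part of the original post and not SAP tooling: it relies on ‘\n’ in the downloaded file being a JSON escape, so a JSON parser restores the line breaks without any Find & Replace. The nesting of the attributes under ‘oauth’, the host ‘tenant.example.invalid’ and the placeholder PEM bodies are constructed assumptions.

```python
import json
import os
import re
import tempfile
from urllib.parse import urlparse

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.+?\n-----END \1-----\n?", re.S)

def find_credentials(node):
    """Return the first JSON object holding 'certificate' and 'key', or None (nesting is an assumption)."""
    if isinstance(node, dict):
        if "certificate" in node and "key" in node:
            return node
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            found = find_credentials(child)
            if found:
                return found

def write_private(path, text):
    """Create the file with mode 0600 (owner-only); this matters most for key.key."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", newline="\n") as fh:
        fh.write(text)

def export_service_key(service_key_json, out_dir):
    """Write cert.pem and key.key; return (host, number of certificates in the chain)."""
    creds = find_credentials(json.loads(service_key_json))  # \n escapes become line breaks here
    if creds is None:
        raise ValueError("no 'certificate'/'key' attributes found")
    cert, key = creds["certificate"], creds["key"]
    labels = [m.group(1) for m in PEM_BLOCK.finditer(cert)]
    if not labels or any(label != "CERTIFICATE" for label in labels):
        raise ValueError("'certificate' is not a PEM certificate chain")
    if not PEM_BLOCK.fullmatch(key) or "PRIVATE KEY" not in key.splitlines()[0]:
        raise ValueError("'key' is not a PEM private key")
    write_private(os.path.join(out_dir, "cert.pem"), cert)
    write_private(os.path.join(out_dir, "key.key"), key)
    return urlparse(creds["url"]).netloc, len(labels)

# Constructed sample, not a real service key: placeholder base64 bodies, hypothetical host.
_CERT = "-----BEGIN CERTIFICATE-----\\nQ09OU1RSVUNURUQ=\\n-----END CERTIFICATE-----\\n"
SAMPLE = ('{"oauth": {"url": "https://tenant.example.invalid", "certificate": "'
          + _CERT * 3 + '", "key": "-----BEGIN RSA PRIVATE KEY-----\\n'
          'Q09OU1RSVUNURUQ=\\n-----END RSA PRIVATE KEY-----\\n"}}')

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(export_service_key(SAMPLE, tmp))
```

The returned host is the value Postman expects in the Host field, and a chain count other than 3 is a sign that the certificate value was copied incompletely.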


Set Up Postman Environment and Send the Request

In your Postman application, open Settings.

Navigate to the Certificates tab and click on ‘Add Certificate’.

Locate the ‘url’ attribute in your .txt file and copy its value (everything apart from https://); this is your Host.
Attach the .pem file (as the CRT file) and the .key file. Finally, click on ‘Add’.

Next, add a new request in Postman and enter the endpoint of your deployed integration flow as the request URL. You can
grab this URL from the Cloud Integration Web UI by navigating to Monitor -> Manage Integration Content.

Finally, set the Authorization Type to ‘No Auth’ and send.

This concludes the step-by-step guide on how to set up inbound client certificate authentication for SAP Cloud Integration
in the Cloud Foundry environment. By following the steps described above you should be able to generate a certificate and
a key pair issued by SAP and use them to authenticate a sender when executing a call to a Cloud Integration iFlow.
