Using Adapter Outbound Security

Objective

After completing this lesson, you will be able to use outbound security for adapters.

Adapter Outbound Security

In this lesson, the following topics are discussed:

  • Outbound Security for Adapters.
  • Establishing a secure connection to the receiver using certificates.
  • Implement the required authentication and authorization process for the OData adapter to communicate with the receiver.

Outbound Security for Adapters

The procedures for implementing authentication and authorization against the receiver depend on the type of adapter used. However, TCP-based adapters have a common pattern: an HTTPS connection is created using certificates, and the actual authentication is then performed on top of it. In practice, this means that the recipient's certificate must be imported into the Cloud Integration tenant.

The establishment of a secure TCP connection requires the use of TLS with certificates. SAP provides a dedicated tool for verifying and importing the necessary certificates specific to the recipient.

The authentication and authorization process is adapter-specific and is described below for the OData adapter.

Establishing a Secure Connection to the Receiver Using Certificates

How can we ensure that the message is delivered to the recipient properly? In this scenario, the connection is established directly between the receiver adapter and the receiver.

The graphic shows an example of a direct receiver and a sender adapter and the connection between them. Information about the connection is provided in the next paragraph.

To establish a secure connection with the receiver, it is necessary to perform authentication and authorization. This process also involves setting up an HTTPS connection through certificates, which can also be used for further authentication and authorization. Ultimately, the receiver decides which type of authentication and authorization is used.

We demonstrate it again with the example of the OData adapter. In this training's exercises, we have set up policies for the API Management to avoid the need for authentication.

Locate and Import the Certificates for the Receiver and the Certificate Chain for the Server

Cloud Integration provides a helpful tool called Test Connectivity to find and import the required receiver certificates and their server certificate chain.

Procedure

  • Navigate to Monitor > Integrations > Manage Security > Test Connectivity.
  • Choose your protocol.
  • Fill in the necessary data.
  • Choose the Send button.
  • Download the certificates.
  • Import the certificates at Monitor > Integrations > Manage Security > Manage Keystore > Add > Certificate.

Note

The following screenshots address twitter.com as receiver.

Further explanations:

Choose the Protocol and Enter all Necessary Data

Choose the protocol and enter all necessary data:

Choose TLS, enter all necessary data, and choose Send.

Choosing the Send button provides the certificates. Choose the Download button:

Choose Download.

Decompress the downloaded file:

Screenshot of the certification.

Navigate to Monitor > Integrations > Manage Security > Manage Keystore > Add > Certificate. Add all certificates separately from your decompressed file.

The server certificates chain:

Screenshot of the server certificates chain.

The Twitter certificate:

Screenshot of the Twitter certificate.

The imported certificates:

Screenshot of the imported certificates.

A secure HTTPS connection to twitter.com can now be established from your integration flow.

Implement the Necessary Authentication and Authorization Against the Receiver for OData Adapters

As previously mentioned, certificates are primarily used to establish the HTTPS connection. Additional steps are therefore often required for authentication and authorization.

The Connection tab of the OData Adapter offers various options for authentication and authorization.

These are:

  • Basic
  • Client Certificate
  • None
  • OAuth2 Client Credentials
  • OAuth2 SAML Bearer Assertion

All these options must first be configured under Monitor > Integrations > Manage Security > Manage Security Material. Except for the client certificate, all authentication options can be found there.

Screenshot of the security options.

Implement an API key based authentication and authorization

It is common to use an API key for authentication and authorization, even though there is no configuration option for it in the setting options of the OData Adapter. It is demonstrated here:

Procedure

  • Copy the API key from your API.
  • Place and configure a Content Modifier in front of the call component with the OData adapter.
  • Enter a Message Header with the API key value.
  • Configure the OData adapter at the Connection tab at Authentication with None.
  • At the Processing tab, enter the APIkey in the Request headers fields.

The graphic shows the setup of the API key within the Content Modifier component.
The graphic shows the Authentication set to None.
The graphic shows the APIkey set in Request Headers under the Processing tab.
Screenshot of the Message Content.
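
A Content Modifier stores the API key as a literal in the integration flow design. The following Groovy Script step is an added example, not part of the original lesson, that sets the same APIkey header from a Secure Parameter instead; the alias DelayedDelivery_APIKey is hypothetical and is assumed to have been deployed under Manage Security Material.

```groovy
import com.sap.gateway.ip.core.customdev.util.Message
import com.sap.it.api.ITApiFactory
import com.sap.it.api.securestore.SecureStoreService
import com.sap.it.api.securestore.UserCredential

def Message processData(Message message) {
    // Assumption: hypothetical alias of a Secure Parameter that holds the API key.
    String alias = 'DelayedDelivery_APIKey'

    // Look up the tenant's secure store at runtime.
    SecureStoreService store = ITApiFactory.getService(SecureStoreService.class, null)
    if (store == null) {
        throw new IllegalStateException('SecureStoreService is not available')
    }

    // Fail the message instead of calling the receiver without a key.
    UserCredential credential = store.getUserCredential(alias)
    if (credential == null) {
        throw new IllegalStateException("No security material deployed under alias ${alias}")
    }

    char[] secret = credential.getPassword()
    try {
        // The header name must match the entry in the Request Headers field
        // on the Processing tab of the OData adapter.
        message.setHeader('APIkey', new String(secret))
    } finally {
        // Do not keep the key in the script's own buffer longer than needed.
        java.util.Arrays.fill(secret, (char) 0)
    }
    return message
}
```

The script step takes the place of the Content Modifier in the procedure; Authentication stays at None and APIkey stays in the Request Headers field.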

Summary

Establishing a secure connection and performing authentication must be distinguished. Initially, a TLS connection is established, similar to the inbound case. However, in this scenario, the communication and the exchange of certificates occur directly between the Cloud Integration tenant (subaccount) and the receiver. To identify and import these certificates, SAP provides the Test Connectivity tool. The actual authentication is performed by the adapter, and various options are available, such as those provided by the OData adapter:

  • Basic
  • Client Certificate
  • None
  • OAuth2 Client Credentials
  • OAuth2 SAML Bearer Assertion

Create a Request and Reply to an External Call (3.OData Adapter)

Business Scenario

The used and cached SalesOrderIDs and ItemPositionIDs are required to identify the customer name and customer number. In this step, it is essential to carry out another query via an OData adapter on the backend system (API) and to expand the query to include the customer name and customer number.

Task Flow

In this exercise, you will perform the following tasks:

  1. Log on to the integration flow DelayedDelivery_Process.
  2. Create and configure an OData Adapter.
  3. Save as version, deploy, and debug your integration process.

Prerequisites

You have completed the final step of creating and configuring a Router.

Screenshots of the prerequisites.

Outcome After This Exercise

You will have implemented the first external API call.

Screenshot of the outcome.

What Do You Learn Within This Exercise?

Learn to configure the OData adapter within an external call to an API.

Task 1: Log on to the Integration Flow DelayedDelivery_Process

Steps

  1. Log on to the integration flow DelayedDelivery_Process via SAP Integration Suite.

    1. Navigate within the Integration Suite Welcome page to Design > Integrations > DelayedDelivery_Package_CLD900_Number > DelayedDelivery_Process_Number.

    2. Check the status after the last exercise step:

      Screenshots of the prerequisites.
    3. Keep in mind that the integration flow may have been edited further.

Task 2: Create and Configure an OData Adapter

Steps

  1. Set a Receiver.

    1. To create a request and reply, choose the Call menu and select External Call > Request Reply, or use the context menu.

    2. Select the line between the Router and the End_Message_with_SalesOrderID.

      Screenshot of the context menu. Choose Request Reply.
    3. Name the request reply: Call_fetch_ToHeader.

      Name of the request reply.
  2. Set the Receiver via the context menu.

    Set the receiver.
    1. Rename the Receiver to API_SalesOrder_ProductSet_ToHeader.

    Rename the receiver.
    1. Connect the Request Reply with the Receiver by using the interactive context menu as shown in the screenshot.

    2. Select the ODataV2 adapter.

      Connect the receiver and select the ODataV2 adapter.
    3. Select the OData connection between the Request Reply and Receiver.

    4. Set your known API URL from the API Management in the OData Connection tab. (e.g. "<API URL>/<version>/GWSAMPLE_BASIC")

    5. Your API URL can be found in the Configure > APIs > API Proxies section.

      The graphic shows the Connection tab.
    6. Switch to the Processing tab and choose the Select button.

    Switch to the Processing tab and choose the Select button.
  3. Configure the OData Adapter.

    1. All required information is automatically filled in. Choose the Step 2 button to move forward.

      Choose Step 2.
    2. Select the Sub Level 1 and select the Entity SalesOrderLineItemSet.

      Select the Sub Level 1 and select the Entity SalesOrderLineItemSet.
    3. Now, select the Field you want to get via the API from your backend system.

    4. Use the following selection for the Entity and Operations. After you have selected all, you move forward by choosing the Step 3 button.

      Select DeliveryStatus and choose Step 3.

      Select the following fields:

      • ToHeader
      • CustomerID
      • CustomerName
      • DeliveryStatus
    5. Set two filters on the cached Exchange Properties in the Content Modifier.

      Screenshot of the Filter configuration.
      Field Name   Input
      Filter       SalesOrderID
      Operation    Equal
      Value        ${property.SalesOderID}

      Second Filter
      Filter       ItemPositionID
      Operation    Equal
      Value        ${property.ItemPositionID}

      Be careful to write the Simple Expression Notation correctly, as mentioned in the step.
    6. Your OData Adapter configuration under Processing looks like this:

      Screenshot of a sample OData adapter configuration.

Task 3: Save as Version, Deploy, and Debug Your Integration Process

Steps

  1. Save as version, deploy, and debug your integration process.

    1. Perform the following steps.

      1. Save as version.
      2. Deploy.
      3. Jump to Overview > Manage Integration Content.
      4. Set the log level to trace.
      5. Deploy again.
      6. Jump again to Overview > Manage Integration Content.
    2. Navigate to your Integration Flow Model in Overview > Monitor Message Processing > Message Processing Run. Select the End artifact and choose the Message Content tab.

    3. Choose the End_Message_with_SalesOrderID artifact and select the Message Content tab.

      Select Message Content.
    4. To see the message, choose the Payload tab.

      Screenshot of the Payload.
    5. Save and deploy again. Check your trace. The result must have some CustomerNames and CustomerIDs entries.

  2. Learn more about the OData Adapter component.

    1. Return to your integration process.

    2. Open the configuration bar of the OData component and choose the question mark symbol.

    3. Here, you find all the information about the different adapters and how they can be used in a familiar way.

Create and Configure a Content Modifier for the CustomerName

Business Scenario

You want to read the customer name via an exchange property. To do this, you use a Content Modifier.

Task Flow

In this exercise, you will perform the following tasks:

  1. Log on to the integration flow DelayedDelivery_Process.
  2. Create and configure a Content Modifier.
  3. Save as version, deploy, and debug your integration process.

Prerequisites

You have completed the step of creating an OData Call.

Outcome After This Exercise

The CustomerName values are saved as Exchange Properties using a Content Modifier.

Screenshot of the integration process.

What do you learn within this exercise?

Review the exercise to create and configure a Content Modifier component.

Steps

  1. Log on to the integration flow DelayedDelivery_Process via SAP Integration Suite.

    1. Navigate within the Integration Suite Welcome page to Design > Integrations > DelayedDelivery_Package_Date_Number > DelayedDelivery_Process_Number.

    2. Check the status after the last exercise step:

      Screenshot of the outcome.
    3. Be aware that the integration flow is in the edit state.

  2. Create and configure a Content Modifier.

    1. Add a Content Modifier component after the Call_fetch_ToHeader OData Call component.

    2. Rename it to: Modify_setCustomerNameasProperty.

      Screenshot of the Name of the Content Modifier.
    3. Configure an Exchange Property with the following entries.

      Add a Content Modifier.
      Field Name     Value
      Name           CustomerID
      Source Type    XPATH
      Source Value   //CustomerID
      Data Type      java.lang.String (S is upper case)

      Screenshot of the Content Modifier setup.
  3. Save as version, deploy, and debug your integration process.

    1. Perform the following steps:

      1. Save as version.
      2. Deploy.
      3. Jump to Overview > Manage Integration Content.
      4. Set the log level to trace.
      5. Deploy again.
      6. Jump again to Overview > Manage Integration Content.
    2. Navigate to your Integration Flow Model in Overview > Monitor Message Processing > Message Processing Run.

  4. Check out the Exchange Properties.

    1. Navigate to the Message Content tab and first choose the End_Message_with_SalesOrderID.

    2. Select the Exchange Properties tab and search for the CustomerName.

      Screenshot of the monitor highlighting the Message Content tab.
      Screenshot of the monitor highlighting the Exchange Properties.

Create a Data Store Operation

Business Scenario

The preceding step involves writing the CustomerNames stored as Exchange Properties in each loop to a Data Store, and removing duplicates.

Task Flow

In this exercise, you will perform the following steps in one task:

  1. Log on to the integration flow DelayedDelivery_Process.
  2. Create a Data Store Operation.
  3. Configure a Data Store Operation.
  4. Save as version, deploy, and debug your integration process.
  5. Check the Data Store.
  6. Delete the data store entries.
  7. Learn more about Data Store operations.

Prerequisites

You have completed the step to create and configure a Content Modifier.

Screenshot of the integration flow process.

Outcome After This Exercise

You add a Data Store containing all CustomerNames for the given ProductIDs to your integration flow.

Screenshot of the integration flow process.

What do you learn within this exercise?

Learn to create and use a Data Store Write operation.

Task 1: Create a Data Store Operation

Steps

  1. Log on to the integration flow DelayedDelivery_Process via SAP Integration Suite.

    1. Navigate within the Integration Suite Welcome page to Design > Integrations and APIs > DelayedDelivery_Package_CLD900_Date_Number > DelayedDelivery_Process_Number.

    2. Check the status after the last exercise step. Keep in mind that the integration flow may have been modified further.

  2. Create a Data Store Operation.

    1. Set a Persistence > Data Store Operations > Write component after Modify_setCustomerNameasProperty, or use the context menu as shown.

      Set Persistence, Data Source Operations, Write in the context menu.
    2. Rename it to Write_CustomerName.

      Rename the Write artifact.
  3. Configure a Data Store Operation.

    1. Switch to the Processing tab, and enter the following data:

      Field Name                        Value
      Data Store Name                   DelayedDelivery_CustomerName_List_Number
      Visibility                        Global (external processes can read these entries)
      Entry ID                          ${property.CustomerID} (is shown as the header)
      Retention
      Threshold for Alerting (in d)     2
      Expiration Period (in d)          3
      Encrypt Stored Message            flagged
      Overwrite Existing Message        flagged (remove duplicates)
      Include Message Headers           flagged

      Screenshot of the configuration of the Data Store.
    2. Again, we use the Simple Expression Language for addressing the CustomerName as an Exchange property with ${property.CustomerName}.

    3. Rename the End_Message_with_SalesOrderID to End_Message_with_CustomerName.

      Screenshot of the renaming.
  4. Save as version, deploy, and debug your integration process.

    1. Perform the following steps.

      1. Save as version.
      2. Deploy.
      3. Jump to Overview > Manage Integration Content.
      4. Set log level to trace.
      5. Deploy again.
      6. Jump again to Overview > Manage Integration Content.
    2. Navigate to your Integration Flow Model in Overview > Monitor Message Processing > Message Processing Run.

  5. Check the Data Store.

    1. Navigate to Monitor > Integrations and APIs from the left-side menu.

    2. Find Manage Stores > Data Stores.

      Choose Monitor and then Integrations and APIs.
    3. Choose the Data Store tile.

      Choose the Data Store tile.
    4. After selecting the correct Data Store name, you are able to see the entries. Choose the Data Store name.

    5. Now, check the Payload in the Monitoring, by selecting the End_Message_with_CustomerName artifact and choose the Message Content tab to switch to the Payload tab.

      Screenshot of the Payload in the Monitoring.
      Check Payload.
  6. Learn more about Data Store operations.

    1. Navigate back to your Integration Process, open the configuration bar of the Write_CustomerName component, and choose the question mark symbol.
