Using Adapter Outbound Security

Objectives

After completing this lesson, you will be able to:

  • Utilize outbound security for adapters

Adapter Outbound Security

In this lesson, the following topics are discussed:

  • Outbound Security for Adapters.
  • Establishing a secure connection to the receiver using certificates.
  • Implement the required authentication and authorization process for the OData adapter to communicate with the receiver.

Outbound Security for Adapters

The procedures for implementing authentication and authorization against the receiver vary depending on the type of adapter used, and in some cases, can be quite different. However, there are similarities when using TCP-based adapters. The process involves creating an HTTPS connection via certificates and performing real authentication. In practice, this means that the recipient's certificate must be imported into the Cloud Integration tenant.

The establishment of a secure TCP connection requires the use of TLS with certificates. SAP provides a dedicated tool for verifying and importing the necessary certificates specific to the recipient.

The authentication and authorization process is adapter-specific and will be described below for the OData adapter.

Establishing a Secure Connection to the Receiver involves using Certificates

How can we ensure that the message is delivered to the recipient properly? In this scenario, the connection is established directly between the receiver adapter and the receiver.

In order to establish a secure connection with the receiver, it is necessary to perform authentication and authorization. This process also involves setting up an HTTPS connection through certificates, which can be used for additional authentication and authorization. Ultimately, the type of authentication and authorization used is decided by the receiver.

We will demonstrate this again with the example of the OData adapter. In the exercises of this training, we have set up policies for the API Management API to avoid the need for authentication.

Locate and Import the Certificates for the Receiver and the Certificate Chain for the Server

We can use a helpful tool in Cloud Integration called Test Connectivity to find and import the required receiver certificates and their server certificate chain.

Procedure

  • Navigate to Monitor > Integrations > Manage Security > Test Connectivity.
  • Choose your protocol.
  • Fill in the necessary data.
  • Choose the Send button.
  • Download the certificates.
  • Import the certificates at Monitor > Integrations > Manage Security > Manage Keystore > Add > Certificate.
Note
The following screenshots address twitter.com as receiver.

Further explanations:

Choose the protocol and enter all necessary data:

Choosing the send button will provide the certificates. Choose the Download button:

Decompress the downloaded file:

Navigate to Monitor > Integrations > Manage Security > Manage Keystore > Add > Certificate. Add all certificates separately from your decompressed file.

The server certificates chain:

The twitter certificate:

The imported certificates:

A secure HTTPS connection to twitter.com can now be established from your integration flow.
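What the keystore import changes, shown as an added example (not SAP's code or part of the original lesson): a Python client with an empty trust store rejects the receiver's certificate, and the same handshake succeeds once the issuing root is loaded. The root CA, the `localhost` receiver and all file names are constructed, and the `openssl` command-line tool is assumed to be on the PATH.

```python
import os, socket, ssl, subprocess, tempfile, threading

def _openssl(workdir, *args):
    # Assumption: the openssl command-line tool is installed and on the PATH.
    subprocess.run(["openssl", *args], cwd=workdir, check=True, capture_output=True)

def make_constructed_pki(workdir):
    """Create a constructed root CA and a receiver certificate for 'localhost'."""
    _openssl(workdir, "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "2",
             "-subj", "/CN=Constructed Root CA", "-keyout", "root.key", "-out", "root.pem")
    _openssl(workdir, "req", "-newkey", "rsa:2048", "-nodes", "-subj", "/CN=localhost",
             "-keyout", "leaf.key", "-out", "leaf.csr")
    with open(os.path.join(workdir, "san.ext"), "w") as ext:
        ext.write("subjectAltName=DNS:localhost\n")
    _openssl(workdir, "x509", "-req", "-in", "leaf.csr", "-CA", "root.pem",
             "-CAkey", "root.key", "-CAcreateserial", "-days", "2",
             "-extfile", "san.ext", "-out", "leaf.pem")

def handshake(port, trusted_ca=None):
    """Connect as the sending side would; return 'ok' or the verification error."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verification on, trust store empty
    if trusted_ca:
        ctx.load_verify_locations(trusted_ca)      # stands in for the keystore import
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname="localhost"):
                return "ok"
    except ssl.SSLCertVerificationError as exc:
        return exc.verify_message

def demo():
    """Return (result before the import, result after the import)."""
    with tempfile.TemporaryDirectory() as d:
        make_constructed_pki(d)
        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server_ctx.load_cert_chain(os.path.join(d, "leaf.pem"), os.path.join(d, "leaf.key"))
        listener = socket.create_server(("127.0.0.1", 0))
        port = listener.getsockname()[1]

        def serve_two_connections():
            for _ in range(2):
                conn, _addr = listener.accept()
                try:
                    server_ctx.wrap_socket(conn, server_side=True).close()
                except OSError:  # includes ssl.SSLError when the client aborts
                    conn.close()

        worker = threading.Thread(target=serve_two_connections, daemon=True)
        worker.start()
        before = handshake(port)
        after = handshake(port, os.path.join(d, "root.pem"))
        worker.join(5)
        listener.close()
        return before, after
```

The first result is the verification error raised while the trust store is empty; the second is `ok`, because the only change between the two handshakes is the loaded root certificate.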

Implement the Necessary Authentication and Authorization Against the Receiver for OData Adapters

As mentioned earlier, certificates are primarily used to establish the HTTPS connection. Hence, additional procedures are often required for authentication and authorization.

The Connection tab of the OData Adapter offers various options for authentication and authorization.

These are:

  • Basic
  • Client Certificate
  • None
  • OAuth2 Client Credentials
  • OAuth2 SAML Bearer Assertion

All these options must first be configured under Monitor > Integrations > Manage Security > Manage Security Material. Except for the client certificate, all authentication options can be found there.

Implement an API key based authentication and authorization

It is common to use an API key for authentication and authorization, even though there is no configuration option for it in the setting options of the OData Adapter. I will demonstrate this possibility for you below.

Procedure

  • Copy the API key from your API.
  • Place and configure a Content Modifier in front of the call component with the OData adapter.
  • Enter a Message Header with the API key value.
  • Configure the OData adapter at the Connection tab at Authentication with None.
  • At the Processing tab, enter the APIkey in the Request headers fields.

Summary

Establishing a secure connection and authenticating are two separate steps that must be distinguished. Initially, a TLS connection is established, similar to the inbound case. However, in this scenario, communication and exchange of certificates occur directly between the Cloud Integration tenant (subaccount) and the receiver. To identify and import these certificates, SAP provides the Test Connectivity tool. The actual authentication is performed by the adapter, and various options are available, such as those provided by the OData adapter.

  • Basic
  • Client Certificate
  • None
  • OAuth2 Client Credentials
  • OAuth2 SAML Bearer Assertion

Create a Request and Reply External Call

Business Scenario

For a given product, we obtain the CustomerID and a set of SalesOrderID and ItemPosition associated with it.

The following overview image provides an understanding of where the new component operates. As this is a recurring exercise, a brief description is sufficient.

Task Flow

In this exercise, you will perform the following tasks:

  1. Log on to the integration flow DelayedDelivery_Process.
  2. Create a request and reply external call.
  3. Save as version, deploy, debug, and check the result.

Prerequisites

The creation and configuration of a Content Modifier has been completed by you.

Outcome After This Exercise

You can make a third HTTP call to retrieve the CustomerID for a given set of SalesOrderID, ItemPosition, and ProductID.

What Do You Learn Within This Exercise?

Review exercise to create and configure an External Call component.

Exercise Options

To carry out this exercise, you can choose from the following options:

  1. Live Environment: Using the instructions provided below, you can perform the steps in your SAP BTP account.
  2. Platform Simulation: Follow the step-by-step instructions within the simulation.
  3. Side-by-side: Follow the step-by-step instructions within the simulation and perform the steps in your SAP BTP account simultaneously.
Note
We strongly recommend performing the steps in the live environment.

Task 1: Log on to the Integration Flow DelayedDelivery_Process

Steps

  1. Log on to the integration flow DelayedDelivery_Process via Integration Suite.

    1. Navigate within the Integration Suite Welcome page to Design > Integrations > DelayedDelivery_Package_randomNumber > DelayedDelivery_Process.

    2. Following the status after the last exercise step.

    3. Imagine that the integration flow has been further edited.

Task 2: Create a Request and Reply External Call

Steps

  1. Create a request and reply external call.

    1. Create a Call > External Call > Request and Reply after the Modify_setSalesOrderIDAsProperty component.

  2. Create a new Receiver.

    1. Create a new Receiver with name API_SalesOrderLineItemSet_ToHeader.

  3. Configure the HTTP connection between Call_SalesOrderHeader and API_SalesOrderLineItemSet_ToHeader.

    1. Enter the following data at tab Connection.

      Field Name | Input Data
      Address | <Your host API>/SalesOrderLineItemSet(SalesOrderID='${property.SalesOrderID}',ItemPosition='${property.ItemPosition}')/ToHeader
      Query | $select=CustomerID,CustomerName,DeliveryStatus
      Proxy Type | Internet
      Method | GET
      Authentication | None
      Note
      The address does not contain a hyphen. If it displays in the table above, it is added by the publishing engine. Do not take it over.

      The other parameters can be applied.

Task 3: Save as Version, Deploy, Debug, and Check the Result

Steps

  1. Save as version, deploy, and debug your integration process.

    1. Perform the following steps:

      1. Save as version.
      2. Deploy.
      3. Jump to Overview > Manage Integration Content.
      4. Set log level to trace.
      5. Deploy again.
      6. Jump again to Overview > Manage Integration Content.
    2. Navigate to your integration flow model in Overview > Monitor Message Processing > Message Processing Run.

  2. Check out the result of this call.

    1. Remember, one product loop and two LineItem loops.

    2. Check out the first LineItem loop.

    3. Check out the second LineItem loop.

    4. You should get different CustomerIDs.

Create an XSLT Template as Mapping Component

Business Scenario

To read the CustomerID via XPATH, the namespaces from the returned feed must be removed again, as previously done in one of the last steps.

The next component's working can be better understood with the help of the following overview picture. However, since this is a repeated exercise, it will be briefly described.

Task Flow

In this exercise, you will perform the following tasks:

  1. Log on to the integration flow DelayedDelivery_Process.
  2. Create an XSLT template as Mapping component.
  3. Save as version, deploy, and debug your integration process.

Prerequisites

The previous step of creating a Request and Reply external Call has been completed.

Outcome After This Exercise

We now have a functional XSL template that removes the namespaces from the payload, enabling us to access the values using XPath.

What do you Learn Within This Exercise?

Review exercise to create and configure an XSLT Mapping.

Exercise Options

To carry out this exercise, you can choose from the following options:

  1. Live Environment: Using the instructions provided below, you can perform the steps in your SAP BTP account.
  2. Platform Simulation: Follow the step-by-step instructions within the simulation.
  3. Side-by-side: Follow the step-by-step instructions within the simulation and perform the steps in your SAP BTP account simultaneously.
Note
We strongly recommend performing the steps in the live environment.

Steps

  1. Log on to the integration flow DelayedDelivery_Process via Integration Suite.

    1. Navigate within the Integration Suite Welcome page to Design > Integrations > DelayedDelivery_Package_randomNumber > DelayedDelivery_Process.

    2. Following the status after the last exercise step.

    3. Imagine that the integration flow has been further edited.

  2. Expand the swim lane of your integration flow.

    1. Move the End event component and drag the right edge of the swim lane a few centimeters to the right.

  3. Create an XSLT template as a mapping component.

    1. Add an XSLT Mapping component with the following known configuration. Name it XSLT_Mapping_removeNamespaces_2.

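      Code snippet
      <?xml version="1.0" encoding="UTF-8"?>
      <xsl:stylesheet version="3.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
          <!-- Rebuild every element under its local name, which drops the namespace. -->
          <!-- Attributes have no template of their own, so the built-in rule writes their values out as text. -->
          <xsl:template match="*">
              <xsl:element name="{local-name()}">
                  <xsl:apply-templates select="@* | node()"/>
              </xsl:element>
          </xsl:template>
      </xsl:stylesheet>
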
  4. Save as version, deploy, and debug your integration process

    1. Perform the following steps

      1. Save as version.
      2. Deploy.
      3. Jump to Overview > Manage Integration Content.
      4. Set log level to trace.
      5. Deploy again.
      6. Jump again to Overview > Manage Integration Content.
    2. Navigate to your Integration Flow Model in Overview > Monitor Message Processing > Message Processing Run.

  5. Check the payload of the first LineItem loop.

    1. Navigate in a known way to the payload after XSLT mapping with name XSLT_Mapping_removeNamespaces_2.

  6. Check the payload of the second LineItem loop.

    1. Navigate in a known way to the payload after XSLT mapping with name XSLT_Mapping_removeNamespaces_2.
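Why the XPath `//CustomerID` only matches after XSLT_Mapping_removeNamespaces_2 has run, as an added example that is not part of the original exercise: the Python function below re-implements the stylesheet's behaviour with the standard library instead of running the XSLT itself, and the Atom/OData entry and its values are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a namespaced Atom/OData entry returned by the receiver.
FEED = """<entry xmlns="http://www.w3.org/2005/Atom"
 xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata"
 xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices">
  <content type="application/xml">
    <m:properties>
      <d:CustomerID>100000005</d:CustomerID>
      <d:DeliveryStatus>D</d:DeliveryStatus>
    </m:properties>
  </content>
</entry>"""

def local_name(tag):
    """'{namespace}CustomerID' -> 'CustomerID'."""
    return tag.rsplit("}", 1)[-1]

def strip_namespaces(elem):
    """Rebuild the tree with every element under its local name only."""
    out = ET.Element(local_name(elem.tag))
    # The stylesheet has no template for attributes, so the XSLT built-in rule
    # writes their values into the element as text; reproduce that here.
    out.text = "".join(elem.attrib.values()) + (elem.text or "")
    for child in elem:
        new_child = strip_namespaces(child)
        new_child.tail = child.tail
        out.append(new_child)
    return out

def customer_ids(root):
    """Equivalent of the unprefixed XPath //CustomerID."""
    return [e.text for e in root.findall(".//CustomerID")]

if __name__ == "__main__":
    original = ET.fromstring(FEED)
    print("before:", customer_ids(original))
    print("after: ", customer_ids(strip_namespaces(original)))
```

Because attribute values end up as element text, an element that carries attributes no longer contains only its original value after the mapping; the `content` element above shows this.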

Create and Configure a Content Modifier for the CustomerID

Business Scenario

Now we will store the CustomerID as an Exchange Property.

The subsequent visual aid provides an overview of the component's functionality and its placement within the integration flow. This exercise is a repetition, and hence, briefly explained.

Task Flow

In this exercise, you will perform the following tasks:

  1. Log on to the integration flow DelayedDelivery_Process.
  2. Create and configure a Content Modifier.
  3. Save as version, deploy, and debug your integration process.

Prerequisites

The step of creating an XSLT Mapping has been completed by you.

Outcome After This Exercise

The CustomerID values are saved as Exchange Properties using a Content Modifier.

What do you Learn Within This Exercise?

Review exercise to create and configure a Content Modifier component.

Exercise Options

To carry out this exercise, you can choose from the following options:

  1. Live Environment: Using the instructions provided below, you can perform the steps in your SAP BTP account.
  2. Platform Simulation: Follow the step-by-step instructions within the simulation.
  3. Side-by-side: Follow the step-by-step instructions within the simulation and perform the steps in your SAP BTP account simultaneously.
Note
We strongly recommend performing the steps in the live environment.

Steps

  1. Log on to the integration flow DelayedDelivery_Process via Integration Suite.

    1. Navigate within the Integration Suite Welcome page to Design > Integrations > DelayedDelivery_Package_randomNumber > DelayedDelivery_Process.

    2. Following the status after the last exercise step.

    3. Imagine that the integration flow has been further modified.

  2. Create and configure a Content Modifier.

    1. Add a Content Modifier component after the XSLT_Mapping_removeNamespaces_2 component.

    2. Rename it to Modify_setCustomerID.

    3. Configure an Exchange Property with the following entries.

      Field Name | Value
      Name | CustomerID
      Source Type | XPATH
      Source Value | //CustomerID
      Data Type | java.lang.String (S is upper case)
  3. Save as version, deploy, and debug your integration process.

    1. Perform the following steps:

      1. Save as version.
      2. Deploy.
      3. Jump to Overview > Manage Integration Content.
      4. Set log level to trace.
      5. Deploy again.
      6. Jump again to Overview > Manage Integration Content.
    2. Navigate to your Integration Flow Model in Overview > Monitor Message Processing > Message Processing Run.

  4. Check out the Exchange Properties of the first LineItem loop.

    1. Navigate in a known way, to the payload after Modify_setCustomerID.

  5. Check out Exchange Properties of the second LineItem loop.

    1. Navigate in a known way to the payload after Modify_setCustomerID.

    2. You will see the two different CustomerIDs.

Create a Data Store Operation

Business Scenario

This step involves writing the CustomerIDs stored as Exchange Properties in each loop to a Data Store and removing duplicates.

This overview image can aid in comprehending the functioning of the new component. It is a repeated exercise and will be concisely explained.

Task Flow

In this exercise, you will perform the following steps in one task:

  1. Log on to the integration flow DelayedDelivery_Process.
  2. Create a Data Store Operation.
  3. Configure a Data Store Operation.
  4. Save as version, deploy, and debug your integration process.
  5. Check the Data Store.
  6. Delete the data store entries.
  7. Learn more about Data Store operations.

Prerequisites

The step to create and configure a Content Modifier has been completed by you.

Outcome After This Exercise

You will add to your integration flow a Data Store containing all CustomerIDs for the given ProductIDs.

What do you Learn Within This Exercise?

Learn to create and use a Data Store Write operation.

Exercise Options

To carry out this exercise, you can choose from the following options:

  1. Live Environment: Using the instructions provided below, you can perform the steps in your SAP BTP account.
  2. Platform Simulation: Follow the step-by-step instructions within the simulation.
  3. Side-by-side: Follow the step-by-step instructions within the simulation and perform the steps in your SAP BTP account simultaneously.
Note
We strongly recommend performing the steps in the live environment.

Task 1: Create a Data Store Operation

Steps

  1. Log on to the integration flow DelayedDelivery_Process via Integration Suite.

    1. Navigate within the Integration Suite Welcome page to Design > Integrations > DelayedDelivery_Package_randomNumber > DelayedDelivery_Process.

    2. Following the status after the last exercise step.

    3. Imagine that the integration flow has been further modified.

  2. Create a Data Store Operation.

    1. Set a Persistence > Data Store Operations > Write component after Modify_setCustomerID.

    2. Rename it to Write_CustomerID.

  3. Configure a Data Store Operation.

    1. Switch to the Processing tab, and enter the following data:

      Field Name | Value
      Data Store Name | < Process name _timestamp_random no > (the name has to be unique)
      Visibility | Global (external processes can read these entries)
      Entry ID | ${property.CustomerID} (is shown as header)
      Retention Threshold for Alerting (in d) | 2
      Expiration Period (in d) | 3
      Encrypt Stored Message | <flagged>
      Overwrite Existing Message | <flagged> (remove duplicates)
    2. We again use the Simple Expression Language for addressing the CustomerID as an Exchange property with ${property.CustomerID}.

  4. Save as version, deploy, and debug your integration process.

    1. Perform the following steps.

      1. Save as version.
      2. Deploy.
      3. Jump to Overview > Manage Integration Content.
      4. Set log level to trace.
      5. Deploy again.
      6. Jump again to Overview > Manage Integration Content.
    2. Navigate to your Integration Flow Model in Overview > Monitor Message Processing > Message Processing Run.

  5. Check the Data Store.

    1. Navigate to Monitor > Integrations and APIs from the left side menu.

    2. Find Manage Stores > Data Stores.

    3. Choose the Data Store tile.

    4. After selecting the correct data store name, you will be able to see two entries. Choose the data store name.

  6. Delete the data store entries.

    1. Navigate to the top right, to the Delete button.

    2. Choose the Delete button to delete all entries manually.

  7. Learn more about Data Store operations.

    1. Navigate back to your Integration Process, open the configuration bar of the Write_CustomerID component, and choose the question mark symbol.
