Client authentication is a process used in computer networks and systems to verify the identity of a client (user or device) attempting to access a server or a service. It's a security mechanism that ensures that only authorized clients can gain access to protected resources.
The client is required to provide credentials to the server before being granted access. The server then validates these credentials to determine if the client is who it claims to be. We'll focus on the two relevant credential types/authentication methods that are used for integrating SAP Sales and Service Cloud with SAP S/4HANA using Cloud Integration. These are:
- Basic Authentication: The client sends a username and a password (the secret).
- Certificate-Based Authentication: The client proves its identity by solving a cryptographic challenge with its private key, without exposing the private key (the secret) to the server.
Basic Authentication
Basic authentication is a simple authentication method used in the HTTP protocol where the client proves its identity by sending a username and a password in an HTTP request header to the server. In the HTTP request header, the username and the password are Base64 encoded, but not encrypted. Hence, this authentication method strongly relies on transport layer encryption, such as HTTPS.
Advantages:
The setup is simple and there are no external dependencies. It is easy to implement and easy to understand, which makes it widely used across the internet.
Disadvantages:
Apart from the transport layer encryption, the password is sent to the server in plain text (Base64 encoding offers no protection). If the connection is intercepted or the server is compromised, an attacker can steal the password and thereby impersonate the client. Moreover, network components that terminate TLS connections as part of their normal operation (for instance, reverse proxies) also see the password in plain text. If logging for these components is configured incorrectly, the password could even be written to log files.
Summary for Basic Authentication:
Basic authentication should only be used with protocols that offer transport layer encryption, like HTTPS does. Moreover, passwords should be strong. That means not too short, not easily guessable, and consisting of different character classes to ensure sufficient complexity. Furthermore, passwords should be changed after a certain amount of time.
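As an added illustration for the two passages above (this is not code from the original page or from SAP), the following Go program builds a Basic authentication header the way a client does, shows what any TLS-terminating component or header-logging proxy can read from it, and implements the server-side check. The username, password and hostname are constructed sample values; Go's net/http parses the header via r.BasicAuth().

```go
package main

import (
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// BuildBasicAuthHeader builds the Authorization header value exactly as a client
// sends it: the literal "Basic " followed by base64("username:password").
func BuildBasicAuthHeader(user, password string) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(user+":"+password))
}

// DecodeBasicAuthHeader recovers username and password from the header value with
// nothing but the Base64 alphabet. This is what every TLS-terminating proxy (and any
// log that records request headers) can see: Base64 is an encoding, not encryption.
func DecodeBasicAuthHeader(header string) (user, password string, ok bool) {
	const prefix = "Basic "
	if !strings.HasPrefix(header, prefix) {
		return "", "", false
	}
	raw, err := base64.StdEncoding.DecodeString(header[len(prefix):])
	if err != nil {
		return "", "", false
	}
	return strings.Cut(string(raw), ":")
}

// CheckCredentials compares the presented credentials with the expected ones in
// constant time, so that response timing does not reveal how much of the password
// matched. (A real server would compare against a stored password hash instead.)
func CheckCredentials(user, password, wantUser, wantPassword string) bool {
	userOK := subtle.ConstantTimeCompare([]byte(user), []byte(wantUser)) == 1
	passOK := subtle.ConstantTimeCompare([]byte(password), []byte(wantPassword)) == 1
	return userOK && passOK
}

// NewProtectedHandler protects a resource with Basic authentication. Requests without
// valid credentials get 401 and a WWW-Authenticate challenge, as HTTP requires.
func NewProtectedHandler(wantUser, wantPassword string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, password, ok := r.BasicAuth() // parses and Base64-decodes the header
		if !ok || !CheckCredentials(user, password, wantUser, wantPassword) {
			w.Header().Set("WWW-Authenticate", `Basic realm="integration"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		fmt.Fprintf(w, "hello, %s\n", user)
	})
}

// RequestStatus sends one in-memory request (no network) carrying the given
// Authorization header to the handler and returns the HTTP status code.
func RequestStatus(h http.Handler, authHeader string) int {
	// The hostname is a constructed placeholder, not a real system.
	req := httptest.NewRequest(http.MethodGet, "https://s4.example.invalid/api/resource", nil)
	if authHeader != "" {
		req.Header.Set("Authorization", authHeader)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed sample credentials.
	const user, password = "integration-user", "constructed-example-password"

	header := BuildBasicAuthHeader(user, password)
	fmt.Println("Authorization:", header)

	u, p, _ := DecodeBasicAuthHeader(header)
	fmt.Printf("what a TLS-terminating proxy sees: user=%q password=%q\n", u, p)

	h := NewProtectedHandler(user, password)
	fmt.Println("correct credentials ->", RequestStatus(h, header))
	fmt.Println("wrong password      ->", RequestStatus(h, BuildBasicAuthHeader(user, "wrong")))
	fmt.Println("no header           ->", RequestStatus(h, ""))
}
```

Two details matter for the operator: the server must only ever be reachable over HTTPS, since the header is fully recoverable by anyone who sees the request, and the comparison uses a constant-time function so that timing differences do not leak information about the expected password.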
Certificate-Based Authentication
Certificate-based authentication is an authentication method that relies on digital certificates to verify the identity of users or devices. Hence, it involves the use of public key infrastructure (PKI) to issue and manage certificates.
Certificate-based authentication takes place while the connection is being established, during the TLS handshake. The process works similarly to establishing the trust relationship with a server, but this time it is the client that presents a certificate issued by a certificate authority (CA) that the server trusts. Because both the server and the client prove their identities in this authentication method, it is often referred to as mutual authentication.
As part of the authentication process, the client sends its certificate including the public key (but not the private key!) to the server. After the server has verified that the certificate is valid and trusted, the client must prove that it owns the certificate, meaning it is in possession of the corresponding private key. The client can do so by signing data with its private key and sending it to the server, which can in turn verify the signature with the corresponding public key.
If this process is successful, a secure communication channel is established that uses a new, unique secret, also called the session key. That mitigates replay attacks, in which intercepted communication is retransmitted for malicious purposes.
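The exchange described above, as an added example that is not part of the original page or of SAP's software: a toy PKI in Go in which a server verifies the client's certificate against the CA it trusts and then requires the client to prove possession of the private key by signing a server-chosen random challenge. In a real TLS handshake the signed data is the handshake transcript (the CertificateVerify message) rather than a separate nonce, and Go's crypto/tls performs these checks itself when a server is configured with ClientAuth: tls.RequireAndVerifyClientCert and a ClientCAs pool; the explicit nonce here only makes the step visible. All CA and client names are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert generates a fresh Ed25519 key pair and a one-day certificate for it,
// signed by parent/parentKey, or self-signed when parent is nil.
func newCert(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)); err != nil {
		return nil, nil, err
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Minute), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA creates a self-signed CA certificate that may sign other certificates.
func NewCA(name string) (*x509.Certificate, ed25519.PrivateKey, error) {
	return newCert(&x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}, nil, nil)
}

// IssueClientCert issues a leaf certificate restricted to client authentication.
// The client's private key is generated here and never leaves the client.
func IssueClientCert(caCert *x509.Certificate, caKey ed25519.PrivateKey, cn string) (*x509.Certificate, ed25519.PrivateKey, error) {
	return newCert(&x509.Certificate{
		Subject:     pkix.Name{CommonName: cn},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, caCert, caKey)
}

// NewChallenge (server side): a fresh random nonce for every attempt, so a
// signature captured from an earlier exchange cannot be replayed later.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// SignChallenge (client side): prove possession of the private key by signing
// the nonce. Only the signature is sent to the server, never the key.
func SignChallenge(key ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(key, nonce)
}

// VerifyClient (server side): check that the certificate chains to a trusted CA and is
// valid for client authentication, then check the signature with its public key.
func VerifyClient(trusted *x509.CertPool, cert *x509.Certificate, nonce, sig []byte) (string, error) {
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok {
		return "", fmt.Errorf("unsupported public key type %T", cert.PublicKey)
	}
	if !ed25519.Verify(pub, nonce, sig) {
		return "", fmt.Errorf("proof of possession failed: signature does not match certificate")
	}
	return cert.Subject.CommonName, nil
}

func main() {
	caCert, caKey, _ := NewCA("Constructed Example Root CA")
	trusted := x509.NewCertPool()
	trusted.AddCert(caCert)
	cert, key, _ := IssueClientCert(caCert, caKey, "sales-cloud-integration")
	nonce, _ := NewChallenge()       // server -> client
	sig := SignChallenge(key, nonce) // client -> server
	fmt.Println(VerifyClient(trusted, cert, nonce, sig)) // accepted
	rogueCA, rogueCAKey, _ := NewCA("Untrusted CA")
	rogueCert, rogueKey, _ := IssueClientCert(rogueCA, rogueCAKey, "sales-cloud-integration")
	fmt.Println(VerifyClient(trusted, rogueCert, nonce, SignChallenge(rogueKey, nonce))) // rejected: issuer not trusted
	fmt.Println(VerifyClient(trusted, cert, nonce, SignChallenge(rogueKey, nonce)))      // rejected: certificate without its key
	later, _ := NewChallenge()
	fmt.Println(VerifyClient(trusted, cert, later, sig)) // rejected: replayed signature
}
```

The four outcomes in main correspond to the text: a certificate from an untrusted issuer fails the chain check, a certificate presented by someone who does not hold its private key fails the proof of possession, and a signature captured from an earlier exchange fails against a fresh challenge. Note that the server never receives the private key at any point, which is the difference from basic authentication.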
Note
An important difference from basic authentication is that the client does not send any secret to the server.
Advantages:
Certificate-based authentication provides strong security because it uses public key cryptography. The private key associated with the certificate is kept secret and is never transferred to the server during authentication. Even if an attacker were able to eavesdrop on an existing communication, what they capture could not be used to impersonate the client.
Disadvantages:
Implementing or setting up certificate-based authentication is more complex because of the PKI. It requires a certificate authority, certificate management, and secure storage of private keys. This typically comes with additional costs, either for using an existing public PKI or for running your own. Finally, certificates are created with a specified validity period and must be renewed before they expire. While this is actually an advantage from the security perspective, it increases the maintenance effort and adds the risk of missing the expiry date, which leads to a broken connection and is a common pitfall.
Summary for Certificate-Based Authentication:
Certificate-based authentication provides strong security in return for more effort in setup and maintenance. Keeping track of the certificates' validity periods is an important step in keeping integration scenarios running without interruption.
Overall Summary
Note
Using client certificates ensures higher security in the communication process. They are the clear recommendation, especially for productive environments.
Basic authentication can be useful at the beginning of an integration project, when setting up the integration, in order to test basic connectivity. For test environments, it might be sufficient to keep basic authentication, depending on the role of the system and the data that is stored there. In productive environments, however, basic authentication should be avoided.