Preparing Credentials for Cloud Integration

Objective

After completing this lesson, you will be able to set up credentials in Cloud Integration and the SAP BTP Cockpit for inbound and outbound authentication.

Cloud Integration Authentication

Since all integration messages pass through Cloud Integration, every sender system must authenticate at Cloud Integration, and Cloud Integration in turn must authenticate at the receiver system when it forwards a message. With two connected systems and two message directions, that gives four connections on which a system has to authenticate, as shown in the following landscape diagram.

  1. From SAP S/4HANA to Cloud Integration
  2. From Cloud Integration to SAP Sales and Service Cloud Version 2
  3. From SAP Sales and Service Cloud Version 2 to Cloud Integration
  4. From Cloud Integration to SAP S/4HANA
Simple System Landscape with 4 arrows visualizing data flows between CI, SSCv2 and S4

Communication Direction

In this lesson, we focus on maintaining authentication details in Cloud Integration for these four connections. We group them by direction, inbound and outbound from Cloud Integration's perspective, because the credentials for the two directions are maintained in different places:

  • Inbound connections: SAP BTP Cockpit → Instances (paths 1 and 3 in the landscape diagram)
  • Outbound connections: Cloud Integration WebUI → Monitor view (paths 2 and 4 in the landscape diagram)

Note

If you maintain credentials for both the inbound and the outbound connections of your integration flows, you need access rights in the SAP BTP cockpit in addition to your Cloud Integration authorizations, because the two sets of credentials are maintained in different locations.

We’ll take a closer look at maintaining authentication details for these two directions in the next section.

Supported Authentication Methods

Regardless of the communication direction, the integration flows used to integrate SAP S/4HANA with SAP Sales and Service Cloud Version 2 support two authentication methods.

  • Basic Authentication (username and password)
  • Client Certificates

Note

Basic Authentication is simple to set up, but it relies on a reusable shared secret (the password) that is transmitted with every request, so it depends entirely on TLS for protection and has to be rotated when it leaks. A client certificate proves possession of a private key that never leaves the client system. Certificate-based authentication is therefore recommended, especially in production environments.

This course demonstrates both authentication methods: Basic authentication is used between SAP S/4HANA and Cloud Integration, while certificates are used between the cloud CRM and Cloud Integration.

This course covers the handling of certificates at a high, task-oriented level. Basic knowledge of digital certificates and cryptography is recommended. This topic is explained in more detail in the course about Integrating SAP Sales and Service Cloud (Version 1) with SAP S/4HANA.

Prepare Inbound Authentication

When other systems connect to Cloud Integration (paths 1 and 3 in the landscape diagram), Cloud Integration acts as the server. It must verify the authentication details presented by the client and check whether that client is authorized to call the specific integration flow.

You can set the authorization for each integration flow. As shown in the following graphic, you can choose between User Role and Client Certificate.

iFlow Sender tab with User Role configured

The recommended approach, especially for larger setups, is User Role. The reason is the following:

When you choose Client Certificate in the integration flow configuration, you upload the sender's certificate into that integration flow, and you have to do so separately for every integration flow the sender calls. That is a quick way to get a test running, but when the certificate expires or has to be replaced, every integration flow must be updated, with the risk that one is missed and the sender is locked out of it.

Authorization: User Role

Selecting User Role (by default ESBMessaging.send) for authorization is more flexible and still supports different authentication methods, including client certificates: sender authentication is delegated to SAP BTP, which checks the presented credential and whether it carries the required role. Consequently, credentials are maintained in the SAP BTP Cockpit as Service Keys rather than in the individual integration flows.

Service Keys and the user role can be managed for the Cloud Integration's runtime instance in the SAP BTP cockpit.

SAP BTP cockpit showing the runtime instance of Cloud Integration and configuration dialogs for credentials and the role visible.

You can also create custom roles to control access to integration flows. This involves setting up the role in the Monitor view in Cloud Integration and creating a new, parameterized instance of the SAP Process Integration Runtime in the SAP BTP cockpit. However, this is outside the scope of this training and will not be covered here. For more information, see the SAP Help Portal.

Service Keys

Service Keys are like technical user accounts that grant access to services on SAP BTP. You can maintain them for the runtime instance of Cloud Integration in the Instances and Subscriptions section of the SAP BTP Cockpit (see the following screenshot).

You can create different types of service keys:

  • ClientId/Secret: Service key containing a clientId and clientSecret (client credentials) that Cloud Integration accepts like a username and password for Basic Authentication.
  • Certificate: Service key for which SAP BTP generates an X.509 client certificate together with the matching private key. Both are shown in the service key, so the certificate, including the private key, can be exported from BTP and imported into another system; conversion to a specific file format may be required. Anyone who can read this service key in the cockpit holds the private key, so restrict cockpit access accordingly and treat the exported key as a secret.
  • External Certificate: Service key into which you upload an existing X.509 client certificate that was issued outside SAP BTP, by a tool or CA of your choice. Only the certificate is uploaded; the private key stays with the system that owns it.

In this course, we will use the ClientId/Secret service key for authentication from SAP S/4HANA and the SAP BTP-generated Certificate for authentication from SAP Sales and Service Cloud Version 2.

Hint

If you want to use the External Certificate type, remember that the certificate must be signed by one of the certificate authorities that the Load Balancer trusts; check its issuer chain before uploading it. You can find more details about this in the following section.

Once a Service Key is created, you can view it in the SAP BTP Cockpit either as a form dialog or as JSON.

BTP cockpit showing the 2 service keys of the course, one opened

Depending on the service key type, it contains different fields. In addition to the credential data, the URL field contains the hostname of the Cloud Integration runtime. This is useful when configuring other systems, especially if you have not deployed an integration flow yet and therefore cannot look up the runtime endpoint there.

You can find more details on service key types in the SAP Help Portal.

Load Balancer and Client Certificates

A Load Balancer in front of Cloud Integration terminates incoming TLS connections and is therefore the component that verifies client certificates during the handshake. Client certificates must consequently be signed by a Certificate Authority (CA) in the Load Balancer's trust store. Customers cannot change that trust store, so certificates issued by any other public or private CA, including your own in-house CA or self-signed certificates, are rejected before the request ever reaches an integration flow.

You can find further information about this, including the supported CAs in the SAP Help Portal.

ClientId/Secret Service Key for Connections from SAP S/4HANA

In this course, Basic Authentication is used to connect SAP S/4HANA to Cloud Integration (path 1 in the landscape diagram). Therefore, a Service Key of the type ClientId/Secret is created.

The clientId field of this service key is used as the username and the clientSecret field as the password. Enter them in the Consumer Proxy (or in the Logon Data if Service Groups are used) for the web service call from SAP S/4HANA.

The name of the service key can be chosen freely. It is only needed to identify and manage the service key. Unlike security materials within Cloud Integration, which are referenced by integration flows and used for outbound connections, it is not needed elsewhere.

The video at the end of this section demonstrates how to create the service key.

Certificate Service Key for Connections from SAP Sales and Service Cloud Version 2

In this course, SAP Sales and Service Cloud Version 2 uses a client certificate to authenticate against Cloud Integration (path 3 in the landscape diagram). Unlike Cloud Integration, which is shipped with a client certificate, the cloud CRM does not offer one.

However, SAP BTP can generate a client certificate by creating a Service Key of the type Certificate. You can find more information about this in the SAP Help Portal.

The only challenge with this approach is that SAP Sales and Service Cloud Version 2 expects a password-protected PKCS#12 (.pfx) file containing the client certificate together with its private key, whereas SAP BTP shows these as two separate PEM text snippets in the service key. The .pfx file therefore has to be assembled manually with third-party tools such as OpenSSL, which is not covered in this course; the procedure is explained, for instance, in this SAP Community article. Handle the exported private key like any other secret: keep it out of tickets and chat tools, and delete temporary files once the upload is done.
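As an added example that is not part of this course or of SAP's tooling, the following Python script assembles the .pfx file from the JSON view of a Certificate service key. It assumes that the JSON carries the PEM certificate and private key as string fields named certificate and key (searched at any nesting level; the constructed sample keeps them under oauth, which is an assumed layout, so compare with the JSON view of your own key) and that the OpenSSL command line tool is installed for the export step. The same pem_block_types check is useful later in this lesson to confirm that the certificate downloaded from the Cloud Integration keystore contains no private key.

```python
"""Assemble a password-protected PKCS#12 (.pfx) from the JSON view of an SAP BTP
'Certificate' service key. Added example, not SAP tooling. Assumptions: the PEM
certificate and private key are string fields named "certificate" and "key"
(any nesting level); the OpenSSL CLI is on PATH for the export step."""
import json
import os
import re
import subprocess
from pathlib import Path

# One PEM block; the backreference forces BEGIN and END labels to agree,
# so "RSA PRIVATE KEY", "PRIVATE KEY" and "CERTIFICATE" are all recognised.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)


def pem_block_types(pem_text: str) -> list[str]:
    """Labels of all PEM blocks in a blob, in order of appearance."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]


def is_public_only(pem_text: str) -> bool:
    """True if the blob holds certificates and nothing else. Run it on the
    certificate downloaded from the Cloud Integration keystore: it must not
    carry a PRIVATE KEY block, which is why that file needs no encryption."""
    types = pem_block_types(pem_text)
    return bool(types) and all(t == "CERTIFICATE" for t in types)


def _find_field(obj, name: str):
    """Depth-first search for a string field anywhere in the JSON tree."""
    if isinstance(obj, dict):
        if isinstance(obj.get(name), str):
            return obj[name]
        obj = list(obj.values())
    if isinstance(obj, list):
        for child in obj:
            found = _find_field(child, name)
            if found is not None:
                return found
    return None


def service_key_to_pem(service_key_json: str) -> tuple[str, str]:
    """Return (certificate_pem, key_pem) from a Certificate-type service key.
    json.loads turns the JSON "\\n" escapes into real newlines; a literal
    backslash-n left over from copying the form view is repaired as well."""
    data = json.loads(service_key_json)
    cert, key = _find_field(data, "certificate"), _find_field(data, "key")
    if cert is None or key is None:
        raise ValueError("no 'certificate'/'key' fields: not a Certificate service key?")
    cert = cert.replace("\\n", "\n").strip() + "\n"
    key = key.replace("\\n", "\n").strip() + "\n"
    if not is_public_only(cert):
        raise ValueError("'certificate' field does not hold a CERTIFICATE block")
    if not any(t.endswith("PRIVATE KEY") for t in pem_block_types(key)):
        raise ValueError("'key' field does not hold a PRIVATE KEY block")
    return cert, key


def build_pfx(cert_pem: str, key_pem: str, out_path: Path, passphrase: str,
              friendly_name: str = "btp-client-cert") -> Path:
    """Write the PEM pair to temporary files, wrap them into a password-protected
    PKCS#12 with OpenSSL and remove the plaintext key again. The passphrase goes
    through the environment, not argv, so it is not visible in the process list.
    Add "-legacy" if the consumer cannot read OpenSSL 3 defaults (AES-256, PBKDF2)."""
    cert_file = out_path.with_suffix(".tmp.crt")
    key_file = out_path.with_suffix(".tmp.key")
    cert_file.write_text(cert_pem)
    key_file.touch(mode=0o600)  # owner-only before any key material is written
    key_file.write_text(key_pem)
    try:
        subprocess.run(
            ["openssl", "pkcs12", "-export", "-in", str(cert_file),
             "-inkey", str(key_file), "-name", friendly_name,
             "-out", str(out_path), "-passout", "env:PFX_PASSPHRASE"],
            env={**os.environ, "PFX_PASSPHRASE": passphrase}, check=True)
    finally:
        cert_file.unlink(missing_ok=True)
        key_file.unlink(missing_ok=True)  # never leave the plaintext key behind
    return out_path


# Constructed sample shaped like the cockpit's JSON view of a Certificate
# service key. The PEM bodies are placeholders, NOT a real certificate or key;
# they only exercise the parsing, OpenSSL would reject them.
SAMPLE_SERVICE_KEY = json.dumps({
    "url": "https://cpi-runtime.example.com",
    "oauth": {
        "clientid": "sb-example-client-id",
        "certificate": "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n"
                       "-----END CERTIFICATE-----\n",
        "key": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder...\n"
               "-----END RSA PRIVATE KEY-----\n",
    },
})

if __name__ == "__main__":
    import getpass
    import sys

    if len(sys.argv) != 3:
        sys.exit("usage: btp_service_key_to_pfx.py <service-key.json> <out.pfx>")
    cert_pem, key_pem = service_key_to_pem(Path(sys.argv[1]).read_text())
    pfx = build_pfx(cert_pem, key_pem, Path(sys.argv[2]),
                    getpass.getpass("PFX passphrase: "))
    print(f"wrote {pfx}; upload it to SAP Sales and Service Cloud Version 2")
```

Save the service key JSON from the cockpit to a file, run the script with that file and the desired output name, and upload the resulting .pfx together with its passphrase to SAP Sales and Service Cloud Version 2. Delete the JSON file afterwards: it contains the private key in plain text.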

Video: Preparing Service Keys for Inbound Authentication in SAP BTP

The following video demonstrates how to create the service keys in the SAP BTP Cockpit.

Prepare Outbound Authentication

In outbound communication scenarios (paths 2 and 4 in the landscape diagram), Cloud Integration acts as the client and must authenticate itself to the target system. Authentication details for outbound connections are maintained centrally in the Cloud Integration WebUI and are only referenced by name from the integration flows that use them. This way, integration flows themselves never contain secret data such as passwords, and a credential can be rotated in one place without redeploying the flows.

Depending on the authentication method, they can be maintained in the following locations:

  • Basic Authentication:
    • Monitor → Manage Security → Security Material tile.
    • The security artifact for username and password is called User Credential.
  • Client Certificates:
    • Monitor → Manage Security → Keystore tile.
    • Cloud Integration comes with a valid client certificate, which can be found in the keystore under the name sap_cloudintegrationcertificate with the type Key Pair.
Overview with tiles of the Monitor view

Basic Authentication for Connections to SAP S/4HANA

In this course, Basic Authentication is used to connect Cloud Integration to SAP S/4HANA (path 4 in the landscape diagram). Therefore, a Security Material of type User Credential must be created to store the username and password of the SAP S/4HANA technical communication user.

You can freely choose the name for the security material. It’s advisable to create a consistent naming convention that matches your environment and requirements, especially in larger setups with multiple systems and users. Use clear, organized names that indicate the purpose, direction, and systems involved.

In the video at the end of this section that shows the creation of the security material, the credential is called SSCv2_to_S4 to indicate that it is used for the integration scenario between SAP Sales and Service Cloud Version 2 and SAP S/4HANA.

Client Certificate for Connections to SAP Sales and Service Cloud Version 2

In this course, Cloud Integration's own client certificate is used to authenticate against SAP Sales and Service Cloud Version 2 (path 2 in the landscape diagram).

This certificate is automatically available in every Cloud Integration tenant. You don't need to generate or request it. You can find it in Monitor → Manage Security → Keystore with the name sap_cloudintegrationcertificate and the type Key Pair.

To use it, download the certificate from Cloud Integration’s keystore and upload it to the target system (SAP Sales and Service Cloud Version 2).

Finally, configure the receiver channel of the integration flow to use Client Certificate as the authentication method and either enter sap_cloudintegrationcertificate in the Private Key Alias field or leave that field empty, in which case the sap_cloudintegrationcertificate key pair is used by default.

This allows secure and reliable certificate-based authentication without revealing usernames or passwords. The process is also shown in the following video.

Please note that the private key of Cloud Integration's client certificate never leaves Cloud Integration. What you download and upload to the other system is only the public certificate, which contains no secret information, so the file does not need to be encrypted. The target system uses it during the TLS handshake to verify that the connecting client proves possession of the matching private key and therefore really is your Cloud Integration tenant. Like any certificate, it has an expiry date: keep track of it so that the renewed certificate is uploaded to the target system before the old one expires.

Video: Preparing Credentials for Outbound Authentication in Cloud Integration

The following video shows how to set up the authentication details for the outbound connections, including:

  • Creation of a security material for authentication against SAP S/4HANA.
  • Download the Cloud Integration client certificate and upload it to SAP Sales and Service Cloud Version 2.