
Service Key doesn't rotate when rebinding

Animatron56
Participant

I'm currently working on Feature-Set-A on the SAP BTP and trying to rotate the service keys of our services for more security.

This is done by unbinding and binding the services again.

I have noticed that for some services (i.e. the portal service) the service keys don't change. (Everything, including the clientsecret, stays the same.)

Therefore I was wondering if this behavior works as designed or if there is an issue with the service key?

I would also appreciate it if someone could link me to good documentation about how service keys work and how they rotate. (I somehow only found docu for how to create and rotate service keys.)

Thank you very much in advance!

pfefferf
Active Contributor
0 Kudos

What are you using? Instance or Binding Secrets?

Animatron56
Participant
0 Kudos

I used instance secret.

Another thing I was wondering about is that when I create service keys in the cockpit, the keys get created in different ways (instance secret and binding secret). The instance secret doesn't change and the binding secret does. What is the difference between these and can I somehow influence the secret type?

Accepted Solutions (0)

Answers (1)

Ivan-Mirisola
Product and Topic Expert

Hi beniseeger_98,

The documentation clearly states that in order to rotate secrets, you must unbind and rebind the instance so the secrets will rotate properly:

https://help.sap.com/products/BTP/65de2977205c403bbc107264b8eccf4b/618441ba629e4348831e5e5e51521592....?

Keep in mind that in order to be able to use rotating binding secrets you must enable it in the xs-security.json file when you create your xsuaa instance:

https://help.sap.com/products/BTP/65de2977205c403bbc107264b8eccf4b/dcee867db42e48d7b4f3243e41695a7a....?

Instance secrets are by-design non-rotatable. Meaning: if you really need the instance secret to change, you must first change the xsappname and redeploy both application and xsuaa instance. This is also explained in the documentation:

https://help.sap.com/products/BTP/65de2977205c403bbc107264b8eccf4b/8bfbbf5fb2094f8fafc9295ce6ea37a1....?

Hope this helps.

Best regards,
Ivan
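
An added example, not part of the original thread and not SAP code: a check that compares the service key fetched before and after an unbind/rebind and reports whether the client secret actually rotated, logging only fingerprints. The sample keys and descriptor are constructed, and the `credential-type` field and the `oauth2-configuration` / `credential-types` setting names are assumptions about the XSUAA key and xs-security.json layout.

```python
import hashlib
import hmac

# Constructed placeholders, not real credentials. Assumption: the service key
# carries a "credential-type" field next to clientid/clientsecret.
KEY_BEFORE = {"clientid": "sb-demo!t1", "clientsecret": "secret-A",
              "credential-type": "instance-secret"}
KEY_AFTER_INSTANCE = dict(KEY_BEFORE)  # rebind handed back identical values
KEY_AFTER_BINDING = {"clientid": "sb-demo!t1", "clientsecret": "secret-B",
                     "credential-type": "binding-secret"}
# Constructed xs-security.json content; the key names are an assumption.
XS_SECURITY = {"xsappname": "demo",
               "oauth2-configuration": {"credential-types": ["binding-secret"]}}


def fingerprint(secret: str) -> str:
    """Short SHA-256 prefix, so the secret itself never reaches a log."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def binding_secrets_enabled(xs_security: dict) -> bool:
    """True if the descriptor requests per-binding secrets."""
    oauth = xs_security.get("oauth2-configuration", {})
    return "binding-secret" in oauth.get("credential-types", [])


def check_rotation(before: dict, after: dict) -> dict:
    """Compare the keys fetched before and after an unbind/rebind."""
    old, new = before["clientsecret"], after["clientsecret"]
    cred_type = after.get("credential-type", "unknown")
    rotated = not hmac.compare_digest(old.encode(), new.encode())
    if rotated:
        verdict = "rotated"
    elif cred_type == "instance-secret":
        verdict = "static-by-design"  # shared by every binding of the instance
    else:
        verdict = "investigate"       # a binding secret should have changed
    return {"rotated": rotated, "credential_type": cred_type,
            "old_fp": fingerprint(old), "new_fp": fingerprint(new),
            "verdict": verdict}


if __name__ == "__main__":
    print(binding_secrets_enabled(XS_SECURITY))
    print(check_rotation(KEY_BEFORE, KEY_AFTER_INSTANCE))
    print(check_rotation(KEY_BEFORE, KEY_AFTER_BINDING))
```

A `static-by-design` verdict matches the instance-secret behaviour described in the answer above; `investigate` means a key that should have rotated did not.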

Animatron56
Participant
0 Kudos

Hi ivan.mirisola

Yes, that helps a lot, thank you very much!

So the portal service uses an instance secret which is currently not very easy to rotate.

Will SAP change the secret type of the portal service to binding secret in the future?

Is there a list of services which use the instance / binding secret today?

Best regards,

Benjamin

Ivan-Mirisola
Product and Topic Expert
0 Kudos

Hi beniseeger_98,

The Portal Service has been replaced by Launchpad Service on BTP. This newer service doesn't allow multiple instances as it is subscription based. Therefore, there is no service secret for it. Also, there is no API for the Launchpad service yet.

Would you mind stating the use case you are trying to achieve with binding secrets?

Perhaps with a concrete example we could better assist you.

Best regards,

Ivan