
SAP API Management Client Certificate Authentication for On-Premise System

Hello Community,

is it possible to pass a Client Certificate to API Management for an On-Premise System?

This blog describes how it works for type "Internet" but it is not working for type "On-Premise":

https://blogs.sap.com/2018/01/19/sap-cloud-platform-api-management-client-certificate-authentication-for-api-calls/

If it is not possible, which other options besides "Basic Authentication" are available? I also tried with "Principal Propagation" as described here:

https://help.sap.com/viewer/66d066d903c2473f81ec33acfe2ccdb4/Cloud/en-US/6304b22240784574b05a2210430a46e2.html

But this is also not working for me. Without using API Management and going directly from the Cloud Application through Cloud Connector to the On-Premise System, Principal Propagation is working fine.

With Basic Authentication everything is working fine as well but this is not safe enough?

What is the best way in your eyes to authenticate a user in a scenario of MachineToMachine communication? In my eyes Client Certificates are good for that, but I have no idea how to pass them over API Management to my Backend system.

Best Regards,

Chris


4 Answers

  • May 11 at 08:52 PM

    Dear Christoffer,

    As you successfully found, from the API provider it is possible to use Cloud Connector:

    https://help.sap.com/viewer/66d066d903c2473f81ec33acfe2ccdb4/Cloud/en-US/6b263e2c1b2d4d9ba20bcd7872eedd9e.html

    It says: "Choose On Premise to connect to the on premise system through Cloud Connector". From SCP to on-prem, Cloud Connector is in most cases required and the connection can only be on-premise. The help describes all the destination parameters as well.

    Regarding your inquiry, it is possible to use client certificate authentication from SAP Cloud Platform. The following SAP help describes the procedure. I deem the option is available in API Management as well. See hints from SAP help. You need to create such a destination:

    https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/9018a9e54b3c48d98aa63538d47bdcd6.html?q=client%20certificate

    Then on the Cloud Connector side, it is described in the SCC Help how it should be configured:

    https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/d0c4d5675d4f4bc78a5b7a7b8687c841.html?q=client%20certificate

    By the way, you can choose among many options based on your requirements:

    https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/c84d4d0b12d34890b334998185f49e88.html

    Regards,
    Barnabás


  • May 14 at 08:21 AM

    Hi Barnabás, Thanks for your reply :)

    As I said, my Cloud Connector is configured for Principal Propagation and it is working fine in the scenario of HTML5 applications which are hosted on SCP. Here I get the user authentication from my SAML IDP and pass it to my destination of type "On-Premise" with authentication "PrincipalPropagation".

    Now I have the scenario where external vendors consume APIs (running on my SAP ERP system) in their backend systems without using HTML5 applications. So I don't have the opportunity of using my SAML IDP because no Web Browser is involved. Or is this possible? My idea here was to use Client Certificates, which is the standard in the scenario of "MachineToMachine" communication.

    I don't want the external vendors to consume my APIs in my backend system directly, so I want to route the API calls to the API Management service of SCP. Here I want to read the client certificate and pass it to my API Provider (Backend System) via Cloud Connector. Is this scenario possible or are there better solutions?

    In API Management it is not possible (in my eyes) to pass the certificate to Cloud Connector:

    Does anybody have ideas how I can achieve my scenario 2?

    Many thanks and best regards,

    Chris


  • May 16 at 10:21 AM

    Dear Christoffer,

    Based on the description of your scenario, it will not work with the settings you currently use (Proxy type=on-premise, using SCC). By the way in this scenario you can enable support for principal propagation with X.509 certificates, see SAP Help:

    https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/d0c4d5675d4f4bc78a5b7a7b8687c841.html

    However, this is not the same as your requirements. From SAP Cloud Platform it is not possible to choose an option and initiate a client certificate authentication using proxy type on-premise. SCC cannot handle those requests. It is supported only if you use "internet" type, but in this case SCC is not involved. Rather, you can set up a Web Dispatcher or load balancer where you can open HTTPS port 443.

    Another option can be, for example, if you choose the Authentication option "none" with proxy type on-premise, use SCC and set your application to initiate client certificate authentication. In this case only one authentication will be needed on the application side, but it is not a "real" principal propagation. Additionally, it can work with the principal propagation Authentication type on SCP API Management as well if you set client cert authentication on the application itself.

    Regards,
    Barnabás


    • Hi Barnabás, Thanks for your reply.

      What do you mean with "...and set your application to initiate client certificate authentication. In this case only one authentication will be needed in application side"? Which application? I call in API Management an OData Service in my Backend System; is this the "application"? I have set the Authentication in my API Provider now to "NONE" and in my Backend System in transaction SICF the authentication to SSL certificate. But it is still not working...

      Best regards,

      Chris

  • May 17 at 04:12 PM

    Is there really no solution for consuming APIs in On-Premise systems without a Client Application involved? I have created a picture showing my scenario.

    The Red scenario, where a Mobile Client uses an HTML5 application hosted on SCP, works fine. Here the user authenticates via SAML on my IDP and this can be propagated through API Management and through the Cloud Connector to my Backend System.

    In the Green scenario I don't have a mobile Client as a user and no application on SCP is involved. So I have no chance to include my SAML IDP for authentication. That is why I want to use a Client Certificate and pass this to API Management and then via Cloud Connector to my Backend System.

    Is this really not possible? If not what can I do instead?

    Best Regards,

    Chris
