Outbound Authentication within an iFlow using a Client Certificate Service Key

GregorSchuetz
Explorer
0 Kudos

Hello Everyone

I'm trying to use the "Integration Content" API, which is the API of your CPI, where e.g. you can read and write data about your deployed artifacts.


My goal is to read all deployed artifacts and then check the configurations of all Flows, checking whether the iFlow is using a credential (Alias) from the security material or not. Basically, I want to create an iFlow that gives me more monitoring capabilities on used credentials.

So far I've managed to set up the needed API calls and authentication in Postman and it works. But I can't seem to find a way to use that (see pictures below) type of authentication on the CPI.


Since I have to use a servicekey with a certificate, we don't have our typical oAuth credentials with clientid and clientsecret but clientid, certificate and key. So our servicekey would look something like this:

{
  "oauth": {
    "createdate": "123",
    "clientid": "123",
    "url": "123",
    "certificate": "-----BEGIN CERTIFICATE-----123-----END CERTIFICATE-----",
    "key": "-----BEGIN RSA PRIVATE KEY-----123-----END RSA PRIVATE KEY-----",
    "tokenurl": "123",
    "certificatedetails": {
      "issuerdn": "123",
      "subjectdn": "123",
      "validuntil": "123",
      "serialnumber": "123"
    }
  }
}

The CPI also won't let you store oAuth 2.0 credentials like these, because we don't have a clientsecret, which is a mandatory field.

You may ask yourself, why I'm not using a servicekey, where I have the oAuth credentials with clientid and clientsecret. Well, I get a "403: Forbidden", when I try to read the configurations of deployed artifacts. To clarify, yes I did indeed use the same serviceinstance, so I had the same parameters for both servicekeys. If you're wondering which parameters I'm currently using in the instance:

{
  "grant-types": [
    "client_credentials"
  ],
  "redirect-uris": [],
  "roles": [
    "MessagePayloadsRead",
    "MonitoringDataRead",
    "MessageProcessingLocksRead",
    "AccessAllAccessPoliciesArtifacts",
    "AccessPoliciesRead",
    "AuthGroup_ReadOnly",
    "CatalogPackageArtifactsRead",
    "CatalogPackagesRead",
    "DataArchivingRead",
    "DataStorePayloadsRead",
    "DataStoresAndQueuesRead",
    "HealthCheckMonitoringDataRead",
    "SecurityMaterialDownload",
    "TraceConfigurationRead",
    "WorkspaceArtifactLocksRead",
    "WorkspacePackagesRead"
  ]
}
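
The token request that a certificate-type service key like the one above implies, shown outside the CPI in plain Python as an added example that is not part of the original post. It assumes the token endpoint accepts the OAuth 2.0 client-credentials grant with the client authenticated by its TLS client certificate instead of a client secret; `SAMPLE_KEY`, its host name and the function names are constructed for illustration.

```python
import json, os, ssl, tempfile
import urllib.parse, urllib.request

# Constructed sample with placeholder values, same field names as the service key above.
SAMPLE_KEY = {"oauth": {
    "clientid": "sb-example-client",
    "tokenurl": "https://tenant.example.invalid/oauth/token",
    "certificate": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n",
    "key": "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n",
}}
REQUIRED = ("clientid", "certificate", "key", "tokenurl")

def token_request(service_key):
    """Return (url, form_body) for a certificate-based client-credentials request."""
    oauth = service_key.get("oauth", {})
    missing = [f for f in REQUIRED if not oauth.get(f)]
    if missing:
        raise ValueError(f"not a certificate service key, missing: {missing}")
    if not oauth["tokenurl"].startswith("https://"):
        raise ValueError("token URL must be https, the certificate is presented over TLS")
    # No client_secret in the form: the TLS client certificate authenticates the client.
    form = {"grant_type": "client_credentials", "client_id": oauth["clientid"]}
    return oauth["tokenurl"], urllib.parse.urlencode(form).encode()

def fetch_token(service_key, timeout=10.0):
    """POST the request over mutual TLS and return the access token."""
    url, body = token_request(service_key)
    oauth = service_key["oauth"]
    ctx = ssl.create_default_context()  # still verifies the server certificate
    # load_cert_chain() needs file paths, so the PEM strings go into a private
    # temporary directory (0700) as 0600 files that are deleted once loaded.
    with tempfile.TemporaryDirectory() as tmp:
        paths = {}
        for name in ("certificate", "key"):
            paths[name] = os.path.join(tmp, name + ".pem")
            fd = os.open(paths[name], os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
            with os.fdopen(fd, "w") as fh:
                fh.write(oauth[name])
        ctx.load_cert_chain(paths["certificate"], paths["key"])
    req = urllib.request.Request(
        url, data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return json.load(resp)["access_token"]
```

`fetch_token` only works with a real service key and network access; the returned token is then sent as a Bearer token to the API.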

Accepted Solutions (1)

Daniil_Bolobono
Product and Topic Expert
GregorSchuetz
Explorer
0 Kudos

Hey Daniil


I wrote you an answer there.

Thank you and best regards
Gregor

Answers (1)

VijayKonam
Active Contributor
0 Kudos

With service key/secret it should be achievable. I suspect that the roles were not sufficient and hence you were getting a 403. However, even using a certificate and client id, you do have to define the role that service key has access to. You may just want to recheck the roles you gave to the service key.

GregorSchuetz
Explorer
0 Kudos

Hey Vijay

Thank you for your answer but I don't think that's the issue here, since both keys have been created in the same instance, so they both should have the same parameters, which includes the roles.

Best Regards,
Gregor