Hello Colleagues!
In this blog, we shall see how you can authenticate applications communicating with SAP HANA Cloud Integration. This blog is part of the series on Understanding Authentication & Testing Connectivity in HANA Cloud Integration. You can access all the blogs here.
The message-sending application can use the following authentication types to communicate with HANA Cloud Integration: basic authentication and certificate-based authentication.
The type of authentication is chosen per integration flow. You configure the option in the Sender Channel of an integration flow. See the diagram below:
Basic Authentication
To communicate with HANA Cloud Integration using basic authentication, you have to meet two requirements:
- An SCN-based user
- HANA Cloud Integration role assigned to the user (role name: ESBMessaging.Send).
HANA Cloud Integration authenticates based on the SCN credentials. SAP checks the identity of the back-end by evaluating the credentials against the user stored in the SCN database.
Note: Every customer is provisioned two tenants - test tenant and productive tenant. It is highly recommended that you restrict the use of basic authentication to your test tenant only.
Certificate-based Authentication
Let us take an example of a simplified landscape to understand how certificate-based authentication works:
The ERP system acts as the client. The BigIP load balancer authenticates itself against the ERP system (as a trusted server) when the connection is set up. In this case, the load balancer acts as the server, and the authentication is based on certificates. HANA Cloud Integration checks the identity of the customer system by evaluating the customer's client certificate chain. This means you have to get the ERP certificates signed by a Certifying Authority recognized by SAP.
The list of certifying authorities currently recognized by HANA Cloud Integration is provided in the documentation. (Documentation link: https://cloudintegration.hana.ondemand.com/PI/help -> Connecting a Customer System to SAP HCI -> Concepts of Secure Communication -> HTTPS-Based Communication -> Load Balancer Root Certificates Supported by SAP)
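A pre-flight check for the requirement above, as an added example that is not part of the original blog or any SAP tooling: it uses the `openssl` CLI (OpenSSL 1.1.1 or later assumed) to confirm that a client certificate chains to a root in your own copy of the recognized list and is usable for TLS client authentication. The function names, file names, and the throwaway roots and certificates it generates are constructed for the demonstration.

```shell
# Added example (not SAP tooling). ROOTS_PEM must contain only the root CAs
# copied from the documentation's recognized list.
# check_client_cert ROOTS_PEM CLIENT_PEM -> exit status 0 if acceptable
check_client_cert() {
    # SSL_CERT_DIR points at nothing so the system trust directory cannot
    # complete the chain; -purpose sslclient rejects server-only certificates.
    # Pass intermediates, if any, with openssl's -untrusted option.
    SSL_CERT_DIR=/nonexistent openssl verify -purpose sslclient \
        -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_demo_pki DIR: constructed test data. Two throwaway roots (rootA plays
# the recognized CA, rootB an unrecognized one) and two certs issued by rootA.
make_demo_pki() {
    cat > "$1/cnf" <<'EOF' || return 1
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed
[ext_ca]
basicConstraints = critical,CA:TRUE
[ext_client]
extendedKeyUsage = clientAuth
[ext_server]
extendedKeyUsage = serverAuth
EOF
    for r in rootA rootB; do
        openssl req -config "$1/cnf" -x509 -newkey rsa:2048 -nodes -days 2 \
            -subj "/CN=Constructed $r" -extensions ext_ca \
            -keyout "$1/$r.key" -out "$1/$r.pem" 2>/dev/null || return 1
    done
    openssl req -config "$1/cnf" -new -newkey rsa:2048 -nodes -subj "/CN=erp" \
        -keyout "$1/erp.key" -out "$1/erp.csr" 2>/dev/null || return 1
    for e in client server; do
        openssl x509 -req -in "$1/erp.csr" -CA "$1/rootA.pem" -set_serial 2 \
            -CAkey "$1/rootA.key" -days 1 -extfile "$1/cnf" \
            -extensions "ext_$e" -out "$1/erp-$e.pem" 2>/dev/null || return 1
    done
}

demo=$(mktemp -d) && make_demo_pki "$demo" || exit 1
for pair in rootA:client rootB:client rootA:server; do
    check_client_cert "$demo/${pair%%:*}.pem" "$demo/erp-${pair##*:}.pem" \
        && verdict=accept || verdict=reject
    echo "erp-${pair##*:} against ${pair%%:*}: $verdict"
done
rm -rf "$demo"
```

Only the client-purpose certificate issued by the root in the supplied list is accepted; the same certificate checked against a different root, and a server-only certificate from the listed root, are both rejected.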
An integration flow must authenticate the user making the request. As a prerequisite for this authentication process, the client root certificate has to be made available to SAP prior to the connection setup. You have to import the certificate in the integration flow's sender component -
Conclusion
When you want to authenticate to HANA Cloud Integration, you can do so using basic authentication or certificate-based authentication. The authentication of the customer system happens at the BigIP server. After a system is authenticated, the authorization of the message happens at the integration flow.
Best Regards,
Sujit