Introducing SAP Cloud Platform Credential Store

A Secure Repository of Credentials for Applications Running on SAP Cloud Platform

by Dimitar Mihaylov and Gerlinde Zibulski | SAPinsider, Volume 20

November 20, 2019

Secure connections between applications are critical in modern, hyperconnected landscapes. The SAP Cloud Platform Credential Store service enables highly secure connections between applications in cloud-based landscapes by storing the required credentials and making them available to applications via a REST API. This article provides an overview of the key concepts and configuration tasks that are required to use this service in SAP Cloud Platform landscapes.


No software application runs completely alone in a technology landscape — there is always some type of connection and integration with other applications. This is especially true in the modern age of hyperconnectivity, where even the most basic SAP S/4HANA implementation connects to a wide variety of other services and extensions in all combinations, including cloud to cloud, on premise to cloud, and cloud to on premise. For example, many SAP customers extend their on-premise SAP S/4HANA implementations with cloud applications such as SAP SuccessFactors and SAP Concur solutions, which means that employee payroll results or travel expenses have to be transferred from these solutions into the SAP S/4HANA system to keep the accounting information correct and up to date.

A secure connection to another application in an SAP environment requires some form of login credentials — for example, to book wages from an HR system into a financials system, you need an application-to-application connection where you maintain a technical user and a password. In the on-premise world, this is done using remote function call (RFC) and HTTP connections in SAP NetWeaver Application Server ABAP or using system connections via an SAP Process Integration server. To support this requirement in the cloud world, with its heightened need for both connectivity and security, SAP offers the SAP Cloud Platform Credential Store service as a part of SAP Cloud Platform.

This article introduces SAP Cloud Platform Credential Store and provides system administrators and application developers with an overview of the configuration tasks that are required to use this service.

A Secure Repository for Credentials

Released in February 2019, the SAP Cloud Platform Credential Store service provides a secure repository of passwords and keys for applications running on SAP Cloud Platform. Applications can retrieve these credentials and use them, for instance, to authenticate to external applications and perform cryptographic operations, such as signing and verifying digital signatures or encrypting and decrypting data. The service is exposed to applications via a REST application programming interface (API), and all communications are encrypted via the Transport Layer Security (TLS) protocol and an additional payload encryption to ensure end-to-end confidentiality of the data in transit.

SAP Cloud Platform Credential Store is enabled for all SAP Cloud Platform accounts that have the consumption-based commercial model. The service runs on the Cloud Foundry environment, and is globally available for the following Cloud Foundry regions and platforms:

  • Europe (Frankfurt) running on Amazon Web Services

  • Europe (Netherlands) running on Microsoft Azure

  • Australia (Sydney) running on Amazon Web Services

  • Brazil (São Paulo) running on Amazon Web Services

  • Canada (Montreal) running on Amazon Web Services

  • Japan (Tokyo) running on Amazon Web Services

  • Singapore running on Amazon Web Services

  • US East (Virginia) running on Amazon Web Services

  • US West (Washington) running on Microsoft Azure

Figure 1 provides an overview of the architecture of the SAP Cloud Platform Credential Store service. In the following sections, we will walk through the steps required to enable the service for consumption by applications, including how to create an instance of the service, how to provision credentials to an application by either binding the instance to an application or creating a service key, and how to enable applications to access those credentials using the REST API.


Figure 1 — An architectural overview of the SAP Cloud Platform Credential Store service


Creating an Instance of the Service

To consume the SAP Cloud Platform Credential Store service, you must create an instance of the service. There are two ways to create this instance — you can use the SAP Cloud Platform cockpit or, alternatively, you can use the Cloud Foundry Command Line Interface (CLI), which is best suited for use in automation scripts and continuous integration/continuous deployment pipelines. Let’s take a closer look at the tasks involved in each approach.

Using the SAP Cloud Platform Cockpit

To create an instance of the SAP Cloud Platform Credential Store service using the SAP Cloud Platform Cockpit, navigate to your SAP Cloud Platform global account and the relevant subaccount in the cockpit. In your Cloud Foundry space, open the Service Marketplace section to view the available services and click on the tile for the SAP Cloud Platform Credential Store service (see Figure 2).


Figure 2 — Select the tile for SAP Cloud Platform Credential Store from the Service Marketplace


In the service, click on Instances > New Instance (Figure 3). Enter a name for the new service instance (my-credstore in the example) and then follow the guidance of the creation wizard to complete the definition (see Figure 4) — leave the default settings. As you can see, the “standard” service plan is preselected during the service instance creation and it includes a predetermined quota for number of credentials, storage size, API calls per second, and number of bindings.


Figure 3 — Creating a new instance in the SAP Cloud Platform cockpit


Figure 4 — Define the new instance using the creation wizard


Once the definition is complete, the new instance of the service is created and listed (see Figure 5).


Figure 5 — The newly defined instance of the SAP Cloud Platform Credential Store service


Using the Cloud Foundry CLI

In addition to using the SAP Cloud Platform cockpit, you can also use the Cloud Foundry CLI to view services, and to create and view service instances. To use the Cloud Foundry CLI, you must first install it.

Once the Cloud Foundry CLI is installed, you can view the available services in the Service Marketplace using the “cf marketplace” command, as shown in Figure 6. As you can see, it lists the services available from the Service Marketplace along with brief details about each service. The SAP Cloud Platform Credential Store service is listed as “credstore” with a description and information about the various plans available for the service.


Figure 6 — Using the Cloud Foundry CLI to view the available services in the Service Marketplace


To create an instance of the service, use the “cf create-service” command and to view the created service, use the “cf services” command. Figure 7 shows the creation of the my-credstore service and the display of the created service using these commands in the Cloud Foundry CLI.


Figure 7 — Using the Cloud Foundry CLI to create and view the service instance


Provisioning the Required Credentials

Once the service instance is created, you need to provision the credentials required for an application to access the instance. Depending on the application, you can either bind the service instance to an application or you can create a service key. As with creating an instance of the service, you can use either the SAP Cloud Platform cockpit or the Cloud Foundry CLI for these tasks.

Binding the Instance to an Application

Binding can be used with an application — such as a custom-developed application or third-party application that has an integration with the service — that runs on Cloud Foundry. To use the cockpit to bind the instance to an application, go to the newly created instance of the service (my-credstore in the example), choose Bind Instance, and then specify the application to which you want to bind the instance. 

In the example, we bind the service instance my-credstore to my-demoapp (see Figure 8), which is a sample application that uses the service — that is, it reads and writes credentials from and to the service. Figure 9 shows the newly defined binding of the service instance to the application.


Figure 8 — Binding the service instance to an application in the SAP Cloud Platform cockpit


Figure 9 — The newly created binding


Alternatively, you can use the Cloud Foundry CLI to bind the service to the application using the “cf bind-service” command. In Figure 10, the command is used to bind the my-credstore service instance to the application my-demoapp.


Figure 10 — Using the Cloud Foundry CLI to bind the service instance to an application


Creating a Service Key

If the service instance will be used by applications or services that are running in another Cloud Foundry space or outside of Cloud Foundry, then you can create a service key.

As with the service instance and the binding, the service key can be created using either the SAP Cloud Platform cockpit (by selecting Service Keys in the relevant service instance) or the Cloud Foundry CLI (by using the command “cf create-service-key”).
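The cockpit steps above (create the instance, bind it to an application, create a service key) are the ones the article says are better scripted with the Cloud Foundry CLI in automation and CI/CD pipelines. The following script is an added example, not code from the article or from SAP: it wraps the cf commands the article names (cf marketplace, cf create-service, cf service(s), cf bind-service, cf create-service-key) in a dry-run-capable Python module. The instance name my-credstore and application name my-demoapp come from the article; the service key name my-credstore-key and the sample marketplace output are constructed here.

```python
"""Provision an SAP Cloud Platform Credential Store instance with the cf CLI.

Added example (not from the article or SAP). Runs the cf commands the article
names; with dry_run=True it only returns the commands it would execute.
"""
import subprocess
import sys
from typing import List, Optional

SERVICE_NAME = "credstore"  # marketplace name shown by "cf marketplace" (from the article)
SERVICE_PLAN = "standard"   # plan the cockpit wizard preselects (from the article)

# Constructed sample of "cf marketplace" output, used only for the offline check below.
SAMPLE_MARKETPLACE = """\
Getting services from marketplace in org demo / space dev as admin...
OK

service      plans                 description
credstore    standard              Credential store for applications on SAP Cloud Platform
xsuaa        application, broker   Manage application authorizations
"""


def marketplace_offers(marketplace_output: str, service: str) -> bool:
    """True if the text printed by "cf marketplace" has a row for `service`.

    Each data row starts with the service name as its first whitespace token.
    """
    for line in marketplace_output.splitlines():
        fields = line.split()
        if fields and fields[0] == service:
            return True
    return False


def create_instance_cmd(instance: str) -> List[str]:
    # cf create-service SERVICE PLAN SERVICE_INSTANCE
    return ["cf", "create-service", SERVICE_NAME, SERVICE_PLAN, instance]


def status_cmd(instance: str) -> List[str]:
    # Single-instance form of the article's "cf services"; shows the create status
    return ["cf", "service", instance]


def bind_cmd(app: str, instance: str) -> List[str]:
    # cf bind-service APP_NAME SERVICE_INSTANCE
    return ["cf", "bind-service", app, instance]


def restage_cmd(app: str) -> List[str]:
    # A new binding reaches a running app's environment only after a restage
    return ["cf", "restage", app]


def service_key_cmd(instance: str, key_name: str) -> List[str]:
    # cf create-service-key SERVICE_INSTANCE SERVICE_KEY
    # The key's credentials are shown by "cf service-key"; never echo that into CI logs.
    return ["cf", "create-service-key", instance, key_name]


def run(cmd: List[str], dry_run: bool) -> Optional[str]:
    """Execute one cf command and return its stdout; in dry-run mode do nothing."""
    if dry_run:
        return None
    completed = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return completed.stdout


def provision(instance: str, app: Optional[str] = None,
              key_name: Optional[str] = None, dry_run: bool = False) -> List[List[str]]:
    """Create the instance, then bind it to `app` and/or create a service key.

    Returns the commands in the order they were (or, in dry-run, would be) run.
    """
    plan: List[List[str]] = [create_instance_cmd(instance), status_cmd(instance)]
    if app:
        plan += [bind_cmd(app, instance), restage_cmd(app)]
    if key_name:
        plan.append(service_key_cmd(instance, key_name))
    for cmd in plan:
        run(cmd, dry_run)
    return plan


if __name__ == "__main__":
    dry = "--dry-run" in sys.argv
    if not marketplace_offers(SAMPLE_MARKETPLACE, SERVICE_NAME):
        sys.exit("credstore is not offered in this marketplace sample")
    for cmd in provision("my-credstore", app="my-demoapp",
                         key_name="my-credstore-key", dry_run=dry):
        print(" ".join(cmd))
```

Run it with `--dry-run` to print the command sequence without a cf login; without the flag it requires an authenticated cf CLI targeted at the space. The restage after binding is deliberate: the binding is injected into the application's environment only when the app is staged again.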

Enabling Applications to Access Credentials

Once the service instance is bound to an application, that application is able to access the SAP Cloud Platform Credential Store service via the REST API, which is used to perform operations such as read and write on stored credentials.

The service supports two types of credentials — password and key. The password credential has a name, a text value up to 4,096 characters, and the optional attribute username. The key credential has a name, a binary value up to 32KB, and the optional attributes username and format. Via the REST API, credentials of these types can be listed, created, read, updated, and deleted. The stored credentials are logically isolated using namespaces, which can correspond to a customer, a subaccount (tenant), or anything else specific to an application. Each credential operation is executed in the context of a namespace.

To heighten security, the service uses an encrypted TLS connection, encrypts all response payloads, and requires that clients — that is, the applications that read and write credentials into a service instance — encrypt the request payloads.
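To make the data model concrete, here is an added example that is not part of the article or of the SAP service's own code: an in-memory model of the two credential types with the limits the article lists (password value up to 4,096 characters with an optional username; key value binary up to 32KB with optional username and format), and list/create/read/update/delete operations that are always executed in the context of a namespace, so that one namespace can never see another's entries. Assumptions: 32KB is read as 32 * 1024 bytes, and the class and method names are chosen here, not taken from the REST API; the TLS and payload encryption the article describes are outside this model.

```python
"""In-memory model of SAP Cloud Platform Credential Store's credential types
and namespace isolation. Added example, not code from the article or SAP."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

MAX_PASSWORD_CHARS = 4096      # text value limit stated in the article
MAX_KEY_BYTES = 32 * 1024      # assumption: the article's "32KB" read as 32 KiB


@dataclass
class PasswordCredential:
    name: str
    value: str                  # text value, up to 4,096 characters
    username: Optional[str] = None

    def __post_init__(self) -> None:
        if not self.name:
            raise ValueError("credential name is required")
        if len(self.value) > MAX_PASSWORD_CHARS:
            raise ValueError(f"password value exceeds {MAX_PASSWORD_CHARS} characters")


@dataclass
class KeyCredential:
    name: str
    value: bytes                # binary value, up to 32KB
    username: Optional[str] = None
    format: Optional[str] = None

    def __post_init__(self) -> None:
        if not self.name:
            raise ValueError("credential name is required")
        if not isinstance(self.value, (bytes, bytearray)):
            raise TypeError("key value must be binary")
        if len(self.value) > MAX_KEY_BYTES:
            raise ValueError(f"key value exceeds {MAX_KEY_BYTES} bytes")


Credential = Union[PasswordCredential, KeyCredential]


def kind_of(cred: Credential) -> str:
    return "password" if isinstance(cred, PasswordCredential) else "key"


class CredentialStore:
    """Credentials keyed by (namespace, type, name); no operation crosses namespaces."""

    def __init__(self) -> None:
        self._entries: Dict[Tuple[str, str, str], Credential] = {}

    def create(self, namespace: str, cred: Credential) -> None:
        key = (namespace, kind_of(cred), cred.name)
        if key in self._entries:
            raise KeyError(f"{key[1]} credential '{cred.name}' already exists in '{namespace}'")
        self._entries[key] = cred

    def read(self, namespace: str, kind: str, name: str) -> Credential:
        # A name that exists only in another namespace is reported as absent here.
        try:
            return self._entries[(namespace, kind, name)]
        except KeyError:
            raise KeyError(f"no {kind} credential '{name}' in '{namespace}'") from None

    def update(self, namespace: str, cred: Credential) -> None:
        key = (namespace, kind_of(cred), cred.name)
        if key not in self._entries:
            raise KeyError(f"no {key[1]} credential '{cred.name}' in '{namespace}'")
        self._entries[key] = cred

    def delete(self, namespace: str, kind: str, name: str) -> None:
        self.read(namespace, kind, name)  # same not-found behaviour as read
        del self._entries[(namespace, kind, name)]

    def list(self, namespace: str, kind: str) -> List[str]:
        return sorted(n for (ns, k, n) in self._entries if ns == namespace and k == kind)


if __name__ == "__main__":
    store = CredentialStore()
    # Constructed sample: one tenant stores the technical user for an ERP connection.
    store.create("tenant-a", PasswordCredential("erp-user", "example-only", username="TECH_USER"))
    store.create("tenant-a", KeyCredential("signing-key", b"\x00" * 32, format="raw"))
    print(store.list("tenant-a", "password"), store.list("tenant-b", "password"))
```

The namespace is part of the lookup key rather than a filter applied afterwards, so a caller that only holds a handle for tenant-b cannot enumerate or read tenant-a's entries even by guessing names.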

Looking Ahead

The SAP Cloud Platform Credential Store service allows SAP customers to securely manage, administer, and store credentials to enable application-to-application connections in the cloud. Going forward, SAP plans to extend its support for secure connections in customer landscapes by building a key management service that integrates with SAP Cloud Platform Credential Store, integrates with major hyperscalers’ key management services, and allows customers to use their own private keys.

Learn more at http://bit.ly/CredentialStore.

Dimitar Mihaylov

Dimitar Mihaylov (dimitar.mihaylov@sap.com) works in SAP Labs Bulgaria as a Development Manager in the SAP Global Security organization. His team is responsible for the development and operations of the SAP Cloud Platform Credential Store service. Dimitar received a Master of Science degree in Computer Science from Sofia University in Bulgaria.


Gerlinde Zibulski

Gerlinde Zibulski (gerlinde.zibulski@sap.com) works at SAP as a Senior Security Development Manager. She leads a team of security developers and architects that builds products such as the SAP Cloud Platform Credential Store service and consults with internal developers about how to develop software securely. In her almost 21-year tenure with SAP, Gerlinde has spent 16 years in the area of security.



