Using SAP Credential Store - AWS SDK for SAP ABAP

Using SAP Credential Store

SAP Credential Store is used in SAP Business Technology Platform to securely store credentials for secret access key authentication to AWS. You must have a subscription to use the service.

The following instructions assume that you have already configured an SDK profile. For more information, see Configuring AWS SDK for SAP ABAP.

Before commencing the configuration, ensure that you meet the prerequisites. For more information, see SAP Credential Store.

Configuration steps

Step 1: Configure settings for authentication

Use the following steps to configure the Credential Store settings for authentication.

  1. Navigate to the Settings tab of the SAP Credential Store instance.

  2. Select Edit Configurations:

    • Choose Mutual TLS as the Default Authentication Type.

    • Select Disabled for Payload Encryption Status. The payload is encrypted in transit with HTTPS. However, the payload cannot currently be double-encrypted.

  3. Select Save.

Step 2: Create a service key

Use the following steps to create a service key for Credential Store.

  1. In the left pane of the SAP Credential Store application, navigate to Service Keys.

  2. Select Create Service Key.

  3. Enter a name for the service key, and select Create.

The service key is created on the basis of the chosen authentication type. Download the service key, and keep it secure for later usage.

Step 3: Convert service key into .p12 format

A client certificate in the .p12 format is required to create an outbound user for the communication system. Use the following steps to generate a .p12 certificate from the certificate details provided in the Credential Store service key.

  1. Download the SAP Cloud Root CA certificate (required by SAP) from SAP Trust Center Services.

  2. Open the SAP Cloud Root CA certificate in a text editor. At the end of the file, press Enter, then paste the certificate from the certificate field of the service key. Replace each literal \n sequence with an actual new line (Enter), and save the entire file with a .cer extension.

  3. Copy the key from the key field of the service key. This private key must be treated as sensitive data. Paste it into a text file, replace each literal \n sequence with an actual new line (Enter), and save the private key as a text file.

  4. With the certificate and private key generated in the previous steps, run the following command to generate a .p12 certificate.

    openssl pkcs12 -export -out <.p12_filename> -inkey <private_key.key> -in <certificate.cer>

    The command prompts for an export password and asks you to verify it. Retain the password for later use.

Delete the text file in which you saved the private key.
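The text edits in items 2 and 3 and the openssl call in item 4, as a small POSIX shell script added here as an example (it is not taken from the AWS documentation). It assumes the raw certificate and key field values are available as strings that still contain literal \n sequences and that the SAP Cloud Root CA was downloaded as a PEM file; all file names are placeholders.

```shell
#!/bin/sh
# Added example, not part of the AWS documentation: turn the raw "certificate" and
# "key" fields of a Credential Store service key (which contain literal "\n"
# sequences) into PEM files and then into the .p12 bundle from Step 3.
# Assumption: the SAP Cloud Root CA has been downloaded as a PEM file.

# Replace each literal backslash-n with a real newline (Step 3, items 2 and 3).
unescape_pem() {            # $1 = raw field value as pasted from the service key
  printf '%s\n' "$1" | awk '{ gsub(/\\n/, "\n"); print }'
}

# Root CA first, one Enter, then the client certificate, saved as the .cer file.
build_cert_file() {         # $1 = root CA path, $2 = raw certificate field, $3 = output .cer
  { cat "$1"; printf '\n'; unescape_pem "$2"; } > "$3"
}

# The private key is written with owner-only permissions (umask in a subshell).
build_key_file() {          # $1 = raw key field, $2 = output .key
  ( umask 077; unescape_pem "$1" > "$2" )
}

# Same openssl command as item 4; openssl prompts for the export password and
# asks you to verify it. The plaintext key file is removed once the .p12 exists.
make_p12() {                # $1 = .key path, $2 = .cer path, $3 = output .p12
  openssl pkcs12 -export -out "$3" -inkey "$1" -in "$2" && rm -f "$1"
}

# Interactive usage, after pasting the two raw fields into cert_raw.txt and key_raw.txt:
#   build_cert_file sap_cloud_root_ca.crt "$(cat cert_raw.txt)" credstore.cer
#   build_key_file "$(cat key_raw.txt)" credstore.key
#   make_p12 credstore.key credstore.cer credstore.p12
#   rm -f key_raw.txt
```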

Step 4: Connect to SAP BTP, ABAP environment

Configure SAP BTP, ABAP environment to connect with SAP Credential Store.

Communication system

Use the following steps to create a communication system that enables communication from SAP BTP, ABAP environment to SAP Credential Store.

  1. Open the Fiori launchpad of the ABAP environment system.

  2. Select the Communication Systems tile to open the application.

  3. Select New.

  4. Enter a name and ID for the communication system, and select Create. For example, you can name the system ZSAP_CREDSTORE.

  5. Enter other required information:

    • Host name: Copy the host name from the Service Key URL. For example, if the URL is https://credstore.mesh.cf.us10.hana.ondemand.com/api/v1/credentials, then the host name is credstore.mesh.cf.us10.hana.ondemand.com.

    • Users for Outbound Communication: Select + to add a new user.

      1. Select SSL Client Certificate as the Authentication mechanism.

      2. Select Upload New Certificate:

        • Browse to the .p12 certificate generated in the preceding step.

        • Enter a description.

        • Enter the export password that was used to generate the .p12 certificate.

        • Select Upload.

      3. Select Create to create an outbound user.

  6. Select Save.

  7. Delete the service key downloaded in the previous step.

Communication arrangement

Use the following steps to create a communication arrangement to provide a communication scenario for outbound communication.

  1. Open the Fiori launchpad of the ABAP environment system.

  2. Select the Communication Arrangements tile to open the application.

  3. Select New.

  4. Select communication scenario /AWS1/CRED_COMM_SCENARIO, and enter a name for the communication arrangement. For example, Z_AWS_SDK_TO_SAP_CREDSTORE.

  5. Select Create.

  6. In the Communication System field, browse for the communication system created in the previous step. The other fields are populated automatically after you select the system.

  7. Select Save.

  8. Select Check Connection to test your connection.

Once this setup is complete, the ABAP environment can reach the SAP Credential Store service through the outbound HTTP service defined by the communication arrangement.

Using SAP Credential Store with the SDK

Step 1: Create a namespace and credential(s)

Create a namespace and credential in SAP Credential Store as described in SAP Help – Create, Edit, and Delete a Credential.

Enter the following details to create a credential of type Key.

  • Namespace – Enter a name for the namespace; a namespace groups related credentials together.

  • Name – Enter a name for the key. We recommend aws-0123456789012-username, where:

    • 0123456789012 is the AWS account ID to which the credential grants access

    • username is the IAM user name to which the credential belongs

  • Value – Enter a base-64 encoded secret access key. Use the following command to base-64 encode your secret access key.

    xargs echo -n | base64   # just press Enter, do not enter arguments on the command line
    MySecretAccessKey
    Ctrl-D

    The command reads the secret access key from standard input and passes it to base64 without a trailing newline. It prints the base-64 encoded secret access key to the screen. Clear or close your terminal after copying the value into SAP Credential Store.

  • Username – Enter your access key ID.

  • Select Create.
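An added shell example, not from the AWS documentation, that encodes the secret access key the same way as the xargs command above and additionally checks a stored value for the common mistake of encoding the Enter keystroke together with the key. The key MySecretAccessKey is a constructed placeholder.

```shell
# Added example, not part of the AWS documentation: encode a secret access key
# for the Value field without a trailing newline, and check a stored value for
# an accidentally encoded newline. "MySecretAccessKey" is a constructed placeholder.

# Read the secret from standard input (so it is not in argv or shell history),
# drop any CR/LF the user typed, and emit one unwrapped base64 line.
encode_secret() {
  tr -d '\r\n' | base64 | tr -d '\n'
}

# Hex dump of the bytes a stored base64 value decodes to.
decoded_hex() {               # $1 = base64 value
  printf '%s' "$1" | base64 -d | od -An -tx1 | tr -d ' \n'
}

# Succeeds when the decoded secret ends in LF (0x0a). Such a credential is
# silently wrong: every request signed with it fails authentication at AWS.
encodes_trailing_newline() {  # $1 = base64 value
  case "$(decoded_hex "$1")" in
    *0a) return 0 ;;
    *)   return 1 ;;
  esac
}

# Interactive usage: type the key, press Enter, then Ctrl-D.
#   printf 'Secret access key: ' >&2; encode_secret; echo
# Checking a value already stored in the Value field:
#   encodes_trailing_newline "$stored" && echo "stored value encodes a newline" >&2
```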

A new namespace with one credential is created, and credentials can be added, deleted or modified within this namespace.

Follow the principle of least privilege to manage access to the credentials stored in the namespace.

Step 2: Configure Custom Business Configuration application

Use the following steps to configure the Custom Business Configuration application so that it defines the credential the SDK uses for authentication.

  1. Open the Fiori launchpad of the ABAP environment system.

  2. Select the Custom Business Configuration tile to open the application.

  3. Open SDK Profile Business Configuration.

  4. Select the SDK profile for which authentication settings must be configured for SAP Credential Store.

  5. In the Authentication and Settings tab for the selected profile, select Edit, and enter the following details:

  6. Select Apply to go to the AWS SDK Profile screen.

  7. Select Select Transport, and choose the transport using the value help.

  8. Select Save.