14 KiB
Security - Comprehensive Reference
Source: SAP BTP Integration Suite Documentation Documentation: https://github.com/SAP-docs/sap-btp-integration-suite/tree/main/docs/ci Last Updated: 2025-11-22
Table of Contents
- Security Overview
- Authentication Methods
- Keystore Management
- Credential Artifacts
- Message-Level Security
- Certificate Management
- Security Best Practices
Security Overview
Security Layers
┌─────────────────────────────────────────────────────────────┐
│ Security Layers │
├─────────────────────────────────────────────────────────────┤
│ Transport Layer (TLS/SSL) │
│ ├─ Server certificates │
│ ├─ Client certificates (mTLS) │
│ └─ Cipher suites │
├─────────────────────────────────────────────────────────────┤
│ Authentication Layer │
│ ├─ Basic authentication │
│ ├─ OAuth 2.0 │
│ ├─ Client certificate │
│ ├─ SAML assertion │
│ └─ Principal propagation │
├─────────────────────────────────────────────────────────────┤
│ Message Layer │
│ ├─ Encryption (PGP, PKCS#7) │
│ ├─ Digital signatures │
│ └─ Message digest │
├─────────────────────────────────────────────────────────────┤
│ Access Control │
│ ├─ Role collections │
│ ├─ Access policies │
│ └─ Endpoint protection │
└─────────────────────────────────────────────────────────────┘
Security Material Types
| Type | Purpose | Storage |
|---|---|---|
| Keystore | Certificates and keys | Keystore artifact |
| User Credentials | Username/password | Credential artifact |
| Secure Parameters | Sensitive config values | Secure store |
| OAuth Credentials | OAuth tokens | Credential artifact |
| PGP Keys | Encryption/signing keys | Keyring artifact |
| SSH Keys | SFTP authentication | Keystore artifact |
Authentication Methods
Inbound Authentication (Senders calling Integration Suite)
Basic Authentication
Username/password in HTTP header.
Configuration:
- Create service instance for process integration
- Assign
ESBMessaging.sendrole - Use service key credentials
Client Certificate Authentication
X.509 certificate verification.
Configuration:
- Import client CA certificate to keystore
- Configure sender adapter for client certificate
- Map certificate to user (Neo) or use role-based auth (CF)
OAuth 2.0
Token-based authentication.
Grant Types:
- Client Credentials (machine-to-machine)
- Authorization Code (user-delegated)
- SAML Bearer Assertion (SSO scenarios)
Outbound Authentication (Integration Suite calling receivers)
Basic Authentication
Adapter → Authentication: Basic
→ Credential Name: [UserCredential artifact]
Client Certificate
Adapter → Authentication: Client Certificate
→ Private Key Alias: [Keystore alias]
OAuth 2.0 Client Credentials
Adapter → Authentication: OAuth2 Client Credentials
→ Token Service URL: [https://oauth.example.com/token](https://oauth.example.com/token)
→ Client ID: [from credential]
→ Client Secret: [from credential]
Principal Propagation
Forward user identity to backend systems.
Scenarios:
- SAP to SAP Cloud Identity
- Cloud Foundry to on-premise
- Subaccount to subaccount
Documentation: https://github.com/SAP-docs/sap-btp-integration-suite/blob/main/docs/ci/Operations/basic-authentication-outbound-f26152c.md
Keystore Management
Keystore Structure
Tenant Keystore
├── SAP Keys (managed by SAP)
│ ├── sap_cloudintegrationcertificate (client cert)
│ └── sap_cloudintegrationca (CA cert)
├── Customer Keys
│ ├── my_client_key (private key + cert)
│ ├── partner_ca_cert (CA certificate)
│ └── backend_server_cert (server certificate)
└── Key History
└── Rotated keys for reference
Key Types
| Type | Content | Use Case |
|---|---|---|
| Key Pair | Private key + certificate | Client authentication, signing |
| Certificate | Public certificate only | Server validation, CA trust |
| SSH Key | SSH private/public key | SFTP authentication |
Keystore Operations
Upload Certificate:
- Navigate to Monitor → Manage Security → Keystore
- Click Add → Certificate
- Upload .cer/.crt/.pem file
- Assign alias
Upload Key Pair:
- Navigate to Keystore
- Click Add → Key Pair
- Upload .p12/.pfx file with password
- Assign alias
Renew Certificate:
- Upload new certificate with new alias
- Update adapter configurations
- Test connectivity
- Delete old certificate after validation
Documentation: https://github.com/SAP-docs/sap-btp-integration-suite/blob/main/docs/ci/Operations/managing-keystore-entries-2dc8942.md
Credential Artifacts
User Credentials
Store username/password combinations.
Deployment:
- Navigate to Monitor → Manage Security → Security Material
- Click Add → User Credentials
- Enter name, user, password
- Deploy
Usage in Adapter:
Authentication: Basic
Credential Name: MyCredential
OAuth2 Credentials
Store OAuth client credentials.
Types:
- Client Credentials Grant
- Authorization Code Grant
- SAML Bearer Assertion
Configuration:
- Token Service URL
- Client ID
- Client Secret
- Scope (optional)
- Token refresh settings
Secure Parameters
Store sensitive configuration values.
Deployment:
- Navigate to Security Material
- Click Add → Secure Parameter
- Enter name and value
- Deploy
Access in Script:
def secureStore = ITApiFactory.getService(SecureStoreService.class, null)
def value = secureStore.getSecureParameter("ParameterName")
Documentation: https://github.com/SAP-docs/sap-btp-integration-suite/blob/main/docs/ci/Operations/managing-security-material-b8ccb53.md
Message-Level Security
Encryption
PGP Encryption
Encrypt payload using OpenPGP standard.
Encryptor Step:
| Parameter | Description |
|---|---|
| Public Key Alias | Recipient's public key |
| Algorithm | AES-256, etc. |
| Armor | ASCII armor output |
Decryptor Step:
| Parameter | Description |
|---|---|
| Private Key Alias | Your private key |
| Signatures Required | Verify sender signature |
PKCS#7/CMS Encryption
Enterprise encryption standard.
Supported Algorithms:
- AES (128, 192, 256 bit)
- 3DES
- DES (legacy, not recommended)
Digital Signatures
XML Digital Signature
Sign/verify XML documents.
Algorithms:
- RSA-SHA256 (recommended)
- RSA-SHA1 (legacy)
- ECDSA
Elements:
- Enveloped signature
- Enveloping signature
- Detached signature
PKCS#7/CMS Signature
Sign binary/text content.
Message Digest
Calculate hash of message content.
Algorithms:
- SHA-256 (recommended)
- SHA-1 (legacy)
- MD5 (not recommended)
Documentation: https://github.com/SAP-docs/sap-btp-integration-suite/blob/main/docs/ci/Development/apply-message-level-security-9036c0c.md
Certificate Management
Certificate Types
| Certificate | Purpose |
|---|---|
| Server Certificate | Identify server to clients |
| Client Certificate | Identify client to servers |
| CA Certificate | Trust anchor for validation |
| Signing Certificate | Digital signature creation |
| Encryption Certificate | Message encryption |
Certificate Lifecycle
┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐
│ Request │ → │ Issue │ → │ Active │ → │ Renew │
│ CSR │ │ Cert │ │ Usage │ │ Before │
│ │ │ │ │ │ │ Expiry │
└─────────┘ └─────────┘ └─────────┘ └─────────┘
│
▼
┌─────────┐
│ Replace │
│ & Test │
└─────────┘
Certificate Renewal Best Practices
-
Monitor Expiration
- Set alerts for 30-day warning
- Track all certificates in inventory
-
Prepare New Certificate
- Generate or request before expiry
- Use same key type and size
-
Staged Rollout
- Import with new alias
- Update configurations
- Test in lower environments
-
Validate
- Verify connectivity
- Check signature validation
- Confirm encryption/decryption
-
Cleanup
- Remove old certificate after validation
- Update documentation
Documentation: https://github.com/SAP-docs/sap-btp-integration-suite/blob/main/docs/ci/Operations/security-artifact-renewal-083fc8d.md
Security Best Practices
General
-
Use HTTPS everywhere
- No unencrypted HTTP
- TLS 1.2+ only
-
Rotate credentials regularly
- Passwords: 90 days
- Certificates: Before expiry
- API keys: As needed
-
Principle of least privilege
- Minimal role assignments
- Specific permissions only
-
Audit and monitor
- Enable audit logging
- Monitor security events
- Review access regularly
Integration Flow Security
-
Never hardcode credentials
// BAD def password = "mypassword" // GOOD def cred = secureStore.getUserCredential("MyCredential") -
Don't log sensitive data
// BAD log.info("Password: ${password}") // GOOD log.info("Authentication configured") -
Validate input data
- Check payload structure
- Validate against schema
- Sanitize user input
-
Use secure credential artifacts
- User Credentials for passwords
- Secure Parameters for config
- OAuth artifacts for tokens
API Management Security
-
Always authenticate APIs
- API keys at minimum
- OAuth 2.0 preferred
-
Apply threat protection
- JSON/XML threat policies
- Regular expression validation
- Input validation
-
Implement rate limiting
- Quota policies
- Spike arrest
- Concurrent limits
-
Use CORS carefully
- Restrict origins
- Limit methods
- Validate headers
Related Documentation
- Security Guidelines: https://github.com/SAP-docs/sap-btp-integration-suite/blob/main/docs/ci/Development/apply-the-highest-security-standards-201fd43.md
- Keystore Management: https://github.com/SAP-docs/sap-btp-integration-suite/blob/main/docs/ci/Operations/managing-keystore-entries-2dc8942.md
- Certificate Renewal: https://github.com/SAP-docs/sap-btp-integration-suite/blob/main/docs/ci/Operations/security-artifact-renewal-083fc8d.md
- PGP Keys: https://github.com/SAP-docs/sap-btp-integration-suite/blob/main/docs/ci/Operations/managing-pgp-keys-cd478a7.md
- OAuth Configuration: https://github.com/SAP-docs/sap-btp-integration-suite/blob/main/docs/ci/Operations/deploying-an-oauth2-client-credentials-artifact-801b106.md