Introducing SAP Cloud Platform Credential Store
by Dimitar Mihaylov, SAP Labs Bulgaria, and Gerlinde Zibulski, SAP SE
No software application runs completely alone in a technology landscape — there is always some type of connection and integration with other applications. This is especially true in the modern age of hyperconnectivity, where even the most basic SAP S/4HANA implementation connects to a wide variety of other services and extensions in all combinations, including cloud to cloud, on premise to cloud, and cloud to on premise. For example, many SAP customers extend their on-premise SAP S/4HANA implementations with cloud applications such as SAP SuccessFactors and SAP Concur solutions, which means that employee payroll results or travel expenses have to be transferred from these solutions into the SAP S/4HANA system to keep the accounting information correct and up to date.
A secure connection to another application in an SAP environment requires some form of login credentials — for example, to book wages from an HR system into a financials system, you need an application-to-application connection where you maintain a technical user and a password. In the on-premise world, this is done using remote function call (RFC) and HTTP connections in SAP NetWeaver Application Server ABAP or using system connections via an SAP Process Integration server. To support this requirement in the cloud world, with its heightened need for both connectivity and security, SAP offers the SAP Cloud Platform Credential Store service as a part of SAP Cloud Platform.
This article introduces SAP Cloud Platform Credential Store and provides system administrators and application developers with an overview of the configuration tasks that are required to use this service.
A Secure Repository for Credentials
Released in February 2019, the SAP Cloud Platform Credential Store service provides a secure repository of passwords and keys for applications running on SAP Cloud Platform. Applications can retrieve these credentials and use them, for instance, to authenticate to external applications and perform cryptographic operations, such as signing and verifying digital signatures or encrypting and decrypting data. The service is exposed to applications via a REST application programming interface (API), and all communications are encrypted via the Transport Layer Security (TLS) protocol and an additional payload encryption to ensure end-to-end confidentiality of the data in transit.
SAP Cloud Platform Credential Store is enabled for all SAP Cloud Platform accounts that have the consumption-based commercial model. The service runs on the Cloud Foundry environment, and is globally available for the following Cloud Foundry regions and platforms:
- Europe (Frankfurt) running on Amazon Web Services
- Europe (Netherlands) running on Microsoft Azure
- Australia (Sydney) running on Amazon Web Services
- Brazil (São Paulo) running on Amazon Web Services
- Canada (Montreal) running on Amazon Web Services
- Japan (Tokyo) running on Amazon Web Services
- Singapore running on Amazon Web Services
- US East (Virginia) running on Amazon Web Services
- US West (Washington) running on Microsoft Azure
Figure 1 provides an overview of the architecture of the SAP Cloud Platform Credential Store service. In the following sections, we will walk through the steps required to enable the service for consumption by applications, including how to create an instance of the service, how to provision credentials to an application by either binding the instance to an application or creating a service key, and how to enable applications to access those credentials using the REST API.
Creating an Instance of the Service
To consume the SAP Cloud Platform Credential Store service, you must create an instance of the service. There are two ways to create this instance — you can use the SAP Cloud Platform cockpit or, alternatively, you can use the Cloud Foundry Command Line Interface (CLI), which is best suited for use in automation scripts and continuous integration/continuous deployment pipelines. Let’s take a closer look at the tasks involved in each approach.
Using the SAP Cloud Platform Cockpit
To create an instance of the SAP Cloud Platform Credential Store service using the SAP Cloud Platform cockpit, navigate to your SAP Cloud Platform global account and the relevant subaccount in the cockpit. In your Cloud Foundry space, open the Service Marketplace section to view the available services and click on the tile for the SAP Cloud Platform Credential Store service (see Figure 2).
In the service, click on Instances > New Instance (Figure 3). Enter a name for the new service instance (my-credstore in the example) and then follow the guidance of the creation wizard to complete the definition (see Figure 4), leaving the default settings. As you can see, the “standard” service plan is preselected during service instance creation; it includes a predetermined quota for the number of credentials, storage size, API calls per second, and number of bindings.
Once the definition is complete, the new instance of the service is created and listed (see Figure 5).
Using the Cloud Foundry CLI
In addition to using the SAP Cloud Platform cockpit, you can also use the Cloud Foundry CLI to view services, and create and view service instances. To use the Cloud Foundry CLI, you must first install it.
Once the Cloud Foundry CLI is installed, you can view the available services in the Service Marketplace using the “cf marketplace” command, as shown in Figure 6. As you can see, it lists the services available from the Service Marketplace along with brief details about each service. The SAP Cloud Platform Credential Store service is listed as “credstore” with a description and information about the various plans available for the service.
To create an instance of the service, use the “cf create-service” command, and to view the created service, use the “cf services” command. Figure 7 shows the creation of the my-credstore service instance and the display of the created instance using these commands in the Cloud Foundry CLI.
Provisioning the Required Credentials
Once the service instance is created, you need to provision the credentials required for an application to access the instance. Depending on the application, you can either bind the service instance to an application or you can create a service key. As with creating an instance of the service, you can use either the SAP Cloud Platform cockpit or the Cloud Foundry CLI for these tasks.
Binding the Instance to an Application
Binding can be used with an application — such as a custom-developed application or third-party application that has an integration with the service — that runs on Cloud Foundry. To use the cockpit to bind the instance to an application, go to the newly created instance of the service (my-credstore in the example), choose Bind Instance, and then specify the application to which you want to bind the instance.
In the example, we bind the service instance my-credstore to my-demoapp (see Figure 8), which is a sample application that uses the service — that is, it reads and writes credentials from and to the service. Figure 9 shows the newly defined binding of the service instance to the application.
Alternatively, you can use the Cloud Foundry CLI to bind the service to the application using the “cf bind-service” command. In Figure 10, the command is used to bind the my-credstore service instance to the application my-demoapp.
Creating a Service Key
If the service instance will be used by applications or services that are running in another Cloud Foundry space or outside of Cloud Foundry, then you can create a service key.
As with the service instance and the binding, the service key can be created using either the SAP Cloud Platform cockpit (by selecting Service Keys in the relevant service instance) or the Cloud Foundry CLI (by using the command “cf create-service-key”).
Enabling Applications to Access Credentials
Once the service instance is bound to an application, that application is able to access the SAP Cloud Platform Credential Store service via the REST API, which is used to perform operations such as read and write on stored credentials.
The service supports two types of credentials — password and key. The password credential has a name, a text value up to 4,096 characters, and the optional attribute username. The key credential has a name, a binary value up to 32KB, and the optional attributes username and format. Via the REST API, credentials of these types can be listed, created, read, updated, and deleted. The stored credentials are logically isolated using namespaces, which can correspond to a customer, a subaccount (tenant), or anything else specific to an application. Each credential operation is executed in the context of a namespace.
To heighten security, the service uses an encrypted TLS connection, encrypts all response payloads, and requires that clients — that is, the applications that read and write credentials into a service instance — encrypt the request payloads.
The SAP Cloud Platform Credential Store service allows SAP customers to securely manage, administer, and store credentials to enable application-to-application connections in the cloud. Going forward, SAP plans to extend its support for secure connections in customer landscapes by building a key management service that integrates with SAP Cloud Platform Credential Store, integrates with major hyperscalers’ key management services, and allows customers to use their own private keys.
Learn more at https://bit.ly/CredentialStore.
Dimitar Mihaylov (email@example.com) works in SAP Labs Bulgaria as a Development Manager in the SAP Global Security organization. His team is responsible for the development and operations of the SAP Cloud Platform Credential Store service. Dimitar received a Master of Science degree in Computer Science from Sofia University in Bulgaria.
Gerlinde Zibulski (firstname.lastname@example.org) works at SAP as a Senior Security Development Manager. She leads a team of security developers and architects that builds products such as the SAP Cloud Platform Credential Store service and consults with internal developers about how to develop software securely. In her almost 21-year tenure with SAP, Gerlinde has spent 16 years in the area of security.