X509 certificate based authentication

[gaurav-sap]

Hello All,

I am trying to authenticate using the X509 certificate and as per the documentation https://registry.terraform.io/providers/SAP/btp/latest/docs
we need the private key and public key information.
For this, I have created a public key and then a self signed certificate.
I have uploaded the certificate as described here, https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/configure-x-509-client-certificates-for-user-authentication
though while uploading the public key, the config throws error asking for the full keychain.

I believe the self signed certificate as an issue. Could someone confirm how can we get through this?

Best Regards,
Gaurav

[vipinvkmenon]

We are looking into this and we'll get back

[vipinvkmenon]

Hi @gaurav-sap ,

As stated in the documentation, the validity of the certificate is determined by the SAP Cloud Identity Services. The documentation states there is no support for self-signed certificates. Clients such as the BTP Terraform Provider or BTP CLI, therefore, would not be able to influence this certificate creation or be able to work with any certificate not accepted in SAP Cloud Identity Services

Certificates used must either be from the default list of Trusted CAs (as mentioned in the documentation) or a ticket must be raised in the SAP Support Portal (Component:- BC-IAM-IDS) for adding your own CA. You can use the same component to create tickets in general for support regarding configuring SAP Cloud Identity Services with regards to the certificate creation as well.

[gaurav-sap]

Hi @vipinvkmenon ,

I was able to sign the certificate with the "SAP Cloud Root CA", though I have the same error.
Could you please let me know your setup?

[vipinvkmenon]

Following are the steps to login to SAP BTP from the Terraform (using SAP BTP Terraform Provider) using X509 certificates from SAP Cloud Identity Services.

Configure Trust between SAP BTP and SAP Cloud Identity Services

• Follow the standard approach of configuring trust between SAP Cloud Identity Service and BTP. Please refer to the following guide for a walkthrough on creating a tenant and establishing trust with BTP.
• Log in to the SAP Cloud Identity Service tenant and add a user as required.

You should see the name of the configured IDP in the Trust Configuration. Take a note of the name of the Custom IDP (Platform Users) under Origin Key, this is the idp value used when initialising the BTP Terraform Provider. Usually, the name would have -platform as postfix.

Assign necessary role collections

• Depending on your use case, either add the user in BTP or assign the user in SAP Cloud Identity Service to a Group and map the necessary role-collections to the user/group. (Global Account Administrator role if you are managing the GA using the Terraform Script)

Obtain the Certificate

• Open the profile page in SAP Cloud Identity Service tenant:- https://<tenant-id>.accounts.sap.comui/protected/profilemanagement
• Click on Generate in the Certificates section. A new certificate will be generated, and a prompt to download it should appear. Please refer following documentation for details of the same. Download the file to a safe location with an appropriate name.

• The certificate downloaded will be of the format .p12

Convert Certificate to PEM

The Terraform provider needs the certificates to be in PEM format

• To extract the certificate in pem form from the p12 file, run the command:-

openssl pkcs12 -in <downloaded-p12-certificate>.p12 -clcerts -nokeys -out <certificate-for-terraform>.pem

• To extract the key in pem format from the p12 certificate, run the command:-

openssl pkcs12 -in <downloaded-p12-certificate>.p12 -nocerts -nodes -out <certificate-key-for-terraform>.pem

Configure the Provider

The provider can now use the certificates form accessing and working on BTP. A sample configuration is as follows:-

provider "btp" {
  globalaccount          = "<Global Account Subdomain>"
  idp                    = "<Origin Key>" # The origin key as mentioned in step above
  username               = "<Username>"
  tls_client_certificate = file("<certificate-for-terraform>.pem")
  tls_client_key         = file("<certificate-key-for-terraform>.pem")
  tls_idp_url            = "https://<tenant>.accounts.ondemand.com" # URL of the SAP IAS Tenant
}

Notes

• If there are issues in creation the certificates in IAS, or you need to use a custom Certificate, please create a ticket for the component BC-IAM-IDS
• If you are facing issues in the generation of certificates with openssl, please refer documentation for the same.