SAP Cloud Platform Integration (CPI) Part 21 – Automate the KeyStore Certificates/Keypair Renewal through Cloud Integration API

1 year ago 33

SAP cloud Platform Integration

This is the 21st post in my blog series on “SAP CPI – Cloud Platform Integration for beginners”. In this post we will see the how to get the certificate/keypair details that are deployed in CI tenant through the Security Content OData API provided by SAP.

Overview of this blog series:

1. SAP CPI Introduction
2. SAP BTP tools and features overview (BTP, Global Account, Sub-Account, Entitlements, Connectivity, Security)
3. SAP CPI Web IDE overview
4. Registering a trial account and enrolling to SAP CPI service
5. Deep dive into Cloud Integration features with real world scenario example
6. Use cases of palette functions
7. Adapter configurations
8. Using Cloud connector for connecting to backend SAP systems
9. Overview on API Management & Open Connectors
10. Integration using Open Connectors with real world example

In short, below is the content we will elaborate in this tutorial:

1. Requirement
2. IFlow development


Before we proceed with our tutorial, we would like to give you an opportunity to join our ZAPYard’s learning community where we have more than 32 groups and more than 1000 real SAP Consultants interacting with each other daily. Only SAP topics and not BS. Else, they will be banned from the community without warning. 👇👇👇👇

If you want to be part of ZAPYard’s Discussion Community, please feel free to check the below Link. We Ask, Answer, Help and Learn Together. There are more than 32 groups from different topics like RAP, BPT, Fiori, iRPA, CAI, CPI, PI/PO, ABAP on HANA, SAPUI5, SAP Build, SAP Adobe Forms, ChatBots, SAC etc. Join any group of your interest and interact with our Community.

Join ZAPYard’s WhatsApp Community

1. Requirement

Recently I got a mail from my client stating that, the third-party certificate which was uploaded in the CI tenant is about to get expired, so the same has to be renewed. As an integration consultant we are supposed to monitor those and inform the client. To physically monitor daily/weekly/yearly is not a good approach that the client would like. So, we thought to have  a monitoring IFlow which should run daily to see the available certificates/keypair in keystore and check their validity and trigger an alert mail to business stating the certificate details and in how many days it will expire.

Now we have come up with an approach. Next is to have a OData API or service which should provide the deployed certificate entries. And interestingly, SAP has provided a Cloud Integration OData V2 API for this requirement.

Refer the below URL – Business Accelerator Hub

https://api.sap.com/package/CloudIntegrationAPI/odata

The API which we are going to use is – Security Content OData API V2

So, we got the OData to be used for our case. Let’s proceed.

Approach – Get all the keystore entries. Split into each keystore entry. Calculate the expiry days in mapping. Through Router, route it to respective branch. Prepare the mail body. For each certificate, one mail body is logged, as we have used splitter.

NOTE: Due to an issue in our SMTP server, I won’t be able to show you the mail configuration.

2. IFlow development

Let’s begin with the development.

a. We can start with a timer, otherwise every time we have to use postman to trigger the IFlow and also, we don’t have to pass any payload from source.

b. Next is, to setup the OData connection. Bring in the Request reply and choose OData V2 version. Address – https:// <tenant_management_URL>/api/v1

-> To get this tenant management URL, simply copy the URL from the browser address bar while you are in Cloud integration.

Proxy type – Internet

Authentication – Basic

Credential Name – (your BTP cockpit credential can be deployed in CI – Manage Artifact)

In the Processing tab, Choose GET operation. In the OData model editor, choose KeystoreEntries entity and select the required fields.

There is one limitation in this, we are not able to add any filter in the OData query. While executing IFlow, getting an error “Filter not supported”. If we have to filter out some results, then we have to try in message mapping or in some other ways.

c. Now try executing the IFlow and see the response of the OData adapter. There were 10 entries in keystore.

Fields available inside each keystore entry.

d. We got the keystore entries. Next is to split it individually through General Splitter.

e.

  1. In the next message mapping,

Source message:

We can get the XSD from OData model editor by enabling Generate XML Schema Definition option.

Target Message:

We will be transforming the date components and, we don’t need all fields for that, instead map only the required fields, in our case its 3. Alias (Name of the keystore entry), ValidNotAfter (last date of the certificate/keypair) and daysToExpire (ValidNotAfter – CurrentDate).

Before proceeding on the difference calculation, transform those dates into desirable format.

In – yyyy-MM-dd’T’HH:mm:ss.SSS

Out – yyyy/MM/dd

Script used:

import com.sap.it.api.mapping.*; import java.text.SimpleDateFormat; import java.util.Date; import java.io.* import java.lang.*; import java.util.*; def String customFunc1(String P1,String P2) { String inpStartDate =P1.toString(); String inpEndDate = P2.toString(); SimpleDateFormat sdf = new SimpleDateFormat("yyyy/MM/dd"); Date EmpStartDate = sdf.parse(inpStartDate); Date EmpEndDate = sdf.parse(inpEndDate); //Use dateDiffInDays to get difference in days def dateDiffInDays=EmpStartDate - EmpEndDate return dateDiffInDays.toString(); }

Let’s test run the mapping with a sample file.

Its correctly calculating.

f. Next is to store those 3 values in the content modifier.

g. Next is to add a router. For no issues in certificate, it will be in default branch. The other branch is set to the below condition:

${property.daysToExpire} < '1580' and ${property.daysToExpire} > '0'

Pick me certificates whose validity will expire in 1580 days and not already expired.

h. In the content modifier, set the mail body as below, as per the need.

Hi Team, The below certificate is expiring. Kindly renew it. KeyPair/Certificate Name - ${property.EntryName} ExpiryDate - ${property.ExpiryDate} Expires in - ${property.daysToExpire} days. Thanks.

Output:

Here we can see that there are 3 tabs, which means 3 certificates are about to expire and 3 mails will be sent to business.

That’s it. After this you can connect the mail adapter to send the mails to business. Thanks for reading this blog. Happy learning !

Please follow our LinkedIn PageLinkedIn Group , Facebook PageFacebook GroupTwitter , Instagram and Telegram SAP Technical Group Signal Group

Do not forget to SUBSCRIBE to our YouTube Channel for Free Courses and Unconventional Interesting Videos.

Do join ZAPYard’s Learning Community.

Read Entire Article