How to Access SAP Credential Store Using Mutual TLS (mTLS) Authentication with Python


What Is SAP Credential Store? SAP Credential Store is a repository on SAP BTP (Business Technology Platform) where you can securely store credentials, passwords, keys, and other sensitive data. Its default authentication type is mTLS: the client proves its identity to the service with a client certificate, and the service proves its own with its TLS certificate, so both sides are verified before any credential is handed out.

Setting Up the Credential Store in SAP BTP for mTLS

Go to your SAP BTP sub-account, then select Instances and Subscriptions to create a new Credential Store instance if you haven’t done so already.


Click Create. The default authentication type for a Credential Store instance is mTLS.
After creating the Credential Store instance, click View Dashboard to open the Credential Store console.

SAP Credential Store organizes data by namespaces for logical separation. Click Create Namespace and name it according to your application.

Choose the credential type as needed: password, key, or keyring. For this example, we'll use a password type.

To deploy a basic Python app to Cloud Foundry, see the blog post Integrating a Python App with SAP BAS.
Now bind the Credential Store instance to the application (called summary in this example), then open the app and navigate to Environment Variables to inspect the binding.

For mTLS, the app needs:

- A client certificate and its private key. The Credential Store service issues these itself when the binding is created (they show up as the `certificate` and `key` fields of the binding), so you do not bring a certificate from your own CA.
- The server's TLS certificate, which the Credential Store endpoint presents during the handshake and which your HTTP client validates against the system CA bundle.

The binding is exposed to the app through VCAP_SERVICES and looks like this (secret values blanked out):

```json
{
  "VCAP_SERVICES": {
    "credstore": [
      {
        "label": "credstore",
        "provider": null,
        "plan": "trial",
        "name": "trial-cred",
        "tags": [
          "credstore",
          "securestore",
          "keystore",
          "credentials"
        ],
        "instance_guid": "0068a9eb-d4b5-4570-a7c8-fce5163eb95f",
        "instance_name": "trial-cred",
        "binding_guid": "60346d93-9d88-4a50-bfd4-59ae49df5b87",
        "binding_name": null,
        "credentials": {
          "expires_at": "2025-01-01T14:28:44.5Z",
          "encryption": {
            "client_private_key": "",
            "server_public_key": "",
            "parameters": {
              "authorization": {
                "default_permissions": [
                  "create",
                  "decrypt",
                  "delete",
                  "encrypt",
                  "info",
                  "list",
                  "namespaces",
                  "read",
                  "update"
                ]
              },
              "encryption": {
                "payload": "enabled",
                "key": {
                  "size": 3072
                }
              },
              "authentication": {
                "type": "mtls"
              },
              "access_policy": {
                "creds_api": "public",
                "token_api": "public",
                "kms_api": "public",
                "encryption_api": "public"
              }
            }
          },
          "url": "https://credstore.mesh.cf.us10.hana.ondemand.com/api/v1/credentials",
          "key": "",
          "username": "60346d93-9d88-4a50-bfd4-59ae49df5b87.0.PXDf09rhPs7MkShqWt2be9CdoGLG1VmaAKW4D3kzWPg="
        },
        "syslog_drain_url": null,
        "volume_mounts": []
      }
    ]
  }
}
```

A few things to note in this binding. The secret values are blanked out, and a real mTLS binding also carries a `certificate` field next to `key`; together they are the client certificate and private key the app presents to the service, and they are only valid until `expires_at`, so plan to rebind (or let your platform rotate the binding) before that date. `"payload": "enabled"` under `encryption` means every response body comes back as a JWE that only `client_private_key` can open, and request bodies for create/update calls must in turn be encrypted for `server_public_key`. `default_permissions` lists everything this binding may do; for an app that only reads passwords, a binding restricted to `read` (and `decrypt`, if it needs it) is the least-privilege choice.

Python Code to Access the Credential Store API

```python
from dotenv import load_dotenv
import os
import json
import stat
import tempfile
import requests
from jwcrypto import jwk, jwe

namespace = "PasswordHub"   # Credential Store namespace created in the dashboard
name = "Password"           # name of the password credential inside that namespace

cred_headers = {
    "sapcp-credstore-namespace": namespace
}
cred_params = {
    "name": name
}

load_dotenv()  # lets you run locally with VCAP_SERVICES copied into a .env file
vcap_services = os.getenv("VCAP_SERVICES")

if vcap_services:
    binding = json.loads(vcap_services)["credstore"][0]["credentials"]
    rsa_private_key = binding["key"]              # client private key (PEM) for mTLS
    primary_certificate = binding["certificate"]  # client certificate (PEM) for mTLS
    api_url = binding["url"]
else:
    raise ValueError("VCAP_SERVICES not found in environment.")

# requests needs the client certificate and key as files. Put them in a fresh
# private temp directory (mode 0700) as 0600 files so nothing else on the host
# can read them, and remove them again when we are done.
work_dir = tempfile.mkdtemp()
key_path = os.path.join(work_dir, "rsa_key.pem")
cert_path = os.path.join(work_dir, "client_cert.pem")


def write_private(path, data):
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, stat.S_IRUSR | stat.S_IWUSR)
    with os.fdopen(fd, "w") as f:
        f.write(data)


try:
    write_private(key_path, rsa_private_key)
    write_private(cert_path, primary_certificate)

    response = requests.get(
        url=f"{api_url}/password",
        cert=(cert_path, key_path),   # client certificate + key: our half of mTLS
        verify=True,                  # validate the server certificate against the system CA bundle
        headers=cred_headers,
        params=cred_params,
        timeout=10,
    )
    response.raise_for_status()

    # Payload encryption is enabled on the binding, so the body is a compact JWE.
    # The binding stores the decryption key as bare base64; wrap it in PEM armor first.
    private_key_pem = (
        "-----BEGIN PRIVATE KEY-----\n"
        f"{binding['encryption']['client_private_key']}\n"
        "-----END PRIVATE KEY-----"
    )
    private_key = jwk.JWK.from_pem(private_key_pem.encode("utf-8"))
    jwetoken = jwe.JWE()
    jwetoken.deserialize(response.text, key=private_key)
    json_payload = json.loads(jwetoken.payload.decode("utf-8"))
    password_value = json_payload["value"]

    # Demo only: never print or log the secret in a real application.
    print(f"Password stored in credential store for {cred_params['name']} is :-", password_value)
finally:
    for path in (key_path, cert_path):
        if os.path.exists(path):
            os.remove(path)
    os.rmdir(work_dir)
```

 

Requirements (pip packages):

python-dotenv
jwcrypto
requests

Reference Links:

SAP Credential Store
Credential Management (Example: NodeJs)
