What Is SAP Credential Store?

SAP Credential Store is a repository on SAP BTP (Business Technology Platform) where you can securely store credentials, passwords, keys, and other sensitive data. For enhanced security, you can configure it to use mTLS, which verifies both the client and server identities before granting access.
Setting Up the Credential Store in SAP BTP for mTLS
Go to your SAP BTP sub-account, then select Instances and Subscriptions to create a new Credential Store instance if you haven’t done so already.
Click Create. The default authentication type for a Credential Store instance is mTLS.
After creating the Credential Store instance, click View Dashboard to open the Credential Store console.
SAP Credential Store organizes data by namespaces for logical separation. Click Create Namespace and name it according to your application.
Choose the credential type as needed, such as password, key, or keyring. For our example, we'll use the password type.
For deployment of a basic Python app in Cloud Foundry, refer to the blog Integrating a Python App with SAP BAS.
Now, let’s bind the credential store to an application called summary
Navigate to the app -> Environment Variables
For mTLS, you’ll need:
A client certificate (issued by a trusted Certificate Authority)
A private key
A server certificate (provided by SAP Credential Store)
{
  "VCAP_SERVICES": {
    "credstore": [
      {
        "label": "credstore",
        "provider": null,
        "plan": "trial",
        "name": "trial-cred",
        "tags": [
          "credstore",
          "securestore",
          "keystore",
          "credentials"
        ],
        "instance_guid": "0068a9eb-d4b5-4570-a7c8-fce5163eb95f",
        "instance_name": "trial-cred",
        "binding_guid": "60346d93-9d88-4a50-bfd4-59ae49df5b87",
        "binding_name": null,
        "credentials": {
          "expires_at": "2025-01-01T14:28:44.5Z",
          "encryption": {
            "client_private_key": "",
            "server_public_key": ""
          },
          "parameters": {
            "authorization": {
              "default_permissions": [
                "create",
                "decrypt",
                "delete",
                "encrypt",
                "info",
                "list",
                "namespaces",
                "read",
                "update"
              ]
            },
            "encryption": {
              "payload": "enabled",
              "key": {
                "size": 3072
              }
            },
            "authentication": {
              "type": "mtls"
            },
            "access_policy": {
              "creds_api": "public",
              "token_api": "public",
              "kms_api": "public",
              "encryption_api": "public"
            }
          },
          "url": "https://credstore.mesh.cf.us10.hana.ondemand.com/api/v1/credentials",
          "key": "",
          "username": "60346d93-9d88-4a50-bfd4-59ae49df5b87.0.PXDf09rhPs7MkShqWt2be9CdoGLG1VmaAKW4D3kzWPg="
        },
        "syslog_drain_url": null,
        "volume_mounts": []
      }
    ]
  }
}
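The binding above carries more than the URL and key material: it states the authentication type (mtls), whether the payload is encrypted (which is when the client_private_key is needed to unwrap the response), and an expiry time. The following added example, which is not part of the post and not SAP's code, parses a VCAP_SERVICES string and refuses to proceed unless the binding is an unexpired mTLS binding with every field the client needs. The sample VCAP_SERVICES it embeds is constructed to mirror the shape of the binding above; its key, certificate, URL and username are placeholders.

```python
import json
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed VCAP_SERVICES modelled on the binding shown above. The key,
# certificate, URL and username are placeholders, not real values.
SAMPLE_VCAP_SERVICES = json.dumps({
    "credstore": [{
        "label": "credstore",
        "plan": "trial",
        "name": "trial-cred",
        "credentials": {
            "expires_at": "2025-01-01T14:28:44.5Z",
            "encryption": {
                "client_private_key": "PLACEHOLDER-BASE64-PKCS8",
                "server_public_key": "PLACEHOLDER-BASE64-SPKI",
            },
            "parameters": {
                "authentication": {"type": "mtls"},
                "encryption": {"payload": "enabled", "key": {"size": 3072}},
            },
            "url": "https://credstore.example.invalid/api/v1/credentials",
            "key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
            "certificate": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n",
            "username": "PLACEHOLDER-BINDING-USERNAME",
        },
    }]
})


@dataclass
class CredstoreBinding:
    url: str
    client_cert_pem: str                 # goes into requests' cert=(cert, key)
    client_key_pem: str
    jwe_private_key_b64: Optional[str]   # bare base64 PKCS#8 body used to unwrap the JWE response
    expires_at: datetime


_EXPIRES_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z$")


def parse_expires_at(value: str) -> datetime:
    """Parse expires_at as UTC; the fraction may have any number of digits (e.g. '.5Z')."""
    match = _EXPIRES_RE.match(value)
    if not match:
        raise ValueError(f"unrecognised expires_at format: {value!r}")
    base = datetime.strptime(match.group(1), "%Y-%m-%dT%H:%M:%S")
    micro = int((match.group(2) or "0").ljust(6, "0")[:6])
    return base.replace(microsecond=micro, tzinfo=timezone.utc)


def load_credstore_binding(vcap_services: str, now: Optional[datetime] = None) -> CredstoreBinding:
    """Extract and sanity-check the credstore binding from a VCAP_SERVICES JSON string."""
    services = json.loads(vcap_services).get("credstore") or []
    if not services:
        raise ValueError("no credstore service bound to this app")
    creds = services[0].get("credentials", {})
    params = creds.get("parameters", {})

    # The mTLS client only works with an mTLS binding: that is the one that
    # carries certificate/key rather than a password.
    auth_type = params.get("authentication", {}).get("type")
    if auth_type != "mtls":
        raise ValueError(f"binding authentication type is {auth_type!r}, expected 'mtls'")

    required = {
        "url": creds.get("url"),
        "certificate": creds.get("certificate"),
        "key": creds.get("key"),
    }
    # The client private key is only needed when responses are JWE-encrypted.
    payload_encrypted = params.get("encryption", {}).get("payload") == "enabled"
    if payload_encrypted:
        required["encryption.client_private_key"] = creds.get("encryption", {}).get("client_private_key")
    missing = [field for field, value in required.items() if not value]
    if missing:
        raise ValueError("binding is missing: " + ", ".join(missing))

    # Bindings carry an expiry; check it before making calls instead of
    # diagnosing a rejected request later.
    expires_at = parse_expires_at(creds["expires_at"])
    now = now or datetime.now(timezone.utc)
    if now >= expires_at:
        raise ValueError(f"binding expired at {expires_at.isoformat()}; rebind the service")

    return CredstoreBinding(
        url=required["url"],
        client_cert_pem=required["certificate"],
        client_key_pem=required["key"],
        jwe_private_key_b64=required.get("encryption.client_private_key"),
        expires_at=expires_at,
    )
```

The `now` parameter exists so the expiry check can be exercised deterministically; in production leave it unset and the current UTC time is used.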
Python Code to Access the Credential Storage API

from dotenv import load_dotenv
import os
import json
import requests
from jwcrypto import jwk, jwe

namespace = "PasswordHub"
name = "Password"

# The namespace travels in a header, the credential name in the query string.
cred_headers = {
    "sapcp-credstore-namespace": namespace
}
cred_params = {
    "name": name
}

load_dotenv()
vcap_services = os.getenv("VCAP_SERVICES")
if vcap_services:
    binding = json.loads(vcap_services)["credstore"][0]["credentials"]
    rsa_private_key = binding["key"]              # PEM private key for the client certificate
    primary_certificate = binding["certificate"]  # PEM client certificate presented during mTLS
    api_url = binding["url"]
else:
    raise ValueError("VCAP_SERVICES not found in environment.")

try:
    # requests takes the client certificate and key as file paths.
    with open("rsa_key.pem", "w") as key_file:
        key_file.write(rsa_private_key)
    with open("client_cert.pem", "w") as cert_file:
        cert_file.write(primary_certificate)

    response = requests.get(
        url=f"{api_url}/password",
        cert=("client_cert.pem", "rsa_key.pem"),
        verify=True,
        headers=cred_headers,
        params=cred_params
    )
    # An error body is not a JWE; fail here rather than inside deserialize().
    response.raise_for_status()

    # The response body is a JWE encrypted to the binding's client key. The binding
    # holds only the base64 body, so wrap it in PEM markers before loading it.
    private_key_pem = f"-----BEGIN PRIVATE KEY-----\n{binding['encryption']['client_private_key']}\n-----END PRIVATE KEY-----"
    private_key = jwk.JWK.from_pem(private_key_pem.encode("utf-8"))
    jwetoken = jwe.JWE()
    jwetoken.deserialize(response.text, key=private_key)
    resp = jwetoken.payload.decode("utf-8")
    json_payload = json.loads(resp)
    api_key_val = json_payload["value"]
    print(f"Password stored in credential store for {cred_params['name']} is :-", api_key_val)
finally:
    # Remove the key material from disk whether or not the request succeeded.
    for path in ("rsa_key.pem", "client_cert.pem"):
        if os.path.exists(path):
            os.remove(path)
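Two details of the client above deserve hardening. It writes the client private key into the working directory with whatever permissions the process umask grants, and it hands the response to the JWE library without first checking which algorithms the token claims. The added example below, which is not part of the post and not SAP's code, provides a context manager that materialises the certificate and key in a fresh private temporary directory with owner-only permissions and removes them on exit, plus a header check that pins the JWE `alg`/`enc` pair before any decryption. The allowed pair (RSA-OAEP-256 with A256GCM) is an assumption about what the service emits; adjust it to what your binding documents. The sample token is constructed and has the shape of a compact JWE only, it is not decryptable.

```python
import base64
import json
import os
import stat
import tempfile
from contextlib import contextmanager
from typing import Iterator, Tuple

# Algorithms the JWE response is expected to use. Assumption for this example;
# pin whatever your tenant's documentation states.
ALLOWED_JWE_ALG = {"RSA-OAEP-256"}
ALLOWED_JWE_ENC = {"A256GCM"}


@contextmanager
def client_cert_files(cert_pem: str, key_pem: str) -> Iterator[Tuple[str, str]]:
    """Write the client certificate and key for requests' cert=(cert, key) parameter.

    Files live in a fresh 0o700 temp directory, are created 0o600 via os.open
    (independent of the umask), and are deleted on exit even if the request raises.
    """
    tmpdir = tempfile.mkdtemp(prefix="credstore-mtls-")
    cert_path = os.path.join(tmpdir, "client_cert.pem")
    key_path = os.path.join(tmpdir, "client_key.pem")
    try:
        for path, content in ((cert_path, cert_pem), (key_path, key_pem)):
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
            with os.fdopen(fd, "w") as fh:
                fh.write(content)
        yield cert_path, key_path
    finally:
        for path in (cert_path, key_path):
            try:
                os.remove(path)
            except FileNotFoundError:
                pass
        os.rmdir(tmpdir)


def file_mode(path: str) -> int:
    """Permission bits of a file, for checking that no group/other bits are set."""
    return stat.S_IMODE(os.stat(path).st_mode)


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def check_jwe_header(compact: str) -> dict:
    """Inspect a compact JWE before decrypting it: five segments and an allowed alg/enc."""
    parts = compact.split(".")
    if len(parts) != 5:
        raise ValueError(f"expected 5 JWE segments, got {len(parts)}")
    header = json.loads(_b64url_decode(parts[0]))
    alg, enc = header.get("alg"), header.get("enc")
    if alg not in ALLOWED_JWE_ALG or enc not in ALLOWED_JWE_ENC:
        raise ValueError(f"unexpected JWE algorithms alg={alg!r} enc={enc!r}")
    return header


def make_sample_jwe(alg: str, enc: str) -> str:
    """Constructed compact-JWE-shaped string with opaque dummy segments (not decryptable)."""
    header = base64.urlsafe_b64encode(json.dumps({"alg": alg, "enc": enc}).encode()).rstrip(b"=").decode()
    dummy = base64.urlsafe_b64encode(b"\x00" * 8).rstrip(b"=").decode()
    return ".".join([header, dummy, dummy, dummy, dummy])


if __name__ == "__main__":
    # Usage sketch with the binding fields used in the post. requests is imported
    # here so the module stays importable without it.
    import requests
    binding = json.loads(os.environ["VCAP_SERVICES"])["credstore"][0]["credentials"]
    with client_cert_files(binding["certificate"], binding["key"]) as (cert_path, key_path):
        response = requests.get(f"{binding['url']}/password",
                                cert=(cert_path, key_path),
                                headers={"sapcp-credstore-namespace": "PasswordHub"},
                                params={"name": "Password"})
    response.raise_for_status()
    print("JWE header:", check_jwe_header(response.text))
    # Decrypt with jwcrypto exactly as in the post once the header has passed.
```

The request is made inside the `with` block and the files are gone before the JWE is decrypted, so key material is on disk only for the duration of the TLS handshake and response.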
Requirements:
python-dotenv
jwcrypto
requests
Reference Links:
SAP Credential Store
Credential Management (Example: NodeJs)