Identity Provisioning handles the following tasks related to X.509 client certificates for inbound connection: importing and deleting.
Importing client certificates for inbound connection to Identity Provisioning is used in two scenarios: configuring real-time provisioning and configuring proxy systems for provisioning user data to and from a central identity management solution. Therefore, inbound client certificates can be configured for source and proxy systems only.
Certificate files with the following filename extensions are supported: .crt, .pem, and .der.
Depending on the infrastructure/environment your Identity Provisioning tenant is running on, you manage the inbound certificates in the administration console of either Identity Provisioning or SAP Cloud Identity Services.
Bundle or standalone tenants running on SAP Cloud Identity infrastructure manage certificates for inbound connections in the SAP Cloud Identity Services admin console, where the certificate must be uploaded for the technical user of type System. For more information, see Add System as Administrator.
If this technical user will be used to connect to an Identity Provisioning proxy system, enable the Access Proxy System API permission.
Bundle or standalone tenants running on SAP BTP, Neo environment manage certificates for inbound connections in the Identity Provisioning admin console.
For standalone tenants, the following requirements must have been fulfilled in SAP BTP cockpit in the consumer subaccount:
- Create an OAuth client for Platform API and choose the Keystore and Authorization Management API options. Save the generated client credentials. For more information, see Using Platform APIs.
- Create a destination with the following properties:
  - Name: IPS_MANAGE_AUTHORIZATIONS
  - URL: https://oauthasservices.<neo-region-host>/oauth2/apitoken?grant_type=client_credentials
  - ProxyType: Internet
  - Type: HTTP
  - Authentication: BasicAuthentication
  - User: <client-id-platform-api-client>
  - Password: <client-secret-platform-api-client>
You can import client certificates from various systems to establish a trusted inbound connection to a given source or proxy system. You are allowed to import and manage as many certificates as you need for your scenarios.
To import a certificate, proceed as follows:
- In the Identity Provisioning admin console, select your source or proxy system.
- Select the Inbound Certificates tab and choose Import. The name of the imported certificate is generated following the pattern: cert_client_<fingerprint>.
- View the details of the certificate and periodically check its validity.
Each certificate contains fields specifying the subject name, the issuer, the algorithm used by the issuer to sign the certificate, the validity period, the key size, and the fingerprint, which is the certificate's unique identifier.
Delete a certificate once it has expired.
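As an added example (not part of SAP's documentation or product), the following Python checks a client certificate file before or after import: it accepts the PEM (.pem, .crt) and DER (.der) encodings listed above, derives the cert_client_<fingerprint> name from a SHA-256 fingerprint of the DER bytes (which digest the console actually uses is an assumption here), and reports whether the validity period has lapsed so that an expired certificate can be deleted. The minimal DER walker reads only as far as the validity field and does not verify the signature.

```python
import hashlib
import ssl
from datetime import datetime, timezone

UTC_TIME, GENERALIZED_TIME, SEQUENCE, CONTEXT_0 = 0x17, 0x18, 0x30, 0xA0


def _tlv(buf, pos):
    """Decode one DER tag-length-value header; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _time(buf, pos):
    """Decode an X.509 Time (UTCTime or GeneralizedTime) as an aware UTC datetime."""
    tag, start, end = _tlv(buf, pos)
    fmt = "%y%m%d%H%M%SZ" if tag == UTC_TIME else "%Y%m%d%H%M%SZ"
    return datetime.strptime(buf[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc), end


def to_der(data: bytes) -> bytes:
    """.pem and many .crt files are PEM text; .der (and some .crt) files are raw DER."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return ssl.PEM_cert_to_DER_cert(data.decode("ascii"))
    return data


def inspect_certificate(data: bytes, now=None) -> dict:
    """Return the generated console name plus validity information for one certificate."""
    der = to_der(data)
    _, pos, _ = _tlv(der, 0)               # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)             # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == CONTEXT_0:                   # optional explicit [0] version field
        pos = end
    for _ in range(3):                     # skip serialNumber, signature algorithm, issuer
        pos = _tlv(der, pos)[2]
    tag, pos, _ = _tlv(der, pos)           # validity SEQUENCE { notBefore, notAfter }
    assert tag == SEQUENCE, "unexpected structure: validity field not found"
    not_before, pos = _time(der, pos)
    not_after, _ = _time(der, pos)
    now = now or datetime.now(timezone.utc)
    fingerprint = hashlib.sha256(der).hexdigest()   # assumption: SHA-256 over the DER bytes
    return {
        "name": f"cert_client_{fingerprint}",       # naming pattern used by the console
        "fingerprint": fingerprint,
        "not_before": not_before.isoformat(),
        "not_after": not_after.isoformat(),
        "expired": now >= not_after,
        "days_remaining": (not_after - now).days,
    }
```

Run it over each file in your certificate directory and treat any entry with `expired` set, or with few `days_remaining`, as a candidate for deletion or renewal before the inbound connection starts failing.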