As an exciting update to SAP API Management three major updates have been made for the Key Value Map concept.
#1 – You can now securely encrypt the actual data stored within a Key Value Map, allowing for storage of sensitive data. #2 – You can now access and update Key Value Map information through the SAP API Management Design Time UI in addition to API calls. #3 – You can now add Key Value Maps at an API proxy level rather than the environment level. Read more here.
In this Blog I will assume that you would have already read the excellent previous blog on using Key Value Maps (KVMs) located here to understand what a KVM is, what it is used for, and when to use it. I will be focusing on using the Design Time UI to generate an encrypted KVM in a codeless manner and accessing that Encrypted KVMs data at runtime. Note: I will also be working from the assumption that you have created the ES5_Gateway account and API Provider.
Use-case Background
Oftentimes customers would like to access data from the SAP ERP Backend and expose this for consumption into an application either within their organization or to partners / 3rd party providers. Since ERP data is extremely valuable and important there is a very tight security process in place for adding users, which makes it impractical to administer for an unknown and potentially high number of incoming users. This is where the common use case of Bi-Modal IT, with API Management as the "Umbrella" governance layer providing Agility and secure exposure on top of existing Legacy systems comes into the picture. SAP API Management will be the public facing access point, and will invisibly transform consumer requests into a service user provisioned on the Backend. One analogy is the funnel.
Exposing this sensitive ERP data will require some gating mechanism, so in this blog will explore utilizing the API Key as the new authentication mechanism, however API Management supports many other more advanced patterns, like OAuth, SAP IDP, callout to 3rd party IDP, IP whitelisting, etc. which I will not explore here.
Let’s get started!
As before we start by entering the API Portal from SAP Cloud Platform
Creating the Key Value Map
From the API Portal Home page expand the Menu and select Configure
In the Configure menu that comes up, select the Sub-tab Key Value Maps to pull up a list of Key Value Maps configured on your SAP API Management tenant. Click Create to generate a new KVM in the UI.
This will bring up the Create Key Value Map wizard. In this screen provide a distinct name for the KVM, this will be used in the API Proxy so make it something memorable but not too complex. Check the Encrypt Key Value Map box. You will notice when this box is checked, even in the Create Key Value Map screen the Value Data is hidden. Then under Entries enter a distinct Key name, and a value for this Key, then click Add to enter additional entries. For this Blog, since we will be defining a Service user I will enter Username and Password keys:
Once you have filled in all the KVM information, and are satisfied, click Save. Once you receive the message that it was saved successfully, we can create an API Proxy that leverages these credentials.
Creating an API Proxy
Open the Menu and select Develop to start creating an API Proxy. Then click Create to bring up the Create API Proxy window.
Now in the Create API Proxy Wizard, select the API Provider Radio Button and select your ES5 API Provider from the drop down list.
Click the Discover button to bring up the list of APIs defined in the ERP system. In the Search field search for GWSAMPLE and select the GWSAMPLE_BASIC service and click OK.
Enter distinct information for the API Proxy describing what the API is and what it does. For the Blog I will be naming this as an Open API integration for ERP, using the following information:
Click Create to get into the final page of API creation, and then Click Deploy to bring the API live. Once the API has been successfully deployed, if you like, you can try the API at this point, and if you do not provide credentials, it will provide a 401 Unauthorized error as expected.
Adding KVM & Auth Policy to API Proxy
Within the API Proxy window you just created, click the Policies button on the top right of the API Proxy to enter the Policy Editor.
For passing Authentication credentials to the backend, it makes sense to place this policy at the end of the API Flow, so I will be placing these Policies in the Target Endpoint PostFlow, although this could be done elsewhere in the flow as well. If you need a refresher on API Policy Flows I recommend reviewing this intro blog or this advanced blog on flows
In the Flows section first click the Edit button on the top right. Then in the Flows window in the top left, either collapse the ProxyEndpoint flows, or scroll down until you see TargetEndpoint, and select PostFlow to add Policies there.
