Historically, many users preferred the simplicity of "set-and-forget" basic authentication over the hassle of expiring certificates. However, rising security scrutiny has shifted this mindset.

In SAP Cloud for Customer (C4C), switching to inbound certificate-based integration seems straightforward:
- Open your Communication Arrangement.
- Set the Authentication Method to "SSL Client Certificate."
- Upload your certificate (or - though not recommended - let the system generate one).

However, as I had to find out recently, the field Authentication Method is effectively meaningless. While you might expect the system to now require a certificate, the old username and password remain active. An attacker (or an old middleware setup) can still bypass your new certificate and log in via Basic Authentication.

A little background: Integration in C4C is based on communication systems and communication arrangements. Each (logical) endpoint is a separate communication system (e.g. ERP, Business One etc.), and for each communication system, multiple communication arrangements can be created (Ticket Integration, Quote Integration etc.). For unknown reasons, the credentials for those integrations are maintained on the communication arrangement level but apply on the communication system level (i.e. to all inbound communication arrangements of that communication system). The integration user is created automatically by C4C, but under Edit Credentials, you can set the password or the client certificate ... or both. While the password can be changed or unlocked (when locked), it cannot be locked (when unlocked).

This leaves users who want to switch to certificate-based authentication with only one option: in addition to uploading your new certificate, you must also intentionally trigger a password lock. This is done by calling the interface five times with incorrect credentials. Only then is the "back door" closed, forcing the system to rely solely on the certificate.

Users should keep this C4C quirk in mind for their switch to certificate-based authentication, because otherwise, instead of enhancing security, they will only create another way of getting in.

Note: I've raised this issue with SAP, who maintain that they don't consider this a priority, as their main focus is now on C4C V2. I have asked them to at least release a note and will update once and if they do.