[Question] [CJ] How will you deal with outdated XSUAA client certificates?

[newtork]

I'm from the SAP Cloud SDK team and I'm wondering what would be your response:

On Cloud Foundry as a consumer of your client libraries I will soon face the following situation:

• A service binding to XSUAA will result in configuration "credentials-type": "x509" (new default) instead of "binding-secret" or "instance-secret". With the binding comes an entry in environment variable "VCAP_SERVICES", containing a base64-encoded "certificate". This is being read by your library and used for communicating with XSUAA.

• Authorization and token exchange will work fine for 7 days. Afterwards the provided certificate is expired, the end of validity is reached.

• What do I do now?

[phschon]

The default validity of certificates is 7 days. Before the expiration is reached, you (or any operator/admin) has to make sure to renew the binding or service key by either unbind/rebind or creating a new service key. If this is not done, then each token request will be answered with 401 by XSUAA. You can also increase the certificate lifetime by requesting a longer validity in the binding request to XSUAA:

{
  "credential-type": "x509",
  "x509": {
    "key-length": 2048,
    "validity": 7,
    "validity-type": "DAYS"
  }
}

[MatKuhr]

increase the certificate lifetime by requesting a longer validity in the binding request to XSUAA

This will increase the lifetime of the certificate within the binding?

Or will it create an additional service key with an additional certificate that has a longer lifetime?

Also, am I correctly assuming that there is a maximum of 365 days for the validity?

[nenaraab]

Hi @MatKuhr

for now I would suggest to create an issue here to extend the SAP-internal documentation, in case boundary conditions are not sufficiently documented: https://github.wdf.sap.corp/pages/CPSecurity/Knowledge-Base/03_ApplicationSecurity/X509Authentication/ This might then be part of help.sap.com as well.

Kind regards, Nena