Credential Management
This section explains how to register and manage credentials required for connecting ReleaseOwl with Integration suite, SAP Cloud Identity Services and SAP Passport.
Credential Management
Credential Management is classified into two primary domains:
1. CPI (Cloud Platform Integration)
The CPI domain manages credentials required for securing integration scenarios and internal SAP communications. It supports both system-level and user-level authentication mechanism.
a. Service Keys
Service Keys are used for system-to-system authentication and are primarily consumed by CPI runtime components. They enable secure, automated communication between ReleaseOwl and SAP Integration Suite without user interaction
Process Integration Runtime – API Access:
A Process Integration Runtime (PIR) instance is required in SAP BTP for ReleaseOwl to securely manage and deploy CPI artifacts across environments. It is used to authenticate and authorize API-based integration endpoints that are exposed or consumed by SAP Cloud Platform Integration (CPI). This setup involves creating PIR instances with two different service plans — api and IFLOW — followed by credential registration in ReleaseOwl for secure system integration.
1. Create a PIR Instance with Plan: API
APIPurpose: This instance enables programmatic access via APIs for integration, automation, and artifact management tasks.
Steps:
Log in to your SAP BTP Cockpit.
Navigate to your Global Account > Subaccount.
Go to Instances and Subscriptions from the left menu.
Click on Create.
In the "New Instance or Subscription" wizard:
Service: SAP Process Integration Runtime
Plan:
apiRuntime Environment: Cloud Foundry
Space: Select your development space (e.g.,
dev)Instance Name: Choose a name like
CPI_API_Instance
Click Next, then Create.
Note: The api plan provides programmatic access to the SAP Process Integration Runtime, allowing you to connect via APIs for integration tasks.
Assign Required Roles
In the Parameters step, assign the following roles to allow artifact management:
Role
Description
MessagePayloadsRead
Read message payloads in the integration runtime.
MonitoringDataRead
View monitoring data for integration flows.
TraceConfigurationEdit
Edit tracing configurations.
TraceConfigurationRead
View current tracing configuration.
WorkspaceArtifactsDeploy
Deploy artifacts from workspace to runtime.
WorkspacePackagesConfigure
Configure packages, parameters, and dependencies.
WorkspacePackagesRead
Read-only access to integration packages.
WorkspacePackagesEdit
Modify and configure integration packages.
Create Service Key (for api plan)
api plan)After instance creation:
Go to Instances and Subscriptions.
Expand your newly created
apiinstance.Click Create Service Key.
Enter a name (e.g.,
cpi-api-key) and leave parameters blank.Click Create.
Click View Credentials to retrieve:
Client ID
Client Secret
Token URL
Register SAP CPI (API Access) Credential in ReleaseOwl
Credential registration enables secure communication between ReleaseOwl and SAP CPI environments.
✅ Steps:
Log in to the ReleaseOwl Platform.
Go to Administration > Credential Manager.
Click Register Credential.
Fill in the details:
Credential Name: Any identifiable name for the credential.
Authentication Type: Select OAuth2
Client ID: Provide the details from the above created API service key.
Client Secret: Provide the details from the above created API service key.
Token URL: Provide the details from the above created API service key.
Click Save.
The credential will now appear in your list and can be used in pipelines and deployments.
2. Create a PIR Instance with Plan: IFLOW
IFLOWThis is used for managing and testing integration artifacts (iFlows).
✅ Steps:
Go to your SAP BTP Cockpit.
Select your subaccount that hosts SAP CPI.
Go to Services > Service Marketplace.
Select SAP Process Integration Runtime → Click Create.
Fill in the following:
Service: SAP Process Integration Runtime
Plan:
IFLOWRuntime Environment: Cloud Foundry
Space: Provide the appropriate space (e.g.,
dev)Instance Name: (e.g.,
CPI_IFLOW_Instance)
Click Next and then Create.
Create Service Key (for IFLOW plan)
IFLOW plan)The IFlow plan service key is required to execute test cases from ReleaseOwl
Navigate to Instances and Subscriptions.
Locate the
IFLOWinstance.Click Actions > Create Service Key.
Enter a name for the key (e.g.,
cpi-iflow-key) → Click Create.
Click on the service key name to view the key details.
You will need these values when setting up ReleaseOwl credentials.
Register SAP CPI Credential (Iflow) in ReleaseOwl
This step allows ReleaseOwl to securely interact with CPI for artifact deployment and management via the IFLOW plan.
Steps:
Navigate to Credential Manager from the Administration menu in the ReleaseOwl Platform.
Click Register Credential.
Set the Credential Type to SAP Cloud Environment.
Fill in the following details:
Credential Name: Enter a meaningful name (e.g.,
CPI IFLOW Credential)Authentication Type: Select OAuth2
Client ID: Provide the details from the above created IFLOW service key.
Client Secret: Provide the details from the above created IFLOW service key.
Token URL: Provide the details from the above created IFLOW service key.
Click Save.
The new credential will now appear in the List of Credentials and can be used in Release Pipelines for IFLOW deployments.
b. Web Authentication
Web Authentication is used for interactive and user-based access to SAP services and applications.
SAP Cloud Identity Services – Identity Authentication (IAS) Instance : Acts as the Identity Provider (IdP) for SAP Integration Suite and is used to authenticate users accessing the platform. It provides browser-based authentication and Single Sign-On (SSO) using the OpenID Connect (OIDC) protocol.
SAP Cloud Identity Service: Create IAS Instance
Navigate to Instances & Subscriptions in your SAP BTP subaccount.
Click on the Create button.
In the Service field, select Cloud Identity Services.
In the Plan field, choose Default under Subscriptions, then click Next.
Click Create to provision the instance.
Activate Administrator Account
An activation email will be sent to the registered email address.
Open the email and click Activate Account.
Set your password and click on Continue.
Register SAP Cloud Identity Service Credential in Releaseowl
Log in to ReleaseOwl.
Go to Administration → Credential Manager.
Click on Register Credential.
Enter the following information:
Credential Type: SAP Cloud Identity
User Name: Cloud Identity Service Username
Password: Cloud Identity Service Password
Click Save to complete the credential registration.
2. SAP Passport: It enables secure authentication and establishes trusted communication between SAP internal systems and SAP Integration Suite. It ensures system-to-system trust and protects data exchanged across integrated SAP landscapes.
Steps to Create SAP Passport
Go to SAP for Me.
Navigate to the SAP Passport page (reference link: SAP Passport).
Enter your S-User password when prompted.
Click on the Apply for SAP Passport.
Give your SAP Passport Password in that box, then click on Apply button your SAP Passport will created.
After successful creation, click Download the SAP Passport.
The passport will be downloaded in .pfx format to your system.
Register SAP Passport Credential in ReleaseOwl
Go to Credential Manager in ReleaseOwl.
Click Register Credential.
Fill in the following details:
Credential Type: SAP Passport
Password: Enter the SAP Passport Password you provided during the apply process
Certificate: Upload your downloaded SAP Passport (.pfx)
Note: You must keep using the PFX if the server requires client certificate authentication.
Save the credential.
2. API Portal & Management
The API Portal & Management layer is responsible for managing credentials associated with external API consumers. It governs API exposure, access control, and security policies for third-party system integrations.
External API Credentials Used to authenticate external systems consuming APIs, typically via OAuth client credentials, API keys, or access tokens.
Create new instance : API Management, API Portal
Go to the SAP BTP Cockpit and log in with your credentials.
In the SAP BTP Cockpit, navigate to Instances and Subscriptions.
Click on the Create button.
Fill in the necessary details as follows:
Service: API Management, API Portal
Plan:
apiportal-apiaccessRuntime Environment: Cloud Foundry
Space: Dev
Instance Name: Enter a name of your choice
Click "Next".
In the JSON format, enter:
Click "Next".
Click "Create".
Create APIPortal-APIAccess Plan Service key
After the instance is created, click the three-dot menu (⋮) next to it.
Select "Create Service Key".
Enter a name for the key (e.g.,
api-access-key) and click Create.Once created, click on the key to view credentials like
clientid,clientsecret, andurl— used for API authentication.
Step-by-Step Guide: Registering Credentials in ReleaseOwl
From the Administration menu, go to Credential Manager.
Click Register Credential.
Credential Name: Enter any identifiable name for the credential.
Credential Type: Select API Management.
Scope – Select the scope of the credential:
Global – Visible to all users.
Private – Visible only to the user who created it.
Authentication Type: To register your credentials, you can choose one of the following methods:
Option A: Upload Credentials File :
This is the recommended and easiest method.
Click Browse.
Select and upload the credentials file downloaded from the SAP BTP Cockpit (API Management Service).
Once uploaded, the system will automatically extract and populate the required fields.
Option B: Manual Entry
Use this option if you prefer to enter the credentials manually.
Select Manual Entry as the authentication type.
Provide the required details from the API service key created in SAP BTP Cockpit.
Last updated