Define API Key Validation Policies

Validate incoming API calls using API Key policies in SAP BTP API Management. This ensures only authorized clients (with valid keys) can access your iCWP services.

Define and Verify Key Policy

Add a Verify API Key policy to your API Proxy. This policy checks the API key passed in the x-api-key header against the keys associated with registered applications in the Developer Portal. Only authorized consumers with valid keys can access the API. The policy is typically applied in the PreFlow of the ProxyEndpoint.

To define the Verify API Key policy:
  1. In the API Management console, click Develop.

  2. Select the relevant API Proxy.

  3. Open the Policies tab and click Edit.

  4. In the ProxyEndpoint, select PreFlow.

  5. From Security Policies, select Verify API Key and click + to add it.

  6. Enter the Policy Name, set Stream = Incoming Request, and click Add.

  7. In the policy editor, replace the default content with the following XML:

    Policy Message:
    <!-- Specify in the APIKey element where to look for the variable containing the API key -->
    <VerifyAPIKey async='true' continueOnError='false' enabled='true' xmlns='http://www.sap.com/apimgmt'>
      <APIKey ref='request.header.x-api-key'/>
    </VerifyAPIKey>

  8. Click Update.

  9. Click Save, then Redeploy the API Proxy so the policy takes effect.

Define the Key Value Map Operations Policy

Add a Key Value Map (KVM) Operations policy to your API Proxy. This policy retrieves stored credentials (for example, the SAP service user ID and password) from the Key Value Map and makes them available for downstream policies.

  1. In the API Management console, select the relevant API Proxy.

  2. Open the Policies tab and click Edit.

  3. In the ProxyEndpoint, select PreFlow.

  4. From Mediation Policies, select Key Value Map Operations and click +.

  5. Enter the Policy Name, set Stream = Incoming Request, and click Add.

  6. In the policy editor, replace the default content with the following XML:

    Policy Message:
    <!-- Key/value pairs can be stored, retrieved, and deleted from named existing maps by configuring this policy with PUT, GET, or DELETE operations -->
    <!-- mapIdentifier refers to the name of the key value map -->
    <KeyValueMapOperations mapIdentifier="iCWPCredentials" async="true" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
      <!-- GET reads the value stored under the given key and assigns it to the flow variable named in assignTo -->
      <Get assignTo="private.username">
        <Key>
          <Parameter>UserID</Parameter>
        </Key>
      </Get>
      <Get assignTo="private.password">
        <Key>
          <Parameter>Password</Parameter>
        </Key>
      </Get>
      <!-- the scope of the key value map. Valid values are environment, organization, apiproxy and policy -->
      <Scope>environment</Scope>
    </KeyValueMapOperations>

  7. Click Update.

  8. Click Save, then Redeploy the API Proxy so the policy is active.

Define the Basic Authentication Policy

Add a Basic Authentication policy to your API Proxy. This policy encodes the SAP service user credentials (retrieved from the Key Value Map) into the Authorization header, enabling secure downstream calls from API Management to the SAP backend.

  1. In the API Management console, select the relevant API Proxy.

  2. Open the Policies tab and click Edit.

  3. In the ProxyEndpoint, select PreFlow.

  4. From Security Policies, select Basic Authentication and click +.

  5. Enter the Policy Name, set Stream = Incoming Request, and click Add.

  6. In the policy editor, replace the default content with the following XML:

    Policy Message:
    <BasicAuthentication async='true' continueOnError='false' enabled='true' xmlns='http://www.sap.com/apimgmt'>
      <!-- Operation can be Encode or Decode -->
      <Operation>Encode</Operation>
      <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
      <!-- for Encode, the User element dynamically populates the user value from the KVM lookup -->
      <User ref='private.username' />
      <!-- for Encode, the Password element dynamically populates the password value from the KVM lookup -->
      <Password ref='private.password' />
      <!-- Source (the header holding an already encoded value) is only used when the operation is Decode, so it is omitted here -->
      <!-- AssignTo assigns the encoded username and password to a variable. It is not used when the operation is Decode -->
      <AssignTo createNew="false">request.header.Authorization</AssignTo>
    </BasicAuthentication>

  7. Click Update.

  8. Click Save, then Redeploy the API Proxy to apply the changes.
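The three PreFlow policies above (Verify API Key, Key Value Map Operations, Basic Authentication) form one chain: the client's x-api-key is checked first, and only then are the service user's credentials read from the KVM and encoded into the Authorization header. The following Python script is an added illustration of that chain, not SAP's code; the registered key, map contents and flow variable names it uses are constructed sample values.

```python
import base64
import hmac

# Constructed sample data standing in for the Developer Portal's registered
# application keys and the "iCWPCredentials" Key Value Map (not real values).
REGISTERED_API_KEYS = {"app-key-abc123": "icwp-consumer-app"}
KEY_VALUE_MAPS = {"iCWPCredentials": {"UserID": "SVC_ICWP", "Password": "s3cret"}}


class PolicyFault(Exception):
    """A policy with continueOnError='false' failed, so the flow stops."""


def verify_api_key(request_headers: dict) -> str:
    """Verify API Key: read request.header.x-api-key and match it against the
    registered application keys. Returns the application name on success."""
    key = request_headers.get("x-api-key")
    if key is None:
        raise PolicyFault("FailedToResolveAPIKey")
    for registered, app in REGISTERED_API_KEYS.items():
        if hmac.compare_digest(key.encode(), registered.encode()):
            return app
    raise PolicyFault("InvalidApiKey")


def kvm_get(map_identifier: str, parameter: str) -> str:
    """Key Value Map Operations <Get>: look up one key in a named map."""
    return KEY_VALUE_MAPS[map_identifier][parameter]


def basic_auth_encode(user: str, password: str) -> str:
    """Basic Authentication with Operation=Encode: base64("user:password")."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def preflow(request_headers: dict) -> dict:
    """Run the three PreFlow policies in order. Returns the status the client
    sees and, on success, the headers that would reach the SAP backend."""
    try:
        verify_api_key(request_headers)
    except PolicyFault as fault:
        # The flow stops here: no KVM lookup and no backend call happen.
        return {"status": 401, "fault": str(fault)}
    flow_vars = {
        "private.username": kvm_get("iCWPCredentials", "UserID"),
        "private.password": kvm_get("iCWPCredentials", "Password"),
    }
    backend_headers = dict(request_headers)
    backend_headers["Authorization"] = basic_auth_encode(
        flow_vars["private.username"], flow_vars["private.password"])
    return {"status": 200, "backend_headers": backend_headers}
```

A request without a key or with an unregistered key is rejected before any credential is read, so the backend credentials never depend on what the client sends.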