To simplify the management of secrets for service instances of the SAP Authorization and Trust Management service, we recommend that you configure service instances to use binding secrets.
By default, service instances of the SAP Authorization and Trust Management service use the instance secret for all bindings of the service instance. In the application security descriptor (xs-security.json), enable binding secrets for service instances. Each binding then has its own secret. You can enable both at once for the following plans:
- Application plan
The API access plan only uses binding secrets.
- Modify the application security descriptor (xs-security.json) to support both instance secrets and binding secrets. Edit the OAuth client configuration of the xs-security.json as follows:

    "oauth2-configuration": {
      "credential-types": ["binding-secret", "instance-secret"]
    }

- Update the service instance with the new application security descriptor.
- Unbind and rebind any consuming applications. With each new binding, the system creates a new binding secret.
- Replace any service keys with new service keys. At this point, none of the applications consuming your service instance need the instance secret anymore.
- Modify the application security descriptor (xs-security.json) to disable support for instance secrets. Edit the OAuth client configuration of the xs-security.json as follows:

    "oauth2-configuration": {
      "credential-types": ["binding-secret"]
    }

- Update the service instance with the new application security descriptor.
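The two descriptor edits in the procedure above, as an added example that is not part of this page or of the SAP service itself: the first function produces the transitional xs-security.json that allows both credential types, and the second produces the final binding-secret-only descriptor but refuses to do so while any binding still carries the instance secret. The descriptor contents, the binding list and the `credential-type` field used to classify each binding are constructed sample data and assumptions, not values taken from the page.

```python
import copy
import json

# Constructed sample xs-security.json in the default state (instance secret only).
XS_SECURITY = {
    "xsappname": "example-app",  # assumed application name
    "tenant-mode": "dedicated",
    "oauth2-configuration": {"credential-types": ["instance-secret"]},
}

# Constructed sample bindings as a consumer's VCAP_SERVICES might report them;
# the "credential-type" field is an assumption about the binding credential shape.
BINDINGS_BEFORE_REBIND = [
    {"name": "app-a", "credentials": {"credential-type": "instance-secret"}},
    {"name": "app-b", "credentials": {"credential-type": "instance-secret"}},
]
BINDINGS_AFTER_REBIND = [
    {"name": "app-a", "credentials": {"credential-type": "binding-secret"}},
    {"name": "app-b", "credentials": {"credential-type": "binding-secret"}},
]


def set_credential_types(descriptor, types):
    """Return a copy of the descriptor with oauth2-configuration.credential-types replaced."""
    updated = copy.deepcopy(descriptor)
    updated.setdefault("oauth2-configuration", {})["credential-types"] = list(types)
    return updated


def enable_binding_secrets(descriptor):
    """Step 1: accept both binding secrets and the instance secret during the migration."""
    return set_credential_types(descriptor, ["binding-secret", "instance-secret"])


def bindings_using_instance_secret(bindings):
    """Names of bindings whose credentials still carry the instance secret."""
    return [b["name"] for b in bindings
            if b["credentials"].get("credential-type") == "instance-secret"]


def disable_instance_secret(descriptor, bindings):
    """Step 5: drop the instance secret, but only once no consumer still relies on it."""
    remaining = bindings_using_instance_secret(bindings)
    if remaining:
        raise RuntimeError(f"rebind first; still using the instance secret: {remaining}")
    return set_credential_types(descriptor, ["binding-secret"])


if __name__ == "__main__":
    print(json.dumps(enable_binding_secrets(XS_SECURITY), indent=2))
    print(json.dumps(disable_instance_secret(XS_SECURITY, BINDINGS_AFTER_REBIND), indent=2))
```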