Modern cloud environments demand a secure and well-defined way of handling sensitive data. In SAP Commerce Cloud, security files play a critical role in ensuring that certificates, keys, and credentials are handled safely, without ever being exposed in the codebase.

Yet, security files are often treated as “just configuration”. In reality, they are a first-class part of the cloud configuration lifecycle and must be managed carefully to avoid broken integrations, security risks, or unexpected deployment issues.

This article walks through:
  • what security files are,
  • how they are managed using the Cloud Portal,
  • how they are deployed to runtime environments,
  • and why understanding this lifecycle is essential for stable and secure SAP Commerce Cloud setups.

Security Files in SAP Commerce Cloud – Overview

Security files are used to store certificates, SFTP keys, and other credentials. These files should never be hardcoded and must never be committed to Git repositories.

SAP Commerce Cloud provides a secure mechanism to manage these files via the Cloud Portal, allowing teams to upload, store, and attach security files to specific environments without exposing them in the application source code.

This entire workflow is managed outside of the codebase and consists of a simple three-step process:
  1. Upload security files
  2. Attach them to specific environments
  3. Deploy an application build

Important Note: There is no need to create a new build just to associate security files with an environment. The files are transferred automatically on the next deployment.

Step 1 – Uploading Security Files

The first step is uploading security files to your subscription using the Cloud Portal.

Supported File Types

SAP Commerce Cloud supports a wide range of file formats, including:
CER, CRT, DER, HYBRIS, KEY, JKS, P12, P7B, P7S, PEM, PFX, TXT

Filename Requirements

Before uploading, ensure that:

  • filenames do not contain spaces,
  • filenames are unique within the subscription.

These checks are important because the original filename is preserved when the file is transferred to the runtime environment.

Upload Process

Using the Cloud Portal, navigate to Security → Security Files and click Create, then:
  1. Provide a logical name (used only inside the Cloud Portal)
  2. Upload the file (drag & drop or browse)
  3. Optionally add a description
  4. Save the file
At this stage, the file is stored securely in the subscription but not yet available to any environment.

Step 2 – Attaching Security Files to an Environment

Uploading a security file alone is not enough. To make it available at runtime, the file must be attached to a specific environment using Deployment Configuration.

Attaching the File

  1. Navigate to Environments
  2. Select the target environment (for example, staging or production)
  3. Open Deployment Configuration
  4. Add the security file in the Security Files section
  5. Save the configuration

Note: The combined size of all security files attached to a single environment must not exceed 1 MB.

This step defines where the security file will be used, but the file is still not present in the filesystem until a deployment occurs.
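
A pre-upload check for the rules stated above (supported file types, filename requirements, and the 1 MB limit per environment), as an added example that is not part of the original article or of SAP's tooling. The `already_uploaded` input, the sample filenames, the case-insensitive extension match and the reading of 1 MB as 1,000,000 bytes are assumptions.

```python
from pathlib import Path
import tempfile

# Formats listed in the article as supported by the Cloud Portal.
SUPPORTED = {"cer", "crt", "der", "hybris", "key", "jks", "p12",
             "p7b", "p7s", "pem", "pfx", "txt"}
# Assumption: "1 MB" is read conservatively as 1,000,000 bytes.
MAX_TOTAL_BYTES = 1_000_000


def check_security_files(paths, already_uploaded=()):
    """Return a list of problems; an empty list means no rule is violated.

    paths            -- local files intended for one environment
    already_uploaded -- filenames already present in the subscription
                        (hypothetical input; the caller supplies it)
    """
    problems = []
    seen = set(already_uploaded)
    total = 0
    for p in map(Path, paths):
        name = p.name
        if " " in name:
            problems.append(f"{name!r}: filename contains a space")
        # Assumption: the extension is compared case-insensitively.
        if p.suffix.lstrip(".").lower() not in SUPPORTED:
            problems.append(f"{name!r}: unsupported file type")
        if name in seen:
            problems.append(f"{name!r}: filename not unique in subscription")
        seen.add(name)
        total += p.stat().st_size
    if total > MAX_TOTAL_BYTES:
        problems.append(f"combined size {total} bytes exceeds {MAX_TOTAL_BYTES}")
    return problems


def demo():
    """Run the check on constructed sample files (dummy bytes, no real keys)."""
    with tempfile.TemporaryDirectory() as d:
        samples = {"sftp_partner.key": 2_000, "payment gateway.pem": 1_500,
                   "truststore.jks": 999_000, "notes.docx": 10}
        files = []
        for name, size in samples.items():
            f = Path(d) / name
            f.write_bytes(b"\0" * size)
            files.append(f)
        return check_security_files(files, already_uploaded=["truststore.jks"])


if __name__ == "__main__":
    print("\n".join(demo()))
```

Because the original filename is preserved on the runtime filesystem, running a check like this before upload catches naming problems while they are still cheap to fix.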

Step 3 – Deploying the Application Build

Once the deployment configuration is updated, the next deployment of any build to that environment triggers the transfer of the attached security files.

During deployment, SAP Commerce Cloud automatically places the files into:

This directory is where the application expects security-related configuration to be available at runtime.
Crucially:

  • no code changes are required,
  • no new build is required,
  • redeployment alone is sufficient.

Using Security Files at Runtime

Once deployed, security files can be referenced from configuration or code depending on how they are used.

Absolute File Path

When an absolute path is required, the file can be referenced as a FileSystemResource:

This explicitly tells the system to treat the file as a filesystem resource.

Relative File Path

In cases where the file should be treated as a servlet context resource, the file: prefix must not be used:

Choosing the correct approach is important and depends on how the consuming component resolves resources.

Key Takeaways

Security files in SAP Commerce Cloud are not just files — they are an integral part of the platform’s cloud configuration model.
Key points to remember:

  • Never store secrets in code or Git repositories
  • Always manage sensitive files via the Cloud Portal
  • Attach files explicitly to environments
  • Understand when redeployment is required
  • Be mindful of size limits and filename rules

A solid understanding of how security files flow from the Cloud Portal to the runtime filesystem helps prevent:

  • broken integrations due to missing certificates,
  • accidental exposure of sensitive data,
  • and deployment-time surprises in critical environments.

If you want help validating your setup (certificates, keys, SFTP integrations) or preventing deployment surprises across environments, we can help.
