Part 2: Connect to on-premise APIs from SAP Cloud ...

divyamary · ‎06-25-2020

SAP Cloud Connector enables you to securely connect applications on SAP Cloud Platform with your on-premise systems. Using SAP Cloud Connector, you can manage your on-premise APIs via SAP Cloud Platform API Management. In this blog, steps to connect SAP Cloud Connector to your SAP Cloud Platform Cloud Foundry environment and its usage from SAP Cloud Platform API Management is covered.

SAP Cloud Platform API Management is not yet available in Cloud Foundry trial environment and therefore this steps can be tried out from a production account. For SAP Cloud Platform Integration Suite, you can also follow this blog to enable the API Management capabilities.

Prerequisites

Subscribed to API Management, API portal tile in Cloud Foundry ( details in this blog).

Alternatively you have enabled API Management capabilities from Integration Suite ( details in this blog)

Installed and configured SAP Cloud Connector ( details in this tutorials)

Connect your SAP Cloud Connector to SAP Cloud Platform sub account

To connect SAP Cloud Platform API Management to an on-premise system via the Cloud Connector, you will need to configure the SAP Cloud Platform sub-account where API Management, API portal service is enabled/subscribed in SAP Cloud Connector.

Logon to SAP Cloud Platform and navigate to your SAP Cloud Platform sub-account.

Navigate to Overview tab and copy the sub-account ID available in the Subaccount Details section.

SAP Cloud Platform Overview page

Log on to the Cloud Connector administration console.

Select Connector tab and then select Add Subaccount

Add a new subaccount in SAP Cloud Connector

In the Add Subaccount dialog, select your SAP Cloud Platform Region from the drop down, paste your previously copied Subaccount ID, optionally provide a Display Name, enter your SAP Cloud Platform cockpit administrator's email address and password, optionally provide a Location ID. Finally click Save.

Connect Cloud Connector with your on-premise system

To access your on-premise system from SAP Cloud Platform via SAP Cloud Connector, you will need to provide a mapping between your internal on-premise system host/port to a virtual host in the Access Control section. After the access control is set up you can use the virtual host on SAP Cloud platform to allow applications to connect to services on your on-premise system. In this blog, access to SAP Gateway system was enabled.

In the Cloud Connector Administration console, expand the name of your sub account and select Cloud To On-Premise tab. Select the plus ( + icon) in the section Mapping Virtual to Internal System.

In the Add System Mapping select your Back-end system type and select Next.

Select your protocol HTTPS, select Next.

Enter your Internal Host and Port, select Next.

Enter your Virtual Host and Port, select Next.

Select your Authentication type or Principal type between SAP Cloud Connector and your target system. In this blog, None was selected so that the authentication value passed by the client is passed as if to the target SAP Gateway. Select Next.

Select which field should be used in the Request Header. You can chose between Use Virtual Host or Internal Host. Select Next.

Finally click Finish to create the necessary mapping between Virtual host & Internal host

Next you will need to allow access to the service paths in each of your SAP Gateway services. Select + button next to the Resources section.

Add in the URL paths and also select the option to access path & all sub-paths and select Save. In the blog, since the connection is for SAP Gateway OData APIs the URL path value was set to /sap/opu/odata.

You can select on the highlighted icons to check on the status of the newly added virtual host & internal host mapping.

You can also check the status of your SAP Cloud Connector connection by navigating your SAP Cloud Platform cockpit , selecting the sub-account which was used in the connection from SAP Cloud Connector. Select Cloud Connectors under Connectivity.

Create API Provider in SAP Cloud Platform API Management for connecting to on-premise APIs

API Providers features of SAP Cloud Platform API Management enables you to provide your technical configuration details like host, port, authentication type and discovery API URL.

Navigate to your API Management, API portal service available within your SAP Cloud Platform Cloud Foundry environment ( available under Subscription tab).

Navigate to Configure tab and then select Create.

Enter name for your API Provider say SAPGatewayTest

In the Connection tab, select On-Premise as the Type, enter your virtual host and port from SAP Cloud Connector, enter the Location ID ( if specified on SAP Cloud Connector during connectivity to SAP Cloud Platform sub-account). For the authentication type you can select None or Principal Propagation. In this blog , None was selected therefore the client connecting to API Proxy should provide the target endpoint credentials. In the upcoming blogs, Principal propagation configuration will be covered.

For discovering of OData APIs from SAP S/4HANA or SAP Gateway system, you can additionally maintain the catalog service information. In Catalog Service Settings, enter your Service Collection URL. Based on the SAP Gateway & SAP S/4HANA system the endpoint could be either /sap/opu/odata/IWFND/CATALOGSERVICE;v=2/ServiceCollection or /sap/opu/odata/IWFND/CATALOGSERVICE/ServiceCollection

Select Basic from the Authentication type and enter your SAP Backend user name and password and select Save. This credentials will be used only for discovery of OData APIs and will not be used during the actual API Proxy execution.

To check on your configured value, you can select Test Connection.

Create API Proxy in SAP Cloud Platform API Management for connecting to on-premise APIs

API Proxy enables you to create a facade layer over your actual target endpoint and add policies like Quota, Spike Arrest, message validation and more.

Navigate to Develop tab, then select API and click Create.

Select the newly created API Provider and select Discover

Search & select the on-premise OData service that you would like to manage with SAP API Management

Enter a title, description, base path your API Proxy and select Create.

This will generate the OpenAPI documentation for your selected on-premise OData API service. Select Deploy to activate the API Proxy. This will generate your API Proxy endpoint URL

Select your API Proxy URL and then open it in new browser tab to quick connectivity to your On-Premise API

You will be promoted to enter your target or back-end credentials and after a successful login you will see the data from your on-premise back-end via SAP Cloud Platform API Management.

Stay tuned, more blogs on API Management in Cloud Foundry environment to come:

Enable API Management capability

Connect to on-premise APIs (current blog)

Service Plans of API Management

Manage integration flow from Cloud Integration

To learn more about SAP Cloud Platform API Management, visit us at SAP Community.

swathivuddala8 · ‎07-01-2020

Hi Divya

Very detailed and useful blog. Will try out this !

Thank you very much.

Regards

Swathi Vuddala

divyamary · ‎07-03-2020

Hi Swathi,

Thanks for your kind words on the blog.

Best Regards,

Divya

rahul_s · ‎07-07-2020

Hi Divya,

Thanks for detailed explanation.

When principal propagation blog will be available?

Regards

Rahul

divyamary · ‎07-08-2020

Hi Rahul,

Thanks for your suggestion on the principal propagation blog. The part 3 of the blog would be on the principal propagation and hopefully soon it would be available as well. In terms of the steps to enable principal propagation at a high level it would be as follows :-

Enable the entitlement to use the API Management, api portal service in your cloud foundry space, select the on-premise connectivity plan.

Create a service instance of this API Management service from the service market place and then select plan of on-premise connectivity.

Create or Edit the API Provider and select Principal Propagation for the authentication type from the drop down.

Thanks and Best Regards,

Divya

vodela · ‎07-14-2020

Divya

Thanks for this blog

When I try this in Cloud Foundry Trial Account under the Connectivity tab there is only Destination Option but not the option you have mentioned to check connector connection. Does this mean we can't try out the cloud connector in the Trail environment?

I created the Destination for on Prem SAP but it fails while a similar destination in NEO works along with all APIs.

Best regards

Ramesh

boonsom_la-orrattanasak · ‎09-21-2020

Hi Divya,

same as mine, I could not find "Cloud Connector" under Connectivity, but it used to work with my id which is Neo environment.

have you solve this problem?

regards,

Boonsom

M5L · ‎10-14-2020

Hi Divya,

if I try to create an API Provider with type "on-premise" I´m always getting this error;

Unable to Configure API Provider
[Request ID: a914cb19-f69e-4575-a364-1da911ecae76]
dest: Name or service not known_ON_PREM

Do you have any idea or suggestion to solve this problem?

In Cloud Cockpit trial account in a Cloud Foundry subaccount I subscribted to "Integration Suite" and activated API Management.

When setting a "on-premise" connection in a iFlow in Integration Suite everything goes fine.

Best regardes,

Markus

divyamary · ‎10-21-2020

Hi Markus,

Thanks for bringing this issue on trial to our notice. This issue has been reported to our DevOps team, so will keep you posted on the progress soon.

Thanks and Best Regards,

Divya

PeterAlexander · ‎10-21-2020

Dear Divya,

I have the same problem when I am try to configure an API Provider based on the cloud connector. I tried with an factoryaccount and the integration suite plan trial (Frankfurt) and standard ( Netherland).

Unable to Configure API Provider

[Request ID: 3c65d43b-bcae-4e04-af5a-def03c5e8a15]
An internal error occurred, contact SAP administrator for details

Beside that the Test Connection Button is not activ.

Best regards

Peter

divyamary · ‎10-22-2020

Hi Peter,

Kindly create an incident on the component OPU-API-OD-OPS so that our DevOps team can assist you in resolving this issue.

Thanks and Best Regards,

Divya

divyamary · ‎10-22-2020

Hi Markus,

The issue for trial is fixed now. Kindly retest and let us know if this issue continues to persist for your account.

Thanks and Best Regards,

Divya

former_member693524 · ‎11-01-2020

Hi Divya,

Need your Help

When trying to test the API, using CDS view. I am getting error.

https://**.prod.apimanagement.eu10.hana.ondemand.com/Z_TOR_ROOT_CDS

{"fault":{"faultstring":"Unsupported Encoding \"br\"","detail":{"errorcode":"protocol.http.UnsupportedEncoding"}}}



Best Regards,

Rohit

divyamary · ‎11-02-2020

Hi Rohit,

Kindly check if you are able to call your API from the test console of SAP API Management or from any external API test tooling like Postman by passing in the additional header named Accept-Encoding with value gzip,deflate . If this helps, then you can assign this header value using the AssignMessage policy.

In case the issue continue to happen kindly raise a customer incident on the component OPU-API-OD-OPS.

Thanks and Best Regards,

Divya

radar_lei · ‎11-23-2020

Hi Divya,

If there’s a big tenant solution which means one CPI tenant connects to several customers' backend systems, is ‘Connect to On-Premise APIs via SCP API management’ still a recommended way or it is better not use the SCP API management to expose the API from on-premise system?

Thanks and Best regards,
Radar

former_member712397 · ‎11-27-2020

Hello Divya,

I am getting same error when I try to create API Provider with on-premise Cloud Connector.

[Request ID: 42afcf77-4319-4def-9010-2705b140cc28]
dest: Name or service not known_ON_PREM

What was the root-cause and resolution for this error? Please share details for the benefit of others who may encounter the same issue.

Thank you and Best Regards

Lokesh

ElijahM · ‎12-02-2020

Hi Radar,

This question is more of an EA question, and based on the expectation, quantity and usage the decision could be made.

Many customers put in place SAP API Management as the default for all API exposures within their organization, cloud or onprem, to serve as a centralized security and discovery point for APIs.

API Management doesn't necessary need to be exclusive to CPI - CPI can be a connectivity point for multiple backend systems, and then expose the connections/aggregations as APIs in to SAP API Management. This is part of the coming roadmap for "Low Code API development" between CPI and APIM.

Or if no aggregation, encryption, transformation, etc. is required APIs can be brought directly into API Management. Again however, these are all possibilities that would need to be evaluated on a case by case basis.

Regards,
Elijah

vodela · ‎12-04-2020

Divya

I was trying this on the Cloud Foundry Trial account - When I click on Test connection Step I got the message

System is up and reachable. However, the ping check responded with code : 405; Message : Method Not Allowed

When I checked the log in the cloud connector I found exception occurred with this message.

sap.core.connectivity.tunnel.client.notification.NotificationClientEventHandler#Thread-29# #Unexpected exception while establishing tunnel connection for tunnel: account:///4d66160b-e6ad-4a7c-9208-9857f24a8b9c/RCloudConn
io.netty.resolver.dns.DnsResolveContext$SearchDomainUnknownHostException: Search domain query failed. Original hostname: 'connectivitytunnel.cf.eu10.hana.ondemand.com' failed to resolve

Best regards

Ramesh

vodela · ‎01-11-2021

Boonsom

It appears to me that SAP has resolved some issues in the trial version. you can look at this

https://blogs.sap.com/2021/01/10/cloud-foundry-api-portal-and-cpi-api-using-a-premise-odata-service/

Regards

Ramesh

dnguyen_31 · ‎03-10-2021

Hi Divya,

Isn't true that SAP API Management will not be available after Jan 1, 2021?

Thanks

David

enricobarsali · ‎06-12-2021

I have the same issue, did you solve it?

DeepikaB · ‎06-05-2022

Hi Divya,

In order to connect to my On premise systems I have used cloud connector and SAP BTP , in BTP when I defined the destination a technical user ( Communications user in the backend) has been given and the related resources include IDENTITY_MODIFY FM as well.

All of a sudden all the users in the backend got modified by this user, and roles were removed. The FM has caused this ..> Please let me know your thoughts on this.

Deepika.

Keerthana · ‎06-30-2022

Hi divya.mary ,

I have set up the cloud connector and created an api provider but when trying to create api using API Provider created and clicking on discover button ,I am getting the error,Unable to discover the system.Could you please help me with this.

Note: This is in trial account.After creating API Provider and doing Test Connection i didn't get any response message but when i do the inspect i could see 200 Ok .

Thanks & Regards,
Keerthana

parvez9khan · ‎01-10-2023

Hi,

while trying to test API I'm getting 502

https://XXXXXXXetrial-trial.integrationsuitetrial-apim.us10.hana.ondemand.com/XXXXXetrial/bestrun/bp...

Any help would be great assist

Thanks, Parvez