Exposing Gateway Services from SAP Process Orchestration
When it comes to exposing data in the OData format from your SAP backend systems SAP Gateway is your go-to solution. There are a number of different deployment options how you can set up your system landscape for this scenario.
Since the release of SAP Process Orchestration 7.31 SP13 or SAP Process Orchestration 7.40 SP08 you have the additional option to expose SAP Gateway services from your SAP backend systems as OData services directly from your Process Orchestration server.
This has the benefit that it can replace the need to install a separate Gateway Hub server in many cases, thus lowering the TCO of your IT landscape. Also, it gives you the possibility to consolidate the exposure of your different web services in one location – the SAP Process Orchestration server.
Additionally, there are some technical upsides to this approach: For example, you might create a BPM process with some generated TaskUI screens, running directly on your SAP Process Orchestration server. If you now want to add some some SAP backend data that is not a part of your process context, you can now expose this data as an OData service from the same server, thus avoiding Cross-Origin Requests that would trigger security warnings otherwise.
At the moment, there are some scenarios in which you can’t use this feature:
- A SAP Process Orchestration Java Single Stack installation is a pre-requisite
- SAP Fiori app deployment is not yet supported
- Unified Inbox is not yet supported
The OData Provisioning feature is a part of the usage type AEX and therefore comes pre-installed with SAP Process Orchestration. The only thing left for you to do, is to assign the proper authorizations GW_ADMIN and GW_USER to the respective users.
You can find the official documentation for the feature Exposing Back-End Data as OData Service here:
I now want to show you how easy it is to expose a Gateway service on SAP Process Orchestration:
Adding a new destination to your backend system
First you want to add a new destination in your NetWeaver administrator console pointing to the IWBEP service in your SAP backend system. This is the “catalogue” from where all the Gateway services are exposed.
- Go to your NetWeaver Administrator interface:
http://<SAP Process Orchestration server>:<port>/nwa
- Go to Configuration –> Destinations
- In the Destination List, click on the Create button:
- In the Destination Wizard, select your Hosting System, assign a Destination Name and select the Destination Type „HTTP“:
- In the Connection and Transport Security Settings step enter the connection information to your SAP Gateway IW_BEP service and enter the Additional Settings for SAP Systems:
- If you use a HTTPS connection, select the Trusted Servers Certificates Keystore, where the (root) certificate of the backend server is stored:
- In the Logon step enter the logon information to authenticate against the IW_BEP service in the SAP backend:
- To test your destination, select the new entry and click on the Ping Destination button; you should receive a success message if everything is configured correctly:
Register Gateway Services in the OData Provisioning Administration interface
- Go to Integration Gateway OData Provisioning Administration:
http://<SAP Process Orchestration Server>:<Port>/igwj/Admin
- Click on Register a New Service
- Select the backend destination you created in the NetWeaver Administrator
- Perform a search for the service you would like to register from SAP Gateway
- Select the service and click on Register
- Open the Service Document
- View and work with your OData Service published on the Process Orchestration Server
This is all you need to do to expose an SAP Gateway service on your SAP Process Orchestration server. Apart from the not supported scenarios mentioned above, you can do everything to this service that you could do to a regular Gateway service.
this is again a very comprehensice and useful description.
Thanks for the detailed info ...
Is there any plan to combine the service registry and oData Provisioning models to provide unified provisioning...
I don't fully understand what you mean by Unified Provisioning. Could you please elaborate on what you want to do?
Thanks and regards
Currently to register the webservices we are using the service registry.. and i understood the Integration gateway is doing the same thing for the oData services... so going ahead can we expect to have single registry/repository to have these information ( both for soap and odata services..)..
this might come at some point in the future, but it won't be a part of the next releases.
Can you tell us if there is a way of providing an alias for use by consumers of these services? Something like ABAP transaction SICF-> External Aliases?
currently the service is exposed exactly the same way as it is modeled in SAP Gateway. There you can define how the service is supposed to be called for consumption. Is there a specific reason why you want to provide an alias name for a Gateway service?
There is a preference in our compmay to not show the full sap path to the service. So, instead of host:port/igwj/odata/SAP/ZGW_service_name;v=1/, it would be host:port/service_alias/v1.
We have used SICF to do this in the back end systems to hide the path .../sap/opu/odata/sap...
when exposing the service using the OData provisioning feature in Process Orchestration, you don't have this capability. The service will be exposed at the following URL:
We have used java gateway to consume gateway services from our UI application. SAPUI5 application is deployed on SAP PO sever and gateway services on ECC. With Java gateway we avoid typical cross origin issues. Also in the destination we have used a service user to connect to gateway system. I am assuming this user is used when gateway services are invoked from ui application. We don't have any sso between sap po and gateway since for sso same user should exist in both systems. We don't want that.
Second point is around usage of substringof function in gateway url. Strangely this is not working for us. However if I test the same in gateway client, it works. Any clues here ?
Hi Bjoern Woppmann,
Thanks for a wonderful descriptive document, I have a question can you please help.
I couldn't find the role GW_Admin and GW_User in identity manager. We are using the server NW 7.4 SP 08. Any pointers what might be wrong.
Thanks & Regards
I'd suggest opening a support ticket.
What are the plans to allow altering of these Services on the PO System? Can we adjust backend exposed Services on Gateway Java in any way or is it a 1:1 Routing through?
Is it possible to use the existing REST Adapter on PO to consume these Services and alter them?
In General, will we have an integrated Adapter on PO in future for OData Service provisioning or will Gateway Java be the strategic tool?
Which Approach is advisable for consumption in BPM? Should the BPM process rather call the OData Service via JGW or should BPM talk to PI via XI protocol and then PI calls the backend via Proxy or similar? Any adventages / disadvantages?
Right now, it's a 1:1 routing (aside from aggregation of multiple sources).
You could of course also use the PO REST adapter (or any other PO adapter) to do service adaptation, but you need to factor in the additional costs of the message processing in the PO pipeline.
While the OData provisioning is currently technically separated from the other PO adapters/integration scenarios, in the future this will merge (as you can also see in our road map).
So it is planned to support mapping/transformation and different source types (e.g. REST and SOAP) also for OData provisioning.
Regarding BPM, it depends on the use case. For triggering transactions in the backend system, e.g. creating a purchase order, this should go via XI as there you have full monitoring, error handling and retry functionality.
If you need data from the backend for display in a BPM task application UI, you can use the embedded Gateway. This actually allows you to keep the BPM process context small and load additional data directly from the UI, where it is needed.
Thank you for your explanation!
Regarding ODATA Service provisioning on PO - can you give us a hint how the merging will look like between Integration Gateway and the ODATA sender adapter?
Will they somehow work together or will they offer two alternative ways to provide ODATA services on PO? Let's assume we want to provide an ODATA service from an ABAP system which is known on PO (we have a RFC receiver channel) - can we leverage the existing channel on Integration gateway to wrap the RFC as ODATA or will we in this case use the ODATA sender adapter on PO for an ODATA to RFC synchronous scenario?
the plan is to have an OData sender adapter for exposing integration flows as OData services, but for ABAP-based services this can be bypassed by directly using the built-in Gateway runtime (as available today).
Nice blog, we used it expose our services to java gateway hub on our PO system. One of the services however is uploading a file (has a stream) and we're getting a "virus scan exception occured". In an ABAP HUB there're possibilities to make setting for this scan profiles for the gateway services.
For the java HUB we don't seem to find if there're specific settings we need to make. Do you know what we're missing.
please find the instructions for setting up a virus scan provider for your PO system here:
Setting Up Virus Scan Providers (Java) - System Security - SAP Library
thank you for your quick response.
We already looked at the general setup in the PO system and our global parameter (system property xiadapter.virusscan.active) is set to inactive and we still get the error. We're looking if there's a special setup for the integration gateway. If I'm understanding correctly this is not the case?
We think we found the solution. The virusscan is set to inactive, but as long as the profile that is defined as default is not activated, he doesn't seem to consider this option.
great that you found the solution. 🙂
There are no specific settings for the OData Provisioning in Process Orchestration in regards to Virus scanning.
I am getting same error.. Do we need to craete Virus Scan profile in PI ?
Another line item you can add to the not supported feature is the ODATA provisioning itself 🙂
To be blunt, I feel this feature is nothing but proxying a gateway service via SAP PO
Yes but surely we can avoid using a sever as gateway Hub.
same can be done through SAP PI/PO .
If the limitations are covered it will be perfect.
Thanks again for your expertise.
When calling a registered service via PO a logon screen is returned whereas if I call the service directly a popup appears for the credentials.
If I call the service directly from SoapUI, the credentials I have entered on the request are used, whereas the registered service on PO returns a logon screen html.
How should we handle this logon screen when calling registered services?
Sorry for troubling you with that - form-based authentication does the trick.
This is really a brilliant blog.
Is it possible to create CRUD operations for the service from SAP PO and also can we test the service from SAP PO.
I am not quite sure I understand your question. You need to develop a service using SAP Gateway technology (e.g. transaction SEGW in a NetWeaver backend system. You can then expose this service using the above described technology on SAP Process Orchestration.
While trying to register the service in Odata Provisioning administration i am not able to find any HTTP destination in it even though i have created an HTTP destination for Gateway server.
Please check the above screen shot.
Were you able to perform steps 1-8 in the section Adding a new destination to your backend system?
Were you able to successfully perform the ping to the system?
Yes, I am able to create it and ping it successfully using HTTP destination.
Did you manage to solve this issue that you mention? I just activated the SAP Gateway settings in my PO instance and I am facing the same issue.
Thanks in advance,
Did any one resolve this . I am having the same issue . Please suggest if some one have any fix for this .
I am not able to find the roles GW_ADMIN and GW_USER as mentioned,although version of PO is 7.4 SP08.
Am I missing some installation of component or configuration?
actually there should be no further configuration required to see the roles, they should be supported automatically once you upgrade to 7.4 SP08, I checked in my system and there it looks fine, maybe the upgrade haven't gone properly through, in any case I would propose that you open an incident ticket, it's hard if not impossible to analyse your very system from within SCN.
We are using JAVA Gateway in one of our projects but facing some issues with dates. There is a gateway service which returns start and end date from ECC. But when it comes via JAVA gateway, its always one day lesser than whats returned from backend. For instance, if ECC returns 7/11/2016 but via Java gateway it becomes 7/10/2016. Both ECC and SAP Process orchestration are in EST timezone.
Before Java gateway, we were using a proxy servlet and never faced this issue
I would suggest to open a support incident for this behavior. It sounds like it might be a product issue.
Thanks and regards
We did open a support ticket but haven't received any response. Till I get the response from SAP, can you suggest workaround for this issue?
How do you normally debugging Odata services that exposed via SAP PO?
Hi David, you would need to do the debugging in the backend system where you have created your SAP Gateway service.
It looks like you use a service-user in the logon data in the destination.
Does this mean that all services will be executed with this user account?
If a user logs in to PO with role gw_user then that user can execute all services using the destination but with service-user authorizatio in the backend?
I thought the login method to use is single sign on "login ticket"?
It would be great if you can shed some light on authentication.
Great blog still
We use a reverse proxy in front of sap po.
Is it possible to configure url rewrite so the urls in the odata service document and $metadata points to the reverse proxy instead of sap po? Is there documentation somewhere?
Excellent blog to refer.
While doing this, when I opened the link http://<SAPPOServer>:Port>/igwj/Admin, then it is saying "Application Stopped". Please suggest how can I activate this Gateway application service (igwj) in PO 7.5.
P.S. I have the all necessary authorizations like GW_ADMIN and GW_USER in PO system.
Could you please throw some light? I have a requirement where i have to call OData Services from Sucessfactors EmployeeCentral system, can this be achieved on PI 7.31 DualStack SP18?
Thanks in Advance
Thanks for your blog, i can exposed odata gateway service from PO. But i confused how to create sender communication channel for this odata. Could you advise how create sender communication channel for this odata.
Thanks & best regards,
I have successfully registered the service in PO, but while opening the service document I am getting below error -
<error><code>INTERNAL_SERVER_ERROR</code><message xml:lang="en">Could not perform the operation, contact your System Administrator: Transaction ID :XXXXXXXXXXX</message></error>
How do we monitor the gateway logs in SAP Process Orchestration ? what is the Substitute for for below transaction in PO /n/IWFND/GW_CLIENT
GET operations are working fine, however POST operation is giving a HTTP 403.
This error is happening even with a non-existing OData.
I have assigned GW_Admin and GW_User.
Appreciate expert advice.