Skip to Content
Author's profile photo Bjoern Woppmann

Exposing Gateway Services from SAP Process Orchestration

When it comes to exposing data in the OData format from your SAP backend systems SAP Gateway is your go-to solution. There are a number of different deployment options how you can set up your system landscape for this scenario.

Since the release of SAP Process Orchestration 7.31 SP13 or SAP Process Orchestration 7.40 SP08 you have the additional option to expose SAP Gateway services from your SAP backend systems as OData services directly from your Process Orchestration server.

This has the benefit that it can replace the need to install a separate Gateway Hub server in many cases, thus lowering the TCO of your IT landscape. Also, it gives you the possibility to consolidate the exposure of your different web services in one location – the SAP Process Orchestration server.

Additionally, there are some technical upsides to this approach: For example, you might create a BPM process with some generated TaskUI screens, running directly on your SAP Process Orchestration server. If you now want to add some some SAP backend data that is not a part of your process context, you can now expose this data as an OData service from the same server, thus avoiding Cross-Origin Requests that would trigger security warnings otherwise.

At the moment, there are some scenarios in which you can’t use this feature:

  • A SAP Process Orchestration Java Single Stack installation is a pre-requisite
  • SAP Fiori app deployment is not yet supported
  • Unified Inbox is not yet supported

The OData Provisioning feature is a part of the usage type AEX and therefore comes pre-installed with SAP Process Orchestration. The only thing left for you to do, is to assign the proper authorizations GW_ADMIN and GW_USER to the respective users.

You can find the official documentation for the feature Exposing Back-End Data as OData Service here:

I now want to show you how easy it is to expose a Gateway service on SAP Process Orchestration:

Adding a new destination to your backend system

First you want to add a new destination in your NetWeaver administrator console pointing to the IWBEP service in your SAP backend system. This is the “catalogue” from where all the Gateway services are exposed.

      1. Go to your NetWeaver Administrator interface:
        http://<SAP Process Orchestration server>:<port>/nwa
      2. Go to Configuration –> Destinations
        Picture1.png
      3. In the Destination List, click on the Create button:
        Picture2.png
      4. In the Destination Wizard, select your Hosting System, assign a Destination Name and select the Destination Type „HTTP“:
        Picture3.png
      5. In the Connection and Transport Security Settings step enter the connection information to your SAP Gateway IW_BEP service and enter the Additional Settings for SAP Systems:
        Picture4.png
      6. If you use a HTTPS connection, select the Trusted Servers Certificates Keystore, where the (root) certificate of the backend server is stored:
        Picture5.png
      7. In the Logon step enter the logon information to authenticate against the IW_BEP service in the SAP backend:
        Picture6.png
      8. To test your destination, select the new entry and click on the Ping Destination button; you should receive a success message if everything is configured correctly:
        Picture7.png

Register Gateway Services in the OData Provisioning Administration interface

      1. Go to Integration Gateway OData Provisioning Administration:
        http://<SAP Process Orchestration Server>:<Port>/igwj/Admin
      2. Click on Register a New Service
        Picture8.png
      3. Select the backend destination you created in the NetWeaver Administrator
        Picture9.png
      4. Perform a search for the service you would like to register from SAP Gateway
        Picture10.png
      5. Select the service and click on Register
        Picture11.png
      6. Open the Service Document
        Picture12.png
      7. View and work with your OData Service published on the Process Orchestration Server
        08-10-2014 12-51-08.jpg

This is all you need to do to expose an SAP Gateway service on your SAP Process Orchestration server. Apart from the not supported scenarios mentioned above, you can do everything to this service that you could do to a regular Gateway service.

Assigned Tags

      49 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Carlos Roggan
      Carlos Roggan

      Hi Björn,

      this is again a very comprehensice and useful description.

      Thanks!

      Author's profile photo Former Member
      Former Member

      Thanks for the detailed info ...

      Is there any plan to combine the service registry and oData Provisioning models to provide unified provisioning...

      Regards
      Rajesh

      Author's profile photo Bjoern Woppmann
      Bjoern Woppmann
      Blog Post Author

      Hi Rajesh,

      I don't fully understand what you mean by Unified Provisioning. Could you please elaborate on what you want to do?

      Thanks and regards

      Björn

      Author's profile photo Former Member
      Former Member

      Hi Björn,

      Currently to register the webservices we are using the service registry.. and i understood the Integration gateway is doing the same thing for the oData services... so going ahead can we expect to have single registry/repository to have these information ( both for soap and odata services..)..

      HTH

      Rajesh

      Author's profile photo Bjoern Woppmann
      Bjoern Woppmann
      Blog Post Author

      Hi Rajesh,

      this might come at some point in the future, but it won't be a part of the next releases.

      Kind regards

      Björn

      Author's profile photo Russel Irvine
      Russel Irvine

      Hi Bjoern

      Can you tell us if there is a way of providing an alias for use by consumers of these services? Something like ABAP transaction SICF-> External Aliases?

      Regards

      Russel

      Author's profile photo Bjoern Woppmann
      Bjoern Woppmann
      Blog Post Author

      Hi Russel,

      currently the service is exposed exactly the same way as it is modeled in SAP Gateway. There you can define how the service is supposed to be called for consumption. Is there a specific reason why you want to provide an alias name for a Gateway service?

      Regards

      Björn

      Author's profile photo Russel Irvine
      Russel Irvine

      Hi Bjorn

      There is a preference in our compmay to not show the full sap path to the service.  So, instead of host:port/igwj/odata/SAP/ZGW_service_name;v=1/, it would be host:port/service_alias/v1.

      We have used SICF to do this in the back end systems to hide the path .../sap/opu/odata/sap...

      Regards

      Russel

      Author's profile photo Bjoern Woppmann
      Bjoern Woppmann
      Blog Post Author

      Hi Russel,

      when exposing the service using the OData provisioning feature in Process Orchestration, you don't have this capability. The service will be exposed at the following URL:

      http://<server>:<port>/igwj/odata/<service namespace>/<service>;v=1

      Kind regards

      Björn

      Author's profile photo Rahul Mehta
      Rahul Mehta

      Hi Bjoern

      We have used java gateway to consume gateway services from our UI application. SAPUI5 application is deployed on SAP PO sever and gateway services on ECC. With Java gateway we avoid typical cross origin issues. Also in the destination we have used a service user to connect to gateway system. I am assuming this user is used when gateway services are invoked from ui application. We don't have any sso between sap po and gateway since for sso same user should exist in both systems. We don't want that.

      Second point is around usage of substringof function in gateway url. Strangely this is not working for us. However if I test the same in gateway client, it works. Any clues here ?

      Regards

      Rahul

      Author's profile photo Former Member
      Former Member

      Hi Bjoern Woppmann,

      Thanks for a wonderful descriptive document, I have a question can you please help.

      I couldn't find the role GW_Admin and GW_User in identity manager. We are using the server NW 7.4 SP 08. Any pointers what might be wrong.

      Thanks & Regards

      Author's profile photo Christian Loos
      Christian Loos

      Hi,

      I'd suggest opening a support ticket.

      Best Regards,

      Christian

      Author's profile photo Peter Chezowitch
      Peter Chezowitch

      Hello Björn,

      What are the plans to allow altering of these Services on the PO System? Can we adjust backend exposed Services on Gateway Java in any way or is it a 1:1 Routing through?

      Is it possible to use the existing REST Adapter on PO to consume these Services and alter them?

      In General, will we have an integrated Adapter on PO in future for OData Service provisioning or will Gateway Java be the strategic tool?

      Which Approach is advisable for consumption in BPM? Should the BPM process rather call the OData Service via JGW or should BPM talk to PI via XI protocol and then PI calls the backend via Proxy or similar? Any adventages / disadvantages?

      Author's profile photo Christian Loos
      Christian Loos

      Hi Peter,

      Right now, it's a 1:1 routing (aside from aggregation of multiple sources).

      You could of course also use the PO REST adapter (or any other PO adapter) to do service adaptation, but you need to factor in the additional costs of the message processing in the PO pipeline.

      While the OData provisioning is currently technically separated from the other PO adapters/integration scenarios, in the future this will merge (as you can also see in our road map).
      So it is planned to support mapping/transformation and different source types (e.g. REST and SOAP) also for OData provisioning.

      Regarding BPM, it depends on the use case. For triggering transactions in the backend system, e.g. creating a purchase order, this should go via XI as there you have full monitoring, error handling and retry functionality.

      If you need data from the backend for display in a BPM task application UI, you can use the embedded Gateway. This actually allows you to keep the BPM process context small and load additional data directly from the UI, where it is needed.

      Regards,

      Christian

      Author's profile photo Peter Chezowitch
      Peter Chezowitch

      Hi Christian,

      Thank you for your explanation!

      Regarding ODATA Service provisioning  on PO - can you give us a hint how the merging will look like between Integration Gateway and the ODATA sender adapter?

      Will they somehow work together or will they offer two alternative ways to provide ODATA services on PO? Let's assume we want to provide an ODATA service from an ABAP system which is known on PO (we have a RFC receiver channel) - can we leverage the existing channel on Integration gateway to wrap the RFC as ODATA or will we in this case use the ODATA sender adapter on PO for an ODATA to RFC synchronous scenario?

      Author's profile photo Christian Loos
      Christian Loos

      Hi Peter,

      the plan is to have an OData sender adapter for exposing integration flows as OData services, but for ABAP-based services this can be bypassed by directly using the built-in Gateway runtime (as available today).

      Regards,

      Christian

      Author's profile photo Former Member
      Former Member

      Hello Bjoern,

      Nice blog, we used it expose our services to java gateway hub on our PO system. One of the services however is uploading a file (has a stream) and we're getting a "virus scan exception occured". In an ABAP HUB there're possibilities to make setting for this scan profiles for the gateway services.

      For the java HUB we don't seem to find if there're specific settings we need to make. Do you know what we're missing.

      Kr,

      Pieter

      Author's profile photo Bjoern Woppmann
      Bjoern Woppmann
      Blog Post Author

      Hi Pieter,

      please find the instructions for setting up a virus scan provider for your PO system here:

      Setting Up Virus Scan Providers (Java) - System Security - SAP Library

      Kind regards

      Björn

      Author's profile photo Former Member
      Former Member

      Hello Björn,

      thank you for your quick response.

      We already looked at the general setup in the PO system and our global parameter (system property xiadapter.virusscan.active) is set to inactive and we still get the error. We're looking if there's a special setup for the integration gateway. If I'm understanding correctly this is not the case?

      Kr,

      Pieter

      Author's profile photo Former Member
      Former Member

      We think we found the solution. The virusscan is set to inactive, but as long as the profile that is defined as default is not activated, he doesn't seem to consider this option.

      Kr,

      Pieter

      Author's profile photo Bjoern Woppmann
      Bjoern Woppmann
      Blog Post Author

      Hi Pieter,

      great that you found the solution. 🙂

      There are no specific settings for the OData Provisioning in Process Orchestration in regards to Virus scanning.

      Kind regards

      Björn

      Author's profile photo Tarun Jain
      Tarun Jain

      I am getting same error.. Do we need to craete Virus Scan profile in PI ?

      Author's profile photo Shabarish Nair
      Shabarish Nair

      Another line item you can add to the not supported feature is the ODATA provisioning itself 🙂

      To be blunt, I feel this feature is nothing but proxying a gateway service via SAP PO

      Author's profile photo Former Member
      Former Member

      Yes but surely we can avoid using a sever as gateway Hub.

      same can be done through SAP PI/PO .

      If the limitations are covered it will be perfect.

      Author's profile photo Russel Irvine
      Russel Irvine

      Hi Bjoern

      Thanks again for your expertise.

      When calling a registered service via PO a logon screen is returned whereas if I call the service directly a popup appears for the credentials.

      If I call the service directly from SoapUI, the credentials I have entered on the request are used, whereas the registered service on PO returns a logon screen html.

      How should we handle this logon screen when calling registered services?

      Regards

      Russel

      Author's profile photo Russel Irvine
      Russel Irvine

      Sorry for troubling you with that - form-based authentication does the trick.

      Regards

      Russel

      Author's profile photo Avinash Ayanala
      Avinash Ayanala

      Hi Bjoern,

      This is really a brilliant blog.

      Is it possible to create CRUD operations for the service from SAP PO and also can we test the service from SAP PO.

      Thanks,

      Avinash

      Author's profile photo Bjoern Woppmann
      Bjoern Woppmann
      Blog Post Author

      Hi Avinash,

      I am not quite sure I understand your question. You need to develop a service using SAP Gateway technology (e.g. transaction SEGW in a NetWeaver backend system. You can then expose this service using the above described technology on SAP Process Orchestration.

      Kind regards

      Björn

      Author's profile photo Avinash Ayanala
      Avinash Ayanala

      Hi,

      While trying to register the service in Odata Provisioning administration i am not able to find any HTTP destination in it even though i have created an HTTP destination for Gateway server.

      Please check the above screen shot.

      Regards,

      Avinash.

      Author's profile photo Bjoern Woppmann
      Bjoern Woppmann
      Blog Post Author

      Were you able to perform steps 1-8 in the section Adding a new destination to your backend system?

      Were you able to successfully perform the ping to the system?

      Regards

      Björn

      Author's profile photo Avinash Ayanala
      Avinash Ayanala

      Hi Bjoern,

      Yes, I am able to create it and ping it successfully using HTTP destination.

      Thanks,

      Avinash

      Author's profile photo Andreea Mutascu
      Andreea Mutascu

      Hello Avinash,

       

      Did you manage to solve this issue that you mention? I just activated the SAP Gateway settings in my PO instance and I am facing the same issue.

      Thanks in advance,

      Andreea

      Author's profile photo vijay Kumar
      vijay Kumar

      Did any one resolve this . I am having the same issue . Please suggest if some one have any fix for this .

      Thanks

      Vijay

       

       

      Author's profile photo Dinesh Chandra
      Dinesh Chandra

      Hi Bjoern,

      I am not able to find the roles GW_ADMIN and GW_USER as mentioned,although version of PO is 7.4 SP08.

      Am I missing some installation of component or configuration?

      Regards,

      Dinesh Chandra

      Author's profile photo Alexander Bundschuh
      Alexander Bundschuh

      Hi Dinesh,

      actually there should be no further configuration required to see the roles, they should be supported automatically once you upgrade to 7.4 SP08, I checked in my system and there it looks fine, maybe the upgrade haven't gone properly through, in any case I would propose that you open an incident ticket, it's hard if not impossible to analyse your very system from within SCN.

      Alex

      Author's profile photo Rahul Mehta
      Rahul Mehta

      Hi Alexander

      We are using JAVA Gateway in one of our projects but facing some issues with dates. There is a gateway service which returns start and end date from ECC. But when it comes via JAVA gateway, its always one day lesser than whats returned from backend. For instance, if ECC returns 7/11/2016 but via Java gateway it becomes 7/10/2016. Both ECC and SAP Process orchestration are in EST timezone.

      Before Java gateway, we were using a proxy servlet and never faced this issue

      Regards

      Rahul

      Author's profile photo Bjoern Woppmann
      Bjoern Woppmann
      Blog Post Author

      Hi Rahul,

      I would suggest to open a support incident for this behavior. It sounds like it might be a product issue.

      Thanks and regards

      Björn

      Author's profile photo Rahul Mehta
      Rahul Mehta

      Hi Bjoern

      We did open a support ticket but haven't received any response. Till I get the response from SAP, can you suggest workaround for this issue?

      Regards

      Rahul

      Author's profile photo Former Member
      Former Member

      Hi Guru,

      How do you normally debugging Odata services that exposed via SAP PO?

      Thanks

      David

      Author's profile photo Bjoern Woppmann
      Bjoern Woppmann
      Blog Post Author

      Hi David, you would need to do the debugging in the backend system where you have created your SAP Gateway service.

      Kind regards

      Björn

      Author's profile photo David Nguyen
      David Nguyen

      Thanks Bjoern!

      Author's profile photo Otto Frost
      Otto Frost

      Hi Bjoern,

      Great blog.

      It looks like you use a service-user in the logon data  in the destination.

      Does this mean that all services will be executed with this user account?

      If a user logs in to PO with role gw_user then that user can execute all services using the destination but with service-user authorizatio in the backend?

      I thought the login method to use is single sign on "login ticket"?

      It would be great if you can shed some light on authentication.

       

       

       

      Author's profile photo Otto Frost
      Otto Frost

      Hi Bjoern,

      Great blog still

       

      We use a reverse proxy in front of sap po.

      Is it possible to configure url rewrite so the urls in the odata service document and $metadata points to the reverse proxy instead of sap po? Is there documentation somewhere?

       

       

      Author's profile photo Raj .
      Raj .

      Hi Bjoern,

       

      Excellent blog to refer.

       

      While doing this, when I opened the link http://<SAPPOServer>:Port>/igwj/Admin, then it is saying "Application Stopped". Please suggest how can I activate this Gateway application service (igwj) in PO 7.5.

       

      P.S. I have the all necessary authorizations like GW_ADMIN and GW_USER in PO system. 

       

      Br,

      Raj

      Author's profile photo Prasad Penugula
      Prasad Penugula

      Hi Bjoern,

      Could you please throw some light? I have a requirement where i have to call OData Services from Sucessfactors EmployeeCentral system, can this be achieved on PI 7.31 DualStack SP18?

      Thanks in Advance

      Prasad.

      Author's profile photo Former Member
      Former Member

      Hi Bjoern,

      Thanks for your blog, i can exposed odata gateway service from PO. But i confused how to create sender communication channel for this odata. Could you advise how create sender communication channel for this odata.

      Thanks & best regards,

      Husin

      Author's profile photo Rahul Kulkarni
      Rahul Kulkarni

      Hello Bjoern,

       

      I have successfully registered the service in PO, but while opening the service document I am getting below error -

       

      <error><code>INTERNAL_SERVER_ERROR</code><message xml:lang="en">Could not perform the operation, contact your System Administrator: Transaction ID :XXXXXXXXXXX</message></error>

      Author's profile photo deepika jain
      deepika jain

      Hi Bjoern,

      How do we monitor the gateway logs in SAP Process Orchestration ? what is the Substitute for for below transaction in PO  /n/IWFND/GW_CLIENT

      /IWFND/ERROR_LOG

      Author's profile photo Anish Abraham Palakudyil
      Anish Abraham Palakudyil

      Hi All,

      GET operations are working fine, however POST operation is giving a HTTP 403.

      This error is happening even with a non-existing OData.

      I have assigned GW_Admin and GW_User.

       

      Appreciate expert advice.

      Regards,

      Anish