How to expose Gateway Services via HCI OData Provisioning, and secure them using SAP API Management on HCP Trial – Part 1
There is already a very fine blog from Martin Bachmann explaining HANA Cloud Platform, the benefits of cloud and HCI OData Provisioning in general, as well as the scenario for connecting SAP HCI OData Provisioning to an SAP Gateway system: How to connect the SAP Business Suite to the SAP HANA Cloud Platform using Gateway as a Service Trial Edition. However, like so many things in the cloud, there are changes already, as soon as it's published.
* – As a testament to constant change, mere days after creating this blog, it was announced that the name is now HCP OData Provisioning. In trial for now the name still shows as HCI OData Provisioning, but in future when the name is changed, please replace HCIODP with HCPODP as you read 🙂
I will not re-cover the informational content from Martin’s Blog again, but I will be showing the updated screens for the most recent version.
If you have already configured HCI OData Provisioning using Martin’s blog, or on your own, and want to skip to the SAP API Management part, please copy down the URL path to your HCI OData Provisioning Services and go to Part 2 of this blog.
A quick bit on “Why SAP API Management?”
SAP API Management does not replace SAP Gateway, and in fact relies on SAP Gateway to expose data from SAP Backends. What SAP API Management adds is an enhancement of the capabilities provided by SAP Gateway. It can sit on top of a Gateway deployment to provide secure and scalable access through security and data management policies, as well as a developer engagement area. With a deployment on HCP it is even easier: a user of SAP Gateway only needs to install/run the IWBEP component of Gateway on their SAP Backend system and use HCI OData Provisioning on HCP to connect to it, consuming the exposed OData endpoints directly in SAP API Management. Additionally, SAP API Management can combine other data sources, such as HANA XS or non-SAP data, with Gateway-exposed data and expose them via a single secure endpoint for developers to build impressive apps.
For more detail on the benefits of SAP API Management, see the SAP API Management FAQ.
This walkthrough will focus on using HCI OData provisioning (hereafter referred to as HCIODP) to consume services exposed by SAP Gateway, and expose them as OData endpoints which will be consumed by SAP API Management as API Proxies.
PART I – Creating OData Endpoints in HCIODP
* Pre-Requisite: An account on an SAP Gateway system accessible via Internet. For this walk-through I will be using the SAP Developer Center ES4 system. Anyone can sign up for an account here: SAP NetWeaver Gateway Developer Center
1. Enabling HCIODP in Trial
Log in to the HCP Trial account and check the Services section, under “Integration”.
Click the HCI OData Provisioning tile to enter the service and check its status. If the status is “Not enabled”, click the “Enable” button. Wait until the service status changes to Enabled.
2. Configuring HCIODP Destination(s)
Click “Configure HCI OData provisioning” – This should bring up the “Destinations” tab under “Configure HCI OData Provisioning”. Click “New Destination” in order to create the destination for the SAP Developer Center ES4 system.
Enter details for the Gateway system. All details, including login, and password will be those which you have registered on the Gateway system. E.g. for SAP Developer center ES4 system, see below:
After you save, wait until details are saved in system, which will be indicated by the configuration screen turning grey and no longer allowing input.
3. Configuring HCIODP Roles
Click the “Roles” tab to configure user access in HCIODP.
Select GW_Admin role, and click “Assign” below in the “Individual Users” section. This will authorize the user to enter the Admin window for HCIODP to configure available services, view logs, or configure Metadata options.
In the popup window, enter the SAP ID login information (P-User, S-User, I#, etc.) you will be using, and click “Assign”.
Repeat this process with the role GW_User; this will assign authorization for a user to consume the services configured on HCIODP (but not to access the Admin window).
Once complete, you should have a user assigned to both the roles GW_Admin and GW_User.
4. Configuring HCIODP Services
Click the “HCI OData Provisioning” link at the top of the window, to return to the HCIODP base screen
Then click “Go to Service” from the base screen for HCIODP.
If everything worked correctly, this will open a new browser tab for the HCIODP Admin screen. You may be prompted to enter SAP ID credentials; enter the credentials for the user configured in the GW_Admin role. After login the Admin screen should appear as below:
To begin exposing services from the configured Gateway system, click the “Register” button at the top of the screen to bring up the “Register Service” screen. Select the SAP Gateway system configured in Step 2 from the drop-down list for Destinations, then click the magnifying glass icon next to “Search Services” to bring up a list of available Gateway Services.
Select the desired service to be exposed to API Management by clicking the empty box on the far left to highlight that selection. E.g. to select “GWDEMO” below:
Note: The box will fill blue when selected, and if you move the mouse cursor away, you will see the entire row is blue when selected. If this is not the case, the row was not properly selected.
Click the “Register” button, to register the selected service in HCIODP. The service should now appear in the list of Registered Services for HCIODP.
Click “Open Service Document” for the newly added service to test that the service is exposing data as expected. This will open a new browser tab with service data in OData format. Copy down the URL in your browser bar for the service; this will be used as the Target endpoint for the API Proxy.
Repeat these steps above for each Gateway service you want to expose.
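Before a registered service becomes the target of an API proxy, it helps to see which collections its service document advertises as writable. The following is an added example, not part of the original blog or of any SAP tooling: the sample document, its hostname and its collection names are constructed, and the code assumes the service document carries the sap:creatable / sap:updatable / sap:deletable annotations and that a missing annotation means the operation is allowed.

```python
import xml.etree.ElementTree as ET

NS = {"app": "http://www.w3.org/2007/app", "atom": "http://www.w3.org/2005/Atom"}
SAP = "http://www.sap.com/Protocols/SAPData"

# Constructed sample shaped like an OData V2 service document (not real output).
SAMPLE_SERVICE_DOC = b"""<?xml version="1.0" encoding="utf-8"?>
<app:service xmlns:app="http://www.w3.org/2007/app"
    xmlns:atom="http://www.w3.org/2005/Atom"
    xmlns:sap="http://www.sap.com/Protocols/SAPData"
    xml:base="https://hciodp.example.invalid/odata/GWDEMO/">
  <app:workspace>
    <atom:title>Data</atom:title>
    <app:collection href="ProductCollection" sap:creatable="false"
        sap:updatable="false" sap:deletable="false">
      <atom:title>ProductCollection</atom:title>
    </app:collection>
    <app:collection href="SalesOrderCollection" sap:deletable="false">
      <atom:title>SalesOrderCollection</atom:title>
    </app:collection>
  </app:workspace>
</app:service>"""


def writable_operations(service_doc: bytes) -> dict:
    """Map each collection href to the write operations it does not disable."""
    # A service document has no reason to carry a DTD; refuse one outright.
    if b"<!DOCTYPE" in service_doc:
        raise ValueError("DOCTYPE not expected in a service document")
    root = ET.fromstring(service_doc)
    result = {}
    for coll in root.findall("app:workspace/app:collection", NS):
        allowed = []
        for op in ("creatable", "updatable", "deletable"):
            # Assumption: a missing sap:* annotation means the operation is allowed.
            if coll.get(f"{{{SAP}}}{op}", "true").lower() != "false":
                allowed.append(op)
        result[coll.get("href")] = allowed
    return result


if __name__ == "__main__":
    for href, ops in writable_operations(SAMPLE_SERVICE_DOC).items():
        print(f"{href}: {', '.join(ops) or 'read-only'}")
```

The annotations only describe what the service advertises; backend authorizations still decide what a given user can actually do.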
When you have completed registering services, the next step will be creating API proxies in SAP API Management, using HCIODP as the OData Target Endpoints, and the Services as the APIs in this case. This will be covered in Part 2.
For questions, feedback, concerns, feel free to leave a comment, or send us an E-Mail.
"Pre-Requisite: An account on an SAP Gateway system accessible via Internet"
Does this mean you cannot use an onPremise system connected to HCI via the Cloud Connector?
I tried to use the onPremise system but I keep getting the error: "services could not be retrieved" although the destination seems valid (check connection OK)
When you say "HCI", do you mean HCI-OData Provisioning (HCI-ODP), or HANA Cloud Integration (HCI)?
You can use HCC to connect to an OnPrem system, and another integration method to consume HCC, but I have not outlined this method in this article, which is why I specified that for this walk-through you would need a system which is directly connectable from HCP. Depending on the scenario this can lead to more difficulty in connectivity, and require more advanced configuration.
If trying to use HCI OData Provisioning, the short answer is that the basics of HCC are simply to register the backend with HCC and enable resources to be consumed (e.g. /sap/iwbep). You must ensure that the Service Catalog is accessible, and that the IWBEP service is active in the SICF node. Then register the destination in HCI-OData Provisioning with your HCC host and iwbep path, and BE credentials (not HCP). You should be able to search the catalog service.
Could not retrieve services from the destination can mean invalid credentials, rather than failure of connectivity.
I had the same issue as Bert. As you had mentioned, the iwbep service was not started, so I started the service and tried, but I got the same error. Then I added the client also to the URL (as below) and it worked perfectly.
It has been quite some time since you asked this but in case others encounter the same problem here is how I fixed it when I received the same error message for ES4 connection.
Basically, I was using the already existing ES4 destination which points to https://sapes4.sapdevcenter.com .
I defined a new destination which points to https://sapes4.sapdevcenter.com/sap/iwbep and it worked fine.
So, you may need to point your destination to the exact service address with .../sap/iwbep .
However, it did not let me access the service document saying my user was not authorised.