Skip to Content
Author's profile photo Elijah Martinez

How to expose Gateway Services via HCI OData Provisioning, and secure them using SAP API Management on HCP Trial – Part 2

Part 1
  • Enable HCI Odata Provisioning in HCP
  • Expose SAP Gateway Services via HCI OData Provisioning
Part 2 (You are here 🙂 )
  • Connecting SAP API Management to HCI OData Provisioning
  • Creating an API Proxy from service exposed by HCI OData Provisioning

This is a continuation from Part 1 where we walk-through setting up HCI OData Provisioning on HANA Cloud Platform against SAP Developer Center’s ES4 Gateway system. If you haven’t already completed this, I recommend going through Part 1 in order to be ready for this blog.

A quick bit on “Why SAP API Management?”

SAP API Management does not replace SAP Gateway, and in fact, relies on SAP Gateway to expose data from SAP Backends. What SAP API Management adds is an enhancement of the capabilities provided by SAP Gateway. It can sit on top of a Gateway deployment in order to provide Secure and Scalable access, through security, and data management policies, such as

  • Traffic Throttling and Traffic Smoothing
  • Advanced Resource-level Application Authentication
  • On-the-fly Data Transformation

As well as providing a developer engagement area. With a deployment on HCP, it is even easier, as a user of SAP Gateway only needs to install/run the IWBEP component of Gateway on their SAP Backend system, and use HCI OData Provisioning on HCP to connect to it, consuming the exposed OData endpoints directly in SAP API Management. Additionally SAP API Management can combine other data sources such as HANA XS or Non-SAP data together with Gateway exposed data, exposed via a single secure endpoint for developers to build impressive Apps.

For more in-depth on benefits of SAP API Management – see SAP API Management FAQ

Now that you should have at least one SAP Gateway service exposed in HCI OData Provisioning (hereafter referred to as HCIODP), it’s time to set things up so that they can be connected to by SAP API Management. Due to the Platform nature of HANA Cloud Platform, this is remarkably easy fortunately. If you have not yet enabled SAP API Management, please follow the steps outlined here Free Trial of SAP API Management on HANA Cloud Platform is available now!

Once you are set-up, can get started right away.

PART II – Creating API Proxies from OData Endpoints in SAP API Management

1. Creating a “System” connection to HCIODP.

Login to your HCP Trial Account with SAP API Management enabled. Open the Services pane, and locate SAP API Management under the “Integration” section. Launch API Management API Portal by clicking “Access SAP API Management API Portal”


This should load the “Configure” section of SAP API Management by default, if not, click the drop down menu from the top left hand corner and select “Configure”. This is where one generates Target systems for SAP API Management. Click “Create” in the bottom right hand corner to add a system.

This will take you to the Create System window, where you will need to enter the relevant details for the HCIODP system used in Part I.


Details: HCI OData Provisioning system, providing exposed Gateway Services

Host: enter the Base URL from the Service Document URL you saved from Part I. (The format will be gwaas-<userID>

Port: 443
Check Use SSL
Authentication Type:

Service Collection URL:  /CATALOGSERVICE/ServiceCollection


* The Catalog URL is something unique to SAP Gateway systems, which allows SAP API Management to “Discover” available services from the Catalog Service. It is not used for Non-SAP systems.

After checking details entered, then click “Save”. Once system has been saved, click “Launch” hyperlink at bottom left-hand side of screen, this will launch a new tab, opening the SAP API Management Destinations area on the HCP Cockpit, not to be confused with the Global HCP Destinations. Here you will add Authentication settings for the newly created System. Click the name of the system you newly created, e.g. HCIODP and click the “Edit” button at the bottom of the page.

User: <Use the accountID that was added under GW_User in Part I>

Password: <Password for accountID added under GW_User in Part I>
Next, Click “New Property” under Additional Properties, and enter Key: TrustAll || Value: true


Then click “Save”. Changes can take up to 5 minutes to save (but usually will only take a few seconds).

2. Creating an API Proxy using HCIODP Service

Close HCP Cockpit to return to API Management API Portal window. Select drop-down menu list from top left hand corner and select “Manage” to open API Proxy page.


In the API Proxy window, click “Create” at the bottom-right hand corner, and select “Create API” from popup selection to bring up the “Create API” screen.

Provider System: <Select system created in step 2>
Click “Discover” button to see a list of all services exposed by HCI-OData Provisioning.

Select a Service and click “OK” this should auto-fill all the API Information for you.


* Link Target Server will create the API with all System information determined by the Provider System you determine, and all pathing linked as a virtual path. This allows for easy transition between environments (such as Dev, Test, Prod) for the API Proxy. Documentation flag determines whether SAP API Management attempts to pull existing documentation from the Service, and is only applicable for SAP Gateway endpoints.

Click “Create” to generate the API Proxy. If everything was entered correctly, the API Details screen should come up, with all Resources (and corresponding descriptions of the model) created automatically from the Metadata.


Then click “Save”. If everything went well you should see a message at the bottom of the screen telling you “API Registered Successfully”.

To test that the API Proxy is working correctly, click “GET” for one of the resources with that operation available. If no resources are available, select “Test” from the main Drop-Down menu, then select the name of the API Proxy from the list of APIs.

Click “Authentication: None” and select “Basic Authentication” from the drop down list.
User Name: <UserID added under GW_User in Part I>
Password: <Password for userID added under GW_User in Part I>
Select the “GET” operation.


Click “Send” in the bottom right hand corner.

This should successfully retrieve the OData Collection provided by HCIODP, via a call to the SAP API Management API Proxy Endpoint URL.

Now that you have an API Proxy sitting on top of the HCIODP service, you can start adding Policies to extend the functionality, as well as expose it to the Developer Portal so that Developers could begin to build apps on top of the data. I will not get into that in this blog, as we were just quickly getting up and running connecting SAP API Management to HCIODP.

If you would like to start learning more about what you can do with SAP API Management, I suggest looking at the repository of information SAP API Management – Overview & Getting started which will continue to be updated as more enablement content is added.

Of particular interest to this particular exercise, will be the Blog on creating a Policy SAP API Management – Enabling URL masking . If you notice above, the returned data includes links to the HCI OData Provisioning service, which is not what you want if SAP API Management is the intended target for connectivity. The linked blog will tell you how to have SAP API Management automatically mask all URLs through SAP API Management.

For questions, feedback, concerns, feel free to leave a comment, or send us an E-Mail.

Also follow us online
SAP API Management | SCN | YouTube

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Murali Shanmugham
      Murali Shanmugham

      Thanks for posting this.

      Author's profile photo Former Member
      Former Member


      Thanks for the step by step blog on API..

      But Can you describe more the usage of the SAP API here or over all in general.

      Because here we have added a layer on top of HCI Odata provisioning to direct the requests of OData queries..but what value SAP API can bring ..will be worth if you can mention alteast few key benefits of SAP API here..

      Thanks & Regards

      Author's profile photo Murali Shanmugham
      Murali Shanmugham

      Hi Rajesh,

      As you are aware, HCI-ODP enables us to have the Gateway Hub on the cloud and acts at central point to register all the OData (APIs) from various backend systems. Say for example, there are about a 100 OData (APIs) which you have built and are looking to expose it externally for partners who would use these APIs to build mobile Apps. API Management will sit at the top ensure the functions in the image below Image3.jpg

      Author's profile photo Elijah Martinez
      Elijah Martinez
      Blog Post Author

      Thank you Murali, for that quick response.

      Rajesh, the topic of API Management is broad, but I have tried to add a quick blurb about how and why API Management works together with SAP Gateway. As Murali pointed out, API Management adds a whole layer of Management on top of SAP Gateway, for enhanced capability when developing agile omni-channel apps from Legacy systems.

      Additionally the capability to expose APIs from Non-Gateway systems alongside Gateway systems, in a secure and scalable manner, from a single repository, to enable technical and business development.

      For more quick introduction to what API Management provides, I recommend checking out the FAQ as well as SAP API Management - Cloud Technical Brief .

      I hope this helps to paint a clearer picture of the two together.



      Author's profile photo Former Member
      Former Member

      Hi Guys ,

      Thanks a lot for pointing to the links and sharing the picture of API benefits that can be utilised in the Cloud Platform.


      Author's profile photo Former Member
      Former Member

      Hi Elijah,

      Once again, I am getting error "unable to fetch metadata" while trying the discover the services and Setp 2. Am I missing any authorizations? I have used the same credentials used in Part-I. Please let me know,  Is there any work around for this step?


      Arivarasu S

      Author's profile photo Elijah Martinez
      Elijah Martinez
      Blog Post Author

      Hi Anivarasu,

      Apologies for the delay in reply. Typically "unable to fetch metadata" during discovery step has indicated an incorrect entry in the Username / Password in the related System.

      I recommend you make sure that you have correctly entered the details associated with the GW_User, sometimes there are typos. Additionally, if you have entered the credentials incorrectly before, and then re-entered them correctly, sometimes the browser Cache will cause you to continue to get the error. So it might help to also clear browser cache after ensuring credentials are set correctly.

      I hope this helps.