Release of SAP Mobile Platform 3.0 SP 11
With the release of SP11 of the SAP Mobile Platform we introduced a lot of important changes and innovations:
- MBO Façade
- SAP Secure Login Server integration
- Revamped Admin UI
- Usage Analysis
- Feature migration from HCP mobile services for development and operations
MBO Facade
For the customers who are running MBO-based applications the MBO Façade will come really handy on their journey towards Offline OData based applications.
The Façade is an integrated web app in the SMP 3.0 side car that automatically exposes the whole dataset of a given application as delta-token enabled OData service. Your whole MBO data model, which does the change calculation for your, is now accessible as an OData service. There is no need for additional development work, everything works out of the box, no redeploy of packages needed. After your in-place upgrade to SP11, you’ll have immediate access to the data. If you were not accessing it, it will not consume resources either.
You’ll find the OData service here:
http[s]://supserver:port/mbofacade/{domainName}/{packageName}/{packageVersion}/$metadata
In the following table you’ll see how MBO artifacts are mapped to OData artifacts.
|
MBO Package |
MBOFacade OData Service |
|
Attribute |
Property |
|
CUD operations |
POST/PUT/PATCH/DELETE request |
|
Mobile Business Object |
Collection/Entry/Entity |
|
Other Operation |
Operation Entity |
|
Relationship |
Association and Navigation Property |
|
Synchronization Parameter |
Subscription Entity |
Please also notice that query options like $orderby, $top, $filter are not supported on these sevices, but this is not really a bad thing. You would offline these data on the device using the SAP Mobile Platform SDK and on the device you’ll be able to use all these query options.
There’s also a MBO to OData data type mapping. Most of it is obvious, but there is one thing to be noticed: MBO date types are mapped to Edm. DateTime! Know you know it.
Here’s how it looks like from an architectural point of view:
The SMP3 main car does treat the MBO façade a bit special and generates a special header with a unique ID that prevents MBO cache groups to be refreshed to often through the offline component behavior in the main car. This optimization will be later available in HCPms as well, so that you can expose your MBO data to HCP!
When should you use this feature:
- You already have an existing MBO data model
- You want to leverage the MBO technology to add delta calculation capabilities to non-delta enabled back-ends
- You want to offload your back-end (staging) and in addition you want to use the more flexible and open development approach of Offline OData
- You want migrate away from MBO to OData-based mobile app technology. With this, you already have an OData based app. Next step would be to migrate your OData service to SAP Gateway.
SAP Secure Login Server Integration (with support of Christian Cohrs)
The world of business applications is changing rapidly, and technologies used to support these business applications need to provide a high level of both flexibility and security to cover the many requirements. However, when it comes to secure authentication, customers often find the best and most flexible solution to be a mature and widely used technology that has been the foundation for many security processes for a long time, namely X.509 certificates.
Many SAP customers use Public Key Infrastructure technology to provide X.509 certificates to their end users for secure authentication to desktop applications. It is only natural that these customers also want to rely on certificates for secure authentication on mobile devices.
With the release of SP11 of version 3.0, the SAP Mobile Platform is able to integrate with Secure Login Server (SLS), SAP’s solution for providing X.509 certificates for secure authentication and certificate lifecycle management. This enables the many SLS customers to reuse the existing and proven certificate authority (CA) to also cover mobile scenarios. Even customers using a 3rd party CA can benefit from the integration, as Secure Login Server can be used as a kind of proxy (or registration authority) in front of an existing enterprise PKI. For more information on Secure Login Server, please visit https://scn.sap.com/community/sso
The architectural view is as follows:
The request from the client on the left hand side will be redirected to the Secure Login Server. Once the SLS has authenticated the request, the device can access the back-end servers using the certificate issued by the SLS. This is of course a very simplified view, since the actual certification creation process is not trivial. Good news from SMP administration perspective is that the configuration is really easy:
Revamped Admin UI
Let’s have a look first:
Well, that looks very similar to the HANA Cloud Platform mobile service for development and operations UI and actually it is even the same code!
We are really staying true to your mantra “one code line” for on-premise and on-demand versions of our mobile technology stack. With the revamped Admin UI, featuring Fiori-Tec design, we can now easier make innovation released for on-demand first to our on-premise customers. The disadvantage here is that users of SMP will not be familiar with the new UI and you’ll certainly search a lot until you’ll find the screen or option you are looking for – the whole navigation and all the screens have been changed. But the concepts of what you configure stay the same! So, I’m pretty sure you’ll quickly get used to it.
Usage Analysis
The usage analysis you may know from HCP mobile service for development and operations is now also available on SMP. A very good example of a feature that first appears in HCP mobile service and then will be available on SMP.
We do have the usage upload via the SDK and also the very (release 1605 of the mobile service on HCP) new predefined usage reports in SP11. Of course, your apps need to upload the usage data first in order to generate the reports.
Here’s how it can look like:
Feature migration from HCP mobile services for development and operations
And finally there are a lot of changes included that have been introduced in mobile service on HCP already:
- • Automatic Removal of inactive user registrations
- • Renewed Application Overview screen
- • Custom URL rewriting
- • …
One last thing I want to mention, even though it is a bit out of line and has not directly something to do with SP11. This year we slowed down release cycle of SMP to two releases instead of four. This is to make sure our on-premise customers do have a chance to keep up with the release cycles.
Hope you’ll enjoy the new release.
Have Fun,
Martin
Hi Martin Grasshoff,
Thank you for the new release updates.
SMP older version also supports the X509 authentication with internal PKI certificates, (on Gateway, we enable Rule Based or External Role Mapping for it to work).
1. Is this mapping not required if we use SLS?
2. Can you please suggest what is the advantage of SLS? is it related to Certificate Lifecycle management?
Regards,
Nagesh
Hi Nagesh,
using the SLS you don't need a full fledged PKI. SLS provides short living certificates that lives a configurable time period and needs to be renewed quite regularly. So using SLS would allow you to use X.509 certificate based authentication, but without a PKI.
SMP SP 11 does support X509 authentication as you used before. The new SLS support is just an option for those companies who does not have an PKI.
Another advantage is that you can implement X509-based Single Sign On, with your apps on the device.
Hope this answers your question.
Regards,
Martin
Hi Martin,
Yes, it did answer my question.
Many Thanks for the clarification.
Regards,
Nagesh
Hi Martin Grasshoff,
My apologies if these are dumb questions, SLS is very new to me.
I was able to configure SLS with SMP, but not sure how to test it. Does this work only with any application? Can this be tested on RESTClient with regular registration process? If yes, how can we receive the certificates?
What will happen in production scenario, does SMP distribute the Certificates to the Application/Client? I hope there is no need for Afaria certificate distribution.
Regards,
Nagesh
Hi Nagesh,
yes, you do need to have an application in order to test this. Our plan is to provide a quick guide on how to setup your App in order to work with the SLS certificates. Unfortunately, it's not available yet.
Of course there needs to be some configuration done on SLS to in order to run according to your needs.
Maybe Christian Cohrs want to add to SLS part.
Regards,
Martin
Thank you, will wait for Christian Cohrs.
Regards,
Nagesh
Hi Nagesh,
the integration with the SAP Mobile Platform does not require any specific settings on Secure Login Server. You just need a regular Secure Login Client profile. Most likely you will configure this with basic authentication so that the certificate can be retrieved with username and password.
You will find more details in the implementation guide at http://help.sap.com/download/sapsso30/secure_login_impl_guide_en.pdf
Best regards,
Christian
Thank you Christian. I shall read them and get back.
On a high level I see that SSO3 is required for this and an application to test after the configurations on SMP is complete.
If there is any sample app for testing, please do let us know so that we can test and confirm the same.
Regards,
Nagesh
Hi Martin,
Thanks for the article. We are planning to roll out SSO 3.0.
Currently we have 300+ Finance mobile users who use UI5 to connect to ECC and SSO is not enabled for them. Does SSO 3.0 supports UI5? I have searched in SDN and didn't find anything related. Could you clarify?
Thanks
Naveen
Hi Naveen,
SAP Single Sign-On can also support web applications that are based on the UI5 library. The technology and integration options depend mostly on the operating system of the mobile device, and whether the app runs inside the system browser or inside a native app.
Best regards,
Christian