While on-boarding a couple of systems to the SAP Fiori Cloud Edition (FCE) using HCP OData provisioning as a Gateway, we discovered a few obstacles in the installation and configuration process. This document should help you avoid these traps and give you some hints in case of trouble.
Additional useful documentation
In addition to the product documentation, you find configuration steps in the Fiori apps RDS:
https://fioriapps-rds.dispatcher.hana.ondemand.com/ -> Fiori apps RDS -> Solution Scope -> Fiori Cloud Edition
Fiori Apps Reference Library & Maintenance Planner
Currently, software provisioning via the Fiori Apps Reference Library together with Maintenance Planner requires an on-premise Gateway system to be configured, and the UI components are installed as well. When using Fiori Cloud Edition together with the HCP OData provisioning service, this installation is not needed. Therefore use the standard Maintenance Planner (Maintenance Planner | SAP Support Portal) and install only the Fiori backend components.
Post installation tasks
After installing the Fiori backend components, call transaction SU25 and run the post-processing steps 2A, 2B and 2C; this may be necessary to update existing user roles.
- For testing create a new user, e.g. FIORIUSER
- Add the roles of the Fiori apps to this user; use transaction PFCG (not SU01)
- If you are already using SAP GUI for the functionality of the Fiori app, test your user there first and check whether it has all the necessary roles and data configuration. You may have to add additional authorization templates.
Registration of an OData service is not possible in HCP OData Provisioning
If you can't see any services when trying to register an OData service in the HCP OData provisioning service, check the following:
- SAP Cloud Connector log; you may see a log entry similar to this one:
sap.core.connectivity.protocol.http.handlers.HttpProtocolOutboundHandler#tunnelclient-5-1#0xd2e3010e#Access denied to / for virtual host
This is a hint that something is wrong with your authorization.
- Check in transaction SICF that sap/iwbep is activated
- For accessing the IW_BEP component from the HCP OData provisioning service, the user needs the /IWBEP/RT_MGW_ADM authorization template. Check whether your user has the appropriate authorization; if not, create a new role in transaction PFCG (e.g. Z_RT_MGW_ADM), add this authorization template and assign the role to your user.
- In the destination definition of the HCP OData provisioning service configuration, check that your sap-client is set in the URL.
- When using principal propagation, check in the SAP Cloud Connector that a trust to your OData provisioning service (gwaas) and to the IDP is established; you may have to click the synchronize button to display all services.
To simplify the on-boarding process it is helpful not to start with a full E2E security setup. Instead, use a basic authentication setup for your development environment, so you can first check that your app is working and that the backend user roles are set properly. For basic authentication you have to change the following setup steps:
- Check in your backend (RZ10) that no icm/HTTP/redirect parameter is set for the HTTP port
- In SCC create an HTTP connection to your backend with no principal type
- In the OData Provisioning setup create a destination with basic authentication. Use the credentials of your test user. Make sure that the OData service in OData Provisioning is registered using this destination. When you later change the setup to principal propagation, you should delete the service and register it again.
OData Provisioning – caching of service metadata
By default the OData provisioning service caches the OData metadata. When you make changes to your OData service, you must refresh the metadata cache: in the OData Provisioning menu select Metadata and clear the cache.
For some Fiori apps it is necessary to have additional roles for accessing all the data. You might get a data access error in your FCE app if the user doesn't have the necessary roles/authorization objects. If you don't know the appropriate roles, add the SAP_ALL authorization template to your user. In transaction ST01 start a trace for authorization checks (set a filter for your user ID). Call the Fiori app with your user. In the trace log you should get a list of all authorization objects that were checked. Add these objects to your user (e.g. by creating a custom role in PFCG), remove SAP_ALL and try again.
Errors in trust settings
When setting up the E2E trust with principal propagation, you may face a couple of problems that can be related to errors in your security settings:
- User is not able to logon to the Launchpad
possible error: wrong SAML2 assertion. The role defined for your user in your IDP may not match the group and role settings of your HCP service; use a browser tool (SAML tracer) to check the assertion.
- You are able to log on to the HCP Portal Launchpad, but when you call your Fiori app you get an "authentication required" message:
This could be caused by the following errors:
- Wrong principal is propagated: the user is not accepted in the backend. Use a SAML tracer, enable the SCC trace and set the log level to debug. You may see an entry similar to this one in the SCC log: #DEBUG#com.sap.scc.security#tunnelclient-5-1#0x26df8606#Generated X.509 certificate with subject CN=<wrong principal> In that case check your IDP settings.
- Broken mutual SSL between SCC and ABAP: analyze the ICM trace on ABAP
- Broken trust from SCC to ABAP: analyze the SCC log and the SMICM trace on ABAP
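As an added example (not part of the original post), a small Python helper that scans SCC log lines in the '#'-separated form quoted in the registration section and in the principal propagation section above, and maps the two symptoms to the checks recommended there. The sample lines, the user name JSMITH and the expected principal FIORIUSER are constructed for the example.

```python
import re

# Constructed sample lines modelled on the two SCC entries quoted in the post
# (user name JSMITH and the third line are made up for the example).
SAMPLE_LOG = """\
sap.core.connectivity.protocol.http.handlers.HttpProtocolOutboundHandler#tunnelclient-5-1#0xd2e3010e#Access denied to / for virtual host
#DEBUG#com.sap.scc.security#tunnelclient-5-1#0x26df8606#Generated X.509 certificate with subject CN=JSMITH
#INFO#com.sap.scc.core#main#0x00000001#Tunnel established
"""

ACCESS_DENIED = re.compile(r"Access denied to (\S+) for virtual host")
X509_SUBJECT = re.compile(r"Generated X\.509 certificate with subject CN=([^,\s]+)")


def parse_scc_line(line):
    """Split a '#'-separated SCC log line into component, thread, id and message.
    Some lines carry a leading '#LEVEL#' prefix and some do not, so the fields
    are taken from the end of the line."""
    fields = [f for f in line.strip().split("#") if f]
    if len(fields) < 4:
        return None
    return {"component": fields[-4], "thread": fields[-3], "id": fields[-2], "message": fields[-1]}


def analyze_scc_log(log_text, expected_principal=None):
    """Return one finding per line that matches a symptom described in the post."""
    findings = []
    for number, raw in enumerate(log_text.splitlines(), start=1):
        entry = parse_scc_line(raw)
        if entry is None:
            continue
        msg = entry["message"]
        m = ACCESS_DENIED.search(msg)
        if m:  # backend rejected the call: SICF node or authorization missing
            findings.append({"line": number, "symptom": "access_denied", "path": m.group(1),
                             "check": "activate sap/iwbep in SICF and assign /IWBEP/RT_MGW_ADM via PFCG"})
            continue
        m = X509_SUBJECT.search(msg)
        if m and expected_principal is not None and m.group(1) != expected_principal:
            # the CN in the short-lived certificate is the user that reaches the backend
            findings.append({"line": number, "symptom": "wrong_principal", "principal": m.group(1),
                             "check": "propagated CN differs from the backend user; review IDP and SCC settings"})
    return findings


if __name__ == "__main__":
    for finding in analyze_scc_log(SAMPLE_LOG, expected_principal="FIORIUSER"):
        print(finding)
```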