HCI PI Tenant Set UP-Part1
HCI PI Tenant Set UP-Part1
I am working on HCI- PI project in which am building custom iflows. When created a scenario and deployed it on HCI tenant, I have faced a number of issues with respect to HCI tenant setup. I am writing these blogs so that it would help integration developer or basis admin to understand HCI tenant initial setup. I know there are few similar blogs based on trial version. My effort is to try and consolidate all the required information at one place so that it would be easy for developers to follow and use. In this blog, we shall understand what are usages of URL’s which is received from SAP when HCI tenant is purchased.
Step1: You will receive an email from SAP about the account details using which you can access HCI tenant. The email consists of 3 URL’s as mentioned below.
1st will be a WEB UI URL
2nd will be an Eclipse URL
3rd will a runtime URL
HCI-PI URL and Usage
https://account.us2.hana.ondemand.com: This is the URL to access Cockpit which is provided by SAP when an HCI cloud account is requested.
Web UI URL (Access via web browser):
https://yourinstance-tmn.hci.us2.hana.ondemand.com/itspaces: This is to access HCI-PI instance to do integration development.
Management URL (Access via Eclipse HCI plugin):
https://yourinstance-tmn.hci.us2.hana.ondemand.com: This is the URL which is configured in Eclipse tool to perform integration development.
Runtime URL (Webservice URL to be configured in backend systems):
https://yourinstance-iflmap.hcisbp.us2.hana.ondemand.com: This is the runtime URL which is used to configure backend system with SAP HCI-PI
Step2: You need to create an account and provide proper authorization so that you can develop and test your integration scenarios. You can follow below link and steps to accomplish initial account setup.
Step3: You need to provide particular roles for integration developer. Please follow steps mentioned below.
1.Login to cockpit using URL mentioned below using SNC user credentials.
2. Navigate to security tab on the left panel and click Authorization as shown in the screenshot below.
3.In User, search tab input the SNC user and click show assignments.
4.Click on Assign tab and the following screen will pop up and assign roles as mentioned in the screenshot below. One thing to note is account and application type for the specific user role.
5. After assigning the roles your user should look as in the screenshot below. Note: I have assigned some additional roles as I was also involved in admin work. In case you are just responsible for integration development then you can get Integration developer role and ESBMessaging. Send roles which will allow you to develop iflows in HCI tenant.
Note: You need to have ESBMessaging.send and Integration developer role to develop iflowso.
In my next blog will explain how to setup eclipse.
Hope this helps.
See you in my next blog
Thank you, Hari! I have a couple of questions about users and roles. In my understanding only s-users (or p-users and the like) can be used on HCP IS, both for dialog users via UI and for systems sending messages through available channels. Am I right? No way for customers to keep their existing user naming conventions?
How may we distinguish between dialog and system users, as each s-user could be potentially used for both purposes?
An s-user will periodically expire, and I’m wondering how that should be handled in case this is used for communication between systems...
I could not see a place where standard roles or authorization groups could be customized (or new custom roles created). Is this feature available?
Many thanks in advance!
Yes, In HCI there is no service users. Anyone who works on HCI it may be COCKPIT, CLOUD CONNECTOR or TENANT has to have s-user as it is hosted in SAP cloud. Now taking about retaining the same username conventions, if I understand your question correct you mean using the same username and passwords, if yes this can be done by deploying the credentials under security material tab on HCI and referencing the same in communication channel( More appropriate for SFTTP scenarios). The best way to communicate in HCI is to use client certs in which you have the ability to map certs to specific s-user so it is always recommended to have an Admin s-user in the landscape. There are no service or dialog users in HCI the only way it can be differentiated is by roles which you can assign in COCKPIT.
Hope this helps!
I am not getting the relevant roles in my Cockpit. Please see the screenshot below.
Do I need to check anywhere else on cloud?
Do you have admin role to your user ID?using which you're are trying to add additional roles. If yes please open a ticket to SAP under component LOD-HCI-PI-OPS and ask them to review the permission of the HCI tenant and share your tenant details in below format. In case you don't have admin roles please add them and try to add roles in a new session.
Please set the log level for the following loggers:-
TMN url: https://v0XXX-tmn.avt.us1.hana.ondemand.com
Tenant Name: v0XXX
I want to have test on SAP HCI. But I can't find out as on your post and screen. Should I pay for use HCI ? I heard that it need to have tenant from SAP when I have development.
Would you like to let me know how to allocate tenant for development?
Young from Brisbane
Yes, you need to get a tenant licence in order to test HCI PI which is part of HCP and provided as a service. You can get a developer version which would be less expensive compared to others.
Thanks for let me know. I want to purchase tenant license for test HCI PI . Would you let me know where can I purchase or how to purchase for tenant for that ? I haven't found any link or url for that.
Please help .....
I will get you details in couple of days.
Please find details below. Now HCP is renamed as SCP (SAP Cloud Platform)
If you like to get a trial account, mail to: email@example.com.
When an account and tenant have been provided by SAP, you will receive a mail from SAP with the subject text SAP HANA Cloud Integration – Notification. This mail contains information on your account and test and productive tenant and a number of URLs. For more information on the purpose of the URLs, see the table below.
Do not reply to the SAP HANA Cloud Integration – Notification mail. This is an unmonitored mailbox. If you have any further questions, create a ticket (component LOD-HCI).
Just question. SAP HCI is necessary sign up with company level. Do i have any way to use as personal or individual level?
Did you sign up company level ?
Thanks so much my reply inquiry.
You can do both but using if your company is SAP partner then it is better to use company.
I hope you are fine!
Please can you help me?
Can only add a user that has S-user or P-user? I read something about LDAP ID, is this true? If so, how could it be done?
You need to have S-user in order to work on HC I PI.
I think P-User can also be used to access HCI.
Dear Hari, thank you very much for your return and I hope you are fine!
I have one more question, if possible: How do I not allow users to set their credentials? The idea is that only the system administrator has access to security material. Is it possible, if so, how?
(Monitor> Manage Security Material> Security Material)
Note: The registered roles for the developers are:
Group DEVELOPERS (hci)
*** Only on the USERS tab esbmessagestorage.read
Just provide users if they developers with following roles and not admin roles.It should work. Please let me know.
Group DEVELOPERS (hci)
Hello Hari, once again, thank you very much!
I did not understand. So I've been reading no SAP content, no description.
I did not understand whether to remove an ESBMessaging.send (iflmap) role or just let it set for the developer.
In any case, I removed an ESBMessaging.send (iflmap) role and I still manage to edit the service material.
The idea is that only the environment administrator can create such credentials, know_host and etc.
What should I do?
Once again, thank you !!
Let me try to do some test and provide you a answer.
Thank you so much Hari!
I did tests too. I created a new group and assigned each of my roles listed above.
It was only possible not to edit the security material when only the operation view was released. That is, any other parameter that is for developer (from this my list of parameters) gives the user powers to edit the security material.
I'll wait for your return. Thank you very much!
See you soon.
Thank you! this was helpful and solved my problem that I could not copy the desired integration scenario 😉
Now CPI Trail is available.
Where I can see esbmessaging.send role in cockpit.
Please Help me on that.
Thank you Advance
What is the Sub Account name in cockpit, to give it in Cloud Connector.
Do I need to give HTTPS Proxy here?
Please help on this.
You can find the account name following the path as shown in the screenshot below. The sub account name is the technical name which can be found in the specific account type. Hope this helps.