Skip to Content

In the first part of the blog, I’ve described how establish a secure tunnel between the SAP Cloud Platform Trial (Cloud Foundry environment) and the Cloud Connector. An Access Control has been also configured so that we can now access and consume securely data from an on-premise system.

In the second part I will explain how to configure SAP Cloud Platform Connectivity so that a web application can consume the odata service.

Note: many configuration steps of this blog will be done via the SAP Cloud Platform cockpit. Be aware that you can do exactly the same with the Command Line Interface of Cloud Foundry. More details about the CLI can be found here.

 

 

Creation of the SAP Cloud Platform Connectivity instance

SAP Cloud Platform Connectivity provides a standard HTTP proxy for on-premise connectivity to be accessible by any application. Proxy host and port are available in the credentials of the bound connectivity service via the environment variable “VCAP_SERVICES”. More details on how to interpret VCAP_SERVICES can  found in the official CF documentation.

In order to consume the data coming from the on-premise in the application via the HTTP proxy, we need to create an SAP Cloud Platform Connectivity instance and bind it to the application. When a binding is created the application gets connectivity credentials in its environment variables. More details about it here.

Note: As we haven’t deployed the app for now, we will do the binding later on.

Ok, let’s create an instance! Open the SAP Cloud Platform cockpit, go to the “Services Marketplace” under the “Services” tab and click on the Connectivity tile.

Then click on the “Instances” section and create a new instance.

Keep “lite” as plan and click “Next”. Then skip the next 2 wizard options (Parameters, Application assignment) and add an instance name (e.g. “connectivity-demo-lite”). This name will be added in the manifest of the application later on.

 

 

Creation of the SAP Cloud Platform XSUAA instance

XSUAA is the central identity management service for the Cloud Foundry environment, where authentication and authorization of users are managed.

By calling the application, the user will be redirected to the XSUAA and will be prompt to give his credentials. It will then achieve certain checks like verifying the OAuth client, client’s scopes, user’s scopes (Scopes are permissions to access one or more resources). Assuming everything is fine, the user will be authenticated and the XSUAA will redirect the browser to the application.

In a second step the application will take the client Id and the client secret and will talk directly with the XSUAA to get an access token. Then the application will sent both tokens as HTTP header so that it can consume the backend system via the SAP Cloud Platform Connectivity.

The next step is then to create an instance for the XSUAA. We open the SAP Cloud Platform cockpit and go to the “Services Marketplace” under the “Services” tab and click on the XSUAA tile.

Then click on the “Instances” section and create a new instance.

In the wizard we keep “application” as service plan and click “Next”. Then we add the following parameters in the editor and then click on “Next”.

{
	"xsappname" : "connectivity-app-demo",
	"tenant-mode": "dedicated"
}

 

In the last step of the wizard, we can add an instance name (e.g. “xsuaa-demo”). The same name will be added in the manifest of the application later on.

Note: As mentioned before, we will bind the instance at the end, once we have deployed the application.

Configuration and deployment of the application router

For this demo I have preconfigured an standard application router. Is it really needed? No but it makes my life easier and it’s a kind of best practise in the Cloud Foundry world. So in our scenario the application-router is the component that acts as our oAuth Client. Concretely that means that by calling the application router in the browser, the end-user will be redirected to the XSUAA in order to login. Assuming everything is fine, the XSUAA redirects then the end-user to the web application.

Here is a visualization of the process:

Note: probably you want to try it by yourself and you need maybe a standard application router. No problem, SAP provides an NPM registry under the following URL: https://npm.sap.com/

Use the following command to configure the NPM registry for your user

npm config set @sap:registry https://npm.sap.com/

Use the install command to download the approuter and its dependencies

npm install @sap/approuter

 

Now let’s do some changes in the manifest file of the application router before we deploy it.

  1. Name of the app-router
  2. Hostname of the app-router (has to be unique)
  3. URL of the web application (based on the app name that will be defined in the application’s manifest)
  4. Name of the XSUAA instance (the name has been previously defined in the SAP Cloud Platform cockpit by creating the XSUAA instance)

Here is the code of our app-router manifest:

---
applications:

- name: approuter-demo
  host: approuter-demo
  buildpack: nodejs_buildpack
  memory: 128M
  path: ./
  env:
    NODE_TLS_REJECT_UNAUTHORIZED: 0
    destinations: >
      [{
         "name":"dest-to-app",
         "url" :"https://connectivity-app-demo.cfapps.eu10.sap.hana.ondemand.com",
         "forwardAuthToken": true }
      ]
  services:
    - xsuaa-demo

 

In order to deploy the application router, we go to the “Applications” section in the SAP Cloud Platform cockpit. There we can click on “Deploy Application” and add the archive file and the manifest.

As we have defined the XSUAA service in the manifest, the binding will be done automatically. You can verifying it by clicking on the application router name and then on the “Service Bindings” section.

 

 

Configuration and deployment of the web application

The web application consists of 2 groups:

  1. JAVA logic to handle the JWT token and create a request via the HTTP Proxy of the SAP Cloud Platform Connectivity
  2. UI5 Frontend to display the result of the request in a table (Products and prices)

 

The configuration in the manifest file should be also updated:

  1. Name of the application
  2. Hostname of the application (has to be unique)
  3. Location ID(s) of the Cloud Connector (I haven’t define any Location ID in meinem Cloud Connector as I’m using only one)
  4. Virtual Host(s) of the Cloud Connector
  5. Name of the XSUAA instance
  6. Name of the SAP Cloud Platform Connectivity instance

Here is the code of the manifest:

---
applications:

- name: connectivity-app-demo
  host: connectivity-app-demo
  buildpack: java_buildpack
  memory: 256M
  instances: 1
  path: target/connectivity.war
  env:
    SAP_JWT_TRUST_ACL: '[{"clientid":"*","identityzone":"*"}]'
    SAP_SCC_LOCATION_IDS: '[""]'
    SAP_SCC_VIRTUAL_HOSTS: '["http://abap-as-eu01:443"]'
  services:
    - xsuaa-demo
    - connectivity-demo-lite

 

Note: by changing the name of the application, a change need to be done in the file application.properties. You can find it here: /connectivity/WEB-INF/classes/application.properties.

# parameters of the app
xs.appname=connectivity-app-demo

 

Before deploying the web application, let take time to see where the magic happens. The most important file is the connectivity servlet, which is responsible to propagate the user JWT token via headers.

// get value of  "onpremise_proxy_host" and "onpremise_proxy_port"
 ...

// set up the on-premise HTTP Proxy
URL url = new URL("http://virtualhost:1234");
Proxy proxy = new Proxy(Proxy.Type.HTTP, new InetSocketAddress(connProxyHost, connProxyPort));
urlConnection = (HttpURLConnection) url.openConnection(proxy);
 
// insert the necessary headers in the request
urlConnection.setRequestProperty("SAP-Connectivity-Authentication", "Bearer " + jwtToken1);
urlConnection.setRequestProperty("Proxy-Authorization", "Bearer " + jwtToken2);

// Optionally, if configured, add the SCC location ID
urlConnection.setRequestProperty("SAP-Connectivity-SCC-Location_ID", "New York");

For more details, you can can download the full code at the bottom of the page.

In order to deploy the web application, we go again to the “Applications” section in the SAP Cloud Platform cockpit. And again we click on “Deploy Application” and add the archive file and the manifest.

To veryfy that the manifest has taken care of the binding, we can check the “Service Bindings” section of the web application if the services have been added.

 

That’s all! Now we can call the application in the browser. In order to get the URL, we go to the “applications” tab and click on the “approuter-demo”. Here we can find the URL of the application router.

The route to the web application has been configured in the /approuter/xs-app.json file of the application router,  so that we need to add “/app/” at the end of the URL.

{
	"welcomeFile": "index.html",
	"routes": [{
		"source": "/app",
		"target": "/",
		"destination": "dest-to-app"
  		}
	]
}

The URL to be called is then: https://approuter-demo.cfapps.eu10.hana.ondemand.com/app/ 

By opening this URL in the browser, the user will be redirected to the XSUAA in order to login.

After the login, the XSUAA redirects the user to the web application, which called the odata services of the on-premise system via the Cloud Connector. Here is then the result.

 

You want to try it by your own or you want to see the code in details. No problem, you can download the code here. Some improvements need to be done for sure (for example the way to save the backend credentials 😉 So at least I hope it helps you to better understand how to use the the SAP Cloud Platform Connectivity in the Cloud Foundry environment.

In the next part of this blog serie, I will explain how to replace basic authentication with principal propagation.

Stay tuned and send me your feedback.

Matthieu

To report this post you need to login first.

12 Comments

You must be Logged on to comment or reply to a post.

  1. Gennady Maly

    Question about “you can can download the full code at the bottom of the page”. What link on this page could be used exactly?

    thanks and regards,

    Gennady

     

    (0) 
    1. Matthieu Pelatan Post author

      Hi Gennady,

      you can find the link at the bottom of the page:

      You want to try it by your own or you want to see the code in details. No problem, you can download the code here

      Let me know if you have problem with the link.

      Best,

      Matthieu

      (0) 
  2. Serban Petrescu

    Hi Matthieu,

    I am not able to find any documentation on the Principal Propagation for CF. Based on the Cloud Connector itself, I guess it should be possible (I see that you added support for the JWT-based SSO by extracting the principal from the token).

    Could you indicate where we could find some documentation on this feature? Also, is this feature “official” or still “beta” (i.e. work-in-progress)?

    Thanks,
    Serban

    (0) 
    1. Matthieu Pelatan Post author

      Hi Serban,

      indeed Principal Propagation works already in the Cloud Foundry environment. We working on the 3rd part of the blog, which will describe it in details. Stay tuned…

      Matthieu

      (1) 
  3. Petr Shumilov

    Hi Matthieu,

    I am developing node.js application in the Cloud Foundry environment and I need to able connectivity with on-promise OData service (through SAP Gateway). I followed your instructions but when I started implement proxy connection one thing made me confused. I did not understand how determine jwtToken1. Where and how i can get it? I read your java code and this doc but still did not understand. I hope you can help me))

    Thank you in advance,
    intern Petr

    (0) 
    1. Gennady Maly

       

      Petr, as far as I can see, a jwt determination example code is in the code provided my Matthieu “at the bottom of the page” (at the end of his blog) in the ConnectivityServlet.java file,

      getClientOAuthToken() function

       

      (0) 
  4. Simen Huuse

    Hi Matthieu! Great blog!

    Do you have any info on when the connectivity services will become available for the US West (CA) Beta site?

     

    All the best,

    @simenhuuse

    (0) 
  5. Yangyang Chen

    Hi Matthieu,

     

    Thank you for this wonderful blog!

     

    We are wondering whether we can directly consume Connectivity service from UI level? If not, can we implement similar logic in NodeJS instead of Java code?

     

    Thanks in advance

     

    yangyang

    (0) 

Leave a Reply