Technology Blogs by SAP
For security reasons, browsers make sure that front-end JavaScript code loaded from one origin only makes back-end calls to that same origin. With CORS, however, a host can tell the browser through response headers that such calls are allowed from certain origins. To read more about CORS, please read more here. With this enabled, your SAC can communicate directly with your BW InA API without running an additional reverse proxy.

ABAP NetWeaver 7.52+ supports CORS setup out of the box; for older versions there is a workaround. This brief article guides you through enabling direct connections in both scenarios.

 

NetWeaver 7.52+


Make sure that icf/cors_enabled is set to 1.

Go to transaction UCONCOCKPIT > Unified Connectivity Scenario Selection > HTTP White List Scenario > Cross-Origin Resource Sharing.

Switch to edit mode and add the following three entries for the BW InA services:

1. GetServerInfo service


Service Path : /sap/bw/ina/getserverinfo/
Host rule: your origin host name (multiple entries comma-separated, or * for all).
Allowed Methods: GET, POST, OPTIONS
Allowed Headers: AUTHORIZATION,X-CSRF-TOKEN,X-SAP-CID,ACCEPT-LANGUAGE
Exposed Headers: X-CSRF-TOKEN, SAP-REWRITEURL, SAP-URL-SESSION-ID
Allow Credentials: has to be active.
Max Age: 600



 

2. GetResponse service


Service Path : /sap/bw/ina/getresponse/
Host rule: your origin host name (multiple entries comma-separated, or * for all).
Allowed Methods: GET, POST, OPTIONS
Allowed Headers: AUTHORIZATION,CONTENT-TYPE,MYSAPSSO2,X-CSRF-TOKEN,X-SAP-CID,ACCEPT-LANGUAGE
Exposed Headers: X-CSRF-TOKEN, SAP-REWRITEURL, SAP-URL-SESSION-ID
Allow Credentials: has to be active.
Max Age: 600



 

3. Logoff service


Service Path : /sap/bw/ina/logoff/
Host rule: your origin host name (multiple entries comma-separated, or * for all).
Allowed Methods: GET,OPTIONS
Allowed Headers: AUTHORIZATION,X-SAP-CID,ACCEPT-LANGUAGE
Exposed Headers: X-CSRF-TOKEN, SAP-REWRITEURL, SAP-URL-SESSION-ID
Allow Credentials: has to be active.
Max Age: 600



After adding the three services, you have to save your changes.

NetWeaver 7.4+


Note: This workaround relies on the following post. For more detailed information, please read more there.

On your BW system, create a file (e.g. /usr/sap/<SID>/SYS/profile/cors_rewrite), then reference it in icm/HTTP/mod_0 as follows:
icm/HTTP/mod_0 = PREFIX=/,FILE={path_to_cors_rewrite_file}

The file should hold the following content:
if %{HEADER:isSACOriginAllowed} = true
setHeader isSACOriginAllowed false

if %{HEADER:ORIGIN} regimatch ^(http(s)?:\/\/)?{SAC_HOSTNAME} [AND]
if %{PATH} regimatch (\/sap(\(.*\))*\/bw\/ina\/*) [AND]
if %{REQUEST_METHOD} regimatch (GET|POST|OPTIONS)
setHeader isSACOriginAllowed true

if %{HEADER:isSACOriginAllowed} = true
begin
setResponseHeader Access-Control-Allow-Origin %{HEADER:ORIGIN}
setResponseHeader Access-Control-Allow-Methods GET,POST
setResponseHeader Access-Control-Allow-Headers x-csrf-token,x-sap-cid,authorization,mysapsso2,x-request-with,sap-rewriteurl,sap-url-session-id,content-type,accept-language
setResponseHeader Access-Control-Max-Age 600
setResponseHeader Access-Control-Expose-Headers x-csrf-token,sap-rewriteurl,sap-url-session-id,sap-perf-fesrec,sap-system
setResponseHeader Access-Control-Allow-Credentials true
setResponseHeader vary Origin
end

if %{HEADER:isSACOriginAllowed} = true [AND]
if %{REQUEST_METHOD} stricmp OPTIONS
begin
regRewriteUrl ^/(.*) /sap/public/ping
removeResponseHeader Set-Cookie
removeResponseHeader Expires
end

Replace {SAC_HOSTNAME} with your SAC host name(s) (including the port if non-standard). You may also adapt the pattern to meet your requirements (http, https, or both).
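
An added example (not part of the original post) for adapting the Origin pattern: as written it has no end anchor and leaves the dots in the host name unescaped, so look-alike origins also match and would be echoed in Access-Control-Allow-Origin together with Access-Control-Allow-Credentials. The rule is modelled here with JavaScript RegExp on the assumption that regimatch is a case-insensitive partial match; the host name, the Origin values and the https-only tightened pattern are constructed for illustration.

```javascript
// Added example, not from the original post. Models the Origin test from the
// cors_rewrite file with JavaScript RegExp. Assumption: regimatch is a
// case-insensitive search (partial match), which the page's unanchored PATH
// pattern needs in order to match /sap/bw/ina/getresponse.

// Constructed tenant host name; substitute your own SAC host.
const SAC_HOST = "tenant.example-sac.cloud";

// Pattern as the page writes it, with {SAC_HOSTNAME} substituted unchanged.
function pagePattern(host) {
  return new RegExp("^(http(s)?:\\/\\/)?" + host, "i");
}

// Tightened variant (one possible adaptation): regex metacharacters in the
// host escaped, https only, optional numeric port, and an end anchor.
function hardenedPattern(host) {
  const escaped = host.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^https:\\/\\/" + escaped + "(:\\d+)?$", "i");
}

// Constructed Origin header values.
const ORIGINS = [
  "https://tenant.example-sac.cloud",
  "https://tenant.example-sac.cloud:8443",
  "http://tenant.example-sac.cloud",
  "https://tenant.example-sac.cloud.lookalike.example",
  "https://tenantXexample-sac.cloud",
  "https://other.example",
];

// Origins for which the rule would echo Access-Control-Allow-Origin together
// with Access-Control-Allow-Credentials: true.
function reflectedOrigins(pattern, origins) {
  return origins.filter((origin) => pattern.test(origin));
}

for (const [name, build] of [["page", pagePattern], ["hardened", hardenedPattern]]) {
  console.log(name, reflectedOrigins(build(SAC_HOST), ORIGINS));
}
```

Run it with your own host name and the Origin values you expect before copying an adapted pattern into the rewrite file.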

 

Finally, you have to restart your ABAP system.

 

After that, you should be able to create a direct live BW connection in SAC:



 

 

Notes


Note #1: As a prerequisite, you will have to unblock third-party cookies in your browser.

Chrome:



Safari:



Note #2: For the same BW back-end system, you may configure either a direct connection or a path connection over a reverse proxy. If an end user mixes both scenarios in the same session for the same back end, session handling could be impacted and unpredictable behavior is to be expected.