Part 3: How to use SAP Cloud Platform Connectivity and Cloud Connector in the Cloud Foundry environment
In the first and second parts of this blog series, you can read how to set up the Cloud Connector and deploy a cloud application running in the Cloud Foundry environment of SAP Cloud Platform. There you can find all the details you need on how to use SAP Cloud Platform Connectivity to consume data from an on-premise backend system using Basic Authentication. This authentication type is good for testing but not really recommended for productive usage. In this new part of the blog series, I want to share which steps are needed to update the existing configuration to use principal propagation.
Note: To follow the explanations below, I recommend that you first go through the previous parts of the blog series, as everything here is based on them.
Before explaining how to configure the Cloud Connector to propagate the user identity from the cloud application to the backend system, let’s have a short recap of what happens and emphasize the differences from Basic Authentication (colored in blue):
1. User calls the webApp through the AppRouter, which provides a central point of entry to business applications.
2. The request is redirected to XSUAA and the user needs to log in. Then a JSON Web Token (let’s call this token JWT1) is created and sent to AppRouter. JWT1 is then cached by the AppRouter.
3. AppRouter forwards the request to the relevant web app URL, which is defined as a destination; it also passes the JWT1 token as credentials.
4a. The WebApp requests another JWT (JWT2) to access the destination instance. JWT2 should be cached for better performance.
4b. In parallel, the WebApp requests another JWT (JWT3) to access the connectivity instance. JWT3 should be cached for better performance.
5. The WebApp requests destination configuration by sending JWT2 and gets the authentication type (Principal Propagation).
6. Based on the authentication type defined in the destination, the WebApp sends a request to the connectivity instance with JWT1 and JWT3.
7. SAP Cloud Platform Connectivity forwards the request to the Cloud Connector.
8. The Cloud Connector sends a request to the on-premise system. Both need to be well configured for principal propagation (see below for details).
In the diagram you can see that you need to update the configuration in 3 different places: in the Cloud Connector, in the on-premise backend system and in the destination created in the SAP Cloud Platform. Let’s see now what needs to be done exactly.
1. Configuration of the Cloud Connector
a. Update the principal type of the Access Control
b. Set up a trust with the identity provider
c. Export the system certificate so that you can import it in the backend system later on
d. Configure the CA certificate for the short-living certificate
e. Adapt the subject pattern for principal propagation
f. Generate a sample certificate in order to import it in the backend.
2. Configuration of the on-premise backend system
a. Import the system certificate of the Cloud Connector to establish trust
b. Configure the Internet Communication Manager (ICM) to ensure the communication to the outside world.
c. Set up the rule-based certificate mapping (short-living certificate of the Cloud Connector)
3. Update of the destination in SAP Cloud Platform
a. Change the authentication type of the destination to “Principal Propagation”
b. That’s all you need to do in the SAP Cloud Platform. Now you can test your application.
As you can see, the main effort to set up principal propagation remains in the configuration of the Cloud Connector and the backend system. That means the configuration is almost identical to what we need to do in order to propagate the user identity for the NEO environment of the SAP Cloud Platform. If you are not familiar with this configuration: last year we created a step-by-step guide for TechEd, and the good thing is that you can re-use it completely, even though it was created for the NEO environment.
One last thing… you are probably asking yourself how the web application decides to send the Authorization header (for basic authentication) or the JWT1 (for principal propagation) based on the authentication type defined in the destination. We have just inserted a condition in the code to check it. Here is the excerpt of the code, which is in the file ConnectivityServlet.java.
switch (authType) {
    case NO_AUTHENTICATION:
        // No action needed
        break;
    case PRINCIPAL_PROPAGATION:
        // Forward JWT token to Connectivity Service
        client.setRequestProperty(SharedConstants.HEADER_SAP_CONNECTIVITY_AUTHENTICATION,
                SharedConstants.BEARER_WITH_TRAILING_SPACE + token);
        break;
    case BASIC_AUTHENTICATION:
        // Send the credentials stored in the destination as a Basic Authorization header
        client.setRequestProperty(SharedConstants.HEADER_AUTORIZATION,
                SharedConstants.BASIC_WITH_TRAILING_SPACE + connectionAttributes.getAuthenticationToken());
        break;
    case SAMLBEARER_AUTHENTICATION:
        String authHeader = SharedConstants.BEARER_WITH_TRAILING_SPACE
                + connectionAttributes.getAuthenticationToken();
        // Log only that the header is set; the header value contains the bearer token
        LOGGER.info(SharedConstants.HEADER_AUTORIZATION + " header set");
        client.setRequestProperty(SharedConstants.HEADER_AUTORIZATION, authHeader);
        break;
    default:
        break;
}
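Step 6 of the recap says the request to the connectivity instance carries both JWT1 and JWT3. The following added example (not taken from ConnectivityServlet.java or from the SAP sample project) builds that header set, refuses to send anything when a required token is missing, and masks credentials before they are logged. The class, enum and method names are hypothetical, and the two header names are assumptions based on the SAP Connectivity service documentation.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration; class, enum and method names are hypothetical.
public class OnPremiseRequestHeaders {

    enum AuthType { NO_AUTHENTICATION, BASIC_AUTHENTICATION, PRINCIPAL_PROPAGATION }

    // Assumption: header names as given in the SAP Connectivity service documentation.
    static final String PROXY_AUTHORIZATION = "Proxy-Authorization";
    static final String SAP_CONNECTIVITY_AUTHENTICATION = "SAP-Connectivity-Authentication";

    /** Builds the headers for a call through the connectivity proxy (step 6). */
    static Map<String, String> build(AuthType type, String jwt1User, String jwt3Connectivity,
                                     String basicCredentials) {
        Map<String, String> headers = new LinkedHashMap<>();
        // Assumption: JWT3 authenticates the application to the connectivity instance in every case.
        headers.put(PROXY_AUTHORIZATION, "Bearer " + require(jwt3Connectivity, "JWT3"));
        switch (type) {
            case PRINCIPAL_PROPAGATION:
                // Fail closed: never fall back to a technical user when the user token is missing.
                headers.put(SAP_CONNECTIVITY_AUTHENTICATION, "Bearer " + require(jwt1User, "JWT1"));
                break;
            case BASIC_AUTHENTICATION:
                headers.put("Authorization", "Basic " + require(basicCredentials, "basic credentials"));
                break;
            case NO_AUTHENTICATION:
                break;
        }
        return headers;
    }

    static String require(String value, String name) {
        if (value == null || value.isBlank()) {
            throw new IllegalStateException(name + " is missing; request not sent");
        }
        return value;
    }

    /** Log-safe view: the scheme is kept, the credential itself is masked. */
    static String redact(String headerValue) {
        int space = headerValue.indexOf(' ');
        return (space < 0 ? "" : headerValue.substring(0, space + 1)) + "<redacted>";
    }

    public static void main(String[] args) {
        // Constructed placeholder tokens, not real JWTs.
        Map<String, String> h = build(AuthType.PRINCIPAL_PROPAGATION, "jwt1.sample", "jwt3.sample", null);
        h.forEach((name, value) -> System.out.println(name + ": " + redact(value)));
    }
}
```

With the placeholder tokens, the program prints both headers as "Bearer <redacted>"; passing null for JWT1 with PRINCIPAL_PROPAGATION throws instead of sending a request without the user identity.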
As mentioned in the previous blogs, you can find all the code in the sharepoint.
You can find the step-by-step guide for setting up principal propagation here on Github. To make it easier for you to use, I have inserted below a detailed structure of what needs to be done, with direct links, so that you can get to the right info faster. As a bonus, you can find a troubleshooting guide at the end in the same Github repository 😉
A. Steps needed in the Cloud Connector
Step 1: Change the principal type of the existing access control to X.509 Certificate
Step 2: Trust configuration to establish trust with the identity provider
Step 3: Configure and export the system certificate
Step 4: Set up CA certificate
Step 5: Configure a subject pattern for principal propagation and generate a sample certificate
B. Steps needed in the on-premise backend system
Step 1: Establishing trust between the ABAP system and the Cloud Connector by importing the system certificate
Step 2: Configuration of the ICM
Step 3: Mapping of the short-living certificate
C. Steps needed in the SAP Cloud Platform
Step 1: Update the destination
Step 2: Launch the app 😉
Here again the repository with the code.
Be aware that this is only the basic setup to propagate the identity of the user. You will probably want to do more, like setting the Trust Store in the Cloud Connector or whitelisting your cloud applications as trusted. As this is not mandatory for a working setup, I haven’t mentioned it before, but I would highly recommend that you have a look at it. You can find all the details and much more in our security guide, which is now part of the official documentation.
Thanks for taking the time to go through this blog and please share your feedback. It’s always much appreciated 😉
Nice ..very well documented.. and much needed 🙂 Thanks!!
When I refresh PRINCIPAL PROPAGATION I get different IdPs. I do not see accounts.sap.com. My region is cf.eu10.hana.ondemand.com.
Some help here would be great.
>>edit:
Ok. Seems to be no problem for setting up principal propagation
Hi Matthieu Pelatan,
We are trying to consume an on-premise service from the Neo Trial platform. For authentication, we are using principal propagation through the HANA cloud connector to the gateway system.
We followed the steps from your blogs but received a 503 error when creating a UI5 application from the Neo platform at the data connection step.
Below is the screenshot of my Cloud connector of principal propagation
cloud-connector-pp.jpg
Below is the screenshot of backend system and its status reachable from Cloud connector
access-control.jpg
Below is the screenshot of neo platform destination configuration and its status
destination-reachable.jpg
destination-neo.jpg
Error while creating application from WebIDE at data connection step
ui-template-503-error.jpg
In the Cloud connector logs, I have found the following error
cc-logs-new.jpg
From the Cloud connector to the gateway system, connectivity is showing reachable.
From the Neo platform destination, the connectivity check is showing "connection successful".
But when I create the UI5 project in WebIDE, at the data connection step it is showing a 503 error.
Can anyone help me to find the issue here?
Thanks,
Rizwan.
Hello Matthieu,
I have a scenario where my client has got Cloud Foundry (on Azure) and wants to connect to SAP SuccessFactors through the SAP Cloud connector.
According to SAP documentation
https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/e6c7616abb5710148cfcf3e75d96d596.html
It mentions that the SAP Cloud connector cannot be used for connecting to SAP SuccessFactors. If so, what would be the options for me to get connected in my scenario?
Your inputs are much appreciated.
Regards,
KishoreJ.
Hi Matthieu Pelatan,
I tried creating an MTA application with a UI module to call an on-premise OData service and deployed it to Cloud Foundry. I initially used Basic authentication in the destination. The application was able to fetch the data from the on-premise system.
I made the necessary changes for principal propagation as per your document. Then in the destination I changed the authentication type to Principal Propagation. But the application is not fetching data.
Can you please guide me?
I also request you to share the code of your example.
Regards
Sachin
Hello Matthieu,
I have a problem with connecting to our SAP backend system via the destination and connectivity service in a multitenancy scenario.
In the provider subaccount where the application is deployed everything is working fine. But when I subscribe to the application via the SaaS service in another subaccount I get errors when the application tries to access the destination service. See the following error messages:
I added the destination like in the provider subaccount and also added the subaccount to the cloud connector.
Maybe you have an idea what my fault is?
Thanks and regards,
Andreas
Hi Matthieu,
After complete integration I am getting the error "Unable to generate authorization token for user XXXXXXXX on system XXXXX:8009". When I checked the SCC logs I found the error "0#ERROR#com.sap.core.connectivity.protocol.http.handlers.HttpAuthenticationHandler#tunnel-client-5-1# #Unable to generate authorization token java.lang.IllegalStateException: The value for the required variable EMAIL is not available in context."
I have referred to SAP Blog https://launchpad.support.sap.com/#/notes/0002584310 related to the same error but was unable to find any solution in it.
Appreciate your help!!!
Hi Matthieu.
I wish to express my appreciation for all your efforts. Thanks a lot for the wonderful blog and explanation.
All things work correctly and I am going to use this knowledge in production project.
Kind Regards, Alexey Suslov
Hi Matthieu,
Could I ask you to share the code to call an S/4HANA service with principal propagation? Unfortunately, the provided link does not work...
I'm facing the following issue. Maybe you'd have an idea how to solve it.
Regards,
Maciej