Ariel Bravo Ayala

CPI: Exploring the hidden and hideous /Operations URL

Intro

During this year (2018), SAP launched an API to handle some CPI components. This year also saw development shift from Eclipse to the WebUI. However, some operations features have not yet been migrated to the WebUI or to the OData API and remain available exclusively through the Eclipse add-on. In this post, I will show some undocumented features hosted under the /Operations URL. Some of these features overlap with the officially provided tools. More than a few people have clicked on the URL only to find a blank web page after authentication. I will explain how to use this endpoint. Before we start, I am obliged to include a disclaimer.

Disclaimer

The following information is based solely on my research; it is not based on official information and may (most likely) contain inaccuracies or errors. Using these somewhat undocumented APIs carries risks, so they should not be used in production environments or for purposes other than education or research. I don’t know if using this tool breaks any terms or conditions or any type of SAP license. Please investigate and use it at your own risk. You’ve been warned!

The “Operation” URL

The Operations URL is nothing more than an API endpoint that receives commands to interact with core CPI functionality. I started investigating the Operations API because, with the standard API, it is not yet possible (Aug 18) to extract the endpoints of an iFlow (or I might be looking in the wrong place!).

Both the Eclipse add-on and the WebUI use this API extensively for reading information and for executing some tasks. My feeling is that SAP also uses this API to perform support and maintenance tasks, since many of the available commands are not used by the WebUI or the Eclipse add-on. It should also be noted that some of the available commands are extremely delicate (just by looking at the name you can understand what I’m saying), so it makes a lot of sense that they are not directly exposed through the available tools. In this post I will not discuss the operations that are available through the WebUI (you can easily review them through the developer console of your internet browser). I will not discuss all of them either, as there are so many… Otherwise, the post would be endless! Finally, as I’ve already mentioned, be aware that the functionality of a few of these operations overlaps with the standard OData API (they even share the same payloads).

Basics 1: Preparing the requests

The URL is protected against cross-site request forgery. Therefore, you will need to request the CSRF token by sending the header X-CSRF-Token: fetch

The response will provide the token plus the session cookie. Using Postman, you just need to save the token and use it in the subsequent requests.

Getting the token:

HEAD /Operations/ HTTP/1.1
Host: ********-tmn.hci.***.hana.ondemand.com
X-CSRF-Token: fetch
Cache-Control: no-cache

Basics 2: Obtaining the tenant information and calling a command

Once you have your authentication and token in place, you will need to obtain some basic information about your CPI account. The operation com.sap.it.op.srv.commands.dashboard.ParticipantListCommand provides that information. Among other things, it returns the CPI account ID, the assigned nodes (tenant manager -tmn- and runtime -iflmap-) and a list of the artefacts deployed on each node.

Create your request payload by wrapping the parameters in XML:

<root withActiveTenants="false">
  <onlyHeader>false</onlyHeader>
  <withAdminNodes>true</withAdminNodes>
  <withNodes>true</withNodes>
</root>

Execute the query: (body content-type: application/xml)

With the information obtained from this request, you will be able to explore most of the available commands.
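The two-step exchange from Basics 1 and 2, as an added example that is not part of the original post and is not SAP code: a constructed local mock endpoint issues a token on X-CSRF-Token: fetch, and the client replays the token and session cookie together with the XML payload. The mock's session handling, the cookie name JSESSIONID and the status codes are assumptions made for illustration.

```python
import http.client, secrets, threading
from http.server import BaseHTTPRequestHandler, HTTPServer

SESSIONS = {}  # mock state: session id -> CSRF token issued to that session

class MockEndpoint(BaseHTTPRequestHandler):
    """Constructed local stand-in for a CSRF-protected endpoint (not SAP code)."""
    log_message = lambda self, *args: None  # silence per-request logging

    def do_HEAD(self):
        self.send_response(200)
        if self.headers.get("X-CSRF-Token", "").lower() == "fetch":
            sid, token = secrets.token_hex(8), secrets.token_hex(16)
            SESSIONS[sid] = token  # token is bound to a fresh session cookie
            self.send_header("X-CSRF-Token", token)
            self.send_header("Set-Cookie", f"JSESSIONID={sid}; HttpOnly")
        self.end_headers()

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        sid = self.headers.get("Cookie", "").partition("JSESSIONID=")[2].split(";")[0]
        expected, sent = SESSIONS.get(sid), self.headers.get("X-CSRF-Token", "")
        # Accept only the token that was issued to this very session.
        ok = expected is not None and secrets.compare_digest(sent, expected)
        self.send_response(200 if ok else 403)
        self.end_headers()

PAYLOAD = (b'<root withActiveTenants="false"><onlyHeader>false</onlyHeader>'
           b'<withAdminNodes>true</withAdminNodes><withNodes>true</withNodes></root>')

def run_exchange():
    """Return POST statuses: (no token, token + own cookie, token + other session)."""
    srv = HTTPServer(("127.0.0.1", 0), MockEndpoint)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    def call(method, headers, body=None):
        conn = http.client.HTTPConnection("127.0.0.1", srv.server_port)
        conn.request(method, "/Operations/", body=body, headers=headers)
        resp = conn.getresponse()
        conn.close()
        return resp
    head = call("HEAD", {"X-CSRF-Token": "fetch"})
    token = head.getheader("X-CSRF-Token")
    cookie = head.getheader("Set-Cookie").split(";")[0]
    base = {"Content-Type": "application/xml"}
    no_token = call("POST", base, PAYLOAD).status
    good = call("POST", {**base, "X-CSRF-Token": token, "Cookie": cookie}, PAYLOAD).status
    other = call("POST", {**base, "X-CSRF-Token": token, "Cookie": "JSESSIONID=x"}, PAYLOAD).status
    srv.shutdown()
    srv.server_close()
    return no_token, good, other
```

Only the request that carries both the fetched token and the cookie from the same response is accepted, which is why the token and session cookie have to be saved together.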

 

Overview of some commands and their parameters

I think that each command name is self-explanatory, so I will only include remarks on a few of them. Most of these commands require some roles to be assigned to your user. The API will let you know whether you are missing an authorization or not.

In an ideal world I would be attaching the XSD of the request and response… but this is not an ideal world. I will try to find some time to prepare a Postman collection (I have mine, but cleaning out personal information is time consuming).

(I’m sorry about the horizontal scroll in the tables; it is an issue with the blog platform.)

“Safe” operations:

| Operation | Parameters | Remarks |
| --- | --- | --- |
| com.sap.esb.monitoring.datastore.access.command.GetDataStorePayloadCommand | tenantId, id, qualifier, storeName | Payload in B64 |
| com.sap.esb.monitoring.datastore.access.command.ListDataStoreEntriesCommand | tenantId, allStores (boolean), maxNum (int), onlyOverdue (boolean), qualifier, storeName | |
| com.sap.it.nm.commands.config.ReadTenantConfigCommand | tenantId (attribute) | |
| com.sap.it.nm.commands.db.GetTableSizesCommand | tenantId | Interesting command, shows DB tables and the row count |
| com.sap.it.nm.commands.deploy.DownloadContentCommand | tenantId, artifactIds | The content comes in B64 |
| com.sap.it.nm.commands.deploy.ListContentCommand | participantId, tenantId, version (constant? = 2) | |
| com.sap.it.nm.commands.deploy.ListContentLogsCommand | artifactIds, tenantId | |
| com.sap.it.nm.commands.node.GetNodesCommand | | |
| com.sap.it.nm.commands.node.PrintEnvCommand | nodeIds | Environment system values of the node, including JVM, variables, sys properties, class path, etc. |
| com.sap.it.nm.commands.node.TailTraceLogCommand | | Get the tail trace of a specific node |
| com.sap.it.nm.commands.profile.GetCapabilitiesCommand | tenantId, nodeType, nodeProfileName | |
| com.sap.it.nm.commands.profile.GetCapabilitiesWithMetadataCommand | tenantId, nodeType, nodeProfileName, keys (namespace and name) | Attributes for the keys taken from the GetCapabilitiesCommand |
| com.sap.it.nm.commands.task.ListTaskLogsCommand | taskIds, tenantId | |
| com.sap.it.nm.commands.task.ListTasksCommand | tenantId | |
| com.sap.it.nm.commands.vm.GetThreadDumpCommand | nodeId, tenantId | Analyse performance (check this blog by Vadim Klimov) |
| com.sap.it.op.srv.commands.cxf.CxfEndpointsCommand | runtimeNodeId, tenantId | The command that I was looking for! |
| com.sap.it.op.srv.commands.dashboard.NodeProcessStatisticCommand | from (datetime), to (datetime), participantId, nodeId | |
| com.sap.it.op.srv.commands.dashboard.ParticipantListCommand | withActiveTenants (attribute), onlyHeader, withAdminNodes, withNodes (all booleans) | Gives you basic information used by the other operations |
| com.sap.it.nm.commands.security.ListCredentialsCommand | tenantId | Fancy to read all the passwords? |

“Not-so-safe” operations:

| Operation | Parameters | Remarks |
| --- | --- | --- |
| com.sap.it.nm.commands.deploy.DeleteContentCommand | artifactIds, deployCredentialsRole, deploySecurityRole | |
| com.sap.it.nm.commands.component.ComponentRestartCommand | componentIds, componentNames, nodeId, tenantId | Restart an artefact |

 

“Stay-away” operations (seriously, be careful):

Note: After some thinking, I decided to remove part of the operation name and leave this section only as general information. It shouldn’t be difficult for you to find out the proper name.

| Operation | Parameters | Remarks |
| --- | --- | --- |
| *****.DecommissionTenantCommand | No params | |
| *****.GetClusterInfoCommand | No params | |
| *****.GetMessagingResourceUsageCommand | No params | |
| *****.RemoveTenantClusterCommand | No params | |
| *****.SeverTenantClusterCommand | No params | |
| *****.SoftwareUpdateCommand | No params | |
| *****.StartTenantClusterCommand | No params | |
| *****.StopTenantClusterCommand | No params | |
| *****.SaveTenantConfigCommand | No params | |
| *****.ListClusterLocksCommand | tenantId | |
| *****.ReleaseClusterLocksCommand | lockIds (unbounded), tenantId | |
| *****.LaunchMgmtNodeCommand | No params | |
| *****.LaunchNodeCommand | No params | |
| *****.OsgiShellCommand | commandLine, nodeId, tenantId | Execute an OSGi command |
| *****.RemoveMgmtNodesCommand | No params | |
| *****.RemoveNodesCommand | No params | |
| *****.StopMgmtNodesCommand | nodeId, tenantId | |
| *****.StopNodesCommand | No params | |

Final words

The /Operations endpoint is a really powerful and not too complex tool. You can learn many things about how CPI works under the hood and thus better understand its capacities and limitations. Some commands, such as PrintEnv and ParticipantList, provide tons of material for analysis and consideration; others, such as TailTrace and GetThreadDump, provide excellent focused information for tracing and debugging.

As a final reminder: be careful. The endpoint is not documented for the public, and although many commands are used by Eclipse, the WebUI and the OData API, many others are likely reserved for SAP.


      10 Comments
      Eng Swee Yeoh

      Hi Ariel

       

      Great exposé! I've saved a copy of this as PDF just in case someone decides this shouldn't be in public view! :p Will definitely try to check it out.

       

      So if one doesn't like WebUI, and can no longer use the deprecated Eclipse addons, just build your own UI! :p

       

      Regards

      Eng Swee

       

      Andreas Quenstedt

       

      Hi Ariel,

      I want to confirm your assumption that our command framework is limited to SAP internal usage only. It must not be used outside SAP.

      Only APIs which are part of our service documentation are released for customer usage.

      One clarification to your statement “Most of these commands require some roles to be assigned to your user.” – actually all commands include a dedicated role check.

      Roles which are required for SAP admin commands are not exposed via application user management.

      Thanks & regards,

      Andreas

       

      Thorsten Stork

      Hello Andreas,

       

      At your official “service documentation” there are no APIs to monitor something like CPU, memory for each node and other metrics.

      Our Customer asked for such “monitoring” opportunities.

       

      So are there other ways to get such metrics? For CPI on NEO and CF?

       

      Regards

      Thorsten

      Eng Swee Yeoh

      Hi Ariel

       

      You mentioned that the ParticipantListCommand provides basic information about the other operations. I can't seem to find anything in the response body showing such information. Not sure if anything has changed since you wrote this blog post.

       

      Regards

      Eng Swee

      Ariel Bravo Ayala
      Blog Post Author

      Hi Eng Swee,

      It might be that I did not explain this correctly. What I wanted to say is that this operation provides you information about your account. You can use that data as input for calling the other services.

      As an example, when you register a new system in your Eclipse addon, the only information that you provide is the URL of your account, your user and password. From there, Eclipse logs into your account, and uses the ParticipantList to display your account details and to obtain some “internal” data such as the id of the available nodes and the tenant Id itself. Then, if for instance, within Eclipse you want to read the thread dump of a node, the addon will call the GetThreadDumpCommand using the nodeId and the tenantId obtained from the ParticipantList.

      The following image can explain this further. The first screen is the response of the GetParticipantList operation. In the second screen, I’m using that info to get the threadDump of that specific node.

       

      Best regards,

       

      Ariel

      Eng Swee Yeoh

      Hi Ariel

       

      Indeed I had misunderstood that statement - I thought it meant the ParticipantListCommand's response provided details on the usage of the other commands, e.g. what parameters are available.

       

      Thanks for clarifying that.

       

      I had a look at the calls initiated from WebUI and noticed that instead of HTTP POST, it uses HTTP GET with the parameters provided in the query string.

       

      Regards

      Eng Swee

      Gerald Kluge

      Hi Ariel,

       

      the call GetTableSizesCommand

      is it working in Web UI or Eclipse?

      Want to debug why I'm getting 403

       

      BR Gerald

      Former Member

      In neither of the two... o_O

      Thorsten Stork

      Hello Ariel,

       

      does this work on CPI for Cloud Foundry also?

      On NEO I did some successful testing, but on a trial CPI on CF not yet.

       

      Thank you.

       

      Regards

      Thorsten

      Raju Adhikary

      Hi Ariel,

      Was testing with the same URLs for fetching XCSRF Token and update the log level in
      CloudFoundry, however it seems not working. Any clue on that?

      Regards
      RAdhikary