
There was a business requirement in one of the latest projects I have been involved with to create and utilise a cloud domain rather than providing users with links that don’t really mean anything. This opened my eyes to the world of cloud domains. I had seen this option before but had not really dabbled in it, and I must say that after some experience with it I really like it. It definitely allows a company to customise its Portal sites for a better user experience. In previous projects I usually compiled a URL register for the client so they knew the URLs involved in accessing Portal Site Admin, OData Provisioning and of course the specific FLPs or Freestyle sites that have been created per sub-account. With Cloud Domains this is no longer necessary as the URLs are easy to remember! As such, I am now recommending that all clients think about implementing Cloud Domains – just another element added to the mix to really improve the user experience!

Just as an example, this would change the following:

https://flpnwc-subaccountname.dispatcher.ap1.hana.ondemand.com/sites/freestylesitename#Home-Show

to

https://fioridev.companyname.com.au/sites/freestylesitename#Home-Show

This of course is an example for an entire freestyle site but you can set specific cloud domain values for individual applications if desired.

When thinking about rolling solutions out to the user base a number of different options are involved. It is a bit of a black art and I’ve seen a number of options utilised including:

  • Sending out the links to the FLP via email. This starts to get tricky if users need to access multiple FLPs.
  • Producing a QR code that points to the FLP site. I quite like this one but it probably only makes sense if the FLP is to be consumed on a mobile device and via SAP Fiori Client.
  • Embedding the link in an intranet site, possibly as an Office 365 link. This is more about adding the link to a central place that most users go to on a daily basis.
  • Self-service by users entering the link into their SAP Fiori Client application on their mobile device. This again gets complicated when you have users testing the application.

Another option is to create a cloud domain name that is easy enough for users to remember. Most of the time organisations already have their own domain so it is more a task of extending it to include new cloud domain values. So, let’s go through how this can be achieved. Firstly, let me include some links that I referenced when creating and setting up the cloud domain.

This link is quite good and has a diagram explaining the steps involved as well as the involved parties.

https://blogs.sap.com/2015/06/24/set-up-your-custom-application-url/

This is the standard SAP Cloud Platform help site which has some great information as well.

https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/98e655aacd1d4fc6a6ab23475b1afcd9.html

The following SAP Cloud Platform capabilities site I also referenced. The video is great although I had to pause and rewind the video a few times as it went through the steps quickly. 🙂

https://cloudplatform.sap.com/capabilities/product-info.Custom-Domain.2386628a-b819-4a83-9890-828efa3d17c2.html

 

Now, before we get into the detailed steps let’s cover the pre-requisites – these are required to start this entire process.

Prerequisites

There are a number of prerequisites required when carrying out the set up of the cloud domain, including:

  1. Domain Name. This is the first pre-requisite, however most companies already have a domain name that they own. If not, or if a different domain name is required for the custom domain, then it will need to be purchased.
  2. Custom Domain. This is obviously absolutely required. For customers signing up to the SAP Fiori Cloud subscription you will receive 1 complimentary cloud domain with your SAP Fiori Cloud subscription however most organisations would use this for a Production environment. I will detail below how you can check if you have a free cloud domain with your SAP Cloud Platform subscription.
  3. Console Client. Management of the custom domain and full set up takes place through the SAP Cloud Platform console client. Commands are used to carry out the necessary instructions to not only set up the custom domain but to create the Certificate signing request, to load the certificate and to create the SSL host. All of this will be described in more detail below. I used the command prompt as I used a Windows 10 laptop to perform the tasks.

    https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/9341b7dc-322d-4523-ac64-b6213594ad0c.html

Additionally – you will see the User parameter used throughout the Neo commands below. This user is the email address for your SAP Cloud Platform login. It should always be the same.

Console Client

To download the console client you need to visit the SAP Development tools website and navigate to the Cloud category -> https://tools.hana.ondemand.com/#cloud. To carry out the Cloud Domain set up you need to download the SAP Cloud Platform Neo Environment SDK as shown below. There are a number of versions and they change regularly so just download the latest version.

Figure:1 SAP Cloud Platform Neo Environment SDK download screen

Steps include:

  1. Download the ZIP file by clicking on the link as highlighted above. I believe you can download either version but in my case I downloaded the Java Web Tomcat 8 version. Specifically click on the neo-java-web-sdk-3.65.7.zip.
  2. Extract the ZIP file into a preferred location. In my case I created a new folder on my local drive called SCP and a sub-directory called SDK. Tip: Look at the Readme.txt file for more detailed information about the SDK. 

Here is an excerpt from the Readme file for some additional information.

#############################################################
# Welcome to the SAP Cloud Platform SDK for Neo Environment #
#############################################################

Runtime : Java Web Tomcat 8
Version : 3.59.20.3
Build Date : 2018-07-13

1. Introduction

The SAP Cloud Platform SDK for Neo environment contains everything required to build SAP Cloud Platform applications.
The following section will show you its inner structure.
It gives you the libraries required for compilation of SAP Cloud Platform applications, contains documentation, samples, and the tools for command line usage.

2. File System Structure

<root>
|- api          Platform API JARs required for compilation of SAP Cloud Platform applications
|- javadoc      JavaDoc of the above platform API
|- license      Licenses of third party components contained in the SAP Cloud Platform SDK for Neo environment
|- repository   Repository from which the local server runtime can be installed
|- samples      Samples demonstrating how to develop for SAP Cloud Platform
|- server       Initially not present, but created once you install a local server runtime
|- tools        SAP Cloud Platform console client required for development, e.g. to install a SAP Cloud Platform local runtime
|- readme.txt   Brief introduction into the SAP Cloud Platform SDK for Neo environment, its content and how to set it up
|- sdk.version  SAP Cloud Platform SDK for Neo environment version information for use by other tools interacting with the SDK


This is what the extracted zip file looks like.

Figure:2 SDK extracted files

As highlighted above the key folder for the cloud domain set up is the tools directory. For more information check out this link.

https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/7613843c711e1014839a8273b0e91070.html

Now that we have the SAP Cloud Platform Neo SDK tools installed it is time to start setting up the cloud domain.

For all the steps involved I used the Command Prompt (for Windows machines).

  • Using the Run option bring up the MS Windows command prompt.
  • Navigate to the SDK tools directory. This includes batch commands that need to be executed.

NOTE: The steps can be carried out at different times, so perform the above two steps every time you need to carry out a step as part of the overall Cloud Domain set up process.

At this point as mentioned previously we need to first check whether in fact a cloud domain is available. If a different cloud domain is required per SAP Cloud Platform subaccount then they will need to be purchased via the normal methods.

List SSL Hosts

You can use the list-ssl-hosts command to do this. This will show how many cloud domains are available.

COMMAND = list-ssl-hosts

The following information is referenced in the List SSL hosts command including:

  • Neo Sub-Account name.
  • User – email address of the SAP Cloud Platform user (S or P number).
  • Host name e.g. ap1.hana.ondemand.com

You will then need to run a specific command to list the SSL hosts.

neo list-ssl-hosts --account subaccountname --user phil@company.com.au --host ap1.hana.ondemand.com

As you can see at this point we have only 1 available – this is the Account quota number detailed below. All SSL hosts will be listed here if in fact more have been set up. At this point in the process I had created an SSL for a single SAP Cloud Platform subaccount and had used the quota.

Figure:3 SSL hosts and Cloud Domains quota

OK, now that we have checked this we can now go through the steps of creating and setting up the Cloud Domain.

There are a number of steps involved that I will now cover.

Task  Task Description
1     Create SSL Host
2     Generate CSR
3     Sign Certificate
4     Upload Domain Certificate
5     Bind Certificate to the SSL Host
6     Map custom domain
7     Configure DNS
8     Configure Single Sign On

 

We will now go through all of these steps and along the way cover some additional learnings throughout the process.

1. Create SSL Host

The first step in setting up a Cloud Domain is to create a new SSL host. This will actually serve your custom domain. You will need an SSL host for each cloud domain you want to utilise which would typically match the number of SAP Cloud Platform subaccounts you have if in fact you are creating a cloud domain for each. All other steps will ultimately relate to the SSL host so this is an important step.

Result of this step:  Creation of an SSL host name – something like the following – APnnnnnnnnnnn.ssl.ondemand.com where the AP stands for the Region – Asia Pacific (AP) in this case.

The following command is used to create the SSL host. When this is created you will actually be able to ping it with successful connectivity.

COMMAND = create-ssl-host

The following information is referenced in the Create SSL host command including:

  • Neo Sub-Account name.
  • User – email address of the SAP Cloud Platform user (S or P number).
  • Host name e.g. ap1.hana.ondemand.com
  • SSL host name to be created. This is usually the cloud domain you would like. For e.g. fioridev.company.com.au

You will then need to run a specific command to create the SSL host.

neo create-ssl-host --account mysubaccount --user phil@company.com.au --host ap1.hana.ondemand.com --name mysslhostname

When you run any command you will be prompted to enter your Password (for the user you included in the command). This is your SAP Cloud Platform Neo account password that you would normally enter when navigating to the SAP Cloud Platform Cockpit. Once entered the SSL host will be created successfully and you will receive the following message:

“A new SSL host ‘mysslhostname’ was created and is now accessible on ‘APnnnnnnnnnnn.ssl.ondemand.com’.”

The SSL host name that is created here will need to be used by the Network team to associate internal URLs with the external SSL host. This is covered in later steps. You can also ping the site and you will see at this point it should connect.

Figure:4 Step:1 Create SSL Host

If you create an SSL host in error you can delete it. Look in the last section of this blog to find out how you can delete an SSL host after creating it.

 

2. Create CSR

The next step in the process is to create a Certificate Signing Request (CSR). This will typically be sent to a Certificate Authority to be digitally signed. Be warned that certificates do cost money – between $700 and $1000 AUD for each certificate.

COMMAND = generate-csr

Similar to the SSL host creation step this needs to be performed in the Console client. You will need to determine the following information as part of this step.

  • Certificate Identifier – this is a certificate identifier to be used in later steps. It is not specifically included as part of the CSR. An example would be companynamedevcert.
  • Certificate Distinguished Name – also referred to as the Common Name (CN). This is usually the host name you want to create.
  • Subject Alternative Name (SAN) – this can be the same as the Certificate Distinguished Name and can also have additional descriptors.
  • Locality – usually the suburb or city of the company.
  • Organisational Unit (OU) – the department to which the CSR relates. Typically this is IT.
  • Organisation (O) – typically the Company Name, including Pty. Ltd based on the type of company.
  • State or Province (ST) – the state or province in which the company is located.
  • Country (C) – this is a 2-letter country code. AU for Australia.

Here is a full example of what the parameters could be set to.

Parameter Name                  Value
Common Name (CN)                fioridev.company123.com.au
Subject Alternative Name (SAN)  fioridev.company123.com.au
Email Address (EMAIL)
Locality (L)                    Melbourne
Organisational Unit (OU)        IT
Organisation (O)                Company Name
State or Province (ST)          Victoria
Country (C)                     AU
Domain Component (DC)

The generate CSR command needs to be entered in the following format.

neo generate-csr --account mysubaccount --user phil@company.com.au --host ap1.hana.ondemand.com --name certificateidentifier --certificate-distinguished-name "C=XX,O=XXXXX,L=XXXX,ST=XXXXXX,CN=xxxxxxxx" --subject-alternative-name "xxxxxxxxxxxxxxxxxxxxxxx"

The result of this step is that a Certificate Signing Request is generated. When this is generated you will need to copy the CSR into a text file and send it through to your certificate authority to get it signed. Copy all of the text including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- text.

Figure:5 Step:2 Generate CSR (Certificate Signing Request)

This request is then signed.

3. Sign Certificate

The certificate authority needs to sign the above CSR and provide a PEM file for the signed certificate. Once the CSR is signed by the certificate authority it will need to be loaded using the Console client.

NOTE: You cannot load just any certificate here; only a certificate signed directly from the CSR can be uploaded. Here is some more information about the certificate.

The certificate must be in Privacy-enhanced Electronic Mail (PEM) format (128 or 256 bits) with private key (2048-4096 bits).

https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/77cf0e6cd32e496c9cc8eeac4bedde94.html#loio55120d899d314e23ab8e33b4b388cea6

The certificate should be in PEM format. It doesn’t have to be a .pem file; it can also be .cer or .crt.

A .p7b file, however, is in PKCS#7 format, which is not supported.
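A format check to run on the file returned by the certificate authority before step 4, written here as an added example (it is not part of the original post or of the SAP SDK). The function names and the sample files are constructed for illustration; the payload bytes are a placeholder, not a real certificate.

```python
import base64
import re

# RFC 7468 textual encoding: -----BEGIN <label>----- base64 -----END <label>-----
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 #]+)-----\r?\n(.*?)\r?\n-----END ([A-Z0-9 #]+)-----",
    re.DOTALL,
)


def pem_blocks(data: bytes):
    """Return [(label, der_bytes), ...]; raise ValueError on malformed input."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("binary file (DER or binary PKCS#7), not PEM text") from None
    blocks = []
    for begin, body, end in PEM_BLOCK.findall(text):
        if begin != end:
            raise ValueError(f"BEGIN {begin} is closed by END {end}")
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            raise ValueError(f"{begin} block is not valid base64") from None
        if not der.startswith(b"\x30"):  # X.509 and PKCS structures are DER SEQUENCEs
            raise ValueError(f"{begin} block does not contain a DER SEQUENCE")
        blocks.append((begin, der))
    return blocks


def check_upload_file(data: bytes):
    """Return a list of problems; an empty list means the file passes the format check."""
    try:
        blocks = pem_blocks(data)
    except ValueError as exc:
        return [str(exc)]
    if not blocks:
        return ["no PEM block found"]
    problems = []
    for label, _ in blocks:
        if label == "PKCS7":
            problems.append("PKCS#7 (.p7b) bundle: not supported, request PEM from the CA")
        elif label.endswith("CERTIFICATE REQUEST"):
            problems.append("file holds the CSR, not the signed certificate")
        elif label != "CERTIFICATE":
            problems.append(f"unexpected block type: {label}")
    return problems


def _pem(label: str, der: bytes) -> bytes:
    """Wrap bytes in PEM armour to build the constructed samples below."""
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n".encode()


# Constructed placeholder payload (SEQUENCE { INTEGER 1 }), not a real certificate.
FAKE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLES = {
    "signed.pem": _pem("CERTIFICATE", FAKE_DER),
    "signed.crt": _pem("CERTIFICATE", FAKE_DER) + _pem("CERTIFICATE", FAKE_DER),
    "bundle.p7b": _pem("PKCS7", FAKE_DER),
    "request.csr": _pem("CERTIFICATE REQUEST", FAKE_DER),
    "signed.der": b"\x30\x82\x01\x0a" + FAKE_DER,
}

if __name__ == "__main__":
    for name, content in SAMPLES.items():
        print(name, check_upload_file(content) or "OK")
```

The check looks only at the container format, so the file extension is irrelevant, as noted above. It does not verify that the certificate was issued from the CSR of step 2.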

4. Upload Domain Certificate

When the signed certificate comes back from the certificate authority it can be uploaded using the console client. This is normally 24-48 hours after the CSR is generated so you will need to run the command prompt again and navigate to the correct directory for the Neo commands (tools as mentioned previously). A number of file formats are permissible here but the ideal one is a .PEM file. There is not normally a password required when uploading this certificate.

COMMAND = upload-domain-certificate

The following information is referenced in the Upload Certificate command including:

  • Neo Sub-Account name.
  • User – the email address of the SAP Cloud Platform user (S or P number).
  • Host name e.g. ap1.hana.ondemand.com
  • Certificate Identifier that was used in the CSR request step. An example would be companynamedevcert.
  • Certificate file name (.pem)

The upload domain certificate command needs to be entered in the following format. Again, like the other commands you will need to enter your Password.

neo upload-domain-certificate --account mysubaccount --user phil@company.com.au --host ap1.hana.ondemand.com --name certificateidentifier --location ./certificatefilename.pem

NOTE: The certificate .pem file will need to be located in the SDK\tools folder for the above command to work.

The result from this step is that the SSL certificate will be loaded into SAP Cloud Platform for the sub-account and hostname and be identified by the certificateidentifier.

Figure:6 Step:4 Upload Certificate

The message that is displayed is as follows:

SSL certificate ‘certificateidentifier’ uploaded.

Once the certificate has been uploaded the next step will be to bind the certificate to the SSL host.

***NOTE***

I encountered an issue when uploading the certificate initially and dealt with SAP support and received the following information.

For the initial error, it is caused by this bug on BigIP F5 load balancer and a workaround for it is to use a different name.

 

 

5. Bind Certificate to the SSL Host

The next step in the process is to bind the uploaded certificate to the created SSL host so that it can be used as SSL certificate for requests to this SSL host. The result out of this step is that the certificate will be bound to the SSL host name of the custom domain. Once successful the message displayed will state that the certificate (name) is bound to the SSL host (ssl host name).

COMMAND = bind-domain-certificate

The following information is referenced in the bind certificate command including:

  • Neo Sub-Account name.
  • User – email address of the SAP Cloud Platform user (S or P number).
  • Host name e.g. ap1.hana.ondemand.com
  • SSL Host Name – from Step 1. For e.g. fioridev.company.com.au
  • Certificate Identifier that was used in the CSR request and in the upload step. An example would be companynamedevcert.

You will then need to run a specific command to bind the domain certificate.

neo bind-domain-certificate --account mysubaccount --user phil@company.com.au --host ap1.hana.ondemand.com --ssl-host mysslhostname --certificate certificateidentifier

Figure:7 Step:5 Bind Certificate to SSL Host

The certificate will then be bound to the new SSL host name which will eventually become the cloud domain.

 

6. Add/Map Custom Domain

One of the final steps is to add the custom domain. This is one of the steps that brings it all together.

COMMAND = add-custom-domain

The following information is referenced in the Add Custom Domain command including:

  • Neo Sub-Account name.
  • user – email address of the SAP Cloud Platform user (S or P number).
  • Host name e.g. ap1.hana.ondemand.com
  • Custom domain name (in this case this equals the mysslhostname). Usually this would be the same as the SSL host name.
  • Application URL – basically the flp URL up to the sites part.
  • SSL host name – equals the SSL host created in the first step. For e.g. fioridev.company.com.au

You will then need to run a specific command to add the custom domain.

neo add-custom-domain --account mysubaccount --user phil@company.com.au --host ap1.hana.ondemand.com --custom-domain clouddomainname --application-url https://flpnwc-mysubaccount.dispatcher.ap1.hana.ondemand.com --ssl-host mysslhostname --certificate certificateidentifier

Figure:8 Step:6 Add Custom Domain

After this step the custom domain is set – there are now only a couple of steps left.

 

7. Configure DNS

The second last change is to modify the DNS entry with your website provider. This usually involves changing the CNAME record. The following information is required to complete this step.

  • The SSL host name that was provided after Step 1. You may recall this was in the format of APnnnnnnnnnnn.ssl.ondemand.com. To check connectivity you can actually ping this address in the command prompt.
  • The SSL host or Cloud Domain you have created. You basically need to create a CNAME (alias) record for the new cloud domain that points to the above APnnnnnn host name.

This is normally carried out by internal infrastructure/network resources and I won’t go into detail here.

8. Configure Custom Domain / Single Sign-On

The last step in all of this set up is to actually use the cloud domain within the sub-account on SAP Cloud Platform. There is a particular tab page on the Trust settings within the Security area.

The following settings need to be made here:

  • Click on [Edit] button to change the settings.
  • Use Custom Application Domain checkbox -> set to Active.
  • Central Redirect URL = https://authn.ap1.hana.ondemand.com (this is usually prefilled)
  • Custom Domain URLs = https://*.customdomainname/saml2/sp/slo/subaccountname/subaccountname

Figure:9 Step:8 Configure Custom Domain

This now completes the steps involved in creating a custom domain. If you run your new cloud domain URL (followed by the relevant application specifics) you will see the website come up successfully.

If you click on the lock you can view the certificate information and the Issued To: should match to your Cloud domain name.
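The same check as clicking the lock, scripted so it can be repeated per subaccount, together with a check of the DNS alias from step 7. This is an added example, not part of the original post: the function names are illustrative, the sample certificate is constructed in the dictionary format returned by Python's ssl.getpeercert(), and fetch_live needs network access to a domain that is already set up.

```python
import socket
import ssl
import time


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125 matching: '*' may only replace the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def check_served_cert(cert: dict, domain: str, now=None) -> list:
    """Check a dict in ssl.getpeercert() format; return a list of problems."""
    now = time.time() if now is None else now
    problems = []
    # Browsers match the host against DNS entries in the SAN, not the subject CN.
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(hostname_matches(name, domain) for name in sans):
        problems.append(f"{domain} is not covered by SAN entries {sans}")
    if ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        problems.append("certificate not yet valid: " + cert["notBefore"])
    if ssl.cert_time_to_seconds(cert["notAfter"]) <= now:
        problems.append("certificate expired: " + cert["notAfter"])
    return problems


def alias_points_to_ssl_host(canonical: str, suffix: str = ".ssl.ondemand.com") -> bool:
    """True if the custom domain resolves through an SSL host as created in step 1."""
    return canonical.lower().rstrip(".").endswith(suffix)


def fetch_live(domain: str, port: int = 443):
    """Needs network access: return (canonical DNS name, served certificate dict)."""
    canonical = socket.gethostbyname_ex(domain)[0]
    context = ssl.create_default_context()  # also validates chain and host name
    with socket.create_connection((domain, port), timeout=10) as sock:
        with context.wrap_socket(sock, server_hostname=domain) as tls:
            return canonical, tls.getpeercert()


# Constructed sample in getpeercert() format, using the host name from step 2.
SAMPLE_CERT = {
    "subject": ((("commonName", "fioridev.company123.com.au"),),),
    "subjectAltName": (("DNS", "fioridev.company123.com.au"),),
    "notBefore": "Aug 15 00:00:00 2018 GMT",
    "notAfter": "Aug 15 23:59:59 2019 GMT",
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jan 15 00:00:00 2019 GMT")

if __name__ == "__main__":
    print(check_served_cert(SAMPLE_CERT, "fioridev.company123.com.au", SAMPLE_NOW))
    print(alias_points_to_ssl_host("APnnnnnnnnnnn.ssl.ondemand.com"))
```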

This concludes the cloud domain set up. I will finish off the main part of this blog with an architecture diagram – did not want to scare you off initially with architecture :-).

Figure:10 Cloud Domain Architecture

I will now cover some other notes – more helpful hints for other commands that might be required along the way. Hope you have enjoyed the ride so far.

 

Other Notes

During this exercise I have found a few other things that are worth noting. Some of these involve use of other console commands but are notable inclusions as you go through the Cloud domain set up process. Hopefully they help you as much as they did me!

Deleting an SSL Host

When I was implementing Cloud domains I actually did need to delete an SSL host – so this next Delete command came in handy. It is important to spend some time up front determining exactly what the cloud domain names should be – especially when designing this for multiple sub-accounts. It needs to make sense. Initially when I did create them we had hyphens in the host name so I used the delete-ssl-host command to delete it and create a new one without hyphens. 🙂

This is not really part of the entire cloud domain set up, however I have included it in case you create the SSL host in error.

COMMAND = delete-ssl-host

The following information is referenced in the Delete SSL host command including:

  • Neo Sub-Account name.
  • User – email address of the SAP Cloud Platform user (S or P number).
  • Host name e.g. ap1.hana.ondemand.com
  • SSL host name as what was initially created. For e.g. fioridev.company.com.au

You will then need to run a specific command to delete the SSL host.

neo delete-ssl-host --account mysubaccount --user phil@company.com.au --host ap1.hana.ondemand.com --name mysslhostname

Figure:11 Deleting an SSL Host

As stated previously you may not need to use the above delete ssl host command but I included this just in case you do.

List Domain Certificates

You can check on the domain certificates that are loaded at any point in time by using the list domain command.

COMMAND = list-domain-certificates

The following information is referenced in the list domain certificates command including:

  • Neo Sub-Account name.
  • Email address of the SAP Cloud Platform user (S or P number).
  • Host name e.g. ap1.hana.ondemand.com
  • SSL host name as what was initially created. For e.g. fioridev.company.com.au

You will then need to run a specific command to list the domain certificates.

neo list-domain-certificates --account subaccountname --user phil@company.com.au --host ap1.hana.ondemand.com

 

Deleting Domain Certificates

There are two steps involved when a domain certificate you have bound previously needs to be deleted. This means there are 2 commands involved.

COMMAND = unbind-domain-certificate
COMMAND = delete-domain-certificate

Unbind Domain Certificate

The following information is referenced in the Unbind domain certificate command including:

  • Neo Sub-Account name.
  • User – email address of the SAP Cloud Platform user (S or P number).
  • Host name e.g. ap1.hana.ondemand.com
  • SSL host name as what was initially created. For e.g. fioridev.company.com.au

You will then need to run a specific command to unbind the domain certificate from the SSL host.

neo unbind-domain-certificate --account subaccountname --user phil@company.com.au --host ap1.hana.ondemand.com --ssl-host mysslhostname

Figure:12 Unbinding the Domain Certificate from SSL Host

You will see the return message displayed “Certificate ‘xxxxxxx’ removed from SSL host ‘APnnnnnn.ssl.ondemand.com’.”

The domain certificate has been removed from the SSL host at this step.

Delete Domain Certificate

The following information is referenced in the Delete domain certificate command including:

  • Neo Sub-Account name.
  • User – email address of the SAP Cloud Platform user (S or P number).
  • Host name e.g. ap1.hana.ondemand.com
  • Certificate Identifier that was used in the CSR request and in the upload step. An example would be companynamedevcert.

You will then need to run a specific command to delete the domain certificate.

neo delete-domain-certificate --account subaccountname --user phil@company.com.au --host ap1.hana.ondemand.com --name certificateidentifier

Figure:13 Deleting the Domain Certificate

You will see the return message displayed “Certificate certificateidentifier deleted.”

 

SDK Version No Longer Supported

  • SDK version no longer supported. The SDK versions are upgraded regularly so at some point a version that you downloaded may be old and invalid. When this occurs you will actually see notes in the Console.

    Figure:14 SDK Version Not Supported message

    As it states, it is recommended to keep upgrading the SDK version on your machine to the latest.

 

Overall I had plenty of fun and games going through and learning all about cloud domains and I wrote this blog because I believe the requirement for this will only increase in the future. So hopefully this reference will be useful out in the SAP Community.

Thanks for reading and please add more information or contribute in some way if you feel it is required.

Also happy for comments!

 
