Skip to Content
Technical Articles

How to install and configure the RealCore CPI dashboard

This blog post is the second part of the series about our RealCore SAP CPI dashboard tool. It deals with the installation and configuration of the dashboard tool. You can find the first article, which is about the capabilities and features of the dashboard, over here:
Advanced monitoring and health check with RealCore’s CPI Dashboard

Before we start, let’s have a quick look on the restrictions while installing and using the dashboard.


Since the Cloud Foundry (CF) variant of SAP CPI as of now doesn’t send the WWW-Authenticate-header, the IFlow isn’t usable via webbrowser. Thus the dashboard isn’t supported on SAP CPI on CF environments for now because the dashboard’s webinterface itself is delivered via an IFlow and thus need a webbrowser-friendly authentication method.


Since the complete dashboard and all its code is packed into one single Integration Flow (IFlow), the installation of the dashboard is done within minutes.

At first you should download the current release from our Github repository. You can find latest release here:

Next you should open your SAP CPI tenant, switch to the Design-perspective and create/choose the package you want to place the monitoring IFlow into. Then edit the package, switch to the Artifacts-tab and click Add, to upload the beforehand downloaded SAP CPI Dashboard release.

That’s it for the installation part. In the next section we will deal with the configuration.


All things that need to be configured can be maintained via “Externalized Parameters”. Thus, it is not necessary to make changes to the IFlow itself or its code. Some of the externalized parameters are used multiple times and therefore only need to be maintained once. So trust me – it’s not that much to configure.

To start the configuration, we switch to the configuration perspective now.

Let’s have a look onto the different parameters which have to be set…

Sender configuration

On the Sender-tab you will find one system with five adapters (since the IFlow has five endpoints), but you have to configure only one parameter, because it is used in all five channels.


How to set: Set this parameter to an url-slug you personally prefer. It will be the base url of all five endpoints of the IFlow.

Receiver configuration

On the Receiver-tab you will find three Receivers (SAP_CP = general Cloud Platform APIs, SAP_CPI = Cloud Platform Integration specific APIs, MAIL_SERVER = e-mail server to send out alerts) with 3 (SAP_CP), 7 (SAP_CPI) and 1 (MAIL_SERVER) channel. We will consider the different receiver systems separately.

Receiver – SAP_CP

All three SAP_CP receivers share the same configuration parameters. Thus you only have to do the configuration for one of the HTTP channels.

Parameter Name: SAP_CP_HOST

How to set: This must be set to the hostname of your SAP Cloud Platform API host. It is build like:

api.{regional hostname}

The {regional hostname} depends on the region your Cloud Platform account sits in. A list of possible hostnames can be found here: 


How to set: This should be set to the technical name of your SAP CPI tenant. You will find the technical name in the Cloud Platform Cockpit via Region –> Global Account –> SAP CPI Subaccount.

At the bottom of the subaccount page you will find the technical name of your SAP CPI tenant.

Explanation: This credentials are used to query the authorization and management api to retireve a list of roles for the dashboard user/caller. The roles itself are needed to show/hide different functions of the dashboard.

Parameter Name: Credential Name/SAP_CP_AUTH_API_CREDENTIALS

How to set: Enter the name of the security material/credentials which contains the credentials for the SAP Cloud Platform Authorization Management API. Note: If you haven’t used the Authorization Management API before, you have to create an account first. Create the OAuth credentials as described here and here. Then store the OAuth credentials in your SAP CPI’s security material section and enter the name of the security material as the needed configuration parameter.

Receiver – SAP_CPI

In opposite to the SAP_CP receivers not all of the seven SAP_CPI receivers share the same configuration parameters. The channels can be divided in two groups. The first group is calling urls to “/itspaces/odata/…” and the second group to “/api/v1/…”.

The screenshot below shows how you can differentiate the groups. Ensure that you configure at least one channel of each group from the screenshot.

Parameter Name (Group): SAP_CPI_HOST (Group 1)

How to set: Set this to the hostname of your SAP CPI tenant management node. Take the screenshot below for example.


Parameter Name (Group): Credential Name/SAP_CPI_AUTH_API_CREDENTIALS_BASICAUTH (Group 1)

How to set: Enter the name of the security material/credentials which contains user and password (S-User/technical S-User) of an account which has sufficient rights to access the SAP CPI tenant.

Explanation: This credentials are used to access some unofficial SAP CPI APIs (the ones which are used by the SAP CPI webinterface itself) to retrieve a list of runtime and designtime artifacts.

Parameter Name (Group): Credential Name/SAP_CPI_AUTH_API_CREDENTIALS_OAUTH (Group 2)

How to set: Enter the name of the security material/credentials which contains the OAuth credentials for the SAP CPI OData API. Note: If you haven’t used the SAP CPI OData API via OAuth before, you have to create a set of OAuth credentials first. Check this article which describes how to setup the credentials. (Basically it’s the same like you did before for the Auth&Management API, but this time you use the “Clients”-tab instead of the “Platform API”-tab in the OAuth section of your CPI-subaccount.) Then store the OAuth credentials in your SAP CPI’s security material section and enter the name of the security material as the needed configuration parameter.
Attention: Since Dashboard version 1.0.2 the credential has to be stored in a security material of type “OAuth2 Credentials”!

Explanation: This credentials are used to query the MessageProcessingLogs-resource (and more) of the SAP CPI OData API which is used to retrieve the message volume/counts.

Receiver – Mail Server

This part of the cofiguration is optional. You only have to configure this receiver, if you want to use the alerting feature of the RealCore CPI Dashboard.

If you want to use the dashboard’s alerting engine, configure a valid mail server here. The dashboard will use it to send out alerting mails. If you don’t want to use the alerting engine, you can fill out the configuration with dummy values.


Congratulations, if you managed to get to this point – the hardest part of the configuration is done. On the “More”-tab you have to configure some more parameters.


How to set: If you plan to use the alerting engine of the dashboard, then you can set up the mail address here which should be shown as sender/origin of the alert mails.


How to set: You can set this parameter to any value. It defines the name of the Datastore which is used by dashboard to cache the message count information. So ideally choose a name that is not yet in use as well as one that fits your naming conventions for datastores.


How to set: This values describes the measured interval for CPU utilization in milliseconds. (To measure the utilization of CPU the CPU time is read out twice. The higher the interval, the better the CPU usage results in dashboard. But on the same side – the higher the interval, the longer the dashboard loading time. Everything higher than 1000 should be fine.


How to set: Define the name of the role a dashboard user must have assigned to get access to the dashboard. When the IFlow is called it checks if the user has the role defined here. If not, it blocks access to the dashboard. If you want to work with your own rules, read this article of mine, which describes custom role handling.


How to set: Define the name of the role a dashboard user must have assigned to view and download logfiles via the dashboard. When the IFlow is called it checks if the user has the role defined here. If not, it hides the logfiles section in the dashboard and blocks file download requests. If you want to work with your own rules, read this article of mine, which describes custom role handling.


How to set: Define the name of the role a dashboard user must have assigned to view security material/credentials. When the IFlow is called it checks if the user has the role defined here. If not, it hides the security material section in the dashboard and blocks manually executed calls to the secmat-service. If you want to work with your own rules, read this article of mine, which describes custom role handling.


If you plan to use the alerting engine, you can configure here how often the engine should check for errors. Regardless of the interval you configure, the engine will check the complete time interval since the last check. So by setting a larger interval in the timer, you just configure how often you will receive mails.

Deployment and Usage

Now that we have finalized the configuration, we have to deploy the IFlow. Either click on the Deploy-button from the configuration page or use the deploy option from the package view.

After the successful deployment, switch to the operations view of your SAP CPI tenant and go to the Manage Integration Content -> All-perspective. Search for the dashboard IFlow. From here you can find the dashboard’s url. Copy the url and open it in a (modern) webbrowser.


Now we have reached the end of the second article. I hope you have successfully set up the RealCore Dashboard on your SAP CPI tenant. If there are problems or questions, just write a comment. I’m sure together we can figure out what went wrong.

You must be Logged on to comment or reply to a post.
    • Hi Jon Prow,

      this error looks like it comes from the IFlow’s call to the authorization & management api. This call is done by the IFlow to get a list of roles of the S-User which is calling/opening the dashboard. If you get a 401 error for the auth & management api call, you may have a problem with the “platform api’-oauth credentials which you should have set up while configuring the dashboard.

      You can do two things now:

      1. Double check, that you passed the correct credentials in the IFlow configuration for the parameter SAP_CP_AUTH_API_CREDENTIALS
      2. Take the URL from the error message, use a tool like Postman and try to call the url with the auth & management api OAuth credentials. If it works in Postman, something with the IFlow is wrong. If it doesn’t work in Postman, you may have made a mistake while setting up the API credentials.


      • Hey Raffael,

        I assume its related to my configuration, but I think I am close.  Here is our error:


        Error text: HTTP operation failed invoking https://oauthasservices-<consumer-account&gt; with statusCode: 503


        When I put url in Postman it doesn’t work, but if i add the landscape host name in the url I am able to receive an access token.






        • Update – I am able to get in with adding the landscape host to the http connection to SAP_CPI from Integration Process / Collect system status and Integration Process / Read security material



          • Hi Jon,

            thanks for your effort and your feedback. I think I see what you meant. There are two http channels which call “”. Unfortunately I missed to make them region aware.

            Instead of changing the IFlow itself, it should be possible to add the region key (as defined here: ) to the parameter SAP_CPI_TENANT_TECHNICALNAME. (This should be possible, because the parameter is only used in those two channels and sits right in front of the url part where the region selector should be.

            So if your tenant technical name looks like “abc1234” and your are placed in “US East (Ashburn)” datacenter (see link above), than the SAP_CPI_TENANT_TECHNICALNAME should be set to “abc1234.us1”.

            In the next version/update, I will fix this issue.



          • Thats what I tried initially, but there is other configuration that uses SAP_CPI_TENANT_TECHNICALNAME that is impacted.  For example the HTTP connection to SAP_CP in the Check authorization integration.

            Thanks for the help, looking forward to the next release.


          • Oh, I see… But since the region-aware hostname, which is needed for the OAuth token calls is exactly the same like the {{SAP_CP_HOST}}, just without the leading “api.”, we can re-use this variable. I just setup a small new release, which uses the SAP_CP_HOST-parameter and does an substring on that. Thus the existing configuration doesn’t have to be changed.

            You can find the release here: Feedback is appreciated. Thanks for your help again.

    • Hi Jon

      Your userId seems to be lacking the S-prefix. Maybe it’s that?

      That is pulled from the security material entry for the parameter SAP_CPI_AUTH_API_CREDENTIALS_BASICAUTH (Group 3)

      However, in my case I have the prefix there and it still doesn’t work.


          • Hi Philippe Addor ,

            if your OAuth credentials are wrong, it would be a 401 (=Unauthorized) – it’s the default behaviour. The call which fails for you is this one:

            If you check the configuration settings of the connector, you see that it uses “Authentication: OAuth2 Client Credentials” mode. When using this mode, the adapter takes the client credentials pair which you created in the security material section. Then it makes a call against the token endpoint which is part of the credential settings:

            This token endpoint responds with an Bearer token, which is then used to call the endpoint url which was configured in the communication channel. If the OAuth credentials are wrong, are missing grants or the token endpoint is wrong, you may get the 401 Unauthorized error you have seen.

            If you want to check, if your OAuth credentials are correct, you could use a tool like Postman. The screenshot below shows the configuration. You should choose Authorization mode “Basic Auth”, then copy Client ID and Client Secret from the Security Material (screenshot above). The copy the “Token Service URL” as configured in the security material and add “?grant_type=client_credentials”.

            If you click the “Send”-button, you should see a token response in the lower half of the Postman window. In addition you should see “Status 200 OK”. If you get an “Status 401” (what I assume will happen), then you should re-check your credentials and re-create them like shown here:


          • Thanks Raffel for the comprehensive explanation! I think there are several issues:

            1. I made the mistake to mix up the security material for the different configuration parameters. I believe your channel configuration description in this blog differs at least from the latest version of the iflow. The HTTP channel groups on the image do not apply anymore.
            2. There seems to be a problem with getting the Message Processing Log and the Runtime Artifacts: the two channels in the corresponding flow steps have the setting “Authentication = None” in the Iflow. I have changed this to Basic, and voila, it works now for me!

              Before, the MPL had no Credential parameter, unlike described above (see below “SAP_CPI_AUTH_API_CREDENTIALS (Group 2)”)

            However, I don’t yet fully understand the difference between the Platform API Client and the “standard” Oauth client, as well as when to use Basic Auth and when Oauth (still learning… 🙂 ). So maybe my change would be unnecessary and there is still a mix-up in Security Material in the different configurations. Or maybe instead of using Basic, I should use the Oauth Client.


          • Hi Philippe,

            thanks for investing your time to test our tool. Glad to hear that it finally runs for you. Regarding your points…

            1. You’re right. The screenshot with the groups was wrong. If fixed it right now in the blog post. It seems like when saving the IFlow in the new version, the channel/parameter list was just randomly mixed up… (Note to myself – re-check the channel order and update the blog post for each update.)
            2. Nice to hear that it works. But it was correct that the channels had no auth. For accessing the MessageProcessingLog-api (MPL-api) I used the OAuth logon mode. You can see that at the beginning of the main process (“Integration Process / Collect system status”) there is a call named “Get Bearer token”. At this point the CPI OAuth credential pair is used to get an access token. This token then later is used when calling the MPL api. (It is added to the request headers via script steps direct before doing the MPL call.) You solution works also, because the MPL can be accessed via BasicAuth, too. I just used OAuth, because it’s the preferred way to access this API.

            Now let’s come to your questions concerning all the API keys.

            However, I don’t yet fully understand the difference between the Platform API Client and the “standard” Oauth client, as well as when to use Basic Auth and when Oauth (still learning… 🙂 ).

            We are dealing with three types of API in the dashboard. All of them need different credentials.

            1. Authorization and Management API: This API is used to query the roles assigned to a user. Since users are managed on SAP Cloud Platform level and are not specifically handled via your specific SAP CPI tenant/instance, we need credentials on the SAP Cloud Platform (SAP CP) level. That’s why we create an OAuth credentials pair on “Platform API” level.
            2. SAP CPI OData API: This official API allows you to access different things of a specific SAP CPI tenant. (Think of the CPI as specific application which runs on the more generic Cloud Platform). That’s why we need to create an own OAuth credential pair for this API calls and assign it to the SAP CPI application. (You can get a list of all SAP CPI OData apis here: )
            3. itspaces/workspace.svc API: This is an unofficial API. It’s the API which is called via the SAP CPI website/webbackend. E.g. If you click on create a new IFlow, this API is called in background. We need this API to get a list of all the designtime content/IFlows because this information is not available via the official OData APIs. Since this API is not official and since it normally is used only when someone uses the website, we use the BasicAuth logon mode here. The credential pair should have the same rights as a user which uses the SAP CPI webbackend regularly.

            Hopefully this clarifies some of your open points. Have a nice


          • Hi Raffael

            Thanks a lot for the explanation! It makes sense now. And I will some time try to find out why the bearer token is not working in my case, just for the sake of my own learning.

            Best Regards,


        • Hi Prabhakar Teegavarapu,

          posting the url in a regular webbrowser give this “code”-responses. That’s correct, because when using a regular webbrowser the call is missing the needed token headers. Thus a webbrowser is not an appropriate tool to evaluate if your credentials are right.

          Please read this comment I wrote for Philippe. It explains how to check your OAuth credentials via Postman. It may help to find out what is going wrong on your side.


  • Hi Raffael Herrmann

    we are currently configuring the RealCore CPI dashboard on our test cpi.
    so far everything worked fine and thanks for the great documentation. From time to time it would be good to know which roles have to be assigned how and where in the cockpit. Maybe this can be completed…
    We have finished the configuration so far and can connect to the dashboard. As soon as the dashboard is opened the following http 400 error occurs:
    https://{{{SAP_CP_HOST}}/authorization/v1/accounts/{{SAP_CPI_TENANT_TECHNICALNAME}}/groups/roles?groupName= with statusCode 400
    Is it possible that our SAP_CP_HOST or the SAP_CPI_TENANT_TECHNICALNAME is not correct?

    I checked also that we us the correct Host (Rot Europ as discribed in

    with the log trace I could find out the place from where the error comes from (see the screenshot)

    where is this group drawn from and where can I configure it?

    Thanks for a little note



    • Hi Matthias Lüthi,

      The groupname, used in the connection which is shown in your screenshot, is read from the CPI exchange header. It will be filled in the “Check autorization” local integration process. This local integration process is called whenever a call to the dashboard is done.

      (1) The roles defined in the externalized parameters are written to the Exchange’ properties. (You can define which roles a user of the dashboard should have assigned to get access to the different functionalties.

      (2) The S-User id (read from the request headers) is used to get a list of roles that are directly assigned to a user.

      (3) The S-User id is used to get a list of groups the user is assigned to. (We have to do this, because the “get roles” call only gave roles directly assigned to the user, but not the ones which are assigned indirectly via groups.)

      (4) For each group we got back, we do a call of the local integration process shown in your screenshot, to retrieve a list of roles, which are assigned to the group the user was assigned to.

      (5) Now that we have all roles of the user (the directly assigned ones as also the the ones which came via groups) we compare them with the roles defined in the externalized parameters of the IFlow to decide if a dashboard user is authorized to use the dashboard or not.

      If it still fails, you could try to activate the “Trace” mode of the IFlow and check the properties/headers if they contain valid role names. If nothing works, you can also contact me via Skype/MS Teams. (Just drop me a message here with your e-mail/skype address.)


    • Hi Matthias


      This is related to the role assignment of the user used to access this dashboard via web browser. If you use direct role assignment, then you will hit this error. The quick fix is to simply assign the user to any existing groups.


      I have submitted a pull request ( to Raffael to fix this, so that groups are not checked if user is not assigned any groups.



      Eng Swee

      • Hi all
        could solve the 403 problem; too few permissions!
        We have now implemented version 1.0.31 and have a spinning wheel of death when calling the dashboard.
        Do we still have to implement the fix with the index file?



      • Hi Eng Swee

        We tried to implement your “workaround” with the router.

        Short question abaout that:

        How should we configure the “yes” and “no” connection?

        Regads, Matthias

  • Hi Raffael,

    Thank you for this great blog post and kudo’s for the time, effort and creativity you have put into it!

    I’ve got your CPI Dashboard running now, but I still have a question. When the page is loaded initially, the CPI instance data is fetched and displayed, but doesn’t refresh/update automatically, correct? I’ve implemented a work-around by installing a page refresh plugin in the Chrome browser.

    However, when the page is automatically refreshed let’s say every 5 seconds, the underlying iFlow is also executed at the same rate. This results in a total of 12 new OAuth tokens every minute. I configured the token’s lifetime to a maximum of 1 minute, but it seems that sometimes the amount of tokens exceeds a certain maximum which results in a HTTP 401 error on client-side.

    Is there a way, without editing your integration content, to let the page refresh automatically?

    Thank you in advance!




    • Hi Rik Dingemans,

      thanks for your valuable feedback. Since I used the tool to get an overview I never tried to refresh the page that often.

      […] but it seems that sometimes the amount of tokens exceeds a certain maximum which results in a HTTP 401 error on client-side.

      Which of the OAuth token exceeds? The one for the Platform API or the one for the SAP CPI? (When setting up the IFlow you created two kinds of OAuth tokens.)

      The tokens themselves are reused during a dashboard call for multiple API calls, but you are right. They aren’t saved over multiple dashboard calls. I add this to the list for the next release. (I plan to store them in the datastore and make them reusable.)

      Regarding the refresh question. For now, it’s impossible to activate an “auto-refresh”. But I’ll add it also to the list for the upcoming release. (If you want to implement it yourself, you should add some javascript timer in the website’s code. Sources are available on Github…)


      • Hi Raffael Herrmann

        Thank you for your prompt reply. The SAP CPI token exceeds randomly, sometimes I have to mass-revoke all generated tokens.

        I will try and find a proper Javascript timer to put into the code.

        Thanks again,



        • Hi Rik Dingemans

          the rows 823-839 of the index.html trigger the data retrieval for the dashboard. You could extract this lines into a new function like

          function loadDashboardData(){
            //content of lines 823-838

          Then just place a function call to this function in line 823. As next step, add a new timer in line 824 (behind the loadDashboardData call) with the following code:

          //Call dashboard data every 10 seconds
          setInterval(loadDashboardData, 10000);

          After that call the build script over here. It will output a file to /dist/staticContent.groovy. Open this file and copy the Base64 block into the file with the same name in the following directory: /IFlow/Source/src/main/resources/script. At the end zip the /IFlow/Source directory. Et voilà – you have a patched dashboard. 😉


          • Hi Raffael,

            Thanks for this suggestion. I followed your steps, but unfortunately the Dashboard is now unresponsive with a ‘spinning wheel of death’ in it:


            I will try and do some bugfixing when I find the time 😉



            Rik Dingemans

          • I don’t know how fit you are in the field of web development, so maybe this is nothing new for you. But have you tried pressing F12 in your browser? This should bring up the developer tools. Switch to the “console” tab and search for errors in the main page. If you found something suspicious, click on the line number at the right hand of the error line. This will bring you to the code view, where you can set break points to debug the site. Otherwise wait for the next release. 😉

          • Hi Raffael,

            Found the issue! I did a copy-paste of your code:

            //Call dashboard data every 10 seconds
            setInterval(loadDashboarData, 10000);

            And just found out that I also copied the small typo:

            loadDashboarData instead of loadDashboardData

            Refreshing works like a charm now! Thank you for your help!


  • Hi Raffael,

    Thanks for your Blog, that’s really great ..

    i dowloaded the latest iflow from the below url – – 1.0.3


    and configured as mentioned in your blog, how ever i am getting the below error in the step show in the below screenshot  ..

    org.apache.camel.component.ahc.AhcOperationFailedException: HTTP operation failed invoking with statusCode: 401


    i did follow your reply to Philippe  and tested the client id and Secret in postman, which is successful.

    i used the same url, client id and client secret in the security meterial as per below screenshot:

    but i am not able to understand why i am getting this error..

    below is the screenshot of the Receiver configuration.

    also .. when i tested the url ( with statusCode: 401 ) in postman.. i got 401 error.



    • Hi Pradeep,

      If the call doesn’t work in postman, than it’s an authorization issue. Can you double check that you use the correct OAuth credentials? (You should have created two pairs. One for CPI access and one for CP/Platform access. You should use the one for CP/Platform here.)

      Also double check, that you grated all needed roles/access types when creating the OAuth credentials pair.

      If nothing helps, let me know. I’m on vacation for the next 2 weeks, but if you like, we can have a Skype/Teams session after my vacation to figure out together what’s going wrong.

      Best regards

  • Hi Raffael,

    Thanks for your prompt reply,

    >>>Can you double check that you use the correct OAuth credentials? (You should have created two pairs. One for CPI access and one for CP/Platform access. You should use the one for CP/Platform here.)

    i have used the same OAuth credentials that i have used in the postman, In postman i got 200 status back. below are the screenshots.

    CP/Platform access

    CPI access


    >>Also double check, that you grated all needed roles/access types when creating the OAuth credentials pair

    i believe i have all the roles, let me know if i miss any role (from the below screenshots).



    Pradeep A.

    • Hi Pradeep,

      If the Postman calls to the token endpoints work, than your credentials (combination out of client id and client secret) are fine. But if the actual call against the API for getting the user roles fail, then your credentials might have a scope issue. That’s what I meant when I said that you should check the scope/authorization of the OAuth credentials. (Theory: An OAuth credential pair gives you general access to an API. Since someone shouldn’t use all functions of an API it is controlled via so called scopes, which API functions an user can access/use.)

      So please check if your OAuth user for the platform API has the scopes to read the authorization and management API. Therefore check the following screenshots.



      Best regards

  • It’s not entirely clear the roles that are required for the OAuth client that accesses CPI’s OData APIs (Credential SAP_CPI_AUTH_API_CREDENTIALS_OAUTH – Group 2)

    After some troubleshooting and referring to Tasks and Permissions, I nailed it down to the following two roles (if you do not want to provide broad-based roles to the OAuth client user).


    • Hi Eng Swee,

      Thanks for your help. As I see from all the problems it seems that my installation instructions are not as clear as I wished them to be. (Especially because practically  the setup isn’t that hard.)

      I will rewrite this article when I’m back from my vacation and try to point out some steps more clearly. (Also I’m thinking about writing a small desktop tool which acts as guided setup.)

      Regards, Raffael