Skip to Content
Technical Articles
Author's profile photo Raffael Herrmann

How to install and configure the RealCore CPI dashboard

This blog post is the second part of the series about our RealCore SAP CPI dashboard tool. It deals with the installation and configuration of the dashboard tool. You can find the first article, which is about the capabilities and features of the dashboard, over here:
Advanced monitoring and health check with RealCore’s CPI Dashboard

Before we start, let’s have a quick look on the restrictions while installing and using the dashboard.

Restrictions

Since the Cloud Foundry (CF) variant of SAP CPI as of now doesn’t send the WWW-Authenticate-header, the IFlow isn’t usable via webbrowser. Thus the dashboard isn’t supported on SAP CPI on CF environments for now because the dashboard’s webinterface itself is delivered via an IFlow and thus need a webbrowser-friendly authentication method.

Installation

Since the complete dashboard and all its code is packed into one single Integration Flow (IFlow), the installation of the dashboard is done within minutes.

At first you should download the current release from our Github repository. You can find latest release here: https://github.com/codebude/cpi-dashboard/releases

Next you should open your SAP CPI tenant, switch to the Design-perspective and create/choose the package you want to place the monitoring IFlow into. Then edit the package, switch to the Artifacts-tab and click Add, to upload the beforehand downloaded SAP CPI Dashboard release.

That’s it for the installation part. In the next section we will deal with the configuration.

Configuration

All things that need to be configured can be maintained via “Externalized Parameters”. Thus, it is not necessary to make changes to the IFlow itself or its code. Some of the externalized parameters are used multiple times and therefore only need to be maintained once. So trust me – it’s not that much to configure.

To start the configuration, we switch to the configuration perspective now.

Let’s have a look onto the different parameters which have to be set…

Sender configuration

On the Sender-tab you will find one system with multiple adapters (since the IFlow has multiple endpoints), but you have to configure only one parameter, because it is used in all sender channels.

Parameter Name: DASHBOARD_URL_BASE

How to set: Set this parameter to an url-slug you personally prefer. It will be the base url of all endpoints of the IFlow.

Receiver configuration

On the Receiver-tab you will find three Receivers (SAP_CP = general Cloud Platform APIs, SAP_CPI = Cloud Platform Integration specific APIs, MAIL_SERVER = e-mail server to send out alerts) with 3 (SAP_CP), 7 (SAP_CPI) and 1 (MAIL_SERVER) channel. We will consider the different receiver systems separately.

Receiver – SAP_CP

All three SAP_CP receivers share the same configuration parameters. Thus you only have to do the configuration for one of the HTTP channels.

Parameter Name: SAP_CP_HOST

How to set: This must be set to the hostname of your SAP Cloud Platform API host. It is build like:

api.{regional hostname}

The {regional hostname} depends on the region your Cloud Platform account sits in. A list of possible hostnames can be found here: https://help.sap.com/viewer/ed6ce7a29bdd42169f5f0d7868bce6eb/Cloud/en-US/0a7d8fb9bc2c4bbd9355146722adc8a1.html 


Parameter Name: SAP_CPI_TECHNICALNAME

How to set: This should be set to the technical name of your SAP CPI tenant. You will find the technical name in the Cloud Platform Cockpit via Region –> Global Account –> SAP CPI Subaccount.

At the bottom of the subaccount page you will find the technical name of your SAP CPI tenant.

Explanation: This credentials are used to query the authorization and management api to retireve a list of roles for the dashboard user/caller. The roles itself are needed to show/hide different functions of the dashboard.


Parameter Name: Credential Name/SAP_CP_AUTH_API_CREDENTIALS

How to set: Enter the name of the security material/credentials which contains the credentials for the SAP Cloud Platform Authorization Management API. Note: If you haven’t used the Authorization Management API before, you have to create an account first. Create the OAuth credentials as described here and here. Then store the OAuth credentials in your SAP CPI’s security material section and enter the name of the security material as the needed configuration parameter.

Receiver – SAP_CPI

In opposite to the SAP_CP receivers not all of the SAP_CPI receivers share the same configuration parameters. The channels can be divided in two groups. The first group is calling urls to “/itspaces/odata/…” and the second group to “/api/v1/…”.

The screenshot below shows how you can differentiate the groups. Ensure that you configure at least one channel of each group from the screenshot.

Parameter Name (Group): SAP_CPI_HOST (Group 1)

How to set: Set this to the hostname of your SAP CPI tenant management node. Take the screenshot below for example.

 


Parameter Name (Group): Credential Name/SAP_CPI_AUTH_API_CREDENTIALS_BASICAUTH (Group 1)

How to set: Enter the name of the security material/credentials which contains user and password (S-User/technical S-User) of an account which has sufficient rights to access the SAP CPI tenant.

Explanation: This credentials are used to access some unofficial SAP CPI APIs (the ones which are used by the SAP CPI webinterface itself) to retrieve a list of runtime and designtime artifacts.


Parameter Name (Group): Credential Name/SAP_CPI_AUTH_API_CREDENTIALS_OAUTH (Group 2)

How to set: Enter the name of the security material/credentials which contains the OAuth credentials for the SAP CPI OData API.
Note: If you haven’t used the SAP CPI OData API via OAuth before, you have to create a set of OAuth credentials first. Check this article which describes how to setup the credentials. (Basically it’s the same like you did before for the Auth&Management API, but this time you use the “Clients”-tab instead of the “Platform API”-tab in the OAuth section of your CPI-subaccount.) When creating the credentials you need to assign at least the following two rules:

  • NodeManager.read
  • IntegrationOperationServer.read

Then store the OAuth credentials in your SAP CPI’s security material section and enter the name of the security material as the needed configuration parameter.
Attention: Since Dashboard version 1.0.2 the credential has to be stored in a security material of type “OAuth2 Credentials”!

Explanation: This credentials are used to query the MessageProcessingLogs-resource (and more) of the SAP CPI OData API which is used to retrieve the message volume/counts.

Receiver – Mail Server

This part of the cofiguration is optional. You only have to configure this receiver, if you want to use the alerting feature of the RealCore CPI Dashboard.

If you want to use the dashboard’s alerting engine, configure a valid mail server here. The dashboard will use it to send out alerting mails. If you don’t want to use the alerting engine, you can fill out the configuration with dummy values.

More(-Configuration)

Congratulations, if you managed to get to this point – the hardest part of the configuration is done. On the “More”-tab you have to configure some more parameters.

Parameter Name: ALERT_MAIL_SENDER

How to set: If you plan to use the alerting engine of the dashboard, then you can set up the mail address here which should be shown as sender/origin of the alert mails.


Parameter Name: CACHE_DATASTORE_NAME

How to set: You can set this parameter to any value. It defines the name of the Datastore which is used by dashboard to cache the message count information. So ideally choose a name that is not yet in use as well as one that fits your naming conventions for datastores.


Parameter Name: CPU_USAGE_MESEASUREMENT_TIME_IN_MS

How to set: This values describes the measured interval for CPU utilization in milliseconds. (To measure the utilization of CPU the CPU time is read out twice. The higher the interval, the better the CPU usage results in dashboard. But on the same side – the higher the interval, the longer the dashboard loading time. Everything higher than 1000 should be fine.


Parameter Name: ROLE_GENERAL_ACCESS

How to set: Define the name of the role a dashboard user must have assigned to get access to the dashboard. When the IFlow is called it checks if the user has the role defined here. If not, it blocks access to the dashboard. If you want to work with your own rules, read this article of mine, which describes custom role handling.


Parameter Name: ROLE_LOG_AND_FILE_ACCESS

How to set: Define the name of the role a dashboard user must have assigned to view and download logfiles via the dashboard. When the IFlow is called it checks if the user has the role defined here. If not, it hides the logfiles section in the dashboard and blocks file download requests. If you want to work with your own rules, read this article of mine, which describes custom role handling.


Parameter Name: ROLE_SECURITY_MAT_ACCESS

How to set: Define the name of the role a dashboard user must have assigned to view security material/credentials. When the IFlow is called it checks if the user has the role defined here. If not, it hides the security material section in the dashboard and blocks manually executed calls to the secmat-service. If you want to work with your own rules, read this article of mine, which describes custom role handling.

Parameter Name:DIFF_REMOTE_CPI_TENANTS

How to set: This parameter is optional. You can enter connection data for multiple remote CPI tenants (separated by 😉 here. The tenants configured here will be used for the dashboard’s IFlow comparison tool. Each remote system has to be entered in the format: <hostname of tenant>|<name of security material>
Example: If your remote tenant is available via “https://x0815-tmn.hci.eu1.hana.ondemand.com/itspaces” and you have created a security material containing an S-User with password in your current tenant named “CPI_x0815_CREDENTIALS” then you should enter the following into the DIFF_REMOTE_CPI_TENANTS field:

x0815-tmn.hci.eu1.hana.ondemand.com|CPI_x0815_CREDENTIALS

If you want to connect multiple remote tenants, just separate the tenant entries by use of a semicolon (;).

Timer(-Configuration)

If you plan to use the alerting engine, you can configure here how often the engine should check for errors. Regardless of the interval you configure, the engine will check the complete time interval since the last check. So by setting a larger interval in the timer, you just configure how often you will receive mails.

Deployment and Usage

Now that we have finalized the configuration, we have to deploy the IFlow. Either click on the Deploy-button from the configuration page or use the deploy option from the package view.

After the successful deployment, switch to the operations view of your SAP CPI tenant and go to the Manage Integration Content -> All-perspective. Search for the dashboard IFlow. From here you can find the dashboard’s url. Copy the url and open it in a (modern) web browser.

Summary

Now we have reached the end of the second article. I hope you have successfully set up the RealCore Dashboard on your SAP CPI tenant. If there are problems or questions, just write a comment. I’m sure together we can figure out what went wrong.

Assigned Tags

      107 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Manoj K
      Manoj K

      Thanks Raffael, for this wonderful opensource tool.

      Author's profile photo Jonathan Prow
      Jonathan Prow

      Hi Raffael,

      Thank you for providing cpi dashboard. We are getting the following error when attempting to access the dashboard for the first time.

      HTTP operation failed invoking https://api.us3.hana.ondemand.com/authorization/v1/accounts/ewc3bf1d/users/roles?userId=0007770116 with statusCode: 401

       

      Any ideas?

       

      -Jon

      Author's profile photo Raffael Herrmann
      Raffael Herrmann
      Blog Post Author

      Hi Jon Prow,

      this error looks like it comes from the IFlow's call to the authorization & management api. This call is done by the IFlow to get a list of roles of the S-User which is calling/opening the dashboard. If you get a 401 error for the auth & management api call, you may have a problem with the "platform api'-oauth credentials which you should have set up while configuring the dashboard.

      You can do two things now:

      1. Double check, that you passed the correct credentials in the IFlow configuration for the parameter SAP_CP_AUTH_API_CREDENTIALS
      2. Take the URL from the error message, use a tool like Postman and try to call the url with the auth & management api OAuth credentials. If it works in Postman, something with the IFlow is wrong. If it doesn't work in Postman, you may have made a mistake while setting up the API credentials.

      Regards,
      Raffael

      Author's profile photo Philippe Addor
      Philippe Addor

      Hi Raffael

       

      Unfortunately, I have the same problem. I am trying with Postman but get the 401 there too.

      I’m doing a POST call to URL (S-user censored):

      https://api.eu1.hana.ondemand.com/authorization/v1/accounts/a304c76af/users/roles?userId=S00190126xx

      For the login (basic auth), I’m using the credentials that I got when I created the “Platform API” Oauth Client. Is that both correct?

      Thank you,

      Philippe

      Author's profile photo Jonathan Prow
      Jonathan Prow

      Hey Raffael,

      I assume its related to my configuration, but I think I am close.  Here is our error:

       

      Error text: HTTP operation failed invoking https://oauthasservices-<consumer-account>.hana.ondemand.com/oauth2/api/v1/token?grant_type=client_credentials with statusCode: 503

       

      When I put url in Postman it doesn't work, but if i add the landscape host name in the url I am able to receive an access token.

      https://oauthasservices-<consumer-account>.us3.hana.ondemand.com/oauth2/api/v1/token?grant_type=client_credentials

      Ideas?

       

      Thanks,

      -Jon

      Author's profile photo Jonathan Prow
      Jonathan Prow

      Update - I am able to get in with adding the landscape host to the http connection to SAP_CPI from Integration Process / Collect system status and Integration Process / Read security material

       

      -Jon

      Author's profile photo Raffael Herrmann
      Raffael Herrmann
      Blog Post Author

      Hi Jon,

      thanks for your effort and your feedback. I think I see what you meant. There are two http channels which call "". Unfortunately I missed to make them region aware.

      Instead of changing the IFlow itself, it should be possible to add the region key (as defined here: https://bit.ly/2zp82KR ) to the parameter SAP_CPI_TENANT_TECHNICALNAME. (This should be possible, because the parameter is only used in those two channels and sits right in front of the url part where the region selector should be.

      So if your tenant technical name looks like "abc1234" and your are placed in "US East (Ashburn)" datacenter (see link above), than the SAP_CPI_TENANT_TECHNICALNAME should be set to "abc1234.us1".

      In the next version/update, I will fix this issue.

       

      Regards,
      Raffael

      Author's profile photo Jonathan Prow
      Jonathan Prow

      Thats what I tried initially, but there is other configuration that uses SAP_CPI_TENANT_TECHNICALNAME that is impacted.  For example the HTTP connection to SAP_CP in the Check authorization integration.

      Thanks for the help, looking forward to the next release.

      -Jon

      Author's profile photo Raffael Herrmann
      Raffael Herrmann
      Blog Post Author

      Oh, I see... But since the region-aware hostname, which is needed for the OAuth token calls is exactly the same like the {{SAP_CP_HOST}}, just without the leading "api.", we can re-use this variable. I just setup a small new release, which uses the SAP_CP_HOST-parameter and does an substring on that. Thus the existing configuration doesn't have to be changed.

      You can find the release here: https://github.com/codebude/cpi-dashboard/releases Feedback is appreciated. Thanks for your help again.

      Author's profile photo Philippe Addor
      Philippe Addor

      Hi Jon

      Your userId seems to be lacking the S-prefix. Maybe it's that?

      That is pulled from the security material entry for the parameter SAP_CPI_AUTH_API_CREDENTIALS_BASICAUTH (Group 3)

      However, in my case I have the prefix there and it still doesn't work.

      Philippe

      Author's profile photo Raffael Herrmann
      Raffael Herrmann
      Blog Post Author

      Hi Philippe,

      I think this is an fault in my implementation. At two points/communication channels, I forgot to make the url region-aware. Please check the new release, which should be region aware and let me know if this solves your trouble: https://github.com/codebude/cpi-dashboard/releases

      Regards,
      Raffael

      Author's profile photo Philippe Addor
      Philippe Addor

      Hi Raffael

       

      I deployed the new version and configured it again. Unfortunately, I still get:

      HTTP operation failed invoking https://api.eu1.hana.ondemand.com/authorization/v1/accounts/a304c76af/users/roles?userId=S0019012678 with statusCode: 401

       

      Could it be a wrong credential? But then, why error 401..?

       

      Author's profile photo Raffael Herrmann
      Raffael Herrmann
      Blog Post Author

      Hi Philippe Addor ,

      if your OAuth credentials are wrong, it would be a 401 (=Unauthorized) - it's the default behaviour. The call which fails for you is this one:

      If you check the configuration settings of the connector, you see that it uses "Authentication: OAuth2 Client Credentials" mode. When using this mode, the adapter takes the client credentials pair which you created in the security material section. Then it makes a call against the token endpoint which is part of the credential settings:

      This token endpoint responds with an Bearer token, which is then used to call the endpoint url which was configured in the communication channel. If the OAuth credentials are wrong, are missing grants or the token endpoint is wrong, you may get the 401 Unauthorized error you have seen.

      If you want to check, if your OAuth credentials are correct, you could use a tool like Postman. The screenshot below shows the configuration. You should choose Authorization mode "Basic Auth", then copy Client ID and Client Secret from the Security Material (screenshot above). The copy the "Token Service URL" as configured in the security material and add "?grant_type=client_credentials".

      If you click the "Send"-button, you should see a token response in the lower half of the Postman window. In addition you should see "Status 200 OK". If you get an "Status 401" (what I assume will happen), then you should re-check your credentials and re-create them like shown here: https://blogs.sap.com/2019/08/28/authorization-management-api-in-sap-cloud-platform/

      Regards,
      Raffael

      Author's profile photo Philippe Addor
      Philippe Addor

      Thanks Raffel for the comprehensive explanation! I think there are several issues:

      1. I made the mistake to mix up the security material for the different configuration parameters. I believe your channel configuration description in this blog differs at least from the latest version of the iflow. The HTTP channel groups on the image do not apply anymore.
      2. There seems to be a problem with getting the Message Processing Log and the Runtime Artifacts: the two channels in the corresponding flow steps have the setting "Authentication = None" in the Iflow. I have changed this to Basic, and voila, it works now for me!

        Before, the MPL had no Credential parameter, unlike described above (see below "SAP_CPI_AUTH_API_CREDENTIALS (Group 2)")

      However, I don't yet fully understand the difference between the Platform API Client and the "standard" Oauth client, as well as when to use Basic Auth and when Oauth (still learning... 🙂 ). So maybe my change would be unnecessary and there is still a mix-up in Security Material in the different configurations. Or maybe instead of using Basic, I should use the Oauth Client.

       

      Author's profile photo Raffael Herrmann
      Raffael Herrmann
      Blog Post Author

      Hi Philippe,

      thanks for investing your time to test our tool. Glad to hear that it finally runs for you. Regarding your points...

      1. You're right. The screenshot with the groups was wrong. If fixed it right now in the blog post. It seems like when saving the IFlow in the new version, the channel/parameter list was just randomly mixed up... (Note to myself - re-check the channel order and update the blog post for each update.)
      2. Nice to hear that it works. But it was correct that the channels had no auth. For accessing the MessageProcessingLog-api (MPL-api) I used the OAuth logon mode. You can see that at the beginning of the main process ("Integration Process / Collect system status") there is a call named "Get Bearer token". At this point the CPI OAuth credential pair is used to get an access token. This token then later is used when calling the MPL api. (It is added to the request headers via script steps direct before doing the MPL call.) You solution works also, because the MPL can be accessed via BasicAuth, too. I just used OAuth, because it's the preferred way to access this API.

      Now let's come to your questions concerning all the API keys.

      However, I don’t yet fully understand the difference between the Platform API Client and the “standard” Oauth client, as well as when to use Basic Auth and when Oauth (still learning… ? ).

      We are dealing with three types of API in the dashboard. All of them need different credentials.

      1. Authorization and Management API: This API is used to query the roles assigned to a user. Since users are managed on SAP Cloud Platform level and are not specifically handled via your specific SAP CPI tenant/instance, we need credentials on the SAP Cloud Platform (SAP CP) level. That's why we create an OAuth credentials pair on "Platform API" level.
      2. SAP CPI OData API: This official API allows you to access different things of a specific SAP CPI tenant. (Think of the CPI as specific application which runs on the more generic Cloud Platform). That's why we need to create an own OAuth credential pair for this API calls and assign it to the SAP CPI application. (You can get a list of all SAP CPI OData apis here: https://api.sap.com/package/CloudIntegrationAPI?section=Artifacts )
      3. itspaces/workspace.svc API: This is an unofficial API. It's the API which is called via the SAP CPI website/webbackend. E.g. If you click on create a new IFlow, this API is called in background. We need this API to get a list of all the designtime content/IFlows because this information is not available via the official OData APIs. Since this API is not official and since it normally is used only when someone uses the website, we use the BasicAuth logon mode here. The credential pair should have the same rights as a user which uses the SAP CPI webbackend regularly.

      Hopefully this clarifies some of your open points. Have a nice
      Sunday!

      Regards,
      Raffael

      Author's profile photo Philippe Addor
      Philippe Addor

      Hi Raffael

      Thanks a lot for the explanation! It makes sense now. And I will some time try to find out why the bearer token is not working in my case, just for the sake of my own learning.

      Best Regards,

      Philippe

      Author's profile photo Prabhakar Teegavarapu
      Prabhakar Teegavarapu

      Thanks Raffael,

      Thats an excellent work.

      I miss something here

      https://api.{landscapeHost}/authorization/v1/accounts/{accountName}/users/roles

        401

      unauthorized.

       

       

      Author's profile photo Raffael Herrmann
      Raffael Herrmann
      Blog Post Author

      Hi Prabhakar,

      did you see the new release 1.0.1? (https://github.com/codebude/cpi-dashboard/releases/tag/1.0.1) It fixes some of the connection errors.

      If you already use the current release, than it might be a problem with your OAuth credentials. Can you try to call the faulty url manually via Postman an check if you get the error there too?

      Regards,
      Raffael

      Author's profile photo Prabhakar Teegavarapu
      Prabhakar Teegavarapu

      Hi Raffael,

       

      I am using the latest code. i get this response when i paste the url in the browser

      {"code":"42xxxxx8-286e-45f6-a0ca-9xxxxxxxxxx1"}
      Author's profile photo Raffael Herrmann
      Raffael Herrmann
      Blog Post Author

      Hi Prabhakar Teegavarapu,

      posting the url in a regular webbrowser give this "code"-responses. That's correct, because when using a regular webbrowser the call is missing the needed token headers. Thus a webbrowser is not an appropriate tool to evaluate if your credentials are right.

      Please read this comment I wrote for Philippe. It explains how to check your OAuth credentials via Postman. It may help to find out what is going wrong on your side.

      Regards,
      Raffael

      Author's profile photo Venu Ravipati
      Venu Ravipati

      Thank you Raffael Herrmann for sharing this awesome work.

      Liked it a lot.

      Best Regards,
      Venu

       

      Author's profile photo Matthias Lüthi
      Matthias Lüthi

      Hi Raffael Herrmann

      we are currently configuring the RealCore CPI dashboard on our test cpi.
      so far everything worked fine and thanks for the great documentation. From time to time it would be good to know which roles have to be assigned how and where in the cockpit. Maybe this can be completed…
      We have finished the configuration so far and can connect to the dashboard. As soon as the dashboard is opened the following http 400 error occurs:
      https://{{{SAP_CP_HOST}}/authorization/v1/accounts/{{SAP_CPI_TENANT_TECHNICALNAME}}/groups/roles?groupName= with statusCode 400
      Is it possible that our SAP_CP_HOST or the SAP_CPI_TENANT_TECHNICALNAME is not correct?

      I checked also that we us the correct Host (Rot Europ as discribed in  https://help.sap.com/viewer/ed6ce7a29bdd42169f5f0d7868bce6eb/Cloud/en-US/0a7d8fb9bc2c4bbd9355146722adc8a1.html)

      with the log trace I could find out the place from where the error comes from (see the screenshot)

      where is this group drawn from and where can I configure it?

      Thanks for a little note

      Regards

      Matthias

      Author's profile photo Raffael Herrmann
      Raffael Herrmann
      Blog Post Author

      Hi Matthias Lüthi,

      The groupname, used in the connection which is shown in your screenshot, is read from the CPI exchange header. It will be filled in the "Check autorization" local integration process. This local integration process is called whenever a call to the dashboard is done.

      (1) The roles defined in the externalized parameters are written to the Exchange' properties. (You can define which roles a user of the dashboard should have assigned to get access to the different functionalties.

      (2) The S-User id (read from the request headers) is used to get a list of roles that are directly assigned to a user.

      (3) The S-User id is used to get a list of groups the user is assigned to. (We have to do this, because the "get roles" call only gave roles directly assigned to the user, but not the ones which are assigned indirectly via groups.)

      (4) For each group we got back, we do a call of the local integration process shown in your screenshot, to retrieve a list of roles, which are assigned to the group the user was assigned to.

      (5) Now that we have all roles of the user (the directly assigned ones as also the the ones which came via groups) we compare them with the roles defined in the externalized parameters of the IFlow to decide if a dashboard user is authorized to use the dashboard or not.

      If it still fails, you could try to activate the "Trace" mode of the IFlow and check the properties/headers if they contain valid role names. If nothing works, you can also contact me via Skype/MS Teams. (Just drop me a message here with your e-mail/skype address.)

      Regards,
      Raffael

      Author's profile photo Matthias Lüthi
      Matthias Lüthi

      Hi Raffael

      Thx for the replay.

      Was on holiday and check this asap

      Regards,

      Matthias

      Author's profile photo Eng Swee Yeoh
      Eng Swee Yeoh

      Hi Matthias

       

      This is related to the role assignment of the user used to access this dashboard via web browser. If you use direct role assignment, then you will hit this error. The quick fix is to simply assign the user to any existing groups.

       

      I have submitted a pull request (https://github.com/codebude/cpi-dashboard/pull/2) to Raffael to fix this, so that groups are not checked if user is not assigned any groups.

       

      Regards

      Eng Swee

      Author's profile photo Matthias Lüthi
      Matthias Lüthi

      Hi all
      could solve the 403 problem; too few permissions!
      We have now implemented version 1.0.31 and have a spinning wheel of death when calling the dashboard.
      Do we still have to implement the fix with the index file?

      Regards

      Matthias

      Author's profile photo Matthias Lüthi
      Matthias Lüthi

      Hi Eng Swee

      We tried to implement your "workaround" with the router.

      Short question abaout that:

      How should we configure the "yes" and "no" connection?

      Regads, Matthias

      Author's profile photo Matthias Lüthi
      Matthias Lüthi

      Hi all Problem solved

      the user in the security material was not match with the config in the receiver configuration

      Regards,

      Matthias

      Author's profile photo R. Dingemans
      R. Dingemans

      Hi Raffael,

      Thank you for this great blog post and kudo's for the time, effort and creativity you have put into it!

      I've got your CPI Dashboard running now, but I still have a question. When the page is loaded initially, the CPI instance data is fetched and displayed, but doesn't refresh/update automatically, correct? I've implemented a work-around by installing a page refresh plugin in the Chrome browser.

      However, when the page is automatically refreshed let's say every 5 seconds, the underlying iFlow is also executed at the same rate. This results in a total of 12 new OAuth tokens every minute. I configured the token's lifetime to a maximum of 1 minute, but it seems that sometimes the amount of tokens exceeds a certain maximum which results in a HTTP 401 error on client-side.

      Is there a way, without editing your integration content, to let the page refresh automatically?

      Thank you in advance!

      Regards,

      Rik

       

      Author's profile photo Raffael Herrmann
      Raffael Herrmann
      Blog Post Author

      Hi Rik Dingemans,

      thanks for your valuable feedback. Since I used the tool to get an overview I never tried to refresh the page that often.

      [...] but it seems that sometimes the amount of tokens exceeds a certain maximum which results in a HTTP 401 error on client-side.

      Which of the OAuth token exceeds? The one for the Platform API or the one for the SAP CPI? (When setting up the IFlow you created two kinds of OAuth tokens.)

      The tokens themselves are reused during a dashboard call for multiple API calls, but you are right. They aren't saved over multiple dashboard calls. I add this to the list for the next release. (I plan to store them in the datastore and make them reusable.)

      Regarding the refresh question. For now, it's impossible to activate an "auto-refresh". But I'll add it also to the list for the upcoming release. (If you want to implement it yourself, you should add some javascript timer in the website's code. Sources are available on Github...)

      Regards,
      Raffael

      Author's profile photo R. Dingemans
      R. Dingemans

      Hi Raffael Herrmann

      Thank you for your prompt reply. The SAP CPI token exceeds randomly, sometimes I have to mass-revoke all generated tokens.

      I will try and find a proper Javascript timer to put into the code.

      Thanks again,

      Regards,

      Rik

      Author's profile photo Raffael Herrmann
      Raffael Herrmann
      Blog Post Author

      Hi Rik Dingemans

      the rows 823-839 of the index.html trigger the data retrieval for the dashboard. You could extract this lines into a new function like

      function loadDashboardData(){
        //content of lines 823-838
      }

      Then just place a function call to this function in line 823. As next step, add a new timer in line 824 (behind the loadDashboardData call) with the following code:

      //Call dashboard data every 10 seconds
      setInterval(loadDashboardData, 10000);

      After that call the build script over here. It will output a file to /dist/staticContent.groovy. Open this file and copy the Base64 block into the file with the same name in the following directory: /IFlow/Source/src/main/resources/script. At the end zip the /IFlow/Source directory. Et voilà – you have a patched dashboard. ?

      Regards,
      Raffael

      Author's profile photo R. Dingemans
      R. Dingemans

      Hi Raffael,

      Thanks for this suggestion. I followed your steps, but unfortunately the Dashboard is now unresponsive with a 'spinning wheel of death' in it:

       

      I will try and do some bugfixing when I find the time 😉

      Cheers!

      Regards,

      Rik Dingemans

      Author's profile photo Raffael Herrmann
      Raffael Herrmann
      Blog Post Author

      I don't know how fit you are in the field of web development, so maybe this is nothing new for you. But have you tried pressing F12 in your browser? This should bring up the developer tools. Switch to the "console" tab and search for errors in the main page. If you found something suspicious, click on the line number at the right hand of the error line. This will bring you to the code view, where you can set break points to debug the site. Otherwise wait for the next release. 😉

      Author's profile photo R. Dingemans
      R. Dingemans

      Hi Raffael,

      Found the issue! I did a copy-paste of your code:

      //Call dashboard data every 10 seconds
      setInterval(loadDashboarData, 10000);

      And just found out that I also copied the small typo:

      loadDashboarData instead of loadDashboardData

      Refreshing works like a charm now! Thank you for your help!

      Regards,
      Rik

      Author's profile photo Pradeep Amisagadda
      Pradeep Amisagadda

      Hi Raffael,

      Thanks for your Blog, that's really great ..

      i dowloaded the latest iflow from the below url - https://github.com/codebude/cpi-dashboard/releases - 1.0.3

       

      and configured as mentioned in your blog, how ever i am getting the below error in the step show in the below screenshot  ..

      org.apache.camel.component.ahc.AhcOperationFailedException: HTTP operation failed invoking https://api.XXX.hana.ondemand.com/authorization/v1/accounts/XXXXXXXXX/users/roles?userId=P2XX16XXXXX with statusCode: 401

       

      i did follow your reply to Philippe  and tested the client id and Secret in postman, which is successful.

      i used the same url, client id and client secret in the security meterial as per below screenshot:

      but i am not able to understand why i am getting this error..

      below is the screenshot of the Receiver configuration.

      also .. when i tested the url ( https://api.XXX.hana.ondemand.com/authorization/v1/accounts/XXXXXXXXX/users/roles?userId=P2XX16XXXXX with statusCode: 401 ) in postman.. i got 401 error.

      Regards,

      Pradeep.

      Author's profile photo Raffael Herrmann
      Raffael Herrmann
      Blog Post Author

      Hi Pradeep,

      If the call doesn't work in postman, than it's an authorization issue. Can you double check that you use the correct OAuth credentials? (You should have created two pairs. One for CPI access and one for CP/Platform access. You should use the one for CP/Platform here.)

      Also double check, that you grated all needed roles/access types when creating the OAuth credentials pair.

      If nothing helps, let me know. I'm on vacation for the next 2 weeks, but if you like, we can have a Skype/Teams session after my vacation to figure out together what's going wrong.

      Best regards

      Author's profile photo Pradeep Amisagadda
      Pradeep Amisagadda

      Hi Raffael,

      Thanks for your prompt reply,

      >>>Can you double check that you use the correct OAuth credentials? (You should have created two pairs. One for CPI access and one for CP/Platform access. You should use the one for CP/Platform here.)

      i have used the same OAuth credentials that i have used in the postman, In postman i got 200 status back. below are the screenshots.

      CP/Platform access

      CPI access

       

      >>Also double check, that you grated all needed roles/access types when creating the OAuth credentials pair

      i believe i have all the roles, let me know if i miss any role (from the below screenshots).

       

      Regards,

      Pradeep A.

      Author's profile photo Raffael Herrmann
      Raffael Herrmann
      Blog Post Author

      Hi Pradeep,

      If the Postman calls to the token endpoints work, than your credentials (combination out of client id and client secret) are fine. But if the actual call against the API for getting the user roles fail, then your credentials might have a scope issue. That's what I meant when I said that you should check the scope/authorization of the OAuth credentials. (Theory: An OAuth credential pair gives you general access to an API. Since someone shouldn't use all functions of an API it is controlled via so called scopes, which API functions an user can access/use.)

      So please check if your OAuth user for the platform API has the scopes to read the authorization and management API. Therefore check the following screenshots.

       

       

      Best regards

      Author's profile photo Eng Swee Yeoh
      Eng Swee Yeoh

      It's not entirely clear the roles that are required for the OAuth client that accesses CPI's OData APIs (Credential SAP_CPI_AUTH_API_CREDENTIALS_OAUTH - Group 2)

      After some troubleshooting and referring to Tasks and Permissions, I nailed it down to the following two roles (if you do not want to provide broad-based roles to the OAuth client user).

      • NodeManager.read
      • IntegrationOperationServer.read

      Author's profile photo Raffael Herrmann
      Raffael Herrmann
      Blog Post Author

      Hi Eng Swee,

      Thanks for your help. As I see from all the problems it seems that my installation instructions are not as clear as I wished them to be. (Especially because practically  the setup isn't that hard.)

      I will rewrite this article when I'm back from my vacation and try to point out some steps more clearly. (Also I'm thinking about writing a small desktop tool which acts as guided setup.)

      Regards, Raffael

      Author's profile photo Eng Swee Yeoh
      Eng Swee Yeoh

      No problem, Raffael. Have a good vacation 😉

      Author's profile photo Dijesh Tanna
      Dijesh Tanna

      Hello Raffael,

       

      We are getting following error while calling the dashboard.

       

      https://xxxxxx.hci.xxx.hana.ondemand.com/api/v1/MessageProcessingLogs/$count?$filter=LogStart%20ge%20datetime'2019-10-08T00:00:00.000'%20and%20LogStart%20le%20datetime'2019-10-08T23:59:59.999' with statusCode: 401

       

      I checked both the Platform & Client token URL. I'm able to get back the token using postman.

       

      Thanks

      Author's profile photo Raffael Herrmann
      Raffael Herrmann
      Blog Post Author

      Hi Dijesh Tanna ,

      that's an authorization problem. Have you checked, that the OAuth user has enough "rights"? Please check Eng Swee's comment: https://blogs.sap.com/2019/08/22/how-to-install-and-configure-the-realcore-cpi-dashboard/comment-page-1/#comment-477030

      Regards,
      Raffael

      Author's profile photo Dijesh Tanna
      Dijesh Tanna

      Hello Raffael,

      Thanks , error got resolved 

       

       

      Author's profile photo Bhargava Krishna Talasila
      Bhargava Krishna Talasila

      Hi Raffael Herrmann,

      Thanks for sharing this wonderful tool 🙂

      Appreciate your efforts & help to integration community.

       

      Regards

      Bhargava Krishna

      Author's profile photo Vijay Devulapalli
      Vijay Devulapalli

      Many Thanks Raffael Herrmann, this really helps!

      I have managed to follow the suggested process and have stuck at the last step i.e. i’m able to fetch the CPI Roles API via Platform API OAUTH through Postman tool and when tried with CPI, its giving me a 401 UnAuthorized Error.

      can you please suggest if any additional access required to fetch the roles from ROLES API through SUID?

      Unable to attach Post Man Response & CPI Reponse to this thread.

      Many Thanks,

      Vijay Devulapalli

      Author's profile photo Raffael Herrmann
      Raffael Herrmann
      Blog Post Author

      If it works in Postman, it should work in the tool, too. Please double-check that you are using the right credentials for the IFlow and wait a couple of hours (sometimes there seems to be a cache problem.)

      If nothing helps, feel free to contact me via LinkedIn. Then we may look together on your problem.

      Author's profile photo Markus Igl
      Markus Igl

      Hi Raffael,

      I am getting also error 401 during HTTP requst/response to SAP_CP.

      If i switch debug on I will find in CP_default trace:
      #ERROR#com.sap.it.rt.authorization.oauth.generator.ClientOAuthGenerationBusinessLogic##S00xxxxx#https-jsse-nio-8041-exec-11###e....#na#na#na#na#doGenerateError while generating token: status code - 400 message - {"error":"invalid_request","error_description":"Unexpected request grant type."}|
      #ERROR#com.sap.esb.camel.http.ahc.configurer.impl.OAuth2ClientCredentialsAhcBinding##S00xxxxxx#https-jsse-nio-8041-exec-11###e....#na#na#na#na#Error while generating token: status code - 400 message - {"error":"invalid_request","error_description":"Unexpected request grant type."}com.sap.it.rt.authorization.oauth.exception.OAuthException: Error while generating token: status code - 400 message - {"error":"invalid_request","error_description":"Unexpected request grant type."}

      If i use postman:
      post https://api.eu2.hana.ondemand.com/oauth2/apitoken/v1?grant_type=client_credentials
      with client ID and Client secret as basic auth.
      it returns the bearer token.

      get http://api.eu2.hana.ondemand.com/authorization/v1/accounts/e..../users/roles?userId=myID
      using no auth. and the bearer token from post
      it will return the roles as reponse.

      could you please let me know what i made wrong in the CPI config?

      thanks in advance for your help.

      Markus

      Author's profile photo Raffael Herrmann
      Raffael Herrmann
      Blog Post Author

      Hi Markus,

      at first - if the OAuth flow works in Postman that's a good sign. So we can skip the part of checking the credentials creation, because from that point everything seems to be fine.

      Since the IFlow works for me and other, I dare to assert that the IFlow itself is still functional. Thus the only point of failure I can think of is the OAuth security material (for the Cloud Platform access) in your tenant. Could you please check the following:

      • The token service url shouldn't contain any url paramter. It should end with "...apitoken/v1". (For example - I use the following url which might differ if you are in a different location: https://api.eu1.hana.ondemand.com/oauth2/apitoken/v1)
      • The parameter "Client Authentication" of the security material is set to "Send as Request Header".
      • The checkbox "Include Scope" isn't checked/marked.

      If anything of this differs in your credential and you change something, don't forget to redeploy before testing.

      My current config looks like:

      Please let me know if this solved your issues.

      Author's profile photo Markus Igl
      Markus Igl

      HI Raffael,

       

      thanks!!!

      this solved the 401 for CP.

       

      But now I got 401 for HTTP to SAP_CPI ..../api/v1/MessageProcessingLogs/$count as already mentioned above, where Eng Swee provided a solution. This i check already.

       

      If I use postman again:

      post: https://oauthasservices-xxxxx.eu2.hana.ondemand.com/oauth2/api/v1/token?grant_type=client_credentials

      with BasicAuth and ClientID and Clientsecret I get this response:

      {"error":"unauthorized_client"}

       

       

      thanks in advance for your help.

       

      Markus

      Author's profile photo Raffael Herrmann
      Raffael Herrmann
      Blog Post Author

      Hi Markus,

      this error comes from another API (the CPI tenant specific OData API – which is on another level then the generic Cloud Platform api, which was called in the step before.)

      For this API you need a dedicate pair of OAuth credentials. Since it doesn’t work in Postman I guess there was an error made during the creation of this credentials.

      When creating the credentials…

      • …follow the paragraph “Credential Name/SAP_CPI_AUTH_API_CREDENTIALS_OAUTH” on this blog post
      • …make sure that your create the credentials in the “Clients” not in the “Platform API” tab of the Cloud Cockpit’s OAuth section
      • …ensure that you add the following two roles to the client. (You can attach them by going to the Authorizations section in Cloud Platform Cockpit. Then enter “oauth_client_<client ID>”, replace the <client ID> with the ID of your client generated before, and add the roles.)
        • NodeManager.read
        • IntegrationOperationServer.read

      If you need help/assistence, feel free to contact me via LinkedIn for a chat.

      Author's profile photo Athar Iqbal
      Athar Iqbal

      Hi, I configured the integration flow by following all the instruction and it is deployed. It also shows the end points available, but when I use the end point for dashboard, it gives me

      HTTP Status 403 – Forbidden

      I am using admin S-ID on CPI.

       

      https://*****-iflmap.hcisbp.us2.hana.ondemand.com/http/realcore/cpidash/dashboard

      Help please.

       

      Athar

      Author's profile photo Raffael Herrmann
      Raffael Herrmann
      Blog Post Author

      Hi Athar,

      please check if you assigned the role "ESBMessaging.send" (via Cloud Platform Cockpit --> Authorization) to your S-User.

      Background: https://help.sap.com/viewer/368c481cd6954bdfa5d0435479fd4eaf/Cloud/en-US/62a03365f0c64fdda7417b6da7e5a4a7.html

      Author's profile photo Athar Iqbal
      Athar Iqbal

      Hi Raffael, My S-ID is part of the administrator group which has the ESBMessaging.send. I normally use the postman to send the test payload to CPI using my S-ID.

      Author's profile photo Athar Iqbal
      Athar Iqbal

      Hi, I am able to pass beyond 403 error, and now I am getting 401 error.

      https://api.us2.hana.ondemand.com/authorization/v1/accounts/*****/users/roles?userId=S***** with statusCode: 401

      I am able to get the token using Postman which means oauth credentials are working.

      Any idea what could I be missing?

       

      Athar

      Author's profile photo Raffael Herrmann
      Raffael Herrmann
      Blog Post Author

      Sounds like an error with the OAuth security material in SAP CPI. Check that the OAuth credentials artifact for Cloud Platform has…

      • …send token in headers activated (don’t send them in body)
      • …the token endpoint URL without the parameters section. (If the token endpoint URL contains a ?, remove the ? and everything on the right side from it.)
      Author's profile photo Athar Iqbal
      Athar Iqbal

      Hi Raffael, First, Thank you so much for helping on this.

       

      I have the Token URl defined like this:

      https://api.us2.hana.ondemand.com/oauth2/apitoken/v1?grant_type=client_credentials

       

      It is also set to send the token in header.

      Author's profile photo Athar Iqbal
      Athar Iqbal

      It did move one step further after removing the parameters from the end-point but now giving error on filter process. And it is also displaying dialog box for user id and password, but it doesn’t accept the S-ID.

      However, if I type below URL in Postman, it does return me a count value. 

       

      Error text: HTTP operation failed invoking https://****-tmn.hci.us2.hana.ondemand.com/api/v1/MessageProcessingLogs/$count?$filter=LogStart%20ge%20datetime'2020-013T00:00:00.000'%20and%20LogStart%20le%20datetime'2020-01-23T23:59:59.999‘ with statusCode: 401

       

      Author's profile photo Raffael Herrmann
      Raffael Herrmann
      Blog Post Author

      Hi Athar,

      This good in some way, because the error you see now comes from a later step in the flow. So you successfully solved the first problem. 🙂

      The error you face now, corresponds to the second OAuth credentials pair. (Do you remember? You generated two pairs. One for platform access and one for the CPI OData API.)

      Please check:

      • That you set mode to "send via header" in the OAuth credentials/security artifact for CPI OAuth access
      • That you configured the correct token endpoint in the security material. (It's another token endpoint than the one for the Platform OAuth credentials. You can find the correct token endpoint in Cloud Platform Cockpit -> OAuth -> Client tab down at the bottom
      • Ensure the you assigned the necessary roles (check the instructions in the blog above) to the OAuth client credentials user

      If you still have problems, feel free to contact me via linkedin. Then we can arrange a quick Screensharing session to solve the problem together.

      Author's profile photo Athar Iqbal
      Athar Iqbal

      Hi Raffael,

      I figured out the issue after debugging and reviewing the iFlow in detail.

       

      I have deployed v1.0.4 of the dashboard and steps defined in this blog are missing the http channel setup.

      One of the channel used to get the count information is supposed to be Basic Authentication. But, it is setup as Oauth in iFlow. I modified the iFlow and changed the authentication to BASIC and it started working.

       

       

      Everything is up and running now.

      I really appreciate for all the help.

       

      Athar

      Author's profile photo Raffael Herrmann
      Raffael Herrmann
      Blog Post Author

      Hi Athar,

      Nice to hear that it works. But the count-api call runs against the same endpoint/API like other calls which use the OAuth credentials. So this definitely works with OAuth, too. 😉

      Nevertheless - since it works for you now, leave it as it is.

       

      Author's profile photo Ricardo Viana
      Ricardo Viana

      Hello Raffael Herrmann ,

      Congratulations for this fantastic job.

      Applauses !!

      Kind regards,

      Viana.

      Author's profile photo Arne Steinkamp
      Arne Steinkamp

      Dear Raffael,

      I have a the same problem already posted by Athar.

       

      org.apache.camel.component.ahc.AhcOperationFailedException: HTTP operation failed invoking https://XXXXX-tmn.hci.eu1.hana.ondemand.com/api/v1/MessageProcessingLogs/$count?$filter=LogStart%20ge%20datetime'2020-02-17T00:00:00.000'%20and%20LogStart%20le%20datetime'2020-02-17T23:59:59.999' with statusCode: 401

      IFlow:

      I have now checked all authorization steps for 3 times:

      OAuth Client:

      Permissions of OAuth Client:

      Security Material CPI:

       

      I found out that the URL written in Cloud Plattform OAuth section (https://oauthasservices-XXX.hana.ondemand.com/oauth2/api/v1/token) does not work.

      I used this one instead:

      https://oauthasservices-XXXX.hana.ondemand.com/oauth2/apitoken/v1?grant_type=client_credentials

      Using Postman everythings seems to be ok:

      Getting Token using Token URL (second one)

      Step 2: Getting MessageProcessingLogs Returns Success http: 200 with a number as body.

       

      Could you please give an hint where i can troubleshot the issue?

       

      Thanks and best regards

      Arne

       

      Author's profile photo Raffael Herrmann
      Raffael Herrmann
      Blog Post Author

      Hi Arne,

      you were on a good path, when you wrote "I found out that the URL written in Cloud Plattform OAuth section (https://oauthasservices-XXX.hana.ondemand.com/oauth2/api/v1/token) does not work.". The truth lies in between. 😉

      The Platform API uses a different OAuth token endpoint, than the OAuth client tokens, which are needed for CPI's OData api. The second endpoint you identified (and proofed as working in Postman) is correct. Unfortunately the CPI credentials are sometimes a little bit like a diva. 😀

      Please try the following:
      Edit the OAuth credential and especially the token endpoint url. Take the token endpoint url which also works in Postman, but cut off all url parameters (the "?grant_type=client_credentials" part). CPI will add this part on its own. After that, redeploy the credentials and try to reload the dashboard. (If it doesn't work immediately, wait a couple of minutes and try to reload the dashboard again.)

      Best regards

      Author's profile photo Arne Steinkamp
      Arne Steinkamp

      Hi Raffael,

      thanks for reply. I have now removed the url parameter and redeployed. The application still does not run. I have found some other hint. If i get the token using portman i does not get any scope:

       

      {
          "access_token": "335376779a49eb89f8d3938c6144c139",
          "token_type": "Bearer",
          "expires_in": 3600,
          "scope": ""
      }
      Is it correct?
      Thanks,
      best regards
      Arne

       

      Author's profile photo Raffael Herrmann
      Raffael Herrmann
      Blog Post Author

      Hi Arne,

      that’s correct. Mine also doesn’t get a value in the scope-field. That shouldn’t be a problem. Feel free to contact me via LinkedIn for a screensharing session.

      Author's profile photo Gurdev Singh
      Gurdev Singh

      Hi Arne,
      I’m in the same position as you were. Any luck?

      Cheers

      Author's profile photo Saraj Aslam
      Saraj Aslam

      Hi Raffael,

       

      first of thanks for providing such an awesome tool. I just wanted to give an additional tip, since I lost some time on that:

      If you want to call the dashboard in the browser, do not authenticate with s-user certificate in browser (single sign on SAP passport). Use your s-user credentials, otherwise you will receive a 403 error.

      Regards

      Saraj

      Author's profile photo antoine trotin
      antoine trotin

      Hi Raffael,

      Thanks for sharing all this fantastic work!

      I managed to deploy the last version of code in my CPI tenant ;  but Im facing below error when trying to enter dashboard.:

      Error text: java.lang.Exception: java.lang.Exception: User SXXXXXXXX not authorized. Missing role: 'de.realcore.cpi.dashboard'.@ line 30 in authValidate.groovy

      Using postman, if I do a get call of

      https://api.ap1.hana.ondemand.com/authorization/v1/accounts/nxf6daldna/users/roles?userId=SXXXXXX

      I get as result the roles assigned to my oss user....

      Can you help me to figure where is the issue here?

      (all the postman calls to check auth onfiguration are ok, returning token or role of user...)

       

      Thank you!

      Best regards

      Antoine

       

      Author's profile photo Raffael Herrmann
      Raffael Herrmann
      Blog Post Author

      Hi Antoine,

      you wrote: “Using postman, if I do a get call of […] I get as result the roles assigned to my oss user….“.

      And does this answer in Postman list a role called “de.realcore.cpi.dashboard”? If not, you know why the dashboard throws this error. ?

      In that case you have two options to solve the missing role problem:

      1. Replace the roles a users needs from de.realcore…-roles to some roles your user own (it is configurable via the IFlows “configuration” function)
      2. Add the missing roles to your user. (Check also this blog post.)
      Author's profile photo antoine trotin
      antoine trotin

      Hi Raffael,

      Creating and adding missing role to my user solved my problem.

      Maybe it would be interesting to add this step in your "how to" ; (or maybe its my lack of knowledge that leads me to this issue)

      In any case, thank you very much for giving us opportunity to use this dashboard.

      Best regards

      Antoine

      Author's profile photo Julian Wildt
      Julian Wildt

      Hi Raffael,

      thanks for the great documentation.

      Unfortunately i got the same error like Antoine. Then I created the role and assigned my S-User to this role. Now I am not able to logon to the dashboard. It means it try to access via s-user and password but nothing happens.

      Do you know what happens here?

      Thanks

      Julian

      Author's profile photo Julian Wildt
      Julian Wildt

      Hi Raffael,

       

      now it is working as I did the same configuration like Athar.

      Anyway, i got another confusing message in the dashboard. Why do I have not enough authorization? I assigned my S-user to you recommended roles and i have no authorization to view the logfiles and passwords?

       

      Thanks in advance.

      Julian

      Author's profile photo Sai Lakshmi Narayana Danturti
      Sai Lakshmi Narayana Danturti

      Thank you Raffael Herrmann for the detailed explanation of how to configure and run this dashboard. Appreciate your efforts.

      I just need help with below items.

      1. For calling Group 1 services, we have to configure an S-User with required access. Can you please share the exact roles needed as our security team is not comfortable in assigning elevated access.
      2. When I tried to load the security material onto the dashboard I got 403 error. URL triggered is https://{tenat ID}-tmn.hci.us2.hana.ondemand.com/api/v1/UserCredentials
      3. For the Mail Adapter configuration. Which mail server to be used? Is there any SAP provided option here or we can use O365?
      4. Current Alerting feature in the dashboard is about messages and certificates. Is there any automated way to generate alerts for cases like high CPU Usage or any tenant level issues?
      5. Our client has SAP Passport setup for logging in into any cloud application or page. When he tried to access the dashboard using his SAP Passport, he received 403 forbidden error. Is logging in via cert allowed for this dashboard or we have to use credentials only?

      Thanks in advance.

      Author's profile photo Matthias Fuß
      Matthias Fuß

      Hi Raffael,

       

      after the configuration I get a HTTP 500 Error:

      Error text: java.lang.Exception: java.io.FileNotFoundException: https://******-tmn.hci.eu1.hana.ondemand.com/itspaces/odata/1.0/workspace.svc/ContentEntities.ContentPackages?$format=json@ line 48 in diffGetIFlowPackageContent.groovy

       

      When i call the url https://******-tmn.hci.eu1.hana.ondemand.com/itspaces/odata/1.0/workspace.svc/ContentEntities.ContentPackages?$format=json via BasicAuth of my S-User in Postman the response is:

      {
          "error": {
              "code": null,
              "message": {
                  "lang": "en",
                  "value": "Entity not found"
              }
          }
      }
      When i call the url in the web-browser a SSO-Auth. via my P-User is forced. But then i get a working json response. 
      It looks like an authorization issue for the S-User. Do you have an idea whats missing?
      Thanks.
      Matthias
      Author's profile photo Saurabh Kumar
      Saurabh Kumar

      Hi Matthias,

      I was also facing the same issue as described by you. Eventually it got resolved by adding the below roles to my S-User ID:

      AuthGroup.IntegrationDeveloper

      AuthGroup.ReadOnly

      AuthGroup.BusinessExpert

       

      Hope this may help you

      Regards,

      Saurabh

       

       

      Author's profile photo Matthias Fuß
      Matthias Fuß

      that worked, thanks 😉

      Author's profile photo Jemil Gambo
      Jemil Gambo

      Thank you Raffael Herrmann for the detailed explanation of how to configure and run this dashboard.

      I have question, do you have plans to create a similar post for CPI on Cloud Foundry or is there a work around we can use for the Cloud Foundry environment.

      Author's profile photo Raffael Herrmann
      Raffael Herrmann
      Blog Post Author

      Hi Jemil,

      currently the dashboard isn't compatible to SAP CPI on CF. Sure I would love to see the dashboard on CF, too, but since it's a "sparetime project" and I'm in lack of spare time currently, I can't promise any dates for such update.

      Author's profile photo Friedrich EVA
      Friedrich EVA

      Hi Raffael,

      thanks for this great tool and the explanations!

      After deploying successfully and fixing the little issues here and there thanks to the other comments, I am faced with what seems to be a new issue.

      After logging in, I get an Error 500:

      java.lang.Exception: com.google.common.util.concurrent.UncheckedExecutionException: com.sap.it.nm.types.NodeManagerException: [CONTENT] [CONTENT_DEPLOY]  [NoArtifactDescriptorFoundForArtifactName]: No artifact descriptor found for artifactName myuser@ line 72 in diffGetIflowPackageContent.groovy

      While this message is displayed I get authentication popups so I suppose it's an authorization issue, but I couldn't find a better clue.

      Any idea?

      Thanks

      Friedrich

      Author's profile photo Raffael Herrmann
      Raffael Herrmann
      Blog Post Author

      Hi Friedrich,

      That sounds like a configuration error. In the IFlow configuration there is a field to place a "....BASIC_AUTH..." credential. In this field you have to enter the name of the "security material" from CPI that contains the basic auth user credentials. The error look like you entered a "security material" name in the configuration that doesn't exist/isn't deployed.

      BR,
      Raffael

      Author's profile photo Sai Lakshmi Narayana Danturti
      Sai Lakshmi Narayana Danturti

      Hi Raffael Herrmann ,

      When I tried to load the security material on the dashboard I got 403 error. URL triggered is https://{tenat ID}-tmn.hci.us2.hana.ondemand.com/api/v1/UserCredentials. Can you please help.

      Author's profile photo Raffael Herrmann
      Raffael Herrmann
      Blog Post Author

      Hi Sai,

      this sounds like a wrong/missing scope on the OAuth platform api credentials. Please re-check the steps concerning the creation of the platform API credentials from the manual above.

      Author's profile photo Friedrich EVA
      Friedrich EVA

      Hi Raffael,

      thanks for your quick answer!

      I had made a mistake on this credential's configuration indeed. So I got past this stage but now I'm facing an 403 error:

      HTTP operation failed invoking https://mytenant.hci.eu3.hana.ondemand.com/api/v1/MessageProcessingLogs/$count?$filter=LogStart%20ge%20datetime'2020-10-29T00:00:00.000'%20and%20LogStart%20le%20datetime'2020-10-29T23:59:59.999' with statusCode: 403

      I suppose this has to do with the client credential but I can't find what wrong; it has the nodeManager.read and IntegrationOperationServer.read roles and I suppose that it's authenticated properly, as I don't have any 401 anymore.

      Thanks a lot for the support!

      Best regards,

      Friedrich

      Author's profile photo Raffael Herrmann
      Raffael Herrmann
      Blog Post Author

      Hi Friedrich,

      I can think of different things which might go wrong...

      • Do you use the correct client credential pair? (You had to create two pairs - one for platform api and one for cpi-tenant specific apis. You have to use the credential pair for cpi/tenant not the pair for the platform api.)
      • Have you waited for at least 10 minutes since setting the roles? (Sometimes in the past I experienced that it took a couple of minutes until the assigned roles to the OAuth credentials were finally set and recognized.)
      • Have you tried to call the API-url in a tool like Postman? (Use HTTP GET and the client credentials as entered into CPI.) Do you get the 403 in Postman, too?

      Best regards,
      Raffael

      Author's profile photo Friedrich EVA
      Friedrich EVA

      Hi Raffael,

      yes I have created the two pairs and for "group 2", which is used for MessageProcessingLogs if I understand correctly, I use the pair created in the "Client" tab.

      With Postman, calling https://mytenant.eu3.hana.ondemand.com/api/v1/MessageProcessingLogs/ works fine with the client pair credentials.

      Timing is not an issue, roles have been set hours ago now :).

      I'm still testing and trying to make it work, any other suggestion is welcome!

      Thanks for your help,

      Friedrich

      Author's profile photo Raffael Herrmann
      Raffael Herrmann
      Blog Post Author

      If it works in Postman then either you have a typo in the security material (=> try to recreate the security material / redeploy) or its a caching problem. (Then it may be solved from alone just over time... Take your weekend and try again on Monday. 😉 )

      Author's profile photo Friedrich EVA
      Friedrich EVA

      In fact it was appearing to work in Postman only because of a remaining authentication cookie of another user.

      But a clean test with the client pair gives me the same 403 result as on the dashboard. At least it's consistent!

      But you're right, let's have some rest and try again later.

      Have a nice week-end,

      Friedrich

      Author's profile photo Friedrich EVA
      Friedrich EVA

      Hi Raffael,

      just an update; by replacing all OAuth2 logins by basic auth in the integration flow I managed to have the tool up and running. Very weird; I did the steps several times with the client user but always ended up with a 403 on MessageProcessingLogs.

      If you're interested in having a quick look let me know!

      Also, now that the dashboard is live, I noticed that there seems to be some discrepancy between the two CPU usage statistics; during the last 15 minutes "CPU load" was between 4 and 5 all the time but "CPU use" was below 1%.

      Thanks for the nice dashboard!

      Friedrich

      Author's profile photo Phani Konduru
      Phani Konduru

      Hi Raffael,

      Thank you for the nice CPI dashboard. We were able to configure and run the dashboard with your step by step instructions.

      We have assigned ROLE_GENERAL_ACCESS, ROLE_LOG_AND_FILE_ACCESS & ROLE_SECURITY_MAT_ACCESS parameter values to multiple S users. But, unfortunately only the user (SAP_CPI_AUTH_API_CREDENTIALS_BASICAUTH) configured in the security material can access it. None of the other users can access it.

      How do we enable this dashboard to be accessed by multiple users instead of single user? please guide.

      Thanks & Regards,

      Phani.

      Author's profile photo Raffael Herrmann
      Raffael Herrmann
      Blog Post Author

      The roles (ROLE_GENERAL_ACCESS, ...) should be assigned to the S-Users that log into the dashboard via webbrowser. There's nothing more to configure. Maybe the IDP needs some time to update the roles. Have you tried to log off and on again with the S-Users that aren't able to use the dashboard? Which error message to you receive?

      Author's profile photo karthikeyan ramachandran
      karthikeyan ramachandran

      Hi Team,

       

      I am deploying this iflow and i am getting the below errors. Can you please help.

      Attached is the error screenshot.

      Author's profile photo Raffael Herrmann
      Raffael Herrmann
      Blog Post Author

      You missed to setup the credentialname in the IFlow configuration. Please click "configure" to open the IFlow config and set the corresponding logon credential name. Also check the section "Parameter Name (Group): Credential Name/SAP_CPI_AUTH_API_CREDENTIALS_OAUTH" of this blog article.

      Author's profile photo Marco Reyes
      Marco Reyes

      Hi Raffael,

      I would like to test the Dashboard for CPI, I made the implementation but I get this error:

      "Error text: HTTP operation failed invoking https://*****-tmn.hci.us3.hana.ondemand.com/itspaces/odata/1.0/workspace.svc/ContentEntities.ContentPackages?$format=json with statusCode: 401"

      Could you guide me where the problem could be?

      Greetings and Thanks.

      Author's profile photo Andrey Tkachuk
      Andrey Tkachuk

      Hello!

      During the opening of the dashboard I have error: " This request has been blocked; the content must be served over HTTPS."

      I find code:

      Did I enter a parameter incorrectly when configuring?

      Author's profile photo Raffael Herrmann
      Raffael Herrmann
      Blog Post Author

      The first part of the url shown in your screenshot is read from an dynamic CPI header:

      message.getHeaders().get('CamelHttpUrl')

      In the past/usually this header returned the current hostname including the right protocol. Either there was a change in CPI or something seems to be wrong with your instance. Have you called the Dashboard in your webbrowser via HTTP or HTTPs? (Please try with HTTPs.)

      Author's profile photo Andrey Tkachuk
      Andrey Tkachuk

      Yes, I definitely use https. But the http remains in the headed. I entered https manually in  deliverStaticContent.groovy.

      Everything works!

      Thanks!

      Author's profile photo Matthias Lüthi
      Matthias Lüthi

      Hi togehter

      We installed the real core iflows on our CPI, which is running on the neo cloud platform. There it is running without problems.

      Now we tried to configured it on the cloud foundry and when we make the loggon to the dashboard i get the wheel of death.

      There are now errors found in the cpi on which is running on the foundy.

      Did anyone had the same problem on the foundry or did someone had any idea for my problem

      thx for help

      Matthias

      Author's profile photo Raffael Herrmann
      Raffael Herrmann
      Blog Post Author

      Hi Matthias,

      please check the first paragraph of this blog article again. 😉

      It reads out...

      Restrictions

      Since the Cloud Foundry (CF) variant of SAP CPI as of now doesn’t send the WWW-Authenticate-header, the IFlow isn’t usable via webbrowser. Thus the dashboard isn’t supported on SAP CPI on CF environments for now because the dashboard’s webinterface itself is delivered via an IFlow and thus need a webbrowser-friendly authentication method.

      So the dashboard never worked on CPI@Cloud Foundry. Maybe some of the RealCore guys can fix it... You can reach out to them via https://www.realcore.de/index.php/contact

      Author's profile photo Matthias Lüthi
      Matthias Lüthi

      hi Raffael

      Thx for replay. I saw it also now in the blog 🙂

      Author's profile photo Marco Reyes
      Marco Reyes

      Hi Raffael,

      I would like to test the Dashboard for CPI, I made the implementation but I get this error:

      "Error text: HTTP operation failed invoking https://*****-tmn.hci.us3.hana.ondemand.com/itspaces/odata/1.0/workspace.svc/ContentEntities.ContentPackages?$format=json with statusCode: 401"

      Could you guide me where the problem could be?

      Thanks.

      Author's profile photo Andrey Tkachuk
      Andrey Tkachuk

      It seems to me that the project has already died.

      For the new BTP, obtaining rights and groups does not work.

      Getting groups and rights from the BTP does not work for me either. I could not find a solution.

      Author's profile photo Rizu Yadav
      Rizu Yadav

      Hi Raffael Herrmann

      Hope you are doing great!! First of all thanks for this amazing tool.

      But facing issue while configuring it with CPI: Accessing MessageProcessingLogs OData API via OAuth. I go through all the above comments, I have followed the blog for OAuth set up and it works fine when tested using POSTMAN tool. When iFlow is deployed and run the Dashboard MPL ODATA API  401 error. When i replace it with Basic User ID and Password its working fine. Could you please let us know any work around or how you overcome this situation in your case. I love to connect with you on any platform as it will be bit urgent for us to resolve this.

      CPI Environment using: NEO

      Br,

      Rizu Yadav

      Mail Id: rizuyadav@gmail.com

      Linkedin: linkedin.com/in/rizuyadav

      Author's profile photo Paul van Os
      Paul van Os

      Hi Raffael Herrmann,

      Will there be a CF version in the near future? or is this only possibel thru the realcore people?

      Kind regards,

      Paul

      Author's profile photo Philippe Addor
      Philippe Addor

      Hey Raffael,

      I just thought I could check if you have published a CF version in the meantime... I guess you still have the restriction with the www-authenticate header. Now I had an idea that I wanted to share. Not sure if you thought about it: you could create an API in API management as a layer between browser and IFlow. In the API Policies you could use the Basic Authentication policy to set the (hardcoded) credentials needed to access the IFlow. What do you think, could it solve this problem?

      I would have implemented it to test, but realized that there would be many more changes necessary on the Iflow, I believe. Mainly because some APIs are different on CF compared to Neo or different Security concepts. But you know better what you have used and if it's still available in CF.

      Kinds regards, Philippe

      Author's profile photo Marcos Antonio Romano
      Marcos Antonio Romano

      Olá Rafael, como você está?

      Sou novo no SAP CPI, estou tentando configurar o Dashboard, mas estou cometendo esses erros no final, segui o passo a passo do manual, acho que é algo simples mas não estou conseguindo progredir.