How to install and configure the RealCore CPI dashboard
This blog post is the second part of the series about our RealCore SAP CPI dashboard tool. It deals with the installation and configuration of the dashboard tool. You can find the first article, which is about the capabilities and features of the dashboard, over here:
Advanced monitoring and health check with RealCore’s CPI Dashboard
Before we start, let’s have a quick look at the restrictions that apply when installing and using the dashboard.
Restrictions
Since the Cloud Foundry (CF) variant of SAP CPI currently doesn’t send the WWW-Authenticate header, the IFlow isn’t usable via web browser. The dashboard’s web interface is itself delivered via an IFlow and thus needs a browser-friendly authentication method, so the dashboard isn’t supported on SAP CPI in CF environments for now.
Installation
Since the complete dashboard and all its code is packed into one single Integration Flow (IFlow), the installation of the dashboard is done within minutes.
First, download the current release from our Github repository. You can find the latest release here: https://github.com/codebude/cpi-dashboard/releases
Next, open your SAP CPI tenant, switch to the Design perspective and create or choose the package you want to place the monitoring IFlow into. Then edit the package, switch to the Artifacts tab and click Add to upload the previously downloaded SAP CPI Dashboard release.
That’s it for the installation part. In the next section we will deal with the configuration.
Configuration
All things that need to be configured can be maintained via “Externalized Parameters”. Thus, it is not necessary to make changes to the IFlow itself or its code. Some of the externalized parameters are used multiple times and therefore only need to be maintained once. So trust me – it’s not that much to configure.
To start the configuration, we switch to the configuration perspective now.
Let’s have a look at the different parameters which have to be set…
Sender configuration
On the Sender-tab you will find one system with multiple adapters (since the IFlow has multiple endpoints), but you have to configure only one parameter, because it is used in all sender channels.
Parameter Name: DASHBOARD_URL_BASE
How to set: Set this parameter to a URL slug of your choice. It will be the base URL of all endpoints of the IFlow.
Receiver configuration
On the Receiver-tab you will find three Receivers (SAP_CP = general Cloud Platform APIs, SAP_CPI = Cloud Platform Integration specific APIs, MAIL_SERVER = e-mail server to send out alerts) with 3 (SAP_CP), 7 (SAP_CPI) and 1 (MAIL_SERVER) channel. We will consider the different receiver systems separately.
Receiver – SAP_CP
All three SAP_CP receivers share the same configuration parameters. Thus you only have to do the configuration for one of the HTTP channels.
Parameter Name: SAP_CP_HOST
How to set: This must be set to the hostname of your SAP Cloud Platform API host. It is built like this:
api.{regional hostname}
The {regional hostname} depends on the region your Cloud Platform account sits in. A list of possible hostnames can be found here: https://help.sap.com/viewer/ed6ce7a29bdd42169f5f0d7868bce6eb/Cloud/en-US/0a7d8fb9bc2c4bbd9355146722adc8a1.html
Parameter Name: SAP_CPI_TECHNICALNAME
How to set: This should be set to the technical name of your SAP CPI tenant. You will find the technical name in the Cloud Platform Cockpit via Region –> Global Account –> SAP CPI Subaccount.
At the bottom of the subaccount page you will find the technical name of your SAP CPI tenant.
Explanation: These credentials are used to query the Authorization and Management API to retrieve a list of roles for the dashboard user/caller. The roles themselves are needed to show/hide different functions of the dashboard.
Parameter Name: Credential Name/SAP_CP_AUTH_API_CREDENTIALS
How to set: Enter the name of the security material/credentials which contains the credentials for the SAP Cloud Platform Authorization Management API. Note: If you haven’t used the Authorization Management API before, you have to create an account first. Create the OAuth credentials as described here and here. Then store the OAuth credentials in your SAP CPI’s security material section and enter the name of the security material as the needed configuration parameter.
Receiver – SAP_CPI
In contrast to the SAP_CP receivers, not all of the SAP_CPI receivers share the same configuration parameters. The channels can be divided into two groups. The first group calls URLs under “/itspaces/odata/…” and the second group calls URLs under “/api/v1/…”.
The screenshot below shows how you can differentiate the groups. Ensure that you configure at least one channel of each group from the screenshot.
Parameter Name (Group): SAP_CPI_HOST (Group 1)
How to set: Set this to the hostname of your SAP CPI tenant management node. Take the screenshot below for example.
Parameter Name (Group): Credential Name/SAP_CPI_AUTH_API_CREDENTIALS_BASICAUTH (Group 1)
How to set: Enter the name of the security material/credentials which contains user and password (S-User/technical S-User) of an account which has sufficient rights to access the SAP CPI tenant.
Explanation: These credentials are used to access some unofficial SAP CPI APIs (the ones which are used by the SAP CPI web interface itself) to retrieve a list of runtime and design-time artifacts.
Parameter Name (Group): Credential Name/SAP_CPI_AUTH_API_CREDENTIALS_OAUTH (Group 2)
How to set: Enter the name of the security material/credentials which contains the OAuth credentials for the SAP CPI OData API.
Note: If you haven’t used the SAP CPI OData API via OAuth before, you have to create a set of OAuth credentials first. Check this article which describes how to set up the credentials. (Basically it’s the same as what you did before for the Auth&Management API, but this time you use the “Clients”-tab instead of the “Platform API”-tab in the OAuth section of your CPI-subaccount.) When creating the credentials you need to assign at least the following two roles:
- NodeManager.read
- IntegrationOperationServer.read
Then store the OAuth credentials in your SAP CPI’s security material section and enter the name of the security material as the needed configuration parameter.
Attention: Since Dashboard version 1.0.2 the credential has to be stored in a security material of type “OAuth2 Credentials”!
Explanation: These credentials are used to query the MessageProcessingLogs resource (and more) of the SAP CPI OData API, which is used to retrieve the message volume/counts.
Receiver – Mail Server
This part of the configuration is optional. You only have to configure this receiver if you want to use the alerting feature of the RealCore CPI Dashboard.
If you want to use the dashboard’s alerting engine, configure a valid mail server here. The dashboard will use it to send out alerting mails. If you don’t want to use the alerting engine, you can fill out the configuration with dummy values.
More(-Configuration)
Congratulations, if you managed to get to this point – the hardest part of the configuration is done. On the “More”-tab you have to configure some more parameters.
Parameter Name: ALERT_MAIL_SENDER
How to set: If you plan to use the alerting engine of the dashboard, then you can set up the mail address here which should be shown as sender/origin of the alert mails.
Parameter Name: CACHE_DATASTORE_NAME
How to set: You can set this parameter to any value. It defines the name of the Datastore which is used by the dashboard to cache the message count information. So ideally choose a name that is not yet in use and that fits your naming conventions for datastores.
Parameter Name: CPU_USAGE_MESEASUREMENT_TIME_IN_MS
How to set: This value describes the measurement interval for CPU utilization in milliseconds. (To measure CPU utilization, the CPU time is read out twice.) The higher the interval, the better the CPU usage results in the dashboard. At the same time, the higher the interval, the longer the dashboard loading time. Everything higher than 1000 should be fine.
Parameter Name: ROLE_GENERAL_ACCESS
How to set: Define the name of the role a dashboard user must have assigned to get access to the dashboard. When the IFlow is called it checks if the user has the role defined here. If not, it blocks access to the dashboard. If you want to work with your own rules, read this article of mine, which describes custom role handling.
Parameter Name: ROLE_LOG_AND_FILE_ACCESS
How to set: Define the name of the role a dashboard user must have assigned to view and download logfiles via the dashboard. When the IFlow is called it checks if the user has the role defined here. If not, it hides the logfiles section in the dashboard and blocks file download requests. If you want to work with your own rules, read this article of mine, which describes custom role handling.
Parameter Name: ROLE_SECURITY_MAT_ACCESS
How to set: Define the name of the role a dashboard user must have assigned to view security material/credentials. When the IFlow is called it checks if the user has the role defined here. If not, it hides the security material section in the dashboard and blocks manually executed calls to the secmat-service. If you want to work with your own rules, read this article of mine, which describes custom role handling.
Parameter Name: DIFF_REMOTE_CPI_TENANTS
How to set: This parameter is optional. You can enter connection data for multiple remote CPI tenants (separated by ;) here. The tenants configured here will be used for the dashboard’s IFlow comparison tool. Each remote system has to be entered in the format: <hostname of tenant>|<name of security material>
Example: If your remote tenant is available via “https://x0815-tmn.hci.eu1.hana.ondemand.com/itspaces” and you have created a security material containing an S-User with password in your current tenant named “CPI_x0815_CREDENTIALS” then you should enter the following into the DIFF_REMOTE_CPI_TENANTS field:
x0815-tmn.hci.eu1.hana.ondemand.com|CPI_x0815_CREDENTIALS
If you want to connect multiple remote tenants, just separate the tenant entries by use of a semicolon (;).
Timer(-Configuration)
If you plan to use the alerting engine, you can configure here how often the engine should check for errors. Regardless of the interval you configure, the engine will check the complete time interval since the last check. So by setting a larger interval in the timer, you just configure how often you will receive mails.
Deployment and Usage
Now that we have finalized the configuration, we have to deploy the IFlow. Either click on the Deploy-button from the configuration page or use the deploy option from the package view.
After the successful deployment, switch to the operations view of your SAP CPI tenant and go to the Manage Integration Content -> All-perspective. Search for the dashboard IFlow. From here you can find the dashboard’s url. Copy the url and open it in a (modern) web browser.
Summary
Now we have reached the end of the second article. I hope you have successfully set up the RealCore Dashboard on your SAP CPI tenant. If there are problems or questions, just write a comment. I’m sure together we can figure out what went wrong.
Thanks Raffael, for this wonderful opensource tool.
Hi Raffael,
Thank you for providing cpi dashboard. We are getting the following error when attempting to access the dashboard for the first time.
HTTP operation failed invoking https://api.us3.hana.ondemand.com/authorization/v1/accounts/ewc3bf1d/users/roles?userId=0007770116 with statusCode: 401
Any ideas?
-Jon
Hi Jon Prow,
this error looks like it comes from the IFlow's call to the authorization & management api. This call is done by the IFlow to get a list of roles of the S-User which is calling/opening the dashboard. If you get a 401 error for the auth & management api call, you may have a problem with the "platform api"-oauth credentials which you should have set up while configuring the dashboard.
You can do two things now:
Regards,
Raffael
Hi Raffael
Unfortunately, I have the same problem. I am trying with Postman but get the 401 there too.
I’m doing a POST call to URL (S-user censored):
For the login (basic auth), I’m using the credentials that I got when I created the “Platform API” Oauth Client. Is that both correct?
Thank you,
Philippe
Hey Raffael,
I assume it's related to my configuration, but I think I am close. Here is our error:
Error text: HTTP operation failed invoking https://oauthasservices-<consumer-account>.hana.ondemand.com/oauth2/api/v1/token?grant_type=client_credentials with statusCode: 503
When I put the url in Postman it doesn't work, but if I add the landscape host name in the url I am able to receive an access token.
https://oauthasservices-<consumer-account>.us3.hana.ondemand.com/oauth2/api/v1/token?grant_type=client_credentials
Ideas?
Thanks,
-Jon
Update - I am able to get in with adding the landscape host to the http connection to SAP_CPI from Integration Process / Collect system status and Integration Process / Read security material
-Jon
Hi Jon,
thanks for your effort and your feedback. I think I see what you meant. There are two http channels which call "". Unfortunately I missed making them region-aware.
Instead of changing the IFlow itself, it should be possible to add the region key (as defined here: https://bit.ly/2zp82KR ) to the parameter SAP_CPI_TENANT_TECHNICALNAME. (This should be possible, because the parameter is only used in those two channels and sits right in front of the url part where the region selector should be.)
So if your tenant technical name looks like "abc1234" and you are placed in the "US East (Ashburn)" datacenter (see link above), then the SAP_CPI_TENANT_TECHNICALNAME should be set to "abc1234.us1".
In the next version/update, I will fix this issue.
Regards,
Raffael
That's what I tried initially, but there is other configuration that uses SAP_CPI_TENANT_TECHNICALNAME that is impacted. For example the HTTP connection to SAP_CP in the Check authorization integration.
Thanks for the help, looking forward to the next release.
-Jon
Oh, I see... But since the region-aware hostname, which is needed for the OAuth token calls, is exactly the same as the {{SAP_CP_HOST}}, just without the leading "api.", we can re-use this variable. I just set up a small new release, which uses the SAP_CP_HOST-parameter and does a substring on that. Thus the existing configuration doesn't have to be changed.
You can find the release here: https://github.com/codebude/cpi-dashboard/releases Feedback is appreciated. Thanks for your help again.
Hi Jon
Your userId seems to be lacking the S-prefix. Maybe it's that?
That is pulled from the security material entry for the parameter SAP_CPI_AUTH_API_CREDENTIALS_BASICAUTH (Group 3)
However, in my case I have the prefix there and it still doesn't work.
Philippe
Hi Philippe,
I think this is a fault in my implementation. At two points/communication channels, I forgot to make the url region-aware. Please check the new release, which should be region aware and let me know if this solves your trouble: https://github.com/codebude/cpi-dashboard/releases
Regards,
Raffael
Hi Raffael
I deployed the new version and configured it again. Unfortunately, I still get:
HTTP operation failed invoking https://api.eu1.hana.ondemand.com/authorization/v1/accounts/a304c76af/users/roles?userId=S0019012678 with statusCode: 401
Could it be a wrong credential? But then, why error 401..?
Hi Philippe Addor,
if your OAuth credentials are wrong, it would be a 401 (=Unauthorized) - it's the default behaviour. The call which fails for you is this one:
If you check the configuration settings of the connector, you see that it uses "Authentication: OAuth2 Client Credentials" mode. When using this mode, the adapter takes the client credentials pair which you created in the security material section. Then it makes a call against the token endpoint which is part of the credential settings:
This token endpoint responds with a Bearer token, which is then used to call the endpoint url which was configured in the communication channel. If the OAuth credentials are wrong, are missing grants or the token endpoint is wrong, you may get the 401 Unauthorized error you have seen.
If you want to check if your OAuth credentials are correct, you could use a tool like Postman. The screenshot below shows the configuration. You should choose Authorization mode "Basic Auth", then copy Client ID and Client Secret from the Security Material (screenshot above). Then copy the "Token Service URL" as configured in the security material and add "?grant_type=client_credentials".
If you click the "Send"-button, you should see a token response in the lower half of the Postman window. In addition you should see "Status 200 OK". If you get a "Status 401" (which I assume will happen), then you should re-check your credentials and re-create them as shown here: https://blogs.sap.com/2019/08/28/authorization-management-api-in-sap-cloud-platform/
Regards,
Raffael
Thanks Raffael for the comprehensive explanation! I think there are several issues:
Before, the MPL had no Credential parameter, unlike described above (see below "SAP_CPI_AUTH_API_CREDENTIALS (Group 2)")
However, I don't yet fully understand the difference between the Platform API Client and the "standard" Oauth client, as well as when to use Basic Auth and when Oauth (still learning... 🙂 ). So maybe my change would be unnecessary and there is still a mix-up in Security Material in the different configurations. Or maybe instead of using Basic, I should use the Oauth Client.
Hi Philippe,
thanks for investing your time to test our tool. Glad to hear that it finally runs for you. Regarding your points...
Now let's come to your questions concerning all the API keys.
We are dealing with three types of API in the dashboard. All of them need different credentials.
Hopefully this clarifies some of your open points. Have a nice Sunday!
Regards,
Raffael
Hi Raffael
Thanks a lot for the explanation! It makes sense now. And I will some time try to find out why the bearer token is not working in my case, just for the sake of my own learning.
Best Regards,
Philippe
Thanks Raffael,
That's excellent work.
I miss something here
https://api.{landscapeHost}/authorization/v1/accounts/{accountName}/users/roles
401
unauthorized.
Hi Prabhakar,
did you see the new release 1.0.1? (https://github.com/codebude/cpi-dashboard/releases/tag/1.0.1) It fixes some of the connection errors.
If you already use the current release, then it might be a problem with your OAuth credentials. Can you try to call the faulty url manually via Postman and check if you get the error there too?
Regards,
Raffael
Hi Raffael,
I am using the latest code. I get this response when I paste the url in the browser
Hi Prabhakar Teegavarapu,
posting the url in a regular webbrowser gives these "code"-responses. That's correct, because when using a regular webbrowser the call is missing the needed token headers. Thus a webbrowser is not an appropriate tool to evaluate if your credentials are right.
Please read this comment I wrote for Philippe. It explains how to check your OAuth credentials via Postman. It may help to find out what is going wrong on your side.
Regards,
Raffael
Thank you Raffael Herrmann for sharing this awesome work.
Liked it a lot.
Best Regards,
Venu
Hi Raffael Herrmann
we are currently configuring the RealCore CPI dashboard on our test cpi.
so far everything worked fine and thanks for the great documentation. From time to time it would be good to know which roles have to be assigned how and where in the cockpit. Maybe this can be completed…
We have finished the configuration so far and can connect to the dashboard. As soon as the dashboard is opened the following http 400 error occurs:
https://{{{SAP_CP_HOST}}/authorization/v1/accounts/{{SAP_CPI_TENANT_TECHNICALNAME}}/groups/roles?groupName= with statusCode 400
Is it possible that our SAP_CP_HOST or the SAP_CPI_TENANT_TECHNICALNAME is not correct?
I also checked that we use the correct host (Rot Europe as described in https://help.sap.com/viewer/ed6ce7a29bdd42169f5f0d7868bce6eb/Cloud/en-US/0a7d8fb9bc2c4bbd9355146722adc8a1.html)
with the log trace I could find out the place from where the error comes from (see the screenshot)
where is this group drawn from and where can I configure it?
Thanks for a little note
Regards
Matthias
Hi Matthias Lüthi,
The groupname, used in the connection which is shown in your screenshot, is read from the CPI exchange header. It will be filled in the "Check authorization" local integration process. This local integration process is called whenever a call to the dashboard is done.
(1) The roles defined in the externalized parameters are written to the Exchange's properties. (You can define which roles a user of the dashboard should have assigned to get access to the different functionalities.)
(2) The S-User id (read from the request headers) is used to get a list of roles that are directly assigned to a user.
(3) The S-User id is used to get a list of groups the user is assigned to. (We have to do this, because the "get roles" call only gave roles directly assigned to the user, but not the ones which are assigned indirectly via groups.)
(4) For each group we got back, we do a call of the local integration process shown in your screenshot, to retrieve a list of roles, which are assigned to the group the user was assigned to.
(5) Now that we have all roles of the user (the directly assigned ones as well as the ones which came via groups) we compare them with the roles defined in the externalized parameters of the IFlow to decide if a dashboard user is authorized to use the dashboard or not.
If it still fails, you could try to activate the "Trace" mode of the IFlow and check the properties/headers if they contain valid role names. If nothing works, you can also contact me via Skype/MS Teams. (Just drop me a message here with your e-mail/skype address.)
Regards,
Raffael
Hi Raffael
Thx for the reply.
Was on holiday and check this asap
Regards,
Matthias
Hi Matthias
This is related to the role assignment of the user used to access this dashboard via web browser. If you use direct role assignment, then you will hit this error. The quick fix is to simply assign the user to any existing groups.
I have submitted a pull request (https://github.com/codebude/cpi-dashboard/pull/2) to Raffael to fix this, so that groups are not checked if user is not assigned any groups.
Regards
Eng Swee
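The role check from steps (1) to (5), together with the no-groups case addressed by the pull request, modelled as an added Python example (not the dashboard's own Groovy code). The three lookup callables, the `ApiError` class and the sample users and role names are assumptions standing in for the Authorization Management API calls.

```python
"""Model of the dashboard's "Check authorization" decision (added example)."""

# Externalized parameters from the article; the role names are constructed samples.
ROLE_PARAMS = {
    "ROLE_GENERAL_ACCESS": "DashboardUser",
    "ROLE_LOG_AND_FILE_ACCESS": "DashboardLogs",
    "ROLE_SECURITY_MAT_ACCESS": "DashboardSecMat",
}


class ApiError(Exception):
    """Hypothetical error type for a non-2xx answer from the role API."""

    def __init__(self, status):
        super().__init__(f"HTTP {status}")
        self.status = status


def effective_roles(user_id, get_user_roles, get_user_groups, get_group_roles):
    """Steps (2)-(4): direct roles plus roles inherited through groups."""
    roles = set(get_user_roles(user_id))
    # A user with direct role assignment only has no groups. Skipping empty
    # group names avoids the "groupName=" call that was answered with 400.
    for group in get_user_groups(user_id):
        if not group:
            continue
        roles.update(get_group_roles(group))
    return roles


def authorize(user_id, get_user_roles, get_user_groups, get_group_roles,
              params=ROLE_PARAMS):
    """Step (5): map each ROLE_* parameter to allow/deny for this caller.

    Any lookup failure denies everything (fail closed) instead of showing
    log files or security material to a caller whose roles are unknown.
    """
    try:
        roles = effective_roles(user_id, get_user_roles,
                                get_user_groups, get_group_roles)
    except ApiError:
        roles = set()
    grants = {name: role in roles for name, role in params.items()}
    # Without the general access role the dashboard is blocked entirely.
    if not grants.get("ROLE_GENERAL_ACCESS", False):
        grants = {name: False for name in grants}
    return grants


# --- Constructed sample data standing in for the API responses -------------
USER_ROLES = {"S0000000001": ["DashboardUser"], "S0000000002": []}
USER_GROUPS = {"S0000000001": [], "S0000000002": ["CPI_ADMINS"]}
GROUP_ROLES = {"CPI_ADMINS": ["DashboardUser", "DashboardLogs"]}


def fake_user_roles(user_id):
    return USER_ROLES.get(user_id, [])


def fake_user_groups(user_id):
    return USER_GROUPS.get(user_id, [])


def fake_group_roles(group):
    if not group:  # models the 400 seen for an empty groupName
        raise ApiError(400)
    return GROUP_ROLES.get(group, [])


if __name__ == "__main__":
    for uid in ("S0000000001", "S0000000002", "S9999999999"):
        print(uid, authorize(uid, fake_user_roles, fake_user_groups,
                             fake_group_roles))
```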
Hi all
could solve the 403 problem; too few permissions!
We have now implemented version 1.0.31 and have a spinning wheel of death when calling the dashboard.
Do we still have to implement the fix with the index file?
Regards
Matthias
Hi Eng Swee
We tried to implement your "workaround" with the router.
Short question about that:
How should we configure the "yes" and "no" connection?
Regards, Matthias
Hi all Problem solved
the user in the security material did not match the config in the receiver configuration
Regards,
Matthias
Hi Raffael,
Thank you for this great blog post and kudos for the time, effort and creativity you have put into it!
I've got your CPI Dashboard running now, but I still have a question. When the page is loaded initially, the CPI instance data is fetched and displayed, but doesn't refresh/update automatically, correct? I've implemented a work-around by installing a page refresh plugin in the Chrome browser.
However, when the page is automatically refreshed let's say every 5 seconds, the underlying iFlow is also executed at the same rate. This results in a total of 12 new OAuth tokens every minute. I configured the token's lifetime to a maximum of 1 minute, but it seems that sometimes the amount of tokens exceeds a certain maximum which results in a HTTP 401 error on client-side.
Is there a way, without editing your integration content, to let the page refresh automatically?
Thank you in advance!
Regards,
Rik
Hi Rik Dingemans,
thanks for your valuable feedback. Since I used the tool to get an overview I never tried to refresh the page that often.
Which of the OAuth token exceeds? The one for the Platform API or the one for the SAP CPI? (When setting up the IFlow you created two kinds of OAuth tokens.)
The tokens themselves are reused during a dashboard call for multiple API calls, but you are right. They aren't saved over multiple dashboard calls. I add this to the list for the next release. (I plan to store them in the datastore and make them reusable.)
Regarding the refresh question. For now, it's impossible to activate an "auto-refresh". But I'll add it also to the list for the upcoming release. (If you want to implement it yourself, you should add some javascript timer in the website's code. Sources are available on Github...)
Regards,
Raffael
Hi Raffael Herrmann
Thank you for your prompt reply. The SAP CPI token exceeds randomly, sometimes I have to mass-revoke all generated tokens.
I will try and find a proper Javascript timer to put into the code.
Thanks again,
Regards,
Rik
Hi Rik Dingemans
the rows 823-839 of the index.html trigger the data retrieval for the dashboard. You could extract these lines into a new function like
Then just place a function call to this function in line 823. As next step, add a new timer in line 824 (behind the loadDashboardData call) with the following code:
After that call the build script over here. It will output a file to /dist/staticContent.groovy. Open this file and copy the Base64 block into the file with the same name in the following directory: /IFlow/Source/src/main/resources/script. At the end zip the /IFlow/Source directory. Et voilà – you have a patched dashboard.
Regards,
Raffael
Hi Raffael,
Thanks for this suggestion. I followed your steps, but unfortunately the Dashboard is now unresponsive with a 'spinning wheel of death' in it:
I will try and do some bugfixing when I find the time 😉
Cheers!
Regards,
Rik Dingemans
I don't know how fit you are in the field of web development, so maybe this is nothing new for you. But have you tried pressing F12 in your browser? This should bring up the developer tools. Switch to the "console" tab and search for errors in the main page. If you found something suspicious, click on the line number at the right hand of the error line. This will bring you to the code view, where you can set break points to debug the site. Otherwise wait for the next release. 😉
Hi Raffael,
Found the issue! I did a copy-paste of your code:
And just found out that I also copied the small typo:
loadDashboarData instead of loadDashboardData
Refreshing works like a charm now! Thank you for your help!
Regards,
Rik
Hi Raffael,
Thanks for your Blog, that's really great ..
I downloaded the latest iflow from the below url - https://github.com/codebude/cpi-dashboard/releases - 1.0.3
and configured as mentioned in your blog, however I am getting the below error in the step shown in the below screenshot ..
org.apache.camel.component.ahc.AhcOperationFailedException: HTTP operation failed invoking https://api.XXX.hana.ondemand.com/authorization/v1/accounts/XXXXXXXXX/users/roles?userId=P2XX16XXXXX with statusCode: 401
I did follow your reply to Philippe and tested the client id and Secret in postman, which is successful.
I used the same url, client id and client secret in the security material as per below screenshot:
but I am not able to understand why I am getting this error..
below is the screenshot of the Receiver configuration.
also .. when I tested the url ( https://api.XXX.hana.ondemand.com/authorization/v1/accounts/XXXXXXXXX/users/roles?userId=P2XX16XXXXX with statusCode: 401 ) in postman.. I got 401 error.
Regards,
Pradeep.
Hi Pradeep,
If the call doesn't work in postman, then it's an authorization issue. Can you double check that you use the correct OAuth credentials? (You should have created two pairs. One for CPI access and one for CP/Platform access. You should use the one for CP/Platform here.)
Also double check, that you granted all needed roles/access types when creating the OAuth credentials pair.
If nothing helps, let me know. I'm on vacation for the next 2 weeks, but if you like, we can have a Skype/Teams session after my vacation to figure out together what's going wrong.
Best regards
Hi Raffael,
Thanks for your prompt reply,
>>>Can you double check that you use the correct OAuth credentials? (You should have created two pairs. One for CPI access and one for CP/Platform access. You should use the one for CP/Platform here.)
I have used the same OAuth credentials that I have used in the postman, In postman I got 200 status back. below are the screenshots.
CP/Platform access
CPI access
I believe I have all the roles, let me know if I miss any role (from the below screenshots).
Regards,
Pradeep A.
Hi Pradeep,
If the Postman calls to the token endpoints work, then your credentials (combination out of client id and client secret) are fine. But if the actual call against the API for getting the user roles fails, then your credentials might have a scope issue. That's what I meant when I said that you should check the scope/authorization of the OAuth credentials. (Theory: An OAuth credential pair gives you general access to an API. Since someone shouldn't use all functions of an API it is controlled via so called scopes, which API functions a user can access/use.)
So please check if your OAuth user for the platform API has the scopes to read the authorization and management API. Therefore check the following screenshots.
Best regards
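The two-step check discussed in this thread (token request with Basic auth, then the roles call with the Bearer token) as an added Python example that is not part of the dashboard. The `send` transport, `check_platform_credentials`, `fake_send` and the sample account and client values are assumptions; the host and URL paths are the ones quoted in the comments on this page.

```python
"""Two-step check of Platform API OAuth credentials (added example)."""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request


def token_request(host, client_id, client_secret):
    """POST to the token endpoint: Basic auth, grant_type=client_credentials."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    url = f"https://{host}/oauth2/apitoken/v1?grant_type=client_credentials"
    return urllib.request.Request(
        url, data=b"", method="POST",
        headers={"Authorization": f"Basic {basic}"})


def roles_request(host, account, user_id, bearer):
    """GET the roles of one user, authenticated with the Bearer token."""
    query = urllib.parse.urlencode({"userId": user_id})
    url = (f"https://{host}/authorization/v1/accounts/{account}"
           f"/users/roles?{query}")
    return urllib.request.Request(
        url, method="GET", headers={"Authorization": f"Bearer {bearer}"})


def http_send(request):
    """Real transport: returns (status, body) and never raises on 4xx/5xx."""
    try:
        with urllib.request.urlopen(request, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def check_platform_credentials(host, account, user_id, client_id,
                               client_secret, send=http_send):
    """Run both steps and report which one failed, without echoing secrets."""
    status, body = send(token_request(host, client_id, client_secret))
    if status == 401:
        return "token endpoint: 401, client id/secret rejected"
    if status != 200:
        return f"token endpoint: {status}, check the token service URL"
    try:
        bearer = json.loads(body)["access_token"]
    except (ValueError, KeyError, TypeError):
        return "token endpoint: 200 but no access_token in the response"
    status, _ = send(roles_request(host, account, user_id, bearer))
    if status == 200:
        return "ok"
    if status in (401, 403):
        return (f"roles call: {status}, credentials are valid; "
                "check the scopes granted to the OAuth client")
    return f"roles call: {status}"


def fake_send(token_status, roles_status):
    """Constructed offline transport so the example runs without a tenant."""
    def send(request):
        if "/oauth2/apitoken/" in request.full_url:
            return token_status, json.dumps({"access_token": "constructed"})
        return roles_status, "[]"
    return send


if __name__ == "__main__":
    # Constructed sample values; replace with your own and drop send=...
    for statuses in ((200, 200), (401, 200), (200, 401), (503, 200)):
        print(statuses, "->", check_platform_credentials(
            "api.eu2.hana.ondemand.com", "acct1234", "S0000000001",
            "sample-client-id", "sample-secret", send=fake_send(*statuses)))
```

Pass no `send` argument to run the same two requests against a real tenant; the result string tells you whether to look at the credential pair or at its scopes.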
It's not entirely clear the roles that are required for the OAuth client that accesses CPI's OData APIs (Credential SAP_CPI_AUTH_API_CREDENTIALS_OAUTH - Group 2)
After some troubleshooting and referring to Tasks and Permissions, I nailed it down to the following two roles (if you do not want to provide broad-based roles to the OAuth client user).
Hi Eng Swee,
Thanks for your help. As I see from all the problems it seems that my installation instructions are not as clear as I wished them to be. (Especially because practically the setup isn't that hard.)
I will rewrite this article when I'm back from my vacation and try to point out some steps more clearly. (Also I'm thinking about writing a small desktop tool which acts as guided setup.)
Regards, Raffael
No problem, Raffael. Have a good vacation 😉
Hello Raffael,
We are getting following error while calling the dashboard.
https://xxxxxx.hci.xxx.hana.ondemand.com/api/v1/MessageProcessingLogs/$count?$filter=LogStart%20ge%20datetime'2019-10-08T00:00:00.000'%20and%20LogStart%20le%20datetime'2019-10-08T23:59:59.999' with statusCode: 401
I checked both the Platform & Client token URL. I'm able to get back the token using postman.
Thanks
Hi Dijesh Tanna,
that's an authorization problem. Have you checked, that the OAuth user has enough "rights"? Please check Eng Swee's comment: https://blogs.sap.com/2019/08/22/how-to-install-and-configure-the-realcore-cpi-dashboard/comment-page-1/#comment-477030
Regards,
Raffael
Hello Raffael,
Thanks , error got resolved
Hi Raffael Herrmann,
Thanks for sharing this wonderful tool 🙂
Appreciate your efforts & help to integration community.
Regards
Bhargava Krishna
Many Thanks Raffael Herrmann, this really helps!
I have managed to follow the suggested process and am stuck at the last step, i.e. I’m able to fetch the CPI Roles API via Platform API OAUTH through Postman tool and when tried with CPI, it's giving me a 401 UnAuthorized Error.
can you please suggest if any additional access required to fetch the roles from ROLES API through SUID?
Unable to attach Postman Response & CPI Response to this thread.
Many Thanks,
Vijay Devulapalli
If it works in Postman, it should work in the tool, too. Please double-check that you are using the right credentials for the IFlow and wait a couple of hours (sometimes there seems to be a cache problem.)
If nothing helps, feel free to contact me via LinkedIn. Then we may look together on your problem.
Hi Raffael,
I am also getting error 401 during HTTP request/response to SAP_CP.
If I switch debug on I find in the CP_default trace:
#ERROR#com.sap.it.rt.authorization.oauth.generator.ClientOAuthGenerationBusinessLogic##S00xxxxx#https-jsse-nio-8041-exec-11###e....#na#na#na#na#doGenerateError while generating token: status code - 400 message - {"error":"invalid_request","error_description":"Unexpected request grant type."}|
#ERROR#com.sap.esb.camel.http.ahc.configurer.impl.OAuth2ClientCredentialsAhcBinding##S00xxxxxx#https-jsse-nio-8041-exec-11###e....#na#na#na#na#Error while generating token: status code - 400 message - {"error":"invalid_request","error_description":"Unexpected request grant type."}com.sap.it.rt.authorization.oauth.exception.OAuthException: Error while generating token: status code - 400 message - {"error":"invalid_request","error_description":"Unexpected request grant type."}
If I use Postman:
post https://api.eu2.hana.ondemand.com/oauth2/apitoken/v1?grant_type=client_credentials
with client ID and Client secret as basic auth.
it returns the bearer token.
get http://api.eu2.hana.ondemand.com/authorization/v1/accounts/e..../users/roles?userId=myID
using no auth and the bearer token from the post
it will return the roles as response.
Could you please let me know what I did wrong in the CPI config?
Thanks in advance for your help.
Markus
Hi Markus,
at first - if the OAuth flow works in Postman that's a good sign. So we can skip the part of checking the credentials creation, because from that point everything seems to be fine.
Since the IFlow works for me and others, I dare to assert that the IFlow itself is still functional. Thus the only point of failure I can think of is the OAuth security material (for the Cloud Platform access) in your tenant. Could you please check the following:
If anything of this differs in your credential and you change something, don't forget to redeploy before testing.
My current config looks like:
Please let me know if this solved your issues.
Hi Raffael,
Thanks!!!
This solved the 401 for CP.
But now I got 401 for HTTP to SAP_CPI ..../api/v1/MessageProcessingLogs/$count as already mentioned above, where Eng Swee provided a solution. This I checked already.
If I use Postman again:
post: https://oauthasservices-xxxxx.eu2.hana.ondemand.com/oauth2/api/v1/token?grant_type=client_credentials
with BasicAuth and ClientID and Clientsecret I get this response:
{"error":"unauthorized_client"}
Thanks in advance for your help.
Markus
Hi Markus,
this error comes from another API (the CPI tenant specific OData API – which is on another level than the generic Cloud Platform API, which was called in the step before.)
For this API you need a dedicated pair of OAuth credentials. Since it doesn’t work in Postman I guess there was an error made during the creation of these credentials.
When creating the credentials…
If you need help/assistance, feel free to contact me via LinkedIn for a chat.
Hi, I configured the integration flow by following all the instructions and it is deployed. It also shows the endpoints available, but when I use the endpoint for the dashboard, it gives me
HTTP Status 403 – Forbidden
I am using admin S-ID on CPI.
Help please.
Athar
Hi Athar,
please check if you assigned the role "ESBMessaging.send" (via Cloud Platform Cockpit --> Authorization) to your S-User.
Background: https://help.sap.com/viewer/368c481cd6954bdfa5d0435479fd4eaf/Cloud/en-US/62a03365f0c64fdda7417b6da7e5a4a7.html
Hi Raffael, My S-ID is part of the administrator group which has the ESBMessaging.send. I normally use the postman to send the test payload to CPI using my S-ID.
Hi, I am able to pass beyond 403 error, and now I am getting 401 error.
https://api.us2.hana.ondemand.com/authorization/v1/accounts/*****/users/roles?userId=S***** with statusCode: 401
I am able to get the token using Postman which means oauth credentials are working.
Any idea what could I be missing?
Athar
Sounds like an error with the OAuth security material in SAP CPI. Check that the OAuth credentials artifact for Cloud Platform has…
Hi Raffael, First, Thank you so much for helping on this.
I have the Token URL defined like this:
https://api.us2.hana.ondemand.com/oauth2/apitoken/v1?grant_type=client_credentials
It is also set to send the token in header.
It did move one step further after removing the parameters from the end-point but now giving error on filter process. And it is also displaying dialog box for user id and password, but it doesn’t accept the S-ID.
However, if I type below URL in Postman, it does return me a count value.
Error text: HTTP operation failed invoking https://****-tmn.hci.us2.hana.ondemand.com/api/v1/MessageProcessingLogs/$count?$filter=LogStart%20ge%20datetime'2020-013T00:00:00.000'%20and%20LogStart%20le%20datetime'2020-01-23T23:59:59.999‘ with statusCode: 401
Hi Athar,
This is good in some way, because the error you see now comes from a later step in the flow. So you successfully solved the first problem. 🙂
The error you face now, corresponds to the second OAuth credentials pair. (Do you remember? You generated two pairs. One for platform access and one for the CPI OData API.)
Please check:
If you still have problems, feel free to contact me via LinkedIn. Then we can arrange a quick screensharing session to solve the problem together.
Hi Raffael,
I figured out the issue after debugging and reviewing the iFlow in detail.
I have deployed v1.0.4 of the dashboard and the steps defined in this blog are missing the HTTP channel setup.
One of the channels used to get the count information is supposed to be Basic Authentication. But it is set up as OAuth in the iFlow. I modified the iFlow and changed the authentication to BASIC and it started working.
Everything is up and running now.
I really appreciate all the help.
Athar
Hi Athar,
Nice to hear that it works. But the count-API call runs against the same endpoint/API as other calls which use the OAuth credentials. So this definitely works with OAuth, too. 😉
Nevertheless - since it works for you now, leave it as it is.
Hello Raffael Herrmann ,
Congratulations on this fantastic job.
Applause!!
Kind regards,
Viana.
Dear Raffael,
I have the same problem already posted by Athar.
org.apache.camel.component.ahc.AhcOperationFailedException: HTTP operation failed invoking https://XXXXX-tmn.hci.eu1.hana.ondemand.com/api/v1/MessageProcessingLogs/$count?$filter=LogStart%20ge%20datetime'2020-02-17T00:00:00.000'%20and%20LogStart%20le%20datetime'2020-02-17T23:59:59.999' with statusCode: 401
IFlow:
I have now checked all authorization steps 3 times:
OAuth Client:
Permissions of OAuth Client:
Security Material CPI:
I found out that the URL written in the Cloud Platform OAuth section (https://oauthasservices-XXX.hana.ondemand.com/oauth2/api/v1/token) does not work.
I used this one instead:
https://oauthasservices-XXXX.hana.ondemand.com/oauth2/apitoken/v1?grant_type=client_credentials
Using Postman everything seems to be OK:
Step 1: Getting the token using the token URL (second one)
Step 2: Getting MessageProcessingLogs returns success, HTTP 200, with a number as body.
Could you please give a hint where I can troubleshoot the issue?
Thanks and best regards
Arne
Hi Arne,
you were on a good path when you wrote "I found out that the URL written in the Cloud Platform OAuth section (https://oauthasservices-XXX.hana.ondemand.com/oauth2/api/v1/token) does not work.". The truth lies in between. 😉
The Platform API uses a different OAuth token endpoint than the OAuth client tokens, which are needed for CPI's OData API. The second endpoint you identified (and proved as working in Postman) is correct. Unfortunately the CPI credentials are sometimes a little bit like a diva. 😀
Please try the following:
Edit the OAuth credential and especially the token endpoint url. Take the token endpoint url which also works in Postman, but cut off all url parameters (the "?grant_type=client_credentials" part). CPI will add this part on its own. After that, redeploy the credentials and try to reload the dashboard. (If it doesn't work immediately, wait a couple of minutes and try to reload the dashboard again.)
Best regards
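A small offline check for the two recurring problems in this thread, added here as an example (it is not part of the dashboard or of the original comments): it maps a failing call from an error text to the credential pair the replies associate with it, and flags a token URL that still carries query parameters such as "?grant_type=client_credentials". The function names, the "platform"/"client" labels, the https check and the sample lines are assumptions made for this illustration; hosts and accounts are placeholders.

```python
import re
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed sample lines modelled on the error texts quoted in the comments;
# tenant, account and user names are placeholders.
SAMPLE_ERRORS = [
    "HTTP operation failed invoking https://example-tmn.hci.eu1.hana.ondemand.com"
    "/api/v1/MessageProcessingLogs/$count?$filter=LogStart%20ge%20datetime"
    "'2020-02-17T00:00:00.000' with statusCode: 401",
    "https://api.us2.hana.ondemand.com/authorization/v1/accounts/exampleacct"
    "/users/roles?userId=S0000000 with statusCode: 401",
]

ERROR_RE = re.compile(r"(https://\S+) with statusCode: (\d{3})")


def credential_pair_for(url):
    """Name the OAuth credential pair the thread ties to this endpoint."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    # Roles lookup on the generic Cloud Platform API -> platform credentials.
    if host.startswith("api.") and parts.path.startswith("/authorization/"):
        return "platform"
    # MessageProcessingLogs on the tenant's OData API -> client credentials.
    if ".hci." in host and parts.path.startswith("/api/v1/MessageProcessingLogs"):
        return "client"
    return "unknown"


def triage(line):
    """Extract URL and status from an error text; None if the line has neither."""
    match = ERROR_RE.search(line)
    if match is None:
        return None
    url, status = match.group(1), int(match.group(2))
    return {
        "status": status,
        "host": urlsplit(url).hostname,
        "pair": credential_pair_for(url),
    }


def normalize_token_url(token_url):
    """Return the token URL without query/fragment, plus the dropped parameter names."""
    parts = urlsplit(token_url)
    dropped = sorted(parse_qs(parts.query, keep_blank_values=True))
    clean = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    return clean, dropped


def review_security_material(pair, token_url):
    """List findings for one OAuth security material entry (empty list = nothing to fix)."""
    findings = []
    clean, dropped = normalize_token_url(token_url)
    if urlsplit(token_url).scheme != "https":
        # Assumption of this example: credentials and tokens should only travel over TLS.
        findings.append(f"{pair}: token URL is not https")
    if dropped:
        findings.append(f"{pair}: remove query parameters {dropped}; use {clean}")
    return findings


if __name__ == "__main__":
    for sample in SAMPLE_ERRORS:
        print(triage(sample))
    print(review_security_material(
        "client",
        "https://oauthasservices-example.hana.ondemand.com/oauth2/apitoken/v1"
        "?grant_type=client_credentials",
    ))
```

After changing a token URL, redeploy the security material before testing again, as the replies above point out.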
Hi Raffael,
thanks for the reply. I have now removed the URL parameter and redeployed. The application still does not run. I have found another hint. If I get the token using Postman I do not get any scope:
Hi Arne,
that’s correct. Mine also doesn’t get a value in the scope-field. That shouldn’t be a problem. Feel free to contact me via LinkedIn for a screensharing session.
Hi Arne,
I’m in the same position as you were. Any luck?
Cheers
Hi Raffael,
first of thanks for providing such an awesome tool. I just wanted to give an additional tip, since I lost some time on that:
If you want to call the dashboard in the browser, do not authenticate with s-user certificate in browser (single sign on SAP passport). Use your s-user credentials, otherwise you will receive a 403 error.
Regards
Saraj
Hi Raffael,
Thanks for sharing all this fantastic work!
I managed to deploy the latest version of the code in my CPI tenant, but I'm facing the error below when trying to enter the dashboard:
Error text: java.lang.Exception: java.lang.Exception: User SXXXXXXXX not authorized. Missing role: 'de.realcore.cpi.dashboard'.@ line 30 in authValidate.groovy
Using postman, if I do a get call of
https://api.ap1.hana.ondemand.com/authorization/v1/accounts/nxf6daldna/users/roles?userId=SXXXXXX
I get as result the roles assigned to my oss user....
Can you help me to figure where is the issue here?
(all the Postman calls to check the auth configuration are OK, returning the token or the role of the user...)
Thank you!
Best regards
Antoine
Hi Antoine,
you wrote: “Using postman, if I do a get call of […] I get as result the roles assigned to my oss user….“.
And does this answer in Postman list a role called “de.realcore.cpi.dashboard”? If not, you know why the dashboard throws this error.
In that case you have two options to solve the missing role problem:
Hi Raffael,
Creating and adding the missing role to my user solved my problem.
Maybe it would be interesting to add this step to your "how to" (or maybe it's my lack of knowledge that led me to this issue).
In any case, thank you very much for giving us opportunity to use this dashboard.
Best regards
Antoine
Hi Raffael,
thanks for the great documentation.
Unfortunately I got the same error as Antoine. Then I created the role and assigned my S-User to this role. Now I am not able to log on to the dashboard. It means it tries to access via S-User and password but nothing happens.
Do you know what happens here?
Thanks
Julian
Hi Raffael,
now it is working as I did the same configuration as Athar.
Anyway, I got another confusing message in the dashboard. Why do I not have enough authorization? I assigned my S-User to your recommended roles and I have no authorization to view the logfiles and passwords?
Thanks in advance.
Julian
Thank you Raffael Herrmann for the detailed explanation of how to configure and run this dashboard. Appreciate your efforts.
I just need help with the items below.
Thanks in advance.
Hi Raffael,
after the configuration I get a HTTP 500 Error:
Error text: java.lang.Exception: java.io.FileNotFoundException: https://******-tmn.hci.eu1.hana.ondemand.com/itspaces/odata/1.0/workspace.svc/ContentEntities.ContentPackages?$format=json@ line 48 in diffGetIFlowPackageContent.groovy
When I call the URL https://******-tmn.hci.eu1.hana.ondemand.com/itspaces/odata/1.0/workspace.svc/ContentEntities.ContentPackages?$format=json via BasicAuth of my S-User in Postman the response is:
Hi Matthias,
I was also facing the same issue as described by you. Eventually it got resolved by adding the below roles to my S-User ID:
AuthGroup.IntegrationDeveloper
AuthGroup.ReadOnly
AuthGroup.BusinessExpert
Hope this may help you
Regards,
Saurabh
That worked, thanks 😉
Thank you Raffael Herrmann for the detailed explanation of how to configure and run this dashboard.
I have a question: do you have plans to create a similar post for CPI on Cloud Foundry, or is there a workaround we can use for the Cloud Foundry environment?
Hi Jemil,
currently the dashboard isn't compatible with SAP CPI on CF. Sure I would love to see the dashboard on CF, too, but since it's a "spare-time project" and I'm lacking spare time currently, I can't promise any dates for such an update.
Hi Raffael,
thanks for this great tool and the explanations!
After deploying successfully and fixing the little issues here and there thanks to the other comments, I am faced with what seems to be a new issue.
After logging in, I get an Error 500:
java.lang.Exception: com.google.common.util.concurrent.UncheckedExecutionException: com.sap.it.nm.types.NodeManagerException: [CONTENT] [CONTENT_DEPLOY] [NoArtifactDescriptorFoundForArtifactName]: No artifact descriptor found for artifactName myuser@ line 72 in diffGetIflowPackageContent.groovy
While this message is displayed I get authentication popups so I suppose it's an authorization issue, but I couldn't find a better clue.
Any idea?
Thanks
Friedrich
Hi Friedrich,
That sounds like a configuration error. In the IFlow configuration there is a field to place a "....BASIC_AUTH..." credential. In this field you have to enter the name of the "security material" from CPI that contains the basic auth user credentials. The error looks like you entered a "security material" name in the configuration that doesn't exist/isn't deployed.
BR,
Raffael
Hi Raffael Herrmann ,
When I tried to load the security material on the dashboard I got a 403 error. The URL triggered is https://{tenat ID}-tmn.hci.us2.hana.ondemand.com/api/v1/UserCredentials. Can you please help?
Hi Sai,
this sounds like a wrong/missing scope on the OAuth platform API credentials. Please re-check the steps concerning the creation of the platform API credentials from the manual above.
Hi Raffael,
thanks for your quick answer!
I had made a mistake on this credential's configuration indeed. So I got past this stage but now I'm facing a 403 error:
HTTP operation failed invoking https://mytenant.hci.eu3.hana.ondemand.com/api/v1/MessageProcessingLogs/$count?$filter=LogStart%20ge%20datetime'2020-10-29T00:00:00.000'%20and%20LogStart%20le%20datetime'2020-10-29T23:59:59.999' with statusCode: 403
I suppose this has to do with the client credential but I can't find what's wrong; it has the nodeManager.read and IntegrationOperationServer.read roles and I suppose that it's authenticated properly, as I don't have any 401 anymore.
Thanks a lot for the support!
Best regards,
Friedrich
Hi Friedrich,
I can think of different things which might go wrong...
Best regards,
Raffael
Hi Raffael,
yes I have created the two pairs and for "group 2", which is used for MessageProcessingLogs if I understand correctly, I use the pair created in the "Client" tab.
With Postman, calling https://mytenant.eu3.hana.ondemand.com/api/v1/MessageProcessingLogs/ works fine with the client pair credentials.
Timing is not an issue, roles have been set hours ago now :).
I'm still testing and trying to make it work, any other suggestion is welcome!
Thanks for your help,
Friedrich
If it works in Postman then either you have a typo in the security material (=> try to recreate the security material / redeploy) or it's a caching problem. (Then it may be solved on its own just over time... Take your weekend and try again on Monday. 😉 )
In fact it was appearing to work in Postman only because of a remaining authentication cookie of another user.
But a clean test with the client pair gives me the same 403 result as on the dashboard. At least it's consistent!
But you're right, let's have some rest and try again later.
Have a nice week-end,
Friedrich
Hi Raffael,
just an update; by replacing all OAuth2 logins by basic auth in the integration flow I managed to have the tool up and running. Very weird; I did the steps several times with the client user but always ended up with a 403 on MessageProcessingLogs.
If you're interested in having a quick look let me know!
Also, now that the dashboard is live, I noticed that there seems to be some discrepancy between the two CPU usage statistics; during the last 15 minutes "CPU load" was between 4 and 5 all the time but "CPU use" was below 1%.
Thanks for the nice dashboard!
Friedrich
Hi Raffael,
Thank you for the nice CPI dashboard. We were able to configure and run the dashboard with your step by step instructions.
We have assigned ROLE_GENERAL_ACCESS, ROLE_LOG_AND_FILE_ACCESS & ROLE_SECURITY_MAT_ACCESS parameter values to multiple S users. But, unfortunately only the user (SAP_CPI_AUTH_API_CREDENTIALS_BASICAUTH) configured in the security material can access it. None of the other users can access it.
How do we enable this dashboard to be accessed by multiple users instead of single user? please guide.
Thanks & Regards,
Phani.
The roles (ROLE_GENERAL_ACCESS, ...) should be assigned to the S-Users that log into the dashboard via web browser. There's nothing more to configure. Maybe the IDP needs some time to update the roles. Have you tried to log off and on again with the S-Users that aren't able to use the dashboard? Which error message do you receive?
Hi Team,
I am deploying this iFlow and I am getting the below errors. Can you please help?
Attached is the error screenshot.
You missed setting up the credential name in the IFlow configuration. Please click "configure" to open the IFlow config and set the corresponding logon credential name. Also check the section "Parameter Name (Group): Credential Name/SAP_CPI_AUTH_API_CREDENTIALS_OAUTH" of this blog article.
Hi Raffael,
I would like to test the Dashboard for CPI, I made the implementation but I get this error:
"Error text: HTTP operation failed invoking https://*****-tmn.hci.us3.hana.ondemand.com/itspaces/odata/1.0/workspace.svc/ContentEntities.ContentPackages?$format=json with statusCode: 401"
Could you guide me where the problem could be?
Greetings and Thanks.
Hello!
While opening the dashboard I get the error: "This request has been blocked; the content must be served over HTTPS."
I found the code:
Did I enter a parameter incorrectly when configuring?
The first part of the URL shown in your screenshot is read from a dynamic CPI header:
In the past/usually this header returned the current hostname including the right protocol. Either there was a change in CPI or something seems to be wrong with your instance. Have you called the Dashboard in your web browser via HTTP or HTTPS? (Please try with HTTPS.)
Yes, I definitely use HTTPS. But the HTTP remains in the header. I entered https manually in deliverStaticContent.groovy.
Everything works!
Thanks!
Hi together
We installed the RealCore IFlows on our CPI, which is running on the Neo cloud platform. There it is running without problems.
Now we tried to configure it on Cloud Foundry, and when we log on to the dashboard I get the wheel of death.
There are now errors found in the CPI which is running on the foundry.
Did anyone have the same problem on the foundry, or does someone have any idea for my problem?
Thanks for the help
Matthias
Hi Matthias,
please check the first paragraph of this blog article again. 😉
It reads out...
So the dashboard never worked on CPI@Cloud Foundry. Maybe some of the RealCore guys can fix it... You can reach out to them via https://www.realcore.de/index.php/contact
Hi Raffael
Thanks for the reply. I saw it also now in the blog 🙂
Hi Raffael,
I would like to test the Dashboard for CPI, I made the implementation but I get this error:
"Error text: HTTP operation failed invoking https://*****-tmn.hci.us3.hana.ondemand.com/itspaces/odata/1.0/workspace.svc/ContentEntities.ContentPackages?$format=json with statusCode: 401"
Could you guide me where the problem could be?
Thanks.
It seems to me that the project has already died.
For the new BTP, obtaining rights and groups does not work.
Getting groups and rights from the BTP does not work for me either. I could not find a solution.
Hi Raffael Herrmann
Hope you are doing great!! First of all thanks for this amazing tool.
But I am facing an issue while configuring it with CPI: accessing the MessageProcessingLogs OData API via OAuth. I went through all the above comments, I have followed the blog for the OAuth setup and it works fine when tested using the Postman tool. When the iFlow is deployed and I run the dashboard, the MPL OData API returns a 401 error. When I replace it with Basic user ID and password it works fine. Could you please let us know any workaround or how you overcame this situation in your case? I would love to connect with you on any platform as it is a bit urgent for us to resolve this.
CPI Environment using: NEO
Br,
Rizu Yadav
Mail Id: rizuyadav@gmail.com
Linkedin: linkedin.com/in/rizuyadav
Hi Raffael Herrmann,
Will there be a CF version in the near future? Or is this only possible through the RealCore people?
Kind regards,
Paul
Hey Raffael,
I just thought I could check if you have published a CF version in the meantime... I guess you still have the restriction with the www-authenticate header. Now I had an idea that I wanted to share. Not sure if you thought about it: you could create an API in API management as a layer between browser and IFlow. In the API Policies you could use the Basic Authentication policy to set the (hardcoded) credentials needed to access the IFlow. What do you think, could it solve this problem?
I would have implemented it to test, but realized that there would be many more changes necessary on the Iflow, I believe. Mainly because some APIs are different on CF compared to Neo or different Security concepts. But you know better what you have used and if it's still available in CF.
Kind regards, Philippe
Hello Rafael, how are you?
I'm new to SAP CPI and I'm trying to configure the Dashboard, but I'm running into these errors at the end. I followed the manual step by step; I think it's something simple, but I can't make progress.