
How to install and configure the RealCore CPI dashboard

This blog post is the second part of the series about our RealCore SAP CPI dashboard tool. It deals with the installation and configuration of the dashboard tool. You can find the first article, which is about the capabilities and features of the dashboard, over here:
Advanced monitoring and health check with RealCore’s CPI Dashboard

Before we start, let’s have a quick look at the restrictions that apply when installing and using the dashboard.


Since the Cloud Foundry (CF) variant of SAP CPI currently doesn’t send the WWW-Authenticate header, the IFlow isn’t usable via a web browser. The dashboard’s web interface itself is delivered via an IFlow and therefore needs a browser-friendly authentication method, so the dashboard isn’t supported on SAP CPI on CF environments for now.


Since the complete dashboard and all its code is packed into one single Integration Flow (IFlow), the installation of the dashboard is done within minutes.

First, download the current release from our GitHub repository. You can find the latest release here:

Next, open your SAP CPI tenant, switch to the Design-perspective and create/choose the package you want to place the monitoring IFlow into. Then edit the package, switch to the Artifacts-tab and click Add to upload the previously downloaded SAP CPI Dashboard release.

That’s it for the installation part. In the next section we will deal with the configuration.


All things that need to be configured can be maintained via “Externalized Parameters”. Thus, it is not necessary to make changes to the IFlow itself or its code. Some of the externalized parameters are used multiple times and therefore only need to be maintained once. So trust me – it’s not that much to configure.

To start the configuration, we switch to the configuration perspective now.

Let’s have a look at the different parameters which have to be set…

Sender configuration

On the Sender-tab you will find one system with multiple adapters (since the IFlow has multiple endpoints), but you have to configure only one parameter, because it is used in all sender channels.


How to set: Set this parameter to a URL slug of your choice. It will be the base URL of all endpoints of the IFlow.

Receiver configuration

On the Receiver-tab you will find three Receivers (SAP_CP = general Cloud Platform APIs, SAP_CPI = Cloud Platform Integration specific APIs, MAIL_SERVER = e-mail server to send out alerts) with 3 (SAP_CP), 7 (SAP_CPI) and 1 (MAIL_SERVER) channel. We will consider the different receiver systems separately.

Receiver – SAP_CP

All three SAP_CP receivers share the same configuration parameters. Thus you only have to do the configuration for one of the HTTP channels.

Parameter Name: SAP_CP_HOST

How to set: This must be set to the hostname of your SAP Cloud Platform API host. It is built like:

api.{regional hostname}

The {regional hostname} depends on the region your Cloud Platform account sits in. A list of possible hostnames can be found here: 


How to set: This should be set to the technical name of your SAP CPI tenant. You will find the technical name in the Cloud Platform Cockpit via Region –> Global Account –> SAP CPI Subaccount.

At the bottom of the subaccount page you will find the technical name of your SAP CPI tenant.

Explanation: These credentials are used to query the Authorization and Management API to retrieve a list of roles for the dashboard user/caller. The roles themselves are needed to show/hide different functions of the dashboard.

Parameter Name: Credential Name/SAP_CP_AUTH_API_CREDENTIALS

How to set: Enter the name of the security material/credentials which contains the credentials for the SAP Cloud Platform Authorization Management API. Note: If you haven’t used the Authorization Management API before, you have to create an account first. Create the OAuth credentials as described here and here. Then store the OAuth credentials in your SAP CPI’s security material section and enter the name of the security material as the needed configuration parameter.

Receiver – SAP_CPI

Unlike the SAP_CP receivers, not all of the SAP_CPI receivers share the same configuration parameters. The channels can be divided into two groups. The first group calls URLs under “/itspaces/odata/…” and the second group URLs under “/api/v1/…”.

The screenshot below shows how you can differentiate the groups. Ensure that you configure at least one channel of each group from the screenshot.

Parameter Name (Group): SAP_CPI_HOST (Group 1)

How to set: Set this to the hostname of your SAP CPI tenant management node. Take the screenshot below for example.


Parameter Name (Group): Credential Name/SAP_CPI_AUTH_API_CREDENTIALS_BASICAUTH (Group 1)

How to set: Enter the name of the security material/credentials which contains user and password (S-User/technical S-User) of an account which has sufficient rights to access the SAP CPI tenant.

Explanation: These credentials are used to access some unofficial SAP CPI APIs (the ones which are used by the SAP CPI web interface itself) to retrieve a list of runtime and designtime artifacts.

Parameter Name (Group): Credential Name/SAP_CPI_AUTH_API_CREDENTIALS_OAUTH (Group 2)

How to set: Enter the name of the security material/credentials which contains the OAuth credentials for the SAP CPI OData API.
Note: If you haven’t used the SAP CPI OData API via OAuth before, you have to create a set of OAuth credentials first. Check this article which describes how to set up the credentials. (Basically it’s the same as you did before for the Auth&Management API, but this time you use the “Clients”-tab instead of the “Platform API”-tab in the OAuth section of your CPI-subaccount.) When creating the credentials you need to assign at least the following two rules:


Then store the OAuth credentials in your SAP CPI’s security material section and enter the name of the security material as the needed configuration parameter.
Attention: Since Dashboard version 1.0.2 the credential has to be stored in a security material of type “OAuth2 Credentials”!

Explanation: These credentials are used to query the MessageProcessingLogs-resource (and more) of the SAP CPI OData API which is used to retrieve the message volume/counts.

Receiver – Mail Server

This part of the configuration is optional. You only have to configure this receiver if you want to use the alerting feature of the RealCore CPI Dashboard.

If you want to use the dashboard’s alerting engine, configure a valid mail server here. The dashboard will use it to send out alerting mails. If you don’t want to use the alerting engine, you can fill out the configuration with dummy values.


Congratulations, if you managed to get to this point – the hardest part of the configuration is done. On the “More”-tab you have to configure some more parameters.


How to set: If you plan to use the alerting engine of the dashboard, then you can set up the mail address here which should be shown as sender/origin of the alert mails.


How to set: You can set this parameter to any value. It defines the name of the Datastore which is used by the dashboard to cache the message count information. So ideally choose a name that is not yet in use and that fits your naming conventions for datastores.


How to set: This value describes the measuring interval for CPU utilization in milliseconds. (To measure CPU utilization, the CPU time is read out twice.) The higher the interval, the better the CPU usage results in the dashboard. On the other hand, the higher the interval, the longer the dashboard loading time. Everything higher than 1000 should be fine.


How to set: Define the name of the role a dashboard user must have assigned to get access to the dashboard. When the IFlow is called it checks if the user has the role defined here. If not, it blocks access to the dashboard. If you want to work with your own rules, read this article of mine, which describes custom role handling.


How to set: Define the name of the role a dashboard user must have assigned to view and download logfiles via the dashboard. When the IFlow is called it checks if the user has the role defined here. If not, it hides the logfiles section in the dashboard and blocks file download requests. If you want to work with your own rules, read this article of mine, which describes custom role handling.


How to set: Define the name of the role a dashboard user must have assigned to view security material/credentials. When the IFlow is called it checks if the user has the role defined here. If not, it hides the security material section in the dashboard and blocks manually executed calls to the secmat-service. If you want to work with your own rules, read this article of mine, which describes custom role handling.


How to set: This parameter is optional. You can enter connection data for multiple remote CPI tenants (separated by ;) here. The tenants configured here will be used for the dashboard’s IFlow comparison tool. Each remote system has to be entered in the format: <hostname of tenant>|<name of security material>
Example: If your remote tenant is available via “” and you have created a security material containing an S-User with password in your current tenant named “CPI_x0815_CREDENTIALS” then you should enter the following into the DIFF_REMOTE_CPI_TENANTS field:|CPI_x0815_CREDENTIALS

If you want to connect multiple remote tenants, just separate the tenant entries by use of a semicolon (;).


If you plan to use the alerting engine, you can configure here how often the engine should check for errors. Regardless of the interval you configure, the engine will check the complete time interval since the last check. So by setting a larger interval in the timer, you just configure how often you will receive mails.

Deployment and Usage

Now that we have finalized the configuration, we have to deploy the IFlow. Either click on the Deploy-button from the configuration page or use the deploy option from the package view.

After the successful deployment, switch to the operations view of your SAP CPI tenant and go to the Manage Integration Content -> All-perspective. Search for the dashboard IFlow. From here you can find the dashboard’s url. Copy the url and open it in a (modern) web browser.


Now we have reached the end of the second article. I hope you have successfully set up the RealCore Dashboard on your SAP CPI tenant. If there are problems or questions, just write a comment. I’m sure together we can figure out what went wrong.

  • Hi Raffael,

    Thank you for providing cpi dashboard. We are getting the following error when attempting to access the dashboard for the first time.

    HTTP operation failed invoking with statusCode: 401


    Any ideas?



    • Hi Jon Prow,

      this error looks like it comes from the IFlow's call to the authorization & management api. This call is done by the IFlow to get a list of roles of the S-User which is calling/opening the dashboard. If you get a 401 error for the auth & management api call, you may have a problem with the "platform api"-oauth credentials which you should have set up while configuring the dashboard.

      You can do two things now:

      1. Double check, that you passed the correct credentials in the IFlow configuration for the parameter SAP_CP_AUTH_API_CREDENTIALS
      2. Take the URL from the error message, use a tool like Postman and try to call the url with the auth & management api OAuth credentials. If it works in Postman, something with the IFlow is wrong. If it doesn't work in Postman, you may have made a mistake while setting up the API credentials.


      • Hey Raffael,

        I assume it's related to my configuration, but I think I am close.  Here is our error:


        Error text: HTTP operation failed invoking https://oauthasservices-<consumer-account> with statusCode: 503


        When I put url in Postman it doesn't work, but if i add the landscape host name in the url I am able to receive an access token.






        • Update - I am able to get in with adding the landscape host to the http connection to SAP_CPI from Integration Process / Collect system status and Integration Process / Read security material



          • Hi Jon,

            thanks for your effort and your feedback. I think I see what you meant. There are two http channels which call "". Unfortunately I missed to make them region aware.

            Instead of changing the IFlow itself, it should be possible to add the region key (as defined here: ) to the parameter SAP_CPI_TENANT_TECHNICALNAME. (This should be possible, because the parameter is only used in those two channels and sits right in front of the url part where the region selector should be.)

            So if your tenant technical name looks like "abc1234" and you are placed in "US East (Ashburn)" datacenter (see link above), then the SAP_CPI_TENANT_TECHNICALNAME should be set to "abc1234.us1".

            In the next version/update, I will fix this issue.



          • That's what I tried initially, but there is other configuration that uses SAP_CPI_TENANT_TECHNICALNAME that is impacted.  For example the HTTP connection to SAP_CP in the Check authorization integration.

            Thanks for the help, looking forward to the next release.


          • Oh, I see... But since the region-aware hostname, which is needed for the OAuth token calls, is exactly the same as the {{SAP_CP_HOST}}, just without the leading "api.", we can re-use this variable. I just set up a small new release, which uses the SAP_CP_HOST-parameter and does a substring on that. Thus the existing configuration doesn't have to be changed.

            You can find the release here: Feedback is appreciated. Thanks for your help again.

    • Hi Jon

      Your userId seems to be lacking the S-prefix. Maybe it's that?

      That is pulled from the security material entry for the parameter SAP_CPI_AUTH_API_CREDENTIALS_BASICAUTH (Group 3)

      However, in my case I have the prefix there and it still doesn't work.


        • Hi Raffael


          I deployed the new version and configured it again. Unfortunately, I still get:

          HTTP operation failed invoking with statusCode: 401


          Could it be a wrong credential? But then, why error 401..?


          • Hi Philippe Addor ,

            if your OAuth credentials are wrong, it would be a 401 (=Unauthorized) - it's the default behaviour. The call which fails for you is this one:

            If you check the configuration settings of the connector, you see that it uses "Authentication: OAuth2 Client Credentials" mode. When using this mode, the adapter takes the client credentials pair which you created in the security material section. Then it makes a call against the token endpoint which is part of the credential settings:

            This token endpoint responds with a Bearer token, which is then used to call the endpoint url which was configured in the communication channel. If the OAuth credentials are wrong, are missing grants or the token endpoint is wrong, you may get the 401 Unauthorized error you have seen.

            If you want to check if your OAuth credentials are correct, you could use a tool like Postman. The screenshot below shows the configuration. You should choose Authorization mode "Basic Auth", then copy Client ID and Client Secret from the Security Material (screenshot above). Then copy the "Token Service URL" as configured in the security material and add "?grant_type=client_credentials".

            If you click the "Send"-button, you should see a token response in the lower half of the Postman window. In addition you should see "Status 200 OK". If you get a "Status 401" (what I assume will happen), then you should re-check your credentials and re-create them like shown here:


          • Thanks Raffel for the comprehensive explanation! I think there are several issues:

            1. I made the mistake to mix up the security material for the different configuration parameters. I believe your channel configuration description in this blog differs at least from the latest version of the iflow. The HTTP channel groups on the image do not apply anymore.
            2. There seems to be a problem with getting the Message Processing Log and the Runtime Artifacts: the two channels in the corresponding flow steps have the setting "Authentication = None" in the Iflow. I have changed this to Basic, and voila, it works now for me!

              Before, the MPL had no Credential parameter, unlike described above (see below "SAP_CPI_AUTH_API_CREDENTIALS (Group 2)")

            However, I don't yet fully understand the difference between the Platform API Client and the "standard" Oauth client, as well as when to use Basic Auth and when Oauth (still learning... 🙂 ). So maybe my change would be unnecessary and there is still a mix-up in Security Material in the different configurations. Or maybe instead of using Basic, I should use the Oauth Client.


          • Hi Philippe,

            thanks for investing your time to test our tool. Glad to hear that it finally runs for you. Regarding your points...

            1. You're right. The screenshot with the groups was wrong. I fixed it right now in the blog post. It seems like when saving the IFlow in the new version, the channel/parameter list was just randomly mixed up... (Note to myself - re-check the channel order and update the blog post for each update.)
            2. Nice to hear that it works. But it was correct that the channels had no auth. For accessing the MessageProcessingLog-api (MPL-api) I used the OAuth logon mode. You can see that at the beginning of the main process ("Integration Process / Collect system status") there is a call named "Get Bearer token". At this point the CPI OAuth credential pair is used to get an access token. This token then later is used when calling the MPL api. (It is added to the request headers via script steps directly before doing the MPL call.) Your solution works also, because the MPL can be accessed via BasicAuth, too. I just used OAuth, because it's the preferred way to access this API.

            Now let's come to your questions concerning all the API keys.

            However, I don’t yet fully understand the difference between the Platform API Client and the “standard” Oauth client, as well as when to use Basic Auth and when Oauth (still learning… 🙂 ).

            We are dealing with three types of API in the dashboard. All of them need different credentials.

            1. Authorization and Management API: This API is used to query the roles assigned to a user. Since users are managed on SAP Cloud Platform level and are not specifically handled via your specific SAP CPI tenant/instance, we need credentials on the SAP Cloud Platform (SAP CP) level. That's why we create an OAuth credentials pair on "Platform API" level.
            2. SAP CPI OData API: This official API allows you to access different things of a specific SAP CPI tenant. (Think of the CPI as specific application which runs on the more generic Cloud Platform). That's why we need to create an own OAuth credential pair for this API calls and assign it to the SAP CPI application. (You can get a list of all SAP CPI OData apis here: )
            3. itspaces/workspace.svc API: This is an unofficial API. It's the API which is called via the SAP CPI website/webbackend. E.g. If you click on create a new IFlow, this API is called in background. We need this API to get a list of all the designtime content/IFlows because this information is not available via the official OData APIs. Since this API is not official and since it normally is used only when someone uses the website, we use the BasicAuth logon mode here. The credential pair should have the same rights as a user which uses the SAP CPI webbackend regularly.

            Hopefully this clarifies some of your open points. Have a nice


          • Hi Raffael

            Thanks a lot for the explanation! It makes sense now. And I will some time try to find out why the bearer token is not working in my case, just for the sake of my own learning.

            Best Regards,


    • Hi Prabhakar,

      did you see the new release 1.0.1? ( It fixes some of the connection errors.

      If you already use the current release, then it might be a problem with your OAuth credentials. Can you try to call the faulty url manually via Postman and check if you get the error there too?


        • Hi Prabhakar Teegavarapu,

          posting the url in a regular webbrowser gives these "code"-responses. That's correct, because when using a regular webbrowser the call is missing the needed token headers. Thus a webbrowser is not an appropriate tool to evaluate if your credentials are right.

          Please read this comment I wrote for Philippe. It explains how to check your OAuth credentials via Postman. It may help to find out what is going wrong on your side.


  • Hi Raffael Herrmann

    we are currently configuring the RealCore CPI dashboard on our test cpi.
    so far everything worked fine and thanks for the great documentation. From time to time it would be good to know which roles have to be assigned how and where in the cockpit. Maybe this can be completed…
    We have finished the configuration so far and can connect to the dashboard. As soon as the dashboard is opened the following http 400 error occurs:
    https://{{{SAP_CP_HOST}}/authorization/v1/accounts/{{SAP_CPI_TENANT_TECHNICALNAME}}/groups/roles?groupName= with statusCode 400
    Is it possible that our SAP_CP_HOST or the SAP_CPI_TENANT_TECHNICALNAME is not correct?

    I checked also that we use the correct Host (Rot Europ as described in

    with the log trace I could find out the place from where the error comes from (see the screenshot)

    where is this group drawn from and where can I configure it?

    Thanks for a little note



    • Hi Matthias Lüthi,

      The groupname, used in the connection which is shown in your screenshot, is read from the CPI exchange header. It will be filled in the "Check autorization" local integration process. This local integration process is called whenever a call to the dashboard is done.

      (1) The roles defined in the externalized parameters are written to the Exchange's properties. (You can define which roles a user of the dashboard should have assigned to get access to the different functionalities.)

      (2) The S-User id (read from the request headers) is used to get a list of roles that are directly assigned to a user.

      (3) The S-User id is used to get a list of groups the user is assigned to. (We have to do this, because the "get roles" call only gave roles directly assigned to the user, but not the ones which are assigned indirectly via groups.)

      (4) For each group we got back, we do a call of the local integration process shown in your screenshot, to retrieve a list of roles, which are assigned to the group the user was assigned to.

      (5) Now that we have all roles of the user (the directly assigned ones as well as the ones which came via groups) we compare them with the roles defined in the externalized parameters of the IFlow to decide if a dashboard user is authorized to use the dashboard or not.

      If it still fails, you could try to activate the "Trace" mode of the IFlow and check the properties/headers if they contain valid role names. If nothing works, you can also contact me via Skype/MS Teams. (Just drop me a message here with your e-mail/skype address.)
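Steps (1) to (5) above as an added Python sketch; it is not the dashboard's own code. All function names, role names and user ids are hypothetical, and the three fetchers stand in for the IFlow's calls to the authorization and management API. It skips the per-group call for users without groups, so no request with an empty `groupName=` is sent, and it denies every feature when a lookup fails.

```python
from typing import Callable, Dict, Iterable, Set

# Hypothetical names throughout: the three fetchers stand in for the IFlow's
# calls to the authorization and management API.
Fetcher = Callable[[str], Iterable[str]]


class RoleLookupError(Exception):
    """A fetcher raises this when its API call fails (for example HTTP 400 or 401)."""


def collect_roles(user_id: str, user_roles: Fetcher, user_groups: Fetcher,
                  group_roles: Fetcher) -> Set[str]:
    """Steps (2)-(4): directly assigned roles plus roles inherited via groups."""
    roles = set(user_roles(user_id))
    # Skip empty group names so that no request with an empty groupName is
    # sent; a user without groups contributes no group roles.
    for group in user_groups(user_id):
        if group and group.strip():
            roles.update(group_roles(group.strip()))
    return roles


def authorize(user_id: str, required: Dict[str, str], user_roles: Fetcher,
              user_groups: Fetcher, group_roles: Fetcher) -> Dict[str, bool]:
    """Step (5): map each feature to True if the user holds its configured role.

    Fails closed: if any lookup fails, every feature is denied.
    """
    try:
        roles = collect_roles(user_id, user_roles, user_groups, group_roles)
    except RoleLookupError:
        return {feature: False for feature in required}
    return {feature: role in roles for feature, role in required.items()}


# Constructed sample data, not taken from a real tenant.
REQUIRED = {  # step (1): role names as set in the externalized parameters
    "dashboard": "DashboardUser",
    "logfiles": "DashboardLogViewer",
    "secmat": "DashboardSecMatViewer",
}
DIRECT_ROLES = {"S0000000001": ["DashboardUser"], "S0000000002": []}
USER_GROUPS = {"S0000000001": [], "S0000000002": ["IntegrationOps", ""]}
GROUP_ROLES = {"IntegrationOps": ["DashboardUser", "DashboardLogViewer"]}


def sample_user_roles(user_id: str) -> Iterable[str]:
    return DIRECT_ROLES.get(user_id, [])


def sample_user_groups(user_id: str) -> Iterable[str]:
    return USER_GROUPS.get(user_id, [])


def sample_group_roles(group: str) -> Iterable[str]:
    if not group:  # mimic an API that answers an empty groupName with an error
        raise RoleLookupError("HTTP 400 for empty groupName")
    return GROUP_ROLES.get(group, [])


def failing_lookup(_name: str) -> Iterable[str]:
    raise RoleLookupError("HTTP 401 from the API")  # constructed failure


if __name__ == "__main__":
    for user in ("S0000000001", "S0000000002", "S0000000003"):
        print(user, authorize(user, REQUIRED, sample_user_roles,
                              sample_user_groups, sample_group_roles))
    print("lookup failure:", authorize("S0000000001", REQUIRED, failing_lookup,
                                       sample_user_groups, sample_group_roles))
```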


    • Hi Matthias


      This is related to the role assignment of the user used to access this dashboard via web browser. If you use direct role assignment, then you will hit this error. The quick fix is to simply assign the user to any existing groups.


      I have submitted a pull request ( to Raffael to fix this, so that groups are not checked if user is not assigned any groups.



      Eng Swee

      • Hi all
        could solve the 403 problem; too few permissions!
        We have now implemented version 1.0.31 and have a spinning wheel of death when calling the dashboard.
        Do we still have to implement the fix with the index file?



      • Hi Eng Swee

        We tried to implement your "workaround" with the router.

        Short question about that:

        How should we configure the "yes" and "no" connection?

        Regards, Matthias

  • Hi Raffael,

    Thank you for this great blog post and kudos for the time, effort and creativity you have put into it!

    I've got your CPI Dashboard running now, but I still have a question. When the page is loaded initially, the CPI instance data is fetched and displayed, but doesn't refresh/update automatically, correct? I've implemented a work-around by installing a page refresh plugin in the Chrome browser.

    However, when the page is automatically refreshed let's say every 5 seconds, the underlying iFlow is also executed at the same rate. This results in a total of 12 new OAuth tokens every minute. I configured the token's lifetime to a maximum of 1 minute, but it seems that sometimes the amount of tokens exceeds a certain maximum which results in a HTTP 401 error on client-side.

    Is there a way, without editing your integration content, to let the page refresh automatically?

    Thank you in advance!




    • Hi Rik Dingemans,

      thanks for your valuable feedback. Since I used the tool to get an overview I never tried to refresh the page that often.

      [...] but it seems that sometimes the amount of tokens exceeds a certain maximum which results in a HTTP 401 error on client-side.

      Which of the OAuth token exceeds? The one for the Platform API or the one for the SAP CPI? (When setting up the IFlow you created two kinds of OAuth tokens.)

      The tokens themselves are reused during a dashboard call for multiple API calls, but you are right. They aren't saved over multiple dashboard calls. I add this to the list for the next release. (I plan to store them in the datastore and make them reusable.)

      Regarding the refresh question. For now, it's impossible to activate an "auto-refresh". But I'll add it also to the list for the upcoming release. (If you want to implement it yourself, you should add some javascript timer in the website's code. Sources are available on Github...)


      • Hi Raffael Herrmann

        Thank you for your prompt reply. The SAP CPI token exceeds randomly, sometimes I have to mass-revoke all generated tokens.

        I will try and find a proper Javascript timer to put into the code.

        Thanks again,



        • Hi Rik Dingemans

          the rows 823-839 of the index.html trigger the data retrieval for the dashboard. You could extract these lines into a new function like

          function loadDashboardData(){
            //content of lines 823-838
          }

          Then just place a function call to this function in line 823. As next step, add a new timer in line 824 (behind the loadDashboardData call) with the following code:

          //Call dashboard data every 10 seconds
          setInterval(loadDashboardData, 10000);

          After that call the build script over here. It will output a file to /dist/staticContent.groovy. Open this file and copy the Base64 block into the file with the same name in the following directory: /IFlow/Source/src/main/resources/script. At the end zip the /IFlow/Source directory. Et voilà – you have a patched dashboard.


          • Hi Raffael,

            Thanks for this suggestion. I followed your steps, but unfortunately the Dashboard is now unresponsive with a 'spinning wheel of death' in it:


            I will try and do some bugfixing when I find the time 😉



            Rik Dingemans

          • I don't know how fit you are in the field of web development, so maybe this is nothing new for you. But have you tried pressing F12 in your browser? This should bring up the developer tools. Switch to the "console" tab and search for errors in the main page. If you found something suspicious, click on the line number at the right hand of the error line. This will bring you to the code view, where you can set break points to debug the site. Otherwise wait for the next release. 😉

          • Hi Raffael,

            Found the issue! I did a copy-paste of your code:

            //Call dashboard data every 10 seconds
            setInterval(loadDashboarData, 10000);

            And just found out that I also copied the small typo:

            loadDashboarData instead of loadDashboardData

            Refreshing works like a charm now! Thank you for your help!


  • Hi Raffael,

    Thanks for your Blog, that's really great ..

    i downloaded the latest iflow from the below url - - 1.0.3


    and configured as mentioned in your blog, how ever i am getting the below error in the step show in the below screenshot  ..

    org.apache.camel.component.ahc.AhcOperationFailedException: HTTP operation failed invoking with statusCode: 401


    i did follow your reply to Philippe  and tested the client id and Secret in postman, which is successful.

    i used the same url, client id and client secret in the security material as per below screenshot:

    but i am not able to understand why i am getting this error..

    below is the screenshot of the Receiver configuration.

    also .. when i tested the url ( with statusCode: 401 ) in postman.. i got 401 error.



    • Hi Pradeep,

      If the call doesn't work in postman, then it's an authorization issue. Can you double check that you use the correct OAuth credentials? (You should have created two pairs. One for CPI access and one for CP/Platform access. You should use the one for CP/Platform here.)

      Also double check, that you granted all needed roles/access types when creating the OAuth credentials pair.

      If nothing helps, let me know. I'm on vacation for the next 2 weeks, but if you like, we can have a Skype/Teams session after my vacation to figure out together what's going wrong.

      Best regards

  • Hi Raffael,

    Thanks for your prompt reply,

    >>>Can you double check that you use the correct OAuth credentials? (You should have created two pairs. One for CPI access and one for CP/Platform access. You should use the one for CP/Platform here.)

    i have used the same OAuth credentials that i have used in the postman, In postman i got 200 status back. below are the screenshots.

    CP/Platform access

    CPI access


    >>Also double check, that you granted all needed roles/access types when creating the OAuth credentials pair

    i believe i have all the roles, let me know if i miss any role (from the below screenshots).



    Pradeep A.

    • Hi Pradeep,

      If the Postman calls to the token endpoints work, then your credentials (combination out of client id and client secret) are fine. But if the actual call against the API for getting the user roles fails, then your credentials might have a scope issue. That's what I meant when I said that you should check the scope/authorization of the OAuth credentials. (Theory: An OAuth credential pair gives you general access to an API. Since someone shouldn't use all functions of an API it is controlled via so called scopes, which API functions a user can access/use.)

      So please check if your OAuth user for the platform API has the scopes to read the authorization and management API. Therefore check the following screenshots.



      Best regards
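The two checks discussed in this thread (the Postman call against the Token Service URL, then the actual API call to catch a scope problem), combined into one added Python script; it is not part of the dashboard or of any comment. The function names, outcome codes and `example.invalid` URLs are assumptions, and the token request is sent as POST, which the thread does not state.

```python
import base64
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

Response = Tuple[int, str]  # (HTTP status, body text)
Transport = Callable[[str, str, Dict[str, str]], Response]

# Outcome codes (hypothetical names) and how the thread reads each case.
DIAGNOSIS = {
    "OK": "credentials and scopes are fine",
    "BAD_CLIENT_CREDENTIALS": "token endpoint answered 401: re-check or re-create client id/secret",
    "TOKEN_REQUEST_REJECTED": "token endpoint refused the request: check Token Service URL and grant type",
    "NO_TOKEN_IN_RESPONSE": "token endpoint answered 200 without an access_token",
    "API_REFUSED_TOKEN": "token issued but API refused it: wrong credential pair for this API or missing scope",
    "API_ERROR": "API call failed for a reason other than authorization",
}


def build_token_request(token_url: str, client_id: str,
                        client_secret: str) -> Tuple[str, Dict[str, str]]:
    """Same request as the Postman check: Basic Auth with client id/secret and
    grant_type=client_credentials appended to the Token Service URL."""
    sep = "&" if "?" in token_url else "?"
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return (f"{token_url}{sep}grant_type=client_credentials",
            {"Authorization": f"Basic {basic}"})


def http_call(method: str, url: str, headers: Dict[str, str]) -> Response:
    """Real transport using only the standard library; HTTP errors are
    returned as status codes, network failures as status 0."""
    data = b"" if method == "POST" else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")
    except urllib.error.URLError as err:
        return 0, str(err.reason)


def check_credentials(token_url: str, client_id: str, client_secret: str,
                      api_url: str, http: Transport = http_call) -> str:
    """Return one of the DIAGNOSIS keys. Secret and token are never printed."""
    url, headers = build_token_request(token_url, client_id, client_secret)
    status, body = http("POST", url, headers)
    if status == 401:
        return "BAD_CLIENT_CREDENTIALS"
    if status != 200:
        return "TOKEN_REQUEST_REJECTED"
    try:
        token = json.loads(body)["access_token"]
    except (ValueError, KeyError, TypeError):
        return "NO_TOKEN_IN_RESPONSE"
    # Second step: a token alone proves only the id/secret pair; the API call
    # shows whether this pair is the right one and carries the needed scope.
    api_status, _ = http("GET", api_url, {"Authorization": f"Bearer {token}"})
    if api_status == 200:
        return "OK"
    if api_status in (401, 403):
        return "API_REFUSED_TOKEN"
    return "API_ERROR"


if __name__ == "__main__":
    # Constructed placeholders; replace with the values from your own
    # security material and the URL shown in the IFlow error message.
    result = check_credentials(
        "https://token.example.invalid/oauth2/api/v1/token",
        "CLIENT_ID_PLACEHOLDER", "CLIENT_SECRET_PLACEHOLDER",
        "https://api.example.invalid/authorization/v1/placeholder")
    print(result, "-", DIAGNOSIS[result])
```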

  • It's not entirely clear the roles that are required for the OAuth client that accesses CPI's OData APIs (Credential SAP_CPI_AUTH_API_CREDENTIALS_OAUTH - Group 2)

    After some troubleshooting and referring to Tasks and Permissions, I nailed it down to the following two roles (if you do not want to provide broad-based roles to the OAuth client user).


    • Hi Eng Swee,

      Thanks for your help. As I see from all the problems it seems that my installation instructions are not as clear as I wished them to be. (Especially because practically the setup isn't that hard.)

      I will rewrite this article when I'm back from my vacation and try to point out some steps more clearly. (Also I'm thinking about writing a small desktop tool which acts as guided setup.)

      Regards, Raffael

  • Hello Raffael,


    We are getting following error while calling the dashboard.

 $count?$filter=LogStart%20ge%20datetime'2019-10-08T00:00:00.000'%20and%20LogStart%20le%20datetime'2019-10-08T23:59:59.999' with statusCode: 401


    I checked both the Platform & Client token URL. I'm able to get back the token using postman.



  • Many Thanks Raffael Herrmann, this really helps!

    I have managed to follow the suggested process and have got stuck at the last step, i.e. I'm able to fetch the CPI Roles API via Platform API OAUTH through the Postman tool, and when tried with CPI, it's giving me a 401 Unauthorized error.

    Can you please suggest if any additional access is required to fetch the roles from the ROLES API through SUID?

    Unable to attach Postman response & CPI response to this thread.

    Many Thanks,

    Vijay Devulapalli

    • If it works in Postman, it should work in the tool, too. Please double-check that you are using the right credentials for the IFlow and wait a couple of hours (sometimes there seems to be a cache problem.)

      If nothing helps, feel free to contact me via LinkedIn. Then we may look together on your problem.

  • Hi Raffael,

    I am also getting error 401 during HTTP request/response to SAP_CP.

    If I switch debug on I will find in CP_default trace: while generating token: status code - 400 message - {"error":"invalid_request","error_description":"Unexpected request grant type."}| while generating token: status code - 400 message - {"error":"invalid_request","error_description":"Unexpected request grant type."} Error while generating token: status code - 400 message - {"error":"invalid_request","error_description":"Unexpected request grant type."}

    If I use Postman:
    with client ID and client secret as basic auth,
    it returns the bearer token.

    Using no auth and the bearer token from Postman,
    it will return the roles as response.

    Could you please let me know what I did wrong in the CPI config?

    Thanks in advance for your help.


    • Hi Markus,

      at first - if the OAuth flow works in Postman that's a good sign. So we can skip the part of checking the credentials creation, because from that point everything seems to be fine.

      Since the IFlow works for me and others, I dare to assert that the IFlow itself is still functional. Thus the only point of failure I can think of is the OAuth security material (for the Cloud Platform access) in your tenant. Could you please check the following:

      • The token service url shouldn't contain any url parameter. It should end with "...apitoken/v1". (For example - I use the following url which might differ if you are in a different location:
      • The parameter "Client Authentication" of the security material is set to "Send as Request Header".
      • The checkbox "Include Scope" isn't checked/marked.

      If anything of this differs in your credential and you change something, don't forget to redeploy before testing.

      My current config looks like:

      Please let me know if this solved your issues.

      • Hi Raffael,



        this solved the 401 for CP.


        But now I got 401 for HTTP to SAP_CPI ..../api/v1/MessageProcessingLogs/$count as already mentioned above, where Eng Swee provided a solution. This I checked already.


        If I use postman again:


        with BasicAuth and ClientID and Clientsecret I get this response:




        thanks in advance for your help.



        • Hi Markus,

          this error comes from another API (the CPI tenant specific OData API – which is on another level than the generic Cloud Platform API, which was called in the step before.)

          For this API you need a dedicated pair of OAuth credentials. Since it doesn’t work in Postman I guess there was an error made during the creation of these credentials.

          When creating the credentials…

          • …follow the paragraph “Credential Name/SAP_CPI_AUTH_API_CREDENTIALS_OAUTH” on this blog post
          • …make sure that you create the credentials in the “Clients” not in the “Platform API” tab of the Cloud Cockpit’s OAuth section
          • …ensure that you add the following two roles to the client. (You can attach them by going to the Authorizations section in Cloud Platform Cockpit. Then enter “oauth_client_<client ID>”, replace the <client ID> with the ID of your client generated before, and add the roles.)

          If you need help/assistance, feel free to contact me via LinkedIn for a chat.

  • Hi, I configured the integration flow by following all the instructions and it is deployed. It also shows the endpoints available, but when I use the endpoint for the dashboard, it gives me

    HTTP Status 403 – Forbidden

    I am using admin S-ID on CPI.



    Help please.



  • Hi Raffael, My S-ID is part of the administrator group which has the ESBMessaging.send. I normally use the postman to send the test payload to CPI using my S-ID.

  • Hi, I am able to pass beyond 403 error, and now I am getting 401 error.*****/users/roles?userId=S***** with statusCode: 401

    I am able to get the token using Postman which means oauth credentials are working.

    Any idea what could I be missing?



    • Sounds like an error with the OAuth security material in SAP CPI. Check that the OAuth credentials artifact for Cloud Platform has…

      • …send token in headers activated (don’t send them in body)
      • …the token endpoint URL without the parameters section. (If the token endpoint URL contains a ?, remove the ? and everything to the right of it.)
  • Hi Raffael, First, Thank you so much for helping on this.


    I have the Token URL defined like this:


    It is also set to send the token in header.

  • It did move one step further after removing the parameters from the end-point but now giving error on filter process. And it is also displaying dialog box for user id and password, but it doesn’t accept the S-ID.

    However, if I type below URL in Postman, it does return me a count value. 


    Error text: HTTP operation failed invoking https://****$count?$filter=LogStart%20ge%20datetime'2020-013T00:00:00.000'%20and%20LogStart%20le%20datetime'2020-01-23T23:59:59.999‘ with statusCode: 401


    • Hi Athar,

      This is good in some way, because the error you see now comes from a later step in the flow. So you successfully solved the first problem. 🙂

      The error you face now, corresponds to the second OAuth credentials pair. (Do you remember? You generated two pairs. One for platform access and one for the CPI OData API.)

      Please check:

      • That you set mode to "send via header" in the OAuth credentials/security artifact for CPI OAuth access
      • That you configured the correct token endpoint in the security material. (It's another token endpoint than the one for the Platform OAuth credentials. You can find the correct token endpoint in Cloud Platform Cockpit -> OAuth -> Client tab down at the bottom.)
      • Ensure that you assigned the necessary roles (check the instructions in the blog above) to the OAuth client credentials user

      If you still have problems, feel free to contact me via LinkedIn. Then we can arrange a quick screen-sharing session to solve the problem together.

  • Hi Raffael,

    I figured out the issue after debugging and reviewing the iFlow in detail.


    I have deployed v1.0.4 of the dashboard and steps defined in this blog are missing the http channel setup.

    One of the channels used to get the count information is supposed to be Basic Authentication. But it is set up as OAuth in the iFlow. I modified the iFlow and changed the authentication to BASIC and it started working.



    Everything is up and running now.

    I really appreciate all the help.



    • Hi Athar,

      Nice to hear that it works. But the count-api call runs against the same endpoint/API like other calls which use the OAuth credentials. So this definitely works with OAuth, too. 😉

      Nevertheless - since it works for you now, leave it as it is.


  • Dear Raffael,

    I have the same problem already posted by Athar.


    org.apache.camel.component.ahc.AhcOperationFailedException: HTTP operation failed invoking$count?$filter=LogStart%20ge%20datetime'2020-02-17T00:00:00.000'%20and%20LogStart%20le%20datetime'2020-02-17T23:59:59.999' with statusCode: 401


    I have now checked all authorization steps 3 times:

    OAuth Client:

    Permissions of OAuth Client:

    Security Material CPI:


    I found out that the URL written in Cloud Platform OAuth section ( does not work.

    I used this one instead:

    Using Postman everything seems to be ok:

    Step 1: Getting Token using Token URL (second one)

    Step 2: Getting MessageProcessingLogs returns success, HTTP 200, with a number as body.


    Could you please give a hint where I can troubleshoot the issue?


    Thanks and best regards



    • Hi Arne,

      you were on a good path, when you wrote "I found out that the URL written in Cloud Platform OAuth section ( does not work.". The truth lies in between. 😉

      The Platform API uses a different OAuth token endpoint than the OAuth client tokens, which are needed for CPI's OData API. The second endpoint you identified (and proved as working in Postman) is correct. Unfortunately the CPI credentials are sometimes a little bit like a diva. 😀

      Please try the following:
      Edit the OAuth credential and especially the token endpoint url. Take the token endpoint url which also works in Postman, but cut off all url parameters (the "?grant_type=client_credentials" part). CPI will add this part on its own. After that, redeploy the credentials and try to reload the dashboard. (If it doesn't work immediately, wait a couple of minutes and try to reload the dashboard again.)

      Best regards
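
The checklist Raffael gives in this thread for the OAuth security material (token endpoint without URL parameters, client authentication sent as request header, "Include Scope" unchecked) can be checked mechanically before redeploying. The following is an added example, not part of the thread or of the dashboard's code; the dictionary keys, host name and client values are constructed placeholders, and the request it builds is the standard OAuth 2.0 client-credentials request, not a capture of what CPI sends.

```python
"""Lint an OAuth2 client-credentials security material against the thread's checklist."""
import base64
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: host, client id and secret are placeholders,
# and the key names are hypothetical (they mirror the UI fields named in the thread).
SAMPLE_BAD = {
    "token_url": "https://oauth.example.invalid/oauth2/apitoken/v1?grant_type=client_credentials",
    "client_id": "example-client-id",
    "client_secret": "example-client-secret",
    "client_authentication": "body",   # thread: must be "Send as Request Header"
    "include_scope": True,              # thread: must be unchecked
}


def strip_query(url):
    """Return the URL without '?' and everything to the right of it."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def lint(cfg):
    """Return one finding per checklist item the configuration violates."""
    findings = []
    if "?" in cfg["token_url"]:
        findings.append("token_url carries URL parameters; use " + strip_query(cfg["token_url"]))
    if cfg["client_authentication"] != "header":
        findings.append("client credentials must be sent as request header, not in the body")
    if cfg["include_scope"]:
        findings.append("'Include Scope' must not be checked")
    return findings


def fix(cfg):
    """Return a copy of the configuration that satisfies the checklist."""
    return dict(cfg,
                token_url=strip_query(cfg["token_url"]),
                client_authentication="header",
                include_scope=False)


def build_token_request(cfg):
    """Build the client-credentials token request for a clean configuration.

    The grant type goes into the form body and the credentials into the
    Authorization header, so neither appears in the URL.
    """
    problems = lint(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    pair = f"{cfg['client_id']}:{cfg['client_secret']}".encode()
    return {
        "method": "POST",
        "url": cfg["token_url"],
        "headers": {
            "Authorization": "Basic " + base64.b64encode(pair).decode(),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": "grant_type=client_credentials",
    }


if __name__ == "__main__":
    for finding in lint(SAMPLE_BAD):
        print("FINDING:", finding)
    print(build_token_request(fix(SAMPLE_BAD))["url"])
```

Comparing the request this builds with the one that succeeds in Postman shows quickly whether the security material, rather than the credentials, is what differs.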

      • Hi Raffael,

        thanks for the reply. I have now removed the url parameter and redeployed. The application still does not run. I have found some other hint. If I get the token using Postman I do not get any scope:


        {
            "access_token": "335376779a49eb89f8d3938c6144c139",
            "token_type": "Bearer",
            "expires_in": 3600,
            "scope": ""
        }
        Is it correct?
        best regards


  • Hi Raffael,


    first of all, thanks for providing such an awesome tool. I just wanted to give an additional tip, since I lost some time on that:

    If you want to call the dashboard in the browser, do not authenticate with s-user certificate in browser (single sign on SAP passport). Use your s-user credentials, otherwise you will receive a 403 error.



  • Hi Raffael,

    Thanks for sharing all this fantastic work!

    I managed to deploy the latest version of the code in my CPI tenant, but I'm facing the error below when trying to enter the dashboard:

    Error text: java.lang.Exception: java.lang.Exception: User SXXXXXXXX not authorized. Missing role: 'de.realcore.cpi.dashboard'.@ line 30 in authValidate.groovy

    Using postman, if I do a get call of

    I get as result the roles assigned to my oss user....

    Can you help me to figure where is the issue here?

    (all the Postman calls to check auth configuration are ok, returning token or role of user...)


    Thank you!

    Best regards



    • Hi Antoine,

      you wrote: “Using postman, if I do a get call of […] I get as result the roles assigned to my oss user….“.

      And does this answer in Postman list a role called “de.realcore.cpi.dashboard”? If not, you know why the dashboard throws this error.

      In that case you have two options to solve the missing role problem:

      1. Replace the roles a user needs from de.realcore…-roles to some roles your user owns (it is configurable via the IFlow's “configuration” function)
      2. Add the missing roles to your user. (Check also this blog post.)
      • Hi Raffael,

        Creating and adding missing role to my user solved my problem.

        Maybe it would be interesting to add this step in your "how to" (or maybe it's my lack of knowledge that led me to this issue).

        In any case, thank you very much for giving us opportunity to use this dashboard.

        Best regards


    • Hi Raffael,

      thanks for the great documentation.

      Unfortunately I got the same error as Antoine. Then I created the role and assigned my S-User to this role. Now I am not able to log on to the dashboard. It means it tries to access via S-User and password but nothing happens.

      Do you know what happens here?



      • Hi Raffael,


        now it is working as I did the same configuration as Athar.

        Anyway, I got another confusing message in the dashboard. Why do I not have enough authorization? I assigned my S-User to your recommended roles and I have no authorization to view the logfiles and passwords?


        Thanks in advance.


  • Thank you Raffael Herrmann for the detailed explanation of how to configure and run this dashboard. Appreciate your efforts.

    I just need help with below items.

    1. For calling Group 1 services, we have to configure an S-User with required access. Can you please share the exact roles needed as our security team is not comfortable in assigning elevated access.
    2. When I tried to load the security material onto the dashboard I got 403 error. URL triggered is https://{tenat ID}
    3. For the Mail Adapter configuration. Which mail server to be used? Is there any SAP provided option here or we can use O365?
    4. Current Alerting feature in the dashboard is about messages and certificates. Is there any automated way to generate alerts for cases like high CPU Usage or any tenant level issues?
    5. Our client has SAP Passport setup for logging in into any cloud application or page. When he tried to access the dashboard using his SAP Passport, he received 403 forbidden error. Is logging in via cert allowed for this dashboard or we have to use credentials only?

    Thanks in advance.

  • Hi Raffael,


    after the configuration I get a HTTP 500 Error:

    Error text: java.lang.Exception: https://******$format=json@ line 48 in diffGetIFlowPackageContent.groovy


    When I call the url https://******$format=json via BasicAuth of my S-User in Postman the response is:

    {
        "error": {
            "code": null,
            "message": {
                "lang": "en",
                "value": "Entity not found"
            }
        }
    }

    When I call the url in the web browser, an SSO auth via my P-User is forced. But then I get a working JSON response.
    It looks like an authorization issue for the S-User. Do you have an idea what's missing?
  • Thank you Raffael Herrmann for the detailed explanation of how to configure and run this dashboard.

    I have a question: do you have plans to create a similar post for CPI on Cloud Foundry, or is there a workaround we can use for the Cloud Foundry environment?

    • Hi Jemil,

      currently the dashboard isn't compatible with SAP CPI on CF. Sure I would love to see the dashboard on CF, too, but since it's a "spare time project" and I'm lacking spare time currently, I can't promise any dates for such an update.

  • Hi Raffael,

    thanks for this great tool and the explanations!

    After deploying successfully and fixing the little issues here and there thanks to the other comments, I am faced with what seems to be a new issue.

    After logging in, I get an Error 500:

    java.lang.Exception: [CONTENT] [CONTENT_DEPLOY]  [NoArtifactDescriptorFoundForArtifactName]: No artifact descriptor found for artifactName myuser@ line 72 in diffGetIflowPackageContent.groovy

    While this message is displayed I get authentication popups so I suppose it's an authorization issue, but I couldn't find a better clue.

    Any idea?



    • Hi Friedrich,

      That sounds like a configuration error. In the IFlow configuration there is a field to place a "....BASIC_AUTH..." credential. In this field you have to enter the name of the "security material" from CPI that contains the basic auth user credentials. The error looks like you entered a "security material" name in the configuration that doesn't exist/isn't deployed.


  • Hi Raffael,

    thanks for your quick answer!

    I had made a mistake on this credential's configuration indeed. So I got past this stage but now I'm facing a 403 error:

    HTTP operation failed invoking$count?$filter=LogStart%20ge%20datetime'2020-10-29T00:00:00.000'%20and%20LogStart%20le%20datetime'2020-10-29T23:59:59.999' with statusCode: 403

    I suppose this has to do with the client credential but I can't find what's wrong; it has the and roles and I suppose that it's authenticated properly, as I don't have any 401 anymore.

    Thanks a lot for the support!

    Best regards,


    • Hi Friedrich,

      I can think of different things which might go wrong...

      • Do you use the correct client credential pair? (You had to create two pairs - one for platform api and one for cpi-tenant specific apis. You have to use the credential pair for cpi/tenant not the pair for the platform api.)
      • Have you waited for at least 10 minutes since setting the roles? (Sometimes in the past I experienced that it took a couple of minutes until the assigned roles to the OAuth credentials were finally set and recognized.)
      • Have you tried to call the API-url in a tool like Postman? (Use HTTP GET and the client credentials as entered into CPI.) Do you get the 403 in Postman, too?

      Best regards,

  • Hi Raffael,

    yes I have created the two pairs and for "group 2", which is used for MessageProcessingLogs if I understand correctly, I use the pair created in the "Client" tab.

    With Postman, calling works fine with the client pair credentials.

    Timing is not an issue, roles have been set hours ago now :).

    I'm still testing and trying to make it work, any other suggestion is welcome!

    Thanks for your help,


    • If it works in Postman then either you have a typo in the security material (=> try to recreate the security material / redeploy) or it's a caching problem. (Then it may be solved on its own just over time... Take your weekend and try again on Monday. 😉 )

  • In fact it was appearing to work in Postman only because of a remaining authentication cookie of another user.

    But a clean test with the client pair gives me the same 403 result as on the dashboard. At least it's consistent!

    But you're right, let's have some rest and try again later.

    Have a nice week-end,


  • Hi Raffael,

    just an update; by replacing all OAuth2 logins by basic auth in the integration flow I managed to have the tool up and running. Very weird; I did the steps several times with the client user but always ended up with a 403 on MessageProcessingLogs.

    If you're interested in having a quick look let me know!

    Also, now that the dashboard is live, I noticed that there seems to be some discrepancy between the two CPU usage statistics; during the last 15 minutes "CPU load" was between 4 and 5 all the time but "CPU use" was below 1%.

    Thanks for the nice dashboard!


  • Hi Raffael,

    Thank you for the nice CPI dashboard. We were able to configure and run the dashboard with your step by step instructions.

    We have assigned ROLE_GENERAL_ACCESS, ROLE_LOG_AND_FILE_ACCESS & ROLE_SECURITY_MAT_ACCESS parameter values to multiple S users. But, unfortunately only the user (SAP_CPI_AUTH_API_CREDENTIALS_BASICAUTH) configured in the security material can access it. None of the other users can access it.

    How do we enable this dashboard to be accessed by multiple users instead of single user? please guide.

    Thanks & Regards,


    • The roles (ROLE_GENERAL_ACCESS, ...) should be assigned to the S-Users that log into the dashboard via web browser. There's nothing more to configure. Maybe the IDP needs some time to update the roles. Have you tried to log off and on again with the S-Users that aren't able to use the dashboard? Which error message do you receive?

  • /
    • You missed setting up the credential name in the IFlow configuration. Please click "configure" to open the IFlow config and set the corresponding logon credential name. Also check the section "Parameter Name (Group): Credential Name/SAP_CPI_AUTH_API_CREDENTIALS_OAUTH" of this blog article.

  • Hi Raffael,

    I would like to test the Dashboard for CPI, I made the implementation but I get this error:

    "Error text: HTTP operation failed invoking https://*****$format=json with statusCode: 401"

    Could you guide me where the problem could be?

    Greetings and Thanks.