Setting up SAP Cloud Platform Transport Management for SAP Cloud Platform Integration
In this blog I will describe how to setup SAP Cloud Platform Transport Management (TMS) for SAP Cloud Platform Integration (CPI) running in the Neo environment. I will concentrate on the points which seem to be a little more challenging and refer to the documentation for the rest.
- (At least) two SAP Cloud Platform Integration tenants (development/source and production/target) running in two SAP Cloud Platform Neo subaccounts.
- The service ‘Solutions Lifecycle Management’ is enabled in all Neo subaccounts being part of the transport landscape.
- Setup SAP Cloud Platform Transport Management as described in the SAP documentation. This includes:
– Buy TMS
– Entitle a Cloud Foundry Subaccount for TMS
– Subscribe to TMS
– Create role collections and assign them to users
– Create a TMS service instance and a service key
There are three different types of destinations needed to setup the CPI / TMS scenario. Please see the picture below:
- Destination pointing from the Solutions Lifecycle Management Service in the Neo subaccount hosting the CPI source tenant to the service instance of TMS. The name of the source node is provided as a parameter in this destination.
Please follow the instructions in SAP help to configure this destination.
Take note that the name of this destination has to be ‘TransportManagementService‘ (case senitive!)
- Destinations pointing to the target Neo subaccounts hosting the CPI tenants: these are configured in the destination service of the Cloud Foundry subaccount hosting TMS as described in the SAP documentation.
The names of these destinations can be freely chosen.
You have to create one destination for every Neo subaccount respectively CPI tenant you would like to deploy to.
These destination are then used to configure the transport nodes in TMS.
- Destination pointing from the Solutions Lifecycle Management Service to the CPI tenant running in the same Neo subaccount.
The configuration of this destination is described here in the SAP documentation.
It has to have the fixed name ‘CloudIntegration‘ (case-sensitive).
A more generic format of the destination’s URL is
‘https://<CPI tenant name>-tmn.hci.<data center>.hana.ondemand.com/itspaces/’
The destination shown in the documentation would refer to an SAP internal account in Canada (‘int/cn1’).
This destination has to be created in all subaccounts which are part of the TMS landscape (source and targets).The easiest way to retrieve the URL containing the CPI tenant name is to go to the SAP Cloud Platform cockpit of the Neo subaccount hosting the CPI tenant. Open the ‘Applications’ tab and the ‘Subscriptions’ subtab. In the list of ‘Subscribed Java Applications’ click on the one which name contains ‘tmn’. This opens a list of ‘Application URLs’ where you can copy the one which ends with ‘itspaces’.
Users, Roles and Identity Providers
Destination to Neo subaccount
The technical user(s) used in the destinations pointing to the target Neo subaccounts (type 2 above) has to be a member of the subaccount and needs to have the role Developer (or Administrator) in the corresponding subaccount. This role can be assigned when adding the user as a member to the subaccount. Alternatively you can assign a custom platform role with the scopes Manage Multi-Target Applications and Read Multi-Target Applications.
If you are using SAP Cloud Identity Authentication Service (IAS) as your platform identity provider the user should be a local user in the IAS tenant and cannot be a user integrated from another Identity Provider. The reason for this is the lack of industry standards for propagating basic authentication requests.
Destination to SAP Cloud Platform Integration tenant
The technical user for the destination pointing to the CPI tenants (type 3 above) needs to have the roles AuthGroup.IntegrationDeveloper and IntegrationContent.Transport. How to assign these roles is described here in the SAP documentation.
If you are using SAP Cloud Identity Authentication Service (IAS) as your application identity provider please take note that ‘Basic Authentication’ for this destination by default points to the SAP Identity Service and does not use SAP IAS. However, this is technically possible and can be changed via a ticket to the security operations team (BC-NEO-SEC-IAM). After the configuration is done also the basic authentication will be done against the SAP IAS tenant used as application identity provider.
As above the user should be a local user in the IAS tenant and cannot be a user integrated from another Identity Provider.
Administrator role for enabling TMS as transport tool in CPI
The administrators who should be able to change the transport mode used for CPI additionally need the role AuthGroup.Administrator.
Enabling TMS transports for CPI
Once you have configured all the destinations above and the corresponding transport landscape in TMS, you have to switch the transport mode of CPI to actually use TMS. That switch is somewhat hidden…
In the CPI web client you have to select the ‘Settings’ tab, then the ‘Transport’ tab and then press the ‘Edit’ button in the lower right corner (which can be far away on a large screen).
This enables the drop down list where you can select ‘Transport Management Service’. Don’t forget to save…
Using TMS from within CPI
Once you have configured and activated TMS for CPI as described above you can use it to create transport from within the CPI development environment.
For that, switch to the ‘Design’ tab in the CPI development tenant and select the CPI package you would like to transport:
You can now perform your changes to the package and save them. You initiate the TMS transport by pressing the ‘Transport’ button:
Provide some information of the transport and press the ‘Transport’ button:
Now a new transport request is created in TMS, the CPI package is put into a Multitarget Application (MTA) archive file and attached to the transport request. The transport request is then released and put into the queue of the transport node which follows the development node (in this example the test node). The confirmation message tells you into the queue of which node the transport has been placed.
In the Transport Management service UI, you will find the new transport in the queue of the node specified in the success message above. From this queue you can trigger the import into the target CPI tenant.
This concludes this blog about the configuration and usage of SAP Cloud Platform Transport Management for SAP Cloud Platform Integration. Have fun using this scenario!