Skip to Content
Technical Articles

Part 2: Connect to on-premise APIs from SAP Cloud Platform API Management Cloud Foundry Environment

SAP Cloud Connector enables you to securely connect applications on SAP Cloud Platform with your on-premise systems. Using SAP Cloud Connector, you can manage your on-premise APIs via SAP Cloud Platform API Management. In this blog, steps to connect SAP Cloud Connector to your SAP Cloud Platform Cloud Foundry environment and its usage from SAP Cloud Platform API Management is covered.

SAP Cloud Platform API Management is not yet available in Cloud Foundry trial environment and therefore this steps can be tried out from a production account.  For SAP Cloud Platform Integration Suite, you can also follow this blog to enable the API Management capabilities.


  • Subscribed to API Management, API portal tile in Cloud Foundry ( details in this blog).
  • Alternatively you have enabled API Management capabilities from Integration Suite ( details in this blog)
  • Installed and configured SAP Cloud Connector ( details in this tutorials)

Connect your SAP Cloud Connector to SAP Cloud Platform sub account

To connect SAP Cloud Platform API Management to an on-premise system via the Cloud Connector, you will need to configure the SAP Cloud Platform sub-account where API Management, API portal service is enabled/subscribed in SAP Cloud Connector.

  • Logon to SAP Cloud Platform and navigate to your SAP Cloud Platform sub-account.
  • Navigate to Overview tab and copy the sub-account ID available in the Subaccount Details section.


SAP Cloud Platform Overview page

  • Log on to the Cloud Connector administration console.
  • Select Connector tab and then select Add Subaccount


Add a new subaccount in SAP Cloud Connector

  • In the Add Subaccount dialog, select your SAP Cloud Platform Region from the drop down, paste your previously copied Subaccount ID, optionally provide a Display Name, enter your SAP Cloud Platform cockpit administrator’s email address and password, optionally provide a Location ID. Finally click Save.

Connect Cloud Connector with your on-premise system


To access your on-premise system from SAP Cloud Platform via SAP Cloud Connector, you will need to provide a mapping between your internal on-premise system host/port to a virtual host in the Access Control section. After the access control is set up you can use the virtual host on SAP Cloud platform to allow applications to connect to services on your on-premise system. In this blog, access to SAP Gateway system was enabled.

  • In the Cloud Connector Administration console, expand the name of your sub account and select Cloud To On-Premise tab. Select the plus ( + icon) in the section Mapping Virtual to Internal System.

  • In the Add System Mapping select your Back-end system type and select Next.

  • Select your protocol HTTPS, select Next.

  • Enter your Internal Host and Port, select Next.

  • Enter your Virtual Host and Port, select Next.

  • Select your Authentication type or Principal type between SAP Cloud Connector and your target system. In this blog, None was selected so that the authentication value passed by the client is passed as if to the target SAP Gateway. Select Next.

  • Select which field should be used in the Request Header. You can chose between Use Virtual Host or Internal Host. Select Next.

  • Finally click Finish to create the necessary mapping between Virtual host & Internal host

  • Next you will need to allow access to the service paths in each of your SAP Gateway services.  Select + button next to the Resources section.

  • Add in the URL paths and also select the option to access path & all sub-paths and select Save.  In the blog, since the connection is for SAP Gateway OData APIs the URL path value was set to /sap/opu/odata.

  • You can select on the highlighted icons to check on the status of the newly added virtual host & internal host mapping.

  • You can also check the status of your SAP Cloud Connector connection by navigating your SAP Cloud Platform cockpit , selecting the sub-account which was used in the connection from SAP Cloud Connector. Select Cloud Connectors under Connectivity.


Create API Provider in SAP Cloud Platform API Management for connecting to on-premise APIs

API Providers features of SAP Cloud Platform API Management enables you to provide your technical configuration details like host, port, authentication type and discovery API URL.

  • Navigate to your API Management, API portal service available within your SAP Cloud Platform Cloud Foundry environment ( available under Subscription tab).
  • Navigate to Configure tab and then select Create.


  • Enter name for your API Provider say SAPGatewayTest

  • In the Connection tab, select On-Premise as the Type, enter your virtual host and port from SAP Cloud Connector, enter the Location ID ( if specified on SAP Cloud Connector during connectivity to SAP Cloud Platform sub-account). For the authentication type you can select None or Principal Propagation. In this blog , None was selected therefore the client connecting to API Proxy should provide the target endpoint credentials. In the upcoming blogs, Principal propagation configuration will be covered.

  • For discovering of OData APIs from SAP S/4HANA or SAP Gateway system, you can additionally maintain the catalog service information. In Catalog Service Settings, enter your Service Collection URL.  Based on the SAP Gateway & SAP S/4HANA system the endpoint could be either /sap/opu/odata/IWFND/CATALOGSERVICE;v=2/ServiceCollection or /sap/opu/odata/IWFND/CATALOGSERVICE/ServiceCollection
  • Select Basic from the Authentication type and enter your SAP Backend user name and password and select Save. This credentials will be used only for discovery of OData APIs and will not be used during the actual API Proxy execution.

  • To check on your configured value, you can select Test Connection.


Create API Proxy in SAP Cloud Platform API Management for connecting to on-premise APIs

API Proxy enables you to create a facade layer over your actual target endpoint and add policies like Quota, Spike Arrest, message validation and more.

  • Navigate to Develop tab, then select API and click Create.

  • Select the newly created API Provider and select Discover

  • Search & select the on-premise OData service that you would like to manage with SAP API Management

  • Enter a title, description, base path your API Proxy and select Create.

  • This will generate the OpenAPI documentation for your selected on-premise OData API service. Select Deploy to activate the API Proxy. This will generate your API Proxy endpoint URL


  • Select your API Proxy URL and then open it in new browser tab to quick connectivity to your On-Premise API

  • You will be promoted to enter your target or back-end credentials and after a successful login you will see the data from your on-premise back-end via SAP Cloud Platform API Management.



Stay tuned, more blogs on API Management in Cloud Foundry environment to come:

To learn more about SAP Cloud Platform API Management, visit us at SAP Community.


You must be Logged on to comment or reply to a post.
    • Hi Rahul,

      Thanks for your suggestion on the principal propagation blog. The part 3 of the blog would be on the principal propagation and hopefully soon it would be available as well. In terms of the steps to enable principal propagation at a high level it would be as follows :-

      • Enable the entitlement to use the API Management, api portal service in your cloud foundry space, select the on-premise connectivity plan.
      • Create a service instance of this API Management service from the service market place and then select plan of on-premise connectivity.
      • Create or Edit the API Provider and select Principal Propagation for the authentication type from the drop down.

      Thanks and Best Regards,


  • Divya

    Thanks for this blog

    When I try this in Cloud Foundry Trial Account under the Connectivity tab there is only Destination Option but not the option you have mentioned to check connector connection. Does this mean we can't try out the cloud connector in the Trail environment?

    I created the Destination for on Prem SAP but it fails while a similar destination in NEO works along with all APIs.

    Best regards


      • Boonsom

        It appears to me that SAP has resolved some issues in the trial version.  you can look at this



  • Hi Divya,


    if I try to create an API Provider with type "on-premise" I´m always getting this error;

    Unable to Configure API Provider 
    [Request ID: a914cb19-f69e-4575-a364-1da911ecae76]
    dest: Name or service not known_ON_PREM

    Do you have any idea or suggestion to solve this problem?

    In Cloud Cockpit trial account in a Cloud Foundry subaccount I subscribted to "Integration Suite" and activated API Management.

    When setting a "on-premise" connection in a iFlow in Integration Suite everything goes fine.

    Best regardes,


    • Hi Markus,

      Thanks for bringing this issue on trial to our notice. This issue has been reported to our DevOps team, so will keep you posted on the progress soon.

      Thanks and Best Regards,


    • Hi Markus,

      The issue for trial is fixed now.  Kindly retest and let us know if this issue continues to persist for your account.

      Thanks and Best Regards,


      • Hello Divya,

        I am getting same error when I try to create API Provider with on-premise Cloud Connector.

        [Request ID: 42afcf77-4319-4def-9010-2705b140cc28]
        dest: Name or service not known_ON_PREM

        What was the root-cause and resolution for this error?  Please share details for the benefit of others who  may encounter the same issue.


        Thank you and Best Regards


  • Dear Divya,


    I have the same problem when I am try to configure an API Provider based on the cloud connector. I tried  with an factoryaccount and the integration suite plan trial (Frankfurt) and standard ( Netherland).

    Unable to Configure API Provider

    [Request ID: 3c65d43b-bcae-4e04-af5a-def03c5e8a15]
    An internal error occurred, contact SAP administrator for details


    Beside that the Test Connection Button is not activ.

    Best regards





    • Hi Peter,

      Kindly create an incident on the component OPU-API-OD-OPS so that our DevOps team can assist you in resolving this issue.

      Thanks and Best Regards,


  • Hi Divya,


    Need your Help

    When trying to test the API, using CDS view. I am getting error.



    {"fault":{"faultstring":"Unsupported Encoding \"br\"","detail":{"errorcode":"protocol.http.UnsupportedEncoding"}}}
    Best Regards,
    • Hi Rohit,

      Kindly check if you are able to call your API from the test console of SAP API Management or from any external API test tooling like Postman by passing in the additional header named Accept-Encoding with value gzip,deflate . If this helps, then you can assign this header value using the AssignMessage policy.

      In case the issue continue to happen kindly raise a customer incident on the component OPU-API-OD-OPS.

      Thanks and Best Regards,



  • Hi Divya,

    If there’s a big tenant solution which means one CPI tenant connects to several customers' backend systems, is ‘Connect to On-Premise APIs via SCP API management’ still a recommended way or it is better not use the SCP API management to expose the API from on-premise system?

    Thanks and Best regards,

    • Hi Radar,

      This question is more of an EA question, and based on the expectation, quantity and usage the decision could be made.

      Many customers put in place SAP API Management as the default for all API exposures within their organization, cloud or onprem, to serve as a centralized security and discovery point for APIs.

      API Management doesn't necessary need to be exclusive to CPI - CPI can be a connectivity point for multiple backend systems, and then expose the connections/aggregations as APIs in to SAP API Management. This is part of the coming roadmap for "Low Code API development" between CPI and APIM.

      Or if no aggregation, encryption, transformation, etc. is required APIs can be brought directly into API Management. Again however, these are all possibilities that would need to be evaluated on a case by case basis.


  • Divya

    I was trying this on the Cloud Foundry Trial account - When I click on Test connection Step I got the message

    System is up and reachable. However, the ping check responded with code : 405; Message : Method Not Allowed

    When I checked the log in the cloud connector I found exception occurred with this message.

    sap.core.connectivity.tunnel.client.notification.NotificationClientEventHandler#Thread-29# #Unexpected exception while establishing tunnel connection for tunnel: account:///4d66160b-e6ad-4a7c-9208-9857f24a8b9c/RCloudConn
    io.netty.resolver.dns.DnsResolveContext$SearchDomainUnknownHostException: Search domain query failed. Original hostname: '' failed to resolve

    Best regards