We all access our SAP CPI tenants with the default SAP domain i.e. *.hana.ondemand.com. In this blog let us see how to create a custom domain(in Neo) and configure SAP CPI TMN and IFL Application to access through it.
Before we see the step by step guide, let’s see what the end-state will look like.
Above is the solution assuming the Org has a domain imagine.com, and we decide to configure and access SCPI thru design-intSBX.scp.imagine.com (design time) and intSBX.scp.imagine.com (runtime). Below is the simplified steps of the end-to-end connectivity.
- When a client tries to connect to the Custom Domain URL of SCPI, it reaches the Organization DNS (i.e. imagine.com in this example) for hostname resolution.
- The DNS returns the SAP Cloud Platform SSL Hostname i.e. eu*.ssl.ondemand.com.
- The client tries to resolve the SSL Hostname and reaches SAP’s ondemand.com DNS.
- The ondemand.com DNS returns the SSL Host IP address
- The client sends traffic to the IP with the custom domain in the Host Header.
- The SSL host terminates the SSL handshake and connects the client to the right SCPI application.
Now, Below is the list of steps to achieve this
- Buy Custom Domain Quota
- Buy Domain
- Create SSL Host in SCP
- Create Key Pair
- Get CA Signed Certificate
- Upload Certificate
- Bind Certificate and SSL Host
- Bind Custom Domain and CPI Application
- Complete DNS Configuration
1. Buy Custom Domain Quota
As you saw in the solution diagram, we need a run an SSL host in our Subaccount. We need to have (or buy) a Custom domain quota in your Global Account in order to create an SSL Host. One custom domain quota means we can create one SSL Host. The Custom domain quota from the Global Account also needs to be assigned to the underlying Subaccount(s). To find the Account Quota use the list-ssl-hosts.
neo list-ssl-hosts -a <subaccount> -h <host> -u <email>
2. Buy Domain
All most all organization has its own domain and DNS server. If not the case then you can buy a domain from providers like GoDaddy.
3. Create SSL Host in SCP
An SSL host is the entry point to the custom domain in SAP Cloud Platform. It holds the custom domain, SSL Certificate, mapping between the custom domain and SCP application, etc.
neo create-ssl-host -a <subaccount> -h <host> -u <email> -n <nameof_SSLHost>
This command will create an SSL host in your subaccount with the name EU*.ssl.ondemand.com. Make a note of this SSL host as you will need it to create a CNAME record in your DNS server.
4. Create Key Pair
This step is to create a key pair i.e. Private Key and Public Key for the custom domain intSBX.scp.imagine.com and design-intSBX.scp.imagine.com. Then download the CSR and get CA certified. This is the SSL certificate that will use to secure the custom domain.
There is 2 option here.
- Create Key Pair in SCP, download the CSR for CA signing. This is the recommended option since the key will not leave the server.
neo generate-csr -a <subaccount> -h <host> -u <email> -n <nameof_SSLCertificate> -d <Subject_Distinguished_Name> -s <SAN>
- Create Key Pair Externally( like OpenSSL), download CSR for CA signing.
5. Get CA Signed Certificate
Share the Certificate Signing Request (CSR) to Certification Authority and get it signed.
6. Upload Certificate
Based on option 1 or 2 on Step-4 we will
- Upload only the Signed Public Certificate Chain received from CA or
neo upload-domain-certificate -a <subaccount> -h <host> -u <email> -n <nameof_SSLCertificate> -l <public_certificate_chain>
- The Private Key generated externally and Signed Public Certificate Chain received from CA.
neo upload-domain-certificate -a <subaccount> -h <host> -u <email> -n <nameof_SSLCertificate> -l <public_certificate_chain> -k <private_key>
7. Bind Certificate and SSL Host
In Step-3 we created an SSL Host (scpiHostSBX) and in Step-4,5 & 6 we created a Domain Certificate (scpiCertSBX). In this step, we will bind the Domain Certificate and SSL Host.
neo bind-domain-certificate -a <subaccount> -h <host> -u <email> -l <nameof_SSLHost> --certificate <nameof_SSLCertificate>
8. Bind Custom Domain and CPI Application
This step is to add the custom domain
- design-intSBX.scp.imagine.com and map to TMN application
- intSBX.scp.imagine.com and map to IFL Application
Before we perform the map, we need to construct the TMN and IFL Application URL. The URL format is below
|Subscribed Application||From SCP Subaccount, open Subscriptions and copy Application Name
|Provider Subaccount||From SCP Subaccount, open Subscriptions and copy Provider Subaccount
|Subaccount Name||From SCP Subaccount, Overview, copy the Subaccount Name
|host||Your account host like eu1.hana.ondemand.com|
Execute the below command to add IFL and TMN domain name and map to SCPI Application
neo add-custom-domain -a <subaccount> -h <host> -u <email> -e <customDomain Name> -i <TMN/IFL App Name> -l <nameof_SSLHost>
9. Compete DNS Configuration
In your DNS server, create two CNAME records to map CPI Custom Domain and SSL Host as below.
- design-intSBX.scp.imagine.com –> EU*.ssl.ondemand.com
- intSBX.scp.imagine.com –> EU*.ssl.ondemand.com
Only when this is done, a client call to design-intSBX.scp.imagine.com/itspaces URL will resolve to EU*.ssl.ondemand.com from the imagine DNS server. Then the SSL host will open the communication to CPI TMN Application as maintained in Step-8 i.e. to map the domain name to CPI Application. The traffic to this custom domain will be encrypted thru the Key pair generated from Step-4 through Step-7.
As the SSL will be terminated by the SSL host created by us, the trusted CAs for the SSL handshake and client authentication needs to be maintained at the SSL Host. This is done in two-step.
1. Add the CA certificate to a CA Bundle
neo add-ca -a <subaccount> -h <host> -u <email> --bundle <CABundleName> -l <CA Certificate file>
neo set-ssl-host --a <subaccount> -h <host> -u <email> -n <nameof_SSLHost> --ca-bundle <CABundleName>:<switch>
request – client certificate authentication is not mandatory
require – client certificate authentication is mandatory
none – removes the client certificate configuration for the specified bundle and unassigns that bundle from the SSL host