Technical Articles
SAP CPI – How to Configure Custom Domain
We all access our SAP CPI tenants with the default SAP domain i.e. *.hana.ondemand.com. In this blog let us see how to create a custom domain(in Neo) and configure SAP CPI TMN and IFL Application to access through it.
Before we see the step by step guide, let’s see what the end-state will look like.
Custom Domain Solution
Above is the solution assuming the Org has a domain imagine.com, and we decide to configure and access SCPI thru design-intSBX.scp.imagine.com (design time) and intSBX.scp.imagine.com (runtime). Below is the simplified steps of the end-to-end connectivity.
- When a client tries to connect to the Custom Domain URL of SCPI, it reaches the Organization DNS (i.e. imagine.com in this example) for hostname resolution.
- The DNS returns the SAP Cloud Platform SSL Hostname i.e. eu*.ssl.ondemand.com.
- The client tries to resolve the SSL Hostname and reaches SAP’s ondemand.com DNS.
- The ondemand.com DNS returns the SSL Host IP address
- The client sends traffic to the IP with the custom domain in the Host Header.
- The SSL host terminates the SSL handshake and connects the client to the right SCPI application.
Now, Below is the list of steps to achieve this
- Buy Custom Domain Quota
- Buy Domain
- Create SSL Host in SCP
- Create Key Pair
- Get CA Signed Certificate
- Upload Certificate
- Bind Certificate and SSL Host
- Bind Custom Domain and CPI Application
- Complete DNS Configuration
1. Buy Custom Domain Quota
As you saw in the solution diagram, we need a run an SSL host in our Subaccount. We need to have (or buy) a Custom domain quota in your Global Account in order to create an SSL Host. One custom domain quota means we can create one SSL Host. The Custom domain quota from the Global Account also needs to be assigned to the underlying Subaccount(s). To find the Account Quota use the list-ssl-hosts.
neo list-ssl-hosts -a <subaccount> -h <host> -u <email>
List SSL Host
2. Buy Domain
All most all organization has its own domain and DNS server. If not the case then you can buy a domain from providers like GoDaddy.
3. Create SSL Host in SCP
An SSL host is the entry point to the custom domain in SAP Cloud Platform. It holds the custom domain, SSL Certificate, mapping between the custom domain and SCP application, etc.
neo create-ssl-host -a <subaccount> -h <host> -u <email> -n <nameof_SSLHost>This command will create an SSL host in your subaccount with the name EU*.ssl.ondemand.com. Make a note of this SSL host as you will need it to create a CNAME record in your DNS server.
SSL Host Creation
4. Create Key Pair
This step is to create a key pair i.e. Private Key and Public Key for the custom domain intSBX.scp.imagine.com and design-intSBX.scp.imagine.com. Then download the CSR and get CA certified. This is the SSL certificate that will use to secure the custom domain.
There is 2 option here.
- Create Key Pair in SCP, download the CSR for CA signing. This is the recommended option since the key will not leave the server.
neo generate-csr -a <subaccount> -h <host> -u <email> -n <nameof_SSLCertificate> -d <Subject_Distinguished_Name> -s <SAN>
- Create Key Pair Externally( like OpenSSL), download CSR for CA signing.
5. Get CA Signed Certificate
Share the Certificate Signing Request (CSR) to Certification Authority and get it signed.
6. Upload Certificate
Based on option 1 or 2 on Step-4 we will
- Upload only the Signed Public Certificate Chain received from CA or
neo upload-domain-certificate -a <subaccount> -h <host> -u <email> -n <nameof_SSLCertificate> -l <public_certificate_chain> - The Private Key generated externally and Signed Public Certificate Chain received from CA.
neo upload-domain-certificate -a <subaccount> -h <host> -u <email> -n <nameof_SSLCertificate> -l <public_certificate_chain> -k <private_key>Upload Domain Certificate
7. Bind Certificate and SSL Host
In Step-3 we created an SSL Host (scpiHostSBX) and in Step-4,5 & 6 we created a Domain Certificate (scpiCertSBX). In this step, we will bind the Domain Certificate and SSL Host.
neo bind-domain-certificate -a <subaccount> -h <host> -u <email> -l <nameof_SSLHost> --certificate <nameof_SSLCertificate>
Bind Certificate and SSL Host
8. Bind Custom Domain and CPI Application
This step is to add the custom domain
- design-intSBX.scp.imagine.com and map to TMN application
- intSBX.scp.imagine.com and map to IFL Application
Before we perform the map, we need to construct the TMN and IFL Application URL. The URL format is below
https://<Subscribed_Application><Provider_Subaccount>-<Subaccount_Name>.<host>| Subscribed Application | From SCP Subaccount, open Subscriptions and copy Application Name |
| Provider Subaccount | From SCP Subaccount, open Subscriptions and copy Provider Subaccount |
| Subaccount Name | From SCP Subaccount, Overview, copy the Subaccount Name |
| host | Your account host like eu1.hana.ondemand.com |
Execute the below command to add IFL and TMN domain name and map to SCPI Application
neo add-custom-domain -a <subaccount> -h <host> -u <email> -e <customDomain Name> -i <TMN/IFL App Name> -l <nameof_SSLHost>
Custom Domain Mapping
Custom Domain Mapping
9. Compete DNS Configuration
In your DNS server, create two CNAME records to map CPI Custom Domain and SSL Host as below.
- design-intSBX.scp.imagine.com –> EU*.ssl.ondemand.com
- intSBX.scp.imagine.com –> EU*.ssl.ondemand.com
Only when this is done, a client call to design-intSBX.scp.imagine.com/itspaces URL will resolve to EU*.ssl.ondemand.com from the imagine DNS server. Then the SSL host will open the communication to CPI TMN Application as maintained in Step-8 i.e. to map the domain name to CPI Application. The traffic to this custom domain will be encrypted thru the Key pair generated from Step-4 through Step-7.
Additional Configuration
As the SSL will be terminated by the SSL host created by us, the trusted CAs for the SSL handshake and client authentication needs to be maintained at the SSL Host. This is done in two-step.
1. Add the CA certificate to a CA Bundle
neo add-ca -a <subaccount> -h <host> -u <email> --bundle <CABundleName> -l <CA Certificate file>
Add CA Bundle
neo set-ssl-host --a <subaccount> -h <host> -u <email> -n <nameof_SSLHost> --ca-bundle <CABundleName>:<switch>
Set CA Bundle
switch values:
request – client certificate authentication is not mandatory
require – client certificate authentication is mandatory
none – removes the client certificate configuration for the specified bundle and unassigns that bundle from the SSL host
I never thought that we can even brand the CPI access URL with our own custom domain.
May be 1 question... Let says I have developed an iflow and deployed it in my CPI running with custom domain configuration. So in such case, which URL is shown in CPI's integration content area for runtime access? Is it the custom domain intSBX.scp.imagine.com OR general https://XXXX--iflmap.hcisbt.eu1.hana.ondemand.com?
From the step mentioned about I understood that we can resolve intSBX.scp.imagine.com to XXXX-iflmap.hcisbt.eu1.hana.ondemand.com but does this CPI knows somehow that now the run time URL is no more iflmap one and rather custom domain?
BR
Saurabh
Saurabh,
Since SCPI is an MTA we cannot disable the default domain i.e.*.ondemand.com and hence both the custom domain and default domain will work. The CPI runtime in the customer Subaccount will know the custom domain, and the same runtime in the provider(SAP) Subaccount knows the default domain. So upon deploying the iflow will show URLs with both hosts.
So based on the URL used by the client the DNS will resolve to either the SSL Host that customer created or the SAP SSL host
Thanks
Santhosh
Thanks Santhosh for the explanation. It makes sense, what you explained.
Hi ! I have a question, in my case I hired and configured the custom domain, but I have the following problem:
To consume an iflow I need to be authorized, but the url to consume the iflows,
is not the same as to get the authorization token,
Is there any way to use the same custom domain to consume the cpi iflow and get the token to consume them?
Or what can be the solution to this problem?