Skip to Content
Technical Articles
Author's profile photo Santhosh Kumar Vellingiri

SAP CPI – How to Configure Custom Domain

We all access our SAP CPI tenants with the default SAP domain i.e. *.hana.ondemand.com. In this blog let us see how to create a custom domain(in Neo) and configure SAP CPI TMN and IFL Application to access through it.

Before we see the step by step guide, let’s see what the end-state will look like.

Custom%20Domain%20Solution

Custom Domain Solution

Above is the solution assuming the Org has a domain imagine.com, and we decide to configure and access SCPI thru design-intSBX.scp.imagine.com (design time) and intSBX.scp.imagine.com (runtime). Below is the simplified steps of the end-to-end connectivity.

  1. When a client tries to connect to the Custom Domain URL of SCPI, it reaches the Organization DNS (i.e. imagine.com in this example) for hostname resolution.
  2. The DNS returns the SAP Cloud Platform SSL Hostname i.e. eu*.ssl.ondemand.com.
  3. The client tries to resolve the SSL Hostname and reaches SAP’s ondemand.com DNS.
  4. The ondemand.com DNS returns the SSL Host IP address
  5. The client sends traffic to the IP with the custom domain in the Host Header.
  6. The SSL host terminates the SSL handshake and connects the client to the right SCPI application.

Now, Below is the list of steps to achieve this

  1. Buy Custom Domain Quota
  2. Buy Domain
  3. Create SSL Host in SCP
  4. Create Key Pair
  5. Get CA Signed Certificate
  6. Upload Certificate
  7. Bind Certificate and SSL Host
  8. Bind Custom Domain and CPI Application
  9. Complete DNS Configuration

1. Buy Custom Domain Quota

As you saw in the solution diagram, we need a run an SSL host in our Subaccount. We need to have (or buy) a Custom domain quota in your Global Account in order to create an SSL Host. One custom domain quota means we can create one SSL Host. The Custom domain quota from the Global Account also needs to be assigned to the underlying Subaccount(s). To find the Account Quota use the list-ssl-hosts.

neo list-ssl-hosts -a <subaccount> -h <host> -u <email>

List%20SSL%20Host

List SSL Host

2. Buy Domain

All most all organization has its own domain and DNS server. If not the case then you can buy a domain from providers like GoDaddy.

3. Create SSL Host in SCP

An SSL host is the entry point to the custom domain in SAP Cloud Platform. It holds the custom domain, SSL Certificate, mapping between the custom domain and SCP application, etc.

neo create-ssl-host -a <subaccount> -h <host> -u <email> -n <nameof_SSLHost>

This command will create an SSL host in your subaccount with the name EU*.ssl.ondemand.com. Make a note of this SSL host as you will need it to create a CNAME record in your DNS server.SSL%20Host%20Creation

SSL Host Creation

4. Create Key Pair

This step is to create a key pair i.e. Private Key and Public Key for the custom domain intSBX.scp.imagine.com and design-intSBX.scp.imagine.com. Then download the CSR and get CA certified. This is the SSL certificate that will use to secure the custom domain.

There is 2 option here.

  1. Create Key Pair in SCP, download the CSR for CA signing. This is the recommended option since the key will not leave the server.
    neo generate-csr -a <subaccount> -h <host> -u <email> -n <nameof_SSLCertificate> -d <Subject_Distinguished_Name> -s <SAN>​

  2. Create Key Pair Externally( like OpenSSL), download CSR for CA signing.

5. Get CA Signed Certificate

Share the Certificate Signing Request (CSR) to Certification Authority and get it signed.

6. Upload Certificate

Based on option 1 or 2 on Step-4 we will

  1. Upload only the Signed Public Certificate Chain received from CA or
    neo upload-domain-certificate -a <subaccount> -h <host> -u <email> -n <nameof_SSLCertificate> -l <public_certificate_chain>​
  2. The Private Key generated externally and Signed Public Certificate Chain received from CA.
    neo upload-domain-certificate -a <subaccount> -h <host> -u <email> -n <nameof_SSLCertificate> -l <public_certificate_chain> -k <private_key>​

    Upload%20Domain%20Certificate

    Upload Domain Certificate

7. Bind Certificate and SSL Host

In Step-3 we created an SSL Host (scpiHostSBX) and in Step-4,5 & 6 we created a Domain Certificate (scpiCertSBX). In this step, we will bind the Domain Certificate and SSL Host.

neo bind-domain-certificate -a <subaccount> -h <host> -u <email> -l <nameof_SSLHost> --certificate <nameof_SSLCertificate>

Bind%20Certificate%20and%20SSL%20Host

Bind Certificate and SSL Host

8. Bind Custom Domain and CPI Application

This step is to add the custom domain

  1. design-intSBX.scp.imagine.com and map to TMN application
  2. intSBX.scp.imagine.com and map to IFL Application

Before we perform the map, we need to construct the TMN and IFL Application URL. The URL format is below

https://<Subscribed_Application><Provider_Subaccount>-<Subaccount_Name>.<host>
Subscribed Application From SCP Subaccount, open Subscriptions and copy Application Name
Provider Subaccount From SCP Subaccount, open Subscriptions and copy Provider Subaccount
Subaccount Name From SCP Subaccount, Overview, copy the Subaccount Name
host Your account host like eu1.hana.ondemand.com

Execute the below command to add IFL and TMN domain name and map to SCPI Application

neo add-custom-domain -a <subaccount> -h <host> -u <email> -e <customDomain Name> -i <TMN/IFL App Name> -l <nameof_SSLHost>

Add Custom Domain for TMN Application
Custom%20Domain%20Mapping

Custom Domain Mapping

Add Custom Domain for IFL Application
Custom%20Domain%20Mapping

Custom Domain Mapping

9. Compete DNS Configuration

In your DNS server, create two CNAME records to map CPI Custom Domain and SSL Host as below.

  • design-intSBX.scp.imagine.com –> EU*.ssl.ondemand.com
  • intSBX.scp.imagine.com –> EU*.ssl.ondemand.com

Only when this is done, a client call to design-intSBX.scp.imagine.com/itspaces URL will resolve to EU*.ssl.ondemand.com from the imagine DNS server. Then the SSL host will open the communication to CPI TMN Application as maintained in Step-8 i.e. to map the domain name to CPI Application. The traffic to this custom domain will be encrypted thru the Key pair generated from Step-4 through Step-7.

Additional Configuration

As the SSL will be terminated by the SSL host created by us, the trusted CAs for the SSL handshake and client authentication needs to be maintained at the SSL Host. This is done in two-step.

1. Add the CA certificate to a CA Bundle

neo add-ca -a <subaccount> -h <host> -u <email> --bundle <CABundleName> -l <CA Certificate file>

Add%20CA%20Bundle

Add CA Bundle

2. Set the CA Bundle to the SSL Host

neo set-ssl-host --a <subaccount> -h <host> -u <email> -n <nameof_SSLHost> --ca-bundle <CABundleName>:<switch>

Set%20CA%20Bundle

Set CA Bundle

switch values:
request – client certificate authentication is not mandatory
require – client certificate authentication is mandatory
none – removes the client certificate configuration for the specified bundle and unassigns that bundle from the SSL host

Assigned tags

      3 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Saurabh Kabra
      Saurabh Kabra

      I never thought that we can even brand the CPI access URL with our own custom domain.

      May be 1 question... Let says I have developed an iflow and deployed it in my CPI running with custom domain configuration. So in such case, which URL is shown in CPI's integration content area for runtime access? Is it the custom domain intSBX.scp.imagine.com OR general https://XXXX--iflmap.hcisbt.eu1.hana.ondemand.com?

      From the step mentioned about I understood that we can resolve intSBX.scp.imagine.com to XXXX-iflmap.hcisbt.eu1.hana.ondemand.com but does this CPI knows somehow that now the run time URL is no more iflmap one and rather custom domain?

       

      BR
      Saurabh

      Author's profile photo Santhosh Kumar Vellingiri
      Santhosh Kumar Vellingiri
      Blog Post Author

      Saurabh,

      Since SCPI is an MTA we cannot disable the default domain i.e.*.ondemand.com and hence both the custom domain and default domain will work. The CPI runtime in the customer Subaccount will know the custom domain, and the same runtime in the provider(SAP) Subaccount knows the default domain. So upon deploying the iflow will show URLs with both hosts.

      So based on the URL used by the client the DNS will resolve to either the SSL Host that customer created or the SAP SSL host

      Thanks
      Santhosh

      Author's profile photo Saurabh Kabra
      Saurabh Kabra

      Thanks Santhosh for the explanation. It makes sense, what you explained.