By Jordy Schipper

Integration suite setup custom domain for integration endpoints in an extension landscape


In this blog post you will learn how to set up custom domains for the SAP Integration Suite integration runtime on Cloud Foundry when the subaccount is on the main landscape of a region (e.g. eu20) and your Integration Suite service is created on the extension landscape of the same region (e.g. eu20-001).

The setup differs somewhat from the documentation available at the time of writing this blog, and most published blogs point to the Cloud Foundry CLI, which will not work for this specific configuration.

To keep this blog to the point, the focus is on detailed steps and information for this case. Obtaining a certificate and updating DNS records are only briefly touched on.


To follow the steps explained, please make sure you have:

  • Administrator access to the subaccount in which Integration Suite is running, to be able to:
    • Set up Custom Domain Manager
    • Set up authorization
  • SAP Integration Suite set up and running, with the launchpad accessible.
  • DNS administrator authorization.
  • Certificate administrator authorization.

You also need to know the difference between the main and the extension landscape. The example below applies to all supported regions:

  • Main landscape = eu20
  • Extension landscape = eu20-001

Integration Suite extension landscape validation

Before continuing with the next sections of this blog, validate that your subaccount is on a different landscape than the Integration Suite. This is an easy validation:

  1. Log in to the BTP cockpit, navigate to the overview tab of the subaccount containing the Integration Suite service, and look for the API endpoint in the Cloud Foundry Environment section. (Screenshot: BTP cockpit subaccount overview tab)
  2. Open the SAP Integration Suite application/launchpad from the BTP cockpit. (Screenshot: BTP cockpit subaccount instances and subscriptions, Integration Suite)
  3. In the URL you will see the landscape used. (Screenshot: Integration Suite launchpad region)
  4. If you see something like -000 behind the main region, the SAP Integration Suite is using the extension landscape of the region. Be aware that this is the case for API proxies and integration flow runtimes, but doesn’t have to be the case for API business hub enterprise (formerly known as API developer portal).

If your subaccount matches the region of the Integration Suite, including a possible -000 suffix, the custom domain can be set up via the normal procedure. Otherwise, please follow the rest of this blog.

Configuration steps – Custom Domain manager setup

As mentioned, the Cloud Foundry CLI with the custom domain plugin cannot be used for the extension landscape setup described above. The Custom Domain Manager is a UI-based web application available in the service marketplace of the subaccount. To set up custom domains for an Integration Suite on the extension landscape when the subaccount is on the main landscape, follow the steps below. In my setup, Custom Domain Manager is configured in one of the subaccounts containing an SAP Integration Suite:

  1. Log in to the BTP cockpit and navigate to the subaccount containing the Integration Suite service.
  2. In the Entitlements menu within the subaccount, assign the Custom Domain service with only the standard (Application) plan. (Screenshot: BTP cockpit subaccount entitlements)
  3. After the assignment is completed, create an instance for the standard plan in the Services -> Instances and Subscriptions menu. After the service is provisioned, first assign the correct authorization to use it.
  4. Create a role collection containing the following roles and assign it to the person performing the rest of the activities:
    • CustomDomainAdmin
    • CustomDomainViewer
  5. If you open the application, no error prompt should be shown. If that is the case, this part is completed. (Screenshot: BTP cockpit subaccount instance for Custom Domain Manager)

Configuration steps – Custom Domain SaaS subscription setup

The Custom Domain Manager needs to be open to perform the next steps.

  1. Start by adding a reserved domain to the Custom Domain Manager application: navigate to the Domains menu at the top and click the button Add Reserved Domain. This opens a pop-up window in which you enter the domain for which the certificate will be, or already is, created via the Custom Domain Manager.
    • My advice is to enter the main domain including the subdomain. If you use a second custom domain for the same region and main domain you will run into the error shown here. (Screenshot: Domain already occupied error)
  2. After the reserved domain is added, go to the other tab, Custom Domains, and register the custom domain via the button Create Custom Domain, choosing the option for your Subaccount’s SaaS subscription. (Screenshot: Custom Domain Manager custom domain for SaaS subscription)
  3. In this step it is very important to select the Integration Suite application in the correct landscape. You cannot use a custom domain linked to the main landscape for the extension landscape and vice versa. (Screenshot: Custom Domain Manager SaaS subscription setup)
  4. In the next step of the wizard, select the reserved domain created in step 1. If you already specified the subdomain in step 1, you can leave it empty in the last step of the wizard. If all goes well, one entry should be shown in the Custom Domains tab, something like below. (Screenshot: Custom Domain Manager created custom domain for extension landscape)
  5. Before setting up TLS and the server certificate, a SaaS route needs to be created. In the top menu navigate to SaaS Routes. If you are setting up the SaaS routing for the SAP Integration Suite service in the same subaccount, you can leave the checkbox Continue with current subaccount’s list of subscriptions selected. If you set up Custom Domain Manager in another subaccount, make sure you selected the correct extension landscape for the custom domain as described in step 3, and provide the TenantID of the other subaccount, which is available in that subaccount's Overview menu. Once the TenantID is supplied and a matching landscape is found, the next step button becomes clickable and you can select the Integration Suite to be linked. For possible issues please see the troubleshooting section of this blog.
  6. Update the standard route to the runtime URL, otherwise endpoints/iFlows cannot be called via this setup. The runtime URL can be found in the Integration Suite monitoring menu by navigating to a deployed artifact containing e.g. an HTTP adapter. (Screenshot: Integration Suite runtime URL)
  7. After selecting a hostname for the route, the SaaS route part is complete. To be able to use the custom domain you need to create a TLS record and a server certificate. The server certificate is created from within Custom Domain Manager via the CSR procedure, meaning you cannot use an already existing certificate. The standard documentation can be followed with some small additions:
    • Give the TLS configuration a sensible name. I used the complete custom domain including subdomain and post-fixed it with: tls. The rest is following the wizard.
    • For the server certificate I used a wildcard certificate specific to this purpose. The advantage is that if an additional SAP Integration Suite environment is added in the future, the SAN names on the certificate don't have to be changed, as they would if you created the certificate specifically for the custom domain's SaaS routes. The certificate has the structure *.[subdomain].[maindomain].[extension], in which the star stands for the hostname of the Integration Suite runtime.
  8. Once the above steps are completed, the last step is to create the CNAME mapping at the DNS provider. For this step it is important to make the CNAME mapping point to the correct extension landscape. At the moment of writing this blog, the documentation states to use the API endpoint from the subaccount, as described in step 1 of the section Integration Suite extension landscape validation, but the mapping needs to reflect the extension landscape. To prevent the error "Requested route not found" (Screenshot: Requested route not found), change the CNAME mapping, for example:
    • From main:
    • To extension:
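The two checks that steps 7 and 8 depend on, sketched as an added example that is not code from the original post: the CNAME target must carry the same landscape label as the runtime URL, and a certificate SAN (wildcard or exact) must cover the custom hostname. The function names, the landscape-label pattern and all hostnames below are constructed assumptions that follow the naming the post describes.

```python
import re

# Assumption: a landscape label is a region ("eu20") with an optional
# three-digit extension suffix ("eu20-001"), appearing as one DNS label.
_LANDSCAPE = re.compile(r"^[a-z]{2}\d{2}(-\d{3})?$")


def landscape_of(hostname):
    """Return the landscape label found in a hostname, or None."""
    for label in hostname.lower().rstrip(".").split("."):
        if _LANDSCAPE.match(label):
            return label
    return None


def san_covers(san, hostname):
    """DNS-name match: case-insensitive; '*' stands for exactly one leftmost label."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    head, _, rest = hostname.partition(".")
    return bool(head) and rest == san[2:]


def check_custom_domain(custom_host, cname_target, runtime_host, cert_sans):
    """Return a list of problems; an empty list means the setup is consistent."""
    problems = []
    want, got = landscape_of(runtime_host), landscape_of(cname_target)
    if want is None:
        problems.append(f"no landscape label in runtime host {runtime_host}")
    elif got != want:
        problems.append(f"CNAME targets landscape {got}, runtime is on {want}")
    if not any(san_covers(s, custom_host) for s in cert_sans):
        problems.append(f"no certificate SAN covers {custom_host}")
    return problems


# Constructed sample values (not from the post).
RUNTIME = "tenant.it-cpi023-rt.cfapps.eu20-001.hana.ondemand.com"
SANS = ["*.integration.example.com"]

if __name__ == "__main__":
    for target in ("api.cf.eu20.hana.ondemand.com",
                   "api.cf.eu20-001.hana.ondemand.com"):
        result = check_custom_domain("prod.integration.example.com",
                                     target, RUNTIME, SANS)
        print(target, "->", result or "OK")
```

Feed it the CNAME target returned by your resolver and the SAN list from the certificate activated in Custom Domain Manager; a wildcard SAN covers one label only, so a hostname two levels below the wildcard is reported as uncovered.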

Be informed that after the custom domain is active, routing activation will take a maximum of 24 hours; you can still use the default domain for integration endpoints. The only exception is the OAuth token URL (authentication), which is only available with the standard SAP domain, as described in note 3291485.

A possible solution for the OAuth URL, if API Management is used, is to create an API proxy with a custom domain and use the integration OAuth token endpoint as target, so you don’t have to use the standard domain.


During the setup I encountered multiple challenges. I tried to list them all below in random order:

  • Cloud Foundry CLI – is not supported for this situation, at least not for the routing etc. If you try to create a SaaS route for Integration Suite when you created a custom domain for the CF organization (for reuse purposes), it will throw the error shown here. (Screenshot: Cloud Foundry CLI extension landscape for CF organization domain)
  • Cloud Foundry CLI – cannot list domains for a landscape other than the API endpoint provided in the subaccount. On the API endpoint provided in the subaccount it will state that no domains are configured, and if you try to use the extension landscape you get an unauthorized error message.
  • Cloud Foundry CLI – sharing custom domain certificates is only possible within the same landscape. You cannot share across landscapes in the same region, for example eu20 and eu20-001.
  • Custom Domain Manager – a custom domain created for the CF organization in the main landscape (eu20) cannot be linked with services in subaccounts in the extension landscape (eu20-001). If you try to create a SaaS route for another subaccount's subscription, you will get a generic error message after entering the TenantID. (Screenshot: Custom Domain Manager cannot use extension landscape for CF organization main landscape)
  • Custom Domain Manager – at first the custom domain setup in our organization was in another subaccount, one not containing an Integration Suite or a service in the extension landscape. When creating a custom domain for your CF organization or SaaS subscription, you can only select the landscape linked to the subaccount (CF organization) or, for SaaS subscriptions, those in the same subaccount. Currently it is required to use the custom domain in the same subaccount as one of the Integration Suite environments.


When the steps are known to get custom domains setup for Integration Suite in the situation mentioned in this blog it is pretty easy and straightforward. It seems I encountered a situation which is not that common and especially in combination with custom domains.

Documentation & Links

If you like to read more information about custom domains and the setup it requires for other cases I can recommend reading the below helpful information:

If you have questions or remarks please be so kind to leave a comment. A like is appreciated.

      Zameer Ahamad

      Hi Jordy Schipper,

      Thank you so much for the detailed blog. I have a few questions on this topic; let me write them down here.

      We have done the custom domain setup for the applications running in Cloud foundry environment having the main region in the URL but not for the extension region like the one for integration suite.

      We recently activated the integration suite tenant having main region EU10 with extension 003 in the URL, So we are following this blog.

      In the below step

      Configuration steps – Custom Domain SaaS subscription setup

      Point Number 5, We wanted to know what will be the Hostname should mention as we have already selected in the previous screen.


      Jordy Schipper
      Blog Post Author

      Dear Zameer,

      Thank you for the reply. Related to this setup I assume you are able to select the integration suite SaaS subscription from the list? If this is the case the standard route will point to something like: integrationsuite.cfapps.{region}-{extensionlandscape} however the route should be linked with: it-cpi023-rt.cfapps.{region}-{extensionlandscape} This is mentioned in point 6.

      After this is done you select your custom domain, this can either be one with specific SAN name(s) ( e.g. test.{yourcompany}.com and prod.{yourcompany}.com ) or as a wild-card ( *.{yourcompany}.com ) and depending on how the custom domain and certificate is setup you can add a specific prefix to the custom domain or leave it as is. So as an example:

      • Custom domain is already the full address to be used for example: prod.{yourcompany}.com then you can leave the Hostname empty.
      • Custom domain is re-used for different integration suite tenants (wild-card setup): then in the hostname field you provide the prefix, so if your custom domain is *.{yourcompany}.com then you enter prod in hostname and it becomes: prod.{yourcompany}.com

      In case this is not answering your question please let me know.

      Kind regards,


      Zameer Ahamad

      Hi Jordy,

      Thanks for the help, we proceeded further.
      We complete all the steps, in the last steps of CNAME mapping in DNS what should be the URL need to map, Should we map the runtime URL hostname or the main default SAP domain of SAP integration suite.

      We followed the below tutorial from SAP and to test the mapping what is the best way to do, When we tried our custom domain URL it is pointing to the below XSA URL which is not correct. Don't know where we are missing? can you help us here.


      Jordy Schipper
      Blog Post Author

      Dear Zameer,

      We also encountered an issue with this, and what works for us is a DNS record pointing to the API endpoint of the extension landscape, even though the documentation from SAP states to use the API endpoint defined in the subaccount. So make the mapping as follows: *{landscaperegion}-{extensionlandscapenumber}

      This should do the trick.

      The api endpoint part is also described in this help documentation:

      Hopefully this is the final piece of information to get this working otherwise I will try to assist.

      Kind regards,


      Oscar Navas

      Hi Jordy, and many thanks for the blog.

      I'm looking for a solution in configuration with the API endpoint pointing to eu10-004 and the app's endpoint pointing to eu10-003. This is, API and iflows endpoint are in different Extension landscapes.


      Reserved Domains eu10-004



      Custom Domain eu10-003


      #Update 2023.06.07

      For CNAME configuration, the correct endpoint should be the API endpoint, but with the correct landscape from any deployed iflow. In my case:

      API endpoint:


      In DNS Provider CNAME the configuration is with the api endpoint

      • ->


      Now I can see the correct CA / server certificate when I connect to



      But there is an error saying the CN is not valid for this signed certificate.



      The server certificate, signed by SDI (Italy tax agency), has both CN in capital letters, and CN Alternative in lower case for the same domain.


      Server Certificated Signed

      At this point I don't know what is next step to be checked...



      Jordy Schipper
      Blog Post Author

      Dear Oscar,

      Apologies for the late response, I was on holiday.

      The setup in this blog is for the generic usage of Cloud Integration with Custom Domain, and in your case you are working on the custom domain part for the Italian SDI setup. I didn't do this setup, and according to the notes around this topic the steps for custom domain setup are a bit different from the Cloud Integration custom domain setup.

      I don't have an answer to your question unfortunately.

      Kind regards,