Connecting to SAP APIM end-point-URL from SAP Clou...

Sookriti_Mishra

Here is how we are gonna do it:

In APIM:

An API Proxy with a Policy to Generate OAuth Token to generate OAuth Authentication Token
An API Provider to connect with the target system
A Key Value Map to store the credentials of the target system - S/4HANA
An API Proxy with Policies to Verify the token generated, verify the API Key (optional), call the Key Value Map to get the credentials (Basic Authentication in this case) with reference to the API Provider created in Step 2 to call the actual end-point URL of the target who you are connecting via APIM (which is SAP S/4HANA in our case)
A Product to bind both the API Proxies
A Subscription for the Product created

In Cloud Integration:

Creat an IFlow to call the API Proxy to generate the token, and pass the same to the 2nd API Proxy which calls the S/4 target end-point.

LET'S DO THIS!

Assuming that you have enabled the API Management capability in Integration Suite, I will start with API Provider creation.

1. Create API Proxy - To Generate OAuth Authentication Token

Create an API Proxy with URL type,

2. Add Policy - To generate OAuth 2.0 Authentication

OAuth v2.0 - To generate the Access Token for the ac

<OAuthV2 async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
   <ExternalAuthorization>false</ExternalAuthorization>
   <Operation>GenerateAccessToken</Operation>
   <GenerateResponse enabled="true"/>
       <SupportedGrantTypes>
           <GrantType>client_credentials</GrantType>
       </SupportedGrantTypes>
   <Tokens/>
</OAuthV2>

3. Create API Provider

Connection

Type	On Premise
Host	Virtual Host, as mentioned in Cloud Connector
Port	Virtual Port, as mentioned in Cloud Connector
Location ID	As mentioned in Cloud Connector
Authentication	NONE
Additional Properties:	sap-client: XXX

Catalog Service Settings

Path Prefix	/sap/opu/odata
Service Collection URL	/IWFND/CATALOGSERVICE;v=2/ServiceCollection
Authentication type	BASIC
Username	SAP's User Name for communication
Password	***

Test connection:

4. Create Key Value Map to store the credentials to S/4HANA

5. Create API Proxy - To call the OData Service from S/4HANA

Select the API Provider, click on Discover to select the API which you wanted to use

Select the API & then click on Create.

6. Add Policies to the API Proxy created to call the OData target endpoint on S/4HANA side

Verify API Key - To verify the key which you are going to pass while calling the API.
Where do you get the API? - When you create the Product, and a Subscription, after creating a Subscription in the Developer Hub you will get a Key. That key is to be provided to the Consumer, and this Policy will verify the key sent by the consumer.

 <!--Specify in the APIKey element where to look for the variable containing the api key--> 
<VerifyAPIKey async='true' continueOnError='false' enabled='true' 
xmlns='http://www.sap.com/apimgmt'>
	<APIKey ref='request.header.apikey '/>
</VerifyAPIKey>

OAuth 2.0 - To verify OAuth Token generated

<OAuthV2 async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
   <ExternalAuthorization>false</ExternalAuthorization>
   <!-- valid values are GenerateAccessToken, GenerateAccessTokenImplicitGrant, GenerateAuthorizationCode ,
    RefreshAccessToken , VerifyAccessToken , InvalidateToken , ValidateToken  -->
   <Operation>VerifyAccessToken</Operation>
   <GenerateResponse enabled="true"/><SupportedGrantTypes/>
   <Tokens/>
</OAuthV2>

Assign Message - Before setting up basic authentication in a later step, we need to remove the existing Authorization header. I've used the Assign Message policy to achieve this with the following configuration:

<!-- This policy can be used to create or modify the standard HTTP request and response messages -->
<AssignMessage async="false" continueOnError="true" enabled="true" xmlns='http://www.sap.com/apimgmt'>
    <Remove>   
     	<Headers>      
			<Header name="Authorization"></Header>   
          </Headers>
     </Remove> 
	<IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
	<AssignTo createNew="false" type="request"></AssignTo>
</AssignMessage>

Key Value Map Operations - To fetch the credentials saved in the Key Value Mapping

<KeyValueMapOperations mapIdentifier="SAP_S4HANA_Credentials" async="true" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
    <Get assignTo="private.usernameFromKVM" index="1">
        <Key>
            <Parameter>Username</Parameter>
        </Key>
    </Get>
    <Get assignTo="private.passwordFromKVM" index="1">
        <Key>
            <Parameter>Password</Parameter>
        </Key>
    </Get>
    <Scope>environment</Scope>
</KeyValueMapOperations>

Basic Authentication - To pass the credentials fetched in the previous step.

<BasicAuthentication async='true' continueOnError='false' enabled='true' xmlns='http://www.sap.com/apimgmt'>
	<Operation>Encode</Operation>
	<IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
	<User ref='private.usernameFromKVM'></User>
	<Password ref='private.passwordFromKVM'></Password>
 	<AssignTo>request.header.Authorization</AssignTo>
</BasicAuthentication>

Assign Message - So you get an error as, "{"fault":{"faultstring":"Unsupported Encoding \"br\"","detail":{"errorcode":"protocol.http.UnsupportedEncoding"}}}".
BR is a data format Brotli which is often defined by backend for webpage loading and not accepted by.... And this Assign Message will help your message reach the target.

<!-- This policy can be used to create or modify the standard HTTP request and response messages -->
<AssignMessage async="false" continueOnError="false" enabled="true" xmlns='http://www.sap.com/apimgmt'>
 
	<!-- Sets a new value to the existing parameter -->
	<Set>
		<Headers>
		     <Header name="Accept-Encoding">gzip,deflate</Header>
	     </Headers> 
	</Set>
	<IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
	<AssignTo createNew="false" type="request"></AssignTo>
</AssignMessage>

7. Create Product & Add the both the API Proxies

8. Create a Subscription for the Product created

9. Create an Integration Flow

Content Modifier - To pass the authentication details in Header.

client_secret: from the subscription
client_id: from the subscription
response_type: token
grant_type: client_credentials
Content-Type: application/x-www-form-urlencoded

Request Reply - HTTP - Pass the end-point URL of the API Proxy created to generate the token.

Content Modifier - To capture the token from the XPath /root/access_token and since the target API Proxy has a policy Verify API Key, pass the API Key, which is the same as the Client ID in the Subscription created.

Content Modifier - To pass the bearer token as shown in the screenshot below.

Request Reply - HTTP - Pass the end-point URL of the API Proxy created to verify OAuth Token, API Key, read KVM and call the S/4HANA target API.

Testing Time!

From Cloud Integration:

From API Management: