Technology Blogs by Members
Explore a vibrant mix of technical expertise, industry insights, and tech buzz in member blogs covering SAP products, technology, and events. Get in the mix!
cancel
Showing results for 
Search instead for 
Did you mean: 
r_herrmann
Active Contributor
14,331

This blog post is the second part of the series about our RealCore SAP CPI dashboard tool. It deals with the installation and configuration of the dashboard tool. You can find the first article, which is about the capabilities and features of the dashboard, over here:
Advanced monitoring and health check with RealCore’s CPI Dashboard

Before we start, let's have a quick look on the restrictions while installing and using the dashboard.

Restrictions


Since the Cloud Foundry (CF) variant of SAP CPI as of now doesn't send the WWW-Authenticate-header, the IFlow isn't usable via webbrowser. Thus the dashboard isn't supported on SAP CPI on CF environments for now because the dashboard's webinterface itself is delivered via an IFlow and thus need a webbrowser-friendly authentication method.

Installation


Since the complete dashboard and all its code is packed into one single Integration Flow (IFlow), the installation of the dashboard is done within minutes.

At first you should download the current release from our Github repository. You can find latest release here: https://github.com/codebude/cpi-dashboard/releases

Next you should open your SAP CPI tenant, switch to the Design-perspective and create/choose the package you want to place the monitoring IFlow into. Then edit the package, switch to the Artifacts-tab and click Add, to upload the beforehand downloaded SAP CPI Dashboard release.



That's it for the installation part. In the next section we will deal with the configuration.

Configuration


All things that need to be configured can be maintained via "Externalized Parameters". Thus, it is not necessary to make changes to the IFlow itself or its code. Some of the externalized parameters are used multiple times and therefore only need to be maintained once. So trust me - it's not that much to configure.

To start the configuration, we switch to the configuration perspective now.



Let's have a look onto the different parameters which have to be set...

Sender configuration




On the Sender-tab you will find one system with multiple adapters (since the IFlow has multiple endpoints), but you have to configure only one parameter, because it is used in all sender channels.

Parameter Name: DASHBOARD_URL_BASE

How to set: Set this parameter to an url-slug you personally prefer. It will be the base url of all endpoints of the IFlow.

Receiver configuration


On the Receiver-tab you will find three Receivers (SAP_CP = general Cloud Platform APIs, SAP_CPI = Cloud Platform Integration specific APIs, MAIL_SERVER = e-mail server to send out alerts) with 3 (SAP_CP), 7 (SAP_CPI) and 1 (MAIL_SERVER) channel. We will consider the different receiver systems separately.

Receiver - SAP_CP


All three SAP_CP receivers share the same configuration parameters. Thus you only have to do the configuration for one of the HTTP channels.



Parameter Name: SAP_CP_HOST

How to set: This must be set to the hostname of your SAP Cloud Platform API host. It is build like:
api.{regional hostname}

The {regional hostname} depends on the region your Cloud Platform account sits in. A list of possible hostnames can be found here: https://help.sap.com/viewer/ed6ce7a29bdd42169f5f0d7868bce6eb/Cloud/en-US/0a7d8fb9bc2c4bbd9355146722a...




Parameter Name: SAP_CPI_TECHNICALNAME

How to set: This should be set to the technical name of your SAP CPI tenant. You will find the technical name in the Cloud Platform Cockpit via Region --> Global Account --> SAP CPI Subaccount.



At the bottom of the subaccount page you will find the technical name of your SAP CPI tenant.



Explanation: This credentials are used to query the authorization and management api to retireve a list of roles for the dashboard user/caller. The roles itself are needed to show/hide different functions of the dashboard.




Parameter Name: Credential Name/SAP_CP_AUTH_API_CREDENTIALS

How to set: Enter the name of the security material/credentials which contains the credentials for the SAP Cloud Platform Authorization Management API. Note: If you haven't used the Authorization Management API before, you have to create an account first. Create the OAuth credentials as described here and here. Then store the OAuth credentials in your SAP CPI's security material section and enter the name of the security material as the needed configuration parameter.

Receiver - SAP_CPI


In opposite to the SAP_CP receivers not all of the SAP_CPI receivers share the same configuration parameters. The channels can be divided in two groups. The first group is calling urls to "/itspaces/odata/..." and the second group to "/api/v1/...".

The screenshot below shows how you can differentiate the groups. Ensure that you configure at least one channel of each group from the screenshot.



Parameter Name (Group): SAP_CPI_HOST (Group 1)

How to set: Set this to the hostname of your SAP CPI tenant management node. Take the screenshot below for example.



 




Parameter Name (Group): Credential Name/SAP_CPI_AUTH_API_CREDENTIALS_BASICAUTH (Group 1)

How to set: Enter the name of the security material/credentials which contains user and password (S-User/technical S-User) of an account which has sufficient rights to access the SAP CPI tenant.

Explanation: This credentials are used to access some unofficial SAP CPI APIs (the ones which are used by the SAP CPI webinterface itself) to retrieve a list of runtime and designtime artifacts.




Parameter Name (Group): Credential Name/SAP_CPI_AUTH_API_CREDENTIALS_OAUTH (Group 2)

How to set: Enter the name of the security material/credentials which contains the OAuth credentials for the SAP CPI OData API.
Note: If you haven't used the SAP CPI OData API via OAuth before, you have to create a set of OAuth credentials first. Check this article which describes how to setup the credentials. (Basically it's the same like you did before for the Auth&Management API, but this time you use the "Clients"-tab instead of the "Platform API"-tab in the OAuth section of your CPI-subaccount.) When creating the credentials you need to assign at least the following two rules:

  • NodeManager.read

  • IntegrationOperationServer.read


Then store the OAuth credentials in your SAP CPI's security material section and enter the name of the security material as the needed configuration parameter.
Attention: Since Dashboard version 1.0.2 the credential has to be stored in a security material of type "OAuth2 Credentials"!

Explanation: This credentials are used to query the MessageProcessingLogs-resource (and more) of the SAP CPI OData API which is used to retrieve the message volume/counts.

Receiver - Mail Server


This part of the cofiguration is optional. You only have to configure this receiver, if you want to use the alerting feature of the RealCore CPI Dashboard.

If you want to use the dashboard's alerting engine, configure a valid mail server here. The dashboard will use it to send out alerting mails. If you don't want to use the alerting engine, you can fill out the configuration with dummy values.

More(-Configuration)


Congratulations, if you managed to get to this point - the hardest part of the configuration is done. On the "More"-tab you have to configure some more parameters.



Parameter Name: ALERT_MAIL_SENDER

How to set: If you plan to use the alerting engine of the dashboard, then you can set up the mail address here which should be shown as sender/origin of the alert mails.




Parameter Name: CACHE_DATASTORE_NAME

How to set: You can set this parameter to any value. It defines the name of the Datastore which is used by dashboard to cache the message count information. So ideally choose a name that is not yet in use as well as one that fits your naming conventions for datastores.




Parameter Name: CPU_USAGE_MESEASUREMENT_TIME_IN_MS

How to set: This values describes the measured interval for CPU utilization in milliseconds. (To measure the utilization of CPU the CPU time is read out twice. The higher the interval, the better the CPU usage results in dashboard. But on the same side - the higher the interval, the longer the dashboard loading time. Everything higher than 1000 should be fine.




Parameter Name: ROLE_GENERAL_ACCESS

How to set: Define the name of the role a dashboard user must have assigned to get access to the dashboard. When the IFlow is called it checks if the user has the role defined here. If not, it blocks access to the dashboard. If you want to work with your own rules, read this article of mine, which describes custom role handling.




Parameter Name: ROLE_LOG_AND_FILE_ACCESS

How to set: Define the name of the role a dashboard user must have assigned to view and download logfiles via the dashboard. When the IFlow is called it checks if the user has the role defined here. If not, it hides the logfiles section in the dashboard and blocks file download requests. If you want to work with your own rules, read this article of mine, which describes custom role handling.




Parameter Name: ROLE_SECURITY_MAT_ACCESS

How to set: Define the name of the role a dashboard user must have assigned to view security material/credentials. When the IFlow is called it checks if the user has the role defined here. If not, it hides the security material section in the dashboard and blocks manually executed calls to the secmat-service. If you want to work with your own rules, read this article of mine, which describes custom role handling.

Parameter Name:DIFF_REMOTE_CPI_TENANTS

How to set: This parameter is optional. You can enter connection data for multiple remote CPI tenants (separated by 😉 here. The tenants configured here will be used for the dashboard's IFlow comparison tool. Each remote system has to be entered in the format: <hostname of tenant>|<name of security material>
Example: If your remote tenant is available via "https://x0815-tmn.hci.eu1.hana.ondemand.com/itspaces" and you have created a security material containing an S-User with password in your current tenant named "CPI_x0815_CREDENTIALS" then you should enter the following into the DIFF_REMOTE_CPI_TENANTS field:
x0815-tmn.hci.eu1.hana.ondemand.com|CPI_x0815_CREDENTIALS

If you want to connect multiple remote tenants, just separate the tenant entries by use of a semicolon (;).

Timer(-Configuration)


If you plan to use the alerting engine, you can configure here how often the engine should check for errors. Regardless of the interval you configure, the engine will check the complete time interval since the last check. So by setting a larger interval in the timer, you just configure how often you will receive mails.


Deployment and Usage


Now that we have finalized the configuration, we have to deploy the IFlow. Either click on the Deploy-button from the configuration page or use the deploy option from the package view.

After the successful deployment, switch to the operations view of your SAP CPI tenant and go to the Manage Integration Content -> All-perspective. Search for the dashboard IFlow. From here you can find the dashboard's url. Copy the url and open it in a (modern) web browser.


Summary


Now we have reached the end of the second article. I hope you have successfully set up the RealCore Dashboard on your SAP CPI tenant. If there are problems or questions, just write a comment. I'm sure together we can figure out what went wrong.
107 Comments
iglmarkus
Explorer
0 Kudos
HI Raffael,

 

thanks!!!

this solved the 401 for CP.

 

But now I got 401 for HTTP to SAP_CPI ..../api/v1/MessageProcessingLogs/$count as already mentioned above, where Eng Swee provided a solution. This i check already.

 

If I use postman again:

post: https://oauthasservices-xxxxx.eu2.hana.ondemand.com/oauth2/api/v1/token?grant_type=client_credential...

with BasicAuth and ClientID and Clientsecret I get this response:

{"error":"unauthorized_client"}

 

 

thanks in advance for your help.

 

Markus
r_herrmann
Active Contributor
0 Kudos

Hi Markus,

this error comes from another API (the CPI tenant specific OData API – which is on another level then the generic Cloud Platform api, which was called in the step before.)

For this API you need a dedicate pair of OAuth credentials. Since it doesn’t work in Postman I guess there was an error made during the creation of this credentials.

When creating the credentials…

  • …follow the paragraph “Credential Name/SAP_CPI_AUTH_API_CREDENTIALS_OAUTH” on this blog post
  • …make sure that your create the credentials in the “Clients” not in the “Platform API” tab of the Cloud Cockpit’s OAuth section
  • …ensure that you add the following two roles to the client. (You can attach them by going to the Authorizations section in Cloud Platform Cockpit. Then enter “oauth_client_<client ID>”, replace the <client ID> with the ID of your client generated before, and add the roles.)
    • NodeManager.read
    • IntegrationOperationServer.read

If you need help/assistence, feel free to contact me via LinkedIn for a chat.

athar_iqbal
Explorer
0 Kudos
Hi, I configured the integration flow by following all the instruction and it is deployed. It also shows the end points available, but when I use the end point for dashboard, it gives me

HTTP Status 403 – Forbidden


I am using admin S-ID on CPI.

 

Help please.

 

Athar
r_herrmann
Active Contributor
0 Kudos
Hi Athar,

please check if you assigned the role "ESBMessaging.send" (via Cloud Platform Cockpit --> Authorization) to your S-User.

Background: https://help.sap.com/viewer/368c481cd6954bdfa5d0435479fd4eaf/Cloud/en-US/62a03365f0c64fdda7417b6da7e...
athar_iqbal
Explorer
0 Kudos
Hi Raffael, My S-ID is part of the administrator group which has the ESBMessaging.send. I normally use the postman to send the test payload to CPI using my S-ID.
athar_iqbal
Explorer
0 Kudos
Hi, I am able to pass beyond 403 error, and now I am getting 401 error.

https://api.us2.hana.ondemand.com/authorization/v1/accounts/*****/users/roles?userId=S***** with statusCode: 401

I am able to get the token using Postman which means oauth credentials are working.

Any idea what could I be missing?

 

Athar
r_herrmann
Active Contributor
0 Kudos

Sounds like an error with the OAuth security material in SAP CPI. Check that the OAuth credentials artifact for Cloud Platform has…

  • …send token in headers activated (don’t send them in body)
  • …the token endpoint URL without the parameters section. (If the token endpoint URL contains a ?, remove the ? and everything on the right side from it.)
athar_iqbal
Explorer
0 Kudos
Hi Raffael, First, Thank you so much for helping on this.

 

I have the Token URl defined like this:

https://api.us2.hana.ondemand.com/oauth2/apitoken/v1?grant_type=client_credentials

 

It is also set to send the token in header.
athar_iqbal
Explorer
0 Kudos

It did move one step further after removing the parameters from the end-point but now giving error on filter process. And it is also displaying dialog box for user id and password, but it doesn’t accept the S-ID.

However, if I type below URL in Postman, it does return me a count value. 

 

Error text: HTTP operation failed invoking https://****-tmn.hci.us2.hana.ondemand.com/api/v1/MessageProcessingLogs/$count?$filter=LogStart%20ge...‘ with statusCode: 401

 

r_herrmann
Active Contributor
0 Kudos
Hi Athar,

This good in some way, because the error you see now comes from a later step in the flow. So you successfully solved the first problem. 🙂

The error you face now, corresponds to the second OAuth credentials pair. (Do you remember? You generated two pairs. One for platform access and one for the CPI OData API.)

Please check:

  • That you set mode to "send via header" in the OAuth credentials/security artifact for CPI OAuth access

  • That you configured the correct token endpoint in the security material. (It's another token endpoint than the one for the Platform OAuth credentials. You can find the correct token endpoint in Cloud Platform Cockpit -> OAuth -> Client tab down at the bottom

  • Ensure the you assigned the necessary roles (check the instructions in the blog above) to the OAuth client credentials user


If you still have problems, feel free to contact me via linkedin. Then we can arrange a quick Screensharing session to solve the problem together.
athar_iqbal
Explorer
0 Kudos

Hi Raffael,

I figured out the issue after debugging and reviewing the iFlow in detail.

 

I have deployed v1.0.4 of the dashboard and steps defined in this blog are missing the http channel setup.

One of the channel used to get the count information is supposed to be Basic Authentication. But, it is setup as Oauth in iFlow. I modified the iFlow and changed the authentication to BASIC and it started working.

 

 

Everything is up and running now.

I really appreciate for all the help.

 

Athar

r_herrmann
Active Contributor
0 Kudos
Hi Athar,

Nice to hear that it works. But the count-api call runs against the same endpoint/API like other calls which use the OAuth credentials. So this definitely works with OAuth, too. 😉

Nevertheless - since it works for you now, leave it as it is.

 
rhviana
Active Contributor
0 Kudos

Hello r_herrmann ,

Congratulations for this fantastic job.

Applauses !!

Kind regards,

Viana.

former_member666946
Discoverer
0 Kudos
Dear Raffael,

I have a the same problem already posted by Athar.

 

org.apache.camel.component.ahc.AhcOperationFailedException: HTTP operation failed invoking https://XXXXX-tmn.hci.eu1.hana.ondemand.com/api/v1/MessageProcessingLogs/$count?$filter=LogStart%20ge%20datetime'2020-02-17T00:00:00.000'%20and%20LogStart%20le%20datetime'2020-02-17T23:59:59.999' with statusCode: 401

IFlow:



I have now checked all authorization steps for 3 times:

OAuth Client:



Permissions of OAuth Client:



Security Material CPI:



 

I found out that the URL written in Cloud Plattform OAuth section (https://oauthasservices-XXX.hana.ondemand.com/oauth2/api/v1/token) does not work.

I used this one instead:

https://oauthasservices-XXXX.hana.ondemand.com/oauth2/apitoken/v1?grant_type=client_credentials

Using Postman everythings seems to be ok:

Getting Token using Token URL (second one)

Step 2: Getting MessageProcessingLogs Returns Success http: 200 with a number as body.

 

Could you please give an hint where i can troubleshot the issue?

 

Thanks and best regards

Arne

 
r_herrmann
Active Contributor
0 Kudos
Hi Arne,

you were on a good path, when you wrote "I found out that the URL written in Cloud Plattform OAuth section (https://oauthasservices-XXX.hana.ondemand.com/oauth2/api/v1/token) does not work.". The truth lies in between. 😉

The Platform API uses a different OAuth token endpoint, than the OAuth client tokens, which are needed for CPI's OData api. The second endpoint you identified (and proofed as working in Postman) is correct. Unfortunately the CPI credentials are sometimes a little bit like a diva. 😄

Please try the following:
Edit the OAuth credential and especially the token endpoint url. Take the token endpoint url which also works in Postman, but cut off all url parameters (the "?grant_type=client_credentials" part). CPI will add this part on its own. After that, redeploy the credentials and try to reload the dashboard. (If it doesn't work immediately, wait a couple of minutes and try to reload the dashboard again.)

Best regards
former_member666946
Discoverer
0 Kudos
Hi Raffael,

thanks for reply. I have now removed the url parameter and redeployed. The application still does not run. I have found some other hint. If i get the token using portman i does not get any scope:

 

{

    "access_token": "335376779a49eb89f8d3938c6144c139",

    "token_type": "Bearer",

    "expires_in": 3600,

    "scope": ""

}


Is it correct?


Thanks,

best regards

Arne

 
r_herrmann
Active Contributor
0 Kudos
Hi Arne,

that’s correct. Mine also doesn’t get a value in the scope-field. That shouldn’t be a problem. Feel free to contact me via LinkedIn for a screensharing session.
0 Kudos
Hi Raffael,

 

first of thanks for providing such an awesome tool. I just wanted to give an additional tip, since I lost some time on that:

If you want to call the dashboard in the browser, do not authenticate with s-user certificate in browser (single sign on SAP passport). Use your s-user credentials, otherwise you will receive a 403 error.

Regards

Saraj
antoine_trotin
Discoverer
0 Kudos
Hi Raffael,

Thanks for sharing all this fantastic work!

I managed to deploy the last version of code in my CPI tenant ;  but Im facing below error when trying to enter dashboard.:

Error text: java.lang.Exception: java.lang.Exception: User SXXXXXXXX not authorized. Missing role: 'de.realcore.cpi.dashboard'.@ line 30 in authValidate.groovy

Using postman, if I do a get call of

https://api.ap1.hana.ondemand.com/authorization/v1/accounts/nxf6daldna/users/roles?userId=SXXXXXX

I get as result the roles assigned to my oss user....

Can you help me to figure where is the issue here?

(all the postman calls to check auth onfiguration are ok, returning token or role of user...)

 

Thank you!

Best regards

Antoine

 
r_herrmann
Active Contributor
0 Kudos

Hi Antoine,

you wrote: “Using postman, if I do a get call of […] I get as result the roles assigned to my oss user….“.

And does this answer in Postman list a role called “de.realcore.cpi.dashboard”? If not, you know why the dashboard throws this error. ?

In that case you have two options to solve the missing role problem:

  1. Replace the roles a users needs from de.realcore…-roles to some roles your user own (it is configurable via the IFlows “configuration” function)
  2. Add the missing roles to your user. (Check also this blog post.)
antoine_trotin
Discoverer
Hi Raffael,

Creating and adding missing role to my user solved my problem.

Maybe it would be interesting to add this step in your "how to" ; (or maybe its my lack of knowledge that leads me to this issue)

In any case, thank you very much for giving us opportunity to use this dashboard.

Best regards

Antoine
former_member532834
Discoverer
0 Kudos

Thank you r_herrmann for the detailed explanation of how to configure and run this dashboard. Appreciate your efforts.

I just need help with below items.

  1. For calling Group 1 services, we have to configure an S-User with required access. Can you please share the exact roles needed as our security team is not comfortable in assigning elevated access.
  2. When I tried to load the security material onto the dashboard I got 403 error. URL triggered is https://{tenat ID}-tmn.hci.us2.hana.ondemand.com/api/v1/UserCredentials
  3. For the Mail Adapter configuration. Which mail server to be used? Is there any SAP provided option here or we can use O365?
  4. Current Alerting feature in the dashboard is about messages and certificates. Is there any automated way to generate alerts for cases like high CPU Usage or any tenant level issues?
  5. Our client has SAP Passport setup for logging in into any cloud application or page. When he tried to access the dashboard using his SAP Passport, he received 403 forbidden error. Is logging in via cert allowed for this dashboard or we have to use credentials only?

Thanks in advance.

julian_wi
Explorer
0 Kudos

Hi Raffael,

thanks for the great documentation.

Unfortunately i got the same error like Antoine. Then I created the role and assigned my S-User to this role. Now I am not able to logon to the dashboard. It means it try to access via s-user and password but nothing happens.

Do you know what happens here?

Thanks

Julian

julian_wi
Explorer
0 Kudos
Hi Raffael,

 

now it is working as I did the same configuration like Athar.

Anyway, i got another confusing message in the dashboard. Why do I have not enough authorization? I assigned my S-user to you recommended roles and i have no authorization to view the logfiles and passwords?

 

Thanks in advance.

Julian
matthiasfuss
Discoverer
0 Kudos
Hi Raffael,

 

after the configuration I get a HTTP 500 Error:

Error text: java.lang.Exception: java.io.FileNotFoundException: https://******-tmn.hci.eu1.hana.ondemand.com/itspaces/odata/1.0/workspace.svc/ContentEntities.Conten... line 48 in diffGetIFlowPackageContent.groovy

 

When i call the url https://******-tmn.hci.eu1.hana.ondemand.com/itspaces/odata/1.0/workspace.svc/ContentEntities.Conten... via BasicAuth of my S-User in Postman the response is:

{

    "error": {

        "code": null,

        "message": {

            "lang": "en",

            "value": "Entity not found"

        }

    }

}


When i call the url in the web-browser a SSO-Auth. via my P-User is forced. But then i get a working json response. 



It looks like an authorization issue for the S-User. Do you have an idea whats missing?



Thanks.



Matthias
former_member73191
Discoverer
0 Kudos
Hi Matthias,

I was also facing the same issue as described by you. Eventually it got resolved by adding the below roles to my S-User ID:

AuthGroup.IntegrationDeveloper

AuthGroup.ReadOnly

AuthGroup.BusinessExpert

 

Hope this may help you

Regards,

Saurabh

 

 
matthiasfuss
Discoverer
0 Kudos
that worked, thanks 😉
0 Kudos

Hi Arne,
I’m in the same position as you were. Any luck?

Cheers

0 Kudos
Thank you r_herrmann for the detailed explanation of how to configure and run this dashboard.

I have question, do you have plans to create a similar post for CPI on Cloud Foundry or is there a work around we can use for the Cloud Foundry environment.
r_herrmann
Active Contributor
0 Kudos
Hi Jemil,

currently the dashboard isn't compatible to SAP CPI on CF. Sure I would love to see the dashboard on CF, too, but since it's a "sparetime project" and I'm in lack of spare time currently, I can't promise any dates for such update.
friedrich_eva
Explorer
0 Kudos
Hi Raffael,

thanks for this great tool and the explanations!

After deploying successfully and fixing the little issues here and there thanks to the other comments, I am faced with what seems to be a new issue.

After logging in, I get an Error 500:

java.lang.Exception: com.google.common.util.concurrent.UncheckedExecutionException: com.sap.it.nm.types.NodeManagerException: [CONTENT] [CONTENT_DEPLOY]  [NoArtifactDescriptorFoundForArtifactName]: No artifact descriptor found for artifactName myuser@ line 72 in diffGetIflowPackageContent.groovy

While this message is displayed I get authentication popups so I suppose it's an authorization issue, but I couldn't find a better clue.

Any idea?

Thanks

Friedrich
r_herrmann
Active Contributor
0 Kudos
Hi Friedrich,

That sounds like a configuration error. In the IFlow configuration there is a field to place a "....BASIC_AUTH..." credential. In this field you have to enter the name of the "security material" from CPI that contains the basic auth user credentials. The error look like you entered a "security material" name in the configuration that doesn't exist/isn't deployed.

BR,
Raffael
friedrich_eva
Explorer
0 Kudos
Hi Raffael,

thanks for your quick answer!

I had made a mistake on this credential's configuration indeed. So I got past this stage but now I'm facing an 403 error:

HTTP operation failed invoking https://mytenant.hci.eu3.hana.ondemand.com/api/v1/MessageProcessingLogs/$count?$filter=LogStart%20ge%20datetime'2020-10-29T00:00:00.000'%20and%20LogStart%20le%20datetime'2020-10-29T23:59:59.999' with statusCode: 403

I suppose this has to do with the client credential but I can't find what wrong; it has the nodeManager.read and IntegrationOperationServer.read roles and I suppose that it's authenticated properly, as I don't have any 401 anymore.

Thanks a lot for the support!

Best regards,

Friedrich
r_herrmann
Active Contributor
0 Kudos
Hi Friedrich,

I can think of different things which might go wrong...

  • Do you use the correct client credential pair? (You had to create two pairs - one for platform api and one for cpi-tenant specific apis. You have to use the credential pair for cpi/tenant not the pair for the platform api.)

  • Have you waited for at least 10 minutes since setting the roles? (Sometimes in the past I experienced that it took a couple of minutes until the assigned roles to the OAuth credentials were finally set and recognized.)

  • Have you tried to call the API-url in a tool like Postman? (Use HTTP GET and the client credentials as entered into CPI.) Do you get the 403 in Postman, too?


Best regards,
Raffael
friedrich_eva
Explorer
0 Kudos
Hi Raffael,

yes I have created the two pairs and for "group 2", which is used for MessageProcessingLogs if I understand correctly, I use the pair created in the "Client" tab.

With Postman, calling https://mytenant.eu3.hana.ondemand.com/api/v1/MessageProcessingLogs/ works fine with the client pair credentials.

Timing is not an issue, roles have been set hours ago now :).

I'm still testing and trying to make it work, any other suggestion is welcome!

Thanks for your help,

Friedrich
r_herrmann
Active Contributor
0 Kudos
If it works in Postman then either you have a typo in the security material (=> try to recreate the security material / redeploy) or its a caching problem. (Then it may be solved from alone just over time... Take your weekend and try again on Monday. 😉 )
friedrich_eva
Explorer
0 Kudos
In fact it was appearing to work in Postman only because of a remaining authentication cookie of another user.

But a clean test with the client pair gives me the same 403 result as on the dashboard. At least it's consistent!

But you're right, let's have some rest and try again later.

Have a nice week-end,

Friedrich
friedrich_eva
Explorer
0 Kudos
Hi Raffael,

just an update; by replacing all OAuth2 logins by basic auth in the integration flow I managed to have the tool up and running. Very weird; I did the steps several times with the client user but always ended up with a 403 on MessageProcessingLogs.

If you're interested in having a quick look let me know!

Also, now that the dashboard is live, I noticed that there seems to be some discrepancy between the two CPU usage statistics; during the last 15 minutes "CPU load" was between 4 and 5 all the time but "CPU use" was below 1%.

Thanks for the nice dashboard!

Friedrich
former_member532834
Discoverer
0 Kudos
Hi r.herrmann ,

When I tried to load the security material on the dashboard I got 403 error. URL triggered is https://{tenat ID}-tmn.hci.us2.hana.ondemand.com/api/v1/UserCredentials. Can you please help.
r_herrmann
Active Contributor
0 Kudos
Hi Sai,

this sounds like a wrong/missing scope on the OAuth platform api credentials. Please re-check the steps concerning the creation of the platform API credentials from the manual above.
phani_konduru
Explorer
0 Kudos
Hi Raffael,

Thank you for the nice CPI dashboard. We were able to configure and run the dashboard with your step by step instructions.

We have assigned ROLE_GENERAL_ACCESS, ROLE_LOG_AND_FILE_ACCESS & ROLE_SECURITY_MAT_ACCESS parameter values to multiple S users. But, unfortunately only the user (SAP_CPI_AUTH_API_CREDENTIALS_BASICAUTH) configured in the security material can access it. None of the other users can access it.

How do we enable this dashboard to be accessed by multiple users instead of single user? please guide.

Thanks & Regards,

Phani.
r_herrmann
Active Contributor
0 Kudos
The roles (ROLE_GENERAL_ACCESS, ...) should be assigned to the S-Users that log into the dashboard via webbrowser. There's nothing more to configure. Maybe the IDP needs some time to update the roles. Have you tried to log off and on again with the S-Users that aren't able to use the dashboard? Which error message to you receive?
0 Kudos
Hi Team,

 

I am deploying this iflow and i am getting the below errors. Can you please help.

Attached is the error screenshot.

r_herrmann
Active Contributor
0 Kudos
You missed to setup the credentialname in the IFlow configuration. Please click "configure" to open the IFlow config and set the corresponding logon credential name. Also check the section "Parameter Name (Group): Credential Name/SAP_CPI_AUTH_API_CREDENTIALS_OAUTH" of this blog article.
mrgongora_cl26
Explorer
0 Kudos
Hi Raffael,

I would like to test the Dashboard for CPI, I made the implementation but I get this error:

"Error text: HTTP operation failed invoking https://*****-tmn.hci.us3.hana.ondemand.com/itspaces/odata/1.0/workspace.svc/ContentEntities.Content... with statusCode: 401"

Could you guide me where the problem could be?

Greetings and Thanks.
former_member724290
Participant
0 Kudos

Hello!

During the opening of the dashboard I have error: " This request has been blocked; the content must be served over HTTPS."

I find code:

Did I enter a parameter incorrectly when configuring?

swissknalli
Explorer
0 Kudos
Hi togehter

We installed the real core iflows on our CPI, which is running on the neo cloud platform. There it is running without problems.

Now we tried to configured it on the cloud foundry and when we make the loggon to the dashboard i get the wheel of death.

There are now errors found in the cpi on which is running on the foundy.

Did anyone had the same problem on the foundry or did someone had any idea for my problem

thx for help

Matthias
r_herrmann
Active Contributor
The first part of the url shown in your screenshot is read from an dynamic CPI header:
message.getHeaders().get('CamelHttpUrl')

In the past/usually this header returned the current hostname including the right protocol. Either there was a change in CPI or something seems to be wrong with your instance. Have you called the Dashboard in your webbrowser via HTTP or HTTPs? (Please try with HTTPs.)
r_herrmann
Active Contributor
0 Kudos
Hi Matthias,

please check the first paragraph of this blog article again. 😉

It reads out...

Restrictions


Since the Cloud Foundry (CF) variant of SAP CPI as of now doesn’t send the WWW-Authenticate-header, the IFlow isn’t usable via webbrowser. Thus the dashboard isn’t supported on SAP CPI on CF environments for now because the dashboard’s webinterface itself is delivered via an IFlow and thus need a webbrowser-friendly authentication method.

So the dashboard never worked on CPI@Cloud Foundry. Maybe some of the RealCore guys can fix it... You can reach out to them via https://www.realcore.de/index.php/contact
former_member724290
Participant
Yes, I definitely use https. But the http remains in the headed. I entered https manually in  deliverStaticContent.groovy.

Everything works!

Thanks!
Labels in this area