fatihpense
Active Contributor
There are resources on this topic, but it was hard for me to understand at first sight, and there were questions about how to use tools like CPI Explorer in the CF environment.

This is my attempt to create a clear post to refer Basis teams to. Also, you can find more detailed documentation at the bottom of the article.

I like text with pictures! So, let's start.

 

Steps


 

Services > Instances and Subscriptions > Create


 

  • Process Integration Runtime

  • api


Give it a CLI-friendly name, then click "Next".


 

"password" lets you use client_id and client_secret as basic auth. But it doesn't work with "api" plan. (For "integration-flow" plan, you can give it to clients that call HTTP endpoints in the flows.)



 

If you choose JSON, here is a list of the available roles; you can edit the text and paste it. You can switch between the Form and JSON views; they keep the same values.
{
  "grant-types": [
    "client_credentials",
    "password"
  ],
  "redirect-uris": [],
  "roles": [
    "WorkspacePackagesTransport",
    "WorkspacePackagesRead",
    "QueuesActivate",
    "AccessAllAccessPoliciesArtifacts",
    "AccessPoliciesEdit",
    "AccessPoliciesRead",
    "AuthGroup_Administrator",
    "AuthGroup_BusinessExpert",
    "AuthGroup_ContentPublisher",
    "AuthGroup_IntegrationDeveloper",
    "AuthGroup_ReadOnly",
    "AuthGroup_TenantPartnerDirectoryConfigurator",
    "CatalogPackageArtifactsRead",
    "CatalogPackagesCopy",
    "CatalogPackagesRead",
    "CredentialsEdit",
    "DataStorePayloadsRead",
    "DataStoresAndQueuesConfig",
    "DataStoresAndQueuesDelete",
    "DataStoresAndQueuesRead",
    "HealthCheckMonitoringDataRead",
    "MessagePayloadsRead",
    "MessageProcessingLocksDelete",
    "MessageProcessingLocksRead",
    "MonitoringArtifactsDeploy",
    "MonitoringDataRead",
    "QueuesRetry",
    "SecurityMaterialDownload",
    "SecurityMaterialEdit",
    "TraceConfigurationEdit",
    "TraceConfigurationRead",
    "WorkspaceArtifactLocksDelete",
    "WorkspaceArtifactLocksRead",
    "WorkspaceArtifactsDeploy",
    "WorkspacePackagesConfigure",
    "WorkspacePackagesEdit"
  ]
}
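The JSON above grants every listed role to one client. As an added example (not part of the original post and not SAP tooling), this Python script summarizes what such a parameter set grants and builds a narrower one. The bucket names and the name-based classification are assumptions of this example, not SAP's definitions, and the two requested roles stand for a hypothetical read-only monitoring client.

```python
import json

# Role names copied from the JSON on this page.
PAGE_ROLES = """
WorkspacePackagesTransport WorkspacePackagesRead QueuesActivate
AccessAllAccessPoliciesArtifacts AccessPoliciesEdit AccessPoliciesRead
AuthGroup_Administrator AuthGroup_BusinessExpert AuthGroup_ContentPublisher
AuthGroup_IntegrationDeveloper AuthGroup_ReadOnly
AuthGroup_TenantPartnerDirectoryConfigurator CatalogPackageArtifactsRead
CatalogPackagesCopy CatalogPackagesRead CredentialsEdit DataStorePayloadsRead
DataStoresAndQueuesConfig DataStoresAndQueuesDelete DataStoresAndQueuesRead
HealthCheckMonitoringDataRead MessagePayloadsRead MessageProcessingLocksDelete
MessageProcessingLocksRead MonitoringArtifactsDeploy MonitoringDataRead
QueuesRetry SecurityMaterialDownload SecurityMaterialEdit TraceConfigurationEdit
TraceConfigurationRead WorkspaceArtifactLocksDelete WorkspaceArtifactLocksRead
WorkspaceArtifactsDeploy WorkspacePackagesConfigure WorkspacePackagesEdit
""".split()

def classify(role):
    """Bucket a role by name only (assumed heuristic, not SAP's definition)."""
    if role.startswith("AuthGroup_"):
        return "group"        # bundles many permissions at once
    if "Payloads" in role or role == "SecurityMaterialDownload":
        return "sensitive"    # message content or security material
    return "read" if role.endswith("Read") else "other"

def summarize(params):
    """Count the roles of a parameters dict per bucket and flag 'password'."""
    counts = {"group": 0, "sensitive": 0, "read": 0, "other": 0}
    for role in params["roles"]:
        counts[classify(role)] += 1
    counts["password_grant"] = "password" in params["grant-types"]
    return counts

def build_params(wanted, allow=("read",)):
    """Parameters with only the wanted roles; reject typos and any role
    outside the allowed buckets so broader access is a deliberate choice."""
    unknown = [r for r in wanted if r not in PAGE_ROLES]
    blocked = [r for r in wanted if r in PAGE_ROLES and classify(r) not in allow]
    if unknown or blocked:
        raise ValueError(f"unknown={unknown} outside {allow}={blocked}")
    return {"grant-types": ["client_credentials"],  # "password" left out
            "redirect-uris": [], "roles": sorted(wanted)}

if __name__ == "__main__":
    print(summarize({"grant-types": ["client_credentials", "password"],
                     "roles": PAGE_ROLES}))
    print(json.dumps(build_params(  # hypothetical read-only monitoring client
        ["MonitoringDataRead", "HealthCheckMonitoringDataRead"]), indent=2))
```

The printed JSON can be pasted into the JSON view in place of the full list.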

 

Just click "Create"


 

Wait for a while.


 

When you click on the instance, a pane on the right appears. Click "Create" under Service Keys.


 

Just give it a name and click "Create"


 

You will need client_id, client_secret, and tokenurl.


 

Get "tokenurl" at the bottom:


 

That is all.
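How a client uses the three values from the service key, as an added example that is not part of the original post or SAP's code: a standard OAuth 2.0 client-credentials token request followed by a bearer-authenticated API call. The service key here is constructed; its nested "oauth" layout, the key spellings, the `.invalid` hosts and the `/example` path are assumptions.

```python
import base64
import json
import urllib.parse
import urllib.request

# Constructed service key; the nested "oauth" layout and key spellings are
# assumptions of this example, and the .invalid hosts are placeholders.
SAMPLE_KEY = json.dumps({"oauth": {
    "clientid": "sb-example-client",
    "clientsecret": "example-secret",
    "tokenurl": "https://auth.example.invalid/oauth/token",
    "url": "https://tenant.example.invalid"}})

def load_key(text):
    """Return the key's oauth block after checking the values the post lists."""
    oauth = json.loads(text)["oauth"]
    missing = [k for k in ("clientid", "clientsecret", "tokenurl")
               if not oauth.get(k)]
    if missing:
        raise ValueError(f"service key lacks {missing}")
    if urllib.parse.urlsplit(oauth["tokenurl"]).scheme != "https":
        raise ValueError("tokenurl must be https; the secret is sent to it")
    return oauth

def token_request(key):
    """Build (without sending) the client-credentials token request."""
    pair = f"{key['clientid']}:{key['clientsecret']}".encode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials"})
    return urllib.request.Request(
        key["tokenurl"], data=body.encode(), method="POST",
        headers={"Authorization": "Basic " + base64.b64encode(pair).decode()})

def fetch_token(key, timeout=10):
    """Send the request and return the bearer token (needs network access)."""
    with urllib.request.urlopen(token_request(key), timeout=timeout) as resp:
        return json.load(resp)["access_token"]

def api_request(key, token, path):
    """Build a bearer-authenticated request against the tenant 'url'."""
    return urllib.request.Request(key["url"].rstrip("/") + path,
                                  headers={"Authorization": "Bearer " + token})

if __name__ == "__main__":
    req = token_request(load_key(SAMPLE_KEY))
    print(req.get_method(), req.full_url)  # the secret is never printed
```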

 

Example client: CPI Explorer



 

The tenant management hostname is the same as "url" in the JSON, or the URL where integration developers work.


 

Enter client_secret:


 

Resources


 

Related SAP documentation


Setting Up OAuth Inbound Authentication with Client Credentials Grant for API Clients, Cloud Foundry Environment
https://help.sap.com/viewer/368c481cd6954bdfa5d0435479fd4eaf/LATEST/en-US/20e26a837a8449c4b8b934b07f...

If you are using another Identity Provider:
Setting Up Basic Inbound Authentication of an IdP User for API Clients, Cloud Foundry Environment
https://help.sap.com/viewer/368c481cd6954bdfa5d0435479fd4eaf/LATEST/en-US/57f104d5b6064720bdca826c66...

Creating OAuth Client Credentials for Cloud Foundry Environment
https://help.sap.com/viewer/368c481cd6954bdfa5d0435479fd4eaf/LATEST/en-US/50b63c69028643b18016d67950...

Managing User Roles, Cloud Foundry Environment
https://help.sap.com/viewer/368c481cd6954bdfa5d0435479fd4eaf/LATEST/en-US/4e86f0dcb41f49e99ea43e82a0...

List of all permissions:
https://help.sap.com/viewer/368c481cd6954bdfa5d0435479fd4eaf/Cloud/en-US/fda781c59e4b46a390ce5b409f6...

Related blog posts


Technical / Service user Cloud Platform Integration for Inbound Communication
https://blogs.sap.com/2019/10/18/technical-service-user-cloud-platform-integration-for-inbound-commu...

Integration Suite – Accessing Cloud Integration Runtime
https://blogs.sap.com/2021/03/22/integration-suite-accessing-cloud-integration-runtime/

Self-Service Enablement of Cloud Integration Service on Cloud Foundry Environment
https://blogs.sap.com/2019/06/10/self-service-enablement-of-cloud-integration-service-on-cloud-found...
7 Comments
pasupularajesh
Explorer
0 Kudos
Hi Fatih Pense - Would be helpful if you can elaborate how to grant access to this API for other users rather than accessing with the client id and secret of Service Key of this instance like Role Collection and assignment of exact roles that need to be included.

For e.g. if you want to access the APIs using OData adapter service in the iFlow editor I am afraid that this service instance client cannot be able to access the same as the roles provided at the Integration flow SI might be different.

Also I see no option to edit the roles once the API service instance is created which is worrisome for now (like I want to add Workspace* roles along with monitoring ones or if I miss few initially and like to add later).

Hope SAP soon addresses these issues.

Thanks for taking time and blogging this.

Regards

Rajesh Pasupula

 

 
ghaetrer
Explorer
0 Kudos
Excellent write up Fatih!

Can you clarify which roles exactly are needed for use with CPI Explorer?
philippeaddor
Active Participant
0 Kudos

Hi Fatih!

Thank you for writing down your learnings. The sentence "But it doesn’t work with “api” plan" is a relief for me! Now I can stop thinking that I'm doing something wrong... 🙂

I now realized that basic auth with a service key is not supported for API access, but basic auth with an actual user (that is stored in an identity provider) works (see https://help.sap.com/viewer/368c481cd6954bdfa5d0435479fd4eaf/IAT/en-US/8db3d5141cd644019f0cf244e2a67...).

So for example if I use my SAP S-User it works with basic auth. Strange that it's different for the API and Iflow plans, but at least we know now...

Kind regards,

Philippe

nimmala
Explorer
0 Kudos
Hi Philippe,

Thanks for the useful information!

I am also trying to assign roles to the Service account (which is not the actual user that is stored in the identity provider).

As per the above info, basic auth with a service key is not supported for API access. Do we have any alternate solution for the same?

Please guide us as we are also stuck on the same.

Thanks in advance!

Regards,

Vinod.
philippeaddor
Active Participant
0 Kudos
Hi Vinod

Not sure. I believe this has changed a bit again. Just try it out. Do you see a Service Instance with plan "api"? If so, there should be a default service in there. Take this one - use its client ID and client secret as user and pass for the basic auth.

Philippe
himangshughosh
Explorer
0 Kudos
I'm getting the below error in my trial account while trying to create a service instance of Process integration runtime with 'api' plan:

Service broker error: Service broker it-broker-rt failed with: Internal Server Error

Can anyone please help me to solve this issue?
ruediger_fritz
Advisor
Hi all,

 

just wanted to share my stupidness with you ...

I had (due to whatever reason) two instances of Process Integration Runtime on my subaccount - one with plan 'integration-flow', one with plan 'api' (I guess I thought if I want to deploy APIs, then I need also the api plan??? - anyway) .

Then I followed this blog [SAP CPI] – HOW TO EXPOSE INTEGRATION FLOW ENDPOINT AS A API – SAP Zero to Hero (sapzero2hero.com)

and maintained the policy as described there with ClientID and ClientSecret ... Test --> no authorization -  tested all combinations of my api and integration-flow instances , delete, remove, adjust my API ... all the stuff.

Debugger of the API told me somewhere deep inside "Bearer error="invalid_token"

Close to throwing my keyboard out of the window I thought, "okay, maybe the two instances of my Process Integration Runtime interfere somehow???"
AND YES, THEY SEEM TO DO - because, after I deleted the "plan = api" Instance, my postman call to the API worked!!!

Happy to not need to buy a new keyboard 🙂
