Technology Blogs by Members
Explore a vibrant mix of technical expertise, industry insights, and tech buzz in member blogs covering SAP products, technology, and events. Get in the mix!
cancel
Showing results for 
Search instead for 
Did you mean: 
santhosh_kumarv
Active Contributor

We all access our SAP CPI tenants with the default SAP domain i.e. *.hana.ondemand.com. In this blog let us see how to create a custom domain(in Neo) and configure SAP CPI TMN and IFL Application to access through it.


Before we see the step by step guide, let's see what the end-state will look like.



Custom Domain Solution


Above is the solution assuming the Org has a domain imagine.com, and we decide to configure and access SCPI thru design-intSBX.scp.imagine.com (design time) and intSBX.scp.imagine.com (runtime). Below is the simplified steps of the end-to-end connectivity.




  1. When a client tries to connect to the Custom Domain URL of SCPI, it reaches the Organization DNS (i.e. imagine.com in this example) for hostname resolution.

  2. The DNS returns the SAP Cloud Platform SSL Hostname i.e. eu*.ssl.ondemand.com.

  3. The client tries to resolve the SSL Hostname and reaches SAP's ondemand.com DNS.

  4. The ondemand.com DNS returns the SSL Host IP address

  5. The client sends traffic to the IP with the custom domain in the Host Header.

  6. The SSL host terminates the SSL handshake and connects the client to the right SCPI application.


Now, Below is the list of steps to achieve this

  1. Buy Custom Domain Quota

  2. Buy Domain

  3. Create SSL Host in SCP

  4. Create Key Pair

  5. Get CA Signed Certificate

  6. Upload Certificate

  7. Bind Certificate and SSL Host

  8. Bind Custom Domain and CPI Application

  9. Complete DNS Configuration


1. Buy Custom Domain Quota


As you saw in the solution diagram, we need a run an SSL host in our Subaccount. We need to have (or buy) a Custom domain quota in your Global Account in order to create an SSL Host. One custom domain quota means we can create one SSL Host. The Custom domain quota from the Global Account also needs to be assigned to the underlying Subaccount(s). To find the Account Quota use the list-ssl-hosts.



neo list-ssl-hosts -a <subaccount> -h <host> -u <email>


List SSL Host



2. Buy Domain


All most all organization has its own domain and DNS server. If not the case then you can buy a domain from providers like GoDaddy.



3. Create SSL Host in SCP


An SSL host is the entry point to the custom domain in SAP Cloud Platform. It holds the custom domain, SSL Certificate, mapping between the custom domain and SCP application, etc.



neo create-ssl-host -a <subaccount> -h <host> -u <email> -n <nameof_SSLHost>

This command will create an SSL host in your subaccount with the name EU*.ssl.ondemand.com. Make a note of this SSL host as you will need it to create a CNAME record in your DNS server.


SSL Host Creation



4. Create Key Pair


This step is to create a key pair i.e. Private Key and Public Key for the custom domain intSBX.scp.imagine.com and design-intSBX.scp.imagine.com. Then download the CSR and get CA certified. This is the SSL certificate that will use to secure the custom domain.


There is 2 option here.




  1. Create Key Pair in SCP, download the CSR for CA signing. This is the recommended option since the key will not leave the server.
    neo generate-csr -a <subaccount> -h <host> -u <email> -n <nameof_SSLCertificate> -d <Subject_Distinguished_Name> -s <SAN>​


  2. Create Key Pair Externally( like OpenSSL), download CSR for CA signing.


5. Get CA Signed Certificate


Share the Certificate Signing Request (CSR) to Certification Authority and get it signed.

6. Upload Certificate


Based on option 1 or 2 on Step-4 we will




  1. Upload only the Signed Public Certificate Chain received from CA or
    neo upload-domain-certificate -a <subaccount> -h <host> -u <email> -n <nameof_SSLCertificate> -l <public_certificate_chain>​


  2. The Private Key generated externally and Signed Public Certificate Chain received from CA.
    neo upload-domain-certificate -a <subaccount> -h <host> -u <email> -n <nameof_SSLCertificate> -l <public_certificate_chain> -k <private_key>​


    Upload Domain Certificate




7. Bind Certificate and SSL Host


In Step-3 we created an SSL Host (scpiHostSBX) and in Step-4,5 & 6 we created a Domain Certificate (scpiCertSBX). In this step, we will bind the Domain Certificate and SSL Host.



neo bind-domain-certificate -a <subaccount> -h <host> -u <email> -l <nameof_SSLHost> --certificate <nameof_SSLCertificate>


Bind Certificate and SSL Host



8. Bind Custom Domain and CPI Application


This step is to add the custom domain

  1. design-intSBX.scp.imagine.com and map to TMN application

  2. intSBX.scp.imagine.com and map to IFL Application


Before we perform the map, we need to construct the TMN and IFL Application URL. The URL format is below
https://<Subscribed_Application><Provider_Subaccount>-<Subaccount_Name>.<host>;




















Subscribed Application From SCP Subaccount, open Subscriptions and copy Application Name
Provider Subaccount From SCP Subaccount, open Subscriptions and copy Provider Subaccount
Subaccount Name From SCP Subaccount, Overview, copy the Subaccount Name
host Your account host like eu1.hana.ondemand.com

Execute the below command to add IFL and TMN domain name and map to SCPI Application
neo add-custom-domain -a <subaccount> -h <host> -u <email> -e <customDomain Name> -i <TMN/IFL App Name> -l <nameof_SSLHost>

Add Custom Domain for TMN Application


Custom Domain Mapping


Add Custom Domain for IFL Application


Custom Domain Mapping



9. Compete DNS Configuration


In your DNS server, create two CNAME records to map CPI Custom Domain and SSL Host as below.




  • design-intSBX.scp.imagine.com --> EU*.ssl.ondemand.com

  • intSBX.scp.imagine.com --> EU*.ssl.ondemand.com


Only when this is done, a client call to design-intSBX.scp.imagine.com/itspaces URL will resolve to EU*.ssl.ondemand.com from the imagine DNS server. Then the SSL host will open the communication to CPI TMN Application as maintained in Step-8 i.e. to map the domain name to CPI Application. The traffic to this custom domain will be encrypted thru the Key pair generated from Step-4 through Step-7.



Additional Configuration


As the SSL will be terminated by the SSL host created by us, the trusted CAs for the SSL handshake and client authentication needs to be maintained at the SSL Host. This is done in two-step.


1. Add the CA certificate to a CA Bundle
neo add-ca -a <subaccount> -h <host> -u <email> --bundle <CABundleName> -l <CA Certificate file>


Add CA Bundle


2. Set the CA Bundle to the SSL Host



neo set-ssl-host --a <subaccount> -h <host> -u <email> -n <nameof_SSLHost> --ca-bundle <CABundleName>:<switch>


Set CA Bundle


switch values:
request - client certificate authentication is not mandatory
require - client certificate authentication is mandatory
none - removes the client certificate configuration for the specified bundle and unassigns that bundle from the SSL host
4 Comments
Labels in this area