Technology Blogs by Members
Explore a vibrant mix of technical expertise, industry insights, and tech buzz in member blogs covering SAP products, technology, and events. Get in the mix!
Showing results for 
Search instead for 
Did you mean: 
Active Contributor

We all access our SAP CPI tenants with the default SAP domain i.e. * In this blog let us see how to create a custom domain(in Neo) and configure SAP CPI TMN and IFL Application to access through it.

Before we see the step by step guide, let's see what the end-state will look like.

Custom Domain Solution

Above is the solution assuming the Org has a domain, and we decide to configure and access SCPI thru (design time) and (runtime). Below is the simplified steps of the end-to-end connectivity.

  1. When a client tries to connect to the Custom Domain URL of SCPI, it reaches the Organization DNS (i.e. in this example) for hostname resolution.

  2. The DNS returns the SAP Cloud Platform SSL Hostname i.e. eu*

  3. The client tries to resolve the SSL Hostname and reaches SAP's DNS.

  4. The DNS returns the SSL Host IP address

  5. The client sends traffic to the IP with the custom domain in the Host Header.

  6. The SSL host terminates the SSL handshake and connects the client to the right SCPI application.

Now, Below is the list of steps to achieve this

  1. Buy Custom Domain Quota

  2. Buy Domain

  3. Create SSL Host in SCP

  4. Create Key Pair

  5. Get CA Signed Certificate

  6. Upload Certificate

  7. Bind Certificate and SSL Host

  8. Bind Custom Domain and CPI Application

  9. Complete DNS Configuration

1. Buy Custom Domain Quota

As you saw in the solution diagram, we need a run an SSL host in our Subaccount. We need to have (or buy) a Custom domain quota in your Global Account in order to create an SSL Host. One custom domain quota means we can create one SSL Host. The Custom domain quota from the Global Account also needs to be assigned to the underlying Subaccount(s). To find the Account Quota use the list-ssl-hosts.

neo list-ssl-hosts -a <subaccount> -h <host> -u <email>

List SSL Host

2. Buy Domain

All most all organization has its own domain and DNS server. If not the case then you can buy a domain from providers like GoDaddy.

3. Create SSL Host in SCP

An SSL host is the entry point to the custom domain in SAP Cloud Platform. It holds the custom domain, SSL Certificate, mapping between the custom domain and SCP application, etc.

neo create-ssl-host -a <subaccount> -h <host> -u <email> -n <nameof_SSLHost>

This command will create an SSL host in your subaccount with the name EU* Make a note of this SSL host as you will need it to create a CNAME record in your DNS server.

SSL Host Creation

4. Create Key Pair

This step is to create a key pair i.e. Private Key and Public Key for the custom domain and Then download the CSR and get CA certified. This is the SSL certificate that will use to secure the custom domain.

There is 2 option here.

  1. Create Key Pair in SCP, download the CSR for CA signing. This is the recommended option since the key will not leave the server.
    neo generate-csr -a <subaccount> -h <host> -u <email> -n <nameof_SSLCertificate> -d <Subject_Distinguished_Name> -s <SAN>​

  2. Create Key Pair Externally( like OpenSSL), download CSR for CA signing.

5. Get CA Signed Certificate

Share the Certificate Signing Request (CSR) to Certification Authority and get it signed.

6. Upload Certificate

Based on option 1 or 2 on Step-4 we will

  1. Upload only the Signed Public Certificate Chain received from CA or
    neo upload-domain-certificate -a <subaccount> -h <host> -u <email> -n <nameof_SSLCertificate> -l <public_certificate_chain>​

  2. The Private Key generated externally and Signed Public Certificate Chain received from CA.
    neo upload-domain-certificate -a <subaccount> -h <host> -u <email> -n <nameof_SSLCertificate> -l <public_certificate_chain> -k <private_key>​

    Upload Domain Certificate

7. Bind Certificate and SSL Host

In Step-3 we created an SSL Host (scpiHostSBX) and in Step-4,5 & 6 we created a Domain Certificate (scpiCertSBX). In this step, we will bind the Domain Certificate and SSL Host.

neo bind-domain-certificate -a <subaccount> -h <host> -u <email> -l <nameof_SSLHost> --certificate <nameof_SSLCertificate>

Bind Certificate and SSL Host

8. Bind Custom Domain and CPI Application

This step is to add the custom domain

  1. and map to TMN application

  2. and map to IFL Application

Before we perform the map, we need to construct the TMN and IFL Application URL. The URL format is below

Subscribed Application From SCP Subaccount, open Subscriptions and copy Application Name
Provider Subaccount From SCP Subaccount, open Subscriptions and copy Provider Subaccount
Subaccount Name From SCP Subaccount, Overview, copy the Subaccount Name
host Your account host like

Execute the below command to add IFL and TMN domain name and map to SCPI Application
neo add-custom-domain -a <subaccount> -h <host> -u <email> -e <customDomain Name> -i <TMN/IFL App Name> -l <nameof_SSLHost>

Add Custom Domain for TMN Application

Custom Domain Mapping

Add Custom Domain for IFL Application

Custom Domain Mapping

9. Compete DNS Configuration

In your DNS server, create two CNAME records to map CPI Custom Domain and SSL Host as below.

  • --> EU*

  • --> EU*

Only when this is done, a client call to URL will resolve to EU* from the imagine DNS server. Then the SSL host will open the communication to CPI TMN Application as maintained in Step-8 i.e. to map the domain name to CPI Application. The traffic to this custom domain will be encrypted thru the Key pair generated from Step-4 through Step-7.

Additional Configuration

As the SSL will be terminated by the SSL host created by us, the trusted CAs for the SSL handshake and client authentication needs to be maintained at the SSL Host. This is done in two-step.

1. Add the CA certificate to a CA Bundle
neo add-ca -a <subaccount> -h <host> -u <email> --bundle <CABundleName> -l <CA Certificate file>

Add CA Bundle

2. Set the CA Bundle to the SSL Host

neo set-ssl-host --a <subaccount> -h <host> -u <email> -n <nameof_SSLHost> --ca-bundle <CABundleName>:<switch>

Set CA Bundle

switch values:
request - client certificate authentication is not mandatory
require - client certificate authentication is mandatory
none - removes the client certificate configuration for the specified bundle and unassigns that bundle from the SSL host
Labels in this area