Technology Blogs by SAP
With SAP BTP, Kyma runtime, you can now expose your custom domain through an API Rule using an Istio Gateway.

Steps to expose your custom domain

  1. Obtain the certificate for your custom domain

  2. In the istio-system namespace, create a TLS Secret holding the certificate’s data

  3. Create your new namespace (e.g. dev)

  4. Create a new Istio Gateway that consumes the Secret you just created

  5. Create a new API Rule hosted on your custom domain

  6. Test the endpoint in Postman with SSL verification enabled


Get the certificate of your custom domain

The certificate, or certificates, should provide data for these three fields:

  • crt

  • key

  • ca
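A pre-flight check for these three files, as an added example that is not part of the original post: it confirms with `openssl` that the key belongs to the certificate, that the certificate is unexpired and covers the custom domain, and that it verifies against the CA file. The function name, file paths and domain argument are assumptions, as is the premise that the ca file holds the chain that issued the certificate.

```shell
#!/bin/sh
# Added example: sanity-check the crt, key and ca files before they go into
# the TLS Secret. File paths and the domain are caller-supplied; the ca file
# is assumed to contain the CA chain that issued the certificate.
# Usage: check_tls_material <crt> <key> <ca> <custom-domain>

check_tls_material() {
    crt=$1; key=$2; ca=$3; domain=$4
    rc=0

    # 1. The private key must belong to the certificate: compare the public
    #    key embedded in the crt with the one derived from the key file.
    #    "-passin pass:" makes an encrypted key fail instead of prompting.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null)
    if [ -z "$crt_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "FAIL: $key is not the private key for $crt" >&2; rc=1
    fi

    # 2. The certificate must not be expired already.
    if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: $crt is expired or unreadable" >&2; rc=1
    fi

    # 3. The certificate must be valid for the custom domain
    #    (openssl performs the host name matching, wildcards included).
    if ! openssl x509 -in "$crt" -noout -checkhost "$domain" 2>/dev/null |
            grep -q 'does match certificate'; then
        echo "FAIL: $crt does not cover $domain" >&2; rc=1
    fi

    # 4. The certificate must chain to the ca file. Intermediates bundled in
    #    the crt file are offered as untrusted helpers for path building.
    if ! openssl verify -CAfile "$ca" -untrusted "$crt" "$crt" 2>/dev/null |
            grep -q ': OK$'; then
        echo "FAIL: $crt does not verify against $ca" >&2; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: material is consistent for $domain"
    return "$rc"
}
```

A non-zero return means at least one of the four checks failed; the reasons are printed to stderr.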

Create a TLS Kubernetes Secret with the credentials of your certificate

After getting your domain’s certificates, you’ll need to create a tls Kubernetes Secret, which is required for your Istio Gateway. Log in to your Kyma cluster and go to the istio-system namespace.

If istio-system is not visible on the namespace list, click on the top-right icon of your Dashboard to open "Preferences". On the left side, select "Clusters" and enable "Show hidden Namespaces".

Go back to your namespace list and select "istio-system".

On the left panel select Configuration – Secret.

Click on “+ Create Secret” and choose the tls preset.

After that, choose a name for your Secret and fill in the Data panel.

The tls Secret needs to hold the correct values for:

  • tls.crt

  • tls.key

  • ca.crt

After completion, click on Create. Your custom domain's certificate is now saved as a tls Secret.

Create an Istio Gateway

Go to your application namespace, or create a new one (e.g. dev). On the left panel select Istio – Gateways.

Click on “+ Create Gateway”

Firstly, choose a name for your Gateway. After that, start by adding a Server:

Click on “+ Add”

Create an HTTPS port

Port number: 443

Name: https

Protocol: HTTPS

On the TLS panel:


Credential name: select your Secret from the istio-system namespace. (If the Secret does not appear in the dropdown, don't worry: type its name in, and it will be found after creation.)

On the Hosts panel:

Hosts: *

Then click on “Create”

Create an API Rule

Go to your application namespace. On the left panel select Discovery and Network – API Rules.

Click on "+ Create API Rule" and start by selecting a name of your choice.

Under the Service panel:

Select Service name and choose the service and the port you want to expose through the API Rule.

After that, fill in Gateway and Hosts with your newly created Gateway and custom domain.

Under the Rules panel, apply the changes you see fit.

When that is done, click on “Create”.

Test the connection to your custom domain on Postman

Open Postman and paste your newly created custom domain. Add credentials and parameters if your service needs them. Finally, enable SSL verification under Settings and hit “Send”.

The Kyma dashboard offers the possibility of exposing a service through an API Rule hosted on a custom domain. With this, it is possible to avoid using the Kyma domain on exposed APIs.

Feel free to provide feedback or ask questions about this topic 😊
