sap-btp-connectivity
Packaged view
This page reorganizes the original catalog entry around fit, installability, and workflow context first. The original raw source lives below.
Stars
152
Hot score
96
Updated
March 20, 2026
Overall rating
C3.4
Composite score
3.4
Best-practice grade
F19.6
Install command
npx @skill-hub/cli install secondsky-sap-skills-sap-btp-connectivity
Repository
secondsky/sap-skills
Skill path: plugins/sap-btp-connectivity/skills/sap-btp-connectivity
Best for
Primary workflow: Ship Full Stack.
Technical facets: Full Stack.
Target audience: everyone.
License: GPL-3.0.
Original source
Catalog source: SkillHub Club.
Repository owner: secondsky.
This is still a mirrored public skill entry. Review the repository before installing into production workflows.
What it helps with
- Install sap-btp-connectivity into Claude Code, Codex CLI, Gemini CLI, or OpenCode workflows
- Review https://github.com/secondsky/sap-skills before adding sap-btp-connectivity to shared team environments
- Use sap-btp-connectivity for development workflows
Works across
Claude Code, Codex CLI, Gemini CLI, OpenCode
Favorites: 0.
Sub-skills: 0.
Aggregator: No.
Original source / Raw SKILL.md
---
name: sap-btp-connectivity
description: |
This skill provides comprehensive knowledge for SAP BTP Connectivity, including the Destination Service, Connectivity Service, Cloud Connector, Connectivity Proxy, and Transparent Proxy for Kubernetes. It should be used when configuring destinations, setting up cloud-to-on-premise connectivity, implementing principal propagation, deploying connectivity proxies in Kubernetes/Kyma environments, or troubleshooting connectivity issues.
Use this skill when:
- Creating or configuring SAP BTP destinations (HTTP, RFC, LDAP, MAIL, TCP)
- Setting up Cloud Connector for on-premise connectivity
- Implementing OAuth authentication flows for destinations
- Configuring principal propagation or user propagation
- Deploying Connectivity Proxy or Transparent Proxy in Kubernetes
- Troubleshooting connectivity errors (405, 407, 503)
- Setting up high availability for Cloud Connector
- Configuring multitenancy for destinations
Keywords: SAP BTP, Connectivity, Destination Service, Cloud Connector, Connectivity Proxy, Transparent Proxy, Kyma, Kubernetes, OAuth, Principal Propagation, RFC, LDAP, on-premise, hybrid connectivity, service channels, SOCKS5, reverse proxy, tunnel
license: GPL-3.0
metadata:
version: "1.1.0"
last_verified: "2025-11-27"
---
# SAP BTP Connectivity Skill
## Related Skills
- **sap-btp-cloud-platform**: Use for platform fundamentals, BTP account setup, and integration patterns
- **sap-btp-best-practices**: Use for implementation guidance, security best practices, and production deployment
- **sap-cap-capire**: Use for CAP service connectivity, destination consumption, and secure API access
- **sap-fiori-tools**: Use for configuring Fiori app destinations and frontend connectivity
- **sap-abap**: Use when connecting to ABAP systems via RFC or implementing principal propagation
## Table of Contents
1. [Overview](#overview)
2. [Quick Start](#quick-start)
3. [Connectivity Scenarios](#connectivity-scenarios)
4. [Destination Types](#destination-types)
5. [Authentication Configuration](#authentication-configuration)
6. [Cloud Connector Setup](#cloud-connector-setup)
7. [Kubernetes/Kyma Connectivity](#kuberneteskyma-connectivity)
8. [Common Issues & Troubleshooting](#common-issues--troubleshooting)
9. [Security Best Practices](#security-best-practices)
10. [Critical Rules](#critical-rules)
11. [Bundled Resources](#bundled-resources)
---
## Overview
SAP BTP Connectivity provides secure access from SAP BTP applications to remote services across cloud, on-premise, and VPC environments.
### Core Components
| Component | Purpose |
|-----------|---------|
| **Destination Service** | Manages connection metadata, authentication, routing |
| **Connectivity Service** | Enables Kubernetes workloads via Cloud Connector |
| **Cloud Connector** | Reverse proxy for secure on-premise tunneling |
| **Connectivity Proxy** | Kubernetes component for on-premise access |
| **Transparent Proxy** | Kubernetes component for unified destination access |
**Supported Environments**: Cloud Foundry, ABAP Environment, Kyma
**Supported Protocols**: HTTP/HTTPS, RFC, TCP (SOCKS5), LDAP/LDAPS, Mail
---
## Quick Start
### Create HTTP Destination (Cloud Foundry)
1. Navigate: **Connectivity > Destinations** in BTP Cockpit
2. Select: **Create > From Scratch**
3. Configure:
```
Name: my-destination
Type: HTTP
URL: https://api.example.com
ProxyType: Internet
Authentication: OAuth2ClientCredentials
clientId: <your-client-id>
clientSecret: <your-client-secret>
tokenServiceURL: https://auth.example.com/oauth/token
```
### Set Up Cloud Connector
1. Download from [SAP Tools](https://tools.hana.ondemand.com/#cloud)
2. Access: `https://localhost:8443`
3. Login: `Administrator` / `manage` (change immediately)
4. Add subaccount connection
### Access Destination in Application (Node.js)
```javascript
const { getDestination } = require('@sap-cloud-sdk/connectivity');

async function loadDestination() {
  // Top-level await is not valid in CommonJS, so resolve the destination inside an async function
  return getDestination({ destinationName: 'my-destination' });
}
```
---
## Connectivity Scenarios
### Cloud-to-Cloud
```
ProxyType: Internet
Authentication: OAuth2ClientCredentials | OAuth2SAMLBearerAssertion
```
### Cloud-to-On-Premise
```
ProxyType: OnPremise
Authentication: BasicAuthentication | PrincipalPropagation
```
Requires Cloud Connector installation in on-premise network.
### On-Premise-to-Cloud (Service Channels)
For on-premise systems accessing SAP BTP services via Cloud Connector.
---
## Destination Types
| Type | Use Case | ProxyType | Common Authentication |
|------|----------|-----------|----------------------|
| **HTTP** | REST/OData APIs | Internet/OnPremise | OAuth2, Basic, Certificates |
| **RFC** | SAP systems | OnPremise | Basic, PrincipalPropagation |
| **LDAP** | Directory services | Internet | Basic, NoAuth |
| **MAIL** | Email protocols | Internet | Basic, NoAuth |
| **TCP** | Generic TCP | OnPremise | Basic |
**Detailed configuration**: See `references/http-destinations.md`, `references/rfc-destinations.md`, `references/mail-tcp-ldap-destinations.md`
---
## Authentication Configuration
### OAuth2ClientCredentials (Service-to-Service)
```
Authentication: OAuth2ClientCredentials
clientId: <client-id>
clientSecret: <client-secret>
tokenServiceURL: https://auth.example.com/oauth/token
```
### OAuth2SAMLBearerAssertion (User Propagation)
```
Authentication: OAuth2SAMLBearerAssertion
audience: <target-audience>
clientKey: <client-key>
tokenServiceURL: https://auth.example.com/oauth2/token
KeyStoreLocation: <certificate-location>
```
### PrincipalPropagation (On-Premise SSO)
```
Authentication: PrincipalPropagation
ProxyType: OnPremise
```
Requires Cloud Connector X.509 certificate generation.
**Complete reference**: `references/authentication-types.md` (all 17+ types)
---
## Cloud Connector Setup
### Installation
- **Production**: Windows MSI/Linux RPM packages (service registration)
- **Development**: Portable archive (manual execution)
### Initial Configuration
1. Access UI: `https://<hostname>:8443`
2. Login: `Administrator` / `manage`
3. **Change password immediately**
4. Select mode: Master or Shadow
5. Add subaccount connection
### Access Control
Configure on-premise resource access:
- **Backend Types**: ABAP System, SAP Gateway, Non-SAP System, SAP HANA
- **HTTP Access Control**: System mapping + resource paths + policies
### High Availability
- **Master-Shadow**: Primary + backup with synchronized config
- **Requirements**: Stable network, separate machines, identical versions
**Complete guide**: `references/cloud-connector.md`
---
## Kubernetes/Kyma Connectivity
### Connectivity Proxy
Enables Kubernetes workloads to access on-premise systems.
**Installation**:
```bash
helm install connectivity-proxy \
oci://registry-1.docker.io/sapse/connectivity-proxy \
--version <version> --namespace <namespace> -f values.yaml
```
### Transparent Proxy
Exposes BTP destinations as Kubernetes Services.
**Installation**:
```bash
helm install transparent-proxy \
oci://registry-1.docker.io/sapse/transparent-proxy \
--version <version> --namespace <namespace> -f values.yaml
```
**Usage**: Create Destination Custom Resource, access as Kubernetes Service.
**Complete configuration**: `references/kubernetes-connectivity.md`
---
## Common Issues & Troubleshooting
### HTTP Error Codes
| Code | Cause | Solution |
|------|-------|----------|
| **400** | Malformed request | Check request syntax |
| **401** | Authentication failure | Verify credentials/tokens |
| **405** | HTTPS instead of HTTP | Use `http://` with port 20003 |
| **407** | Missing authorization | Add `Proxy-Authorization: Bearer <token>` |
| **503** | Cloud Connector offline | Check CC connection and Location ID |
### Cloud Connector Issues
**Cannot connect to subaccount**:
- Verify region host URL
- Check firewall allows outbound HTTPS
- Verify subaccount credentials
**Access denied to resource**:
- Check access control configuration
- Verify virtual host mapping
- Check resource path policy
**Complete troubleshooting**: `references/troubleshooting.md`
---
## Security Best Practices
### Cloud Connector
- Deploy in DMZ under IT control
- Change default password immediately
- Configure LDAP for user management
- Enable audit logging (All level for production)
- Deploy high availability (master + shadow)
### Destinations
- Use OAuth over basic authentication
- Store credentials in Destination Service, not code
- Enable TLS for all connections
- Use mTLS for enhanced security
---
## Critical Rules
### Always Do
- Change Cloud Connector default password immediately
- Use HTTPS for all external connections
- Configure access control before exposing resources
- Enable audit logging in production
- Cache tokens and destinations appropriately
### Never Do
- Expose Cloud Connector UI to internet
- Store credentials in application code
- Skip access control configuration
- Modify Cloud Connector Tomcat config files
- Run multiple master instances (split-brain)
---
## Bundled Resources
### Configuration References
- `references/http-destinations.md` - Complete HTTP destination properties
- `references/rfc-destinations.md` - RFC destination properties and pooling
- `references/mail-tcp-ldap-destinations.md` - Mail, TCP, LDAP configuration
- `references/authentication-types.md` - All 17+ authentication configurations
### Setup & Configuration
- `references/cloud-connector.md` - Cloud Connector setup and configuration
- `references/kubernetes-connectivity.md` - Connectivity Proxy and Transparent Proxy
- `references/destination-service-api.md` - REST API reference
### Advanced Topics
- `references/advanced-configuration.md` - MTA, config.json, chaining, ZTIS
- `references/identity-propagation-scenarios.md` - ABAP, NetWeaver Java, custom IDP
- `references/operational-guides.md` - Network zones, solution management
- `references/connectivity-alternatives-and-config.md` - Reverse proxy, user roles, RFC config
### Development & SDK
- `references/java-sdk-development.md` - Java APIs, JCo, SAP Cloud SDK
- `references/mail-protocols.md` - SMTP, IMAP, POP3 configuration
### Templates
- `templates/destination-http-oauth.json` - HTTP destination with OAuth template
- `templates/destination-onpremise.json` - On-premise destination template
- `templates/connectivity-proxy-values.yaml` - Helm values for Connectivity Proxy
- `templates/transparent-proxy-values.yaml` - Helm values for Transparent Proxy
---
## Documentation Links
- **Official SAP Documentation**: [https://help.sap.com/docs/connectivity](https://help.sap.com/docs/connectivity)
- **GitHub Repository**: [https://github.com/SAP-docs/btp-connectivity](https://github.com/SAP-docs/btp-connectivity)
- **Destination API**: [https://api.sap.com/api/SAP_CP_CF_Connectivity_Destination](https://api.sap.com/api/SAP_CP_CF_Connectivity_Destination)
- **Release Notes**: [https://help.sap.com/whats-new/cf0cb2cb149647329b5d02aa96303f56](https://help.sap.com/whats-new/cf0cb2cb149647329b5d02aa96303f56)
---
**Last Updated**: 2025-11-27
**Next Review**: 2026-02-27
**Source**: [https://github.com/SAP-docs/btp-connectivity](https://github.com/SAP-docs/btp-connectivity) (383 files, 352+ analyzed)
---
## Referenced Files
> The following files are referenced in this skill and included for context.
### references/http-destinations.md
```markdown
# HTTP Destinations - Complete Reference
**Source**: [https://github.com/SAP-docs/btp-connectivity/blob/main/docs/1-connectivity-documentation/http-destinations-42a0e6b.md](https://github.com/SAP-docs/btp-connectivity/blob/main/docs/1-connectivity-documentation/http-destinations-42a0e6b.md)
---
## Overview
HTTP destinations define connection parameters for HTTP/HTTPS endpoints, supporting internet, on-premise, and PrivateLink connections.
---
## Required Properties
| Property | Description | Values |
|----------|-------------|--------|
| `Name` | Unique destination identifier | String (max 200 chars) |
| `Type` | Destination type | `HTTP` |
| `URL` | Target endpoint URL | Valid HTTP(S) URL |
| `ProxyType` | Connection routing | `Internet`, `OnPremise`, `PrivateLink` |
| `Authentication` | Authentication method | See Authentication Types |
---
## Proxy Types
### Internet
Direct connection to internet-accessible endpoints.
- Default proxy type
- No additional components required
### OnPremise
Connection via Cloud Connector to on-premise systems.
- Requires Cloud Connector installation
- Optional `CloudConnectorLocationId` for multiple connectors
- Also applies to VPC environments
### PrivateLink
Connection via SAP Private Link Service.
- Available for selected SAP BTP services
- Requires Private Link setup with IaaS provider
---
## Authentication Types
### No Authentication
```
Authentication: NoAuthentication
```
### Basic Authentication
```
Authentication: BasicAuthentication
User: <username>
Password: <password>
```
### Client Certificate Authentication
```
Authentication: ClientCertificateAuthentication
KeyStoreLocation: <certificate-location>
KeyStorePassword: <password>
```
### OAuth2ClientCredentials
```
Authentication: OAuth2ClientCredentials
clientId: <client-id>
clientSecret: <client-secret>
tokenServiceURL: https://auth.example.com/oauth/token
tokenServiceURLType: Dedicated | Common
```
**Optional Properties:**
- `scope`: OAuth scopes
- `tokenServiceUser` / `tokenServicePassword`: For token service basic auth
- `URL.headers.<name>`: Custom headers for target
- `URL.queries.<name>`: Custom query parameters
- `tokenService.body.<name>`: Custom token request body
### OAuth2JWTBearer
```
Authentication: OAuth2JWTBearer
clientId: <client-id>
clientSecret: <client-secret>
tokenServiceURL: https://auth.example.com/oauth/token
```
Exchanges incoming user JWT for new access token.
### OAuth2SAMLBearerAssertion
```
Authentication: OAuth2SAMLBearerAssertion
audience: <saml-audience>
clientKey: <client-key>
tokenServiceURL: https://auth.example.com/oauth2/token
KeyStoreLocation: <certificate-for-signing>
```
**Required for user propagation (cloud-to-cloud).**
**Additional Properties:**
- `nameIdFormat`: SAML NameID format
- `userIdSource`: JWT field for user ID
- `authnContextClassRef`: Authentication context class
- `assertionIssuer`: SAML assertion issuer
- `companyId`: Company identifier
- `assertionRecipient`: SAML recipient
### OAuth2Password
```
Authentication: OAuth2Password
User: <username>
Password: <password>
clientId: <client-id>
clientSecret: <client-secret>
tokenServiceURL: https://auth.example.com/oauth/token
```
**Deprecated**: Use OAuth2ClientCredentials or OAuth2SAMLBearerAssertion instead.
### OAuth2AuthorizationCode
```
Authentication: OAuth2AuthorizationCode
clientId: <client-id>
clientSecret: <client-secret>
tokenServiceURL: https://auth.example.com/oauth/token
```
For interactive user authorization flows.
### OAuth2UserTokenExchange
```
Authentication: OAuth2UserTokenExchange
clientId: <client-id>
clientSecret: <client-secret>
tokenServiceURL: https://auth.example.com/oauth/token
```
Exchanges user token for access token.
### OAuth2RefreshToken
```
Authentication: OAuth2RefreshToken
clientId: <client-id>
clientSecret: <client-secret>
tokenServiceURL: https://auth.example.com/oauth/token
refreshToken: <refresh-token>
```
Uses refresh token to obtain access tokens.
### SAMLAssertion
```
Authentication: SAMLAssertion
audience: <saml-audience>
```
For SAML assertion authentication without OAuth.
### PrincipalPropagation
```
Authentication: PrincipalPropagation
ProxyType: OnPremise
```
**Required for user propagation (cloud-to-on-premise).**
- Requires Cloud Connector configuration
- Generates X.509 certificate from user identity
---
## Optional Properties
### Connection Settings
| Property | Description | Default |
|----------|-------------|---------|
| `URL.connectionTimeoutInSeconds` | Connection timeout | 0 (system default) |
| `URL.socketReadTimeoutInSeconds` | Read timeout | 0 (system default) |
Valid ranges:
- Connection timeout: 0-60 seconds
- Socket read timeout: 0-600 seconds
### Custom Headers and Parameters
```
URL.headers.<header-name>: <value>
URL.queries.<param-name>: <value>
tokenService.headers.<header-name>: <value>
tokenService.queries.<param-name>: <value>
tokenService.body.<param-name>: <value>
```
### TLS Configuration
```
TrustStoreLocation: <truststore-location>
TrustAll: true | false
```
**Warning**: `TrustAll: true` disables certificate validation. Use only for testing.
### Cloud Connector
```
CloudConnectorLocationId: <location-id>
```
Required when multiple Cloud Connectors connect to the same subaccount.
---
## Token Service URL Types
| Type | Behavior |
|------|----------|
| `Dedicated` | Use URL as-is (default) |
| `Common` | Replace `{tenant}` placeholder with subaccount subdomain |
Example with `Common`:
```
tokenServiceURL: https://{tenant}.auth.example.com/oauth/token
```
---
## Example: Complete OAuth2ClientCredentials Destination
```json
{
"Name": "my-api-destination",
"Type": "HTTP",
"URL": "https://api.example.com/v1",
"ProxyType": "Internet",
"Authentication": "OAuth2ClientCredentials",
"clientId": "my-client-id",
"clientSecret": "my-client-secret",
"tokenServiceURL": "https://auth.example.com/oauth/token",
"tokenServiceURLType": "Dedicated",
"scope": "read write",
"URL.headers.X-Custom-Header": "custom-value",
"URL.connectionTimeoutInSeconds": "30",
"URL.socketReadTimeoutInSeconds": "60"
}
```
---
## Example: On-Premise with Principal Propagation
```json
{
"Name": "onprem-sap-system",
"Type": "HTTP",
"URL": "http://virtual-host:443/sap/opu/odata/sap/API_BUSINESS_PARTNER",
"ProxyType": "OnPremise",
"Authentication": "PrincipalPropagation",
"CloudConnectorLocationId": "loc1"
}
```
---
## Documentation Links
- HTTP Destinations: [https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/http-destinations](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/http-destinations)
- Authentication Types: [https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/http-destinations#authentication](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/http-destinations#authentication)
- Destination Service API: [https://api.sap.com/api/SAP_CP_CF_Connectivity_Destination](https://api.sap.com/api/SAP_CP_CF_Connectivity_Destination)
---
**Last Updated**: 2025-11-22
```
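The HTTP destination reference above lists required properties, proxy types, authentication types, timeout ranges and the `TrustAll` and `tokenServiceURLType` options, and the skill's Security Best Practices and Critical Rules sections say what a reviewed destination should look like. The following is an added example, not code from the skill or from SAP: a lint pass over destination definitions in the Destination Service JSON shape that applies those rules before a definition is imported, plus a resolver for the `Common` token service URL type. The function names (`lintHttpDestination`, `resolveTokenServiceUrl`) and the sample destinations are constructed for this example; the first two samples copy the reference's own examples, the third is deliberately weak.

```javascript
// Added example, not code from the skill or from SAP: lint HTTP destination definitions
// against the constraints in the reference above. Assumed: destinations are plain objects
// in the Destination Service JSON shape; nothing here calls an SAP API.

const REQUIRED = ['Name', 'Type', 'URL', 'ProxyType', 'Authentication'];
const PROXY_TYPES = new Set(['Internet', 'OnPremise', 'PrivateLink']);
const AUTH_TYPES = new Set([
  'NoAuthentication', 'BasicAuthentication', 'ClientCertificateAuthentication',
  'OAuth2ClientCredentials', 'OAuth2JWTBearer', 'OAuth2SAMLBearerAssertion',
  'OAuth2Password', 'OAuth2AuthorizationCode', 'OAuth2UserTokenExchange',
  'OAuth2RefreshToken', 'SAMLAssertion', 'PrincipalPropagation',
]);
// Valid ranges from the Connection Settings table (seconds; 0 means system default)
const TIMEOUT_MAX = { 'URL.connectionTimeoutInSeconds': 60, 'URL.socketReadTimeoutInSeconds': 600 };

// Returns [{ level: 'error' | 'warn', message }]; an empty array means the definition passed.
function lintHttpDestination(dest) {
  const findings = [];
  const error = (message) => findings.push({ level: 'error', message });
  const warn = (message) => findings.push({ level: 'warn', message });
  const auth = dest.Authentication;

  for (const key of REQUIRED) {
    if (dest[key] === undefined || dest[key] === '') error(`missing required property ${key}`);
  }
  if (dest.Type !== undefined && dest.Type !== 'HTTP') error(`Type must be HTTP, got ${dest.Type}`);
  if (typeof dest.Name === 'string' && dest.Name.length > 200) error('Name exceeds 200 characters');
  if (dest.ProxyType !== undefined && !PROXY_TYPES.has(dest.ProxyType)) error(`unknown ProxyType ${dest.ProxyType}`);
  if (auth !== undefined && !AUTH_TYPES.has(auth)) error(`unknown Authentication ${auth}`);

  // Transport: plain http:// is only acceptable inside the Cloud Connector tunnel (ProxyType OnPremise)
  if (typeof dest.URL === 'string' && dest.URL.startsWith('http://') && dest.ProxyType !== 'OnPremise') {
    warn('URL uses plain http:// on a non-OnPremise route; use https://');
  }
  if (String(dest.TrustAll).toLowerCase() === 'true') warn('TrustAll=true disables certificate validation; remove it outside test setups');
  for (const [key, max] of Object.entries(TIMEOUT_MAX)) {
    if (dest[key] === undefined) continue;
    const n = Number(dest[key]);
    if (!Number.isInteger(n) || n < 0 || n > max) error(`${key} must be an integer between 0 and ${max}`);
  }

  // Authentication-specific checks
  if (auth === 'BasicAuthentication') warn('BasicAuthentication: prefer an OAuth2 flow where the target supports one');
  if (auth === 'OAuth2Password') warn('OAuth2Password is deprecated; use OAuth2ClientCredentials or OAuth2SAMLBearerAssertion');
  if (auth === 'PrincipalPropagation' && dest.ProxyType !== 'OnPremise') error('PrincipalPropagation requires ProxyType OnPremise');
  if (typeof auth === 'string' && auth.startsWith('OAuth2') && !dest.tokenServiceURL) error(`${auth} requires tokenServiceURL`);
  if (dest.tokenServiceURLType === 'Common' && !String(dest.tokenServiceURL).includes('{tenant}')) {
    warn('tokenServiceURLType Common but tokenServiceURL has no {tenant} placeholder');
  }
  return findings;
}

// Token endpoint resolution per the Token Service URL Types table: Dedicated (the default)
// uses the URL as-is, Common substitutes the subaccount subdomain for {tenant}.
function resolveTokenServiceUrl(dest, subaccountSubdomain) {
  if (dest.tokenServiceURLType === 'Common') return dest.tokenServiceURL.replace('{tenant}', subaccountSubdomain);
  return dest.tokenServiceURL;
}

// Constructed samples: the two example destinations from the reference, plus a weak one
const oauthDest = {
  Name: 'my-api-destination', Type: 'HTTP', URL: 'https://api.example.com/v1',
  ProxyType: 'Internet', Authentication: 'OAuth2ClientCredentials',
  clientId: 'my-client-id', clientSecret: 'my-client-secret',
  tokenServiceURL: 'https://auth.example.com/oauth/token', tokenServiceURLType: 'Dedicated',
  scope: 'read write', 'URL.headers.X-Custom-Header': 'custom-value',
  'URL.connectionTimeoutInSeconds': '30', 'URL.socketReadTimeoutInSeconds': '60',
};
const onPremDest = {
  Name: 'onprem-sap-system', Type: 'HTTP',
  URL: 'http://virtual-host:443/sap/opu/odata/sap/API_BUSINESS_PARTNER',
  ProxyType: 'OnPremise', Authentication: 'PrincipalPropagation', CloudConnectorLocationId: 'loc1',
};
// Deliberately weak definition (constructed): plain http, TrustAll, basic auth, timeout out of range
const weakDest = {
  Name: 'legacy-api', Type: 'HTTP', URL: 'http://api.example.com', ProxyType: 'Internet',
  Authentication: 'BasicAuthentication', User: 'svc-user', Password: '<password>',
  TrustAll: 'true', 'URL.socketReadTimeoutInSeconds': '900',
};

for (const dest of [oauthDest, onPremDest, weakDest]) {
  console.log(dest.Name, lintHttpDestination(dest));
}
```

Run against the samples, the two reference examples pass cleanly and the weak one produces one error (read timeout outside 0-600) and three warnings (plain `http://` on an Internet route, `TrustAll`, basic authentication). Running such a check in a pipeline before `cf create-service-key`-style imports is one way to turn the "Never Do" list into an enforced gate rather than a convention.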
### references/rfc-destinations.md
```markdown
# RFC Destinations - Complete Reference
**Source**: [https://github.com/SAP-docs/btp-connectivity/blob/main/docs/1-connectivity-documentation/rfc-destinations-238d027.md](https://github.com/SAP-docs/btp-connectivity/blob/main/docs/1-connectivity-documentation/rfc-destinations-238d027.md)
---
## Overview
RFC destinations enable Remote Function Call communication with SAP ABAP systems. They support both on-premise systems via Cloud Connector and cloud ABAP systems.
---
## Minimal Configuration
```properties
Name=SalesSystem
Type=RFC
jco.client.client=000
jco.client.lang=EN
jco.client.user=consultant
jco.client.passwd=<password>
jco.client.ashost=sales-system.cloud
jco.client.sysnr=42
jco.destination.proxy_type=OnPremise
```
---
## Required Properties
### User Logon Properties
| Property | Description |
|----------|-------------|
| `jco.client.user` | SAP user name |
| `jco.client.passwd` | User password |
| `jco.client.client` | SAP client number (000-999) |
| `jco.client.lang` | Logon language (EN, DE, etc.) |
### Target System Properties
| Property | Description |
|----------|-------------|
| `jco.client.ashost` | Application server hostname |
| `jco.client.sysnr` | System number (00-99) |
| `jco.destination.proxy_type` | `OnPremise` or `Internet` |
---
## Pooling Configuration
Connection pooling improves performance by reusing connections.
| Property | Description | Default |
|----------|-------------|---------|
| `jco.destination.pool_capacity` | Max idle connections kept open | 1 |
| `jco.destination.peak_limit` | Max concurrent active connections | pool_capacity |
| `jco.destination.max_get_client_time` | Wait time for free connection (seconds) | 30 |
| `jco.destination.expiration_time` | Idle connection lifetime (seconds) | 60 |
| `jco.destination.expiration_check_period` | Check interval for expired connections (seconds) | 60 |
| `jco.destination.pool_check_connection` | Validate connections before reuse | false |
**Example:**
```properties
jco.destination.pool_capacity=5
jco.destination.peak_limit=10
jco.destination.max_get_client_time=30
jco.destination.expiration_time=60
```
### Pool Behavior
- Pool starts empty (no pre-allocated connections)
- Connections created on demand during function module calls
- Requests wait up to `max_get_client_time` if `peak_limit` reached
- `pool_check_connection` validates pooled connections (performance overhead)
---
## Communication Behavior Parameters
| Property | Description |
|----------|-------------|
| `jco.client.codepage` | SAP code page |
| `jco.client.delta` | Delta manager (0/1) |
| `jco.client.serialization_format` | Serialization format |
| `jco.client.trace` | JCo trace level (0-10) |
---
## Repository Configuration
| Property | Description |
|----------|-------------|
| `jco.destination.repository_destination` | Destination for repository queries |
| `jco.destination.repository_snc_mode` | Repository SNC mode |
| `jco.destination.repository_user` | Repository user |
| `jco.destination.repository_passwd` | Repository password |
---
## SNC (Secure Network Communications)
For encrypted RFC connections:
| Property | Description |
|----------|-------------|
| `jco.client.snc_mode` | Enable SNC (0/1) |
| `jco.client.snc_partnername` | SNC partner name |
| `jco.client.snc_qop` | Quality of protection (1-9) |
| `jco.client.snc_lib` | Path to SNC library |
| `jco.client.snc_myname` | Own SNC name |
---
## Load Balancing (Message Server)
For connection via message server:
| Property | Description |
|----------|-------------|
| `jco.client.mshost` | Message server host |
| `jco.client.msserv` | Message server port |
| `jco.client.r3name` | System ID (SID) |
| `jco.client.group` | Logon group |
---
## SAP Router
For connections through SAP Router:
| Property | Description |
|----------|-------------|
| `jco.client.saprouter` | SAP Router string |
**Format:** `/H/<router-host>/S/<router-port>/H/<target-host>`
---
## Principal Propagation
For user propagation to on-premise systems:
```properties
Type=RFC
jco.destination.proxy_type=OnPremise
jco.destination.auth_type=PrincipalPropagation
```
Requires Cloud Connector configuration for X.509 certificate generation.
---
## Complete Example
```properties
# Basic Configuration
Name=ERP_System
Type=RFC
Description=Production ERP System
# User Logon
jco.client.user=RFC_USER
jco.client.passwd=<password>
jco.client.client=100
jco.client.lang=EN
# Target System
jco.client.ashost=virtual-erp-host
jco.client.sysnr=00
# Connectivity
jco.destination.proxy_type=OnPremise
CloudConnectorLocationId=loc1
# Connection Pooling
jco.destination.pool_capacity=10
jco.destination.peak_limit=50
jco.destination.max_get_client_time=30
jco.destination.expiration_time=60
jco.destination.pool_check_connection=1
```
---
## Cloud Connector Access Control
For RFC destinations with `ProxyType=OnPremise`:
1. Add system mapping in Cloud Connector:
- Virtual Host: Name used in destination
- Internal Host: Actual SAP hostname
- Protocol: RFC or RFCS (with SNC)
- Port: System number × 100 + 3300
2. Optionally restrict function modules:
- Add allowed function module patterns
- Use wildcards for module groups
---
## Invoking ABAP Function Modules
### Java (JCo)
```java
import com.sap.conn.jco.*;

// JCo calls throw the checked JCoException, so the enclosing method must handle or declare it
JCoDestination destination = JCoDestinationManager.getDestination("ERP_System");
JCoFunction function = destination.getRepository().getFunction("BAPI_COMPANYCODE_GETLIST");
function.execute(destination);
JCoTable codes = function.getTableParameterList().getTable("COMPANYCODE_LIST");
while (codes.nextRow()) {
    System.out.println(codes.getString("COMP_CODE"));
}
```
### Node.js (node-rfc)
```javascript
const { Client } = require('node-rfc');

(async () => {
  // Top-level await is not valid in CommonJS; 'dest' names an entry in the local sapnwrfc.ini
  const client = new Client({ dest: 'ERP_System' });
  await client.open();
  const result = await client.call('BAPI_COMPANYCODE_GETLIST', {});
  console.log(result.COMPANYCODE_LIST);
  await client.close();
})();
```
---
## Documentation Links
- RFC Destinations: [https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/rfc-destinations](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/rfc-destinations)
- Pooling Configuration: [https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/pooling-configuration](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/pooling-configuration)
- Invoking Function Modules: [https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/invoking-abap-function-modules-via-rfc](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/invoking-abap-function-modules-via-rfc)
---
**Last Updated**: 2025-11-22
```
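The RFC reference above spreads its rules across several sections: the required logon and target properties, the client and system number formats, the pooling parameters and their defaults, SNC for encrypting the RFC hop, principal propagation needing `proxy_type=OnPremise`, and the Cloud Connector system mapping (virtual host, RFC or RFCS, port). The following is an added example, not code from the skill or from SAP: it parses a destination in the `.properties` form used above, checks those rules in one pass, and derives the system mapping the Cloud Connector administrator needs. The function names (`parseProperties`, `lintRfcDestination`, `cloudConnectorMapping`) are constructed for this example, the first sample copies the reference's Complete Example, and the mapping port is assumed to follow the standard gateway convention of 3300 plus the system number.

```javascript
// Added example, not code from the skill or from SAP: parse a Java-properties style RFC
// destination, check the constraints listed in the reference above, and derive the Cloud
// Connector system mapping it needs. Assumed: the property names from the tables above and
// the standard 33<sysnr> gateway port; no JCo runtime is involved.

// Minimal .properties parser: key=value per line, '#' comments, surrounding whitespace trimmed
function parseProperties(text) {
  const props = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    props[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return props;
}

// Returns [{ level: 'error' | 'warn' | 'info', message }]; an empty array means the definition passed.
function lintRfcDestination(p) {
  const findings = [];
  const add = (level, message) => findings.push({ level, message });
  const proxy = p['jco.destination.proxy_type'];
  const principalPropagation = p['jco.destination.auth_type'] === 'PrincipalPropagation';

  if (p.Type !== 'RFC') add('error', `Type must be RFC, got ${p.Type}`);
  // Target: either a direct application server or a message server (load balancing)
  const required = p['jco.client.mshost']
    ? ['jco.client.r3name', 'jco.client.group']
    : ['jco.client.ashost', 'jco.client.sysnr'];
  // Without principal propagation a technical user and password must be configured
  if (!principalPropagation) required.push('jco.client.user', 'jco.client.passwd');
  for (const key of required) if (!p[key]) add('error', `missing ${key}`);

  if (p['jco.client.client'] !== undefined && !/^\d{3}$/.test(p['jco.client.client'])) add('error', 'jco.client.client must be three digits (000-999)');
  if (p['jco.client.sysnr'] !== undefined && !/^\d{2}$/.test(p['jco.client.sysnr'])) add('error', 'jco.client.sysnr must be two digits (00-99)');
  if (proxy !== 'OnPremise' && proxy !== 'Internet') add('error', `jco.destination.proxy_type must be OnPremise or Internet, got ${proxy}`);
  if (principalPropagation && proxy !== 'OnPremise') add('error', 'PrincipalPropagation requires jco.destination.proxy_type=OnPremise');
  if (p['jco.client.snc_mode'] !== '1') add('warn', 'SNC is off (jco.client.snc_mode=1 enables it); the RFC hop to the backend is not encrypted');

  // Pooling: peak_limit defaults to pool_capacity and should not be smaller than it
  const capacity = Number(p['jco.destination.pool_capacity'] ?? 1);
  const peak = Number(p['jco.destination.peak_limit'] ?? capacity);
  if (peak < capacity) add('warn', 'jco.destination.peak_limit is smaller than pool_capacity; the pool cannot hold more idle connections than peak_limit allows');
  const check = p['jco.destination.pool_check_connection'];
  if (check === '1' || check === 'true') add('info', 'pool_check_connection validates every pooled connection before reuse (extra round trip)');
  return findings;
}

// System mapping the Cloud Connector needs (Access Control section): the virtual host as used
// in the destination, RFCS when SNC is on, and the gateway port 3300 + system number
function cloudConnectorMapping(p) {
  if (p['jco.destination.proxy_type'] !== 'OnPremise' || !p['jco.client.ashost']) return null;
  return {
    virtualHost: p['jco.client.ashost'],
    protocol: p['jco.client.snc_mode'] === '1' ? 'RFCS' : 'RFC',
    port: 3300 + Number(p['jco.client.sysnr']),
    locationId: p.CloudConnectorLocationId ?? null,
  };
}

// Constructed sample 1: the Complete Example from the reference above
const ERP_PROPERTIES = `
# Basic Configuration
Name=ERP_System
Type=RFC
Description=Production ERP System
# User Logon
jco.client.user=RFC_USER
jco.client.passwd=<password>
jco.client.client=100
jco.client.lang=EN
# Target System
jco.client.ashost=virtual-erp-host
jco.client.sysnr=00
# Connectivity
jco.destination.proxy_type=OnPremise
CloudConnectorLocationId=loc1
# Connection Pooling
jco.destination.pool_capacity=10
jco.destination.peak_limit=50
jco.destination.max_get_client_time=30
jco.destination.expiration_time=60
jco.destination.pool_check_connection=1
`;
// Constructed sample 2: principal propagation with SNC, no technical user needed
const PP_PROPERTIES = `
Name=ERP_PP
Type=RFC
jco.client.client=100
jco.client.lang=EN
jco.client.ashost=virtual-erp-host
jco.client.sysnr=42
jco.client.snc_mode=1
jco.client.snc_partnername=p:CN=ERP
jco.destination.proxy_type=OnPremise
jco.destination.auth_type=PrincipalPropagation
`;
// Constructed sample 3: malformed numbers, unknown proxy type, principal propagation off-route
const BAD_PROPERTIES = `
Name=Bad
Type=RFC
jco.client.client=1
jco.client.ashost=host
jco.client.sysnr=7
jco.destination.proxy_type=Cloud
jco.destination.auth_type=PrincipalPropagation
`;

for (const text of [ERP_PROPERTIES, PP_PROPERTIES, BAD_PROPERTIES]) {
  const props = parseProperties(text);
  console.log(props.Name, lintRfcDestination(props), cloudConnectorMapping(props));
}
```

The reference's own example passes with one warning (SNC is not enabled) and one informational note about `pool_check_connection`; the principal propagation sample passes cleanly and maps to `virtual-erp-host`, protocol `RFCS`, port 3342; the malformed sample yields four errors and no mapping, since a non-`OnPremise` destination has nothing to register in the Cloud Connector.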
### references/mail-tcp-ldap-destinations.md
```markdown
# Mail, TCP, and LDAP Destinations - Complete Reference
**Source**: [https://github.com/SAP-docs/btp-connectivity/tree/main/docs/1-connectivity-documentation](https://github.com/SAP-docs/btp-connectivity/tree/main/docs/1-connectivity-documentation)
---
## Mail Destinations
### Overview
Mail destinations support SMTP, IMAP, and POP3 protocols for sending and receiving emails.
### Supported Protocols
| Protocol | Default Port | Description |
|----------|--------------|-------------|
| SMTP | 25 | Simple Mail Transfer Protocol |
| SMTPS | 465 | SMTP over TLS |
| IMAP | 143 | Internet Message Access Protocol |
| IMAPS | 993 | IMAP over TLS |
| POP3 | 110 | Post Office Protocol v3 |
| POP3S | 995 | POP3 over TLS |
### Internet Mail Destinations
All protocols supported (SMTP, SMTPS, IMAP, IMAPS, POP3, POP3S).
**Example SMTP:**
```json
{
"Name": "smtp-destination",
"Type": "MAIL",
"ProxyType": "Internet",
"Authentication": "BasicAuthentication",
"User": "[email protected]",
"Password": "<password>",
"mail.smtp.host": "smtp.example.com",
"mail.smtp.port": "587",
"mail.smtp.auth": "true",
"mail.smtp.starttls.enable": "true"
}
```
**Example IMAP:**
```json
{
"Name": "imap-destination",
"Type": "MAIL",
"ProxyType": "Internet",
"Authentication": "BasicAuthentication",
"User": "[email protected]",
"Password": "<password>",
"mail.imap.host": "imap.example.com",
"mail.imap.port": "993",
"mail.imap.ssl.enable": "true"
}
```
### On-Premise Mail Destinations
Supports SMTP, POP3, and IMAP via Cloud Connector (SOCKS5).
**Example:**
```json
{
"Name": "onprem-smtp",
"Type": "MAIL",
"ProxyType": "OnPremise",
"Authentication": "BasicAuthentication",
"User": "smtp-user",
"Password": "<password>",
"mail.smtp.host": "virtual-mail-host",
"mail.smtp.port": "25",
"CloudConnectorLocationId": "loc1"
}
```
### Authentication Options
| Type | Use Case |
|------|----------|
| `NoAuthentication` | Anonymous access |
| `BasicAuthentication` | Username/password |
| `OAuth2ClientCredentials` | Service accounts |
| `OAuth2RefreshToken` | Long-lived tokens |
| `OAuth2AuthorizationCode` | User-interactive |
### Mail Properties Reference
#### SMTP Properties
| Property | Description |
|----------|-------------|
| `mail.smtp.host` | SMTP server hostname |
| `mail.smtp.port` | SMTP server port |
| `mail.smtp.auth` | Enable authentication (true/false) |
| `mail.smtp.starttls.enable` | Enable STARTTLS |
| `mail.smtp.ssl.enable` | Enable SSL/TLS |
| `mail.smtp.from` | Default sender address |
| `mail.smtp.connectiontimeout` | Connection timeout (ms) |
| `mail.smtp.timeout` | I/O timeout (ms) |
#### IMAP Properties
| Property | Description |
|----------|-------------|
| `mail.imap.host` | IMAP server hostname |
| `mail.imap.port` | IMAP server port |
| `mail.imap.ssl.enable` | Enable SSL/TLS |
| `mail.imap.starttls.enable` | Enable STARTTLS |
| `mail.imap.connectiontimeout` | Connection timeout (ms) |
#### POP3 Properties
| Property | Description |
|----------|-------------|
| `mail.pop3.host` | POP3 server hostname |
| `mail.pop3.port` | POP3 server port |
| `mail.pop3.ssl.enable` | Enable SSL/TLS |
| `mail.pop3.starttls.enable` | Enable STARTTLS |
---
## TCP Destinations
### Overview
TCP destinations enable generic TCP-based protocol connections via SOCKS5 proxy.
### Configuration
```json
{
"Name": "tcp-database",
"Type": "TCP",
"ProxyType": "OnPremise",
"Address": "virtual-db-host:3306",
"CloudConnectorLocationId": "loc1"
}
```
### SOCKS5 Protocol
The Connectivity service provides a SOCKS5 proxy for TCP connections.
**Connection Details:**
- Host: `onpremise_proxy_host` from service binding
- Port: `onpremise_socks5_proxy_port` from service binding
- Auth Method: 0x80 (JWT authentication)
### Authentication Flow
1. **Method Negotiation**: Client requests 0x80 method
2. **Authentication**: Client sends JWT token + optional Location ID
3. **Connect Request**: Client requests connection to target
### SOCKS5 Error Codes
| Code | Name | Cause |
|------|------|-------|
| 0x00 | SUCCESS | Connection established |
| 0x02 | FORBIDDEN | Missing access control rule |
| 0x03 | NETWORK_UNREACHABLE | Cloud Connector not connected |
| 0x04 | HOST_UNREACHABLE | Backend system unreachable |
| 0x05 | CONNECTION_REFUSED | Backend refused connection |
| 0x06 | TTL_EXPIRED | Connection timeout |
| 0x07 | COMMAND_NOT_SUPPORTED | Unsupported SOCKS command |
| 0x08 | ADDRESS_NOT_SUPPORTED | Invalid address type |
### Java Implementation Example
```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;

// Outline of the client side of the Authentication Flow above. The six abstract helpers
// encode and check the messages of each step (method 0x80 negotiation, JWT plus optional
// Location ID, CONNECT to the target) on the socket's streams and are left to implement.
public abstract class Socks5ProxySocket extends Socket {
    private static final byte SOCKS_VERSION = 0x05;
    private static final byte AUTH_METHOD = (byte) 0x80;

    public void connect(String proxyHost, int proxyPort,
                        String targetHost, int targetPort,
                        String jwtToken, String locationId) throws IOException {
        // 1. Connect to proxy
        super.connect(new InetSocketAddress(proxyHost, proxyPort));
        // 2. Method negotiation
        sendMethodRequest(AUTH_METHOD);
        verifyMethodResponse();
        // 3. Authentication
        sendAuthRequest(jwtToken, locationId);
        verifyAuthResponse();
        // 4. Connect request
        sendConnectRequest(targetHost, targetPort);
        verifyConnectResponse();
    }

    protected abstract void sendMethodRequest(byte method) throws IOException;
    protected abstract void verifyMethodResponse() throws IOException;
    protected abstract void sendAuthRequest(String jwtToken, String locationId) throws IOException;
    protected abstract void verifyAuthResponse() throws IOException;
    protected abstract void sendConnectRequest(String host, int port) throws IOException;
    protected abstract void verifyConnectResponse() throws IOException;
}
```
### Transparent Proxy TCP Support
In Kubernetes, TCP destinations are exposed as services:
```yaml
apiVersion: destination.connectivity.api.sap/v1
kind: Destination
metadata:
name: tcp-destination
spec:
destinationRef:
name: my-tcp-destination
```
---
## LDAP Destinations
### Overview
LDAP destinations enable access to directory services for user authentication and lookup.
### Configuration
**Internet LDAP:**
```json
{
"Name": "ldap-destination",
"Type": "LDAP",
"URL": "ldap://ldap.example.com:389",
"ProxyType": "Internet",
"Authentication": "BasicAuthentication",
"User": "cn=admin,dc=example,dc=com",
"Password": "<password>"
}
```
**Secure LDAPS:**
```json
{
"Name": "ldaps-destination",
"Type": "LDAP",
"URL": "ldaps://ldap.example.com:636",
"ProxyType": "Internet",
"Authentication": "BasicAuthentication",
"User": "cn=admin,dc=example,dc=com",
"Password": "<password>",
"TrustStoreLocation": "ldap-truststore.jks"
}
```
**On-Premise LDAP:**
```json
{
"Name": "onprem-ldap",
"Type": "LDAP",
"URL": "ldap://virtual-ldap-host:389",
"ProxyType": "OnPremise",
"Authentication": "BasicAuthentication",
"User": "cn=admin,dc=corp,dc=local",
"Password": "<password>",
"CloudConnectorLocationId": "loc1"
}
```
### LDAP Best Practices (Cloud Connector)
#### Connection Configuration
```xml
<!-- Example LDAP Realm for Cloud Connector -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
connectionURL="ldaps://ldap.corp.local:636"
userBase="ou=users,dc=corp,dc=local"
userSearch="(sAMAccountName={0})"
userSubtree="true"
roleBase="ou=groups,dc=corp,dc=local"
roleSearch="(member={0})"
roleName="cn"/>
```
#### User Base Configuration
| Property | Description |
|----------|-------------|
| `userBase` | Base DN for user searches |
| `userSearch` | LDAP filter for user lookup |
| `userSubtree` | Search subtree (true/false) |
| `userPattern` | DN pattern (avoid with SSL) |
#### Role Configuration
| Property | Description |
|----------|-------------|
| `roleBase` | Base DN for role searches |
| `roleSearch` | LDAP filter for roles |
| `roleName` | Attribute containing role name |
| `userRoleName` | User attribute containing roles |
### Cloud Connector LDAP Roles
| Role | Description |
|------|-------------|
| `sccadmin` | Full administrator access |
| `sccsubadmin` | Subaccount administration |
| `sccsupport` | Support operations |
| `sccmonitoring` | Monitoring access |
| `sccdisplay` | Read-only access |
### Active Directory Tips
- Use `adCompat="true"` for AD-specific handling
- Format users as `user@domain` or full DN
- Escape special characters with `\nn`
- Use `\\` for backslashes
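Building the `userSearch` filter safely, as an added example (Python, not Cloud Connector or Tomcat code): it implements the RFC 4515 `\nn` hex escapes the tips above refer to and shows the naive builder beside the escaped one, so the effect of a login name containing filter metacharacters is visible. The pattern and the crafted value are constructed; whether a given realm implementation escapes the substituted value itself is something to verify for that implementation.

```python
"""Escape a login name before substituting it into an LDAP search filter such as the
userSearch="(sAMAccountName={0})" pattern above. Added example, not Cloud Connector or
Tomcat code: RFC 4515 \\nn hex escapes, with the unescaped builder kept for comparison."""

# Characters that change the meaning of a filter value (RFC 4515 section 3)
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Replace each special character with its \\nn form; everything else passes through."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_search_unsafe(pattern, username):
    """What naive substitution produces: metacharacters in username rewrite the filter."""
    return pattern.replace("{0}", username)


def build_user_search(pattern, username):
    """Safe form: the username can only ever match as a literal attribute value."""
    return pattern.replace("{0}", escape_filter_value(username))


def top_level_components(filter_text):
    """Count top-level '(...)' groups; a single well-formed filter has exactly one."""
    depth, groups = 0, 0
    for ch in filter_text:
        if ch == "(":
            if depth == 0:
                groups += 1
            depth += 1
        elif ch == ")":
            depth -= 1
    return groups


if __name__ == "__main__":
    crafted = "*)(objectClass=*"     # constructed value containing filter metacharacters
    print(build_user_search_unsafe("(sAMAccountName={0})", crafted))
    print(build_user_search("(sAMAccountName={0})", crafted))
```

The unsafe builder turns the crafted value into two filter components, so the lookup no longer matches on the account name alone; the escaped builder keeps a single component whose value is the literal string. The same `\5c` escape is why a `DOMAIN\user` form needs its backslash doubled when it is written into configuration.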
---
## Cloud Connector Access Control
### LDAP Access Control
1. Navigate to **Access Control > LDAP**
2. Add system mapping:
- Virtual Host: Name for BTP destinations
- Internal Host: Actual LDAP server
- Protocol: LDAP or LDAPS
### TCP Access Control
1. Navigate to **Access Control > TCP**
2. Add system mapping with port ranges
3. Protocol: TCP or TCPS
---
## Documentation Links
- Mail Destinations: [https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/mail-destinations](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/mail-destinations)
- TCP Protocol: [https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/using-tcp-protocol-for-cloud-applications](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/using-tcp-protocol-for-cloud-applications)
- LDAP Destinations: [https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/ldap-destinations](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/ldap-destinations)
- LDAP Best Practices: [https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/ldap-configuration-best-practices](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/ldap-configuration-best-practices)
---
**Last Updated**: 2025-11-22
```
### references/authentication-types.md
```markdown
# Authentication Types - Complete Reference
**Source**: [https://github.com/SAP-docs/btp-connectivity/tree/main/docs/1-connectivity-documentation](https://github.com/SAP-docs/btp-connectivity/tree/main/docs/1-connectivity-documentation)
---
## Overview
SAP BTP Destination Service supports 17+ authentication types for HTTP destinations, covering various OAuth flows, certificate-based authentication, and principal propagation.
---
## Authentication Type Summary
| Type | Use Case | User Context |
|------|----------|--------------|
| `NoAuthentication` | Public APIs | No |
| `BasicAuthentication` | Simple credentials | Technical |
| `ClientCertificateAuthentication` | X.509 certificates | Technical |
| `OAuth2ClientCredentials` | Service-to-service | Technical |
| `OAuth2Password` | Legacy password flow | Technical |
| `OAuth2JWTBearer` | Token exchange | Business User |
| `OAuth2SAMLBearerAssertion` | Cloud-to-cloud propagation | Business User |
| `OAuth2UserTokenExchange` | User token exchange | Business User |
| `OAuth2TokenExchange` | Generic token exchange | Business User |
| `OAuth2TechnicalUserPropagation` | Technical user via OAuth | Technical |
| `OAuth2RefreshToken` | Refresh token flow | Depends |
| `OAuth2AuthorizationCode` | Interactive authorization | Business User |
| `SAMLAssertion` | SAML without OAuth | Business User |
| `PrincipalPropagation` | Cloud-to-on-premise SSO | Business User |
| `ServerCertificateAuthentication` | Server certificates | Technical |
---
## NoAuthentication
No authentication required for the target endpoint.
```json
{
"Name": "public-api",
"Type": "HTTP",
"URL": "https://api.public.example.com",
"ProxyType": "Internet",
"Authentication": "NoAuthentication"
}
```
---
## BasicAuthentication
Username and password authentication.
```json
{
"Name": "basic-auth-destination",
"Type": "HTTP",
"URL": "https://api.example.com",
"ProxyType": "Internet",
"Authentication": "BasicAuthentication",
"User": "username",
"Password": "password"
}
```
**Properties:**
| Property | Required | Description |
|----------|----------|-------------|
| `User` | Yes | Username |
| `Password` | Yes | Password |
---
## ClientCertificateAuthentication
X.509 client certificate authentication.
```json
{
"Name": "cert-auth-destination",
"Type": "HTTP",
"URL": "https://api.example.com",
"ProxyType": "Internet",
"Authentication": "ClientCertificateAuthentication",
"KeyStoreLocation": "cert.p12",
"KeyStorePassword": "keystorepassword"
}
```
**Properties:**
| Property | Required | Description |
|----------|----------|-------------|
| `KeyStoreLocation` | Yes | Certificate location in Destination Service |
| `KeyStorePassword` | Yes | Keystore password |
---
## OAuth2ClientCredentials
OAuth 2.0 client credentials flow for service-to-service communication.
```json
{
"Name": "oauth-cc-destination",
"Type": "HTTP",
"URL": "https://api.example.com",
"ProxyType": "Internet",
"Authentication": "OAuth2ClientCredentials",
"clientId": "my-client-id",
"clientSecret": "my-client-secret",
"tokenServiceURL": "https://auth.example.com/oauth/token"
}
```
**Required Properties:**
| Property | Description |
|----------|-------------|
| `clientId` | OAuth client ID |
| `clientSecret` | OAuth client secret |
| `tokenServiceURL` | Token endpoint URL |
**Optional Properties:**
| Property | Description |
|----------|-------------|
| `tokenServiceURLType` | `Dedicated` (default) or `Common` (multi-tenant) |
| `scope` | OAuth scopes (space-separated) |
| `tokenServiceUser` | User for token service basic auth |
| `tokenServicePassword` | Password for token service basic auth |
**Token Caching**: Automatic caching with auto-renewal before expiration.
---
## OAuth2JWTBearer
Exchanges the incoming user JWT for a new access token issued for the target system.
```json
{
"Name": "oauth-jwt-bearer",
"Type": "HTTP",
"URL": "https://api.example.com",
"ProxyType": "Internet",
"Authentication": "OAuth2JWTBearer",
"clientId": "my-client-id",
"clientSecret": "my-client-secret",
"tokenServiceURL": "https://auth.example.com/oauth/token"
}
```
**Required Properties:**
| Property | Description |
|----------|-------------|
| `clientId` | OAuth client ID |
| `clientSecret` | OAuth client secret |
| `tokenServiceURL` | Token endpoint URL |
**Requires**: User JWT in request context (e.g., from XSUAA).
---
## OAuth2SAMLBearerAssertion
OAuth 2.0 SAML Bearer Assertion flow for user propagation between cloud systems.
```json
{
"Name": "oauth-saml-bearer",
"Type": "HTTP",
"URL": "https://api.successfactors.com",
"ProxyType": "Internet",
"Authentication": "OAuth2SAMLBearerAssertion",
"audience": "www.successfactors.com",
"clientKey": "my-client-key",
"tokenServiceURL": "https://api.successfactors.com/oauth/token",
"KeyStoreLocation": "signing-cert.p12",
"KeyStorePassword": "password"
}
```
**Required Properties:**
| Property | Description |
|----------|-------------|
| `audience` | SAML assertion audience |
| `clientKey` | Client identifier for authorization server |
| `tokenServiceURL` | Token endpoint URL |
| `KeyStoreLocation` | Certificate for SAML signing |
| `KeyStorePassword` | Keystore password |
**Optional Properties:**
| Property | Description |
|----------|-------------|
| `nameIdFormat` | SAML NameID format |
| `userIdSource` | JWT field for user ID extraction |
| `authnContextClassRef` | Authentication context class |
| `assertionIssuer` | SAML issuer |
| `assertionRecipient` | SAML recipient |
| `companyId` | Company identifier |
**User ID Resolution Order:**
1. `SystemUser` property (deprecated)
2. JWT field via `userIdSource` or `nameIdFormat`
3. Custom user attributes from IdP
---
## OAuth2Password
OAuth 2.0 Resource Owner Password flow.
```json
{
"Name": "oauth-password",
"Type": "HTTP",
"URL": "https://api.example.com",
"ProxyType": "Internet",
"Authentication": "OAuth2Password",
"User": "username",
"Password": "password",
"clientId": "my-client-id",
"clientSecret": "my-client-secret",
"tokenServiceURL": "https://auth.example.com/oauth/token"
}
```
**Deprecation Warning**: This flow is deprecated. Use `OAuth2ClientCredentials` or `OAuth2SAMLBearerAssertion` instead.
---
## OAuth2UserTokenExchange
Exchanges the user's token for a new access token.
```json
{
"Name": "oauth-ute",
"Type": "HTTP",
"URL": "https://api.example.com",
"ProxyType": "Internet",
"Authentication": "OAuth2UserTokenExchange",
"clientId": "my-client-id",
"clientSecret": "my-client-secret",
"tokenServiceURL": "https://auth.example.com/oauth/token"
}
```
**Requires**: User token in request context.
---
## OAuth2TokenExchange
Generic OAuth 2.0 Token Exchange (RFC 8693).
```json
{
"Name": "oauth-token-exchange",
"Type": "HTTP",
"URL": "https://api.example.com",
"ProxyType": "Internet",
"Authentication": "OAuth2TokenExchange",
"clientId": "my-client-id",
"clientSecret": "my-client-secret",
"tokenServiceURL": "https://auth.example.com/oauth/token"
}
```
---
## OAuth2TechnicalUserPropagation
Propagates technical user identity via OAuth.
```json
{
"Name": "oauth-tech-user",
"Type": "HTTP",
"URL": "https://api.example.com",
"ProxyType": "Internet",
"Authentication": "OAuth2TechnicalUserPropagation",
"clientId": "my-client-id",
"clientSecret": "my-client-secret",
"tokenServiceURL": "https://auth.example.com/oauth/token"
}
```
---
## OAuth2RefreshToken
Uses a refresh token to obtain access tokens.
```json
{
"Name": "oauth-refresh",
"Type": "HTTP",
"URL": "https://api.example.com",
"ProxyType": "Internet",
"Authentication": "OAuth2RefreshToken",
"clientId": "my-client-id",
"clientSecret": "my-client-secret",
"tokenServiceURL": "https://auth.example.com/oauth/token",
"refreshToken": "stored-refresh-token"
}
```
---
## OAuth2AuthorizationCode
OAuth 2.0 Authorization Code flow for interactive authorization.
```json
{
"Name": "oauth-auth-code",
"Type": "HTTP",
"URL": "https://api.example.com",
"ProxyType": "Internet",
"Authentication": "OAuth2AuthorizationCode",
"clientId": "my-client-id",
"clientSecret": "my-client-secret",
"tokenServiceURL": "https://auth.example.com/oauth/token"
}
```
---
## SAMLAssertion
SAML assertion authentication without OAuth token exchange.
```json
{
"Name": "saml-destination",
"Type": "HTTP",
"URL": "https://api.example.com",
"ProxyType": "Internet",
"Authentication": "SAMLAssertion",
"audience": "target-audience"
}
```
---
## PrincipalPropagation
Cloud-to-on-premise user identity propagation via Cloud Connector.
```json
{
"Name": "onprem-pp-destination",
"Type": "HTTP",
"URL": "http://virtual-host:443/api",
"ProxyType": "OnPremise",
"Authentication": "PrincipalPropagation"
}
```
**Requirements:**
1. Cloud Connector installed and configured
2. Subject pattern configured in Cloud Connector
3. Trust established between Cloud Connector and on-premise system
4. User JWT in request context
**How It Works:**
1. Application sends request with user JWT
2. Connectivity Service forwards to Cloud Connector
3. Cloud Connector generates X.509 certificate from user identity
4. Certificate used for on-premise system authentication
---
## Client Assertion
Alternative to a client secret for OAuth flows: the client authenticates to the token service with a SAML or JWT assertion obtained through a separate destination.
### SAML Client Assertion
```json
{
"Authentication": "OAuth2ClientCredentials",
"clientId": "my-client-id",
"tokenServiceURL": "https://auth.example.com/oauth/token",
"clientAssertion.type": "urn:ietf:params:oauth:client-assertion-type:saml2-bearer",
"clientAssertion.destinationName": "saml-provider-destination"
}
```
### JWT Client Assertion
```json
{
"Authentication": "OAuth2ClientCredentials",
"clientId": "my-client-id",
"tokenServiceURL": "https://auth.example.com/oauth/token",
"clientAssertion.type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
"clientAssertion.destinationName": "jwt-provider-destination"
}
```
---
## X.509 Certificate Authentication with OAuth
Combine OAuth flows with an X.509 client certificate that is presented to the token service instead of a client secret.
```json
{
"Authentication": "OAuth2ClientCredentials",
"clientId": "my-client-id",
"tokenServiceURL": "https://auth.example.com/oauth/token",
"tokenService.KeyStoreLocation": "cert.p12",
"tokenService.KeyStorePassword": "password"
}
```
---
## Decision Guide
### Service-to-Service (No User Context)
→ `OAuth2ClientCredentials`
### User Propagation (Cloud-to-Cloud)
→ `OAuth2SAMLBearerAssertion` or `OAuth2JWTBearer`
### User Propagation (Cloud-to-On-Premise)
→ `PrincipalPropagation`
### Simple Credentials
→ `BasicAuthentication`
### Certificate-Based
→ `ClientCertificateAuthentication`
### Public API
→ `NoAuthentication`
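A pre-upload check for destination definitions, as an added example (Python, not Destination Service code): it lints a destination dictionary against the required-property tables and the decision guide above. The property names, the client-assertion and token-service certificate alternatives, and the `OAuth2Password` deprecation come from this reference; the severity labels and the transport checks (cleartext `ldap://` or `http://` with credentials over the Internet) are this example's own rules, and the sample destinations in the test are the ones shown on this page.

```python
"""Lint destination definitions against the required-property tables and the
decision guide on this page before uploading them. Added example, not Destination
Service code: property names and the deprecation come from the page; the severity
labels and the transport checks are this example's own rules."""

REQUIRED = {
    "NoAuthentication": [],
    "BasicAuthentication": ["User", "Password"],
    "ClientCertificateAuthentication": ["KeyStoreLocation", "KeyStorePassword"],
    "OAuth2ClientCredentials": ["clientId", "tokenServiceURL"],
    "OAuth2JWTBearer": ["clientId", "clientSecret", "tokenServiceURL"],
    "OAuth2SAMLBearerAssertion": ["audience", "clientKey", "tokenServiceURL",
                                  "KeyStoreLocation", "KeyStorePassword"],
    "OAuth2Password": ["User", "Password", "clientId", "clientSecret", "tokenServiceURL"],
    "PrincipalPropagation": [],
}
DEPRECATED = {"OAuth2Password": "use OAuth2ClientCredentials or OAuth2SAMLBearerAssertion"}


def _has_client_auth(dest):
    """Client credentials may use a secret, a client assertion, or an X.509 cert for the token service."""
    return bool(dest.get("clientSecret")
                or (dest.get("clientAssertion.type") and dest.get("clientAssertion.destinationName"))
                or dest.get("tokenService.KeyStoreLocation"))


def lint_destination(dest):
    """Return a list of (severity, message); an empty list means no findings."""
    findings = []
    auth = dest.get("Authentication", "NoAuthentication")
    url = dest.get("URL", "")
    proxy = dest.get("ProxyType", "Internet")
    if auth not in REQUIRED:
        return [("error", f"unknown or unhandled Authentication type {auth!r}")]
    for prop in REQUIRED[auth]:
        if not dest.get(prop):
            findings.append(("error", f"{auth} requires property {prop!r}"))
    if auth == "OAuth2ClientCredentials" and not _has_client_auth(dest):
        findings.append(("error", "OAuth2ClientCredentials needs clientSecret, "
                                  "clientAssertion.type + clientAssertion.destinationName, "
                                  "or tokenService.KeyStoreLocation"))
    if auth == "PrincipalPropagation" and proxy != "OnPremise":
        findings.append(("error", "PrincipalPropagation is cloud-to-on-premise: ProxyType must be OnPremise"))
    if auth in DEPRECATED:
        findings.append(("warning", f"{auth} is deprecated; {DEPRECATED[auth]}"))
    # Transport checks. OnPremise traffic rides the Cloud Connector tunnel, so a plain
    # http:// virtual host there is normal; over the Internet it exposes credentials.
    if proxy == "Internet" and url.startswith("ldap://"):
        findings.append(("warning", "LDAP over the Internet without TLS; use ldaps://"))
    if proxy == "Internet" and url.startswith("http://") and auth != "NoAuthentication":
        findings.append(("warning", "credentials sent over plain http://; use https://"))
    if str(dest.get("tokenServiceURL", "")).startswith("http://"):
        findings.append(("warning", "token endpoint over plain http://; use https://"))
    return findings
```

Run it over the JSON files before they are imported into the Destination Service; an `error` means the service will reject or fail the destination at call time, a `warning` means it will work but weakens the transport or uses a flow this reference marks as deprecated.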
---
## Documentation Links
- Authentication Types Overview: [https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/http-destinations#authentication](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/http-destinations#authentication)
- OAuth2SAMLBearerAssertion: [https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/oauth-saml-bearer-assertion-authentication](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/oauth-saml-bearer-assertion-authentication)
- OAuth2ClientCredentials: [https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/oauth-client-credentials-authentication](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/oauth-client-credentials-authentication)
- Principal Propagation: [https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/principal-propagation](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/principal-propagation)
---
**Last Updated**: 2025-11-22
```
### references/cloud-connector.md
```markdown
# Cloud Connector - Complete Reference
**Source**: [https://github.com/SAP-docs/btp-connectivity/blob/main/docs/1-connectivity-documentation/cloud-connector-e6c7616.md](https://github.com/SAP-docs/btp-connectivity/blob/main/docs/1-connectivity-documentation/cloud-connector-e6c7616.md)
---
## Overview
The Cloud Connector is an on-premise agent that acts as a reverse invoke proxy between on-premise networks and SAP BTP. It enables secure tunneling without exposing on-premise systems directly to the internet.
### Key Features
- Fine-grained access control
- Automatic connection recovery
- Audit logging
- High availability support
- HTTP, RFC, LDAP, and TCP protocols
---
## Installation
### Supported Platforms
| Platform | Installer | Portable |
|----------|-----------|----------|
| Windows (x86-64) | MSI | ZIP |
| Linux (x86-64) | RPM/DEB | TAR.GZ |
| Linux (PowerPC LE) | RPM | TAR.GZ |
| macOS (ARM64) | - | TAR.GZ |
### Production Installation (Installer)
**Windows:**
```powershell
# Download MSI from SAP Tools
# Run installer as Administrator
# Service registered as "SAP Cloud Connector"
```
**Linux (RPM):**
```bash
sudo rpm -i sapcc-<version>-linux-x64.rpm
# Service: scc_daemon
sudo systemctl start scc_daemon
sudo systemctl enable scc_daemon
```
**Linux (DEB):**
```bash
sudo dpkg -i sapcc-<version>-linux-x64.deb
sudo systemctl start scc_daemon
sudo systemctl enable scc_daemon
```
### Development Installation (Portable)
```bash
# Extract archive to empty directory
unzip sapcc-<version>-linux-x64.zip -d /opt/scc-portable
# Set JAVA_HOME
export JAVA_HOME=/path/to/jdk
# Start manually
cd /opt/scc-portable
./go.sh # Linux/macOS
go.bat # Windows
```
**Portable Limitations:**
- Cannot run as background service
- No automatic upgrades
- Not for production use
---
## Initial Configuration
### Access Administration UI
```
URL: https://<hostname>:8443
Default Port: 8443 (HTTPS)
```
### Default Credentials
```
Username: Administrator
Password: manage
```
**CRITICAL SECURITY REQUIREMENT**: Complete password change before proceeding to subaccount configuration.
### Setup Wizard
1. Accept license agreement
2. **Change administrator password** (mandatory - do not skip)
3. Select installation mode:
- **Master**: Primary instance
- **Shadow**: Backup for high availability
4. Add optional description
5. Add first subaccount
---
## Subaccount Configuration
### Add Subaccount
1. Navigate to **Connector > Define Subaccount**
2. Enter:
- **Region**: SAP BTP region (e.g., `cf.eu10.hana.ondemand.com`)
- **Subaccount**: Technical name (subaccount ID)
- **Display Name**: Friendly name
- **Subaccount User**: Email of BTP user
- **Password**: BTP password
- **Location ID**: Optional identifier for multiple connectors
### Connection Status Indicators
| Color | Meaning |
|-------|---------|
| Green | Connected and valid |
| Yellow | Warning (certificate expiring) |
| Red | Error or disconnected |
---
## Access Control
### Backend System Types
| Type | Supported Protocols |
|------|---------------------|
| ABAP System | HTTP(S), RFC(S), TCP(S) |
| SAP Gateway | HTTP(S), RFC(S), TCP(S) |
| SAP HANA | HTTP(S), TCP(S) |
| Other SAP System | HTTP(S), TCP(S) |
| Non-SAP System | HTTP(S), TCP(S), LDAP(S) |
| SAP Application Server Java | HTTP(S) |
### HTTP Access Control
1. **Add System Mapping**
- Virtual Host: Name exposed to cloud applications
- Internal Host: Actual hostname in on-premise network
- Virtual Port: Port exposed (typically 443)
- Internal Port: Actual port
- Protocol: HTTP or HTTPS
2. **Add Resources**
- Path: URL path to expose
- Policy:
- `Path Only`: Exact path match
- `Path and All Sub-Paths`: Path and children
- Access Policy: Allowed or Denied
### RFC Access Control
1. **Add System Mapping**
- Virtual Host: Name for RFC destinations
- Internal Host: SAP system hostname
- Virtual Port: RFC gateway port, i.e. 3300 + instance number (e.g., 3300 for instance 00)
- Protocol: RFC or RFC/SNC
2. **Optionally restrict function modules**
### LDAP Access Control
1. **Add System Mapping**
- Virtual Host/Port
- Internal Host/Port
- Protocol: LDAP or LDAPS
---
## High Availability
### Master-Shadow Architecture
```
                  ┌─────────────────┐
                  │     SAP BTP     │
                  │  Cloud Region   │
                  └────────┬────────┘
                           │ Tunnel
                  ┌────────┴────────┐
       ┌──────────┤  Connectivity   ├──────────┐
       │          │     Service     │          │
       │          └─────────────────┘          │
       │                                       │
  ┌────┴────┐                             ┌────┴────┐
  │ Master  │◄─────── Config Sync ───────►│ Shadow  │
  │   CC    │                             │   CC    │
  └────┬────┘                             └────┬────┘
       │                                       │
       └───────────────────┬───────────────────┘
                           │
                  On-Premise Systems
```
### Configuration
**Master Instance:**
1. Select "Master" during initial setup
2. Configure normally
**Shadow Instance:**
1. Select "Shadow" during initial setup
2. Enter Master hostname and port
3. Shadow connects to Master and syncs configuration
### Failover Behavior
1. Shadow monitors Master via ping checks
2. If Master unreachable, Shadow becomes active
3. Shadow takes over tunnel connection
4. When Master recovers, manual switchback may be needed
**Warning**: Network issues between Master and Shadow can cause split-brain scenarios.
**Split-Brain Recovery**:
1. Stop both instances immediately
2. Check logs to identify which instance was most recently active
3. Designate one as Master, one as Shadow
4. Clear state on the Shadow instance if needed
5. Restart both in correct roles (Master first)
6. Verify configuration sync completes successfully
---
## Sizing Recommendations
### Master Instance
| Scenario | CPU | Memory | Disk |
|----------|-----|--------|------|
| Small (< 100 req/s) | 2 cores | 4 GB | 50 GB |
| Medium (100-500 req/s) | 4 cores | 8 GB | 100 GB |
| Large (> 500 req/s) | 8 cores | 16 GB | 200 GB |
### Shadow Instance
- Same as Master for failover capability
### Server Requirements
- **Minimum**: 3 servers (dev, prod master, prod shadow)
- **Recommended**: Separate physical hardware for master/shadow
- Consider disaster recovery instances
---
## Monitoring
### Windows Service Status
```powershell
sc query "SAP Cloud Connector"
```
### Linux Daemon Status
```bash
systemctl status scc_daemon
# or
service scc_daemon status
```
### Administration UI
1. **Subaccount Dashboard**: Connection states
2. **Hardware Metrics**: CPU, memory, disk
3. **Performance Monitor**: Request statistics
4. **Audit Logs**: Configuration changes and access
### Monitoring APIs
Cloud Connector exposes REST APIs for external monitoring tools:
- Health check endpoints
- Performance metrics
- Connection status
---
## Audit Logging
### Configuration
1. Navigate to **Configuration > Audit**
2. Set audit level:
- **Off**: No logging
- **Security**: Authentication and authorization events
- **All**: Complete audit trail (recommended for production)
### Log Management
- Logs stored locally
- Configure rotation and archival
- Export for SIEM integration
---
## Backup and Restore
### Configuration Backup
**Via UI:**
1. Navigate to **Configuration > Backup**
2. Click **Download Backup**
3. Save encrypted backup file
**Via REST API:**
```bash
curl -X GET "https://localhost:8443/api/v1/configuration/backup" \
-H "Authorization: Basic <credentials>" \
--output backup.zip
```
### Restore
1. Fresh install on new machine
2. Navigate to **Configuration > Backup**
3. Upload backup file
4. Restart Cloud Connector
---
## Security Guidelines
### Network Deployment
- Deploy in DMZ
- Under IT department control
- Firewall between Cloud Connector and internal systems
### OS-Level Protection
- Restrict OS access to administrators
- Dedicate machine to Cloud Connector
- Enable hard-drive encryption
- Enable OS audit logging
### Administration UI
- Change default password immediately
- Configure LDAP for user management
- Replace self-signed certificate
- Restrict UI access to localhost (high-security)
### Protocols
- Use HTTPS for HTTP connections
- Use SNC for RFC connections
- Use LDAPS for LDAP connections
---
## Common Operations
### Upgrade
1. Download new version
2. Stop Cloud Connector service
3. Run installer (configuration preserved)
4. Start service
5. Verify functionality
### Certificate Renewal
1. Navigate to **Configuration > On Premise > System Certificate**
2. Generate new CSR or upload new certificate
3. If using Cloud Connector CA: renew via subaccount dashboard
### Change Administrator Password
1. Navigate to **Configuration > User Interface**
2. Enter current password
3. Enter new password
4. Click **Change Password**
---
## Troubleshooting
### Cannot Connect to Subaccount
1. Verify region URL
2. Check firewall allows outbound HTTPS (port 443)
3. Verify credentials
4. Check proxy settings if behind corporate proxy
### Access Denied to Resource
1. Verify system mapping exists
2. Check resource path matches
3. Verify policy allows access
4. Check virtual host/port in destination
### Performance Issues
1. Check hardware metrics
2. Increase JVM heap if needed
3. Review access control rules (overly broad rule sets add evaluation overhead)
4. Consider additional instances
---
## Documentation Links
- Cloud Connector Overview: [https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/cloud-connector](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/cloud-connector)
- Installation: [https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/installation](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/installation)
- Initial Configuration: [https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/initial-configuration](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/initial-configuration)
- High Availability: [https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/high-availability-setup](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/high-availability-setup)
- Security Guidelines: [https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/security-guidelines](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/security-guidelines)
- FAQ: [https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/frequently-asked-questions](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/frequently-asked-questions)
---
**Last Updated**: 2025-11-22
```
### references/kubernetes-connectivity.md
```markdown
# Kubernetes Connectivity - Complete Reference
**Source**: [https://github.com/SAP-docs/btp-connectivity/blob/main/docs/1-connectivity-documentation/connectivity-proxy-for-kubernetes-e661713.md](https://github.com/SAP-docs/btp-connectivity/blob/main/docs/1-connectivity-documentation/connectivity-proxy-for-kubernetes-e661713.md)
---
## Overview
Kubernetes connectivity in SAP BTP involves two main components:
1. **Connectivity Proxy**: Enables on-premise system access from Kubernetes
2. **Transparent Proxy**: Exposes BTP destinations as Kubernetes Services
Both work together for comprehensive connectivity in Kubernetes and Kyma environments.
---
## Connectivity Proxy
### Purpose
Bridges Kubernetes workloads with on-premise systems via Cloud Connector.
### Architecture
```
┌─────────────────────────────────────────────────────────────┐
│                     Kubernetes Cluster                      │
│  ┌─────────────┐    ┌───────────────────┐                   │
│  │ Application │───►│ Connectivity Proxy│                   │
│  └─────────────┘    └─────────┬─────────┘                   │
└───────────────────────────────┼─────────────────────────────┘
                                │ Secure Tunnel
                    ┌───────────┴───────────┐
                    │   SAP Connectivity    │
                    │       Service         │
                    └───────────┬───────────┘
                                │
                    ┌───────────┴───────────┐
                    │    Cloud Connector    │
                    └───────────┬───────────┘
                                │
                    ┌───────────┴───────────┐
                    │  On-Premise Systems   │
                    └───────────────────────┘
```
### Installation via Helm
```bash
# Add SAP registry
helm repo add sap https://sapse.github.io/helm-charts
# Install Connectivity Proxy
helm install connectivity-proxy \
oci://registry-1.docker.io/sapse/connectivity-proxy \
--version <version> \
--namespace <namespace> \
-f values.yaml
```
### values.yaml Configuration
```yaml
# Connectivity Service credentials
config:
integration:
connectivityService:
serviceCredentialsKey: connectivity-service-key
# Subaccount configuration
subaccountId: <subaccount-id>
subaccountSubdomain: <subdomain>
# High availability
replicaCount: 2
# Resource limits
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 512Mi
# Logging
config:
servers:
proxy:
logging:
level: INFO
```
### Create Connectivity Service Instance
```bash
# Cloud Foundry
cf create-service connectivity connectivity_proxy my-connectivity-service
# Create service key
cf create-service-key my-connectivity-service my-key
# Get credentials
cf service-key my-connectivity-service my-key
```
### Kubernetes Secret
Create secret from service key:
```yaml
apiVersion: v1
kind: Secret
metadata:
name: connectivity-service-key
namespace: <namespace>
type: Opaque
stringData:
connectivity_key: |
{
"clientid": "...",
"clientsecret": "...",
"url": "...",
"onpremise_proxy_host": "...",
"onpremise_proxy_port": "..."
}
```
### Using the Connectivity Proxy
Applications connect via HTTP with proxy configuration:
```javascript
const axios = require('axios');
// Proxy settings from the service binding / environment
const proxy = {
  host: process.env.CONNECTIVITY_PROXY_HOST || 'connectivity-proxy.namespace',
  port: Number(process.env.CONNECTIVITY_PROXY_PORT) || 20003
};
// accessToken: a JWT for the Connectivity service, obtained with the service key's OAuth credentials
async function callOnPremise(accessToken) {
  // Make request to on-premise system through the Connectivity Proxy
  const response = await axios.get('http://virtual-host/api/resource', {
    proxy: { host: proxy.host, port: proxy.port, protocol: 'http' },
    headers: {
      'Proxy-Authorization': `Bearer ${accessToken}`,
      'SAP-Connectivity-SCC-Location_ID': 'optional-location-id'
    }
  });
  return response.data;
}
```
---
## Transparent Proxy
### Purpose
Provides unified access to BTP destinations as Kubernetes Services, handling authentication, principal propagation, and protocol translation automatically.
### Architecture
```
┌─────────────────────────────────────────────────────────────┐
│                     Kubernetes Cluster                      │
│  ┌─────────────┐    ┌───────────────────┐                   │
│  │ Application │───►│ Transparent Proxy │                   │
│  └─────────────┘    └─────────┬─────────┘                   │
│                               │                             │
│  ┌─────────────────────────────────────────────────────────┐│
│  │              Destination Custom Resources               ││
│  │       my-destination.namespace → BTP Destination        ││
│  └─────────────────────────────────────────────────────────┘│
└───────────────────────────────┼─────────────────────────────┘
                                │
              ┌─────────────────┼─────────────────┐
              │                 │                 │
       ┌──────┴──────┐  ┌───────┴───────┐   ┌─────┴─────┐
       │  Internet   │  │ Connectivity  │   │   Cloud   │
       │  Services   │  │     Proxy     │   │ Connector │
       └─────────────┘  └───────────────┘   └───────────┘
```
### Installation via Helm
```bash
helm install transparent-proxy \
oci://registry-1.docker.io/sapse/transparent-proxy \
--version <version> \
--namespace <namespace> \
-f values.yaml
```
### values.yaml Configuration
```yaml
# Destination Service credentials
config:
integration:
destinationService:
serviceCredentialsKey: destination-service-key
# Connectivity Proxy integration (for on-premise)
connectivityProxy:
enabled: true
serviceName: connectivity-proxy
# Tenant mode
tenantMode: shared # or dedicated
# Logging
logging:
level: info
# Resources
replicaCount:
http: 2
tcp: 1
resources:
http:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 500m
memory: 256Mi
```
### Destination Custom Resource
Create a Custom Resource for each destination:
```yaml
apiVersion: destination.connectivity.api.sap/v1
kind: Destination
metadata:
name: my-api-destination
namespace: default
spec:
destinationRef:
name: my-btp-destination # Name in BTP Destination Service
destinationServiceInstanceName: my-dest-service # Optional
```
### Accessing Destinations
After creating the Custom Resource, access the destination as a Kubernetes Service:
```javascript
const axios = require('axios');
// Access destination via Transparent Proxy
// URL format: http://<destination-name>.<namespace>
// userToken: the caller's JWT; forwarded by the proxy for user propagation
async function callDestination(userToken) {
  const response = await axios.get('http://my-api-destination.default/api/resource', {
    headers: {
      'Authorization': 'Bearer ' + userToken // For user propagation
    }
  });
  return response.data;
}
```
### Supported Destination Types
| Type | Protocol | Notes |
|------|----------|-------|
| HTTP | HTTP/HTTPS | Internet and on-premise |
| LDAP | LDAP/LDAPS | Directory access |
| MAIL | SMTP/IMAP/POP3 | Email protocols |
| TCP | TCP (SOCKS5) | Generic TCP |
---
## Service Channels (On-Premise-to-Cloud)
### Purpose
Expose Kubernetes workloads to on-premise systems via Cloud Connector.
### ServiceMapping Resource
```yaml
apiVersion: servicemapping.connectivityproxy.sap.com/v1
kind: ServiceMapping
metadata:
  name: my-exposed-service
spec:
  # Protocol type
  type: TCP # or RFC
  # Subaccount for routing
  subaccountId: <subaccount-id>
  # Virtual service name (exposed to on-premise)
  serviceId: my-k8s-service
  # Internal Kubernetes address
  internalAddress: my-service.namespace:8080
  # Optional: Location IDs for specific Cloud Connectors
  locationIds:
    - loc1
    - loc2
```
### Constraints
- `type` + `subaccountId` + `serviceId` must be unique
- ServiceMappings are cluster-scoped
- Requires Cloud Connector 2.15.0+ (2.14.2+ for RFC only)
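The constraints above are easy to violate when several teams add ServiceMappings to one cluster, and a duplicate `type` + `subaccountId` + `serviceId` triple only surfaces when the second mapping fails to register. The following lint is an added example, not part of the SAP chart or of this skill's files; it takes ServiceMapping objects that have already been parsed from YAML (sample manifests are constructed inline, with placeholder subaccount IDs) and checks each constraint in the list, plus the `host:port` form of `internalAddress`:

```javascript
// Added example (not SAP's code): lints ServiceMapping objects against the
// constraints listed above. Manifests are embedded as already-parsed objects,
// so no YAML library is needed; the Cloud Connector version is passed in.
const SUPPORTED_TYPES = ['TCP', 'RFC'];
const MIN_CC_VERSION = { TCP: '2.15.0', RFC: '2.14.2' };

// Numeric comparison of dotted versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Returns human-readable findings; an empty array means the set is consistent.
function lintServiceMappings(mappings, cloudConnectorVersion) {
  const findings = [];
  const seen = new Map();   // "type/subaccountId/serviceId" -> metadata.name
  for (const m of mappings) {
    const name = (m.metadata && m.metadata.name) || '<unnamed>';
    const spec = m.spec || {};
    if (m.metadata && m.metadata.namespace) {
      findings.push(`${name}: ServiceMappings are cluster-scoped, drop metadata.namespace`);
    }
    if (!SUPPORTED_TYPES.includes(spec.type)) {
      findings.push(`${name}: unsupported type '${spec.type}' (TCP or RFC)`);
    } else if (compareVersions(cloudConnectorVersion, MIN_CC_VERSION[spec.type]) < 0) {
      findings.push(`${name}: type ${spec.type} needs Cloud Connector ${MIN_CC_VERSION[spec.type]}+, have ${cloudConnectorVersion}`);
    }
    if (!/^[^:\s]+:\d{1,5}$/.test(spec.internalAddress || '')) {
      findings.push(`${name}: internalAddress must be host:port, got '${spec.internalAddress}'`);
    }
    const key = `${spec.type}/${spec.subaccountId}/${spec.serviceId}`;
    if (seen.has(key)) {
      findings.push(`${name}: duplicate type+subaccountId+serviceId (${key}) already used by ${seen.get(key)}`);
    } else {
      seen.set(key, name);
    }
  }
  return findings;
}

// Constructed sample manifests (the subaccount ID is a placeholder).
const SAMPLE_MAPPINGS = [
  { metadata: { name: 'good-tcp' }, spec: { type: 'TCP', subaccountId: 'sub-1', serviceId: 'svc-a', internalAddress: 'a.default:8080' } },
  { metadata: { name: 'dup-tcp' }, spec: { type: 'TCP', subaccountId: 'sub-1', serviceId: 'svc-a', internalAddress: 'b.default:9090' } },
  { metadata: { name: 'rfc-namespaced', namespace: 'default' }, spec: { type: 'RFC', subaccountId: 'sub-1', serviceId: 'svc-rfc', internalAddress: 'rfc.default:3300' } },
  { metadata: { name: 'bad-type' }, spec: { type: 'HTTP', subaccountId: 'sub-1', serviceId: 'svc-h', internalAddress: 'h.default' } },
];

// Runs the lint over the sample set with a Cloud Connector that supports both types.
function sampleFindings() {
  return lintServiceMappings(SAMPLE_MAPPINGS, '2.15.0');
}
```

Run `sampleFindings()` and the four findings name the duplicate triple, the namespaced mapping, the unsupported `HTTP` type and the address without a port; passing `'2.14.2'` as the version additionally flags both TCP mappings, because only RFC is served by that release.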
---
## Kyma Environment
### Differences from Standalone Kubernetes
In Kyma, connectivity components are managed as Kyma modules:
1. **Module Installation**: Enable via Kyma dashboard
2. **Operator Management**: Kubernetes Operator handles lifecycle
3. **Feature Set**: May differ from standalone versions
### Enable Connectivity Module
```yaml
# Kyma module configuration
apiVersion: operator.kyma-project.io/v1alpha1
kind: ModuleTemplate
metadata:
  name: connectivity
spec:
  channel: regular
```
### Destination Custom Resource in Kyma
```yaml
apiVersion: destinations.connectivity.api.sap/v1alpha1
kind: Destination
metadata:
  name: my-destination
  namespace: default
spec:
  destinationRef:
    name: my-btp-destination
```
---
## Multi-Region Deployment
### Configuration
Deploy Connectivity Proxy across regions:
```yaml
# values.yaml for multi-region
config:
  multiRegion:
    enabled: true
    regions:
      - name: eu10
        connectivity:
          serviceCredentialsKey: eu10-connectivity-key
      - name: us10
        connectivity:
          serviceCredentialsKey: us10-connectivity-key
```
---
## Istio Service Mesh Integration
### Prerequisites
- Istio installed in cluster
- PeerAuthentication configured
### Configuration
```yaml
# values.yaml for Istio
config:
  istio:
    enabled: true
  # Disable the proxy's own mTLS (Istio handles it)
  servers:
    proxy:
      http:
        enableMTLS: false
```
### PeerAuthentication
```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: connectivity-proxy
  namespace: <namespace>
spec:
  selector:
    matchLabels:
      app: connectivity-proxy
  mtls:
    mode: STRICT
```
---
## Lifecycle Management
### Upgrade
```bash
# Helm upgrade
helm upgrade connectivity-proxy \
oci://registry-1.docker.io/sapse/connectivity-proxy \
--version <new-version> \
--namespace <namespace> \
-f values.yaml
```
### Downgrade
```bash
# Same as upgrade with older version
helm upgrade connectivity-proxy \
oci://registry-1.docker.io/sapse/connectivity-proxy \
--version <older-version> \
--namespace <namespace> \
-f values.yaml
```
### Uninstall
```bash
helm uninstall connectivity-proxy --namespace <namespace>
# CRDs are preserved; delete manually if needed
kubectl delete crd servicemappings.servicemapping.connectivityproxy.sap.com
```
---
## Troubleshooting
### Log Retrieval
```bash
# Connectivity Proxy logs
kubectl logs statefulset/connectivity-proxy -n <namespace>
# Transparent Proxy logs
kubectl logs deployment/transparent-proxy -n <namespace>
```
### Change Log Level
```bash
kubectl exec <pod> -n <namespace> -it -- change-log-level DEBUG
```
### List Loggers
```bash
kubectl exec <pod> -n <namespace> -it -- list-loggers
```
### Common Errors
| Error | Cause | Solution |
|-------|-------|----------|
| 405 | HTTPS instead of HTTP | Use `http://` with port 20003 |
| 407 | Missing proxy auth | Add `Proxy-Authorization: Bearer <token>` |
| 503 | Cloud Connector offline | Check CC connection and Location ID |
### Error Response Headers
- `x-error-message`: Error description
- `x-error-origin`: Component that failed
- `x-request-id`: Correlation ID
---
## Documentation Links
- Connectivity Proxy: [https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/connectivity-proxy-for-kubernetes](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/connectivity-proxy-for-kubernetes)
- Transparent Proxy: [https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/transparent-proxy-for-kubernetes](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/transparent-proxy-for-kubernetes)
- Kyma Connectivity: [https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/connectivity-in-kyma-environment](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/connectivity-in-kyma-environment)
- Helm Charts: [https://github.com/SAP/connectivity-proxy](https://github.com/SAP/connectivity-proxy)
---
**Last Updated**: 2025-11-22
```
### references/troubleshooting.md
```markdown
# Troubleshooting - Complete Reference
**Source**: [https://github.com/SAP-docs/btp-connectivity/blob/main/docs/1-connectivity-documentation/troubleshooting-e7a04d9.md](https://github.com/SAP-docs/btp-connectivity/blob/main/docs/1-connectivity-documentation/troubleshooting-e7a04d9.md)
---
## Overview
This guide covers common issues and solutions for SAP BTP Connectivity components.
---
## HTTP Error Codes
### 405 Method Not Allowed
**Cause**: Using HTTPS instead of HTTP for Connectivity Proxy
**Solution**:
- Use the `http://` protocol with port `20003`
- The proxy handles TLS termination internally
```javascript
// Wrong
const proxyUrl = 'https://connectivity-proxy:20003';
// Correct
const proxyUrl = 'http://connectivity-proxy:20003';
```
### 407 Proxy Authentication Required
**Cause**: Missing or invalid proxy authorization header
**Solution**: Add `Proxy-Authorization` header with Bearer token
```javascript
const response = await axios.get(targetUrl, {
  proxy: {
    host: 'connectivity-proxy',
    port: 20003,
    protocol: 'http'
  },
  headers: {
    'Proxy-Authorization': `Bearer ${accessToken}`
  }
});
```
### 503 Service Unavailable
**Causes**:
1. Cloud Connector offline
2. Location ID mismatch
3. On-premise system unreachable
**Solutions**:
1. Check Cloud Connector status
2. Verify `CloudConnectorLocationId` matches Cloud Connector configuration
3. Check network connectivity from Cloud Connector to target system
```bash
# Check Cloud Connector status
# Windows
sc query "SAP Cloud Connector"
# Linux
systemctl status scc_daemon
```
### 502 Bad Gateway
**Cause**: Target system returned error or connection failed
**Solution**: Check Cloud Connector logs and on-premise system availability
### 504 Gateway Timeout
**Cause**: Target system took too long to respond
**Solution**:
- Increase timeout settings
- Check target system performance
- Verify network latency
---
## Cloud Connector Issues
### Cannot Connect to Subaccount
**Symptoms**:
- Red status indicator
- "Connection failed" message
**Checklist**:
1. Verify region URL is correct
2. Check firewall allows outbound HTTPS (port 443)
3. Verify subaccount credentials
4. Check if proxy is required
**Proxy Configuration**:
```
Administration UI > Cloud To On-Premise > HTTPS Proxy
Host: <proxy-host>
Port: <proxy-port>
```
### Access Denied to Resource
**Symptoms**:
- HTTP 403 or 404 for specific paths
- "Not exposed" errors
**Checklist**:
1. Verify system mapping exists
2. Check virtual host/port match destination
3. Verify resource path is exposed
4. Check access policy allows path
**Access Control Verification**:
```
Cloud Connector > Access Control > <Backend>
Check:
- System mapping exists
- Resource paths are listed
- Policy: "Path and All Sub-Paths" if needed
```
### Certificate Errors
**Symptoms**:
- "Certificate expired" warnings
- Connection failures with SSL errors
**Solutions**:
**Renew Subaccount Certificate**:
```
Cloud Connector > Subaccount > Dashboard > Refresh Certificate
```
**Renew System Certificate**:
```
Configuration > On Premise > System Certificate > Renew
```
### High Availability Issues
**Symptoms**:
- Shadow doesn't sync
- Both instances active (split-brain)
**Solutions**:
**Shadow Not Syncing**:
1. Verify Master is accessible from Shadow
2. Check Master hostname/port in Shadow configuration
3. Verify firewall allows connection
**Split-Brain Recovery**:
1. Stop one instance
2. Clear state on stopped instance
3. Restart as Shadow
4. Verify sync completes
### Performance Issues
**Symptoms**:
- Slow response times
- High CPU/memory usage
**Solutions**:
**Check Hardware Metrics**:
```
Cloud Connector > Monitoring > Hardware Metrics
```
**Increase JVM Heap**:
```bash
# Edit scc_daemon configuration
# Linux: /opt/sap/scc/scc_daemon
JAVA_OPTS="-Xmx4g"
```
**Review Access Control**:
- Remove unnecessary system mappings
- Use specific paths instead of wildcards
---
## Destination Service Issues
### Destination Not Found
**Symptoms**:
- HTTP 404 from Destination Service
- "Destination not found" error
**Checklist**:
1. Verify destination name spelling (case-sensitive)
2. Check destination visibility level (subaccount vs instance)
3. Verify service instance binding
```bash
# List destinations via API
curl -X GET "${destinationUri}/destination-configuration/v1/subaccountDestinations" \
-H "Authorization: Bearer ${token}"
```
### Authentication Token Not Retrieved
**Symptoms**:
- `authTokens` array empty in response
- OAuth flow failures
**Checklist**:
1. Verify OAuth credentials
2. Check token service URL
3. Verify scopes are correct
4. Check token service is reachable
**Debug Token Retrieval**:
```bash
# Test token service directly
curl -X POST "${tokenServiceURL}" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials" \
--data-urlencode "client_id=${clientId}" \
--data-urlencode "client_secret=${clientSecret}" \
-v
```
### Principal Propagation Failures
**Symptoms**:
- User identity not propagated
- X.509 certificate not generated
**Checklist**:
1. User JWT provided in request
2. Cloud Connector trust configuration
3. Subject pattern configured
4. On-premise system trusts Cloud Connector
**Required Headers for Principal Propagation**:
```javascript
const headers = {
  'Proxy-Authorization': `Bearer ${accessToken}`,        // Connectivity Service token
  'SAP-Connectivity-Authentication': `Bearer ${userJwt}`  // user identity to propagate
};
```
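The 405, 407 and principal-propagation entries above all come down to assembling the request correctly and then reading the proxy's answer. The block below is an added example and not SAP's code: it assumes the proxy is reachable in-cluster as `connectivity-proxy` on port 20003 (as in this reference) and uses `SAP-Connectivity-SCC-Location_ID`, the Connectivity Service header for selecting a Cloud Connector location, which this page mentions only as "Location ID". The sample failed response is constructed.

```javascript
// Added example (not SAP's code). Assumptions: the Connectivity Proxy is
// reachable in-cluster as "connectivity-proxy" on port 20003, as in this reference.
const PROXY_HOST = 'connectivity-proxy';
const PROXY_PORT = 20003;

// Builds the proxy settings and headers for one call through the Connectivity
// Proxy to an on-premise system. accessToken is the Connectivity Service token;
// userJwt is optional and turns on principal propagation.
function buildProxiedRequest({ targetUrl, accessToken, userJwt, locationId, proxyProtocol = 'http' }) {
  if (!/^https?:\/\/\S+$/.test(targetUrl || '')) throw new Error('targetUrl must be an absolute URL');
  if (!accessToken) throw new Error('Connectivity Service token missing: the proxy would answer 407');
  if (proxyProtocol !== 'http') throw new Error('proxy endpoint must be plain http on port 20003: https yields 405');
  const headers = { 'Proxy-Authorization': `Bearer ${accessToken}` };
  if (userJwt) headers['SAP-Connectivity-Authentication'] = `Bearer ${userJwt}`;
  // Connectivity Service location header; only needed when several Cloud Connectors serve the subaccount
  if (locationId) headers['SAP-Connectivity-SCC-Location_ID'] = locationId;
  return { url: targetUrl, proxy: { host: PROXY_HOST, port: PROXY_PORT, protocol: 'http' }, headers };
}

const HINTS = {
  405: 'HTTPS was used towards the proxy; use http:// with port 20003',
  407: 'Proxy-Authorization header missing or invalid; send the Connectivity Service token as Bearer',
  502: 'target system returned an error or the connection failed; check Cloud Connector logs',
  503: 'Cloud Connector offline or Location ID mismatch; check the Cloud Connector connection',
  504: 'target system took too long to respond; check timeouts and backend performance',
};

// Turns a failed proxy response into a structured finding, keeping x-request-id
// so the failure can be correlated with the proxy and Cloud Connector logs.
function diagnoseProxyResponse(status, headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers || {})) lower[k.toLowerCase()] = v;
  return {
    status,
    ok: status < 400,
    hint: status < 400 ? null : (HINTS[status] || 'no specific hint; read x-error-message'),
    message: lower['x-error-message'] || null,
    origin: lower['x-error-origin'] || null,
    requestId: lower['x-request-id'] || null,
  };
}

// Constructed sample: a 407 as the proxy returns it when the token is missing.
const SAMPLE_FAILED_RESPONSE = {
  status: 407,
  headers: { 'X-Error-Message': 'Proxy authorization missing', 'X-Error-Origin': 'connectivity-proxy', 'X-Request-Id': 'req-0001' },
};

function sampleDiagnosis() {
  return diagnoseProxyResponse(SAMPLE_FAILED_RESPONSE.status, SAMPLE_FAILED_RESPONSE.headers);
}
```

Pass the object returned by `buildProxiedRequest` to axios (`axios.get(req.url, { proxy: req.proxy, headers: req.headers })`); header names are matched case-insensitively in `diagnoseProxyResponse` because HTTP clients differ in how they normalise them.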
---
## Connectivity Proxy Issues
### Pod Startup Failures
**Symptoms**:
- CrashLoopBackOff
- Init container failures
**Check Logs**:
```bash
kubectl logs statefulset/connectivity-proxy -n <namespace>
kubectl describe pod connectivity-proxy-0 -n <namespace>
```
**Common Causes**:
1. Missing service credentials secret
2. Invalid credentials
3. Network connectivity issues
### Connection Refused
**Symptoms**:
- `ECONNREFUSED` errors
- Cannot reach proxy
**Solutions**:
1. Verify proxy is running
2. Check service exists
3. Verify port configuration
```bash
# Check service
kubectl get svc connectivity-proxy -n <namespace>
# Check endpoints
kubectl get endpoints connectivity-proxy -n <namespace>
```
### Log Level Adjustment
```bash
# Enable debug logging
kubectl exec connectivity-proxy-0 -n <namespace> -it -- change-log-level DEBUG
# List loggers
kubectl exec connectivity-proxy-0 -n <namespace> -it -- list-loggers
# Reset to INFO
kubectl exec connectivity-proxy-0 -n <namespace> -it -- change-log-level INFO
```
---
## Transparent Proxy Issues
### Destination Custom Resource Not Working
**Symptoms**:
- Service not created
- Destination unreachable
**Check Resource Status**:
```bash
kubectl get destinations.destination.connectivity.api.sap -n <namespace>
kubectl describe destination my-destination -n <namespace>
```
**Common Conditions**:
| Condition | Meaning |
|-----------|---------|
| `Available` | Destination is ready |
| `NotReady` | Configuration issue |
| `Error` | Check events for details |
### Error Response Headers
Check these headers in failed responses:
| Header | Content |
|--------|---------|
| `x-error-message` | Error description |
| `x-error-origin` | Component that failed |
| `x-request-id` | Correlation ID for logs |
```bash
# Show response headers with curl and keep only the error headers (names are case-insensitive)
curl -v http://my-destination.namespace/api/resource 2>&1 | grep -i "x-error"
```
### Service Name Conflicts
**Symptom**: Destination not accessible
**Cause**: Kubernetes Service with same name exists
**Solution**: Rename destination or service to avoid conflict
---
## Network Issues
### Firewall Blocking
**Required Outbound Connections**:
| Source | Destination | Port | Protocol |
|--------|-------------|------|----------|
| Cloud Connector | SAP BTP Region | 443 | HTTPS |
| Connectivity Proxy | Connectivity Service | 443 | HTTPS |
| Application | Destination Service | 443 | HTTPS |
### Proxy Server Issues
**Cloud Connector Behind Corporate Proxy**:
```
Configuration > Cloud To On-Premise > HTTPS Proxy
```
**Note**: Only basic authentication supported (not NTLM)
---
## Log Locations
### Cloud Connector
**Windows**:
```
C:\SAP\scc\log\
```
**Linux**:
```
/opt/sap/scc/log/
```
### Kubernetes Proxies
```bash
# Real-time logs
kubectl logs -f statefulset/connectivity-proxy -n <namespace>
kubectl logs -f deployment/transparent-proxy -n <namespace>
# Previous container logs
kubectl logs --previous <pod-name> -n <namespace>
```
---
## Diagnostic Commands
### Cloud Connector
```bash
# Check version
cat /opt/sap/scc/config/version.txt
# Check connectivity
curl -v https://connectivitycertsigning.<region>.hana.ondemand.com/
```
### Kubernetes
```bash
# Pod status
kubectl get pods -n <namespace> -l app=connectivity-proxy
# Resource usage
kubectl top pods -n <namespace>
# Events
kubectl get events -n <namespace> --sort-by='.lastTimestamp'
# Network policies
kubectl get networkpolicies -n <namespace>
```
---
## Support Information
### SAP Support Components
| Component | Support Component | Notes |
|-----------|-------------------|-------|
| Cloud Connector | BC-MID-SCC | Multi-cloud middleware |
| Destination Service | BC-CP-DEST | CF variant: BC-CP-DEST-CF |
| Connectivity Proxy | BC-CP-CON | CF variant: BC-CP-CON-CF |
| Transparent Proxy | BC-CP-CON / BC-CP-DEST | No separate component |
### Information to Collect
1. Component version
2. Error messages and codes
3. Timestamps of issues
4. Relevant log excerpts
5. Configuration (sanitized)
6. Steps to reproduce
---
## Documentation Links
- Cloud Connector FAQ: [https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/frequently-asked-questions](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/frequently-asked-questions)
- Connectivity Proxy Troubleshooting: [https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/troubleshooting-connectivity-proxy](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/troubleshooting-connectivity-proxy)
- Common Issues: [https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/common-issues-and-solutions](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/common-issues-and-solutions)
---
**Last Updated**: 2025-11-22
```
### references/destination-service-api.md
```markdown
# Destination Service REST API - Complete Reference
**Source**: [https://github.com/SAP-docs/btp-connectivity/blob/main/docs/1-connectivity-documentation/destination-service-rest-api-23ccafb.md](https://github.com/SAP-docs/btp-connectivity/blob/main/docs/1-connectivity-documentation/destination-service-rest-api-23ccafb.md)
**API Specification**: [https://api.sap.com/api/SAP_CP_CF_Connectivity_Destination](https://api.sap.com/api/SAP_CP_CF_Connectivity_Destination)
---
## Overview
The Destination Service REST API enables programmatic management of destinations, certificates, and destination fragments on SAP BTP.
---
## Authentication
### Get OAuth Access Token
```bash
# Extract credentials from service key
clientId="<from-service-key>"
clientSecret="<from-service-key>"
tokenUrl="<from-service-key>/oauth/token"
destinationUri="<from-service-key>"
# Request access token
curl -X POST "${tokenUrl}" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials" \
--data-urlencode "client_id=${clientId}" \
--data-urlencode "client_secret=${clientSecret}"
```
**Response:**
```json
{
  "access_token": "eyJhbGciOiJSUzI1NiIs...",
  "token_type": "bearer",
  "expires_in": 43199,
  "scope": "uaa.resource"
}
```
### Using mTLS (Recommended)
For enhanced security, use X.509 certificates instead of client secrets:
```bash
curl -X POST "${tokenUrl}" \
-H "Content-Type: application/x-www-form-urlencoded" \
--cert client-cert.pem \
--key client-key.pem \
-d "grant_type=client_credentials" \
--data-urlencode "client_id=${clientId}"
```
---
## Base URL
```
{destinationUri}/destination-configuration/v1
```
The `destinationUri` is obtained from the service key (field: `uri`).
---
## Endpoints
### Subaccount Destinations
#### List All Destinations
```bash
# GET /subaccountDestinations
curl -X GET "${destinationUri}/destination-configuration/v1/subaccountDestinations" \
  -H "Authorization: Bearer ${access_token}"
```
**Response:**
```json
[
  {
    "Name": "my-destination",
    "Type": "HTTP",
    "URL": "https://api.example.com",
    "Authentication": "OAuth2ClientCredentials",
    "ProxyType": "Internet"
  }
]
```
#### Get Specific Destination
```bash
# GET /subaccountDestinations/{destinationName}
curl -X GET "${destinationUri}/destination-configuration/v1/subaccountDestinations/my-destination" \
  -H "Authorization: Bearer ${access_token}"
```
#### Create Destination
```bash
# POST /subaccountDestinations
curl -X POST "${destinationUri}/destination-configuration/v1/subaccountDestinations" \
  -H "Authorization: Bearer ${access_token}" \
  -H "Content-Type: application/json" \
  -d '{
    "Name": "new-destination",
    "Type": "HTTP",
    "URL": "https://api.example.com",
    "Authentication": "BasicAuthentication",
    "ProxyType": "Internet",
    "User": "username",
    "Password": "password"
  }'
```
#### Update Destination
```bash
# PUT /subaccountDestinations/{destinationName}
curl -X PUT "${destinationUri}/destination-configuration/v1/subaccountDestinations/my-destination" \
  -H "Authorization: Bearer ${access_token}" \
  -H "Content-Type: application/json" \
  -d '{
    "Name": "my-destination",
    "Type": "HTTP",
    "URL": "https://api.updated.example.com",
    "Authentication": "BasicAuthentication",
    "ProxyType": "Internet",
    "User": "newuser",
    "Password": "newpassword"
  }'
```
#### Delete Destination
```bash
# DELETE /subaccountDestinations/{destinationName}
curl -X DELETE "${destinationUri}/destination-configuration/v1/subaccountDestinations/my-destination" \
  -H "Authorization: Bearer ${access_token}"
```
---
### Service Instance Destinations
#### List Instance Destinations
```bash
# GET /instanceDestinations
curl -X GET "${destinationUri}/destination-configuration/v1/instanceDestinations" \
  -H "Authorization: Bearer ${access_token}"
```
#### CRUD Operations
Same as subaccount destinations but using `/instanceDestinations` path.
---
### Find Destination (with Authentication)
The most commonly used endpoint: it retrieves the destination configuration together with ready-to-use authentication tokens.
```bash
# GET /destinations/{destinationName}
curl -X GET "${destinationUri}/destination-configuration/v1/destinations/my-destination" \
  -H "Authorization: Bearer ${access_token}"
```
**Response Structure:**
```json
{
  "owner": {
    "SubaccountId": "abc123",
    "InstanceId": null
  },
  "destinationConfiguration": {
    "Name": "my-destination",
    "Type": "HTTP",
    "URL": "https://api.example.com",
    "Authentication": "OAuth2ClientCredentials",
    "ProxyType": "Internet",
    "clientId": "...",
    "tokenServiceURL": "..."
  },
  "authTokens": [
    {
      "type": "Bearer",
      "value": "eyJhbGciOiJSUzI1NiIs...",
      "http_header": {
        "key": "Authorization",
        "value": "Bearer eyJhbGciOiJSUzI1NiIs..."
      },
      "expires_in": "43199",
      "scope": "read write"
    }
  ],
  "certificates": []
}
```
#### With User Token (Principal Propagation)
For destinations requiring user context:
```bash
curl -X GET "${destinationUri}/destination-configuration/v1/destinations/my-destination" \
-H "Authorization: Bearer ${access_token}" \
-H "X-user-token: ${user_jwt}"
```
#### With Destination Fragment
```bash
curl -X GET "${destinationUri}/destination-configuration/v1/destinations/my-destination" \
-H "Authorization: Bearer ${access_token}" \
-H "X-Fragment-Name: my-fragment"
```
---
### Certificates
#### List Certificates
```bash
# GET /subaccountCertificates
curl -X GET "${destinationUri}/destination-configuration/v1/subaccountCertificates" \
  -H "Authorization: Bearer ${access_token}"
```
#### Upload Certificate
```bash
# POST /subaccountCertificates
curl -X POST "${destinationUri}/destination-configuration/v1/subaccountCertificates" \
  -H "Authorization: Bearer ${access_token}" \
  -H "Content-Type: application/json" \
  -d '{
    "Name": "my-certificate",
    "Type": "CERTIFICATE",
    "Content": "base64-encoded-certificate"
  }'
```
#### Delete Certificate
```bash
# DELETE /subaccountCertificates/{certificateName}
curl -X DELETE "${destinationUri}/destination-configuration/v1/subaccountCertificates/my-certificate" \
  -H "Authorization: Bearer ${access_token}"
```
---
### Destination Fragments
#### List Fragments
```bash
# GET /subaccountDestinationFragments
curl -X GET "${destinationUri}/destination-configuration/v1/subaccountDestinationFragments" \
  -H "Authorization: Bearer ${access_token}"
```
#### Create Fragment
```bash
# POST /subaccountDestinationFragments
curl -X POST "${destinationUri}/destination-configuration/v1/subaccountDestinationFragments" \
  -H "Authorization: Bearer ${access_token}" \
  -H "Content-Type: application/json" \
  -d '{
    "Name": "my-fragment",
    "FragmentProperties": [
      {
        "Name": "URL.headers.X-Tenant-Id",
        "Value": "tenant-123"
      }
    ]
  }'
```
#### Delete Fragment
```bash
# DELETE /subaccountDestinationFragments/{fragmentName}
curl -X DELETE "${destinationUri}/destination-configuration/v1/subaccountDestinationFragments/my-fragment" \
  -H "Authorization: Bearer ${access_token}"
```
---
## Subscription-Level Destinations (Multitenancy)
For SaaS applications with tenant-specific destinations.
### Create Subscription Destination
1. Get subscriber token using provider credentials
2. Call API with subscriber context
```bash
# Get subscriber token
curl -X POST "${subscriberTokenUrl}/oauth/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials" \
  --data-urlencode "client_id=${providerClientId}" \
  --data-urlencode "client_secret=${providerClientSecret}"
# Create subscription destination
curl -X POST "${destinationUri}/destination-configuration/v1/subscriptionDestinations" \
  -H "Authorization: Bearer ${subscriber_token}" \
  -H "Content-Type: application/json" \
  -d '{
    "Name": "tenant-destination",
    "Type": "HTTP",
    "URL": "https://tenant-api.example.com",
    "Authentication": "BasicAuthentication",
    "User": "tenant-user",
    "Password": "tenant-password"
  }'
```
---
## Pagination
For large numbers of destinations, use pagination:
```bash
# GET /subaccountDestinations?$top=100&$skip=0
curl -X GET "${destinationUri}/destination-configuration/v1/subaccountDestinations?\$top=100&\$skip=0" \
  -H "Authorization: Bearer ${access_token}"
```
**Parameters:**
- `$top`: Maximum number of results (default: 100)
- `$skip`: Number of results to skip
---
## Error Handling
### HTTP Status Codes
| Code | Meaning |
|------|---------|
| 200 | Success |
| 201 | Created |
| 204 | Deleted |
| 400 | Bad Request (invalid payload) |
| 401 | Unauthorized (invalid/expired token) |
| 403 | Forbidden (insufficient permissions) |
| 404 | Not Found |
| 409 | Conflict (destination already exists) |
| 500 | Internal Server Error |
### Error Response Format
```json
{
  "ErrorMessage": "Destination with name 'my-destination' already exists."
}
```
---
## Best Practices
### Caching
- Cache access tokens for their validity period
- Cache destination configurations (3-5 minutes recommended)
- Use stale cache if refresh fails
### Retry Logic
```javascript
const retryDelays = [2000, 4000, 8000, 16000]; // ms, exponential backoff

// Promise-based sleep so the loop can await between attempts
const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Calls fn() up to retryDelays.length times; rethrows the last error
async function callWithRetry(fn) {
  for (let i = 0; i < retryDelays.length; i++) {
    try {
      return await fn();
    } catch (error) {
      if (i === retryDelays.length - 1) throw error;
      await sleep(retryDelays[i]);
    }
  }
}
```
### Timeouts
- Connect timeout: 2-5 seconds
- Read timeout: ~30 seconds
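The caching, retry and timeout advice above fits together in one small client. The following is an added example, neither SAP's code nor the Cloud SDK's: a Destination Service client that caches the OAuth token until shortly before `expires_in` runs out, caches destination configurations for 3 minutes, falls back to the stale copy when a refresh fails, and retries 5xx responses with the delays from the retry snippet. The HTTP transport and the clock are injected, so `demo()` runs offline against constructed responses; the names `destination.example` and `uaa.example` are placeholders.

```javascript
// Added example (not SAP's or the Cloud SDK's code). The transport and clock
// are injected; makeFakeTransport() below is a constructed stand-in for HTTP.
const DEST_TTL_MS = 3 * 60 * 1000;     // keep destination configs for 3 minutes
const TOKEN_SAFETY_MS = 60 * 1000;     // refresh the access token a minute early
const RETRY_DELAYS_MS = [2000, 4000, 8000, 16000];

class DestinationClient {
  // transport(method, url, { headers, body }) resolves to { status, json }.
  constructor({ destinationUri, tokenUrl, clientId, clientSecret, transport,
                sleep = (ms) => new Promise((r) => setTimeout(r, ms)), now = Date.now }) {
    Object.assign(this, { destinationUri, tokenUrl, clientId, clientSecret, transport, sleep, now });
    this.token = null;        // { value, expiresAt }
    this.cache = new Map();   // destination name -> { data, fetchedAt }
  }

  // Retries thrown errors and 5xx answers with backoff; 4xx is returned as-is.
  async request(method, url, options) {
    for (let attempt = 0; ; attempt++) {
      try {
        const res = await this.transport(method, url, options);
        if (res.status >= 500) throw new Error(`${method} ${url} returned ${res.status}`);
        return res;
      } catch (err) {
        if (attempt === RETRY_DELAYS_MS.length - 1) throw err;
        await this.sleep(RETRY_DELAYS_MS[attempt]);
      }
    }
  }

  async accessToken() {
    if (this.token && this.token.expiresAt - this.now() > TOKEN_SAFETY_MS) return this.token.value;
    const body = new URLSearchParams({ grant_type: 'client_credentials',
      client_id: this.clientId, client_secret: this.clientSecret }).toString();
    const res = await this.request('POST', this.tokenUrl,
      { headers: { 'Content-Type': 'application/x-www-form-urlencoded' }, body });
    if (res.status !== 200) throw new Error(`token endpoint returned ${res.status}`);
    this.token = { value: res.json.access_token, expiresAt: this.now() + res.json.expires_in * 1000 };
    return this.token.value;
  }

  async fetchDestination(name, userJwt) {
    const headers = { Authorization: `Bearer ${await this.accessToken()}` };
    if (userJwt) headers['X-user-token'] = userJwt;   // principal propagation
    const url = `${this.destinationUri}/destination-configuration/v1/destinations/${encodeURIComponent(name)}`;
    const res = await this.request('GET', url, { headers });
    if (res.status === 404) throw new Error(`destination '${name}' not found`);
    if (res.status !== 200) throw new Error(`destination service returned ${res.status}`);
    return res.json;
  }

  // Cached lookup. Responses fetched with a user token carry user-scoped auth
  // tokens and are never cached, so one user's token cannot be served to another.
  async findDestination(name, { userJwt } = {}) {
    if (userJwt) return this.fetchDestination(name, userJwt);
    const cached = this.cache.get(name);
    if (cached && this.now() - cached.fetchedAt < DEST_TTL_MS) return cached.data;
    try {
      const data = await this.fetchDestination(name);
      this.cache.set(name, { data, fetchedAt: this.now() });
      return data;
    } catch (err) {
      if (cached) return cached.data;   // stale copy beats an outage
      throw err;
    }
  }
}

// Copies the ready-to-use auth headers out of a find-destination response.
function outboundHeaders(found) {
  const headers = {};
  for (const t of found.authTokens || []) {
    if (t.error) throw new Error(`token retrieval failed: ${t.error}`);
    headers[t.http_header.key] = t.http_header.value;
  }
  return headers;
}

// Constructed offline transport: one token endpoint and one destination.
function makeFakeTransport() {
  const state = { calls: 0, failDestinations: false };
  const transport = async (method, url) => {
    state.calls++;
    if (url.endsWith('/oauth/token')) {
      return { status: 200, json: { access_token: `tok-${state.calls}`, token_type: 'bearer', expires_in: 43199 } };
    }
    if (state.failDestinations) return { status: 503, json: {} };
    if (url.endsWith('/destinations/my-destination')) {
      return { status: 200, json: {
        destinationConfiguration: { Name: 'my-destination', Type: 'HTTP', URL: 'https://api.example.com' },
        authTokens: [{ type: 'Bearer', value: 'dest-tok', http_header: { key: 'Authorization', value: 'Bearer dest-tok' } }] } };
    }
    return { status: 404, json: { ErrorMessage: 'Destination not found' } };
  };
  return { transport, state };
}

// Walks through the cache states: fresh fetch, cache hit, stale fallback after failed retries.
async function demo() {
  const { transport, state } = makeFakeTransport();
  let clock = 1000000;
  const client = new DestinationClient({ destinationUri: 'https://destination.example', tokenUrl: 'https://uaa.example/oauth/token',
    clientId: 'id', clientSecret: 'secret', transport, sleep: async () => {}, now: () => clock });
  const first = await client.findDestination('my-destination');   // token call + destination call
  await client.findDestination('my-destination');                  // cache hit, no HTTP
  const callsAfterCacheHit = state.calls;
  clock += DEST_TTL_MS + 1;
  state.failDestinations = true;
  const stale = await client.findDestination('my-destination');   // 4 failed attempts, stale copy returned
  return { url: first.destinationConfiguration.URL, sameObject: stale === first,
    callsAfterCacheHit, callsAfterStale: state.calls, headers: outboundHeaders(first) };
}
```

With a real transport, wrap `fetch` or axios with the 2-5 second connect and ~30 second read timeouts listed above; the client itself is unchanged. `demo()` resolves to two HTTP calls after the cache hit and six after the stale fallback (the cached token is reused, and the four refresh attempts all fail with 503).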
---
## SDK Usage
### SAP Cloud SDK (Node.js)
```javascript
const { getDestination } = require('@sap-cloud-sdk/connectivity');

// Get destination with authentication
async function lookupDestination(userJwt) {
  const destination = await getDestination({
    destinationName: 'my-destination',
    jwt: userJwt // For user propagation
  });
  console.log(destination.url);
  console.log(destination.authTokens);
  return destination;
}
```
### SAP Cloud SDK (Java)
```java
import com.sap.cloud.sdk.cloudplatform.connectivity.Destination;
import com.sap.cloud.sdk.cloudplatform.connectivity.DestinationAccessor;
import com.sap.cloud.sdk.cloudplatform.connectivity.DestinationProperty;

// Get destination
Destination destination = DestinationAccessor
    .getDestination("my-destination");
String url = destination.get(DestinationProperty.URI)
    .orElseThrow();
```
---
## Documentation Links
- API Specification: [https://api.sap.com/api/SAP_CP_CF_Connectivity_Destination](https://api.sap.com/api/SAP_CP_CF_Connectivity_Destination)
- Calling the API: [https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/calling-destination-service-rest-api](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/calling-destination-service-rest-api)
- Multitenancy: [https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/multitenancy-in-destination-service](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/multitenancy-in-destination-service)
---
**Last Updated**: 2025-11-22
```
### references/advanced-configuration.md
```markdown
# Advanced Configuration - Complete Reference
**Source**: [https://github.com/SAP-docs/btp-connectivity/tree/main/docs/1-connectivity-documentation](https://github.com/SAP-docs/btp-connectivity/tree/main/docs/1-connectivity-documentation)
---
## Destination Deployment Methods
### MTA Descriptor
Deploy destinations via Multi-Target Application (MTA) descriptors.
**mta.yaml Structure:**
```yaml
_schema-version: "3.2"
ID: my-mta-app
version: 1.0.0
modules:
  - name: my-app
    type: nodejs
    requires:
      - name: dest-service
resources:
  - name: dest-service
    type: org.cloudfoundry.managed-service
    parameters:
      service: destination
      service-plan: lite
      config:
        init_data:
          subaccount:
            existing_destinations_policy: update
            destinations:
              - Name: my-destination
                Type: HTTP
                URL: https://api.example.com
                Authentication: NoAuthentication
```
**Existing Destinations Policy:**
| Policy | Behavior |
|--------|----------|
| `fail` | Error if destination exists (default) |
| `ignore` | Skip existing destinations |
| `update` | Overwrite existing destinations |
### Config.JSON for Service Instance
```json
{
  "HTML5Runtime_enabled": true,
  "init_data": {
    "subaccount": {
      "existing_destinations_policy": "update",
      "existing_certificates_policy": "update",
      "destinations": [
        {
          "Name": "my-destination",
          "Type": "HTTP",
          "URL": "https://api.example.com",
          "Authentication": "OAuth2ClientCredentials",
          "clientId": "...",
          "clientSecret": "...",
          "tokenServiceURL": "..."
        }
      ],
      "certificates": [
        {
          "Name": "my-cert",
          "Content": "base64-encoded-certificate"
        }
      ]
    },
    "instance": {
      "existing_destinations_policy": "update",
      "destinations": []
    }
  }
}
```
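The policy table and the config.json above decide what happens to destinations that already exist in the subaccount when the service instance is created or updated. The block below is an added example, not SAP's implementation: it simulates the three `existing_destinations_policy` values over an in-memory destination list, and adds a check that lists credential fields (`Password`, `clientSecret`) embedded in a config.json, since such files end up in source control. The existing destinations and the config are constructed samples.

```javascript
// Added example (not SAP's code): behaviour of existing_destinations_policy
// when init_data is applied, plus a scan for inline credentials in config.json.
const SECRET_KEYS = ['Password', 'clientSecret'];   // destination properties that hold credentials

// Applies initData.destinations on top of the destinations that already exist.
function applyInitData(existing, initData) {
  const policy = initData.existing_destinations_policy || 'fail';   // 'fail' is the default
  if (!['fail', 'ignore', 'update'].includes(policy)) throw new Error(`unknown policy '${policy}'`);
  const result = new Map(existing.map((d) => [d.Name, d]));
  for (const dest of initData.destinations || []) {
    if (!dest.Name || !dest.Type) throw new Error('each destination needs Name and Type');
    if (result.has(dest.Name)) {
      if (policy === 'fail') throw new Error(`destination '${dest.Name}' already exists`);
      if (policy === 'ignore') continue;
    }
    result.set(dest.Name, dest);   // new destination, or policy 'update'
  }
  return [...result.values()];
}

// Returns JSON paths of credential fields embedded in a config.json document.
function findInlineSecrets(configJson) {
  const hits = [];
  const initData = configJson.init_data || {};
  for (const level of ['subaccount', 'instance']) {
    const dests = (initData[level] && initData[level].destinations) || [];
    dests.forEach((d, i) => {
      for (const key of SECRET_KEYS) {
        if (d[key]) hits.push(`init_data.${level}.destinations[${i}].${key}`);
      }
    });
  }
  return hits;
}

// Constructed sample inputs.
const EXISTING = [
  { Name: 'my-destination', Type: 'HTTP', URL: 'https://old.example.com', Authentication: 'NoAuthentication' },
];
const SAMPLE_CONFIG = {
  init_data: {
    subaccount: {
      existing_destinations_policy: 'update',
      destinations: [
        { Name: 'my-destination', Type: 'HTTP', URL: 'https://api.example.com', Authentication: 'OAuth2ClientCredentials',
          clientId: 'id', clientSecret: 'placeholder-secret', tokenServiceURL: 'https://uaa.example/oauth/token' },
        { Name: 'second', Type: 'HTTP', URL: 'https://second.example.com', Authentication: 'NoAuthentication' },
      ],
    },
  },
};

// Applies the sample config under the given policy (defaults to the one in the config).
function applySample(policy) {
  const initData = { ...SAMPLE_CONFIG.init_data.subaccount };
  if (policy) initData.existing_destinations_policy = policy;
  return applyInitData(EXISTING, initData);
}
```

`applySample()` overwrites `my-destination` and adds `second`; `applySample('ignore')` keeps the old URL; `applySample('fail')` throws on the first existing name, which is also what the deployment does when the policy is left at its default.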
---
## Destination Chaining
### Predefined Chains
| Chain Name | Purpose |
|------------|---------|
| `com.sap.iasGeneratedOAuth2SamlBearerAssertion` | IAS SAML to OAuth2 token |
| `com.sap.sequentialUserPropagation` | User token transformation |
### IAS-Generated SAML Bearer Chain
**Provider Destination (SAML Token):**
```json
{
  "Name": "ias-saml-provider",
  "Type": "HTTP",
  "URL": "https://ias-tenant.accounts.ondemand.com",
  "Authentication": "OAuth2TokenExchange",
  "tokenServiceURL": "https://ias-tenant.accounts.ondemand.com/oauth2/token"
}
```
**Consumer Destination (Bearer Token):**
```json
{
  "Name": "target-api",
  "Type": "HTTP",
  "URL": "https://api.example.com",
  "Authentication": "OAuth2SAMLBearerAssertion",
  "x_chain_name": "com.sap.iasGeneratedOAuth2SamlBearerAssertion",
  "x_chain_var_saml_provider": "ias-saml-provider"
}
```
### Dynamic Lookup (Destination Gateway)
Single custom resource for multiple destinations:
```yaml
apiVersion: destination.connectivity.api.sap/v1
kind: Destination
metadata:
  name: dynamic-destination
spec:
  destinationRef:
    name: "*"
```
**Request Headers:**
| Header | Description |
|--------|-------------|
| `X-Destination-Name` | Target destination name |
| `X-Fragment-Name` | Optional fragment name |
| `X-Fragment-Optional` | Allow missing fragment |
| `X-Destination-Level` | provider_subaccount, provider_instance |
| `X-Chain-Name` | Destination chain name |
| `X-Chain-Var-*` | Chain variable values |
---
## Cloud Connector Advanced
### System Mappings REST API
**Create Mapping:**
```http
POST /api/v1/configuration/subaccounts/{region}/{subaccount}/systemMappings
Content-Type: application/json

{
  "virtualHost": "virtual-erp",
  "virtualPort": 443,
  "localHost": "erp.internal.corp",
  "localPort": 443,
  "protocol": "HTTPS",
  "backendType": "ABAP",
  "authenticationMode": "NONE",
  "description": "ERP System"
}
```
**Supported Protocols:**
- HTTP, HTTPS
- RFC, RFCS
- LDAP, LDAPS
- TCP, TCPS
**Backend Types:**
- ABAP (HTTP, RFC, TCP)
- SAP_GATEWAY (HTTP, RFC, TCP)
- SAP_HANA (HTTP, TCP)
- OTHER_SAP (HTTP, TCP)
- NON_SAP (HTTP, TCP, LDAP)
- SAP_JAVA (HTTP)
### Domain Mappings for Cookies
When on-premise servers set cookies with internal domains:
1. Navigate to **Cloud To On-Premises > Cookie Domains**
2. Add mapping:
- Virtual Domain: cloud-facing domain
- Internal Domain: on-premise domain
3. Cloud Connector rewrites `Set-Cookie` domain attributes
### Kerberos Configuration
For Kerberos-enabled backends (non-ABAP):
1. Navigate to **Configuration > On Premise > Kerberos**
2. Configure:
- Realm name
- KEYTAB file (with rc4-hmac key)
- Service user credentials
- KDC addresses (host:port, default port 88)
**Note:** Not supported for ABAP backends (use certificate-based).
### Named Cloud Connector Users
For audit trail and multi-user access:
1. Enable LDAP user administration
2. Configure user groups with appropriate roles
3. Map LDAP groups to Cloud Connector roles
### Certificate Rule-Based Mapping
For principal propagation to ABAP systems:
1. Enable `login/certificate_mapping_rulebased` parameter in RZ10
2. Import sample certificate in transaction CERTRULE
3. Create mapping rules for certificate attributes to users
---
## Cache Configuration
### Transparent Proxy Caching
| Cache Type | Content | TTL |
|------------|---------|-----|
| Destination Service Token | OAuth access tokens | Token lifetime |
| Destination Cache | Destination configs | 2 minutes |
| Destination Tokens | OAuth/SAML tokens | Token lifetime |
### Resilience Behavior
When the backing services are unavailable:
- Proxy continues using cached data
- Updates cache when services restore
- Expired tokens trigger re-authentication
---
## System Requirements
### Disk Space
| Component | Minimum |
|-----------|---------|
| Installation files | 50 MB |
| Installed Cloud Connector | 70 MB |
| **Total** | **120 MB** |
### Runtime Space
| Component | Recommendation |
|-----------|----------------|
| Log files | 1-20 GB |
| Trace files | Variable (GB at trace level "All") |
| Audit logs | Based on retention policy |
### Log Files Location
| File | Path | Content |
|------|------|---------|
| Core traces | `<scc_dir>/log/scc_core.trc` | General traces |
| Tunnel traffic | `<scc_dir>/log/tunnel_traffic_*.trc` | Communication payload |
| SNC traffic | `<scc_dir>/log/snc_traffic_*.trc` | ABAP Cloud SNC |
| Audit logs | `<scc_dir>/log/audit/<subaccount>/` | Security events |
---
## Service Channels
### Port Overview
View all configured service channels:
1. Navigate to **Connector > Service Channels Overview**
2. Filter by status: All, Enabled, Disabled, Failed
3. View details: Status, Type, Subaccount, Tenant Host
### Service Channel Types
| Type | Protocol | Use Case |
|------|----------|----------|
| ABAP Cloud System | RFC | Invoke ABAP Cloud function modules |
| Kubernetes Cluster | TCP/RFC | Expose K8s workloads |
### Kubernetes Service Mapping
```yaml
apiVersion: servicemapping.connectivityproxy.sap.com/v1
kind: ServiceMapping
metadata:
  name: my-service
spec:
  type: TCP
  subaccountId: <subaccount-id>
  serviceId: my-virtual-host
  internalAddress: my-service.namespace:8080
  locationIds:
    - loc1
```
---
## Destination Service Notifications
Subscribe to alerts via SAP Alert Notification Service:
1. Create Alert Notification service instance
2. Configure event subscriptions
3. Receive notifications for:
   - Certificate expiration
   - Configuration changes
   - Service health events
---
## Zero Trust Identity Service (ZTIS)
### Workload Attestation Method
1. Create Zero Trust service credentials for each Transparent Proxy component
2. Configure x509 attestation for Destination service
3. Set Helm values for SPIRE agent socket path
### SVID Store Method
1. Configure credentials for Kubernetes Secret-based identity
2. Set Helm values for secret name and namespace
3. ZTIS stores identity documents in specified secrets
---
## Documentation Links
- MTA Destinations: [https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/create-destinations-using-mta-descriptor](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/create-destinations-using-mta-descriptor)
- Config.JSON: [https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/use-config-json](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/use-config-json)
- Destination Chaining: [https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/destination-chaining](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/destination-chaining)
- System Mappings API: [https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/system-mappings](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/system-mappings)
- ZTIS Integration: [https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/integration-with-zero-trust-identity-service](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/integration-with-zero-trust-identity-service)
---
**Last Updated**: 2025-11-22
```
### references/identity-propagation-scenarios.md
```markdown
# Identity Propagation Scenarios Reference
Advanced identity propagation configurations for ABAP systems, NetWeaver Java, and custom identity providers.
**Source**: [https://github.com/SAP-docs/btp-connectivity/tree/main/docs/1-connectivity-documentation](https://github.com/SAP-docs/btp-connectivity/tree/main/docs/1-connectivity-documentation)
---
## Overview
Identity propagation enables SSO between SAP BTP and backend systems by forwarding user identity through short-lived X.509 certificates.
### Propagation Types
| Type | Description |
|------|-------------|
| **Principal Propagation** | Propagate logged-in user identity |
| **Technical User Propagation** | Propagate technical service user |
### Supported Backend Systems
- SAP ABAP systems (HTTPS, RFC)
- SAP NetWeaver AS Java
- SAP Web Dispatcher (as proxy)
- Third-party systems (with X.509 support)
---
## Identity Propagation to ABAP Systems
### HTTPS Configuration
**Prerequisites**:
- Cloud Connector installed and connected
- System certificate configured in Cloud Connector
- Access control for target ABAP system
**Steps**:
1. **Export Cloud Connector Certificate**:
   - Cloud Connector UI > Configuration > On Premise > System Certificate
   - Download the certificate
2. **Import to ABAP Trust Store**:
   - Transaction `STRUST`
   - Import certificate to `SSL Server Standard`
3. **Configure Certificate Mapping**:
   - Transaction `CERTRULE`
   - Create rule to map certificate subject to ABAP user
4. **Destination Configuration**:
   ```
   Authentication: PrincipalPropagation
   ProxyType: OnPremise
   ```
### RFC Configuration
**Prerequisites**:
- Cloud Connector with SNC PSE configured
- SNC enabled on ABAP system
**Steps**:
1. **Configure SNC PSE in Cloud Connector**:
   - Cloud Connector UI > Configuration > On Premise > SNC
2. **Export SNC Certificate**:
   - Download PSE certificate from Cloud Connector
3. **Import to ABAP SNC Trust**:
   - Transaction `STRUST` > SNC (SAPCryptolib)
4. **Configure SNC Parameters**:
   ```
   jco.client.snc_mode: 1
   jco.client.snc_partnername: p:<ABAP-SNC-Name>
   jco.client.snc_qop: 9
   ```
### Rule-Based Certificate Mapping
Configure in ABAP transaction `CERTRULE`:
| Field | Description | Example |
|-------|-------------|---------|
| **Rule Type** | Mapping algorithm | `Certificate Subject` |
| **Subject Pattern** | X.509 subject filter | `CN=*, OU=Cloud Connector` |
| **User Field** | Field to extract | `CN` |
| **User Mapping** | How to resolve user | `Direct` or `Alias` |
**Example Rules (Transaction CERTRULE)**:
```
# Rule 1: Direct mapping from CN attribute
Certificate Attribute: CN (Common Name)
Login As: ABAP User
Mapping: CN value maps directly to SAP user ID
# Rule 2: Email-based mapping via SubjectAlternativeName
Certificate Attribute: SubjectAlternativeName (Email)
Login As: Alias
Mapping: Email address maps to user alias in table USR02
# Rule 3: OU-based filtering with CN mapping
Subject Filter: OU=Cloud Connector
Certificate Attribute: CN
Login As: ABAP User
```
### Short-Term vs Long-Term Certificates
| Aspect | Short-Term | Long-Term |
|--------|------------|-----------|
| **Validity** | Minutes to hours | Days to months |
| **Use Case** | Principal Propagation | Technical User |
| **Rotation** | Automatic | Manual renewal |
| **Security** | Higher (ephemeral) | Lower (persistent) |
---
## Identity Propagation to NetWeaver Java
### Prerequisites
- SAP NetWeaver Administrator access
- Cloud Connector administrator access
- SSL access point configuration
### Configuration Steps
**1. Import Cloud Connector Certificate**:
- SAP NetWeaver Administrator > Security > Certificates and Keys
- Import system certificate to "Trusted CAs" keystore
**2. Configure ICM SSL Access Point**:
- Create new SSL access point
- Generate Certificate Signing Request (CSR)
- Import certificate chain:
  - CSR response
  - Root CA certificate
  - Cloud Connector certificate
- Restart ICM
**3. Add ClientCertLoginModule**:
- SAP NetWeaver Administrator > Configuration > Security
- Add `ClientCertLoginModule` to policy configuration
**4. Define User Mapping Rules**:
```
# Map from certificate subject
Rule Type: Subject Name Field
Field: CN
Target: User ID
# Map from SubjectAlternativeName
Rule Type: Certificate V3 Extension
Extension: SubjectAlternativeName
Target: User ID
# Certificate filter
Rule Type: Client Certificate Filter
Issuer: CN=Cloud Connector CA
```
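The rule evaluation behind both the ABAP `CERTRULE` rules and the NetWeaver Java user mapping rules above, as an added example that is not SAP code: a subject or issuer filter decides whether a rule applies, the chosen certificate attribute (subject `CN` or the SubjectAlternativeName e-mail) supplies the value, and "login as" decides whether that value is a user ID or an alias to resolve. The `Rule`/`ClientCert` types, the alias table standing in for `USR02`, and the sample certificates are constructed for this example.

```python
"""Added example, not SAP code: evaluate CERTRULE-style mapping rules against
the subject, issuer and SubjectAlternativeName data of a client certificate,
after checking the certificate's validity window. Rule, ClientCert, the alias
table and the sample certificates are this example's own constructions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional


def parse_dn(dn: str) -> dict:
    """Split 'CN=jdoe, OU=Cloud Connector, O=ACME' into {ATTR: value}.
    Backslash-escaped commas and multi-valued RDNs are not handled."""
    attrs = {}
    for part in dn.split(","):
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().upper()] = val.strip()
    return attrs


@dataclass
class ClientCert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    san_emails: List[str] = field(default_factory=list)


@dataclass
class Rule:
    source: str                            # "subject:CN" or "san:email"
    login_as: str                          # "user" (ABAP user ID) or "alias"
    subject_filter: Optional[str] = None   # e.g. "OU=Cloud Connector"
    issuer_filter: Optional[str] = None    # e.g. "CN=Cloud Connector CA"


def _dn_matches(attrs: dict, flt: Optional[str]) -> bool:
    """Every attribute named in the filter must be present with that value."""
    return flt is None or all(attrs.get(k) == v for k, v in parse_dn(flt).items())


def map_certificate(cert: ClientCert, rules: List[Rule], now: datetime,
                    alias_table: dict) -> Optional[str]:
    """Return the resolved ABAP user ID, or None if no rule applies.
    alias_table stands in for the alias lookup the text attributes to USR02."""
    # Short-term certificates live minutes to hours; a skewed backend clock
    # makes a fresh one look expired (see the Troubleshooting table).
    if not cert.not_before <= now <= cert.not_after:
        return None
    subj, issuer = parse_dn(cert.subject), parse_dn(cert.issuer)
    for rule in rules:
        if not (_dn_matches(subj, rule.subject_filter)
                and _dn_matches(issuer, rule.issuer_filter)):
            continue
        kind, _, name = rule.source.partition(":")
        if kind == "subject":
            value = subj.get(name.upper())
        elif kind == "san" and name == "email" and cert.san_emails:
            value = cert.san_emails[0]
        else:
            value = None
        if not value:
            continue                       # attribute absent: try next rule
        if rule.login_as == "user":
            return value.upper()           # ABAP user IDs are case-insensitive
        if rule.login_as == "alias":
            return alias_table.get(value.lower())
    return None


# Constructed sample rule set, in the spirit of CERTRULE rules 3 and 2 above.
RULES = [
    Rule("subject:CN", "user", subject_filter="OU=Cloud Connector",
         issuer_filter="CN=Cloud Connector CA"),
    Rule("san:email", "alias", issuer_filter="CN=Cloud Connector CA"),
]
ALIASES = {"jane.doe@example.com": "JDOE"}        # constructed USR02 stand-in


def demo() -> dict:
    """Four constructed certificates: a direct CN match, an alias match via
    the SAN e-mail, an expired short-term certificate, an untrusted issuer."""
    now = datetime(2025, 11, 22, 12, 0, tzinfo=timezone.utc)
    fresh = dict(not_before=now - timedelta(minutes=5),
                 not_after=now + timedelta(hours=1))
    good = ClientCert("CN=jdoe, OU=Cloud Connector, O=ACME",
                      "CN=Cloud Connector CA, O=ACME", **fresh)
    alias = ClientCert("CN=svc-01, OU=Automation, O=ACME",
                       "CN=Cloud Connector CA, O=ACME",
                       san_emails=["Jane.Doe@example.com"], **fresh)
    expired = ClientCert(good.subject, good.issuer,
                         now - timedelta(hours=2), now - timedelta(minutes=1))
    rogue = ClientCert(good.subject, "CN=Some Other CA, O=ACME", **fresh)
    return {name: map_certificate(c, RULES, now, ALIASES)
            for name, c in [("good", good), ("alias", alias),
                            ("expired", expired), ("rogue", rogue)]}
```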
### ICM Verification
```bash
# Check ICM trusts certificate
sapcontrol -nr <instance> -function ICMGetThreadList
# Verify SSL configuration
disp+work -v
```
---
## Custom Identity Provider Configuration
### SSO Passcode Method
When using a custom IDP for Cloud Connector subaccount configuration:
**Step 1: Construct SSO URL**
```
https://<subdomain>.authentication.<region>.hana.ondemand.com/passcode
```
Example:
```
https://mycompany.authentication.eu10.hana.ondemand.com/passcode
```
**Step 2: Obtain Passcode**
- Navigate to SSO URL in browser
- Authenticate with custom IDP
- Copy generated one-time passcode
**Step 3: Configure Cloud Connector**
```
Username: $SAP-CP-SSO-PASSCODE$
Password: <one-time-passcode>
```
### Alternative: Authentication Data File
Cloud Connector 2.17+ supports authentication data file import:
1. Generate file in BTP Cockpit
2. Download authentication data
3. Cloud Connector UI > Configuration > Import
4. Select authentication data file
---
## IAS Token Propagation
### IAS-Signed SAML Bearer Assertion
**Flow**:
1. User authenticates to SAP Identity Authentication Service (IAS)
2. IAS issues signed SAML assertion
3. Destination Service exchanges for OAuth token
4. Token used for target system access
**Destination Configuration**:
```json
{
  "Name": "ias-saml-destination",
  "Type": "HTTP",
  "URL": "https://target-system.example.com",
  "Authentication": "OAuth2SAMLBearerAssertion",
  "ProxyType": "Internet",
  "audience": "https://target-system.example.com",
  "clientKey": "<service-key>",
  "tokenServiceURL": "https://target.authentication.region.hana.ondemand.com/oauth/token",
  "KeyStoreLocation": "ias-signing-cert.p12",
  "KeyStorePassword": "<password>"
}
```
### IAS-Generated SAML to OAuth2 Chain
**Predefined Chain Configuration**:
```
Authentication: OAuth2SAMLBearerAssertion
ChainType: IAS_SAML_TO_OAUTH2
```
**Flow**:
1. BTP app requests destination with IAS token
2. Destination Service validates IAS token
3. Generates SAML assertion from IAS claims
4. Exchanges SAML for OAuth2 token
5. Returns destination with access token
---
## OAuth2UserTokenExchange
### Token Exchange Flow
**Prerequisites**:
- User token with `uaa.user` scope
- OAuth2UserTokenExchange destination configured
**Header Configuration**:
| Scenario | Authorization Header | User Token Exchange Header |
|----------|---------------------|---------------------------|
| Provider Tenant | User JWT | (empty) |
| Subscriber → Provider Dest | Access Token | Subscriber JWT |
| Subscriber → Subscriber Dest | Subscriber Access Token | Subscriber JWT |
### Implementation
```bash
# Provider tenant token exchange
curl -X GET "${uri}/destination-configuration/v1/destinations/${destName}" \
-H "Authorization: Bearer ${userJwt}"
# Subscriber to provider destination
curl -X GET "${uri}/destination-configuration/v1/destinations/${destName}" \
-H "Authorization: Bearer ${accessToken}" \
-H "X-user-token: ${subscriberUserJwt}"
```
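The header table and the two curl calls above, put together as a small client, as an added example rather than SAP's own code: pick the `Authorization` / `X-user-token` pair for the scenario, call the Destination Service "find destination" endpoint, and take the ready-to-send header from the `authTokens` entry of the reply. The reply shape assumed here (`authTokens` with `type`, `value`, `http_header`) follows the Destination Service response format; the host name and the sample reply are constructed so the flow runs offline.

```python
"""Added example, not SAP code: OAuth2UserTokenExchange header selection plus
the find-destination call and response handling. The sample response and the
service host are constructed; the call is exercised through a fake opener."""
import json
import urllib.request
from typing import Callable, Optional

PROVIDER = "provider"                              # user JWT is the bearer
SUBSCRIBER_TO_PROVIDER = "subscriber_to_provider"
SUBSCRIBER_TO_SUBSCRIBER = "subscriber_to_subscriber"


def exchange_headers(scenario: str, access_token: Optional[str],
                     user_jwt: str) -> dict:
    """Provider tenant: the user's JWT authenticates the call, no exchange
    header. Subscriber scenarios: an access token authenticates the call and
    the subscriber user's JWT travels in X-user-token for the exchange."""
    if scenario == PROVIDER:
        return {"Authorization": f"Bearer {user_jwt}"}
    if scenario in (SUBSCRIBER_TO_PROVIDER, SUBSCRIBER_TO_SUBSCRIBER):
        if not access_token:
            raise ValueError("subscriber scenarios need an access token")
        return {"Authorization": f"Bearer {access_token}",
                "X-user-token": user_jwt}
    raise ValueError(f"unknown scenario {scenario!r}")


def find_destination(base_uri: str, dest_name: str, headers: dict,
                     opener: Callable = urllib.request.urlopen) -> dict:
    """GET /destination-configuration/v1/destinations/<name>; `opener` is
    injectable so the flow can be exercised without a network."""
    url = (f"{base_uri.rstrip('/')}/destination-configuration/v1/"
           f"destinations/{dest_name}")
    req = urllib.request.Request(url, headers=headers, method="GET")
    with opener(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def auth_header_from_response(dest: dict) -> Optional[tuple]:
    """Return (header_name, header_value) for the first usable token, or None.
    An entry carrying an 'error' field means the exchange failed; it is
    skipped instead of being forwarded to the target system."""
    for tok in dest.get("authTokens", []):
        if tok.get("error"):
            continue
        hdr = tok.get("http_header") or {}
        if hdr.get("key") and hdr.get("value"):
            return hdr["key"], hdr["value"]
        if tok.get("type") and tok.get("value"):
            return "Authorization", f"{tok['type']} {tok['value']}"
    return None


# Constructed Destination Service reply for the offline demonstration.
SAMPLE_RESPONSE = {
    "owner": {"SubaccountId": "<subscriber-subaccount-id>", "InstanceId": None},
    "destinationConfiguration": {
        "Name": "backend", "Type": "HTTP", "URL": "https://backend.example.com",
        "Authentication": "OAuth2UserTokenExchange", "ProxyType": "Internet",
    },
    "authTokens": [{
        "type": "bearer", "value": "<exchanged-token>",
        "http_header": {"key": "Authorization",
                        "value": "Bearer <exchanged-token>"},
    }],
}


class _FakeResponse:
    """Minimal stand-in for what urllib.request.urlopen returns."""
    def __init__(self, payload): self._body = json.dumps(payload).encode()
    def read(self): return self._body
    def __enter__(self): return self
    def __exit__(self, *exc): return False


def demo() -> dict:
    """Subscriber-to-provider exchange against the fake endpoint; returns what
    was sent and the header the caller would add to its backend request."""
    sent = {}

    def fake_open(req, timeout=10):
        sent["url"] = req.full_url
        sent["headers"] = dict(req.header_items())
        return _FakeResponse(SAMPLE_RESPONSE)

    headers = exchange_headers(SUBSCRIBER_TO_PROVIDER, "<provider-access-token>",
                               "<subscriber-user-jwt>")
    dest = find_destination("https://destination-configuration.example/",
                            "backend", headers, opener=fake_open)
    return {"url": sent["url"], "sent_headers": sent["headers"],
            "backend_auth": auth_header_from_response(dest)}
```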
---
## Sequential User Propagation Chain
### Concept
Chain multiple authentication methods for complex SSO scenarios.
**Example: BTP → IAS → On-Premise**
1. User authenticates to BTP via IAS
2. IAS token exchanged for SAML assertion
3. SAML propagated to on-premise via Cloud Connector
4. On-premise validates and maps user
### Configuration
```json
{
  "Name": "sequential-chain-dest",
  "Type": "HTTP",
  "URL": "https://onprem.internal:443",
  "Authentication": "OAuth2SAMLBearerAssertion",
  "ProxyType": "OnPremise",
  "chainConfig": {
    "step1": "IAS_TOKEN_VALIDATION",
    "step2": "SAML_ASSERTION_GENERATION",
    "step3": "PRINCIPAL_PROPAGATION"
  }
}
```
---
## Propagation via SAP Web Dispatcher
### Architecture
```
BTP App → Cloud Connector → Web Dispatcher → ABAP Backend
```
### Web Dispatcher Configuration
```
# icm/server_port_0
wdisp/ssl_enable = 1
wdisp/ssl_client_sni = 1
# Client certificate forwarding
icm/HTTP/client_cert_header = SSL_CLIENT_CERT
```
### Trust Chain Setup
1. Import Cloud Connector certificate to Web Dispatcher trust store
2. Configure certificate forwarding to backend
3. Backend validates certificate from trusted Web Dispatcher
---
## Communication Behavior Parameters
### JCo Connection Parameters
| Parameter | Values | Default | Description |
|-----------|--------|---------|-------------|
| `jco.client.trace` | 0, 1 | 0 | Enable protocol traces |
| `jco.client.codepage` | 4-digit | 1100 | Character encoding |
| `jco.client.delta` | 0, 1 | 1 | Table delta management |
| `jco.client.serialization_format` | rowBased, columnBased | rowBased | RFC serialization |
| `jco.client.network` | LAN, WAN | LAN | Network type hint |
### Codepage Considerations
When passwords contain special characters:
- Default `1100` (iso-8859-1) may not support all characters
- Use the appropriate codepage for your locale:
  - `1160` - UTF-8
  - `8000` - Japanese
  - `8300` - Korean
---
## Troubleshooting
### Certificate Issues
| Symptom | Cause | Solution |
|---------|-------|----------|
| Certificate not trusted | Missing in trust store | Import to STRUST/ICM |
| User not found | Mapping rule mismatch | Check CERTRULE patterns |
| SNC handshake failed | PSE not configured | Verify SNC setup |
| Token expired | Short-term cert timeout | Check system clocks |
### Debugging
**Cloud Connector**:
```
Audit Log Level: All
Connection/Traffic Traces: Enabled (temporarily)
```
**ABAP**:
```
Transaction: SMICM > Services > ICM Trace
Transaction: SLDCHECK > SSL Trace
```
**NetWeaver Java**:
```
Log Configuration: Security > Authentication
Trace Level: DEBUG
```
---
**Last Updated**: 2025-11-22
**Source Files**:
- configuring-identity-propagation-to-an-abap-system-6705cc3.md
- configuring-identity-propagation-to-sap-netweaver-as-for-java-2e96287.md
- use-a-custom-idp-for-subaccount-configuration-2022612.md
- exchanging-user-jwts-via-oauth2usertokenexchange-destinations-39d4265.md
- ias-signed-saml-bearer-assertion-a1ecea9.md
- sequential-user-propagation-chain-13f633e.md
- parameters-influencing-communication-behavior-cce126a.md
```
### references/operational-guides.md
```markdown
# Operational Guides Reference
Network architecture, connectivity directions, solution management, and operational best practices.
**Source**: [https://github.com/SAP-docs/btp-connectivity/tree/main/docs/1-connectivity-documentation](https://github.com/SAP-docs/btp-connectivity/tree/main/docs/1-connectivity-documentation)
---
## Network Zones
### Zone Architecture
Organizations typically divide networks into security zones:
| Zone | Security Level | Typical Systems |
|------|---------------|-----------------|
| **Internet** | External/Untrusted | Public services |
| **DMZ** | Perimeter | Firewalls, proxies |
| **Intranet** | Internal/Trusted | Business applications |
| **Secure Zone** | High Security | Databases, core systems |
### Cloud Connector Deployment Options
**Option 1: DMZ Deployment**
```
Internet → Firewall → [Cloud Connector in DMZ] → Firewall → Intranet
```
**Benefits**:
- Centralized IT operation
- External-facing service exposure
- Enhanced security perimeter
**Requirements**:
- Internet access to SAP BTP region hosts (direct or HTTPS proxy)
- Network access to internal backend systems
**Option 2: Intranet Deployment**
```
Internet → Firewall → DMZ → Firewall → [Cloud Connector in Intranet]
```
**Benefits**:
- Line of business operational control
- Direct access to internal systems
- Simpler internal network configuration
**Requirements**:
- Direct, transparent connectivity to backend systems
- Outbound HTTPS to SAP BTP
### Network Requirements
**Standard Ports**:
| Protocol | Port | Direction | Purpose |
|----------|------|-----------|---------|
| HTTPS | 443 | Outbound | BTP connectivity |
| HTTP | 80 | Outbound | (Optional) redirect |
**RFC Communication**:
| Port Type | Port Number | Description |
|-----------|-------------|-------------|
| Gateway | 33+instance (e.g., 3300) | RFC gateway |
| Message Server | Arbitrary | Load balancing |
| Dispatcher | 32+instance | Work process |
**Database Connectivity (HANA JDBC)**:
- Arbitrary outbound port required
- Configurable in HANA connection properties
### Firewall Configuration
Cloud Connector requires transparent access to:
- SAP BTP region hosts (see regional host list)
- Backend systems on configured ports
- Optional: HTTPS proxy server
**Important**: Mail (SMTP) is **not supported** through Cloud Connector.
---
## Connectivity Directions
### Inbound Connectivity (Cloud-to-On-Premise)
**Architecture**:
```
SAP BTP → Cloud Connector Tunnel → On-Premise Systems
```
**Key Characteristics**:
- Reverse invoke proxy model
- Cloud Connector administrator controls tunnel
- TLS encryption with mutual authentication
- Subaccount isolation enforced
**Security Features**:
- Explicit resource exposure (deny by default)
- Virtual host mapping hides physical infrastructure
- Application-level access restrictions
- Comprehensive audit logging
**Supported Protocols**:
- HTTP/HTTPS
- RFC (with SNC option)
**Configuration**:
1. Install Cloud Connector
2. Connect to BTP subaccount
3. Configure access control for target systems
4. Create destinations with `ProxyType: OnPremise`
### Outbound Connectivity (On-Premise-to-Cloud)
**Architecture**:
```
On-Premise Tools → Cloud Connector Tunnel → SAP BTP (HANA DB)
```
**Primary Use Case**:
Database tunnel for JDBC/ODBC access to cloud databases.
**Supported Tools**:
- SAP Lumira
- SAP BusinessObjects Enterprise (BOE)
- SAP Data Services
- Any JDBC/ODBC client
**Protocol Limitation**:
> The database tunnel only allows JDBC and ODBC connections. Reuse for other protocols is not possible.
**Security**:
- Same TLS + mutual authentication as inbound
- Audit logging of all activities
**Required Users**:
| User Type | Purpose | Managed By |
|-----------|---------|------------|
| Platform User | Tunnel establishment | BTP subaccount |
| Database User | HANA access | HANA role/privilege |
---
## Solution Management Integration
### Overview
Integrate Cloud Connector with SAP Solution Management for monitoring and operations.
### Prerequisites
- SAP Host Agent installed on Cloud Connector host
- Cloud Connector 2.x or later
- Solution Manager system configured
### Configuration Properties
| Property | Type | Description |
|----------|------|-------------|
| `hostAgentPath` | String | Host agent directory (optional) |
| `enabled` | Boolean | Enable/disable integration |
| `dsrEnabled` | Boolean | Enable Detailed System Report |
### REST API Operations
**Get Current Configuration**:
```bash
curl -X GET "https://localhost:8443/api/v1/configuration/connector/solutionManagement" \
-H "Authorization: Basic ${auth}" \
-k
```
**Enable Solution Management**:
```bash
curl -X POST "https://localhost:8443/api/v1/configuration/connector/solutionManagement" \
-H "Authorization: Basic ${auth}" \
-H "Content-Type: application/json" \
-d '{"enabled": true, "dsrEnabled": true}' \
-k
```
**Disable Solution Management**:
```bash
curl -X DELETE "https://localhost:8443/api/v1/configuration/connector/solutionManagement" \
-H "Authorization: Basic ${auth}" \
-k
```
**Download Registration File**:
```bash
curl -X GET "https://localhost:8443/api/v1/configuration/connector/solutionManagement/registrationFile" \
-H "Authorization: Basic ${auth}" \
-o registration.xml \
-k
```
### HA Environment Notes
- Configuration on shadow modifies settings only
- Activation requires master instance
- Master changes propagate to shadow automatically
---
## Operational Modes (Kubernetes)
### Standard Mode
Default deployment mode:
- Single namespace operation
- Standard Kubernetes RBAC
- Operator manages resources in deployment namespace
### Managed Namespaces Mode
For multi-tenant Kubernetes clusters:
```yaml
# Connectivity Proxy configuration
config:
  managedNamespaces:
    enabled: true
    namespaces:
      - tenant-a
      - tenant-b
      - shared-services
```
**Features**:
- Operator watches multiple namespaces
- Tenant isolation preserved
- Centralized proxy deployment
---
## Release and Maintenance Strategy
### Cloud Connector Releases
**Release Cadence**:
- Major versions: ~annually
- Minor versions: quarterly
- Patch versions: as needed
**Support Timeline**:
- Current version: Full support
- N-1 version: Maintenance support
- N-2 and older: Best effort / end of support
### Upgrade Recommendations
1. Review release notes for breaking changes
2. Test in non-production first
3. Plan downtime window (typically <30 min)
4. Backup configuration before upgrade
5. Verify connectivity after upgrade
### Kubernetes Proxy Releases
**Helm Chart Updates**:
```bash
# Check for updates
helm search repo sapse/connectivity-proxy --versions
# Upgrade
helm upgrade connectivity-proxy \
oci://registry-1.docker.io/sapse/connectivity-proxy \
--version <new-version> \
-f values.yaml
```
---
## UI Configuration
### Change UI Port
Default: `8443`
**Linux/macOS**:
```bash
# Edit configuration
vi /opt/sap/scc/config.ini
# Add or modify
[https]
port = 9443
# Restart service
service scc_daemon restart
```
**Windows**:
```
# Edit configuration
notepad C:\SAP\scc\config.ini
# Add or modify
[https]
port = 9443
# Restart service (as Administrator)
net stop "SAP Cloud Connector"
net start "SAP Cloud Connector"
```
### Login Screen Customization
Configure in Cloud Connector UI:
- **Configuration > UI Settings > Login Screen**
Customizable elements:
- Company logo
- Welcome message
- Custom CSS
- Footer text
### Theming
Cloud Connector supports SAP Fiori theming:
- Default: SAP Belize
- Custom themes: Import via UI Settings
---
## LDAP User Administration
### Configuration
Enable LDAP for Cloud Connector user management:
1. **Configuration > User Interface > User Management**
2. Select "LDAP" as authentication method
3. Configure LDAP server settings:
```
ldap.server.host = ldap.company.com
ldap.server.port = 636
ldap.server.ssl = true
ldap.base.dn = dc=company,dc=com
ldap.user.dn = cn=scc-user,ou=services,dc=company,dc=com
ldap.user.password = ****
ldap.user.search.filter = (&(objectClass=user)(sAMAccountName={0}))
ldap.group.search.filter = (&(objectClass=group)(member={0}))
```
### LDAP Best Practices
- Use LDAPS (port 636) for encrypted connections
- Create dedicated service account for binding
- Use specific search filters to limit scope
- Map Cloud Connector roles to LDAP groups:
  - `scc-admin` → Full administration
  - `scc-support` → Monitoring only
  - `scc-display` → Read-only access
### TLS Certificate Validation (Production)
For production LDAPS deployments, ensure proper certificate handling:
- Import LDAP server certificate to Cloud Connector truststore
- Validate certificate chain (root CA → intermediate → server)
- Monitor certificate expiration dates
- Consider OCSP/CRL checking for revocation status
---
## Named Cloud Connector Users
### Configuration
Assign named users for audit trail clarity:
1. **Configuration > Access Control > Named Users**
2. Add users with specific roles:
| Role | Permissions |
|------|-------------|
| Administrator | Full access |
| Support | Monitoring, logs |
| Display | Read-only |
### LDAP Group Mapping
```
Administrator = CN=SCC-Admins,OU=Groups,DC=company,DC=com
Support = CN=SCC-Support,OU=Groups,DC=company,DC=com
Display = CN=SCC-Viewers,OU=Groups,DC=company,DC=com
```
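The two search filters from the LDAP configuration above and the group-to-role mapping just shown, exercised in code as an added example (not Cloud Connector's implementation): the `{0}` placeholder is filled with an RFC 4515-escaped value so a login name containing `*`, `(` or `)` cannot change the meaning of the query, and the group DNs a search returns are matched against the mapping to yield Cloud Connector roles. Function names and sample inputs are constructed for this example.

```python
"""Added example, not Cloud Connector code: safe {0} substitution for the
ldap.user.search.filter / ldap.group.search.filter templates, and group DN
to role resolution using the LDAP Group Mapping block above."""
from typing import Dict, Iterable, List

USER_FILTER = "(&(objectClass=user)(sAMAccountName={0}))"
GROUP_FILTER = "(&(objectClass=group)(member={0}))"

# Characters RFC 4515 requires to be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Role mapping from the "LDAP Group Mapping" block above.
GROUP_ROLES: Dict[str, str] = {
    "CN=SCC-Admins,OU=Groups,DC=company,DC=com": "Administrator",
    "CN=SCC-Support,OU=Groups,DC=company,DC=com": "Support",
    "CN=SCC-Viewers,OU=Groups,DC=company,DC=com": "Display",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value before it is placed in a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, value: str) -> str:
    """Substitute {0} in a Cloud Connector filter template with the escaped value."""
    if "{0}" not in template:
        raise ValueError("filter template has no {0} placeholder")
    return template.replace("{0}", escape_filter_value(value))


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: no whitespace around commas, attribute
    names upper-cased, values compared case-insensitively."""
    rdns = []
    for part in dn.split(","):
        key, _, val = part.strip().partition("=")
        rdns.append(f"{key.strip().upper()}={val.strip().lower()}")
    return ",".join(rdns)


_NORMALIZED_ROLES = {normalize_dn(k): v for k, v in GROUP_ROLES.items()}


def roles_for_groups(member_of: Iterable[str]) -> List[str]:
    """Return the sorted Cloud Connector roles granted by the given group DNs.
    Groups absent from the mapping grant nothing (deny by default)."""
    roles = {_NORMALIZED_ROLES[normalize_dn(g)]
             for g in member_of if normalize_dn(g) in _NORMALIZED_ROLES}
    return sorted(roles)
```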
---
## Advanced Configuration
### Tunnel Connection Settings
**Configuration > Cloud Connector > Advanced Settings**
| Setting | Default | Description |
|---------|---------|-------------|
| Keep-Alive Interval | 60s | Heartbeat frequency |
| Reconnect Delay | 30s | Wait before reconnect |
| Connection Timeout | 30s | Initial connect timeout |
| Max Connections | 100 | Connection pool size |
### Custom Regions
For private cloud deployments:
```
region.custom.name = Private Cloud
region.custom.host = connectivity.private.company.com
region.custom.port = 443
```
### Firewall Rule Configuration
**SAP BTP Destination Service IPs**:
Contact SAP Support for region-specific IP ranges for firewall whitelisting.
**General Pattern**:
```
# Allow outbound to BTP
ALLOW tcp/443 -> *.hana.ondemand.com
ALLOW tcp/443 -> *.authentication.<region>.hana.ondemand.com
```
---
## Automatic Resource Pickup
### Kubernetes Configuration
Transparent Proxy can automatically detect destination changes:
```yaml
# Transparent Proxy values
config:
  destinationRefresh:
    enabled: true
    interval: 300 # seconds
```
### Event-Based Pickup
Configure webhook notifications:
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: transparent-proxy-config
data:
  destination-webhook: "true"
  webhook-url: "http://callback-service/destination-update"
```
---
**Last Updated**: 2025-11-22
**Source Files**:
- network-zones-7b9d90c.md, network-zones-88efb23.md
- inbound-connectivity-90932cf.md
- outbound-connectivity-a2ca4e8.md
- solution-management-integration-1dfef61.md
- configure-solution-management-integration-3a058a2.md
- operational-modes-148bbad.md
- managed-namespaces-mode-6588a65.md
- release-and-maintenance-strategy-7c3b531.md
- change-the-ui-port-ca5af74.md
- configure-login-screen-information-916df5b.md
- theming-e7e8197.md
- use-ldap-for-user-administration-120ceec.md
- configure-named-cloud-connector-users-3859e50.md
- automatic-pickup-on-resource-changes-78ddb8f.md
```
### references/connectivity-alternatives-and-config.md
```markdown
# Connectivity Alternatives and Configuration Reference
Alternative connectivity approaches, user roles, target system configuration, and getting started guide.
**Source**: [https://github.com/SAP-docs/btp-connectivity/tree/main/docs/1-connectivity-documentation](https://github.com/SAP-docs/btp-connectivity/tree/main/docs/1-connectivity-documentation)
---
## Getting Started
### Core Components Overview
| Component | Purpose |
|-----------|---------|
| **Destination Service** | Stores connection config, automates OAuth2 tokens |
| **Connectivity Service** | Secure tunnel access via Cloud Connector |
| **Cloud Connector** | Secure link between cloud and on-premise |
| **Connectivity Proxy** | Kubernetes access to on-premise systems |
| **Transparent Proxy** | Automated destination retrieval for Kubernetes |
### Quick Start Path
1. **Store Configuration**: Use Destination Service for credentials, certificates, URLs
2. **Choose Architecture**:
- Cloud Foundry → Cloud Connector + Connectivity Service
- Kubernetes → Connectivity Proxy or Transparent Proxy
3. **Enhance**: Deploy Transparent Proxy for automated destination handling
---
## Connectivity Alternatives
### Reverse Proxy vs Cloud Connector
Organizations may choose between Cloud Connector and a reverse proxy/ADC for on-premise connectivity.
#### Reverse Proxy Approach
**Configuration**:
```
ProxyType: Internet
```
**Advantages**:
- Reuses existing reverse proxy/ADC infrastructure
- Cloud-agnostic (works with any cloud)
- Centralized entry point to corporate network
**Disadvantages**:
- Services exposed to Internet (DoS vulnerability)
- IP filtering allows only one BTP outbound address
- Cannot restrict to customer-specific apps
- RFC requires WebSocket (S/4HANA 1909+ only)
- No straightforward principal propagation
- Requires intensive IT involvement
#### Cloud Connector Approach
**Configuration**:
```
ProxyType: OnPremise
```
**Advantages**:
- TLS tunnel with reverse invocation
- No DMZ/firewall changes needed
- Prevents Internet-based attacks
- Simplified setup
- Granular access controls
- Supports HTTP, RFC, LDAP, TCP
- Principal propagation built-in
#### Decision Matrix
| Requirement | Reverse Proxy | Cloud Connector |
|-------------|---------------|-----------------|
| Reuse existing infra | ✅ | ❌ |
| RFC to old ABAP | ❌ | ✅ |
| Principal propagation | ❌ | ✅ |
| Minimal IT involvement | ❌ | ✅ |
| DoS protection | ❌ | ✅ |
| Quick implementation | ❌ | ✅ |
---
## User Roles
### Cloud Connector Roles
| Role | Permissions |
|------|-------------|
| **Administrator** | Full configuration, subaccount management |
| **Subaccount Administrator** | Connect Cloud Connector to subaccounts |
| **Cloud Connector Auditor** | Read-only access (included in Subaccount Viewer) |
| **Display** | View configurations |
| **Support** | Monitoring and logs |
### BTP Role Collections
| Role Collection | Includes |
|-----------------|----------|
| **Subaccount Administrator** | Cloud Connector Administrator |
| **Cloud Connector Administrator** | Dedicated CC role |
| **Connectivity and Destination Administrator** | CC Admin + Destination Admin |
| **Subaccount Viewer** | Cloud Connector Auditor |
### Permission Requirements
**View Connected Cloud Connectors**:
- Requires `readSCCTunnels` permission
- Cloud Connector Administrator role satisfies this
**Configure Access Control**:
- Requires Administrator role in Cloud Connector UI
- Not configurable via BTP Cockpit
---
## Target System Configuration (RFC)
### Connection Types
#### 1. Direct Connection
**Use When**: Single application server target
**Proxy Type**: `OnPremise` (Load Balancing: unchecked)
| Property | Description | Example |
|----------|-------------|---------|
| `jco.client.ashost` | Application server host | `sap-erp.virtual` |
| `jco.client.sysnr` | 2-digit system number | `00` |
| `jco.client.client` | 3-digit client number | `100` |
**Cloud Connector**: Virtual port must be `sapgw<##>` (e.g., `sapgw00`)
#### 2. Load Balancing Connection
**Use When**: Multiple app servers with message server
**Proxy Type**: `OnPremise` (Load Balancing: checked)
| Property | Description | Example |
|----------|-------------|---------|
| `jco.client.mshost` | Message server host | `sap-ms.virtual` |
| `jco.client.group` | Logon group (default: PUBLIC) | `SPACE` |
| `jco.client.r3name` | 3-char system ID | `ERP` |
| `jco.client.msserv` | Message server port (alt to r3name) | `3601` |
| `jco.client.client` | 3-digit client number | `100` |
**Cloud Connector**: Virtual port must be `sapms<###>` (e.g., `sapmsERP`)
#### 3. WebSocket Connection (Internet)
**Use When**: Direct Internet access to ABAP (S/4HANA 1909+)
**Proxy Type**: `Internet`
| Property | Description | Example |
|----------|-------------|---------|
| `jco.client.wshost` | WebSocket RFC server | `s4hana.example.com` |
| `jco.client.wsport` | WebSocket port | `443` |
| `jco.client.client` | Client (optional) | `100` |
| `jco.destination.ws_ping_period` | Keep-alive (0 or 10-86400s) | `60` |
| `jco.destination.ws_pong_timeout` | Pong timeout (0 or 10-3600s) | `30` |
| `jco.client.tls_trust_all` | Trust all certs (0=no, 1=yes) | `0` |
**Trust Store Options**:
- Dedicated trust store with location/password
- Default client trust store
- Trust all (demo only)
**Supported Targets**:
- SAP S/4HANA Cloud
- BTP ABAP Environment
- On-premise ABAP 1909+
---
## User Logon Properties (RFC)
### Core Properties
| Property | Description | Max Length | Case |
|----------|-------------|------------|------|
| `jco.client.user` | Username | 12 chars | Insensitive |
| `jco.client.alias_user` | Alias (alt to user) | 40 chars | Sensitive |
| `jco.client.passwd` | Password | 8-40 chars | Depends on NW version |
| `jco.client.lang` | Logon language | 2 chars | ISO code |
### Password Behavior
| NetWeaver Version | Max Length | Case Sensitive |
|-------------------|------------|----------------|
| < 7.0 | 8 chars | No |
| >= 7.0 | 40 chars | Yes |
### Authentication Types
**`jco.destination.auth_type`**:
| Value | Description |
|-------|-------------|
| `CONFIGURED_USER` | Direct credentials (default) |
| `PrincipalPropagation` | Business user SSO via tokens |
| `TechnicalUserPropagation` | Technical user token forwarding |
### Certificate-Based Login
| Property | Description |
|----------|-------------|
| `jco.client.tls_client_certificate_logon` | Enable cert login (1=yes) |
| Key Store Location | Path to keystore file |
| Key Store Password | Keystore password |
When certificate login is enabled, the username/password fields are hidden.
### Technical User Propagation
| Property | Description |
|----------|-------------|
| `jco.client.tech_user_id` | OAuth client ID |
| `jco.client.tech_user_secret` | OAuth client secret |
| `jco.client.tech_user_service_url` | Token service URL |
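A pre-flight check for the RFC destination property sets described under Target System Configuration and User Logon Properties, as an added example and not SAP tooling: it classifies a destination as direct, load-balanced or WebSocket, verifies the required properties, the virtual port pattern (`sapgw<##>` / `sapms<SID>`), the value ranges and lengths from the tables, and flags `jco.client.tls_trust_all=1` as a demo-only setting. The `Finding` type, the check wording and the sample destinations are constructed here.

```python
"""Added example, not SAP tooling: validate RFC destination properties
against the rules in the tables above. Finding, the messages and the sample
destinations are this example's own; property names and limits are from the
tables."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    level: str      # "error" blocks creation, "warn" needs a conscious decision
    message: str


def _digits(value: Optional[str], length: int) -> bool:
    return isinstance(value, str) and len(value) == length and value.isdigit()


def _zero_or_between(value: str, lo: int, hi: int) -> bool:
    """Keep-alive style values: 0 disables, otherwise lo..hi seconds."""
    try:
        iv = int(value)
    except (TypeError, ValueError):
        return False
    return iv == 0 or lo <= iv <= hi


def check_rfc_destination(props: Dict[str, str],
                          virtual_port: Optional[str] = None) -> List[Finding]:
    """Classify the destination from its properties and validate each set.
    virtual_port is the port of the matching Cloud Connector access-control
    entry, if known."""
    out: List[Finding] = []

    def err(msg: str) -> None:
        out.append(Finding("error", msg))

    def warn(msg: str) -> None:
        out.append(Finding("warn", msg))

    proxy = props.get("ProxyType")
    if "jco.client.wshost" in props or proxy == "Internet":
        # 3. WebSocket RFC over the Internet (S/4HANA 1909+)
        if proxy != "Internet":
            err("WebSocket RFC needs ProxyType Internet")
        for key in ("jco.client.wshost", "jco.client.wsport"):
            if key not in props:
                err(f"{key} is required for WebSocket RFC")
        if props.get("jco.client.tls_trust_all") == "1":
            warn("jco.client.tls_trust_all=1 accepts any server certificate; "
                 "demo only, configure a trust store instead")
        for key, hi in (("jco.destination.ws_ping_period", 86400),
                        ("jco.destination.ws_pong_timeout", 3600)):
            if key in props and not _zero_or_between(props[key], 10, hi):
                err(f"{key} must be 0 or 10-{hi} seconds")
    elif "jco.client.mshost" in props:
        # 2. Load balancing via message server
        if proxy != "OnPremise":
            err("load-balanced RFC via Cloud Connector needs ProxyType OnPremise")
        sid = props.get("jco.client.r3name")
        if not sid and "jco.client.msserv" not in props:
            err("jco.client.r3name or jco.client.msserv is required")
        if virtual_port and sid and virtual_port != f"sapms{sid}":
            err(f"virtual port should be sapms{sid}, got {virtual_port}")
    else:
        # 1. Direct connection to one application server
        if proxy != "OnPremise":
            err("direct RFC via Cloud Connector needs ProxyType OnPremise")
        if "jco.client.ashost" not in props:
            err("jco.client.ashost is required")
        sysnr = props.get("jco.client.sysnr")
        if not _digits(sysnr, 2):
            err("jco.client.sysnr must be a 2-digit system number")
        elif virtual_port and virtual_port != f"sapgw{sysnr}":
            err(f"virtual port should be sapgw{sysnr}, got {virtual_port}")

    client = props.get("jco.client.client")
    if client is not None and not _digits(client, 3):
        err("jco.client.client must be a 3-digit client number")
    user = props.get("jco.client.user")
    if user and len(user) > 12:
        err("jco.client.user exceeds 12 characters")
    if user and "jco.client.alias_user" in props:
        err("jco.client.user and jco.client.alias_user are alternatives")
    if props.get("jco.client.tls_client_certificate_logon") == "1" and (
            user or "jco.client.passwd" in props):
        warn("certificate logon enabled; user/password are ignored and "
             "should be removed from the destination")
    return out


# Constructed sample destinations: a valid direct one, a weak WebSocket one
# and its corrected form.
DIRECT_OK = {"ProxyType": "OnPremise", "jco.client.ashost": "sap-erp.virtual",
             "jco.client.sysnr": "00", "jco.client.client": "100",
             "jco.client.user": "SVC_BTP"}
WS_WEAK = {"ProxyType": "Internet", "jco.client.wshost": "s4hana.example.com",
           "jco.client.wsport": "443", "jco.client.tls_trust_all": "1",
           "jco.destination.ws_ping_period": "5"}
WS_FIXED = {**WS_WEAK, "jco.client.tls_trust_all": "0",
            "jco.destination.ws_ping_period": "60"}
```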
---
## SAP SuccessFactors Integration
### OAuth Client Setup
**Prerequisites**:
1. Download X.509 certificate from BTP Cockpit
- Navigate to Connectivity > Destinations
- Click "Download Trust"
**Configuration Steps**:
1. **Access OAuth Management**:
- SuccessFactors Admin Center
- Search "OAuth"
- Select "Manage OAuth2 Client Applications"
2. **Register Application**:
```
Application Name: <descriptive-name>
Application URL: https://api.cf.<region>.ondemand.com/<subaccount-GUID>
X.509 Certificate: <paste downloaded certificate>
```
3. **Get API Key**:
- Find client by name
- Click "View" in Actions
- Copy the API Key
**Use in Destination**:
```json
{
  "Name": "successfactors-dest",
  "Type": "HTTP",
  "URL": "https://<sf-instance>.successfactors.com",
  "Authentication": "OAuth2SAMLBearerAssertion",
  "ProxyType": "Internet",
  "audience": "www.successfactors.com",
  "apiKey": "<API-Key-from-SF>",
  "companyId": "<company-id>",
  "clientKey": "<client-key-from-sf-oauth>",
  "tokenServiceUrl": "https://<sf-api>.successfactors.com/oauth/token",
  "tokenServiceUser": "<token-service-user>",
  "tokenServicePassword": "<token-service-password>"
}
```
---
## Common Properties (Cloud Connector API)
### Instance Properties
| Property | Description | Values |
|----------|-------------|--------|
| `ha` | High availability role | `master`, `shadow` |
| `description` | Instance description | String |
| `version` | Software version (v2.14+) | String |
### API Endpoints
| Operation | Method | Endpoint |
|-----------|--------|----------|
| Get properties | GET | `/api/v1/configuration/connector` |
| Get version | GET | `/api/v1/connector/version` |
| Update description | PUT | `/api/v1/configuration/connector` |
### Role Requirements
| Operation | Required Roles |
|-----------|---------------|
| Read properties | Admin, Subaccount Admin, Display, Support |
| Update description | Administrator only |
---
## Prerequisites
### Cloud Foundry Environment
- SAP BTP subaccount with Cloud Foundry enabled
- Destination Service instance
- Connectivity Service instance (for on-premise)
- Cloud Connector (for on-premise systems)
### Kubernetes/Kyma Environment
- Kubernetes cluster with BTP integration
- Connectivity Proxy (for on-premise)
- Transparent Proxy (for simplified access)
- Destination Service instance
### Cloud Connector
- Supported OS (Windows, Linux, macOS)
- Java 8+ runtime
- Network access to BTP region hosts
- Network access to target backend systems
### On-Premise Systems
- SAP NetWeaver 4.6C+ (for RFC)
- SAP NetWeaver 7.0+ (for principal propagation)
- S/4HANA 1909+ (for WebSocket RFC)
---
## Connectivity Support
### Getting Help
**SAP Support Portal**:
- Component: `BC-CP-CON` (Connectivity)
- Component: `BC-CP-CF-SEC-DST` (Destination Service)
- Component: `BC-CP-TOOLS-SCC` (Cloud Connector)
**SAP Community**:
- Tag: `SAP BTP Connectivity`
- Tag: `Cloud Connector`
### Log Collection
**Cloud Connector**:
```bash
# Windows
%PROGRAMDATA%\SAP\scc\logs\
# Linux
/opt/sap/scc/logs/
```
**Kubernetes**:
```bash
kubectl logs deployment/connectivity-proxy -n <namespace>
kubectl logs deployment/transparent-proxy -n <namespace>
```
---
**Last Updated**: 2025-11-22
**Source Files**:
- connectivity-via-reverse-proxy-dde01af.md
- user-roles-b922fc8.md
- target-system-configuration-ab6eac9.md
- user-logon-properties-8b1e1c3.md
- create-an-oauth-client-in-sap-successfactors-69130a7.md
- common-properties-8aed644.md
- getting-started-daca64d.md
- prerequisites-e23f776.md
- connectivity-support-e5580c5.md
```
### references/java-sdk-development.md
```markdown
# Java APIs and SDK Development - Complete Reference
**Source**: [https://github.com/SAP-docs/btp-connectivity/tree/main/docs/1-connectivity-documentation](https://github.com/SAP-docs/btp-connectivity/tree/main/docs/1-connectivity-documentation)
---
## Overview
SAP BTP Connectivity provides Java APIs for destination access, though SAP Cloud SDK is recommended for new developments.
---
## API Status
| API | Status | Environment |
|-----|--------|-------------|
| ConnectivityConfiguration | Support-only | Cloud Foundry |
| AuthenticationHeaderProvider | Support-only | Cloud Foundry |
| SAP Cloud SDK | **Recommended** | Cloud Foundry, Kyma |
| Transparent Proxy | **Recommended** | Kubernetes, Kyma |
**Support-only**: Bug fixes and security patches only; no new features planned.
---
## Maven Dependencies
### Connectivity API Extension
```xml
<dependency>
  <groupId>com.sap.cloud.connectivity.apiext</groupId>
  <artifactId>com.sap.cloud.connectivity.apiext</artifactId>
  <version>${connectivity-apiext.version}</version>
  <scope>provided</scope>
</dependency>
```
### JCo (Java Connector for RFC)
```xml
<dependency>
  <groupId>com.sap.cloud</groupId>
  <artifactId>neo-java-web-api</artifactId>
  <version>4.108.9</version>
  <scope>provided</scope>
</dependency>
```
### SAP Cloud SDK (Recommended)
```xml
<dependency>
  <groupId>com.sap.cloud.sdk.cloudplatform</groupId>
  <artifactId>cloudplatform-connectivity</artifactId>
</dependency>
```
---
## ConnectivityConfiguration API
Retrieve destination configurations via JNDI lookup.
### Setup
**context.xml:**
```xml
<Resource name="connectivityConfiguration"
          type="com.sap.core.connectivity.api.configuration.ConnectivityConfiguration"
          factory="com.sap.core.connectivity.api.jndi.ServiceObjectFactory"/>
```
**manifest.yml:**
```yaml
env:
  USE_CONNECTIVITY_APIEXT: true
services:
  - my-xsuaa
  - my-destination-service
  - my-connectivity-service
```
### Usage
```java
import java.security.KeyStore;
import java.util.Map;
import javax.naming.Context;
import javax.naming.InitialContext;
import com.sap.core.connectivity.api.configuration.ConnectivityConfiguration;
import com.sap.core.connectivity.api.configuration.DestinationConfiguration;

// JNDI lookup of the resource declared in context.xml
Context ctx = new InitialContext();
ConnectivityConfiguration config = (ConnectivityConfiguration)
    ctx.lookup("java:comp/env/connectivityConfiguration");

// Get destination
DestinationConfiguration destConfig =
    config.getConfiguration("my-destination");

// Access properties
String authType = destConfig.getProperty("Authentication");
Map<String, String> allProps = destConfig.getAllProperties();

// Get keystore for SSL/TLS
KeyStore keyStore = destConfig.getKeyStore();
KeyStore trustStore = destConfig.getTrustStore();
```
### Priority Order
When destinations exist at multiple levels:
1. Instance/Subscription level (highest)
2. Subaccount level (lowest)
---
## AuthenticationHeaderProvider API
Retrieve prepared authentication headers for target systems.
### Setup
**context.xml:**
```xml
<Resource name="myAuthHeaderProvider"
          type="com.sap.core.connectivity.api.authentication.AuthenticationHeaderProvider"
          factory="com.sap.core.connectivity.api.jndi.ServiceObjectFactory"/>
```
### Usage
```java
import java.util.List;
import javax.naming.Context;
import javax.naming.InitialContext;
import com.sap.core.connectivity.api.authentication.AuthenticationHeader;
import com.sap.core.connectivity.api.authentication.AuthenticationHeaderProvider;
import com.sap.core.connectivity.api.configuration.DestinationConfiguration;

// JNDI lookup of the provider declared in context.xml
Context ctx = new InitialContext();
AuthenticationHeaderProvider authProvider = (AuthenticationHeaderProvider)
    ctx.lookup("java:comp/env/myAuthHeaderProvider");

// destConfig is the DestinationConfiguration obtained via ConnectivityConfiguration above
DestinationConfiguration destConfig = /* config.getConfiguration("my-destination") */ null;

// Principal Propagation (On-Premise SSO)
AuthenticationHeader ppHeader = authProvider.getPrincipalPropagationHeader();

// OAuth2 SAML Bearer Assertion
List<AuthenticationHeader> samlHeaders =
    authProvider.getOAuth2SAMLBearerAssertionHeaders(destConfig);

// OAuth2 Client Credentials
AuthenticationHeader ccHeader =
    authProvider.getOAuth2ClientCredentialsHeader(destConfig);
```
### Token Caching
- Tokens cached automatically
- Auto-refresh before expiration
- No manual cache management needed
---
## JCo (Java Connector) for RFC
### Sample Servlet
```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.sap.conn.jco.*;

@WebServlet("/rfc-demo")
public class JCoServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        try {
            // Get destination (name of the RFC destination configured in the Destination service)
            JCoDestination destination =
                JCoDestinationManager.getDestination("JCoDemoSystem");
            // Get function from the destination's repository
            JCoFunction function = destination.getRepository()
                .getFunction("STFC_CONNECTION");
            if (function == null) {
                throw new RuntimeException("Function not found");
            }
            // Set import parameters
            function.getImportParameterList()
                .setValue("REQUTEXT", "Hello from Cloud!");
            // Execute
            function.execute(destination);
            // Get export parameters
            String echoText = function.getExportParameterList()
                .getString("ECHOTEXT");
            String respText = function.getExportParameterList()
                .getString("RESPTEXT");
            // Output
            resp.getWriter().println("Echo: " + echoText);
            resp.getWriter().println("Response: " + respText);
        } catch (JCoException e) {
            throw new ServletException("RFC error: " + e.getMessage(), e);
        }
    }
}
```
### Working with Tables
```java
// Get table parameter (function is the JCoFunction obtained as in the servlet above)
JCoTable companyCodeTable = function.getTableParameterList()
    .getTable("COMPANYCODE_LIST");

// Iterate rows
while (companyCodeTable.nextRow()) {
    String compCode = companyCodeTable.getString("COMP_CODE");
    String compName = companyCodeTable.getString("COMP_NAME");
    System.out.println(compCode + ": " + compName);
}

// Add rows to input table
JCoTable inputTable = function.getTableParameterList().getTable("INPUT_DATA");
inputTable.appendRow();
inputTable.setValue("FIELD1", "value1");
inputTable.setValue("FIELD2", "value2");
```
### Connection Pool Access
```java
import com.sap.conn.jco.JCoDestination;
import com.sap.conn.jco.JCoDestinationManager;
import com.sap.conn.jco.JCoDestinationMonitor;

// Check pool statistics through the destination monitor
JCoDestination dest = JCoDestinationManager.getDestination("MyDest");
JCoDestinationMonitor monitor = dest.getMonitor();
int inUse = monitor.getUsedConnectionCount();     // connections currently handed out
int pooled = monitor.getPooledConnectionCount();  // idle connections kept in the pool
```
---
## SAP Cloud SDK (Recommended)
### Get Destination
```java
import com.sap.cloud.sdk.cloudplatform.connectivity.DestinationAccessor;
import com.sap.cloud.sdk.cloudplatform.connectivity.HttpDestination;

// Simple lookup
HttpDestination destination = DestinationAccessor
    .getDestination("my-destination")
    .asHttp();

// With user propagation
HttpDestination destWithUser = DestinationAccessor
    .getDestination("my-destination")
    .asHttp()
    .withUserToken();
```
### Execute HTTP Request
```java
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import com.sap.cloud.sdk.cloudplatform.connectivity.HttpClientAccessor;

// The client is bound to the destination, so the request path is relative to its URL
HttpClient client = HttpClientAccessor.getHttpClient(destination);
HttpResponse response = client.execute(new HttpGet("/api/resource"));
```
### Node.js (SAP Cloud SDK)
```javascript
const axios = require('axios');
const { getDestination } = require('@sap-cloud-sdk/connectivity');

async function callBackend(userJwt) {
  // Get destination; passing the user's JWT enables user propagation
  const destination = await getDestination({
    destinationName: 'my-destination',
    jwt: userJwt
  });
  // Use with HTTP client
  const response = await axios.get(destination.url + '/api/resource', {
    headers: destination.headers
  });
  return response.data;
}
```
---
## Application Router Setup
Required for multitenancy and user-specific service calls with JCo.
### manifest.yml
```yaml
applications:
  - name: approuter
    path: approuter
    buildpacks:
      - nodejs_buildpack
    memory: 120M
    env:
      # 0 disables TLS certificate verification for the whole Node.js process; keep it out of production
      NODE_TLS_REJECT_UNAUTHORIZED: 0
      destinations: >
        [{
          "name": "backend",
          "url": "https://backend-app.cfapps.eu10.hana.ondemand.com",
          "forwardAuthToken": true
        }]
    services:
      - my-xsuaa
```
### xs-app.json
```json
{
  "welcomeFile": "/index.html",
  "routes": [
    {
      "source": "^/api/(.*)$",
      "destination": "backend",
      "authenticationType": "xsuaa"
    }
  ]
}
```
---
## WebSocket RFC (Internet)
For direct RFC connections without Cloud Connector (S/4HANA 1909+):
### Configuration
```properties
jco.destination.proxy_type=Internet
jco.client.wshost=s4hana.example.com
jco.client.wsport=443
jco.client.tls=1
jco.client.tls_trust_all=0
jco.client.tls_trust_store_location=truststore.jks
jco.client.tls_trust_store_password=<password>
```
### Supported Systems
- SAP S/4HANA Cloud
- SAP BTP ABAP Environment
- SAP S/4HANA On-Premise 1909+
---
## Communication Behavior Parameters
| Property | Description | Default |
|----------|-------------|---------|
| `jco.client.trace` | Enable protocol traces (0/1) | 0 (off) |
| `jco.client.codepage` | SAP codepage (4-digit) | 1100 |
| `jco.client.delta` | Table delta management (0/1) | 1 (on) |
| `jco.client.serialization_format` | rowBased or columnBased | rowBased |
| `jco.client.network` | WAN or LAN | LAN |
---
## Encryption Keys
### Customer-Specific Encryption Keys (CSEK)
- Default encryption with SAP-managed keys
- No configuration required
- All properties encrypted except Name and FragmentName
### Customer-Managed Keys (CMK)
- Dual encryption: CSEK + customer key
- Requires SAP Data Custodian Key Management
- Full control: grant, revoke, rotate, delete keys
### Unencrypted Metadata
- Destination Name
- FragmentName
- Creation/modification timestamps
- Owning subaccount info
---
## Connectivity via Reverse Proxy (Not Recommended)
Alternative to Cloud Connector with significant drawbacks:
| Aspect | Reverse Proxy | Cloud Connector |
|--------|---------------|-----------------|
| Internet exposure | Yes (vulnerable) | No |
| DoS protection | Limited | Protected |
| RFC support | WebSocket only (S/4HANA 1909+) | Full RFC |
| Principal propagation | Difficult | Native support |
| Setup complexity | High | Low |
| IP filtering | Single IP only | Granular |
**Recommendation**: Use Cloud Connector instead.
---
## Documentation Links
- Destination Java APIs: [https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/destination-java-apis](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/destination-java-apis)
- ConnectivityConfiguration: [https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/connectivityconfiguration-api](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/connectivityconfiguration-api)
- AuthenticationHeaderProvider: [https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/authenticationheaderprovider-api](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/authenticationheaderprovider-api)
- SAP Cloud SDK: [https://sap.github.io/cloud-sdk/](https://sap.github.io/cloud-sdk/)
---
**Last Updated**: 2025-11-22
```
### references/mail-protocols.md
```markdown
# Mail Protocol Configuration Reference
Detailed configuration for mail destinations (SMTP, IMAP, POP3) and their secure variants.
**Source**: [https://github.com/SAP-docs/btp-connectivity/tree/main/docs/1-connectivity-documentation](https://github.com/SAP-docs/btp-connectivity/tree/main/docs/1-connectivity-documentation)
---
## Supported Protocols
| Protocol | Secure Variant | Default Port | Description |
|----------|----------------|--------------|-------------|
| SMTP | SMTPS | 25/587 | Outgoing mail (sending) |
| IMAP | IMAPS | 143/993 | Incoming mail (read/manage) |
| POP3 | POP3S | 110/995 | Incoming mail (download) |
---
## SMTP Configuration
### Required Properties
```
Name: <destination-name>
Type: MAIL
ProxyType: Internet | OnPremise
Authentication: BasicAuthentication | OAuth2ClientCredentials | OAuth2RefreshToken | OAuth2AuthorizationCode
mail.smtp.host: <smtp-server-address>
```
### Standard Properties
| Property | Description | Example |
|----------|-------------|---------|
| `mail.transport.protocol` | Transport protocol | `smtp` |
| `mail.smtp.host` | SMTP server address | `smtp.example.com` |
| `mail.smtp.port` | SMTP port (default: 587) | `587` |
| `mail.smtp.auth` | Enable authentication | `true` |
| `mail.smtp.starttls.enable` | Enable STARTTLS | `true` |
| `mail.user` | Username for authentication | `[email protected]` |
| `mail.password` | Password (if BasicAuth) | `****` |
| `mail.smtp.from` | Sender email address | `[email protected]` |
### SMTPS Properties (TLS/SSL)
| Property | Description | Example |
|----------|-------------|---------|
| `mail.transport.protocol` | Secure transport | `smtps` |
| `mail.smtps.host` | SMTPS server address | `smtp.example.com` |
| `mail.smtps.port` | SMTPS port (default: 465) | `465` |
| `mail.smtps.auth` | Enable authentication | `true` |
| `mail.smtps.ssl.enable` | Enable SSL | `true` |
### Port Guidelines
- **Port 25**: Traditional SMTP (often blocked by ISPs)
- **Port 587**: Submission port with STARTTLS (recommended)
- **Port 465**: SMTPS with implicit TLS
---
## IMAP Configuration
### Required Properties
```
Name: <destination-name>
Type: MAIL
ProxyType: Internet | OnPremise
Authentication: BasicAuthentication | NoAuthentication
mail.imap4.host: <imap-server-address>
```
### Standard Properties
| Property | Description | Example |
|----------|-------------|---------|
| `mail.store.protocol` | Store protocol | `imap` |
| `mail.imap4.host` | IMAP server address | `imap.example.com` |
| `mail.imap4.port` | IMAP port (default: 143) | `143` |
| `mail.imap4.auth` | Enable authentication | `true` |
| `mail.user` | Username | `[email protected]` |
| `mail.password` | Password | `****` |
| `mail.imap4.from` | Email address | `[email protected]` |
| `mail.transport.protocol` | Protocol for sending | `imap` |
### IMAPS Properties (TLS/SSL)
| Property | Description | Example |
|----------|-------------|---------|
| `mail.store.protocol` | Secure store | `imaps` |
| `mail.imaps.host` | IMAPS server address | `imap.example.com` |
| `mail.imaps.port` | IMAPS port (default: 993) | `993` |
| `mail.imaps.ssl.enable` | Enable SSL | `true` |
| `mail.imaps.starttls.enable` | Enable STARTTLS | `true` |
---
## POP3 Configuration
### Required Properties
```
Name: <destination-name>
Type: MAIL
ProxyType: Internet | OnPremise
Authentication: BasicAuthentication | NoAuthentication
mail.pop3.host: <pop3-server-address>
```
### Standard Properties
| Property | Description | Example |
|----------|-------------|---------|
| `mail.store.protocol` | Store protocol | `pop3` |
| `mail.pop3.host` | POP3 server address | `pop3.example.com` |
| `mail.pop3.port` | POP3 port (default: 110) | `110` |
| `mail.pop3.auth` | Enable authentication | `true` |
| `mail.user` | Username | `[email protected]` |
| `mail.password` | Password | `****` |
### POP3S Properties (TLS/SSL)
| Property | Description | Example |
|----------|-------------|---------|
| `mail.store.protocol` | Secure store | `pop3s` |
| `mail.pop3s.host` | POP3S server address | `pop3.example.com` |
| `mail.pop3s.port` | POP3S port (default: 995) | `995` |
| `mail.pop3s.ssl.enable` | Enable SSL | `true` |
---
## Authentication Options
### BasicAuthentication
```json
{
  "Name": "my-mail-destination",
  "Type": "MAIL",
  "ProxyType": "Internet",
  "Authentication": "BasicAuthentication",
  "User": "[email protected]",
  "Password": "<password>",
  "mail.smtp.host": "smtp.example.com",
  "mail.smtp.port": "587",
  "mail.smtp.auth": "true"
}
```
### OAuth2ClientCredentials
```json
{
  "Name": "my-mail-destination",
  "Type": "MAIL",
  "ProxyType": "Internet",
  "Authentication": "OAuth2ClientCredentials",
  "clientId": "<client-id>",
  "clientSecret": "<client-secret>",
  "tokenServiceURL": "https://auth.example.com/oauth/token",
  "tokenServiceURLType": "Dedicated",
  "mail.smtp.host": "smtp.example.com",
  "mail.smtp.port": "587"
}
```
### OAuth2RefreshToken
```json
{
  "Name": "my-mail-destination",
  "Type": "MAIL",
  "ProxyType": "Internet",
  "Authentication": "OAuth2RefreshToken",
  "clientId": "<client-id>",
  "clientSecret": "<client-secret>",
  "tokenServiceURL": "https://auth.example.com/oauth/token",
  "refreshToken": "<refresh-token>",
  "mail.imap4.host": "imap.example.com"
}
```
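The check below is an added example, not code from the SAP documentation or the skill repository. It encodes the protocol/port/TLS pairings from the SMTP, IMAP and POP3 tables above and the property requirements from the Authentication Options; the finding texts are its own convention and the destinations at the bottom are constructed.

```python
# protocol -> (property prefix, default port, property that turns on TLS)
PROTOCOLS = {
    "smtp":  ("mail.smtp",  587, "mail.smtp.starttls.enable"),
    "smtps": ("mail.smtps", 465, "mail.smtps.ssl.enable"),
    "imap":  ("mail.imap4", 143, None),
    "imaps": ("mail.imaps", 993, "mail.imaps.ssl.enable"),
    "pop3":  ("mail.pop3",  110, None),
    "pop3s": ("mail.pop3s", 995, "mail.pop3s.ssl.enable"),
}
IMPLICIT_TLS_PORTS = {465: "smtps", 993: "imaps", 995: "pop3s"}
# Authentication values accepted per base protocol (Required Properties above)
ALLOWED_AUTH = {
    "smtp": {"BasicAuthentication", "OAuth2ClientCredentials",
             "OAuth2RefreshToken", "OAuth2AuthorizationCode"},
    "imap": {"BasicAuthentication", "NoAuthentication"},
    "pop3": {"BasicAuthentication", "NoAuthentication"},
}
# Properties each type needs (Authentication Options above; AuthorizationCode not covered there)
REQUIRED_AUTH_PROPS = {
    "BasicAuthentication": ("User", "Password"),
    "OAuth2ClientCredentials": ("clientId", "clientSecret", "tokenServiceURL"),
    "OAuth2RefreshToken": ("clientId", "clientSecret", "tokenServiceURL", "refreshToken"),
}


def detect_protocol(dest):
    """Protocol declared via mail.transport/store.protocol, else implied by the host key."""
    for key in ("mail.transport.protocol", "mail.store.protocol"):
        if dest.get(key) in PROTOCOLS:
            return dest[key]
    for name, (prefix, _, _) in PROTOCOLS.items():
        if f"{prefix}.host" in dest:
            return name
    return None


def check_mail_destination(dest):
    """Return a list of findings; an empty list means the destination is consistent."""
    findings = []
    if dest.get("Type") != "MAIL":
        findings.append("Type must be MAIL")
    proto = detect_protocol(dest)
    if proto is None:
        findings.append("no mail.<protocol>.host property: protocol cannot be determined")
        return findings
    prefix, default_port, tls_flag = PROTOCOLS[proto]
    base, secure = proto.rstrip("s"), proto.endswith("s")
    if f"{prefix}.host" not in dest:
        findings.append(f"{prefix}.host is required for {proto}")

    port = dest.get(f"{prefix}.port", str(default_port))
    if not str(port).isdigit():
        findings.append(f"{prefix}.port '{port}' is not numeric")
    else:
        port = int(port)
        if secure and port != default_port:
            findings.append(f"{proto} normally uses port {default_port}, got {port}")
        if not secure and port in IMPLICIT_TLS_PORTS:
            findings.append(f"port {port} expects implicit TLS: use {IMPLICIT_TLS_PORTS[port]}")
    if secure and dest.get(tls_flag) != "true":
        findings.append(f"{tls_flag} should be true for {proto}")

    auth = dest.get("Authentication")
    if auth not in ALLOWED_AUTH[base]:
        findings.append(f"Authentication '{auth}' is not valid for {base} destinations")
    for key in REQUIRED_AUTH_PROPS.get(auth, ()):
        if not dest.get(key):
            findings.append(f"{auth} requires {key}")
    # Credentials on a plain protocol are only protected when STARTTLS is negotiated
    if not secure and auth != "NoAuthentication":
        starttls = proto == "smtp" and dest.get(tls_flag) == "true"
        if not starttls:
            findings.append(f"credentials would be sent in clear text: use {proto}s "
                            "or enable STARTTLS")
    return findings


# Constructed sample destinations (placeholders, no real servers)
SMTP_SUBMISSION = {
    "Name": "smtp-submission", "Type": "MAIL", "ProxyType": "Internet",
    "Authentication": "BasicAuthentication", "User": "mailer", "Password": "<password>",
    "mail.transport.protocol": "smtp", "mail.smtp.host": "smtp.example.com",
    "mail.smtp.port": "587", "mail.smtp.auth": "true", "mail.smtp.starttls.enable": "true",
}
IMAPS_MISCONFIGURED = {
    "Name": "imaps-mismatch", "Type": "MAIL", "ProxyType": "Internet",
    "Authentication": "OAuth2ClientCredentials", "clientId": "<client-id>",
    "mail.store.protocol": "imaps", "mail.imaps.host": "imap.example.com",
    "mail.imaps.port": "143",
}
POP3_PLAIN = {
    "Name": "pop3-plain", "Type": "MAIL", "ProxyType": "OnPremise",
    "Authentication": "BasicAuthentication", "User": "reader", "Password": "<password>",
    "mail.pop3.host": "virtual-pop3-host",
}

if __name__ == "__main__":
    for d in (SMTP_SUBMISSION, IMAPS_MISCONFIGURED, POP3_PLAIN):
        print(d["Name"], check_mail_destination(d) or "OK")
```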
---
## On-Premise Mail Destinations
For on-premise mail servers accessed via Cloud Connector:
```json
{
  "Name": "onprem-mail",
  "Type": "MAIL",
  "ProxyType": "OnPremise",
  "Authentication": "BasicAuthentication",
  "User": "mailuser",
  "Password": "<password>",
  "mail.smtp.host": "virtual-smtp-host",
  "mail.smtp.port": "25",
  "CloudConnectorLocationId": "my-location"
}
```
**Requirements**:
- Cloud Connector with access control configured for mail server
- Virtual host mapping in Cloud Connector
- TCP protocol enabled in access control
---
## Kubernetes/Transparent Proxy
### Consuming SMTP via Transparent Proxy
The Transparent Proxy performs SOCKS5 handshake automatically for on-premise mail connections.
**Multitenancy Support**:
```yaml
apiVersion: destination.connectivity.api.sap/v1
kind: Destination
metadata:
  name: smtp-destination
  annotations:
    transparent-proxy.connectivity.api.sap/tenant-subdomains: "tenant1,tenant2"
spec:
  destinationRef:
    name: my-smtp-destination
```
Creates separate Kubernetes services per tenant:
- `smtp-destination-tenant1.<namespace>`
- `smtp-destination-tenant2.<namespace>`
---
## Protocol Comparison
| Feature | SMTP | IMAP | POP3 |
|---------|------|------|------|
| **Purpose** | Send | Read/Manage | Download |
| **Message Storage** | N/A | Server-side | Client-side |
| **Folder Support** | N/A | Yes | No |
| **Sync Capability** | N/A | Full sync | Download only |
| **Best For** | Sending emails | Multi-device access | Single device |
---
## Troubleshooting
### Common Issues
| Issue | Cause | Solution |
|-------|-------|----------|
| Connection refused | Wrong port | Verify port number |
| Authentication failed | Wrong credentials | Check user/password |
| SSL handshake error | Certificate issue | Verify TLS/SSL config |
| Timeout | Firewall blocking | Check network rules |
### Port Verification
```bash
# Test SMTP connectivity
telnet smtp.example.com 587
# Test IMAP connectivity
telnet imap.example.com 993
# Test with OpenSSL
openssl s_client -connect smtp.example.com:465
```
---
## Cloud Connector Limitation
**Important**: Mail (SMTP, IMAP, POP3) communication is **not supported** through Cloud Connector for internet-to-on-premise scenarios. Cloud Connector only supports:
- HTTP/HTTPS
- RFC/RFC-SNC
- TCP (via SOCKS5)
- LDAP/LDAPS
For on-premise mail, use TCP destinations with SOCKS5 proxy.
---
**Last Updated**: 2025-11-22
**Source Files**:
- smtp-426527a.md, smtps-897df97.md
- imap-6037066.md, imaps-ceb84cb.md
- pop3-387e3e4.md, pop3s-76db66c.md
- mail-destinations-584bc93.md, mail-destinations-e3de817.md
```
### templates/destination-http-oauth.json
```json
{
"$comment": "SAP BTP HTTP Destination Templates - Example configurations for various authentication types. This is a template file with placeholder values, not a JSON Schema.",
"destinations": [
{
"$comment": "======== INTERNET DESTINATION WITH OAUTH2 CLIENT CREDENTIALS ========",
"Name": "my-api-destination",
"Type": "HTTP",
"URL": "https://api.example.com/v1",
"ProxyType": "Internet",
"Authentication": "OAuth2ClientCredentials",
"Description": "Connection to external API with OAuth2",
"$comment_auth": "OAuth2ClientCredentials Authentication Properties",
"clientId": "<your-client-id>",
"clientSecret": "<your-client-secret>",
"tokenServiceURL": "https://auth.example.com/oauth/token",
"tokenServiceURLType": "Dedicated",
"$comment_optional": "Optional OAuth Properties",
"scope": "read write",
"$comment_timeouts": "Optional Timeout Settings (numeric values)",
"URL.connectionTimeoutInSeconds": 30,
"URL.socketReadTimeoutInSeconds": 60
},
{
"$comment": "======== OAUTH2 SAML BEARER (USER PROPAGATION) ========",
"Name": "successfactors-destination",
"Type": "HTTP",
"URL": "https://api.successfactors.com/odata/v2",
"ProxyType": "Internet",
"Authentication": "OAuth2SAMLBearerAssertion",
"Description": "User propagation to SuccessFactors",
"$comment_auth": "OAuth2SAMLBearerAssertion Properties",
"audience": "www.successfactors.com",
"clientKey": "<your-client-key>",
"tokenServiceURL": "https://api.successfactors.com/oauth/token",
"companyId": "<your-company-id>",
"KeyStoreLocation": "<certificate-name>.p12",
"KeyStorePassword": "<keystore-password>",
"$comment_optional": "Optional SAML Properties",
"nameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
"authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"
},
{
"$comment": "======== OAUTH2 JWT BEARER ========",
"Name": "jwt-bearer-destination",
"Type": "HTTP",
"URL": "https://api.example.com",
"ProxyType": "Internet",
"Authentication": "OAuth2JWTBearer",
"Description": "Token exchange destination - exchanges user JWT for new access token",
"$comment_auth": "OAuth2JWTBearer Authentication Properties (Required)",
"clientId": "<your-client-id>",
"clientSecret": "<your-client-secret>",
"tokenServiceURL": "https://auth.example.com/oauth/token",
"$comment_optional": "Optional Properties - uncomment if needed",
"$_tokenServiceURLType": "Dedicated"
},
{
"$comment": "======== BASIC AUTHENTICATION ========",
"Name": "basic-auth-destination",
"Type": "HTTP",
"URL": "https://api.example.com",
"ProxyType": "Internet",
"Authentication": "BasicAuthentication",
"Description": "Simple username/password authentication",
"User": "<username>",
"Password": "<password>"
},
{
"$comment": "======== CLIENT CERTIFICATE ========",
"Name": "cert-auth-destination",
"Type": "HTTP",
"URL": "https://api.example.com",
"ProxyType": "Internet",
"Authentication": "ClientCertificateAuthentication",
"Description": "X.509 certificate authentication",
"KeyStoreLocation": "<certificate-name>.p12",
"KeyStorePassword": "<keystore-password>"
},
{
"$comment": "======== MULTI-TENANT (COMMON TOKEN URL) ========",
"Name": "multitenant-destination",
"Type": "HTTP",
"URL": "https://api.example.com",
"ProxyType": "Internet",
"Authentication": "OAuth2ClientCredentials",
"Description": "Multi-tenant destination with Common token URL",
"clientId": "<your-client-id>",
"clientSecret": "<your-client-secret>",
"tokenServiceURL": "https://{tenant}.auth.example.com/oauth/token",
"tokenServiceURLType": "Common"
}
],
"$usage": {
"instructions": [
"1. Copy the appropriate destination configuration",
"2. Replace all <placeholder> values with actual values",
"3. Remove $comment fields before import",
"4. Import via BTP Cockpit or Destination Service REST API"
],
"import_via_cockpit": [
"1. Navigate to Connectivity > Destinations",
"2. Select Import Destination",
"3. Upload JSON file"
],
"import_via_api": "POST /destination-configuration/v1/subaccountDestinations",
"security_best_practices": [
"NEVER commit actual secrets (clientSecret, KeyStorePassword) to version control",
"Use environment variables or secrets management for sensitive values",
"Store KeyStore files (.p12, .jks) in secure locations only",
"Rotate credentials regularly according to security policies",
"Use service-specific credentials with minimal required permissions"
]
}
}
```
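The helper below is an added example (not from the SAP documentation or the skill repository) that applies the `$usage` steps of the template above: drop every `$`-prefixed comment key, fill `<placeholder>` values from a mapping the caller builds (secrets read from the environment rather than typed into the file), and refuse to produce import payloads while any placeholder or literal secret remains. The shortened template inside it is constructed from two of the entries above.

```python
import re

PLACEHOLDER = re.compile(r"^<[^<>]+>$")   # e.g. "<your-client-secret>"
# Secret-bearing properties: must stay placeholders in the file and be supplied at import time
SECRET_KEYS = {"clientSecret", "Password", "KeyStorePassword", "refreshToken"}


def strip_comments(obj):
    """Recursively drop every key starting with '$' ($comment, $usage, ...)."""
    if isinstance(obj, dict):
        return {k: strip_comments(v) for k, v in obj.items() if not k.startswith("$")}
    if isinstance(obj, list):
        return [strip_comments(v) for v in obj]
    return obj


def prepare_for_import(template, values):
    """Turn the template into import-ready destination dicts (one per POST).

    values maps placeholder names (without the angle brackets) to real values,
    e.g. {"your-client-secret": os.environ["CLIENT_SECRET"]}.
    Raises ValueError listing every unresolved placeholder or literal secret.
    """
    ready, problems = [], []
    for dest in strip_comments(template)["destinations"]:
        name = dest.get("Name", "?")
        filled = {}
        for key, value in dest.items():
            is_placeholder = isinstance(value, str) and bool(PLACEHOLDER.match(value))
            if key in SECRET_KEYS and not is_placeholder:
                problems.append(f"{name}.{key}: literal secret in template file")
            if is_placeholder:
                token = value[1:-1]
                if token in values:
                    value = values[token]
                else:
                    problems.append(f"{name}.{key}: unresolved {value}")
            filled[key] = value
        for required in ("Name", "Type"):
            if required not in filled:
                problems.append(f"{name}: missing {required}")
        ready.append(filled)
    if problems:
        raise ValueError("template not import-ready: " + "; ".join(problems))
    return ready


# Constructed, shortened copy of two entries from the template above
TEMPLATE = {
    "$comment": "template with placeholder values, not a JSON Schema",
    "destinations": [
        {
            "$comment": "OAuth2 client credentials",
            "Name": "my-api-destination", "Type": "HTTP",
            "URL": "https://api.example.com/v1", "ProxyType": "Internet",
            "Authentication": "OAuth2ClientCredentials",
            "clientId": "<your-client-id>", "clientSecret": "<your-client-secret>",
            "tokenServiceURL": "https://auth.example.com/oauth/token",
            "tokenServiceURLType": "Dedicated",
        },
        {
            "$comment": "basic authentication",
            "Name": "basic-auth-destination", "Type": "HTTP",
            "URL": "https://api.example.com", "ProxyType": "Internet",
            "Authentication": "BasicAuthentication",
            "User": "<username>", "Password": "<password>",
        },
    ],
    "$usage": {"instructions": ["replace placeholders", "remove $comment fields"]},
}
```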
### templates/destination-onpremise.json
```json
{
"$comment": "SAP BTP On-Premise Destinations - Templates. This is a template file with placeholder values, not a JSON Schema.",
"destinations": [
{
"$comment": "======== HTTP ON-PREMISE WITH PRINCIPAL PROPAGATION ========",
"Name": "onprem-sap-gateway",
"Type": "HTTP",
"URL": "http://virtual-host:443/sap/opu/odata/sap/API_BUSINESS_PARTNER",
"ProxyType": "OnPremise",
"Authentication": "PrincipalPropagation",
"Description": "User propagation to on-premise SAP Gateway",
"$comment_location": "Required if multiple Cloud Connectors",
"CloudConnectorLocationId": "loc1",
"$comment_headers": "Optional custom headers",
"sap-client": "100"
},
{
"$comment": "======== HTTP ON-PREMISE WITH BASIC AUTH ========",
"Name": "onprem-basic-auth",
"Type": "HTTP",
"URL": "http://virtual-host:443/api",
"ProxyType": "OnPremise",
"Authentication": "BasicAuthentication",
"Description": "Technical user access to on-premise system",
"User": "<technical-user>",
"Password": "<password>",
"CloudConnectorLocationId": "loc1"
},
{
"$comment": "======== HTTP ON-PREMISE NO AUTH ========",
"Name": "onprem-no-auth",
"Type": "HTTP",
"URL": "http://virtual-host:8080/health",
"ProxyType": "OnPremise",
"Authentication": "NoAuthentication",
"Description": "Internal endpoint without authentication",
"CloudConnectorLocationId": "loc1"
},
{
"$comment": "======== RFC DESTINATION ========",
"Name": "onprem-rfc-destination",
"Type": "RFC",
"ProxyType": "OnPremise",
"Description": "RFC connection to on-premise SAP system",
"$comment_auth": "User Logon Properties",
"User": "<rfc-user>",
"Password": "<password>",
"$comment_target": "Target System Configuration",
"jco.client.ashost": "virtual-host",
"jco.client.sysnr": "00",
"jco.client.client": "100",
"jco.client.lang": "EN",
"$comment_pool": "Optional Pooling Configuration",
"jco.destination.pool_capacity": "10",
"jco.destination.peak_limit": "50",
"CloudConnectorLocationId": "loc1"
},
{
"$comment": "======== RFC WITH PRINCIPAL PROPAGATION ========",
"Name": "onprem-rfc-pp",
"Type": "RFC",
"ProxyType": "OnPremise",
"Authentication": "PrincipalPropagation",
"Description": "RFC with user propagation",
"jco.client.ashost": "virtual-host",
"jco.client.sysnr": "00",
"jco.client.client": "100",
"jco.client.lang": "EN",
"CloudConnectorLocationId": "loc1"
},
{
"$comment": "======== LDAP DESTINATION ========",
"Name": "onprem-ldap",
"Type": "LDAP",
"URL": "ldap://virtual-host:389",
"ProxyType": "OnPremise",
"Authentication": "BasicAuthentication",
"Description": "LDAP directory access",
"User": "cn=admin,dc=example,dc=com",
"Password": "<ldap-password>",
"CloudConnectorLocationId": "loc1"
},
{
"$comment": "======== LDAPS (SECURE) DESTINATION ========",
"Name": "onprem-ldaps",
"Type": "LDAP",
"URL": "ldaps://virtual-host:636",
"ProxyType": "OnPremise",
"Authentication": "BasicAuthentication",
"Description": "Secure LDAP directory access",
"User": "cn=admin,dc=example,dc=com",
"Password": "<ldap-password>",
"TrustStoreLocation": "<truststore-name>.jks",
"CloudConnectorLocationId": "loc1"
},
{
"$comment": "======== MAIL (SMTP) DESTINATION ========",
"Name": "onprem-smtp",
"Type": "MAIL",
"ProxyType": "OnPremise",
"Authentication": "BasicAuthentication",
"Description": "SMTP mail server",
"User": "<smtp-user>",
"Password": "<smtp-password>",
"mail.smtp.host": "virtual-host",
"mail.smtp.port": "25",
"mail.smtp.auth": "true",
"CloudConnectorLocationId": "loc1"
},
{
"$comment": "======== TCP DESTINATION ========",
"Name": "onprem-tcp",
"Type": "TCP",
"ProxyType": "OnPremise",
"Description": "Generic TCP connection",
"Address": "virtual-host:3306",
"CloudConnectorLocationId": "loc1"
}
],
"$cloud_connector_setup": {
"instructions": [
"1. Install Cloud Connector in on-premise network",
"2. Connect to your SAP BTP subaccount",
"3. Configure Access Control for each backend",
"4. Map virtual hosts to internal hosts",
"5. Expose required resources/paths",
"6. Note the Location ID if using multiple connectors"
],
"system_mapping": {
"virtual_host": "Name exposed to BTP (use in destination URL)",
"internal_host": "Actual hostname in on-premise network",
"virtual_port": "Port exposed to BTP",
"internal_port": "Actual port on internal system"
}
},
"$usage": {
"instructions": [
"1. Ensure Cloud Connector is configured",
"2. Copy the appropriate destination configuration",
"3. Replace virtual-host with your Cloud Connector mapping",
"4. Replace all <placeholder> values",
"5. Remove $comment fields before import"
]
}
}
```
### templates/connectivity-proxy-values.yaml
```yaml
# SAP BTP Connectivity Proxy for Kubernetes - Helm Values Template
# Source: https://github.com/SAP-docs/btp-connectivity
#
# Installation:
#   helm install connectivity-proxy \
#     oci://registry-1.docker.io/sapse/connectivity-proxy \
#     --version <version> \
#     --namespace <namespace> \
#     -f connectivity-proxy-values.yaml

# ============================================================
# IMAGE CONFIGURATION
# ============================================================
image:
  # Use SAP Docker registry
  registry: docker.io/sapse
  repository: connectivity-proxy
  # Specify version explicitly for reproducibility
  tag: ""  # Uses chart version if empty
  pullPolicy: IfNotPresent

# Image pull secrets for private registries
imagePullSecrets: []
# - name: my-registry-secret

# ============================================================
# REPLICA AND SCALING
# ============================================================
replicaCount: 2  # Minimum 2 for high availability

# Pod disruption budget
podDisruptionBudget:
  enabled: true
  minAvailable: 1

# Horizontal Pod Autoscaler
autoscaling:
  enabled: false
  minReplicas: 2
  maxReplicas: 10
  targetCPUUtilizationPercentage: 80
  targetMemoryUtilizationPercentage: 80

# ============================================================
# RESOURCE LIMITS
# ============================================================
resources:
  requests:
    cpu: 100m
    memory: 256Mi
  limits:
    cpu: 1000m
    memory: 1Gi

# ============================================================
# CONNECTIVITY SERVICE INTEGRATION
# ============================================================
config:
  integration:
    connectivityService:
      # Name of the Kubernetes secret containing the service credentials
      # (the secret shown at the end of this file)
      serviceCredentialsKey: connectivity-service-key
      # Subaccount configuration
      subaccountId: "<your-subaccount-id>"
      subaccountSubdomain: "<your-subaccount-subdomain>"
      # Optional: Location ID (must match Cloud Connector configuration)
      # locationId: "loc1"
      # Region host (usually auto-detected)
      # regionHost: "connectivitytunnel.cf.eu10.hana.ondemand.com"

  # ============================================================
  # PROXY SERVER CONFIGURATION
  # ============================================================
  servers:
    proxy:
      # HTTP proxy settings
      http:
        # Enable/disable HTTP proxy
        enabled: true
        # Listening port of the HTTP proxy
        port: 20003
        # mTLS between callers and the proxy. Disabled in this template;
        # enable it for production unless a service mesh (see the Istio
        # section below) terminates mTLS in front of the proxy.
        enableMTLS: false
      # Logging configuration
      logging:
        level: INFO  # DEBUG, INFO, WARN, ERROR
      # Authorization mode
      authorization:
        # oauth2 or none. "none" lets any workload that can reach the
        # proxy port tunnel into the on-premise network; keep oauth2 and
        # limit reachability with a NetworkPolicy.
        mode: oauth2

  # ============================================================
  # HIGH AVAILABILITY
  # ============================================================
  highAvailability:
    # Enable HA mode
    enabled: true

# ============================================================
# SERVICE CONFIGURATION
# ============================================================
service:
  type: ClusterIP
  port: 20003
  annotations: {}

# ============================================================
# ISTIO INTEGRATION (if using service mesh)
# ============================================================
# istio:
#   enabled: true
# # Disable internal mTLS when Istio handles it
# config:
#   servers:
#     proxy:
#       http:
#         enableMTLS: false

# ============================================================
# NETWORK POLICIES
# ============================================================
networkPolicy:
  enabled: false
  # Ingress rules
  ingress: []
  # Egress rules
  egress: []

# ============================================================
# POD CONFIGURATION
# ============================================================
nodeSelector: {}
tolerations: []
affinity: {}
# Example: spread across availability zones
# affinity:
#   podAntiAffinity:
#     preferredDuringSchedulingIgnoredDuringExecution:
#       - weight: 100
#         podAffinityTerm:
#           labelSelector:
#             matchExpressions:
#               - key: app
#                 operator: In
#                 values:
#                   - connectivity-proxy
#           topologyKey: topology.kubernetes.io/zone

# Security context
podSecurityContext:
  runAsNonRoot: true
  runAsUser: 1000
  fsGroup: 1000
securityContext:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true

# ============================================================
# HEALTH CHECKS
# ============================================================
livenessProbe:
  httpGet:
    path: /health
    port: 8080
  initialDelaySeconds: 30
  periodSeconds: 10
  failureThreshold: 3
readinessProbe:
  httpGet:
    path: /health
    port: 8080
  initialDelaySeconds: 5
  periodSeconds: 5
  failureThreshold: 3

# ============================================================
# SERVICE ACCOUNT
# ============================================================
serviceAccount:
  create: true
  annotations: {}
  name: ""

# ============================================================
# ADDITIONAL CONFIGURATION
# ============================================================
# Extra environment variables
extraEnvVars: []
# - name: MY_VAR
#   value: "my-value"
# Extra volumes
extraVolumes: []
# Extra volume mounts
extraVolumeMounts: []

# ============================================================
# CONNECTIVITY SERVICE SECRET TEMPLATE
# ============================================================
# Create this secret before installing the chart. Its name must match
# config.integration.connectivityService.serviceCredentialsKey above.
# Paste the service key JSON issued by the Connectivity Service binding;
# do not commit the filled-in manifest to source control.
#
#   apiVersion: v1
#   kind: Secret
#   metadata:
#     name: connectivity-service-key
#     namespace: <namespace>
#   type: Opaque
#   stringData:
#     connectivity_key: |
#       {
#         "clientid": "...",
#         "clientsecret": "...",
#         "url": "...",
#         "onpremise_proxy_host": "...",
#         "onpremise_proxy_port": "...",
#         "onpremise_proxy_http_port": "..."
#       }
```
### templates/transparent-proxy-values.yaml
```yaml
# SAP BTP Transparent Proxy for Kubernetes - Helm Values Template
# Source: https://github.com/SAP-docs/btp-connectivity
#
# Installation:
#   helm install transparent-proxy \
#     oci://registry-1.docker.io/sapse/transparent-proxy \
#     --version <version> \
#     --namespace <namespace> \
#     -f transparent-proxy-values.yaml

# ============================================================
# IMAGE CONFIGURATION
# ============================================================
image:
  registry: docker.io/sapse
  repository: transparent-proxy
  tag: ""  # Uses chart version if empty
  pullPolicy: IfNotPresent
imagePullSecrets: []

# ============================================================
# REPLICA AND SCALING
# ============================================================
replicaCount:
  # HTTP proxy replicas
  http: 2
  # TCP proxy replicas (for non-HTTP protocols)
  tcp: 1

# Horizontal Pod Autoscaler
autoscaling:
  http:
    enabled: false
    minReplicas: 2
    maxReplicas: 10
    targetCPUUtilizationPercentage: 80
  tcp:
    enabled: false
    minReplicas: 1
    maxReplicas: 5
    targetCPUUtilizationPercentage: 80

# Pod disruption budget
podDisruptionBudget:
  http:
    enabled: true
    minAvailable: 1
  tcp:
    enabled: true
    minAvailable: 1

# ============================================================
# RESOURCE LIMITS
# ============================================================
resources:
  http:
    requests:
      cpu: 100m
      memory: 128Mi
    limits:
      cpu: 500m
      memory: 256Mi
  tcp:
    requests:
      cpu: 50m
      memory: 64Mi
    limits:
      cpu: 200m
      memory: 128Mi

# ============================================================
# DESTINATION SERVICE INTEGRATION
# ============================================================
config:
  integration:
    destinationService:
      # Name of the Kubernetes secret containing the service credentials
      # (the secret shown at the end of this file)
      serviceCredentialsKey: destination-service-key
    # Connectivity Proxy integration (required for on-premise destinations)
    connectivityProxy:
      enabled: true
      # Service name of the Connectivity Proxy in the cluster
      serviceName: connectivity-proxy
      # Namespace (if different from the Transparent Proxy)
      # namespace: connectivity-namespace

  # ============================================================
  # TENANT MODE
  # ============================================================
  # shared:    a single Destination Service instance serves all tenants
  # dedicated: tenant-specific Destination Service instances
  tenantMode: shared

  # ============================================================
  # LOGGING
  # ============================================================
  logging:
    level: info  # debug, info, warn, error

  # ============================================================
  # MANAGED NAMESPACES
  # ============================================================
  # Namespaces in which the Transparent Proxy watches Destination
  # resources and creates Services. Empty = all namespaces; list only
  # the namespaces that consume destinations, so unrelated workloads
  # get no route to the backends.
  managedNamespaces: []
  # - namespace1
  # - namespace2

  # ============================================================
  # mTLS CONFIGURATION
  # ============================================================
  security:
    # mTLS between components. Disabled in this template; enable it
    # for production unless Istio (see below) provides it.
    mtls:
      enabled: false
    # Certificate manager settings (if not using Istio)
    certManager:
      enabled: true
      issuer: ""  # Name of the cert-manager issuer

# ============================================================
# SERVICE CONFIGURATION
# ============================================================
service:
  http:
    type: ClusterIP
    port: 80
  tcp:
    type: ClusterIP

# ============================================================
# ISTIO INTEGRATION
# ============================================================
# istio:
#   enabled: true
# # Disable internal mTLS when Istio handles it
# config:
#   security:
#     mtls:
#       enabled: false

# ============================================================
# POD CONFIGURATION
# ============================================================
nodeSelector: {}
tolerations: []
affinity: {}
podSecurityContext:
  runAsNonRoot: true
  runAsUser: 1000
  fsGroup: 1000
securityContext:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true

# ============================================================
# HEALTH CHECKS
# ============================================================
livenessProbe:
  httpGet:
    path: /healthz
    port: 8080
  initialDelaySeconds: 30
  periodSeconds: 10
readinessProbe:
  httpGet:
    path: /readyz
    port: 8080
  initialDelaySeconds: 5
  periodSeconds: 5

# ============================================================
# SERVICE ACCOUNT
# ============================================================
serviceAccount:
  create: true
  annotations: {}
  name: ""
# RBAC for managing Destination Custom Resources
rbac:
  create: true

# ============================================================
# DESTINATION SERVICE SECRET TEMPLATE
# ============================================================
# Create this secret before installing the chart. Its name must match
# config.integration.destinationService.serviceCredentialsKey above.
#
#   apiVersion: v1
#   kind: Secret
#   metadata:
#     name: destination-service-key
#     namespace: <namespace>
#   type: Opaque
#   stringData:
#     destination_key: |
#       {
#         "clientid": "...",
#         "clientsecret": "...",
#         "url": "...",
#         "uri": "..."
#       }

# ============================================================
# DESTINATION CUSTOM RESOURCE EXAMPLE
# ============================================================
# After installation, create Destination resources to expose BTP destinations:
#
#   apiVersion: destination.connectivity.api.sap/v1
#   kind: Destination
#   metadata:
#     name: my-api-destination
#     namespace: default
#   spec:
#     destinationRef:
#       name: my-btp-destination  # Name in the BTP Destination Service
#
# Access from pods in the cluster: http://my-api-destination.default/api/endpoint
#
# For destinations that carry their own credentials (e.g. BasicAuthentication,
# OAuth2ClientCredentials) the proxy attaches them to every request, so any pod
# that can reach the generated Service calls the backend as that identity.
# Restrict who may create Destination resources (RBAC) and who may reach the
# Service (managedNamespaces, NetworkPolicy).
```
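Both values files above ship with the security-relevant switches in their weak position (`enableMTLS: false`, `security.mtls.enabled: false`, `networkPolicy.enabled: false`, empty `managedNamespaces`, unreplaced `<placeholder>` strings) and each refers to a Secret that has to exist under the exact name given in `serviceCredentialsKey`. The following pre-install lint is an added example, not code from the secondsky/sap-skills skill or from SAP's charts: it walks a values dict and reports those conditions for both the Connectivity Proxy and the Transparent Proxy template. The key paths are taken from the two templates on this page rather than from the upstream chart schemas, and the sample dicts, the dummy subaccount values and the `harden()` edits are constructed for the example.

```python
"""Pre-install lint for the connectivity-proxy and transparent-proxy values
files on this page. Added example, not from the secondsky/sap-skills skill or
SAP's charts; key paths follow the two templates above, re-check them against
the chart version you deploy. Load a file with yaml.safe_load() and pass the
dict plus the Secret names present in the target namespace."""
import copy
import re

PLACEHOLDER = re.compile(r"<[^>]+>")  # the <...> markers used in the templates

def get_path(values, path, default=None):
    """Value at a dotted key path, or default if any level is missing."""
    node = values
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node

def find_placeholders(node, prefix=""):
    """Dotted paths of every string that still contains a <placeholder>."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            hits += find_placeholders(value, f"{prefix}{key}.")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits += find_placeholders(value, f"{prefix}{i}.")
    elif isinstance(node, str) and PLACEHOLDER.search(node):
        hits.append(prefix.rstrip("."))
    return hits

def _common_checks(values, secret_path, secrets, mtls_path):
    """Checks both charts share: placeholders, credentials Secret, mTLS, pod hardening."""
    f = [f"HIGH {p}: placeholder not replaced" for p in find_placeholders(values)]
    secret = get_path(values, secret_path)
    if secret not in secrets:
        f.append(f"HIGH {secret_path}: Secret {secret!r} missing in target namespace")
    if get_path(values, mtls_path) is not True and not get_path(values, "istio.enabled", False):
        f.append(f"MEDIUM {mtls_path}: mTLS off and no mesh declared (istio.enabled)")
    if get_path(values, "podSecurityContext.runAsNonRoot") is not True:
        f.append("MEDIUM podSecurityContext.runAsNonRoot: must be true")
    if get_path(values, "securityContext.allowPrivilegeEscalation") is not False:
        f.append("MEDIUM securityContext.allowPrivilegeEscalation: must be false")
    return f

def lint_connectivity_proxy(values, secrets):
    f = _common_checks(values, "config.integration.connectivityService.serviceCredentialsKey",
                       secrets, "config.servers.proxy.http.enableMTLS")
    mode = get_path(values, "config.servers.proxy.authorization.mode")
    if mode != "oauth2":  # "none": any pod that reaches the port can tunnel on-premise
        f.append(f"HIGH config.servers.proxy.authorization.mode: {mode!r}, expected 'oauth2'")
    if get_path(values, "networkPolicy.enabled") is not True:
        f.append("MEDIUM networkPolicy.enabled: false, proxy port reachable cluster-wide")
    return f

def lint_transparent_proxy(values, secrets):
    f = _common_checks(values, "config.integration.destinationService.serviceCredentialsKey",
                       secrets, "config.security.mtls.enabled")
    if not get_path(values, "config.managedNamespaces"):
        f.append("LOW config.managedNamespaces: empty, Services created in every namespace")
    cp = get_path(values, "config.integration.connectivityProxy", {})
    if cp.get("enabled") and not cp.get("serviceName"):
        f.append("HIGH config.integration.connectivityProxy.serviceName: missing")
    return f

# Constructed samples: the two templates above, reduced to the keys the lint reads.
CONNECTIVITY_TEMPLATE = {
    "config": {"integration": {"connectivityService": {
                   "serviceCredentialsKey": "connectivity-service-key",
                   "subaccountId": "<your-subaccount-id>",
                   "subaccountSubdomain": "<your-subaccount-subdomain>"}},
               "servers": {"proxy": {"http": {"enabled": True, "port": 20003, "enableMTLS": False},
                                     "authorization": {"mode": "oauth2"}}}},
    "networkPolicy": {"enabled": False},
    "podSecurityContext": {"runAsNonRoot": True},
    "securityContext": {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True},
}
TRANSPARENT_TEMPLATE = {
    "config": {"integration": {"destinationService": {"serviceCredentialsKey": "destination-service-key"},
                               "connectivityProxy": {"enabled": True, "serviceName": "connectivity-proxy"}},
               "managedNamespaces": [], "security": {"mtls": {"enabled": False}}},
    "podSecurityContext": {"runAsNonRoot": True},
    "securityContext": {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True},
}

def harden(values, chart):
    """Minimal edits that make a template pass the lint (dummy IDs, not real ones)."""
    v = copy.deepcopy(values)
    if chart == "connectivity-proxy":
        cs = v["config"]["integration"]["connectivityService"]
        cs["subaccountId"] = "00000000-0000-0000-0000-000000000000"  # constructed dummy
        cs["subaccountSubdomain"] = "example-subdomain"               # constructed dummy
        v["config"]["servers"]["proxy"]["http"]["enableMTLS"] = True
        v["networkPolicy"]["enabled"] = True
    else:
        v["config"]["security"]["mtls"]["enabled"] = True
        v["config"]["managedNamespaces"] = ["app"]
    return v
```

Against the templates as shipped, `lint_connectivity_proxy` reports the two placeholders, the disabled mTLS and the missing NetworkPolicy, and `lint_transparent_proxy` reports the disabled mTLS and the unrestricted `managedNamespaces`; after `harden()` both return an empty list as long as the referenced Secret exists. To run it on real files, feed `yaml.safe_load(open(path))` and the names from `kubectl get secrets -n <namespace> -o name`, and treat any HIGH finding as a blocker for `helm install`.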