The SAP Custom Domain service allows you to use your own custom domain (e.g., yourcompany.com) for applications hosted on SAP Business Technology Platform (BTP), replacing the default SAP-provided URLs. It enhances branding, security (with TLS/SSL certificates), and user experience.
In this blog we explain how to use the SAP Custom Domain service with self-signed certificates to expose integration flows deployed to the SAP Integration Suite runtime.
Users can then invoke the deployed integration flow endpoints through SAP Custom Domain Service endpoints with OpenSSL-generated self-signed certificates, as depicted in the diagram below.
This blog is broken down into the following steps:
1. Domain Registered with Squarespace
2. Azure DNS as the Authoritative DNS
3. Using SAP Custom Domain Service configured with Registered Domain and SaaS Routes
4. Generating Self-Signed certificates with OpenSSL and Add it to the Custom Domain Service Trust List
5. Create Process Integration Runtime instance in BTP subaccount with service key based on Self-Signed certificate
6. Using SAP Integration Suite to create integration flows for testing which uses both Client Certificate approach and User Role approach
7. Invoke the integration flow endpoint with Custom Domain Service route and self-signed certificates
Domain Registered with Squarespace
We start with a simple domain registration; this domain is configured later in the SAP Custom Domain service for testing purposes.
Here I registered a domain called mayurpoc.org.
Azure DNS as the Authoritative DNS
Instead of using your domain registrar’s default DNS servers, you delegate your domain’s DNS resolution to Azure DNS.
Create a DNS zone for the domain registered in the previous step and create a DNS record, i.e. a CNAME record that maps a host alias subdomain to the host of the integration flow endpoint deployed on the SAP Integration Suite runtime.
Copy all the Azure DNS name servers from the portal above and configure them in Squarespace for the registered domain.
This means you update the nameservers (NS records) at your domain registrar to point to the Azure DNS name servers. Azure DNS provides advanced DNS features (like traffic routing policies, private DNS zones, etc.) that your registrar might not offer.
Using SAP Custom Domain Service configured with Registered Domain and SaaS Routes
Under both the reserved domains and the custom domains, add the domain registered in the first step.
Create a SaaS route mapping, which maps the CNAME we created in the Azure DNS records to the actual Integration Suite runtime host URL.
Create a CSR under server certificates in the SAP Custom Domain service, download it, and use Certbot from Let's Encrypt to generate a server certificate for your custom domain.
certbot.exe certonly --manual --preferred-challenges dns --csr C:\path\to\your\existing.csr
Complete the DNS challenge when Certbot asks you to create DNS records in the Azure DNS zone.
Upon successful validation of the DNS records, Certbot generates the server certificate.
Upload the server certificate for the reserved domain and activate it.
Generating Self-Signed certificates with OpenSSL and Add it to the Custom Domain Service Trust List
Generating self-signed certificates with OpenSSL is a common task for development, testing, or internal-only applications where you don’t need a certificate signed by a trusted Certificate Authority (CA).
This command generates both a private key and a self-signed certificate directly.
openssl req -x509 -newkey rsa:2048 -nodes -keyout private.key -out certificate.crt -days 365 -subj "/CN=*.mayurpoc.org/O=SAP/OU=PM/L=Bengaluru/ST=Karnataka/C=IN"
Create a TLS configuration in the SAP Custom Domain service and add this self-signed certificate to the trust list.
This TLS configuration should be assigned to the server certificate activated for the configured reserved domain.
Create Process Integration Runtime instance in BTP subaccount with service key based on Self-Signed certificate.
Create a Process Integration Runtime instance of plan type integration-flow. Create a service key of key type “External certificate”.
Copy the self-signed CRT certificate content into External certificate and create the key.
Using SAP Integration Suite to create integration flows for testing which uses both Client Certificate approach and User Role approach
The first integration flow is based on a user role. It is intended for a simple authentication request from an external client, so this iflow returns a custom hardcoded response to an HTTP GET request.
The second integration flow is based on a client certificate, for which we have to configure the SubjectDN and IssuerDN in the HTTP sender channel.
Invoke the integration flow endpoint with Custom Domain Service route and self-signed certificates
Here I have used Postman to invoke the deployed integration flows. I have converted the OpenSSL self-signed certificates to PFX format and imported them in the Postman settings.
Invoked the integration flow endpoint for the first use case, i.e. the healthCheck iflow configured with User Role. As you can see, the invocation is successful with the self-signed certificate.
Invoked the integration flow endpoint for the second use case, i.e. the healthCheck_ssl iflow configured with Client Certificate. As you can see, the invocation is successful with the self-signed certificate.
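For the SubjectDN/IssuerDN configuration and the PFX conversion described above, the following is an added example (not part of the original blog) that reads both DNs from the certificate, builds the PFX, and confirms that the PFX holds the same certificate that was added to the trust list and service key. The subject, file names, pass phrase and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example; subject, file names and pass phrase are constructed.

# Throwaway key + self-signed cert in directory $1 (same form as the blog's command).
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$1/private.key" -out "$1/certificate.crt" \
    -subj "/CN=client.example.test/O=Example/C=IN" 2>/dev/null
  chmod 600 "$1/private.key"   # -nodes writes the key unencrypted, so restrict access
}

# Subject and issuer DN of certificate $1 in comma-separated (RFC 2253) display form.
subject_dn() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }
issuer_dn()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer= *//'; }

# SHA-256 fingerprint of a PEM certificate read from stdin.
fingerprint() { openssl x509 -noout -fingerprint -sha256 | cut -d= -f2; }

# Bundle key $1 and cert $2 into PFX $3. The pass phrase is read from $PFX_PASS,
# so it does not appear on the command line.
make_pfx() {
  openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout env:PFX_PASS
}

# Succeeds only if the certificate inside PFX $1 is the same one as PEM file $2.
pfx_matches() {
  in_pfx=$(openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys 2>/dev/null | fingerprint)
  on_disk=$(fingerprint < "$2")
  [ -n "$in_pfx" ] && [ "$in_pfx" = "$on_disk" ]
}

demo() {
  dir=$(mktemp -d) || return 1
  export PFX_PASS="constructed-demo-passphrase"
  make_cert "$dir" || return 1
  # For a self-signed certificate both values are identical.
  echo "SubjectDN: $(subject_dn "$dir/certificate.crt")"
  echo "IssuerDN:  $(issuer_dn "$dir/certificate.crt")"
  make_pfx "$dir/private.key" "$dir/certificate.crt" "$dir/client.pfx" || return 1
  pfx_matches "$dir/client.pfx" "$dir/certificate.crt" && echo "PFX carries the same certificate"
  rm -rf "$dir"
}
demo
```

Compare the printed DNs with the format the sender channel expects before copying them; the RFC 2253 form used here is only one of OpenSSL's display formats.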