Hello Everyone,
After analyzing and successfully implementing Custom Domain Service in SAP Build Work Zone, Standard Edition, I’m writing this blog to share my learnings. This post explains the concept of Custom Domain Service in SAP BTP and provides end-to-end steps to configure and use it with SAP Build Work Zone.
This blog will help you get started with SAP Custom Domain Service in SAP BTP Build Work Zone (Standard Edition).
Business Requirement
Our client required the use of a custom (client-specific) domain instead of the SAP standard domain.
By default, when accessing an SAP Build Work Zone site, the URL looks like this:
https://<SubAccount>.launchpad.cfapps.<DataCenter>.hana.ondemand.com/site/<site-alias>#Shell-home
(Here, we are using SAP Build Work Zone – Standard Edition. We can use it for the Advanced Edition too.)
The requirement was to replace this with a client-friendly URL, for example:
https://abc.com
OR
https://abcservices.abc.com
We initially tried redirecting traffic from
https://abcservices.abc.com to the SAP BTP Work Zone URL.
However, this approach didn’t meet the requirement because:
Network-level redirection works, but
The browser address bar changes to the SAP BTP URL,
The client URL (https://abcservices.abc.com) is no longer visible.
To solve this, we implemented SAP Custom Domain Service.
Prerequisites
Before starting the configuration, ensure the following prerequisites are met:
1. Enable Custom Domain Service
Add Custom Domain Service to your subaccount with the Standard plan.
Note: Another plan exists but is deprecated at the time of writing this blog.
SAP Help Document:
https://help.sap.com/docs/custom-domain/custom-domain-manager/initial-setup
Below is the screenshot from the subaccount for reference:
Please note that SAP charges based on the number of certificates you have uploaded in the Custom Domain Manager, irrespective of the number of custom domains.
2. Finalize Reserved and Custom Domains
Finalize your reserved domain and custom domains in advance.
Do’s:
Do not rush this step.
Finalize domains separately for Non-Prod (DEV & QA) and Prod subaccounts.
Changing domains later can be complex and time-consuming.
Don’ts:
Do not get the CSR signed by a trusted CA authority, because it involves cost and time.
If possible, don't configure the Non-Prod and Prod custom domains in a single Custom Domain Manager, because it will mess things up.
Try to keep the Custom Domain Service for Production separate.
Don't configure the Custom Domain Manager for Production until you succeed in the Non-Prod environment.
3. Runtime Destination Naming
Ensure the runtime destination names are finalized as per project standards, as these are referenced by applications.
Implementation Steps
Step 1: Define a Default Site
A default site is the site that opens when no site ID is specified in the URL.
Key points:
A default site is configured per custom domain.
It does not affect all domains in the subaccount.
A custom domain can be mapped to only one entry point, which is why it’s mapped to the default site and not to a specific site. Below is the screen shot of the default site:
Step 2: Identify the Reserved Domain
The reserved domain should be the parent domain, for example:
abc.com or abcservices.abc.com
The custom domain is created using the reserved domain, such as:
wz.abcservices.abc.com
Step 3: Define Custom Domains for Applications
Create custom domains for the following applications as needed:
SAP Build Work Zone
On-Premise Backend Systems (S/4HANA, CRM, BW, etc.) – Optional
Identity Authentication Service (IAS) – Optional
IAS works with the SAP standard domain by default. A custom domain for IAS is optional.
IAS Considerations
In our case, we did not configure a custom domain for IAS because:
IAS requires a separate CSR and CA-signed certificate.
This involves additional cost.
Wildcard certificates used in Custom Domain Manager do not work for IAS.
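Reference Documents:
https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/use-custom-domain-in-identity-authentication
https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/regional-availability?version=Cloud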
Step 4: Configure Custom Domain Manager
Add the reserved domain and custom domains in Custom Domain Manager.
Required Roles:
Assign the following roles to the user (Default or Custom IAS):
Custom Domain Administrator – Manage configurations
Custom Domain Viewer – View configurations
Once roles are assigned, you can access Custom Domain Manager from the subaccount.
Step 5: Create SaaS Routes
Create a SaaS route for each custom domain.
These routes act as redirection endpoints for:
SAP Build Work Zone
Backend systems (if applicable)
Step 6: Create TLS Configuration
Create a TLS configuration for secure communication.
SAP Help Document:
https://help.sap.com/docs/custom-domain/custom-domain-manager/manage-tls-configurations
Step 7: Generate CSR (Certificate Signing Request)
Generate a CSR from Custom Domain Manager and get it signed by a trusted Certificate Authority (CA).
CSR Generation Options
Option A: Individual Certificates
Generate one CSR per domain, for example:
s4.abcservices.abc.com
crm.abcservices.abc.com
bw.abcservices.abc.com
Option B: Wildcard Certificate
Generate a wildcard CSR:
CN: *.abcservices.abc.com
SAN: *.abcservices.abc.com, abcservices.abc.com
Certificate Signing Guidelines
Internal network → Internal CA is acceptable.
Public access → Internal CA will cause browser warnings.
Use a trusted CA like DigiCert.
Important Notes:
Verify CN and SAN before submitting CSR.
Certificates are valid only for the Custom Domain Manager instance from which the CSR was generated.
Non-Prod certificates cannot be reused in Prod.
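One way to carry out the "Verify CN and SAN" note before the CSR goes to the CA, as an added example that is not part of the original post: it checks every planned custom domain against a SAN list, using the rule that a wildcard covers exactly one leftmost label. The `dev.wz...` hostname is constructed for illustration.

```python
def san_matches(pattern, host):
    """True if one SAN dNSName entry covers host.

    A leading '*' stands for exactly one leftmost label, so it covers neither
    the bare parent domain nor names nested two levels deep.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def coverage(san_entries, planned_hosts):
    """Map every planned custom domain to the SAN entry covering it, or None."""
    return {host: next((s for s in san_entries if san_matches(s, host)), None)
            for host in planned_hosts}


# SAN list from Option B above.
WILDCARD_SAN = ["*.abcservices.abc.com", "abcservices.abc.com"]

# Planned custom domains: hostnames used on this page plus one constructed
# two-level name to show where the wildcard stops.
PLANNED = [
    "wz.abcservices.abc.com",
    "s4.abcservices.abc.com",
    "abcservices.abc.com",
    "dev.wz.abcservices.abc.com",   # constructed example, not from the page
]

if __name__ == "__main__":
    for host, entry in coverage(WILDCARD_SAN, PLANNED).items():
        print(f"{host:32} {'covered by ' + entry if entry else 'NOT COVERED'}")
```

The bare parent domain is covered only because it is listed as its own SAN entry; the wildcard alone would not match it.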
We generated a wildcard certificate for Production and a single certificate (including all SANs) for the Non-Prod system. Below is the certificate screenshot:
DigiCert Reference:
https://docs.digicert.com/en/certcentral/manage-certificates/reissue-an-ssl-tls-certificate.html
(Optional) IAS CSR Generation
Wildcard certificates do not work for IAS.
A separate CSR and certificate are required.
We skipped IAS custom domain due to additional cost and renewal overhead.
Step 8: Upload and Activate Certificate
Once signed, upload the certificate to Custom Domain Manager.
The certificate package includes:
Actual certificate
Intermediate certificate
Root certificate
Certificate Chain Format
Actual Certificate
+ Intermediate Certificate
+ Root Certificate
Tips:
Combine the full chain in a text file.
Remove extra spaces or blank lines.
Activate the certificate after upload.
Once activated:
Certificate expiry days are visible.
Renewal can be planned proactively.
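The chain order from Step 8 can be checked before upload. This added example (not from the original post or from SAP) strips stray whitespace from a pasted bundle and confirms by issuer and subject name that each certificate is issued by the next, ending in a self-signed root; it compares names only and does not verify signatures. The script and file names in the usage comment are hypothetical.

```python
import base64
import re
import sys
import textwrap

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Return the raw DER issuer and subject Name of one X.509 certificate."""
    _, pos, _ = read_tlv(der, 0)           # outer Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)         # tbsCertificate SEQUENCE
    fields = []                            # serial, sigAlg, issuer, validity, subject
    while len(fields) < 5:
        tag, _, end = read_tlv(der, pos)
        if tag != 0xA0:                    # skip the optional [0] version field
            fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def clean_bundle(text):
    """Extract PEM blocks, ignoring stray spaces and blank lines; return DER list."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(text)]

def to_pem(ders):
    """Re-emit the bundle with 64-column base64 and no blank lines."""
    return "".join("-----BEGIN CERTIFICATE-----\n"
                   + textwrap.fill(base64.b64encode(d).decode(), 64)
                   + "\n-----END CERTIFICATE-----\n" for d in ders)

def order_problems(ders):
    """List ordering faults for an actual -> intermediate -> root bundle."""
    names = [issuer_subject(d) for d in ders]
    faults = [f"cert {i} is not issued by cert {i + 1}"
              for i in range(len(names) - 1) if names[i][0] != names[i + 1][1]]
    if not names or names[-1][0] != names[-1][1]:
        faults.append("bundle is empty or does not end in a self-signed root")
    return faults

if __name__ == "__main__":                 # usage: python check_chain.py fullchain.pem
    certs = clean_bundle(open(sys.argv[1]).read())
    print(order_problems(certs) or f"{len(certs)} certificates, order OK")
```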
Final Result
After successful activation, SAP Build Work Zone is accessible using the custom domain:
https://wz.abccompany.company.com
Conclusion
I hope this blog helps you understand the Custom Domain Service concept and implement it successfully in SAP Build Work Zone projects.
Happy learning and implementing! 🚀
Regards,
Rohit Gera