Initial commit

This commit is contained in:
Zhongwei Li
2025-11-30 08:54:56 +08:00
commit 4b44ecffd4
17 changed files with 5701 additions and 0 deletions

@@ -0,0 +1,12 @@
{
"name": "sap-btp-cloud-platform",
"description": "Comprehensive SAP BTP reference for cloud development, deployment, and operations. Covers Cloud Foundry, Kyma, ABAP environments, identity providers, and multi-target applications.",
"version": "1.0.0",
"author": {
"name": "Zhongwei Li",
"email": "zhongweili@tubi.tv"
},
"skills": [
"./"
]
}
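
Review bot: the "version": "1.0.0" field disagrees with the version: "1.1.0" declared under metadata in the SKILL.md front matter added by this same commit, so a consumer cannot tell which release the content corresponds to. Pick one source of truth, or document that the manifest version tracks the plugin packaging and the SKILL.md value tracks the content.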

3
README.md Normal file

@@ -0,0 +1,3 @@
# sap-btp-cloud-platform
Comprehensive SAP BTP reference for cloud development, deployment, and operations. Covers Cloud Foundry, Kyma, ABAP environments, identity providers, and multi-target applications.
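
Review bot: the README body only repeats the manifest description and gives a reader nothing to act on. Add a pointer to SKILL.md and the references/ directory, and state the license, since the SKILL.md front matter declares license: GPL-3.0 but the README does not mention it.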

349
SKILL.md Normal file

@@ -0,0 +1,349 @@
---
name: sap-btp-cloud-platform
description: |
Comprehensive SAP Business Technology Platform (BTP) reference for cloud development, deployment, and operations. Use when setting up BTP accounts (global accounts, directories, subaccounts), working with Cloud Foundry environment (orgs, spaces, buildpacks, service bindings), deploying to Kyma environment (Kubernetes, modules, serverless functions), developing in ABAP environment (RAP, CDS, ADT), managing entitlements and quotas, configuring identity providers (SAP Cloud Identity Services, XSUAA), implementing authentication and authorization (role collections, trust configuration), using btp CLI or CF CLI, deploying multi-target applications (MTA), setting up connectivity (destinations, Cloud Connector), implementing CI/CD pipelines (SAP Continuous Integration and Delivery), extending SAP solutions (S/4HANA Cloud, SuccessFactors), or troubleshooting BTP services. Covers all three runtime environments with production-tested patterns.
Keywords: SAP BTP, SAP Business Technology Platform, Cloud Foundry, CF, Kyma, ABAP environment, subaccount, global account, directory, entitlements, quotas, btp CLI, CF CLI, MTA, multi-target application, XSUAA, SAP Authorization and Trust Management, Cloud Identity Services, Identity Authentication, destinations, Cloud Connector, service binding, buildpack, Kubernetes, serverless, RAP, CDS, CAP, SAP Cloud Application Programming Model, CI/CD, SAP Continuous Integration and Delivery, extensions, formations, trial account, free tier, enterprise account, consumption-based, subscription-based, CPEA, BTPEA, regions, availability zones, high availability, disaster recovery, audit logging, role collections, platform users, business users, Neo environment, service broker, space, org, namespace, Helm, Docker, Istio, API Gateway, Eventing
license: GPL-3.0
metadata:
version: "1.1.0"
last_verified: "2025-11-27"
source: "[https://github.com/SAP-docs/sap-btp-cloud-platform"](https://github.com/SAP-docs/sap-btp-cloud-platform")
---
# SAP BTP Cloud Platform
## Related Skills
- **sap-btp-best-practices**: Use for architectural best practices, account setup guidance, and production deployment patterns
- **sap-cap-capire**: Use for CAP application development on BTP Cloud Foundry or Kyma environments
- **sap-fiori-tools**: Use for deploying Fiori applications to BTP or configuring BTP destinations
- **sap-ai-core**: Use when implementing AI/ML workloads on BTP or setting up AI services
- **sap-abap**: Use when working with ABAP Environment on BTP or extending S/4HANA Cloud
- **sap-btp-connectivity**: Use for setting up secure connections to on-premise systems via Cloud Connector
- **sap-btp-service-manager**: Use for programmatic service instance management on BTP
Comprehensive reference for SAP Business Technology Platform covering all runtime environments, account management, security, and operations.
**Documentation Source**: [https://github.com/SAP-docs/sap-btp-cloud-platform](https://github.com/SAP-docs/sap-btp-cloud-platform)
**SAP Help Portal**: [https://help.sap.com/docs/btp](https://help.sap.com/docs/btp)
**SAP Discovery Center**: [https://discovery-center.cloud.sap/](https://discovery-center.cloud.sap/)
## 1. Platform Overview
SAP BTP integrates five technology portfolios: Application Development, Process Automation, Integration, Data & Analytics, and AI. Provides suite qualities: SAP Fiori UX, Cloud Identity Services, Master Data Integration, embedded analytics, SAP Task Center, and SAP Cloud ALM.
---
## 2. Account Model
### Hierarchy
```
Global Account → Directory (optional) → Subaccount (region-specific)
↓ CF: Org → Spaces
↓ Kyma: Cluster → Namespaces
↓ ABAP: System instance
```
### Key Entities
- **Global Account**: Contract with SAP, region-independent, manages entitlements
- **Directory**: Organizational container, up to 7 levels, optional entitlement management
- **Subaccount**: Region-specific deployment target hosting apps and services
- **Labels**: Metadata tags (up to 10 values per label)
### Account Types
- **Trial**: 90-day free exploration (4GB memory, 10 routes, 40 services, daily stops)
- **Enterprise**: Production use based on commercial contract
- **Free Tier**: Long-term testing with service-specific limits, no SLA
---
## 3. Environments
SAP BTP offers four runtime environments at the subaccount level:
### Cloud Foundry Environment
Open PaaS with polyglot support. Features: multiple buildpacks (Java, Node.js, Python, Go, PHP), spaces for separation, auto-scaling, SAP HANA integration.
```bash
cf login -a [https://api.cf.<region>.hana.ondemand.com](https://api.cf.<region>.hana.ondemand.com)
cf push my-app
cf bind-service my-app my-service-instance
```
**Structure**: Subaccount → Org (1:1) → Spaces
### Kyma Environment
Managed Kubernetes runtime based on open-source Kyma.
- **Default Modules**: istio (service mesh), api-gateway, btp-operator
- **Optional Modules**: serverless, eventing, application-connector, telemetry, keda
**Structure**: Subaccount → Cluster (1:1) → Namespaces
### ABAP Environment
Cloud ABAP development with RAP, CDS, SAP Fiori integration, ADT, 1:1 SAP HANA database per system.
**Use Cases**: Extend S/4HANA Cloud, build new cloud applications, transform ABAP custom code
### Neo Environment
**Status**: Sunsetting December 31, 2028. **Recommendation**: Migrate to CF/Kyma.
---
## 4. Commercial Models
### Consumption-Based
Access all eligible services with flexible usage. Flavors: SAP BTPEA, CPEA, Pay-As-You-Go. Benefits: Switch services on/off, access current and future services.
### Subscription-Based
Fixed cost for selected services, pay irrespective of consumption. Additional services require contract modification.
**Best Practice**: Use consumption-based for pilots, subscription for stable workloads.
## 5. Entitlements and Quotas
### Definitions
- **Entitlement**: Right to provision and consume a service plan
- **Quota**: Numeric quantity of consumption allowed
- **Service Plan**: Variant of a service (e.g., t-shirt sizes)
### Quota Types
- **Fixed**: Upper limit (subscription model)
- **Unlimited**: No limit, billed by usage (consumption model)
### Distribution Flow
Global Account → Directory (reserves) → Subaccount (consumes) → CF Space (optional)
---
## 6. Regions and Infrastructure
### Region Providers
| Provider | Examples |
|----------|----------|
| **SAP** | eu10, us10, ap10 |
| **AWS** | eu10, us10, ap10, ap11, ap12 |
| **Azure** | eu20, us20, ap20, jp20 |
| **Google Cloud** | us30, in30 |
| **Alibaba Cloud** | cn40 |
### Key Considerations
- Each subaccount assigned to exactly one region
- Multi-region requires separate deployments
- EU Access available in specific regions for compliance
- API endpoints vary by region instance
### Availability Zones
Multi-AZ deployment for high availability:
- Isolated power, network, cooling
- Automatic failover within region
- Both CF and Kyma support multi-AZ
---
## 7. User Management
### User Types
| Type | Description | Example |
|------|-------------|---------|
| **Platform Users** | Manage BTP infrastructure | Developers, administrators |
| **Business Users** | Use deployed applications | End users, customers |
### Identity Providers
| Provider | Use Case |
|----------|----------|
| **SAP ID Service** | Default, SAP community users |
| **SAP Cloud Identity Services** | Recommended for production |
| **Corporate IdP** | Via Identity Authentication proxy |
### Authorization Flow
```
Identity Provider
SAP BTP (Shadow Users)
Role Collections
Application/Service Access
```
---
## 8. Tools
### Key Tools Overview
- **Administration**: SAP BTP Cockpit (web), btp CLI (automation), REST APIs, Terraform, SAP Automation Pilot
- **Development**: SAP Business Application Studio (VS Code-based), SAP Build (low-code), SAP Cloud SDK (Java/JS), ADT for Eclipse (ABAP)
- **Kubernetes/Kyma**: kubectl, kubelogin (OIDC), Helm, Pack (buildpacks), Docker Desktop
### Essential CLI Commands
```bash
# btp CLI
btp login --url [https://cpcli.cf.<region>.hana.ondemand.com](https://cpcli.cf.<region>.hana.ondemand.com)
btp list accounts/subaccount
btp create accounts/subaccount --display-name "Dev"
btp assign security/role-collection "Subaccount Administrator" --to-user user@example.com
# CF CLI
cf login -a [https://api.cf.<region>.hana.ondemand.com](https://api.cf.<region>.hana.ondemand.com)
cf target -o my-org -s my-space
cf push my-app
cf bind-service my-app my-service
# kubectl
kubectl get pods -n my-namespace
kubectl apply -f deployment.yaml
kubectl logs -f deployment/my-app
```
---
## 9. Security Essentials
### Authentication
**Recommended**: Corporate IdP → SAP Cloud Identity Services → SAP BTP
**XSUAA** provides OAuth 2.0 authorization, role-based access control, and application security descriptors (xs-security.json).
### Trust Configuration
1. Configure Identity Authentication tenant
2. Establish trust in subaccount
3. Map role collections to IdP groups
4. Assign users via role collections
### Best Practices
- Use TLS 1.2+ (mandatory)
- Enable MFA for administrators
- Maintain backup administrators in default IdP
- Use provisioning over federation for production
- Implement audit logging
## 10. Connectivity
### Destinations
Connect to remote systems without hardcoding URLs. Key authentication methods:
- `NoAuthentication` (public APIs)
- `OAuth2ClientCredentials` (service-to-service)
- `OAuth2SAMLBearerAssertion` (user propagation)
- `PrincipalPropagation` (on-premise with Cloud Connector)
### Cloud Connector
Secure tunnel for on-premise connectivity with no inbound firewall ports, fine-grained access control, RFC/HTTP support, and principal propagation.
---
## 11. Development Patterns
### Programming Models
- **CAP**: Java/Node.js/TypeScript for enterprise services, domain-driven development
- **ABAP Cloud**: Cloud-ready ABAP with RAP
### Multi-Target Applications (MTA)
Package multiple modules for deployment. Core structure includes modules (app types: nodejs, html5) and resources (services like hana).
### Application Router
Single entry point providing static content serving, user authentication, URL rewriting, and request forwarding to microservices.
## 12. CI/CD
### SAP Continuous Integration and Delivery
Managed service supporting Cloud Foundry apps (Fiori, CAP), SAP Fiori for ABAP Platform, and SAP Integration Suite artifacts.
### Pipeline Setup
1. Activate service in BTP cockpit
2. Assign Administrator/Developer roles
3. Configure repository credentials
4. Add code repository (GitHub, GitLab, Bitbucket, Azure Repos)
5. Create and configure CI/CD jobs
### Delivery Options
- **CI/CD**: Java/HTML5/CAP, Kyma apps (Cloud Integration in development)
- **Cloud Transport Mgmt**: Java/HTML5/CAP, Cloud Integration, SAP Build Work Zone
---
## 13. Extensions
### Extension Architecture
Build loosely coupled extensions: SAP Solution → APIs & Events → SAP BTP Extension → Custom Business Logic
### System Registration
1. Register systems in global account
2. Create formations (logical groupings)
3. Enable API/event exchange
4. Deploy extensions
### Supported Solutions
- **Cloud Foundry**: S/4HANA Cloud, Marketing Cloud, SuccessFactors
- **Kyma**: Above + Commerce Cloud, Field Service Management
## 14. High Availability and Resilience
### Resilience Strategies
- **Multi-AZ**: Deploy across availability zones
- **Multi-Region**: Deploy across geographic regions
- **In-Metro DR**: Synchronous replication within region
### Failover Implementation
1. Deploy in two data centers
2. Keep applications synchronized (CI/CD)
3. Define failover detection (5xx errors, timeouts)
4. Plan failback procedure
### SLAs
- **RPO**: Maximum 5 minutes data loss
- **RTO**: Service restoration within 2 hours
## 15. Operations and Monitoring
### Key Tools
- **SAP Cloud ALM**: Real user and health monitoring
- **SAP Cloud Logging**: Observability across CF, Kyma
- **SAP Alert Notification**: Multi-channel notifications
- **Audit Log Viewer**: Activity tracking
### Best Practices
- Deploy multiple application instances
- Implement Application Autoscaler
- Use blue-green deployment for updates
- Set up automated alerting
- Regular compliance verification
---
## 16. Support
### Getting Support
- **SAP for Me**: [https://me.sap.com/](https://me.sap.com/)
- **SAP Community**: [https://community.sap.com/](https://community.sap.com/)
- **Support Components**: BC-CP-* (component codes)
### Operating Model
- **SAP manages**: Platform software updates, infrastructure monitoring, BTP service monitoring, global account provisioning
- **You manage**: Account strategy, application development and security, role assignments and integrations, application monitoring
## References
For detailed guidance, see the 13 reference files:
- `glossary.md` - Complete terminology (40+ terms)
- `cloud-foundry.md` - CF development and administration
- `kyma.md` - Kyma runtime and Kubernetes patterns
- `abap.md` - ABAP environment, RAP, CDS
- `security.md` - Authentication, authorization, identity
- `connectivity.md` - Destinations, Cloud Connector
- `development.md` - Development patterns, MTA, Application Router
- `administration.md` - Account management, btp CLI
- `operations.md` - Monitoring, alerting, logging
- `extensions.md` - SAP solution extensions, formations
- `tools.md` - CLI references, development tools
- `troubleshooting.md` - Common issues and solutions
- `regions-endpoints.md` - Region-specific API endpoints
## Source Documentation
- [https://github.com/SAP-docs/sap-btp-cloud-platform](https://github.com/SAP-docs/sap-btp-cloud-platform)
- [https://help.sap.com/docs/btp](https://help.sap.com/docs/btp)
- [https://discovery-center.cloud.sap/](https://discovery-center.cloud.sap/)
**Last Verified**: 2025-11-27
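
Review bot: the fenced bash blocks in "Cloud Foundry Environment" and "Essential CLI Commands" pass the endpoint as Markdown link markup, e.g. cf login -a [https://api.cf.<region>.hana.ondemand.com](https://api.cf.<region>.hana.ondemand.com), which is not a valid argument when copied into a shell; inside a code fence the URL should appear bare. The front-matter source: value has the same markup plus a stray quote inside the URL, so the YAML string no longer holds a usable link. Two content points should also be reconciled: the description says "all three runtime environments" while section 3 says "four runtime environments", and the Region Providers table lists eu10, us10, ap10 under both SAP and AWS. The btp assign security/role-collection "Subaccount Administrator" example omits --of-idp, which the same command in references/administration.md includes; keep the two consistent so an administrator grant always names its identity provider.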

97
plugin.lock.json Normal file

@@ -0,0 +1,97 @@
{
"$schema": "internal://schemas/plugin.lock.v1.json",
"pluginId": "gh:secondsky/sap-skills:skills/sap-btp-cloud-platform",
"normalized": {
"repo": null,
"ref": "refs/tags/v20251128.0",
"commit": "b9d09a8d2d4e29c6e2c212cc3166e0709dfa422e",
"treeHash": "f08d6401e3dc0b1ef6c571b032a5cac30f3122c42a2ff51608b8dd9e37757cbb",
"generatedAt": "2025-11-28T10:28:11.983607Z",
"toolVersion": "publish_plugins.py@0.2.0"
},
"origin": {
"remote": "git@github.com:zhongweili/42plugin-data.git",
"branch": "master",
"commit": "aa1497ed0949fd50e99e70d6324a29c5b34f9390",
"repoRoot": "/Users/zhongweili/projects/openmind/42plugin-data"
},
"manifest": {
"name": "sap-btp-cloud-platform",
"description": "Comprehensive SAP BTP reference for cloud development, deployment, and operations. Covers Cloud Foundry, Kyma, ABAP environments, identity providers, and multi-target applications.",
"version": "1.0.0"
},
"content": {
"files": [
{
"path": "README.md",
"sha256": "5bb0303107173549018e1be56a38dc2e5ee0552b991adc970da43b78206852d0"
},
{
"path": "SKILL.md",
"sha256": "44ecc2d2b91c358e8a0cc31b5eda0a3016b80c005ab0cbbe934a211a05548246"
},
{
"path": "references/operations.md",
"sha256": "117ac075baef6bd97f28d343669d733a880263f1642faa4241fdde1f138dfa76"
},
{
"path": "references/kyma.md",
"sha256": "d30314598cef75141f9f77c15fe5686c37aaf8d617e7edf2e4ab0e0579df8d4f"
},
{
"path": "references/extensions.md",
"sha256": "fb3633589c4b011950c5850ccb135769c091acf1d13abbf0dd310a217a66e4a3"
},
{
"path": "references/troubleshooting.md",
"sha256": "bc5c44d06d759e3a0b59897ec3d71291a4134df40f264a91ff89e34eb01d3a3f"
},
{
"path": "references/glossary.md",
"sha256": "ef2cfcaba7d140abfa551e41eade0dba002db83af9920732155c7365a75c4cee"
},
{
"path": "references/abap.md",
"sha256": "ae547104f469b06a41bad246c6cf2c6a569f703d68f5e7ff083dcbf2ca54d942"
},
{
"path": "references/administration.md",
"sha256": "d4b4775f5a2d1e0e47313d7a36f65070ab0c5cce755784f3f293984e9e245d13"
},
{
"path": "references/connectivity.md",
"sha256": "7d56b4e79427afa6d98808991345e0545488d617fbeb0cb54dbad0e5183a21cc"
},
{
"path": "references/regions-endpoints.md",
"sha256": "4deb20aa8be2c33f03410a213f6de036a8a897fed3f4d4b2ebe92157bc2a47df"
},
{
"path": "references/development.md",
"sha256": "81742518bd3324c820058891f7e1d238575f70af4e46a98bc9e1512c8290e2e0"
},
{
"path": "references/cloud-foundry.md",
"sha256": "afb23e58145abf735d63675b1ad884b8d02e32a641332186c33d95b70784ed9e"
},
{
"path": "references/security.md",
"sha256": "77b3ae6e2be0a36cc46658a243a08f32e2816ef21391d336dacbcb5ad61e2030"
},
{
"path": "references/tools.md",
"sha256": "217583563ae237c7644cc27090a7c12cc16d210b1d706d086644f150c15d71e9"
},
{
"path": ".claude-plugin/plugin.json",
"sha256": "ab019fbe42242565ad319e5390285d4a5f0e229346187a88e943c697a4b1d535"
}
],
"dirSha256": "f08d6401e3dc0b1ef6c571b032a5cac30f3122c42a2ff51608b8dd9e37757cbb"
},
"security": {
"scannedAt": null,
"scannerVersion": null,
"flags": []
}
}
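
Review bot: in the "security" block, "scannedAt" and "scannerVersion" are null while "flags" is an empty list, so a consumer that only checks for flags will treat an unscanned plugin as clean. Either omit "flags" until a scan has run or have consumers reject entries whose "scannedAt" is null. Under "origin", "repoRoot" records a local path (/Users/zhongweili/...) that carries no meaning for anyone verifying the lock and discloses a workstation username; drop it or store a repository-relative path. "repo" under "normalized" is null as well, which leaves the "ref" and "commit" next to it without a repository to resolve them against.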

397
references/abap.md Normal file

@@ -0,0 +1,397 @@
# ABAP Environment Reference
Complete guidance for SAP BTP ABAP environment development and administration.
**Source**: [https://github.com/SAP-docs/sap-btp-cloud-platform/tree/main/docs/10-concepts](https://github.com/SAP-docs/sap-btp-cloud-platform/tree/main/docs/10-concepts)
---
## Table of Contents
1. [ABAP Environment Overview](#abap-environment-overview)
2. [Service Plans and Metering](#service-plans-and-metering)
3. [System Creation](#system-creation)
4. [Development Tools](#development-tools)
5. [Programming Model](#programming-model)
6. [Communication Management](#communication-management)
7. [Lifecycle Management](#lifecycle-management)
8. [Integration](#integration)
---
## ABAP Environment Overview
The ABAP environment enables cloud ABAP development on SAP BTP.
### Key Features
- Latest ABAP platform cloud release
- SAP HANA database (1:1 per system)
- ABAP RESTful Application Programming Model (RAP)
- Core Data Services (CDS)
- SAP Fiori integration
- Released objects approach for APIs
### Use Cases
| Use Case | Description |
|----------|-------------|
| **Extensions** | Extend S/4HANA Cloud, SuccessFactors |
| **New Apps** | Build cloud-native ABAP applications |
| **Transformation** | Move existing ABAP to cloud |
| **Side-by-Side** | Complement SAP solutions |
### Architecture
```
ABAP System Instance
├── ABAP Runtime (Memory: ABAP Compute Units)
├── SAP HANA Database (Storage: HANA Compute Units)
├── Fiori Launchpad
└── Web Access (ADT, Launchpad)
```
---
## Service Plans and Metering
### Service Plans
| Plan | Use Case | Requirements |
|------|----------|--------------|
| **free** | Proof of concept | Auto-stops nightly, no SLA |
| **standard** | Dev/Test/Prod | Min 2 HANA CU + 1 ABAP CU |
| **saas_oem** | Multitenancy SaaS | Min 2 HANA CU + 1 ABAP CU |
### Compute Units
**ABAP Compute Unit (ACU)**:
- Configures runtime memory
- Measured in 16 GB blocks
- Volatile memory for application execution
- Billed hourly
**HANA Compute Unit (HCU)**:
- Configures persistent storage
- Measured in 16 GB blocks
- Retains data after restart
- Billed hourly
### Entitlement Requirements
For standard plan, assign all three:
1. `abap` service with `standard` plan
2. `abap_compute_unit` with quantity
3. `hana_compute_unit` with quantity
### Minimum Configuration
| Component | Minimum |
|-----------|---------|
| HANA Compute Units | 2 |
| ABAP Compute Units | 1 |
| Total Memory | 48 GB (32 HANA + 16 ABAP) |
### Free Plan Limitations
- Auto-stops every night
- Manual restart via Landscape Portal
- Community support only
- No SLA
- Limited resources
---
## System Creation
### Prerequisites
1. Subaccount with Cloud Foundry enabled
2. ABAP environment entitlements assigned
3. Space created
### Create via BTP Cockpit
1. Navigate to **Subaccount > Cloud Foundry > Spaces**
2. Open target space
3. Click **SAP HANA Cloud** or **Service Marketplace**
4. Find **ABAP environment**
5. Create instance with parameters:
```json
{
"admin_email": "admin@example.com",
"description": "Development System",
"is_development_allowed": true,
"sapsystemname": "DEV",
"size_of_runtime": 1,
"size_of_persistence": 4
}
```
### Create via CF CLI
```bash
cf create-service abap standard my-abap-system -c '{
"admin_email": "admin@example.com",
"description": "Development System",
"is_development_allowed": true,
"sapsystemname": "DEV",
"size_of_runtime": 1,
"size_of_persistence": 4
}'
```
### System Parameters
| Parameter | Description |
|-----------|-------------|
| `admin_email` | Initial admin user email |
| `sapsystemname` | 3-char system ID |
| `is_development_allowed` | Enable dev features |
| `size_of_runtime` | ABAP Compute Units |
| `size_of_persistence` | HANA Compute Units |
---
## Development Tools
### ABAP Development Tools (ADT)
Eclipse-based IDE for ABAP development:
1. Install Eclipse (latest supported version)
2. Install ADT plugin from SAP update site
3. Connect to ABAP system
**ADT Update Site**: [https://tools.hana.ondemand.com/latest](https://tools.hana.ondemand.com/latest)
### ADT Features
- ABAP Editor with code completion
- CDS Editor
- Debugger
- Unit Test Runner
- Transport Management
- Git Integration (abapGit)
### Connecting ADT
1. **File > New > ABAP Cloud Project**
2. Select **SAP BTP, ABAP Environment**
3. Enter service key or use browser login
4. Select system and log in
### Service Key for ADT
```bash
cf create-service-key my-abap-system my-key
cf service-key my-abap-system my-key
```
### Web Access
| Component | URL Pattern |
|-----------|-------------|
| Fiori Launchpad | `[https://<system>.abap.<region>.hana.ondemand.com/`](https://<system>.abap.<region>.hana.ondemand.com/`) |
| SAP GUI for HTML | Via Fiori Launchpad |
| ADT | Via Eclipse with service key |
---
## Programming Model
### ABAP RESTful Application Programming Model (RAP)
Modern ABAP development approach:
```
CDS Data Model → Behavior Definition → Service Definition → Service Binding
```
### CDS Data Model
```abap
@AccessControl.authorizationCheck: #CHECK
define root view entity ZI_Product
as select from zproduct
{
key product_id as ProductId,
product_name as ProductName,
@Semantics.amount.currencyCode: 'Currency'
price as Price,
currency as Currency
}
```
### Behavior Definition
```abap
managed implementation in class zbp_i_product unique;
strict ( 2 );
define behavior for ZI_Product alias Product
persistent table zproduct
lock master
authorization master ( instance )
{
create;
update;
delete;
field ( readonly ) ProductId;
field ( mandatory ) ProductName;
validation validateProduct on save { create; update; }
determination setDefaults on modify { create; }
}
```
### Service Definition
```abap
@EndUserText.label: 'Product Service'
define service ZUI_PRODUCT {
expose ZI_Product as Product;
}
```
### Service Binding
Create via ADT:
1. Right-click service definition
2. New > Service Binding
3. Select binding type (OData V2/V4, UI)
4. Activate and publish
---
## Communication Management
### Communication Scenarios
Predefined integration patterns:
| Type | Description |
|------|-------------|
| **Inbound** | External calls to ABAP |
| **Outbound** | ABAP calls external systems |
### Communication Arrangement
```
Communication Scenario → Communication System → Communication User
```
### Creating Outbound Communication
1. Create Communication System (target system details)
2. Create Outbound Communication User (credentials)
3. Create Communication Arrangement (link scenario + system)
### HTTP Destination
```abap
DATA(lo_destination) = cl_http_destination_provider=>create_by_comm_arrangement(
comm_scenario = 'Z_MY_SCENARIO'
service_id = 'Z_MY_SERVICE'
).
DATA(lo_client) = cl_web_http_client_manager=>create_by_http_destination( lo_destination ).
DATA(lo_response) = lo_client->execute( if_web_http_client=>get ).
```
---
## Lifecycle Management
### Software Components
Git-based source code management:
```
Software Component (Git repo)
├── Package 1
│ ├── Classes
│ ├── CDS Views
│ └── Services
└── Package 2
```
### Transport Management
| Transport Type | Use |
|----------------|-----|
| **Workbench** | Development objects |
| **Customizing** | Configuration |
### Release and Import
1. Release transport request in source system
2. Export via gCTS or Cloud Transport Management
3. Import to target system
### Landscape Configuration
```
Development → Test → Production
↓ ↓ ↓
Clone Import Import
```
---
## Integration
### Integrated SAP BTP Services
| Service | Integration |
|---------|-------------|
| SAP Destination Service | Connectivity |
| SAP Build Work Zone | Launchpad |
| SAP Build Process Automation | Workflows |
| SAP Forms by Adobe | PDF forms |
| SAP Cloud Identity Services | Authentication |
### Fiori Elements
Automatic UI generation from CDS annotations:
```abap
@UI.headerInfo: {
typeName: 'Product',
typeNamePlural: 'Products',
title: { type: #STANDARD, value: 'ProductName' }
}
@UI.lineItem: [{ position: 10, label: 'Product ID' }]
@UI.identification: [{ position: 10 }]
ProductId,
```
---
## Regions
### Available Regions
| Region | Provider | Technical Name |
|--------|----------|----------------|
| EU (Frankfurt) | AWS | eu10 |
| US East | AWS | us10 |
| Japan (Tokyo) | AWS | jp10 |
| Australia (Sydney) | AWS | ap10 |
| Singapore | AWS | ap11 |
| EU (Netherlands) | Azure | eu20 |
| US West | Azure | us20 |
| Japan (Tokyo) | Azure | jp20 |
Full list: [https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/10-concepts/regions-and-api-endpoints-for-the-abap-environment-879f373.md](https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/10-concepts/regions-and-api-endpoints-for-the-abap-environment-879f373.md)
---
## Related Documentation
- ABAP Environment: [https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/10-concepts/abap-environment-11d6265.md](https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/10-concepts/abap-environment-11d6265.md)
- Service Plans: [https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/10-concepts/service-plans-and-metering-for-sap-btp-abap-environment-b7f5a93.md](https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/10-concepts/service-plans-and-metering-for-sap-btp-abap-environment-b7f5a93.md)
- Getting Started: [https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/20-getting-started/getting-started-in-the-abap-environment-2ffdd24.md](https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/20-getting-started/getting-started-in-the-abap-environment-2ffdd24.md)
- SAP Help Portal: [https://help.sap.com/docs/btp/sap-business-technology-platform/abap-environment](https://help.sap.com/docs/btp/sap-business-technology-platform/abap-environment)
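
Review bot: the RAP example under "Programming Model" sets @AccessControl.authorizationCheck: #CHECK and authorization master ( instance ), but the file never shows the access control (DCL) role or the authorization handler those declarations rely on, so a reader copying the snippets has no example of where access is actually restricted. Add the matching access control and a note on implementing the instance authorization method, or state that they are omitted. In "Service Key for ADT", cf service-key prints the key's credentials to the terminal; say so and add the cf delete-service-key step for when the key is no longer needed. The Fiori Launchpad URL pattern in the "Web Access" table carries Markdown link markup inside the backticks, and the Table of Contents stops at "Integration" although the file continues with "Regions" and "Related Documentation".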

@@ -0,0 +1,427 @@
# Administration Reference
Complete guidance for SAP BTP account administration and operations.
**Source**: [https://github.com/SAP-docs/sap-btp-cloud-platform/tree/main/docs/50-administration-and-ops](https://github.com/SAP-docs/sap-btp-cloud-platform/tree/main/docs/50-administration-and-ops)
---
## Table of Contents
1. [Account Administration](#account-administration)
2. [Entitlement Management](#entitlement-management)
3. [User and Role Management](#user-and-role-management)
4. [Default Role Collections](#default-role-collections)
5. [Environment Management](#environment-management)
6. [Service Management](#service-management)
7. [Monitoring and Logging](#monitoring-and-logging)
8. [Backup and Recovery](#backup-and-recovery)
---
## Account Administration
### Global Account Operations
```bash
# List subaccounts
btp list accounts/subaccount
# Get global account details
btp get accounts/global-account
# Update global account
btp update accounts/global-account --display-name "New Name"
```
### Subaccount Operations
```bash
# Create subaccount
btp create accounts/subaccount \
--display-name "Development" \
--subdomain dev-acme \
--region eu10 \
--subaccount-admins admin@example.com
# Update subaccount
btp update accounts/subaccount <id> \
--display-name "New Name" \
--description "Updated description"
# Delete subaccount
btp delete accounts/subaccount <id>
# Move subaccount to directory
btp move accounts/subaccount <id> --to-directory <dir-id>
```
### Directory Operations
```bash
# Create directory
btp create accounts/directory \
--display-name "Business Unit A" \
--directory-features ENTITLEMENTS,AUTHORIZATIONS
# List directories
btp list accounts/directory
# Delete directory
btp delete accounts/directory <id>
```
### Labels
```bash
# Add label to subaccount
btp add accounts/label --subaccount <id> \
--name "Environment" --value "Development"
# List labels
btp list accounts/label --subaccount <id>
# Remove label
btp remove accounts/label --subaccount <id> --name "Environment"
```
---
## Entitlement Management
### View Entitlements
```bash
# Global account entitlements
btp list accounts/entitlement
# Subaccount assignments
btp list accounts/entitlement --subaccount <id>
```
### Assign Entitlements
```bash
# Assign to subaccount
btp assign accounts/entitlement \
--to-subaccount <id> \
--for-service hana-cloud \
--plan hana \
--amount 1
# Assign to directory
btp assign accounts/entitlement \
--to-directory <id> \
--for-service xsuaa \
--plan application \
--amount 10
```
### Common Services to Assign
| Service | Plan | Description | Availability |
|---------|------|-------------|--------------|
| `cloudfoundry` | `standard` | CF runtime | All CF regions |
| `kymaruntime` | `aws` / `azure` / `gcp` | Kyma runtime | Selected regions only |
| `abap` | `standard` | ABAP environment | Selected regions only |
| `hana-cloud` | `hana` | HANA Cloud database | All regions |
| `xsuaa` | `application` | Authorization service | All regions |
| `destination` | `lite` | Destination service | All regions |
| `connectivity` | `lite` | Connectivity service | All regions |
| `application-logs` | `lite` | Application logging | All regions |
> **Note**: Services marked "Selected regions only" require checking regional availability in BTP Cockpit
> or SAP Discovery Center before assignment. Kyma/ABAP availability varies by IaaS provider and region.
---
## User and Role Management
### User Operations
```bash
# Assign user to role collection
btp assign security/role-collection "Subaccount Administrator" \
--to-user user@example.com \
--of-idp sap.ids
# Remove user from role collection
btp unassign security/role-collection "Subaccount Administrator" \
--from-user user@example.com \
--of-idp sap.ids
# List role collection assignments
btp list security/role-collection
```
### Group Mapping
```bash
# Map IdP group to role collection
btp assign security/role-collection "Developers" \
--to-group "BTP_Developers" \
--of-idp my-corporate-idp
# Remove group mapping
btp unassign security/role-collection "Developers" \
--from-group "BTP_Developers" \
--of-idp my-corporate-idp
```
### Trust Configuration
```bash
# List trust configurations
btp list security/trust
# Get trust details
btp get security/trust <idp-origin>
```
---
## Default Role Collections
### Global Account Level
| Role Collection | Description |
|-----------------|-------------|
| **Global Account Administrator** | Full access to global account, entitlements, subaccounts |
| **Global Account Viewer** | Read-only access to global account |
### Directory Level
| Role Collection | Description |
|-----------------|-------------|
| **Directory Administrator** | Manage directory, entitlements, subaccounts |
| **Directory Viewer** | Read-only access to directory |
### Subaccount Level
| Role Collection | Description |
|-----------------|-------------|
| **Subaccount Administrator** | Full access to subaccount |
| **Subaccount Viewer** | Read-only access to subaccount |
| **Subaccount Service Administrator** | Manage service brokers |
| **Cloud Connector Administrator** | Manage Cloud Connector |
| **Destination Administrator** | Manage destinations and trust |
| **Connectivity and Destination Administrator** | Combined CC + destinations |
### Cloud Foundry Roles
| Role | Description |
|------|-------------|
| **Org Manager** | Manage org settings, spaces, quotas |
| **Org Auditor** | View-only access to org |
| **Space Manager** | Manage space settings, members |
| **Space Developer** | Deploy apps, manage services |
| **Space Auditor** | View-only access to space |
---
## Environment Management
### Cloud Foundry
```bash
# Create CF environment
btp create accounts/environment-instance \
--subaccount <id> \
--environment cloudfoundry \
--plan standard \
--landscape eu10-004
# List environments
btp list accounts/environment-instance --subaccount <id>
# Delete environment
btp delete accounts/environment-instance <env-id> --subaccount <id>
```
### Kyma
```bash
# Create Kyma environment
btp create accounts/environment-instance \
--subaccount <id> \
--environment kyma \
--plan aws \
--parameters '{"name":"my-kyma"}'
# Get Kyma kubeconfig
# Download from BTP Cockpit or use Kyma Dashboard
```
---
## Service Management
### Service Instances
```bash
# Discover available services and plans
cf marketplace
# CF CLI - Create service instance
cf create-service <service> <plan> <name> -c '<parameters>'
# CF CLI - List services
cf services
# CF CLI - Update service
cf update-service <name> -p <new-plan> -c '<parameters>'
# CF CLI - Delete service
cf delete-service <name>
```
### Service Bindings
```bash
# Bind to app
cf bind-service <app> <service> -c '<parameters>'
# Create service key (for external access)
cf create-service-key <service> <key-name>
# View service key
cf service-key <service> <key-name>
```
### Service Broker Management
```bash
# Register service broker
cf create-service-broker <name> <user> <password> <url>
# List brokers
cf service-brokers
# Delete broker
cf delete-service-broker <name>
```
---
## Monitoring and Logging
### SAP Cloud ALM
Integration for:
- Real User Monitoring
- Health Monitoring
- Integration Monitoring
- Exception Monitoring
- Job Automation Monitoring
### Application Logging
```bash
# CF - View logs
cf logs <app> --recent
cf logs <app> # tail
# Subscribe to Application Logging service
cf create-service application-logs lite my-logs
cf bind-service my-app my-logs
```
### Audit Logging
Access via:
- SAP Audit Log Viewer Service (subscription)
- Audit Log Retrieval API
```bash
# API access
curl -X GET "[https://auditlog.cf.<region>.hana.ondemand.com/v2/auditlogrecords"](https://auditlog.cf.<region>.hana.ondemand.com/v2/auditlogrecords") \
-H "Authorization: Bearer <token>"
```
### Alert Notification
Configure alerts for:
- Application events
- Service events
- Platform events
Channels:
- Email
- Slack
- ServiceNow
- SAP Cloud ALM
---
## Backup and Recovery
### SAP-Managed Backups
| Service | Backup | Recovery |
|---------|--------|----------|
| SAP HANA Cloud | Continuous | Point-in-time restore |
| PostgreSQL (Hyperscaler) | 14-day retention | Point-in-time restore |
| Redis | No persistence | N/A |
| Object Store | Versioning available | Manual |
### Customer Responsibilities
You must backup:
- Service configurations
- Destination settings
- Trust configurations
- Application configurations
- Custom code (Git repositories)
### Kyma Backup
- Managed Kubernetes snapshots
- Excludes persistent volumes
- Use Velero for volume backups
### Cloud Foundry Apps
- No built-in backup
- Keep code in external Git
- Export service configurations
- Document environment variables
---
## Automation
### Terraform Provider
```hcl
provider "btp" {
globalaccount = "my-global-account"
}
resource "btp_subaccount" "dev" {
name = "Development"
subdomain = "dev-acme"
region = "eu10"
}
resource "btp_subaccount_entitlement" "cf" {
subaccount_id = btp_subaccount.dev.id
service_name = "APPLICATION_RUNTIME"
plan_name = "MEMORY"
amount = 1
}
```
### SAP Automation Pilot
Low-code automation for:
- Scheduled operations
- Event-triggered workflows
- Multi-step procedures
---
## Related Documentation
- Administration: [https://github.com/SAP-docs/sap-btp-cloud-platform/tree/main/docs/50-administration-and-ops](https://github.com/SAP-docs/sap-btp-cloud-platform/tree/main/docs/50-administration-and-ops)
- btp CLI: [https://help.sap.com/docs/btp/btp-cli-command-reference/btp-cli-command-reference](https://help.sap.com/docs/btp/btp-cli-command-reference/btp-cli-command-reference)
- Terraform: [https://registry.terraform.io/providers/SAP/btp/latest/docs](https://registry.terraform.io/providers/SAP/btp/latest/docs)
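Review bot: Under Service Bindings, `cf create-service-key <service> <key-name>` is shown for external access and `cf service-key` for reading it back, but the block has no removal step, so a reader who follows it leaves a long-lived credential on the instance. Add `cf delete-service-key <service> <key-name>` to the block and state that `cf service-key` prints the credentials to the terminal in clear text. In Service Broker Management, `cf create-service-broker <name> <user> <password> <url>` takes the broker password as a positional argument, which deserves a line about shell history. In User Operations, the comment "List role collection assignments" sits above `btp list security/role-collection`, which names role collections and not who holds them, so the comment should be reworded.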

382
references/cloud-foundry.md Normal file

@@ -0,0 +1,382 @@
# Cloud Foundry Environment Reference
Detailed guidance for SAP BTP Cloud Foundry environment development and administration.
**Source**: [https://github.com/SAP-docs/sap-btp-cloud-platform/tree/main/docs/10-concepts](https://github.com/SAP-docs/sap-btp-cloud-platform/tree/main/docs/10-concepts)
**CF Docs**: [https://docs.cloudfoundry.org/](https://docs.cloudfoundry.org/)
---
## Table of Contents
1. [Architecture](#architecture)
2. [Account Structure](#account-structure)
3. [Buildpacks](#buildpacks)
4. [Service Bindings](#service-bindings)
5. [Application Deployment](#application-deployment)
6. [CF CLI Commands](#cf-cli-commands)
7. [Space Management](#space-management)
8. [Availability Zones](#availability-zones)
---
## Architecture
### Cloud Foundry in SAP BTP
- Open Platform-as-a-Service (PaaS)
- Polyglot application support
- SAP HANA extended application services integration
- Multiple buildpacks for language support
- Automatic scaling and load balancing
### Hierarchy
```
Subaccount (1:1 with CF Org)
└── Organization (Org)
├── Space: Development
│ ├── Applications
│ └── Service Instances
├── Space: Testing
└── Space: Production
```
---
## Account Structure
### Organizations (Orgs)
- Each CF subaccount contains exactly one org
- Org name derived from subaccount name
- Use for grouping related spaces
### Spaces
Spaces provide environment separation within an org:
| Configuration | Subaccount Level | Space Level |
|---------------|------------------|-------------|
| Business user groups | Yes | No |
| Cloud Connector tunnels | Yes | No |
| Trust/roles settings | Yes | No |
| Quota assignment | Mandatory | Optional |
### Space Quota Plans
Optional resource limits per space:
```bash
# Create space quota
cf create-space-quota my-quota -m 4G -i 1G -r 10 -s 5
# Assign to space
cf set-space-quota my-space my-quota
```
---
## Buildpacks
### SAP-Provided Buildpacks
| Buildpack | Language | Notes |
|-----------|----------|-------|
| `sap_java_buildpack` | Java | SAP JVM, Jakarta EE |
| `nodejs_buildpack` | Node.js | LTS versions |
| `python_buildpack` | Python | 3.x versions |
| `go_buildpack` | Go | Latest versions |
| `staticfile_buildpack` | Static HTML | HTML5 apps |
### Specifying Buildpacks
```yaml
# manifest.yml
applications:
- name: my-app
buildpacks:
- nodejs_buildpack
memory: 256M
disk_quota: 512M
```
### Custom Buildpacks
```yaml
applications:
- name: my-app
buildpack: [https://github.com/my-org/my-buildpack.git](https://github.com/my-org/my-buildpack.git)
```
---
## Service Bindings
### Service Marketplace
```bash
# List available services
cf marketplace
# Create service instance
cf create-service hana hdi-shared my-hana
# Bind to application
cf bind-service my-app my-hana
```
### Service Keys
For external access without binding:
```bash
# Create service key
cf create-service-key my-service my-key
# Get credentials
cf service-key my-service my-key
```
### User-Provided Services
For external services not in marketplace:
```bash
cf create-user-provided-service my-external-service -p '{"url":"[https://api.example.com","key":"xxx"}'](https://api.example.com","key":"xxx"}')
```
### VCAP_SERVICES
Environment variable containing bound service credentials:
```javascript
const services = JSON.parse(process.env.VCAP_SERVICES);
const hanaCredentials = services.hana[0].credentials;
```
---
## Application Deployment
### manifest.yml
```yaml
applications:
- name: my-app
memory: 512M
disk_quota: 1G
instances: 2
path: ./target/my-app.jar
buildpacks:
- sap_java_buildpack
env:
JBP_CONFIG_SAPJVM: "[default_vm: jdk]"
routes:
- route: my-app.cfapps.eu10.hana.ondemand.com
services:
- my-hana
- my-xsuaa
```
### Deployment Commands
```bash
# Deploy application
cf push
# Deploy with manifest override
cf push -f manifest-prod.yml
# Deploy specific path
cf push my-app -p ./dist
# Scale instances
cf scale my-app -i 3
# Scale memory
cf scale my-app -m 1G
```
### Blue-Green Deployment
```bash
# Deploy new version with different name
cf push my-app-new -f manifest.yml
# Map route to new version
cf map-route my-app-new cfapps.eu10.hana.ondemand.com --hostname my-app
# Unmap route from old version
cf unmap-route my-app cfapps.eu10.hana.ondemand.com --hostname my-app
# Delete old version
cf delete my-app -f
# Rename new version
cf rename my-app-new my-app
```
---
## CF CLI Commands
### Authentication
```bash
# Login
cf login -a [https://api.cf.eu10.hana.ondemand.com](https://api.cf.eu10.hana.ondemand.com)
# Login with SSO
cf login -a [https://api.cf.eu10.hana.ondemand.com](https://api.cf.eu10.hana.ondemand.com) --sso
# Target org/space
cf target -o my-org -s my-space
```
### Application Management
```bash
# List applications
cf apps
# View app details
cf app my-app
# Start/stop/restart
cf start my-app
cf stop my-app
cf restart my-app
# View logs
cf logs my-app --recent
cf logs my-app # tail
# SSH into container
cf ssh my-app
# Set environment variable
cf set-env my-app MY_VAR "value"
cf restage my-app
```
### Service Management
```bash
# List services
cf services
# Create service
cf create-service <service> <plan> <name>
# Update service
cf update-service <name> -p <new-plan>
# Delete service
cf delete-service <name>
# Bind/unbind
cf bind-service <app> <service>
cf unbind-service <app> <service>
```
### Routes
```bash
# List routes
cf routes
# Create route
cf create-route my-space cfapps.eu10.hana.ondemand.com --hostname my-app
# Map route to app
cf map-route my-app cfapps.eu10.hana.ondemand.com --hostname my-app
# Delete route
cf delete-route cfapps.eu10.hana.ondemand.com --hostname my-app
```
---
## Space Management
### Space Roles
| Role | Permissions |
|------|-------------|
| **Space Manager** | Manage space settings, add members |
| **Space Developer** | Deploy apps, manage services |
| **Space Auditor** | View-only access |
### Assign Roles
```bash
# Set space role
cf set-space-role user@example.com my-org my-space SpaceDeveloper
# Unset space role
cf unset-space-role user@example.com my-org my-space SpaceDeveloper
```
### Org Roles
| Role | Permissions |
|------|-------------|
| **Org Manager** | Manage org, spaces, quotas, billing |
| **Org Auditor** | View-only for org settings |
| **Billing Manager** | View billing information |
---
## Availability Zones
### Multi-AZ Deployment
Cloud Foundry distributes application instances across availability zones automatically when:
1. Multiple instances are running (`instances: 2+`)
2. Region supports multiple AZs
### Benefits
- Independent power, network, cooling
- Automatic failover within region
- Improved application availability
### Configuration
No special configuration required. CF Controller distributes instances automatically.
```yaml
applications:
- name: my-app
instances: 3 # Distributed across AZs
```
---
## Supported Features
### Supported
- Diego runtime
- Application manifests
- Service bindings
- SSH access
- Health monitoring
- Autoscaling (via Application Autoscaler)
- Container-to-container networking
### Not Supported
- DEA runtime (deprecated)
- Some community plugins may not work
---
## Related Documentation
- CF Environment Concepts: [https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/10-concepts/cloud-foundry-environment-9c7092c.md](https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/10-concepts/cloud-foundry-environment-9c7092c.md)
- Regions and Endpoints: [https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/10-concepts/regions-and-api-endpoints-available-for-the-cloud-foundry-environment-f344a57.md](https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/10-concepts/regions-and-api-endpoints-available-for-the-cloud-foundry-environment-f344a57.md)
- Getting Started: [https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/20-getting-started/getting-started-in-the-cloud-foundry-environment-b328cc8.md](https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/20-getting-started/getting-started-in-the-cloud-foundry-environment-b328cc8.md)
- Official CF Docs: [https://docs.cloudfoundry.org/](https://docs.cloudfoundry.org/)
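Review bot: In User-Provided Services, the `cf create-user-provided-service my-external-service -p '{...}'` example passes `"key":"xxx"` inline on the command line, where it lands in shell history and process listings. Show the interactive form instead (`-p "url, key"` prompts for each value) or read the JSON from a file. In Custom Buildpacks the Git URL is unpinned, so each staging pulls whatever the default branch holds at that moment; pin it with a `#<tag>` suffix, and use the `buildpacks:` list form that the Specifying Buildpacks example already uses rather than the singular `buildpack:` key. The `cf ssh my-app` entry under Application Management should also say that SSH access can be turned off for production spaces.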

378
references/connectivity.md Normal file

@@ -0,0 +1,378 @@
# Connectivity Reference
Complete guidance for SAP BTP connectivity including destinations and Cloud Connector.
**Source**: [https://github.com/SAP-docs/sap-btp-cloud-platform/tree/main/docs/30-development](https://github.com/SAP-docs/sap-btp-cloud-platform/tree/main/docs/30-development)
---
## Table of Contents
1. [Destinations Overview](#destinations-overview)
2. [Authentication Methods](#authentication-methods)
3. [Cloud Connector](#cloud-connector)
4. [Principal Propagation](#principal-propagation)
5. [Destination Service API](#destination-service-api)
---
## Destinations Overview
Destinations abstract connection details from application code:
### Benefits
- Separation of configuration from code
- Secure credential storage
- Runtime resolution of connection details
- Central management in BTP Cockpit
### Destination Types
| Type | Description |
|------|-------------|
| **HTTP** | REST APIs, web services |
| **RFC** | SAP RFC connections |
| **LDAP** | Directory services |
| **Mail** | SMTP connections |
### Proxy Types
| Proxy | Use Case |
|-------|----------|
| **Internet** | Cloud services, public APIs |
| **OnPremise** | On-premise systems via Cloud Connector |
| **PrivateLink** | AWS/Azure private connectivity |
---
## Authentication Methods
### NoAuthentication
Public APIs without authentication:
```json
{
"Name": "public-api",
"Type": "HTTP",
"URL": "[https://api.example.com",](https://api.example.com",)
"ProxyType": "Internet",
"Authentication": "NoAuthentication"
}
```
### BasicAuthentication
Username/password (testing only):
```json
{
"Name": "basic-auth",
"Type": "HTTP",
"URL": "[https://api.example.com",](https://api.example.com",)
"ProxyType": "Internet",
"Authentication": "BasicAuthentication",
"User": "username",
"Password": "password"
}
```
### OAuth2ClientCredentials
Service-to-service:
```json
{
"Name": "oauth2-client",
"Type": "HTTP",
"URL": "[https://api.example.com",](https://api.example.com",)
"ProxyType": "Internet",
"Authentication": "OAuth2ClientCredentials",
"clientId": "my-client-id",
"clientSecret": "my-client-secret",
"tokenServiceURL": "[https://auth.example.com/oauth/token"](https://auth.example.com/oauth/token")
}
```
### OAuth2SAMLBearerAssertion
User propagation to cloud services:
```json
{
"Name": "saml-bearer",
"Type": "HTTP",
"URL": "[https://api.example.com",](https://api.example.com",)
"ProxyType": "Internet",
"Authentication": "OAuth2SAMLBearerAssertion",
"audience": "[https://audience.example.com",](https://audience.example.com",)
"clientKey": "my-client-id",
"tokenServiceURL": "[https://auth.example.com/oauth/token",](https://auth.example.com/oauth/token",)
"tokenServiceURLType": "Dedicated",
"authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession"
}
```
### OAuth2JWTBearer
Token exchange (preferred over OAuth2UserTokenExchange):
```json
{
"Name": "jwt-bearer",
"Type": "HTTP",
"URL": "[https://api.example.com",](https://api.example.com",)
"ProxyType": "Internet",
"Authentication": "OAuth2JWTBearer",
"clientId": "my-client-id",
"clientSecret": "my-client-secret",
"tokenServiceURL": "[https://auth.example.com/oauth/token"](https://auth.example.com/oauth/token")
}
```
### PrincipalPropagation
On-premise with Cloud Connector:
```json
{
"Name": "onprem-pp",
"Type": "HTTP",
"URL": "[http://virtualhost:port",](http://virtualhost:port",)
"ProxyType": "OnPremise",
"Authentication": "PrincipalPropagation",
"CloudConnectorLocationId": "location1"
}
```
### ClientCertificateAuthentication
mTLS:
```json
{
"Name": "mtls",
"Type": "HTTP",
"URL": "[https://api.example.com",](https://api.example.com",)
"ProxyType": "Internet",
"Authentication": "ClientCertificateAuthentication",
"KeyStoreLocation": "keystore.p12",
"KeyStorePassword": "password"
}
```
> **Note**: The keystore file (`.p12` or `.jks`) must be uploaded to the destination
> configuration in BTP Cockpit before referencing it. Upload via: Connectivity →
> Destinations → destination properties → Upload and Delete Certificates.
### Authentication Method Compatibility
| Method | Internet | OnPremise | Private Link |
|--------|----------|-----------|--------------|
| NoAuthentication | Yes | Yes | Yes |
| BasicAuthentication | Yes | Yes | Yes |
| OAuth2ClientCredentials | Yes | No | Yes |
| OAuth2SAMLBearerAssertion | Yes | No | Yes |
| OAuth2JWTBearer | Yes | No | Yes |
| PrincipalPropagation | No | Yes | No |
| ClientCertificateAuthentication | Yes | Yes | Yes |
---
## Cloud Connector
### Overview
Lightweight on-premise agent providing:
- Secure tunnel to SAP BTP
- No inbound firewall ports required
- Fine-grained access control
- Principal propagation support
### Installation
1. Download from SAP Software Download Center
2. Install on on-premise network
3. Configure connection to SAP BTP subaccount
4. Define accessible resources
### Architecture
```
SAP BTP Application
↓ (HTTPS)
Connectivity Service
↓ (TLS tunnel)
Cloud Connector (on-premise)
↓ (HTTP/RFC)
On-Premise System
```
### Configuration Scopes
| Scope | Configuration |
|-------|---------------|
| **Subaccount** | One Cloud Connector per subaccount |
| **Location ID** | Multiple connectors per subaccount |
| **Access Control** | Resource-level permissions |
### Virtual Host Mapping
Map internal systems to virtual hosts:
```
Virtual Host: sap-erp-virtual:443
→ Internal System: erp.internal.company.com:443
```
### Access Control
Define which resources are accessible:
| Setting | Description |
|---------|-------------|
| **Protocol** | HTTP, HTTPS, RFC |
| **Internal Host** | Actual system hostname |
| **Virtual Host** | Exposed hostname to BTP |
| **Path** | URL path prefix |
| **Method** | HTTP methods allowed |
### High Availability
**Architecture**:
- **Master connector**: Active, handles all traffic
- **Shadow connector**: Standby, monitors master health
- Automatic failover if master becomes unavailable
**Setup**:
1. Install Cloud Connector on two separate hosts
2. Configure first as master (connects to BTP)
3. Configure second as shadow (points to master)
4. Shadow automatically takes over if master fails
**Configuration**:
```
Master: cc-master.internal.company.com:8443
Shadow: cc-shadow.internal.company.com:8443
→ Points to master for health checks
→ Same subaccount/location ID configuration
```
**Best Practices**:
- Deploy master and shadow on different physical hosts
- Use different network segments if possible
- Monitor both instances via Cloud Connector admin UI
- Test failover periodically
### Monitoring
- Connection status in BTP Cockpit
- Audit logs
- Performance metrics
---
## Principal Propagation
### On-Premise via Cloud Connector
Forward user identity to on-premise systems:
```
User authenticates → BTP App → Cloud Connector → On-Premise
(SAML) (X.509 cert) (user context)
```
**Requirements**:
1. Cloud Connector with SNC or X.509
2. Destination with `PrincipalPropagation`
3. On-premise system configured for SSO
### SAP System Configuration
For SAP ERP/S4:
1. Configure trusted certificate in STRUST
2. Enable SSO in SICF
3. Map certificate subject to user
### Cloud-to-Cloud
Use `OAuth2SAMLBearerAssertion` or `OAuth2JWTBearer`:
```javascript
// Using SAP Cloud SDK
const destination = await getDestination('my-destination');
const response = await executeHttpRequest(destination, {
method: 'GET',
url: '/api/resource'
});
```
---
## Destination Service API
### Get Destination
```bash
# Get single destination
curl -X GET "[https://destination-configuration.cfapps.<region>.hana.ondemand.com/destination-configuration/v1/destinations/<name>"](https://destination-configuration.cfapps.<region>.hana.ondemand.com/destination-configuration/v1/destinations/<name>") \
-H "Authorization: Bearer <token>"
```
### Response
```json
{
"owner": {
"SubaccountId": "...",
"InstanceId": "..."
},
"destinationConfiguration": {
"Name": "my-destination",
"Type": "HTTP",
"URL": "[https://api.example.com",](https://api.example.com",)
"Authentication": "OAuth2ClientCredentials",
"ProxyType": "Internet"
},
"authTokens": [
{
"type": "Bearer",
"value": "...",
"expires_in": "3600"
}
]
}
```
### Using in Applications
**Node.js (CAP/Cloud SDK)**:
```javascript
const { getDestination, executeHttpRequest } = require('@sap-cloud-sdk/core');
const destination = await getDestination('my-destination');
const response = await executeHttpRequest(destination, {
method: 'GET',
url: '/api/resource'
});
```
**Java (Cloud SDK)**:
```java
HttpDestination destination = DestinationAccessor
.getDestination("my-destination")
.asHttp();
HttpClient client = HttpClientAccessor.getHttpClient(destination);
HttpResponse response = client.execute(new HttpGet("/api/resource"));
```
---
## Related Documentation
- Connectivity Service: [https://help.sap.com/docs/connectivity](https://help.sap.com/docs/connectivity)
- Cloud Connector: [https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/cloud-connector](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/cloud-connector)
- Destinations: [https://github.com/SAP-docs/sap-btp-cloud-platform/tree/main/docs/30-development](https://github.com/SAP-docs/sap-btp-cloud-platform/tree/main/docs/30-development)
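Review bot: In Principal Propagation, the Cloud-to-Cloud snippet calls `getDestination('my-destination')` with only the destination name, so nothing carries the signed-in user's token into the lookup and an `OAuth2SAMLBearerAssertion` or `OAuth2JWTBearer` destination has no user identity to exchange. Pass the incoming request's JWT to the destination lookup and show where it comes from; the same applies to the Node.js snippet under Using in Applications if it is meant to cover user-propagating destinations. Separately, the authentication examples carry literal `"Password": "password"`, `"clientSecret": "my-client-secret"` and `"KeyStorePassword": "password"`; use `<placeholder>` values as the curl examples do, and note next to the Response sample that `authTokens[].value` is a live bearer token that should not be logged.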

492
references/development.md Normal file

@@ -0,0 +1,492 @@
# Development Reference
Development patterns and best practices for SAP BTP applications.
**Source**: [https://github.com/SAP-docs/sap-btp-cloud-platform/tree/main/docs/30-development](https://github.com/SAP-docs/sap-btp-cloud-platform/tree/main/docs/30-development)
---
## Table of Contents
1. [Multi-Target Applications](#multi-target-applications)
2. [Application Router](#application-router)
3. [CAP Development](#cap-development)
4. [Service Bindings](#service-bindings)
5. [CI/CD Pipelines](#cicd-pipelines)
6. [Deployment Strategies](#deployment-strategies)
---
## Multi-Target Applications
### MTA Structure
```
my-app/
├── mta.yaml # MTA descriptor
├── srv/ # Backend service
│ ├── package.json
│ └── src/
├── app/ # Frontend
│ └── webapp/
├── db/ # Database artifacts
│ └── src/
└── xs-security.json # Security config
```
### mta.yaml Template
```yaml
_schema-version: "3.1"
ID: my-app
version: 1.0.0
description: My SAP BTP Application
parameters:
enable-parallel-deployments: true
build-parameters:
before-all:
- builder: custom
commands:
- npm install --production
modules:
# Backend service
- name: my-app-srv
type: nodejs
path: srv
parameters:
buildpack: nodejs_buildpack
memory: 256M
build-parameters:
builder: npm
requires:
- name: my-app-db
- name: my-app-auth
provides:
- name: srv-api
properties:
srv-url: ${default-url}
# Database deployer
- name: my-app-db-deployer
type: hdb
path: db
parameters:
buildpack: nodejs_buildpack
requires:
- name: my-app-db
# UI module
- name: my-app-ui
type: html5
path: app
build-parameters:
builder: custom
commands:
- npm run build
supported-platforms: []
# App Router
- name: my-app-approuter
type: approuter.nodejs
path: approuter
parameters:
disk-quota: 256M
memory: 256M
requires:
- name: my-app-auth
- name: srv-api
group: destinations
properties:
name: srv-api
url: ~{srv-url}
forwardAuthToken: true
resources:
# HDI Container
- name: my-app-db
type: com.sap.xs.hdi-container
parameters:
service: hana
service-plan: hdi-shared
# XSUAA
- name: my-app-auth
type: org.cloudfoundry.managed-service
parameters:
service: xsuaa
service-plan: application
path: ./xs-security.json
```
### Build and Deploy
```bash
# Build MTA archive
mbt build
# Deploy
cf deploy mta_archives/my-app_1.0.0.mtar
# Deploy with options
cf deploy my-app.mtar --strategy blue-green
```
---
## Application Router
### Purpose
- Single entry point for applications
- User authentication
- Static content serving
- URL routing to microservices
- Session management
### xs-app.json
```json
{
"welcomeFile": "/index.html",
"authenticationMethod": "route",
"sessionTimeout": 30,
"routes": [
{
"source": "^/api/(.*)$",
"target": "$1",
"destination": "srv-api",
"authenticationType": "xsuaa",
"csrfProtection": true
},
{
"source": "^/(.*)$",
"target": "$1",
"localDir": "webapp",
"authenticationType": "xsuaa"
}
]
}
```
### Authentication Types
| Type | Description |
|------|-------------|
| `xsuaa` | Require authentication |
| `none` | No authentication |
| `basic` | Basic auth (dev only) |
### Route Properties
| Property | Description |
|----------|-------------|
| `source` | Regex pattern for incoming URL |
| `target` | Rewritten path |
| `destination` | Destination name |
| `localDir` | Serve from local directory |
| `csrfProtection` | Enable CSRF tokens |
| `scope` | Required authorization scope |
### Environment Variables
```json
{
"destinations": [
{
"name": "srv-api",
"url": "[https://my-srv.cfapps.eu10.hana.ondemand.com",](https://my-srv.cfapps.eu10.hana.ondemand.com",)
"forwardAuthToken": true
}
]
}
```
---
## CAP Development
### Project Setup
```bash
# Create new project
cds init my-project
# Add features
cds add hana
cds add xsuaa
cds add mta
```
### Service Definition (CDS)
```cds
// srv/catalog-service.cds
using { my.bookshop as my } from '../db/schema';
service CatalogService {
@readonly entity Books as projection on my.Books;
entity Orders as projection on my.Orders;
}
```
### Data Model
```cds
// db/schema.cds
namespace my.bookshop;
entity Books {
key ID : Integer;
title : String;
author : Association to Authors;
stock : Integer;
}
entity Authors {
key ID : Integer;
name : String;
books : Association to many Books on books.author = $self;
}
entity Orders {
key ID : UUID;
book : Association to Books;
amount : Integer;
}
```
### Service Implementation
```javascript
// srv/catalog-service.js
module.exports = cds.service.impl(async function() {
const { Books, Orders } = this.entities;
this.before('CREATE', 'Orders', async (req) => {
const { book_ID, amount } = req.data;
const book = await SELECT.one.from(Books).where({ ID: book_ID });
if (book.stock < amount) {
req.error(409, 'Not enough stock');
}
});
this.after('CREATE', 'Orders', async (order, req) => {
await UPDATE(Books)
.set({ stock: { '-=': order.amount } })
.where({ ID: order.book_ID });
});
});
```
### Running Locally
```bash
# Start with watch (SQLite in-memory)
cds watch
# With hybrid profile (remote services, local app)
cds watch --profile hybrid
# Deploy to database
cds deploy --to hana
```
**Profile Options**:
| Profile | Description | Use Case |
|---------|-------------|----------|
| `default` | SQLite in-memory, mock auth | Initial development, quick testing |
| `hybrid` | Connect to remote BTP services while running locally | Test with real HANA, XSUAA, destinations |
| `production` | Full BTP services | Deployed application |
**Hybrid Profile Setup** (`.cdsrc.json`):
```json
{
"[hybrid]": {
"requires": {
"db": {
"kind": "hana",
"credentials": { "from": "env:VCAP_SERVICES" }
},
"auth": {
"kind": "xsuaa",
"credentials": { "from": "env:VCAP_SERVICES" }
}
}
}
}
```
Run `cds bind` to fetch service credentials, then `cds watch --profile hybrid`.
---
## Service Bindings
### Accessing Bound Services
**Environment Variable (VCAP_SERVICES)**:
```javascript
const vcap = JSON.parse(process.env.VCAP_SERVICES);
const hanaCredentials = vcap.hana[0].credentials;
```
**Using @sap/xsenv**:
```javascript
const xsenv = require('@sap/xsenv');
xsenv.loadEnv();
const hanaCredentials = xsenv.serviceCredentials({ tag: 'hana' });
```
**Using CAP**:
```javascript
// Automatic binding via cds.requires in package.json
const db = await cds.connect.to('db');
```
### package.json (CAP)
```json
{
"cds": {
"requires": {
"db": {
"kind": "hana",
"credentials": {
"binding": "db"
}
},
"auth": {
"kind": "xsuaa"
}
}
}
}
```
---
## CI/CD Pipelines
### SAP Continuous Integration and Delivery
Pipeline types:
1. Cloud Foundry - Fiori, CAP
2. SAP Fiori for ABAP Platform
3. SAP Integration Suite Artifacts
### Pipeline Configuration
```yaml
# .pipeline/config.yml
general:
buildTool: mta
mtaBuildTool: cloudMbt
stages:
Build:
npmExecuteBefore:
dockerImage: 'node:18'
Integration:
credentials:
cfCredentialsId: cf-credentials
Release:
cfSpace: prod
cfCredentialsId: cf-credentials
```
### GitHub Actions Example
```yaml
name: Deploy to BTP
on:
push:
branches: [main]
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Setup Node
uses: actions/setup-node@v3
with:
node-version: '18'
- name: Install dependencies
run: npm ci
- name: Build MTA
run: npx mbt build
- name: Deploy to CF
env:
CF_API: ${{ secrets.CF_API }}
CF_USER: ${{ secrets.CF_USER }}
CF_PASSWORD: ${{ secrets.CF_PASSWORD }}
run: |
cf login -a $CF_API -u $CF_USER -p $CF_PASSWORD -o $CF_ORG -s $CF_SPACE
cf deploy mta_archives/*.mtar -f
```
---
## Deployment Strategies
### Rolling Deployment (Default)
Replace instances one by one:
```bash
cf push my-app
```
### Blue-Green Deployment
Zero-downtime with instant rollback:
```bash
# Deploy new version
cf push my-app-new -f manifest.yml
# Map production route
cf map-route my-app-new cfapps.eu10.hana.ondemand.com -n my-app
# Unmap from old
cf unmap-route my-app cfapps.eu10.hana.ondemand.com -n my-app
# Delete old version
cf delete my-app -f
# Rename
cf rename my-app-new my-app
```
**With MTA**:
```bash
cf deploy my-app.mtar --strategy blue-green
```
### Canary Deployment
Gradual traffic shift:
```bash
# Deploy canary with different route
cf push my-app-canary -f manifest-canary.yml
# Gradually shift traffic (manual or with load balancer)
```
---
## Related Documentation
- Development Guide: [https://github.com/SAP-docs/sap-btp-cloud-platform/tree/main/docs/30-development](https://github.com/SAP-docs/sap-btp-cloud-platform/tree/main/docs/30-development)
- CAP Documentation: [https://cap.cloud.sap/docs/](https://cap.cloud.sap/docs/)
- MTA Guide: [https://help.sap.com/docs/btp/sap-business-technology-platform/multitarget-applications](https://help.sap.com/docs/btp/sap-business-technology-platform/multitarget-applications)
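Review bot: In the GitHub Actions example, the `cf login` line uses `-o $CF_ORG -s $CF_SPACE` but the step's `env:` block defines only `CF_API`, `CF_USER` and `CF_PASSWORD`, so both expand to nothing and the login command is malformed. Add the two variables to `env:`, quote every expansion (`-p "$CF_PASSWORD"`), and add a step that installs the cf CLI and the plugin providing `cf deploy`, since no step in the job does. In the CAP Service Implementation, `book.stock` is read without checking that `SELECT.one` returned a row, so an order for an unknown `book_ID` throws instead of returning a clean error; the stock check in `before` and the decrement in `after` are also separate statements, so concurrent orders can both pass the check.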

374
references/extensions.md Normal file

@@ -0,0 +1,374 @@
# Extensions Reference
Complete guidance for extending SAP solutions using SAP BTP.
**Source**: [https://github.com/SAP-docs/sap-btp-cloud-platform/tree/main/docs/40-extensions](https://github.com/SAP-docs/sap-btp-cloud-platform/tree/main/docs/40-extensions)
---
## Table of Contents
1. [Extensions Overview](#extensions-overview)
2. [Formations](#formations)
3. [System Registration](#system-registration)
4. [S/4HANA Cloud Extensions](#s4hana-cloud-extensions)
5. [SuccessFactors Extensions](#successfactors-extensions)
6. [Event Mesh Integration](#event-mesh-integration)
7. [Configuration Files](#configuration-files)
8. [Troubleshooting](#troubleshooting)
---
## Extensions Overview
SAP BTP enables loosely coupled extensions without disrupting core SAP solution processes.
### Extension Capabilities
| Capability | Description |
|------------|-------------|
| **API Access** | Consume SAP solution APIs |
| **Event Consumption** | React to SAP solution events |
| **UI Extensions** | Extend SAP Fiori interfaces |
| **Side-by-Side** | Build companion apps |
### Supported SAP Solutions
| Solution | Cloud Foundry | Kyma |
|----------|---------------|------|
| SAP S/4HANA Cloud | Yes | Yes |
| SAP SuccessFactors | Yes | Yes |
| SAP Marketing Cloud | Yes | Yes |
| SAP Commerce Cloud | - | Yes |
| SAP Field Service Management | - | Yes |
| SAP Customer Experience | - | Yes |
### Extension Architecture
```
SAP Solution (S/4HANA, SuccessFactors)
↓ APIs & Events
SAP BTP (Unified Customer Landscape)
↓ Formations
Extension Application (CF or Kyma)
```
---
## Formations
Formations are logical groupings of SAP systems for common business scenarios.
### Formation Types
| Type | Purpose |
|------|---------|
| **Business Scenario** | Group systems for specific use cases |
| **Service Integration** | Connect to BTP services |
| **Extensibility** | Enable extension development |
### Formation Status
| Status | Description |
|--------|-------------|
| **Ready** | Successfully configured |
| **Draft** | Incomplete, missing systems |
| **Action Required** | Needs additional setup |
| **Synchronizing** | Systems syncing in background |
| **Error** | Sync failed, needs resync |
### Creating Formations
1. Navigate to **System Landscape > Formations** in BTP Cockpit
2. Click **Create Formation**
3. Enter unique name (max 128 chars)
4. Select formation type
5. Add registered systems
6. Review and confirm
### Formation Management
```
BTP Cockpit → System Landscape → Formations
├── Create Formation
├── Add Systems
├── Finalize Formation
├── Resynchronize (on error)
└── Delete Formation
```
---
## System Registration
Register SAP systems to enable extensions.
### Registration Process
1. **Generate Token**: Create registration token in BTP Cockpit
2. **Configure System**: Use token in SAP solution admin
3. **Verify Connection**: Check system status in BTP
### System Types
| System Type | Registration Method |
|-------------|---------------------|
| SAP S/4HANA Cloud | Registration token |
| SAP SuccessFactors | Registration token |
| SAP Marketing Cloud | Registration token |
| Third-party Systems | Manual configuration |
| SAP BTP Applications | Service instance |
### Register S/4HANA Cloud System
```
BTP Cockpit → System Landscape → Systems
├── Add System
├── System Type: SAP S/4HANA Cloud
├── Generate Token
└── Complete in S/4HANA Cloud Admin
```
### Register SuccessFactors System
```
BTP Cockpit → System Landscape → Systems
├── Add System
├── System Type: SAP SuccessFactors
├── Generate Token
└── Complete in SuccessFactors Provisioning
```
---
## S/4HANA Cloud Extensions
### Extension Setup Steps
1. **Register System** in global account
2. **Configure Entitlements** for subaccounts
3. **Create Service Instance** (api-access or messaging plan)
4. **Build Extension** in CF or Kyma
### Service Plans
| Plan | Purpose |
|------|---------|
| `api-access` | Consume S/4HANA APIs |
| `messaging` | Consume S/4HANA events |
### API Access Configuration
```json
{
"systemName": "MY_S4HANA_SYSTEM",
"communicationArrangement": {
"communicationArrangementName": "MY_ARRANGEMENT",
"scenarioId": "SAP_COM_0008",
"inboundAuthentication": "OAuth2SAMLBearerAssertion",
"outboundAuthentication": "BasicAuthentication",
"outboundServices": [
{
"name": "Business Partner (A2X)",
"isServiceActive": true
}
]
}
}
```
### Supported Authentication
| Method | Use Case |
|--------|----------|
| BasicAuthentication | Simple scenarios |
| OAuth2SAMLBearerAssertion | User propagation |
| OAuth2ClientCredentials | Service-to-service |
| NoAuthentication | Public APIs |
### Event Consumption
1. Configure SAP Event Mesh entitlements
2. Create Event Mesh service instance
3. Create S/4HANA extensibility instance (messaging plan)
4. Subscribe to events
---
## SuccessFactors Extensions
### Extension Setup
1. **Register System** in global account
2. **Configure SSO** (optional)
3. **Configure Entitlements**
4. **Create Service Instance**
### SSO Configuration
```
SuccessFactors → Identity Authentication → SAP BTP
```
Steps:
1. Configure SuccessFactors as trusted IdP in BTP
2. Configure subaccount as trusted service provider in SuccessFactors
3. Test SSO flow
### API Access
```json
{
"systemName": "MY_SFSF_SYSTEM",
"technicalUser": "TECHNICAL_USER",
"technicalUserSecret": "xxx"
}
```
---
## Event Mesh Integration
### Event Mesh Architecture
```
SAP Solution → Event Mesh → Extension App
(CloudEvents)
```
### Event Mesh Service Plans
| Plan | Purpose |
|------|---------|
| `default` | Standard eventing |
| `development` | Non-production |
### Event Mesh Descriptor
```json
{
"emname": "my-event-mesh",
"namespace": "my/namespace",
"rules": {
"queueRules": {
"publishFilter": ["${namespace}/*"],
"subscribeFilter": ["${namespace}/*"]
},
"topicRules": {
"publishFilter": ["${namespace}/*"],
"subscribeFilter": ["${namespace}/*"]
}
}
}
```
### Create Queues and Subscribe
```bash
# Create queue
cf create-service-key my-event-mesh my-key
# Subscribe to topic
# Use Event Mesh UI or REST API
```
---
## Configuration Files
### Communication Arrangement JSON
```json
{
"communicationArrangementName": "MY_ARRANGEMENT",
"scenarioId": "SAP_COM_0008",
"inboundAuthentication": "OAuth2SAMLBearerAssertion",
"outboundAuthentication": "BasicAuthentication",
"inboundServices": [
{
"serviceName": "Business Partner API",
"isServiceActive": true
}
],
"outboundServices": [
{
"name": "Business Partner (A2X)",
"isServiceActive": true
}
]
}
```
### Communication Arrangement YAML
```yaml
communicationArrangementName: MY_ARRANGEMENT
scenarioId: SAP_COM_0008
inboundAuthentication: OAuth2SAMLBearerAssertion
outboundAuthentication: BasicAuthentication
inboundServices:
- serviceName: Business Partner API
isServiceActive: true
outboundServices:
- name: Business Partner (A2X)
isServiceActive: true
```
### API Access Configuration
```json
{
"systemName": "MY_SYSTEM",
"communicationArrangement": {
"communicationArrangementName": "INBOUND_COMM_ARRANGEMENT",
"scenarioId": "SAP_COM_0008",
"inboundAuthentication": "OAuth2SAMLBearerAssertion"
}
}
```
---
## Troubleshooting
### Common Issues
| Issue | Solution |
|-------|----------|
| Service instance creation failed | Check entitlements, verify system registration |
| Event consumption not working | Verify Event Mesh configuration, check topic subscriptions |
| API access denied | Check communication arrangement, verify authentication |
| System not visible | Verify registration token was used, check system status |
### S/4HANA Extensibility Issues
| Error | Resolution |
|-------|------------|
| Instance creation failed (no message) | Check communication arrangement JSON syntax |
| Messaging plan unavailable | Configure Event Mesh entitlements first |
| API authentication failed | Verify OAuth configuration in S/4HANA |
### SuccessFactors Issues
| Error | Resolution |
|-------|------------|
| OData destination not working | Verify technical user credentials |
| SSO not working | Check trust configuration both sides |
| Instance creation failed | Verify system registration complete |
---
## Region Limitations
Extensions functionality is **NOT available** in:
- China (Shanghai) region
- Government Cloud (US) region
---
## Related Documentation
- Extensions: [https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/40-extensions/extensions-08b1eff.md](https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/40-extensions/extensions-08b1eff.md)
- Formations: [https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/40-extensions/automating-integrations-using-formations-68b04fa.md](https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/40-extensions/automating-integrations-using-formations-68b04fa.md)
- S/4HANA Extensions: [https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/40-extensions/extending-sap-s-4hana-cloud-in-the-cloud-foundry-and-kyma-environment-40b9e6c.md](https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/40-extensions/extending-sap-s-4hana-cloud-in-the-cloud-foundry-and-kyma-environment-40b9e6c.md)
- SuccessFactors Extensions: [https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/40-extensions/extending-sap-successfactors-in-the-cloud-foundry-and-kyma-environment-9e33934.md](https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/40-extensions/extending-sap-successfactors-in-the-cloud-foundry-and-kyma-environment-9e33934.md)
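Review bot: In the SuccessFactors "API Access" JSON, `"technicalUserSecret": "xxx"` puts the technical user's secret inline in the parameters file with no guidance on where the real value should come from. Add a sentence telling readers to keep this file out of version control and supply the secret at deploy time, and use an unmistakable placeholder instead of `xxx`. Separately, under "Create Queues and Subscribe" the `# Create queue` comment sits above `cf create-service-key my-event-mesh my-key`, which creates a service key, not a queue; relabel the comment or show the actual queue creation step.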

261
references/glossary.md Normal file

@@ -0,0 +1,261 @@
# SAP BTP Glossary
Complete terminology reference for SAP Business Technology Platform.
**Source**: [https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/glossary-e67a143.md](https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/glossary-e67a143.md)
---
## A
### Application
Software hosted on SAP BTP used by business users to complete tasks. Created by developers utilizing platform services.
### Application Router
Single entry point for applications in Cloud Foundry environment. Handles static content serving, user authentication, URL rewriting, and request forwarding to microservices.
### Availability
The durability and operational performance without failure of a system or component for an agreed amount of time, as defined in the contract.
### Availability Zone (AZ)
A physically isolated location with independent power, network, and cooling infrastructure that acts as an individual failure domain within a region.
---
## B
### Block-hours
A measurement unit representing one compute block's runtime for one hour. Multiple blocks multiply the count accordingly.
### Booster
A set of guided interactive steps that enable you to select, configure, and consume services on SAP BTP to achieve a specific technical goal.
### btp CLI
The command line tool for all tasks on global account, directory, and subaccount level, such as creating or updating subaccounts, authorization management, and working with service brokers and platforms.
### Buildpack
Provides framework and runtime support for applications in the Cloud Foundry environment.
### Business Service
Platform services that enable, facilitate, or accelerate the development of business process components and elements of an application.
---
## C
### Cloud Connector
Serves as the link between on-demand applications in SAP BTP and existing on-premise systems. Lightweight agent establishing secure tunnel.
### Cloud Foundry CLI
Command-line interface tool for deploying and managing applications in the Cloud Foundry environment.
### Cloud Management Tools
Technologies designed for managing SAP BTP. Internally known as Foundation.
### Cockpit
The central point of entry to key information about your accounts and applications, and for managing all activities associated with your account.
### Connectivity
Provides secure, reliable access to business systems or remote services running on-premises or in the cloud.
---
## D
### Destination
A configuration that contains the connection details for a remote communication partner. Allows separation of application code from configuration.
### Disaster
An event declared by SAP when there is a loss of utilities and services, and uncertainty about whether they can be restored within a reasonable period of time.
### Disaster Recovery (DR)
A set of policies, tools, and procedures to protect applications by preserving and rapidly resuming their availability in case of a disaster.
### Durability
The ability of a system to permanently store data without loss or corruption.
---
## E
### Enterprise Account
An enterprise account is usually associated with one SAP customer or partner and is typically subject to charges.
### Entitlement
Your right to provision and consume a resource (service plan) on SAP BTP.
### Environment
Constitutes the SAP BTP actual Platform-as-a-Service offering that allows for the development and administration of applications.
---
## F
### Failover
The automated or manually triggered process of switching from one system to another redundant system in case of an unexpected or planned downtime.
### Formation
A logical grouping of SAP systems that can be extended in a single business scenario. Enables communication between systems.
---
## G
### Global Account
The realization of a contract you made with SAP. A global account is region- and environment-independent, and it is used to manage subaccounts, members, entitlements and quotas.
---
## I
### Identity Provider (IdP)
An authorization authority containing all user information and credentials. In SAP BTP, user information is provided by identity providers, not stored in SAP BTP itself.
### In-Metro Disaster Recovery
Solution using synchronous data replication across multiple AZs within a single region to protect against localized disasters.
---
## K
### Kyma Environment
A fully managed cloud-native Kubernetes application runtime based on the open-source project Kyma.
### Kyma Module
Modular component that can be selectively installed on a Kyma cluster to provide specific functionality.
---
## M
### Member
Indicates a user's assignment to an account. As an account member, a user automatically has the permissions required to use the SAP BTP functionality within the scope of the respective account and as permitted by their account member roles.
### Multi-Target Application (MTA)
A package consisting of multiple modules that are deployed together on SAP BTP.
---
## O
### OAuth
Widely adopted security protocol for protecting resources over the Internet, used by social networks and corporate networks.
### Org (Organization)
A hierarchical level in the account structure of SAP BTP using a Cloud Foundry subaccount. Each Cloud Foundry subaccount contains exactly one Cloud Foundry org.
---
## P
### Platform Service
Software that enables, facilitates, or accelerates the development of applications and other platform services on SAP BTP.
### Platform User
User who manages and administers SAP BTP (developer, administrator, operator).
### Principal Propagation
Forwarding of user identity from one system to another for single sign-on and authorization.
### Programming Model
A set of concepts, languages, runtimes, and APIs used to create applications on SAP BTP.
---
## Q
### Quota
A numeric quantity that defines the maximum allowed consumption of a specific technical asset/resource.
---
## R
### Region
A geographical location (e.g., Europe, US East) where applications, data, or services are hosted. Usually consists of two or more availability zones.
### Resilience
The ability to provide and maintain an acceptable level of service in the face of faults and challenges until normal operation is restored.
### Role Collection
A group of roles assigned to users or groups to grant specific authorizations.
### Runtime
An engine or context for executing programs, such as Java Web Tomcat or Node.js.
---
## S
### SAP BTP, Cloud Foundry Environment
An open Platform-as-a-Service, which provides a scalable runtime container and a choice of clouds, runtimes, and services.
### SAP BTP, Kyma Runtime
A runtime developers can use to build cloud-native Kubernetes-based extensions to SAP by using microservices and serverless Functions.
### SAP BTP, Neo Environment
An enterprise Platform-as-a-Service providing a range of services (sunsetting December 31, 2028).
### SAP Cloud Application Programming Model (CAP)
A framework of languages, libraries, and tools for building enterprise-grade services and applications. Supports Java, JavaScript, and TypeScript.
### SAP ID Service
The default identity provider for SAP BTP applications. Manages the user base for SAP Community Network and other SAP websites.
### SAPUI5
A development toolkit providing UI controls for developing Web applications.
### Service Broker
When a developer provisions and binds a service to an application, the service broker for that service is responsible for providing the service instance and for binding services to applications.
### Service Plan
A variant of a service; for example, a database may be configured with various "t-shirt sizes", each of which is a different service plan.
### Shadow User
A copy of a user from an identity provider stored in SAP BTP for authorization purposes.
### Space
In the Cloud Foundry environment, every application and service is scoped to a space. A space provides users with access to a shared location for application development, deployment, and maintenance.
### Staging
The process in the Cloud Foundry environment by which the raw bits of an application are transformed into a droplet that is ready to execute.
### Subaccount
Lets you structure a global account according to customer requirements with regards to members, authorizations and quotas. Where actual deployments occur.
---
## T
### Technical Service
Platform services that enable, facilitate, or accelerate the generic development of an application, independent of the application's business process or task.
### Tool
A means for users to develop, configure, monitor and administer a service or entities managed by a service.
### Trial Account
90-day complimentary platform exploration with restricted resources.
---
## U
### User-Provided Service Instance
User-provided service instances enable you to use services that are not available in the marketplace with your applications running in the Cloud Foundry environment.
---
## X
### XSUAA
SAP Authorization and Trust Management Service. OAuth 2.0 authorization server for SAP BTP applications.
### xs-security.json
Application security descriptor defining scopes, roles, and attributes for XSUAA.
---
## Related Documentation
- Basic Concepts: [https://github.com/SAP-docs/sap-btp-cloud-platform/tree/main/docs/10-concepts](https://github.com/SAP-docs/sap-btp-cloud-platform/tree/main/docs/10-concepts)
- Full Glossary: [https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/glossary-e67a143.md](https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/glossary-e67a143.md)
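Review bot: The "Identity Provider (IdP)" entry calls it "An authorization authority", which conflicts with the rest of the same entry (it holds user information and credentials) and with the "Role Collection" and "Shadow User" entries, which place authorization inside SAP BTP. Suggest "authentication authority" so the split between who authenticates and who authorizes is consistent across the glossary. Also missing: the "btp CLI" entry refers to "global account, directory, and subaccount level", yet there is no "Directory" entry alongside "Global Account" and "Subaccount".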

499
references/kyma.md Normal file

@@ -0,0 +1,499 @@
# Kyma Environment Reference
Detailed guidance for SAP BTP Kyma environment development and administration.
**Source**: [https://github.com/SAP-docs/sap-btp-cloud-platform/tree/main/docs/10-concepts](https://github.com/SAP-docs/sap-btp-cloud-platform/tree/main/docs/10-concepts)
**Kyma Project**: [https://kyma-project.io/](https://kyma-project.io/)
---
## Table of Contents
1. [Architecture](#architecture)
2. [Modules](#modules)
3. [Namespaces](#namespaces)
4. [Deployment Patterns](#deployment-patterns)
5. [Service Consumption](#service-consumption)
6. [Serverless Functions](#serverless-functions)
7. [Eventing](#eventing)
8. [Security](#security)
9. [kubectl Commands](#kubectl-commands)
---
## Architecture
### Kyma in SAP BTP
- Fully managed Kubernetes runtime
- Based on open-source Kyma project
- Built on Gardener-managed Kubernetes clusters
- Modular architecture with selectable components
- 1:1 relationship: Subaccount → Kyma Cluster
### Supported Technologies
- CAP (Cloud Application Programming Model)
- SAP Cloud SDK
- Application Router
- HTML5 Deployer
- Docker containers
- Helm charts
### Structure
```
Subaccount (1:1 with Kyma Cluster)
└── Kubernetes Cluster
├── kyma-system (SAP managed)
├── namespace: dev
│ ├── Deployments
│ ├── Services
│ └── Functions
├── namespace: test
└── namespace: prod
```
---
## Modules
### Default Modules (Always Installed)
| Module | Purpose |
|--------|---------|
| `istio` | Service mesh with Kyma-specific configuration |
| `api-gateway` | Expose and secure APIs |
| `btp-operator` | Consume SAP BTP services via Kubernetes |
### Optional Modules
| Module | Purpose |
|--------|---------|
| `serverless` | Deploy simple code functions |
| `eventing` | CloudEvents pub/sub (NATS or SAP Event Mesh) |
| `application-connector` | Integrate external systems |
| `telemetry` | Collect logs and traces |
| `keda` | Event-driven autoscaling |
| `nats` | NATS cluster for eventing |
| `cloud-manager` | Cloud provider product integration |
### Module Management
```bash
# List available modules
kubectl get kymas -n kyma-system
# Add module via BTP Cockpit or kubectl
kubectl patch kyma default -n kyma-system --type merge -p '
spec:
modules:
- name: serverless
'
```
### Community Modules
User-provided modules without:
- Automatic updates
- SLA coverage
- SAP support
---
## Namespaces
### Best Practices
- Use namespaces for environment separation
- Apply resource quotas per namespace
- Implement network policies for isolation
### Create Namespace
```yaml
# namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
name: my-app
labels:
istio-injection: enabled
```
```bash
kubectl apply -f namespace.yaml
```
### Resource Quotas
```yaml
apiVersion: v1
kind: ResourceQuota
metadata:
name: my-quota
namespace: my-app
spec:
hard:
requests.cpu: "4"
requests.memory: 8Gi
limits.cpu: "8"
limits.memory: 16Gi
pods: "20"
```
---
## Deployment Patterns
### Standard Deployment
```yaml
# deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: my-app
namespace: my-namespace
spec:
replicas: 2
selector:
matchLabels:
app: my-app
template:
metadata:
labels:
app: my-app
spec:
containers:
- name: my-app
image: my-registry/my-app:latest
ports:
- containerPort: 8080
resources:
requests:
memory: "256Mi"
cpu: "100m"
limits:
memory: "512Mi"
cpu: "500m"
```
### Service
```yaml
apiVersion: v1
kind: Service
metadata:
name: my-app
namespace: my-namespace
spec:
selector:
app: my-app
ports:
- port: 80
targetPort: 8080
```
### API Rule (Expose API)
```yaml
apiVersion: gateway.kyma-project.io/v1beta1
kind: APIRule
metadata:
name: my-app
namespace: my-namespace
spec:
gateway: kyma-gateway.kyma-system.svc.cluster.local
host: my-app
service:
name: my-app
port: 80
rules:
- path: /.*
methods: ["GET", "POST", "PUT", "DELETE"]
accessStrategies:
- handler: jwt
config:
jwks_urls:
- [https://<subaccount>.authentication.<region>.hana.ondemand.com/token_keys](https://<subaccount>.authentication.<region>.hana.ondemand.com/token_keys)
```
### Helm Chart
```bash
# Install with Helm
helm install my-app ./my-chart -n my-namespace
# Upgrade
helm upgrade my-app ./my-chart -n my-namespace
# Rollback
helm rollback my-app 1 -n my-namespace
```
---
## Service Consumption
### SAP BTP Operator
Consume SAP BTP services via Kubernetes resources:
```yaml
# ServiceInstance
apiVersion: services.cloud.sap.com/v1
kind: ServiceInstance
metadata:
name: my-hana
namespace: my-namespace
spec:
serviceOfferingName: hana-cloud
servicePlanName: hana
parameters:
memory: 32
---
# ServiceBinding
apiVersion: services.cloud.sap.com/v1
kind: ServiceBinding
metadata:
name: my-hana-binding
namespace: my-namespace
spec:
serviceInstanceName: my-hana
secretName: my-hana-credentials
```
### Using Credentials
```yaml
env:
- name: HANA_URL
valueFrom:
secretKeyRef:
name: my-hana-credentials
key: url
```
---
## Serverless Functions
### Function Definition
```yaml
apiVersion: serverless.kyma-project.io/v1alpha2
kind: Function
metadata:
name: my-function
namespace: my-namespace
spec:
runtime: nodejs20
source:
inline:
source: |
module.exports = {
main: async function (event, context) {
const message = event.data?.message || "Hello World";
return { statusCode: 200, body: { message } };
}
};
resourceConfiguration:
function:
resources:
requests:
cpu: "50m"
memory: "64Mi"
limits:
cpu: "100m"
memory: "128Mi"
```
### Expose Function
```yaml
apiVersion: gateway.kyma-project.io/v1beta1
kind: APIRule
metadata:
name: my-function
namespace: my-namespace
spec:
gateway: kyma-gateway.kyma-system.svc.cluster.local
host: my-function
service:
name: my-function
port: 80
rules:
- path: /.*
methods: ["GET", "POST"]
accessStrategies:
- handler: noop # No authentication
```
---
## Eventing
### Subscription
```yaml
apiVersion: eventing.kyma-project.io/v1alpha2
kind: Subscription
metadata:
name: my-subscription
namespace: my-namespace
spec:
sink: [http://my-function.my-namespace.svc.cluster.local](http://my-function.my-namespace.svc.cluster.local)
source: myapp
types:
- order.created.v1
```
### Publishing Events
```javascript
// CloudEvent format
const event = {
specversion: "1.0",
type: "order.created.v1",
source: "myapp",
id: uuid(),
data: { orderId: "12345" }
};
await fetch(`${EVENTING_ENDPOINT}/publish`, {
method: "POST",
headers: { "Content-Type": "application/cloudevents+json" },
body: JSON.stringify(event)
});
```
---
## Security
### API Gateway Authentication
JWT validation with XSUAA:
```yaml
accessStrategies:
- handler: jwt
config:
jwks_urls:
- [https://<subaccount>.authentication.<region>.hana.ondemand.com/token_keys](https://<subaccount>.authentication.<region>.hana.ondemand.com/token_keys)
trusted_issuers:
- [https://<subaccount>.authentication.<region>.hana.ondemand.com/oauth/token](https://<subaccount>.authentication.<region>.hana.ondemand.com/oauth/token)
```
### RBAC
```yaml
# Role
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: developer
namespace: my-namespace
rules:
- apiGroups: ["", "apps"]
resources: ["pods", "deployments", "services"]
verbs: ["get", "list", "create", "update", "delete"]
---
# RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: developer-binding
namespace: my-namespace
subjects:
- kind: User
name: developer@example.com
roleRef:
kind: Role
name: developer
apiGroup: rbac.authorization.k8s.io
```
### Network Policies
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny
namespace: my-namespace
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
```
---
## kubectl Commands
### Authentication
```bash
# Download kubeconfig from BTP Cockpit
# Or use kubelogin for OIDC
export KUBECONFIG=~/.kube/kyma-kubeconfig.yaml
kubectl get nodes
```
### Common Operations
```bash
# List resources
kubectl get pods -n my-namespace
kubectl get deployments -n my-namespace
kubectl get services -n my-namespace
# Apply configuration
kubectl apply -f deployment.yaml
# View logs
kubectl logs -f deployment/my-app -n my-namespace
# Describe resource
kubectl describe pod my-pod -n my-namespace
# Execute command in pod
kubectl exec -it my-pod -n my-namespace -- /bin/sh
# Port forward
kubectl port-forward svc/my-app 8080:80 -n my-namespace
# Delete resources
kubectl delete -f deployment.yaml
```
### Troubleshooting
```bash
# Get events
kubectl get events -n my-namespace --sort-by='.lastTimestamp'
# Check pod status
kubectl get pods -n my-namespace -o wide
# View container logs
kubectl logs my-pod -c my-container -n my-namespace
# Previous container logs
kubectl logs my-pod -c my-container -n my-namespace --previous
```
---
## Related Documentation
- Kyma Environment: [https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/10-concepts/kyma-environment-468c2f3.md](https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/10-concepts/kyma-environment-468c2f3.md)
- Kyma Modules: [https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/10-concepts/kyma-modules-0dda141.md](https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/10-concepts/kyma-modules-0dda141.md)
- Getting Started: [https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/20-getting-started/getting-started-in-the-kyma-environment-d1abd18.md](https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/20-getting-started/getting-started-in-the-kyma-environment-d1abd18.md)
- Kyma Project: [https://kyma-project.io/docs/](https://kyma-project.io/docs/)
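Review bot: The "Expose Function" APIRule uses `handler: noop # No authentication` on `path: /.*` with GET and POST, so anyone who copies it publishes the function without any access control, while the "Security" section further down documents the `jwt` handler with `jwks_urls` and `trusted_issuers`. Suggest using the JWT strategy in the function example as well, or stating next to `noop` that it is for local testing only. A second point in "Module Management": `kubectl patch ... --type merge` with a body containing only `- name: serverless` replaces the `spec.modules` list as a whole, so modules already listed there would be removed; document that the existing entries must be included, or point to the BTP Cockpit path only.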

423
references/operations.md Normal file

@@ -0,0 +1,423 @@
# Operations and Monitoring Reference
Complete guidance for SAP BTP operations, monitoring, logging, and alerting.
**Source**: [https://github.com/SAP-docs/sap-btp-cloud-platform/tree/main/docs/50-administration-and-ops](https://github.com/SAP-docs/sap-btp-cloud-platform/tree/main/docs/50-administration-and-ops)
---
## Table of Contents
1. [Monitoring Overview](#monitoring-overview)
2. [SAP Cloud ALM](#sap-cloud-alm)
3. [Application Logging](#application-logging)
4. [Audit Logging](#audit-logging)
5. [Alert Notification](#alert-notification)
6. [Health Monitoring](#health-monitoring)
7. [Operating Model](#operating-model)
8. [Data Protection](#data-protection)
---
## Monitoring Overview
### Monitoring Stack
```
Application Layer
↓ Logs & Metrics
SAP Cloud Logging / Application Logging
↓ Analysis
SAP Cloud ALM / External Tools
↓ Alerts
SAP Alert Notification
↓ Channels
Email / Slack / ServiceNow / Cloud ALM
```
### Available Services
| Service | Purpose |
|---------|---------|
| **SAP Cloud ALM** | End-to-end application lifecycle management |
| **Application Logging** | Application log collection and analysis |
| **SAP Cloud Logging** | Observability across CF, Kyma, K8s |
| **Audit Log** | Security-relevant activity records |
| **Alert Notification** | Multi-channel alerting |
---
## SAP Cloud ALM
Enterprise application lifecycle management included with SAP Enterprise Support.
### Capabilities
| Feature | Description |
|---------|-------------|
| **Real User Monitoring** | End-user experience tracking |
| **Health Monitoring** | Application and service health |
| **Integration Monitoring** | Integration flow status |
| **Exception Monitoring** | Error detection and analysis |
| **Job Automation Monitoring** | Scheduled job tracking |
| **Business Process Monitoring** | Process KPIs |
### Setup
1. Activate SAP Cloud ALM in BTP Cockpit
2. Configure data collection agents
3. Set up monitoring dashboards
4. Configure alert rules
### Integration
```
SAP BTP Applications → SAP Cloud ALM
← Alert Notification
```
---
## Application Logging
### Service Plans
| Plan | Features |
|------|----------|
| **lite** | Basic logging, limited retention |
| **standard** | Extended retention, advanced features |
### Setup
```bash
# Create service instance
cf create-service application-logs lite my-logs
# Bind to application
cf bind-service my-app my-logs
# Restage application
cf restage my-app
```
### Log Levels
| Level | Use Case |
|-------|----------|
| **ERROR** | Errors requiring attention |
| **WARN** | Warning conditions |
| **INFO** | General information |
| **DEBUG** | Debugging information |
### Viewing Logs
**CF CLI**:
```bash
# Recent logs
cf logs my-app --recent
# Tail logs
cf logs my-app
# Specific time range
cf logs my-app --recent | grep "ERROR"
```
**Kibana Dashboard**:
- Access via Application Logging service
- Create custom visualizations
- Set up log-based alerts
### Log Retention
| Plan | Retention |
|------|-----------|
| lite | 7 days |
| standard | Configurable |
---
## Audit Logging
Security-relevant chronological records for compliance and security.
### Audit Categories
| Category | Description |
|----------|-------------|
| `audit.data-access` | Sensitive personal data access |
| `audit.data-modification` | Sensitive data changes |
| `audit.security-events` | Login, logout, security events |
| `audit.configuration` | Security configuration changes |
### Service Plans
| Plan | Features | Retention | Cost |
|------|----------|-----------|------|
| **default** | BTP service audit data | 90 days | Included |
| **premium** | Custom app audit data | Configurable | Additional |
### Audit Log Retrieval
**Via Viewer**:
1. Subscribe to SAP Audit Log Viewer Service
2. Assign viewer roles
3. Access via BTP Cockpit
**Via API**:
```bash
curl -X GET "[https://auditlog.cf.<region>.hana.ondemand.com/v2/auditlogrecords"](https://auditlog.cf.<region>.hana.ondemand.com/v2/auditlogrecords") \
-H "Authorization: Bearer <token>" \
-H "Accept: application/json"
```
### Writing Audit Logs (Custom Apps)
```javascript
// Node.js example
const auditLog = require('@sap/audit-logging');
const log = auditLog.v2(credentials);
await log.dataAccess({
object: { type: 'customer', id: '12345' },
attributes: ['email', 'phone'],
accessChannel: 'API'
}).tenant('tenant-id').by('user@example.com').log();
```
---
## Alert Notification
Multi-channel alerting service for BTP events.
### Alert Channels
| Channel | Configuration |
|---------|---------------|
| **Email** | SMTP settings |
| **Slack** | Webhook URL |
| **Microsoft Teams** | Webhook URL |
| **ServiceNow** | Instance URL + credentials |
| **SAP Cloud ALM** | Direct integration |
| **Webhook** | Custom HTTP endpoint |
### Alert Configuration
```json
{
"conditions": {
"type": "CONDITION_TREE",
"children": [
{
"type": "LEAF",
"parameter": "eventType",
"operator": "=",
"value": "audit.security-events"
}
]
},
"actions": [
{
"type": "EMAIL",
"properties": {
"destination": "alerts@example.com"
}
}
]
}
```
### Event Types
| Category | Events |
|----------|--------|
| **Application** | Start, stop, crash |
| **Service** | Binding changes, instance updates |
| **Security** | Authentication failures, role changes |
| **Platform** | Quota warnings, maintenance |
---
## Health Monitoring
### Application Health Checks
**Cloud Foundry**:
```yaml
# manifest.yml
applications:
- name: my-app
health-check-type: http
health-check-http-endpoint: /health
health-check-timeout: 60
```
**Kyma**:
```yaml
# deployment.yaml
livenessProbe:
httpGet:
path: /health
port: 8080
initialDelaySeconds: 30
periodSeconds: 10
readinessProbe:
httpGet:
path: /ready
port: 8080
initialDelaySeconds: 5
periodSeconds: 5
```
### Health Endpoints
```javascript
// Express.js health endpoint
app.get('/health', (req, res) => {
res.json({
status: 'UP',
checks: {
database: checkDatabase(),
cache: checkCache()
}
});
});
```
---
## Operating Model
### Shared Responsibility Model
| Area | SAP Responsibility | Customer Responsibility |
|------|-------------------|------------------------|
| **Platform** | Infrastructure, OS, patches | - |
| **Runtime** | CF/Kyma platform | Application code |
| **Services** | BTP service availability | Service configuration |
| **Security** | Platform security | Application security |
| **Data** | Encryption at rest | Data classification |
| **Backup** | Platform backups | Application backups |
### Cloud Foundry vs Kyma Differences
| Aspect | Cloud Foundry | Kyma |
|--------|---------------|------|
| **Security Patches** | SAP provisions patched versions | Customer creates new Docker images |
| **Container Security** | SAP hardened defaults | Customer configures per K8s recommendations |
| **Custom Databases** | SAP backup support | Customer manages backups |
| **User Management** | Subaccount level | Subaccount + Kyma RBAC |
### Go-Live Checklist
1. **Deploy to Production**
- Production environment configured
- All services bound
- Environment variables set
2. **Configure Access**
- Business users provisioned
- Role collections assigned
- SSO configured
3. **Set Up Monitoring**
- Application logging enabled
- Health checks configured
- Alerts set up
4. **Document**
- Runbooks created
- Support contacts identified
- Escalation paths defined
---
## Data Protection
### GDPR Compliance
SAP BTP provides technical features for data protection:
| Feature | Purpose |
|---------|---------|
| **Audit Logging** | Track data access |
| **Change Logging** | Record modifications |
| **Data Deletion** | Support erasure requests |
| **Consent Management** | Manage user consent |
### Personal Data Guidelines
**Avoid Personal Data In**:
- Account names
- Database names
- Tenant identifiers
- Technical field names
**Proper Handling**:
- Classify data sensitivity
- Implement access controls
- Enable audit logging
- Document processing activities
### User Data Locations
| User Type | Storage Location |
|-----------|-----------------|
| Global Account Users | Platform IdP or Cloud Identity Services |
| Platform Users | Multiple IdPs possible |
| Business Users | Cloud Identity Services or custom IdP |
### Data Subject Requests
1. **Access Requests**: Use audit logs to identify data access
2. **Deletion Requests**: Use deletion APIs or manual processes
3. **Portability**: Export via APIs
---
## Operational Commands
### CF Application Operations
```bash
# Restart application
cf restart my-app
# Scale instances
cf scale my-app -i 3
# View app events
cf events my-app
# SSH for debugging
cf ssh my-app
# Check environment
cf env my-app
```
### Kyma Operations
```bash
# Restart deployment
kubectl rollout restart deployment/my-app -n my-namespace
# Scale deployment
kubectl scale deployment my-app --replicas=3 -n my-namespace
# View events
kubectl get events -n my-namespace --sort-by='.lastTimestamp'
# Check pod status
kubectl describe pod <pod-name> -n my-namespace
```
---
## Related Documentation
- Operations: [https://github.com/SAP-docs/sap-btp-cloud-platform/tree/main/docs/50-administration-and-ops](https://github.com/SAP-docs/sap-btp-cloud-platform/tree/main/docs/50-administration-and-ops)
- Audit Logging: [https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/50-administration-and-ops/audit-logging-in-the-cloud-foundry-environment-f92c86a.md](https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/50-administration-and-ops/audit-logging-in-the-cloud-foundry-environment-f92c86a.md)
- Operating Model: [https://github.com/SAP-docs/sap-btp-cloud-platform/tree/main/docs/70-getting-support](https://github.com/SAP-docs/sap-btp-cloud-platform/tree/main/docs/70-getting-support)
- Data Protection: [https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/60-security/data-protection-and-privacy-7e513d3.md](https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/60-security/data-protection-and-privacy-7e513d3.md)
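Review bot: The Express `/health` handler under "Health Endpoints" always answers with `status: 'UP'` and the default 200 status, whatever `checkDatabase()` and `checkCache()` return, so the `health-check-type: http` check configured in the manifest earlier in this file can never observe a failed dependency. Suggest deriving the status from the check results and returning a non-2xx code (for example 503) when one fails; if the checks are asynchronous they also need to be awaited before `res.json` is called. Two smaller points: in "Viewing Logs" the comment `# Specific time range` sits over `cf logs my-app --recent | grep "ERROR"`, which filters by text rather than by time, so the comment should describe an error filter; and the audit-logging sample uses `await` at the top level of a file that loads the library with `require`, which does not parse as CommonJS unless the call is wrapped in an async function.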

View File

@@ -0,0 +1,232 @@
# Regions and API Endpoints Reference
Complete reference for SAP BTP regions across all environments.
**Source**: [https://github.com/SAP-docs/sap-btp-cloud-platform/tree/main/docs/10-concepts](https://github.com/SAP-docs/sap-btp-cloud-platform/tree/main/docs/10-concepts)
---
## Table of Contents
1. [Cloud Foundry Regions](#cloud-foundry-regions)
2. [Kyma Regions](#kyma-regions)
3. [ABAP Environment Regions](#abap-environment-regions)
4. [Trial Regions](#trial-regions)
5. [EU Access Regions](#eu-access-regions)
6. [BTP Cockpit URLs](#btp-cockpit-urls)
---
## Cloud Foundry Regions
### Amazon Web Services (AWS)
| Region | Location | API Endpoint | Domain |
|--------|----------|--------------|--------|
| eu10 | Frankfurt | api.cf.eu10.hana.ondemand.com | cfapps.eu10.hana.ondemand.com |
| eu10-002 | Frankfurt | api.cf.eu10-002.hana.ondemand.com | cfapps.eu10-002.hana.ondemand.com |
| eu10-003 | Frankfurt | api.cf.eu10-003.hana.ondemand.com | cfapps.eu10-003.hana.ondemand.com |
| eu10-004 | Frankfurt | api.cf.eu10-004.hana.ondemand.com | cfapps.eu10-004.hana.ondemand.com |
| eu11 | Frankfurt | api.cf.eu11.hana.ondemand.com | cfapps.eu11.hana.ondemand.com |
| eu13 | Milan | api.cf.eu13.hana.ondemand.com | cfapps.eu13.hana.ondemand.com |
| us10 | US East (Virginia) | api.cf.us10.hana.ondemand.com | cfapps.us10.hana.ondemand.com |
| us10-001 | US East (Virginia) | api.cf.us10-001.hana.ondemand.com | cfapps.us10-001.hana.ondemand.com |
| us11 | US West (Oregon) | api.cf.us11.hana.ondemand.com | cfapps.us11.hana.ondemand.com |
| br10 | Brazil (São Paulo) | api.cf.br10.hana.ondemand.com | cfapps.br10.hana.ondemand.com |
| jp10 | Japan (Tokyo) | api.cf.jp10.hana.ondemand.com | cfapps.jp10.hana.ondemand.com |
| ap10 | Australia (Sydney) | api.cf.ap10.hana.ondemand.com | cfapps.ap10.hana.ondemand.com |
| ap11 | Singapore | api.cf.ap11.hana.ondemand.com | cfapps.ap11.hana.ondemand.com |
| ap12 | South Korea (Seoul) | api.cf.ap12.hana.ondemand.com | cfapps.ap12.hana.ondemand.com |
| ca10 | Canada (Montreal) | api.cf.ca10.hana.ondemand.com | cfapps.ca10.hana.ondemand.com |
### Microsoft Azure
| Region | Location | API Endpoint | Domain |
|--------|----------|--------------|--------|
| eu20 | Netherlands | api.cf.eu20.hana.ondemand.com | cfapps.eu20.hana.ondemand.com |
| eu20-001 | Netherlands | api.cf.eu20-001.hana.ondemand.com | cfapps.eu20-001.hana.ondemand.com |
| us20 | US West | api.cf.us20.hana.ondemand.com | cfapps.us20.hana.ondemand.com |
| us21 | US East | api.cf.us21.hana.ondemand.com | cfapps.us21.hana.ondemand.com |
| jp20 | Japan (Tokyo) | api.cf.jp20.hana.ondemand.com | cfapps.jp20.hana.ondemand.com |
| ap20 | Australia (Sydney) | api.cf.ap20.hana.ondemand.com | cfapps.ap20.hana.ondemand.com |
| ap21 | Singapore | api.cf.ap21.hana.ondemand.com | cfapps.ap21.hana.ondemand.com |
| br20 | Brazil (São Paulo) | api.cf.br20.hana.ondemand.com | cfapps.br20.hana.ondemand.com |
| ca20 | Canada (Toronto) | api.cf.ca20.hana.ondemand.com | cfapps.ca20.hana.ondemand.com |
| ch20 | Switzerland (Zurich) | api.cf.ch20.hana.ondemand.com | cfapps.ch20.hana.ondemand.com |
### Google Cloud Platform (GCP)
| Region | Location | API Endpoint | Domain |
|--------|----------|--------------|--------|
| us30 | US Central (Iowa) | api.cf.us30.hana.ondemand.com | cfapps.us30.hana.ondemand.com |
| eu30 | Frankfurt | api.cf.eu30.hana.ondemand.com | cfapps.eu30.hana.ondemand.com |
| in30 | India (Mumbai) | api.cf.in30.hana.ondemand.com | cfapps.in30.hana.ondemand.com |
| il30 | Israel (Tel Aviv) | api.cf.il30.hana.ondemand.com | cfapps.il30.hana.ondemand.com |
| jp30 | Japan (Osaka) | api.cf.jp30.hana.ondemand.com | cfapps.jp30.hana.ondemand.com |
| jp31 | Japan (Tokyo) | api.cf.jp31.hana.ondemand.com | cfapps.jp31.hana.ondemand.com |
| sa30 | Saudi Arabia (Dammam) | api.cf.sa30.hana.ondemand.com | cfapps.sa30.hana.ondemand.com |
| sa31 | Saudi Arabia (Dammam) | api.cf.sa31.hana.ondemand.com | cfapps.sa31.hana.ondemand.com |
| ap30 | Australia (Sydney) | api.cf.ap30.hana.ondemand.com | cfapps.ap30.hana.ondemand.com |
| br30 | Brazil (São Paulo) | api.cf.br30.hana.ondemand.com | cfapps.br30.hana.ondemand.com |
### Other Providers
| Region | Provider | Location | API Endpoint |
|--------|----------|----------|--------------|
| cn40 | Alibaba Cloud | Shanghai | api.cf.cn40.platform.sapcloud.cn |
| cn20 | Azure China | China North | api.cf.cn20.platform.sapcloud.cn |
| eu01 | SAP Cloud Infra | Frankfurt | api.cf.eu01.hana.ondemand.com |
| ae01 | SAP Cloud Infra | Dubai | api.cf.ae01.hana.ondemand.com |
---
## Kyma Regions
### AWS Regions
| Region | Location |
|--------|----------|
| eu10 | Frankfurt |
| us10 | US East (Virginia) |
| jp10 | Japan (Tokyo) |
| ap10 | Australia (Sydney) |
| ap11 | Singapore |
| ap12 | South Korea (Seoul) |
| br10 | Brazil (São Paulo) |
| ca10 | Canada (Montreal) |
### Azure Regions
| Region | Location |
|--------|----------|
| eu20 | Netherlands |
| us20 | US West |
| us21 | US East |
| jp20 | Japan (Tokyo) |
| ap20 | Australia (Sydney) |
| ap21 | Singapore |
### GCP Regions
| Region | Location |
|--------|----------|
| us30 | US Central (Iowa) |
| eu30 | Frankfurt |
---
## ABAP Environment Regions
| Region | Provider | Location |
|--------|----------|----------|
| eu10 | AWS | Frankfurt |
| us10 | AWS | US East (Virginia) |
| jp10 | AWS | Japan (Tokyo) |
| ap10 | AWS | Australia (Sydney) |
| ap11 | AWS | Singapore |
| eu20 | Azure | Netherlands |
| us20 | Azure | US West |
| jp20 | Azure | Japan (Tokyo) |
---
## Trial Regions
### Cloud Foundry Trial
| Region | Provider | Location |
|--------|----------|----------|
| us10 | AWS | US East (Virginia) |
| ap21 | Azure | Singapore |
### Kyma Trial
| Region | Provider | Location |
|--------|----------|----------|
| Free plan | AWS | Various |
Trial limitations:
- 90-day duration
- Limited resources
- Apps stop daily
- No SLA
---
## EU Access Regions
For contracts requiring data processing within EEA/Switzerland only:
| Region | Provider | Supports EU Access |
|--------|----------|-------------------|
| eu10 | AWS | Yes |
| eu11 | AWS | Yes |
| eu20 | Azure | Yes |
| eu30 | GCP | Yes |
| ch20 | Azure | Yes |
**Note**: Not all services support EU Access. Check SAP Discovery Center for service availability.
---
## BTP Cockpit URLs
### Global Cockpit
- **Production**: [https://cockpit.btp.cloud.sap](https://cockpit.btp.cloud.sap)
- **China**: [https://cockpit.cn40.platform.sapcloud.cn](https://cockpit.cn40.platform.sapcloud.cn)
### Region-Specific Cockpits
| Pattern | Example |
|---------|---------|
| Cloud Foundry | [https://cockpit.cf.<region>.hana.ondemand.com](https://cockpit.cf.<region>.hana.ondemand.com) |
| Authentication | [https://<subaccount>.authentication.<region>.hana.ondemand.com](https://<subaccount>.authentication.<region>.hana.ondemand.com) |
### CLI Endpoints
| Tool | Endpoint Pattern |
|------|------------------|
| btp CLI | [https://cpcli.cf.<region>.hana.ondemand.com](https://cpcli.cf.<region>.hana.ondemand.com) |
| CF CLI | [https://api.cf.<region>.hana.ondemand.com](https://api.cf.<region>.hana.ondemand.com) |
| UAA | [https://uaa.cf.<region>.hana.ondemand.com](https://uaa.cf.<region>.hana.ondemand.com) |
---
## Network Considerations
### NAT IPs (Egress)
Each region has NAT IPs for outbound traffic. IPs may change with at least 4 weeks notice.
### Load Balancer IPs (Ingress)
Each region has dedicated load balancer IPs for inbound traffic.
### Firewall Rules
For on-premise connectivity:
- Allow outbound HTTPS (443) to Cloud Connector
- Allow outbound to region-specific endpoints
---
## Region Selection Factors
| Factor | Consideration |
|--------|---------------|
| **Latency** | Choose region closest to users |
| **Data Residency** | Legal requirements for data location |
| **EU Access** | EEA/Switzerland-only processing |
| **Service Availability** | Not all services in all regions |
| **Provider Preference** | AWS, Azure, GCP capabilities |
| **Disaster Recovery** | Multi-region strategy |
---
## Related Documentation
- CF Regions: [https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/10-concepts/regions-and-api-endpoints-available-for-the-cloud-foundry-environment-f344a57.md](https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/10-concepts/regions-and-api-endpoints-available-for-the-cloud-foundry-environment-f344a57.md)
- Kyma Regions: [https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/10-concepts/regions-for-the-kyma-environment-557ec3a.md](https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/10-concepts/regions-for-the-kyma-environment-557ec3a.md)
- ABAP Regions: [https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/10-concepts/regions-and-api-endpoints-for-the-abap-environment-879f373.md](https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/10-concepts/regions-and-api-endpoints-for-the-abap-environment-879f373.md)
- SAP Discovery Center: [https://discovery-center.cloud.sap/](https://discovery-center.cloud.sap/)
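Review bot: Under "Firewall Rules", `Allow outbound HTTPS (443) to Cloud Connector` has the direction reversed. The Cloud Connector runs on-premise and opens the connection itself, so the rule to document is outbound HTTPS (443) from the Cloud Connector host to the region-specific endpoints, with no inbound opening toward the corporate network. As written, a reader could take the line as a request to expose the Cloud Connector. The "NAT IPs (Egress)" and "Load Balancer IPs (Ingress)" sections also state that the addresses exist without listing them or linking to where they are published, which leaves nothing to build an allowlist from; a link to the published list would close that gap. Minor: the Table of Contents stops at "BTP Cockpit URLs" and omits "Network Considerations" and "Region Selection Factors", and the "Kyma Trial" table puts `Free plan` in the Region column.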

442
references/security.md Normal file
View File

@@ -0,0 +1,442 @@
# Security Reference
Complete security guidance for SAP BTP including authentication, authorization, and identity management.
**Source**: [https://github.com/SAP-docs/sap-btp-cloud-platform/tree/main/docs/60-security](https://github.com/SAP-docs/sap-btp-cloud-platform/tree/main/docs/60-security)
---
## Table of Contents
1. [Security Overview](#security-overview)
2. [Identity Providers](#identity-providers)
3. [Trust Configuration](#trust-configuration)
4. [Authorization](#authorization)
5. [XSUAA Configuration](#xsuaa-configuration)
6. [Role Collections](#role-collections)
7. [Principal Propagation](#principal-propagation)
8. [Audit Logging](#audit-logging)
9. [Security Best Practices](#security-best-practices)
---
## Security Overview
### User Types
| Type | Description | Authentication |
|------|-------------|----------------|
| **Platform Users** | Manage BTP infrastructure | Global account/subaccount trust |
| **Business Users** | Use deployed applications | Application-level trust |
### Security Layers
```
Identity Provider (Source of Truth)
SAP Cloud Identity Services (Proxy/Direct)
SAP BTP (Shadow Users)
Role Collections → Application Access
```
### Encryption
- TLS 1.2 or higher mandatory
- TLS 1.0/1.1 not supported
- TLS 1.3 available via Custom Domain Manager
- HTTPS required for all communication
---
## Identity Providers
### SAP ID Service (Default)
- Default identity provider for SAP BTP
- Manages SAP Community users
- Suitable for testing and trial accounts
- Not recommended for production
### SAP Cloud Identity Services
**Recommended for production**:
- Identity Authentication for authentication
- Identity Provisioning for user sync
- Corporate IdP integration via proxy
### Identity Provider Architecture
```
Corporate IdP (SAML/OIDC)
SAP Cloud Identity Services - Identity Authentication
SAP BTP Platform (Trust Configuration)
Applications (XSUAA)
```
### Identity Authentication Onboarding
1. Get Identity Authentication tenant
2. Add multiple administrators (different time zones)
3. Enable MFA for administrators
4. Configure security monitoring
5. Set up corporate IdP proxy (optional)
6. Establish trust with SAP BTP
---
## Trust Configuration
### Subaccount Trust Setup
**For Platform Users**:
```
Global Account → Trust Configuration → Add Identity Provider
```
**For Business Users**:
```
Subaccount → Trust Configuration → New Trust Configuration
```
### OIDC Trust Configuration
```json
{
"name": "my-corporate-idp",
"type": "oidc",
"origin": "my-idp-origin",
"config": {
"issuer": "[https://idp.example.com",](https://idp.example.com",)
"clientId": "my-client-id",
"clientSecret": "***",
"authorizationEndpoint": "[https://idp.example.com/authorize",](https://idp.example.com/authorize",)
"tokenEndpoint": "[https://idp.example.com/token",](https://idp.example.com/token",)
"userInfoEndpoint": "[https://idp.example.com/userinfo"](https://idp.example.com/userinfo")
}
}
```
### SAML Trust Configuration
**Setup Steps**:
1. Export SAML metadata XML from your IdP
2. In BTP Cockpit: Subaccount → Trust Configuration → New Trust Configuration
3. Upload IdP metadata (contains signing certificate, endpoints)
4. Configure attribute mapping (email, groups, custom attributes)
5. Download BTP SAML metadata for IdP registration
6. Test authentication flow
**Metadata Exchange**:
```
IdP Metadata → BTP BTP Metadata → IdP
- Entity ID - Entity ID
- SSO URL - Assertion Consumer URL
- Signing Certificate - Signing Certificate
- NameID format - Supported bindings
```
**Certificate Handling**:
- IdP certificates expire—monitor and update before expiry
- BTP auto-generates service provider certificate
- For certificate renewal: upload new IdP metadata with updated certificate
- Grace period allows both old and new certificates during transition
---
## Authorization
### Authorization Methods
| Method | Best For | Pros | Cons |
|--------|----------|------|------|
| **Provisioning** | Production, many users | Centralized, automated offboarding | Sync delay |
| **Federation** | Simple scenarios | Real-time, simple setup | Orphaned users |
| **Manual** | Testing only | Quick setup | Not scalable |
### Provisioning (Recommended)
```
Identity Directory → Identity Provisioning → SAP BTP
```
Benefits:
- Automated user lifecycle management
- Central role assignment
- Immediate offboarding
### Federation
User attributes from IdP mapped to roles at runtime:
- No user sync required
- Real-time attribute updates
- Risk of orphaned shadow users
---
## XSUAA Configuration
### xs-security.json
Application security descriptor:
```json
{
"xsappname": "my-app",
"tenant-mode": "dedicated",
"scopes": [
{
"name": "$XSAPPNAME.Read",
"description": "Read access"
},
{
"name": "$XSAPPNAME.Write",
"description": "Write access"
},
{
"name": "$XSAPPNAME.Admin",
"description": "Admin access"
}
],
"attributes": [
{
"name": "Country",
"description": "User country",
"valueType": "string"
}
],
"role-templates": [
{
"name": "Viewer",
"description": "Read-only user",
"scope-references": ["$XSAPPNAME.Read"]
},
{
"name": "Editor",
"description": "Read-write user",
"scope-references": ["$XSAPPNAME.Read", "$XSAPPNAME.Write"]
},
{
"name": "Administrator",
"description": "Full access",
"scope-references": ["$XSAPPNAME.Read", "$XSAPPNAME.Write", "$XSAPPNAME.Admin"]
}
],
"role-collections": [
{
"name": "MyApp_Viewer",
"description": "View my-app data",
"role-template-references": ["$XSAPPNAME.Viewer"]
}
]
}
```
### Service Instance Creation
```bash
# Cloud Foundry
cf create-service xsuaa application my-xsuaa -c xs-security.json
# Kyma (ServiceInstance)
kubectl apply -f - <<EOF
apiVersion: services.cloud.sap.com/v1
kind: ServiceInstance
metadata:
name: my-xsuaa
spec:
serviceOfferingName: xsuaa
servicePlanName: application
parameters:
xsappname: my-app
tenant-mode: dedicated
scopes:
- name: \$XSAPPNAME.Read
description: Read access
EOF
```
---
## Role Collections
### Structure
```
Role Collection
├── Role 1 (from Role Template)
│ └── Scopes
├── Role 2
└── Users/Groups assigned
```
### Creating Role Collections
**Via BTP Cockpit**:
1. Navigate to Subaccount → Security → Role Collections
2. Create new role collection
3. Add roles from application role templates
4. Assign users or groups
**Via btp CLI**:
```bash
# Assign user to role collection
btp assign security/role-collection "MyApp_Viewer" \
--to-user user@example.com \
--of-idp my-idp-origin
# List role collections
btp list security/role-collection
```
### Group Mapping
Map IdP groups to role collections:
```bash
btp assign security/role-collection "MyApp_Viewer" \
--to-group "AppViewers" \
--of-idp my-idp-origin
```
---
## Principal Propagation
Forward user identity to backend systems:
### On-Premise via Cloud Connector
```
User → SAP BTP App → Cloud Connector → On-Premise System
(SAML assertion) (X.509 certificate)
```
**Destination Configuration**:
```json
{
"Name": "my-onprem-system",
"Type": "HTTP",
"URL": "[http://virtualhost:port",](http://virtualhost:port",)
"ProxyType": "OnPremise",
"Authentication": "PrincipalPropagation"
}
```
### Cloud-to-Cloud
```
User → SAP BTP App → SAP Cloud Service
(OAuth2SAMLBearerAssertion)
```
**Destination Configuration**:
```json
{
"Name": "my-cloud-service",
"Type": "HTTP",
"URL": "[https://api.example.com",](https://api.example.com",)
"Authentication": "OAuth2SAMLBearerAssertion",
"audience": "[https://audience.example.com",](https://audience.example.com",)
"tokenServiceURL": "[https://token.example.com/oauth/token"](https://token.example.com/oauth/token")
}
```
---
## Audit Logging
### Enabling Audit Log
1. Subscribe to SAP Audit Log Viewer Service
2. Configure audit log retention
3. Access via BTP Cockpit or API
### Audit Categories
| Category | Description |
|----------|-------------|
| **Security Events** | Login attempts, authorization changes |
| **Data Access** | Read operations on sensitive data |
| **Data Modification** | Create, update, delete operations |
| **Configuration Changes** | System configuration updates |
### Audit Log Retrieval API
```bash
# Get audit logs
curl -X GET "[https://auditlog.cf.<region>.hana.ondemand.com/v2/auditlogrecords"](https://auditlog.cf.<region>.hana.ondemand.com/v2/auditlogrecords") \
-H "Authorization: Bearer <token>"
```
---
## Security Best Practices
### Identity Management
1. **Use SAP Cloud Identity Services** for production
2. **Enable MFA** for all administrators
3. **Maintain backup administrators** in default IdP
4. **Use provisioning** over federation for user lifecycle
### Access Control
1. **Principle of least privilege** - minimal required access
2. **Regular access reviews** - remove unused permissions
3. **Avoid generic admin accounts** - individual accountability
4. **Document role assignments** - audit trail
### Platform Access
| Environment | Dev Access | Prod Access |
|-------------|------------|-------------|
| Development | Cloud Dev Team | No access |
| Production | No access | Platform Engineering |
### Application Security
1. **Validate all inputs** - prevent injection attacks
2. **Use XSUAA** for authentication
3. **Implement authorization checks** - scope validation
4. **Enable audit logging** - track access
5. **Encrypt sensitive data** - at rest and in transit
### Credential Management
1. **Use destinations** - never hardcode URLs/credentials
2. **Rotate secrets regularly** - service keys, passwords
3. **Use service bindings** - credentials via VCAP_SERVICES
4. **Secure credential store** - for application secrets
---
## Troubleshooting
### Common Issues
| Issue | Solution |
|-------|----------|
| 401 Unauthorized | Check token, verify trust configuration |
| 403 Forbidden | Check role assignments, scope requirements |
| Invalid redirect URI | Update callback URL in XSUAA config |
| Token expired | Implement token refresh logic |
### Debug Token
```bash
# Decode JWT token
echo "<token>" | cut -d. -f2 | base64 -d | jq
```
---
## Related Documentation
- Security Overview: [https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/60-security/security-e129aa2.md](https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/60-security/security-e129aa2.md)
- XSUAA: [https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/60-security/sap-authorization-and-trust-management-service-6373bb7.md](https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/60-security/sap-authorization-and-trust-management-service-6373bb7.md)
- Troubleshooting: [https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/60-security/troubleshooting-for-sap-authorization-and-trust-management-service-c33d777.md](https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/60-security/troubleshooting-for-sap-authorization-and-trust-management-service-c33d777.md)
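Review bot: In "Debug Token", `echo "<token>" | cut -d. -f2 | base64 -d | jq` will fail on many real tokens, because JWT segments are base64url-encoded without padding while `base64 -d` expects the standard alphabet with padding. Suggest translating `-` and `_` to `+` and `/` and restoring the padding before decoding, or pointing to a JWT-aware tool. The section should also say that decoding does not verify the signature, so the output is for inspection only, and that typing a live token on the command line leaves it in shell history. Two consistency points: "Provisioning (Recommended)" lists "Immediate offboarding" as a benefit while the "Authorization Methods" table gives "Sync delay" as the drawback of the same method, and "Common Issues" tells the reader to fix "Invalid redirect URI" by updating the callback URL in the XSUAA config although the `xs-security.json` sample contains no `oauth2-configuration` block with `redirect-uris` to update.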

471
references/tools.md Normal file
View File

@@ -0,0 +1,471 @@
# Tools Reference
Complete reference for SAP BTP administration and development tools.
**Source**: [https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/10-concepts/tools-abcae5b.md](https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/10-concepts/tools-abcae5b.md)
---
## Table of Contents
1. [Administration Tools](#administration-tools)
2. [btp CLI](#btp-cli)
3. [Cloud Foundry CLI](#cloud-foundry-cli)
4. [Development Tools](#development-tools)
5. [Kubernetes Tools](#kubernetes-tools)
6. [Terraform Provider](#terraform-provider)
---
## Administration Tools
| Tool | Purpose | Access |
|------|---------|--------|
| **SAP BTP Cockpit** | Web-based admin UI | [https://cockpit.btp.cloud.sap](https://cockpit.btp.cloud.sap) |
| **btp CLI** | Terminal administration | Download from BTP Cockpit |
| **REST APIs** | Programmatic access | SAP API Business Hub |
| **Terraform Provider** | Infrastructure as Code | registry.terraform.io |
| **SAP Automation Pilot** | Low-code automation | BTP service |
---
## btp CLI
### Installation
1. Download from BTP Cockpit → Downloads
2. Extract and add to PATH
3. Verify: `btp --version`
### Authentication
```bash
# Login with SSO
btp login
# Login with specific URL
btp login --url [https://cpcli.cf.eu10.hana.ondemand.com](https://cpcli.cf.eu10.hana.ondemand.com)
# Login with password (not recommended)
btp login --user user@example.com --password xxx
# Logout
btp logout
```
### Global Account Operations
```bash
# List subaccounts
btp list accounts/subaccount
# Get global account details
btp get accounts/global-account
# List directories
btp list accounts/directory
```
### Subaccount Operations
```bash
# Create subaccount
btp create accounts/subaccount \
--display-name "Development" \
--subdomain dev-acme \
--region eu10
# Update subaccount
btp update accounts/subaccount <subaccount-id> \
--display-name "New Name"
# Delete subaccount
btp delete accounts/subaccount <subaccount-id>
# Target subaccount (set context)
btp target --subaccount <subaccount-id>
```
### Directory Operations
```bash
# Create directory
btp create accounts/directory \
--display-name "HR" \
--directory-features ENTITLEMENTS,AUTHORIZATIONS
# List directories
btp list accounts/directory
# Delete directory
btp delete accounts/directory <directory-id>
```
### Entitlement Operations
```bash
# List entitlements
btp list accounts/entitlement
# Assign entitlement to subaccount
btp assign accounts/entitlement \
--to-subaccount <subaccount-id> \
--for-service hana-cloud \
--plan hana \
--amount 1
# Remove entitlement
btp unassign accounts/entitlement \
--from-subaccount <subaccount-id> \
--for-service hana-cloud \
--plan hana
```
### Environment Operations
```bash
# List environments
btp list accounts/environment-instance
# Create environment instance
btp create accounts/environment-instance \
--subaccount <id> \
--environment cloudfoundry \
--plan standard \
--landscape eu10-004
# Delete environment
btp delete accounts/environment-instance <instance-id> --subaccount <subaccount-id>
```
### Security Operations
```bash
# List role collections
btp list security/role-collection
# Assign user to role collection
btp assign security/role-collection "Subaccount Administrator" \
--to-user user@example.com \
--of-idp sap.ids
# Assign group to role collection
btp assign security/role-collection "Developers" \
--to-group "DevTeam" \
--of-idp my-idp
```
### Service Operations
```bash
# List available services
btp list services/offering
# List service plans
btp list services/plan
# Create service instance
btp create services/instance \
--subaccount <id> \
--offering-name hana-cloud \
--plan-name hana \
--name my-hana
```
### Output Formats
```bash
# JSON output
btp --format json list accounts/subaccount
# Table output (default)
btp list accounts/subaccount
```
---
## Cloud Foundry CLI
### Installation
```bash
# macOS
brew install cloudfoundry/tap/cf-cli@8
# Linux (Debian/Ubuntu)
wget -q -O - [https://packages.cloudfoundry.org/debian/cli.cloudfoundry.org.key](https://packages.cloudfoundry.org/debian/cli.cloudfoundry.org.key) | sudo apt-key add -
echo "deb [https://packages.cloudfoundry.org/debian](https://packages.cloudfoundry.org/debian) stable main" | sudo tee /etc/apt/sources.list.d/cloudfoundry-cli.list
sudo apt update && sudo apt install cf8-cli
# Windows (via Chocolatey)
choco install cloudfoundry-cli
```
### Authentication
```bash
# Login
cf login -a [https://api.cf.eu10.hana.ondemand.com](https://api.cf.eu10.hana.ondemand.com)
# Login with SSO
cf login --sso
# Target org and space
cf target -o my-org -s my-space
# Logout
cf logout
```
### Application Commands
```bash
# Push application
cf push my-app -p ./app.jar -m 512M -i 2
# List applications
cf apps
# View application details
cf app my-app
# Start/Stop/Restart
cf start my-app
cf stop my-app
cf restart my-app
# Scale
cf scale my-app -i 3 -m 1G
# Delete application
cf delete my-app -f
```
### Service Commands
```bash
# Marketplace
cf marketplace
# Create service instance
cf create-service hana hdi-shared my-hana
# List services
cf services
# Bind service
cf bind-service my-app my-hana
# Unbind service
cf unbind-service my-app my-hana
# Create service key
cf create-service-key my-hana my-key
# View service key
cf service-key my-hana my-key
```
### Log Commands
```bash
# View recent logs
cf logs my-app --recent
# Tail logs
cf logs my-app
# View events
cf events my-app
```
### CF CLI Plugins
| Plugin | Purpose | Installation |
|--------|---------|--------------|
| MTA | Multi-target apps | `cf install-plugin -r CF-Community multiapps` |
| HTML5 | HTML5 apps | `cf install-plugin -r CF-Community html5-plugin` |
| Service Fabrik | Service management | From SAP |
```bash
# Install MTA plugin
cf install-plugin -r CF-Community multiapps
# Deploy MTA
cf deploy my-app.mtar
# List MTAs
cf mtas
```
---
## Development Tools
### SAP Business Application Studio
Web-based IDE features:
- VS Code-based editor
- Dev Spaces with preconfigured tools
- SAP Fiori development
- CAP development
- ABAP development (via ADT)
**Access**: Subaccount → Services → SAP Business Application Studio
### SAP Build
Low-code/no-code platform:
- SAP Build Apps (drag-and-drop apps)
- SAP Build Process Automation (workflows)
- SAP Build Work Zone (unified launchpad)
### SAP Cloud SDK
Development libraries:
- Java SDK
- JavaScript/TypeScript SDK
- Abstraction for multitenancy, connectivity, logging
```bash
# Install JavaScript SDK
npm install @sap-cloud-sdk/core
```
### Eclipse Tools
| Tool | Purpose |
|------|---------|
| **ADT** | ABAP Development Tools |
| **CF Plugin** | Cloud Foundry deployment |
---
## Kubernetes Tools
### kubectl
```bash
# Install
brew install kubectl # macOS
sudo apt install kubectl # Linux
# Configure for Kyma
export KUBECONFIG=~/.kube/kyma-config.yaml
kubectl get pods -A
```
### kubelogin
OIDC authentication for Kyma:
```bash
# Install
brew install int128/kubelogin/kubelogin
# Login
kubelogin
```
### Helm
```bash
# Install
brew install helm
# Add repo
helm repo add my-repo [https://charts.example.com](https://charts.example.com)
# Install chart
helm install my-release my-repo/my-chart -n my-namespace
# Upgrade
helm upgrade my-release my-repo/my-chart
# List releases
helm list -A
```
### Docker
```bash
# Build image
docker build -t my-app:latest .
# Push to registry
docker push my-registry/my-app:latest
# Run locally
docker run -p 8080:8080 my-app:latest
```
### Pack (Cloud Native Buildpacks)
```bash
# Install
brew install buildpacks/tap/pack
# Build image
pack build my-app --builder paketobuildpacks/builder:base
```
---
## Terraform Provider
### Installation
```hcl
terraform {
required_providers {
btp = {
source = "SAP/btp"
version = "~> 1.0"
}
}
}
```
### Provider Configuration
```hcl
provider "btp" {
globalaccount = "my-global-account"
cli_server_url = "[https://cli.btp.cloud.sap"](https://cli.btp.cloud.sap")
}
```
### Resource Examples
```hcl
# Subaccount
resource "btp_subaccount" "dev" {
name = "Development"
subdomain = "dev-acme"
region = "eu10"
}
# Entitlement
resource "btp_subaccount_entitlement" "hana" {
subaccount_id = btp_subaccount.dev.id
service_name = "hana-cloud"
plan_name = "hana"
amount = 1
}
# Role collection assignment
resource "btp_subaccount_role_collection_assignment" "dev_admin" {
subaccount_id = btp_subaccount.dev.id
role_collection_name = "Subaccount Administrator"
user_name = "admin@example.com"
origin = "sap.ids"
}
```
---
## Related Documentation
- Tools Overview: [https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/10-concepts/tools-abcae5b.md](https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/10-concepts/tools-abcae5b.md)
- btp CLI: [https://github.com/SAP-docs/sap-btp-cloud-platform/tree/main/docs/50-administration-and-ops](https://github.com/SAP-docs/sap-btp-cloud-platform/tree/main/docs/50-administration-and-ops)
- Terraform: [https://registry.terraform.io/providers/SAP/btp/latest/docs](https://registry.terraform.io/providers/SAP/btp/latest/docs)
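Review bot: Several fenced commands in this file carry Markdown link syntax inside the code, so they cannot be copied and run as written. This affects the `cf login -a` API endpoint, the `helm repo add my-repo` chart URL, and the Terraform provider line `cli_server_url = "[https://cli.btp.cloud.sap"](https://cli.btp.cloud.sap")`, which is not a valid HCL string. Replace each with the bare URL. In the Docker section the image is built as `my-app:latest` but pushed as `my-registry/my-app:latest`; add a `docker tag` step or build with the registry-qualified name, otherwise the push refers to an image that does not exist locally. The Service Commands block should also state that `cf service-key my-hana my-key` prints the instance credentials to the terminal, so its output must be kept out of logs and tickets.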

View File

@@ -0,0 +1,462 @@
# Troubleshooting Reference
Common issues and solutions for SAP BTP.
**Source**: [https://github.com/SAP-docs/sap-btp-cloud-platform/tree/main/docs/60-security](https://github.com/SAP-docs/sap-btp-cloud-platform/tree/main/docs/60-security)
---
## Table of Contents
1. [Authentication Issues](#authentication-issues)
2. [Authorization Issues](#authorization-issues)
3. [Trust Configuration Issues](#trust-configuration-issues)
4. [Token Issues](#token-issues)
5. [XSUAA Issues](#xsuaa-issues)
6. [Cloud Foundry Issues](#cloud-foundry-issues)
7. [Kyma Issues](#kyma-issues)
8. [Connectivity Issues](#connectivity-issues)
9. [Service Instance Issues](#service-instance-issues)
---
## Authentication Issues
### Login Screen Shows "SAP HANA XS Advanced"
**Cause**: Application using wrong login endpoint
**Solution**:
1. Check xs-app.json authentication configuration
2. Verify XSUAA service binding
3. Ensure correct UAA URL in environment
### Identity Provider Could Not Process Authentication Request
**Cause**: Trust configuration mismatch
**Solution**:
1. Verify trust configuration in subaccount
2. Check IdP SAML/OIDC metadata is current
3. Ensure certificates are not expired
4. Verify assertion consumer service URL
### Access Is Denied or Forbidden
**Causes**:
- Missing role assignments
- Incorrect scope configuration
- User not in required group
**Solutions**:
1. Check user role collection assignments
2. Verify application scopes in xs-security.json
3. Check IdP group mappings
4. Verify trust configuration
### AuthnRequest Expired
**Cause**: Time synchronization issue between IdP and BTP
**Solution**:
1. Sync IdP server time with NTP
2. Check for clock skew > 5 minutes
3. Verify SAML response timestamps
---
## Authorization Issues
### Cannot Add Role Templates to Predefined Role Collections
**Cause**: Predefined role collections are immutable
**Solution**:
1. Create custom role collection
2. Add desired role templates
3. Assign custom role collection to users
### User Has Role But Still Gets 403
**Causes**:
- Scope not checked in application
- Cache not refreshed
- Wrong role collection assigned
**Solutions**:
1. Verify application checks correct scope
2. Clear browser cache, re-login
3. Check role collection contains required roles
4. Verify role template references correct scopes
### Missing Administrator Access
**Cause**: No administrator assigned to account
**Solutions**:
1. Contact SAP support if locked out
2. Use emergency administrator in default IdP
3. Check SAP ID Service access
---
## Trust Configuration Issues
### 409 Error When Deleting Custom Identity Provider
**Cause**: Trust configuration still in use
**Solution**:
1. Remove all user assignments from this IdP
2. Delete shadow users from this IdP origin
3. Then delete trust configuration
### Subdomain Does Not Map to Valid Identity Zone
**Cause**: Invalid or non-existent subaccount subdomain
**Solutions**:
1. Verify subdomain in subaccount settings
2. Check UAA URL format
3. Ensure subaccount exists and is active
### IAS Application Reference Not Created
**Cause**: Identity Authentication tenant issue
**Solutions**:
1. Verify Identity Authentication subscription
2. Check trust configuration status
3. Re-establish trust if needed
### Trust Establishment Issues
**Common causes**:
- Expired certificates
- Incorrect metadata
- Network issues
**Solutions**:
1. Re-download IdP metadata
2. Update trust configuration
3. Verify network connectivity to IdP
---
## Token Issues
### 400 Error: OAuth Token Call Not Successful
**Causes**:
- Invalid client credentials
- Wrong token endpoint
- Expired client secret
**Solutions**:
1. Verify client ID and secret
2. Check token service URL
3. Regenerate service key if needed
### Token Retrieval Fails with 401
**Causes**:
- Invalid credentials
- Token expired
- Wrong authentication method
**Solutions**:
1. Check client credentials in service binding
2. Verify token not expired
3. Use correct grant type
### Invalid Redirect URI
**Cause**: Callback URL not registered in XSUAA
**Solution**:
1. Add redirect URI to xs-security.json:
```json
{
"oauth2-configuration": {
"redirect-uris": [
"[https://myapp.cfapps.eu10.hana.ondemand.com/**"](https://myapp.cfapps.eu10.hana.ondemand.com/**")
]
}
}
```
2. Update service instance
3. Restage application
---
## XSUAA Issues
### No Client with Requested ID
**Cause**: Service instance not found or wrong client ID
**Solutions**:
1. Verify XSUAA service instance exists
2. Check VCAP_SERVICES for correct credentials
3. Ensure binding is active
### XSUAA Limits Exceeded
**Limits**:
- 100 role templates per application
- 100 scopes per application
- 50 attributes per application
**Solution**: Consolidate roles and scopes
### Sharing Service Instance Issues
**Solutions**:
1. Verify instance supports sharing
2. Check cross-subaccount trust
3. Use service instance sharing API
---
## Cloud Foundry Issues
### Application Won't Start
**Common causes**:
- Out of memory
- Port binding issues
- Missing dependencies
- Buildpack errors
**Debugging**:
```bash
# View logs
cf logs my-app --recent
# Check events
cf events my-app
# SSH for debugging
cf ssh my-app
```
### Service Binding Failed
**Causes**:
- Service not available in space
- Quota exceeded
- Service broker error
**Solutions**:
1. Check marketplace availability
2. Verify quota assignments
3. Check service broker status
### Requested Route Does Not Exist
**Causes**:
- Route not mapped
- Application stopped
- Wrong domain
**Solutions**:
1. Map route: `cf map-route my-app cfapps.eu10.hana.ondemand.com -n my-hostname`
2. Start application
3. Verify domain is correct
### Push Fails with Timeout
**Solutions**:
1. Increase timeout: `cf push -t 180`
2. Check buildpack compatibility
3. Reduce application size
4. Check staging logs
---
## Kyma Issues
### Pod Not Starting
**Debugging**:
```bash
# Check pod status
kubectl describe pod <pod-name> -n <namespace>
# View events
kubectl get events -n <namespace> --sort-by='.lastTimestamp'
# Check logs
kubectl logs <pod-name> -n <namespace>
```
**Common causes**:
- Image pull errors
- Resource limits
- Configuration errors
### Service Binding Not Working (BTP Operator)
**Causes**:
- BTP Operator module not installed
- Incorrect service instance name
- Namespace issues
**Solutions**:
1. Verify BTP Operator module enabled
2. Check ServiceInstance status
3. Verify namespace labels
### API Rule Not Working
**Debugging**:
```bash
kubectl get apirules -n <namespace>
kubectl describe apirule <name> -n <namespace>
```
**Common causes**:
- Wrong host configuration
- Authentication configuration issues
- Istio gateway issues
---
## Connectivity Issues
### Destination Not Found
**Causes**:
- Destination not created
- Wrong destination name
- Missing binding
**Solutions**:
1. Create destination in subaccount
2. Verify exact name match
3. Bind destination service to app
### Cloud Connector Not Connected
**Causes**:
- Network issues
- Certificate expired
- Configuration error
**Solutions**:
1. Check Cloud Connector status
2. Verify certificates
3. Check firewall rules
4. Review Cloud Connector logs
### Principal Propagation Failing
**Causes**:
- Trust not configured
- Certificate mapping incorrect
- Backend system configuration
**Solutions**:
1. Verify trust chain complete
2. Check certificate subject mapping
3. Configure backend for SSO
---
## Service Instance Issues
### Instance Creation Failed
**Common causes**:
- Quota exceeded
- Invalid parameters
- Service plan unavailable
**Debugging**:
```bash
# CF CLI
cf service my-service
# Check marketplace
cf marketplace -e <service>
```
### Extension Service Instance Failed
**For S/4HANA Extensibility**:
1. Verify system registration complete
2. Check communication arrangement syntax
3. Verify entitlements assigned
**For SuccessFactors Extensibility**:
1. Verify system registration
2. Check technical user credentials
3. Verify SSO configuration if used
---
## Debugging Commands
### Cloud Foundry
```bash
# Application info
cf app my-app
cf env my-app
# Logs
cf logs my-app --recent
cf logs my-app
# Events
cf events my-app
# SSH
cf ssh my-app
cf ssh my-app -c "cat /proc/meminfo"
# Services
cf services
cf service my-service
```
### Kyma/Kubernetes
```bash
# Pod debugging
kubectl get pods -n <ns>
kubectl describe pod <pod> -n <ns>
kubectl logs <pod> -n <ns>
kubectl exec -it <pod> -n <ns> -- /bin/sh
# Service debugging
kubectl get svc -n <ns>
kubectl describe svc <svc> -n <ns>
# Events
kubectl get events -n <ns> --sort-by='.lastTimestamp'
# Resource status
kubectl get all -n <ns>
```
### Token Debugging
```bash
# Decode JWT
echo "<token>" | cut -d. -f2 | base64 -d | jq
# Test token endpoint
curl -X POST "[https://<uaa-url>/oauth/token"](https://<uaa-url>/oauth/token") \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials" \
-u "client_id:client_secret"
```
---
## Related Documentation
- Security Troubleshooting: [https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/60-security/troubleshooting-for-sap-authorization-and-trust-management-service-c33d777.md](https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/60-security/troubleshooting-for-sap-authorization-and-trust-management-service-c33d777.md)
- Extensions Troubleshooting: [https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/40-extensions/troubleshooting-for-sap-s-4hana-cloud-extensibility-service-3725f59.md](https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/40-extensions/troubleshooting-for-sap-s-4hana-cloud-extensibility-service-3725f59.md)
- Getting Support: [https://github.com/SAP-docs/sap-btp-cloud-platform/tree/main/docs/70-getting-support](https://github.com/SAP-docs/sap-btp-cloud-platform/tree/main/docs/70-getting-support)
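Review bot: The JWT decode one-liner under Token Debugging, `echo "<token>" | cut -d. -f2 | base64 -d | jq`, will fail on many real tokens because JWT segments are base64url encoded without padding. Translate `-_` to `+/` and restore the `=` padding before `base64 -d`, or name a tool that decodes base64url directly. The curl example below it has two problems: the token URL is wrapped in Markdown link syntax inside the code fence, and `-u "client_id:client_secret"` puts the client secret into shell history and the process list, so the text should recommend supplying it from an environment variable or an interactive prompt. In the Invalid Redirect URI fix, the suggested `redirect-uris` entry ends in `/**`, which accepts any path on that host (the line also has the same link-syntax damage); the guidance should point to the narrowest callback path that works. `cf env my-app` in Debugging Commands dumps bound service credentials and deserves the same caution, and the Debugging Commands section is missing from the Table of Contents.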