SAP Community - Martin Pankraz

Hey ABAP Cloud please let me save my data export to Azure Storage please🥺🙏- part 4

2023-11-21T13:21:26+01:00

👉🏿back to blog series or jump to GitHub repos🧑🏽‍💻

<<part 3

Hello and welcome back to your ABAP Cloud with Microsoft integration journey. Part 3 of this series got you covered with modern GraphQL API definition on top of your ABAP Cloud RAP APIs to expose a single API endpoint that may consume many different OData, OpenAPI, or REST endpoints at the same time.

Today will be different. Sparked by a SAP community conversation with dpanzer and lars.hvam including a community question by rammel on working with files with ABAP Cloud, I got inspired to propose a solution for the question below:

Before we dive into my proposal see here a list of alternative options that I came across as food for thought for your own research.

Mount a file system to a Cloud Foundry app	Create custom API hosted by your CF app and call via http client from ABAP Cloud
Connect to SFTP server via SAP Cloud Integration	Design iFlow and call via http client from ABAP Cloud
Integrate with SAP Document Management Service	Call SAP BTP REST APIs from ABAP Cloud directly
Integrate with SAP BTP Object Store exposing hyperscaler storage services using SDKs	Create custom API hosted by your CF or Kyma app and call via http client from ABAP Cloud
Serve directly from ABAP Code via XCO	Base64-encode your file content, wrap into ABAP code, and serve as XCO class. Lars likes it at least 😜. There were sarcastic smiles involved and some more “oh please”, so take it not too seriously.
Raise an influencing request at SAP to release something like the former NetWeaver MIME repos	Live the dream

A common theme among all the options is the need to interact with them from ABAP Cloud via the built-in http client. On the downside some options require an additional app on CF or Kyma to orchestrate the storage interactions.

Ideally ABAP Cloud integrates directly with the storage account to reduce complexity and maintenance.

You guessed rightly my own proposal focusses on direct integration with Azure Blob

To get started with this sample I ran through the SAP developer tutorial “Create Your First ABAP Cloud Console Application” and steps 1-6 of “Call an External API and Parse the Response in SAP BTP ABAP Environment. This way you can easily reproduce from an official reference.

Got your hello world on Eclipse? Great, onwards, and upwards in the stack we go then 🪜. Or down to the engine room – that depends on your perspective.

All the blob storage providers offer various options to authenticate with the service. See the current coverage for Azure here.

Fig.1 Screenshot of supported authentication methods for Azure Storage

The Microsoft Entra ID option offers superior security capabilities compared to access keys – which can be leaked or lost for example – and is therefore recommended by Microsoft.

For developer ease, I left the code using the simpler to configure “Shared-Access-Signature (SAS) tokens” commented on the shared GitHub repos. SAS tokens can be created from the Azure portal with two clicks.

The shared key approach requires a bit of hashing and marshaling on ABAP. Use the ABAP SDK for Azure to accelerate that part of your implementation. Check the “get_sas_token” method for reference.

Anonymous read access would only be ok for less sensitive content like static image files or the likes because anyone can access them once they have the URL.

For an enterprise-grade solution however, you will need to use a more secure protocol like OAuth2 with Microsoft Entra ID

Technically you could do the OAuth2 token fetching with plain http-client requests from ABAP Cloud. See this blog by jacek.wozniczak for instance. However, it is recommended to use the steampunk “Communication Management” to abstract away the configuration from your code. Think “external configuration store”. Also, it reduces the complexity of your ABAP code, because Communication Management handles the OAuth2 flow for you.

📢Note: SAP will release the needed capability to maintain OAuth2 scopes in communication arrangements as part of your ABAP Cloud requests with the upcoming SAP BTP, ABAP environment 2402.

So, till then you will need to use the BTP Destination service. Target destinations living on subaccount level by calling them like so (omitting the i_service_instance_name, thank you thwiegan for calling that out here😞

destination = cl_http_destination_provider=>create_by_cloud_destination(

        i_name = |azure-blob|

        i_authn_mode = if_a4c_cp_service=>service_specific

    ).

Or call destinations living on Cloud Foundry spaces like so:

destination = cl_http_destination_provider=>create_by_cloud_destination(

        i_name = |azure-blob|

        i_service_instance_name = |SAP_BTP_DESTINATION|

        i_authn_mode = if_a4c_cp_service=>service_specific

    ).

For above Cloud Foundry variation you need to deploy the “standard” communication scenario SAP_COM_0276. My generated arrangement id in this case was “SAP_BTP_DESTINATION”.

Be aware, SAP marked the approach with BTP destinations as deprecated for BTP ABAP. And we can now see why. It will be much nicer doing it from the single initial communication arrangement only, rather than having the overhead with additional services and arrangements. Looking forward to that in February 😎

Not everything is “bad” about using BTP destinations with ABAP Cloud though. They have management APIs, which the communication arrangements don’t have yet. Also, re-use of APIs across your BTP estate beyond the boundary of your ABAP Environment tenant would be useful.

A fully automated solution deployment with the BTP and Azure terraform providers is only possible with the destination service approach as of today.

See this TechEd 2023 session and watch this new sample repos (still in development) for reference.

The application flow is quite simple once the authentication part is figured out

Access your communication management config from your ABAP web Ui:

https://your-steampunk-domain.abap-web.eu20.hana.ondemand.com/ui#Shell-home

Steampunk supports the typical set of authentication flows for outbound communication users using http that you are used to from BTP. I chose the OAuth2 Client Credentials grant because that is most widely referenced in the BTP world and reasonably secure.

Fig.2 ABAP Cloud API flow including OAuth2 token request from Microsoft Entra ID

Since I am integrating with an Azure Storage account, I will need to authenticate via Microsoft Entra ID (formerly known as Azure Active Directory).

Yes, Microsoft likes renaming stuff from time to time, too 😉.

Using the Azure Storage REST API I can create, update, delete, and list files as I please.

The Entra ID setup takes a couple of clicks

Create a new App registration from Microsoft Entra ID service on your Azure portal and generate a new secret. Beware of the expiry date!

Below preferred option will start working once SAP adds the scope parameter for OAuth2 Client Credentials grant as described before.

Fig.3 Screenshot of attribute and secret mapping for ABAP Cloud Outbound user

For now, let’s have a look at a destination on subaccount level instead. Be aware the scope parameter needs to be “https://storage.azure.com/.default” (see fig.4 below, additional properties section called “scope” on the bottom right). That is also the setting that we are missing for the preferred approach mentioned above.

The standard login URLs for OAuth token endpoints on Microsoft Entra ID are the following:

https://login.microsoftonline.com/your-tenantId/oauth2/v2.0/token

https://login.microsoftonline.com/your-tenantId/oauth2/v2.0/authorize

Fig.4 Screenshot of attribute mapping from Entra ID to SAP BTP Destination

So far so good. Let’s roll the integration test from our ABAP console application on Eclipse (ADT).

Fig.5 Screenshot of file interaction from ABAP Cloud and data container view on Azure

Excellent, there is our booking request: Safe and sound stored as Azure Blob, posted from ABAP, and read again seamlessly.

See the shared Postman collection to help with your integration testing.

Thoughts on production readiness

The biggest caveat is the regularly required OAuth2 client credential secret rotation. Unfortunately, credential-free options with Azure Managed Identities are not possible, because BTP is hyperscaler-agnostic and does not expose the underlying Azure components to you.

Some of you might say next: let’s use client certificates with “veeery long validity time frames like 2038” to push out the problem beyond so far out someone else will have to deal with it. Well, certificate lifetimes get reduced more and more (TLS certs for instance have a maximum of 13 months at DigiCert since 2020) and you have to rotate them eventually, too 😉. With shorter certificate lifetimes more secure hashing algorithms come into effect much quicker for instance.

I will dedicate a separate post on client certificates (mTLS) with steampunk to consume Azure services.

What about federated identities? You could configure trust between your SAP Cloud Identity Service (or Steampunk auth service) and Microsoft Entra ID to allow requests from ABAP Cloud to authorize Azure services. However, that would be a more complex configuration with implications for your overall setup causing larger integration test needs. And we embarked on this journey to discover a simple solution not too far away from AL11 and the likes, right? 😅

See a working implementation of federated identities with SAP Cloud Identity service consuming Microsoft Graph published by my colleagure mraepple in his blog series here.

Ok, then let’s compromise and see how we can automatically rotate secrets. Azure Key Vault exposes events for secrets, keys, and certificates to inform downstream services about due expiry. With that a small low code app can be provided to perform the secret update. See below sample that went the extra mile asking the admins via Microsoft Teams if they wanted to perform the change or not:

Fig.6 Architecture of secret rotation with Azure Key Vault and secret refresh approval

A new secret for the app registration on Entra can be generated with the Microsoft Graph API like so. See this post for details on the Azure Key Vault aspects of the mix.

To apply that flow and propagate the new secret to steampunk, we need to call BTP APIs to save the new secret. See the BTP REST API for Destinations here to learn about the secret update method.

Have a look at my earlier blog post for specifics on how to do the same with certificates.

Estimated cost for such a secret rotation solution for 1000 rotations per month is around 2$ per month. With simpler configurations and less rotations, it can be covered by free tiers even.

Once you have applied the means of automation as discussed above you may incorporate this into your DevOps process and live happily ever after with no manual secret handling 😊.

Final Words

That’s a wrap 🌯you saw today how – in the absence of an application server file system and NetWeaver MIME repository (good old days) – you can use Azure Storage Account as your external data store from BTP ABAP Environment (steampunk) using ABAP Cloud. In addition to that, you gained insights into the proper setup for authentication and what flavors are supported by steampunk now. You got a glimpse into automated deployment of the solution with the BTP and Azure terraform provider.

To top it up you learnt what else is needed to operationalize the approach at scale with regular secret/certificate rotation.

Check SAP’s docs for external APIs with steampunk for further official materials.

What do you think dpanzer and lars.hvam? Not too bad, is it? 😉

Find all the resources to replicate this setup on this GitHub repos. Stay tuned for the remaining parts of the steampunk series with Microsoft Integration Scenarios from my overview post.

Cheers

Martin

Re: Terraform for SAP BTP - above and beyond

2023-11-28T14:14:48+01:00

Caboom lechner! What a post. How about linking our joint TechEd session where we deployed a CAP app to check "shipping state" via an Azure function using the new btp terraform provider?

teched2023-XP160

Happy tofu-ing.

Cheers

Re: Call/trigger an iflow from ABAP cloud

2023-12-18T08:20:05+01:00

Hey rammel, in ABAP Cloud you will need to use the class "cl_web_http_client_manager". Regarding security: well, you are calling a public Internet-facing cloud service 😉 So, you are dependent on it being secured by SAP and not be spoofed for instance. A best practice would be securing your iFlow trigger at least with a certificate or OAuth2 with SAP's XSUAA to secure the iFlow itself. You can go further than that with OIDC with Azure or SAP API Management fronting that iFlow.

You may consider running the iFlow in your own environment using SAP Edge Integration Cell.This way the trigger and runtime would not be Internetfacing anymore.

Generally speaking though, the application security should be tackled on app level not networking. Private networking is no guarantee to be more secure.

Re: Azure APIM TO S4HANA CONNECTIVITY VIA CI (Principal Propagation)

2024-01-31T11:22:52.042000+01:00

Thanks for sharing @Arundathi! Insightful blog. Are you aware of OAuth2SAMLBearer based authentication with Azure APIM towards SAP ECC/S4 for Principal Propagation? Could you shed some light on the reasoning why you chose the BTP route with short-lived certs?

Maybe a comment on how to vet the custom credential mapping table with compliance? Special maintenance process with small number of Admins?

KR Martin

Re: SAP ECC to Azure Data Factory

2024-01-31T11:36:29.359000+01:00

Hi @Sanjay_Daniel,

This is being discussed here: https://learn.microsoft.com/en-us/azure/sap/workloads/integration-get-started#azure-data-services I would recommend the SAP CDC connector in general.

KR Martin

Re: ABAP to Microsoft EWS

2024-01-31T11:51:01.349000+01:00

Always good to hear back you were able to solve and how @jakob_steen-petersen 🙂 did you consider using or at least getting inspired from the ABAP SDK for Azure to integrate with Microsoft Graph API? If not, why?

Also want to make you aware we keep our docs for the support auth setup for Exchange Online and SAP here.

KR Martin

Re: How to connect with "Microsoft Power Apps" or "Micros...

2024-02-28T09:00:03.891000+01:00

Hi @koide_yuya,

PowerApps interactions triggered by Buttons etc will point at PowerAutomate flows. From there you are free to trigger iFlows on Integration Suite as you like using the plain http connector for instance (push-based scenario). On PowerAutomate you may also retrieve the info from your app or do additional pulls from Dataverse that you want to pass along to your iflow.

SAP Open Connectors would be needed for pull-based scenarios from your iFlow.

Let the community know what you decided in the end.

Cheers Martin

Re: How to connect with "Microsoft Power Apps" or "Micros...

2024-03-04T11:41:56.119000+01:00

Yes, for the "push" you directly point at Integration Suite. Up to you if you need to front it with SAP APIM. For pull-based you may use the Dataverse Web API. That is plain OData and can be called with SAP's standard oData connector. No need for OpenConnectors. Alternatively, use Azure Data Factory to move the data from Dataverse to SAP

Re: Open your SAP OData APIs for some swagger – or how to make friends with the other kids from the

2024-03-04T17:10:29.904000+01:00

Hey @papsoc,

In case your chosen CA is not “well-known”, you need to also upload the intermediary and root certificate to APIM. Have a look at my other blog post subsection "Add the pfx file to Azure API Management" for more details. Also verify your APIM tier. Certificate-validation is not support in Consumption tier for instance.

Let me know if that fixes your 401.

KR Martin

Re: Open your SAP OData APIs for some swagger – or how to make friends with the other kids from the

2024-03-06T09:19:03.466000+01:00

Hey @papsoc,

1. Hard for me to tell from afar. You need to have the whole chain that sits on top of your client leaf certificate in C4C available in Azure APIM as CA certificate and the client cert for C4C on the "Certificates" section.

2. No won't work. How about you swap from Consumption to Developer tier? With Azure free credits you will be able to perform your validation at no cost.

KR Martin

Re: IAS is mandatory for customers with Microsoft Azure S...

2024-03-11T07:59:39.888000+01:00

We describe our best practices for the scenarios on the Microsoft docs here: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration

Re: IAS is mandatory for customers with Microsoft Azure S...

2024-03-11T08:01:10.336000+01:00

We describe our best practices for the scenarios of integrating SAP IAS and Entra ID (formerly Azure AD) on the Microsoft docs here: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration

Re: SAP Connector for .NET Framework 5.0 and higher

2024-03-20T16:09:51.541000+01:00

Hi @KentP,

SAP is tracking the item as influencing request. Engineering will make an update to give more clarity on timeline.

KR Martin

Re: Simplify SSO with Microsoft Entra ID (Azure AD) & SAP Identity Authentication Service

2024-03-22T08:56:16.855000+01:00

Thanks for sharing @PolySonika. I'd like to add the reference to the best-practices guide for Entra ID (formerly Azure AD) with SAP IAS. Find it on Microsoft Learn here.

Re: SAP application slow after Microsoft Defender was installed on server

2024-03-27T09:39:05.160000+01:00

@Syamkriz Please have a look at Microsoft's dedicated guidance for Defender for Endpoint on SAP hosts:

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mde-linux-deployment-on-sap

https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268

Re: Provision users from Microsoft Azure AD to SAP Cloud Identity Services - Identity Authentication

2024-04-02T09:53:38.724000+02:00

Hey @tskwin,

Have a look at the Microsoft learn page for our recommendations on Entra ID with SAP IAS. Note on the side: Be aware SAP recommends SAP IDM customers to migrate to Entra ID. Meaning the already deep integration between both ecosystems will increase even more over time.

KR Martin

Re: Provision users from Microsoft Azure AD to SAP Cloud Identity Services - Identity Authentication

2024-04-05T09:27:20.407000+02:00

Hey @tskwin,

not sure what your requirements are. If you need to synch groups you require SAP IPS. The mechanism described on our docs before is about mapping based on attributes like groups but actually re-creating them on the SAP side.

In general, like with any integration project, less redundancy and a single source of truth is beneficial.

KR Martin

Re: Single Sign On to SAP Cloud Integration (CPI runtime) from an external Identity Provider

2024-04-11T08:59:38.676000+02:00

Thank you for sharing @vinayak_adkoli! I am curious what scenarios require a people-based interactive authentication flow for CPI. Shouldn't this be solved on app layer rather than the iflow? SAP Principal Propagation would then be achieved through token exchange on CPI level.

It has never been easier to print from SAP with Microsoft Universal Print

2024-04-16T17:06:26.850000+02:00

👉🏿back to Microsoft Learn or jump to GitHub repos🧑🏽‍💻

Dear community,

Printing from SAP is rarely discussed with all the SAP S/4HANA cloud migration chatter, AI bliss, and sustainability efforts to avoid printing at all (don’t print this blog post😈). For some of you it is similarly mission critical, nevertheless.

For instance, consider a manufacturer that needs to print and attach labels to their products before they leave the factory. In case of disruption delivery is halted! It can be equally bad as an ERP outage.

Printer management and driver software maintenance for the different vendors are among the causes of headaches. Anyone emotionally attached to print servers💖? I hope not…

Those days are gone now – you will see the future with cloud printing and Microsoft Universal Print today! No more print servers!

Crowd🎉: Yes, and no more laser cartridge changes or replenishing paper stacks!

Don’t be ridiculous! Of course, you will still change cartridges and replenish paper! Till the robots come at least.

However, the drivers, print servers, and complicated setups are gone 😊And yes, it works with RISE, GROW, Azure, other hyperscalers, on-premises, and even down in your dark cellar where the poor “Raspberry Pies” are ticking away legacy integrat📱 if they have Internet uplink.

Enabling your SAP Business Users (Frontend Printing)

SAP front-end printing sends an output to a printer available for the user on their front-end device. In other words, a printer accessible by the operating system. The same client computer runs SAP GUI, or a browser (Fiori, BTP apps, WebGUI, you name it). To use Universal Print, you need to have access to such printers.

Client OS with support for Universal Print
Add Universal Print printer to your Windows client
Able to print on Universal Print printer from OS

See the Universal Print documentation for details on these prerequisites.

Find more details on the overall setup for SAP on the dedicated Microsoft Learn page.

Enabling unattended SAP processes (Backend Printing)

SAP offers the standard OData service as “Print Queue Item - Read (A2X)” to enable 3rd party integration with SAP Print Queues. You will see the term: Output Management Systems (OMS) being referenced on other SAP sources and docs entries.

In collaboration with SAP SE the capabilities of the communication scenario SAP_COM_0466 “Printing - Pull Integration” were made available to SAP NetWeaver SAP_BASIS releases 757 and upwards. Have a look at the SAP docs to which ERP releases the components apply 😊At the time of publishing this blog that would be S/4HANA 2022 and upwards.

See the SAP note “3420465 – Print queues in on-premise systems” to learn more about how to enable on your own SAP system.

Given the above preparations you are ready to integrate the SAP print queues with the Microsoft Graph API that powers Microsoft Universal Print. To get you started we shipped an open-source project on GitHub. For ease of use, and CI/CD best practices, the app is terraform enabled. But of course, you could also deploy manually if needed.

fig.1 Architecture Overview

Kick-off your SAP backend print process however you prefer with SAP standard means (print function on SAPGUI screens, Spool requests etc.). The simplest means for an integration test would be printing the ALV screen from transaction SP02. Find the print button and choose your new print queue as Output Device.

fig.2 Screenshot of test print from SAP transaction SP02

Note on the side: The new output device of type “Q: print via print queue” can be maintained from transaction SPAD. Find the setting under “Access Method -> Host Spool Access Method”.

On SAP S/4HANA Public Cloud tenants that ship Fiori apps or don’t offer SAPGUI access anymore use the app “Maintain Print Queues” and trigger “Create Test Page

fig.3 Screenshot of Fiori app "Print Queue" to trigger test page print

Our function app on Azure takes care of pulling the SAP print queue items, mapping the queues to your targeted Microsoft Universal Print cloud printer, securely managing the required credentials + identities, and handling robust upload of the print queue items to the cloud.
Once your output device reports back to Universal Print, the app notifies the SAP print queue on NetWeaver about a successful print via OData again. This way the integration and status tracking work end-to-end.

As a result, you will be greeted with a physical hard copy of a test page like this:

fig.4 Screenshot of printed test page

Depending on your needs, the Azure services can be injected into isolated private virtual networks next to the SAP system for instance. Use Azure ARC to deploy on-premises or to other hyperscalers.

Not too bad, huh? 😎

Find the latest deployment instructions, SAP specific FAQ, and community discussion on our GitHub repos. Your contributions are more than welcome!

For general FAQ on Universal Print see Microsoft Learn. In case you are looking to integrate special label printers have a look here.

Thoughts on production readiness

Most print device manufacturers already support Microsoft Universal Print. If they don’t yet, check Microsoft’s Universal Print connector to make them compatible.

Looking for front end printing for SAP on MacOS? Here you go.

Availability from SAP NetWeaver SAP_BASIS releases 757 and upwards ensures decent coverage for more recent SAP ECC and S/4HANA installations 😊

Universal Print relies on the Microsoft Graph API and the components involved in the integration use Azure PaaS services that power various mission critical workloads like O365 and M365 worldwide.

See the latest info on SLA here.

You are all set for prime time with cloud printing with SAP🚀

Partner solutions

SAP and Microsoft partners offer packaged solutions or even managed service offerings for SAP printing. See below initial list to get started.

DOM-Zone from BLUE-ZONE
RISE ONE from All for One Group
Universal Print integration with SAP using SAP Cloud Integration from Kangoolutions

By no means is the list complete. Anyone else looking to be listed or referenced, please leave a comment, or contact me directly.

Final Words

That’s a wrap 🌯you saw today how you can simplify your printing from SAP, reduce the device management overhead, and get rid of the need for print drivers.

Cloud printing for SAP with Microsoft Universal print is applicable to your SAP Business Users (called frontend printing) from their own devices and browsers just as they are used to.

For your SAP backend jobs and SAP’s standard OData API a community-driven open-source integration component is offered on GitHub. Check the Azure marketplace, SAP store, and partner repositories for updates on partner offerings. Above list of partner solutions could get you started.

Let us know what you think and feel encouraged to participate in the community effort🙌.

Partners are welcome to reach out to build a marketplace or managed offering.

Last but not least: thank you to @timo_straub1 and amazing team for the great collaboration🙏

Cheers

Devansh and Martin

Govern SAP APIs living in various API Management gateways in a single place with Azure API Center

2024-04-26T12:33:48.591000+02:00

Find the GitHub repos associated with this post on Azure API Center here.

Our engineering friends from SAP Integration Suite– in particular @Chaim_Bendelac – published a nice “sister blog” on supporting Azure API Management with the API Management capability of SAP Integration Suite here.

Dear community,

Many of you are heavily invested in APIs regarding your SAP ecosystem and the rest of your IT real estate. Given the integration specialization in the SAP space companies decide to use more than one integration tool to cater for SAP and non-SAP integrations. Gartner even says that 75% will use at least two different ones. For many of you that means SAP Integration Suite plus one for non-SAP.

Due to the fast-paced growth of APIs within organizations, inventory, governance, security, and management cannot keep up. The resulting fragmentation and inconsistency lead to adoption challenges, project delays, and security risks. Postman’s State of APIs report 2023 shows that API security incidents happen frequently.

These challenges are summed up under the term “API Sprawl” by the industry. Beware the API sprawl monster is upon you!

fig.1 Illustration of API Sprawl challenge

Key to survival is automatic discovery of available APIs and a single place to enforce guidelines from, or at least know these unmanaged APIs exist in your estate. Forgotten APIs are low hanging fruit for attackers. To drive home that argument: “Improper Inventory Management” made the OWASP top 10 list for API Security in 2023.

Besides that on the human side of things: Which developer likes to develop duplicate functionality just because of the lack of shared API inventory to discover existing stuff?

The API Sprawl monster🦖 much hungry! “Nomnom nomnom more food, yes more food!”.

Azure API Center embarked on the journey of taming the monster.

What API solutions can be registered to Azure API Center?

Azure API Center applies to any API and any API management solution out there. Always remember that API Center is not an API Gateway! It doesn’t expose the endpoints or apply policies to them. That stays with the API Management provider. API Center makes them discoverable and allows decorating APIs with additional info to improve governance.

Let that sink in.

My colleagues are building integrated experiences for the most interesting API and integration tool providers. However, API-based registration in API Center will always be possible.

Get it? APIs to register APIs to register APIs ... yah maybe to complicated for a joke.

fig.2 Azure API Center solution coverage overview

The focus of this blog post will be on inventorying APIs hosted by the API Management capability of SAP Integration Suite to mitigate SAP API sprawl. However, the approach described is applicable to all the other SAP APIs out there hosted on SAP Gateway, SAP Graph, SAP CAP, SAP RAP, CloudFoundry, Kyma, etc. too.

Another prominent SAP service would be SAP Cloud Integration (formerly CPI – Cloud Platform Integration). Many of you expose APIs internally or to business partners through SAP integration flows without fronting them with an API Management solution – you know who you are 😉. Those can be registered too. Unfortunately, there is no built-in option to retrieve the definition of such an endpoint. You may generate an API definition for your http trigger using payload samples for instance. I found this repo useful to get an overview on how to generate OpenAPI definitions from JSON payloads.

Even if you don’t, putting the available metadata on the Azure API Center inventory still improves discoverability and enterprise-wide governance by magnitudes.

But now on to SAP API Management.

Automagically registering SAP API Management APIs on Azure API Center

Our starting point is the SAP BTP service apimanagement-devportal. Check SAP’s docs on the setup process here. Make sure you don’t mistakenly choose apimanagement-apiportal.

The API “API Business Hub Enterprise - Discovery Service (CF)” enables querying all available APIs hosted on SAP API Management on that subaccount. It holds info about their OpenAPI definitions.

Authenticate on the service with any of the supported authentication mechanisms. I chose OAuth2 client credentials grant (instance secret – without payload).

See below response from “/apidiscovery/v1/apis” from my SAP BTP sandbox environment. Pay attention to the attributes of “apiDefinitions” and values for “oas-json”.

{
"@odata.context": "$metadata#apis",
  "value": [
    {
      "name": "GWSAMPLE_BASIC",
      "title": "GWSAMPLE_BASIC",
      "version": "1",
      "lastUpdated": "2024-01-24",
      "releaseStatus": "PUBLIC",
      "protocol": "ODATAV2",
      "entryPoints": [
        {
          "name": "GWSAMPLE_BASIC",
          "type": "PROD",
          "url": "https://msftapim.test.apimanagement.eu10.hana.ondemand.com:443/GWSAMPLE_BASIC"
        }
      ],
      "apiDefinitions": [
        {
          "type": "oas-json",
          "url": "https://eu10devportal.cfapps.eu10.hana.ondemand.com/odata/1.0/data.svc/APIMgmt.APIResourceDocumentations('2797A5F5-E18A-4FCC-826A-C833845303F5')/content/$value"
        },
        {
          "type": "edmx",
          "url": "https://msftapim.test.apimanagement.eu10.hana.ondemand.com:443/GWSAMPLE_BASIC/$metadata"
        }
      ]
}

For your convenience we have provided a sample repo that runs Infrastructure-as-Code scripting to register the SAP APIs using their OpenAPI definitions as highlighted above. On each SAP API definition we execute registration requests on Azure API Center.

You may also use Postman, or SAP Build Process Automation etc. to execute the REST API calls if you prefer. Find our collection here.

fig.3 Flow of automated API registration in Azure API Center

Discover all your APIs where you code – see VS Code and GitHub Copilot in action

We developers like to stay within our flow. So, having the API inventory available at my fingertips in VSCode is a good step into that direction. Also generating http requests to poke around the service and API clients is nice 😎Kiota supports a multitude of languages for SDK generation.

To get that going install the Azure API Center portal VSCode extension.

fig.4 Screenshot of VSCode extension with example OpenAPI definition

Please note that the authorize button (and respective authentication scheme) on the OpenAPI definition explorer is only available if present on the definition file. It looks like this for Basic Auth:

fig.5 Screenshot of auth definition in example OpenAPI spec for SAP OData service

When using the http file and the REST client extension of your choice, you may simply provide the authentication header with Bearer token etc.

Next to the Azure API Center extension view before, you can also use GitHub Copilot Chat to query available APIs from API Center. See Microsoft Learn for more samples. You may search for APIs by key words like so:

@apicenter /search business-partner

Cherry on the cake 🍰is the API Center portal for the classic developer portal experience across your whole registered API inventory wherever that is.

fig.6 Screenshot of Azure API Center portal API inventory view

So far so good on registering APIs and working off the info their definitions provide. But how about governance? I know how desperately everyone wants to plaster cost centers, line-of-business info, and security labels on your interfaces. 😏

Enforced API metadata is your second line of defense against API sprawl

In addition to simply registering APIs you may add custom properties to the object on Azure API Center. So, even if the info is not present on the API itself you can still govern it from Azure. See below sample that I created from the Microsoft Learn tutorial.

fig.7 Screenshot of Azure API Center metadata maintenance view

Knowing which APIs are public facing is useful, isn’t it?

For everyone looking for more sophisticated security with less human error surface, have a look at Defender for APIs. I like the alert rule for “un-authenticated APIs” and disabling endpoints that were not used in the past 60 days most – wait what? Those exist out there in the wild west of SAP on the Internet? 😲See the open-source automatic remediations repos here to mitigate for Azure API Management.

Defender for API integration with 42Crunch brings API security testing and hardening to your CI/CD pipeline.

API Linting gets you to the next level

OK, now let’s look at API style guide compliance. Is everyone playing by your rules? How do you make sure developers notice violations already during design phase rather than at later stages of deployment, release, or even months after the fact when audited?

Good automatic API linting creates much less hassle for everyone in the long run, less cost to fix API definitions after the fact, improved security posture, and a more rewarding experience for the people involved. See below video on the setup of the linting function for OpenAPI using Spectral linting engine.

Anyone aware of a great OData linter and would be curious to explore? Please share!

Get more details on API Linting for Azure API Center from this Microsoft Learn article.

Thoughts on production readiness

Azure API Center is in public preview but due for General Availability with the next wave of announcements, so completely ready for prime time. The same is true for the VS Code extensions and APIs used to orchestrate the integration between SAP API Management and Azure.

Intentionally registering APIs from SAP to Azure API Center improves API inventory management by magnitudes. However, shadow inventory thrives in places you don’t actively look. To mitigate even more effectively the team is building automated discovery from your GitHub org, Azure DevOps, and other popular sources.

SAP Fiori tools on VSCode provided by SAP SE enable usage of the approach described in this blog out of the box. The same is true for SAP CAP development in VSCode.

Final words

That’s a wrap🌯. You saw today how you can effectively counter API sprawl and its negative side effects that put your APIs and organizations at risk. A primary means to achieve that is creating a central API inventory hosted on all the different API Management solutions out there with Azure API Center.

This blog showed how to achieve that using the API Management capability of SAP Integration Suite as an example.

Furthermore, you learned about steps to improve API governance with custom properties and API linting. Eventually, you understood the difference between Azure API Center and an API Gateway.

Find the GitHub repos associated with this post here. It gets you started in no time.

Big #Kudos to Pascal van der Heiden – my brother in crime on this effort. And of course, last but not least to @UdoPaltzer and @vinayak_adkoli for the great collaboration! 🙌

Anyone curious to tap their toe into the waters where the API sprawl monster 🦖 lives, just reach out to me and Chaim or leave a comment.

Cheers

Martin