SAP Community - SAP BTP Security

Spring security html

2024-04-08T13:26:27.934000+02:00

I add 'xsuaa-spring-boot-starter' dependency to my springboot application, and i put a html file to the classpath, and then when i started the application and access the html, the html code is displayed without being rendered, and i found source file on chrome, it displayed html code with wrong format. And when i remove the 'xsuaa-spring-boot-starter' dependency, it rendered success. Please give me some help, many thanks!

Spring security html

2024-04-08T13:29:54.447000+02:00

Authentication for e2e Test Automation on BTP with SAP CI/CD, wdi5 and BTP Build & Workzone

2024-04-11T16:11:30.780000+02:00

Dear fellow people interested in test automation on btp

I face the problem of authentication on SAP Build & Workzone service in order for being able to execute automated tests from our SAP CI/CD Pipeline. The reason of this is, that I don't know how to authenticate via SAP Universal ID automatically in a pipeline environment. But let's give you a broad overview first.

We are developing applications in CAP for the cloud foundry environment. Those applications are build, tested and deployed in pipelines in the SAP CI/CD service.
The html5 applications are collected and displayed in SAP Build & Workzone, so POs and Devs can do all necessary tests for new features.
In my opinion, it does make sense to also do the e2e tests over Build & Workzone, so that we have a single point for all testing. We do the e2e tests with webdriver.io and the wdi5 plugin, which does work super well on a local instance.

The problem is now, that I don't know how to automatically log in from the pipeline into build & workzone in order to have the proper permission to access the applications. I already tried to automate the login with SAP Universal ID. The problem is there, that after several logins a captcha appears, which is not solvable automatically (of course this is intended).

So what is the proper way to set up this kind of authentication ?
Is a private authentication provider necessary for this kind of setup ?
Is the setup just wrong and there is another, maybe more elegant way to do this ?

I am happy for any kind of input and suggestions. If something should be unclear please ask 🙂

cheers

David

Can a user log on to the BTP Build Workzone (standard edition) with UN + PW instead of SSO?

2024-04-15T19:02:15.238000+02:00

Not for external Users, this question is for Users who we provide a HR Service for and are not in our AD yet, but they will be in future, the migration is just taking a while. with SF, users can have a URL which is non-SSO enabled, so I was just wondering if we can have the same type of URL to be made available for this group of Users? Thank you.

401 authorization error while calling the CPI service from POSTMAN and SOAP UI

2024-04-17T13:47:40.592000+02:00

Dear Experts,

Up until this past weekend, everything was going well with my SAP Cloud connection login and admin access. However, for the past two days, I've been receiving 401 authorization errors when attempting to contact the CPI services using POSTMAN and SOAP UI.

Kindly help me to understand what am i missing here (password rest also done but still same issue).

Regards,

Access Denied: 403 Error in SAP BTP / XSUAA issue

2024-04-17T14:17:55.449000+02:00

Hi,

I'm building a full-stack application with SAP BTP CAMP. I've configured the data model, services, and HTTP endpoints. Additionally, I've created a role collection within the trial account. However, during testing, I've encountered issues accessing data. Although the GET command for metadata retrieval is functioning properly, I'm facing difficulties accessing data from specific tables. Each attempt results in a "Forbidden" error message. I've attached screenshots of the error for reference. I would greatly appreciate your assistance in resolving this matter and gaining access to the tables.

Thank you.

Best Regards,

Fatima Dhool

Kerberos Error when task "deploy" from db-deployer

2024-04-18T10:53:07.466000+02:00

Hi all,

I was following this tutorial for deploying a sap cap mta to hana database, and I'm getting an issue when executing task "deploy" of db-deployer when trying to deploy the app to BTP.

This is the log message retrieved from execution:

[db-deployer] 4b0ab072-eb88-449c-968f-4cd73283ec89 [2024-04-17T15:17:50.283158] Kerberos error. Major: "No credentials were supplied, or the credentials were unavailable or inaccessible [458752]", minor: "No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_2000) [2529639053/-1765328243]"

Could it be regarding xsuaa configuration?

This is my yaml.file:

_schema-version: '3.1'

ID: lre_rx

version: 1.0.0

description: "LORUM Real Estate APP RX"

parameters:

enable-parallel-deployments: true

build-parameters:

before-all:

- builder: custom

commands:

- npm ci

- npx -p @Sap/cds-dk cds build --production

- npx rimraf gen/db/src/gen/data

modules:

- name: lre_rx-srv

type: nodejs

path: gen/srv

parameters:

buildpack: nodejs_buildpack

build-parameters:

builder: npm

provides:

- name: srv-api # required by consumers of CAP services (e.g. approuter)

properties:

srv-url: ${default-url}

requires:

- name: L4RE-db

- name: L4RE-auth

- name: lre_rx-db-deployer

type: hdb

path: gen/db

parameters:

buildpack: nodejs_buildpack

requires:

- name: L4RE-db

- name: lre_rx

type: approuter.nodejs

path: app/router

parameters:

keep-existing-routes: true

disk-quota: 256M

memory: 256M

requires:

- name: srv-api

group: destinations

properties:

name: srv-api # must be used in xs-app.json as well

url: ~{srv-url}

forwardAuthToken: true

- name: L4RE-auth

resources:

- name: L4RE-db

type: com.sap.xs.hdi-container

parameters:

service: hana-cloud-trial

service-plan: hana

- name: L4RE-auth

type: org.cloudfoundry.managed-service

parameters:

service: xsuaa

service-plan: application

path: ./xs-security.json

config:

xsappname: lre_rx-${org}-${space}

tenant-mode: dedicated

And this are my instances and subscriptions:

Hope you could help me,

Thank you!

Shadow user in BTP

2024-04-18T11:36:17.711000+02:00

Hello,

What are the possible methods for automatic user provisioning from SAP IAS to SAP BTP while "Create Shadow Users During Logon" option in SAP BTP is deactivated ?

Or do users need to be created manually in SAP BTP in that case?

Many thanks for every tip ?

Best Regards

SAP Cloud connector uninstallation error

2024-04-19T13:08:56.030000+02:00

Can any one help me am unable to uninstall cloud connector

Attaching the screenshot while uninstalling cloud connector as administrator. The process is keep on going

and no progress. If I cancel it cloud connector again coming back t

Thanks

Vykuntarao

SAP Master Data Integration issue for Subscription Billing with SAP S/4HANA Public Cloud

2024-04-23T23:32:00.640000+02:00

Hello All,

We are using the Subscription Billing solution with SAP S/4HANA Public Cloud system.

When I try to utilize the function of test connection to make the replication is active from Sub Bill system to SAP S/4 we are encountering a 404 HTTP error and I'm attaching a screenshot below for the same.

If anyone has any expertise on how to fix this or come across same situation, please throw some lights.

SAP S/4HANA SAP Subscription Billing SAP BTP, ABAP environment SAP S/4HANA Public Cloud SAP S/4HANA Cloud for Sales SAP Billing and Revenue Innovation Management, subscription order management

Thanks!

Change default date format for a language in SAP BTP Workzone

2024-04-24T12:06:18.936000+02:00

HI,

Is there a way to change the default date format for a language from say MM.DD.yyyy to DD.MM.yyyy in sap BTP Workzone. Right now every language has a default date format. For example for German it is DD.MM.yyyy and I want to change it to MM.DD.yyyy.

Is there a way to do it.

Thanks.

using Already availble XSUAA service to another application giving service broker failed error

2024-04-25T12:48:55.374000+02:00

I have a MTA app(lets say uaatest Having standalone app router) which is already deployed to cloud foundry and having XSUAA service(with its xs-security.json contents).
I have developed another MTA app (lets say uaatest2 Having standalone app router), In this i tried using above mentioned XSUAA(which is already used for uaatest). But with xs-security.json file that is specifically referring to my uaatest2.

while deploying to CF i am getting an error saying that "Service broker error: Service broker xsuaa failed with: Could not find xsapp entry for uaatest2!t259732"

this (uaatest2!t259732) is referring to my uaatest2.

Even though i am using same xsuaa service but still i can maintain two different "xsappname" entries in my each xs-security.json file(referring to uaatest and uaatest2) right?

or am i missing something? or please give me an example how to use already available xsuaa to new MTA with its own xs-security.json.

please find attached xs-security.json for reference.

Thanks in advance

Rakesh.

Using Integration Suite API's with Basic Auth

2024-04-26T17:21:25.121000+02:00

Hi Everyone.

I try to create packages using the Integration Suite API's.
This works when I use Client Credentials from the api-service-instance that I created in my Foundry BTP.

Now my problem:
The Package is createdBy the Client-ID:

Since this doesn't look good, I want it to display my user. As far as I know there is no possibility to do this with the API-service-instance. Therefore I need to authenticate using my user.

I found that there should be a way to do that:
https://help.sap.com/docs/cloud-integration/sap-cloud-integration/basic-authentication-of-idp-user-for-api-clients

Now when I try to call an API from Postman with Basic Authentication and my Universal-ID I get an error-message even though I gave myself full permission on all "!it"-roles:
"Error while obtaining token from UAA, with details: Request failed with status code 401"

I couldn't find anything online corresponding with this error-message.

What am I doing wrong?

Thanks for the help

How to find who deleted the services and spaces from our subaccount?

2024-04-29T22:36:12.161000+02:00

Hi Team,

Today we see, some of services and spaces in our Development subaccount is deleted. We need to find out who deleted the configuration, Kindly please check audit log and provide the details.

------------------------------------------------------------------------------------------------------------------------------------------------
Learn more about the SAP Support user and program here.

providing IAS authentication through cloud identity service for UI5 MTA app

2024-04-30T20:10:11.395000+02:00

Hi,
I have created a sap ui5 MTA(multi target application) with stand alone app router. its having mta-approuter(router), mta-ui(ui5 app), xs-security.json, mta.yml etc..
mta-approuter is having xs-app.json file which is pointing to mta-ui as the welcome file and authentication as 'route'. mta-ui as well having another xs-app.json file which is having the default route pointing to html5-repo-rt and 'xsuaa' as authentication type.
I have deployed this app to CF and on running the app from CF its working good.

Now I wanted to try out cloud identity services which provides IAS authentication. So i have created an IDP in my trial account. then inside my mta-ui's 'xs-app.json' i have changed authentication type from 'xsuaa' to 'ias' .

And in my mta.yml i have added a identity service in the required section of app router and defined it in resource section as well.

Now I have deployed it to CF. On try running the app I am getting the below error. even i tried enabling third party cookies.

my expectation is same like default IDP with cloud identity services as well SSO works smoothly.

Can you please help me what am i missing?

PFA details of app/trial account.

Thank in Advance.

S/4 HANA Public Cloud - BTP learning journey

2024-05-07T17:02:16.621000+02:00

Hello,

Can you recommend the best learning journey or course to take for an introduction to S/4 HANA Public Cloud edition.

Also, can you recommend the best learning journey for BTP enablement.

Thank You

sap-approuter-userapi calling the route from ui xs-app.json but not app-router xs-app.json

2024-05-07T20:22:16.673000+02:00

Hi,

I have developed a sample ui5 MTA app using Stand alone app router. I am having two xs-app.json files(one from ui5 app, another from app router). I wanted to read the user information using sap-approuter-userapi service. I have maintained the route in xs-app.json file of app-router. But After deployment to CF when I run the app router URL, in Network tab I can see that user-api call is getting failed. its giving me 404-Not found. What i observed is user-api is taking the default route which is defined in xs-app.json file of ui. Even though i have defined a seperate user-api route in xs-app.json file of router, it's not considering. May i know what am i missing?

If i maintained the user-api route in xs-app.json file of ui5 app then I am getting the success and getting the data as well.

My point is why its considering the ui-xs-app.json file but not routers xs-app.json file?

please note that i have maintained user-api datasource/model at manifest.json of ui app in the correct way only.

Please see the attachements for error/ui-xs-app.json/router-xs-app.json

Thank you.

Configuration of job-scheduler in BTP with python flask

2024-05-08T08:11:32.561000+02:00

Hi,

we are struggling with the setup of a job-scheduler for a pyython flask app on cloud foundry in the BTP.

The job must call the app via the approuter.

Following tutorials, we created a check_authorization method with:

access_token = request.headers.get('authorization')[7:]

security_context = xssec.create_security_context(access_token, uaa_service.credentials)

isAuthorized = security_context.check_scope('openid')

We granted

"grant-as-authority-to-apps": ["$XSSERVICENAME(job-scheduler)"] to a scope in xs-security.json and the scope is evaluated to True by security_context.check_local_scope("admin") in both cases (from job and from user)

When called via the job-scheduler, the security_context.check_scope('openid') however gives false, when called with a user it is True.

What might still be missing here ? Or do we need to check against another scope than 'openid' in the check_scope ?

Any help appreciated.

Regards

Marcus

spring based odata deployment error in BTP cloud foundry with security configuration

2024-05-08T09:00:52.935000+02:00

Hi All,

Can someone help me why am getting error(last picture) when am deploying spring-based java application using olingo odata java to BTP cloud foundry but am able to execute the same app with out any error after deploying if am implementing without security configuration

I can send you if you need more details like java app content or BTP credentials

Following is the procedure before deploying and after deploying

XSUAA service

Hanaschema micro service

HANA instance also running

While building the maven app

After deploying am getting below error. Could you please give any clues why this error can be??Am attaching the log file downloaded from BTP

Thanks

Vykunt

SAP BTP - Adding redirect uris to service instance fails - "The redirect_uri has an invalid domain."

2024-05-08T16:01:34.723000+02:00

I am trying to make API calls to the "SAP Authorization and Trust Management Service" package.
I want to make the calls from my non-sap platform.
In order to do that, I created an Authorization and Trust Management Service Instance and added the following configuration in the instance parameters:

I followed all the instructions to obtain the OAuth token in my platform to make the calls, but when sending the authorization request to the authorization server i am getting the error - "The redirect_uri has an invalid domain."

I added my domain to the trusted domains here but that doesn't seem to solve the problem:

When using this service instance I created in SAP "try out api engine" I am able to get succesfull responses.
Another interesting thing is that in that try out engine, when I am executing a call to retrieve the service instance details, I noticed the redirect URIs i tried to configure are not configured for some reason:

What am I missing here?