SAP Community - SAP Connectivity service

Communication arrangement in SAP

2024-11-08T12:19:47.729000+01:00

Hello Experts,

We are facing connection issue while creating communication arrangement in SAP,

issue: SOAP:1032 SRT: Wrong Content-Type and empty HTTP-B ody received: ("HTTP Code 401 : Unauthorized")

we tried changing user ID and password but it's still the same.

Please suggest us on how to solve this error.

Regards

Pranavi Reddy

ClientCredentials grant flow with one XSUAA and multiple apps inlcuding scopes

2024-11-12T13:50:01.462000+01:00

I would like to do server-to-server communication on the BTP (CF) using the ClientCredentials grant flow with custom scopes. For example, consider a client app and a server app that are bound to the same XSUAA and destination service instance as they are deployed in a single manifest.yaml. During deployment, a destination is created for the server API with the ClientCredentials grant flow as authentication.

The error occurs when the destination is fetched from the Destination Service. Then, the ClientCredentails grant flow is executed by the Destination Service and fails as the scope "Test.Admin" is invalid. Omitting the scope lets the flow complete, but the access token does not include the scope and thus endpoints of the server app which require the "Admin" role can not be called.

The destination looks like this:

tokenServiceURLType=Dedicated
clientId=exampleClientId
clientSecret=exampleClientSecret
xsappname=exampleAppName
tokenServiceURL=https\://60ccf4actrial.authentication.us10.hana.ondemand.com/oauth/token
WebIDEEnabled=true
HTML5.ForwardAuthToken=false
TokenServiceURLType=Dedicated
URL=https\://exampleURL.cfapps.us10-001.hana.ondemand.com
Name=server-api
Type=HTTP
verificationkey=***
Authentication=OAuth2ClientCredentials
scope=Test.Admin
ProxyType=Internet

The xs-security.json for the single, shared XSUAA instance looks like this:

{
  "xsappname": "${default-xsappname}",
  "tenant-mode": "dedicated",
  "scopes": [
    {
      "name": "Test.Admin"
    }
  ],
  "attributes": [],
  "role-templates": [
    {
      "name": "Admin",
      "description": "",
      "scope-references": ["Test.Admin"],
      "attribute-references": []
    }
  ],
  "oauth2-configuration": {
    "redirect-uris": ["https://*.hana.ondemand.com/**"]
  },
  "authorities": ["$ACCEPT_GRANTED_AUTHORITIES", "Test.Admin"]
}

The issue can be manually reproduced, simulating what the Destination Service does when fetching the destination:

// Fetch token from XSUAA using ClientCredentials grant flow
GET {{tokenServiceURL}}?grant_type=client_credentials&scope=Test.Admin
Authorization: Basic exampleClientId:exampleClientSecret

Additionally, the simplified manifest.yaml looks like this:

_schema-version: "3.1"
ID: example
version: 1.0.0
description: "Example project for server-to-server communication in background jobs"
parameters:
  enable-parallel-deployments: true

modules:
  - name: client
    # ....
    requires:
      - name: example-uaa
      - name: example-destination
      - name: server
    provides:
      - name: client-api
        properties:
          srv-url: ${default-url}

  - name: server
    # ...
    requires:
      - name: example-uaa
      - name: example-destination
    provides:
      - name: server-api
        properties:
          srv-url: ${default-url}

  # ---------------------- DESTINATIONS --------------------------
  - name: example-destination-content
    # ------------------------------------------------------------
    type: com.sap.application.content
    build-parameters:
      no-source: true
    requires:
      - name: example-destination
        parameters:
          content-target: true
      - name: server-api
      - name: example-uaa
        parameters:
          service-key:
            name: example-uaa-key
    parameters:
      content:
        instance:
          existing_destinations_policy: update
          destinations:
            - Name: server-api
              URL: ~{server-api/srv-url}
              WebIDEEnabled: true
              Authentication: OAuth2ClientCredentials
              HTML5.ForwardAuthToken: false # when enabled, the ClientCredentials flow is not triggered
              TokenServiceURLType: Dedicated
              TokenServiceInstanceName: example-uaa
              TokenServiceKeyName: example-uaa-key

resources:
  - name: example-uaa
    type: org.cloudfoundry.managed-service
    parameters:
      service-name: example-uaa
      service: xsuaa
      service-plan: application
      path: ./xs-security.json
      config:
        xsappname: example
      service-keys:
        - name: example-uaa-key
  - name: example-destination
    type: org.cloudfoundry.managed-service
    parameters:
      service-name: example-destination
      service: destination
      service-plan: lite

Is this even possible with a single shared XSUAA instance or do I need to create one XSUAA instance for each app?

SAP Integration Suite Test Connectivity to SAP Ariba - How to get Host URL

2024-11-12T23:50:30.108000+01:00

Hello Experts ..

We tried to Integrate SAP Ariba to ServiceNow using SAP BTP Integration Suite.

As a first step, trying to connect SAP BTP Integration Suite to SAP Ariba thru "Connectivity Tests".

Question: How do we get Host url of SAP Ariba?

We tried with https://S1.Ariba.com etc.. but getting "Couldn't connect to Hot".

Could you please help.

SAP CAPM service failing with http 407 Proxy Authentication failed Error

2024-11-26T11:05:09.238000+01:00

I am consuming a SOAP based web service from a S/4HANA On-prem system inside a SAP CAP service using sap-cloud-sdk api's coupled with BTP destinations and cloud connector.

Reference :https://community.sap.com/t5/technology-blogs-by-sap/consuming-soap-web-services-in-sap-cloud-application-programming-model-cap/ba-p/13522820

I have recently upgraded the @Pa_Vi-cloud-sdk/connectivity version to 3.23.0(latest) recently and now the service is failing sometimes with http status code 407- Proxy Authentication failed. The service works most of the time but randomly fails with this error. And once i redeploy the CAP app to CF again the service starts working like usual.

Run NodeJS app locally using destination and connectivity services

2025-01-16T18:20:33.193000+01:00

Hello everyone,

lately I have been trying to create a NodeJS app using NestJS and the SAP Cloud SDK for javascript and deploy it to the cloud foundry runtime according to this example: https://github.com/SAP-samples/cloud-sdk-js?tab=readme-ov-file

I created a new service, generated the odata client using an edmx file of our on premise service and deployed it.

The deployed version is fine: I can read data and consume the odata service.
In local mode the destination fails.

I found this blogpost telling me how to check the connectivity of my destination.
Using the curl request results in this:

curl -v -i "<destinationName>.dest/sap/opu/odata/iwfnd/catalogservice;v=2/ServiceCollection?%24top=1"
* Uses proxy env variable no_proxy == 'localhost,127.0.0.1,github.com,.github.com,.npmjs.org,.yarnpkg.com,npm.sap.com,.maven.apache.org,.repo-cache.svc.cluster.local'
* Uses proxy env variable http_proxy == 'http://127.0.0.1:8887'
*   Trying 127.0.0.1:8887...
* Connected to 127.0.0.1 (127.0.0.1) port 8887 (#0)
> GET http://<destinationName>.dest/sap/opu/odata/iwfnd/catalogservice;v=2/ServiceCollection?%24top=1 HTTP/1.1
> Host: sd_orca_sap_ecc_akab.dest
> User-Agent: curl/7.88.1
> Accept: */*
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 500 Internal Server Error
HTTP/1.1 500 Internal Server Error
< Content-Type: text/plain; charset=utf-8
Content-Type: text/plain; charset=utf-8
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
< Date: Thu, 16 Jan 2025 17:10:28 GMT
Date: Thu, 16 Jan 2025 17:10:28 GMT
< Content-Length: 75
Content-Length: 75

< 
dial tcp: lookup <destinationName>.dest on 100.64.0.10:53: no such host
* Connection #0 to host 127.0.0.1 left intact

I also created a .env file that should change the proxy settings:

destinations="[{"name": "<destinationName>","url": "http://<destinationName>.dest","proxyConfiguration":{"host": "127.0.0.1","port": 8887,"protocol":"http"}}]"

My destination looks like this:

The destination is created on subaccount level.
After changing the destination i also called the reload request Andre mentioned in his blogpost.

My default-env.json and default-services.json files both contain the configuration to the destination, connectivity and xsuaa service I created for the app. The variables are created using the cf env myapp > .env command.
I am quite sure the service is found. Removing the destination service from these files results in another error: "Could not find service binding of type 'destination'".

At this point I am very desperate in trying to start my app locally.

Any help is appreciated, thank you already in advance!

Communicate from SAP Public Cloud to Java Application (Jco Server) via WebSocketRFC Problem

2025-01-28T14:28:12.902000+01:00

Hello everybody,

i am having a problem while trying to call a outbound service from the SAP Public Cloud to a external JCo WebSocketRFC Server instance.

My JCo WebSocketRFC server is running on a VM that is exposed to the internet on port 8080.

In the SAP Public Cloud i have already configured the communication system where i have just entered the "Host Name" of my VM and set the Authentification Method in the "Users for Outbound Communication" to None since i do not need the authentification for the tests.

I have also configured a communication agreement for the communication system

On the Eclipse ADT side i have a communication scenario that looks like this:

with the corresponding outbound service

Now, when i try to call the outbound service from SAP Public Cloud ABAP with the corresponding code:

like described by SAP i get the following error

Anyone has an idea why this fails? Dis anyone made a scenario like this before? - to communicate from the SAP Public Cloud to a external server program? I have only found tutorials how to communicate with on prem systems.

The JcoTrace for the server says the following (i have replaced the real IP with "hostname" in the screenshot)

obviously the handshake cannot be completed. I am trying to connect to the server withot any authentification (i have set the communication scenario to "Unauthentifiacted" and i have startet the Jco server without any p12 files - jco.server.use_tls=0).

Server props:

@MarkusTolksdorf @simon_luser Thanks for your reply, i have added the Trace from the Jco. Could the problem be the missing authorisation?

SAP DBTech JDBC: [403]: internal error: Cannot get remote source objects:

2025-02-13T11:07:42.145000+01:00

Hello Experts!

While connecting the remote source system, S4_HANA_SDA connect timeout expired error occur.

Here is the error details.

Thanks in advance

Outbound communication from SAP Public cloud to a Websocket RFC Server in a fenced customer network

2025-03-05T12:14:51.564000+01:00

Hello everybody,

is there any possibility to call a outbound service from SAP Public Cloud to a Websocket RFC server that is running in a fenced company network ? I have already called that Websocket RFC server with success but in that scenario the server must be accessible from the internet.

Maybe there is any way to use a VPN tunnel to get that connection done? Maybe even not with Websocket RFC if that should not be possible but with HTTP or even thru BTP like:

SAP Public Cloud -> BTP (some destination or tunnel) -> external program in a fenced company network (server).

Can such scenario be accomplished at all or is it not possible?

Greetings!

@simon_luser , @Ulrich_Schmidt1 thanks for your replies - update 14.03.25 - in the meanwhile i have installed the Cloud Connector on the machine where my WebSocket RFC Server is running (inside a fenced company network). Sadly i still wasn't able to establish a connection. For now i am not sure if this can be done using the Cloud Connector combined with a WebSocket RFC call from SAP public cloud. The problem is, as i suppose, that in the cloud connector there is no option for a RFC protocoll while selecting the target system "Non-SAP" that is my WebSocket RFC server. the possible option are:

Therefore i have selected the TCP protocol that at least does "see" the WebSoclet RFC server running on its port

but with that configuration i get no connection to the server. In the monitor view i do not see any throughput for the configured Cloud Connector.

I have also found a blog entry from Thomas Weiss (from 2021 - maybe its outdated?)

https://community.sap.com/t5/technology-blogs-by-sap/websocket-rfc-rfc-for-the-internet/ba-p/13502531

that is saying the following:

So i suppose for the scenario:

--> SAP Public Cloud (embedded steampunk) to WebSocket RFC Server in a fenced company network some different communication type must be used.

Or maybe i am doing something wrong? any ideas?

Greetings!

Call Action Project error queryA ENOTFOUND in Build Process Automation

2025-03-18T18:48:02.785000+01:00

Hello Experts,

Destination configuration

we configured the S4HANA On-premise URL as a Destination like in a below screenshot.

Action Project

Process Automation Flow

We added the above Action project as a Dependency to our process automation flow like in a below screenshot.

Problem we are facing

Below is the response of the action activity 'GET_MAIL_LIST'.

I saw the similar issue in the below community link : Call web service error queryA ENOTFOUND - SAP Community However it didn't help us to resolve the issue.

Kindly help me to figure out the issue.

SAP Business Technology Platform, SAP Build Process Automation

Thanks in advance.

Best Regards,

Sakthi.

Error Creating Content Provider for SAP Build Work Zone in Consumer Subaccount

2025-04-10T18:24:21.914000+02:00

I am trying to create a multi-tenant application with SAPUI5 interface that is consumed by the subscriber's SAP Build Work Zone, standard edition subscription, but I am getting errors trying to create the Content Provider.

Following the tutorial in the documentation Developing HTML5 Business Solutions as Content Providers, which has steps for Multitenant consumption via subscription. I updated the "sap.cloud.service" in the SAPUI5 manifest.json file, added the cdm.json file and the script on the mta.yaml file to copy it to the resources folder. I also defined the destination templates in the provider side.

After that I followed the Administrator steps in Federation of HTML5 Business Solutions documentation. Subscribed to the multi-tenant app from another subaccount in the same environment and region. Exported and imported the destinations to the consumer subaccount, changing the runtime destination URL to the subscription URL of the consumer.

However after I create the Content Provider in the consumer SAP Build Work Zone channel manager, the content fetch fails with the following message:

"<Connectivity/InternalError>: Could not fetch content due to an internal error. Please try again later. If the issue persists, please open a ticket on the connectivity service."

This is the code I am currently working in https://github.tools.sap/I538205/simple-saas-mt/tree/bwz
and I also tested the sample from https://github.com/SAP-samples/build-workzone-integration/tree/main/standard/html5-content-provider-sample which also failed to import the content provider.

Has anyone else here faced this issue? How can I solve it?

unable to create connection from SF to SAC & datasphere

2025-04-27T08:45:21.188000+02:00

Hi Experts,

Please help me with this as im getting very annoyed on why we cannot create one simple connection, my intention is to create a connection between SF and SAC and Datasphere. could someone tell me the step-by-step process. I have searched many articular, but none has been very useful. i have screenshot from SF side with Oauth2 setup and SAC. the error i get is : Unable to connect to datasource. Check the connection details and user credentials, and then try again.

the question does this connection looks right and the USER id does it need special step that i have missed?

Cloud Connector access to AL11 directory

2025-05-20T14:48:40.954000+02:00

Hi Experts,

I need your help to understand how to get the internal host of SFTP?

--Symptom--

We created few folders in AL11 directory, now we need to fetch the data from that folder to CPI via cloud connector to S4HANA Private Cloud.
The blog is followed:
https://community.sap.com/t5/technology-blog-posts-by-members/step-by-step-procedure-to-establish-cpi-to-sftp-server-connection/ba-p/13520842

For Cloud Integration to access file storage, you must expose the file storage using FTP or SFTP protocol, by setting up FTP or SFTP service (as Server).

But how to get the internal host of SFTP?

Thank you very much.

SAP CAP : 502 "Error during request to remote service: read ECONNRESET"

2025-07-02T13:05:29.723000+02:00

Hi,

I am developing SAP CAP application, node.js, trying to connect to external S4 onPrem service which is accessed via the cloud connector.

I am trying to reach S4 OData service from CAP Application locally in Business Application Studio via SAP Cloud Connector.

To connect to the destination and other services we are using the “cds bind -2” command, which created the .cdsrc-private.json file.

I am able to connect to the different BTP instances like the destination, authorization and connectivity instances, when i run the app using

cds watch --profile hybrid

But when i'm trying to access any of the entities within the S4 OData service facing the following error,

{"error":{"code":"502","message":"Error during request to remote service: read ECONNRESET"}}

Has anyone faced this issue, please suggest an appropriate solution for this.

Also when the applicaiton is deployed to BTP, the S4 odata services are accessiable via destination and the application is working as expected,

i want run the application locally for development phase, hence need your help,

Regards,

Aakash

Multiple external systems connected to one SAProuter in SAP Private Cloud

2025-07-02T16:12:39.277000+02:00

We have SAP Private Cloud and we have added a SAProuter, and on the one hand we want to connect it to an external system for EDI, on the other hand we also have it for another system of connection with banks, but on the other hand we want to connect it to another external system of invoice management, but they tell us that it is not possible to connect to that SAProuter a third external system, honestly I thought that there were no limitations in connecting external systems to a single saprouter, I have been told that I would have to acquire a second saprouter, is this correct?

Regards

Andrés

Oauth Technical User Propagation for Forms Service by Adobe

2025-07-14T06:40:48.422000+02:00

Hello Experts,
We are trying to configure Oauth Technical User Propagation for usage by Forms Service by Adobe on SAP BTP by following the below guides

https://help.sap.com/docs/forms-service-by-adobe/sap-forms-service-cf/configure-technical-user-propagation

The backend system is a S4 HANA 2023 system . ADS works fine when we use basic authentication.

The BTP subaccounts, cloud connector and backend S4 HANA 2023 system are all set for Principal Propagation and normal calls via Principal Propagation works fine
As per the document for Forms Service, to use oauth technical user propagation - we have to create a destination using the proxy type 'on-premise' and so expected to go via the cloud connector

However, SAP documentation here mentions that the calls to token Service URL does not go via the cloud connector. However, it still does not allow us to enter a HTTPS URL for the 'token service URL ' (any service credentials created in the BTP subaccount has a https URL for token service ) . Anyhow - we tried replacing HTTPS with HTTP for the token URL (and also creating a destination in cloud connector to redirect it to HTTPS ) but it does not help . There are no calls logged in the cloud connector as well

The token URl and credentials we used was from a "Authorization and Trust MAnagement Service" in the same subaccount as described as an example in the Forms Service guide

How does this work ?

ABAP Platform pipeline in SAP CI/CD Service - release issue

2025-07-29T17:23:05.180000+02:00

Hi,

I have a problem with my ABAP Platform pipeline, using SAP Continuous Integration and Delivery Service in BTP. The issue is with the Release part.

I have a Cloud Connector and destination (using Principal Propagation) ready. The deployment from SAP BAS works as expected. All necessary OData Services are active and whitelisted. However, there's 401 error when the pipeline is executed.

[2025-07-29T14:59:03.441Z] Sending GET request to http://XXX:400/sap/opu/odata/UI5/ABAP_REPOSITORY_SRV/
[2025-07-29T14:59:03.677Z] Release stage credentials successfully validated against endpoint
...

[2025-07-29T14:59:23.345Z] info  transportRequestUploadCTS - No deploy dependencies provided. Skipping npm install call. Assuming current docker image already contains the dependencies for performing the deployment.
[2025-07-29T14:59:23.345Z] info  transportRequestUploadCTS - running shell script: /bin/sh #!/bin/sh -e
[2025-07-29T14:59:23.345Z] fiori deploy --failfast --yes --username ABAP_USER --password ABAP_PASSWORD --description "Pipeline Test" --config "ui5-deploy.yaml" --url http://XXX:400 --transport GXXXXXXXX --package Z_PACKAGE --name Z_TEST
[2025-07-29T14:59:24.278Z] info  transportRequestUploadCTS - [32minfo[39m abap-deploy-task Z_TEST Creating archive with UI5 build result.
[2025-07-29T14:59:24.278Z] info  transportRequestUploadCTS - [32minfo[39m abap-deploy-task Z_TEST Archive created.
[2025-07-29T14:59:24.278Z] info  transportRequestUploadCTS - [32minfo[39m abap-deploy-task Z_TEST Starting to deploy.
[2025-07-29T14:59:24.278Z] info  transportRequestUploadCTS - [31merror[39m abap-deploy-task Z_TEST Deployment has failed.
[2025-07-29T14:59:24.278Z] info  transportRequestUploadCTS - [31merror[39m abap-deploy-task Z_TEST Change logging level to debug your issue
[2025-07-29T14:59:24.278Z] info  transportRequestUploadCTS - [31merror[39m abap-deploy-task Z_TEST 	(see examples https://github.com/SAP/open-ux-tools/tree/main/packages/deploy-tooling#configuration-with-logging-enabled)
[2025-07-29T14:59:24.278Z] info  transportRequestUploadCTS - [31merror[39m builder:custom deploy-to-abap Request failed with status code 401
[2025-07-29T14:59:24.279Z] info  transportRequestUploadCTS - Command deploy failed with error : Request failed with status code 401
[2025-07-29T14:59:42.331Z] info  transportRequestUploadCTS - fatal error: errorDetails{"category":"undefined","correlationId":"n/a","error":"running shell script failed with /bin/sh: cmd.Run() failed: exit status 1","library":"SAP/jenkins-library","message":"step execution failed","result":"failure","stepName":"transportRequestUploadCTS","time":"2025-07-29T14:59:39.890292594Z"}
[2025-07-29T14:59:42.332Z] fatal transportRequestUploadCTS - step execution failed - running shell script failed with /bin/sh: cmd.Run() failed: exit status 1

I use Job Editor configuration mode. No code is used for the pipeline.

Upload credentials is Basic Auth. using my Username and Password. These are no issues with it, as I've tested successfully.

I also use Cloud Connector, with Location ID specified on the destination level.

I have a couple of doubts:

- I see the --config "ui5-deploy.yaml" is used. Is there any special ui5-deploy content I have to add? I use destination there.

- Is ABAP Platform Endpoint the URL that I can find on my Destination level?

- Location ID - documentation says it should be found on the Cloud Connector level in BTP Cockpit, but it's false. There's Location ID, but only on the Destination level.

Any idea what could be the issue?

BR,

Adrian

ADS configuration via OAuth2TechnicalUserPropagation

2025-08-21T08:14:19.320000+02:00

Hi,

Hi , I am having trouble in ADS configuration via OAuth2TechnicalUserPropagation. Reports is throwing an below error.

We have already set the cloud connector setting to X.509.

com.adobe.ads.destination.DestinationException: HTTP-401 Error.(200.101).

I have done the principal propagation as per the SNOTE 345281 and its working fine. We have tested for BAS application.

With Basic authentication reports are working fine.

bind connectivity service to bas doesn't work and end up in CF-UnprocessableEntity error

2025-09-27T16:15:07.293000+02:00

Hello,

i have the problem that i can't bind the connectivity service in my Business Application Studio. If i try to bind the service over the cloudfoundry targets menu then i get the following error.

CF-UnprocessableEntity (Assign a droplet before starting this app.) [10008]

Has anyone an idea why it is so an how i can resolve this problem?

Connect to Onprem LDAP Destination from CAP (Nodejs) App running in K8s cluster???

2025-12-03T10:22:57.877000+01:00

Hi All,

We have a requirement where we have to display users when a Cost Center value is entered.

We are looking to use LDAP protocol to fetch user details and have a working setup locally via ldap client

We have Kubernetes setup where we deploy our applications. We are looking for documentation/ gudance on how to connect to this on prem destination with SAP BTP connectivity service.

We use Transparent proxy, connectivity proxy intalled in the cluster and Destination and Connectivity services, cloud connector from BTP.

Though there is SAP help documentation, we dont have much clarity on how this can be done in CAP.

Looking forward for suggestions/support if someone has already implemented it.

We also interested in knowing if Default SAP IDP provides API's using which we can fetch the user data.

Thanks in Advance.

CAP Multitenancy: Connectivity Service returns 401 invalid_client despite correct provisioning setup

2025-12-15T10:57:55.820000+01:00

I’m working on a CAP multitenant app in Cloud Foundry and I keep getting a 401 error when trying to use the Connectivity service, even though I’ve added it as a dependency both in my mta.yaml and in the provisioning dependencies handler.
What makes this confusing is: I can successfully read subscriber destinations, but Connectivity fails even though it is also bound.

In my app:

Connectivity is listed as a dependency in mta.yaml
I return both the destination and connectivity xsappname in the dependencies handler
The xsappname values look correct in my environment variables
I’ve redeployed and double-checked the service bindings

But I still get this error:

Error: Could not fetch client credentials token for service of type connectivity: HTTP response ... was 401: {"error":"invalid_client","error_description":"Bad credentials"}

Main package versions:
@Pa_Vi-cloud-sdk/connectivity: ^4.2.0
@Pa_Vi-cloud-sdk/http-client: ^4.2.0
@Pa_Vi/cds: ^9.5.2
@Pa_Vi/cds-mtxs: ^3.5.1
@Pa_Vi/xssec: ^4

I have already reviewed the following SAP Community post and the related blog comments, but unfortunately the suggested approach did not resolve the issue in my case:

https://community.sap.com/t5/technology-q-a/cap-multitenancy-connectivity/qaq-p/12493182

Has anyone else run into this? Is there something I might be missing?
Any tips would be really appreciated!

Thanks!