Overview

This sample shows how a principal propagation flow can be achieved when extending an on-premise system with SAP BTP, Kyma runtime.

The sample can use XSUAA alone, or SAP Identity Authentication Service (IAS) as an external identity provider with user federation.

Principal propagation relies on exchanging the JWT that the application router receives in Kyma. The exchanged token is forwarded through the Connectivity Proxy to the SAP Cloud Connector, which uses it to identify the logged-in user towards the on-premise backend, so the backend sees the actual user rather than a shared technical user.

In the sample flow, a logged-in user fetches their own sales data from the on-premise system.

[Figure: principal propagation flow]

The API sap/com/onprem/mysales is hosted on the Kyma runtime by a standalone SAP application router. The application router calls the on-premise system via the Connectivity Proxy.

Prerequisites

Set up

Configure cloud connector

Refer to Configuring Principal Propagation on help.sap.com.

On prem backend

You can run the on-prem backend on your laptop or on a test system. For simplicity, use the same system on which your SAP Cloud Connector is running.

  • Download the CA certificate from the Cloud Connector into the certs directory as ca_cert.der. The backend uses this CA to verify the client certificate the Cloud Connector presents on each propagated request.

  • Convert it to PEM format

    openssl x509 -inform der -in certs/ca_cert.der -out certs/ca_cert.pem
  • Generate a self-signed server key and certificate (test use only; a real backend would present a certificate from a CA that the Cloud Connector trusts)

    # Generate a key file
    openssl genrsa -out certs/server_key.pem
    
    # Generate a Certificate Signing Request
    openssl req -new -key certs/server_key.pem -out certs/server_csr.pem
    
    # Generate the certificate by self-signing the request with the same key
    openssl x509 -req -days 9999 -in certs/server_csr.pem -signkey certs/server_key.pem -out certs/server_cert.pem
  • Update the mock sales data in on-prem-backend/sales.json to provide your {logged-in-user-email}.

  • Run the app locally

    # go to the nodejs project
    cd on-prem-backend
    
    # install dependencies if not done earlier
    npm install
    
    # start the application locally with HTTPS enabled
    # (HTTPS must be set in npm's environment, so pass it on the same command line, not as `HTTPS=true && npm start`)
    HTTPS=true npm start
  • Configure the on-prem-backend in the Cloud Connector as a virtual host.

    [screenshot: virtual host configuration in the Cloud Connector]

  • Configure the resources as the path and all sub-paths.

    [screenshot: accessible resources configuration in the Cloud Connector]

Kyma configuration

  • Set up environment variables

    export NS={your-namespace}
    # only required once to enable istio sidecar. Ignore if done already
    kubectl label namespaces $NS istio-injection=enabled
  • Create a Connectivity Service instance in any namespace.

    Note: Only one instance is required per cluster. If you have deployed it previously, simply skip this step.

    [screenshot: Connectivity Service instance]

  • Create a destination configuration in the BTP cockpit that points at the virtual host configured in the Cloud Connector (proxy type OnPremise, authentication PrincipalPropagation).

    [screenshot: destination configuration]

  • Create xsuaa instance. Update the app-router/k8s/xsuaa-instance.yaml to provide {your-cluster-domain}

    kubectl -n $NS apply -f app-router/k8s/xsuaa-instance.yaml
  • Create a Destination Service instance.

    kubectl -n $NS apply -f app-router/k8s/destination-instance.yaml
  • For the application router to exchange the token automatically using the destination configuration, it needs the credentials of the service instances as well as the connection details of the Connectivity Proxy running inside the Kyma cluster.

  • Create the configmap containing connection details about connectivity-proxy running inside kyma runtime.

    kubectl -n $NS apply -f app-router/k8s/connectivity-proxy-info.yaml
  • Create the configuration required for application router.

    kubectl -n $NS apply -f app-router/k8s/config.yaml
  • Deploy the application router. Update the app-router/k8s/deployment.yaml to provide {your-cluster-domain}

    kubectl -n $NS apply -f app-router/k8s/deployment.yaml
  • Expose it to the internet with an API Rule.

    kubectl -n $NS apply -f app-router/k8s/api-rule.yaml

Test

Access the sales data for the logged-in user at https://principal-prop-on-prem.{your-cluster-domain}/sap/com/onprem/mysales. After authenticating, the response should contain only the records for the {logged-in-user-email} you entered in sales.json.

Troubleshooting