Development Guide


PUBLIC

2020-07-01

Getting Started with SAP Cloud Platform Integration (CF Trial)
© 2020 SAP SE or an SAP affiliate company. All rights reserved.



Content

1 Initial Setup of a Trial Account in Cloud Foundry Environment
1.1 Subscribing to Process Integration
    Unsubscribing the Service
1.2 Configuring User Access to the Application
1.3 Provisioning the Tenant
1.4 Creating Service Instances

2 Get Started with Integration Flow Development
2.1 Overview of the SAP Cloud Platform Integration Web UI
2.2 Create an Integration Package
2.3 Create the Integration Flow
2.4 Smoke Test Scenario
    Add a Timer Start Event
    Create a Content Modifier to Define the Message Body
    Create a Script Step to Log the Payload
    Save and Deploy the Integration Flow
    Monitor Message Processing
2.5 Smoke Test Scenario with External Data Source
    Create a Content Modifier to Define the Message Body
    Create a Content Modifier to Add a Header
    Create the Outbound OData Channel
    Create the Script Step to Log the Payload
    Run the Integration Flow and Monitor the Message Processing
2.6 Timer-Initiated Scenario with a Mail Receiver
    Update the Tenant Keystore with the Certificates Required by the Mail Server
    Create and Deploy a User Credentials Artifact for the E-Mail Account
    Create the Mail Receiver Channel
    Monitor Message Processing
2.7 Sender-Initiated Scenario (with HTTPS Sender Adapter)
    Authorize the HTTP Client to Call the Integration Flow Endpoint in the Cloud Foundry Environment
    Create the HTTPS Sender Channel
    Add the JSON to XML Converter
    Send the HTTP Request and Process the Integration Flow

3 Security in the Cloud Foundry Environment
3.1 Technical Landscape
3.2 Security Aspects of Processes
3.3 Security Aspects of Data, Data Flow
3.4 Identity and Access Management
    Persona
3.5 Data Storage Security
3.6 Data Protection and Privacy
    Types of Stored Data
    Specific Data Assets
3.7 Other Security-Related Information

1 Initial Setup of a Trial Account in Cloud Foundry Environment

Quickly get started with a trial account in Cloud Foundry (CF) Environment.

This quick start guide provides all the information you need to quickly onboard after registering for a free trial
account with SAP Cloud Platform Integration.

Here you find an overview of tasks that you would perform while creating a subaccount in Cloud Foundry
environment.

Trial accounts are intended for personal exploration, and not for production use or team development. The
features included in a trial account are limited, compared to an enterprise account. Consider the following
before using a trial account:

● Every trial user gets one trial account only.


● Cloud Foundry trial accounts expire after 30 days. You can extend the trial period to a maximum of 90
days, after which your account is automatically deleted.
● Usage of runtime resources is limited to functional evaluations. Processing of large message
payloads is not supported.
● A subaccount in your trial account is created automatically. Each subaccount is associated with exactly
one Cloud Foundry organization in which you can create additional spaces.
● You can manage members in your trial account.
● You can activate Enterprise Messaging with limited capabilities.
● You can use production and beta services in trial accounts.
● A trial account includes 4 GB of memory for applications.
● You can use 8 GB of instance memory.
● SAP does not provide support for establishing secure connections using private keys and authentication
based on inbound client certificates. It’s recommended to use basic authentication, which allows a client to
authenticate itself against the CF server based on user credentials (clientid and clientsecret).
● You can use a maximum number of 10 JMS queues.
● There is no service level agreement with regards to the availability of the platform.

For more information about the regions that are available for trial accounts, see Regions and API Endpoints
Available for the Cloud Foundry Environment.

Related Information

Subscribing to Process Integration [page 5]


Configuring User Access to the Application [page 6]
Provisioning the Tenant [page 7]
Creating Service Instances [page 7]

1.1 Subscribing to Process Integration

Subscribe to the Process Integration application from the Subscriptions page in the SAP Cloud Platform
cockpit.

Prerequisites

● You have signed up for a free trial account with SAP Cloud Platform Integration in the Cloud Foundry
environment.
● You have navigated to the subaccount in the Cloud Foundry environment.

Procedure

1. In the navigation area of the subaccount, choose Subscriptions.

The following information is displayed for the business applications to which your global account is entitled
in the Cloud Foundry environment:

○ The name and short description of the application.


○ Subscribed / Not subscribed: The status of the application, indicating whether the subscription is
active in your subaccount in the current region.
2. Choose the Process Integration tile to open its Overview page.
3. Choose Subscribe. Wait for the subscription to complete. Once it has completed successfully, the
Process Integration tile is shown as Subscribed.

Note

To log in to the Cloud Integration application, you have to assign the relevant roles first.

4. Choose Go to Application to open the provisioning application. For more information, see Provisioning the
Tenant [page 7].

Unsubscribing the Service

Choose Unsubscribe on the Overview page to decommission the tenant. Before you unsubscribe from the
Process Integration service, make sure you have deleted the Process Integration runtime service instances.
During this process, the Subscribe button becomes available again. Do not choose it until the tenant has been
successfully decommissioned.

1.2 Configuring User Access to the Application

Create and modify application roles and assign users to these roles.

Prerequisites

You are subscribed to Process Integration SaaS application in the Cloud Foundry environment.

Context

As an administrator of the Cloud Foundry environment of SAP Cloud Platform Integration, you can group
application roles in role collections. Typically, these role collections provide authorizations for certain types of
users.

Once you have created a role collection, you can pick the roles that apply to the typical job of an integration
developer. Since the roles are application-based, you must select the application to see which roles come with
the role template of this application. You are free to add roles from multiple applications to your role collection.

Finally, you assign the role collection to the users provided by the SAP ID service.

Procedure

1. Go to your subaccount and choose Security > Role Collections.

2. To create a new role collection, choose New Role Collection and enter a name relevant to the role.
3. Add roles to the newly created role collection by selecting the role name and then choosing Add Role.
4. Select the application identifier (prefixed with it) and the role template (AuthGroup_Administrator).
5. Add AuthGroup_Administrator, AuthGroup_IntegrationDeveloper and AuthGroup_BusinessExpert as roles to
the role collection. These roles are required to execute the test samples described in the Get Started with
Integration Flow Development Guide. For more information about the different roles, see Overview of
Authorization Groups.
6. Choose Save.

7. To assign the role collections to the user (e-mail address), go to your subaccount and choose
Security > Trust Configuration > SAP ID Service.
8. Choose Role Collection Assignment, and enter the user's e-mail address.
9. Choose Show Assignments to see the role collections that are currently assigned to this user.

Note

For first time users, choose Show Assignments and add the user to the SAP ID Service provider.

10. Choose Assign Role Collection to assign a role collection to the user.

1.3 Provisioning the Tenant

Provision a Cloud Integration tenant and receive a consumer-specific URL to access the application.

Prerequisites

You have created the role collection and have assigned it to the users provided by the SAP ID service.

Procedure

1. In the navigation area of the subaccount, choose Subscriptions and go to the Process Integration tile, and
choose Go to Application.
2. The provisioning application opens in a new browser instance.

For more information on subscribing to Process Integration, see Subscribing to Process Integration [page 5].
3. To log on to the application, enter your credentials (use the e-mail address assigned while configuring the
role collection).
4. Choose Provision. Once provisioning is done, use the Tenant URL to access the SAP Cloud Platform
Integration Web UI.

After successful provisioning of the tenant, you can create and deploy integration flows.

Note

Provisioning of a Cloud Integration tenant happens only if the subdomain name length is less than or
equal to 16 characters.

1.4 Creating Service Instances

Use services in the Cloud Cockpit to create a service plan, service instances, and service keys.

Context

Create Process Integration runtime service instances to access the endpoints after deploying the integration
flows.

Procedure

1. Assign a service plan to the specific subaccounts associated with the Process Integration service.
   1. In your Global Account, choose Entitlements to assign a service plan to specific subaccounts.
   2. To add a service plan to a subaccount, choose Edit, and under Process Integration Runtime for the
      relevant subaccount, select integration-flow from the service plan.

      Note

      If your subaccount is not visible here, then you haven't created a Cloud Foundry organization yet.
      To create one, choose Enable Cloud Foundry from the subaccount Overview menu.

   3. Save the changes.

2. (Optional) Create a space in the Cloud Foundry environment to control the use of resources. A space sets
   the scope to fix the share of resources to be consumed by a particular subaccount within a Cloud Foundry
   organization.

   Note

   For a trial account, a space named dev is created by default. Perform the procedure below to create a
   new space.

   1. Choose the subaccount in which you would like to create a new space.
   2. Choose Spaces > New Space.
   3. Enter a space name and select the permissions you would like to assign to your ID.
   4. Save the changes.

   Note

   Allocating space quota plans helps you to better manage the resources of a subaccount under a Cloud
   Foundry organization. For more information, see Change Space Quota Plans.

3. Use spaces that are available to the subaccount, and access them using the cockpit.
   1. Navigate to the newly created space, in which you want to create a service instance.

      Note

      Before creating a runtime instance, ensure your tenant provisioning is successful.

   2. Choose the space and navigate to Services > Service Marketplace > Process Integration Runtime.
   3. In the Process Integration Runtime service instance, choose Instances > New Instance.
   4. Choose a Service Plan from the dropdown list, then choose Next.
   5. In the Specify Parameter menu, you must enter the following JSON in the text area to assign roles and
      then choose Next. This authorizes the sender system to call a tenant and allows it to process
      messages on the tenant.

      Source Code

      {
        "roles": [
          "ESBMessaging.send"
        ]
      }

      Note

      The role name is case-sensitive and the authentication mode used is basic authentication.

   6. In the Assign Application menu, leave the default selection None for binding the new service instance
      and then choose Next.
   7. Enter a name for your instance and choose Finish.
4. Create service keys to generate credentials to communicate directly with the Process Integration Runtime
   service instance. When configuring the service key, you use a client certificate (exported from the sender
   keystore).
   1. Choose Instances, and then select from the list the instance you are creating a key for.
   2. In the navigation area, choose Service Keys and then choose Create Service Key.
   3. Enter a name for the service key.

      Note

      ○ As user credentials for basic authentication mode, use the values of clientid and clientsecret.
      ○ To use principal propagation as an authentication mode for an On-Premise service for a given
        user:
        ○ Fire the authentication call with grant type password from the ‘Process Integration
          Runtime’ service key.
          POST <tokenurl from service key from Process Integration Runtime>?grant_type=password&username=<email address of the user>&password=<password of the username>
          Basic authentication with UserName/Password: <clientid from service key from Process Integration Runtime>/<clientsecret from service key from Process Integration Runtime>
        ○ Use the access token obtained from the response above to trigger the integration process
          to propagate the user’s email identity.

      Note

      ○ Ensure the user has role MessagingSend assigned.
      ○ The propagated identity of the user is the email address.

   4. Save your changes.

The service key now shows the role.
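
The token call from the principal propagation note in step 4, as an added example in Python that is not part of the SAP guide. It builds the requests without sending them and places the grant parameters in the form-encoded body, where OAuth 2.0 (RFC 6749) puts them, so the user's password does not appear in URLs that proxies and servers log. The flat service key layout, all host names and all credentials are constructed assumptions.

```python
import base64
import json
import urllib.parse
import urllib.request

# Constructed sample service key. The flat layout is an assumption; only the
# field names tokenurl, clientid and clientsecret come from the guide.
SAMPLE_SERVICE_KEY = json.dumps({
    "tokenurl": "https://example-subdomain.authentication.example.invalid/oauth/token",
    "clientid": "sb-constructed-client!b1",
    "clientsecret": "constructed+secret/=",
})


def _require_https(url, what):
    """Refuse to place credentials or tokens on a cleartext connection."""
    if urllib.parse.urlsplit(url).scheme != "https":
        raise ValueError(what + " must use https")


def build_token_request(service_key_json, user_email, user_password):
    """Build (without sending) the password-grant request for the token URL."""
    key = json.loads(service_key_json)
    missing = [f for f in ("tokenurl", "clientid", "clientsecret") if not key.get(f)]
    if missing:
        raise ValueError("service key lacks: " + ", ".join(missing))
    _require_https(key["tokenurl"], "token URL")
    # Basic authentication: clientid as user name, clientsecret as password.
    pair = (key["clientid"] + ":" + key["clientsecret"]).encode("utf-8")
    basic = base64.b64encode(pair).decode("ascii")
    # urlencode escapes '@', '&', '+' and spaces, so a password containing
    # them cannot break out of its own parameter.
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "username": user_email,
        "password": user_password,
    }).encode("ascii")
    return urllib.request.Request(
        key["tokenurl"], data=body, method="POST",
        headers={
            "Authorization": "Basic " + basic,
            "Content-Type": "application/x-www-form-urlencoded",
        })


def extract_access_token(response_body):
    """Return access_token from the JSON token response, or raise ValueError."""
    doc = json.loads(response_body)
    token = doc.get("access_token") if isinstance(doc, dict) else None
    if not isinstance(token, str) or not token:
        raise ValueError("token response contains no access_token")
    return token


def build_flow_request(endpoint_url, access_token, payload,
                       content_type="application/json"):
    """Build the call to the integration flow endpoint with the bearer token.

    endpoint_url is the address shown for the deployed integration flow; the
    JSON content type is an assumption for this example.
    """
    _require_https(endpoint_url, "integration flow endpoint")
    return urllib.request.Request(
        endpoint_url, data=payload, method="POST",
        headers={
            "Authorization": "Bearer " + access_token,
            "Content-Type": content_type,
        })


if __name__ == "__main__":
    # Constructed user and response; nothing is sent over the network.
    req = build_token_request(SAMPLE_SERVICE_KEY, "user@example.com", "p&ss w+rd")
    print(req.get_method(), req.full_url)
    print("password in URL:", "password" in req.full_url)
    token = extract_access_token('{"access_token": "abc.def.ghi"}')
    flow = build_flow_request("https://tenant.example.invalid/http/demo",
                              token, b'{"ping": true}')
    print(flow.get_method(), flow.full_url)
```

To send a built request, pass it to `urllib.request.urlopen(req)` and feed the response body to `extract_access_token`.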

2 Get Started with Integration Flow Development

Learn how to develop and run your first integration flow.

Note

These exercises apply for both cases when you use SAP Cloud Platform Integration in the Neo and in the
Cloud Foundry environment.

However, note that at certain steps there are specific things to consider depending on the environment.
Whenever this is the case, it is indicated in this documentation.

A key part of an SAP Cloud Platform Integration project is to develop integration flows. An integration flow
allows you to specify how a message is processed on a tenant. The SAP Cloud Platform Integration Web UI
provides a modeling environment that allows you to design the details of message processing (its senders and
receivers as well as the individual processing steps) with a graphical user interface.

This section shows you step-by-step how to develop and run your first, simple integration flows. In other words,
it gives you an introduction to the tasks of an integration developer. We show you the design of four integration
flows, with increasing complexity.

Note

The first three integration flows are initiated by a timer and don't have a sender. This means that all tasks
related to setting up a sender system to SAP Cloud Platform Integration can be omitted.

The fourth integration flow is initiated by a request from a sender system which is simulated by an HTTP
client.

To complete the tasks, you use the SAP Cloud Platform Integration Web UI.

Before designing any integration flow of this section, you need to create an integration package first and, within
this integration package, create an integration flow. When you have created the integration flow, you add the
steps as described for the specific integration flow exercise.

● The first exercise shows you how to perform a simple smoke test to check whether your tenant cluster is
working correctly and that it processes messages in the expected way. A simple message is created with
the text Hello World! in the message body. The integration flow has no receiver. To check if the message
has been processed successfully, you can go to the monitoring application and check for the message
content there.
More information: Smoke Test Scenario [page 18]
● The second exercise shows you how to extend the smoke test scenario by adding an outbound call to an
external data source. The integration flow requests data exposed by the external component through an
OData application programming interface (API). The message body is created based on that data and, like
in the first exercise, can be displayed by the monitoring application.
More information: Smoke Test Scenario with External Data Source [page 27]

● The third exercise is a simple enhancement and modification of second integration flow. It has an e-mail
receiver so that you receive the message (processed by SAP Cloud Platform Integration) in an e-mail
account of your choice.
More information: Timer-Initiated Scenario with a Mail Receiver [page 39]
● The last exercise is a simple integration flow which also has a sender component. The sender in this
example is simulated by an HTTP client installed on your computer.
More information: Sender-Initiated Scenario (with HTTPS Sender Adapter) [page 48]

The exercises are designed so that you can do all four of them independently. All steps are described one by
one. But you can also start with the first one and successively enhance it to derive the second and the third
scenario from the first one.

Note

Prerequisites:

● You have been given access to an SAP Cloud Platform Integration tenant and have integration
developer permissions assigned to your user (authorization group
AuthGroup_IntegrationDeveloper).
● Authorization group AuthGroup_BusinessExpert has been assigned to your user (to allow you to access
message processing log attachments).
● You have set up an e-mail account that you can use as the receiver system for the integration flow (only
required for third exercise with the Mail adapter).
● You have opened the SAP Cloud Platform Integration Web UI (the Web UI URL ends with /itspaces).

Related Information

Overview of the SAP Cloud Platform Integration Web UI [page 11]


Smoke Test Scenario [page 18]
Smoke Test Scenario with External Data Source [page 27]
Timer-Initiated Scenario with a Mail Receiver [page 39]

2.1 Overview of the SAP Cloud Platform Integration Web UI

The SAP Cloud Platform Integration Web UI is your one-stop shop for integration development.

Note that the URL to access the Web UI ends with /itspaces.

When you open the Web UI, the following page is displayed.

The Web UI comprises the following sections:

● Discover
Here, you can find predefined integration content provided by SAP that you can use out of the box and
adapt to your requirements. As the Getting Started documentation focuses on how to design your own
integration content, we do not go into any more detail on this section.
● Design
This is where you design your integration content. As you progress through the exercise in the Getting
Started documentation, you will spend most of your time in this section. It contains the graphical
integration flow modeling environment.
● Monitor
This is where you can monitor your integration flow. You also use this section to manage additional artifacts
that you need to deploy on your tenant to complement your integration flows (for example, User Credential
artifacts to configure connections using basic authentication).

Design Section

When you go to the Design section, you find a list of integration packages defined for the tenant.

When you select an integration package, you can find the integration flows (and other artifacts) defined for the
package (on the Artifacts tab).

In this Getting Started documentation, we assume that you have not yet defined an integration package for
your integration content. Therefore, the first step is to define an integration package.

Monitor Section

The Monitor section (also referred to as Operations view) has several subsections, each one containing several
tiles. These subsections allow you to perform various tasks that are required for an integration project in
addition to integration content design.

When you work in the Neo environment, the SAP Cloud Platform Integration section has the following
appearance:

When you work in the Cloud Foundry environment, the SAP Cloud Platform Integration section has the
following appearance:

● Monitor Message Processing


When you select a tile in this section, you find all messages that have been processed by all integration
flows deployed on the tenant. You can find out whether messages have been processed successfully for
your integration flow and analyze the situation if not.
● Manage Integration Content
When you select a tile in this section, you find all deployed integration flows and can check whether
deployment was successful. You can also find the endpoint address for your integration flow (which you
need if you want to configure the endpoint in the connected sender system).
● Manage Security

○ The Security Material tile contains security-related artifacts that are required on the tenant in addition
to the security-relevant settings in your integration flow. In the course of the following exercise, you will
create and deploy a User Credentials artifact to define the user name and password for the mail
account that is addressed by the Mail receiver adapter of the integration flow.
○ The Keystore tile shows the content of the tenant keystore, which contains key pairs and certificates
required to set up connections that are protected using certificate-based authentication. In the
exercise, we need to add certificates when setting up the connection to the e-mail receiver.
○ The Connectivity Tests (only available in the Neo environment) tile allows you to test outbound
connections (from SAP Cloud Platform Integration to a receiver system). We use the connectivity test
tool to retrieve the certificates of the e-mail receiver that need to be imported into the tenant keystore.

There are other sections and tiles that are required for additional tasks, but these are not required in the
Getting Started exercise, so we will not look at them in any more detail here.

2.2 Create an Integration Package

Create an integration package that contains your integration flows.

An integration package is used like a folder for your integration content (integration flows, value mappings, and
OData services). You can transport an integration package, for example, if you want to design your integration
content on a test tenant first and then transport it to a production tenant.

1. Open the Web UI using the hyperlink provided to you in the mail from SAP (the link ends with
/itspaces).
2. Go to the Design section of the Web UI.

3. Choose Create.

4. Enter a name and description for your integration package and choose Save.

2.3 Create the Integration Flow
Create the integration flow as part of your integration package.

1. Open the Web UI and go to the Design section.

2. Select the integration package and choose Edit.
3. Go to the Artifacts tab and choose Add > Integration Flow.

4. Provide a name and description for the integration flow and choose OK.

The integration flow is added to the list of artifacts for the selected integration package.
5. Select the integration flow from the list.
An integration flow template opens that contains the following shapes: Sender (this represents your
sender system), Receiver (this represents a receiver system), Integration Process (this will later contain all
the processing steps that define how a message is processed on the tenant). The Integration Process
shape contains a Start and an End event.

If you select a shape in the integration flow modeling area, the properties of the selected shape are displayed in
the section below the modeling area. If you click the area outside of the shapes, the properties are displayed
that are related to the integration flow as a whole (as shown in the figure above).

To start modeling, choose Edit. Notice that a palette appears to the left of the integration flow model. This
palette provides access to all integration flow step shapes that you can add to the model.

2.4 Smoke Test Scenario

This is a very simple test to verify that your SAP Cloud Platform Integration is working as expected. You do not
need any receiver system to perform this test.

In this scenario, you create a Hello World text and write it into the message body (scheduled on deployment of
the integration flow). The result is written into the message processing log which you can directly inspect with
the message monitoring application.

Caution

This integration scenario is designed to show how to quickly (without much effort) set up and run an
integration flow without the need to configure and connect to any receiver system. It uses a Script step to
store the message payload in the message processing log (to enable you to easily check in the message
monitoring application if the message was processed without any errors).

Note that this is not according to standard best practice. When designing productive scenarios, don't store
the message payload in the message processing log. This can cause severe issues with memory
consumption. The reason is that tasks such as message processing and message monitoring share the
same memory and CPU which are available on your tenant.

In the course of this exercise, you develop the following integration flow.

To make it as easy as possible for you to develop this first integration flow, you don't need to configure any
sender system. That saves the effort for you to set up a dedicated sender system and to connect it to SAP
Cloud Platform Integration. Instead of this, message processing is triggered by a Timer event, and the inbound
message payload is created within the integration flow, in a dedicated Content Modifier step.

Furthermore, it is also not required that you set up any receiver system. To enable you to check if the message
has been processed correctly, you will configure the integration so that the message payload is written into the
message processing log (where you can easily inspect it using the Monitor application of the Web UI).

This is how the integration flow will process the message at runtime:

1. The Timer event triggers the processing of the message (according to the settings of the Timer's
scheduler).
2. The Content Modifier step creates a message with a simple text content (Hello World!).
3. The Groovy Script step logs the payload of the message (that means, it writes the message content into
the message processing log).

When you have finished the integration flow design, you save and deploy the integration flow.

You can then monitor message processing.

Related Information

Create a Content Modifier to Define the Message Body [page 21]


Create a Script Step to Log the Payload [page 22]
Save and Deploy the Integration Flow [page 24]
Monitor Message Processing [page 26]

2.4.1 Add a Timer Start Event

1. Open the integration flow model (Edit mode), select the Sender shape, and choose the recycle bin icon (to
remove the Sender shape).

2. In the same way, remove the Start event.


3. In the palette, select the Events entry, and then select the Timer shape.

4. Place the Timer shape in the Integration Process shape (at the point where the Start event was previously
located).
5. In the properties section of the Timer event (displayed below the integration flow model when the Timer
event is selected in the model), go to the Scheduler tab.

6. Make sure that the option Run Once is selected.

Note

You can, of course, try out the other settings, which enable the Timer to start message processing
periodically. However, take care when selecting these options if you have added a receiver to your
scenario. For example, in another demo scenario provided in this documentation, the receiver of the
message is an e-mail account, and you don't want your e-mail account to be inundated with
periodically generated e-mails.

2.4.2 Create a Content Modifier to Define the Message Body

Add a Content Modifier step to create the message body.

As the integration flow has no sender, we use a Content Modifier to create a message from scratch.

1. To add a Content Modifier, go to the palette, choose the Message Transformers icon, and select the Content
Modifier icon.

2. Place the Content Modifier in the model after the Timer Start event.

3. In the Content Modifier properties section, go to the Message Body tab and enter the following string
sequence in the entry field:
Hello World!

This simulates the inbound XML message.


4. Connect the Timer event with the Content Modifier. To do this, select the Timer event.

5. Click the arrow icon, and drag and drop the cursor to the Content Modifier.

2.4.3 Create a Script Step to Log the Payload

Add a Script step to log the message payload.

With a Groovy Script step, you can configure the integration in such a way that the payload of the message is
written to the message processing log as an attachment.

1. To add a Script step (containing a Groovy script), go to the palette and choose the Message Transformers
icon and select the Script icon.

2. In the Script submenu, select Groovy Script.

3. Place the Script step shape after the Content Modifier step and connect both shapes.
4. Select the Script step.
The context icons are displayed.

5. Choose the + icon.
6. The default script coding of the step is displayed.

7. Replace this content with the script provided in the coding example below.

    import com.sap.gateway.ip.core.customdev.util.Message;
    import java.util.HashMap;

    def Message processData(Message message)
    {
        // Read the current message payload as a string.
        def body = message.getBody(java.lang.String) as String;
        // messageLogFactory is provided by the integration runtime.
        def messageLog = messageLogFactory.getMessageLog(message);
        if (messageLog != null)
        {
            // Attach the payload to the message processing log.
            messageLog.addAttachmentAsString("Log current Payload:", body, "text/plain");
        }
        return message;
    }

8. Choose OK.
The integration flow model is again displayed.
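
For productive flows, where the caution at the start of this scenario advises against storing the payload in the message processing log, a Script step can record the payload's size and SHA-256 digest instead and attach a capped excerpt only when a switch is set. This is an added example, not part of the SAP guide; the exchange property name logPayload, the log property names payloadBytes and payloadSha256, and the 2000-character cap are assumptions.

```groovy
import com.sap.gateway.ip.core.customdev.util.Message
import java.nio.charset.StandardCharsets
import java.security.MessageDigest

// Hex-encoded SHA-256 of the payload bytes: enough to compare or correlate
// messages in monitoring without storing their content.
String sha256Hex(byte[] data) {
    return MessageDigest.getInstance("SHA-256").digest(data).encodeHex().toString()
}

def Message processData(Message message) {
    def messageLog = messageLogFactory.getMessageLog(message)
    if (messageLog == null) {
        return message
    }

    // A missing body is treated as an empty payload.
    String body = (message.getBody(java.lang.String) as String) ?: ""
    byte[] bytes = body.getBytes(StandardCharsets.UTF_8)

    // Always logged: two short string properties, independent of payload size.
    messageLog.setStringProperty("payloadBytes", Integer.toString(bytes.length))
    messageLog.setStringProperty("payloadSha256", sha256Hex(bytes))

    // Assumption: an exchange property named logPayload (set, for example, in a
    // Content Modifier) switches the attachment on for troubleshooting.
    int maxChars = 2000  // assumed cap on what is written to the log
    def enabled = message.getProperties().get("logPayload")
    if ("true".equalsIgnoreCase(enabled?.toString())) {
        boolean truncated = body.length() > maxChars
        String excerpt = truncated ? body.substring(0, maxChars) : body
        String name = truncated ? "Payload (first " + maxChars + " characters)" : "Payload"
        messageLog.addAttachmentAsString(name, excerpt, "text/plain")
    }
    return message
}
```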

2.4.4 Save and Deploy the Integration Flow

Save and deploy the integration flow on the tenant to be able to process it.

1. When you have finished modeling, click Save.

On successful save, a corresponding status message is displayed.

2. Click Deploy.
A message is displayed that asks you to confirm this action.

Another message is displayed when the validation has been performed and the integration flow
deployment has been triggered.

After successful deployment, a status message is displayed.

Note

In case of a modeling error, a Validation Failed message is displayed instead of this message.
Deployment of the integration flow is triggered only after you have fixed the error.

3. Choose the Operations view to check the status of the deployment.

4. Click a tile in section Manage Integration Content.

You can check the deployment status of your integration flow.

It will change from Starting to Started.

There is an alternative approach to deploy an integration flow.

Open the integration package that contains the integration flow to deploy. Go to the Artifacts tab, click the
Actions button (next to the name of the integration flow that you want to deploy) and select Deploy.

2.4.5 Monitor Message Processing

Run the integration flow and check the result of message processing.

When the integration flow has been deployed successfully, the message is processed without any further
trigger (based on the settings of the timer).

1. Go to the Operations view and select a tile under Monitor Message Processing.
If your integration flow has been processed successfully, the status Completed should be shown.

2. Select the integration flow and analyze the details area to the right of the integration flow list.

3. Under Attachments, click Log current Payload.
You should see the message content, which consists of the following text:
Hello World!

This shows you that the message has been processed correctly.

2.5 Smoke Test Scenario with External Data Source

This is a very simple test to verify that your SAP Cloud Platform Integration is working as expected. You do not
need any receiver system to perform this test.

In this scenario, you access an OData service and get information about a product (for a specific product ID).
The result is written into the message processing log which you can directly inspect with the message
monitoring application.

Caution

This integration scenario is designed to show how to quickly (without much effort) set up and run an
integration flow without the need to configure and connect to any receiver system. It uses a Script step to
store the message payload in the message processing log (to enable you to easily check in the message
monitoring application if the message was processed without any errors).

Note that this is not according to standard best practice. When designing productive scenarios, don't store
the message payload in the message processing log. This can cause severe issues with memory
consumption. The reason is that tasks such as message processing and message monitoring share the
same memory and CPU which are available on your tenant.

In the course of this exercise, you develop the following integration flow.

To make it as easy as possible for you to develop this first integration flow, you don't need to configure a
sender system. This saves you the effort of setting up a dedicated sender system and connecting it to SAP
Cloud Platform Integration. Instead, message processing is triggered by a Timer event, and the inbound
message payload is created within the integration flow, in a dedicated Content Modifier step.

Furthermore, it is also not required that you set up any receiver system. To enable you to check if the message
has been processed correctly, you will configure the integration so that the message payload is written into the
message processing log (where you can easily inspect it using the Monitor application of the Web UI).

This is how the integration flow will process the message at runtime:

1. The Timer event triggers the processing of the message (according to the settings of the Timer's
scheduler).
2. The first Content Modifier step creates a message with only one element, a productIdentifier (to
identify a product from the product catalog).
The actual value of the productIdentifier is hard-coded in this step. If you want to process the
integration flow with another product identifier, you need to change the value in this step and redeploy the
integration flow. This is the drawback that results from not having a dedicated sender system.
3. The second Content Modifier creates a message header (which we also call productIdentifier) and
writes the actual value of the productIdentifier element into it. This header will be used in the
subsequent step.
4. The Request Reply step passes the message to an external data source and retrieves data (about
products) from there.
The external data source is represented by the lower WebShop shape.
The external data source supports the Open Data Protocol (OData). For our scenario, we use the ESPM
WebShop, which is based on the Enterprise Sales and Procurement Model (ESPM) provided by SAP. The
demo application can be accessed at the following address:
https://refapp-espm-ui-cf.cfapps.eu10.hana.ondemand.com/webshop/index.html
For the connection to the WebShop, an OData receiver channel is used. To query for exactly one product
(for the product identifier provided with the inbound message), the header that has been created in the
preceding Content Modifier is used.
5. The OData service provides the details of one specific product (according to the product identifier provided
with the inbound message).
6. The Groovy Script step logs the payload of the message (that means, it writes the message content into
the message processing log).

You can then run the integration flow and monitor message processing as described under: Run the Integration
Flow and Monitor the Message Processing [page 36].

Related Information

Create the Script Step to Log the Payload [page 35]


Run the Integration Flow and Monitor the Message Processing [page 36]

2.5.1 Create a Content Modifier to Define the Message Body

Add a Content Modifier step to create the message body.

As the integration flow has no sender, we use a Content Modifier to create a message from scratch.

1. To add a Content Modifier, go to the palette, choose the Message Transformers icon, and select the Content
Modifier icon.

2. Place the Content Modifier in the model after the Timer Start event.
3. In the Content Modifier properties section, go to the Message Body tab and enter the following string
sequence in the entry field:

Sample Code

    <root>
        <productIdentifier>HT-1080</productIdentifier>
    </root>

This simulates the inbound XML message.

4. Connect the Timer event with the Content Modifier. To do this, select the Timer event, click the arrow icon,
and drag and drop the cursor to the Content Modifier.

2.5.2 Create a Content Modifier to Add a Header

Add a Content Modifier to your model to define a header, which will be used in a later step to filter data from the
external source.

If you remember, our input message has only one field: productIdentifier. This field will contain a product
identifier that we want to use to filter the results from the WebShop application.

To make this number available to the integration framework during message processing, SAP Cloud Platform
Integration provides the option to store the value of productIdentifier from the incoming message either
in the message header or in a data container referred to as an exchange property.

We use the first option, and to prepare the message accordingly we use a Content Modifier.

1. Add a second Content Modifier (after the first one) to the integration flow model.
2. In the properties section of the second Content Modifier, go to the Message Header tab and choose Add.
3. Specify the following parameters:
○ Name: Enter any name, for example, productIdentifier. This is the name of the header that will be
created by the Content Modifier step.
○ Type: Select XPath.

Tip

In this example, you use an XML Path Language (XPath) expression to address a dedicated
element of your inbound message. XPath allows you to address any element in an XML structure
by using a well-defined syntax. The expression //<element name> addresses all elements with
name <element name> in the XML document.

○ Data Type: Enter java.lang.String.


○ Value: Enter //productIdentifier (which is the XPath expression that points to the
productIdentifier field in the inbound message).

4. Connect the first Content Modifier (which defines the message body) with the second one.

In other words, the Content Modifier creates a header with the name productIdentifier, which will contain
the value of the productIdentifier field of the incoming message.

2.5.3 Create the Outbound OData Channel

To call the external data source, add a Request Reply step to the integration flow model and connect this step
with the external system using an OData channel.

Note

Follow this procedure in case you use SAP Cloud Platform Integration in the Neo environment.

To configure SAP Cloud Platform Integration to send a request message to the external OData service (to
retrieve the required data), you need to do the following:

● Create a Request Reply step.


● Connect the Request Reply step to a Receiver shape and select the OData adapter type.
● Configure the OData adapter to specify how the OData API of the external service should be called (to
define query options, for example).

Remember

There are currently certain limitations when working in the Cloud Foundry environment. For more
information on the limitations, see SAP Note 2752867.

1. Go to the palette and select the Call entry.

2. Select External Call and in the submenu choose Request Reply.

3. Place the Request Reply shape between the second Content Modifier and the End event in the model.
Furthermore, connect the second Content Modifier with the Request Reply step and the Request Reply
step with the End event.
4. Move the Receiver shape closer to the Request Reply shape (below the Request Reply shape but outside
the Integration Process shape, as shown in the overall integration flow model under Smoke Test Scenario
with External Data Source [page 27]).
5. Connect the Request Reply shape to the Receiver shape (by selecting the Request Reply shape, clicking
the arrow icon, and dragging and dropping the cursor on the Receiver shape).
6. In the next dialog, choose adapter type OData.

7. In the next dialog, select OData V2 as the Message Protocol.

Note

This adapter supports different versions of the OData protocol. We select version 2.0.

8. Go to the Connection tab of the OData adapter and enter the following as the Address:
https://refapp-espm-ui-cf.cfapps.eu10.hana.ondemand.com/espm-cloud-web/espm.svc

Tip

This is the endpoint address of the ESPM WebShop's OData application programming interface.

9. Go to the Processing tab.


10. Next to Resource Path, choose Select.

The Query Editor opens, where you can conveniently define the OData query.
The Address field is already populated with the value you just entered.
11. Make sure that Remote is selected as the Connection Source, and choose Step 2.
The system connects to the WebShop service and retrieves the metadata from its OData API.
12. Choose the Search icon in the Select Entity field.

Select Products.
13. A list of the available elements is provided, using the information from the OData API.
Choose a set of elements for which you want to retrieve data (for example, all elements, as shown in the
next figure) and choose Step 3.

14. Choose the copy icon in the Filter By field and select ProductId.
15. In the next field, select Equal.
16. In the third field, enter an expression that allows the integration framework to access the message header
productIdentifier that you created in the preceding Content Modifier step.
${header.productIdentifier}

Tip

The dollar sign and the curly brackets indicate that we are dealing with Apache Camel's Simple Expression
Language, which is often used in SAP Cloud Platform Integration. In particular, here you see a dynamic
parameter, which has the following effect: The value of the header productIdentifier (which is
identical to the value of the productIdentifier field of the incoming message) is used dynamically
at runtime to define the OData query.

17. Choose Finish.
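
A check worth adding once the identifier comes from a sender rather than from a hard-coded Content Modifier (as in the sender-initiated scenario in section 2.7): a Groovy Script step, placed before the Request Reply step, that lets only well-formed productIdentifier values reach the ${header.productIdentifier} filter expression. This is an added example, not part of the SAP guide; the identifier pattern is an assumption derived from the sample values HT-1080 and HT-2001, and the log property name productIdentifierCheck is hypothetical.

```groovy
import com.sap.gateway.ip.core.customdev.util.Message

// Returns the identifier if it has the expected shape, otherwise throws.
// Assumption: identifiers look like the guide's samples HT-1080 and HT-2001
// (two capital letters, a hyphen, four digits). Adjust to your catalog.
String requireValidProductId(Object raw) {
    if (raw == null) {
        throw new IllegalArgumentException("Header productIdentifier is missing")
    }
    String value = raw.toString().trim()
    // ==~ requires the WHOLE string to match, so anything before or after a
    // valid-looking identifier causes a rejection as well.
    if (!(value ==~ /[A-Z]{2}-\d{4}/)) {
        // Report only the length; the rejected value itself is not logged.
        throw new IllegalArgumentException(
            "Header productIdentifier has an unexpected format (length " + value.length() + ")")
    }
    return value
}

def Message processData(Message message) {
    def messageLog = messageLogFactory.getMessageLog(message)
    try {
        String productId = requireValidProductId(message.getHeaders().get("productIdentifier"))
        // Write the trimmed value back so that ${header.productIdentifier}
        // in the OData adapter sees exactly what was validated.
        message.setHeader("productIdentifier", productId)
    } catch (IllegalArgumentException e) {
        if (messageLog != null) {
            messageLog.setStringProperty("productIdentifierCheck", e.getMessage())
        }
        // Rethrow: processing fails in this step, so the Request Reply step
        // and the OData call are never reached.
        throw e
    }
    if (messageLog != null) {
        messageLog.setStringProperty("productIdentifierCheck", "passed")
    }
    return message
}
```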

2.5.4 Create the Script Step to Log the Payload

Add a Script step to log the message payload.

With a Groovy Script step, you can configure the integration in such a way that the payload of the message is
written to the message processing log.

1. To add a Script step (containing a Groovy script), go to the palette and choose the Message Transformers
icon and select the Script icon.

2. In the Script submenu, select Groovy Script.

3. Place the Script Step shape after the Request Reply step and connect both shapes.
4. Select the Script step.
The context icons are displayed.

5. Choose the + icon.


6. The default script coding of the step is displayed.

7. Replace this content with the script provided in the coding example below.

    import com.sap.gateway.ip.core.customdev.util.Message;
    import java.util.HashMap;

    def Message processData(Message message)
    {
        // Read the current message payload as a string.
        def body = message.getBody(java.lang.String) as String;
        // messageLogFactory is provided by the integration runtime.
        def messageLog = messageLogFactory.getMessageLog(message);
        if (messageLog != null)
        {
            // Attach the payload to the message processing log.
            messageLog.addAttachmentAsString("Log current Payload:", body, "text/plain");
        }
        return message;
    }

8. Choose OK.
The integration flow model is again displayed.
9. Save and deploy the integration flow.

2.5.5 Run the Integration Flow and Monitor the Message Processing

Run the integration flow and check the result of message processing.

When the integration flow has been deployed successfully, the message is processed without any further
trigger (based on the settings of the timer).

1. When you have saved and deployed your integration flow, check the deployment status. Go to the Monitor
section of the Web UI and select a tile under Manage Integration Content.

2. As soon as deployment has finished, the status Started should be displayed for your integration flow.

3. Go back to the overview page of the Web UI Monitor section and select a tile under Monitor Message
Processing.
If your integration flow has been processed successfully, the status Completed should be shown.

4. Select the integration flow and analyze the details area to the right of the integration flow list.

5. Under Attachments, click Log current Payload.


You should see the message content, which consists of the details of the product associated with the value
of productIdentifier entered in the first Content Modifier.

This shows you that the message has been processed correctly.

2.6 Timer-Initiated Scenario with a Mail Receiver

Create a simple integration scenario that is initiated by a timer, retrieves data from an external source, and
sends the result to an e-mail account (as the receiver system).

A typical challenge addressed by an integration scenario is to retrieve data from a certain source (for example,
product details from a product catalog on a vendor's site) using certain filter criteria. We use the integration
flow described in this section to address such a use case.

In the course of this exercise, you develop the following integration flow:

To make it as easy as possible for you to develop this integration flow, you don't need to configure a sender
system. This saves you the effort of setting up a dedicated sender system and connecting it to SAP Cloud
Platform Integration. Instead, message processing is triggered by a Timer event, and the inbound message is
created within the integration flow, in a dedicated Content Modifier step.

As a prerequisite to use the Mail adapter, you need to take care of the following things.

● Update the tenant keystore with the certificates required by the mail server.
● Create and deploy a User Credentials artifact that contains the credentials of the mail account.

This is how the integration flow processes the message at runtime:

1. The Timer event triggers the processing of the message (according to the settings of the Timer's
scheduler).
2. The first Content Modifier step creates a message with only one element: a productIdentifier (to
identify a product from the product catalog).
The actual value of the productIdentifier is hard-coded in this step. If you want to process the
integration flow with another product identifier, you need to change the value in this step and redeploy the
integration flow. This is the drawback of not having a dedicated sender system.
3. The second Content Modifier step creates a message header (which we also call productIdentifier)
and writes the actual value of the productIdentifier element into it. This header is used in the
subsequent step.
4. The Request Reply step passes the message to an external data source from which it retrieves data (about
products).
The external data source is represented by the lower WebShop shape.
The external data source supports the Open Data Protocol (OData). For our scenario, we use the ESPM
WebShop, which is based on the Enterprise Sales and Procurement Model (ESPM) provided by SAP. The
demo application can be accessed at the following address:
https://refapp-espm-ui-cf.cfapps.eu10.hana.ondemand.com/webshop/index.html
An OData receiver channel is used to connect to the WebShop. The header that was created in the
preceding Content Modifier is used to query exactly one product (using the product identifier provided with
the inbound message).
5. The OData service provides the details of this product.
6. Finally, the result of the request is forwarded to an e-mail account using the Mail receiver adapter (the
e-mail server is represented by the Mail_Ser … shape on the right in the integration flow model).

When you have finished integration flow design, you can monitor message processing.

This integration flow introduces you to a number of important aspects of integration development, such as
defining an OData query and using a message header to dynamically query an OData source.

Related Information

Update the Tenant Keystore with the Certificates Required by the Mail Server [page 41]
Create and Deploy a User Credentials Artifact for the E-Mail Account [page 43]
Create the Mail Receiver Channel [page 44]
Monitor Message Processing [page 47]

2.6.1 Update the Tenant Keystore with the Certificates Required by the Mail Server

Add the required server root certificates (required by the e-mail provider) to the tenant keystore.

The tenant keystore contains the key pairs and certificates that are required (on the tenant side) to establish
trusted communication with the connected systems.

When establishing the connection to the SAP Cloud Platform Integration tenant, the e-mail server needs to
authenticate itself against SAP Cloud Platform Integration using a digital server certificate. For this purpose,
the tenant keystore must contain a root certificate that is also trusted by the e-mail server.

You can usually download the required certificates from a dedicated section of the email provider's website. You
might search for server certificate to get more information. However, note that the procedure might differ
depending on the email provider.

Get the E-Mail Server's Certificate

To get the e-mail server's root certificate, you can do the following:

1. Open the website that hosts the mail account you want to address with the Mail adapter.
2. In the browser address field, click the lock icon and select Certificate (Valid) (example for using Google
Chrome).

3. On the Certification Path tab, double-click the uppermost node (which is the root certificate).

4. Click Details and select Copy to File ....

5. In the wizard, click Next.


6. On the next screen, keep the setting DER encoded binary X.509 (.CER) and click Next.
7. Choose a directory on your computer in which to store the certificate file, and enter a file name.
8. Click Next and then Finish.

The root certificate is stored as a file with the extension .cer on your computer.

Finally, you need to import the downloaded certificates to the tenant keystore. To do this, open the Keystore
monitor.

1. Go to the Monitor section of the Web UI and select the Keystore tile under Manage Security.
All certificates that are already included in the keystore are displayed. If you have only recently started
working with SAP Cloud Platform Integration, these are the certificates provided by SAP initially when
providing the tenant for you.
2. Choose Add Certificate.

3. Browse to the certificate stored on your computer, provide an alias (to identify the certificate in the
keystore) and choose Deploy.
The certificate is added (under the alias name) to the list of keystore entries.
4. Repeat this task for all certificates that you have downloaded.

Note

You might also need to change the settings of your e-mail account so that the mail server accepts
connections to remote applications with a lower security level (for example, for Yahoo mail, this is the Less
Secure Apps setting). If you don't do this, the integration flow might raise an error during processing.

Note

If you don't upload the required root certificate to the tenant keystore and try to execute the integration
flow (after you have finished its design), message processing fails with an error message that
starts as follows:

Sample Code

    javax.mail.MessagingException: Could not connect to SMTP host: smtp.mail.yahoo.com, port: 465;
    nested exception is:
    javax.net.ssl.SSLHandshakeException ...

2.6.2 Create and Deploy a User Credentials Artifact for the E-Mail Account

Deploy a User Credentials artifact that contains the user name and password for your receiver mail account.

1. Go to the Monitor section of the Web UI and select the Security Material tile under Manage Security.

2. Choose Add User Credentials.

3. As Name, enter the User Credentials name that you specified in the Mail receiver adapter, and as User
enter the e-mail account user name (also specified in the fields From and To in the Mail receiver adapter).
Also provide the password of the mail account.

Note

Storing the user name and password in a separate artifact increases the security level of integration
development.

4. Choose Deploy.

2.6.3 Create the Mail Receiver Channel

Add a Mail receiver channel to enable the integration flow to send messages to an e-mail account.

1. First, add a second receiver to represent the e-mail account. In the integration flow model (in Edit mode),
select the Participants entry from the palette and select Receiver.

2. Place the Receiver shape on the right side of the model, outside the Integration Process shape.
You can rename the shape to Mail_Receiver (for example).

3. Select the End event, click the arrow button and drag and drop the cursor on the Receiver shape.

4. Select Mail as the Adapter Type.

5. In the Mail adapter properties section (below the model), go to the Connection tab and specify the
following Mail adapter parameters.
The figure shows example settings, which are explained further below.

○ Address: Enter the address of your mail provider, followed by a colon and the port number. The
example in the figure shows the address for Yahoo Mail (smtp.mail.yahoo.com:465) and SMTP
protocol.
○ Protection: Select SMTPS.
○ Authentication: Select Plain User/Password.
○ Credential Name: Enter a name for a User Credentials artifact that you will create in a subsequent step,
for example, MyCredentials.
The User Credentials artifact will contain the user name and password for the e-mail account to which
the message is to be sent.
○ From and To: Enter the mail address of the e-mail account that should receive the message.
○ Subject: Enter a meaningful text.
Keep the default settings for the other parameters.
6. Save and deploy the integration flow.

2.6.4 Monitor Message Processing

As you use a Timer event to trigger the message processing, the integration flow is processed as soon as it is
deployed.

1. To check whether the processing has been executed correctly, go to your e-mail account. You should find a
mail with the following content:

2. Finally, check how the message was processed by opening the Monitor section of the Web UI.
3. Choose a tile under Monitor Message Processing and you should find your message with the integration
flow name.

4. Open the integration flow in Edit mode, click the first Content Modifier and on the Message Body tab
change the value of the productIdentifier to HT-2001 and redeploy the integration flow.
5. Once the integration flow has been deployed successfully, you should receive an e-mail with details about
another product.

2.7 Sender-Initiated Scenario (with HTTPS Sender Adapter)

Create a simple integration scenario that is initiated by a sender (using the HTTPS sender adapter).

With the following steps, you can easily modify and extend the previously built integration flow with the email
receiver (Timer-Initiated Scenario with a Mail Receiver).

The figure shows the integration flow model that you get as a result of this exercise.

In the modified integration flow, an HTTP client instead of a Timer event triggers message processing.

Furthermore (to simplify the design), we have merged the steps processed by two different Content Modifier
steps in the previously built integration flow into one Content Modifier step.

Note

As a prerequisite to execute this integration flow in the Cloud Foundry environment, you need to authorize
the sender system (HTTP client) to call the integration flow endpoint. For that purpose, you create a service
instance on SAP Cloud Platform and generate service key credentials (which can then be used by the HTTP
client to call the integration flow endpoint).

This is how the integration flow processes the message at runtime:

1. The HTTP client (represented by the Sender shape) sends an HTTP request to SAP Cloud Platform
Integration through an HTTPS sender channel. The HTTPS request body, which is in JavaScript Object
Notation (JSON) format, contains a product identifier.
2. The JSON-to-XML converter transforms the request body into XML format (which can be processed in the
following step, the Content Modifier).
3. The Content Modifier creates a message header (which we also call productIdentifier) and writes the
actual value of the productIdentifier element into it. This header is used in the subsequent step.
In this exercise, you use one Content Modifier to create the header and to write the message body.
4. The Request Reply step passes the message to an external data source and retrieves data (about orders)
from there.
The external data source supports the Open Data Protocol (OData). For our scenario, we use the ESPM
WebShop, which is based on the Enterprise Sales and Procurement Model (ESPM) provided by SAP. The
demo application can be accessed at the following address:
https://refapp-espm-ui-cf.cfapps.eu10.hana.ondemand.com/webshop/index.html
5. An OData receiver channel is used for the connection to the OData source. To query for exactly one
product (for the product identifier provided with the inbound message), the header that was created in the
preceding Content Modifier is used.
6. The OData service provides the details of one specific product, which is identified by the actual value of the
productIdentifier field (provided with the inbound HTTP request).
7. Finally, the result of the request is forwarded to an e-mail account using the Mail receiver adapter (the
e-mail server is represented by the right Mail … shape in the integration flow model).

When you have finished the integration flow design, you can send the message through the HTTP client.

Related Information

Timer-Initiated Scenario with a Mail Receiver
Authorize the HTTP Client to Call the Integration Flow Endpoint in the Cloud Foundry Environment
Create the HTTPS Sender Channel
Add the JSON to XML Converter
Create the Mail Receiver Channel
Send the HTTP Request and Process the Integration Flow

2.7.1 Authorize the HTTP Client to Call the Integration Flow Endpoint in the Cloud Foundry Environment

You perform these steps to authorize the sender (HTTP client) to call the SAP Cloud Platform Integration
integration flow endpoint.

Note

You need to perform these steps only if you use SAP Cloud Platform Integration in the Cloud Foundry
environment.

These steps imply that you create a service instance on SAP Cloud Platform and generate a service key for it.
The credentials that you get as a result can be used by the HTTP client to call the integration flow endpoint.

Create Service Instance

In the context of this scenario, you can think of the service instance as a technical user that can be associated
with the sending system's (HTTP client's) request.

You perform the following steps using SAP Cloud Platform Cockpit.

1. Choose your space, navigate to Services > Service Marketplace, and select the tile Process
Integration Runtime.
2. In case a service instance is not available yet, create a new one.
Select Instances > New Instance.

3. Choose Next.
4. Enter the following command in the entry field.

Sample Code

{
  "roles": [
    "ESBMessaging.send"
  ]
}

With this command, you associate the service instance with the role ESBMessaging.send, which is
required to call an integration flow endpoint.

5. Choose Next and on the next screen again choose Next.

6. Enter an instance name and choose Finish.

Create Service Key

With this step, you generate credentials to communicate with a service instance.

The sender application (HTTP client) uses these credentials (clientid and clientsecret) to access the
SAP Cloud Platform Integration integration flow endpoint.

1. Select the instance.


2. Choose Service Keys.

3. Choose Create Service Key.


4. Enter a name for the service key.
5. Choose Save.
The service key is created.

You need to copy the values of clientid and clientsecret to your clipboard or to a text editor for later
reference.
These values specify the credentials of the user associated with the sending application.

2.7.2 Create the HTTPS Sender Channel

Add an HTTPS sender channel to enable the integration flow to receive HTTP requests.

1. Select the integration flow and choose Edit.


2. Click the Sender shape. The context icons for the Sender appear.

Note

If you choose the information icon, the version of the integration flow component is displayed.

Do not confuse the version of an individual integration flow component with the software version of
SAP Cloud Platform Integration. An integration flow component gets a new version each time a new
feature is added to it by SAP. Let's imagine a situation where you started modeling an integration flow
some time ago and now want to continue working on it. Let's assume that SAP has updated the
software in the meantime. A new version of an integration flow step or shape that you have used is now
available, containing a new feature. You can continue to use the old component version, but if you want
to use the new feature you need to update to the new version.

3. Click the arrow icon and drag and drop the cursor on the Start event.
The list of available adapter types is displayed in a dialog.

4. Choose adapter type HTTPS.


The properties of the adapter are shown below the model.
5. Go to the Connection tab.

Specify the following parameters:
○ Address: This parameter defines the endpoint under which the integration flow can be called from the
sender. Start the address with a slash, for example, /FirstFlow.
○ Authorization and User Role: You want to configure your first integration flow so that the inbound
request is authenticated using basic authentication (based on user credentials). To keep it simple, you
use your dialog user. During onboarding, you also made sure that the role ESBMessaging.send was
assigned to your user (and this setting was also used when configuring the HTTP client).
○ CSRF Protected: Keep this option selected (default setting). It ensures that your integration flow is
protected against cross-site request forgery (CSRF), a kind of attack where a malicious party can perform
harmful actions by masquerading as the logged-in user (the user specified for the HTTP client in our
case).

2.7.3 Add the JSON to XML Converter

Add a JSON-to-XML converter to convert the HTTP request, which is in JavaScript Object Notation (JSON)
format, to XML for further processing.

With the HTTP client, we send a POST request with a request body in JSON format. To enable the subsequent
steps to process the message, it needs to be converted to XML first. To perform the required conversion, you
can use the JSON-to-XML converter.

1. In the palette, select the Message Transformers entry and then choose Converter.

2. In the submenu, choose JSON to XML Converter.

3. In the integration flow model, place the shape inside the Integration Process shape after the Start event.
The model should now look like this:

2.7.4 Send the HTTP Request and Process the Integration Flow

Set up an HTTP client using Postman and send the HTTP request.

1. Install an HTTP client on your computer.


2. Since the HTTPS sender adapter is configured to expect User Role authorization, the authentication mode
used is basic authentication (with user credentials).
Select the corresponding authentication mode for your HTTP client.
Depending on whether you work in the Neo or the Cloud Foundry environment, the way you get the
required credentials differs.
○ Neo environment:
Specify the credentials of the user that is associated with the inbound HTTP request and that has been
assigned the role ESBMessaging.send in SAP Cloud Platform Cockpit.
○ Cloud Foundry environment:
As credentials, enter the values of clientid and clientsecret that were generated when you
created the service key during onboarding.
The following figure shows the related dialog from SAP Cloud Platform Cockpit.

3. As you have selected CSRF Protected in the HTTPS adapter, you need to fetch a CSRF token.
The CSRF token is then used to place the POST request for your integration flow.
1. Find out the endpoint address of the integration flow. To do this, go to the Monitor section of the Web
UI.
2. Choose a tile under Manage Integration Content.
3. Select your integration flow. It should be displayed in the list of deployed artifacts with status Started.

4. Copy the endpoint URL to the clipboard.


The URL should end with /http/<Address specified in the HTTPS adapter>.
4. Using your HTTP client, send a GET request to the endpoint address.
Make sure that you send a header with the key X-CSRF-token and the value fetch with the request.
5. You should receive the CSRF token.

You can now send the POST request to the integration flow.

1. Specify the same authentication settings as for the GET request above.

2. Specify the following HTTP request body (JSON format):

Sample Code

{
  "productIdentifier": "HT-1080"
}

3. Copy the value of the CSRF token (obtained from the GET request above) to the clipboard.
4. Add a header to the request.
In the Key field, enter X-CSRF-Token and in the Value field, enter the value of the CSRF token from your
clipboard.
5. Send the request.
You should get the details of the product with productIdentifier HT-1080.
6. Go to the e-mail account specified in the Mail adapter. You should have received an e-mail like this:

7. Place another POST request with a body containing productIdentifier HT-2001, and you receive details of
another product.
8. Finally, check how the message was processed by opening the Monitor section of the Web UI.
Choose a tile under Monitor Message Processing and you should find your message with the integration
flow name.
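
The token fetch and the POST described in this procedure can also be scripted. The following is an added example, not SAP code: it runs against a constructed local stub rather than a real tenant, and the stub's behavior (token bound to a session cookie), the sample credentials, and the function names are assumptions. It shows why a client that drops the cookies from the GET response is rejected on the POST.

```python
import base64
import json
import secrets
import threading
import urllib.error
import urllib.request
from http.cookiejar import CookieJar
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed local stand-in for the integration flow endpoint. Assumption: the
# CSRF token is bound to a session cookie; the credentials are sample values.
STUB_AUTH = "Basic " + base64.b64encode(b"sample-clientid:sample-clientsecret").decode()
SESSIONS = {}  # session id -> CSRF token issued for that session


class StubEndpoint(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo quiet
        pass

    def _reply(self, status, body=b"", headers=()):
        self.send_response(status)
        for name, value in headers:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        if self.headers.get("Authorization") != STUB_AUTH:
            return self._reply(401)
        if self.headers.get("X-CSRF-Token", "").lower() != "fetch":
            return self._reply(200)
        sid, token = secrets.token_hex(8), secrets.token_hex(16)
        SESSIONS[sid] = token
        self._reply(200, headers=[("X-CSRF-Token", token),
                                  ("Set-Cookie", f"session={sid}; Path=/")])

    def do_POST(self):
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.headers.get("Authorization") != STUB_AUTH:
            return self._reply(401)
        sid = self.headers.get("Cookie", "").partition("session=")[2].split(";")[0]
        token = self.headers.get("X-CSRF-Token")
        if not token or SESSIONS.get(sid) != token:
            return self._reply(403, b"CSRF token validation failed")
        product = json.loads(raw)["productIdentifier"]
        self._reply(200, json.dumps({"received": product}).encode())


def start_stub():
    server = HTTPServer(("127.0.0.1", 0), StubEndpoint)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}/http/FirstFlow"


def _call(opener, method, url, clientid, clientsecret, headers, body=None):
    # Basic authentication with the service key values, as in the procedure.
    cred = base64.b64encode(f"{clientid}:{clientsecret}".encode()).decode()
    req = urllib.request.Request(url, data=body, method=method,
                                 headers={"Authorization": "Basic " + cred, **headers})
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, resp.headers, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.headers, err.read()


def send_product(url, clientid, clientsecret, product_id, keep_cookies=True):
    handlers = [urllib.request.ProxyHandler({})]  # never route the demo via a proxy
    if keep_cookies:
        handlers.append(urllib.request.HTTPCookieProcessor(CookieJar()))
    opener = urllib.request.build_opener(*handlers)

    # Step 1: GET with "X-CSRF-Token: fetch"; the token comes back in a header.
    status, headers, _ = _call(opener, "GET", url, clientid, clientsecret,
                               {"X-CSRF-Token": "fetch"})
    token = headers.get("X-CSRF-Token")
    if status != 200 or not token:
        return status, None

    # Step 2: POST the JSON body with the token (and the same session cookies).
    payload = json.dumps({"productIdentifier": product_id}).encode()
    status, _, body = _call(opener, "POST", url, clientid, clientsecret,
                            {"X-CSRF-Token": token, "Content-Type": "application/json"},
                            payload)
    return status, json.loads(body) if status == 200 else None


if __name__ == "__main__":
    server, url = start_stub()
    for keep in (True, False):  # with and without the session cookie
        print(keep, send_product(url, "sample-clientid", "sample-clientsecret",
                                 "HT-1080", keep_cookies=keep))
    server.shutdown()
```

Against a real tenant, pass the HTTPS endpoint URL copied from Manage Integration Content and the clientid and clientsecret from your service key instead of the sample values.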

3 Security in the Cloud Foundry Environment

Note

These instructions are relevant only when you use SAP Cloud Platform Integration in the Cloud Foundry
environment.

This section describes the security-related aspects of the integration platform and shows which measures you
can take to protect customer data that is passed through the platform during the execution of an integration
scenario.

Customers who use SAP Cloud Platform Integration agree that a significant part of their (and their customers')
sensitive data is processed by and stored within an infrastructure not owned by themselves.

The core task of an integration platform is to serve as the transit place for messages, which may contain
sensitive customer data. First and foremost, these messages must be protected against eavesdropping and
unauthorized access.

Therefore, the integration platform must fulfill the following main requirements:

● The integration infrastructure is already designed and built in such a way that it meets the highest security
standards.
In particular, it must be guaranteed that the technical system landscape, the communication between the
components of the integration platform, and the storage locations of messages are secure.
● The processes related to the usage of Cloud Integration meet the highest security standards.
This relates to the processes at SAP that are related to the development and upgrade of the Cloud
Integration software, the processes related to the provisioning and operation of the customers' virtual
environment by the infrastructure provider, and the customer onboarding process during which customers
set up secure connections between their infrastructure and SAP's integration platform.
● Customers have several options to configure how messages are exchanged within an integration scenario
so that the involved data is protected at the highest level.
In particular, when designing integration flows, customers can choose between several options to protect
messages by establishing secure communication channels (transport-level security) and by configuring
digital encryption and digital signing of messages (message-level security).

This documentation summarizes the measures that are taken by SAP to fulfill these requirements.

Related Information

Technical Landscape
Security Aspects of Processes
Security Aspects of Data, Data Flow
Identity and Access Management
Data Storage Security
Data Protection and Privacy
Other Security-Related Information

3.1 Technical Landscape


The technical infrastructure comprises a set of technical components that can communicate with each other
and with remote components in a secure way based on certain protocols such as HTTPS or SFTP, for example.

Note

These instructions are relevant only when you use SAP Cloud Platform Integration in the Cloud Foundry
environment.

Components and Communication Paths

In technical terms, the integration platform is designed as a containerized and clustered integration platform in
the cloud. Messages processed by integration flows from different customers are handled on different parts of
the platform (referred to as tenants).

Tenants processing integration flows from different customers are strictly separated from each other in terms
of CPU, data storage and user access.

The following figure shows a bird's-eye view of the technical architecture.

These are the basic constituents of the virtual platform:

● A multi tenant-capable application comprises a set of microservices (not depicted in the figure) that
accomplish tasks related to the management of a tenant and the preparation of monitoring data. It takes
requests from the dialog users (for example, when an integration developer deploys an integration flow
using the Web user interface).
These microservices run on an application that can be shared across multiple customer tenants.
● A worker (runtime container) processes messages that are exchanged with external systems. Therefore,
the worker is connected to the external systems. In other words, workers process customer data that
might be confidential and has to be protected.
Workers are operated within customer-specific tenants. These tenants are strictly separated from each
other.

As a consequence of this cluster design, the following main communication paths are active during the
operation of an integration scenario:

● Communication of tenant cluster and remote components


You can use both cloud systems and on-premise systems (such as on-premise SAP systems) as remote
components.
Remote receiver systems are directly connected to a worker through a protocol, which depends on the
type of the designed receiver adapter.
For inbound communication from a sender targeting Cloud Integration, a load balancer is interconnected
between remote sender systems and the involved SAP Cloud Platform components. The load balancer
terminates incoming Transport Layer Security (TLS) requests and establishes new ones.

Various secure technical protocols can be used for these communication paths. Depending on the adapter
type, the following protocols are available:

● Hyper Text Transfer Protocol (HTTP) over Transport Layer Security (TLS), which is referred to as HTTPS
● SSH File Transfer Protocol (SFTP) for the exchange of data with an SFTP server
● Simple Mail Transfer Protocol (SMTP), Post Office Protocol (POP)3, and Internet Message Access Protocol
(IMAP) for the exchange of data with mail servers

User Access

In addition to the above mentioned components that interact with each other when messages are being
processed and exchanged between the involved systems, additional components come into play when a dialog
user accesses the infrastructure (for example, when an administrator accesses monitoring data or when an
integration developer deploys an integration artifact).

People with different roles can access the infrastructure – both on the side of the infrastructure provider and
on the customer side. Human access points (for dialog users) are:

● Dedicated experts at the side of the infrastructure provider access the infrastructure to provide a tenant
for the customer.
● Experts on the customer side access the infrastructure to design and deploy integration content and to
monitor an integration scenario at runtime (integration developers and tenant administrators).

3.2 Security Aspects of Processes

Processes that are related to the provisioning, update, and usage of the cloud-based integration platform meet
the highest security standards.

Cloud Integration is compliant with various SAP-internal technical policies, procedures, directives, guidelines,
and product standards.

For example, SAP software is developed in compliance with the SAP Secure Development Lifecycle
(SDLC), which helps to implement measures such as test-driven development and threat modeling.

SAP certifies that the development, maintenance, and operations of Cloud Integration comply with the
requirements of the following standards:

● SAP Cloud Platform ISO/IEC 27001:2013


● SAP Cloud Platform: ISO/IEC 27018:2019
● SAP Cloud Platform: ISO/IEC 27017:2015
● SAP Cloud Platform C5 Audit Report 2018 H2
● SAP Cloud Platform TISAX
● SAP Cloud Platform SOC 1 (ISAE3402) Audit Report 2019 H1
● SAP Cloud Platform SOC 2 Audit Report 2019 H1
● SAP Cloud Platform: ISO/IEC 22301:2012
● SAP Development: ISO 9001:2015 certificate

More information: SAP Trust Center

3.3 Security Aspects of Data, Data Flow

All data in transit, either exchanged with remote components or internal, can be protected by methods such as
encryption.

Note

These instructions are relevant only when you use SAP Cloud Platform Integration in the Cloud Foundry
environment.

During a scenario, the connected remote systems exchange data with each other based on the configured
transport protocol. These protocols support different options to protect the exchanged data against
unauthorized access. In addition to security at the transport level, the content of the exchanged messages can
also be protected by means of digital encryption and signature.

Transport-Level Security

Each adapter allows you to set up a specific security level based on the underlying transport protocol.

Transport-Level Security Options

Transport Protocol: SFTP (Secure Shell File Transfer Protocol)

Transport-Level Security:

This protocol is supported by the SFTP sender and receiver adapter.

Secure Shell (SSH) is used to securely transfer files in an open network.

SSH uses a symmetric key length with at least 128 bits to protect FTP communication.
The default length of asymmetric keys provided by SAP is 2048 bits.

Supported authentication methods:

● User name/password authentication (where the SFTP server authenticates the calling component
based on the user name and password)
● Public key authentication (where the SFTP server authenticates the calling component based on a
public key)

Secure data transfer with SFTP is based on a combination of symmetric and asymmetric
keys. Symmetric (session) keys are used to encrypt and decrypt data within a session.
Asymmetric key pairs are used to encrypt and decrypt the session keys.

When asymmetric key pairs are used, SFTP also ensures that only authorized public keys
are used by the involved participants.

Supported versions:

● SSH version 2 (as specified at http://tools.ietf.org/html/rfc4251)
● SSH File Transfer Protocol (SFTP) version 3 or higher

Transport Protocol: HTTP(S) (Hypertext Transfer Protocol Secure)

Transport-Level Security:

This protocol is supported by all adapters that allow communication over HTTPS (for example,
the IDoc adapter, the SOAP adapters, and the HTTP adapter).

You can protect communication using Transport Layer Security (TLS). In this case, a
symmetric key length of at least 128 bits is used (which is technically enforced). The default
length of asymmetric keys provided by SAP is 2048 bits.

Note
SAP Cloud Platform Integration supports TLS 1.1 and 1.2 for inbound and outbound
communication for all HTTP(S)-based channels.

Note
The HTTP receiver adapter also allows you to use HTTP URLs. However, we do not
recommend using this option when transferring confidential data (including the
password for basic authentication).

Also, if the network is not entirely trusted, there is no way to verify whether the result
of an HTTP request originates from a trustworthy source. Therefore, we do not recommend
using this option for productive scenarios over the Internet.

Receiver adapters also support principal propagation via SAP Cloud Platform Connector.

Various authentication options (basic authentication using user credentials, client certificates,
or OAuth) are supported depending on the selected sender or receiver adapter.

Caution
Note that we do not recommend using basic authentication in productive scenarios
because of the following security aspects:

Basic authentication has the risk that authentication credentials, for example, passwords,
are sent in clear text. Using TLS (transport-layer security, also referred to as
Secure Sockets Layer) as transport-level encryption method (when using HTTPS as
protocol) makes sure that this information is nevertheless encrypted on the transport
path. However, the authentication credentials might become visible to SAP-internal
administrators at points in the network where the TLS connection is terminated,
for example, load balancers. If logging is not done properly at such devices,
the authentication credentials might become part of log files. Also, network monitoring
tools used at such devices might expose the authentication information to administrators.
Furthermore, the person to whom the authentication credentials belong (in the example
above, the password owner) needs to maintain the password in a secure place.

Transport Protocol: SMTP (Simple Mail Transfer Protocol), POP3 (Post Office Protocol),
IMAP (Internet Message Access Protocol)

Transport-Level Security:

These protocols are supported for the exchange of e-mails (in combination with the Mail
adapter).

Transport encryption is supported via the STARTTLS extended operation.

To authenticate against the e-mail server, you can send user name and password in plain
text or encrypted (the latter only in case the e-mail server supports this option).

Note
The (optional) password-based authentication only applies to communication between
the Cloud Integration system and the mail server. Communication between
mail servers is usually not authenticated. Therefore, you must not assume that data
received by mail comes from a trustworthy source, unless other security measures
(such as digital signatures at message level) are applied.
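
The caution on basic authentication above points out that credentials can end up in log files at devices where TLS is terminated. The following added example (not SAP code) shows a check for that case: it scans log lines for HTTP Basic Authorization headers, reports the affected line and user name, and redacts the credential. The log format, host names, and sample credentials are constructed for illustration.

```python
import base64
import binascii
import re

# An HTTP Basic Authorization header as it appears in a header dump or access log.
BASIC_RE = re.compile(r"(Authorization:\s*Basic\s+)([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_basic(value):
    """Return (user, password) for a Basic credential, or None if it is malformed."""
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def scrub(lines):
    """Redact Basic credentials; report (line number, user name) for each finding."""
    findings, clean = [], []
    for number, line in enumerate(lines, start=1):
        def redact(match):
            creds = decode_basic(match.group(2))
            # Only the user name is reported; the password never leaves this function.
            findings.append((number, creds[0] if creds else "<undecodable>"))
            return match.group(1) + "[REDACTED]"
        clean.append(BASIC_RE.sub(redact, line))
    return clean, findings


# Constructed sample lines, as a TLS-terminating device with verbose header
# logging might write them. Base64 is an encoding, not encryption: anyone who
# can read the log can recover the password.
SAMPLE_B64 = base64.b64encode(b"sample-user:sample-password").decode()
SAMPLE_LOG = [
    "2020-07-01T10:00:00Z lb01 GET /http/FirstFlow 200",
    f"2020-07-01T10:00:00Z lb01 req-headers: Host: example.invalid; Authorization: Basic {SAMPLE_B64}",
    "2020-07-01T10:00:01Z lb01 POST /http/FirstFlow 200",
    "2020-07-01T10:00:02Z lb01 req-headers: Authorization: Basic abc",
]

if __name__ == "__main__":
    cleaned, found = scrub(SAMPLE_LOG)
    for entry in found:
        print("credential logged on line %d for user %s" % entry)
    print("\n".join(cleaned))
```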

Message-Level Security

On top of the transport-level security options, you can also secure the communication at message level, where
the content of the exchanged messages can also be protected by means of digital encryption and signatures.
Various security standards are available to do this, as summarized in the table below.

To configure message-level security options, you use dedicated integration flow steps (for example, the
Encryptor and Signer step types).

The following standards and algorithms are supported:

Message-Level Security Standards and Algorithms

Standard: PKCS#7/CMS Enveloped Data and Signed Data
Security Feature:
● Encryption/decryption of message content
● Signing/verification of payload

Standard: PKCS#7/CMS Enveloped and Signed Data
Security Feature:
● Encryption/decryption and signing/verification of payload

Standard: Open Pretty Good Privacy (PGP)
Security Feature:
● Encryption/decryption of message content
● Encryption/decryption and signing/verification of message

Standard: XML Signature
Security Feature:
● Signing/verification of payload

Standard: WS-Security
Security Feature:
● Signing/verification of SOAP body

3.4 Identity and Access Management

Identity and access management features of SAP Cloud Platform are used during the lifecycle of an integration
scenario.

Note

These instructions are relevant only when you use SAP Cloud Platform Integration in the Cloud Foundry
environment.

Access Management

Dialog users who access the platform are authenticated against an identity provider. SAP Identity Service (ID
Service) is used by default. SAP ID Service is the central service for the process of managing identities and
their lifecycles.

User Management and Authorizations

Access to dedicated functions of the platform is controlled and protected by authorization checks. A number of
authorization groups are available to manage the authorizations of dialog users. An authorization group is
based on a persona and defines a set of dedicated permissions relating to the tasks that come into play during
the lifecycle of an integration project.

Note

Example:

If the logged-in user has to perform tasks such as designing and deploying integration flows, the user must
be assigned the authorization group AuthGroup.IntegrationDeveloper.

Authorization for the Integration Developer

The tasks of persons with integration developer permissions (short: integration developers) constitute a key
part of the SAP Cloud Platform Integration lifecycle. Permissions for the integration developer (who is in charge
of modeling integration flows) are contained in the authorization group
AuthGroup.IntegrationDeveloper.

Note that the roles contained in this authorization group give an integration developer full control over message
processing during runtime.

During integration flow modeling, the integration developer defines how messages are mapped, which
credentials are used, and to which recipients messages are sent. The set of roles provides very powerful
permissions and in some cases allows the integration developer to access sensitive data.

Note

The integration developer can control which credentials are to be used in connections with basic
authentication by deploying the associated User Credentials artifacts on the tenant. These artifacts contain
user names and passwords. Note, however, that a password specified in a User Credentials artifact is never
displayed. Furthermore, passwords cannot be downloaded (by either using the user interface or the
application programming interface). The integration developer, although having full control over the
integration flow, does not have access to credentials of another tenant of the same customer.

Therefore, apply the following measures when designing integration flows for security-sensitive areas:

● Don't give the integration developer access to productive systems.


● Consider applying a four-eyes principle and implement a review process before deploying integration flows
to production.
● An integration developer has the option to develop integration flows on a separate development or test
tenant. These integration flows can then be transported to the productive tenant by another person.
● Don’t share the same secret credentials between tenants with different security levels (for example,
between test tenant and productive tenant).
● If you suspect a security violation, check the audit log to find out which user deployed the integration flow
in question.
● If read-only access is required to analyze issues in the productive system, use the authorization group
AuthGroup.ReadOnly.

Tip

Instead of using the predefined authorization groups, you can tailor the permissions to your own
requirements by applying elementary roles that are defined for individual tasks.

More information:

Authentication and Authorization Options for Inbound Calls

When a sender system calls the integration platform using HTTPS-based (inbound) requests, there are
different ways for the calling sender to authenticate itself against the integration platform. The options are
basic authentication, OAuth, and SAML.

Note

● Authentication
Verifies the identity of the calling entity.
● Authorization
Checks what a user or other entity is authorized to do (for example, as defined by roles assigned to it).
In other words, the authorization check evaluates the access rights of a user or other entity.

Related Information

Persona

3.4.1 Persona

When you perform user management tasks using SAP Cloud Platform Cockpit, you find a set of predefined
roles that you can assign to users of the account. According to the main tasks associated with integration
projects, these roles are associated with certain personas relevant for an integration project.

Personas cover the different tasks associated with an integration project.

Note

In the different environments, these personas are mapped to different objects.

● In the Neo environment, a persona is realized by an authorization group (beginning with the string
AuthGroup).
● In the Cloud Foundry environment, a persona is realized by a role collection.

Authorization Groups

Persona: Business expert
Authorization Group (Neo): AuthGroup.BusinessExpert
Role Collection (Cloud Foundry): PI_Business_Expert
Description:
Enables a business expert to perform business tasks like, for example, examining the payload.

This includes tasks like:

● Monitoring integration flows and the status of integration artifacts
● Reading the message payload and attachments

Persona: Administrator
Authorization Group (Neo): AuthGroup.Administrator
Role Collection (Cloud Foundry): PI_Administrator
Description:
Enables the administrator of the tenant cluster (also referred to as the tenant administrator) to
connect to a cluster and to perform administrative tasks on the cluster.

This includes tasks like:

● Monitoring integration flows and the status of integration artifacts
● Deploying security content
● Deploying integration content (such as integration flows, for example)
● Deleting messages from transient data store

Persona: Integration developer
Authorization Group (Neo): AuthGroup.IntegrationDeveloper
Role Collection (Cloud Foundry): PI_Integration_Developer
Description:
Enables an integration developer to connect to a cluster using Integration Designer and to display,
download and deploy artifacts (for example, integration flows).

This authorization group is required for accessing web tooling of Cloud Integration.

This includes tasks like:

● Monitoring integration flows and the status of integration artifacts
● Deploying integration content (such as integration flows, for example)

Persona: Read only persona
Authorization Group (Neo): AuthGroup.ReadOnly
Role Collection (Cloud Foundry): PI_Read_Only
Description:
Enables you to connect to a tenant and to monitor messages.

This authorization group enables you to access (read-only) the Data Store viewer.

Persona: System developer
Authorization Group (Neo): AuthGroup.SystemDeveloper
Role Collection (Cloud Foundry): n.a.
Description:
Enables a system developer to perform tasks required for system support.

This includes tasks like:

● Monitoring integration flows and the status of integration artifacts
● Restarting subsystems of the tenant cluster
● Software development tasks on VMs of the tenant cluster

This authorization group enables you to access (read-only) the Data Store viewer.

 Note
System developer tasks
are typically required in
the support case by SAP
experts who are sup­
posed to perform tasks
like debugging (for ex­
ample) on the tenant
cluster.

Partner Directory administra­ AuthGroup.TenantPartnerDir­ n.a. Enables the Partner Direc­


tor ectoryConfigurator tory sdministrator to read
and write Partner Directory
content.

Note

In order to enable a sender system to process messages on a tenant using HTTPS/basic authentication,
you need to assign to the associated user the role ESBmessaging.send. This role needs to be assigned to
each (technical) user that is supposed to connect to Cloud Integration.

3.4.1.1 Tasks and Permissions

The following table provides an overview of which roles are required in order to accomplish the various tasks
related to SAP Cloud Platform Integration. It also indicates how far the tasks and roles are relevant for the
main personas defined for Cloud Integration.

In the different environments, these personas are mapped to different objects.

● In the Neo environment, a persona is realized by an authorization group (beginning with the string
AuthGroup).
● In the Cloud Foundry environment, a persona is realized by a role collection.

The mapping of the persona to the authorization groups (Neo) or role collections (Cloud Foundry) is described
under .

In the different environments, the permissions to execute certain tasks are given by different objects.

● In the Neo environment, a permission to execute a task is given by a role.
● In the Cloud Foundry environment, a permission to execute a task is given by a role template.

Tasks and Permissions

| Area | Task | Role (Neo) | Role Template (Cloud Foundry) | Persona |
|---|---|---|---|---|
| Discover | View packages | WebToolingCatalog.OverviewRead | CatalogPackagesRead | Integration Developer, Business Expert, Supporter/System Developer, Tenant Administrator |
| Discover | View package artifacts | WebToolingCatalog.OverviewRead, WebToolingCatalog.DetailsRead | CatalogPackageArtifactsRead | Integration Developer, Business Expert, Supporter/System Developer, Tenant Administrator |
| Discover | Copy package to workspace | WebToolingCatalog.OverviewRead, WebToolingWorkspace.Write | CatalogPackagesCopy | Integration Developer |
| Design | View packages and package artifacts | WebToolingWorkspace.Read | WorkspacePackagesRead | Integration Developer, Business Expert, Supporter/System Developer, Tenant Administrator |
| Design | Create, edit, import, export, delete package with its artifacts | WebToolingWorkspace.Read, WebToolingWorkspace.Write | WorkspacePackagesEdit | Integration Developer |
| Design | Update package | WebToolingWorkspace.Read, WebToolingWorkspace.Write | WorkspacePackagesEdit | Integration Developer |
| Design | Configure artifacts (integration flows and value mappings) | WebToolingWorkspace.Read, WebTooling.IntegrationFlowConfigure | WorkspacePackagesConfigure | Integration Developer |
| Design | Deploy/undeploy artifacts | WebToolingWorkspace.Read, NodeManager.read, GenerationAndBuild.generationandbuildcontent, NodeManager.deploycontent | WorkspaceArtifactsDeploy | Integration Developer, Tenant Administrator |
| Design | Export Package for transport | WebToolingWorkspace.Read, TransportModule.read, TransportModule.write (Note: The role IntegrationContent.Transport is deprecated.) | WorkspacePackagesTransport | n.a. |
| Design | Import package from transport | WebToolingWorkspace.Read, TransportModule.read, TransportModule.write (Note: The role IntegrationContent.Transport is deprecated.) | WorkspacePackagesTransport | n.a. |
| Design | Update Package from transport | WebToolingWorkspace.Read, TransportModule.read, TransportModule.write (Note: The role IntegrationContent.Transport is deprecated.) | WorkspacePackagesTransport | n.a. |
| Monitor | View Monitor Overview | IntegrationOperationServer.read, NodeManager.read | MonitoringDataRead | Integration Developer, Business Expert, Supporter/System Developer, Tenant Administrator |
| Monitor | View message processing logs | IntegrationOperationServer.read | MonitoringDataRead | Integration Developer, Business Expert, Supporter/System Developer, Tenant Administrator |
| Monitor | View payload of stored messages from message storage (also trace and message processing log attachments) | esbmessagestorage.read | | Business Expert |
| Monitor | View tasks | IntegrationOperationServer.read, NodeManager.read | MonitoringDataRead | Integration Developer, Business Expert, Supporter/System Developer, Tenant Administrator |
| Monitor | View tail log | IntegrationOperationServer.read, NodeManager.read | MonitoringDataRead | Integration Developer, Business Expert, Supporter/System Developer, Tenant Administrator |
| Monitor | View deployed artifact list | IntegrationOperationServer.read, NodeManager.read | MonitoringDataRead | Integration Developer, Business Expert, Supporter/System Developer, Tenant Administrator |
| Monitor | View deployed integration flow in graphical editor | IntegrationOperationServer.read, NodeManager.read | MonitoringDataRead | Integration Developer, Business Expert, Supporter/System Developer, Tenant Administrator |
| Monitor | Download deployed integration flow | IntegrationOperationServer.read, NodeManager.read | MonitoringDataRead | Integration Developer, Business Expert, Supporter/System Developer, Tenant Administrator |
| Monitor | View deployed security material | IntegrationOperationServer.read, NodeManager.read | MonitoringDataRead | Integration Developer, Business Expert, Supporter/System Developer, Tenant Administrator |
| Monitor | Add credentials | IntegrationOperationServer.read, NodeManager.deploycredentials, NodeManager.deploycontent | CredentialsEdit | Integration Developer, Tenant Administrator |
| Monitor | Add known host, keystore, PGP keyring artifacts | IntegrationOperationServer.read, NodeManager.deploysecuritycontent, NodeManager.deploycontent | SecurityMaterialEdit | Tenant Administrator |
| Monitor | Edit credentials | IntegrationOperationServer.read, NodeManager.deploycredentials, NodeManager.readcredentials, NodeManager.deploycontent | CredentialsEdit | Integration Developer, Tenant Administrator |
| Monitor | Undeploy credentials | IntegrationOperationServer.read, NodeManager.deploycontent, NodeManager.deploycredentials | CredentialsEdit | Tenant Administrator |
| Monitor | Undeploy known host, keystore, PGP keyring artifacts | IntegrationOperationServer.read, NodeManager.deploycontent, NodeManager.deploysecuritycontent | SecurityMaterialEdit | Tenant Administrator |
| Monitor | Download keystore, public/private keyring, known host, .. artifact | IntegrationOperationServer.read, NodeManager.read, NodeManager.readsecuritycontent | SecurityMaterialDownload | Tenant Administrator |
| Monitor | View certificate-to-user mappings | IntegrationOperationServer.read, NodeManager.read | MonitoringDataRead | Integration Developer, Business Expert, Supporter/System Developer, Tenant Administrator |
| Monitor | Create/edit/delete certificate-to-user mappings | IntegrationOperationServer.read, NodeManager.deploysecuritycontent, NodeManager.read | SecurityMaterialEdit | Tenant Administrator |
| Monitor | View keystore entries | IntegrationOperationServer.read, NodeManager.read | MonitoringDataRead | Integration Developer, Business Expert, Supporter/System Developer, Tenant Administrator |
| Monitor | Download public keystore entries | IntegrationOperationServer.read, NodeManager.read | MonitoringDataRead | Integration Developer, Business Expert, Supporter/System Developer, Tenant Administrator |
| Monitor | Add/replace/delete keystore entries | IntegrationOperationServer.read, NodeManager.deploysecuritycontent | | Tenant Administrator |
| Monitor | View access policies | IntegrationOperationServer.read, AccessPolicies.Read | | Integration Developer, Supporter/System Developer, Tenant Administrator |
| Monitor | Maintain access policies | IntegrationOperationServer.read, AccessPolicies.Write | | Tenant Administrator |
| Monitor | View data store entries/variables | IntegrationOperationServer.read, ESBDataStore.read | DataStorePayloadsRead | Integration Developer, Business Expert, Supporter/System Developer, Tenant Administrator |
| Monitor | View data store entries - message payload/variables-content | IntegrationOperationServer.read, ESBDataStore.readPayload | DataStorePayloadsRead | Business Expert |
| Monitor | Delete data store entries/variables | IntegrationOperationServer.read, ESBDataStore.read, ESBDataStore.delete | DataStoresAndQueuesDelete | Tenant Administrator |
| Monitor | View payload of stored messages from message store | esbmessagestorage.read | MessagePayloadsRead | Business Expert |
| Monitor | View trace configuration | IntegrationOperationServer.read, NodeManager.read, ConfigurationService.RuntimeBusinessParameterRead | TraceConfigurationRead | Integration Developer, Business Expert, Supporter/System Developer, Tenant Administrator |
| Monitor | Edit trace configuration (enable/disable trace) | IntegrationOperationServer.read, NodeManager.read, ConfigurationService.RuntimeBusinessParameterRead, ConfigurationService.RuntimeBusinessParameterWrite | TraceConfigurationEdit | Integration Developer, Business Expert, Tenant Administrator |
| Monitor | Add/Edit/undeploy number ranges | IntegrationOperationServer.read, NodeManager.deploycontent | MonitoringArtifactsDeploy | Integration Developer, Tenant Administrator |
| Monitor | View number ranges | IntegrationOperationServer.read | MonitoringDataRead | Integration Developer, Business Expert, Supporter/System Developer, Tenant Administrator |
| Monitor | Retry queues | IntegrationOperationServer.read, ESBDataStore.read, ESBDataStore.retry | QueuesRetry | Integration Developer, Tenant Administrator |
| Monitor | Delete queues | IntegrationOperationServer.read, ESBDataStore.read, ESBDataStore.delete | DataStoresAndQueuesDelete | Tenant Administrator |
| Monitor | View queues | IntegrationOperationServer.read, ESBDataStore.read | DataStoresAndQueuesRead | Integration Developer, Business Expert, Supporter/System Developer, Tenant Administrator |
| Monitor | View runtime processing locks | IntegrationOperationServer.read, MessageProcessingLocks.Read | MessageProcessingLocksRead | Integration Developer, Supporter/System Developer, Tenant Administrator |
| Monitor | Delete runtime processing locks | IntegrationOperationServer.read, MessageProcessingLocks.Delete | MessageProcessingLocksDelete | Tenant Administrator |
| Monitor | Test connectivity | IntegrationOperationServer.read, NodeManager.deploycredentials | MonitoringDataRead (only for tests without authentication), CredentialsEdit | Integration Developer, Tenant Administrator |
| Monitor | Change log level | IntegrationOperationServer.read, ConfigurationService.RuntimeBusinessParameterWrite, NodeManager.read | | Integration Developer, Business Expert, Tenant Administrator |
| Monitor | View audit log entries | IntegrationOperationServer.read, AuditLog.Read | AuditLogRead | Tenant Administrator |
| Settings | View/change product profile | WebToolingSettingsProductProfiles.savetenantconfiguration | | Tenant Administrator |
| Settings | Set transport system | WebToolingSettingsProductProfiles.savetenantconfiguration | | Tenant Administrator |
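The Tasks and Permissions table can be turned into a least-privilege check for Cloud Foundry role assignments. The following is an added example, not SAP code: it transcribes a subset of the table's rows and reports role templates and tasks that go beyond a user's intended persona. The user names, the sample assignments, the separate reporting of payload-reading templates, and the reading that holding a row's role template is enough to perform that row's task are assumptions of this example.

```python
# Added example: least-privilege check against the Tasks and Permissions table.
ID = "Integration Developer"
BE = "Business Expert"
SD = "Supporter/System Developer"
TA = "Tenant Administrator"
EVERYONE = {ID, BE, SD, TA}

# (task, Cloud Foundry role template, personas), transcribed from a subset of
# the table's rows. Extend with the remaining rows for a full audit.
ROWS = [
    ("View packages", "CatalogPackagesRead", EVERYONE),
    ("Create, edit, import, export, delete package with its artifacts",
     "WorkspacePackagesEdit", {ID}),
    ("Deploy/undeploy artifacts", "WorkspaceArtifactsDeploy", {ID, TA}),
    ("View message processing logs", "MonitoringDataRead", EVERYONE),
    ("Add credentials", "CredentialsEdit", {ID, TA}),
    ("Undeploy credentials", "CredentialsEdit", {TA}),
    ("Add known host, keystore, PGP keyring artifacts",
     "SecurityMaterialEdit", {TA}),
    ("Download keystore, public/private keyring, known host, .. artifact",
     "SecurityMaterialDownload", {TA}),
    ("View data store entries/variables", "DataStorePayloadsRead", EVERYONE),
    ("View data store entries - message payload/variables-content",
     "DataStorePayloadsRead", {BE}),
    ("View payload of stored messages from message store",
     "MessagePayloadsRead", {BE}),
    ("Delete data store entries/variables", "DataStoresAndQueuesDelete", {TA}),
    ("View audit log entries", "AuditLogRead", {TA}),
]

# Assumption of this example: templates that expose message payloads are
# reported separately, because payloads may carry sensitive personal data.
PAYLOAD_TEMPLATES = {"MessagePayloadsRead", "DataStorePayloadsRead"}


def templates_for(persona):
    """Role templates the table lists for at least one task of this persona."""
    return {tpl for _, tpl, personas in ROWS if persona in personas}


def audit(persona, assigned):
    """Compare a user's assigned role templates with the intended persona."""
    assigned = set(assigned)
    known = {tpl for _, tpl, _ in ROWS}
    return {
        # Names that match no transcribed row (typos, or rows not yet added).
        "unknown_templates": sorted(assigned - known),
        # Templates the table never lists for this persona.
        "excess_templates": sorted((assigned & known) - templates_for(persona)),
        # Tasks whose template is held although the row does not list the
        # persona. A template shared by several rows can unlock such tasks
        # even when the template itself is expected for the persona.
        "tasks_beyond_persona": sorted(
            task for task, tpl, personas in ROWS
            if tpl in assigned and persona not in personas),
        "payload_access": sorted(assigned & PAYLOAD_TEMPLATES),
    }


# Constructed sample assignments (user names and template sets are made up).
USERS = {
    "alice": (ID, ["WorkspacePackagesEdit", "WorkspaceArtifactsDeploy",
                   "MonitoringDataRead", "CredentialsEdit",
                   "MessagePayloadsRead"]),
    "bob": (BE, ["MonitoringDataRead", "MessagePayloadsRead",
                 "DataStorePayloadsRead"]),
    # The last entry is a deliberately misspelled template name.
    "carol": (TA, ["SecurityMaterialDownload", "AuditLogRead",
                   "SecurityMaterialEdti"]),
}

if __name__ == "__main__":
    for name, (persona, templates) in USERS.items():
        print(name, persona, audit(persona, templates))
```

For the constructed user alice, CredentialsEdit is expected for an Integration Developer, yet the same template also covers "Undeploy credentials", which the table lists for the Tenant Administrator only.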

3.5 Data Storage Security

Customer data can be stored in dedicated steps during message processing.

Note

These instructions are relevant only when you use SAP Cloud Platform Integration in the Cloud Foundry
environment.

Customer data stored at rest is strictly separated and isolated for each tenant. Although different tenants
might share a common physical infrastructure, each tenant stores its data in a separate schema.

For certain use cases, the customer can configure whether the data at rest is encrypted.

Message content can be stored encrypted. If this security measure is configured, the encryption key that is
generated automatically is unique for each tenant and is renewed periodically.

Data storage encryption uses AES and a key length of 256 bits. The encryption key is not stored in the same
location as the encrypted data.

Kinds of Stored Data

The following kinds of data can be stored during the execution of an integration scenario:

● Message content
The runtime node writes message content data to the database in dedicated steps of an integration flow.
There is the option to either store message content for a longer time period (the default is 30 days) or
temporarily. Temporarily stored message content can be used for subsequent message processing steps.
Such steps can then also read message content from the database.
There is the option to configure the retention period of the message content.
● Monitoring data
During message processing, the runtime node also writes monitoring data to the database (which is stored
by default for 30 days). Monitoring data comprises the message processing log (MPL), which records the
executed processing steps.

3.6 Data Protection and Privacy

Various types of customer data are processed by and stored on the integration platform at different times. This
data gets the highest level of protection, and SAP takes dedicated measures to guarantee this security level.

Note

These instructions are relevant only when you use SAP Cloud Platform Integration in the Cloud Foundry
environment.

General Information

Governments place legal requirements on industry to protect data and privacy. We provide features and
functions to help you meet these requirements.

Caution

SAP does not provide legal advice in any form. SAP software supports data protection compliance by
providing security features and data protection-relevant functions, such as blocking and deletion of
personal data. In many cases, compliance with applicable data protection and privacy laws is not covered
by a product feature. Furthermore, this information should not be taken as advice or a recommendation
regarding additional features that would be required in specific IT environments. Decisions related to data
protection must be made on a case-by-case basis, taking into consideration the given system landscape
and the applicable legal requirements. Definitions and other terms used in this documentation are not
taken from a specific legal source.

Caution

We assume that you have not maintained any data related to an individual in the tools provided by SAP
Cloud Platform Integration (for example, when using the Web UI to design integration content).

We expect that sensitive personal data can only be included in message payloads. This responsibility lies
exclusively with you as the operator of an integration scenario using SAP Cloud Platform Integration and
remains your responsibility. If you include sensitive personal data within payloads or message attachments,
SAP Cloud Platform Integration may store this information on your behalf. This also applies to data
maintained in the tools provided by SAP Cloud Platform Integration. However, data within payloads can be
protected by enabling encrypted storage.

The knowledge of sensitive personal data lies exclusively with you and remains your responsibility.

The tools of SAP Cloud Platform Integration only use technical users or data without any references to
individuals.

User Consent

We assume that software operators, such as SAP customers, collect and store the consent of data subjects,
before collecting their personal data. A data privacy specialist can later determine whether data subjects have
granted, withdrawn, or denied consent.

Information Report

An information report is a collection of data relating to a data subject. A data privacy specialist may be required
to provide such a report or an application may offer a self-service. SAP Cloud Platform Integration assumes
that software operators, such as SAP customers, can provide such information.

Erasure of Personal Data

When handling personal data, consider the legislation in the different countries where your organization
operates. After the data has passed the end of purpose, regulations may require you to delete the data.
However, additional regulations may require you to keep the data longer. During this period you must block
access to the data by unauthorized persons until the end of the retention period, when the data is finally
deleted.

Data stored on the SAP Cloud Platform Integration platform is only stored for a limited time period (referred to
as retention time).

For more information on the retention times for the various kinds of data stored by SAP Cloud Platform
Integration, see Specific Data Assets.

3.6.1 Types of Stored Data

Different kinds of data, such as message content or monitoring data, can be stored during the operation of an
integration scenario.

Note

These instructions are relevant only when you use SAP Cloud Platform Integration in the Cloud Foundry
environment.

Such data needs to be considered as sensitive data as it can contain personal information. The following list
provides examples:

● Message content
Messages processed on a runtime node typically contain business data of an integration scenario and
therefore can contain sensitive customer data such as addresses, names, or financial information.
When this data is at-rest, it can be stored encrypted. Note, however, that in some use cases the customer
can configure that the data is not encrypted.
When this data is in-transit, several measures can be taken, such as digital message signing or message
content encryption.
● Monitoring data
The message processing log records the processing steps of an integration flow. Only users assigned to
this tenant and with dedicated permissions can access this data.
● Other data, such as the content of log files

Note

Personal data processed by and stored on the integration platform is handled according to the Data
Processing Agreement, which you can find at http://www.sap.com/about/agreements.html under SAP
Cloud Services Customers.

Due to the tenant isolation concept, data from different customers (stored in different tenants) is strictly
isolated. Additionally, SAP has no access to data stored in customer tenants.

The customer can grant people outside its organization permissions to execute specific tasks on its cluster (for
example, to SAP employees to execute error analysis tasks in support cases).

For more information, see the document SAP Cloud Platform Security: Trust Matters under Data
Governance and Legal Compliance.

3.6.2 Specific Data Assets

Different kinds of data are stored in the SAP Cloud Platform Integration infrastructure during the lifecycle of an
integration project.

Note

These instructions are relevant only when you use SAP Cloud Platform Integration in the Cloud Foundry
environment.

The following table lists the different kinds of data and their attributes, such as storage location and
retention time.

Data Assets

| Data | Description | Logical Storage | Classification | Retention Time |
|---|---|---|---|---|
| Message processing log | Structured information on the processing of a message | | Log data | 30 days |
| Message processing log attachments | Data attached to a message processing log during runtime | Message store | Log data, Business data | 30 days |
| Integration flow tracing data | Information on the message flow (including the message payload) and on errors that occurred during message processing | Trace store | Log data, Business data | 60 minutes |
| Integration content (design time) | Integration flow models and value mappings created or edited by an integration developer | Workspace | Configuration data | Unlimited |
| Integration content (runtime) | Camel XML representation of integration flows and other design time entities (as deployed on a runtime node) | | Configuration data | Unlimited |
| Data stored by Data Store operations step | Message content stored in dedicated steps in an integration flow (contains information such as message GUID, message processing log GUID, tenant ID, time stamp, and payload). Is used for further message processing in subsequent steps in an integration flow. | Data store | Business data | Can be defined by integration developer (default value: 90 days) |
| Data stored by Persist step | Message content stored in dedicated steps in an integration flow (contains information such as message GUID, message processing log GUID, tenant ID, time stamp, and payload). Can be accessed and analyzed after message processing. | Message store | Business data | 90 days |
| Lock entries | Lock entries that are created (in the in-progress repository) to avoid the same message being processed several times in parallel (for example, by different runtime nodes) | | | |

3.7 Other Security-Related Information

Note

These instructions are relevant only when you use SAP Cloud Platform Integration in the Cloud Foundry
environment.

User Interface Security

Cloud Integration provides user interfaces for designing and deploying message flows, and monitoring them at
runtime.

A Web tool (Web UI) is available to accomplish these tasks. The Web UI is implemented using JavaScript and
HTML (UI5).

This user interface is built to prevent vulnerabilities such as cross-site scripting (XSS) and cross-site request
forgery (XSRF). The built-in security capabilities of these technologies are used together with secure design
and coding principles.

Note

You cannot use application programming interfaces (APIs) in the Cloud Foundry environment to access
certain functions of Cloud Integration.
