Configure Principal Propagation from Cloud Foundry to Neo

0 %

Configure Principal Propagation from Cloud Foundry to Neo

Details

// Explore More Tutorials

Configure Principal Propagation from Cloud Foundry to Neo

Philipp Stehle

10/06/2018

Intermediate

45 min.

Set up principal propagation in SAP Cloud Platform so that you can deploy a Cloud Foundry application that consumes data from a Neo application.

You will learn

How to set up principal propagation in SAP Cloud Platform
How to establish trust from the Neo environment to the Cloud Foundry environment

In this tutorial you will set up a connection between SAP Cloud Platform Neo environment (Neo) and Cloud Foundry environment (CF).

A simple application in CF will consume data from an Neo application, and therefore propagate the user details from one environment to the other. This is called “Principal Propagation” and requires some additional steps establishing trust between the environments, to guarantee security.

Step 1: Adapt the ESPM Application

If you’re using Eclipse for the first time, you will see a Welcome Page. Close this page.
Open Eclipse and choose Window > Perspective > Open Perspective > Other…, select Git and click Open.
Click Clone a Git repository.
Insert https://github.com/SAP/cloud-espm-v2.git into the URI field and click Next.
Make sure only the master branch is selected and click Next.
Click Finish and wait until the clone has finished.
Right-click on cloud-espm-v2 > Import Projects….
Make sure Eclipse hast detected all projects and click Finish.
Open the Java EE Perspective and edit the web.xml file: Look for <auth-method>FORM</auth-method> and change it to <auth-method>OAUTH</auth-method>. Don’t forget to save your changes.

Done

Log on to answer question

Step 2: Create an approuter

View Full Instructions

Create a new directory called approuter somewhere on your machine.

Create a new file called package.json inside this directory with the following content:

{
  "name": "approuter",
  "version": "1.0.0",
  "description": "",
  "scripts": {
"start": "node node_modules/@sap/approuter/approuter.js",
"test": "echo \"Error: no test specified\" && exit 1"
  },
  "license": "ISC",
  "dependencies": {
"@sap/approuter": "^5.3.0"
  }
}

This tells Node (npm) to fetch and start the approuter.

Create a file called .npmrc with the following content:
```
@sap:registry=https://npm.sap.com/
```
This tells Node (npm) where to find the SAP dependencies (the approuter and its dependencies).

Note: On Windows, if you get the error message “You must type a file name”, call your file .npmrc.. Windows will then automatically remove the trailing dot.

Create a file called xs-app.json with the following content:

{
  "welcomeFile": "index.html",
  "routes": [ {
  "source": "/espm-cloud-web/espm.svc/",
  "target": "/espm-cloud-web/espm.svc/",
  "destination": "retailerBackend"
}, {
    "source": "/espm-cloud-web/images/",
    "localDir": "static/images/"
}, {
  "source": "/",
  "localDir": "static/retailer/"
}
  ]
}

This configures the routing inside the approuter.

Create a folder called static.
Move the src/main/webapp/retailer folder (from the espm project) to the newly created static folder.

Note: This folder contains the HTML, CSS and JavaScript of the Retailer application.
Copy the src/main/webapp/images folder to the newly created static folder.

Note: The images are needed by the Shop and the Retailer application.
Create a zip archive called approuter.zip containing all the file in the approuter folder. It’s important that the files are in the top level of the zip file!
You can use this commands in bash (Linux and macOS) to create the zip file:
```
for file in static/retailer static/images xs-app.json .npmrc package.json ; do
  if [[ ! -e $file ]] ; then echo -e "\e[33m[WARNING] $file does not exist\e[0m"; fi ;
done
zip -r approuter.zip .
```
or use PowerShell (Windows):
```
foreach ($file in @("static\retailer", "static\images","xs-app.json",".npmrc", "package.json")){
   if (-not (Test-Path $file)) { Write-Warning "$file does not exist" }
}
Compress-Archive -Force -Path .\* -DestinationPath approuter.zip
```
This will also check that all files exist and print a warning if one or more is missing.
Note: You need to change to the approuter directory using the cd command first (Linux, macOS and Windows).

Done

Log on to answer question

Step 3: Build the ESPM Application

Make a right-click on espm and select Export.
Select Web > WAR file and click Next.
Select a Destination on your machine and click Finish.

Done

Log on to answer question

Step 4: Configuration in the Neo environment

Open the Neo cockpit.
Navigate to SAP HANA / SAP ASE > Databases & Schemas and click New
Create a database named espm and select a password. Make sure you don’t lose it, we’ll need it soon.
Wait until you see the event with description Tenant DB creation finished successfully (created and configured) (this can take up to 15 minutes). Now navigate back to your subaccount.
Navigate to Applications > Java Applications and click Deploy Application
Select the espm-cloud-web.war you’ve exported in the first step, be sure to use the Tomcat 8 Runtime and click deploy. Note: Don’t change the name of the application.
Wait until the application is successfully deployed and click Done.
Open the details of the application by clicking its name.
Navigate to Configuration > Data Source Bindings and click New Binding.
Enter SYSTEM and the password you choose while creating the database as credentials and click Save.
Navigate to Security > Roles, make sure the Retailer role is selected and click Assign in the Individual Users section.
Enter your email-address (the one you use for your Cloud Foundry Account) and click Assign.
Navigate to Overview and click Start.
Wait until you can see Started and open the Application URL.

Step 5: Establish trust between CF and Neo

Open the CF environment in a new tab, navigate into your subaccount, go to Connectivity > Destinations and export the X509 certificate of the destination service by clicking the Download Trust button.
Go to Overview and find your subaccounts id and the landscape host. You will need it later. Notice: The landscape host does not include api.cf.!
Go to the Neo environment > Security > Trust > Application Identity Provider and click on Add Trusted Identity Provider.

Enter the following details and click Save.

Parameter	Value
Name	`cfapps.` + Landscape Host + `/` + subaccount ID e.g. `cfapps.eu10.hana.ondemand.com/77f532e6-71f7-44e9-9761-c0b24f6f38ca`
Signing Certificate	Open the certificate file downloaded earlier with your favorite editor and copy everything between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

Go to Security > OAuth > Clients and click Register new client.

Enter the following details and click Save.

Parameter	Value
Name	It doesn’t actually matter. Use e.g. `CFNEO-Demo`.
Subscription	`p0123456789trial/espmcloudweb` (while `p0123456789` is your own account id)
ID	leave unchanged and save it somewhere for later use
Confidential	checked
Secret	Generate a random password and save it somewhere for later use
Redirect URI	Unused in this scenario. Use e.g. `https://example.com`

Example:

Go back to the CF environment and click New Destination.

Property	Value
Name	`retailerBackend`
Type	`HTTP`
URL	URL of the Neo application/API you want to consume. e.g. `https://espmcloudwebp2000292804trial.hanatrial.ondemand.com/espm-cloud-web/`
Proxy type	`Internet`
Authentication	`OAuth2SAMLBearerAssertion`
Audience	Depends on your Landscape (Neo). See table in the bottom.
Client Key	ID of the OAuth client you saved in the previous step.
Token Service URL	taken from the “Branding” tab in the Neo subaccount - “Security” > “OAuth”.
Token Service user	Once again the ID of the OAuth client.
Token Service Password	The Secret you generate in the last step.
System User	empty
Use default JDK truststore	Checked

Add the following Additional properties:

Property	Value
`authnContextClassRef`	`urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession`
`nameIdFormat`	`urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`

Use this table to find the correct audience for your landscape:

Landscape	Audience
Europe (Rot) - Trial	`https://nwtrial.ondemand.com/services`
Australia (Sydney)	`ap1.hana.ondemand.com/services`
Brazil (São Paulo)	`https://br1.hana.ondemand.com/services`
Canada (Toronto)	`https://ca1.hana.ondemand.com/services`
Europe (Amsterdam)	`https://eu3.hana.ondemand.com/services`
Europe (Rot)	`https://netweaver.ondemand.com/services`
Japan (Tokyo)	`https://jp1.hana.ondemand.com/services`
KSA (Riyadh)	`https://sa1.hana.ondemand.com/services`
Russia (Moscow)	`https://ru1.hana.ondemand.com/services`
UAE (Dubai)	`https://ae1.hana.ondemand.com/services`
US East (Ashburn)	`https://us1.hana.ondemand.com/services`
US West (Chandler)	`https://us2.hana.ondemand.com/services`
US East (Sterling)	`https://us3.hana.ondemand.com/services`

Example:

Done

Log on to answer question

Step 6: Configuration in the CF environment

View Full Instructions

Create Destination Service Instance
- Navigate into your dev space.
- Open the Service Marketplace under Services.
- Find and click the destination tile.
- Click New Instance.
- Press Next three times.
- Enter the Instance Name: destination-demo-lite and click Finish.

Create Authorization & Trust Management Service Instance (aka XSUAA)

Click the arrow next to destination (see screenshot) and select Authorization & Trust Management.

Open dropdown and select Authorization & Trust Management

Click New Instance.

Press Next only once.

Copy and past the following parameters and click Next.

{
	"xsappname": "connectivity-app",
	"tenant-mode": "dedicated",
	"authorities": ["uaa.user"],
	"scopes": [{
		"name": "uaa.user",
		"description": "Default scope for user",
		"granted-apps": ["xs_user", "*"]
	}],
	"role-templates": [{
			"name": "USER",
			"description": "Normal user",
			"scope-references": [
				"uaa.user"
			]
		}
	]
}

Enter the Instance Name: xsuaa-demo and click Finish.

Create Manifest File for the approuter.

Create a new file called approuter-manifest.yml with the following content:

  ---
  applications:

  - name: destination-demo-approuter
    host: destination-demo-approuter-<userid>
    buildpack: nodejs_buildpack
    memory: 128M
    path: ./approuter.zip
    env:
      NODE_TLS_REJECT_UNAUTHORIZED: 0
    services:
      - xsuaa-demo
      - destination-demo-lite

Replace <userid> of the host property with your user id.

Deploy the Approuter
- Back in the Browser click the dev-space, Applications followed by Deploy Application.
- Click Browse and select approuter.zip as File Location. Then do the same for the Manifest Location and select the approuter-manifest.yml. Finally click Deploy.
- Wait until your application shows a green Started as State and then click on approuter-demo.
- Navigate to the Approuter by clicking the link as shown in the screenshot.
- Login using the E-Mail-Address and password of your trial account.