
Configure Your SAP S/4HANA System for Content Federation

Configure the allow list to enable SAP S/4HANA applications to be run in an iFrame in an SAP Launchpad site and set an SAP Fiori launchpad parameter for the exposure of classic apps.
You will learn
  • How to set up the allow list to enable your SAP BTP trial to access the SAP S/4HANA system
  • How to set the SAP Fiori launchpad parameter EXPOSURE_SYSTEM_ALIASES_MODE in the SAP S/4HANA Customizing.
SibylleB, June 1, 2022
Created by SibylleB, February 18, 2021
Contributors: SibylleB

Prerequisites

  • Get a Free Account on SAP BTP Trial
  • To integrate federated content into an SAP Launchpad site, you already need a launchpad site available in your SAP BTP trial account. Please follow at least the first two tutorials of the Create your First SAP Launchpad site group or the full Deliver your First SAP Fiori launchpad site with integrated apps mission to set up the SAP Launchpad service on your SAP BTP trial account.
  • To test content federation, you need an SAP S/4HANA system on release 2020 or 2021 and have administrator access to it. This tutorial describes the configuration of an SAP S/4HANA 2020 system which you can also get as SAP S/4 HANA Fully Activated Appliance 30-day trial system. You can find more details about the process to start your SAP S/4HANA trial in this Quick Start Document.
     
    To avoid reconfiguring the SAP Cloud Connector after each restart, we recommend using the system with a static public IP address.
     
    Please keep in mind that the trial is only free for 30 days, so only request the system when you are ready to run the tutorial.
     
  • You need an SAP Cloud Connector installed. If you are using the SAP S/4HANA trial, the SAP Cloud Connector is already included in it.

In this group of tutorials, you will integrate SAP Fiori launchpad content from an SAP S/4HANA system to the SAP Launchpad service on SAP BTP using content federation. With this functionality, SAP enables SAP S/4HANA (and other products) to serve as content providers by exposing their business content and role structures to the central Launchpad, which makes the day-to-day operation and maintenance by the content administrator much more efficient.

You will learn how to combine federated content from SAP S/4HANA with apps from other sources like custom apps running on SAP BTP or SAP Business Suite applications in one launchpad site.

  • Step 1
    1. If you are using your own instance of the SAP S/4HANA 2020 or 2021, Fully Activated Appliance solution in SAP Cloud Appliance Library, click Connect.

      Connect instance
    2. You can either use the Windows Remote Desktop and log in via SAP Logon there, or log in directly via SAP GUI by clicking Connect in the SAP GUI row in the Connect to the Instance pop-up. Please check the Getting Started with the SAP S/4HANA 2020 (SP00) Fully-Activated Appliance Guide for details.

      An .sap file will be downloaded to your computer to connect to the SAP S/4HANA system.

      Connect to S/4
    3. Click the downloaded file. If required, click Allow in the pop-up window.

      Downloaded file
    4. Log in to client 100 of system S4H with default user BPINST and password Welcome1.

      Login
  • Step 2

    Since the SAP S/4HANA apps are integrated into the SAP Launchpad service using iFrames, you need to configure an allowlist to protect your system against clickjacking attacks. The allowlist service is an ABAP-wide service to implement protections. You can manage such allowlist scenarios with the Unified Connectivity Framework (UCON Framework) to optimize the protection of your RFC and HTTP(S) communication against unauthorized access.

    To allow the SAP Launchpad service to consume data from your SAP S/4HANA system, you should add your trial account to the allowlist for Clickjacking Framing Protection.

    If you do not activate the allowlist, the launchpad defaults to a more restrictive clickjacking protection mechanism. It will then only allow framing if the host of the application is part of the same domain as the embedding application, i.e. the Launchpad (same origin policy).

    Start the transaction uconcockpit.

    Launch uconcockpit
  • Step 3
    1. In the drop-down list, select HTTP Whitelist Scenario.

    In an SAP S/4HANA 2021 system, this is called “HTTP Allowlist Scenario”.

      Open HTTP allowlist

    2. If the Clickjacking Framing Protection scenario is not available in the list, you need to activate it. To do so, select HTTP Whitelist > Setup in the menu bar.

      Start HTTP Allowlist setup
    3. In the pop-up, check the entry activate Clickjacking Protection (Context Type 02) for all clients (recommended). Then click the Continue icon.

      Activate clickjacking protection

      For more details, see Using an Allowlist for Clickjacking Framing Protection

    You now see the Clickjacking Framing Protection entry in the table. It is currently set to Logging mode. This means that connections are only logged, but not checked. With this setting, connectivity from your SAP BTP trial account will work. However, this is not a secure setting. In a production environment, you would need to add the patterns for your SAP Launchpad service to the allowlist and then set the scenario to Active check mode.

    Result clickjacking
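
The three states described in steps 2 and 3 (scenario not activated, Logging, Active check) can be compared with a small model. This is an added example, not SAP code or part of the original tutorial: the glob pattern syntax, the host names, the exact-origin comparison used for the fallback, and the rule that same-origin framing is always permitted are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

class Mode(Enum):
    NOT_SET_UP = "scenario not activated"
    LOGGING = "Logging"
    ACTIVE_CHECK = "Active check"

def origin(url):
    """Normalize a URL to scheme://host:port, filling in default ports."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or {"https": 443, "http": 80}.get(scheme)
    return f"{scheme}://{(parts.hostname or '').lower()}:{port}"

@dataclass
class FramingPolicy:
    mode: Mode
    patterns: list = field(default_factory=list)  # hypothetical glob syntax
    log: list = field(default_factory=list)       # (embedder origin, matched)

    def allows(self, embedder_url, app_url):
        """Return True if embedder_url may frame the app at app_url."""
        embedder = origin(embedder_url)
        if embedder == origin(app_url):
            return True   # assumption: same-origin framing is always permitted
        if self.mode is Mode.NOT_SET_UP:
            return False  # fallback from step 2: same origin only
        matched = any(fnmatchcase(embedder, p) for p in self.patterns)
        self.log.append((embedder, matched))
        # Logging mode records the request but never rejects it.
        return True if self.mode is Mode.LOGGING else matched

# Constructed sample values, not real tenants or systems.
APP = "https://s4h.example.test:44301/sap/bc/ui2/flp"
LAUNCHPAD = "https://mytrial.launchpad.example.test/site"
UNRELATED = "https://frames.other.example/page"
PATTERNS = ["https://*.launchpad.example.test:443"]

def decisions(mode):
    """Framing decision per embedder for the given scenario mode."""
    policy = FramingPolicy(mode, list(PATTERNS))
    embedders = {"launchpad": LAUNCHPAD, "unrelated": UNRELATED, "self": APP}
    return {name: policy.allows(url, APP) for name, url in embedders.items()}
```

In this model, Logging mode is the only state in which the unrelated origin is allowed to frame the app, and the only trace of that request is the unmatched log entry.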
  • Step 4

    The parameter EXPOSURE_SYSTEM_ALIASES_MODE defines how to handle system aliases during content exposure. In an embedded deployment of the SAP Fiori front-end server, all apps run on the same server. Therefore, system aliases can be cleared during exposure. In a hub deployment, in contrast, they might come from different back-end systems and each back-end system may have several aliases. Therefore, you need to map these aliases to the runtime destinations manually after creating the content provider in the last tutorial of this group. See the documentation for details.

    This parameter must only be set in an embedded scenario where the SAP Fiori front-end server is deployed into the AS ABAP of the SAP S/4HANA system. This is the case in the SAP S/4HANA trial system.

    1. Enter /nspro in the command field to access the customizing.

      Launch SPRO
    2. Click SAP Reference IMG.

      Open SAP Reference IMG
    3. In the tree, open SAP NetWeaver > UI Technologies > SAP Fiori > SAP Fiori Launchpad Settings.

    In an SAP S/4HANA 2020 system the path to choose would be ABAP Platform > UI Technologies > SAP Fiori > SAP Fiori Launchpad Settings.

    4. Then click the IMG Activity icon in front of Change Client-Specific Settings.
      Change Settings
  • Step 5
    1. Click New Entries to create one new entry.

      New Entries
    2. For the new entry, make the following inputs in the first row of the table:

      FLP Property ID: EXPOSURE_SYSTEM_ALIASES_MODE

      Property Value: CLEAR

      The values for Type and Category will be added automatically when you save the new entry.

    3. Click Save.

      Exit
    4. If you see a pop-up window informing you about a refresh of the text index, just confirm it.

      Close pop-up

      To save your settings, you need to assign a customizing request.

    5. Click the Create icon to create a new customizing request.

      Create customizing request
    6. If you want, enter a description. Then click the Save icon.

      Save request
    7. Click the OK icon to confirm the selected customizing request.

      Confirm request
    8. Your entry was saved. Click the Back icon to go back to the main settings table.

      Back to FLP settings

    You have now made all the settings required in the SAP S/4HANA trial system.

    Customizing result
  • Step 6

    If you work in your own SAP S/4HANA test system or just want to make sure all prerequisites for content exposure are met, you might check if the service /sap/bc/ui2/cdm3 is activated in the SAP S/4HANA system. This is the case in the preconfigured SAP S/4HANA trial.

    1. Enter /nsicf into the command field to launch transaction SICF.

    2. Enter cdm3 in Service Name and click the Execute icon.

      Enter service name
    3. Right-click the cdm3 service. Check that the Activate Service entry is grey and inactive. This means that the service is already activated. Otherwise, you can activate it now by clicking Activate Service.

      CDM3 service
  • Step 7

    You also need to make sure that the user who performs the content exposure has the right role and that the page cache is turned on for them. This is also already the case for user bpinst.

    1. Enter /nsu01 into the command field to launch User Maintenance.

    2. Enter bpinst as User, as this is the user that will do the content exposure. Then click the Display icon.

      Enter user

      The permissions to run the content exposure are delivered with the role SAP_FLP_ADMIN. The BPINST user has full administrator permissions and can be used for content exposure.

    3. Go to tab Parameters and make sure that the parameter /UI2/PAGE_CACHE_OFF does not show up here. If it does, remove it.

      User parameters

    This parameter is only used for test purposes to identify caching issues. It should not be present in productive systems in any case, as it can slow down the loading process significantly.
