You might ask why do I need this project? The answer is whenever you want to work with on-premise destinations or a system connected through a Cloud Connector and you don't have a VPN connection which would allow you to connect directly. But please note that you don't need this project when you're working with SAP Business Application Studio and you have a Cloud Connector connected to the subaccount BAS is running in.
The authentication of the SAP BTP Cloud Foundry subaccount must be configured to use SAP ID or SAP Identity Authentication. For SAP Identity Authentication you must have the credentials of a local user.
This proxy makes use of the possibility to connect via ssh into an app (sshenabler) that is running inside the SAP BTP Cloud Foundry environment. From there the so-called connectivity proxy is reachable. This proxy is provided by an instance of the Connectivity Service. On your development computer you have to start two programs:
- the script that establishes the ssh tunnel and forwards requests from the local port 20003 and 20004 to connectivityproxy.internal.cf.eu10.hana.ondemand.com:20003 / 20004
- the reverse proxy that by default listens on port 5050 and acts as your local endpoint for calls that should be forwarded to the on premise system
When your local app that you develop e.g. a CAP Application using an external service, a SAPUI5 App or a REST Client Script sends a request to the proxy, it will either use the username / password provided as an basic authentication header or via the environment variables USERNAME / PASSWORD and use that to authenticate on the XSUAA service using the password grant type. In return a JWT is retrieved. This token is sent in the backend request and is translated to the X.509 certificate used for principal propagation in the Cloud Connector. The local reverse proxy sends request for an on premise destination to local port that are forwarded via the ssh tunnel to the proxy in the BTP.
When you want to directly connect to e.g. a database running on-premise (Sybase ASE, Postgres, HANA) then this repository provides a proxy that tunnels TCP requests through to the database.
You are logged into your SAP BTP Cloud Foundry subaccount via the cf CLI, you have the Multitarget Build Tool (mbt) installed ,and you have installed the MultiApps CLI Plugin. If you’re going to use the SOCKS5 proxy (Forward TCP data), you’ll need to have Maven installed.
Clone the repository to a directory of your choice:
git clone git@github.com:jowavp/sap-cf-proxy.gitRun the following commands in a terminal window in the sap-cf-proxy directory :
npm install
npm run build:mta
npm run deploy:cf
npm run enable-sshBy default the script
start-sshtunnelis configured to forward the requests to:'connectivityproxy.internal.cf.eu10.hana.ondemand.com:20003'.
Open the SAP BTP Cockpit and navigate to the details of the deployed app sshenabler. Open the Environment Variables of this app. They can be found by opening the cloud foundry space in the correct sub-account. Click on the deployed application sshenabler and click on the Environment Variables in the left-hand menu.
Copy the content of the textbox System Provided to a file named default-env.json in the root folder of this project.
Only the "VCAP_SERVICES" section is required. Do not add the "VCAP_APPLICATION" section.
The hostname or IP address you are looking for is named onpremise_proxy_host in the VCAP_SERVICES Environment Variable of the sshenabler application.
Update the following section in package.json with the hostname or IP address:
"config":{
"proxy": "connectivityproxy.internal.cf.eu10.hana.ondemand.com"
},Once this configuration is complete you can now run:
npm run start:sshtunnelThe result should be something like:
> sap-cf-proxy@0.0.2 start:sshtunnel
> cf ssh sshenabler -L 20003:$npm_package_config_proxy:20003 -L 20004:$npm_package_config_proxy:20004
vcap@<guid>:~$and you will be able to enter commands on the server if you wish.
Once you have created the local default-env.json as described above, in another terminal window of the sap-cf-proxy app run:
npm startGo to the SAP BTP Cockpit and open the details of the deployed app sshenabler. Navigate there to the Environment Variables. Copy the content of the textbox System Provided to a local file called default-env.json in the directory socks-proxy.
Then, run the following commands in another terminal window. Make sure to change ON_PREMISE_HOST and ON_PREMISE_PORT to values that you see in the Cloud Connector configuration. To specify a particular cloud connector, set the variable CLOUD_CONNECTOR_LOCATION_ID.
cd socks-proxy
# Set Environment
export ON_PREMISE_HOST=hostnameOfOnPremiseSystem \
ON_PREMISE_PORT=portOfOnPremiseSystem \
CLOUD_CONNECTOR_LOCATION_ID=cloudConnectorLocationId \
VCAP_SERVICES=$(jq -c '.VCAP_SERVICES' default-env.json)
# Start the proxy
mvn compile exec:java -Dexec.mainClass="StartSocksProxy"Now you can open your preferred database tool or also your application that uses JDBC to connect and just point it to localhost:5050.
Following properties can be configured in a .env file in the root folder of the project.
| Property | Description | Defaul value |
|---|---|---|
| PORT | Proxy port | 5050 |
| DESTINATION_PROPERTY_NAME | Header property to define the target destination | X-SAP-BTP-destination |
| DEFAULT_DESTINATION | If no target destination is set in the request to the proxy we use this destination nama. | SAP_ABAP_BACKEND |
| CFPROXY_HOST | Host where the port-forwarding is running to the CF proxy | 127.0.0.1 |
| CFPROXY_POST | Port that is forwarded to the CF proxy | 20003 |
| USERNAME | Username in cloud foundry, if no user is set you have to send an authorization header. | |
| PASSWORD | Password in cloud foundry, if no password is set you have to send an authorization header. |
Using the VS Code Extension REST Client you can execute the test in test/ping.http. Before you can run the test you have to create a .env file in the test folder with the following (of course adjusted) content:
sapcpproxy=http://localhost:5050
sapid_username="<user-email>"
sapid_password="<password>"
sapclient=<SAP Client>Connect a Cloud Connector to your Subaccount and create the following destinations:
- SAP_ABAP_BACKEND_NO_AUTH
- SAP_ABAP_BACKEND_BASIC_AUTH
Then run the test. The result should be:
<html><body>Server reached.</body></html>
in both cases.
If you start the sshtunnel with npm run start:sshtunnel and get the following error:
Error opening SSH connection: You are not authorized to perform the requested action.then you need to:
cf enable-ssh sshenabler;
cf restart sshenabler;Other troubleshooting is available
Currently the following warning are emmited on npm i
The deprecated libraries need to be updated.
npm WARN deprecated @types/pino@7.0.5: This is a stub types definition. pino provides its own type definitions, so you do not need this installed.
npm WARN deprecated babel-preset-es2015@6.24.1: 🙌 Thanks for using Babel: we recommend using babel-preset-env now: please read https://babeljs.io/env to update!
npm WARN deprecated @sap-cloud-sdk/analytics@1.54.2: 1.x is no longer maintained.
npm WARN deprecated @sap-cloud-sdk/util@1.54.2: 1.x is no longer maintained.
npm WARN deprecated @sap-cloud-sdk/core@1.54.2: Version 1 of SAP Cloud SDK is no longer maintained. Check the upgrade guide for switching to version 2: https://sap.github.io/cloud-sdk/docs/js/guides/upgrade-to-version-2.
npm WARN deprecated core-js@2.6.12: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.