Exposing Back-End Data as OData Services

PDF download from SAP Help Portal:

http://help.sap.com/saphelp_nw73ehp1/helpdata/en/91/0ba096bfe34cbcb1e7eccf0d347c63/frameset.htm
Created on August 23, 2015

The documentation may have changed since you downloaded the PDF. You can always find the latest information on SAP Help
Portal.

Note
This PDF document contains the selected topic and its subtopics (max. 150) in the selected structure. Subtopics from other structures are not included.

2015 SAP SE or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose
without the express permission of SAP SE. The information contained herein may be changed without prior notice. Some software products marketed by SAP
SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are
provided by SAP SE and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP
Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set
forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional
warranty. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE in
Germany and other countries. Please see www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

Table of content

PUBLIC
2014 SAP SE or an SAP affiliate company. All rights reserved.

Page 1 of 5

Table of content
1 Exposing Back-End Data as OData Services
1.1 Authorizations in Gateway to Access Applications
1.2 Enabling Single Sign-on Authentication
1.3 Creating Destinations on SAP NetWeaver Application Server Java
1.4 Managing Service Registrations

PUBLIC
2014 SAP SE or an SAP affiliate company. All rights reserved.

Page 2 of 5

1 Exposing Back-End Data as OData Services

You can use the Java implementation of the Gateway Hub (part of the Integration Gateway and in the following named as Gateway Java) to expose SAP backend data as OData services.
The Gateway Java provides SAP back-end content as OData services using the OData Channel (ODC). ODC allows you to expose OData services by
defining object models and registering a corresponding runtime data provider class.
As OData services the data from SAP back-end systems can be consumed by applications, for example, by apps or user interfaces for completing tasks.

Note
Fiori Apps and the Unified Inbox are not yet supported by the Gateway Java. If you want to consume the back-end data as OData services in Fiori Apps or
the Unified Inbox, please use the Gateway.

Before you can expose SAP back-end content as OData services with Gateway Java, the following preperation steps are needed:
Enable SSO authentication between SAP NetWeaver Application Server Java (AS Java) and SAP back-end system.
If you have deployed the component IW_BEP 200 SP06 or lower in the SAP backend, you need to implement the SAP note 1816779
component IW_BEP 200 is required to enable SAP services as OData services.

. The

Related Information
Enabling Single Sign-on Authentication
Creating Destinations on SAP NetWeaver Application Server Java
Managing Service Registrations

1.1 Authorizations in Gateway to Access Applications

Authorizations in Gateway determines access to applications. This is based on an authorization concept that enables an administrator to assign authorizations
to users.
The assigned authorizations determine the actions that users can perform after they have been authenticated. For Gateway, assign the following predefined
application roles:
Role

Description

GW_Admin

Use this role to manually assign a user with administration permissions.

GW_User

Use this role to manually or automatically assign a user or a group of users with
application permissions.

To assign the roles you use the Identity Management that is integrated in the SAP NetWeaver Administrator.
1. Log on to the SAP NetWeaver Administrator with http://<host>:<port>/nwa.
2. Choose

Configuration

Identity Management

Note
You can also directly open the Identity Management application using the quick link, http://<host>:<port>/nwa/identity.

PUBLIC
2014 SAP SE or an SAP affiliate company. All rights reserved.

Page 3 of 5

3. On the Overview tab, you can search for the GW_Admin and GW_User roles using Roles as Search Criteria .
4. You can create a user or modify an exisitng user and assign the appropriate role. For more information, see UME Roles and Actions (AS Java).

Related Information
Security Aspects of Process Orchestration

1.2 Enabling Single Sign-on Authentication

Enabling single sign-on (SSO) authentication is a prerequisite for using Gateway.

Context
You must encrypt the communication channel between SAP Application Server and SAP back-end system for security reasons. This is achieved by uploading
the SSO certificate of the SAP back-end system to the SAP Application Server and vice versa.

Procedure
1. Download the certificate from the SAP Application Server:
1. Use the link http://<host>:<port>/nwa to go to the SAP Application Server and log on.
2. Choose the Configuration tab, and
Certificates and Keys
Ticketkeystore
SAPLogonTicketKeypair-cert.
3. Choose Export Entry .
4. In the Export Entry to File window, choose Binary X.509 as the export format.
5. Choose Download and save the certificate on your system.
This SAP Application Serve certificate has to be uploaded to SAP back-end system.
2. Upload the certificate to the SAP back-end system:
1. Log on to SAP back-end system in which you want to upload the certificate.
2. Go to transaction strustsso2 .
3. Expand System PSE and choose the child node to get the details of the system.
4. Click the assigned owner, for example, CN=AP2 .
5. Choose Import Certificate .
6. Enter the path where the downloaded SAPLogonTicketKeypair-cert.crt is saved.

7. Under File Format , choose Binary .

The certificate is saved in the location you specified. This ABAP system certificate has to be uploaded to SAP Application Server.
3. Download the certificate from the SAP back-end system:
1. Log on to the SAP back-end system from which you want to download the certificate.
2. Go to transaction strustsso2 .
3. Expand System PSE and choose the child node to get the details of the system.
4. Click the assigned owner, for example, CN=AP2 .
5. Choose Export Certificate .
6. Choose the path where the SAP back-end certificate should be saved.
7. Under File Format , choose Binary .
4. Upload the certificate to the SAP Application Server:
1. Use the link http://<host>:<port>/nwa to go to the SAP Application Server and log on.
2.
3.
4.
5.
6.
7.

On the Configuration tab, choose Trusted Systems .

Under Add Trusted System , choose By Uploading Certificate Manually .
Enter the system ID and client details of the SAP back-end system.
Choose the certificate downloaded from the SAP back-end system.
Choose Next .
Choose Finish .

Creating Destinations on SAP NetWeaver Application Server Java

Create destinations for the services to point to the SAP back-end system from which the data is fetched.

Context
You create the destinations in the SAP NetWeaver Administrator on the SAP NetWeaver Application Server Java.

Procedure
1. To go to the SAP NetWeaver Application Server Java, use the following URI http://<host>:<port>/nwa and log on.
2.
3.
4.
5.
6.

On the Configurations tab, choose

Destinations
Create
Select a system as Hosting System .
Enter a destination name.
As the Destination Type , select HTTP and choose Next .
Enter the details of the SAP back-end system:

Option

Description

URL

Enter the URL of the SAP back-end system.

Here is the generic URL: <https://<hostname>:<port>/sap/iwbep?sapclient=<client number>

PUBLIC
2014 SAP SE or an SAP affiliate company. All rights reserved.

Page 4 of 5

Hostname, port and client number depend on the system you are using.
To get the destination URL:
In transaction SICF , choose Execute to display the service tree
hierarchy.
Expand the default host and navigate to the node IWBEP (
default_host
sap
iwbep ).
In the context menu of the node iwbep , choose Test Service and in the
pop up window, choose Allow .
The URL you get in the address bar of the browser is the destination URL.
System ID

Enter the system ID of the SAP back-end system.

Client

Enter the client number of the SAP back-end system.

Make sure that the service information you enter is the same as on the SAP Business Suite system. To get the list of the SAP Business Suite
services, perform the following steps:
1. Log on to the SAP Business Suite system and go to the transaction SPRO .
2. Open the SAP Reference IMG and navigate to
SAP NetWeaver Gateway
Service Enablement
Backend OData Channel
Service
Deployment for Backend OData Channel
Display Models and Service .
7. Choose Next .
8. Select the Authentication type. You can choose from the following types:
No Authentication: When the back-end system has no authentication mechanism.
Basic (User ID and Password): When the back-end system is authenticated using credentials.
Logon Ticket: SSO authentication; for this type of authentication you have to establish mutual handshake.
Assertion Ticket: Similar to SSO authentication, but the session timeout is shorter than the one of the logon ticket.
User Mapping: Using this option, the user can map the destination to a particular application server.
X509 Client Certificate with SSL: If the user has a certificate authorized by a CA.

Results
A destination is created for the SAP back-end system. You can now register a service using 'OData Provisioning Administration' of Gateway Java.

Related Information
Managing Service Registrations

1.4 Managing Service Registrations

To manage service registrations you use the OData Provisioning Administration tool.

Prerequisites
You have created a destination for the SAP services to point to the SAP back-end system from which the data is fetched. For more information, see
Creating Destinations on SAP NetWeaver Application Server Java.

Context
The OData Provisioning Administration is the central user interface for all Gateway administration tasks. You also use the OData Provisioning
Administration tool to register SAP services.

Procedure
1. To start the OData Provisioning Administration, enter the URL http://<hostname>:<port>/igwj/Admin and log on using the administrator user
2.
3.
4.
5.

name and the corresponding password.

On the SERVICES tab, choose Register a New Service... .
Choose a destination from the Select a Destination list.
To search for SAP services, enter the service name or a key word in the Search field.
Select the service you want to register and choose Register .

Results
The registered service is activated by default. A service document URL to access the OData service is generated. You can see this URL in the Service
Document column.

PUBLIC
2014 SAP SE or an SAP affiliate company. All rights reserved.

Page 5 of 5