Enable CORS on SAP NetWeaver releases lower than 7.52

You must perform the following CORS setup if your SAP BW system or SAP BPC 10.1 NW system is running on a version of SAP NetWeaver lower than 7.52.

Prerequisites

You must be updated to SAP Kernel 7.49 PL 315 or higher.

Context

Note
If your SAP BW landscape is running behind SAP Web Dispatcher, then you should apply these changes to SAP Web Dispatcher instead of ABAP.

Procedure

  1. Create a new file on your ABAP server.

    This file will contain CORS rewrite rules. For example, /usr/sap/<SID>/SYS/profile/<cors_rewrite>.

  2. Adjust the ICM parameter to point to the file you created in step 1.
    You can find this parameter in the SAP profile parameter settings for your ABAP server.
    For example,
    icm/HTTP/mod_0 = PREFIX=/,FILE=<Path_To_CORS_Rewrite_File>
    Note

    Replace <Path_To_CORS_Rewrite_File> with the path to the CORS rewrite file you created.

  3. Add the following content to the rewrite file:
    if %{HEADER:isSACOriginAllowed} = true
           setHeader isSACOriginAllowed false
    
    if %{HEADER:ORIGIN} regimatch ^(https:\/\/)?<HOSTNAME> [AND]
    if %{PATH} regimatch (\/sap(\(.*\))*\/bw\/ina\/*) 
      setHeader isSACOriginAllowed true
    
    if %{HEADER:isSACOriginAllowed} = true [AND]
    if %{REQUEST_METHOD} regimatch (GET|POST)
    begin
      setResponseHeader Access-Control-Allow-Origin %{HEADER:ORIGIN}
      setResponseHeader Access-Control-Expose-Headers x-csrf-token,sap-rewriteurl,sap-url-session-id,sap-perf-fesrec,sap-system
      setResponseHeader Access-Control-Allow-Credentials true
      setResponseHeader Vary origin
    end
    
    if %{HEADER:isSACOriginAllowed} = true [AND]
    if %{REQUEST_METHOD} stricmp OPTIONS
    begin
      regRewriteUrl ^/(.*) /sap/public/ping
      setResponseHeader Access-Control-Allow-Origin %{HEADER:ORIGIN}
      setResponseHeader Access-Control-Allow-Methods GET,POST
      setResponseHeader Access-Control-Allow-Headers x-csrf-token,x-sap-cid,authorization,mysapsso2,x-request-with,sap-rewriteurl,sap-url-session-id,content-type,accept-language
      setResponseHeader Access-Control-Max-Age 600
      setResponseHeader Access-Control-Allow-Credentials true
      setResponseHeader Vary origin
      removeResponseHeader Set-Cookie
      removeResponseHeader Expires
    end
    
    Note
    Replace <HOSTNAME> with your SAP Analytics Cloud host. For example, mytenant.us1.sapanalytics.com.
    Note
    Multiple hosts can be added to the rewrite file. For more information, see How to Enable CORS on SAP NetWeaver Platform.
  4. Restart your ABAP server.