Show TOC

Defining Back-End ConnectionsLocate this document in the navigation structure

For the selected application, define its back-end connections. Mobile platform supports one primary endpoint per application ID. However, an administrator can create multiple secondary endpoints for services used by the application; Mobile platform treats secondary endpoints as proxy connections. For applications that access a Web service containing relative URLs, add the relative paths to enable the server to handle requests correctly.


  1. In Management Cockpit, select Applications.
  2. Select an application, then select Back End.
  3. Enter values for the selected application:
    Field Value
    The URL the application uses to access business data on the back-end system or service. This can be a back-end connection, or a service document. Typical format:
    Example back-end connection URL:
    For a service, the service document URL is the document destination you assigned to the service in gateway. Include a trailing forward slash to avoid triggering a redirection of the URL, and losing important HTTP header details. This is especially important when configuring the application with security, such as SSOToken and Certificates, and when Rewrite URL in SMP or Rewrite URL in Backend System is selected for Rewrite Mode. Example service URL:
    Note If you select to rewrite the URL, it must not include a reserved pattern. See Endpoint Reserved Patterns.
    Internal Whitelist a service that you create in the mobile platform. If you define an endpoint as internal, the host name and port of the back-end URL are ignored, and incoming requests are forwarded to internal services in-process, without another HTTP call to localhost. An example of an internal service is Integration Gateway.
    Use System Proxy (Optional) Whether to use proxy settings as configured in the system properties to access the back-end system. This setting is typically disabled, because most back-end systems can be accessed within an intranet without a proxy. Enable this setting only when proxy settings are needed to access a remote back-end system outside of the network. When enabled, this particular connection is routed via the settings in the system properties.
    Allow Anonymous Access

    (Optional) Whether to enable anonymous access, which means the user can access the application without entering a user name and password. However, the back-end system still requires login credentials for data access, whether it is a read-only user, or a back-end user who is assigned specific roles.

    • If enabled and the back end requires it, enter the login credentials to access the back-end system:
      • User name – the user name for the back-end system.
      • Password – (required if you set a user name) the password for the back-end system.
    • If disabled (the default) or the back end does not require it, you need not provide these credentials.

    Note If you use Allow Anonymous Access for a native OData application, do not also assign the No Authentication Challenge security profile to the application; anonymous OData requests are not sent, and Status code: 401 is reported.
    Certificate Alias Optional if the Endpoint URL begins with HTTPS.

    If the back-end system has a mutual SSL authentication requirement, enter the certificate alias name of the private key and technical user certificate that is used to access the back-end system. The alias is located in smp_keystore; otherwise, leave the entry blank.

    Maximum Connections The number of back-end connections that are available for connection pooling for this application. The larger the pool, the larger the number of possible parallel connections to this specific connection. For primary endpoints, the default and minimum is 500 connections. Factors to consider when resetting this property:
    • The expected number of concurrent users of the application.
    • The load that is acceptable to the back-end system.
    • The load that the underlying hardware and network can handle.
    Increase the maximum number of connections only if SAP Mobile Platform Server hardware can support the additional parallel connections, and if the underlying hardware and network infrastructure can handle it.
    Note For secondary endpoints, there is no required minimum.
    Rewrite Mode Select one of:
    • Rewrite URL in SMP – in request and response messages, server replaces all back-end URLs with the server URL.
    • Rewrite URL in Backend System – the back end rewrites the URLs. The server forwards its host name and port to the back end as an HTTP header, and the back end creates the URL to retrieve back-end entities.
    • No Rewriting – request and response messages are not modified; server passes messages directly between clients and the back end.
    Note To enable applications using an external back end to run offline, you must select one of the rewrite options.
    Relative Path

    If an application requires data from a back end that uses relative URLs, you must configure those relative URL patterns in Management Cockpit. Server rewrites the relative URLs to include the Connection ID (connection name), enabling access to the back-end data. For example, a Web service application requests an HTML page named abc.html, which contains the relative URLs /sap/bc and /sap/public/bc in its src or href tags.

    When a request is made, server rewrites the relative URLs contained in the response, so that subsequent requests (to these relative URLs in the response) can be processed correctly. For example, if "webApp" is the connection name and the response contains the relative URLs /sap/bc,/sap/public/bc; mobile platform rewrites these relative URLS to /webApp/sap/bc,/webApp/sap/public/bc. Without the relative URLs, the request cannot be processed.

    To add relative paths, you can either enter one relative URL per table row (for example, /sap/bc in one row, and /sap/public/bc in another); or you can enter a comma-delimited list of relative URLs in one table row (for example, /sap/bc,/sap/public/bc), and the URLs are redistributed to separate rows after you Save.
    Note To use the Relative Path option, you must select Rewrite URL in SMP option in Rewrite Mode.
    SSO Mechanisms You can add one or more SSO mechanisms, and prioritize them. The runtime calls the first SSO mechanism for which corresponding user credentials are available. Only one SSO mechanism is used per connection attempt. If the connection fails, the server invalidates the client session and requires reauthentication.
    • If Allow Anonymous Access is not selected, you must select an SSO Mechanism.
    • If Allow Anonymous Access is selected, selecting an SSO Mechanism is optional.
    Click Add, select an SSO mechanism, and enter property values if required:
    • Technical User Basic (TechUserBasic) – enter the user name and password for the technical user. Connects to the back end using these credentials. You can use this SSO mechanism with any authentication-provider configuration in the security profile.
    • Technical User X.509 (TechUserX509) – connects to the back end using the configured technical-user X.509 certificate. You can use this mechanism with any authentication-provider configuration in the security profile.
    • Basic – connects to the back end with the end user's user name and password. To use this SSO mechanism, the provider that is configured in the security profile must authenticate the end user with a user name and password, for example, System Only, HTTP/HTTPS, or LDAP.
    • X.509 – connects to the back end using the configured technical user X.509 certificate. The end-user certificate is passed in the SSL_CLIENT_CERT HTTP header. Configure the back end to allow the technical user to impersonate the end user and execute the request in the context of the end user. The end-user certificate may be generated by the Principal Propagation provider that is configured in the security profile, or it may be supplied by the end user when he or she authenticates to the server over a mutually authenticated HTTPS connection. You can use this mechanism with either the X.509 authentication provider or the Principal Propagation provider that is configured in the security profile.
    • Kerberos – enter the Kerberos realm and the service name. Connects to the back end by setting the Kerberos token value in the Authorization: Negotiate <Kerberos token ticket value> header. Configure the back end to authenticate users with Kerberos. You can use this mechanism only if the Kerberos provider is configured in the security profile. The server obtains a Kerberos access token for the specified realm and service name. The realm contains the back-end resources to which you want to provide SSO access.
      Note The service user who is configured in the security profile must also be configured in Active Directory with permission to delegate to the application-endpoint service.
    • SSO2 – authenticates the user to the back end using a MYSAPSSO2 token. You can use this mechanism only if an HTTP/HTTPS provider is configured in the security profile, and it authenticates the end user to SAP Mobile Platform Server against a Web server that returns a MYSAPSSO2 token.
    • Custom – sends configured headers/cookies with values derived from a regular expression. This is a generic mechanism to pass SSO details not covered by other explicit mechanisms. Select Custom, and enter:
      • Name – name of the header or cookie.
      • Pattern – header or cookie value.
      • Type – header or cookie.

    To set the order in which multiple SSO mechanisms are used, click the up or down arrow adjacent to the name.

    Back-End Connections
    To add a secondary back-end connection for the application, click New, and enter:
    • Connection Name – name for the endpoint.
    • Endpoint – URL of the back-end system or service.

    For each back-end connection, select or unselect Enabled for Application.

  4. Click Save. The new back-end connection is added to the list.
    Note To delete a saved connection, select Start of the navigation path Settings Next navigation step Connections End of the navigation path.

    You can maintain the list of server-level back-end connections (including all the connections in SAP Mobile Platform Server), and of application-specific back-end connections. Application-specific back-end connections are the secondary connections that are enabled for an application; by default, no secondary connections are enabled. You must explicitly enable additional back-end connections for an application. Users who are registered to an application can access only these back-end connections. Users cannot access back-end connections (request-response) that are not enabled for an application.

  5. Select Application-Specific Connections to show the back-end connections that are enabled for the application.

    Select Server-Level Connections to show all available connections for the server. Use the checkbox to enable additional connections for the application.

    • You can authenticate multiple back ends using various authentication provider options in the back-end security profile.
    • If the back-end system issues a 302 Redirect or 307 Redirect response, which means it is redirecting the request to a different URL, then you must also add the target URL to the list of application-specific connections.