Configuring REST Tunnel

In this step, you configure the REST tunnel.

Prerequisites

You have completed the following procedures:

Context

Note

This configuration task is optional and currently not supported for external service providers other than SAP Jam.

However, this task is mandatory for SAP Fiori apps or any app using the collaboration components, and mandatory in any system used as ABAP SMI hub.

If OData or REST calls are made directly to an external service provider, each calling system has to have a trusted connection to the external service provider. When using a REST tunnel, only the tunnel system has a trusted connection and clients can make use of this type of indirect OData or REST call.

Front-end applications such as SAP Fiori apps can consume the SAP Jam OData API directly. This, however, results in cross-domain authorization problems. For these applications, ABAP SMI provides a general REST tunnel that uses the same trusted connection as the one you have established in the Customizing steps for the server and applications settings. From the application's perspective, the application calls the tunnel instead of SAP Jam directly.

The REST tunnel can be addressed as an ICF service using the ICF node path /sap/bc/ui2/smi/rest_tunnel/ in a URL with the following format:

<back-end host>:<port>/sap/bc/ui2/smi/rest_tunnel/<tunnel destination>/<service provider service root>/<service resource path>
Example

https://example.com:1111/sap/bc/ui2/smi/rest_tunnel/Jam/api/v1/OData/Groups('ABC123')

The example URL consists of the following elements:

Element                     Description
example.com:1111            Back-end host and port
sap/bc/ui2/smi/rest_tunnel  ICF node path
Jam                         Tunnel destination
api/v1/OData                Service root of the service provider
Groups('ABC123')            Resource path for the service

The system uses the most specific entry matching the service root and the resource path to determine the service provider type, application ID, and authentication context. For security reasons, you have to explicitly activate tunneling for the services the tunnel is to address (whitelist). For information about REST tunnel security aspects, see Network and Communication Security.

By default, tunneling is not active. You have to activate the ICF node /sap/bc/ui2/smi/rest_tunnel/ and specify the allowed endpoints as described in the following procedure.

Procedure

  1. To check whether the ICF node /sap/bc/ui2/smi/rest_tunnel/ is activated, run transaction SICF.
    For more information, see the system documentation for the transaction.
  2. In Customizing for SAP NetWeaver, choose UI Technologies > SAP Jam Integration > Configure REST Tunnel (or run transaction CLB2_TUNNEL).
    The Change View "Collaboration: Tunnel Service": Overview screen appears.
  3. To activate tunneling, in view CLB2V_TUNNEL_C, choose New Entries and complete the steps for the following endpoints as required.
    For SAP Fiori apps, you have to complete the steps for all endpoints listed below.
    • To activate the REST tunnel for the OData endpoint of the service metadata document, complete the fields as follows:
      Field                   Value
      Tunnel Destination      Enter Jam.
      Service Provider Type   Select Jam.
      Application ID          Select DEFAULT.
      Service Root            Enter api/v1/OData.
                              Note: The entry for the service root is case-sensitive.
      Resource Path           Enter $metadata.
      Authentication Context  Select NONE (No authentication).
    • To activate the REST tunnel for the OData endpoints of SAP Jam, complete the fields as follows:
      Field                   Value
      Tunnel Destination      Enter Jam.
      Service Provider Type   Select Jam.
      Application ID          Select DEFAULT.
      Service Root            Enter api/v1/OData.
                              Note: The entry for the service root is case-sensitive.
      Resource Path           To use the default, that is, the unrestricted REST tunnel, leave the field empty.
      Authentication Context  Select USER (User context).
    • To activate the REST tunnel for posting feed entries in SAP Jam, complete the fields as follows:
      Field                   Value
      Tunnel Destination      Enter Jam.
      Service Provider Type   Select Jam.
      Application ID          Select DEFAULT.
      Service Root            Enter api/v1/feed/post.
                              Note: The entry for the service root is case-sensitive.
      Resource Path           To use the default, that is, the unrestricted REST tunnel, leave the field empty.
      Authentication Context  Select USER (User context).
    • To activate the REST tunnel for retrieving the single-use tokens from SAP Jam, complete the fields as follows:
      Field                   Value
      Tunnel Destination      Enter Jam.
      Service Provider Type   Select Jam.
      Application ID          Select DEFAULT.
      Service Root            Enter /v1/single_use_tokens.
                              Note: The entry for the service root is case-sensitive.
      Resource Path           To use the default, that is, the unrestricted REST tunnel, leave the field empty.
      Authentication Context  Select USER (User context).
    Note

    Some services that would expose security tokens through the REST tunnel are blocked by a blacklist. The blacklist cannot be modified.

    Examples for endpoints not allowed in SAP Jam:

    • v1/session
    • oauth/access_token
    • oauth/revoke_token

  4. Save your entries.

Results

You have defined tunneling for your OData or REST services.
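
The lookup described on this page, as an added Python model for reviewing a planned configuration (not SAP code): it splits a tunnel URL into the elements listed above and selects the most specific of the four entries from the procedure. The function name `resolve`, prefix matching at "/" boundaries, ranking by length, and treating the listed blocked endpoints as a match anywhere in the path are assumptions.

```python
from urllib.parse import urlsplit, unquote

ICF_NODE = "/sap/bc/ui2/smi/rest_tunnel/"

# (tunnel destination, service root, resource path, authentication context)
# as entered in the procedure on this page; "" = unrestricted resource path.
ENTRIES = [
    ("Jam", "api/v1/OData", "$metadata", "NONE"),
    ("Jam", "api/v1/OData", "", "USER"),
    ("Jam", "api/v1/feed/post", "", "USER"),
    ("Jam", "/v1/single_use_tokens", "", "USER"),
]
# Only the example endpoints the page names; the real blacklist is not shown.
BLOCKED = ["v1/session", "oauth/access_token", "oauth/revoke_token"]


def resolve(url):
    """Model the lookup: return (verdict, auth context, resource path)."""
    path = unquote(urlsplit(url).path)
    if not path.startswith(ICF_NODE):
        return ("not_tunnel", None, None)
    destination, _, rest = path[len(ICF_NODE):].partition("/")
    rest = rest.strip("/")
    # Assumption: a blocked endpoint anywhere in the path wins over any entry.
    if any(f"/{b}/" in f"/{rest}/" for b in BLOCKED):
        return ("blocked", None, None)
    best = None
    for dest, root, resource, auth in ENTRIES:
        root = root.strip("/")
        # Case-sensitive match of the service root at a "/" boundary.
        if dest != destination or not (rest + "/").startswith(root + "/"):
            continue
        tail = rest[len(root):].lstrip("/")
        if not tail.startswith(resource):
            continue
        # Assumption: "most specific" = longest service root, then resource path.
        rank = (len(root), len(resource))
        if best is None or rank > best[0]:
            best = (rank, ("allowed", auth, tail))
    return best[1] if best else ("not_listed", None, None)


if __name__ == "__main__":
    base = "https://example.com:1111" + ICF_NODE  # constructed sample URLs
    for suffix in ("Jam/api/v1/OData/Groups('ABC123')", "Jam/api/v1/OData/$metadata",
                   "Jam/api/v1/odata/Groups", "Jam/oauth/access_token"):
        print(suffix, "->", resolve(base + suffix))
```

In this model the $metadata request resolves to the entry with authentication context NONE, while every other OData path falls through to the unrestricted USER entry; a service root written in the wrong case matches nothing.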