sap-btp-connectivity

Installs: 44
Rank: #16686

Install

npx skills add https://github.com/secondsky/sap-skills --skill sap-btp-connectivity

SAP BTP Connectivity provides secure access from SAP BTP applications to remote services across cloud, on-premise, and VPC environments.

Core Components

| Component | Role |
|---|---|
| Destination Service | Manages connection metadata, authentication, routing |
| Connectivity Service | Enables Kubernetes workloads via Cloud Connector |
| Cloud Connector | Reverse proxy for secure on-premise tunneling |
| Connectivity Proxy | Kubernetes component for on-premise access |
| Transparent Proxy | Kubernetes component for unified destination access |

Supported Environments: Cloud Foundry, ABAP Environment, Kyma

Supported Protocols: HTTP/HTTPS, RFC, TCP (SOCKS5), LDAP/LDAPS, Mail

Quick Start

Create HTTP Destination (Cloud Foundry)

  • Navigate: Connectivity > Destinations in BTP Cockpit

  • Select: Create > From Scratch

  • Configure:

Name: my-destination
Type: HTTP
URL: https://api.example.com
ProxyType: Internet
Authentication: OAuth2ClientCredentials
clientId: <your-client-id>
clientSecret: <your-client-secret>
tokenServiceURL: https://auth.example.com/oauth/token

Set Up Cloud Connector

  • Download from SAP Tools

  • Access: https://localhost:8443

  • Login: Administrator / manage (change immediately)

  • Add subaccount connection

Access Destination in Application (Node.js)

const { getDestination } = require('@sap-cloud-sdk/connectivity');
(async () => { // await needs an async context in a CommonJS module
  const destination = await getDestination({ destinationName: 'my-destination' });
})();

Connectivity Scenarios

Cloud-to-Cloud

ProxyType: Internet
Authentication: OAuth2ClientCredentials | OAuth2SAMLBearerAssertion

Cloud-to-On-Premise

ProxyType: OnPremise
Authentication: BasicAuthentication | PrincipalPropagation

Requires Cloud Connector installation in on-premise network.

On-Premise-to-Cloud (Service Channels)

For on-premise systems accessing SAP BTP services via Cloud Connector.

Destination Types

| Type | Use case | Proxy type | Authentication |
|---|---|---|---|
| HTTP | REST/OData APIs | Internet/OnPremise | OAuth2, Basic, Certificates |
| RFC | SAP systems | OnPremise | Basic, PrincipalPropagation |
| LDAP | Directory services | Internet | Basic, NoAuth |
| MAIL | Email protocols | Internet | Basic, NoAuth |
| TCP | Generic TCP | OnPremise | Basic |

Detailed configuration: See references/http-destinations.md, references/rfc-destinations.md, references/mail-tcp-ldap-destinations.md

Authentication Configuration

OAuth2ClientCredentials (Service-to-Service)

Authentication: OAuth2ClientCredentials
clientId: <client-id>
clientSecret: <client-secret>
tokenServiceURL: https://auth.example.com/oauth/token

OAuth2SAMLBearerAssertion (User Propagation)

Authentication: OAuth2SAMLBearerAssertion
audience: <target-audience>
clientKey: <client-key>
tokenServiceURL: https://auth.example.com/oauth2/token
KeyStoreLocation: <certificate-location>

PrincipalPropagation (On-Premise SSO)

Authentication: PrincipalPropagation
ProxyType: OnPremise

Requires Cloud Connector X.509 certificate generation.

Complete reference: references/authentication-types.md (all 17+ types)

Cloud Connector Setup

Installation

  • Production: Windows MSI/Linux RPM packages (service registration)

  • Development: Portable archive (manual execution)

Initial Configuration

  • Access UI: https://<hostname>:8443

  • Login: Administrator / manage

  • Change password immediately

  • Select mode: Master or Shadow

  • Add subaccount connection

Access Control

Configure on-premise resource access:

  • Backend Types: ABAP System, SAP Gateway, Non-SAP System, SAP HANA

  • HTTP Access Control: System mapping + resource paths + policies

High Availability

  • Master-Shadow: Primary + backup with synchronized config

  • Requirements: Stable network, separate machines, identical versions

Complete guide: references/cloud-connector.md

Kubernetes/Kyma Connectivity

Connectivity Proxy

Enables Kubernetes workloads to access on-premise systems.

Installation:

helm install connectivity-proxy \
  oci://registry-1.docker.io/sapse/connectivity-proxy \
  --version <version> --namespace <namespace> -f values.yaml

Transparent Proxy

Exposes BTP destinations as Kubernetes Services.

Installation:

helm install transparent-proxy \
  oci://registry-1.docker.io/sapse/transparent-proxy \
  --version <version> --namespace <namespace> -f values.yaml

Usage: Create Destination Custom Resource, access as Kubernetes Service.

Complete configuration: references/kubernetes-connectivity.md

Common Issues & Troubleshooting

HTTP Error Codes

| Code | Cause | Resolution |
|---|---|---|
| 400 | Malformed request | Check request syntax |
| 401 | Authentication failure | Verify credentials/tokens |
| 405 | HTTPS instead of HTTP | Use http:// with port 20003 |
| 407 | Missing authorization | Add Proxy-Authorization: Bearer <token> |
| 503 | Cloud Connector offline | Check CC connection and Location ID |

Cloud Connector Issues

Cannot connect to subaccount:

  • Verify region host URL

  • Check firewall allows outbound HTTPS

  • Verify subaccount credentials

Access denied to resource:

  • Check access control configuration

  • Verify virtual host mapping

  • Check resource path policy

Complete troubleshooting: references/troubleshooting.md

Security Best Practices

Cloud Connector

  • Deploy in DMZ under IT control

  • Change default password immediately

  • Configure LDAP for user management

  • Enable audit logging (All level for production)

  • Deploy high availability (master + shadow)

Destinations

  • Use OAuth over basic authentication

  • Store credentials in Destination Service, not code

  • Enable TLS for all connections

  • Use mTLS for enhanced security
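
The Destination Types table and the destination practices above can be checked mechanically before a definition is committed or imported. The following is an added example, not part of the skill or of SAP's tooling; the function name, the secret-key list and the sample definitions are assumptions made for illustration.

```javascript
// Added example: lint destination properties against the rules on this page.
// RULES mirrors the Destination Types table; NoAuthentication and
// BasicAuthentication are assumed to be the property values behind the
// table's "NoAuth" and "Basic".
const RULES = new Map(Object.entries({
  HTTP: { proxy: ['Internet', 'OnPremise'], auth: null }, // many auth types, not restricted here
  RFC: { proxy: ['OnPremise'], auth: ['BasicAuthentication', 'PrincipalPropagation'] },
  LDAP: { proxy: ['Internet'], auth: ['BasicAuthentication', 'NoAuthentication'] },
  MAIL: { proxy: ['Internet'], auth: ['BasicAuthentication', 'NoAuthentication'] },
  TCP: { proxy: ['OnPremise'], auth: ['BasicAuthentication'] },
}));
const SECRET_KEYS = ['clientSecret', 'Password']; // assumed secret-bearing keys
const isPlaceholder = (v) => /^<[^<>]+>$/.test(String(v)); // e.g. <client-secret>

function lintDestination(d) {
  const findings = [];
  const add = (level, msg) => findings.push({ level, msg });
  const rule = RULES.get(d.Type);
  if (!rule) return [{ level: 'error', msg: `unknown Type ${d.Type}` }];
  if (!rule.proxy.includes(d.ProxyType)) add('error', `${d.Type} does not support ProxyType ${d.ProxyType}`);
  if (rule.auth && !rule.auth.includes(d.Authentication)) add('error', `${d.Type} does not support ${d.Authentication}`);
  if (d.Authentication === 'PrincipalPropagation' && d.ProxyType !== 'OnPremise') {
    add('error', 'PrincipalPropagation requires ProxyType OnPremise');
  }
  if (d.Type === 'HTTP' && d.ProxyType === 'Internet') {
    let scheme = null;
    try { scheme = new URL(d.URL).protocol; } catch { add('error', 'URL is missing or invalid'); }
    if (scheme && scheme !== 'https:') add('error', 'Internet destination must use https://');
    if (d.Authentication === 'BasicAuthentication') add('warning', 'prefer OAuth over basic authentication');
  }
  for (const key of SECRET_KEYS) {
    if (key in d && !isPlaceholder(d[key])) add('error', `${key} is a literal; keep the secret in the Destination Service`);
  }
  return findings;
}

// Constructed sample definitions, not real systems or credentials.
const SAMPLES = {
  good: { Type: 'HTTP', URL: 'https://api.example.com', ProxyType: 'Internet',
    Authentication: 'OAuth2ClientCredentials', clientId: '<your-client-id>',
    clientSecret: '<your-client-secret>', tokenServiceURL: 'https://auth.example.com/oauth/token' },
  weak: { Type: 'HTTP', URL: 'http://api.example.com', ProxyType: 'Internet',
    Authentication: 'BasicAuthentication', User: 'svc', Password: 'example-only' },
  rfc: { Type: 'RFC', ProxyType: 'Internet', Authentication: 'PrincipalPropagation' },
};
for (const [name, d] of Object.entries(SAMPLES)) console.log(name, lintDestination(d));
```

Run over destination files kept in source control, the secret check passes only placeholder values such as <client-secret>; the real values are entered in the Destination Service.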

Critical Rules

Always Do

  • Change Cloud Connector default password immediately

  • Use HTTPS for all external connections

  • Configure access control before exposing resources

  • Enable audit logging in production

  • Cache tokens and destinations appropriately

Never Do

  • Expose Cloud Connector UI to internet

  • Store credentials in application code

  • Skip access control configuration

  • Modify Cloud Connector Tomcat config files

  • Run multiple master instances (split-brain)

Bundled Resources

Configuration References

  • references/http-destinations.md - Complete HTTP destination properties

  • references/rfc-destinations.md - RFC destination properties and pooling

  • references/mail-tcp-ldap-destinations.md - Mail, TCP, LDAP configuration

  • references/authentication-types.md - All 17+ authentication configurations

Setup & Configuration

  • references/cloud-connector.md - Cloud Connector setup and configuration

  • references/kubernetes-connectivity.md - Connectivity Proxy and Transparent Proxy

  • references/destination-service-api.md - REST API reference

Advanced Topics

  • references/advanced-configuration.md - MTA, config.json, chaining, ZTIS

  • references/identity-propagation-scenarios.md - ABAP, NetWeaver Java, custom IDP

  • references/operational-guides.md - Network zones, solution management

  • references/connectivity-alternatives-and-config.md - Reverse proxy, user roles, RFC config

Development & SDK

  • references/java-sdk-development.md - Java APIs, JCo, SAP Cloud SDK

  • references/mail-protocols.md - SMTP, IMAP, POP3 configuration

Templates

  • templates/destination-http-oauth.json - HTTP destination with OAuth template

  • templates/destination-onpremise.json - On-premise destination template

  • templates/connectivity-proxy-values.yaml - Helm values for Connectivity Proxy

  • templates/transparent-proxy-values.yaml - Helm values for Transparent Proxy

Last Updated: 2025-11-27
Next Review: 2026-02-27
Source: https://github.com/SAP-docs/btp-connectivity (383 files, 352+ analyzed)
