AgentSkillsCN

sap-btp-connectivity

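This skill provides comprehensive knowledge for SAP BTP Connectivity, covering the Destination Service, Connectivity Service, Cloud Connector, Connectivity Proxy, and Transparent Proxy for Kubernetes. Use it when configuring destinations, setting up cloud-to-on-premise connectivity, implementing principal propagation, deploying connectivity proxies in Kubernetes/Kyma environments, or troubleshooting connectivity issues.

Use this skill when:
- Creating or configuring SAP BTP destinations (HTTP, RFC, LDAP, MAIL, TCP)
- Setting up Cloud Connector for on-premise connectivity
- Implementing OAuth authentication flows for destinations
- Configuring principal propagation or user propagation
- Deploying Connectivity Proxy or Transparent Proxy in Kubernetes
- Troubleshooting connectivity errors (405, 407, 503)
- Setting up high availability for Cloud Connector
- Configuring multitenancy for destinations

Keywords: SAP BTP, Connectivity, Destination Service, Cloud Connector, Connectivity Proxy, Transparent Proxy, Kyma, Kubernetes, OAuth, Principal Propagation, RFC, LDAP, on-premise, hybrid connectivity, service channels, SOCKS5, reverse proxy, tunnel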

SKILL.md
--- frontmatter
name: sap-btp-connectivity
description: |
  This skill provides comprehensive knowledge for SAP BTP Connectivity, including the Destination Service, Connectivity Service, Cloud Connector, Connectivity Proxy, and Transparent Proxy for Kubernetes. It should be used when configuring destinations, setting up cloud-to-on-premise connectivity, implementing principal propagation, deploying connectivity proxies in Kubernetes/Kyma environments, or troubleshooting connectivity issues.

  Use this skill when:
  - Creating or configuring SAP BTP destinations (HTTP, RFC, LDAP, MAIL, TCP)
  - Setting up Cloud Connector for on-premise connectivity
  - Implementing OAuth authentication flows for destinations
  - Configuring principal propagation or user propagation
  - Deploying Connectivity Proxy or Transparent Proxy in Kubernetes
  - Troubleshooting connectivity errors (405, 407, 503)
  - Setting up high availability for Cloud Connector
  - Configuring multitenancy for destinations

  Keywords: SAP BTP, Connectivity, Destination Service, Cloud Connector, Connectivity Proxy, Transparent Proxy, Kyma, Kubernetes, OAuth, Principal Propagation, RFC, LDAP, on-premise, hybrid connectivity, service channels, SOCKS5, reverse proxy, tunnel
license: GPL-3.0
metadata:
  version: "1.1.0"
  last_verified: "2025-11-27"

SAP BTP Connectivity Skill

Related Skills

  • sap-btp-cloud-platform: Use for platform fundamentals, BTP account setup, and integration patterns
  • sap-btp-best-practices: Use for implementation guidance, security best practices, and production deployment
  • sap-cap-capire: Use for CAP service connectivity, destination consumption, and secure API access
  • sap-fiori-tools: Use for configuring Fiori app destinations and frontend connectivity
  • sap-abap: Use when connecting to ABAP systems via RFC or implementing principal propagation

Table of Contents

  1. Overview
  2. Quick Start
  3. Connectivity Scenarios
  4. Destination Types
  5. Authentication Configuration
  6. Cloud Connector Setup
  7. Kubernetes/Kyma Connectivity
  8. Common Issues & Troubleshooting
  9. Security Best Practices
  10. Critical Rules
  11. Bundled Resources

Overview

SAP BTP Connectivity provides secure access from SAP BTP applications to remote services across cloud, on-premise, and VPC environments.

Core Components

| Component | Purpose |
| --- | --- |
| Destination Service | Manages connection metadata, authentication, routing |
| Connectivity Service | Enables Kubernetes workloads via Cloud Connector |
| Cloud Connector | Reverse proxy for secure on-premise tunneling |
| Connectivity Proxy | Kubernetes component for on-premise access |
| Transparent Proxy | Kubernetes component for unified destination access |

Supported Environments: Cloud Foundry, ABAP Environment, Kyma
Supported Protocols: HTTP/HTTPS, RFC, TCP (SOCKS5), LDAP/LDAPS, Mail


Quick Start

Create HTTP Destination (Cloud Foundry)

  1. Navigate: Connectivity > Destinations in BTP Cockpit
  2. Select: Create > From Scratch
  3. Configure:
    ```
    Name: my-destination
    Type: HTTP
    URL: https://api.example.com
    ProxyType: Internet
    Authentication: OAuth2ClientCredentials
    clientId: <your-client-id>
    clientSecret: <your-client-secret>
    tokenServiceURL: https://auth.example.com/oauth/token
    ```
    

Set Up Cloud Connector

  1. Download from SAP Tools
  2. Access: https://localhost:8443
  3. Login: Administrator / manage (change immediately)
  4. Add subaccount connection

Access Destination in Application (Node.js)

```javascript
const { getDestination } = require('@sap-cloud-sdk/connectivity');

// CommonJS has no top-level await, so wrap the lookup in an async function.
const loadDestination = async () =>
  getDestination({ destinationName: 'my-destination' });
```

Connectivity Scenarios

Cloud-to-Cloud

```
ProxyType: Internet
Authentication: OAuth2ClientCredentials | OAuth2SAMLBearerAssertion
```

Cloud-to-On-Premise

```
ProxyType: OnPremise
Authentication: BasicAuthentication | PrincipalPropagation
```

Requires Cloud Connector installation in on-premise network.

On-Premise-to-Cloud (Service Channels)

For on-premise systems accessing SAP BTP services via Cloud Connector.


Destination Types

| Type | Use Case | ProxyType | Common Authentication |
| --- | --- | --- | --- |
| HTTP | REST/OData APIs | Internet/OnPremise | OAuth2, Basic, Certificates |
| RFC | SAP systems | OnPremise | Basic, PrincipalPropagation |
| LDAP | Directory services | Internet | Basic, NoAuth |
| MAIL | Email protocols | Internet | Basic, NoAuth |
| TCP | Generic TCP | OnPremise | Basic |

Detailed configuration: See references/http-destinations.md, references/rfc-destinations.md, references/mail-tcp-ldap-destinations.md


Authentication Configuration

OAuth2ClientCredentials (Service-to-Service)

```
Authentication: OAuth2ClientCredentials
clientId: <client-id>
clientSecret: <client-secret>
tokenServiceURL: https://auth.example.com/oauth/token
```

OAuth2SAMLBearerAssertion (User Propagation)

```
Authentication: OAuth2SAMLBearerAssertion
audience: <target-audience>
clientKey: <client-key>
tokenServiceURL: https://auth.example.com/oauth2/token
KeyStoreLocation: <certificate-location>
```

PrincipalPropagation (On-Premise SSO)

```
Authentication: PrincipalPropagation
ProxyType: OnPremise
```

Requires Cloud Connector X.509 certificate generation.

Complete reference: references/authentication-types.md (all 17+ types)


Cloud Connector Setup

Installation

  • Production: Windows MSI/Linux RPM packages (service registration)
  • Development: Portable archive (manual execution)

Initial Configuration

  1. Access UI: https://<hostname>:8443
  2. Login: Administrator / manage
  3. Change password immediately
  4. Select mode: Master or Shadow
  5. Add subaccount connection

Access Control

Configure on-premise resource access:

  • Backend Types: ABAP System, SAP Gateway, Non-SAP System, SAP HANA
  • HTTP Access Control: System mapping + resource paths + policies

High Availability

  • Master-Shadow: Primary + backup with synchronized config
  • Requirements: Stable network, separate machines, identical versions

Complete guide: references/cloud-connector.md


Kubernetes/Kyma Connectivity

Connectivity Proxy

Enables Kubernetes workloads to access on-premise systems.

Installation:

```bash
helm install connectivity-proxy \
  oci://registry-1.docker.io/sapse/connectivity-proxy \
  --version <version> --namespace <namespace> -f values.yaml
```

Transparent Proxy

Exposes BTP destinations as Kubernetes Services.

Installation:

```bash
helm install transparent-proxy \
  oci://registry-1.docker.io/sapse/transparent-proxy \
  --version <version> --namespace <namespace> -f values.yaml
```

Usage: Create a Destination custom resource, then access the destination as a Kubernetes Service.

Complete configuration: references/kubernetes-connectivity.md


Common Issues & Troubleshooting

HTTP Error Codes

| Code | Cause | Solution |
| --- | --- | --- |
| 400 | Malformed request | Check request syntax |
| 401 | Authentication failure | Verify credentials/tokens |
| 405 | HTTPS instead of HTTP | Use http:// with port 20003 |
| 407 | Missing authorization | Add Proxy-Authorization: Bearer <token> |
| 503 | Cloud Connector offline | Check CC connection and Location ID |
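
The 405, 407 and 503 entries above all depend on how a request through the on-premise proxy is addressed. The following is an added example, not code from this skill or from SAP, that builds the options for Node's http.request. The function name, host names and token are constructed, and two details are assumptions not stated on this page: that the proxy host comes from the connectivity service binding, and that the Location ID travels in the SAP-Connectivity-SCC-Location_ID header.

```javascript
// Added example: options for a request through the on-premise HTTP proxy.
function buildOnPremiseRequest({ proxyHost, proxyPort = 20003, targetUrl, token, locationId }) {
  const target = new URL(targetUrl);

  // 405 row: the request must be addressed with http://, not https://.
  if (target.protocol !== 'http:') {
    throw new Error(`405 expected: use http:// (got ${target.protocol}//)`);
  }
  // 407 row: the proxy rejects requests that carry no bearer token.
  if (!token) throw new Error('407 expected: Proxy-Authorization token missing');

  const headers = {
    Host: target.host, // the Cloud Connector virtual host, not the proxy
    'Proxy-Authorization': `Bearer ${token}`,
  };
  // 503 row: when a Location ID is configured on the Cloud Connector, the
  // request has to name it (header name is an assumption, see lead-in).
  if (locationId) headers['SAP-Connectivity-SCC-Location_ID'] = locationId;

  // Forward-proxy form: connect to the proxy, send the absolute URL as the path.
  return { host: proxyHost, port: proxyPort, method: 'GET', path: target.href, headers };
}

// Constructed values; pass the result to http.request().
const exampleRequest = buildOnPremiseRequest({
  proxyHost: 'connectivity-proxy.example.internal',
  targetUrl: 'http://virtual-host:8080/sap/ping',
  token: 'constructed-token',
  locationId: 'LOC1',
});
console.log(exampleRequest);
```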

Cloud Connector Issues

Cannot connect to subaccount:

  • Verify region host URL
  • Check firewall allows outbound HTTPS
  • Verify subaccount credentials

Access denied to resource:

  • Check access control configuration
  • Verify virtual host mapping
  • Check resource path policy

Complete troubleshooting: references/troubleshooting.md


Security Best Practices

Cloud Connector

  • Deploy in DMZ under IT control
  • Change default password immediately
  • Configure LDAP for user management
  • Enable audit logging (All level for production)
  • Deploy high availability (master + shadow)

Destinations

  • Use OAuth over basic authentication
  • Store credentials in Destination Service, not code
  • Enable TLS for all connections
  • Use mTLS for enhanced security
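
The destination rules above can be checked mechanically over exported destination definitions before they are deployed. The following is an added example, not code from this skill or from SAP. The rule names and sample destinations are constructed, Password is the Basic-authentication property (not shown on this page), and accepting http:// for ProxyType OnPremise is an assumption.

```javascript
// Added example: lint destination definitions against the rules on this page.
function lintDestination(dest) {
  const findings = [];
  const proxy = dest.ProxyType || 'Internet';
  const auth = dest.Authentication || 'NoAuthentication';
  const notHttps = (value) => {
    try { return new URL(value).protocol !== 'https:'; } catch { return true; }
  };

  // "Enable TLS for all connections". Assumption: OnPremise destinations address a
  // Cloud Connector virtual host over http:// inside the tunnel, so only Internet
  // HTTP destinations are required to use https here.
  if (proxy === 'Internet' && dest.Type === 'HTTP') {
    if (notHttps(dest.URL)) findings.push('url-not-https');
    if (dest.tokenServiceURL && notHttps(dest.tokenServiceURL)) findings.push('token-url-not-https');
  }

  // "Use OAuth over basic authentication".
  if (proxy === 'Internet' && auth === 'BasicAuthentication') findings.push('basic-auth-over-internet');
  if (dest.Type === 'HTTP' && auth === 'NoAuthentication') findings.push('no-authentication');

  // The page pairs PrincipalPropagation with ProxyType: OnPremise.
  if (auth === 'PrincipalPropagation' && proxy !== 'OnPremise') {
    findings.push('principal-propagation-without-onpremise');
  }

  // "Store credentials in Destination Service, not code": a literal secret in a
  // definition kept in source control is a finding; <placeholders> are not.
  for (const key of ['clientSecret', 'Password']) {
    if (dest[key] && !/^<.*>$/.test(dest[key])) findings.push(`literal-${key}`);
  }
  return findings;
}

// Constructed sample definitions.
const samples = {
  cloud: { Type: 'HTTP', URL: 'https://api.example.com', ProxyType: 'Internet',
    Authentication: 'OAuth2ClientCredentials', clientSecret: '<your-client-secret>',
    tokenServiceURL: 'https://auth.example.com/oauth/token' },
  weak: { Type: 'HTTP', URL: 'http://api.example.com', ProxyType: 'Internet',
    Authentication: 'BasicAuthentication', Password: 'constructed-sample' },
  onPrem: { Type: 'HTTP', URL: 'http://virtual-host:8080', ProxyType: 'OnPremise',
    Authentication: 'PrincipalPropagation' },
};
for (const [name, dest] of Object.entries(samples)) console.log(name, lintDestination(dest));
```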

Critical Rules

Always Do

  • Change Cloud Connector default password immediately
  • Use HTTPS for all external connections
  • Configure access control before exposing resources
  • Enable audit logging in production
  • Cache tokens and destinations appropriately

Never Do

  • Expose Cloud Connector UI to internet
  • Store credentials in application code
  • Skip access control configuration
  • Modify Cloud Connector Tomcat config files
  • Run multiple master instances (split-brain)

Bundled Resources

Configuration References

  • references/http-destinations.md - Complete HTTP destination properties
  • references/rfc-destinations.md - RFC destination properties and pooling
  • references/mail-tcp-ldap-destinations.md - Mail, TCP, LDAP configuration
  • references/authentication-types.md - All 17+ authentication configurations

Setup & Configuration

  • references/cloud-connector.md - Cloud Connector setup and configuration
  • references/kubernetes-connectivity.md - Connectivity Proxy and Transparent Proxy
  • references/destination-service-api.md - REST API reference

Advanced Topics

  • references/advanced-configuration.md - MTA, config.json, chaining, ZTIS
  • references/identity-propagation-scenarios.md - ABAP, NetWeaver Java, custom IDP
  • references/operational-guides.md - Network zones, solution management
  • references/connectivity-alternatives-and-config.md - Reverse proxy, user roles, RFC config

Development & SDK

  • references/java-sdk-development.md - Java APIs, JCo, SAP Cloud SDK
  • references/mail-protocols.md - SMTP, IMAP, POP3 configuration

Templates

  • templates/destination-http-oauth.json - HTTP destination with OAuth template
  • templates/destination-onpremise.json - On-premise destination template
  • templates/connectivity-proxy-values.yaml - Helm values for Connectivity Proxy
  • templates/transparent-proxy-values.yaml - Helm values for Transparent Proxy

Documentation Links


Last Updated: 2025-11-27
Next Review: 2026-02-27
Source: https://github.com/SAP-docs/btp-connectivity (383 files, 352+ analyzed)