sap-btp-connectivity


SAP BTP Connectivity Skill


Related Skills


  • sap-btp-cloud-platform: Use for platform fundamentals, BTP account setup, and integration patterns
  • sap-btp-best-practices: Use for implementation guidance, security best practices, and production deployment
  • sap-cap-capire: Use for CAP service connectivity, destination consumption, and secure API access
  • sap-fiori-tools: Use for configuring Fiori app destinations and frontend connectivity
  • sap-abap: Use when connecting to ABAP systems via RFC or implementing principal propagation


Overview


SAP BTP Connectivity provides secure access from SAP BTP applications to remote services across cloud, on-premise, and VPC environments.

Core Components


| Component | Purpose |
|---|---|
| Destination Service | Manages connection metadata, authentication, routing |
| Connectivity Service | Enables Kubernetes workloads via Cloud Connector |
| Cloud Connector | Reverse proxy for secure on-premise tunneling |
| Connectivity Proxy | Kubernetes component for on-premise access |
| Transparent Proxy | Kubernetes component for unified destination access |

Supported Environments: Cloud Foundry, ABAP Environment, Kyma
Supported Protocols: HTTP/HTTPS, RFC, TCP (SOCKS5), LDAP/LDAPS, Mail


Quick Start


Create HTTP Destination (Cloud Foundry)


  1. Navigate: Connectivity > Destinations in BTP Cockpit
  2. Select: Create > From Scratch
  3. Configure:
    Name: my-destination
    Type: HTTP
    URL: https://api.example.com
    ProxyType: Internet
    Authentication: OAuth2ClientCredentials
    clientId: <your-client-id>
    clientSecret: <your-client-secret>
    tokenServiceURL: https://auth.example.com/oauth/token

Set Up Cloud Connector


  1. Download from SAP Tools
  2. Access: https://localhost:8443
  3. Login: Administrator / manage (change immediately)
  4. Add subaccount connection

Access Destination in Application (Node.js)


```javascript
const { getDestination } = require('@sap-cloud-sdk/connectivity');
async function loadDestination() { // await needs an async function in CommonJS
  return getDestination({ destinationName: 'my-destination' });
}
```


Connectivity Scenarios


Cloud-to-Cloud


ProxyType: Internet
Authentication: OAuth2ClientCredentials | OAuth2SAMLBearerAssertion

Cloud-to-On-Premise


ProxyType: OnPremise
Authentication: BasicAuthentication | PrincipalPropagation
Requires Cloud Connector installation in on-premise network.

On-Premise-to-Cloud (Service Channels)


For on-premise systems accessing SAP BTP services via Cloud Connector.


Destination Types


| Type | Use Case | ProxyType | Common Authentication |
|---|---|---|---|
| HTTP | REST/OData APIs | Internet/OnPremise | OAuth2, Basic, Certificates |
| RFC | SAP systems | OnPremise | Basic, PrincipalPropagation |
| LDAP | Directory services | Internet | Basic, NoAuth |
| MAIL | Email protocols | Internet | Basic, NoAuth |
| TCP | Generic TCP | OnPremise | Basic |

Detailed configuration: See references/http-destinations.md, references/rfc-destinations.md, references/mail-tcp-ldap-destinations.md


Authentication Configuration


OAuth2ClientCredentials (Service-to-Service)


Authentication: OAuth2ClientCredentials
clientId: <client-id>
clientSecret: <client-secret>
tokenServiceURL: https://auth.example.com/oauth/token

OAuth2SAMLBearerAssertion (User Propagation)


Authentication: OAuth2SAMLBearerAssertion
audience: <target-audience>
clientKey: <client-key>
tokenServiceURL: https://auth.example.com/oauth2/token
KeyStoreLocation: <certificate-location>

PrincipalPropagation (On-Premise SSO)


Authentication: PrincipalPropagation
ProxyType: OnPremise
Requires Cloud Connector X.509 certificate generation.
Complete reference: references/authentication-types.md (all 17+ types)


Cloud Connector Setup


Installation


  • Production: Windows MSI/Linux RPM packages (service registration)
  • Development: Portable archive (manual execution)

Initial Configuration


  1. Access UI: https://<hostname>:8443
  2. Login: Administrator / manage
  3. Change password immediately
  4. Select mode: Master or Shadow
  5. Add subaccount connection

Access Control


Configure on-premise resource access:
  • Backend Types: ABAP System, SAP Gateway, Non-SAP System, SAP HANA
  • HTTP Access Control: System mapping + resource paths + policies

High Availability


  • Master-Shadow: Primary + backup with synchronized config
  • Requirements: Stable network, separate machines, identical versions
Complete guide: references/cloud-connector.md


Kubernetes/Kyma Connectivity


Connectivity Proxy


Enables Kubernetes workloads to access on-premise systems.
Installation:
```bash
helm install connectivity-proxy \
  oci://registry-1.docker.io/sapse/connectivity-proxy \
  --version <version> --namespace <namespace> -f values.yaml
```

Transparent Proxy


Exposes BTP destinations as Kubernetes Services.
Installation:
```bash
helm install transparent-proxy \
  oci://registry-1.docker.io/sapse/transparent-proxy \
  --version <version> --namespace <namespace> -f values.yaml
```
Usage: Create Destination Custom Resource, access as Kubernetes Service.
Complete configuration: references/kubernetes-connectivity.md


Common Issues & Troubleshooting


HTTP Error Codes


| Code | Cause | Solution |
|---|---|---|
| 400 | Malformed request | Check request syntax |
| 401 | Authentication failure | Verify credentials/tokens |
| 405 | HTTPS instead of HTTP | Use http:// with port 20003 |
| 407 | Missing authorization | Add Proxy-Authorization: Bearer <token> |
| 503 | Cloud Connector offline | Check CC connection and Location ID |
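
The 405, 407 and 503 rows above all come down to how the proxy request is assembled. The following added example (not code from the original page or from SAP) builds the request options and fails early on the first two conditions. It assumes the Cloud Foundry connectivity service binding fields `onpremise_proxy_host` and `onpremise_proxy_http_port` and the `SAP-Connectivity-SCC-Location_ID` header; the function name and all sample values are hypothetical.

```javascript
// Added example: request options for an on-premise call through the
// connectivity proxy. Binding field names are assumptions taken from the
// Cloud Foundry connectivity service binding; every value is constructed.
function buildOnPremiseRequest({ binding, proxyToken, virtualUrl, locationId }) {
  const target = new URL(virtualUrl);
  if (target.protocol !== 'http:') {
    // 405 row: the proxy on port 20003 expects http://, not https://
    throw new Error(`405 risk: use http:// for the virtual host, got ${target.protocol}`);
  }
  if (!proxyToken) {
    // 407 row: the proxy rejects requests without a bearer token
    throw new Error('407 risk: Proxy-Authorization bearer token is required');
  }
  const headers = {
    Host: target.host,
    'Proxy-Authorization': `Bearer ${proxyToken}`,
  };
  if (locationId) {
    // 503 row: this must match the Location ID set in Cloud Connector
    headers['SAP-Connectivity-SCC-Location_ID'] = locationId;
  }
  return {
    host: binding.onpremise_proxy_host,
    port: Number(binding.onpremise_proxy_http_port),
    method: 'GET',
    path: target.href, // absolute-form request target, as sent to an HTTP proxy
    headers,
  };
}

// Constructed binding, token and virtual host
const sampleBinding = { onpremise_proxy_host: 'proxy.internal.example', onpremise_proxy_http_port: '20003' };
const sampleOptions = buildOnPremiseRequest({
  binding: sampleBinding,
  proxyToken: 'constructed-token',
  virtualUrl: 'http://virtual-erp:44300/sap/opu/odata/',
  locationId: 'DC1',
});
console.log(sampleOptions.host, sampleOptions.port, Object.keys(sampleOptions.headers));
```

The returned object can be passed to Node's `http.request`; the token itself comes from the connectivity service's token endpoint and should be cached rather than fetched per call.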

Cloud Connector Issues


Cannot connect to subaccount:
  • Verify region host URL
  • Check firewall allows outbound HTTPS
  • Verify subaccount credentials
Access denied to resource:
  • Check access control configuration
  • Verify virtual host mapping
  • Check resource path policy
Complete troubleshooting: references/troubleshooting.md


Security Best Practices


Cloud Connector


  • Deploy in DMZ under IT control
  • Change default password immediately
  • Configure LDAP for user management
  • Enable audit logging (All level for production)
  • Deploy high availability (master + shadow)

Destinations


  • Use OAuth over basic authentication
  • Store credentials in Destination Service, not code
  • Enable TLS for all connections
  • Use mTLS for enhanced security
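
These rules can be checked mechanically before a destination is created or imported. The following added example (not part of the original page or of any SAP tooling) lints a destination's properties against the rules on this page. Property names are the ones shown above; the rule ids, the `NoAuthentication` default and the sample destinations are assumptions made for illustration.

```javascript
// Added example. Property names are the ones shown on this page; the rule ids
// and sample values are constructed for illustration.
const OAUTH_REQUIRED = {
  OAuth2ClientCredentials: ['clientId', 'clientSecret', 'tokenServiceURL'],
  OAuth2SAMLBearerAssertion: ['audience', 'clientKey', 'tokenServiceURL'],
};

function isHttps(value) {
  try { return new URL(value).protocol === 'https:'; } catch { return false; }
}

function lintDestination(dest) {
  const findings = [];
  const add = (rule, message) => findings.push({ rule, message });
  const auth = dest.Authentication || 'NoAuthentication';

  // "Use HTTPS for all external connections"
  if (dest.Type === 'HTTP' && dest.ProxyType === 'Internet' && !isHttps(dest.URL)) {
    add('tls-external', `URL ${dest.URL} is not HTTPS`);
  }
  if (dest.tokenServiceURL && !isHttps(dest.tokenServiceURL)) {
    add('tls-token-endpoint', 'tokenServiceURL is not HTTPS');
  }
  // "Use OAuth over basic authentication"
  if (auth === 'BasicAuthentication' || auth === 'NoAuthentication') {
    add('prefer-oauth', `${auth} in use; prefer an OAuth2 flow`);
  }
  // PrincipalPropagation is only listed with ProxyType OnPremise
  if (auth === 'PrincipalPropagation' && dest.ProxyType !== 'OnPremise') {
    add('pp-needs-onpremise', 'PrincipalPropagation requires ProxyType OnPremise');
  }
  // Required OAuth properties must be set and not left as <placeholder> text
  for (const key of OAUTH_REQUIRED[auth] || []) {
    if (!dest[key] || /^<.*>$/.test(dest[key])) {
      add('incomplete-oauth', `${key} is missing or still a placeholder`);
    }
  }
  return findings;
}

// Constructed sample destinations
const weak = { Name: 'legacy', Type: 'HTTP', URL: 'http://api.example.com',
  ProxyType: 'Internet', Authentication: 'BasicAuthentication' };
const draft = { Name: 'my-destination', Type: 'HTTP', URL: 'https://api.example.com',
  ProxyType: 'Internet', Authentication: 'OAuth2ClientCredentials',
  clientId: '<your-client-id>', clientSecret: '<your-client-secret>',
  tokenServiceURL: 'https://auth.example.com/oauth/token' };
console.log(lintDestination(weak), lintDestination(draft));
```

Run it over exported destination JSON in CI so that a plain-HTTP URL or a basic-auth destination is caught before deployment.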


Critical Rules


Always Do


  • Change Cloud Connector default password immediately
  • Use HTTPS for all external connections
  • Configure access control before exposing resources
  • Enable audit logging in production
  • Cache tokens and destinations appropriately

Never Do


  • Expose Cloud Connector UI to internet
  • Store credentials in application code
  • Skip access control configuration
  • Modify Cloud Connector Tomcat config files
  • Run multiple master instances (split-brain)


Bundled Resources


Configuration References


  • references/http-destinations.md
    - Complete HTTP destination properties
  • references/rfc-destinations.md
    - RFC destination properties and pooling
  • references/mail-tcp-ldap-destinations.md
    - Mail, TCP, LDAP configuration
  • references/authentication-types.md
    - All 17+ authentication configurations

Setup & Configuration


  • references/cloud-connector.md
    - Cloud Connector setup and configuration
  • references/kubernetes-connectivity.md
    - Connectivity Proxy and Transparent Proxy
  • references/destination-service-api.md
    - REST API reference

Advanced Topics


  • references/advanced-configuration.md
    - MTA, config.json, chaining, ZTIS
  • references/identity-propagation-scenarios.md
    - ABAP, NetWeaver Java, custom IDP
  • references/operational-guides.md
    - Network zones, solution management
  • references/connectivity-alternatives-and-config.md
    - Reverse proxy, user roles, RFC config

Development & SDK


  • references/java-sdk-development.md
    - Java APIs, JCo, SAP Cloud SDK
  • references/mail-protocols.md
    - SMTP, IMAP, POP3 configuration

Templates


  • templates/destination-http-oauth.json
    - HTTP destination with OAuth template
  • templates/destination-onpremise.json
    - On-premise destination template
  • templates/connectivity-proxy-values.yaml
    - Helm values for Connectivity Proxy
  • templates/transparent-proxy-values.yaml
    - Helm values for Transparent Proxy


Documentation Links



Last Updated: 2025-11-27
Next Review: 2026-02-27
Source: https://github.com/SAP-docs/btp-connectivity (383 files, 352+ analyzed)
