Agent skill
sap-btp-connectivity
SAP BTP Connectivity skill covering Destination Service, Connectivity Service, Cloud Connector, Connectivity Proxy, and Transparent Proxy for Kubernetes. Use when configuring destinations (HTTP, RFC, LDAP, MAIL, TCP), setting up cloud-to-on-premise connectivity, implementing OAuth and principal propagation, deploying connectivity proxies in Kubernetes/Kyma, troubleshooting connectivity errors (405, 407, 503), or configuring multitenancy.
Install this agent skill to your Project
npx add-skill https://github.com/secondsky/sap-skills/tree/main/plugins/sap-btp-connectivity/skills/sap-btp-connectivity
Metadata
Additional technical details for this skill
- version: 1.1.0
- keywords: SAP BTP Connectivity Destination Service Cloud Connector Connectivity Proxy Transparent Proxy Kyma Kubernetes OAuth Principal Propagation RFC LDAP on-premise hybrid connectivity service channels SOCKS5 reverse proxy tunnel
- last verified: 2025-11-27
SKILL.md
SAP BTP Connectivity Skill
Related Skills
- sap-btp-cloud-platform: Use for platform fundamentals, BTP account setup, and integration patterns
- sap-btp-best-practices: Use for implementation guidance, security best practices, and production deployment
- sap-cap-capire: Use for CAP service connectivity, destination consumption, and secure API access
- sap-fiori-tools: Use for configuring Fiori app destinations and frontend connectivity
- sap-abap: Use when connecting to ABAP systems via RFC or implementing principal propagation
Table of Contents
- Overview
- Quick Start
- Connectivity Scenarios
- Destination Types
- Authentication Configuration
- Cloud Connector Setup
- Kubernetes/Kyma Connectivity
- Common Issues & Troubleshooting
- Security Best Practices
- Critical Rules
- Bundled Resources
Overview
SAP BTP Connectivity provides secure access from SAP BTP applications to remote services across cloud, on-premise, and VPC environments.
Core Components
| Component | Purpose |
|---|---|
| Destination Service | Manages connection metadata, authentication, routing |
| Connectivity Service | Enables Kubernetes workloads via Cloud Connector |
| Cloud Connector | Reverse proxy for secure on-premise tunneling |
| Connectivity Proxy | Kubernetes component for on-premise access |
| Transparent Proxy | Kubernetes component for unified destination access |
Supported Environments: Cloud Foundry, ABAP Environment, Kyma
Supported Protocols: HTTP/HTTPS, RFC, TCP (SOCKS5), LDAP/LDAPS, Mail
Quick Start
Create HTTP Destination (Cloud Foundry)
- Navigate: Connectivity > Destinations in BTP Cockpit
- Select: Create > From Scratch
- Configure:
Name: my-destination
Type: HTTP
URL: https://api.example.com
ProxyType: Internet
Authentication: OAuth2ClientCredentials
clientId: <your-client-id>
clientSecret: <your-client-secret>
tokenServiceURL: https://auth.example.com/oauth/token
Set Up Cloud Connector
- Download from SAP Tools
- Access: https://localhost:8443
- Login: Administrator/manage (change immediately)
- Add subaccount connection
Access Destination in Application (Node.js)
const { getDestination } = require('@sap-cloud-sdk/connectivity');
(async () => { // top-level await is not available in CommonJS modules
  const destination = await getDestination({ destinationName: 'my-destination' });
})();
Connectivity Scenarios
Cloud-to-Cloud
ProxyType: Internet
Authentication: OAuth2ClientCredentials | OAuth2SAMLBearerAssertion
Cloud-to-On-Premise
ProxyType: OnPremise
Authentication: BasicAuthentication | PrincipalPropagation
Requires Cloud Connector installation in on-premise network.
On-Premise-to-Cloud (Service Channels)
For on-premise systems accessing SAP BTP services via Cloud Connector.
Destination Types
| Type | Use Case | ProxyType | Common Authentication |
|---|---|---|---|
| HTTP | REST/OData APIs | Internet/OnPremise | OAuth2, Basic, Certificates |
| RFC | SAP systems | OnPremise | Basic, PrincipalPropagation |
| LDAP | Directory services | Internet | Basic, NoAuth |
| MAIL | Email protocols | Internet | Basic, NoAuth |
| TCP | Generic TCP | OnPremise | Basic |
Detailed configuration: See references/http-destinations.md, references/rfc-destinations.md, references/mail-tcp-ldap-destinations.md
Authentication Configuration
OAuth2ClientCredentials (Service-to-Service)
Authentication: OAuth2ClientCredentials
clientId: <client-id>
clientSecret: <client-secret>
tokenServiceURL: https://auth.example.com/oauth/token
OAuth2SAMLBearerAssertion (User Propagation)
Authentication: OAuth2SAMLBearerAssertion
audience: <target-audience>
clientKey: <client-key>
tokenServiceURL: https://auth.example.com/oauth2/token
KeyStoreLocation: <certificate-location>
PrincipalPropagation (On-Premise SSO)
Authentication: PrincipalPropagation
ProxyType: OnPremise
Requires Cloud Connector X.509 certificate generation.
Complete reference: references/authentication-types.md (all 17+ types)
Cloud Connector Setup
Installation
- Production: Windows MSI/Linux RPM packages (service registration)
- Development: Portable archive (manual execution)
Initial Configuration
- Access UI: https://<hostname>:8443
- Login: Administrator/manage
- Change password immediately
- Select mode: Master or Shadow
- Add subaccount connection
Access Control
Configure on-premise resource access:
- Backend Types: ABAP System, SAP Gateway, Non-SAP System, SAP HANA
- HTTP Access Control: System mapping + resource paths + policies
High Availability
- Master-Shadow: Primary + backup with synchronized config
- Requirements: Stable network, separate machines, identical versions
Complete guide: references/cloud-connector.md
Kubernetes/Kyma Connectivity
Connectivity Proxy
Enables Kubernetes workloads to access on-premise systems.
Installation:
helm install connectivity-proxy \
oci://registry-1.docker.io/sapse/connectivity-proxy \
--version <version> --namespace <namespace> -f values.yaml
Transparent Proxy
Exposes BTP destinations as Kubernetes Services.
Installation:
helm install transparent-proxy \
oci://registry-1.docker.io/sapse/transparent-proxy \
--version <version> --namespace <namespace> -f values.yaml
Usage: Create Destination Custom Resource, access as Kubernetes Service.
Complete configuration: references/kubernetes-connectivity.md
Common Issues & Troubleshooting
HTTP Error Codes
| Code | Cause | Solution |
|---|---|---|
| 400 | Malformed request | Check request syntax |
| 401 | Authentication failure | Verify credentials/tokens |
| 405 | HTTPS instead of HTTP | Use http:// with port 20003 |
| 407 | Missing authorization | Add Proxy-Authorization: Bearer <token> |
| 503 | Cloud Connector offline | Check CC connection and Location ID |
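The 405, 407 and 503 rows all come down to how the request to the on-premise proxy is built. The following is an added example, not code from the skill: `buildOnPremiseRequest` and its parameters are hypothetical names, the hosts are constructed, and the `SAP-Connectivity-SCC-Location_ID` header name is taken from SAP's connectivity documentation rather than from this page.

```javascript
// Added example: build options for Node's http.request() so that a call to an
// on-premise system goes through the connectivity proxy without hitting the
// 405 and 407 cases from the table above. All names and hosts are assumptions.
function buildOnPremiseRequest({ proxyHost, proxyPort = 20003, token, targetUrl, locationId }) {
  const target = new URL(targetUrl);

  // 405 row: the proxy endpoint on port 20003 expects http://, not https://.
  if (target.protocol !== 'http:') {
    throw new Error('405: use http:// for the virtual host, got ' + target.protocol);
  }
  // 407 row: the proxy rejects requests without a bearer token.
  if (!token) {
    throw new Error('407: Proxy-Authorization bearer token is missing');
  }

  const headers = {
    Host: target.host,
    'Proxy-Authorization': `Bearer ${token}`,
  };
  // 503 row: with several Cloud Connectors on one subaccount, the Location ID
  // selects the instance; a wrong or missing value leaves the request unroutable.
  if (locationId) {
    headers['SAP-Connectivity-SCC-Location_ID'] = locationId;
  }

  // A forward proxy needs the absolute target URL as the request path.
  return { host: proxyHost, port: proxyPort, method: 'GET', path: target.href, headers };
}

// Constructed sample values, not real systems or tokens.
const sampleRequest = buildOnPremiseRequest({
  proxyHost: 'connectivity-proxy.example.internal',
  token: 'constructed-token',
  targetUrl: 'http://virtual-erp:44300/sap/opu/odata/',
  locationId: 'dc-frankfurt',
});
console.log(sampleRequest);
```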
Cloud Connector Issues
Cannot connect to subaccount:
- Verify region host URL
- Check firewall allows outbound HTTPS
- Verify subaccount credentials
Access denied to resource:
- Check access control configuration
- Verify virtual host mapping
- Check resource path policy
Complete troubleshooting: references/troubleshooting.md
Security Best Practices
Cloud Connector
- Deploy in DMZ under IT control
- Change default password immediately
- Configure LDAP for user management
- Enable audit logging (All level for production)
- Deploy high availability (master + shadow)
Destinations
- Use OAuth over basic authentication
- Store credentials in Destination Service, not code
- Enable TLS for all connections
- Use mTLS for enhanced security
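The destination rules above can be checked before a definition is imported. This is an added example, not part of the skill: the property names follow the destination definitions shown on this page, while `auditDestination`, its finding codes and the sample destinations are constructed for illustration.

```javascript
// Added example: audit a destination definition against the checklist above.
// auditDestination and the finding codes are hypothetical names for this sketch.
const isHttps = (u) => typeof u === 'string' && /^https:\/\//i.test(u);

function auditDestination(dest) {
  const findings = [];
  const auth = dest.Authentication;

  // "Use OAuth over basic authentication"
  if (auth === 'BasicAuthentication') findings.push('basic-auth');

  // "Enable TLS for all connections": Internet destinations must use https.
  // OnPremise URLs name a Cloud Connector virtual host and are not flagged here.
  if (dest.Type === 'HTTP' && dest.ProxyType === 'Internet' && !isHttps(dest.URL)) {
    findings.push('plain-http-url');
  }

  // The token endpoint receives clientId and clientSecret, so it needs TLS too.
  if (dest.tokenServiceURL !== undefined && !isHttps(dest.tokenServiceURL)) {
    findings.push('plain-http-token-endpoint');
  }

  // OAuth2ClientCredentials needs the three properties shown in Quick Start.
  if (auth === 'OAuth2ClientCredentials') {
    for (const key of ['clientId', 'clientSecret', 'tokenServiceURL']) {
      if (!dest[key]) findings.push(`missing-${key}`);
    }
  }

  // The page lists PrincipalPropagation together with ProxyType: OnPremise.
  if (auth === 'PrincipalPropagation' && dest.ProxyType !== 'OnPremise') {
    findings.push('principal-propagation-needs-onpremise');
  }
  return findings;
}

// Constructed sample destinations (placeholders, not real systems or secrets).
const legacyDestination = {
  Name: 'legacy-api', Type: 'HTTP', URL: 'http://api.example.com',
  ProxyType: 'Internet', Authentication: 'BasicAuthentication',
};
const oauthDestination = {
  Name: 'my-destination', Type: 'HTTP', URL: 'https://api.example.com',
  ProxyType: 'Internet', Authentication: 'OAuth2ClientCredentials',
  clientId: '<your-client-id>', clientSecret: '<your-client-secret>',
  tokenServiceURL: 'https://auth.example.com/oauth/token',
};
console.log(auditDestination(legacyDestination), auditDestination(oauthDestination));
```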
Critical Rules
Always Do
- Change Cloud Connector default password immediately
- Use HTTPS for all external connections
- Configure access control before exposing resources
- Enable audit logging in production
- Cache tokens and destinations appropriately
Never Do
- Expose Cloud Connector UI to internet
- Store credentials in application code
- Skip access control configuration
- Modify Cloud Connector Tomcat config files
- Run multiple master instances (split-brain)
Bundled Resources
Configuration References
- references/http-destinations.md - Complete HTTP destination properties
- references/rfc-destinations.md - RFC destination properties and pooling
- references/mail-tcp-ldap-destinations.md - Mail, TCP, LDAP configuration
- references/authentication-types.md - All 17+ authentication configurations
Setup & Configuration
- references/cloud-connector.md - Cloud Connector setup and configuration
- references/kubernetes-connectivity.md - Connectivity Proxy and Transparent Proxy
- references/destination-service-api.md - REST API reference
Advanced Topics
- references/advanced-configuration.md - MTA, config.json, chaining, ZTIS
- references/identity-propagation-scenarios.md - ABAP, NetWeaver Java, custom IDP
- references/operational-guides.md - Network zones, solution management
- references/connectivity-alternatives-and-config.md - Reverse proxy, user roles, RFC config
Development & SDK
- references/java-sdk-development.md - Java APIs, JCo, SAP Cloud SDK
- references/mail-protocols.md - SMTP, IMAP, POP3 configuration
Templates
- templates/destination-http-oauth.json - HTTP destination with OAuth template
- templates/destination-onpremise.json - On-premise destination template
- templates/connectivity-proxy-values.yaml - Helm values for Connectivity Proxy
- templates/transparent-proxy-values.yaml - Helm values for Transparent Proxy
Documentation Links
- Official SAP Documentation: https://help.sap.com/docs/connectivity
- GitHub Repository: https://github.com/SAP-docs/btp-connectivity
- Destination API: https://api.sap.com/api/SAP_CP_CF_Connectivity_Destination
- Release Notes: https://help.sap.com/whats-new/cf0cb2cb149647329b5d02aa96303f56
Last Updated: 2025-11-27
Next Review: 2026-02-27
Source: https://github.com/SAP-docs/btp-connectivity (383 files, 352+ analyzed)