Skip to main content


Get SAP Cloud Foundry account

Deploying the Link application will require a SAP Cloud Foundry subscription or a SAP Cloud Foundry Trial.


When using a trial the app will shut down after a few hours every day. Create Trial

Access Cloud Foundry

SAP Cloud Foundry Trial or SAP Cloud Foundry

Cloud Foundry Tools can be downloaded at:

Install and configure SAP Cloud Connector (sapcc) on-premise component

sapcc is an appliance provided by SAP for accessing on-premise SAP servers using secure outbound tunnel to SAP Cloud Platform.

Cloud Connector Security Details from SAP

Important Cloud Connector Notes/Warnings


Cloud Connector Security Certificate Expires Annually

The subaccount certificates in SAP Business Technology Platform expire annually. Renewing them is simple (just a click), but if not done all connectivity through Cloud Connectors in the subaccount will be lost.

The instructions for how to update can be found here


Use the SAP Cloud Connector install guide or use a community provided docker image.


Add subaccount

  • Region: This should match the region of the subaccount in cloud foundry, check your subaccount or trial subaccount and ensure the region listed in the subaccount matches the region selected when adding the subaccount.
  • Subaccount: the value is the Id of the subaccount and not the SubDomain. The ID can be obtained using the info hover or the details tab in the SAP Cloud Platform Cockpit.
  • Display Name: enter the subdomain Subaccount User & Password: Use an authorized user account in the subdomain. If you started a trial use your trial credentials.


Cloud to on-premise

In the subaccount add a new System Mapping.

  • Back-end Type: Other SAP System
  • Protocol: HTTP
  • Internal Host: dns name or ip of the SAP ECC/S4 HANA system
  • Internal Port: port, e.g. http port 8000
  • Virtual Host: create a unique name for the virtual host. (e.g. sap-dev)
  • Virtual Port: 80
  • Principal Type: None
  • Host In Request Header: Use Virtual Host
  • Description: leave blank or provide the system name.
  • In the summary check the checkbox (Check Internal Host) [X]
  • Click [Finish]

Under Resources add a Resource

  • URL Path: /enosix/paca
  • Active: [X]
  • Access Policy: (x) Path And All Sub-Paths


Configure Connectivity service in SAP Cloud Foundry

The space Link is deployed to will need to have a connectivity service provisioned with the instance name of connectivity, although it can be configured to use a specific instance. Configuring the connectivity instance

Network connectivity

If your on-premise network requires whitelisting of IP addresses, the correct entries can be found here and here.

Use the cloud foundry CLI with the following manifest.yaml template.

- name: enosix-link-<company-name> # Add your company name
random-route: true # Remove this line in the production space
memory: 128M
image: enosix/link:stable
- connectivity
health-check-type: http
health-check-http-endpoint: /health
#Logging__LogLevel__Default: Trace # Used to enable detailed trace logging for submitting issues
Routes__ConnectivityInstance: connectivity
Routes__dev__ConcurrentRequests: 10 # Throttle link to a limited number of requests concurrently, in order to reduce memory constraints.
Routes__dev__Token: 3de65974f59e200ef27e8ecfb84437f7 # Rename to a unique secret token
Routes__dev__Url: http://sap-dev:80/enosix/paca # Should match to the path of a virtual host configured in sapcc


  • Copy the manifest.yaml into a local file. The template should be copied twice into a production and non production versions.
  • The <company-name> token on line 4 needs to be replaced with your company name in all lowercase without spaces.
  • The next line random-route needs to be removed if deploying to a production space.
  • The environment variable Routes__ConnectivityInstance must contain the instance name of the connectivity service to access in the space the Link app will be deployed.
  • The manifest.yaml template will need to be created and configured to match the virtual systems in cloud foundry. Under the env node of the file, configure the routes entries for each sap virtual host. The format for each route is Routes__<name>__, with an entry for each Token and Url.

Deploy to Cloud Foundry and verify connectivity

Using the cloud foundry cli, use the command cf push in the directory where the configured manifest.yaml is located to deploy to cloud foundry. After deployment the application will be accessible as a route in cloud foundry, this route plus the configured token parameter can be used to access the connected SAP system.

Note: The path where cf push is executed will have all files bundle up and pushed to cloud foundry. Use an empty directory with only the manifest.yaml file to avoid unnecessary uploads.

Sample output from cf push

Pushing from manifest to org ****** / space ****** as ****************...
Using manifest file /Users/******/link/manifest.yaml
Getting app info...
Updating app with these attributes...
name: enosix-link
docker image: enosix/link:stable
command: /bin/sh -c dotnet link.dll
disk quota: 1G
health check http endpoint: /health
health check type: http
instances: 1
memory: 128M
stack: cflinuxfs3

Updating app link...
Mapping routes...

Stopping app...

Waiting for app to start...

name: link
requested state: started
last uploaded: Mon 1 Jan 12:00:00 EST 2000
docker image: enosix/link:stable

type: web
instances: 1/1
memory usage: 128M
start command: /bin/sh -c dotnet link.dll
state since cpu memory disk details
#0 running 2020-02-13T21:34:01Z 7.3% 23.3M of 128M 158.9M of 1G

Application logs

To view logs from the application use cli command cf logs link To view detailed logs uncomment the env node Logging__LogLevel__Default: Trace by removing the leading #, the redeploy with cf push.

Routing explained

With template above. With route named dev the token is 3de65974f59e200ef27e8ecfb84437f7, the deployment to cloud foundry assigned route of thus the url to access the sap-ecc-dev system will be: - [sapcc] -> http://sap-ecc-dev:80/enosix/paca

Testing & Connectivity Verification

Access the route with the token, it should prompt for authentication. Test using a valid SAP username and password.