Home
Configure API Management in SAP BTP
Create an API Proxy in SAP BTP to expose iCWP OData services from your connected SAP system. The proxy uses the API Provider details from Cloud Connector and makes the service available for policy enforcement and external consumption.
Secure API Proxies with Policy-Based Authentication
After creating an API proxy, you must apply authentication policies to control secure access. If no policies are configured, users are prompted for SAP credentials by default.

Title and Copyright
Copyright and Terms of Use page for iMaintenance Installation.
Preface
Understand audience, know related documents and products and conventions followed in this document.
Introduction
The iMaintenance Deployment & Setup Guide gets iMaintenance running safely in your enterprise landscape.
Foundation Setup for iMaintenance Deployment
Before iMaintenance can connect to SAP and expose APIs, the core environment must be initialized. This setup includes seeding MongoDB with configuration data, enabling SAP inbound services, mapping dependencies, and starting the microservices that power the application.
Configure SAP iMaintenance Roles and Authorizations
Before iMaintenance can integrate with SAP, specific roles and authorizations must be configured. These roles control access to master data, transactional posting, and integration endpoints.
Secure API Access with IP Whitelisting
Secure connectivity for Innovapptive-hosted applications is enforced by restricting inbound traffic to trusted client IPs and permitting outbound traffic only to approved Innovapptive domains. This ensures that only authorized systems can exchange data with iMaintenance while preventing unauthorized access.
Install Supporting Systems and iCWP Integration Suite
Enable SAP NetWeaver Gateway and configure virus scan handling so iCWP OData services can run securely.
SAP BTP and On-Premise Integration via Cloud Connector
Set up secure connectivity between SAP BTP and your on-premise SAP systems with the SAP Cloud Connector. This enables iCWP OData services to be consumed on BTP without exposing inbound firewall ports.
Configure API Management in SAP BTP
Create an API Proxy in SAP BTP to expose iCWP OData services from your connected SAP system. The proxy uses the API Provider details from Cloud Connector and makes the service available for policy enforcement and external consumption.
- Verify Prerequisites
  Verify that the foundational setup in SAP BTP is complete before enabling API Management. These prerequisites confirm that the right environment and services are available for iCWP integration.
- Enable API Management in BTP
  Activate API Management in your SAP BTP subaccount and assign the required roles. These roles control who can configure API providers, create proxies, and manage policies for iCWP services.
- Configure API Provider
  Define an API Provider in SAP API Management to connect to your on-premise SAP system through Cloud Connector. The provider stores the virtual host, port, and connectivity settings that proxies use to access iCWP OData services.
- Create an API Proxy
  Create an API Proxy in SAP BTP to expose iCWP OData services from your connected SAP system. The proxy uses the API Provider details from Cloud Connector and makes the service available for policy enforcement and external consumption.
- Secure API Proxies with Policy-Based Authentication
  After creating an API proxy, you must apply authentication policies to control secure access. If no policies are configured, users are prompted for SAP credentials by default.
  - Create a Key Value Map
    Set up a Key Value Map (KVM) in API Management to securely store the SAP service user credentials. The values are encrypted and later referenced in authentication policies.
  - Define API Key Validation Policies
    Validate incoming API calls using API Key policies in SAP BTP API Management. This ensures only authorized clients (with valid keys) can access your iCWP services.
  - Create a Product and Bundle the API
    Create a product in API Portal and bundle the iCWP API so it’s available in Developer Hub.
  - Create an Application to Generate Application Key and Secret Key
    Create an application in Developer Hub, subscribe it to the published product, and generate the Application Key (and optionally a Secret Key) used to authenticate API calls.
  - Test API Proxy with API Key Authentication
    Call the API Proxy using the generated Application Key to validate API Key–based access..
Configure OAuth 2.0 Authentication
Enable OAuth 2.0 authentication in SAP API Management so external consumers can securely obtain and use access tokens when calling iCWP APIs.
Handle CSRF Tokens in API Management
Enable server-to-server authentication between SAP API Management and the backend system, so API consumers don’t need direct backend credentials.
Troubleshoot API Errors and Metadata Issues

Secure API Proxies with Policy-Based Authentication

After creating an API proxy, you must apply authentication policies to control secure access. If no policies are configured, users are prompted for SAP credentials by default.

SAP BTP API Management supports two authentication methods for external consumers:

API Key
OAuth 2.0

These ensure secure access between Innovapptive Cloud and SAP BTP, while communication between SAP BTP API Management and the SAP backend system (SAP Gateway) continues to use Basic Authentication with a dedicated service Service User ID (system user).

To enable API Key-based authentication in SAP BTP API Management, follow the steps below:

Create a Key Value Map.
Define API Key validation policies.
Assign API proxies to a product and publish it.
Create an application and subscribe it to the product.
Share the API key with the external consumer.
Test the API in Postman using the API key.