Our SAP Cloud Platform provides the ability to develop and run multi-tenant applications. A multi-tenant application lets a provider serve several clients from different organizations separately within a single solution. Each customer is called a tenant. A tenant accesses the application through a dedicated tenant-specific URL, which is how users are isolated from each other.
In several articles we will cover the following topics:
Part 1. Multi-tenancy in the SAP Cloud Platform, scenario overview
Part 2. Uploading the solution in the MTAR format to the platform, linking the database and creating subscriptions for tenants, configuration of the provider’s subaccount
Part 3. Persistence Service - initialization and data isolation
Part 4. Identity management using "Identity Authentication" - setting up the tenant of the service
Part 5. SAP Cloud Connector - setting up and configuring a service for connecting to a local system
Part 6. Configuring the “Connectivity” service and testing a multi-tenant application
Part 7. Fiori Launchpad - using the “Portal” service, tile configuration for a multi-tenant application
Note: This article uses the global (productive) account of the SAP Cloud Platform. To run the scenario in the account, the following services must additionally be connected:
- For the subaccount of the application provider: SAP HANA and SAP Cloud Platform Portal; in addition, at least one quota must be allocated to launch a Java application (Java quota);
- For client subaccount: SAP Cloud Platform Portal, SAP Cloud Platform Identity Authentication.
Part 1. SCP Multi-Tenancy and Solution Overview
The SAP Cloud Platform is a platform for developing and running cloud applications, including applications with multiple tenants, so its services support multi-tenancy.
Do you think customers will be happy if the data they store in your SaaS application will be available to other customers? This is a clear violation of data isolation.
This problem is solved by providing each client with a unique tenant identifier (tenant id). Since the application is deployed directly by the provider, the client must be subscribed to this application to gain access to it. This means that the client does not need to copy the application to his account; he simply subscribes to it and then receives a special URL for his particular tenant. Thus, when the application is launched through this dedicated URL, the user is identified by the tenant's unique identifier.
Advantages of multi-tenant applications:
- Lower Total Cost of Ownership (TCO): Due to the distribution of computing resources and operating costs between customers, the total cost of ownership for such an application is reduced. Cost savings increase as the number of clients served by the multi-tenant application increases;
- Operational efficiency: application updates and error correction are distributed to all tenants by updating the application instance from the supplier;
- Scalability: fast delivery of services to customers. To access the application, the new client only needs to create a subscription to it;
- Configurability: allows clients to customize their reserve of users who can use the application, their own backend services, etc., as the application requires.
Consider the difference between client and provider subaccounts within the global SCP account:

As shown in the diagram, two subaccounts are deployed within the global SCP account - the provider subaccount and the client subaccount.
The subaccount of the provider contains the business logic of the application, its interface, as well as a database that stores customer data that are isolated from each other. Applications actually work in this account.
As already mentioned, the client accesses the application through a subscription to it. Please note that applications are not copied to or run inside the client account. Inside the client subaccount, it is possible to add configurations that apply only to this consumer. For example, you can configure a client identity provider (Identity Provider) as a user repository for cloud platform applications. You can also configure destination paths that point to internal services running in the client's landscape (for example, to access local system data).
Now let's talk about multi-tenancy in SCP services.
a) Persistence Service
There are three ways to achieve multi-tenancy in this service:
1. Delimiter column. This method uses a specific column in the table to provide data isolation. In this case, all clients access the same schema, but each client's rows are marked with that client's dedicated tenant identifier. To keep the data separated in the application, each SQL statement must include the tenant identifier.
2. Table(s) in one schema. This method allows application clients to isolate their data in one or several tenant-specific tables. This is achieved by creating a table or schema in the database for each customer. The client table discriminator determines how to distinguish these tables from other clients' tables. Tables can be in the same schema and use a prefix or suffix to distinguish them, or they can be in a separate schema using the schema client table discriminator.
3. Separation by schema. The isolation of customer data in this case is achieved by storing the tables in different schemas.
b) Identity Authentication
The Identity Authentication service is a cloud-based solution for managing the lifecycle of SCP applications and, if necessary, local applications. It allows you to configure authentication, single sign-on for users, and so on. When the service is connected, the account administrator is provided with a tenant, within which the application configuration and user authorization management take place. This service provides an identity provider for SCP.
The client subaccount is configured for a specific identity provider, within which users are defined, roles are configured, and access to the provider application to which the client is subscribed is configured. Roles are described in the application provider. Thus, user isolation is achieved.
c) Connectivity
The client can configure access to local system data. Using a tool such as the SAP Cloud Connector, a secure connection is made to a local application or system that provides certain data. Inside his subaccount, the client configures the destination path to the local system described in the Cloud Connector. In the provider application, the name of the destination path is indicated — thus, when a client accesses the application, data from the client’s local system is transferred to the application and visualized.
Let us now review the scenario whose implementation is described in this article.
SAP has a reliable partner company specializing in providing solutions for the oil and gas industry. We will call it ITeLO Consulting. This company uses the SAP Cloud Platform to create and launch its cloud applications. ITeLO Consulting prefers to provide its applications as SaaS. In this model, the software is provided as a service and is available to customers via the Internet.
The company has developed a pollution monitoring dashboard that helps oil and gas companies compare the levels of air pollution in the plant and in the city. This solution has aroused interest among some oil and gas companies wishing to take preventive measures against pollution.
ABC PetroCorp and XYZ EnergyCorp are two oil and gas companies that buy this solution from ITeLO.
Robert, the architect of this project, works at ITeLO Consulting. The company bought the SAP Cloud Platform package with the services needed to create this application. Robert’s task is to develop a multi-tenant SaaS application and make it available to the company's customers, ABC PetroCorp and XYZ EnergyCorp. Emily is an employee of the ABC PetroCorp IT department. She is assigned to work on this project with Robert.
The solution architecture is presented below:

ITeLO Consulting will be the subaccount of the provider in this case, while ABC PetroCorp and XYZ EnergyCorp will be the subaccounts of customers subscribing to the application. The settings inside the client subaccounts will be the same, so we will only consider the configuration for the ABC PetroCorp client.
Account Description:
1) ITeLO Consulting is a provider account that runs a database, business logic and user interface applications.
Database:
Air pollution information from each plant is stored in the SAP HANA database. The data of different customers is stored separately using the tenant isolation feature provided by JPA.
Business logic:
Business logic is defined in a Java application running in the provider subaccount. A single Java application instance is used by different clients. Each client creates a subscription to this Java application and gets a unique URL to access it. When the application is accessed using this URL, the SCP retrieves the tenant identifier, which is then used in the application logic.
User interface:
The user interface logic is defined in the HTML5 application running in the subaccount of the provider. As with the Java application, an instance of the HTML5 application runs for different clients. The client accesses the application using a unique URL to access the application.
2) ABC PetroCorp is a client subaccount in which subscriptions are created, client-specific identity provider (IdP) configurations are set up, and access to local services is provided.
Java and HTML5 applications are neither deployed nor copied to this account.
Identity and Access Management:
Access to applications should be available only to ABC PetroCorp employees. ABC PetroCorp has its own identity provider (SAP Identity Authentication), which contains information about the company's employees (name, email, organization, role, etc.). It is configured specifically for the ABC PetroCorp subaccount, so that applications subscribed to can only be accessed by their employees.
Connectivity Services:
ABC PetroCorp has locally launched services that provide information about their plants - the number of employees at the plant, the location of the plant, etc. All this information must be extracted from their landscape and made available to the application using the SAP Cloud Connector.
Part 2. Uploading the solution in the MTAR format to the platform, linking the database and creating subscriptions for tenants, configuration of the provider’s subaccount
The multi-tenant application should be launched in the subaccount of the provider. Robert from ITeLO Consulting is an account administrator, and he needs to complete the following steps to install the application:
- Create an application archive containing all its artifacts;
- Upload the application archive to the ITeLO Consulting account;
- Subscribe the client “ABC PetroCorp” to the application running in the subaccount of the provider;
- Configure the destination path to an open service running on the Internet.
Presets:
- Java 8 is installed;
- Eclipse Neon is installed with the plugins for SAP CP;
- The EGit plugin is installed in Eclipse;
- The latest version of the SAP CP Java Web Tomcat 8 SDK is downloaded and unpacked;
- MTA Archive Builder is downloaded and installed;
- The SAP HANA database is connected to the SCP account (for the provider’s subaccount);
- In the subaccount of the ITeLO Consulting provider, a quota is allocated for launching Java applications (at least one unused computing unit; more details on quota allocation here).
Note: Creating multiple subaccounts within a global SCP account is not possible for a trial account.
To install the multi-tenant application, this article uses the SCP “Solutions” feature (deploying solutions). Alternatively, application modules can be uploaded to the platform separately.
The source code of the pollution monitoring application (“Pollution Monitoring”) is on GitHub.
First, we clone the project and load it into the Eclipse workspace. After successful installation, the project will appear in the workspace, and its structure will look like this:

The application consists of several modules developed using various technologies. These modules must be installed in different runtime environments (for example, Java, HTML5). Instead of creating and loading modules separately, the SCP supports the creation of a single application that contains different modules in one archive.
As shown in the application architecture, business logic is defined in a Java application, and user interface logic is defined in an HTML5 application. Now, acting as Robert, we will create an archive of a multi-module (or multi-target) application (MTA) in order to package the application into a convenient format for uploading to the platform.
To create an archive with several application modules, you need to download “mta.jar” and set up “MTA archive builder” (the link to the installation description for “MTA archive builder” is given above in the prerequisites).
Multipurpose application modules are described in the MTA descriptor file (mta.yaml), this file is located in the project root folder.

The file "mta.yaml" contains information about Java and HTML5 modules that will be created during the build process of the application. Open the file and link the SAP HANA database to the Java application, specifying the database identifier in the "id" field.

Here id is the identifier of the database running in the subaccount of the provider. It can be found in the SCP control panel of the ITeLO Consulting account in the Persistence -> Databases Systems menu.

In our case, the database identifier in "mta.yaml" will be indicated as follows:

Save the changes and, opening the command line, go to the folder with the project «pollutionmonitoring» and enter the following command:
java -jar [mta.jar] --build-target=NEO build

This command will start the process of building the application into the MTA archive.
After a successful build in the project folder, an MTA archive file (pollutionmonitoring.mtar) will be generated.

The next step is to install the MTA archive (pollutionmonitoring.mtar) in the ITeLO Consulting subaccount. This can be done using the “Solutions” feature provided in the SCP control panel. To do this, go to the "Solutions" tab and click on the "Deploy" button.

In the dialog box that appears, go to the location of the pollutionmonitoring.mtar file by clicking the Browse button on the MTA Archive field, and select it, then click Deploy.

After successful downloading of the MTA archive in the control panel of your ITeLO Consulting account, you will see the following:
• In the “Java Applications” tab, the “pollutionmonitoring” running Java application will appear;

• The database will be automatically linked to the Java application. To check this, go to the Java application and select the tab “Configuration” -> “Data Source Bindings”;

• In the “HTML5 Applications” tab, the started pollutionmonitoringui HTML5 application will appear.

Now Robert needs to create a subaccount with the name ABC Petro Corp for the client.
Go to the global account SCP and in the tab "Subaccounts" select "New Subaccount".

In the dialog box that appears, enter the name of the subaccount, select the environment (Neo) and the region in which the global account is located and, accordingly, the subaccount of the provider. Then click “Create”.

Now one more subaccount will appear in the global account - the client subaccount.
The next step is to create a subscription within the ABC Petro Corp client account for applications running in the provider's account. To do this, use the console client for the Neo environment. How to install it is described here.
In the console client for Neo, enter the following command:
neo subscribe --account <<ABC_PetroCorp>> --application <<ITeLO_consulting>>:pollutionmonitoring --user << >> --host << >>
The subaccount identifier can be found in the tab “Overview” -> “Subaccount information”.

The user ID is indicated in the “User Information” tab, which is located in the drop-down menu in the upper right corner of the SCP control panel.

Hosts for all regions of the Neo environment are described in the documentation.
To subscribe to the HTML5 application, use the SCP control panel. Go to the ABC Petro Corp client subaccount and select the “Subscriptions” -> “New Subscription” tab (for HTML5).

In the dialog box, select the provider subaccount and HTML5 application inside it, then click “Save”.

The client is now subscribed to the Java and HTML5 applications provided by the provider, and this is displayed in the control panel of the ABC Petro Corp account.

The pollution monitoring application allows you to display data on the pollution of the plant and the city.
The plant pollution data is in the client’s local system. Information on the level of pollution in the city can be obtained through an open source service available via the Internet. Such a service could be OpenAQ. The pollution monitoring application can access this service using the destination path description in the SCP control panel.
This service will be used by ABC Petro Corp and other potential customers, so the destination address will be added to the ITeLO Consulting provider account.
For a Java application, the destination path called “openaq-api-dest” is described in the file “web.xml”.

This destination path is referenced in the "PollutionDataService" class (file "PollutionDataService.java").

After the search for the destination path is completed, all calls from the Java code to the OpenAQ service are run through it.
The destination path file “open-api-dest” is located inside the folder “Destinations-Provider” located inside the project “pollutionmonitoring”.

This file contains the URL to the OpenAQ service.

This destination must be uploaded to the ITeLO Consulting provider subaccount. To do this, we go to the ITeLO Consulting subaccount, open the “Java Applications” tab and select the “pollutionmonitoring” application.
Next, select the tab "Configuration" → "Destinations" and click on the button "Import Destination".

In the dialog box that appears, specify the path to the file "open-api-dest". After that, the destination path will be configured in the SCP control panel. Click the "Save" button. The destination path will look in the cloud platform as follows:

This service is available via HTTPS, so you need to establish a secure connection. This can be done using the Keystore Service for SCP. In the project “pollutionmonitoring”, downloaded from GitHub, there are already keystore files: “jssecacerts.jks” and “cacerts.jks”. They need to be uploaded to the ABC Petro Corp client subaccount.
To do this, again use the console client for the Neo environment.
In the console client for Neo, enter the following commands:
neo upload-keystore --account <<ABC_PetroCorp>> --user << >> --location <<jssecacerts.jks>> --host << >>
neo upload-keystore --account <<ABC_PetroCorp>> --user << >> --location <<cacerts.jks>> --host << >>
These files (“jssecacerts.jks” and “cacerts.jks”) are located in the “KeyStore Services” folder of the “pollutionmonitoring” project.
Part 3. Persistence Service - initialization and data isolation
Several clients are interested in ITeLO Consulting. A true multi-tenant application must ensure that the ABC PetroCorp data is completely isolated from the data of other customers in the database (for example, from XYZ EnergyCorp data). This is very important for securing customer and application data.
Robert from ITeLO Consulting wants his application to isolate the storage of his clients' data, and he wonders how this can be achieved.
To achieve data isolation, we need to determine the degree of isolation: isolation at the table level (store data in different tables in the same schema), at the schema level (store customer data in different schemas), or at the tenant level (store customer data in different database tenants). The SAP Cloud Platform Persistence Service, in combination with JPA (Java Persistence API) and EclipseLink, supports the implementation of these data isolation methods.
There are three ways to achieve multi-tenancy at the database level; we discussed them in Part 1.
In the second part, we will focus on a method called a “delimiter column”. This is the method Robert will use to isolate data at the database level in his solution.
Using the delimiter column:
In this approach, one DB schema is shared among all users of the application. The tenant id can be used as the value in the delimiter column. The code snippet is presented below.

As a preparatory step, we also initialize the data that will be used in the pollution monitoring application.
Step 1: Check for the description of the delimiter column in the application code
At this stage, we will look at how the application's data model is used to provide multi-tenancy at the database level.
To do this, let's turn to the project downloaded from GitHub, which is already loaded into the Eclipse workspace.
Next we will view some of the project files. This can be done either through the Eclipse environment, or download the project, unzip it to a place that is convenient for you, and open the files separately. We will use the second option.
The unzipped project looks like this:

Let's go to the file “BaseObject.java” of the project, located along the path “/pollutionmonitoring/java/src/main/java/com/sap/hana/cloud/samples/pollutionmonitoring/model/BaseObject.java”, and open it with an editor (for example, Notepad++).

In this file, we check the description of the “Column Delimiter” method. Here's what it looks like:

Now let's turn to the file “web.xml” located along the path “/pollutionmonitoring/java/src/main/webapp/WEB-INF/web.xml”.

Make sure that the data source (database) is bound to the application as a standard source (Default DB). In the file “web.xml” it looks like this:

This example shows how multi-tenancy is implemented in an application for monitoring pollution.
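The delimiter-column isolation described in Part 1 and in Step 1 above, as an added example that is not code from the pollutionmonitoring project: it uses SQLite and hand-written SQL in place of SAP HANA and JPA/EclipseLink. The table, column names, tenant ids and readings are constructed for illustration.

```python
import sqlite3

# Constructed schema: one shared table, tenant_id is the delimiter column.
SCHEMA = """
CREATE TABLE pollution_reading (
    id        INTEGER PRIMARY KEY,
    tenant_id TEXT NOT NULL,
    location  TEXT NOT NULL,
    pm25      REAL NOT NULL
);
CREATE INDEX idx_reading_tenant ON pollution_reading (tenant_id);
"""


class TenantScopedReadings:
    """Data access bound to one tenant: every statement carries tenant_id."""

    def __init__(self, conn, tenant_id):
        if not tenant_id:
            # Fail closed: without a tenant context there is no database access.
            raise ValueError("tenant id is required")
        self._conn = conn
        self._tenant = tenant_id

    def add(self, location, pm25):
        # The tenant id comes from the bound context, never from the caller's data.
        cur = self._conn.execute(
            "INSERT INTO pollution_reading (tenant_id, location, pm25) "
            "VALUES (?, ?, ?)", (self._tenant, location, pm25))
        return cur.lastrowid

    def get(self, reading_id):
        # A primary-key lookup still needs the tenant predicate.
        return self._conn.execute(
            "SELECT id, location, pm25 FROM pollution_reading "
            "WHERE id = ? AND tenant_id = ?",
            (reading_id, self._tenant)).fetchone()

    def list_all(self):
        return self._conn.execute(
            "SELECT id, location, pm25 FROM pollution_reading "
            "WHERE tenant_id = ? ORDER BY id", (self._tenant,)).fetchall()

    def update_pm25(self, reading_id, pm25):
        cur = self._conn.execute(
            "UPDATE pollution_reading SET pm25 = ? "
            "WHERE id = ? AND tenant_id = ?",
            (pm25, reading_id, self._tenant))
        return cur.rowcount  # 0 when the row belongs to another tenant


def unscoped_get(conn, reading_id):
    """Anti-pattern: no tenant predicate, so any tenant's row is returned."""
    return conn.execute(
        "SELECT id, tenant_id, location, pm25 FROM pollution_reading "
        "WHERE id = ?", (reading_id,)).fetchone()


def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    abc = TenantScopedReadings(conn, "tenant-abc")  # constructed tenant ids
    xyz = TenantScopedReadings(conn, "tenant-xyz")
    abc.add("ABC plant 1", 41.5)
    xyz_id = xyz.add("XYZ plant 7", 18.0)
    return {
        "abc_rows": abc.list_all(),
        "xyz_rows": xyz.list_all(),
        "abc_reads_xyz": abc.get(xyz_id),
        "abc_updates_xyz": abc.update_pm25(xyz_id, 0.0),
        "xyz_after": xyz.get(xyz_id),
        "unscoped_reads_xyz": unscoped_get(conn, xyz_id),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```
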
Step 2: Verify the data initialization servlet setting
Robert knows that customers of his application will need to load data in order to use it. Therefore, he created a data initialization servlet that clients (e.g., Emily) can use to enter data into the pollution monitoring application.
At this stage, we will look at how the data initialization servlet is published.
The servlet is described in the “DataInitializationServlet.java” file, which is located in the project along the path “/pollutionmonitoring/java/src/main/java/com/sap/hana/cloud/samples/pollutionmonitoring/api/DataInitializationServlet.java”.

The way it is published is specified in the file “web.xml” (“/pollutionmonitoring/java/src/main/webapp/WEB-INF/web.xml”).

Open this file and make sure that the servlet that loads data into the pollution monitoring application is published via the “/initialize” URL path. It looks like this:
Step 3. Using the servlet to initialize pollution data for ABC PetroCorp (client)
Emily from ABC PetroCorp can access the pollution monitoring application using the subscription created.
The Pollution Monitoring application uses two types of data:
- Pollution data: read from sources such as external APIs, pollution sensors, etc.
- Plant data: typically read from the client’s local systems, such as ERP systems.
1) At this stage, we will create pollution data using the data initialization servlet located in the project. This data will be stored in the HANA database in the SAP CP, which is associated with the application in the provider account.
2) The plant data is read by the application from the local system, that is, it is not stored in the HANA database in the SAP CP. This will be discussed in the fifth part of the article “SAP Cloud Connector - setting up and configuring a service for connecting to a local system”.
At this stage, we will upload the pollution data to the subscribed application. To do this, we will use the “Data Initialization” servlet, which is in the project and can be used to enter the prepared data into the HANA database.
Let's see what the prepared data looks like and how it can be initialized using a servlet. To do this, look again at the “DataInitializationServlet.java” file, which is located in the project along the path “/pollutionmonitoring/java/src/main/java/com/sap/hana/cloud/samples/pollutionmonitoring/api/DataInitializationServlet.java”, and open it.
Here we can see the prepared data for both ABC PetroCorp and another customer (XYZ EnergyCorp).

We initialize the pollution level data for ABC PetroCorp by calling the Data Initialization servlet.
Let's go to the control panel of the ABC PetroCorp client subaccount. In our case, the global account is located in the Europe (Rot) region, and is accessed via this link.

In the subaccount control panel, go to the tab “Applications -> Subscriptions” and select the Java application to which the client is subscribed.

The “Overview” tab shows the application URL; copy it.

Open a new browser window, paste the copied application URL and add “/initialize?Company=ABC PetroCorp” to it. After that, the initialization will be completed and the data that was sent to the application should appear on the screen.

Now we have initialized pollution data for ABC PetroCorp in the ITeLO pollution monitoring application.
In the next article we will talk about identity management using Identity Authentication - setting the tenant of the service.