Key Value Maps
The key value maps are all prefixed with ROIAM_.
Each key value map consists of two entries — one unencrypted and one encrypted. The encrypted entry must have exactly the same name as the unencrypted one, but with the suffix _vault.
TIP
Example:
- ROIAM_Example_Name (not encrypted)
- ROIAM_Example_Name_vault (encrypted)
Note: Do not create that one.
Logically, the encrypted map contains sensitive information such as secrets and passwords used for communication with other services, while the unencrypted map contains usernames, client IDs, URLs, and similar non-sensitive values.
ROIAM_Internal_API_Proxy
The key vault is used for storing variables used in the internal communication to ROI iAM.
roiam_schema_endpoint ->
InterfacesService/detailsOf
roiam_event_baseURL ->
https://<application_route_of_ROIAM_Runtime_EventConsumer_Service>/odata/v4/runtime/
TIP
From the SAP BTP subaccount where ROI iAM is deployed, navigate to the CF space where the apps are deployed and find the app called ROIAM_Runtime_EventConsumer_Service. Copy the application route.
roiam_landscape_baseURL ->
https://<application_route_of_ROIAM_Home_Service>/odata/v4/home/
TIP
From the SAP BTP subaccount where ROI iAM is deployed, navigate to the CF space where the apps are deployed and find the app called ROIAM_Home_Service. Copy the application route.
roiam_process_baseURL ->
https://<application_route_of_ROIAM_Runtime_Process_Service>/odata/v4/runtime/
TIP
From the SAP BTP subaccount where ROI iAM is deployed, navigate to the CF space where the apps are deployed and find the app called ROIAM_Runtime_Process_Service. Copy the application route.
roiam_audit_baseURL ->
https://<application_route_of_ROIAM_Runtime_Audit_Service>/odata/v4/runtime/
TIP
From the SAP BTP subaccount where ROI iAM is deployed, navigate to the CF space where the apps are deployed and find the app called ROIAM_Runtime_Audit_Service. Copy the application route.
roiam_IAS_tokenURL ->
<tenantURL>
TIP
This is the authentication CIS tenant URL assigned to the SAP BTP subaccount where ROI iAM is deployed. From the SAP BTP subaccount where ROI iAM is deployed, navigate to Instances and locate the instance named "ROIAM_authentication_ias". In the details view, press "View Credentials" and extract the url value without the protocol prefix (http, https).
Example:
<tenantID>.accounts.ondemand.com
roiam_api_clientID ->
<Client ID from IAS application>
TIP
From the SAP BTP subaccount where ROI iAM is deployed, navigate to Instances and locate the instance named "ROIAM_authentication_ias_consumer". A service key named consumer_key should be available; extract the clientid attribute value.
roiam_processComplete_endpoint ->
process/ProcessInstanceService/complete
roiam_processRunning_endpoint ->
process/ProcessInstanceService/running
roiam_auditFail_endpoint ->
audit/AuditService/fail
roiam_landscapeRepository_endpoint ->
LandscapeService/readRepositoryByName
roiam_eventConsume_endpoint ->
eventconsumer/EventConsumerService/consume
roiam_auditInitialize_endpoint ->
audit/AuditService/initialize
ROIAM_Internal_API_Proxy_vault
roiam_api_clientSecret ->
<clientsecret>
TIP
From the SAP BTP subaccount where ROI iAM is deployed, navigate to Instances and locate the instance named "ROIAM_authentication_ias_consumer". A service key named consumer_key should be available; extract the clientsecret attribute value.
ROIAM_SCIM_API_Proxy
roiam_IAS_tokenURL ->
<tenantID>.accounts.ondemand.com
TIP
This is the authentication CIS tenant URL assigned to the SAP BTP subaccount where ROI iAM is deployed.
roiam_scim_clientID ->
<Client ID from IAS application>
TIP
From the SAP BTP subaccount where ROI iAM is deployed, navigate to Instances and locate the instance named "ROIAM_authentication_ias_consumer". A service key named consumer_key should be available; extract the clientid attribute value.
roiam_scim_baseURL ->
https://<application_route_of_ROIAM_SCIM_REST>/roiam/scim/v2/
TIP
From the SAP BTP subaccount where ROI iAM is deployed, navigate to the CF space and find the app called ROIAM_SCIM_REST. Copy the application route.
ROIAM_SCIM_API_Proxy_vault
roiam_scim_clientSecret ->
<clientsecret>
TIP
From the SAP BTP subaccount where ROI iAM is deployed, navigate to Instances and locate the instance named "ROIAM_authentication_ias_consumer". A service key named consumer_key should be available; extract the clientsecret attribute value.
ROIAM_Send_Event_Proxy
roiam_OAuth_tokenURL ->
<uaa.url>
TIP
From the SAP BTP subaccount where SAP Integration Suite is running, navigate to Instances. The instance name was provided during prerequisites setup. The instance is for SAP Integration Suite, Event Mesh with plan message-client. A service key should be present; extract the uaa.url attribute. Remove the protocol from the URL and paste the result as the value in the KVM.
roiam_customer_targetURL ->
<url>/messagingrest/v1/messages
TIP
From the SAP BTP subaccount where SAP Cloud Integration Suite is running, navigate to Instances. The instance name was provided during prerequisites setup. The instance is for SAP Integration Suite, Event Mesh with plan "message-client". A service key should be present; take the value of the attribute "messaging[protocol='httprest'].uri".
roiam_sendEvent_clientID ->
<uaa.clientID>
TIP
From the SAP BTP subaccount where SAP Cloud Integration Suite is running, navigate to Instances. The instance name was provided during prerequisites setup. The instance is for SAP Integration Suite, Event Mesh with plan "message-client". A service key should be present; take the value of the attribute "uaa.clientID".
roiam_public_targetURL -> same as "roiam_customer_targetURL"
ROIAM_Send_Event_Proxy_vault
roiam_sendEvent_clientSecret ->
<uaa.clientsecret>
TIP
From the SAP BTP subaccount where SAP Cloud Integration Suite is running, navigate to Instances. The instance name was provided during prerequisites setup. The instance is for SAP Integration Suite, Event Mesh with plan "message-client". A service key should be present; take the value of the attribute "uaa.clientsecret".
ROIAM_GRC_SOAP_RiskAnalysis_Proxy (applicable only for GRC accelerator)
roiam_grcRiskAnalysis_targetURL ->
<ci_deployed_artefact_url>
TIP
This should be the URL of the deployed CI iFlow artifact named "ROI iAM - GRC - Authorization Management". To obtain it go to the SAP Cloud Integration Suite and navigate to "Integrations and APIs" from the "Monitor" section. Under "Manage Integration Content" select the "All" tile, which will show all deployed artifacts. Search for "ROI iAM - GRC - Authorization Management" and select it. The URL can be copied from the "Endpoints" section of the details.
roiam_grcRiskAnalysis_clientID ->
<oauth.clientid>
TIP
From the SAP BTP subaccount where SAP Cloud Integration Suite is running, navigate to Instances. The instance name was provided during prerequisites setup. The instance is for SAP Process Integration Runtime with plan "integration-flow". A service key should be present; take the value of the attribute "oauth.clientid".
ROIAM_GRC_SOAP_RiskAnalysis_Proxy_vault (applicable only for GRC accelerator)
roiam_grcRiskAnalysis_clientSecret ->
<oauth.clientsecret>
TIP
From the SAP BTP subaccount where SAP Cloud Integration Suite is running, navigate to Instances. The instance name was provided during prerequisites setup. The instance is for SAP Process Integration Runtime with plan "integration-flow". A service key should be present; take the value of the attribute "oauth.clientsecret".
ROIAM_Internal_BTP_Proxy
roiam_destination_baseURL ->
<uri>/destination-configuration/v1/destinations/
TIP
From the SAP BTP subaccount where ROI iAM is deployed, navigate to Instances and locate the instance named "ROIAM_destination". A service key should be available with name "api-management-key"; extract the "uri" attribute value from it.
roiam_OAuth_TokenURL ->
<url> (without protocol)
TIP
From the SAP BTP subaccount where ROI iAM is deployed, navigate to Instances and locate the instance named "ROIAM_destination". A service key should be available with name "api-management-key"; extract the "url" attribute value from it without protocol (e.g. http/https).
roiam_destination_clientID ->
<clientid>
TIP
From the SAP BTP subaccount where ROI iAM is deployed, navigate to Instances and locate the instance named "ROIAM_destination". A service key should be available with name "api-management-key"; extract the "clientid" attribute value from it.
ROIAM_Internal_BTP_Proxy_vault
roiam_destination_clientSecret ->
<clientsecret>
TIP
From the SAP BTP subaccount where ROI iAM is deployed, navigate to Instances and locate the instance named "ROIAM_destination". A service key should be available with name "api-management-key"; extract the "clientsecret" attribute value from it.
ROIAM_Internal_CI_Proxy
roiam_ci_targetURL ->
<oauth.url>/http
TIP
From the SAP BTP subaccount where SAP Cloud Integration Suite is running, navigate to Instances. The instance name was provided during prerequisites setup. The instance is for SAP Process Integration Runtime with plan "integration-flow". A service key should be present; take the value of the attribute "oauth.url".
roiam_ci_clientID ->
<oauth.clientid>
TIP
From the SAP BTP subaccount where SAP Cloud Integration Suite is running, navigate to Instances. The instance name was provided during prerequisites setup. The instance is for SAP Process Integration Runtime with plan "integration-flow". A service key should be present; take the value of the attribute "oauth.clientid".
roiam_ci_tokenURL ->
<oauth.tokenurl> (without protocol)
TIP
From the SAP BTP subaccount where SAP Cloud Integration Suite is running, navigate to Instances. The instance name was provided during prerequisites setup. The instance is for SAP Process Integration Runtime with plan "integration-flow". A service key should be present; take the value of the attribute "oauth.tokenurl" without protocol (e.g. http/https).
ROIAM_Internal_CI_Proxy_vault
roiam_ci_clientSecret ->
<oauth.clientsecret>
TIP
From the SAP BTP subaccount where SAP Cloud Integration Suite is running, navigate to Instances. The instance name was provided during prerequisites setup. The instance is for SAP Process Integration Runtime with plan "integration-flow". A service key should be present; take the value of the attribute "oauth.clientsecret".
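The rules this page states (ROIAM_ prefix, an encrypted _vault counterpart for every map, secrets only in the vault map, token URLs stored without protocol) can be checked mechanically before the maps are used. The following is an added example, not part of the ROI iAM documentation; the dictionary shape, the check_kvms name and all sample values are constructed assumptions and do not represent an SAP export format.

```python
import re

SECRET_KEY = re.compile(r"secret|password", re.I)      # key names that hold credentials
TOKEN_URL_KEY = re.compile(r"tokenurl$", re.I)         # e.g. roiam_IAS_tokenURL
PROTOCOL = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)  # http://, https://, ...

def check_kvms(kvms):
    """kvms: {map_name: {"encrypted": bool, "entries": {key: value}}} (assumed shape).
    Returns findings as strings; entry values are never echoed."""
    findings = []
    for name, kvm in kvms.items():
        is_vault = name.endswith("_vault")
        if not name.startswith("ROIAM_"):
            findings.append(f"{name}: missing ROIAM_ prefix")
        if is_vault and not kvm["encrypted"]:
            findings.append(f"{name}: vault map is not encrypted")
        # Every map needs its counterpart: X <-> X_vault.
        partner = name[:-len("_vault")] if is_vault else name + "_vault"
        if partner not in kvms:
            findings.append(f"{name}: no {partner} counterpart")
        for key, value in kvm["entries"].items():
            if SECRET_KEY.search(key) and not is_vault:
                findings.append(f"{name}.{key}: secret in unencrypted map")
            if TOKEN_URL_KEY.search(key) and PROTOCOL.match(value):
                findings.append(f"{name}.{key}: token URL includes protocol")
    return findings

# Constructed sample, not real tenant data.
SAMPLE = {
    "ROIAM_SCIM_API_Proxy": {"encrypted": False, "entries": {
        "roiam_IAS_tokenURL": "https://tenant.example.invalid",
        "roiam_scim_clientID": "constructed-client-id",
        "roiam_scim_clientSecret": "constructed-secret"}},
    "ROIAM_Internal_BTP_Proxy": {"encrypted": False, "entries": {
        "roiam_OAuth_TokenURL": "auth.example.invalid"}},
    "ROIAM_Internal_BTP_Proxy_vault": {"encrypted": False, "entries": {
        "roiam_destination_clientSecret": "constructed-secret"}},
}

if __name__ == "__main__":
    for finding in check_kvms(SAMPLE):
        print(finding)
```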