Update from SAP DITA CMS (squashed):

commit 9ce367f766f23cdb38c7e4fe28d37678d751419c
Author: REDACTED
Date:   Tue Aug 5 21:48:13 2025 +0000

    Update from SAP DITA CMS 2025-08-05 21:48:13

    Project: dita-all/jjq1673438782153
    Project map: c2f780f61c744155b0bd42b6f38fb70c.ditamap
    Output: loiob2927cc326be495da9f4fea0b6bda2b3
    Language: en-US
    Builddable map: c590d25af285407ba12a69179a940c19.ditamap

commit 9a80a910891cefd4917816e7433c4e904531de8c
Author: REDACTED
Date:   Tue Aug 5 21:26:11 2025 +0000

    Update from SAP DITA CMS 2025-08-05 21:26:11

    Project: dita-all/jjq1673438782153
    Project map: c2f780f61c744155b0bd42b6f38fb70c.ditamap
    Output: loiob2927cc326be495da9f4fea0b6bda2b3
    Language: en-US
    Builddable map: c590d25af285407ba12a69179a940c19.ditamap

commit 906c62842a7665f96a85f8c2cf4048b486ca86b4
Author: REDACTED
Date:   Tue Aug 5 13:55:48 2025 +0000

    Update from SAP DITA CMS 2025-08-05 13:55:48

    Project: dita-all/jjq1673438782153
    Project map: c2f780f61c744155b0bd42b6f38fb70c.ditamap

##################################################
[Remaining squash message was removed before commit...]

Author: ditaccms-bot

docs/1-connectivity-documentation/calling-the-destination-service-rest-api-via-ias-token-ce25f2b.md

@@ -0,0 +1,302 @@
+<!-- loioce25f2be9c3640ca832d73e31e7917fc -->
+
+# Calling the Destination Service REST API via IAS Token
+
+Find a step-by-step procedure to use an IAS token for calling available Destination service REST API endpoints.
+
+
+
+## Prerequisites
+
+To call the Destination service REST API using an IAS token, you must have the following set up:
+
+-   [Configured Trust](https://help.sap.com/docs/btp/sap-business-technology-platform/establish-trust-and-federation-between-uaa-and-identity-authentication?version=Cloud) between *SAP Authorization and Trust Management service* and *SAP Cloud Identity Services*
+-   A Destination service instance inside your subaccount
+-   An Identity service instance inside your subaccount
+
+
+
+<a name="loioce25f2be9c3640ca832d73e31e7917fc__instance"/>
+
+## Set Up a Destination Service Instance for your Subaccount
+
+To create a Destination service instance inside your subaccount, follow this documentation about creating service instances through the BTP cockpit or from the CF CLI: [Creating Service Instances](https://help.sap.com/docs/btp/sap-business-technology-platform/creating-service-instances?version=Cloud).
+
+> ### Note:  
+> When creating a Destination service instance, you can refer to the following *yaml* segment for the basic information of the instance.
+
+
+<table>
+<tr>
+<th valign="top">
+
+Basic Information for the Destination Service instance
+
+</th>
+</tr>
+<tr>
+<td valign="top">
+
+-   Plan: *lite* 
+
+    \# Currently, the Destination service offers only this plan.
+
+-   Runtime Environment: *Cloud Foundry* 
+
+    \# You will need to have enabled Cloud Foundry for your subaccount.
+
+-   Space: *<space\_name\>* 
+
+    \# Choose the space in which the Destination service instance will reside in.
+
+-   Instance Name: *<instance\_name\>* 
+
+    \# Enter whatever name you want here for the instance.
+
+
+
+
+</td>
+</tr>
+</table>
+
+
+
+## Retrieving the Destination Service REST API Endpoint
+
+The Destination service REST API endpoint can be retrieved from the credentials contained in a service key of the Destination Service instance. If you don't have any service keys in your Destination service instance, follow this BTP documentation about creating a service key for an instance from the BTP cockpit or through the CF CLI: [Creating Service Keys](https://help.sap.com/docs/btp/sap-business-technology-platform/creating-service-keys?version=Cloud).
+
+Once you have a service key for your Destination service instance, you need to open it and extract the following information:
+
+
+<table>
+<tr>
+<th valign="top">
+
+Information to Extract from the Service Key
+
+</th>
+</tr>
+<tr>
+<td valign="top">
+
+-   uri: *"<value\_to\_extract\>"* 
+
+    \# The URL of the Destination service
+
+
+
+
+</td>
+</tr>
+</table>
+
+
+
+## Set up a Cloud Identity Service Instance for your Subaccount
+
+To create a Cloud Identity service instance inside your subaccount, follow this documentation about creating service instances through the BTP cockpit or from the CF CLI: [Creating Service Instances](https://help.sap.com/docs/btp/sap-business-technology-platform/creating-service-instances?version=Cloud).
+
+> ### Note:  
+> When creating a Cloud Identity service instance, you must provide the following basic information as well as the parameters in the *config.json* input file.
+
+
+<table>
+<tr>
+<th valign="top">
+
+Basic Information for the Cloud Identity Service
+
+</th>
+</tr>
+<tr>
+<td valign="top">
+
+-   Plan: *application* 
+
+    \# Currently, the Cloud Identity service offers only this plan.
+
+-   Runtime Environment: *Cloud Foundry* 
+
+    \# You must have enabled Cloud Foundry for your subaccount.
+
+-   Space: *<space\_name\>* 
+
+    \# Choose the space in which the Cloud Identity service instance will reside in.
+
+-   Instance Name: *<instance\_name\>* 
+
+    \# Enter any name for the instance.
+
+
+
+
+</td>
+</tr>
+</table>
+
+**config.json \(Example\)**
+
+> ### Sample Code:  
+> ```
+> {
+>     "consumed-services":
+>     [
+>         {
+>             "service-instance-name": "<destination-service-instance-name>"
+>         }
+>     ]
+> }
+> ```
+
+where:
+
+*<destination-service-instance-name\>* is the value of `instance_name` from step [Set Up a Destination Service Instance for your Subaccount](calling-the-destination-service-rest-api-via-ias-token-ce25f2b.md#loioce25f2be9c3640ca832d73e31e7917fc__instance).
+
+
+
+## Getting the Credentials to Call the Destination Service REST API
+
+To access the Destination service REST API, you need an access token. To generate such, you must get the credentials contained in a service key of the Cloud Identity service instance. If you don't have any service keys in your Cloud Identity service instance, follow this BTP documentation about creating a service key for an instance from the BTP cockpit or through the CF CLI: [Creating Service Keys](https://help.sap.com/docs/btp/sap-business-technology-platform/creating-service-keys?version=Cloud).
+
+> ### Note:  
+> The IAS access token is issued through mTLS, so when you are creating the service key in your Cloud Identity service, you must provide the following *config.json*:
+> 
+> **X.509 Credential Type \(Example\)**
+> 
+> > ### Sample Code:  
+> > ```
+> > {
+> >     "credential-type": "X509_GENERATED"
+> > }
+> > ```
+
+Once you have a service key for your Cloud Identity service instance, you need to open it and extract the following information:
+
+
+<table>
+<tr>
+<th valign="top">
+
+Information to Extract from the Service Key
+
+</th>
+</tr>
+<tr>
+<td valign="top">
+
+-   clientid: *"<value\_to\_extract\>"* 
+
+    \# The client id which will be used for the authentication in the next step
+
+-   certificate: *"<value\_to\_extract\>"* 
+
+    \# The certificate which will be used for the authentication in the next step
+
+-   key: *"<value\_to\_extract\>"* 
+
+    \# The key which will be used for the authentication in the next step
+
+-   url: *"<value\_to\_extract\>"* 
+
+    \# The authentication endpoint from where an access token for the Cloud Identity service will be acquired
+
+
+
+
+</td>
+</tr>
+</table>
+
+
+
+<a name="loioce25f2be9c3640ca832d73e31e7917fc__acquire"/>
+
+## Acquire an Access Token from IAS to Access the Destination Service REST API
+
+In this step, we will acquire an access token from IAS which we can then use to successfully authenticate towards the Destination service REST API. For this step, you must use the values you extracted for `clientid`, `certificate`, `key`, and `url` from the previous step.
+
+Here is an example call using curl:
+
+**CURL Command to Acquire an Access Token for the Destination service** 
+
+> ### Sample Code:  
+> ```
+> curl -X POST \
+>         "<url>/oauth2/token" \
+>         -H "Content-Type: application/x-www-form-urlencoded" \
+>         -d "grant_type=client_credentials" --data-urlencode "client_id=<client_id>" --cert <certificate> --key <key>
+> ```
+
+where:
+
+-   <url\> is the value of `url` from the previous step
+-   <client\_id\> is the value of `clientid` from the previous step
+-   <certificate\> is the value of `certificate` from the previous step
+-   <key\> is the value of the `key` from the previous step
+
+The token which you will be using for the next step is provided under the `access_token` key in the response JSON. Make sure you save it because we will need it in the next step.
+
+
+
+<a name="loioce25f2be9c3640ca832d73e31e7917fc__section_i1p_qt5_bgc"/>
+
+## Call the Destination Service REST API
+
+Now that you have an access token for the Destination service, you can finally call one of the Destination service REST API endpoints. To see the full list of available endpoints in the Destination service REST API and their responses, see [Destination Service REST API reference](https://api.sap.com/api/SAP_CP_CF_Connectivity_Destination/resource/Find_a_Destination).
+
+> ### Caution:  
+> Currently, authentication to the Destination service via IAS token is working only for [destinations](https://api.sap.com/api/SAP_CP_CF_Connectivity_Destination/resource/Destinations_on_Subaccount_Level), [destination fragments](https://api.sap.com/api/SAP_CP_CF_Connectivity_Destination/resource/Destination_Fragments_on_Subaccount_Level), and [certificates](https://api.sap.com/api/SAP_CP_CF_Connectivity_Destination/resource/Certificates_on_Subaccount_Level) on *subaccount* level.
+
+Here is an example of the call using curl:
+
+**CURL Command for Calling the Destination Service** 
+
+> ### Sample Code:  
+> ```
+> curl -X GET \
+>         "<uri>/destination-configuration/v1/<endpoint>" \
+>         -H "Authorization: Bearer <access_token>"
+> ```
+
+where:
+
+-   <uri\> is the value of `uri` from [Getting the Credentials to Call the Destination Service](calling-the-destination-service-rest-api-via-ias-token-ce25f2b.md#loioce25f2be9c3640ca832d73e31e7917fc__credentials) 
+-   <endpoint\> is the endpoint of the Destination service REST API which you want to call
+-   <access\_token\> is the access token you saved from [Acquire an Access Token from IAS to Access the Destination Service REST API](calling-the-destination-service-rest-api-via-ias-token-ce25f2b.md#loioce25f2be9c3640ca832d73e31e7917fc__acquire) 
+
+For a more concrete example, if you want to make a GET call towards the */subaccountDestinations* endpoint, the call would look like this:
+
+**CURL Command for Calling the Destination Service** 
+
+> ### Sample Code:  
+> ```
+> curl -X GET \
+>         "<uri>/destination-configuration/v1/subaccountDestinations" \
+>         -H "Authorization: Bearer <access_token>"
+> ```
+
+An example response from the Destination service would be:
+
+> ### Sample Code:  
+> ```
+> [
+>     {
+>         "Name": "no-authentication-destination",
+>         "Type": "HTTP",
+>         "URL": "https://sap.com",
+>         "Authentication": "NoAuthentication",
+>         "ProxyType": "Internet"
+>     },
+>     {
+>         "Name": "basic-authentication-destination",
+>         "Type": "HTTP",
+>         "URL": "https://sap.com",
+>         "Authentication": "BasicAuthentication",
+>         "ProxyType": "Internet",
+>         "User": "my-user",
+>         "Password": "my-password"
+>     }
+> ]
+> ```
+

docs/1-connectivity-documentation/configure-identity-propagation-for-rfc-33a2f37.md

@@ -30,7 +30,7 @@ The following data and setup is used:
 
 -   The Cloud Connector system identity's SNC name is `p:CN=SCC, OU=SAP CP Scenarios, O=Trust Community, C=DE`.
 -   The ABAP system's SNC identity name is`p:CN=SID, O=Trust Community, C=DE`. This value can typically be found in the ABAP system instance profile parameter `snc/identity/as` and hence is provided per application server.
--   When using the SAP Cryptographic Library, the ABAP system's SNC identity and the Cloud Connector's system identity should be signed by the same CA for mutual authentication.
+-   When using the SAP Cryptographic Library, we recommend that you use an ABAP system SNC identity and a Cloud Connector system identity signed by the same CA for mutual authentication.
 -   The example short-lived certificate has the subject `CN=P1234567`, where `P1234567` is the SAP BTP application user.
 
 

docs/1-connectivity-documentation/consuming-the-destination-service-7e30625.md

@@ -411,3 +411,5 @@ Back to [Tasks](consuming-the-destination-service-7e30625.md#loio7e306250e08340f
 
 [Extending Destinations with Fragments](extending-destinations-with-fragments-f56600a.md "Use the “Find Destination” API to extend your destination with a destination fragment.")
 
+[Using an IAS User Token for Corporate IdP Token Principal Propagation to On-Premise Systems](using-an-ias-user-token-for-corporate-idp-token-principal-propagation-to-on-premise-e50acf1.md "Using an IAS user token for corporate IdP token principal propagation to on-premise systems allows automatic token exchange to the corporate IdP token.")
+

docs/1-connectivity-documentation/create-http-destinations-783fa1c.md

@@ -53,7 +53,7 @@ You have logged into the cockpit and opened the *Destinations* editor from your
 
 10. \(Optional\) You can enter additional properties.
 
-    1.  In the *Additional Properties* panel, choose *New Property*.
+    1.  In the *Additional Properties* panel, choose *Add Property*.
 
     2.  Enter a key \(name\) or choose one from the dropdown menu and specify a value for the property. You can add as many properties as you need.
 

docs/1-connectivity-documentation/create-ldap-destinations-2d11ff6.md

@@ -41,7 +41,7 @@ You have logged into the cockpit and opened the *Destinations* editor from your
 
 9.  \(Optional\) You can enter additional properties.
 
-    1.  In the *Additional Properties* panel, choose *New Property*.
+    1.  In the *Additional Properties* panel, choose *Add Property*.
 
     2.  Enter a key \(name\) or choose one from the dropdown menu and specify a value for the property. You can add as many properties as you need.
 

docs/1-connectivity-documentation/create-mail-destinations-6442cb4.md

@@ -40,14 +40,14 @@ You have logged into the cockpit and opened the *Destinations* editor from your
 
 7.  Enter an *additional property* to specify the address of the target mail server.
 
-    1.  In the *Additional Properties* panel, choose *New Property*.
+    1.  In the *Additional Properties* panel, choose *Add Property*.
 
     2.  Depending on the protocol you want to use, enter *mail.imap4.host*, *mail.pop3.host*, or *mail.smtp.host* and specify a value for the property.
 
 
 8.  \(Optional\) You can enter more additional properties.
 
-    1.  In the *Additional Properties* panel, choose *New Property*.
+    1.  In the *Additional Properties* panel, choose *Add Property*.
 
     2.  Enter a key \(name\) or choose one from the dropdown menu and specify a value for the property. You can add as many properties as you need. Each key of an additional property must start with "`mail.`".
 

docs/1-connectivity-documentation/create-rfc-destinations-9b3cc68.md

@@ -62,7 +62,7 @@ You have logged into the cockpit and opened the *Destinations* editor from your
 
 12. \(Optional\) You can enter additional properties.
 
-    1.  In the *Additional Properties* panel, choose *New Property*.
+    1.  In the *Additional Properties* panel, choose *Add Property*.
 
     2.  Enter a key \(name\) or choose one from the dropdown menu and specify a value for the property. You can add as many properties as you need.
 

docs/1-connectivity-documentation/create-tcp-destinations-fe8306a.md

@@ -44,7 +44,7 @@ You have logged into the cockpit and opened the *Destinations* editor from your
 
 8.  \(Optional\) You can enter additional properties.
 
-    1.  In the *Additional Properties* panel, choose *New Property*.
+    1.  In the *Additional Properties* panel, choose *Add Property*.
 
     2.  Enter a key \(name\) or choose one from the dropdown menu and specify a value for the property. You can add as many properties as you need.
 

docs/1-connectivity-documentation/destination-service-rest-api-23ccafb.md

@@ -17,3 +17,5 @@ It shows all available endpoints, the supported operations, parameters, possible
 
 [Referring Resources Using the REST API](referring-resources-using-the-rest-api-78ba73a.md "Select a level for destinations and destination fragments when using the Destination service Consume REST API in a single-tenant or multi-tenant scenario.")
 
+[Calling the Destination Service REST API via IAS Token](calling-the-destination-service-rest-api-via-ias-token-ce25f2b.md "Find a step-by-step procedure to use an IAS token for calling available Destination service REST API endpoints.")
+

docs/1-connectivity-documentation/http-destinations-42a0e6b.md

@@ -9,14 +9,6 @@ Find information about HTTP destinations for Internet and on-premise connections
 
 
 
-<a name="loio42a0e6b966924f2e902090bdf435e1b2__section_N10024_N10011_N10001"/>
-
-## Destination Levels
-
-The runtime tries to resolve a destination in the order: *Subaccount Level* → *Service Instance Level*.
-
-
-
 <a name="loio42a0e6b966924f2e902090bdf435e1b2__section_ojj_f1p_slb"/>
 
 ## Destinations for Subscribed Applications