SAP HANA Cloud Connector

Prasenjit Paul

2014 IBM Corporation

Agenda
1.

What is SAP HANA Cloud Connector ?

2.

Advantages of SAP HANA Cloud Connector.

3.

Architecture : Connecting Cloud Applications to On-Premise Systems

4.

Install SAP HANA Cloud Connector

5.

Setup initial configuration of SAP HANA Cloud Connector.

6.

Connect On Premise System from SAP HANA Cloud via HTTP.

2014 IBM Corporation

What is SAP HANA Cloud Connector ?

SAP HANA Cloud connector serves as the link between on-demand applications in SAP HANA Cloud Platform and
existing on-premise systems.

It combines an easy setup with a clear configuration of the systems that are exposed to SAP HANA Cloud Platform.
In addition, the resources' availability can be controlled for the cloud applications in those systems.

The Cloud connector runs as on-premise agent in a secured network and acts as a reverse invoke proxy between
the on-premise network and SAP HANA Cloud Platform.

Due to its reverse invoke support, don't need to configure the on-premise firewall to allow external access from the
cloud to internal systems. The Cloud connector provides fine-grained control over:
On-premise systems and resources that shall be accessible by cloud applications;
loud applications that shall make use of the Cloud connector.

Cloud connector can be used in business critical enterprise scenarios. The tool takes care to automatically reestablish broken connections, provides audit logging of the inbound traffic and configuration changes, and can be
run in a high-availability setup.

2014 IBM Corporation

Advantages of SAP HANA Cloud Connector

Compared to the approach of opening ports in the firewall and using reverse proxies in the DMZ to establish access to
on-premise systems, the Cloud connector has the following advantages:
The firewall of the on-premise network does not have to open an inbound port to establish connectivity from SAP
HANA Cloud Platform to an on-premise system. In the case of allowed outbound connections, no modifications are
required.
The Cloud connector supports additional protocols, apart from HTTP. For example, the RFC protocol supports native
access to ABAP systems by invoking function modules.
The Cloud connector can be used to connect on-premise database, or BI tools to SAP HANA databases in the cloud.
That means, it also supports the opposite connection direction (from the on-premise system to the cloud).
The Cloud connector allows propagating identity of cloud users to on-premise systems in a secure way.
The Cloud connector is easy to install and configure, that is, it comes with a low TCO and fits well to cloud scenarios.
SAP provides standard support for it.

2014 IBM Corporation

Architecture : Connecting Cloud Applications to On-Premise Systems

2014 IBM Corporation

Install SAP HANA Cloud Connector on Microsoft Windows OS

Prerequisites
Downloaded either the ZIP archive or the MSI installer.
Install Microsoft Visual Studio C++ 2010 runtime libraries.
Install Java 6 or Java 7 or use sapjvm JDK
Procedure
Developer Scenario
i.Extract the <sapcc-<version>-windows-x64.zip> ZIP file to an arbitrary directory on your local file system.
ii.Change to this directory and start Cloud connector 2.x via the go.bat batch file.
iii.Continue with the Next Steps section.
Productive Scenario
Install by double-clicking on <sapcc-<version>-windows-x64.msi> installer.
Continue with the Next Steps section.
Next Steps

In a browser, enter: https://<hostname>:8443, where <hostname> is the host name of the machine on which you
have installed the Cloud connector. If you access the Cloud connector locally from the same machine, you can just
enter localhost.

2014 IBM Corporation

Install SAP HANA Cloud Connector

Initial Configuration

https://localhost:8443

Following steps below :

Log in
Change your password
Set up parameters and HTTPS proxy
Establish connections to SAP HANA Cloud Platform
Log in to the Cloud connector
In a Web browser, enter: https://<hostname>:<port>
( note : 8443 is default port and use localhost if
url open in same system where clouds connector is running )
For User Name / Password enter
Administrator / manage (case sensitive).
Choose between master and shadow installation. Use Master

2014 IBM Corporation

Install SAP HANA Cloud Connector ( contd.. )

Change your password

Change the password once login for first time.
Password can be changed again Administrator user from the
Settings menu:

2014 IBM Corporation

Install SAP HANA Cloud Connector ( contd.. )

After first log on, the Cloud connector collects the following required
information:
For Landscape Host, specify the SAP HANA Cloud Platform
landscape that should be used.
Enter registered Account Name, Account User and Password, of
SAP HANA Cloud Platform.
Optional: Define a Display Name, which allows to easily recognize
a specific account
Optional: Define a Location ID, which identifies the location of this
Cloud connector for a specific account
Enter proxy host and port.
Optionally: Provide a Description (free-text) for this Cloud
connector instance.
choose Apply.

2014 IBM Corporation

Install SAP HANA Cloud Connector ( contd.. )

To change proxy settings (for example, because the company
firewall rules have changed), choose the Settings menu in the
upper right corner. Some proxy servers require credentials for
authentication. In this case, need to provide the relevant
user/password information.

2014 IBM Corporation

Install SAP HANA Cloud Connector ( contd.. )

To change the description of Cloud connector, in the upper right
corner choose Settings, open the Connector Info section and edit
the description

2014 IBM Corporation

Install SAP HANA Cloud Connector ( contd.. )

To change the description for Cloud connector, in the upper

right corner choose Settings, open the Connector Info section
and edit the description.

2014 IBM Corporation

Install SAP HANA Cloud Connector - Establish connections to SAP HANA Cloud
Platform
Once the initial setup has been completed successfully,
the tunnel to the cloud endpoint is open (even though no
requests are allowed to pass until you have completed the
access control setup).
Click on Disconnect button (or the Connect button to
reconnect to SAP HANA Cloud Platform).
The yellow state icon and the text indicates that there is
still no resource exposed that could be used from a cloud
application. This requires additional configuration, which is
mentioned in the Related Information section.

2014 IBM Corporation

Install SAP HANA Cloud Connector - Establish connections to SAP HANA Cloud
Platform ( Contd.. )
The green icons next to Landscape Host and HTTPS
Proxy indicate that they both are valid and work properly.
In case of a timeout or a connectivity issue, the icon is
respectively yellow (warning) or red (error), and a tooltip
displays the cause of the problem.
The Account User is the user that has originally
established the tunnel. During a normal operation, this
user is no longer needed but some certificates,
exchanged during establishing a connection to an
account, are used instead

2014 IBM Corporation

Cloud Connector: Installation of a System Certificate for Mutual Authentication

Import an X.509 client certificate into the Cloud

connector.
This system certificate needs to be provided as
PKCS#12 file containing the client certificate, the
corresponding private key and the CA root
certificate that signed the client certificate (plus
potentially the certificates of any intermediate
CAs, if the certificate chain is longer than 2).

2014 IBM Corporation

Cloud Connector: Installation of a System Certificate for Mutual Authentication

If a system certificate has been imported successfully, its distinguished name, the name of the issuer, and
the validity dates are displayed:

16

2014 IBM Corporation

Cloud Connector: Configuring Access Control (HTTP)

Exposing Intranet Systems
To allow on-demand applications to access a certain back-end system on the intranet, need to insert an extra line into the
Cloud connector access control management.
Go to the Access Control tab page.
Choose Add.
Back-end Type: Select the description that best matches the addressed back-end system. This is important mainly for
metering information: tunnel connections to any kind of SAP system are free of charge, while using the tunnel for connecting
to a non-SAP system costs a fee. Furthermore, it will define, which steps the wizard will offer and which values are possible.
Protocol: This field allows to decide whether the Cloud connector should use HTTP or HTTPS for the connection to the
back-end system.
o If you specify HTTPS and there is a "system certificate" imported in the Cloud connector, the latter attempts to use
that certificate for performing a client-certificate-based login to the back-end system.
o If there is no system certificate imported, the Cloud connector opens an HTTPS connection without client certificate.

2014 IBM Corporation

Cloud Connector: Configuring Access Control (HTTP)

Internal Host and Internal Port specify the actual host and port under
which the target system can be reached within the intranet.
Virtual Host specifies the host name exactly as it is specified as the
URL property in the HTTP destination configuration in SAP HANA
Cloud Platform.
Principal Type defines what kind of principal is used when
configuring a destination on the cloud side using this system
mapping with authentication type Principal Propagation.
The summary shows information about the system to be stored

Optional: Edit such a system mapping (via Edit) to make the Cloud
connector route the requests for sales-system.cloud:443 to a different
back-end system.

2014 IBM Corporation

Cloud Connector: Configuring Access Control (HTTP)

Limiting the Accessible Services for HTTP(S)

In addition to allowing access to a particular host and port, also
need to specify which URL paths (Resources) are allowed to be
invoked on that host.
The Cloud connector uses very strict white-lists for its access
control, so only those URLs for which you explicitly granted
access are allowed.
All other HTTP(S) requests are denied by the Cloud connector.
To define the permitted URLs (Resources) for a particular backend system, choose the line corresponding to that back-end
system.
A dialog appears prompting you to enter the specific URL path
that you want to allow to be invoked.

2014 IBM Corporation

Cloud Connector: Configuring Access Control (HTTP)

Enabling/Disabling Resources On-the-Fly

.
In some
cases, it is useful for testing purposes to temporarily disable certain resources without having to
delete them from the configuration. This allows user to easily re-provide access to these resources at a later
point of time without having to type in everything once again.
To disable a resource, select it and choose the Disable button:
The traffic light turns red, and from now on, the Cloud connector will deny all requests coming in for this
resource.
The traffic light turns red, and from now on, the Cloud connector will deny all requests coming in for this
resource. To enable the resource again, select it and choose the Enable button.
It is also possible to mark multiple lines and then to disable/enable all of them in one go by clicking the
Enable/Disable buttons in the top row.

2014 IBM Corporation

Cloud Connector: Configuring Access Control (HTTP)

Examples:

/production/accounting and Path only (sub-paths are excluded) are selected. Only requests of the form GET
/production/accounting or GET /production/accounting?name1=value1&name2=value2... are allowed. (GET can also be
replaced by POST, PUT, DELETE, and so on.)
/production/accounting and Path and all sub-paths are selected. All requests of the form GET /production/accountingplus-some-more-stuff-here?name1=value1... are allowed.
/ and Path and all sub-paths are selected. All requests to this server are allowed.

21

2014 IBM Corporation

 2014 IBM Corporation