SAP HANA Cloud connector – Operator's Guide Page 1
SAP HANA Cloud Connector 2.x
Operator's Guide Version 1.0
February 2014
1 INTRODUCTION
1.1 TARGET AUDIENCE
1.2 ADDITIONAL INFORMATION
2 SYSTEM REQUIREMENTS
2.1 HARDWARE REQUIREMENTS
2.2 SOFTWARE REQUIREMENTS
2.3 SUPPORTED BROWSERS
2.4 CLOUD CONNECTOR SOFTWARE DOWNLOAD
2.5 FREE DISK SPACE
2.5.1 Installation size
2.5.2 Additional disk space for log and configuration files
3 NETWORK ZONES
4 CLOUD CONNECTOR ON MICROSOFT WINDOWS
4.1 INSTALLATION
4.2 UPGRADE
4.3 UNINSTALLATION
4.4 STARTING THE CLOUD CONNECTOR
5 CLOUD CONNECTOR ON LINUX
5.1 INSTALLATION
5.2 UPGRADE
5.3 UNINSTALLATION
5.4 STARTING THE CLOUD CONNECTOR
6 CLOUD CONNECTOR ADMINISTRATION
6.1 OPERATING SYSTEM ACCESS AND CONFIGURATION
6.2 CONFIGURING A TRUSTED CERTIFICATE FOR THE ADMINISTRATION UI
6.3 BASIC CONFIGURATION
6.4 CONNECTING AND DISCONNECTING A CLOUD ACCOUNT
6.5 CONFIGURING ACCESSIBLE RESOURCES
6.6 CONFIGURING TRUST BETWEEN CLOUD CONNECTOR AND ON-PREMISE SYSTEMS
6.7 CONFIGURING NAMED CLOUD CONNECTOR ADMINISTRATOR USERS
6.8 USING THE AUDIT LOG
6.9 AUTHENTICATING USERS FOR ON-PREMISE SYSTEMS
7 GUIDELINES FOR SECURE OPERATION OF THE CLOUD CONNECTOR
8 MONITORING
9 SUPPORTABILITY
10 RELEASE AND MAINTENANCE STRATEGY
11 PROCESS GUIDELINES FOR HYBRID SCENARIOS
11.1 DOCUMENT LANDSCAPE OF HYBRID SOLUTION
11.2 DOCUMENT ADMINISTRATOR ROLES
11.3 DOCUMENT COMMUNICATION CHANNELS
11.4 DEFINE PROJECT AND DEVELOPMENT GUIDELINES
11.5 DEFINE PROCESS OF HOW TO SET A CLOUD APPLICATION LIVE
1 Introduction
SAP HANA Cloud connector is an on-premise agent that runs in the customer network and takes care of
securely connecting cloud applications running on SAP HANA Cloud Platform with services and systems of the
customer network. It is used to implement hybrid scenarios in which cloud applications require point-to-point
integration with existing services or applications in the customer network. The following diagram shows a
high-level picture of the landscape.
This document is a guide for IT administrators on how to set up, configure, securely operate and protect
SAP HANA Cloud connector version 2.x in productive scenarios.
This Operator's guide is structured as follows:
• System requirements for the Cloud connector
  This section provides an overview of the minimal and recommended system requirements needed to
  install and run the Cloud connector.
• Installation, upgrade and uninstallation of the Cloud connector (on Windows or Linux operating
  systems)
  This section describes the lifecycle management operations of the Cloud connector, i.e. how to install,
  upgrade and uninstall it, as well as how to start the Cloud connector process after installation.
• Administration and configuration of the Cloud connector
  This section provides an overview of how to administrate and configure the Cloud connector and how
  to securely operate it. For example, how to configure on-premise resources which shall be accessible
  to the related cloud account, how to configure trust between the Cloud connector and an on-premise
  system, how to configure named administrator users for the Cloud connector administration, and so
  on.
• Guidelines for secure operation of the Cloud connector
  This section briefly summarizes all guidelines and recommendations for a secure setup of the Cloud
  connector as they are relevant for productive scenarios. It also provides references to the individual
  sections of this operator's guide where the related topics are described in more detail.
• Monitoring
  This section provides an overview of how to monitor the Cloud connector-based connectivity to the
  cloud and describes high-availability features of the Cloud connector.
• Supportability
  This section provides an overview of supportability in case of issues with the Cloud connector.
• Maintenance and release strategy
  This section describes the maintenance and release strategy of the Cloud connector, how new patches
  or new versions are released, and where to find information about new releases.
• Process guidelines for hybrid scenarios
  This section provides process guidelines which help to manage and operate hybrid scenarios.
1.1 Target Audience
System administrators, IT administrators, cloud account administrators.
1.2 Additional Information
This document focuses on the operational aspects of the Cloud connector. It does not give a general overview
of the SAP HANA Cloud Platform and its connectivity service, nor does it address development-related
questions such as how an application which needs connectivity is implemented.
For additional information on specific topics, see the following online resources:
• SAP HANA Cloud Platform documentation:
  https://help.hana.ondemand.com
• SAP HANA Cloud Platform connectivity service documentation:
  https://help.hana.ondemand.com/help/frameset.htm?e54cc8fbbb571014beb5caaf6aa31280.html
• SAP HANA Cloud connector documentation:
  https://help.hana.ondemand.com/help/frameset.htm?e6c7616abb5710148cfcf3e75d96d596.html
• SAP HANA Cloud Platform release notes: http://scn.sap.com/docs/DOC-28833
• SAP Community Network: http://scn.sap.com/community/developer-center/cloud-platform
• SAP security: https://service.sap.com/security
• SAP security guides, network security: https://service.sap.com/securityguide
• SAP HANA Cloud Platform openSAP course:
  https://open.sap.com/course/hanacloud1
  http://scn.sap.com/community/developer-center/cloud-platform/blog/2014/01/08/videos-of-opensap-course-introduction-to-sap-hana-cloud-platform
• Registration for free SAP HANA Cloud Platform account:
  https://account.hanatrial.ondemand.com
2 System Requirements
This section describes the hardware and software requirements needed to install and run the Cloud connector.
2.1 Hardware Requirements
                  Minimum                                              Recommended
CPU               Single core 3 GHz, x86-64 architecture compatible    Dual core 2 GHz, x86-64 architecture compatible
Memory (RAM)      1 GB                                                 4 GB
Free disk space   1 GB                                                 20 GB
2.2 Software Requirements
Operating System                                              Architecture
Windows 7, Windows Server 2008 R2                             x86_64
SUSE Linux Enterprise Server 11, Redhat Enterprise Linux 6    x86_64
2.3 Supported Browsers
The browsers that can be used for the Cloud connector Administration UI are the ones supported by SAP UI5.
Currently these are the following:
• Internet Explorer 9 or higher
• Mozilla Firefox 10 and latest version
• Safari 5.1 and higher
• Google Chrome (latest versions)
An up-to-date list of the supported SAP UI5 browsers can be found here:
https://help.hana.ondemand.com/help/frameset.htm?91f072cf6f4d1014b6dd926db0e91070.html
2.4 Cloud Connector Software Download
The Cloud connector can be downloaded from the Cloud Tools page.
2.5 Free Disk Space
2.5.1 Installation size
To download and install a new Cloud connector server, the following minimum of free disk space is required:
• Size of downloaded Cloud connector installation file (ZIP, TAR, MSI files): 50 MB
• Newly installed Cloud connector server: 70 MB
• Total: 120 MB as a minimum
2.5.2 Additional disk space for log and configuration files
The Cloud connector writes configuration files, audit log files and trace files at runtime. The recommendation is
to reserve between 1 and 20 GB of disk space for those files.
Trace and log files are written to <scc_dir>/log within the Cloud connector root directory.
ljs_trace.log contains traces in general; communication payload traces are stored in
traffic_trace_trc. They are used in support cases to analyze potential issues. The default trace level is
set to Information, where the amount of written data is in the range of a few KB each day. You can turn off
these traces to save disk space. However, it is not recommended to turn off this trace completely, but to leave
it with the default settings to allow root cause analysis in case an issue occurs. If the trace level is increased to
All, the amount of data can easily reach the range of several GB per day. We recommend that you only use
trace level All for analyzing a particular issue. Payload trace, however, should normally be turned off and only
turned on in case of certain issues, to support analysis by SAP support.
From an operations perspective, we recommend that you back up or delete written trace files regularly in order to
clean up the used disk space.
Audit log files are written to log/audit/<account-name>/audit-log_<account-name>_<date>.csv
within the Cloud connector root directory. By default, only security-related events are written to the audit
log. The Cloud connector administrator can change the audit log level using the administration UI as described
here: https://help.hana.ondemand.com/help/frameset.htm?2264c7002f844fe4833186a1d168de66.html
To be compliant with the regulatory requirements of your organization and the regional laws, the audit log files
must be persisted for a certain period of time for traceability purposes. Therefore it is recommended to back
up the audit log files regularly from the Cloud connector file system and to keep the backup for a period
of time that fits those rules.
3 Network Zones
Usually a customer network is divided into multiple network zones or sub-networks according to the security
level of the contained components. There is, for instance, the DMZ that contains and exposes the
external-facing services of an organization to an untrusted network, usually the Internet, and there are one or
multiple other network zones which contain the components and services provided in the company's intranet.
Generally, customers can choose in which network zone of their network the Cloud connector should be set up.
Technical prerequisites for the Cloud connector to work properly are:
• Cloud connector must have internet access to the SAP HANA Cloud Platform landscape host, either
  directly or via HTTPS proxy.
• Cloud connector must have direct access to the internal systems it shall provide access to. That means
  there must be transparent connectivity between the Cloud connector and the internal system.
Depending on the needs of the project, the Cloud connector can be either set up in the DMZ and operated
centrally by the IT department, or set up in the intranet and operated by the line of business.
4 Cloud Connector on Microsoft Windows
Currently the following Windows operating system versions are supported by the Cloud connector: Windows 7
64-bit and Windows Server 2008 R2 64-bit. This section describes how to install, upgrade, uninstall and
start/stop the Cloud connector process on Windows operating systems.
4.1 Installation
Detailed documentation on how to install the Cloud connector on Microsoft Windows can be found here:
https://help.hana.ondemand.com/help/frameset.htm?204aaad4270245f3baa0c57c8ab1dd60.html
NOTE: The Windows MSI installer must be used for productive scenarios, as only then the Cloud connector gets
registered as a Windows service.
4.2 Upgrade
Detailed documentation on how to upgrade the Cloud connector on Microsoft Windows can be found here:
https://help.hana.ondemand.com/help/frameset.htm?7a7cc373019b4b6eaab39b5ab7082b09.html
4.3 Uninstallation
Detailed documentation on how to uninstall the Cloud connector on Microsoft Windows can be found here:
https://help.hana.ondemand.com/help/frameset.htm?d53395c4692c427881220c161ba51732.html
4.4 Starting the Cloud Connector
After the installation, the Cloud connector is registered as a Windows service which is configured to be started
automatically. With this configuration, the Cloud connector process will be started automatically after a reboot
of the system. You can start and stop the service via shortcuts created on the desktop ("Start SAP HANA
Cloud connector 2.0" and "Stop SAP HANA Cloud connector 2.0"), or by using the Windows
Services manager and looking for the service SAP HANA Cloud connector 2.0.
Once started, the Cloud connector administration UI can be accessed at https://localhost:<port>, where the
default port is 8443 (this port could have been modified during the installation).
5 Cloud Connector on Linux
Currently the following Linux versions are supported by the Cloud connector: SUSE Linux Enterprise Server 11
64-bit and Redhat Enterprise Linux 6 64-bit. This section describes how to install, upgrade, uninstall and
start/stop the Cloud connector process on Linux operating systems.
5.1 Installation
Detailed documentation on how to install the Cloud connector on Linux can be found here:
https://help.hana.ondemand.com/help/frameset.htm?f069840fa34c4196a5858be33a2734ea.html
NOTE: For productive scenarios, the Cloud connector Linux RPM installer must be used, as only then the Cloud
connector will be registered as a daemon process.
5.2 Upgrade
Detailed documentation on how to upgrade the Cloud connector on Linux can be found here:
https://help.hana.ondemand.com/help/frameset.htm?7a7cc373019b4b6eaab39b5ab7082b09.html
5.3 Uninstallation
Detailed documentation on how to uninstall the Cloud connector on Linux can be found here:
https://help.hana.ondemand.com/help/frameset.htm?d53395c4692c427881220c161ba51732.html
5.4 Starting the Cloud Connector
After installing the Cloud connector via RPM manager, the Cloud connector process is started automatically
and registered as a daemon process, which takes care of restarting the Cloud connector automatically after a
reboot of the system.
To start/stop/restart the process explicitly, you can open a command shell and use the following commands,
which require root permissions:
service scc_daemon stop|restart|start|status
6 Cloud Connector Administration
6.1 Operating System Access and Configuration
As the Cloud connector is a security-critical component enabling external access to systems of an isolated
network, similar to a reverse proxy in a DMZ, we recommend that you restrict the access to the operating
system on which the Cloud connector is installed to the minimal set of users who shall administrate the system.
This will minimize the risk of unauthorized people accessing the Cloud connector system and trying to modify
or damage a running Cloud connector instance.
We also recommend that you use hard-drive encryption for the Cloud connector system. This ensures that the
Cloud connector configuration data cannot be read by unauthorized users, even if they obtain access to the
hard drive.
6.2 Configuring a Trusted Certificate for the Administration UI
After a new installation, the Cloud connector provides a self-signed X.509 certificate used for the SSL
communication between the Cloud connector Administration UI running in a Web browser and the Cloud
connector process itself. For security reasons, this certificate should be replaced for productive scenarios with a
certificate trusted by your organization. To learn in detail how to do this, read this page:
https://help.hana.ondemand.com/help/frameset.htm?bcd5e113c9164ae8a443325692cd5b12.html
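A check an operator can run after replacing the certificate, given here as an added example that is not part of the original guide: it reads the certificate served on the administration UI port (8443 by default, see section 4.4) and reports whether it is still self-signed or close to expiry. It relies on the openssl command-line tool; the function names and the 30-day threshold are assumptions.

```shell
#!/bin/sh
# Added example: flag an administration UI certificate that is still self-signed
# or close to expiry. Function names and the 30-day threshold are assumptions.

# fetch_ui_cert HOST PORT
# Prints the certificate presented by the administration UI in PEM form.
fetch_ui_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# cert_is_self_signed PEM_FILE
# Exit 0 if subject and issuer DN are identical, 1 if they differ,
# 2 if the file cannot be parsed as a certificate.
cert_is_self_signed() {
    cis_subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
               sed 's/^subject= *//')
    cis_issr=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 2>/dev/null |
               sed 's/^issuer= *//')
    if [ -z "$cis_subj" ] || [ -z "$cis_issr" ]; then
        return 2
    fi
    [ "$cis_subj" = "$cis_issr" ]
}

# check_admin_ui_cert PEM_FILE WARN_DAYS
# Prints "ok", "unreadable", or a comma-separated list of findings.
check_admin_ui_cert() {
    cac_findings=""
    cac_rc=0
    cert_is_self_signed "$1" || cac_rc=$?
    case $cac_rc in
        0) cac_findings="self-signed" ;;
        2) echo "unreadable"; return 2 ;;
    esac
    # -checkend exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        cac_findings="${cac_findings:+$cac_findings,}expires-within-${2}d"
    fi
    echo "${cac_findings:-ok}"
}

# Stand-alone use: sh check_ui_cert.sh localhost 8443
if [ $# -eq 2 ]; then
    cac_pem=$(mktemp) && fetch_ui_cert "$1" "$2" > "$cac_pem" &&
        check_admin_ui_cert "$cac_pem" 30
    rm -f "$cac_pem"
fi
```

Identical subject and issuer is also true of a private root CA certificate, so a "self-signed" finding means the served certificate was not issued by a separate authority, not that it is necessarily the installation default.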
6.3 Basic Configuration
The basic configuration steps for the Cloud connector consist of:
• Changing the initial password for the built-in Administrator user
• Connecting the Cloud connector against a cloud account
A detailed documentation of these two steps can be found here:
https://help.hana.ondemand.com/help/frameset.htm?db9170a7d97610148537d5a84bf79ba2.html
You are forced to change the initial password to a specific one immediately after installation. The Cloud
connector itself does not check the strength of the password, i.e. the Cloud connector administrators should
voluntarily choose a strong password that cannot be guessed easily.
6.4 Connecting and Disconnecting a Cloud Account
The major principle for the connectivity established by the Cloud connector is that the Cloud connector
administrator should have full control over the connection to the cloud, i.e. they should be able to decide if and
when the Cloud connector needs to be connected to the cloud at all, to which accounts it shall be connected,
and which on-premise systems and resources shall be accessible to applications of the connected account.
Using the administration UI, the Cloud connector administrator can connect and disconnect the Cloud
connector to the configured cloud account. Once disconnected, there is no communication possible, neither
between the cloud account and the Cloud connector nor to the internal systems. The connection state can be
verified and changed by the Cloud connector administrator on the Account Dashboard tab of the UI, as
shown in the following screenshot.
It is important to note that once the Cloud connector is newly installed and connected to a cloud account, still
none of the systems available in the customer network are accessible to the applications of the related cloud
account. The systems and resources that shall be made accessible must be configured explicitly in the Cloud
connector one by one, as described in section 6.6.
Effective Cloud connector version 2.2.0, a single Cloud connector instance can be connected to multiple
accounts in the cloud. This is useful especially for customers who need multiple accounts to structure their
development or to stage their cloud landscape into development, test and production. These customers have
the option to use a single Cloud connector instance for multiple accounts of theirs. Nevertheless, it is
recommended not to use accounts running productive scenarios and accounts used for development or test
purposes within the same Cloud connector. A cloud account can be added to or deleted from a Cloud
connector on the Account Dashboard using the Add... and Delete buttons (see screenshot above).
A detailed description of how to add, delete, connect or disconnect accounts can also be found here:
https://help.hana.ondemand.com/help/frameset.htm?f16df12fab9f4fe1b8a4122f0fd54b6e.html
6.5 Configuring Accessible Resources
After a new Cloud connector installation in a network, no systems or resources of the network have been
exposed to the cloud yet. The Cloud connector administrator must configure each system and resource that
shall be used by applications of the connected cloud account in the Access Control view of the Cloud
connector, as shown in the following screenshot.
Any type of system that can be called via one of the supported protocols (currently HTTP and RFC) is
supported, i.e. both SAP and non-SAP systems. As an example, a convenient way to access an ABAP system
in a cloud application is to do this via SAP NetWeaver Gateway, as it allows consumption of ABAP content via
HTTP and open standards.
Detailed documentation on how HTTP resources are configured can be found here:
https://help.hana.ondemand.com/help/frameset.htm?e7d4927dbb571014af7ef6ebd6cc3511.html
Detailed documentation on how RFC resources are configured can be found here:
https://help.hana.ondemand.com/help/frameset.htm?ca5868997e48468395cf0ca4882f5783.html
We recommend that you narrow the access to only those backend services and resources that are explicitly
needed by the cloud applications. Instead of configuring, for example, a system and granting access to all its
resources, we recommend that you only grant access to the concrete resources which are needed by the cloud
application. For example, define access to an HTTP service by specifying the service URL root path and allowing
access to all its sub-paths.
When configuring an on-premise system, it is possible to define a virtual host and port for the specified system,
as shown in the screenshot below. The virtual host name and port represent the fully-qualified domain name of
the related system in the cloud. We recommend that you use the virtual host name/port mapping in order to
prevent information about the physical machine name and port of an on-premise system, and thus
about your internal network infrastructure, from being published to the cloud.
6.6 Configuring Trust between Cloud Connector and On-Premise Systems
For secure communication between the Cloud connector and the used on-premise systems, it is recommended
to use encrypted protocols like HTTPS and RFC over SNC, and to set up a trust relationship between the Cloud
connector and the on-premise systems by exchanging certificates.
When using HTTPS as protocol, a trust relationship can be set up by configuring the so-called system certificate
in the Cloud connector. A system certificate is an X.509 certificate which represents the identity of the Cloud
connector instance and is used as a client certificate in the HTTPS communication between the Cloud
connector and the on-premise system. The used on-premise system should be configured to validate the
system certificate of the Cloud connector to ensure that only calls from trusted Cloud connectors are accepted.
A detailed documentation on how to use and configure the system certificate for a Cloud connector can be
found here: https://help.hana.ondemand.com/help/frameset.htm?3f974eae3cba4dafa274ec59f69daba6.html
Analogously, SNC can be configured for secure RFC communication to an ABAP backend as described here:
https://help.hana.ondemand.com/help/frameset.htm?f09eefe71d1e4d4484e1dd4b121585fb.html
6.7 Configuring Named Cloud Connector Administrator Users
We recommend that you configure LDAP-based user management for the SAP HANA Cloud Connector
Administration UI so that only named administrator users can log on to the administration UI. This is important
to guarantee traceability of the Cloud connector configuration changes via the Cloud connector audit log. With
the default and built-in Administrator user, it is not possible to identify the physical person who has made a
possibly security-sensitive configuration change in the Cloud connector.
If you have an LDAP server in your landscape, you can configure the Cloud connector to authenticate Cloud
connector administrator users against the LDAP server. Valid administrator users must belong to the user group
named admin or sccadmin. Documentation on how to configure an LDAP server can be found here:
https://help.hana.ondemand.com/help/frameset.htm?120ceecfd84145a181ac160d588a7a3d.html
Once an LDAP has been configured for the authentication of the Cloud connector, the default Administrator
user will be inactive and can't be used anymore to log on to the Cloud connector.
6.8 Using the Audit Log
Audit logging is a critical element of an organization's risk management strategy. The Cloud connector provides
audit logging for the complete record of access between cloud and Cloud connector, as well as of configuration
changes done in the Cloud connector. The written audit log files are digitally signed by the Cloud connector so
that their integrity can be checked by the Cloud connector auditor tool as described here:
https://help.hana.ondemand.com/help/frameset.htm?2264c7002f844fe4833186a1d168de66.html
The audit log data of the Cloud connector can be used to alert Cloud connector administrators to unusual or
suspicious network and system behavior. Additionally, the audit log data can provide auditors with information
required to validate security policy enforcement and proper segregation of duties. IT staff can use the audit log
data for root-cause analysis following a security incident.
Information on how to configure and use the audit logging in the Cloud connector administrator UI can be found
here: https://help.hana.ondemand.com/help/frameset.htm?2264c7002f844fe4833186a1d168de66.html
We recommend that you switch on audit logging of the Cloud connector permanently in productive scenarios
and set it to All (the default configuration is Security). This way, the audit log files can be used to detect
attacks, for example by a malicious cloud application that tries to access on-premise services without
permission, or in a forensic analysis of a security incident.
It is further recommended to copy the audit log files of the Cloud connector regularly to an external persistent
storage according to your local regulations. The audit log files can be found in the Cloud connector root
directory under the following location: log/audit/<account-name>/audit-log_<timestamp>.csv
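Sections 2.5.2 and 6.8 both ask for audit logs to be copied off the Cloud connector host regularly and for old trace files to be cleaned up. The following shell functions show one way to do that; they are an added example, not part of the original guide or of SAP's tooling. They assume the directory layout given above; the function names, the backup destination and the trace file patterns (*.trc, *.log) are assumptions.

```shell
#!/bin/sh
# Added example: archive Cloud connector audit logs and prune old trace files.
# Assumed layout (from the guide): <scc_dir>/log/audit/<account-name>/audit-log_*.csv
# Function names, backup destination and trace patterns are assumptions.

# archive_audit_logs SCC_DIR DEST
# Copies every audit log to DEST/<account-name>/ and never deletes the source.
# A log that has only grown since the last run replaces its backup. A log whose
# earlier content changed or shrank is stored beside the backup as
# *.conflict-<time>, and the existing backup is left untouched.
# Prints "<copied> <conflicts>".
archive_audit_logs() {
    aal_scc=$1; aal_dest=$2; aal_copied=0; aal_conflicts=0
    for aal_src in "$aal_scc"/log/audit/*/audit-log_*.csv; do
        [ -f "$aal_src" ] || continue                    # glob matched nothing
        aal_account=$(basename "$(dirname "$aal_src")")
        aal_target="$aal_dest/$aal_account/$(basename "$aal_src")"
        mkdir -p "$aal_dest/$aal_account" || return 1
        if [ -f "$aal_target" ]; then
            cmp -s "$aal_src" "$aal_target" && continue  # already archived
            # The old backup must be a byte-for-byte prefix of the current log.
            aal_size=$(( $(wc -c < "$aal_target") ))
            if ! head -c "$aal_size" "$aal_src" | cmp -s - "$aal_target"; then
                cp -p "$aal_src" \
                   "$aal_target.conflict-$(date +%Y%m%d%H%M%S)" || return 1
                aal_conflicts=$((aal_conflicts + 1))
                continue
            fi
        fi
        # Copy to a temporary name, verify, then rename into place.
        cp -p "$aal_src" "$aal_target.tmp" || return 1
        if ! cmp -s "$aal_src" "$aal_target.tmp"; then
            rm -f "$aal_target.tmp"
            return 1
        fi
        mv "$aal_target.tmp" "$aal_target" || return 1
        aal_copied=$((aal_copied + 1))
    done
    echo "$aal_copied $aal_conflicts"
}

# prune_traces SCC_DIR DAYS
# Deletes trace files (*.trc, *.log) under SCC_DIR/log that were last modified
# more than DAYS days ago. The audit subdirectory is excluded from the search,
# so audit logs are never removed. Prints the number of deleted files.
prune_traces() {
    pt_log=$1/log; pt_days=$2
    pt_n=$(find "$pt_log" -path "$pt_log/audit" -prune -o \
               -type f \( -name '*.trc' -o -name '*.log' \) \
               -mtime +"$pt_days" -print |
           while IFS= read -r pt_file; do
               rm -f -- "$pt_file" && echo x
           done | wc -l)
    echo $((pt_n))
}

# Stand-alone use (e.g. from cron): sh scc_housekeeping.sh <scc_dir> <backup_dir>
if [ $# -eq 2 ]; then
    archive_audit_logs "$1" "$2"
    prune_traces "$1" 7
fi
```

A non-zero conflict count means an audit log no longer starts with the content that was archived earlier, which is worth investigating before the next retention cycle.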
6.9 Authenticating Users for On-Premise Systems
Currently the Cloud connector supports basic authentication and principal propagation as user authentication
types towards internal systems. The destination configuration of the used cloud application defines which of
these types is used for the actual communication to an on-premise system through the Cloud connector.
(Details: https://help.hana.ondemand.com/help/frameset.htm?e4f1d97cbb571014a247d10f9f9a685d.html)
In case basic authentication is used, the on-premise system must be configured to accept basic authentication
and to provide one or multiple service users. No additional steps are needed in the Cloud
connector for this authentication type.
In case principal propagation is used, the Cloud connector administrator has to explicitly configure trust to
those cloud entities from which user tokens are accepted as valid. This can be done in the Trust view of the
Cloud connector and is described in more detail here:
https://help.hana.ondemand.com/help/frameset.htm?a4ee70f0274248f8bbc7594179ef948d.html
7 Guidelines for Secure Operation of the Cloud Connector
The following table summarizes the guidelines and recommendations for a secure setup and operation of the
Cloud connector in a productive scenario.

1  Activity: Restrict OS level access to the Cloud connector
   Recommendation: Restrict the access to the Cloud connector operating system to the users who should
   administrate the Cloud connector.
   Reference: section 6.1

2  Activity: Use hard drive encryption for the Cloud connector operating system
   Recommendation: Use hard drive encryption to avoid unauthorized access to the Cloud connector
   configuration data and credentials in case the hard disk gets stolen.
   Reference: section 6.1

3  Activity: Change password of built-in Administrator user immediately after installation and choose a
   strong password
   Recommendation: Cloud connector administrator should change the initial password "manage" to a strong
   password that cannot be easily guessed.
   Reference: section 6.3

3  Activity: Authenticate with named users to the Cloud connector Administrator UI
   Recommendation: Configure an LDAP system in the Cloud connector and work with named administrator
   users to have better traceability.
   Reference: section 6.7

4  Activity: Change default X.509 certificate of Cloud connector Administration UI
   Recommendation: The self-signed certificate provided by the Cloud connector after a new installation
   shall be changed to an own certificate to increase the security of the SSL communication between the
   Cloud connector administration UI and the Cloud connector server itself, and to avoid security warnings
   of the browser when connecting to the administration UI.
   Reference: section 6.2

5  Activity: Use HTTPS and System Certificate or RFC via SNC for communication from Cloud connector to
   backend
   Recommendation: For communication between Cloud connector and the backend systems, as well as to
   authenticate a Cloud connector against the backend systems, we recommend that you use HTTPS and a
   system certificate, or RFC over SNC.
   Reference: section 6.6

6  Activity: Use host name mapping of exposed backend systems
   Recommendation: When configuring the access to an internal system in the Access Control configuration
   of the Cloud connector, we recommend that you use the virtual host name mapping in order to not expose
   physical host names of systems of the on-premise network to the cloud.
   Reference: section 0

7  Activity: Narrow access to backend systems to required services
   Recommendation: When configuring the access to an internal system in the Access Control view of the
   Cloud connector, we recommend that you restrict the system access to those resources which are required
   by the cloud applications. Do not expose the complete system just to save some configuration work.
   Reference: section 0

8  Activity: Switch on audit logging in Cloud connector to All
   Recommendation: To recognize attempts of attackers to get unauthorized access to the Cloud connector,
   and to have full traceability of the communication and the configuration changes, we recommend that you
   switch on the audit log to All.
   Reference: section 6.8

9  Activity: Copy and persist audit log files of Cloud connector regularly
   Recommendation: The Cloud connector audit log files shall be copied regularly from the Cloud connector
   machine to an external persistent storage and kept for a certain period of time according to the
   regulatory requirements.
   Reference: section 6.8, section 2.5.2

10 Activity: Clean up Cloud connector traces regularly and set default trace level to Information
   Recommendation: Cloud connector trace files should be deleted regularly in order to clean up disk space.
   Except for error analysis, the trace level of the Cloud connector should not be set to a level higher
   than Information in regular operation. Traces created for analysis of an issue with trace level All
   should be deleted immediately after the issue has been resolved.
   Reference: section 2.5.2
8 Monitoring
To verify that a Cloud connector is up and running, the simplest way is to try to access its administration UI. If
the UI can be opened in a Web browser, the Cloud connector process is running.
On Windows operating systems, the Cloud connector process is registered as a Windows service which is
configured to start automatically after a new Cloud connector installation. In case the machine gets rebooted,
the Cloud connector process should then be auto-restarted immediately. You can check the state with the
following command: sc query "SAP HANA Cloud connector 2.0". The line state shows the state of the
service.
On Linux operating systems, the Cloud connector is registered as a daemon process and gets restarted
automatically each time the Cloud connector process is down, for example after a reboot of the whole system. The
daemon state can be checked with: service scc_daemon status
To verify whether a Cloud connector is connected to a certain cloud account, log on to the Cloud connector
Administration UI and go to the Accounts Dashboard, where the connection state of the connected
accounts is visible, as described in section 6.4.
9 Supportability
In case of issues with the Cloud connector, SAP customers and partners can create OSS tickets under the
component BC-MID-SCC. The general SAP SLAs in regards of OSS processing time also apply for SAP HANA
Cloud Platform and the Cloud connector. To avoid unnecessary answer/response cycles in the support case, we
recommend that you download the logs of the corresponding Cloud connector using the Download button on
the Logs view and attach the respective log file(s) to the OSS ticket directly when creating it. In case the
issue is easily reproducible, re-execute it at Log Level 'All' before creating the archive.
10 Release and Maintenance Strategy
As for all components of SAP HANA Cloud Platform, new releases of the Cloud connector are available on the
Cloud Tools page. As SAP HANA Cloud Platform releases in a bi-weekly cycle, new releases of the Cloud
connector could occur every other week, although the actual releases will be less frequent (new releases are
shipped when new features or important bug fixes are to be delivered).
Cloud connector versions follow the <major>.<minor>.<micro> versioning schema. Within a major
version, the Cloud connector will stay fully compatible. Within a minor version, the Cloud connector will stay
with the same feature set, and higher minor versions usually support additional features compared to lower
minor versions. Micro versions are increased to release patches of a <major>.<minor> version in order to
deliver bug fixes.
For each supported major version of the Cloud connector, only one <major>.<minor>.<micro> version
will be provided and supported on the Cloud Tools page. This means that users have to upgrade their existing
Cloud connectors in order to get a patch for a bug or to make use of new features.
New versions of the Cloud connector are announced in the Release Notes of SAP HANA Cloud Platform. We
recommend that Cloud connector administrators regularly check the release notes for Cloud connector
updates. New versions of the Cloud connector can be applied by using the Cloud connector upgrade
capabilities as outlined in sections 4.2 and 5.2 above. We recommend that you apply an upgrade first in the
Cloud connector test landscape to validate that the running applications are working, and then continue with
the productive landscape.
When updates are applied on the cloud, operations continuity of existing Cloud connectors and their connections
is assured by the platform, i.e. users do not have to perform manual actions in the Cloud connector when the
cloud side gets updated.
11 Process Guidelines for Hybrid Scenarios
The following chapter provides process guidelines that help you to manage productive hybrid scenarios in
which applications running on SAP HANA Cloud Platform require access to on-premise systems.
11.1 Document Landscape of Hybrid Solution
To have an overview of the cloud and on-premise landscape relevant for your hybrid scenario, we recommend
that you document the used cloud accounts, their connected Cloud connectors and the used on-premise
backend systems in landscape overview diagrams. Document the account names, the purpose of the accounts
(dev, test, prod), information of the Cloud connector machines (host, domains), the URLs of the Cloud
connectors in the landscape overview document, and possibly more details.
An example of landscape overview documentation could look like this:
11.2 Document Administrator Roles
It is recommended to document which users have administrator access to the cloud accounts, to the Cloud
connector operating system and to the Cloud connector Administration UI.
An example of such administrator role documentation could look like the following sample table:
Resource john@acme.com marry@acme.com pete@acme.com greg@acme.com
Cloud Account (CA) Dev1 x
CA Dev2 X
CA Test x X
CA Prod X
Cloud connector Dev 1 + 2 x x
Cloud connector Test x X
Cloud connector Prod X
Cloud connector Dev 1 + 2 file system
Cloud connector Test file system x X
Cloud connector Prod file system X
11.3 Document Communication Channels
It is recommended to create and document separate email distribution lists for both the cloud account
administrators and the Cloud connector administrators.
An example of the documented communication channels could look like this:
| Landscape | Distribution List |
| Cloud Account Administrators | DL ACME HCP Account Admins |
| Cloud connector Administrators | DL ACME Cloud connector Admins |
11.4 Define Project and Development Guidelines
It is recommended to define and document mandatory project and development guidelines for your SAP HANA
Cloud Platform projects. An example of such a guideline could look like the following:
For every SAP HANA Cloud Platform project of your organization, the following requirements are mandatory:
• Usage of Maven, Nexus, Git-&-Gerrit for the application development
• Alignment with accountable manager in projects (name: Flora Miller)
• Alignment with accountable security officer in projects (name: Pete Johnson)
• For externally developed source code, a hand over to your organization is required
• Fulfill the connection restrictions in a 3 system landscape, i.e. usage of staged landscape for dev, test
and prod, and e.g. dev landscape only connects to dev systems etc.
• Productive accounts do not use the same Cloud connector as a dev or test account
11.5 Define Process of how to Set a Cloud Application Live
It is recommended to define and document the process of how to set a cloud application live and how to
configure needed connectivity for such an application.
For example, the following processes could be seen as relevant and should be defined and documented in more
detail:
1. Transferring application to production: This process defines the steps which are necessary for transferring
an application to the productive status on the SAP HANA Cloud Platform.
2. Application Connectivity: This process defines the steps which are necessary to add a connectivity
destination to a deployed application for connections to other resources in the test or productive
landscape.
3. Cloud Connector Connectivity: This process defines the steps which are necessary to add an on-premise
resource to the SAP HANA Cloud connector in the test or productive landscapes to make it available for the
connected cloud accounts.
4. On-premise System Connectivity: This process defines the steps which are necessary to set up a trust
relationship between an on-premise system and the SAP HANA Cloud connector, and to configure user
authentication and authorization in the on-premise system in the test or productive landscapes.
5. Application Authorization: This process defines the steps which are necessary to request and assign an
authorization which is available inside the SAP HANA Cloud application to a user in the test or productive
landscapes.
6. Administrator Permissions: This process defines the steps which are necessary to request and assign the
administrator permissions in a cloud account to a user in the test or productive landscape.
Copyright
© Copyright 2014 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
1 Introduction
SAP HANA Cloud connector is an on-premise agent that runs in the customer network and takes care of
securely connecting cloud applications running on SAP HANA Cloud Platform with services and systems of the
customer network. It is used to implement hybrid scenarios in which cloud applications require point-to-point
integration with existing services or applications in the customer network. The following diagram shows a
high-level picture of the landscape.
This document provides a guide for IT administrators on how to set up, configure, securely operate and protect
SAP HANA Cloud connector version 2.x in productive scenarios.
This Operator's guide is structured as follows:
• System requirements for the Cloud connector
This section provides an overview of the minimal and recommended system requirements needed to
install and run the Cloud connector.
• Installation, upgrade and uninstallation of the Cloud connector (on Windows or Linux operating
systems)
This section describes the lifecycle management operations of the Cloud connector, i.e. how to install,
upgrade and uninstall it, as well as how to start the Cloud connector process after installation.
• Administration and configuration of the Cloud connector
This section provides an overview of how to administrate and configure the Cloud connector and how
to securely operate it. For example, how to configure on-premise resources which shall be accessible
to the related cloud account, how to configure trust between the Cloud connector and an on-premise
system, how to configure named administrator users for the Cloud connector administration, and so
on.
• Guidelines for secure operation of the Cloud connector
This section briefly summarizes all guidelines and recommendations for a secure setup of the Cloud
connector as they are relevant for productive scenarios. It also provides references to the individual
sections of this operator's guide where the related topics are described in more detail.
• Monitoring
This section provides an overview of how to monitor the Cloud connector-based connectivity to the
cloud and describes high-availability features of the Cloud connector.
• Supportability
This section provides an overview of supportability in case of issues with the Cloud connector.
• Maintenance and release strategy
This section describes the maintenance and release strategy of the Cloud connector, how new patches
or new versions are released, and where to find information about new releases.
• Process guidelines for hybrid scenarios
This section provides process guidelines which help to manage and operate hybrid scenarios.
1.1 Target Audience
System administrators, IT administrators, cloud account administrators.
1.2 Additional Information
This document focuses on the operation aspects of the Cloud connector. It does not cover a general overview
of the SAP HANA Cloud Platform and its connectivity service, neither does it address development related
questions like how an application which needs connectivity is being implemented.
For additional information on specific topics, see the following online resources:
SAP HANA Cloud Platform documentation:
https://help.hana.ondemand.com
SAP HANA Cloud Platform connectivity service documentation:
https://help.hana.ondemand.com/help/frameset.htm?e54cc8fbbb571014beb5caaf6aa31280.html
SAP HANA Cloud connector documentation:
https://help.hana.ondemand.com/help/frameset.htm?e6c7616abb5710148cfcf3e75d96d596.html
SAP HANA Cloud Platform release notes: http://scn.sap.com/docs/DOC-28833
SAP Community Network: http://scn.sap.com/community/developer-center/cloud-platform
SAP security: https://service.sap.com/security
SAP security guides, network security: https://service.sap.com/securityguide
SAP HANA Cloud Platform openSAP course:
https://open.sap.com/course/hanacloud1
http://scn.sap.com/community/developer-center/cloud-platform/blog/2014/01/08/videos-of-opensap-course-introduction-to-sap-hana-cloud-platform
Registration for free SAP HANA Cloud Platform account:
https://account.hanatrial.ondemand.com
2 System Requirements
This section describes the hard- and software requirements needed to install and run the Cloud connector.
2.1 Hardware Requirements
| | Minimum | Recommended |
| CPU | Single core 3 GHz, x86-64 architecture compatible | Dual core 2 GHz, x86-64 architecture compatible |
| Memory (RAM) | 1 GB | 4 GB |
| Free disk space | 1 GB | 20 GB |
2.2 Software Requirements
| Operating System | Architecture |
| Windows 7, Windows Server 2008 R2 | x86_64 |
| SUSE Linux Enterprise Server 11, Redhat Enterprise Linux 6 | x86_64 |
2.3 Supported Browsers
The browsers that can be used for the Cloud connector Administration UI are the ones supported by SAP UI5.
Currently, these are the following:
• Internet Explorer 9 or higher
• Mozilla Firefox 10 and latest version
• Safari 5.1 and higher
• Google Chrome (latest versions)
An up-to-date list of the supported SAP UI5 browsers can be found here:
https://help.hana.ondemand.com/help/frameset.htm?91f072cf6f4d1014b6dd926db0e91070.html
2.4 Cloud Connector Software Download
The Cloud connector can be downloaded from the Cloud Tools page.
2.5 Free Disk Space
2.5.1 Installation size
To download and install a new Cloud connector server, the following minimum free disk space is required:
• Size of downloaded Cloud connector installation file (ZIP, TAR, MSI files): 50 MB
• Newly installed Cloud connector server: 70 MB
• Total: 120 MB as a minimum
2.5.2 Additional disk space for log and configuration files
The Cloud connector writes configuration files, audit log files and trace files at runtime. The recommendation is
to accommodate between 1 and 20 GB of disk space for those files.
Trace and log files are written to <scc_dir>/log within the Cloud connector root directory.
ljs_trace.log contains traces in general; communication payload traces are stored in
traffic_trace_trc. They are used for support cases to analyze potential issues. The default trace level is
set to Information, where the amount of written data is in the range of a few KB each day. You can turn off
these traces to save disk space. However, it is not recommended to turn off this trace completely, but to leave
it with the default settings to allow root cause analysis in case an issue occurs. If the trace level is increased to
All, the amount of data can easily reach the range of several GB per day. We recommend that you only use
trace level All for analyzing a particular issue. Payload trace, however, should normally be turned off and only
turned on in case of certain issues, to support analysis by SAP support.
From an operations perspective, we recommend that you back up or delete written trace files regularly in order to
clean up the used disk space.
Audit log files are written to log/audit/<account-name>/audit-log_<account-name>_<date>.csv
within the Cloud connector root directory. By default, only security related events are written to the audit
log. The Cloud connector administrator can change the audit log level using the administration UI as described
here: https://help.hana.ondemand.com/help/frameset.htm?2264c7002f844fe4833186a1d168de66.html
To be compliant with the regulatory requirements of your organization and the regional laws, the audit log files
must be persisted for a certain period of time for traceability purposes. Therefore, it is recommended to back
up the audit log files regularly from the Cloud connector file system and to keep the backup for a period
of time that fits those rules.
3 Network Zones
Usually, a customer network is divided into multiple network zones or sub-networks according to the security
level of the contained components. There is, for instance, the DMZ that contains and exposes the
external-facing services of an organization to an untrusted network, usually the Internet, and there is one or multiple
other network zones which contain the components and services provided in the company's intranet.
Generally, customers have the choice in which network zone the Cloud connector should be set up in their
network. Technical prerequisites for the Cloud connector to work properly are:
• Cloud connector must have internet access to the SAP HANA Cloud Platform landscape host, either
directly or via HTTPS proxy.
• Cloud connector must have direct access to the internal systems it shall provide access to. That means
there must be transparent connectivity between the Cloud connector and the internal system.
Depending on the needs of the project, the Cloud connector can be either set up in the DMZ and operated
centrally by the IT department, or set up in the intranet and operated by the line-of-business.
4 Cloud Connector on Microsoft Windows
Currently, the following Windows operating system versions are supported by the Cloud connector: Windows 7
64-bit and Windows Server 2008 R2 64-bit. This section describes how to install, upgrade, uninstall and
start/stop the Cloud connector process on Windows operating systems.
4.1 Installation
Detailed documentation on how to install the Cloud connector on Microsoft Windows can be found here:
https://help.hana.ondemand.com/help/frameset.htm?204aaad4270245f3baa0c57c8ab1dd60.html
NOTE: The Windows MSI installer must be used for productive scenarios, as only then the Cloud connector gets
registered as a Windows service.
4.2 Upgrade
Detailed documentation on how to upgrade the Cloud connector on Microsoft Windows can be found here:
https://help.hana.ondemand.com/help/frameset.htm?7a7cc373019b4b6eaab39b5ab7082b09.html
4.3 Uninstallation
Detailed documentation on how to uninstall the Cloud connector on Microsoft Windows can be found here:
https://help.hana.ondemand.com/help/frameset.htm?d53395c4692c427881220c161ba51732.html
4.4 Starting the Cloud Connector
After the installation, the Cloud connector is registered as a Windows service which is configured to be started
automatically. With this configuration, the Cloud connector process will be started automatically after a reboot
of the system. You can start and stop the service via shortcuts created on the desktop ("Start SAP HANA
Cloud connector 2.0" and "Stop SAP HANA Cloud connector 2.0"), or by using the Windows
Services manager and looking for the service SAP HANA Cloud connector 2.0.
Once started, the Cloud connector administration UI can be accessed at https://localhost:<port>, where the
default port is 8443 (this port could have been modified during the installation).
5 Cloud Connector on Linux
Currently, the following Linux versions are supported by the Cloud connector: SUSE Linux Enterprise Server 11
64-bit and Redhat Enterprise Linux 6 64-bit. This section describes how to install, upgrade, uninstall and
start/stop the Cloud connector process on Linux operating systems.
5.1 Installation
Detailed documentation on how to install the Cloud connector on Linux can be found here:
https://help.hana.ondemand.com/help/frameset.htm?f069840fa34c4196a5858be33a2734ea.html
NOTE: For productive scenarios, the Cloud connector Linux RPM installer must be used, as only then the Cloud
connector will be registered as a daemon process.
5.2 Upgrade
Detailed documentation on how to upgrade the Cloud connector on Linux can be found here:
https://help.hana.ondemand.com/help/frameset.htm?7a7cc373019b4b6eaab39b5ab7082b09.html
5.3 Uninstallation
Detailed documentation on how to uninstall the Cloud connector on Linux can be found here:
https://help.hana.ondemand.com/help/frameset.htm?d53395c4692c427881220c161ba51732.html
5.4 Starting the Cloud Connector
After installing the Cloud connector via RPM manager, the Cloud connector process is started automatically
and registered as a daemon process, which takes care of restarting the Cloud connector automatically after a
reboot of the system.
To start/stop/restart the process explicitly, you can open a command shell and use the following commands,
which require root permissions:
service scc_daemon stop|restart|start|status
6 Cloud Connector Administration
6.1 Operating System Access and Configuration
As the Cloud connector is a security critical component enabling external access to systems of an isolated
network, similar to a reverse proxy in a DMZ, we recommend that you restrict the access to the operating
system on which the Cloud connector is installed to the minimal set of users who shall administrate the system.
This will minimize the risk of unauthorized people accessing the Cloud connector system and trying to modify
or damage a running Cloud connector instance.
We also recommend that you use hard-drive encryption for the Cloud connector system. This ensures that the
Cloud connector configuration data cannot be read by unauthorized users, even if they obtain access to the
hard drive.
6.2 Configuring a Trusted Certificate for the Administration UI
After a new installation, the Cloud connector provides a self-signed X.509 certificate used for the SSL
communication between the Cloud connector Administration UI running in a Web browser and the Cloud
connector process itself. For security reasons, this certificate should be replaced for productive scenarios with a
certificate trusted by your organization. To learn in detail how to do this, read this page:
https://help.hana.ondemand.com/help/frameset.htm?bcd5e113c9164ae8a443325692cd5b12.html
6.3 Basic Configuration
The basic configuration steps for the Cloud connector consist of:
• Changing the initial password for the built-in Administrator user
• Connecting the Cloud connector against a cloud account
A detailed documentation of these two steps can be found here:
https://help.hana.ondemand.com/help/frameset.htm?db9170a7d97610148537d5a84bf79ba2.html
You are forced to change the initial password to a specific one immediately after installation. The Cloud
connector itself does not check the strength of the password, i.e. the Cloud connector administrators should
voluntarily choose a strong password that cannot be guessed easily.
6.4 Connecting and Disconnecting a Cloud Account
The major principle for the connectivity established by the Cloud connector is that the Cloud connector
administrator should have full control over the connection to the cloud, i.e. they should be able to decide if and
when the Cloud connector needs to be connected to the cloud at all, to which accounts it shall be connected,
and which on-premise systems and resources shall be accessible to applications of the connected account.
Using the administration UI, the Cloud connector administrator can connect and disconnect the Cloud
connector to the configured cloud account. Once disconnected, there is no communication possible, neither
between the cloud account and the Cloud connector nor to the internal systems. The connection state can be
verified and changed by the Cloud connector administrator on the Account Dashboard tab of the UI, as
shown in the following screenshot.
It is important to note that once the Cloud connector is newly installed and connected to a cloud account, still
none of the systems available in the customer network are accessible to the applications of the related cloud
account. The systems and resources that shall be made accessible must be configured explicitly in the Cloud
connector one by one, as described in section 6.6.
Effective Cloud connector version 2.2.0, a single Cloud connector instance can be connected to multiple
accounts in the cloud. This is useful especially for customers who need multiple accounts to structure their
development or to stage their cloud landscape into development, test and production. These customers have
the option to use a single Cloud connector instance for multiple accounts of theirs. Nevertheless, it is
recommended not to use accounts running productive scenarios and accounts used for development or test
purposes within the same Cloud connector. A cloud account can be added to or deleted from a Cloud
connector on the Account Dashboard using the Add… and Delete buttons (see screenshot above).
A detailed description of how to add, delete, connect or disconnect accounts can also be found here:
https://help.hana.ondemand.com/help/frameset.htm?f16df12fab9f4fe1b8a4122f0fd54b6e.html
6.5 Configuring Accessible Resources
After a new Cloud connector installation in a network, no systems or resources of the network have been
exposed to the cloud yet. The Cloud connector administrator must configure each system and resource that
shall be used by applications of the connected cloud account in the Access Control view of the Cloud
connector, as shown in the following screenshot.
Any type of system that can be called via one of the supported protocols (currently HTTP and RFC) is supported,
i.e. both SAP and non-SAP systems. As an example, a convenient way to access an ABAP system
in a cloud application is to do this via SAP NetWeaver Gateway, as it allows consumption of ABAP content via
HTTP and open standards.
Detailed documentation on how HTTP resources are configured can be found here:
https://help.hana.ondemand.com/help/frameset.htm?e7d4927dbb571014af7ef6ebd6cc3511.html
Detailed documentation on how RFC resources are configured can be found here:
https://help.hana.ondemand.com/help/frameset.htm?ca5868997e48468395cf0ca4882f5783.html
We recommend that you narrow the access only to those backend services and resources that are explicitly
needed by the cloud applications. Instead of configuring, for example, a system and granting access to all its
resources, we recommend that you only grant access to the concrete resources which are needed by the cloud
application. For example, define access to an HTTP service by specifying the service URL root path and allowing
access to all its sub-paths.
When configuring an on-premise system, it is possible to define a virtual host and port for the specified system,
as shown in the screenshot below. The virtual host name and port represent the fully-qualified domain name of
the related system in the cloud. We recommend that you use the virtual host name/port mapping in order to
prevent information about the physical machine name and port of an on-premise system, and thus about
your internal network infrastructure, from being published to the cloud.
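The two recommendations above (grant only concrete resources, address systems by virtual host and port) can be modelled as a small allow-list check. This is an added example, not SAP code and not a description of how the Cloud connector is implemented; the `Resource` and `SystemMapping` types, the host names and the paths are hypothetical.

```python
import posixpath
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class Resource:
    url_path: str            # e.g. "/sap/opu/odata/SALES"
    include_subpaths: bool   # False = this exact path only


@dataclass(frozen=True)
class SystemMapping:
    virtual_host: str        # name the cloud application uses (lower case)
    virtual_port: int
    internal_host: str       # physical name, never exposed to the cloud side
    internal_port: int
    resources: tuple


def canonical_path(raw_path):
    """Decode percent-escapes once and collapse '.', '..' and '//' segments.

    Returns None for input that is rejected outright. Rejecting any '%'
    left after one decoding pass blocks double-encoded dot segments; it is
    a deliberately strict choice made for this example.
    """
    decoded = unquote(raw_path)
    if not decoded.startswith("/") or "\x00" in decoded or "\\" in decoded:
        return None
    if "%" in decoded:
        return None
    normalized = posixpath.normpath(decoded)
    # normpath keeps a leading '//' (POSIX allows it); reduce it to one slash.
    return "/" + normalized.lstrip("/")


def path_allowed(resource, path):
    """Match on whole path segments, so '/a/SALES' does not cover '/a/SALESX'."""
    root = "/" + resource.url_path.strip("/")
    if path == root:
        return True
    if not resource.include_subpaths:
        return False
    prefix = root if root == "/" else root + "/"
    return path.startswith(prefix)


def resolve(mappings, host, port, raw_path):
    """Return (internal_host, internal_port, path) if the request is allowed, else None."""
    path = canonical_path(raw_path)
    if path is None:
        return None
    for mapping in mappings:
        if mapping.virtual_host == host.lower() and mapping.virtual_port == port:
            if any(path_allowed(r, path) for r in mapping.resources):
                return (mapping.internal_host, mapping.internal_port, path)
            return None
    return None  # unknown virtual host: nothing is reachable by default


# Constructed sample configuration: one backend, two exposed resources.
MAPPINGS = (
    SystemMapping("sales-gateway.virtual", 443, "gw01.corp.example", 44300, (
        Resource("/sap/opu/odata/SALES", include_subpaths=True),
        Resource("/sap/public/ping", include_subpaths=False),
    )),
)

if __name__ == "__main__":
    for p in ("/sap/opu/odata/SALES/Orders",
              "/sap/opu/odata/SALESX",
              "/sap/opu/odata/SALES/%2e%2e/HR/Employees",
              "/sap/public/ping/extra"):
        print(p, "->", resolve(MAPPINGS, "sales-gateway.virtual", 443, p))
```

The path is canonicalized before matching because a prefix check on the raw string would accept `SALES/../HR`, and the internal host name is only ever an output of the lookup, never a key a caller can address.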
6.6 Configuring Trust between Cloud Connector and On-Premise Systems
For secure communication between the Cloud connector and the used on-premise systems, it is recommended
to use encrypted protocols like HTTPS and RFC over SNC, and to set up a trust relationship between the Cloud
connector and the on-premise systems by exchanging certificates.
When using HTTPS as protocol, a trust relationship can be set up by configuring the so-called system certificate
in the Cloud connector. A system certificate is an X.509 certificate which represents the identity of the Cloud
connector instance and is used as a client certificate in the HTTPS communication between the Cloud
connector and the on-premise system. The used on-premise system should be configured to validate the
system certificate of the Cloud connector to ensure that only calls from trusted Cloud connectors are accepted.
A detailed documentation on how to use and configure the system certificate for a Cloud connector can be
found here: https://help.hana.ondemand.com/help/frameset.htm?3f974eae3cba4dafa274ec59f69daba6.html
Analogously, SNC can be configured for secure RFC communication to an ABAP backend, as described here:
https://help.hana.ondemand.com/help/frameset.htm?f09eefe71d1e4d4484e1dd4b121585fb.html
6.7 Configuring Named Cloud Connector Administrator Users
We recommend that you configure LDAP-based user management for the SAP HANA Cloud Connector
Administration UI, so that only named administrator users can log on to the administration UI. This is important
to guarantee traceability of the Cloud connector configuration changes via the Cloud connector audit log. With
the default and built-in Administrator user, it is not possible to identify the physical person who has made a
possibly security-sensitive configuration change in the Cloud connector.
If you have an LDAP server in your landscape, you can configure the Cloud connector to authenticate Cloud
connector administrator users against the LDAP server. Valid administrator users must belong to the user group
named admin or sccadmin. Documentation on how to configure an LDAP server can be found here:
https://help.hana.ondemand.com/help/frameset.htm?120ceecfd84145a181ac160d588a7a3d.html
Once an LDAP server has been configured for the authentication of the Cloud connector, the default Administrator
user will be inactive and can't be used anymore to log on to the Cloud connector.
68 Using the Audit Log
Audit logging is a critical element of an organizationrsquos risk management strategy The Cloud connector provides
audit logging for the complete record of access between cloud and Cloud connector as well as of configuration
changes done in the Cloud connector The written audit log files are digitally signed by the Cloud connector so
SAP HANA Cloud connector ndash Operatorrsquos Guide Page 12
that their integrity can be checked by the Cloud connector auditor tool as described here
httpshelphanaondemandcomhelpframesethtm2264c7002f844fe4833186a1d168de66html
The audit log data of the Cloud connector can be used to alert Cloud connector administrators to unusual or
suspicious network and system behavior. Additionally, the audit log data can provide auditors with information
required to validate security policy enforcement and proper segregation of duties. IT staff can use the audit log
data for root-cause analysis following a security incident.
Information on how to configure and use the audit logging in the Cloud connector administrator UI can be found
here: https://help.hana.ondemand.com/help/frameset.htm?2264c7002f844fe4833186a1d168de66.html
We recommend that you switch on audit logging of the Cloud connector permanently in productive scenarios
and set it to All (the default configuration is Security). The audit log files can then be used to detect
attacks, for example by a malicious cloud application that tries to access on-premise services without
permission, or in a forensic analysis of a security incident.
It is further recommended to copy the audit log files of the Cloud connector regularly to an external persistent
storage according to your local regulations. The audit log files can be found in the Cloud connector root
directory under the following location: log/audit/<account-name>/audit-log_<timestamp>.csv
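The regular copy to external storage recommended above can be scripted. The following is an added example, not part of the SAP guide or of SAP's tooling; the function name, the archive layout and the MANIFEST.sha256 file are assumptions. Its SHA-256 comparison only confirms that the copy matches the source and does not replace the signature check done by the Cloud connector auditor tool.

```shell
#!/bin/sh
# Added example: archive Cloud connector audit logs to external storage.
# Assumptions (not from the guide): function name, archive layout and the
# MANIFEST.sha256 file are illustrative choices.

# archive_audit_logs <scc_root> <archive_dir>
# Copies <scc_root>/log/audit/<account-name>/audit-log_*.csv into
# <archive_dir>/<account-name>/ and prints "copied=N unchanged=N changed=N".
# Archived files are never overwritten or deleted.
archive_audit_logs() {
    scc_root=$1
    archive=$2
    copied=0
    unchanged=0
    changed=0

    mkdir -p "$archive" || return 1
    manifest="$archive/MANIFEST.sha256"

    for src in "$scc_root"/log/audit/*/audit-log_*.csv; do
        [ -f "$src" ] || continue              # glob matched nothing
        account=$(basename "$(dirname "$src")")
        name=$(basename "$src")
        dest="$archive/$account/$name"
        src_sum=$(sha256sum "$src" | cut -d' ' -f1)

        if [ -f "$dest" ]; then
            dest_sum=$(sha256sum "$dest" | cut -d' ' -f1)
            if [ "$src_sum" = "$dest_sum" ]; then
                unchanged=$((unchanged + 1))
                continue
            fi
            # The source no longer matches the archived copy. The file may
            # still have been growing at the last run, or it was modified
            # afterwards. Keep the old copy and store the new content
            # beside it, named by its hash, so both can be reviewed.
            dest="$dest.$src_sum"
            if [ -f "$dest" ]; then
                unchanged=$((unchanged + 1))   # this version is archived
                continue
            fi
            changed=$((changed + 1))
        else
            copied=$((copied + 1))
        fi

        mkdir -p "$archive/$account" || return 1
        cp -p "$src" "$dest.tmp" || return 1

        # Verify the copy before it becomes part of the archive.
        copy_sum=$(sha256sum "$dest.tmp" | cut -d' ' -f1)
        if [ "$copy_sum" != "$src_sum" ]; then
            rm -f "$dest.tmp"
            echo "copy verification failed: $src" >&2
            return 1
        fi
        mv "$dest.tmp" "$dest" || return 1

        # Record hash and archive-relative path for later integrity checks.
        printf '%s  %s\n' "$src_sum" "${dest#"$archive"/}" >> "$manifest"
    done

    echo "copied=$copied unchanged=$unchanged changed=$changed"
}

# Direct use: sh archive_audit_logs.sh <scc_root> <archive_dir>
if [ "$#" -eq 2 ]; then
    archive_audit_logs "$1" "$2"
fi
```

A non-zero `changed` count for a file from a past day is worth investigating, since a closed audit log should no longer change.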
6.9 Authenticating Users for On-Premise Systems
Currently, the Cloud connector supports basic authentication and principal propagation as user authentication
types towards internal systems. The destination configuration of the used cloud application defines which of
these types is used for the actual communication to an on-premise system through the Cloud connector
(Details: https://help.hana.ondemand.com/help/frameset.htm?e4f1d97cbb571014a247d10f9f9a685d.html).
In case basic authentication is used, the on-premise system must be configured to accept basic authentication
and to provide one or multiple service users. There are no additional steps which are needed in the Cloud
connector for this authentication type.
In case principal propagation is used, the Cloud connector administrator has to explicitly configure trust to
those cloud entities from which user tokens are accepted as valid. This can be done in the Trust view of the
Cloud connector and is described in more detail here:
https://help.hana.ondemand.com/help/frameset.htm?a4ee70f0274248f8bbc7594179ef948d.html
7 Guidelines for Secure Operation of the Cloud Connector
The following table summarizes the guidelines and recommendations for a secure setup and operation of the
Cloud connector in a productive scenario.

| Activity | Recommendation | Reference |
|---|---|---|
| 1. Restrict OS level access to the Cloud connector | Restrict the access to the Cloud connector operating system to the users who should administrate the Cloud connector. | section 6.1 |
| 2. Use hard drive encryption for the Cloud connector operating system | Use hard drive encryption to avoid unauthorized access to the Cloud connector configuration data and credentials in case the hard disk gets stolen. | section 6.1 |
| 3. Change password of built-in Administrator user immediately after installation and choose a strong password | Cloud connector administrator should change the initial password "manage" to a strong password that cannot be easily guessed. | section 6.3 |
| 3. Authenticate with named users to the Cloud connector Administrator UI | Configure an LDAP system in the Cloud connector and work with named administrator users to have better traceability. | section 6.7 |
| 4. Change default X.509 certificate of Cloud connector Administration UI | The self-signed certificate provided by the Cloud connector after a new installation shall be changed to an own certificate to increase the security of the SSL communication between the Cloud connector administration UI and the Cloud connector server itself, and to avoid security warnings of the browser when connecting to the administration UI. | section 6.2 |
| 5. Use HTTPS and System Certificate, or RFC via SNC, for communication from Cloud connector to backend | For communication between Cloud connector and the backend systems, as well as to authenticate a Cloud connector against the backend systems, we recommend that you use HTTPS and a system certificate, or RFC over SNC. | section 6.6 |
| 6. Use host name mapping of exposed backend systems | When configuring the access to an internal system in the Access Control configuration of the Cloud connector, we recommend that you use the virtual host name mapping in order to not expose physical host names of systems of the on-premise network to the cloud. | section 0 |
| 7. Narrow access to backend systems to required services | When configuring the access to an internal system in the Access Control view of the Cloud connector, we recommend that you restrict the system access to those resources which are required by the cloud applications. Do not expose the complete system just to save some configuration work. | section 0 |
| 8. Switch on audit logging in Cloud connector to All | To recognize attempts of attackers to get unauthorized access to the Cloud connector, and to have full traceability of the communication and the configuration changes, we recommend that you switch on the audit log to All. | section 6.8 |
| 9. Copy and persist audit log files of Cloud connector regularly | The Cloud connector audit log files shall be copied regularly from the Cloud connector machine to an external persistent storage and kept for a certain period of time according to the regulatory requirements. | section 6.8, section 2.5.2 |
| 10. Clean up Cloud connector traces regularly and set default trace level to Information | Cloud connector trace files should be deleted regularly in order to clean up disk space. Except for error analysis, the trace level of the Cloud connector should not be set to a level higher than Information in regular operation. Traces created for analysis of an issue with trace level All should be deleted immediately after the issue has been resolved. | section 2.5.2 |
8 Monitoring
To verify that a Cloud connector is up and running, the simplest way is to try to access its administration UI. If
the UI can be opened in a Web browser, the Cloud connector process is running.
On Windows operating systems, the Cloud connector process is registered as a Windows service which is
configured to start automatically after a new Cloud connector installation. In case the machine gets rebooted,
the Cloud connector process should then be auto-restarted immediately. You can check the state with the
following command: sc query "SAP HANA Cloud connector 2.0". The line state shows the state of the
service.
On Linux operating systems, the Cloud connector is registered as a daemon process and gets restarted
automatically each time the Cloud connector process is down, for example after a reboot of the whole system. The
daemon state can be checked with: service scc_daemon status
To verify if a Cloud connector is connected to a certain cloud account, log on to the Cloud connector
Administration UI and go to the Accounts Dashboard, where the connection state of the connected
accounts is visible, as described in section 6.4.
9 Supportability
In case of issues with the Cloud connector, SAP customers and partners can create OSS tickets under the
component BC-MID-SCC. The general SAP SLAs in regards of OSS processing time also apply for SAP HANA
Cloud Platform and the Cloud connector. To avoid unnecessary answer/response cycles in the support case, we
recommend that you download the logs of the corresponding Cloud connector using the Download button on
the Logs view and attach the respective log file(s) to the OSS ticket directly when creating it. In case the
issue is easily reproducible, re-execute it at Log Level 'All' before creating the archive.
10 Release and Maintenance Strategy
As for all components of SAP HANA Cloud Platform, new releases of the Cloud connector are available on the
Cloud Tools page. As SAP HANA Cloud Platform releases in a bi-weekly cycle, new releases of the Cloud
connector could occur every other week, although the actual releases will be less frequent (new releases are
shipped when new features or important bug fixes shall be delivered).
Cloud connector versions follow the <major>.<minor>.<micro> versioning schema. Within a major
version, the Cloud connector will stay fully compatible. Within a minor version, the Cloud connector will stay
with the same feature set, and higher minor versions usually support additional features compared to lower
minor versions. Micro versions are increased to release patches of a <major>.<minor> version in order to
deliver bug fixes.
For each supported major version of the Cloud connector, only one <major>.<minor>.<micro> version
will be provided and supported on the Cloud Tools page. This means that users have to upgrade their existing
Cloud connectors in order to get a patch for a bug or to make use of new features.
New versions of the Cloud connector are announced in the Release Notes of SAP HANA Cloud Platform. We
recommend that Cloud connector administrators regularly check the release notes for Cloud connector
updates. New versions of the Cloud connector can be applied by using the Cloud connector upgrade
capabilities as outlined in sections 4.2 and 5.2 above. We recommend that you apply an upgrade first in the
Cloud connector test landscape to validate that the running applications are working, and then continue with
the productive landscape.
When updates are applied on the cloud, operations continuity of existing Cloud connectors and their connections
is assured by the platform, i.e. users do not have to perform manual actions in the Cloud connector when the
cloud side gets updated.
11 Process Guidelines for Hybrid Scenarios
The following chapter provides process guidelines that help you to manage productive hybrid scenarios in
which applications running on SAP HANA Cloud Platform require access to on-premise systems.
11.1 Document Landscape of Hybrid Solution
To have an overview of the cloud and on-premise landscape relevant for your hybrid scenario, we recommend
that you document the used cloud accounts, their connected Cloud connectors and the used on-premise
backend systems in landscape overview diagrams. Document the account names, the purpose of the accounts
(dev, test, prod), information of the Cloud connector machines (host, domains), the URLs of the Cloud
connectors in the landscape overview document, and possibly more details.
An example of landscape overview documentation could look like this:
11.2 Document Administrator Roles
It is recommended to document which users have administrator access to the cloud accounts, to the Cloud
connector operating system and to the Cloud connector Administration UI.
An example of such administrator role documentation could look like the following sample table:
Resource
john@acme.com marry@acme.com pete@acme.com greg@acme.com
Cloud Account (CA) Dev1
x
CA Dev2 X
CA Test x X
CA Prod X
Cloud connector Dev 1 + 2
x x
Cloud connector Test x X
Cloud connector Prod X
Cloud connector Dev 1 + 2 file system
Cloud connector Test file system
x X
Cloud connector Prod file system
X
11.3 Document Communication Channels
It is recommended to create and document separate email distribution lists for both the cloud account
administrators and the Cloud connector administrators.
An example of the documented communication channels could look like this:

| Landscape | Distribution List |
|---|---|
| Cloud Account Administrators | DL ACME HCP Account Admins |
| Cloud connector Administrators | DL ACME Cloud connector Admins |
11.4 Define Project and Development Guidelines
It is recommended to define and document mandatory project and development guidelines for your SAP HANA
Cloud Platform projects. An example of such a guideline could look like the following:
For every SAP HANA Cloud Platform project of your organization, the following requirements are mandatory:
• Usage of Maven, Nexus, Git-&-Gerrit for the application development
• Alignment with accountable manager in projects (name: Flora Miller)
• Alignment with accountable security officer in projects (name: Pete Johnson)
• For externally developed source code, a hand over to your organization is required
• Fulfill the connection restrictions in a 3 system landscape, i.e. usage of staged landscape for dev, test
and prod, and e.g. dev landscape only connects to dev systems, etc.
• Productive accounts do not use the same Cloud connector as a dev or test account
11.5 Define Process of how to Set a Cloud Application Live
It is recommended to define and document the process of how to set a cloud application live and how to
configure needed connectivity for such an application.
For example, the following processes could be seen as relevant and shall be defined and documented in more
detail:
1. Transferring application to production: This process defines the steps which are necessary for transferring
an application to the productive status on the SAP HANA Cloud Platform.
2. Application Connectivity: This process defines the steps which are necessary to add a connectivity
destination to a deployed application for connections to other resources in the test or productive
landscape.
3. Cloud Connector Connectivity: This process defines the steps which are necessary to add an on-premise
resource to the SAP HANA Cloud connector in the test or productive landscapes to make it available for the
connected cloud accounts.
4. On-premise System Connectivity: This process defines the steps which are necessary to set up a trust
relationship between an on-premise system and the SAP HANA Cloud connector and to configure user
authentication and authorization in the on-premise system in the test or productive landscapes.
5. Application Authorization: This process defines the steps which are necessary to request and assign an
authorization which is available inside the SAP HANA Cloud application to a user in the test or productive
landscapes.
6. Administrator Permissions: This process defines the steps which are necessary to request and assign the
administrator permissions in a cloud account to a user in the test or productive landscape.
Copyright
© Copyright 2014 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
SAP HANA Cloud connector ndash Operatorrsquos Guide Page 3
1 Introduction
SAP HANA Cloud connector is an on-premise agent that runs in the customer network and takes care of
securely connecting cloud applications running on SAP HANA Cloud Platform with services and systems of the
customer network It is used to implement hybrid scenarios in which cloud applications require point-to-point
integration with existing services or applications in the customer network The following diagram shows a high-
level picture of the landscape
This document provides a guide for IT administrators how to setup configure securely operate and protect
SAP HANA Cloud connector version 2x in productive scenarios
This Operatorrsquos guide is structured as follows
bull System requirements for the Cloud connector
This section provides an overview on the minimal and recommended system requirements needed to
install and run the Cloud connector
bull Installation upgrade and uninstallation of the Cloud connector (on Windows or Linux operating
systems)
This section describes the lifecycle management operations of the Cloud connector ie how to install
upgrade and uninstall it as well as how to start the Cloud connector process after installation
bull Administration and configuration of the Cloud connector
This section provides an overview on how to administrate and configure the Cloud connector and how
to securely operate it For example how to configure on-premise resources which shall be accessible
to the related cloud account how to configure trust between the Cloud connector and an on-premise
system how to configure named administrator users for the Cloud connector administration and so
on
SAP HANA Cloud connector ndash Operatorrsquos Guide Page 4
bull Guidelines for secure operation of the Cloud connector
This section summarizes briefly all guidelines and recommendations for a secure setup of the Cloud
connector as they are relevant for productive scenarios It also provides references to the single
sections of this operatorrsquos guide where the related topics are described in more detail
bull Monitoring
This section provides an overview on how to monitor the Cloud connector-based connectivity to the
cloud and describes high-availability features of the Cloud connector
bull Supportability
This section provides an overview on supportability in case of issues with the Cloud connector
bull Maintenance and release strategy
This section describes the maintenance and release strategy of the Cloud connector how new patches
or new versions are released and where to find information about new releases
bull Process guidelines for hybrid scenarios
This section provides process guidelines which help to manage and operate hybrid scenarios
11 Target Audience
System administrators IT administrators cloud account administrators
12 Additional Information
This document focuses on the operation aspects of the Cloud connector It does not cover a general overview
of the SAP HANA Cloud Platform and its connectivity service neither does it address development related
questions like how an application which needs connectivity is being implemented
For additional information on specific topics see the following online resources
SAP HANA Cloud Platform documentation
httpshelphanaondemandcom
SAP HANA Cloud Platform connectivity service documentation
httpshelphanaondemandcomhelpframesethtme54cc8fbbb571014beb5caaf6aa31280html
SAP HANA Cloud connector documentation
httpshelphanaondemandcomhelpframesethtme6c7616abb5710148cfcf3e75d96d596html
SAP HANA Cloud Platform release notes httpscnsapcomdocsDOC-28833
SAP Community Network httpscnsapcomcommunitydeveloper-centercloud-platform
SAP security httpsservicesapcomsecurity
SAP security guides network security httpsservicesapcomsecurityguide
SAP HANA Cloud Platform openSAP course
httpsopensapcomcoursehanacloud1 httpscnsapcomcommunitydeveloper-centercloud-platformblog20140108videos-of-opensap-course-introduction-to-sap-hana-cloud-platform
Registration for free SAP HANA Cloud Platform account
httpsaccounthanatrialondemandcom
SAP HANA Cloud connector ndash Operatorrsquos Guide Page 5
2 System Requirements
This section describes the hard- and software requirements needed to install and run the Cloud connector
21 Hardware Requirements
Minimum Recommended
CPU Single core 3 GHz x86-64 architecture compatible
Dual core 2 GHz x86-64 architecture compatible
Memory (RAM) 1 GB 4 GB
Free disk space 1 GB 20 GB
22 Software Requirements
Operating System Architecture
Windows 7 Windows Server 2008 R2 x86_64
SUSE Linux Enterprise Server 11 Redhat Enterprise Linux 6 x86_64
23 Supported Browsers
The browsers that can be used for the Cloud connector Administration UI are the ones supported by SAP UI5
Currently these are the following
Internet Explorer 9 or higher
Mozilla Firefox 10 and latest version
Safari 51 and higher
Google Chrome (latest versions)
An up-to-date list of the supported SAP UI5 browsers can be found here
httpshelphanaondemandcomhelpframesethtm91f072cf6f4d1014b6dd926db0e91070html
24 Cloud Connector Software Download
The Cloud connector can be downloaded from the Cloud Tools page
25 Free Disk Space
251 Installation size
To download and install a new Cloud connector server a minimum of free disk space is required as following
Size of downloaded Cloud connector installation file (ZIP TAR MSI files) 50 MB
Newly installed Cloud connector server 70 MB
Total 120 MB as a minimum
252 Additional disk space for log and configuration files
The Cloud connector writes configuration files audit log files and trace files at runtime The recommendation is
to accommodate between 1 and 20 GB of disk space for those files
Trace and log files are written to ltscc_dirgtlog within the Cloud connector root directory
ljs_tracelog contains traces in general communication payload traces are stored in
traffic_trace_trc They are used for support cases to analyze potential issues The default trace level is
set to Information where the amount of written data is in the range of few KB each day You can turn off
these traces to save disk space However it is not recommended to turn off this trace completely but to leave
SAP HANA Cloud connector ndash Operatorrsquos Guide Page 6
it with the default settings to allow root cause analysis in case an issue occurs If the trace level is increased to
All the amount of data can easily reach the range of several GB per day We recommend that you only use
trace level All for analyzing a particular issue Payload trace however should be turned off normally and only
in case of certain issues turned on for supporting analysis by SAP support
From operations perspective we recommend that you back up or delete written trace files regularly in order to
clean up the used disk space
Audit log files are written to logauditltaccount-namegtaudit-log_ltaccount-namegt_ltdategtcsv
within the Cloud connector root directory By default only security related events are written within the audit
log The Cloud connector administrator can change the audit log level using the administration UI as described
here httpshelphanaondemandcomhelpframesethtm2264c7002f844fe4833186a1d168de66html
To be compliant with the regulatory requirements of your organization and the regional laws the audit log files
must be persisted for a certain period of time for traceability purposes Therefore it is recommended to back
up the audit log files regularly from the Cloud connector file system and to keep the backup for a certain period
of time fitting to those rules
3 Network Zones
Usually a customer network is divided into multiple network zones or sub-networks according to the security
level of the contained components There is for instance the DMZ that contains and exposes the external-
facing services of an organization to an untrusted network usually the Internet and there is one or multiple
other network zones which contain the components and services provided in the companyrsquos intranet
Generally customers have the choice in which network zone the Cloud connector should be set-up in their
network Technical prerequisites for the Cloud connector to work properly are
Cloud connector must have internet access to the SAP HANA Cloud Platform landscape host either
directly or via HTTPS proxy
Cloud connector must have direct access to the internal systems it shall provide access to That means
there must be transparent connectivity between the Cloud connector and the internal system
Depending on the needs of the project the Cloud connector can be either set-up in the DMZ and operated
centrally by the IT department or set-up in the intranet and operated by the line-of-business
4 Cloud Connector on Microsoft Windows
Currently the following Windows operating system versions are supported by the Cloud connector Windows 7
64-bit and Windows Server 2008 R2 64-bit This section describes how to install upgrade uninstall and
startstop the Cloud connector process on Windows operating systems
41 Installation
Detailed documentation how to install the Cloud connector on Microsoft Windows can be found here
httpshelphanaondemandcomhelpframesethtm204aaad4270245f3baa0c57c8ab1dd60html
NOTE The Windows MSI installer must be used for productive scenarios as only then the Cloud connector gets
registered as a Windows service
42 Upgrade
Detailed documentation how to upgrade the Cloud connector on Microsoft Windows can be found here
httpshelphanaondemandcomhelpframesethtm7a7cc373019b4b6eaab39b5ab7082b09html
SAP HANA Cloud connector ndash Operatorrsquos Guide Page 7
43 Uninstallation
Detailed documentation how to uninstall the Cloud connector on Microsoft Windows can be found here
httpshelphanaondemandcomhelpframesethtmd53395c4692c427881220c161ba51732html
44 Starting the Cloud Connector
After the installation the Cloud connector is registered as Windows service which is configured to be started
automatically With this configuration the Cloud connector process will be started automatically after a reboot
of the system You can start and stop the service via shortcuts created on the desktop (ldquoStart SAP HANA
Cloud connector 20rdquo and ldquoStop SAP HANA Cloud connector 20rdquo) or by using the Windows
Services manager and look for the service SAP HANA Cloud connector 20
Once started the Cloud connector administration UI can be accessed at httpslocalhostltportgt where the
default port is 8443 (this port could have been modified during the installation)
5 Cloud Connector on Linux
Currently the following Linux versions are supported by the Cloud connector SUSE Linux Enterprise Server 11
64-bit and Redhat Enterprise Linux 6 64-bit This section describes how to install upgrade uninstall and
startstop the Cloud connector process on Linux operating systems
51 Installation
Detailed documentation how to install the Cloud connector on Linux can be found here
httpshelphanaondemandcomhelpframesethtmf069840fa34c4196a5858be33a2734eahtml
NOTE For productive scenarios the Cloud connector Linux RPM installer must be used as only then the Cloud
connector will be registered as a daemon process
52 Upgrade
Detailed documentation how to upgrade the Cloud connector on Linux can be found here
httpshelphanaondemandcomhelpframesethtm7a7cc373019b4b6eaab39b5ab7082b09html
53 Uninstallation
Detailed documentation how to uninstall the Cloud connector on Linux can be found here
httpshelphanaondemandcomhelpframesethtmd53395c4692c427881220c161ba51732html
54 Starting the Cloud Connector
After installing the Cloud connector via RPM manager the Cloud connector process is started automatically
and registered as a daemon process which takes care of restarting the Cloud connector automatically after a
reboot of the system
To startstoprestart the process explicitly you can open a command shell and use the following commands
which require root permissions
service scc_daemon stop|restart|start|status
SAP HANA Cloud connector ndash Operatorrsquos Guide Page 8
6 Cloud Connector Administration
61 Operating System Access and Configuration
As the Cloud connector is a security critical component enabling external access to systems of an isolated
network similar to a reverse proxy in a DMZ we recommend that you restrict the access to the operating
system on which the Cloud connector is installed to the minimal set of users who shall administrate the system
This will minimize the risk of unauthorized people accessing the Cloud connector system and trying to modify
or damage a running Cloud connector instance
We also recommend that you use hard-drive encryption for the Cloud connector system This ensures that the
Cloud connector configuration data cannot be read by unauthorized users even if they obtain access to the
hard drive
62 Configuring a Trusted Certificate for the Administration UI
After a new installation the Cloud connector provides a self-signed X509 certificate used for the SSL
communication between the Cloud connector Administration UI running in a Web browser and the Cloud
connector process itself For security reasons this certificate should be replaced for productive scenarios with a
certificate trusted by your organization To learn in detail how to do this read this page
httpshelphanaondemandcomhelpframesethtmbcd5e113c9164ae8a443325692cd5b12html
63 Basic Configuration
The basic configuration steps for the Cloud connector consist of
Changing the initial password for the built-in Administrator user
Connecting the Cloud connector against a cloud account
A detailed documentation of these two steps can be found here
httpshelphanaondemandcomhelpframesethtmdb9170a7d97610148537d5a84bf79ba2html
You are forced to change the initial password to a specific one immediately after installation The Cloud
connector itself does not check the strength of the password ie the Cloud connector administrators should
voluntarily choose a strong password that cannot be guessed easily
6.4 Connecting and Disconnecting a Cloud Account
The major principle for the connectivity established by the Cloud connector is that the Cloud connector
administrator should have full control over the connection to the cloud, i.e. they should be able to decide if and
when the Cloud connector needs to be connected to the cloud at all, to which accounts it shall be connected,
and which on-premise systems and resources shall be accessible to applications of the connected account.
Using the administration UI, the Cloud connector administrator can connect and disconnect the Cloud
connector to the configured cloud account. Once disconnected, there is no communication possible – neither
between the cloud account and the Cloud connector, nor to the internal systems. The connection state can be
verified and changed by the Cloud connector administrator on the Account Dashboard tab of the UI, as
shown in the following screenshot.
It is important to note that once the Cloud connector is newly installed and connected to a cloud account, still
none of the systems available in the customer network are accessible to the applications of the related cloud
account. The systems and resources that shall be made accessible must be configured explicitly in the Cloud
connector one by one, as described in section 6.6.
Effective Cloud connector version 2.2.0, a single Cloud connector instance can be connected to multiple
accounts in the cloud. This is useful especially for customers who need multiple accounts to structure their
development or to stage their cloud landscape into development, test and production. These customers have
the option to use a single Cloud connector instance for multiple accounts of theirs. Nevertheless, it is
recommended not to use accounts running productive scenarios and accounts used for development or test
purposes within the same Cloud connector. A cloud account can be added to or deleted from a Cloud
connector on the Account Dashboard using the Add… and Delete buttons (see screenshot above).
A detailed description of how to add, delete, connect or disconnect accounts can also be found here:
https://help.hana.ondemand.com/help/frameset.htm?f16df12fab9f4fe1b8a4122f0fd54b6e.html
6.5 Configuring Accessible Resources
After a new Cloud connector installation in a network, no systems or resources of the network have been
exposed to the cloud yet. The Cloud connector administrator must configure each system and resource that
shall be used by applications of the connected cloud account in the Access Control view of the Cloud
connector, as shown in the following screenshot.
Any type of system that can be called via one of the supported protocols (currently HTTP and RFC) is
supported, i.e. both SAP and non-SAP systems. As an example, a convenient way to access an ABAP system
in a cloud application is to do this via SAP NetWeaver Gateway, as it allows consumption of ABAP content via
HTTP and open standards.
Detailed documentation on how HTTP resources are configured can be found here:
https://help.hana.ondemand.com/help/frameset.htm?e7d4927dbb571014af7ef6ebd6cc3511.html
Detailed documentation on how RFC resources are configured can be found here:
https://help.hana.ondemand.com/help/frameset.htm?ca5868997e48468395cf0ca4882f5783.html
We recommend that you narrow the access only to those backend services and resources that are explicitly
needed by the cloud applications. Instead of configuring, for example, a system and granting access to all its
resources, we recommend that you only grant access to the concrete resources which are needed by the cloud
application. For example, define access to an HTTP service by specifying the service URL root path and allowing
access to all its sub-paths.
When configuring an on-premise system, it is possible to define a virtual host and port for the specified system,
as shown in the screenshot below. The virtual host name and port represent the fully-qualified domain name of
the related system in the cloud. We recommend that you use the virtual host name/port mapping in order to
prevent information about the physical machine name and port of an on-premise system, and thus
of your internal network infrastructure, from getting published to the cloud.
6.6 Configuring Trust between Cloud Connector and On-Premise Systems
For secure communication between the Cloud connector and the used on-premise systems, it is recommended
to use encrypted protocols like HTTPS and RFC over SNC, and to set up a trust relationship between the Cloud
connector and the on-premise systems by exchanging certificates.
When using HTTPS as protocol, a trust relationship can be set up by configuring the so-called system certificate
in the Cloud connector. A system certificate is an X.509 certificate which represents the identity of the Cloud
connector instance and is used as a client certificate in the HTTPS communication between the Cloud
connector and the on-premise system. The used on-premise system should be configured to validate the
system certificate of the Cloud connector to ensure that only calls from trusted Cloud connectors are accepted.
Detailed documentation on how to use and configure the system certificate for a Cloud connector can be
found here: https://help.hana.ondemand.com/help/frameset.htm?3f974eae3cba4dafa274ec59f69daba6.html
Analogously, SNC can be configured for secure RFC communication to an ABAP backend as described here:
https://help.hana.ondemand.com/help/frameset.htm?f09eefe71d1e4d4484e1dd4b121585fb.html
6.7 Configuring Named Cloud Connector Administrator Users
We recommend that you configure LDAP-based user management for the SAP HANA Cloud Connector
Administration UI so that only named administrator users can log on to the administration UI. This is important
to guarantee traceability of the Cloud connector configuration changes via the Cloud connector audit log. With
the default and built-in Administrator user, it is not possible to identify the physical person who has made a
possibly security-sensitive configuration change in the Cloud connector.
If you have an LDAP server in your landscape, you can configure the Cloud connector to authenticate Cloud
connector administrator users against the LDAP server. Valid administrator users must belong to the user group
named admin or sccadmin. Documentation on how to configure an LDAP server can be found here:
https://help.hana.ondemand.com/help/frameset.htm?120ceecfd84145a181ac160d588a7a3d.html
Once an LDAP server has been configured for the authentication of the Cloud connector, the default Administrator
user will be inactive and can't be used anymore to log on to the Cloud connector.
6.8 Using the Audit Log
Audit logging is a critical element of an organization's risk management strategy. The Cloud connector provides
audit logging for the complete record of access between cloud and Cloud connector as well as of configuration
changes done in the Cloud connector. The written audit log files are digitally signed by the Cloud connector so
that their integrity can be checked by the Cloud connector auditor tool as described here:
https://help.hana.ondemand.com/help/frameset.htm?2264c7002f844fe4833186a1d168de66.html
The audit log data of the Cloud connector can be used to alert Cloud connector administrators to unusual or
suspicious network and system behavior. Additionally, the audit log data can provide auditors with information
required to validate security policy enforcement and proper segregation of duties. IT staff can use the audit log
data for root-cause analysis following a security incident.
Information on how to configure and use the audit logging in the Cloud connector administrator UI can be found
here: https://help.hana.ondemand.com/help/frameset.htm?2264c7002f844fe4833186a1d168de66.html
We recommend that you switch on audit logging of the Cloud connector permanently in productive scenarios
and set it to All (the default configuration is Security). This way, the audit log files can be used to detect
attacks, for example by a malicious cloud application that tries to access on-premise services without
permission, or in a forensic analysis of a security incident.
It is further recommended to copy the audit log files of the Cloud connector regularly to an external persistent
storage according to your local regulations. The audit log files can be found in the Cloud connector root
directory under the following location: log/audit/<account-name>/audit-log_<timestamp>.csv
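The regular copy recommended above can be scripted. The following is an added example, not part of the SAP guide or the Cloud connector: it copies finished audit log files to an archive directory, never overwrites an archived file, and records a SHA-256 manifest of the copies. It assumes a POSIX shell with GNU coreutils; the function names, the MANIFEST.sha256 file and the age threshold are hypothetical, and only the log/audit/<account-name>/ layout comes from this guide.

```sh
#!/bin/sh
# Added example (not SAP code): archive Cloud connector audit logs.
# Assumptions: function names, MANIFEST.sha256 and the age threshold are
# hypothetical; only log/audit/<account-name>/audit-log_*.csv is from the guide.

# archive_audit_logs SCC_ROOT DEST [MIN_AGE_MINUTES]
# Prints "copied=N conflicts=M". Returns 0 if clean, 1 on conflicts, 2 on errors.
archive_audit_logs() {
    local scc_root dest min_age audit_dir src account name target copied conflicts
    scc_root=$1; dest=$2; min_age=${3:-60}
    audit_dir="$scc_root/log/audit"
    copied=0; conflicts=0

    [ -d "$audit_dir" ] || { echo "no audit directory: $audit_dir" >&2; return 2; }
    mkdir -p "$dest" || return 2

    for src in "$audit_dir"/*/audit-log_*.csv; do
        [ -f "$src" ] || continue        # unmatched glob or not a regular file
        # Skip recently modified files: the connector may still be appending.
        if [ "$min_age" -gt 0 ] && [ -z "$(find "$src" -mmin "+$min_age")" ]; then
            continue
        fi
        account=$(basename "$(dirname "$src")")
        name=$(basename "$src")
        target="$dest/$account/$name"

        if [ -e "$target" ]; then
            # An archived log must never change. A difference means the source
            # was modified after archiving or the archive itself was altered.
            if ! cmp -s "$src" "$target"; then
                echo "CONFLICT: $account/$name differs from its archived copy" >&2
                conflicts=$((conflicts + 1))
            fi
            continue
        fi

        mkdir -p "$dest/$account" || return 2
        # Copy under a temporary name, verify, then rename, so that a partial
        # copy is never mistaken for a complete archive file.
        if ! { cp -p "$src" "$target.partial" && cmp -s "$src" "$target.partial"; }; then
            rm -f "$target.partial"
            return 2
        fi
        mv "$target.partial" "$target" || return 2
        ( cd "$dest" && sha256sum "$account/$name" ) >> "$dest/MANIFEST.sha256" || return 2
        copied=$((copied + 1))
    done

    echo "copied=$copied conflicts=$conflicts"
    [ "$conflicts" -eq 0 ]
}

# verify_archive DEST: re-check every archived file against the manifest.
# Returns non-zero if any archived copy no longer matches its recorded hash.
verify_archive() {
    ( cd "$1" && sha256sum -c --quiet MANIFEST.sha256 )
}
```

The manifest only detects changes to the archived copies after transfer; it does not replace the signature check performed by the Cloud connector auditor tool.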
6.9 Authenticating Users for On-Premise Systems
Currently, the Cloud connector supports basic authentication and principal propagation as user authentication
types towards internal systems. The destination configuration of the used cloud application defines which of
these types is used for the actual communication to an on-premise system through the Cloud connector.
(Details: https://help.hana.ondemand.com/help/frameset.htm?e4f1d97cbb571014a247d10f9f9a685d.html)
In case basic authentication is used, the on-premise system must be configured to accept basic authentication
and to provide one or multiple service users. No additional steps are needed in the Cloud
connector for this authentication type.
In case principal propagation is used, the Cloud connector administrator has to explicitly configure trust to
those cloud entities from which user tokens are accepted as valid. This can be done in the Trust view of the
Cloud connector and is described in more detail here:
https://help.hana.ondemand.com/help/frameset.htm?a4ee70f0274248f8bbc7594179ef948d.html
7 Guidelines for Secure Operation of the Cloud Connector
The following table summarizes the guidelines and recommendations for a secure setup and operation of the
Cloud connector in a productive scenario.

| # | Activity | Recommendation | Reference |
|---|----------|----------------|-----------|
| 1 | Restrict OS level access to the Cloud connector | Restrict the access to the Cloud connector operating system to the users who should administrate the Cloud connector. | section 6.1 |
| 2 | Use hard drive encryption for the Cloud connector operating system | Use hard drive encryption to avoid unauthorized access to the Cloud connector configuration data and credentials in case the hard disk gets stolen. | section 6.1 |
| 3 | Change password of built-in Administrator user immediately after installation and choose a strong password | The Cloud connector administrator should change the initial password "manage" to a strong password that cannot be easily guessed. | section 6.3 |
| 3 | Authenticate with named users to the Cloud connector Administrator UI | Configure an LDAP system in the Cloud connector and work with named administrator users to have better traceability. | section 6.7 |
| 4 | Change default X.509 certificate of Cloud connector Administration UI | The self-signed certificate provided by the Cloud connector after a new installation shall be replaced with a certificate of your own to increase the security of the SSL communication between the Cloud connector administration UI and the Cloud connector server itself, and to avoid security warnings of the browser when connecting to the administration UI. | section 6.2 |
| 5 | Use HTTPS and System Certificate or RFC via SNC for communication from Cloud connector to backend | For communication between Cloud connector and the backend systems, as well as to authenticate a Cloud connector against the backend systems, we recommend that you use HTTPS and a system certificate, or RFC over SNC. | section 6.6 |
| 6 | Use host name mapping of exposed backend systems | When configuring the access to an internal system in the Access Control configuration of the Cloud connector, we recommend that you use the virtual host name mapping in order not to expose physical host names of systems of the on-premise network to the cloud. | section 0 |
| 7 | Narrow access to backend systems to required services | When configuring the access to an internal system in the Access Control view of the Cloud connector, we recommend that you restrict the system access to those resources which are required by the cloud applications. Do not expose the complete system just to save some configuration work. | section 0 |
| 8 | Switch on audit logging in Cloud connector to All | To recognize attempts of attackers to get unauthorized access to the Cloud connector, and to have full traceability of the communication and the configuration changes, we recommend that you switch on the audit log to All. | section 6.8 |
| 9 | Copy and persist audit log files of Cloud connector regularly | The Cloud connector audit log files shall be copied regularly from the Cloud connector machine to an external persistent storage and kept for a certain period of time according to the regulatory requirements. | section 6.8, section 2.5.2 |
| 10 | Clean up Cloud connector traces regularly and set default trace level to Information | Cloud connector trace files should be deleted regularly in order to clean up disk space. Except for error analysis, the trace level of the Cloud connector should not be set to a level higher than Information in regular operation. Traces created for analysis of an issue with trace level All should be deleted immediately after the issue has been resolved. | section 2.5.2 |
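The recommendations on encrypted backend protocols, virtual host name mapping, narrow resource access and separate connectors for productive accounts can be checked mechanically if the resources exposed through a Cloud connector are tracked in an inventory file. The following is an added example, not SAP code and not a Cloud connector export format: the CSV columns, the protocol labels, the host names and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example (not SAP code): lint an operator-maintained inventory of the
# resources exposed through one Cloud connector. The CSV layout is hypothetical:
#   account,purpose,protocol,internal_host,virtual_host,path,subpaths
# purpose:  dev | test | prod
# protocol: HTTP | HTTPS | RFC | RFC_SNC   (labels constructed for this example)

# lint_exposure FILE
# Prints one finding per line and returns 1 if there is any finding, else 0.
lint_exposure() {
    awk -F, '
        NR == 1 || /^#/ || /^[ \t]*$/ { next }   # header, comments, blank lines
        NF != 7 {
            printf "line %d: malformed: expected 7 fields, got %d\n", NR, NF
            bad++; next
        }
        {
            purpose = tolower($2); proto = toupper($3)
            ihost = tolower($4); vhost = tolower($5)
            path = $6; subpaths = tolower($7)

            if (purpose == "prod") prod = 1; else nonprod = 1

            # Unencrypted protocol between Cloud connector and backend.
            if (proto == "HTTP" || proto == "RFC") {
                printf "line %d: unencrypted: %s to %s\n", NR, proto, ihost
                bad++
            }
            # Virtual host missing or identical to the physical host name.
            if (vhost == "" || vhost == ihost) {
                printf "line %d: host-exposed: virtual host does not hide %s\n", NR, ihost
                bad++
            }
            # Root path plus all sub-paths exposes the complete system.
            if ((proto == "HTTP" || proto == "HTTPS") && (path == "" || path == "/") && subpaths == "yes") {
                printf "line %d: too-broad: whole system %s exposed\n", NR, ihost
                bad++
            }
        }
        END {
            # Productive and dev/test accounts should not share a connector.
            if (prod && nonprod) {
                print "file: mixed-landscape: prod and dev/test accounts share this Cloud connector"
                bad++
            }
            exit (bad > 0)
        }
    ' "$1"
}

# write_sample_inventory FILE: constructed sample data for trying the check.
write_sample_inventory() {
    cat > "$1" <<'EOF'
account,purpose,protocol,internal_host,virtual_host,path,subpaths
acmedev,dev,HTTPS,gw-dev.corp.example,gateway-dev,/sap/opu/odata/sales,yes
acmedev,dev,HTTP,gw-dev.corp.example,gw-dev.corp.example,/,yes
acmeprod,prod,RFC_SNC,erp.corp.example,erp-virtual,BAPI_,yes
EOF
}
```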
8 Monitoring
To verify that a Cloud connector is up and running, the simplest way is to try to access its administration UI. If
the UI can be opened in a Web browser, the Cloud connector process is running.
On Windows operating systems, the Cloud connector process is registered as a Windows service which is
configured to start automatically after a new Cloud connector installation. In case the machine gets rebooted,
the Cloud connector process should then be auto-restarted immediately. You can check the state with the
following command: sc query "SAP HANA Cloud connector 2.0". The line state shows the state of the
service.
On Linux operating systems, the Cloud connector is registered as a daemon process and gets restarted
automatically each time the Cloud connector process is down, for example after a reboot of the whole system. The
daemon state can be checked with: service scc_daemon status
To verify if a Cloud connector is connected to a certain cloud account, log on to the Cloud connector
Administration UI and go to the Accounts Dashboard, where the connection state of the connected
accounts is visible, as described in section 6.4.
9 Supportability
In case of issues with the Cloud connector, SAP customers and partners can create OSS tickets under the
component BC-MID-SCC. The general SAP SLAs with regard to OSS processing time also apply for SAP HANA
Cloud Platform and the Cloud connector. To avoid unnecessary answer/response cycles in the support case, we
recommend that you download the logs of the corresponding Cloud connector using the Download button on
the Logs view and attach the respective log file(s) to the OSS ticket directly when creating it. In case the
issue is easily reproducible, re-execute it at Log Level 'All' before creating the archive.
10 Release and Maintenance Strategy
As for all components of SAP HANA Cloud Platform, new releases of the Cloud connector are available on the
Cloud Tools page. As SAP HANA Cloud Platform releases in a bi-weekly cycle, new releases of the Cloud
connector could occur every other week, although the actual releases will be less frequent (new releases are
shipped when new features or important bug fixes shall be delivered).
Cloud connector versions follow the <major>.<minor>.<micro> versioning schema. Within a major
version, the Cloud connector will stay fully compatible. Within a minor version, the Cloud connector will stay
with the same feature set, and higher minor versions usually support additional features compared to lower
minor versions. Micro versions are increased to release patches of a <major>.<minor> version in order to
deliver bug fixes.
For each supported major version of the Cloud connector, only one <major>.<minor>.<micro> version
will be provided and supported on the Cloud Tools page. This means that users have to upgrade their existing
Cloud connectors in order to get a patch for a bug or to make use of new features.
New versions of the Cloud connector are announced in the Release Notes of SAP HANA Cloud Platform. We
recommend that Cloud connector administrators regularly check the release notes for Cloud connector
updates. New versions of the Cloud connector can be applied by using the Cloud connector upgrade
capabilities as outlined in sections 4.2 and 5.2 above. We recommend that you apply an upgrade first in the
Cloud connector test landscape to validate that the running applications are working, and then continue with
the productive landscape.
When updates are applied on the cloud, operations continuity of existing Cloud connectors and their connections
is assured by the platform, i.e. users do not have to perform manual actions in the Cloud connector when the
cloud side gets updated.
11 Process Guidelines for Hybrid Scenarios
The following chapter provides process guidelines that help you to manage productive hybrid scenarios in
which applications running on SAP HANA Cloud Platform require access to on-premise systems.
11.1 Document Landscape of Hybrid Solution
To have an overview of the cloud and on-premise landscape relevant for your hybrid scenario, we recommend
that you document the used cloud accounts, their connected Cloud connectors and the used on-premise
backend systems in landscape overview diagrams. Document the account names, the purpose of the accounts
(dev, test, prod), information on the Cloud connector machines (host, domains), the URLs of the Cloud
connectors in the landscape overview document, and possibly more details.
An example of landscape overview documentation could look like this:
11.2 Document Administrator Roles
It is recommended to document which users have administrator access to the cloud accounts, to the Cloud
connector operating system and to the Cloud connector Administration UI.
An example of such administrator role documentation could look like the following sample table:
Resource
john@acme.com marry@acme.com pete@acme.com greg@acme.com
Cloud Account (CA) Dev1
x
CA Dev2 X
CA Test x X
CA Prod X
Cloud connector Dev 1 + 2
x x
Cloud connector Test x X
Cloud connector Prod X
Cloud connector Dev 1 + 2 file system
Cloud connector Test file system
x X
Cloud connector Prod file system
X
11.3 Document Communication Channels
It is recommended to create and document separate email distribution lists for both the cloud account
administrators and the Cloud connector administrators.
An example of the documented communication channels could look like this:

| Landscape | Distribution List |
|-----------|-------------------|
| Cloud Account Administrators | DL ACME HCP Account Admins |
| Cloud connector Administrators | DL ACME Cloud connector Admins |

11.4 Define Project and Development Guidelines
It is recommended to define and document mandatory project and development guidelines for your SAP HANA
Cloud Platform projects. An example of such a guideline could look like the following:
For every SAP HANA Cloud Platform project of your organization, the following requirements are mandatory:
• Usage of Maven, Nexus, Git & Gerrit for the application development
• Alignment with accountable manager in projects (name: Flora Miller)
• Alignment with accountable security officer in projects (name: Pete Johnson)
• For externally developed source code, a handover to your organization is required
• Fulfill the connection restrictions in a 3-system landscape, i.e. usage of staged landscape for dev, test
and prod, and e.g. dev landscape only connects to dev systems, etc.
• Productive accounts do not use the same Cloud connector as a dev or test account
11.5 Define Process of how to Set a Cloud Application Live
It is recommended to define and document the process of how to set a cloud application live and how to
configure the needed connectivity for such an application.
For example, the following processes could be seen as relevant and shall be defined and documented in more
detail:
1. Transferring application to production: This process defines the steps which are necessary for transferring
an application to the productive status on the SAP HANA Cloud Platform.
2. Application Connectivity: This process defines the steps which are necessary to add a connectivity
destination to a deployed application for connections to other resources in the test or productive
landscape.
3. Cloud Connector Connectivity: This process defines the steps which are necessary to add an on-premise
resource to the SAP HANA Cloud connector in the test or productive landscapes to make it available for the
connected cloud accounts.
4. On-premise System Connectivity: This process defines the steps which are necessary to set up a trust
relationship between an on-premise system and the SAP HANA Cloud connector, and to configure user
authentication and authorization in the on-premise system in the test or productive landscapes.
5. Application Authorization: This process defines the steps which are necessary to request and assign an
authorization which is available inside the SAP HANA Cloud application to a user in the test or productive
landscapes.
6. Administrator Permissions: This process defines the steps which are necessary to request and assign the
administrator permissions in a cloud account to a user in the test or productive landscape.
Copyright
© Copyright 2014 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
• Guidelines for secure operation of the Cloud connector
This section briefly summarizes all guidelines and recommendations for a secure setup of the Cloud
connector as they are relevant for productive scenarios. It also provides references to the individual
sections of this operator's guide where the related topics are described in more detail.
• Monitoring
This section provides an overview of how to monitor the Cloud connector-based connectivity to the
cloud and describes high-availability features of the Cloud connector.
• Supportability
This section provides an overview of supportability in case of issues with the Cloud connector.
• Maintenance and release strategy
This section describes the maintenance and release strategy of the Cloud connector, how new patches
or new versions are released, and where to find information about new releases.
• Process guidelines for hybrid scenarios
This section provides process guidelines which help to manage and operate hybrid scenarios.
1.1 Target Audience
System administrators, IT administrators, cloud account administrators
1.2 Additional Information
This document focuses on the operation aspects of the Cloud connector. It does not cover a general overview
of the SAP HANA Cloud Platform and its connectivity service, nor does it address development-related
questions such as how an application which needs connectivity is implemented.
For additional information on specific topics, see the following online resources:
SAP HANA Cloud Platform documentation:
https://help.hana.ondemand.com
SAP HANA Cloud Platform connectivity service documentation:
https://help.hana.ondemand.com/help/frameset.htm?e54cc8fbbb571014beb5caaf6aa31280.html
SAP HANA Cloud connector documentation:
https://help.hana.ondemand.com/help/frameset.htm?e6c7616abb5710148cfcf3e75d96d596.html
SAP HANA Cloud Platform release notes: https://scn.sap.com/docs/DOC-28833
SAP Community Network: https://scn.sap.com/community/developer-center/cloud-platform
SAP security: https://service.sap.com/security
SAP security guides, network security: https://service.sap.com/securityguide
SAP HANA Cloud Platform openSAP course:
https://open.sap.com/course/hanacloud1
https://scn.sap.com/community/developer-center/cloud-platform/blog/2014/01/08/videos-of-opensap-course-introduction-to-sap-hana-cloud-platform
Registration for free SAP HANA Cloud Platform account:
https://account.hanatrial.ondemand.com
2 System Requirements
This section describes the hardware and software requirements needed to install and run the Cloud connector.
2.1 Hardware Requirements

| | Minimum | Recommended |
|---|---------|-------------|
| CPU | Single core 3 GHz, x86-64 architecture compatible | Dual core 2 GHz, x86-64 architecture compatible |
| Memory (RAM) | 1 GB | 4 GB |
| Free disk space | 1 GB | 20 GB |

2.2 Software Requirements

| Operating System | Architecture |
|------------------|--------------|
| Windows 7, Windows Server 2008 R2 | x86_64 |
| SUSE Linux Enterprise Server 11, Redhat Enterprise Linux 6 | x86_64 |

2.3 Supported Browsers
The browsers that can be used for the Cloud connector Administration UI are the ones supported by SAP UI5.
Currently, these are the following:
• Internet Explorer 9 or higher
• Mozilla Firefox 10 and latest version
• Safari 5.1 and higher
• Google Chrome (latest versions)
An up-to-date list of the supported SAP UI5 browsers can be found here:
https://help.hana.ondemand.com/help/frameset.htm?91f072cf6f4d1014b6dd926db0e91070.html
2.4 Cloud Connector Software Download
The Cloud connector can be downloaded from the Cloud Tools page.
2.5 Free Disk Space
2.5.1 Installation size
To download and install a new Cloud connector server, a minimum of free disk space is required as follows:
• Size of downloaded Cloud connector installation file (ZIP, TAR, MSI files): 50 MB
• Newly installed Cloud connector server: 70 MB
• Total: 120 MB as a minimum
2.5.2 Additional disk space for log and configuration files
The Cloud connector writes configuration files, audit log files and trace files at runtime. The recommendation is
to reserve between 1 and 20 GB of disk space for those files.
Trace and log files are written to <scc_dir>/log within the Cloud connector root directory.
ljs_trace.log contains traces in general; communication payload traces are stored in
traffic_trace_trc. They are used for support cases to analyze potential issues. The default trace level is
set to Information, where the amount of written data is in the range of a few KB each day. You can turn off
these traces to save disk space. However, it is not recommended to turn off this trace completely, but to leave
it with the default settings to allow root cause analysis in case an issue occurs. If the trace level is increased to
All, the amount of data can easily reach the range of several GB per day. We recommend that you only use
trace level All for analyzing a particular issue. Payload trace, however, should normally be turned off and only
turned on in case of certain issues to support analysis by SAP support.
From an operations perspective, we recommend that you back up or delete written trace files regularly in order to
clean up the used disk space.
Audit log files are written to log/audit/<account-name>/audit-log_<account-name>_<date>.csv
within the Cloud connector root directory. By default, only security-related events are written to the audit
log. The Cloud connector administrator can change the audit log level using the administration UI as described
here: https://help.hana.ondemand.com/help/frameset.htm?2264c7002f844fe4833186a1d168de66.html
To be compliant with the regulatory requirements of your organization and the regional laws, the audit log files
must be persisted for a certain period of time for traceability purposes. Therefore, it is recommended to back
up the audit log files regularly from the Cloud connector file system and to keep the backup for a certain period
of time fitting those rules.
3 Network Zones
Usually, a customer network is divided into multiple network zones or sub-networks according to the security
level of the contained components. There is, for instance, the DMZ that contains and exposes the
external-facing services of an organization to an untrusted network, usually the Internet, and there are one or multiple
other network zones which contain the components and services provided in the company's intranet.
Generally, customers can choose the network zone in which the Cloud connector should be set up in their
network. Technical prerequisites for the Cloud connector to work properly are:
• Cloud connector must have internet access to the SAP HANA Cloud Platform landscape host, either
directly or via HTTPS proxy.
• Cloud connector must have direct access to the internal systems it shall provide access to. That means
there must be transparent connectivity between the Cloud connector and the internal system.
Depending on the needs of the project, the Cloud connector can be either set up in the DMZ and operated
centrally by the IT department, or set up in the intranet and operated by the line-of-business.
4 Cloud Connector on Microsoft Windows
Currently, the following Windows operating system versions are supported by the Cloud connector: Windows 7
64-bit and Windows Server 2008 R2 64-bit. This section describes how to install, upgrade, uninstall and
start/stop the Cloud connector process on Windows operating systems.
4.1 Installation
Detailed documentation on how to install the Cloud connector on Microsoft Windows can be found here:
https://help.hana.ondemand.com/help/frameset.htm?204aaad4270245f3baa0c57c8ab1dd60.html
NOTE: The Windows MSI installer must be used for productive scenarios, as only then the Cloud connector gets
registered as a Windows service.
4.2 Upgrade
Detailed documentation on how to upgrade the Cloud connector on Microsoft Windows can be found here:
https://help.hana.ondemand.com/help/frameset.htm?7a7cc373019b4b6eaab39b5ab7082b09.html
4.3 Uninstallation
Detailed documentation on how to uninstall the Cloud connector on Microsoft Windows can be found here:
https://help.hana.ondemand.com/help/frameset.htm?d53395c4692c427881220c161ba51732.html
4.4 Starting the Cloud Connector
After the installation, the Cloud connector is registered as a Windows service which is configured to be started
automatically. With this configuration, the Cloud connector process will be started automatically after a reboot
of the system. You can start and stop the service via shortcuts created on the desktop ("Start SAP HANA
Cloud connector 2.0" and "Stop SAP HANA Cloud connector 2.0"), or by using the Windows
Services manager and looking for the service SAP HANA Cloud connector 2.0.
Once started, the Cloud connector administration UI can be accessed at https://localhost:<port>, where the
default port is 8443 (this port could have been modified during the installation).
5 Cloud Connector on Linux
Currently, the following Linux versions are supported by the Cloud connector: SUSE Linux Enterprise Server 11
64-bit and Redhat Enterprise Linux 6 64-bit. This section describes how to install, upgrade, uninstall, and
start/stop the Cloud connector process on Linux operating systems.
5.1 Installation
Detailed documentation on how to install the Cloud connector on Linux can be found here:
https://help.hana.ondemand.com/help/frameset.htm?f069840fa34c4196a5858be33a2734ea.html
NOTE: For productive scenarios, the Cloud connector Linux RPM installer must be used, as only then the Cloud
connector will be registered as a daemon process.
5.2 Upgrade
Detailed documentation on how to upgrade the Cloud connector on Linux can be found here:
https://help.hana.ondemand.com/help/frameset.htm?7a7cc373019b4b6eaab39b5ab7082b09.html
5.3 Uninstallation
Detailed documentation on how to uninstall the Cloud connector on Linux can be found here:
https://help.hana.ondemand.com/help/frameset.htm?d53395c4692c427881220c161ba51732.html
5.4 Starting the Cloud Connector
After installing the Cloud connector via RPM manager, the Cloud connector process is started automatically
and registered as a daemon process, which takes care of restarting the Cloud connector automatically after a
reboot of the system.
To start/stop/restart the process explicitly, you can open a command shell and use the following commands,
which require root permissions:
service scc_daemon stop|restart|start|status
6 Cloud Connector Administration
6.1 Operating System Access and Configuration
As the Cloud connector is a security-critical component enabling external access to systems of an isolated
network, similar to a reverse proxy in a DMZ, we recommend that you restrict the access to the operating
system on which the Cloud connector is installed to the minimal set of users who shall administrate the system.
This will minimize the risk of unauthorized people accessing the Cloud connector system and trying to modify
or damage a running Cloud connector instance.
We also recommend that you use hard-drive encryption for the Cloud connector system. This ensures that the
Cloud connector configuration data cannot be read by unauthorized users, even if they obtain access to the
hard drive.
6.2 Configuring a Trusted Certificate for the Administration UI
After a new installation, the Cloud connector provides a self-signed X.509 certificate used for the SSL
communication between the Cloud connector Administration UI running in a Web browser and the Cloud
connector process itself. For security reasons, this certificate should be replaced for productive scenarios with a
certificate trusted by your organization. To learn in detail how to do this, read this page:
https://help.hana.ondemand.com/help/frameset.htm?bcd5e113c9164ae8a443325692cd5b12.html
6.3 Basic Configuration
The basic configuration steps for the Cloud connector consist of:
• Changing the initial password for the built-in Administrator user
• Connecting the Cloud connector against a cloud account
A detailed documentation of these two steps can be found here:
https://help.hana.ondemand.com/help/frameset.htm?db9170a7d97610148537d5a84bf79ba2.html
You are forced to change the initial password to a specific one immediately after installation. The Cloud
connector itself does not check the strength of the password, i.e. the Cloud connector administrators should
voluntarily choose a strong password that cannot be guessed easily.
6.4 Connecting and Disconnecting a Cloud Account
The major principle for the connectivity established by the Cloud connector is that the Cloud connector
administrator should have full control over the connection to the cloud, i.e. they should be able to decide if and
when the Cloud connector needs to be connected to the cloud at all, to which accounts it shall be connected,
and which on-premise systems and resources shall be accessible to applications of the connected account.
Using the administration UI, the Cloud connector administrator can connect and disconnect the Cloud
connector to the configured cloud account. Once disconnected, there is no communication possible – neither
between the cloud account and the Cloud connector, nor to the internal systems. The connection state can be
verified and changed by the Cloud connector administrator on the Account Dashboard tab of the UI, as
shown in the following screenshot.
It is important to note that once the Cloud connector is newly installed and connected to a cloud account, still
none of the systems available in the customer network are accessible to the applications of the related cloud
account. The systems and resources that shall be made accessible must be configured explicitly in the Cloud
connector one by one, as it is described in section 6.6.
Effective Cloud connector version 2.2.0, a single Cloud connector instance can be connected to multiple
accounts in the cloud. This is useful especially for customers who need multiple accounts to structure their
development or to stage their cloud landscape into development, test, and production. These customers have
the option to use a single Cloud connector instance for multiple accounts of theirs. Nevertheless, it is
recommended to not use accounts running productive scenarios and accounts used for development or test
purposes within the same Cloud connector. A cloud account can be added to or deleted from a Cloud
connector on the Account Dashboard using the Add… and Delete buttons (see screenshot above).
A detailed description of how to add, delete, connect, or disconnect accounts can also be found here:
https://help.hana.ondemand.com/help/frameset.htm?f16df12fab9f4fe1b8a4122f0fd54b6e.html
6.5 Configuring Accessible Resources
After a new Cloud connector installation in a network, no systems or resources of the network have been
exposed to the cloud yet. The Cloud connector administrator must configure each system and resource that
shall be used by applications of the connected cloud account in the Access Control view of the Cloud
connector, as shown in the following screenshot.
Thereby, any type of system that can be called via one of the supported protocols (currently HTTP and RFC),
i.e. both SAP and non-SAP systems, are supported. As an example, a convenient way to access an ABAP system
in a cloud application is to do this via SAP NetWeaver Gateway, as it allows consumption of ABAP content via
HTTP and open standards.
Detailed documentation on how HTTP resources are configured can be found here:
https://help.hana.ondemand.com/help/frameset.htm?e7d4927dbb571014af7ef6ebd6cc3511.html
Detailed documentation on how RFC resources are configured can be found here:
https://help.hana.ondemand.com/help/frameset.htm?ca5868997e48468395cf0ca4882f5783.html
We recommend that you narrow the access only to those backend services and resources that are explicitly
needed by the cloud applications. Instead of configuring, for example, a system and granting access to all its
resources, we recommend that you only grant access to the concrete resources which are needed by the cloud
application. For example, define access to an HTTP service by specifying the service URL root path and allowing
access to all its sub-paths.
When configuring an on-premise system, it is possible to define a virtual host and port for the specified system,
as shown in the screenshot below. The virtual host name and port represent the fully-qualified domain name of
the related system in the cloud. We recommend that you use the virtual host name/port mapping in order to
prevent from leaking information about the physical machine name and port of an on-premise system and thus
– of your internal network infrastructure getting published to the cloud.
6.6 Configuring Trust between Cloud Connector and On-Premise Systems
For secure communication between the Cloud connector and the used on-premise systems, it is recommended
to use encrypted protocols like HTTPS and RFC over SNC, and to set up a trust relationship between the Cloud
connector and the on-premise systems by exchanging certificates.
When using HTTPS as protocol, a trust relationship can be set up by configuring the so-called system certificate
in the Cloud connector. A system certificate is an X.509 certificate which represents the identity of the Cloud
connector instance and is used as a client certificate in the HTTPS communication between the Cloud
connector and the on-premise system. The used on-premise system should be configured to validate the
system certificate of the Cloud connector to ensure that only calls from trusted Cloud connectors are accepted.
A detailed documentation on how to use and configure the system certificate for a Cloud connector can be
found here: https://help.hana.ondemand.com/help/frameset.htm?3f974eae3cba4dafa274ec59f69daba6.html
Analogously, SNC can be configured for secure RFC communication to an ABAP backend as described here:
https://help.hana.ondemand.com/help/frameset.htm?f09eefe71d1e4d4484e1dd4b121585fb.html
6.7 Configuring Named Cloud Connector Administrator Users
We recommend that you configure LDAP-based user management for the SAP HANA Cloud Connector
Administration UI so that only named administrator users can log on to the administration UI. This is important
to guarantee traceability of the Cloud connector configuration changes via the Cloud connector audit log. With
the default and built-in Administrator user, it is not possible to identify the physical person who has done a
possibly security-sensitive configuration change in the Cloud connector.
If you have an LDAP server in your landscape, you can configure the Cloud connector to authenticate Cloud
connector administrator users against the LDAP server. Valid administrator users must belong to the user group
named admin or sccadmin. Documentation on how to configure an LDAP server can be found here:
https://help.hana.ondemand.com/help/frameset.htm?120ceecfd84145a181ac160d588a7a3d.html
Once an LDAP has been configured for the authentication of the Cloud connector, the default Administrator
user will be inactive and can’t be used anymore for the log on to the Cloud connector.
6.8 Using the Audit Log
Audit logging is a critical element of an organization’s risk management strategy. The Cloud connector provides
audit logging for the complete record of access between cloud and Cloud connector, as well as of configuration
changes done in the Cloud connector. The written audit log files are digitally signed by the Cloud connector so
that their integrity can be checked by the Cloud connector auditor tool as described here:
https://help.hana.ondemand.com/help/frameset.htm?2264c7002f844fe4833186a1d168de66.html
The audit log data of the Cloud connector can be used to alert Cloud connector administrators to unusual or
suspicious network and system behavior. Additionally, the audit log data can provide auditors with information
required to validate security policy enforcement and proper segregation of duties. IT staff can use the audit log
data for root-cause analysis following a security incident.
Information on how to configure and use the audit logging in the Cloud connector administrator UI can be found
here: https://help.hana.ondemand.com/help/frameset.htm?2264c7002f844fe4833186a1d168de66.html
We recommend that you switch on audit logging of the Cloud connector permanently in productive scenarios
and set it to All (the default configuration is Security). By this, the audit log files can be used to detect
attacks of, for example, a malicious cloud application that tries to access on-premise services without
permission, or in a forensic analysis of a security incident.
It is further recommended to copy the audit log files of the Cloud connector regularly to an external persistent
storage according to your local regulations. The audit log files can be found in the Cloud connector root
directory under the following location: log/audit/<account-name>/audit-log_<timestamp>.csv
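The regular copy of audit log files recommended above, as an added Python example (not part of the guide and not SAP code): it copies every audit-log_*.csv below log/audit/<account-name>/ to an archive directory, writes a SHA-256 manifest, and keeps the archived copy whenever the source no longer starts with the bytes archived earlier. The account name, file dates and log lines are constructed, and the check is an assumption of this example that does not replace the signature check of the Cloud connector auditor tool.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

CHUNK = 65536


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def is_prefix(old: Path, new: Path) -> bool:
    """True if the bytes of `old` are exactly the first bytes of `new`."""
    if old.stat().st_size > new.stat().st_size:
        return False
    with old.open("rb") as a, new.open("rb") as b:
        for block in iter(lambda: a.read(CHUNK), b""):
            if b.read(len(block)) != block:
                return False
    return True


def archive_audit_logs(scc_root: Path, archive_root: Path) -> dict:
    """Copy audit logs to archive_root; never overwrite a copy that diverged."""
    report = {"copied": [], "unchanged": [], "grown": [], "diverged": []}
    audit_dir = scc_root / "log" / "audit"
    archive_root.mkdir(parents=True, exist_ok=True)
    for src in sorted(audit_dir.glob("*/audit-log_*.csv")):
        rel = src.relative_to(audit_dir)
        dst = archive_root / rel
        if not dst.exists():
            state = "copied"
        elif sha256_of(src) == sha256_of(dst):
            state = "unchanged"
        elif is_prefix(dst, src):
            state = "grown"      # lines were appended since the last run
        else:
            state = "diverged"   # earlier bytes differ: keep the archived copy
        if state in ("copied", "grown"):
            dst.parent.mkdir(parents=True, exist_ok=True)
            tmp = dst.with_name(dst.name + ".part")
            shutil.copy2(src, tmp)
            tmp.replace(dst)     # rename within the archive file system
        report[state].append(rel.as_posix())
    # Manifest in the "<hash>  <path>" layout that sha256sum -c reads.
    lines = [f"{sha256_of(p)}  {p.relative_to(archive_root).as_posix()}\n"
             for p in sorted(archive_root.glob("*/audit-log_*.csv"))]
    (archive_root / "SHA256SUMS").write_text("".join(lines))
    return report


def demo() -> dict:
    """Two runs over constructed files: one file grows, one is edited."""
    with tempfile.TemporaryDirectory() as tmp:
        root, archive = Path(tmp) / "scc", Path(tmp) / "archive"
        account = root / "log" / "audit" / "acmedev"   # constructed account name
        account.mkdir(parents=True)
        day1 = account / "audit-log_2014-02-01.csv"    # constructed file names
        day2 = account / "audit-log_2014-02-02.csv"
        day1.write_text("constructed line 1\nconstructed line 2\n")
        day2.write_text("constructed line 3\n")
        first = archive_audit_logs(root, archive)
        with day2.open("a") as fh:                     # normal appending
            fh.write("constructed line 4\n")
        day1.write_text("constructed line 1\nEDITED line 2\n")  # rewritten
        second = archive_audit_logs(root, archive)
        return {
            "first": first,
            "second": second,
            "kept": (archive / "acmedev" / day1.name).read_text(),
            "manifest": (archive / "SHA256SUMS").read_text(),
        }


if __name__ == "__main__":
    print(demo())
```

A file reported under "diverged" is a candidate for the auditor tool and for comparison with the archived copy, since an audit log is expected only to grow.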
6.9 Authenticating Users for On-Premise Systems
Currently, the Cloud connector supports basic authentication and principal propagation as user authentication
types towards internal systems. The destination configuration of the used cloud application defines which of
these types is used for the actual communication to an on-premise system through the Cloud connector.
(Details: https://help.hana.ondemand.com/help/frameset.htm?e4f1d97cbb571014a247d10f9f9a685d.html)
In case basic authentication is used, the on-premise system must be configured to accept basic authentication
and to provide one or multiple service users. There are no additional steps which are needed in the Cloud
connector for this authentication type.
In case principal propagation is used, the Cloud connector administrator has to explicitly configure trust to
those cloud entities from which user tokens are accepted as valid. This can be done in the Trust view of the
Cloud connector and is described in more detail here:
https://help.hana.ondemand.com/help/frameset.htm?a4ee70f0274248f8bbc7594179ef948d.html
7 Guidelines for Secure Operation of the Cloud Connector
The following table summarizes the guidelines and recommendations for a secure setup and operation of the
Cloud connector in a productive scenario.
| # | Activity | Recommendation | Reference |
|---|----------|----------------|-----------|
| 1 | Restrict OS level access to the Cloud connector | Restrict the access to the Cloud connector operating system to the users who should administrate the Cloud connector. | section 6.1 |
| 2 | Use hard drive encryption for the Cloud connector operating system | Use hard drive encryption to avoid unauthorized access to the Cloud connector configuration data and credentials in case hard disk gets stolen. | section 6.1 |
| 3 | Change password of built-in Administrator user immediately after installation and choose a strong password | Cloud connector administrator should change initial password “manage” to a strong password that cannot be easily guessed. | section 6.3 |
| 3 | Authenticate with named users to the Cloud connector Administrator UI | Configure an LDAP system in the Cloud connector and work with named administrator users to have better traceability. | section 6.7 |
| 4 | Change default X.509 certificate of Cloud connector Administration UI | The self-signed certificate provided by the Cloud connector after a new installation shall be changed to an own certificate to increase the security of the SSL communication between the Cloud connector administration UI and the Cloud connector server itself, and to avoid security warnings of the browser when connecting to the administration UI. | section 6.2 |
| 5 | Use HTTPS and System Certificate or RFC via SNC for communication from Cloud connector to backend | For communication between Cloud connector and the backend systems, as well as to authenticate a Cloud connector against the backend systems, we recommend that you use HTTPS and a system certificate, or RFC over SNC. | section 6.6 |
| 6 | Use host name mapping of exposed backend systems | When configuring the access to an internal system in the Access Control configuration of the Cloud connector, we recommend that you use the virtual host name mapping in order to not expose physical host names of systems of the on-premise network to the cloud. | section 0 |
| 7 | Narrow access to backend systems to required services | When configuring the access to an internal system in the Access Control view of the Cloud connector, we recommend that you restrict the system access to those resources which are required by the cloud applications. Do not expose the complete system just to save some configuration work. | section 0 |
| 8 | Switch on audit logging in Cloud connector to All | To recognize attempts of attackers to get unauthorized access to the Cloud connector and to have full traceability of the communication and the configuration changes, we recommend that you switch on the audit log to All. | section 6.8 |
| 9 | Copy and persist audit log files of Cloud connector regularly | The Cloud connector audit log files shall be copied regularly from the Cloud connector machine to an external persistent storage and kept for a certain period of time according to the regulatory requirements. | section 6.8, section 2.5.2 |
| 10 | Clean up Cloud connector traces regularly and set default trace level to Information | Cloud connector trace files should be deleted regularly in order to clean up disk space. Unless for error analysis, the trace level of the Cloud connector should not be set to a level higher than Information in the regular operation. Traces created for analysis of an issue with trace level All should be deleted immediately after the issue has been resolved. | section 2.5.2 |
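A review of a documented landscape against rows 5 to 7 of this table and the account separation recommended in sections 6.4 and 11.4, as an added Python example (not part of the guide and not SAP code). The inventory layout, the connector, account and host names, and the rule labels are hypothetical; the Cloud connector does not export its configuration in this form.

```python
# Constructed inventory in a hypothetical format; not a Cloud connector file.
# Each connector lists its connected accounts and their purpose.
CONNECTORS = {
    "scc-dev": {"acmedev1": "dev", "acmedev2": "dev"},
    "scc-shared": {"acmetest": "test", "acmeprod": "prod"},
}
MAPPINGS = [
    {"connector": "scc-dev", "protocol": "HTTPS",
     "internal_host": "erp01.corp.example", "virtual_host": "erp-virtual",
     "resources": [{"path": "/sap/opu/odata/", "sub_paths": True}]},
    {"connector": "scc-shared", "protocol": "HTTP",
     "internal_host": "crm02.corp.example", "virtual_host": "crm02",
     "resources": [{"path": "/", "sub_paths": True}]},
    {"connector": "scc-shared", "protocol": "RFC",
     "internal_host": "abap03.corp.example", "virtual_host": "abap-virtual",
     "resources": []},
]

# The same landscape after applying the recommendations.
FIXED_CONNECTORS = {
    "scc-dev": {"acmedev1": "dev", "acmedev2": "dev"},
    "scc-test": {"acmetest": "test"},
    "scc-prod": {"acmeprod": "prod"},
}
FIXED_MAPPINGS = [
    MAPPINGS[0],
    {"connector": "scc-prod", "protocol": "HTTPS",
     "internal_host": "crm02.corp.example", "virtual_host": "crm-virtual",
     "resources": [{"path": "/sap/opu/odata/", "sub_paths": True}]},
    {"connector": "scc-prod", "protocol": "RFC SNC",
     "internal_host": "abap03.corp.example", "virtual_host": "abap-virtual",
     "resources": []},
]

ENCRYPTED = {"HTTPS", "RFC SNC"}   # row 5: HTTPS, or RFC over SNC


def review(connectors, mappings):
    """Return sorted (rule, subject) findings; the rule names are this example's."""
    findings = set()
    for name, accounts in connectors.items():
        purposes = set(accounts.values())
        # Sections 6.4 and 11.4: productive accounts do not share a
        # Cloud connector with development or test accounts.
        if "prod" in purposes and purposes != {"prod"}:
            findings.add(("prod-shared-with-dev-or-test", name))
    for m in mappings:
        subject = f'{m["connector"]}/{m["virtual_host"]}'
        # Row 5: backend communication should use an encrypted protocol.
        if m["protocol"].upper() not in ENCRYPTED:
            findings.add(("unencrypted-backend-protocol", subject))
        # Row 6: the virtual name must not reveal the physical host name,
        # neither as the full name nor as its first label.
        internal = m["internal_host"].lower()
        if m["virtual_host"].lower() in (internal, internal.split(".")[0]):
            findings.add(("virtual-host-leaks-internal-name", subject))
        # Row 7: a root path with sub-paths exposes the complete system.
        for res in m["resources"]:
            if res["sub_paths"] and res["path"].strip("/") == "":
                findings.add(("whole-system-exposed", subject))
    return sorted(findings)


if __name__ == "__main__":
    for rule, subject in review(CONNECTORS, MAPPINGS):
        print(f"{rule:36} {subject}")
    print("after fixes:", review(FIXED_CONNECTORS, FIXED_MAPPINGS))
```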
8 Monitoring
To verify that a Cloud connector is up and running, the simplest way is to try to access its administration UI. If
the UI can be opened in a Web browser, the Cloud connector process is running.
On Windows operating systems, the Cloud connector process is registered as a Windows service which is
configured to start automatically after a new Cloud connector installation. In case the machine gets rebooted,
the Cloud connector process should then be auto-restarted immediately. You can check the state with the
following command: sc query "SAP HANA Cloud connector 2.0". The line state shows the state of the
service.
On Linux operating systems, the Cloud connector is registered as a daemon process and gets restarted
automatically each time the Cloud connector process is down, like after a reboot of the whole system. The
daemon state can be checked with: service scc_daemon status
To verify if a Cloud connector is connected to a certain cloud account, log on to the Cloud connector
Administration UI and go to the Accounts Dashboard, where the connection states of the connected
accounts are visible as described in section 6.4.
9 Supportability
In case of issues with the Cloud connector, SAP customers and partners can create OSS tickets under the
component BC-MID-SCC. The general SAP SLAs in regards of OSS processing time also apply for SAP HANA
Cloud Platform and the Cloud connector. To avoid unnecessary answer/response cycles in the support case, we
recommend that you download the logs of the corresponding Cloud connector using the Download button on
the Logs view and attach the respective log file(s) to the OSS ticket directly when creating it. In case the
issue is easily reproducible, re-execute it at Log Level ‘All’ before creating the archive.
10 Release and Maintenance Strategy
As for all components of SAP HANA Cloud Platform, new releases of the Cloud connector are available on the
Cloud Tools page. As SAP HANA Cloud Platform releases in a bi-weekly cycle, new releases of the Cloud
connector could occur every other week, although the actual releases will be more seldom (new releases are
shipped when new features or important bug fixes shall be delivered).
Cloud connector versions follow the <major>.<minor>.<micro> versioning schema. Within a major
version, the Cloud connector will stay fully compatible. Within a minor version, the Cloud connector will stay
with the same feature set, and higher minor versions usually support additional features compared to lower
minor versions. Micro versions are increased to release patches of a <major>.<minor> version in order to
deliver bug fixes.
For each supported major version of the Cloud connector, only one <major>.<minor>.<micro> version
will be provided and supported on the Cloud Tools page. This means that users have to upgrade their existing
Cloud connectors in order to get a patch for a bug or to make use of new features.
New versions of the Cloud connector are announced in the Release Notes of SAP HANA Cloud Platform. We
recommend that Cloud connector administrators regularly check the release notes for Cloud connector
updates. New versions of the Cloud connector can be applied by using the Cloud connector upgrade
capabilities as outlined in sections 4.2 and 5.2 above. We recommend that you apply an upgrade first in the
Cloud connector test landscape to validate that the running applications are working, and then continue with
the productive landscape.
When updates are applied on the cloud, operations continuity of existing Cloud connectors and their connections
is assured by the platform, i.e. users do not have to perform manual actions in the Cloud connector when the
cloud side gets updated.
11 Process Guidelines for Hybrid Scenarios
The following chapter provides process guidelines that help you to manage productive hybrid scenarios in
which applications running on SAP HANA Cloud Platform require access to on-premise systems.
11.1 Document Landscape of Hybrid Solution
To have an overview of the cloud and on-premise landscape relevant for your hybrid scenario, we recommend
that you document the used cloud accounts, their connected Cloud connectors, and the used on-premise
backend systems in landscape overview diagrams. Document the account names, the purpose of the accounts
(dev, test, prod), information on the Cloud connector machines (host, domains), the URLs of the Cloud
connectors in the landscape overview document, and possibly more details.
An example of landscape overview documentation could look like this:
11.2 Document Administrator Roles
It is recommended to document which users have administrator access to the cloud accounts, to the Cloud
connector operating system, and to the Cloud connector Administration UI.
An example of such administrator role documentation could look like the following sample table:
Resource
john@acme.com marry@acme.com pete@acme.com greg@acme.com
Cloud Account (CA) Dev1
x
CA Dev2 X
CA Test x X
CA Prod X
Cloud connector Dev 1 + 2
x x
Cloud connector Test x X
Cloud connector Prod X
Cloud connector Dev 1 + 2 file system
Cloud connector Test file system
x X
Cloud connector Prod file system
X
11.3 Document Communication Channels
It is recommended to create and document separate email distribution lists for both the cloud account
administrators and the Cloud connector administrators.
An example of the documented communication channels could look like this:
| Landscape | Distribution List |
|-----------|-------------------|
| Cloud Account Administrators | DL ACME HCP Account Admins |
| Cloud connector Administrators | DL ACME Cloud connector Admins |
11.4 Define Project and Development Guidelines
It is recommended to define and document mandatory project and development guidelines for your SAP HANA
Cloud Platform projects. An example of such a guideline could look like the following:
For every SAP HANA Cloud Platform project of your organization, the following requirements are mandatory:
• Usage of Maven, Nexus, Git-&-Gerrit for the application development
• Alignment with accountable manager in projects (name: Flora Miller)
• Alignment with accountable security officer in projects (name: Pete Johnson)
• For externally developed source code, a hand over to your organization is required
• Fulfill the connection restrictions in a 3 system landscape, i.e. usage of staged landscape for dev, test,
and prod, and e.g. dev landscape only connects to dev systems, etc.
• Productive accounts do not use the same Cloud connector like a dev or test account
11.5 Define Process of how to Set a Cloud Application Live
It is recommended to define and document the process of how to set a cloud application live and how to
configure needed connectivity for such an application.
For example, the following processes could be seen as relevant and shall be defined and documented in more
detail:
1. Transferring application to production: This process defines the steps which are necessary for transferring
an application to the productive status on the SAP HANA Cloud Platform.
2. Application Connectivity: This process defines the steps which are necessary to add a connectivity
destination to a deployed application for connections to other resources in the test or productive
landscape.
3. Cloud Connector Connectivity: This process defines the steps which are necessary to add an on-premise
resource to the SAP HANA Cloud connector in the test or productive landscapes to make it available for the
connected cloud accounts.
4. On-premise System Connectivity: This process defines the steps which are necessary to set up a trust
relationship between an on-premise system and the SAP HANA Cloud connector, and to configure user
authentication and authorization in the on-premise system in the test or productive landscapes.
5. Application Authorization: This process defines the steps which are necessary to request and assign an
authorization which is available inside the SAP HANA Cloud application to a user in the test or productive
landscapes.
6. Administrator Permissions: This process defines the steps which are necessary to request and assign the
administrator permissions in a cloud account to a user in the test or productive landscape.
Copyright
© Copyright 2014 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
2 System Requirements
This section describes the hard- and software requirements needed to install and run the Cloud connector.
2.1 Hardware Requirements
| | Minimum | Recommended |
|---|---------|-------------|
| CPU | Single core 3 GHz, x86-64 architecture compatible | Dual core 2 GHz, x86-64 architecture compatible |
| Memory (RAM) | 1 GB | 4 GB |
| Free disk space | 1 GB | 20 GB |
2.2 Software Requirements
| Operating System | Architecture |
|------------------|--------------|
| Windows 7, Windows Server 2008 R2 | x86_64 |
| SUSE Linux Enterprise Server 11, Redhat Enterprise Linux 6 | x86_64 |
2.3 Supported Browsers
The browsers that can be used for the Cloud connector Administration UI are the ones supported by SAP UI5.
Currently, these are the following:
• Internet Explorer 9 or higher
• Mozilla Firefox 10 and latest version
• Safari 5.1 and higher
• Google Chrome (latest versions)
An up-to-date list of the supported SAP UI5 browsers can be found here:
https://help.hana.ondemand.com/help/frameset.htm?91f072cf6f4d1014b6dd926db0e91070.html
2.4 Cloud Connector Software Download
The Cloud connector can be downloaded from the Cloud Tools page.
2.5 Free Disk Space
2.5.1 Installation size
To download and install a new Cloud connector server, a minimum of free disk space is required as follows:
• Size of downloaded Cloud connector installation file (ZIP, TAR, MSI files): 50 MB
• Newly installed Cloud connector server: 70 MB
• Total: 120 MB as a minimum
2.5.2 Additional disk space for log and configuration files
The Cloud connector writes configuration files, audit log files, and trace files at runtime. The recommendation is
to accommodate between 1 and 20 GB of disk space for those files.
Trace and log files are written to <scc_dir>/log within the Cloud connector root directory.
ljs_trace.log contains traces in general; communication payload traces are stored in
traffic_trace_trc. They are used for support cases to analyze potential issues. The default trace level is
set to Information, where the amount of written data is in the range of few KB each day. You can turn off
these traces to save disk space. However, it is not recommended to turn off this trace completely, but to leave
it with the default settings to allow root cause analysis in case an issue occurs. If the trace level is increased to
All, the amount of data can easily reach the range of several GB per day. We recommend that you only use
trace level All for analyzing a particular issue. Payload trace, however, should be turned off normally and only
in case of certain issues turned on for supporting analysis by SAP support.
From operations perspective, we recommend that you back up or delete written trace files regularly in order to
clean up the used disk space.
Audit log files are written to log/audit/<account-name>/audit-log_<account-name>_<date>.csv
within the Cloud connector root directory. By default, only security related events are written within the audit
log. The Cloud connector administrator can change the audit log level using the administration UI as described
here: https://help.hana.ondemand.com/help/frameset.htm?2264c7002f844fe4833186a1d168de66.html
To be compliant with the regulatory requirements of your organization and the regional laws, the audit log files
must be persisted for a certain period of time for traceability purposes. Therefore, it is recommended to back
up the audit log files regularly from the Cloud connector file system and to keep the backup for a certain period
of time fitting to those rules.
3 Network Zones
Usually, a customer network is divided into multiple network zones or sub-networks according to the security
level of the contained components. There is, for instance, the DMZ that contains and exposes the
external-facing services of an organization to an untrusted network, usually the Internet, and there is one or multiple
other network zones which contain the components and services provided in the company’s intranet.
Generally, customers have the choice in which network zone the Cloud connector should be set up in their
network. Technical prerequisites for the Cloud connector to work properly are:
• Cloud connector must have internet access to the SAP HANA Cloud Platform landscape host, either
directly or via HTTPS proxy.
• Cloud connector must have direct access to the internal systems it shall provide access to. That means
there must be transparent connectivity between the Cloud connector and the internal system.
Depending on the needs of the project, the Cloud connector can be either set up in the DMZ and operated
centrally by the IT department, or set up in the intranet and operated by the line-of-business.
4 Cloud Connector on Microsoft Windows
Currently, the following Windows operating system versions are supported by the Cloud connector: Windows 7
64-bit and Windows Server 2008 R2 64-bit. This section describes how to install, upgrade, uninstall, and
start/stop the Cloud connector process on Windows operating systems.
4.1 Installation
Detailed documentation on how to install the Cloud connector on Microsoft Windows can be found here:
https://help.hana.ondemand.com/help/frameset.htm?204aaad4270245f3baa0c57c8ab1dd60.html
NOTE: The Windows MSI installer must be used for productive scenarios, as only then the Cloud connector gets
registered as a Windows service.
4.2 Upgrade
Detailed documentation on how to upgrade the Cloud connector on Microsoft Windows can be found here:
https://help.hana.ondemand.com/help/frameset.htm?7a7cc373019b4b6eaab39b5ab7082b09.html
4.3 Uninstallation
Detailed documentation on how to uninstall the Cloud connector on Microsoft Windows can be found here:
https://help.hana.ondemand.com/help/frameset.htm?d53395c4692c427881220c161ba51732.html
4.4 Starting the Cloud Connector
After the installation, the Cloud connector is registered as a Windows service which is configured to be started
automatically. With this configuration, the Cloud connector process will be started automatically after a reboot
of the system. You can start and stop the service via shortcuts created on the desktop ("Start SAP HANA
Cloud connector 2.0" and "Stop SAP HANA Cloud connector 2.0"), or by using the Windows
Services manager and looking for the service SAP HANA Cloud connector 2.0.
Once started, the Cloud connector administration UI can be accessed at https://localhost:<port>, where the
default port is 8443 (this port could have been modified during the installation).
5 Cloud Connector on Linux
Currently, the following Linux versions are supported by the Cloud connector: SUSE Linux Enterprise Server 11
64-bit and Redhat Enterprise Linux 6 64-bit. This section describes how to install, upgrade, uninstall, and
start/stop the Cloud connector process on Linux operating systems.
5.1 Installation
Detailed documentation on how to install the Cloud connector on Linux can be found here:
https://help.hana.ondemand.com/help/frameset.htm?f069840fa34c4196a5858be33a2734ea.html
NOTE: For productive scenarios, the Cloud connector Linux RPM installer must be used, as only then the Cloud
connector will be registered as a daemon process.
5.2 Upgrade
Detailed documentation on how to upgrade the Cloud connector on Linux can be found here:
https://help.hana.ondemand.com/help/frameset.htm?7a7cc373019b4b6eaab39b5ab7082b09.html
5.3 Uninstallation
Detailed documentation on how to uninstall the Cloud connector on Linux can be found here:
https://help.hana.ondemand.com/help/frameset.htm?d53395c4692c427881220c161ba51732.html
5.4 Starting the Cloud Connector
After installing the Cloud connector via RPM manager, the Cloud connector process is started automatically
and registered as a daemon process, which takes care of restarting the Cloud connector automatically after a
reboot of the system.
To start/stop/restart the process explicitly, you can open a command shell and use the following commands,
which require root permissions:
service scc_daemon stop|restart|start|status
6 Cloud Connector Administration
6.1 Operating System Access and Configuration
As the Cloud connector is a security-critical component enabling external access to systems of an isolated
network, similar to a reverse proxy in a DMZ, we recommend that you restrict the access to the operating
system on which the Cloud connector is installed to the minimal set of users who shall administrate the system.
This will minimize the risk of unauthorized people accessing the Cloud connector system and trying to modify
or damage a running Cloud connector instance.
We also recommend that you use hard-drive encryption for the Cloud connector system. This ensures that the
Cloud connector configuration data cannot be read by unauthorized users, even if they obtain access to the
hard drive.
6.2 Configuring a Trusted Certificate for the Administration UI
After a new installation, the Cloud connector provides a self-signed X.509 certificate used for the SSL
communication between the Cloud connector Administration UI running in a Web browser and the Cloud
connector process itself. For security reasons, this certificate should be replaced for productive scenarios with a
certificate trusted by your organization. To learn in detail how to do this, read this page:
https://help.hana.ondemand.com/help/frameset.htm?bcd5e113c9164ae8a443325692cd5b12.html
6.3 Basic Configuration
The basic configuration steps for the Cloud connector consist of:
• Changing the initial password for the built-in Administrator user
• Connecting the Cloud connector against a cloud account
A detailed documentation of these two steps can be found here:
https://help.hana.ondemand.com/help/frameset.htm?db9170a7d97610148537d5a84bf79ba2.html
You are forced to change the initial password to a specific one immediately after installation. The Cloud
connector itself does not check the strength of the password, i.e. the Cloud connector administrators should
voluntarily choose a strong password that cannot be guessed easily.
6.4 Connecting and Disconnecting a Cloud Account
The major principle for the connectivity established by the Cloud connector is that the Cloud connector
administrator should have full control over the connection to the cloud, i.e. they should be able to decide if and
when the Cloud connector needs to be connected to the cloud at all, to which accounts it shall be connected,
and which on-premise systems and resources shall be accessible to applications of the connected account.
Using the administration UI, the Cloud connector administrator can connect and disconnect the Cloud
connector to the configured cloud account. Once disconnected, there is no communication possible – neither
between the cloud account and the Cloud connector, nor to the internal systems. The connection state can be
verified and changed by the Cloud connector administrator on the Account Dashboard tab of the UI, as
shown in the following screenshot.
It is important to note that once the Cloud connector is newly installed and connected to a cloud account, still
none of the systems available in the customer network are accessible to the applications of the related cloud
account. The systems and resources that shall be made accessible must be configured explicitly in the Cloud
connector one by one, as it is described in section 6.6.
Effective Cloud connector version 2.2.0, a single Cloud connector instance can be connected to multiple
accounts in the cloud. This is useful especially for customers who need multiple accounts to structure their
development or to stage their cloud landscape into development, test, and production. These customers have
the option to use a single Cloud connector instance for multiple accounts of theirs. Nevertheless, it is
recommended to not use accounts running productive scenarios and accounts used for development or test
purposes within the same Cloud connector. A cloud account can be added to or deleted from a Cloud
connector on the Account Dashboard using the Add… and Delete buttons (see screenshot above).
A detailed description of how to add, delete, connect, or disconnect accounts can also be found here:
https://help.hana.ondemand.com/help/frameset.htm?f16df12fab9f4fe1b8a4122f0fd54b6e.html
6.5 Configuring Accessible Resources
After a new Cloud connector installation in a network, no systems or resources of the network have been
exposed to the cloud yet. The Cloud connector administrator must configure each system and resource that
shall be used by applications of the connected cloud account in the Access Control view of the Cloud
connector, as shown in the following screenshot.
Thereby, any type of system that can be called via one of the supported protocols (currently HTTP and RFC),
i.e. both SAP and non-SAP systems, are supported. As an example, a convenient way to access an ABAP system
in a cloud application is to do this via SAP NetWeaver Gateway, as it allows consumption of ABAP content via
HTTP and open standards.
Detailed documentation on how HTTP resources are configured can be found here:
https://help.hana.ondemand.com/help/frameset.htm?e7d4927dbb571014af7ef6ebd6cc3511.html
Detailed documentation on how RFC resources are configured can be found here:
https://help.hana.ondemand.com/help/frameset.htm?ca5868997e48468395cf0ca4882f5783.html
We recommend that you narrow the access only to those backend services and resources that are explicitly
needed by the cloud applications. Instead of configuring, for example, a system and granting access to all its
resources, we recommend that you only grant access to the concrete resources which are needed by the cloud
application. For example, define access to an HTTP service by specifying the service URL root path and allowing
access to all its sub-paths.
When configuring an on-premise system, it is possible to define a virtual host and port for the specified system,
as shown in the screenshot below. The virtual host name and port represent the fully-qualified domain name of
the related system in the cloud. We recommend that you use the virtual host name/port mapping in order to
prevent information about the physical machine name and port of an on-premise system, and thus
of your internal network infrastructure, from getting published to the cloud.
6.6 Configuring Trust between Cloud Connector and On-Premise Systems
For secure communication between the Cloud connector and the used on-premise systems, it is recommended
to use encrypted protocols like HTTPS and RFC over SNC, and to set up a trust relationship between the Cloud
connector and the on-premise systems by exchanging certificates.
When using HTTPS as protocol, a trust relationship can be set up by configuring the so-called system certificate
in the Cloud connector. A system certificate is an X.509 certificate which represents the identity of the Cloud
connector instance and is used as a client certificate in the HTTPS communication between the Cloud
connector and the on-premise system. The used on-premise system should be configured to validate the
system certificate of the Cloud connector to ensure that only calls from trusted Cloud connectors are accepted.
A detailed documentation on how to use and configure the system certificate for a Cloud connector can be
found here: https://help.hana.ondemand.com/help/frameset.htm?3f974eae3cba4dafa274ec59f69daba6.html
Analogously, SNC can be configured for secure RFC communication to an ABAP backend, as described here:
https://help.hana.ondemand.com/help/frameset.htm?f09eefe71d1e4d4484e1dd4b121585fb.html
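A review check for the recommendations in sections 6.5 and 6.6, as an added example that is not part of the SAP guide. It assumes a hand-maintained CSV inventory of Access Control entries (a hypothetical format, not a Cloud connector export); host names, protocol labels and rule names are constructed.

```sh
#!/bin/sh
# Added example, not SAP code. Input is a hypothetical, hand-maintained CSV
# inventory of Access Control entries (NOT a Cloud connector export format):
#   protocol,internal_host,internal_port,virtual_host,virtual_port,url_path,policy
# protocol: HTTP | HTTPS | RFC | RFC-SNC   policy: path-only | path-and-subpaths

# lint_access_control FILE
# Prints findings as "<line>:<rule>:<detail>"; exit status 1 if any were found.
lint_access_control() {
    awk -F',' '
        /^[ \t]*#/ || /^[ \t]*$/ { next }              # comments and blank lines
        NF != 7 {
            printf "%d:malformed:expected 7 fields, found %d\n", NR, NF
            bad = 1; next
        }
        {
            proto = toupper($1); path = $6; policy = $7
            split(tolower($2), ih, "[.]"); split(tolower($4), vh, "[.]")

            # Section 6.5: the virtual host must not reveal the physical machine name.
            if (ih[1] == vh[1]) {
                printf "%d:physical-host-exposed:%s reuses machine name of %s\n", NR, $4, $2
                bad = 1
            }
            # Section 6.5: grant concrete resources, not the whole system.
            if (policy == "path-and-subpaths" && path == "/") {
                printf "%d:whole-system-exposed:%s grants / and all sub-paths\n", NR, $4
                bad = 1
            }
            # Section 6.6: use HTTPS or RFC over SNC towards the backend.
            if (proto == "HTTP" || proto == "RFC") {
                printf "%d:unencrypted-backend:%s uses %s\n", NR, $2, proto
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample inventory (all host names are made up).
sample_inventory() {
    cat <<'EOF'
# protocol,internal_host,internal_port,virtual_host,virtual_port,url_path,policy
HTTP,erp01.corp.example,8000,erp01.corp.example,8000,/,path-and-subpaths
HTTPS,gw02.corp.example,44300,orders-api.virtual,443,/sap/opu/odata/orders,path-and-subpaths
HTTPS,hr04.corp.example,443,hr04,443,/hr/payslips,path-only
HTTPS,crm05.corp.example
EOF
}

# Run on a file given as argument, or on the sample when called with "demo".
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp) && sample_inventory > "$tmp"
    lint_access_control "$tmp" || echo "findings above need review" >&2
    rm -f "$tmp"
elif [ -n "${1:-}" ]; then
    lint_access_control "$1"
fi
```

On the sample, line 3 passes, line 2 triggers all three rules, line 4 leaks the machine name through its virtual host, and line 5 is reported as malformed.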
6.7 Configuring Named Cloud Connector Administrator Users
We recommend that you configure LDAP-based user management for the SAP HANA Cloud Connector
Administration UI, so that only named administrator users can log on to the administration UI. This is important
to guarantee traceability of the Cloud connector configuration changes via the Cloud connector audit log. With
the default and built-in Administrator user, it is not possible to identify the physical person who has done a
possibly security-sensitive configuration change in the Cloud connector.
If you have an LDAP server in your landscape, you can configure the Cloud connector to authenticate Cloud
connector administrator users against the LDAP server. Valid administrator users must belong to the user group
named admin or sccadmin. Documentation on how to configure an LDAP server can be found here:
https://help.hana.ondemand.com/help/frameset.htm?120ceecfd84145a181ac160d588a7a3d.html
Once an LDAP has been configured for the authentication of the Cloud connector, the default Administrator
user will be inactive and can't be used anymore for the log on to the Cloud connector.
6.8 Using the Audit Log
Audit logging is a critical element of an organization's risk management strategy. The Cloud connector provides
audit logging for the complete record of access between cloud and Cloud connector, as well as of configuration
changes done in the Cloud connector. The written audit log files are digitally signed by the Cloud connector, so
that their integrity can be checked by the Cloud connector auditor tool, as described here:
https://help.hana.ondemand.com/help/frameset.htm?2264c7002f844fe4833186a1d168de66.html
The audit log data of the Cloud connector can be used to alert Cloud connector administrators to unusual or
suspicious network and system behavior. Additionally, the audit log data can provide auditors with information
required to validate security policy enforcement and proper segregation of duties. IT staff can use the audit log
data for root-cause analysis following a security incident.
Information on how to configure and use the audit logging in the Cloud connector administrator UI can be found
here: https://help.hana.ondemand.com/help/frameset.htm?2264c7002f844fe4833186a1d168de66.html
We recommend that you switch on audit logging of the Cloud connector permanently in productive scenarios
and set it to All (the default configuration is Security). This way, the audit log files can be used to detect
attacks, for example by a malicious cloud application that tries to access on-premise services without
permission, or in a forensic analysis of a security incident.
It is further recommended to copy the audit log files of the Cloud connector regularly to an external persistent
storage according to your local regulations. The audit log files can be found in the Cloud connector root
directory under the following location: log/audit/<account-name>/audit-log_<timestamp>.csv
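The regular audit log copy recommended here and in section 2.5.2, as an added example that is not part of the SAP guide: the script copies the CSV files into an archive directory, records SHA-256 hashes, and flags a live file whose already archived content has changed. The archive location, the function names and the MANIFEST.sha256 file are assumptions; the signature check with the Cloud connector auditor tool is separate from this.

```sh
#!/bin/sh
# Added example, not SAP code. File layout as given in the guide:
#   <SCC_ROOT>/log/audit/<account-name>/audit-log_*.csv
# SCC_ROOT, the archive directory and MANIFEST.sha256 are assumptions.

# archive_audit_logs SCC_ROOT ARCHIVE_DIR
# Prints "<copied> <diverged>"; exit status 1 if an archived log diverged.
archive_audit_logs() (
    src="$1/log/audit"; dest=$2
    [ -d "$src" ] || { echo "no audit log directory: $src" >&2; exit 2; }
    mkdir -p "$dest" || exit 2
    copied=0; diverged=0
    for f in "$src"/*/audit-log_*.csv; do
        [ -f "$f" ] || continue                   # glob matched nothing
        account=$(basename "$(dirname "$f")")
        target="$dest/$account/$(basename "$f")"
        mkdir -p "$dest/$account"
        if [ -f "$target" ]; then
            cmp -s "$f" "$target" && continue     # identical copy already archived
            size=$(($(wc -c < "$target")))
            # An audit log only grows. If the archived bytes are no longer a
            # prefix of the live file, the live file was rewritten or truncated:
            # keep the archived copy untouched and store the new content beside it.
            if ! head -c "$size" "$f" | cmp -s - "$target"; then
                h=$(sha256sum < "$f" | cut -c1-16)
                [ -f "$target.diverged.$h" ] || cp -p "$f" "$target.diverged.$h"
                diverged=$((diverged + 1))
                continue
            fi
        fi
        cp -p "$f" "$target"
        copied=$((copied + 1))
    done
    # Record hashes of everything archived so later changes in the archive show up.
    # Keep a copy of the manifest on separate storage from the archive itself.
    ( cd "$dest" && find . -type f -name 'audit-log_*' -exec sha256sum {} + > MANIFEST.sha256 )
    echo "$copied $diverged"
    [ "$diverged" -eq 0 ]
)

# verify_archive ARCHIVE_DIR
# Exit status 0 only if every archived file still matches its recorded hash.
verify_archive() (
    cd "$1" || exit 2
    [ -s MANIFEST.sha256 ] || exit 0              # nothing archived yet
    sha256sum -c MANIFEST.sha256 >/dev/null 2>&1
)

# Usage: archive-audit-logs.sh <SCC_ROOT> <ARCHIVE_DIR>
if [ "$#" -eq 2 ]; then
    archive_audit_logs "$1" "$2" && verify_archive "$2"
fi
```

A non-zero exit status from either function is the signal to investigate before the retention copy is trusted.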
6.9 Authenticating Users for On-Premise Systems
Currently, the Cloud connector supports basic authentication and principal propagation as user authentication
types towards internal systems. The destination configuration of the used cloud application defines which of
these types is used for the actual communication to an on-premise system through the Cloud connector.
(Details: https://help.hana.ondemand.com/help/frameset.htm?e4f1d97cbb571014a247d10f9f9a685d.html)
In case basic authentication is used, the on-premise system must be configured to accept basic authentication
and to provide one or multiple service users. There are no additional steps which are needed in the Cloud
connector for this authentication type.
In case principal propagation is used, the Cloud connector administrator has to explicitly configure trust to
those cloud entities from which user tokens are accepted as valid. This can be done in the Trust view of the
Cloud connector and is described in more detail here:
https://help.hana.ondemand.com/help/frameset.htm?a4ee70f0274248f8bbc7594179ef948d.html
7 Guidelines for Secure Operation of the Cloud Connector
The following table summarizes the guidelines and recommendations for a secure setup and operation of the
Cloud connector in a productive scenario.
| Activity | Recommendation | Reference |
|---|---|---|
| 1. Restrict OS level access to the Cloud connector | Restrict the access to the Cloud connector operating system to the users who should administrate the Cloud connector. | section 6.1 |
| 2. Use hard drive encryption for the Cloud connector operating system | Use hard drive encryption to avoid unauthorized access to the Cloud connector configuration data and credentials in case the hard disk gets stolen. | section 6.1 |
| 3. Change password of built-in Administrator user immediately after installation and choose a strong password | The Cloud connector administrator should change the initial password to a strong password that cannot be easily guessed. | section 6.3 |
| 3. Authenticate with named users to the Cloud connector Administrator UI | Configure an LDAP system in the Cloud connector and work with named administrator users to have better traceability. | section 6.7 |
| 4. Change default X.509 certificate of Cloud connector Administration UI | The self-signed certificate provided by the Cloud connector after a new installation shall be changed to an own certificate to increase the security of the SSL communication between the Cloud connector administration UI and the Cloud connector server itself, and to avoid security warnings of the browser when connecting to the administration UI. | section 6.2 |
| 5. Use HTTPS and System Certificate or RFC via SNC for communication from Cloud connector to backend | For communication between Cloud connector and the backend systems, as well as to authenticate a Cloud connector against the backend systems, we recommend that you use HTTPS and a system certificate, or RFC over SNC. | section 6.6 |
| 6. Use host name mapping of exposed backend systems | When configuring the access to an internal system in the Access Control configuration of the Cloud connector, we recommend that you use the virtual host name mapping in order to not expose physical host names of systems of the on-premise network to the cloud. | section 0 |
| 7. Narrow access to backend systems to required services | When configuring the access to an internal system in the Access Control view of the Cloud connector, we recommend that you restrict the system access to those resources which are required by the cloud applications. Do not expose the complete system just to save some configuration work. | section 0 |
| 8. Switch on audit logging in Cloud connector to All | To recognize attempts of attackers to get unauthorized access to the Cloud connector and to have full traceability of the communication and the configuration changes, we recommend that you switch on the audit log to All. | section 6.8 |
| 9. Copy and persist audit log files of Cloud connector regularly | The Cloud connector audit log files shall be copied regularly from the Cloud connector machine to an external persistent storage and kept for a certain period of time according to the regulatory requirements. | section 6.8, section 2.5.2 |
| 10. Clean up Cloud connector traces regularly and set default trace level to Information | Cloud connector trace files should be deleted regularly in order to clean up disk space. Except for error analysis, the trace level of the Cloud connector should not be set to a level higher than Information in regular operation. Traces created for analysis of an issue with trace level All should be deleted immediately after the issue has been resolved. | section 2.5.2 |
8 Monitoring
To verify that a Cloud connector is up and running, the simplest way is to try to access its administration UI. If
the UI can be opened in a Web browser, the Cloud connector process is running.
On Windows operating systems, the Cloud connector process is registered as a Windows service which is
configured to start automatically after a new Cloud connector installation. In case the machine gets rebooted,
the Cloud connector process should then be auto-restarted immediately. You can check the state with the
following command: sc query "SAP HANA Cloud connector 2.0". The STATE line shows the state of the
service.
On Linux operating systems, the Cloud connector is registered as a daemon process and gets restarted
automatically each time the Cloud connector process is down, for example after a reboot of the whole system. The
daemon state can be checked with: service scc_daemon status
To verify if a Cloud connector is connected to a certain cloud account, log on to the Cloud connector
Administration UI and go to the Accounts Dashboard, where the connection state of the connected
accounts is visible, as described in section 6.4.
9 Supportability
In case of issues with the Cloud connector, SAP customers and partners can create OSS tickets under the
component BC-MID-SCC. The general SAP SLAs in regards of OSS processing time also apply for SAP HANA
Cloud Platform and the Cloud connector. To avoid unnecessary answer/response cycles in the support case, we
recommend that you download the logs of the corresponding Cloud connector using the Download button on
the Logs view and attach the respective log file(s) to the OSS ticket directly when creating it. In case the
issue is easily reproducible, re-execute it at Log Level 'All' before creating the archive.
10 Release and Maintenance Strategy
As for all components of SAP HANA Cloud Platform, new releases of the Cloud connector are available on the
Cloud Tools page. As SAP HANA Cloud Platform releases in a bi-weekly cycle, new releases of the Cloud
connector could occur every other week, although the actual releases will be more seldom (new releases are
shipped when new features or important bug fixes shall be delivered).
Cloud connector versions follow the <major>.<minor>.<micro> versioning schema. Within a major
version, the Cloud connector will stay fully compatible. Within a minor version, the Cloud connector will stay
with the same feature set, and higher minor versions usually support additional features compared to lower
minor versions. Micro versions are increased to release patches of a <major>.<minor> version in order to
deliver bug fixes.
For each supported major version of the Cloud connector, only one <major>.<minor>.<micro> version
will be provided and supported on the Cloud Tools page. This means that users have to upgrade their existing
Cloud connectors in order to get a patch for a bug or to make use of new features.
New versions of the Cloud connector are announced in the Release Notes of SAP HANA Cloud Platform. We
recommend that Cloud connector administrators regularly check the release notes for Cloud connector
updates. New versions of the Cloud connector can be applied by using the Cloud connector upgrade
capabilities as outlined in sections 4.2 and 5.2 above. We recommend that you apply an upgrade first in the
Cloud connector test landscape to validate that the running applications are working, and then continue with
the productive landscape.
When updates are applied on the cloud, operations continuity of existing Cloud connectors and their connections
is assured by the platform, i.e. users do not have to perform manual actions in the Cloud connector when the
cloud side gets updated.
11 Process Guidelines for Hybrid Scenarios
The following chapter provides process guidelines that help you to manage productive hybrid scenarios in
which applications running on SAP HANA Cloud Platform require access to on-premise systems.
11.1 Document Landscape of Hybrid Solution
To have an overview of the cloud and on-premise landscape relevant for your hybrid scenario, we recommend
that you document the used cloud accounts, their connected Cloud connectors, and the used on-premise
backend systems in landscape overview diagrams. Document the account names, the purpose of the accounts
(dev, test, prod), information on the Cloud connector machines (host, domains), the URLs of the Cloud
connectors in the landscape overview document, and possibly more details.
An example of landscape overview documentation could look like this:
11.2 Document Administrator Roles
It is recommended to document which users have administrator access to the cloud accounts, to the Cloud
connector operating system, and to the Cloud connector Administration UI.
An example of such administrator role documentation could look like the following sample table:
Resource john@acme.com marry@acme.com pete@acme.com greg@acme.com
Cloud Account (CA) Dev1 x
CA Dev2 X
CA Test x X
CA Prod X
Cloud connector Dev 1 + 2 x x
Cloud connector Test x X
Cloud connector Prod X
Cloud connector Dev 1 + 2 file system
Cloud connector Test file system x X
Cloud connector Prod file system X
11.3 Document Communication Channels
It is recommended to create and document separate email distribution lists for both the cloud account
administrators and the Cloud connector administrators.
An example of the documented communication channels could look like this:
| Landscape | Distribution List |
|---|---|
| Cloud Account Administrators | DL ACME HCP Account Admins |
| Cloud connector Administrators | DL ACME Cloud connector Admins |
11.4 Define Project and Development Guidelines
It is recommended to define and document mandatory project and development guidelines for your SAP HANA
Cloud Platform projects. An example of such a guideline could look like the following:
For every SAP HANA Cloud Platform project of your organization, the following requirements are mandatory:
• Usage of Maven, Nexus, Git-&-Gerrit for the application development
• Alignment with accountable manager in projects (name: Flora Miller)
• Alignment with accountable security officer in projects (name: Pete Johnson)
• For externally developed source code, a hand over to your organization is required
• Fulfill the connection restrictions in a 3-system landscape, i.e. usage of staged landscape for dev, test,
and prod, and e.g. dev landscape only connects to dev systems, etc.
• Productive accounts do not use the same Cloud connector as a dev or test account
11.5 Define Process of how to Set a Cloud Application Live
It is recommended to define and document the process of how to set a cloud application live and how to
configure needed connectivity for such an application.
For example, the following processes could be seen as relevant and shall be defined and documented in more
detail:
1. Transferring application to production: This process defines the steps which are necessary for transferring
an application to the productive status on the SAP HANA Cloud Platform.
2. Application Connectivity: This process defines the steps which are necessary to add a connectivity
destination to a deployed application for connections to other resources in the test or productive
landscape.
3. Cloud Connector Connectivity: This process defines the steps which are necessary to add an on-premise
resource to the SAP HANA Cloud connector in the test or productive landscapes to make it available for the
connected cloud accounts.
4. On-premise System Connectivity: This process defines the steps which are necessary to set up a trust
relationship between an on-premise system and the SAP HANA Cloud connector, and to configure user
authentication and authorization in the on-premise system in the test or productive landscapes.
5. Application Authorization: This process defines the steps which are necessary to request and assign an
authorization which is available inside the SAP HANA Cloud application to a user in the test or productive
landscapes.
6. Administrator Permissions: This process defines the steps which are necessary to request and assign the
administrator permissions in a cloud account to a user in the test or productive landscape.
Copyright
© Copyright 2014 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects S.A. in the United States and in other countries. Business Objects is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
it with the default settings to allow root cause analysis in case an issue occurs. If the trace level is increased to
All, the amount of data can easily reach the range of several GB per day. We recommend that you only use
trace level All for analyzing a particular issue. Payload trace, however, should normally be turned off and only
be turned on in case of certain issues to support analysis by SAP support.
From an operations perspective, we recommend that you back up or delete written trace files regularly in order to
clean up the used disk space.
Audit log files are written to log/audit/<account-name>/audit-log_<account-name>_<date>.csv
within the Cloud connector root directory. By default, only security-related events are written to the audit
log. The Cloud connector administrator can change the audit log level using the administration UI, as described
here: https://help.hana.ondemand.com/help/frameset.htm?2264c7002f844fe4833186a1d168de66.html
To be compliant with the regulatory requirements of your organization and the regional laws, the audit log files
must be persisted for a certain period of time for traceability purposes. Therefore, it is recommended to back
up the audit log files regularly from the Cloud connector file system and to keep the backup for a certain period
of time in line with those rules.
3 Network Zones
Usually, a customer network is divided into multiple network zones or sub-networks according to the security
level of the contained components. There is, for instance, the DMZ, which contains and exposes the external-facing
services of an organization to an untrusted network, usually the Internet, and there are one or more
other network zones that contain the components and services provided in the company’s intranet.
Generally, customers can choose in which network zone the Cloud connector should be set up in their
network. The technical prerequisites for the Cloud connector to work properly are:
• The Cloud connector must have internet access to the SAP HANA Cloud Platform landscape host, either
  directly or via an HTTPS proxy.
• The Cloud connector must have direct access to the internal systems it shall provide access to. That means
  there must be transparent connectivity between the Cloud connector and the internal system.
Depending on the needs of the project, the Cloud connector can either be set up in the DMZ and operated
centrally by the IT department, or set up in the intranet and operated by the line of business.
4 Cloud Connector on Microsoft Windows
Currently, the following Windows operating system versions are supported by the Cloud connector: Windows 7
64-bit and Windows Server 2008 R2 64-bit. This section describes how to install, upgrade, uninstall, and
start/stop the Cloud connector process on Windows operating systems.
4.1 Installation
Detailed documentation on how to install the Cloud connector on Microsoft Windows can be found here:
https://help.hana.ondemand.com/help/frameset.htm?204aaad4270245f3baa0c57c8ab1dd60.html
NOTE: The Windows MSI installer must be used for productive scenarios, as only then is the Cloud connector
registered as a Windows service.
4.2 Upgrade
Detailed documentation on how to upgrade the Cloud connector on Microsoft Windows can be found here:
https://help.hana.ondemand.com/help/frameset.htm?7a7cc373019b4b6eaab39b5ab7082b09.html
4.3 Uninstallation
Detailed documentation on how to uninstall the Cloud connector on Microsoft Windows can be found here:
https://help.hana.ondemand.com/help/frameset.htm?d53395c4692c427881220c161ba51732.html
4.4 Starting the Cloud Connector
After the installation, the Cloud connector is registered as a Windows service that is configured to be started
automatically. With this configuration, the Cloud connector process is started automatically after a reboot
of the system. You can start and stop the service via the shortcuts created on the desktop (“Start SAP HANA
Cloud connector 2.0” and “Stop SAP HANA Cloud connector 2.0”), or by opening the Windows
Services manager and looking for the service SAP HANA Cloud connector 2.0.
Once started, the Cloud connector administration UI can be accessed at https://localhost:<port>, where the
default port is 8443 (this port could have been modified during the installation).
5 Cloud Connector on Linux
Currently, the following Linux versions are supported by the Cloud connector: SUSE Linux Enterprise Server 11
64-bit and Redhat Enterprise Linux 6 64-bit. This section describes how to install, upgrade, uninstall, and
start/stop the Cloud connector process on Linux operating systems.
5.1 Installation
Detailed documentation on how to install the Cloud connector on Linux can be found here:
https://help.hana.ondemand.com/help/frameset.htm?f069840fa34c4196a5858be33a2734ea.html
NOTE: For productive scenarios, the Cloud connector Linux RPM installer must be used, as only then will the Cloud
connector be registered as a daemon process.
5.2 Upgrade
Detailed documentation on how to upgrade the Cloud connector on Linux can be found here:
https://help.hana.ondemand.com/help/frameset.htm?7a7cc373019b4b6eaab39b5ab7082b09.html
5.3 Uninstallation
Detailed documentation on how to uninstall the Cloud connector on Linux can be found here:
https://help.hana.ondemand.com/help/frameset.htm?d53395c4692c427881220c161ba51732.html
5.4 Starting the Cloud Connector
After installing the Cloud connector via RPM manager, the Cloud connector process is started automatically
and registered as a daemon process, which takes care of restarting the Cloud connector automatically after a
reboot of the system.
To start, stop, or restart the process explicitly, open a command shell and use the following commands,
which require root permissions:
service scc_daemon stop|restart|start|status
6 Cloud Connector Administration
6.1 Operating System Access and Configuration
As the Cloud connector is a security-critical component enabling external access to systems of an isolated
network, similar to a reverse proxy in a DMZ, we recommend that you restrict the access to the operating
system on which the Cloud connector is installed to the minimal set of users who shall administrate the system.
This will minimize the risk of unauthorized people accessing the Cloud connector system and trying to modify
or damage a running Cloud connector instance.
We also recommend that you use hard-drive encryption for the Cloud connector system. This ensures that the
Cloud connector configuration data cannot be read by unauthorized users, even if they obtain access to the
hard drive.
6.2 Configuring a Trusted Certificate for the Administration UI
After a new installation, the Cloud connector provides a self-signed X.509 certificate used for the SSL
communication between the Cloud connector Administration UI running in a Web browser and the Cloud
connector process itself. For security reasons, this certificate should be replaced for productive scenarios with a
certificate trusted by your organization. To learn in detail how to do this, read this page:
https://help.hana.ondemand.com/help/frameset.htm?bcd5e113c9164ae8a443325692cd5b12.html
6.3 Basic Configuration
The basic configuration steps for the Cloud connector consist of:
• Changing the initial password for the built-in Administrator user
• Connecting the Cloud connector against a cloud account
Detailed documentation of these two steps can be found here:
https://help.hana.ondemand.com/help/frameset.htm?db9170a7d97610148537d5a84bf79ba2.html
You are forced to change the initial password to a specific one immediately after installation. The Cloud
connector itself does not check the strength of the password, i.e., the Cloud connector administrators should
voluntarily choose a strong password that cannot be guessed easily.
6.4 Connecting and Disconnecting a Cloud Account
The major principle for the connectivity established by the Cloud connector is that the Cloud connector
administrator should have full control over the connection to the cloud, i.e., they should be able to decide if and
when the Cloud connector needs to be connected to the cloud at all, to which accounts it shall be connected,
and which on-premise systems and resources shall be accessible to applications of the connected account.
Using the administration UI, the Cloud connector administrator can connect and disconnect the Cloud
connector to the configured cloud account. Once disconnected, there is no communication possible – neither
between the cloud account and the Cloud connector, nor to the internal systems. The connection state can be
verified and changed by the Cloud connector administrator on the Account Dashboard tab of the UI, as
shown in the following screenshot.
It is important to note that once the Cloud connector is newly installed and connected to a cloud account, still
none of the systems available in the customer network are accessible to the applications of the related cloud
account. The systems and resources that shall be made accessible must be configured explicitly in the Cloud
connector one by one, as described in section 6.6.
Effective with Cloud connector version 2.2.0, a single Cloud connector instance can be connected to multiple
accounts in the cloud. This is especially useful for customers who need multiple accounts to structure their
development or to stage their cloud landscape into development, test, and production. These customers have
the option to use a single Cloud connector instance for multiple accounts of theirs. Nevertheless, it is
recommended not to use accounts running productive scenarios and accounts used for development or test
purposes within the same Cloud connector. A cloud account can be added to or deleted from a Cloud
connector on the Account Dashboard using the Add… and Delete buttons (see screenshot above).
A detailed description of how to add, delete, connect, or disconnect accounts can also be found here:
https://help.hana.ondemand.com/help/frameset.htm?f16df12fab9f4fe1b8a4122f0fd54b6e.html
6.5 Configuring Accessible Resources
After a new Cloud connector installation in a network, no systems or resources of the network have been
exposed to the cloud yet. The Cloud connector administrator must configure each system and resource that
shall be used by applications of the connected cloud account in the Access Control view of the Cloud
connector, as shown in the following screenshot.
Any type of system that can be called via one of the supported protocols (currently HTTP and RFC) is
supported, i.e., both SAP and non-SAP systems. As an example, a convenient way to access an ABAP system
in a cloud application is to do this via SAP NetWeaver Gateway, as it allows consumption of ABAP content via
HTTP and open standards.
Detailed documentation on how HTTP resources are configured can be found here:
https://help.hana.ondemand.com/help/frameset.htm?e7d4927dbb571014af7ef6ebd6cc3511.html
Detailed documentation on how RFC resources are configured can be found here:
https://help.hana.ondemand.com/help/frameset.htm?ca5868997e48468395cf0ca4882f5783.html
We recommend that you narrow the access to only those backend services and resources that are explicitly
needed by the cloud applications. Instead of configuring, for example, a system and granting access to all its
resources, we recommend that you only grant access to the concrete resources which are needed by the cloud
application. For example, define access to an HTTP service by specifying the service URL root path and allowing
access to all its sub-paths.
When configuring an on-premise system, it is possible to define a virtual host and port for the specified system,
as shown in the screenshot below. The virtual host name and port represent the fully-qualified domain name of
the related system in the cloud. We recommend that you use the virtual host name/port mapping to prevent
information about the physical machine name and port of an on-premise system, and thus about your internal
network infrastructure, from being published to the cloud.
6.6 Configuring Trust between Cloud Connector and On-Premise Systems
For secure communication between the Cloud connector and the used on-premise systems, it is recommended
to use encrypted protocols like HTTPS and RFC over SNC, and to set up a trust relationship between the Cloud
connector and the on-premise systems by exchanging certificates.
When using HTTPS as the protocol, a trust relationship can be set up by configuring the so-called system certificate
in the Cloud connector. A system certificate is an X.509 certificate which represents the identity of the Cloud
connector instance and is used as a client certificate in the HTTPS communication between the Cloud
connector and the on-premise system. The used on-premise system should be configured to validate the
system certificate of the Cloud connector to ensure that only calls from trusted Cloud connectors are accepted.
Detailed documentation on how to use and configure the system certificate for a Cloud connector can be
found here: https://help.hana.ondemand.com/help/frameset.htm?3f974eae3cba4dafa274ec59f69daba6.html
Analogously, SNC can be configured for secure RFC communication to an ABAP backend, as described here:
https://help.hana.ondemand.com/help/frameset.htm?f09eefe71d1e4d4484e1dd4b121585fb.html
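The recommendations in sections 6.4, 6.5 and 6.6 can be checked mechanically during a configuration review. The following is an added example, not SAP code: the record layout, rule names and sample hosts are assumptions made for this illustration (the Cloud connector has no such export format on this page), and it covers HTTP(S) resources only.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class HttpResource:
    """One exposed HTTP(S) resource. Field names are this example's own."""
    account: str        # cloud account that may call the resource
    stage: str          # "dev", "test" or "prod"
    protocol: str       # "HTTP" or "HTTPS" towards the on-premise system
    internal_host: str  # physical host name or IP in the customer network
    virtual_host: str   # host name published to the cloud
    path: str           # URL root path of the exposed service
    sub_paths: bool     # True if all sub-paths are accessible too


def normalise(path: str) -> str:
    """Collapse empty segments so '', '//' and '/' all mean the system root."""
    return "/" + "/".join(part for part in path.split("/") if part)


def leaks_host(internal: str, virtual: str) -> bool:
    """True if the virtual name reveals the physical machine name."""
    internal = internal.lower().rstrip(".")
    virtual = virtual.lower().rstrip(".")
    if internal == virtual:
        return True
    try:
        ipaddress.ip_address(internal)
        return False  # two different IP literals share no machine name
    except ValueError:
        # Same first DNS label (e.g. erp01.*) still gives the machine away.
        return internal.split(".")[0] == virtual.split(".")[0]


def review(resources: list[HttpResource]) -> list[tuple[str, str]]:
    """Return (rule, subject) findings for one Cloud connector instance."""
    findings = []
    for res in resources:
        subject = f"{res.account} {res.virtual_host}{normalise(res.path)}"
        if res.sub_paths and normalise(res.path) == "/":
            findings.append(("WHOLE_SYSTEM", subject))   # section 6.5
        if leaks_host(res.internal_host, res.virtual_host):
            findings.append(("HOST_LEAK", subject))      # section 6.5
        if res.protocol.upper() != "HTTPS":
            findings.append(("PLAINTEXT", subject))      # section 6.6
    stages = {res.stage.lower() for res in resources}
    if "prod" in stages and stages & {"dev", "test"}:
        accounts = ", ".join(sorted({res.account for res in resources}))
        findings.append(("MIXED_STAGES", accounts))      # section 6.4
    return findings


# Constructed sample data, not taken from a real landscape.
SAMPLE = [
    HttpResource("acmeprod", "prod", "HTTPS", "erp01.corp.acme.local",
                 "sales.virtual", "/sap/opu/odata/sales", True),
    HttpResource("acmeprod", "prod", "HTTP", "crm02.corp.acme.local",
                 "crm02.virtual", "//", True),
    HttpResource("acmedev", "dev", "HTTPS", "10.0.4.7",
                 "10.0.4.7", "/api", False),
]

if __name__ == "__main__":
    for rule, subject in review(SAMPLE):
        print(f"{rule:13} {subject}")
```

The first sample entry passes all four rules; the second one exposes a whole system over plain HTTP under a virtual name that repeats the machine name.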
6.7 Configuring Named Cloud Connector Administrator Users
We recommend that you configure LDAP-based user management for the SAP HANA Cloud Connector
Administration UI so that only named administrator users can log on to the administration UI. This is important
to guarantee traceability of the Cloud connector configuration changes via the Cloud connector audit log. With
the default built-in Administrator user, it is not possible to identify the physical person who has made a
possibly security-sensitive configuration change in the Cloud connector.
If you have an LDAP server in your landscape, you can configure the Cloud connector to authenticate Cloud
connector administrator users against the LDAP server. Valid administrator users must belong to the user group
named admin or sccadmin. Documentation on how to configure an LDAP server can be found here:
https://help.hana.ondemand.com/help/frameset.htm?120ceecfd84145a181ac160d588a7a3d.html
Once an LDAP server has been configured for the authentication of the Cloud connector, the default Administrator
user will be inactive and can’t be used anymore to log on to the Cloud connector.
6.8 Using the Audit Log
Audit logging is a critical element of an organization’s risk management strategy. The Cloud connector provides
audit logging for the complete record of access between cloud and Cloud connector, as well as of configuration
changes done in the Cloud connector. The written audit log files are digitally signed by the Cloud connector so
that their integrity can be checked by the Cloud connector auditor tool, as described here:
https://help.hana.ondemand.com/help/frameset.htm?2264c7002f844fe4833186a1d168de66.html
The audit log data of the Cloud connector can be used to alert Cloud connector administrators to unusual or
suspicious network and system behavior. Additionally, the audit log data can provide auditors with information
required to validate security policy enforcement and proper segregation of duties. IT staff can use the audit log
data for root-cause analysis following a security incident.
Information on how to configure and use audit logging in the Cloud connector administrator UI can be found
here: https://help.hana.ondemand.com/help/frameset.htm?2264c7002f844fe4833186a1d168de66.html
We recommend that you switch on audit logging of the Cloud connector permanently in productive scenarios
and set it to All (the default configuration is Security). With this setting, the audit log files can be used to detect
attacks, for example by a malicious cloud application that tries to access on-premise services without
permission, or in a forensic analysis of a security incident.
It is further recommended to copy the audit log files of the Cloud connector regularly to external persistent
storage according to your local regulations. The audit log files can be found in the Cloud connector root
directory under the following location: log/audit/<account-name>/audit-log_<timestamp>.csv
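The housekeeping recommended in section 2.5.2 and here in section 6.8 (copy audit logs to external storage, delete old trace files) can be automated with a scheduled job. The following is an added example, not part of the Cloud connector: function names, the SHA256SUMS manifest and the sample tree are this example's own, and the trace directory is passed in as a parameter because this guide does not name it (the sample places trace files in log/ as an assumption). The manifest only detects changes between source and archived copy; it does not replace the signature check of the auditor tool.

```python
from __future__ import annotations

import hashlib
import os
import shutil
import tempfile
import time
from pathlib import Path

DAY = 24 * 60 * 60


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so multi-GB logs need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def archive_audit_logs(scc_root, archive_root, min_age=DAY, now=None):
    """Copy closed audit logs to archive_root; return (archived, mismatches).

    Files modified within min_age seconds are skipped because they may still
    be appended to. A file that was archived earlier but no longer matches
    its archived copy is reported and never overwritten: one of the two
    copies changed after archiving, which deserves a look.
    """
    now = time.time() if now is None else now
    archived, mismatches = [], []
    audit_dir = Path(scc_root) / "log" / "audit"
    for source in sorted(audit_dir.glob("*/audit-log_*.csv")):
        if now - source.stat().st_mtime < min_age:
            continue
        account_dir = Path(archive_root) / source.parent.name
        target = account_dir / source.name
        source_hash = sha256_of(source)
        if target.exists():
            if sha256_of(target) != source_hash:
                mismatches.append(source)
            continue
        account_dir.mkdir(parents=True, exist_ok=True)
        partial = target.with_name(target.name + ".part")
        shutil.copy2(source, partial)            # keeps the original mtime
        if sha256_of(partial) != source_hash:    # verify before publishing
            partial.unlink()
            raise OSError(f"copy of {source} does not match its source")
        os.replace(partial, target)
        manifest = account_dir / "SHA256SUMS"
        with manifest.open("a", encoding="utf-8") as out:
            out.write(f"{source_hash}  {source.name}\n")
        archived.append(target)
    return archived, mismatches


def prune_traces(trace_dir, max_age_days, now=None):
    """Delete regular files directly in trace_dir older than max_age_days.

    Deliberately non-recursive, so an audit/ subdirectory is never touched.
    """
    now = time.time() if now is None else now
    removed = []
    for entry in sorted(Path(trace_dir).iterdir()):
        if entry.is_symlink() or not entry.is_file():
            continue
        if now - entry.stat().st_mtime > max_age_days * DAY:
            entry.unlink()
            removed.append(entry.name)
    return removed


def build_sample(root: Path, now: float) -> Path:
    """Create a constructed sample tree (not real Cloud connector output)."""
    log_dir = root / "scc" / "log"
    audit = log_dir / "audit" / "acme-dev"
    audit.mkdir(parents=True)
    samples = {
        audit / "audit-log_acme-dev_20140201.csv": 3 * DAY,   # closed
        audit / "audit-log_acme-dev_20140203.csv": 60,        # still active
        log_dir / "old.trc": 40 * DAY,
        log_dir / "new.trc": DAY,
    }
    for path, age in samples.items():
        path.write_text("constructed,sample,row\n", encoding="utf-8")
        os.utime(path, (now - age, now - age))
    return root / "scc"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        start = time.time()
        scc = build_sample(Path(tmp), start)
        print(archive_audit_logs(scc, Path(tmp) / "archive", now=start))
        print(prune_traces(scc / "log", 30, now=start))
```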
6.9 Authenticating Users for On-Premise Systems
Currently, the Cloud connector supports basic authentication and principal propagation as user authentication
types towards internal systems. The destination configuration of the used cloud application defines which of
these types is used for the actual communication to an on-premise system through the Cloud connector.
(Details: https://help.hana.ondemand.com/help/frameset.htm?e4f1d97cbb571014a247d10f9f9a685d.html)
If basic authentication is used, the on-premise system must be configured to accept basic authentication
and to provide one or multiple service users. No additional steps are needed in the Cloud
connector for this authentication type.
If principal propagation is used, the Cloud connector administrator has to explicitly configure trust to
those cloud entities from which user tokens are accepted as valid. This can be done in the Trust view of the
Cloud connector and is described in more detail here:
https://help.hana.ondemand.com/help/frameset.htm?a4ee70f0274248f8bbc7594179ef948d.html
7 Guidelines for Secure Operation of the Cloud Connector
The following table summarizes the guidelines and recommendations for a secure setup and operation of the
Cloud connector in a productive scenario.
Columns: Activity, Recommendation, Reference
1  Activity: Restrict OS level access to the Cloud connector
   Recommendation: Restrict the access to the Cloud connector operating system to the users who should administrate the Cloud connector.
   Reference: section 6.1
2  Activity: Use hard drive encryption for the Cloud connector operating system
   Recommendation: Use hard drive encryption to avoid unauthorized access to the Cloud connector configuration data and credentials in case the hard disk gets stolen.
   Reference: section 6.1
3  Activity: Change password of built-in Administrator user immediately after installation and choose a strong password
   Recommendation: The Cloud connector administrator should change the initial password to a strong password that cannot be easily guessed.
   Reference: section 6.3
3  Activity: Authenticate with named users to the Cloud connector Administrator UI
   Recommendation: Configure an LDAP system in the Cloud connector and work with named administrator users to have better traceability.
   Reference: section 6.7
4  Activity: Change default X.509 certificate of Cloud connector Administration UI
   Recommendation: The self-signed certificate provided by the Cloud connector after a new installation shall be changed to a certificate of your own, to increase the security of the SSL communication between the Cloud connector administration UI and the Cloud connector server itself and to avoid security warnings of the browser when connecting to the administration UI.
   Reference: section 6.2
5  Activity: Use HTTPS and System Certificate or RFC via SNC for communication from Cloud connector to backend
   Recommendation: For communication between the Cloud connector and the backend systems, as well as to authenticate a Cloud connector against the backend systems, we recommend that you use HTTPS and a system certificate, or RFC over SNC.
   Reference: section 6.6
6  Activity: Use host name mapping of exposed backend systems
   Recommendation: When configuring the access to an internal system in the Access Control configuration of the Cloud connector, we recommend that you use the virtual host name mapping in order not to expose physical host names of systems of the on-premise network to the cloud.
   Reference: section 0
7  Activity: Narrow access to backend systems to required services
   Recommendation: When configuring the access to an internal system in the Access Control view of the Cloud connector, we recommend that you restrict the system access to those resources which are required by the cloud applications. Do not expose the complete system just to save some configuration work.
   Reference: section 0
8  Activity: Switch on audit logging in Cloud connector to All
   Recommendation: To recognize attempts of attackers to get unauthorized access to the Cloud connector, and to have full traceability of the communication and the configuration changes, we recommend that you switch on the audit log to All.
   Reference: section 6.8
9  Activity: Copy and persist audit log files of Cloud connector regularly
   Recommendation: The Cloud connector audit log files shall be copied regularly from the Cloud connector machine to external persistent storage and kept for a certain period of time according to the regulatory requirements.
   Reference: section 6.8, section 2.5.2
10 Activity: Clean up Cloud connector traces regularly and set default trace level to Information
   Recommendation: Cloud connector trace files should be deleted regularly in order to clean up disk space. Except for error analysis, the trace level of the Cloud connector should not be set to a level higher than Information in regular operation. Traces created for analysis of an issue with trace level All should be deleted immediately after the issue has been resolved.
   Reference: section 2.5.2
8 Monitoring
The simplest way to verify that a Cloud connector is up and running is to try to access its administration UI. If
the UI can be opened in a Web browser, the Cloud connector process is running.
On Windows operating systems, the Cloud connector process is registered as a Windows service, which is
configured to start automatically after a new Cloud connector installation. If the machine gets rebooted,
the Cloud connector process should then be auto-restarted immediately. You can check the state with the
following command: sc query "SAP HANA Cloud connector 2.0". The line STATE shows the state of the
service.
On Linux operating systems, the Cloud connector is registered as a daemon process and gets restarted
automatically each time the Cloud connector process is down, for example after a reboot of the whole system. The
daemon state can be checked with: service scc_daemon status
To verify whether a Cloud connector is connected to a certain cloud account, log on to the Cloud connector
Administration UI and go to the Accounts Dashboard, where the connection state of the connected
accounts is visible, as described in section 6.4.
9 Supportability
In case of issues with the Cloud connector, SAP customers and partners can create OSS tickets under the
component BC-MID-SCC. The general SAP SLAs with regard to OSS processing time also apply to SAP HANA
Cloud Platform and the Cloud connector. To avoid unnecessary answer/response cycles in the support case, we
recommend that you download the logs of the corresponding Cloud connector using the Download button on
the Logs view and attach the respective log file(s) to the OSS ticket directly when creating it. If the
issue is easily reproducible, re-execute it at Log Level ‘All’ before creating the archive.
10 Release and Maintenance Strategy
As for all components of SAP HANA Cloud Platform, new releases of the Cloud connector are available on the
Cloud Tools page. As SAP HANA Cloud Platform releases in a bi-weekly cycle, new releases of the Cloud
connector could occur every other week, although the actual releases will be less frequent (new releases are
shipped when new features or important bug fixes are to be delivered).
Cloud connector versions follow the <major>.<minor>.<micro> versioning schema. Within a major
version, the Cloud connector will stay fully compatible. Within a minor version, the Cloud connector will keep
the same feature set; higher minor versions usually support additional features compared to lower
minor versions. Micro versions are increased to release patches of a <major>.<minor> version in order to
deliver bug fixes.
For each supported major version of the Cloud connector, only one <major>.<minor>.<micro> version
will be provided and supported on the Cloud Tools page. This means that users have to upgrade their existing
Cloud connectors in order to get a patch for a bug or to make use of new features.
New versions of the Cloud connector are announced in the Release Notes of SAP HANA Cloud Platform. We
recommend that Cloud connector administrators regularly check the release notes for Cloud connector
updates. New versions of the Cloud connector can be applied by using the Cloud connector upgrade
capabilities, as outlined in sections 4.2 and 5.2 above. We recommend that you apply an upgrade first in the
Cloud connector test landscape to validate that the running applications are working, and then continue with
the productive landscape.
When updates are applied on the cloud, operations continuity of existing Cloud connectors and their connections
is assured by the platform, i.e., users do not have to perform manual actions in the Cloud connector when the
cloud side gets updated.
11 Process Guidelines for Hybrid Scenarios
The following chapter provides process guidelines that help you to manage productive hybrid scenarios in
which applications running on SAP HANA Cloud Platform require access to on-premise systems.
11.1 Document Landscape of Hybrid Solution
To have an overview of the cloud and on-premise landscape relevant for your hybrid scenario, we recommend
that you document the used cloud accounts, their connected Cloud connectors, and the used on-premise
backend systems in landscape overview diagrams. Document the account names, the purpose of the accounts
(dev, test, prod), information on the Cloud connector machines (host, domains), the URLs of the Cloud
connectors in the landscape overview document, and possibly more details.
An example of landscape overview documentation could look like this:
11.2 Document Administrator Roles
It is recommended to document which users have administrator access to the cloud accounts, to the Cloud
connector operating system, and to the Cloud connector Administration UI.
An example of such administrator role documentation could look like the following sample table:
Resource   john@acme.com   marry@acme.com   pete@acme.com   greg@acme.com
Cloud Account (CA) Dev1
x
CA Dev2 X
CA Test x X
CA Prod X
Cloud connector Dev 1 + 2
x x
Cloud connector Test x X
Cloud connector Prod X
Cloud connector Dev 1 + 2 file system
Cloud connector Test file system
x X
Cloud connector Prod file system
X
11.3 Document Communication Channels
It is recommended to create and document separate email distribution lists for both the cloud account
administrators and the Cloud connector administrators.
An example of the documented communication channels could look like this:
Landscape                        Distribution List
Cloud Account Administrators     DL ACME HCP Account Admins
Cloud connector Administrators   DL ACME Cloud connector Admins
11.4 Define Project and Development Guidelines
It is recommended to define and document mandatory project and development guidelines for your SAP HANA
Cloud Platform projects. An example of such a guideline could look like the following:
For every SAP HANA Cloud Platform project of your organization, the following requirements are mandatory:
• Usage of Maven, Nexus, Git-&-Gerrit for the application development
• Alignment with accountable manager in projects (name: Flora Miller)
• Alignment with accountable security officer in projects (name: Pete Johnson)
• For externally developed source code, a hand over to your organization is required
• Fulfill the connection restrictions in a 3 system landscape, i.e., usage of staged landscape for dev, test,
  and prod, and e.g., dev landscape only connects to dev systems, etc.
• Productive accounts do not use the same Cloud connector as a dev or test account
11.5 Define Process of how to Set a Cloud Application Live
It is recommended to define and document the process of how to set a cloud application live and how to
configure the needed connectivity for such an application.
For example, the following processes could be seen as relevant and shall be defined and documented in more
detail:
1. Transferring application to production: This process defines the steps which are necessary for transferring
   an application to the productive status on the SAP HANA Cloud Platform.
2. Application Connectivity: This process defines the steps which are necessary to add a connectivity
   destination to a deployed application for connections to other resources in the test or productive
   landscape.
3. Cloud Connector Connectivity: This process defines the steps which are necessary to add an on-premise
   resource to the SAP HANA Cloud connector in the test or productive landscapes to make it available for the
   connected cloud accounts.
4. On-premise System Connectivity: This process defines the steps which are necessary to set up a trust
   relationship between an on-premise system and the SAP HANA Cloud connector, and to configure user
   authentication and authorization in the on-premise system in the test or productive landscapes.
5. Application Authorization: This process defines the steps which are necessary to request and assign an
   authorization which is available inside the SAP HANA Cloud application to a user in the test or productive
   landscapes.
6. Administrator Permissions: This process defines the steps which are necessary to request and assign the
   administrator permissions in a cloud account to a user in the test or productive landscape.
Copyright
© Copyright 2014 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects S.A. in the United States and in other countries. Business Objects is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
SAP HANA Cloud connector ndash Operatorrsquos Guide Page 7
4.3 Uninstallation
Detailed documentation on how to uninstall the Cloud connector on Microsoft Windows can be found here:
https://help.hana.ondemand.com/help/frameset.htm?d53395c4692c427881220c161ba51732.html
4.4 Starting the Cloud Connector
After the installation, the Cloud connector is registered as a Windows service which is configured to be started automatically. With this configuration, the Cloud connector process will be started automatically after a reboot of the system. You can start and stop the service via shortcuts created on the desktop ("Start SAP HANA Cloud connector 2.0" and "Stop SAP HANA Cloud connector 2.0"), or by opening the Windows Services manager and looking for the service SAP HANA Cloud connector 2.0.
Once started, the Cloud connector administration UI can be accessed at https://localhost:<port>, where the default port is 8443 (this port could have been modified during the installation).
5 Cloud Connector on Linux
Currently, the following Linux versions are supported by the Cloud connector: SUSE Linux Enterprise Server 11 64-bit and Redhat Enterprise Linux 6 64-bit. This section describes how to install, upgrade, uninstall, and start/stop the Cloud connector process on Linux operating systems.
5.1 Installation
Detailed documentation on how to install the Cloud connector on Linux can be found here:
https://help.hana.ondemand.com/help/frameset.htm?f069840fa34c4196a5858be33a2734ea.html
NOTE: For productive scenarios, the Cloud connector Linux RPM installer must be used, as only then will the Cloud connector be registered as a daemon process.
5.2 Upgrade
Detailed documentation on how to upgrade the Cloud connector on Linux can be found here:
https://help.hana.ondemand.com/help/frameset.htm?7a7cc373019b4b6eaab39b5ab7082b09.html
5.3 Uninstallation
Detailed documentation on how to uninstall the Cloud connector on Linux can be found here:
https://help.hana.ondemand.com/help/frameset.htm?d53395c4692c427881220c161ba51732.html
5.4 Starting the Cloud Connector
After installing the Cloud connector via RPM manager, the Cloud connector process is started automatically and registered as a daemon process, which takes care of restarting the Cloud connector automatically after a reboot of the system.
To start/stop/restart the process explicitly, you can open a command shell and use the following commands, which require root permissions:
service scc_daemon stop|restart|start|status
6 Cloud Connector Administration
6.1 Operating System Access and Configuration
As the Cloud connector is a security-critical component enabling external access to systems of an isolated network, similar to a reverse proxy in a DMZ, we recommend that you restrict the access to the operating system on which the Cloud connector is installed to the minimal set of users who shall administrate the system. This will minimize the risk of unauthorized people accessing the Cloud connector system and trying to modify or damage a running Cloud connector instance.
We also recommend that you use hard-drive encryption for the Cloud connector system. This ensures that the Cloud connector configuration data cannot be read by unauthorized users, even if they obtain access to the hard drive.
6.2 Configuring a Trusted Certificate for the Administration UI
After a new installation, the Cloud connector provides a self-signed X.509 certificate used for the SSL communication between the Cloud connector Administration UI running in a Web browser and the Cloud connector process itself. For security reasons, this certificate should be replaced for productive scenarios with a certificate trusted by your organization. To learn in detail how to do this, read this page:
https://help.hana.ondemand.com/help/frameset.htm?bcd5e113c9164ae8a443325692cd5b12.html
6.3 Basic Configuration
The basic configuration steps for the Cloud connector consist of:
• Changing the initial password for the built-in Administrator user
• Connecting the Cloud connector against a cloud account
A detailed documentation of these two steps can be found here:
https://help.hana.ondemand.com/help/frameset.htm?db9170a7d97610148537d5a84bf79ba2.html
You are forced to change the initial password to a specific one immediately after installation. The Cloud connector itself does not check the strength of the password, i.e. the Cloud connector administrators should voluntarily choose a strong password that cannot be guessed easily.
6.4 Connecting and Disconnecting a Cloud Account
The major principle for the connectivity established by the Cloud connector is that the Cloud connector administrator should have full control over the connection to the cloud, i.e. they should be able to decide if and when the Cloud connector needs to be connected to the cloud at all, to which accounts it shall be connected, and which on-premise systems and resources shall be accessible to applications of the connected account.
Using the administration UI, the Cloud connector administrator can connect and disconnect the Cloud connector to the configured cloud account. Once disconnected, there is no communication possible – neither between the cloud account and the Cloud connector, nor to the internal systems. The connection state can be verified and changed by the Cloud connector administrator on the Account Dashboard tab of the UI, as shown in the following screenshot.
It is important to note that once the Cloud connector is newly installed and connected to a cloud account, still none of the systems available in the customer network are accessible to the applications of the related cloud account. The systems and resources that shall be made accessible must be configured explicitly in the Cloud connector one by one, as described in section 6.6.
Effective Cloud connector version 2.2.0, a single Cloud connector instance can be connected to multiple accounts in the cloud. This is useful especially for customers who need multiple accounts to structure their development or to stage their cloud landscape into development, test, and production. These customers have the option to use a single Cloud connector instance for multiple accounts of theirs. Nevertheless, it is recommended not to use accounts running productive scenarios and accounts used for development or test purposes within the same Cloud connector. A cloud account can be added to or deleted from a Cloud connector on the Account Dashboard using the Add… and Delete buttons (see screenshot above).
A detailed description of how to add, delete, connect, or disconnect accounts can also be found here:
https://help.hana.ondemand.com/help/frameset.htm?f16df12fab9f4fe1b8a4122f0fd54b6e.html
6.5 Configuring Accessible Resources
After a new Cloud connector installation in a network, no systems or resources of the network have been exposed to the cloud yet. The Cloud connector administrator must configure each system and resource that shall be used by applications of the connected cloud account in the Access Control view of the Cloud connector, as shown in the following screenshot.
Any type of system that can be called via one of the supported protocols (currently HTTP and RFC) is supported, i.e. both SAP and non-SAP systems. As an example, a convenient way to access an ABAP system in a cloud application is to do this via SAP NetWeaver Gateway, as it allows consumption of ABAP content via HTTP and open standards.
Detailed documentation on how HTTP resources are configured can be found here:
https://help.hana.ondemand.com/help/frameset.htm?e7d4927dbb571014af7ef6ebd6cc3511.html
Detailed documentation on how RFC resources are configured can be found here:
https://help.hana.ondemand.com/help/frameset.htm?ca5868997e48468395cf0ca4882f5783.html
We recommend that you narrow the access only to those backend services and resources that are explicitly needed by the cloud applications. Instead of configuring, for example, a system and granting access to all its resources, we recommend that you only grant access to the concrete resources which are needed by the cloud application. For example, define access to an HTTP service by specifying the service URL root path and allowing access to all its sub-paths.
When configuring an on-premise system, it is possible to define a virtual host and port for the specified system, as shown in the screenshot below. The virtual host name and port represent the fully-qualified domain name of the related system in the cloud. We recommend that you use the virtual host name/port mapping in order to prevent information about the physical machine name and port of an on-premise system, and thus of your internal network infrastructure, from being published to the cloud.
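The recommendations of this section (grant only the needed resources, hide physical host names behind a virtual host) and the encrypted-protocol recommendation of section 6.6 can be checked against a list of access-control entries that you maintain yourself. The following is an added example, not part of the SAP guide or of the Cloud connector: the pipe-separated inventory format, its field values and the finding names are assumptions made for illustration, and the sample rows are constructed.

```shell
#!/bin/sh
# Added example, not SAP code: lint a self-maintained list of Cloud connector
# access-control entries. The inventory format is hypothetical:
#   virtual_host:port|internal_host:port|protocol|url_path|policy
# where policy is "path-only" or "path-and-subpaths".

# Constructed sample inventory (host names are made up).
sample_inventory() {
    cat <<'EOF'
# virtual|internal|protocol|path|policy
sales.virtual:443|erp01.corp.example:44300|HTTPS|/sap/opu/odata/sales|path-and-subpaths
erp02.corp.example:8000|erp02.corp.example:8000|HTTP|/|path-and-subpaths
hr.virtual:443|hr01.corp.example:443|HTTPS|/|path-only
EOF
}

# lint_access_control: reads the inventory on stdin and prints one line per
# finding as "<line number>: <FINDING>: <detail>".
lint_access_control() {
    awk -F'|' '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
        NF != 5 { printf "%d: MALFORMED: expected 5 fields, got %d\n", NR, NF; next }
        {
            vhost = tolower($1); ihost = tolower($2)
            sub(/:[0-9]+$/, "", vhost); sub(/:[0-9]+$/, "", ihost)
            proto = toupper($3)
            # Virtual host identical to the physical one: the internal name
            # is what the cloud side gets to see.
            if (vhost == ihost)
                printf "%d: HOSTNAME_LEAK: virtual host %s is the internal host name\n", NR, vhost
            # Root path plus all sub-paths grants every resource of the system.
            if ($4 == "/" && $5 == "path-and-subpaths")
                printf "%d: WHOLE_SYSTEM: %s exposes all resources of %s\n", NR, $1, $2
            # Section 6.6 recommends HTTPS or RFC over SNC towards the backend.
            if (proto == "HTTP" || proto == "RFC")
                printf "%d: CLEARTEXT: %s to %s is unencrypted\n", NR, proto, $2
        }
    '
}

# Stand-alone run: lint the file given as argument, else the constructed sample.
if [ "$#" -ge 1 ]; then
    lint_access_control < "$1"
else
    sample_inventory | lint_access_control
fi
```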
6.6 Configuring Trust between Cloud Connector and On-Premise Systems
For secure communication between the Cloud connector and the used on-premise systems, it is recommended to use encrypted protocols like HTTPS and RFC over SNC, and to set up a trust relationship between the Cloud connector and the on-premise systems by exchanging certificates.
When using HTTPS as protocol, a trust relationship can be set up by configuring the so-called system certificate in the Cloud connector. A system certificate is an X.509 certificate which represents the identity of the Cloud connector instance and is used as a client certificate in the HTTPS communication between the Cloud connector and the on-premise system. The used on-premise system should be configured to validate the system certificate of the Cloud connector to ensure that only calls from trusted Cloud connectors are accepted.
A detailed documentation on how to use and configure the system certificate for a Cloud connector can be found here: https://help.hana.ondemand.com/help/frameset.htm?3f974eae3cba4dafa274ec59f69daba6.html
Analogously, SNC can be configured for secure RFC communication to an ABAP backend as described here:
https://help.hana.ondemand.com/help/frameset.htm?f09eefe71d1e4d4484e1dd4b121585fb.html
6.7 Configuring Named Cloud Connector Administrator Users
We recommend that you configure LDAP-based user management for the SAP HANA Cloud Connector Administration UI, so that only named administrator users can log on to the administration UI. This is important to guarantee traceability of the Cloud connector configuration changes via the Cloud connector audit log. With the default and built-in Administrator user, it is not possible to identify the physical person who has done a possibly security-sensitive configuration change in the Cloud connector.
If you have an LDAP server in your landscape, you can configure the Cloud connector to authenticate Cloud connector administrator users against the LDAP server. Valid administrator users must belong to the user group named admin or sccadmin. Documentation on how to configure an LDAP server can be found here:
https://help.hana.ondemand.com/help/frameset.htm?120ceecfd84145a181ac160d588a7a3d.html
Once an LDAP has been configured for the authentication of the Cloud connector, the default Administrator user will be inactive and can't be used anymore for the logon to the Cloud connector.
6.8 Using the Audit Log
Audit logging is a critical element of an organization's risk management strategy. The Cloud connector provides audit logging for the complete record of access between cloud and Cloud connector, as well as of configuration changes done in the Cloud connector. The written audit log files are digitally signed by the Cloud connector so that their integrity can be checked by the Cloud connector auditor tool, as described here:
https://help.hana.ondemand.com/help/frameset.htm?2264c7002f844fe4833186a1d168de66.html
The audit log data of the Cloud connector can be used to alert Cloud connector administrators to unusual or suspicious network and system behavior. Additionally, the audit log data can provide auditors with information required to validate security policy enforcement and proper segregation of duties. IT staff can use the audit log data for root-cause analysis following a security incident.
Information on how to configure and use the audit logging in the Cloud connector administrator UI can be found here: https://help.hana.ondemand.com/help/frameset.htm?2264c7002f844fe4833186a1d168de66.html
We recommend that you switch on audit logging of the Cloud connector permanently in productive scenarios and set it to All (the default configuration is Security). This way, the audit log files can be used to detect attacks, for example of a malicious cloud application that tries to access on-premise services without permission, or in a forensic analysis of a security incident.
It is further recommended to copy the audit log files of the Cloud connector regularly to an external persistent storage according to your local regulations. The audit log files can be found in the Cloud connector root directory under the following location: log/audit/<account-name>/audit-log_<timestamp>.csv
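One way to carry out the regular copy recommended above, as an added example that is not part of the SAP guide or the Cloud connector: a write-once archive with a SHA-256 manifest. The function names, the manifest file name and the two command-line arguments (Cloud connector root directory, archive directory) are assumptions; only the log/audit/<account-name>/audit-log_<timestamp>.csv layout comes from the guide.

```shell
#!/bin/sh
# Added example, not SAP code. Assumes sha256sum or shasum is installed.
# It does not replace the Cloud connector auditor tool's signature check;
# the manifest only detects later changes to the archived copies.

# sha256_of FILE: print the SHA-256 hex digest of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | cut -d' ' -f1
    else
        shasum -a 256 < "$1" | cut -d' ' -f1
    fi
}

# archive_audit_logs SCC_ROOT ARCHIVE_DIR
# Copies each audit log not yet archived, verifies the copy, and appends its
# digest to ARCHIVE_DIR/MANIFEST.sha256. Source files are never changed.
# Prints the number of files newly archived. Returns 1 if a source file
# differs from its archived copy (still being written, or altered later);
# such a file is reported and the archived copy is NOT overwritten.
archive_audit_logs() {
    src="$1/log/audit"
    dest=$2
    copied=0
    differing=0
    [ -d "$src" ] || { echo "no audit directory: $src" >&2; return 2; }
    mkdir -p "$dest" || return 2
    for f in "$src"/*/audit-log_*.csv; do
        [ -f "$f" ] || continue                  # glob matched nothing
        account=$(basename "$(dirname "$f")")
        name=$(basename "$f")
        target="$dest/$account/$name"
        sum=$(sha256_of "$f")
        if [ -f "$target" ]; then
            if [ "$(sha256_of "$target")" != "$sum" ]; then
                echo "DIFFERS from archived copy: $account/$name" >&2
                differing=$((differing + 1))
            fi
            continue
        fi
        mkdir -p "$dest/$account" || return 2
        cp -p "$f" "$target.part" || return 2
        if [ "$(sha256_of "$target.part")" != "$sum" ]; then
            rm -f "$target.part"
            echo "copy verification failed: $account/$name" >&2
            return 2
        fi
        mv "$target.part" "$target"
        chmod a-w "$target"
        printf '%s  %s\n' "$sum" "$account/$name" >> "$dest/MANIFEST.sha256"
        copied=$((copied + 1))
    done
    echo "$copied"
    [ "$differing" -eq 0 ]
}

# verify_archive ARCHIVE_DIR: recompute every digest listed in the manifest.
# Returns 0 only if all archived files are present and unchanged.
verify_archive() {
    dest=$1
    bad=0
    [ -f "$dest/MANIFEST.sha256" ] || return 2
    while read -r sum rel; do
        [ -f "$dest/$rel" ] && [ "$(sha256_of "$dest/$rel")" = "$sum" ] || {
            echo "archive entry missing or altered: $rel" >&2
            bad=$((bad + 1))
        }
    done < "$dest/MANIFEST.sha256"
    [ "$bad" -eq 0 ]
}

# Stand-alone use (for example from cron): script SCC_ROOT ARCHIVE_DIR
if [ "$#" -eq 2 ]; then
    archive_audit_logs "$1" "$2"
fi
```

Keep the archive directory on storage that the Cloud connector administrators cannot write to, so the copies stay usable as independent evidence.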
6.9 Authenticating Users for On-Premise Systems
Currently, the Cloud connector supports basic authentication and principal propagation as user authentication types towards internal systems. The destination configuration of the used cloud application defines which of these types is used for the actual communication to an on-premise system through the Cloud connector. (Details: https://help.hana.ondemand.com/help/frameset.htm?e4f1d97cbb571014a247d10f9f9a685d.html)
In case basic authentication is used, the on-premise system must be configured to accept basic authentication and to provide one or multiple service users. There are no additional steps which are needed in the Cloud connector for this authentication type.
In case principal propagation is used, the Cloud connector administrator has to explicitly configure trust to those cloud entities from which user tokens are accepted as valid. This can be done in the Trust view of the Cloud connector and is described in more detail here:
https://help.hana.ondemand.com/help/frameset.htm?a4ee70f0274248f8bbc7594179ef948d.html
7 Guidelines for Secure Operation of the Cloud Connector
The following table summarizes the guidelines and recommendations for a secure setup and operation of the Cloud connector in a productive scenario.

Activity / Recommendation / Reference

1 Restrict OS level access to the Cloud connector
  Recommendation: Restrict the access to the Cloud connector operating system to the users who should administrate the Cloud connector.
  Reference: section 6.1

2 Use hard drive encryption for the Cloud connector operating system
  Recommendation: Use hard drive encryption to avoid unauthorized access to the Cloud connector configuration data and credentials in case the hard disk gets stolen.
  Reference: section 6.1

3 Change password of built-in Administrator user immediately after installation and choose a strong password
  Recommendation: The Cloud connector administrator should change the initial password "manage" to a strong password that cannot be easily guessed.
  Reference: section 6.3

3 Authenticate with named users to the Cloud connector Administrator UI
  Recommendation: Configure an LDAP system in the Cloud connector and work with named administrator users to have better traceability.
  Reference: section 6.7

4 Change default X.509 certificate of Cloud connector Administration UI
  Recommendation: The self-signed certificate provided by the Cloud connector after a new installation shall be changed to an own certificate to increase the security of the SSL communication between the Cloud connector administration UI and the Cloud connector server itself, and to avoid security warnings of the browser when connecting to the administration UI.
  Reference: section 6.2

5 Use HTTPS and System Certificate or RFC via SNC for communication from Cloud connector to backend
  Recommendation: For communication between Cloud connector and the backend systems, as well as to authenticate a Cloud connector against the backend systems, we recommend that you use HTTPS and a system certificate, or RFC over SNC.
  Reference: section 6.6

6 Use host name mapping of exposed backend systems
  Recommendation: When configuring the access to an internal system in the Access Control configuration of the Cloud connector, we recommend that you use the virtual host name mapping in order to not expose physical host names of systems of the on-premise network to the cloud.
  Reference: section 0

7 Narrow access to backend systems to required services
  Recommendation: When configuring the access to an internal system in the Access Control view of the Cloud connector, we recommend that you restrict the system access to those resources which are required by the cloud applications. Do not expose the complete system just to save some configuration work.
  Reference: section 0

8 Switch on audit logging in Cloud connector to All
  Recommendation: To recognize attempts of attackers to get unauthorized access to the Cloud connector, and to have full traceability of the communication and the configuration changes, we recommend that you switch on the audit log to All.
  Reference: section 6.8

9 Copy and persist audit log files of Cloud connector regularly
  Recommendation: The Cloud connector audit log files shall be copied regularly from the Cloud connector machine to an external persistent storage and kept for a certain period of time according to the regulatory requirements.
  Reference: section 6.8, section 2.5.2

10 Clean up Cloud connector traces regularly and set default trace level to Information
  Recommendation: Cloud connector trace files should be deleted regularly in order to clean up disk space. Except for error analysis, the trace level of the Cloud connector should not be set to a level higher than Information in regular operation. Traces created for analysis of an issue with trace level All should be deleted immediately after the issue has been resolved.
  Reference: section 2.5.2
8 Monitoring
To verify that a Cloud connector is up and running, the simplest way is to try to access its administration UI. If the UI can be opened in a Web browser, the Cloud connector process is running.
On Windows operating systems, the Cloud connector process is registered as a Windows service which is configured to start automatically after a new Cloud connector installation. In case the machine gets rebooted, the Cloud connector process should then be auto-restarted immediately. You can check the state with the following command: sc query "SAP HANA Cloud connector 2.0". The line state shows the state of the service.
On Linux operating systems, the Cloud connector is registered as a daemon process and gets restarted automatically each time the Cloud connector process is down, such as after a reboot of the whole system. The daemon state can be checked with: service scc_daemon status
To verify if a Cloud connector is connected to a certain cloud account, log on to the Cloud connector Administration UI and go to the Accounts Dashboard, where the connection state of the connected accounts is visible, as described in section 6.4.
9 Supportability
In case of issues with the Cloud connector, SAP customers and partners can create OSS tickets under the component BC-MID-SCC. The general SAP SLAs regarding OSS processing time also apply for SAP HANA Cloud Platform and the Cloud connector. To avoid unnecessary answer/response cycles in the support case, we recommend that you download the logs of the corresponding Cloud connector using the Download button on the Logs view and attach the respective log file(s) to the OSS ticket directly when creating it. In case the issue is easily reproducible, re-execute it at Log Level 'All' before creating the archive.
10 Release and Maintenance Strategy
As for all components of SAP HANA Cloud Platform, new releases of the Cloud connector are available on the Cloud Tools page. As SAP HANA Cloud Platform releases in a bi-weekly cycle, new releases of the Cloud connector could occur every other week, although the actual releases will be less frequent (new releases are shipped when new features or important bug fixes shall be delivered).
Cloud connector versions follow the <major>.<minor>.<micro> versioning schema. Within a major version, the Cloud connector will stay fully compatible. Within a minor version, the Cloud connector will stay with the same feature set, and higher minor versions usually support additional features compared to lower minor versions. Micro versions are increased to release patches of a <major>.<minor> version in order to deliver bug fixes.
For each supported major version of the Cloud connector, only one <major>.<minor>.<micro> version will be provided and supported on the Cloud Tools page. This means that users have to upgrade their existing Cloud connectors in order to get a patch for a bug or to make use of new features.
New versions of the Cloud connector are announced in the Release Notes of SAP HANA Cloud Platform. We recommend that Cloud connector administrators regularly check the release notes for Cloud connector updates. New versions of the Cloud connector can be applied by using the Cloud connector upgrade capabilities, as outlined in sections 4.2 and 5.2 above. We recommend that you apply an upgrade first in the Cloud connector test landscape to validate that the running applications are working, and then continue with the productive landscape.
When updates are applied on the cloud, operations continuity of existing Cloud connectors and their connections is assured by the platform, i.e. users do not have to perform manual actions in the Cloud connector when the cloud side gets updated.
11 Process Guidelines for Hybrid Scenarios
The following chapter provides process guidelines that help you to manage productive hybrid scenarios in which applications running on SAP HANA Cloud Platform require access to on-premise systems.
11.1 Document Landscape of Hybrid Solution
To have an overview of the cloud and on-premise landscape relevant for your hybrid scenario, we recommend that you document the used cloud accounts, their connected Cloud connectors, and the used on-premise backend systems in landscape overview diagrams. Document the account names, the purpose of the accounts (dev, test, prod), information about the Cloud connector machines (host, domains), the URLs of the Cloud connectors in the landscape overview document, and possibly more details.
An example of landscape overview documentation could look like this:
11.2 Document Administrator Roles
It is recommended to document which users have administrator access to the cloud accounts, to the Cloud connector operating system, and to the Cloud connector Administration UI.
An example of such administrator role documentation could look like the following sample table:
Resource   john@acme.com   marry@acme.com   pete@acme.com   greg@acme.com
Cloud Account (CA) Dev1   x
CA Dev2   X
CA Test   x X
CA Prod   X
Cloud connector Dev 1 + 2   x x
Cloud connector Test   x X
Cloud connector Prod   X
Cloud connector Dev 1 + 2 file system
Cloud connector Test file system   x X
Cloud connector Prod file system   X
11.3 Document Communication Channels
It is recommended to create and document separate email distribution lists for both the cloud account administrators and the Cloud connector administrators.
An example of the documented communication channels could look like this:
Landscape                         Distribution List
Cloud Account Administrators      DL ACME HCP Account Admins
Cloud connector Administrators    DL ACME Cloud connector Admins
11.4 Define Project and Development Guidelines
It is recommended to define and document mandatory project and development guidelines for your SAP HANA Cloud Platform projects. An example of such a guideline could look like the following:
For every SAP HANA Cloud Platform project of your organization, the following requirements are mandatory:
• Usage of Maven, Nexus, Git-&-Gerrit for the application development
• Alignment with accountable manager in projects (name: Flora Miller)
• Alignment with accountable security officer in projects (name: Pete Johnson)
• For externally developed source code, a handover to your organization is required
• Fulfill the connection restrictions in a 3-system landscape, i.e. usage of a staged landscape for dev, test and prod, and e.g. the dev landscape only connects to dev systems, etc.
• Productive accounts do not use the same Cloud connector as a dev or test account
11.5 Define Process of how to Set a Cloud Application Live
It is recommended to define and document the process of how to set a cloud application live and how to configure the needed connectivity for such an application.
For example, the following processes could be seen as relevant and shall be defined and documented in more detail:
1. Transferring application to production: This process defines the steps which are necessary for transferring an application to the productive status on the SAP HANA Cloud Platform.
2. Application Connectivity: This process defines the steps which are necessary to add a connectivity destination to a deployed application for connections to other resources in the test or productive landscape.
3. Cloud Connector Connectivity: This process defines the steps which are necessary to add an on-premise resource to the SAP HANA Cloud connector in the test or productive landscapes to make it available for the connected cloud accounts.
4. On-premise System Connectivity: This process defines the steps which are necessary to set up a trust relationship between an on-premise system and the SAP HANA Cloud connector, and to configure user authentication and authorization in the on-premise system in the test or productive landscapes.
5. Application Authorization: This process defines the steps which are necessary to request and assign an authorization which is available inside the SAP HANA Cloud application to a user in the test or productive landscapes.
6. Administrator Permissions: This process defines the steps which are necessary to request and assign the administrator permissions in a cloud account to a user in the test or productive landscape.
Copyright
© Copyright 2014 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects S.A. in the United States and in other countries. Business Objects is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies (SAP Group) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
SAP HANA Cloud connector ndash Operatorrsquos Guide Page 8
6 Cloud Connector Administration
61 Operating System Access and Configuration
As the Cloud connector is a security critical component enabling external access to systems of an isolated
network similar to a reverse proxy in a DMZ we recommend that you restrict the access to the operating
system on which the Cloud connector is installed to the minimal set of users who shall administrate the system
This will minimize the risk of unauthorized people accessing the Cloud connector system and trying to modify
or damage a running Cloud connector instance
We also recommend that you use hard-drive encryption for the Cloud connector system This ensures that the
Cloud connector configuration data cannot be read by unauthorized users even if they obtain access to the
hard drive
62 Configuring a Trusted Certificate for the Administration UI
After a new installation the Cloud connector provides a self-signed X509 certificate used for the SSL
communication between the Cloud connector Administration UI running in a Web browser and the Cloud
connector process itself For security reasons this certificate should be replaced for productive scenarios with a
certificate trusted by your organization To learn in detail how to do this read this page
httpshelphanaondemandcomhelpframesethtmbcd5e113c9164ae8a443325692cd5b12html
63 Basic Configuration
The basic configuration steps for the Cloud connector consist of
Changing the initial password for the built-in Administrator user
Connecting the Cloud connector against a cloud account
A detailed documentation of these two steps can be found here
httpshelphanaondemandcomhelpframesethtmdb9170a7d97610148537d5a84bf79ba2html
You are forced to change the initial password to a specific one immediately after installation The Cloud
connector itself does not check the strength of the password ie the Cloud connector administrators should
voluntarily choose a strong password that cannot be guessed easily
6.4 Connecting and Disconnecting a Cloud Account
The major principle for the connectivity established by the Cloud connector is that the Cloud connector administrator should have full control over the connection to the cloud, i.e. they should be able to decide if and when the Cloud connector needs to be connected to the cloud at all, to which accounts it shall be connected, and which on-premise systems and resources shall be accessible to applications of the connected account.
Using the administration UI, the Cloud connector administrator can connect and disconnect the Cloud connector to the configured cloud account. Once disconnected, there is no communication possible, neither between the cloud account and the Cloud connector nor to the internal systems. The connection state can be verified and changed by the Cloud connector administrator on the Account Dashboard tab of the UI, as shown in the following screenshot.
It is important to note that once the Cloud connector is newly installed and connected to a cloud account, still none of the systems available in the customer network are accessible to the applications of the related cloud account. The systems and resources that shall be made accessible must be configured explicitly in the Cloud connector one by one, as described in section 6.6.
Effective with Cloud connector version 2.2.0, a single Cloud connector instance can be connected to multiple accounts in the cloud. This is useful especially for customers who need multiple accounts to structure their development or to stage their cloud landscape into development, test and production. These customers have the option to use a single Cloud connector instance for multiple accounts of theirs. Nevertheless, it is recommended not to use accounts running productive scenarios and accounts used for development or test purposes within the same Cloud connector. A cloud account can be added to or deleted from a Cloud connector on the Account Dashboard using the Add… and Delete buttons (see screenshot above).
A detailed description of how to add, delete, connect or disconnect accounts can also be found here:
https://help.hana.ondemand.com/help/frameset.htm?f16df12fab9f4fe1b8a4122f0fd54b6e.html
6.5 Configuring Accessible Resources
After a new Cloud connector installation in a network, no systems or resources of the network have been exposed to the cloud yet. The Cloud connector administrator must configure each system and resource that shall be used by applications of the connected cloud account in the Access Control view of the Cloud connector, as shown in the following screenshot.
Any type of system that can be called via one of the supported protocols (currently HTTP and RFC) is supported, i.e. both SAP and non-SAP systems. As an example, a convenient way to access an ABAP system in a cloud application is to do this via SAP NetWeaver Gateway, as it allows consumption of ABAP content via HTTP and open standards.
Detailed documentation on how HTTP resources are configured can be found here:
https://help.hana.ondemand.com/help/frameset.htm?e7d4927dbb571014af7ef6ebd6cc3511.html
Detailed documentation on how RFC resources are configured can be found here:
https://help.hana.ondemand.com/help/frameset.htm?ca5868997e48468395cf0ca4882f5783.html
We recommend that you narrow the access only to those backend services and resources that are explicitly needed by the cloud applications. Instead of configuring, for example, a system and granting access to all its resources, we recommend that you only grant access to the concrete resources which are needed by the cloud application. For example, define access to an HTTP service by specifying the service URL root path and allowing access to all its sub-paths.
When configuring an on-premise system, it is possible to define a virtual host and port for the specified system, as shown in the screenshot below. The virtual host name and port represent the fully-qualified domain name of the related system in the cloud. We recommend that you use the virtual host name/port mapping in order to prevent information about the physical machine name and port of an on-premise system, and thus about your internal network infrastructure, from being published to the cloud.
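The two recommendations above (grant only concrete URL paths, and expose only a virtual host name and port) can be modelled as a deny-by-default check. The following is an added example, not SAP code and not the Cloud connector's implementation; all host names, ports, paths and function names in it are constructed for illustration.

```python
# Added example: deny-by-default model of the access-control rules in section 6.5.
# All host names, ports and paths are constructed; this is not the Cloud
# connector's implementation.
import posixpath
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import quote, unquote, urlsplit


@dataclass(frozen=True)
class Resource:
    url_path: str           # path granted to cloud applications
    include_subpaths: bool  # False: this path only; True: path and all sub-paths


@dataclass(frozen=True)
class SystemMapping:
    virtual_host: str       # the only name the cloud side ever sees
    virtual_port: int
    internal_host: str      # physical name, known on-premise only
    internal_port: int
    resources: Tuple[Resource, ...]


def normalize(path: str) -> Optional[str]:
    """Decode and canonicalize a request path; None means reject."""
    decoded = unquote(path)
    if unquote(decoded) != decoded:          # double encoding such as %252e
        return None
    if not decoded.startswith("/") or decoded.startswith("//"):
        return None
    if "\\" in decoded or "\x00" in decoded:
        return None
    return posixpath.normpath(decoded)       # resolves "." and ".." segments


def is_allowed(resources, path: str) -> bool:
    """True only if the canonical path matches a configured resource."""
    clean = normalize(path)
    if clean is None:
        return False
    for res in resources:
        root = res.url_path.rstrip("/") or "/"
        if clean == root:
            return True
        # Compare whole segments: "/a/b" must not grant "/a/bc".
        if res.include_subpaths and clean.startswith(root.rstrip("/") + "/"):
            return True
    return False


def route(mappings, url: str) -> Optional[str]:
    """Map a virtual URL to the internal one, or None if it is not granted."""
    parts = urlsplit(url)
    for m in mappings:
        if (parts.hostname, parts.port) != (m.virtual_host, m.virtual_port):
            continue
        if is_allowed(m.resources, parts.path):
            target = f"{parts.scheme}://{m.internal_host}:{m.internal_port}"
            target += quote(normalize(parts.path))
            return target + (f"?{parts.query}" if parts.query else "")
    return None


# Constructed sample configuration: one backend, two granted resources.
MAPPINGS = (
    SystemMapping(
        "erp.virtual", 443, "abapdev01.corp.example", 44300,
        (Resource("/sap/opu/odata/sap/ZSALES_SRV", True),
         Resource("/sap/public/ping", False)),
    ),
)

if __name__ == "__main__":
    base = "https://erp.virtual:443"
    for path in ("/sap/opu/odata/sap/ZSALES_SRV/Orders",
                 "/sap/opu/odata/sap/ZSALES_SRV_ADMIN/Users",
                 "/sap/opu/odata/sap/ZSALES_SRV/%2e%2e/ZHR_SRV/Employees",
                 "/sap/public/ping/extra"):
        print(path, "->", route(MAPPINGS, base + path))
```

A request is forwarded only when both the virtual host/port and the canonical path match; everything else, including a request addressed to the internal host name, is refused.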
6.6 Configuring Trust between Cloud Connector and On-Premise Systems
For secure communication between the Cloud connector and the used on-premise systems, it is recommended to use encrypted protocols like HTTPS and RFC over SNC, and to set up a trust relationship between the Cloud connector and the on-premise systems by exchanging certificates.
When using HTTPS as protocol, a trust relationship can be set up by configuring the so-called system certificate in the Cloud connector. A system certificate is an X.509 certificate which represents the identity of the Cloud connector instance and is used as a client certificate in the HTTPS communication between the Cloud connector and the on-premise system. The used on-premise system should be configured to validate the system certificate of the Cloud connector to ensure that only calls from trusted Cloud connectors are accepted.
Detailed documentation on how to use and configure the system certificate for a Cloud connector can be found here: https://help.hana.ondemand.com/help/frameset.htm?3f974eae3cba4dafa274ec59f69daba6.html
Analogously, SNC can be configured for secure RFC communication to an ABAP backend as described here:
https://help.hana.ondemand.com/help/frameset.htm?f09eefe71d1e4d4484e1dd4b121585fb.html
6.7 Configuring Named Cloud Connector Administrator Users
We recommend that you configure LDAP-based user management for the SAP HANA Cloud Connector Administration UI, so that only named administrator users can log on to the administration UI. This is important to guarantee traceability of the Cloud connector configuration changes via the Cloud connector audit log. With the default and built-in Administrator user, it is not possible to identify the physical person who has done a possibly security-sensitive configuration change in the Cloud connector.
If you have an LDAP server in your landscape, you can configure the Cloud connector to authenticate Cloud connector administrator users against the LDAP server. Valid administrator users must belong to the user group named admin or sccadmin. Documentation on how to configure an LDAP server can be found here:
https://help.hana.ondemand.com/help/frameset.htm?120ceecfd84145a181ac160d588a7a3d.html
Once an LDAP server has been configured for the authentication of the Cloud connector, the default Administrator user will be inactive and can't be used anymore to log on to the Cloud connector.
6.8 Using the Audit Log
Audit logging is a critical element of an organization's risk management strategy. The Cloud connector provides audit logging for the complete record of access between cloud and Cloud connector as well as of configuration changes done in the Cloud connector. The written audit log files are digitally signed by the Cloud connector so that their integrity can be checked by the Cloud connector auditor tool, as described here:
https://help.hana.ondemand.com/help/frameset.htm?2264c7002f844fe4833186a1d168de66.html
The audit log data of the Cloud connector can be used to alert Cloud connector administrators to unusual or suspicious network and system behavior. Additionally, the audit log data can provide auditors with information required to validate security policy enforcement and proper segregation of duties. IT staff can use the audit log data for root-cause analysis following a security incident.
Information on how to configure and use the audit logging in the Cloud connector administrator UI can be found here: https://help.hana.ondemand.com/help/frameset.htm?2264c7002f844fe4833186a1d168de66.html
We recommend that you switch on audit logging of the Cloud connector permanently in productive scenarios and set it to All (the default configuration is Security). This way, the audit log files can be used to detect attacks, for example by a malicious cloud application that tries to access on-premise services without permission, or in a forensic analysis of a security incident.
It is further recommended to copy the audit log files of the Cloud connector regularly to an external persistent storage according to your local regulations. The audit log files can be found in the Cloud connector root directory under the following location: log/audit/<account-name>/audit-log_<timestamp>.csv
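One way to carry out the regular copy to external storage, shown as an added example that is not part of the original guide or of the Cloud connector. It assumes only the file location given above; the manifest file name, the report categories and the function names are choices made for this example. It complements, and does not replace, the signature check done by the Cloud connector auditor tool.

```python
# Added example: copy audit logs from <scc-root>/log/audit/<account-name>/ to an
# archive directory and keep a SHA-256 manifest of the archived copies.
# manifest.json and the report categories are assumptions of this example.
import hashlib
import json
import shutil
import sys
from pathlib import Path
from typing import Optional

AUDIT_GLOB = "*/audit-log_*.csv"   # <account-name>/audit-log_<timestamp>.csv


def sha256_file(path: Path, limit: Optional[int] = None) -> str:
    """SHA-256 of a file, or of its first `limit` bytes."""
    digest = hashlib.sha256()
    remaining = limit
    with path.open("rb") as handle:
        while True:
            size = 65536 if remaining is None else min(65536, remaining)
            chunk = handle.read(size)
            if not chunk:
                break
            digest.update(chunk)
            if remaining is not None:
                remaining -= len(chunk)
    return digest.hexdigest()


def archive_audit_logs(scc_root: Path, archive_root: Path) -> dict:
    """Archive new or grown audit logs; never overwrite with rewritten ones."""
    audit_dir = scc_root / "log" / "audit"
    archive_root.mkdir(parents=True, exist_ok=True)
    manifest_path = archive_root / "manifest.json"
    manifest = json.loads(manifest_path.read_text()) if manifest_path.exists() else {}
    report = {"copied": [], "unchanged": [], "appended": [], "rewritten": []}
    for src in sorted(audit_dir.glob(AUDIT_GLOB)):
        rel = src.relative_to(audit_dir).as_posix()
        entry = manifest.get(rel)
        if entry is None:
            state = "copied"
        elif sha256_file(src) == entry["sha256"]:
            report["unchanged"].append(rel)
            continue
        elif (src.stat().st_size > entry["size"]
              and sha256_file(src, entry["size"]) == entry["sha256"]):
            state = "appended"      # archived copy is a prefix: the log only grew
        else:
            report["rewritten"].append(rel)   # keep the archived copy as evidence
            continue
        dest = archive_root / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dest)
        # The manifest describes the archived copy, not the live file.
        manifest[rel] = {"sha256": sha256_file(dest), "size": dest.stat().st_size}
        report[state].append(rel)
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return report


def verify_archive(archive_root: Path) -> list:
    """Archived files that are missing or no longer match the manifest."""
    manifest = json.loads((archive_root / "manifest.json").read_text())
    return [rel for rel, entry in sorted(manifest.items())
            if not (archive_root / rel).is_file()
            or sha256_file(archive_root / rel) != entry["sha256"]]


if __name__ == "__main__":
    # usage: python archive_audit.py <cloud-connector-root> <archive-directory>
    result = archive_audit_logs(Path(sys.argv[1]), Path(sys.argv[2]))
    print(json.dumps(result, indent=2))
    sys.exit(1 if result["rewritten"] else 0)
```

A file reported as "rewritten" differs from its archived copy in bytes that were already archived, which a log that is only appended to should never show; store manifest.json where the Cloud connector machine's administrators cannot modify it.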
6.9 Authenticating Users for On-Premise Systems
Currently, the Cloud connector supports basic authentication and principal propagation as user authentication types towards internal systems. The destination configuration of the used cloud application defines which of these types is used for the actual communication to an on-premise system through the Cloud connector. (Details: https://help.hana.ondemand.com/help/frameset.htm?e4f1d97cbb571014a247d10f9f9a685d.html)
In case basic authentication is used, the on-premise system must be configured to accept basic authentication and to provide one or multiple service users. There are no additional steps needed in the Cloud connector for this authentication type.
In case principal propagation is used, the Cloud connector administrator has to explicitly configure trust to those cloud entities from which user tokens are accepted as valid. This can be done in the Trust view of the Cloud connector and is described in more detail here:
https://help.hana.ondemand.com/help/frameset.htm?a4ee70f0274248f8bbc7594179ef948d.html
7 Guidelines for Secure Operation of the Cloud Connector
The following table summarizes the guidelines and recommendations for a secure setup and operation of the Cloud connector in a productive scenario.

1 Activity: Restrict OS level access to the Cloud connector
  Recommendation: Restrict the access to the Cloud connector operating system to the users who should administrate the Cloud connector.
  Reference: section 6.1

2 Activity: Use hard drive encryption for the Cloud connector operating system
  Recommendation: Use hard drive encryption to avoid unauthorized access to the Cloud connector configuration data and credentials in case the hard disk gets stolen.
  Reference: section 6.1

3 Activity: Change password of built-in Administrator user immediately after installation and choose a strong password
  Recommendation: The Cloud connector administrator should change the initial password "manage" to a strong password that cannot be easily guessed.
  Reference: section 6.3

3 Activity: Authenticate with named users to the Cloud connector Administrator UI
  Recommendation: Configure an LDAP system in the Cloud connector and work with named administrator users to have better traceability.
  Reference: section 6.7

4 Activity: Change default X.509 certificate of Cloud connector Administration UI
  Recommendation: The self-signed certificate provided by the Cloud connector after a new installation shall be replaced by a certificate of your own to increase the security of the SSL communication between the Cloud connector administration UI and the Cloud connector server itself, and to avoid security warnings of the browser when connecting to the administration UI.
  Reference: section 6.2

5 Activity: Use HTTPS and System Certificate or RFC via SNC for communication from Cloud connector to backend
  Recommendation: For communication between the Cloud connector and the backend systems, as well as to authenticate a Cloud connector against the backend systems, we recommend that you use HTTPS and a system certificate or RFC over SNC.
  Reference: section 6.6

6 Activity: Use host name mapping of exposed backend systems
  Recommendation: When configuring the access to an internal system in the Access Control configuration of the Cloud connector, we recommend that you use the virtual host name mapping in order not to expose physical host names of systems of the on-premise network to the cloud.
  Reference: section 0

7 Activity: Narrow access to backend systems to required services
  Recommendation: When configuring the access to an internal system in the Access Control view of the Cloud connector, we recommend that you restrict the system access to those resources which are required by the cloud applications. Do not expose the complete system just to save some configuration work.
  Reference: section 0

8 Activity: Switch on audit logging in Cloud connector to All
  Recommendation: To recognize attempts of attackers to get unauthorized access to the Cloud connector, and to have full traceability of the communication and the configuration changes, we recommend that you switch on the audit log to All.
  Reference: section 6.8

9 Activity: Copy and persist audit log files of Cloud connector regularly
  Recommendation: The Cloud connector audit log files shall be copied regularly from the Cloud connector machine to an external persistent storage and kept for a certain period of time according to the regulatory requirements.
  Reference: section 6.8, section 2.5.2

10 Activity: Clean up Cloud connector traces regularly and set default trace level to Information
  Recommendation: Cloud connector trace files should be deleted regularly in order to clean up disk space. Except for error analysis, the trace level of the Cloud connector should not be set to a level higher than Information in regular operation. Traces created for analysis of an issue with trace level All should be deleted immediately after the issue has been resolved.
  Reference: section 2.5.2
8 Monitoring
To verify that a Cloud connector is up and running, the simplest way is to try to access its administration UI. If the UI can be opened in a Web browser, the Cloud connector process is running.
On Windows operating systems, the Cloud connector process is registered as a Windows service which is configured to start automatically after a new Cloud connector installation. In case the machine gets rebooted, the Cloud connector process should then be auto-restarted immediately. You can check the state with the following command: sc query "SAP HANA Cloud connector 2.0". The line "state" shows the state of the service.
On Linux operating systems, the Cloud connector is registered as a daemon process and gets restarted automatically each time the Cloud connector process is down, such as after a reboot of the whole system. The daemon state can be checked with: service scc_daemon status
To verify whether a Cloud connector is connected to a certain cloud account, log on to the Cloud connector Administration UI and go to the Accounts Dashboard, where the connection state of the connected accounts is visible, as described in section 6.4.
9 Supportability
In case of issues with the Cloud connector, SAP customers and partners can create OSS tickets under the component BC-MID-SCC. The general SAP SLAs in regard to OSS processing time also apply for SAP HANA Cloud Platform and the Cloud connector. To avoid unnecessary answer/response cycles in the support case, we recommend that you download the logs of the corresponding Cloud connector using the Download button on the Logs view and attach the respective log file(s) to the OSS ticket directly when creating it. In case the issue is easily reproducible, re-execute it at Log Level 'All' before creating the archive.
10 Release and Maintenance Strategy
As for all components of SAP HANA Cloud Platform, new releases of the Cloud connector are available on the Cloud Tools page. As SAP HANA Cloud Platform releases in a bi-weekly cycle, new releases of the Cloud connector could occur every other week, although the actual releases will be less frequent (new releases are shipped when new features or important bug fixes shall be delivered).
Cloud connector versions follow the <major>.<minor>.<micro> versioning schema. Within a major version, the Cloud connector will stay fully compatible. Within a minor version, the Cloud connector will stay with the same feature set, and higher minor versions usually support additional features compared to lower minor versions. Micro versions are increased to release patches of a <major>.<minor> version in order to deliver bug fixes.
For each supported major version of the Cloud connector, only one <major>.<minor>.<micro> version will be provided and supported on the Cloud Tools page. This means that users have to upgrade their existing Cloud connectors in order to get a patch for a bug or to make use of new features.
New versions of the Cloud connector are announced in the Release Notes of SAP HANA Cloud Platform. We recommend that Cloud connector administrators regularly check the release notes for Cloud connector updates. New versions of the Cloud connector can be applied by using the Cloud connector upgrade capabilities as outlined in sections 4.2 and 5.2 above. We recommend that you apply an upgrade first in the Cloud connector test landscape to validate that the running applications are working, and then continue with the productive landscape.
When updates are applied on the cloud, operations continuity of existing Cloud connectors and their connections is assured by the platform, i.e. users do not have to perform manual actions in the Cloud connector when the cloud side gets updated.
11 Process Guidelines for Hybrid Scenarios
The following chapter provides process guidelines that help you to manage productive hybrid scenarios in which applications running on SAP HANA Cloud Platform require access to on-premise systems.
11.1 Document Landscape of Hybrid Solution
To have an overview of the cloud and on-premise landscape relevant for your hybrid scenario, we recommend that you document the used cloud accounts, their connected Cloud connectors and the used on-premise backend systems in landscape overview diagrams. Document the account names, the purpose of the accounts (dev, test, prod), information on the Cloud connector machines (host, domains), the URLs of the Cloud connectors in the landscape overview document, and possibly more details.
An example of landscape overview documentation could look like this:
11.2 Document Administrator Roles
It is recommended to document which users have administrator access to the cloud accounts, to the Cloud connector operating system and to the Cloud connector Administration UI.
An example of such administrator role documentation could look like the following sample table:
Resource john@acme.com marry@acme.com pete@acme.com greg@acme.com
Cloud Account (CA) Dev1 x
CA Dev2 X
CA Test x X
CA Prod X
Cloud connector Dev 1 + 2 x x
Cloud connector Test x X
Cloud connector Prod X
Cloud connector Dev 1 + 2 file system
Cloud connector Test file system x X
Cloud connector Prod file system X
11.3 Document Communication Channels
It is recommended to create and document separate email distribution lists for both the cloud account administrators and the Cloud connector administrators.
An example of the documented communication channels could look like this:
Landscape: Distribution List
Cloud Account Administrators: DL ACME HCP Account Admins
Cloud connector Administrators: DL ACME Cloud connector Admins
11.4 Define Project and Development Guidelines
It is recommended to define and document mandatory project and development guidelines for your SAP HANA Cloud Platform projects. An example of such a guideline could look like the following:
For every SAP HANA Cloud Platform project of your organization, the following requirements are mandatory:
• Usage of Maven, Nexus, Git & Gerrit for the application development
• Alignment with accountable manager in projects (name: Flora Miller)
• Alignment with accountable security officer in projects (name: Pete Johnson)
• For externally developed source code, a handover to your organization is required
• Fulfill the connection restrictions in a 3-system landscape, i.e. usage of a staged landscape for dev, test and prod, where e.g. the dev landscape only connects to dev systems, etc.
• Productive accounts do not use the same Cloud connector as a dev or test account
11.5 Define Process of how to Set a Cloud Application Live
It is recommended to define and document the process of how to set a cloud application live and how to configure the needed connectivity for such an application.
For example, the following processes could be seen as relevant and shall be defined and documented in more detail:
1. Transferring application to production: This process defines the steps which are necessary for transferring an application to the productive status on the SAP HANA Cloud Platform.
2. Application Connectivity: This process defines the steps which are necessary to add a connectivity destination to a deployed application for connections to other resources in the test or productive landscape.
3. Cloud Connector Connectivity: This process defines the steps which are necessary to add an on-premise resource to the SAP HANA Cloud connector in the test or productive landscapes to make it available for the connected cloud accounts.
4. On-premise System Connectivity: This process defines the steps which are necessary to set up a trust relationship between an on-premise system and the SAP HANA Cloud connector, and to configure user authentication and authorization in the on-premise system in the test or productive landscapes.
5. Application Authorization: This process defines the steps which are necessary to request and assign an authorization which is available inside the SAP HANA Cloud application to a user in the test or productive landscapes.
6. Administrator Permissions: This process defines the steps which are necessary to request and assign the administrator permissions in a cloud account to a user in the test or productive landscape.
Copyright
© Copyright 2014 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation
IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation
Linux is the registered trademark of Linus Torvalds in the US and other countries
Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries
Oracle is a registered trademark of Oracle Corporation
UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group
Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc
HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology
Java is a registered trademark of Sun Microsystems Inc
JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape
SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects SA in the United States and in other countries Business Objects is an SAP company
All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary
These materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies (SAP Group) for informational purposes only without representation or warranty of any kind and SAP Group shall not be liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services if any Nothing herein should be construed as constituting an additional warranty
SAP HANA Cloud connector ndash Operatorrsquos Guide Page 9
It is important to note that once the Cloud connector is newly installed and connected to a cloud account still
none of the systems available in the customer network are accessible to the applications of the related cloud
account The systems and resources that shall be made accessible must be configured explicitly in the Cloud
connector one by one as it is described in section 66
Effective Cloud connector version 220 a single Cloud connector instance can be connected to multiple
accounts in the cloud This is useful especially for customers who need multiple accounts to structure their
development or to stage their cloud landscape into development test and production These customers have
the option to use a single Cloud connector instance for multiple accounts of theirs Nevertheless it is
recommended to not use accounts running productive scenarios and accounts used for development or test
purposes within the same Cloud connector A cloud account can be added to or deleted from a Cloud
connector on the Account Dashboard using the Addhellip and Delete buttons (see screenshot above)
A detailed description how to add delete connect or disconnect accounts can be also found here
httpshelphanaondemandcomhelpframesethtmf16df12fab9f4fe1b8a4122f0fd54b6ehtml
65 Configuring Accessible Resources
After a new Cloud connector installation in a network no systems or resources of the network have been
exposed to the cloud yet The Cloud connector administrator must configure each system and resource that
shall be used by applications of the connected cloud account in the Access Control view of the Cloud
connector as shown in the following screenshot
SAP HANA Cloud connector ndash Operatorrsquos Guide Page 10
Thereby any type of system that can be called via one of the supported protocols (currently HTTP and RFC)
ie both SAP and non-SAP systems are supported As an example a convenient way to access an ABAP system
in a cloud application is to do this via SAP NetWeaver Gateway as it allows consumption of ABAP content via
HTTP and open standards
Detailed documentation on how HTTP resources are configured can be found here
httpshelphanaondemandcomhelpframesethtme7d4927dbb571014af7ef6ebd6cc3511html
Detailed documentation on how RFC resources are configured can be found here
httpshelphanaondemandcomhelpframesethtmca5868997e48468395cf0ca4882f5783html
We recommend that you narrow the access only to those backend services and resources that are explicitly
needed by the cloud applications Instead of configuring for example a system and granting access to all its
resources we recommend that you only grant access to the concrete resources which are needed by the cloud
application For example define access to an HTTP service by specifying the service URL root path and allowing
access to all its sub-paths
When configuring an on-premise system it is possible to define a virtual host and port for the specified system
as shown in the screenshot below The virtual host name and port represent the fully-qualified domain name of
the related system in the cloud We recommend that you use the virtual host nameport mapping in order to
prevent from leaking information about the physical machine name and port of an on-premise system and thus
ndash of your internal network infrastructure getting published to the cloud
SAP HANA Cloud connector ndash Operatorrsquos Guide Page 11
66 Configuring Trust between Cloud Connector and On-Premise Systems
For secure communication between the Cloud connector and the used on-premise systems it is recommended
to use encrypted protocols like HTTPS and RFC over SNC and to set up a trust relationship between the Cloud
connector and the on-premise systems by exchanging certificates
When using HTTPS as protocol a trust relationship can be set-up by configuring the so-called system certificate
in the Cloud connector A system certificate is an X509 certificate which represents the identity of the Cloud
connector instance and is used as a client certificate in the HTTPS communication between the Cloud
connector and the on-premise system The used on-premise system should be configured to validate the
system certificate of the Cloud connector to ensure that only calls from trusted Cloud connectors are accepted
A detailed documentation on how to use and configure the system certificate for a Cloud connector can be
found here httpshelphanaondemandcomhelpframesethtm3f974eae3cba4dafa274ec59f69daba6html
Analogously SNC can be configured for secure RFC communication to an ABAP backend as described here
httpshelphanaondemandcomhelpframesethtmf09eefe71d1e4d4484e1dd4b121585fbhtml
67 Configuring Named Cloud Connector Administrator Users
We recommend that you configure LDAP-based user management for the SAP HANA Cloud Connector
Administration UI so that only named administrator users can log on to the administration UI This is important
to guarantee traceability of the Cloud connector configuration changes via the Cloud connector audit log With
the default and built-in Administrator user it is not possible to identify the physical person who has done a
possibly security-sensitive configuration change in the Cloud connector
If you have an LDAP server in your landscape you can configure the Cloud connector to authenticate Cloud
connector administrator users against the LDAP server Valid administrator users must belong to the user group
named admin or sccadmin Documentation on how to configure an LDAP server can be found here
httpshelphanaondemandcomhelpframesethtm120ceecfd84145a181ac160d588a7a3dhtml
Once an LDAP has been configured for the authentication of the Cloud connector the default Administrator
user will be inactive and canrsquot be used anymore for the log on to the Cloud connector
68 Using the Audit Log
Audit logging is a critical element of an organizationrsquos risk management strategy The Cloud connector provides
audit logging for the complete record of access between cloud and Cloud connector as well as of configuration
changes done in the Cloud connector The written audit log files are digitally signed by the Cloud connector so
SAP HANA Cloud connector ndash Operatorrsquos Guide Page 12
that their integrity can be checked by the Cloud connector auditor tool as described here
httpshelphanaondemandcomhelpframesethtm2264c7002f844fe4833186a1d168de66html
The audit log data of the Cloud connector can be used to alert Cloud connector administrators to unusual or
suspicious network and system behavior Additionally the audit log data can provide auditors with information
required to validate security policy enforcement and proper segregation of duties IT staff can use the audit log
data for root-cause analysis following a security incident
Information how to configure and use the audit logging in the Cloud connector administrator UI can be found
here httpshelphanaondemandcomhelpframesethtm2264c7002f844fe4833186a1d168de66html
We recommend that you switch on audit logging of the Cloud connector permanently in productive scenarios
and to set it to All (the default configuration is Security) By this the audit log files can be used to detect
attacks of for example a malicious cloud application that tries to access on-premise services without
permission or in a forensic analysis of a security incident
It is further recommended to copy the audit log files of the Cloud connector regularly to an external persistent
storage according to your local regulations The audit log files can be found in the Cloud connector root
directory under the following location logauditltaccount-namegtaudit-log_lttimestampgtcsv
69 Authenticating Users for On-Premise Systems
Currently the Cloud connector supports basic authentication and principal propagation as user authentication
types towards internal systems The destination configuration of the used cloud application defines which of
these types is used for the actual communication to an on-premise system through the Cloud connector
Details httpshelphanaondemandcomhelpframesethtme4f1d97cbb571014a247d10f9f9a685dhtml)
In case basic authentication is used the on-premise system must be configured to accept basic authentication
and to provide one or multiple service users There are no additional steps which are needed in the Cloud
connector for this authentication type
In case principal propagation is used the Cloud connector administrator has to explicitly configure trust to
those cloud entities from which user tokens are accepted as valid This can be done in the Trust view of the
Cloud connector and is described in more detail here
httpshelphanaondemandcomhelpframesethtma4ee70f0274248f8bbc7594179ef948dhtml
7 Guidelines for Secure Operation of the Cloud Connector
The following table summarizes the guidelines and recommendations for a secure setup and operation of the
Cloud connector in a productive scenario.

| No. | Activity | Recommendation | Reference |
|---|---|---|---|
| 1 | Restrict OS level access to the Cloud connector | Restrict the access to the Cloud connector operating system to the users who should administrate the Cloud connector. | section 6.1 |
| 2 | Use hard drive encryption for the Cloud connector operating system | Use hard drive encryption to avoid unauthorized access to the Cloud connector configuration data and credentials in case the hard disk gets stolen. | section 6.1 |
| 3 | Change password of built-in Administrator user immediately after installation and choose a strong password | The Cloud connector administrator should change the initial password "manage" to a strong password that cannot be easily guessed. | section 6.3 |
| 3 | Authenticate with named users to the Cloud connector Administrator UI | Configure an LDAP system in the Cloud connector and work with named administrator users to have better traceability. | section 6.7 |
| 4 | Change default X.509 certificate of Cloud connector Administration UI | The self-signed certificate provided by the Cloud connector after a new installation shall be changed to an own certificate to increase the security of the SSL communication between the Cloud connector administration UI and the Cloud connector server itself, and to avoid security warnings of the browser when connecting to the administration UI. | section 6.2 |
| 5 | Use HTTPS and System Certificate or RFC via SNC for communication from Cloud connector to backend | For communication between Cloud connector and the backend systems, as well as to authenticate a Cloud connector against the backend systems, we recommend that you use HTTPS and a system certificate, or RFC over SNC. | section 6.6 |
| 6 | Use host name mapping of exposed backend systems | When configuring the access to an internal system in the Access Control configuration of the Cloud connector, we recommend that you use the virtual host name mapping in order to not expose physical host names of systems of the on-premise network to the cloud. | section 0 |
| 7 | Narrow access to backend systems to required services | When configuring the access to an internal system in the Access Control view of the Cloud connector, we recommend that you restrict the system access to those resources which are required by the cloud applications. Do not expose the complete system just to save some configuration work. | section 0 |
| 8 | Switch on audit logging in Cloud connector to All | To recognize attempts of attackers to get unauthorized access to the Cloud connector, and to have full traceability of the communication and the configuration changes, we recommend that you switch on the audit log to All. | section 6.8 |
| 9 | Copy and persist audit log files of Cloud connector regularly | The Cloud connector audit log files shall be copied regularly from the Cloud connector machine to an external persistent storage and kept for a certain period of time according to the regulatory requirements. | section 6.8, section 2.5.2 |
| 10 | Clean up Cloud connector traces regularly and set default trace level to Information | Cloud connector trace files should be deleted regularly in order to clean up disk space. Unless for error analysis, the trace level of the Cloud connector should not be set to a level higher than Information in regular operation. Traces created for analysis of an issue with trace level All should be deleted immediately after the issue has been resolved. | section 2.5.2 |
8 Monitoring
To verify that a Cloud connector is up and running, the simplest way is to try to access its administration UI. If
the UI can be opened in a Web browser, the Cloud connector process is running.
On Windows operating systems, the Cloud connector process is registered as a Windows service, which is
configured to start automatically after a new Cloud connector installation. In case the machine gets rebooted,
the Cloud connector process should then be auto-restarted immediately. You can check the state with the
following command: sc query "SAP HANA Cloud connector 2.0". The line "state" shows the state of the
service.
On Linux operating systems, the Cloud connector is registered as a daemon process and gets restarted
automatically each time the Cloud connector process is down, like after a reboot of the whole system. The
daemon state can be checked with: service scc_daemon status
To verify whether a Cloud connector is connected to a certain cloud account, log on to the Cloud connector
Administration UI and go to the Accounts Dashboard, where the connection states of the connected
accounts are visible, as described in section 6.4.
9 Supportability
In case of issues with the Cloud connector, SAP customers and partners can create OSS tickets under the
component BC-MID-SCC. The general SAP SLAs with regard to OSS processing time also apply to SAP HANA
Cloud Platform and the Cloud connector. To avoid unnecessary answer/response cycles in the support case, we
recommend that you download the logs of the corresponding Cloud connector using the Download button on
the Logs view and attach the respective log file(s) to the OSS ticket directly when creating it. In case the
issue is easily reproducible, re-execute it at Log Level 'All' before creating the archive.
10 Release and Maintenance Strategy
As for all components of SAP HANA Cloud Platform, new releases of the Cloud connector are available on the
Cloud Tools page. As SAP HANA Cloud Platform releases in a bi-weekly cycle, new releases of the Cloud
connector could occur every other week, although the actual releases will be less frequent (new releases are
shipped when new features or important bug fixes shall be delivered).
Cloud connector versions follow the <major>.<minor>.<micro> versioning schema. Within a major
version, the Cloud connector will stay fully compatible. Within a minor version, the Cloud connector will stay
with the same feature set, and higher minor versions usually support additional features compared to lower
minor versions. Micro versions are increased to release patches of a <major>.<minor> version in order to
deliver bug fixes.
For each supported major version of the Cloud connector, only one <major>.<minor>.<micro> version
will be provided and supported on the Cloud Tools page. This means that users have to upgrade their existing
Cloud connectors in order to get a patch for a bug or to make use of new features.
New versions of the Cloud connector are announced in the Release Notes of SAP HANA Cloud Platform. We
recommend that Cloud connector administrators regularly check the release notes for Cloud connector
updates. New versions of the Cloud connector can be applied by using the Cloud connector upgrade
capabilities as outlined in sections 4.2 and 5.2 above. We recommend that you apply an upgrade first in the
Cloud connector test landscape to validate that the running applications are working, and then continue with
the productive landscape.
When updates are applied on the cloud, operations continuity of existing Cloud connectors and their connections
is assured by the platform, i.e. users do not have to perform manual actions in the Cloud connector when the
cloud side gets updated.
11 Process Guidelines for Hybrid Scenarios
The following chapter provides process guidelines that help you to manage productive hybrid scenarios in
which applications running on SAP HANA Cloud Platform require access to on-premise systems.
11.1 Document Landscape of Hybrid Solution
To have an overview of the cloud and on-premise landscape relevant for your hybrid scenario, we recommend
that you document the used cloud accounts, their connected Cloud connectors and the used on-premise
backend systems in landscape overview diagrams. Document the account names, the purpose of the accounts
(dev, test, prod), information on the Cloud connector machines (host, domains), the URLs of the Cloud
connectors in the landscape overview document, and possibly more details.
An example of landscape overview documentation could look like this:
11.2 Document Administrator Roles
It is recommended to document which users have administrator access to the cloud accounts, to the Cloud
connector operating system, and to the Cloud connector Administration UI.
An example of such administrator role documentation could look like the following sample table:
Resource   john@acme.com   marry@acme.com   pete@acme.com   greg@acme.com
Cloud Account (CA) Dev1   x
CA Dev2   X
CA Test   x X
CA Prod   X
Cloud connector Dev 1 + 2   x x
Cloud connector Test   x X
Cloud connector Prod   X
Cloud connector Dev 1 + 2 file system
Cloud connector Test file system   x X
Cloud connector Prod file system   X
11.3 Document Communication Channels
It is recommended to create and document separate email distribution lists for both the cloud account
administrators and the Cloud connector administrators.
An example of the documented communication channels could look like this:

| Landscape | Distribution List |
|---|---|
| Cloud Account Administrators | DL ACME HCP Account Admins |
| Cloud connector Administrators | DL ACME Cloud connector Admins |
11.4 Define Project and Development Guidelines
It is recommended to define and document mandatory project and development guidelines for your SAP HANA
Cloud Platform projects. An example of such a guideline could look like the following:
For every SAP HANA Cloud Platform project of your organization, the following requirements are mandatory:
• Usage of Maven, Nexus, Git-&-Gerrit for the application development
• Alignment with accountable manager in projects (name: Flora Miller)
• Alignment with accountable security officer in projects (name: Pete Johnson)
• For externally developed source code, a hand-over to your organization is required
• Fulfill the connection restrictions in a 3-system landscape, i.e. usage of staged landscape for dev, test
and prod, and e.g. dev landscape only connects to dev systems, etc.
• Productive accounts do not use the same Cloud connector as a dev or test account
11.5 Define Process of How to Set a Cloud Application Live
It is recommended to define and document the process of how to set a cloud application live and how to
configure the needed connectivity for such an application.
For example, the following processes could be seen as relevant and shall be defined and documented in more
detail:
1. Transferring application to production: This process defines the steps which are necessary for transferring
an application to the productive status on the SAP HANA Cloud Platform.
2. Application Connectivity: This process defines the steps which are necessary to add a connectivity
destination to a deployed application for connections to other resources in the test or productive
landscape.
3. Cloud Connector Connectivity: This process defines the steps which are necessary to add an on-premise
resource to the SAP HANA Cloud connector in the test or productive landscapes to make it available for the
connected cloud accounts.
4. On-premise System Connectivity: This process defines the steps which are necessary to set up a trust
relationship between an on-premise system and the SAP HANA Cloud connector and to configure user
authentication and authorization in the on-premise system in the test or productive landscapes.
5. Application Authorization: This process defines the steps which are necessary to request and assign an
authorization which is available inside the SAP HANA Cloud application to a user in the test or productive
landscapes.
6. Administrator Permissions: This process defines the steps which are necessary to request and assign the
administrator permissions in a cloud account to a user in the test or productive landscape.
Copyright
© Copyright 2014 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Thereby, any type of system that can be called via one of the supported protocols (currently HTTP and RFC),
i.e. both SAP and non-SAP systems, is supported. As an example, a convenient way to access an ABAP system
in a cloud application is to do this via SAP NetWeaver Gateway, as it allows consumption of ABAP content via
HTTP and open standards.
Detailed documentation on how HTTP resources are configured can be found here:
https://help.hana.ondemand.com/help/frameset.htm?e7d4927dbb571014af7ef6ebd6cc3511.html
Detailed documentation on how RFC resources are configured can be found here:
https://help.hana.ondemand.com/help/frameset.htm?ca5868997e48468395cf0ca4882f5783.html
We recommend that you narrow the access only to those backend services and resources that are explicitly
needed by the cloud applications. Instead of configuring, for example, a system and granting access to all its
resources, we recommend that you only grant access to the concrete resources which are needed by the cloud
application. For example, define access to an HTTP service by specifying the service URL root path and allowing
access to all its sub-paths.
When configuring an on-premise system, it is possible to define a virtual host and port for the specified system,
as shown in the screenshot below. The virtual host name and port represent the fully-qualified domain name of
the related system in the cloud. We recommend that you use the virtual host name/port mapping in order to
prevent information about the physical machine name and port of an on-premise system, and thus
of your internal network infrastructure, from getting published to the cloud.
6.6 Configuring Trust between Cloud Connector and On-Premise Systems
For secure communication between the Cloud connector and the used on-premise systems, it is recommended
to use encrypted protocols like HTTPS and RFC over SNC, and to set up a trust relationship between the Cloud
connector and the on-premise systems by exchanging certificates.
When using HTTPS as protocol, a trust relationship can be set up by configuring the so-called system certificate
in the Cloud connector. A system certificate is an X.509 certificate which represents the identity of the Cloud
connector instance and is used as a client certificate in the HTTPS communication between the Cloud
connector and the on-premise system. The used on-premise system should be configured to validate the
system certificate of the Cloud connector to ensure that only calls from trusted Cloud connectors are accepted.
Detailed documentation on how to use and configure the system certificate for a Cloud connector can be
found here: https://help.hana.ondemand.com/help/frameset.htm?3f974eae3cba4dafa274ec59f69daba6.html
Analogously, SNC can be configured for secure RFC communication to an ABAP backend as described here:
https://help.hana.ondemand.com/help/frameset.htm?f09eefe71d1e4d4484e1dd4b121585fb.html
6.7 Configuring Named Cloud Connector Administrator Users
We recommend that you configure LDAP-based user management for the SAP HANA Cloud Connector
Administration UI so that only named administrator users can log on to the administration UI. This is important
to guarantee traceability of the Cloud connector configuration changes via the Cloud connector audit log. With
the default and built-in Administrator user, it is not possible to identify the physical person who has done a
possibly security-sensitive configuration change in the Cloud connector.
If you have an LDAP server in your landscape, you can configure the Cloud connector to authenticate Cloud
connector administrator users against the LDAP server. Valid administrator users must belong to the user group
named admin or sccadmin. Documentation on how to configure an LDAP server can be found here:
https://help.hana.ondemand.com/help/frameset.htm?120ceecfd84145a181ac160d588a7a3d.html
Once an LDAP server has been configured for the authentication of the Cloud connector, the default Administrator
user will be inactive and can't be used anymore to log on to the Cloud connector.
6.8 Using the Audit Log
Audit logging is a critical element of an organization's risk management strategy. The Cloud connector provides
audit logging for the complete record of access between cloud and Cloud connector, as well as of configuration
changes done in the Cloud connector. The written audit log files are digitally signed by the Cloud connector so
that their integrity can be checked by the Cloud connector auditor tool, as described here:
https://help.hana.ondemand.com/help/frameset.htm?2264c7002f844fe4833186a1d168de66.html
The audit log data of the Cloud connector can be used to alert Cloud connector administrators to unusual or
suspicious network and system behavior. Additionally, the audit log data can provide auditors with information
required to validate security policy enforcement and proper segregation of duties. IT staff can use the audit log
data for root-cause analysis following a security incident.
Information on how to configure and use the audit logging in the Cloud connector administrator UI can be found
here: https://help.hana.ondemand.com/help/frameset.htm?2264c7002f844fe4833186a1d168de66.html
We recommend that you switch on audit logging of the Cloud connector permanently in productive scenarios
and to set it to All (the default configuration is Security) By this the audit log files can be used to detect
attacks of for example a malicious cloud application that tries to access on-premise services without
permission or in a forensic analysis of a security incident
It is further recommended to copy the audit log files of the Cloud connector regularly to an external persistent
storage according to your local regulations The audit log files can be found in the Cloud connector root
directory under the following location logauditltaccount-namegtaudit-log_lttimestampgtcsv
69 Authenticating Users for On-Premise Systems
Currently the Cloud connector supports basic authentication and principal propagation as user authentication
types towards internal systems The destination configuration of the used cloud application defines which of
these types is used for the actual communication to an on-premise system through the Cloud connector
Details httpshelphanaondemandcomhelpframesethtme4f1d97cbb571014a247d10f9f9a685dhtml)
In case basic authentication is used the on-premise system must be configured to accept basic authentication
and to provide one or multiple service users There are no additional steps which are needed in the Cloud
connector for this authentication type
In case principal propagation is used the Cloud connector administrator has to explicitly configure trust to
those cloud entities from which user tokens are accepted as valid This can be done in the Trust view of the
Cloud connector and is described in more detail here
httpshelphanaondemandcomhelpframesethtma4ee70f0274248f8bbc7594179ef948dhtml
7 Guidelines for Secure Operation of the Cloud Connector
The following table summarizes the guidelines and recommendations for a secure setup and operation of the
Cloud connector in a productive scenario
Activity Recommendation Reference
1 Restrict OS level access to the Cloud connector
Restrict the access to the Cloud connector operating system to the users who should administrate the Cloud connector
section 61
2 Use hard drive encryption for the Cloud connector operating system
Use hard drive encryption to avoid unauthorized access to the Cloud connector configuration data and credentials in case hard disk gets stolen
section 61
3 Change password of built-in Administrator user immediately after installation and choose a strong password
Cloud connector administrator should change initial password manage to a strong password that cannot be easily guessed
section 63
3 Authenticate with named Configure an LDAP system in the Cloud connector section 67
SAP HANA Cloud connector ndash Operatorrsquos Guide Page 13
users to the Cloud connector Administrator UI
and work with named administrator users to have better traceability
4 Change default X509 certificate of Cloud connector Administration UI
The self-signed certificate provided by the Cloud connector after a new installation shall be changed to an own certificate to increase the security of the SSL communication between the Cloud connector administration UI and the Cloud connector server itself and to avoid security warnings of the browser when connecting to the administration UI
section 62
5 Use HTTPS and System Certificate or RFC via SNC for communication from Cloud connector to backend
For communication between Cloud connector and the backend systems as well as to authenticate a Cloud connector against the backend systems we recommend that you use HTTPS and a system certificate or RFC over SNC
section 66
6 Use host name mapping of exposed backend systems
When configuring the access to an internal system in the Access Control configuration of the Cloud connector we recommend that you use the virtual host name mapping in order to not expose physical host names of systems of the on-premise network to the cloud
section 0
7 Narrow access to backend systems to required services
When configuring the access to an internal system in the Access Control view of the Cloud connector we recommend that you restrict the system access to those resources which are required by the cloud applications Do not expose the complete system just to save some configuration work
section 0
8 Switch on audit logging in Cloud connector to All
To recognize attempts of attackers to get unauthorized access to the Cloud connector and to have full traceability of the communication and the configuration changes we recommend that you switch on the audit log to All
section 68
9 Copy and persist audit log files of Cloud connector regularly
The Cloud connector audit log files shall be copied regularly from the Cloud connector machine to an external persistent storage and kept for a certain period of time according to the regulatory requirements
section 68 section 252
10 Clean up Cloud connector traces regularly and set default trace level to Information
Cloud connector trace files should be deleted regularly in order to clean up disk space Unless for error analysis the trace level of the Cloud connector should not be set to a level higher than Information in the regular operation Traces created for analysis of an issue with trace level All should be deleted immediately after the issue has been resolved
section 252
8 Monitoring
To verify that a Cloud connector is up and running the simplest way is to try to access its administration UI If
the UI can be opened in a Web browser the Cloud connector process is running
On Windows operating systems the Cloud connector process is registered as a Windows service which is
configured to start automatically after a new Cloud connector installation In case the machine gets rebooted
SAP HANA Cloud connector ndash Operatorrsquos Guide Page 14
the Cloud connector process should then be auto-restarted immediately You can check the state with the
following command sc query SAP HANA Cloud connector 20rdquo The line state shows the state of the
service
On Linux operating systems the Cloud connector is registered as a daemon process and gets restarted
automatically each time the Cloud connector process is down like after a reboot of the whole system The
daemon state can be checked with service Cloud connector_daemon status
To verify if a Cloud connector is connected to a certain cloud account log on to the Cloud connector
Administration UI and go to the Accounts Dashboard where the connection state of the connected
accounts are visible as described in section 64
9 Supportability
In case of issues with the Cloud connector SAP customers and partners can create OSS tickets under the
component BC-MID-SCC The general SAP SLAs in regards of OSS processing time also apply for SAP HANA
Cloud Platform and the Cloud connector To avoid unnecessary answerresponse cycles in the support case we
recommend that you download the logs of the corresponding Cloud connector using the Download button on
the Logs view and to attach the respective log file(s) to the OSS ticket directly when creating it In case the
issue is easily reproducible re-execute it at Log Level lsquoAlllsquo before creating the archive
10 Release and Maintenance Strategy
As for all components of SAP HANA Cloud Platform new releases of the Cloud connector are available on the
Cloud Tools page As SAP HANA Cloud Platform releases in a bi-weekly cycle new releases of the Cloud
connector could occur every other week although the actual releases will be more seldom (new releases are
shipped when new features or important bug fixes shall be delivered)
Cloud connector versions follow the ltmajorgtltminorgtltmicrogt versioning schema Within a major
version the Cloud connector will stay fully compatible Within a minor version the Cloud connector will stay
with the same feature set and higher minor versions usually support additional features compared to lower
minor versions Micro versions are increased to release patches of a ltmastergtltminorgt version in order to
deliver bug fixes
For each supported major version of the Cloud connector only one ltmajorgtltminorgtltmicrogt version
will be provided and supported on the Cloud Tools page This means that users have to upgrade their existing
Cloud connectors in order to get a patch for a bug or to make use of new features
New versions of the Cloud connector are announced in the Release Notes of SAP HANA Cloud Platform We
recommend that Cloud connector administrators check regularly the release notes for Cloud connector
updates New versions of the Cloud connector can be applied by using the Cloud connector upgrade
capabilities as outlined in sections 42 and 52 above We recommend that you apply an upgrade first in the
Cloud connector test landscape to validate that the running applications are working and then continue with
the productive landscape
When updates are applied on the cloud operations continuity of existing Cloud connectors and its connections
are assured by the platform ie users do not have to perform manual actions in the Cloud connector when the
cloud side gets updated
SAP HANA Cloud connector ndash Operatorrsquos Guide Page 15
11 Process Guidelines for Hybrid Scenarios
The following chapter provides process guidelines that help you to manage productive hybrid scenarios in
which applications running on SAP HANA Cloud Platform require access to on-premise systems
111 Document Landscape of Hybrid Solution
To have an overview of the cloud and on-premise landscape relevant for your hybrid scenario we recommend
that you document the used cloud accounts their connected Cloud connectors and the used on-premise
backend systems in landscape overview diagrams Document the account names the purpose of the accounts
(dev test prod) information of the Cloud connector machines (host domains) the URLs of the Cloud
connectors in the landscape overview document and possibly more details
An example of landscape overview documentation could look like this
112 Document Administrator Roles
It is recommended to document which users have administrator access to the cloud accounts to the Cloud
connector operating system and to the Cloud connector Administration UI
An example of such administrator role documentation could look like following sample table
Resource
johnacmecom marryacmecom peteacmecom gregacmecom
Cloud Account (CA) Dev1
x
CA Dev2 X
CA Test x X
CA Prod X
Cloud connector Dev 1 + 2
x x
SAP HANA Cloud connector ndash Operatorrsquos Guide Page 16
Cloud connector Test x X
Cloud connector Prod X
Cloud connector Dev 1 + 2 file system
Cloud connector Test file system
x X
Cloud connector Prod file system
X
113 Document Communication Channels
It is recommended to create and document separate email distribution lists for both the cloud account
administrators and the Cloud connector administrators
An example of the documented communication channels could look like this
Landscape Distribution List
Cloud Account Administrators DL ACME HCP Account Admins
Cloud connector Administrators DL ACME Cloud connector Admins
114 Define Project and Development Guidelines
It is recommended to define and document mandatory project and development guidelines for your SAP HANA
Cloud Platform projects An example of such a guideline could look like the following
For every SAP HANA Cloud Platform project of your organization the following requirements are mandatory
bull Usage of Maven Nexus Git-amp-Gerrit for the application development
bull Alignment with accountable manager in projects (name Flora Miller)
bull Alignment with accountable security officer in projects (name Pete Johnson)
bull For externally developed source code a hand over to your organization is required
bull Fulfill the connection restrictions in a 3 system landscape ie usage of staged landscape for dev test
and prod and eg dev landscape only connects to dev systems etc
bull Productive accounts do not use the same Cloud connector like a dev or test account
11.5 Define Process of how to Set a Cloud Application Live
It is recommended to define and document the process of how to set a cloud application live and how to configure the needed connectivity for such an application.
For example, the following processes could be seen as relevant and shall be defined and documented in more detail:
1. Transferring application to production: This process defines the steps which are necessary for transferring an application to the productive status on the SAP HANA Cloud Platform.
2. Application Connectivity: This process defines the steps which are necessary to add a connectivity destination to a deployed application for connections to other resources in the test or productive landscape.
3. Cloud Connector Connectivity: This process defines the steps which are necessary to add an on-premise resource to the SAP HANA Cloud connector in the test or productive landscapes to make it available for the connected cloud accounts.
4. On-premise System Connectivity: This process defines the steps which are necessary to set up a trust relationship between an on-premise system and the SAP HANA Cloud connector, and to configure user authentication and authorization in the on-premise system in the test or productive landscapes.
5. Application Authorization: This process defines the steps which are necessary to request and assign an authorization which is available inside the SAP HANA Cloud application to a user in the test or productive landscapes.
6. Administrator Permissions: This process defines the steps which are necessary to request and assign the administrator permissions in a cloud account to a user in the test or productive landscape.
Copyright
© Copyright 2014 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
6.6 Configuring Trust between Cloud Connector and On-Premise Systems
For secure communication between the Cloud connector and the used on-premise systems, it is recommended to use encrypted protocols like HTTPS and RFC over SNC, and to set up a trust relationship between the Cloud connector and the on-premise systems by exchanging certificates.
When using HTTPS as protocol, a trust relationship can be set up by configuring the so-called system certificate in the Cloud connector. A system certificate is an X.509 certificate which represents the identity of the Cloud connector instance and is used as a client certificate in the HTTPS communication between the Cloud connector and the on-premise system. The used on-premise system should be configured to validate the system certificate of the Cloud connector to ensure that only calls from trusted Cloud connectors are accepted.
Detailed documentation on how to use and configure the system certificate for a Cloud connector can be found here: https://help.hana.ondemand.com/help/frameset.htm?3f974eae3cba4dafa274ec59f69daba6.html
Analogously, SNC can be configured for secure RFC communication to an ABAP backend, as described here: https://help.hana.ondemand.com/help/frameset.htm?f09eefe71d1e4d4484e1dd4b121585fb.html
6.7 Configuring Named Cloud Connector Administrator Users
We recommend that you configure LDAP-based user management for the SAP HANA Cloud Connector Administration UI so that only named administrator users can log on to the administration UI. This is important to guarantee traceability of the Cloud connector configuration changes via the Cloud connector audit log. With the default and built-in Administrator user, it is not possible to identify the physical person who has made a possibly security-sensitive configuration change in the Cloud connector.
If you have an LDAP server in your landscape, you can configure the Cloud connector to authenticate Cloud connector administrator users against the LDAP server. Valid administrator users must belong to the user group named admin or sccadmin. Documentation on how to configure an LDAP server can be found here: https://help.hana.ondemand.com/help/frameset.htm?120ceecfd84145a181ac160d588a7a3d.html
Once an LDAP server has been configured for the authentication of the Cloud connector, the default Administrator user will be inactive and can't be used anymore to log on to the Cloud connector.
6.8 Using the Audit Log
Audit logging is a critical element of an organization's risk management strategy. The Cloud connector provides audit logging for the complete record of access between cloud and Cloud connector, as well as of configuration changes done in the Cloud connector. The written audit log files are digitally signed by the Cloud connector so that their integrity can be checked by the Cloud connector auditor tool, as described here: https://help.hana.ondemand.com/help/frameset.htm?2264c7002f844fe4833186a1d168de66.html
The audit log data of the Cloud connector can be used to alert Cloud connector administrators to unusual or suspicious network and system behavior. Additionally, the audit log data can provide auditors with information required to validate security policy enforcement and proper segregation of duties. IT staff can use the audit log data for root-cause analysis following a security incident.
Information on how to configure and use the audit logging in the Cloud connector administrator UI can be found here: https://help.hana.ondemand.com/help/frameset.htm?2264c7002f844fe4833186a1d168de66.html
We recommend that you switch on audit logging of the Cloud connector permanently in productive scenarios and set it to All (the default configuration is Security). This way, the audit log files can be used to detect attacks, for example by a malicious cloud application that tries to access on-premise services without permission, or in a forensic analysis of a security incident.
It is further recommended to copy the audit log files of the Cloud connector regularly to an external persistent storage according to your local regulations. The audit log files can be found in the Cloud connector root directory under the following location: log/audit/<account-name>/audit-log_<timestamp>.csv
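One way to implement the regular copy recommended in this section, as an added example that is not part of SAP's guide or tooling: a shell function that archives every audit log file found under log/audit/<account-name>/ to external storage, verifies each copy by SHA-256 and never overwrites an archived file. The function names, the MANIFEST.sha256 file and the archive directory are assumptions of this example, and sha256sum is assumed to be installed; the manifest only covers the copies and does not replace the signature check done by the Cloud connector auditor tool.

```shell
#!/bin/sh
# Added example (not SAP code): archive Cloud connector audit logs.
# Source layout taken from the guide:
#   <scc-root>/log/audit/<account-name>/audit-log_<timestamp>.csv
# Assumptions: sha256sum is available; ARCHIVE_DIR is on external storage.

sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# archive_audit_logs SCC_ROOT ARCHIVE_DIR
# Copies audit log files that are not archived yet, verifies each copy,
# records it in an append-only manifest and prints the number of new copies.
# Source files are never modified; archived copies are never overwritten.
archive_audit_logs() {
    scc_root=$1
    archive_dir=$2
    manifest="$archive_dir/MANIFEST.sha256"
    copied=0
    failed=0

    if [ ! -d "$scc_root/log/audit" ]; then
        echo "audit directory not found: $scc_root/log/audit" >&2
        return 2
    fi
    mkdir -p "$archive_dir" || return 2

    for src in "$scc_root"/log/audit/*/audit-log_*.csv; do
        [ -f "$src" ] || continue              # pattern matched nothing
        account=$(basename "$(dirname "$src")")
        rel="$account/$(basename "$src")"
        dst="$archive_dir/$rel"
        src_sum=$(sha256_of "$src") || { failed=1; continue; }

        if [ -e "$dst" ]; then
            if [ "$(sha256_of "$dst")" = "$src_sum" ]; then
                continue                       # identical copy already archived
            fi
            # The source differs from the archived copy (it grew or was
            # altered): keep the old copy and store the new content beside it.
            rel="$rel.$(printf '%s' "$src_sum" | cut -c1-12)"
            dst="$archive_dir/$rel"
            if [ -e "$dst" ]; then
                continue                       # this version is archived too
            fi
            echo "changed since last archive run: $src" >&2
        fi

        mkdir -p "$archive_dir/$account" || { failed=1; continue; }
        cp -p "$src" "$dst.part" || { failed=1; continue; }
        if [ "$(sha256_of "$dst.part")" != "$src_sum" ]; then
            rm -f "$dst.part"                  # source changed during the copy
            echo "copy verification failed: $src" >&2
            failed=1
            continue
        fi
        mv "$dst.part" "$dst" || { failed=1; continue; }
        chmod a-w "$dst"
        # "hash  path" lines can be rechecked with: sha256sum -c MANIFEST.sha256
        printf '%s  %s\n' "$src_sum" "$rel" >> "$manifest"
        copied=$((copied + 1))
    done

    echo "$copied"
    return "$failed"
}

# Run only when called with both arguments, for example from cron.
if [ "$#" -eq 2 ]; then
    archive_audit_logs "$1" "$2"
fi
```

A "changed since last archive run" message for a file that is no longer being written is worth checking with the auditor tool, since the older archived copy is kept for comparison.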
6.9 Authenticating Users for On-Premise Systems
Currently, the Cloud connector supports basic authentication and principal propagation as user authentication types towards internal systems. The destination configuration of the used cloud application defines which of these types is used for the actual communication to an on-premise system through the Cloud connector (Details: https://help.hana.ondemand.com/help/frameset.htm?e4f1d97cbb571014a247d10f9f9a685d.html).
In case basic authentication is used, the on-premise system must be configured to accept basic authentication and to provide one or multiple service users. There are no additional steps needed in the Cloud connector for this authentication type.
In case principal propagation is used, the Cloud connector administrator has to explicitly configure trust to those cloud entities from which user tokens are accepted as valid. This can be done in the Trust view of the Cloud connector and is described in more detail here: https://help.hana.ondemand.com/help/frameset.htm?a4ee70f0274248f8bbc7594179ef948d.html
7 Guidelines for Secure Operation of the Cloud Connector
The following table summarizes the guidelines and recommendations for a secure setup and operation of the Cloud connector in a productive scenario.
Activity | Recommendation | Reference
1. Restrict OS level access to the Cloud connector | Restrict the access to the Cloud connector operating system to the users who should administrate the Cloud connector. | section 6.1
2. Use hard drive encryption for the Cloud connector operating system | Use hard drive encryption to avoid unauthorized access to the Cloud connector configuration data and credentials in case the hard disk gets stolen. | section 6.1
3. Change password of built-in Administrator user immediately after installation and choose a strong password | The Cloud connector administrator should change the initial password "manage" to a strong password that cannot be easily guessed. | section 6.3
3. Authenticate with named users to the Cloud connector Administrator UI | Configure an LDAP system in the Cloud connector and work with named administrator users to have better traceability. | section 6.7
4. Change default X.509 certificate of Cloud connector Administration UI | The self-signed certificate provided by the Cloud connector after a new installation shall be changed to a certificate of your own to increase the security of the SSL communication between the Cloud connector administration UI and the Cloud connector server itself, and to avoid security warnings of the browser when connecting to the administration UI. | section 6.2
5. Use HTTPS and System Certificate or RFC via SNC for communication from Cloud connector to backend | For communication between Cloud connector and the backend systems, as well as to authenticate a Cloud connector against the backend systems, we recommend that you use HTTPS and a system certificate or RFC over SNC. | section 6.6
6. Use host name mapping of exposed backend systems | When configuring the access to an internal system in the Access Control configuration of the Cloud connector, we recommend that you use the virtual host name mapping in order to not expose physical host names of systems of the on-premise network to the cloud. | section 0
7. Narrow access to backend systems to required services | When configuring the access to an internal system in the Access Control view of the Cloud connector, we recommend that you restrict the system access to those resources which are required by the cloud applications. Do not expose the complete system just to save some configuration work. | section 0
8. Switch on audit logging in Cloud connector to All | To recognize attempts of attackers to get unauthorized access to the Cloud connector, and to have full traceability of the communication and the configuration changes, we recommend that you switch on the audit log to All. | section 6.8
9. Copy and persist audit log files of Cloud connector regularly | The Cloud connector audit log files shall be copied regularly from the Cloud connector machine to an external persistent storage and kept for a certain period of time according to the regulatory requirements. | section 6.8, section 2.5.2
10. Clean up Cloud connector traces regularly and set default trace level to Information | Cloud connector trace files should be deleted regularly in order to clean up disk space. Except for error analysis, the trace level of the Cloud connector should not be set to a level higher than Information in regular operation. Traces created for analysis of an issue with trace level All should be deleted immediately after the issue has been resolved. | section 2.5.2
8 Monitoring
To verify that a Cloud connector is up and running, the simplest way is to try to access its administration UI. If the UI can be opened in a Web browser, the Cloud connector process is running.
On Windows operating systems, the Cloud connector process is registered as a Windows service, which is configured to start automatically after a new Cloud connector installation. In case the machine gets rebooted, the Cloud connector process should then be auto-restarted immediately. You can check the state with the following command: sc query "SAP HANA Cloud connector 2.0". The line state shows the state of the service.
On Linux operating systems, the Cloud connector is registered as a daemon process and gets restarted automatically each time the Cloud connector process is down, like after a reboot of the whole system. The daemon state can be checked with: service scc_daemon status
To verify if a Cloud connector is connected to a certain cloud account, log on to the Cloud connector Administration UI and go to the Accounts Dashboard, where the connection state of the connected accounts is visible, as described in section 6.4.
9 Supportability
In case of issues with the Cloud connector, SAP customers and partners can create OSS tickets under the component BC-MID-SCC. The general SAP SLAs with regard to OSS processing time also apply to SAP HANA Cloud Platform and the Cloud connector. To avoid unnecessary answer/response cycles in the support case, we recommend that you download the logs of the corresponding Cloud connector using the Download button on the Logs view and attach the respective log file(s) to the OSS ticket directly when creating it. In case the issue is easily reproducible, re-execute it at Log Level 'All' before creating the archive.
10 Release and Maintenance Strategy
As for all components of SAP HANA Cloud Platform, new releases of the Cloud connector are available on the Cloud Tools page. As SAP HANA Cloud Platform releases in a bi-weekly cycle, new releases of the Cloud connector could occur every other week, although the actual releases will be less frequent (new releases are shipped when new features or important bug fixes shall be delivered).
Cloud connector versions follow the <major>.<minor>.<micro> versioning schema. Within a major version, the Cloud connector will stay fully compatible. Within a minor version, the Cloud connector will stay with the same feature set, and higher minor versions usually support additional features compared to lower minor versions. Micro versions are increased to release patches of a <major>.<minor> version in order to deliver bug fixes.
For each supported major version of the Cloud connector, only one <major>.<minor>.<micro> version will be provided and supported on the Cloud Tools page. This means that users have to upgrade their existing Cloud connectors in order to get a patch for a bug or to make use of new features.
New versions of the Cloud connector are announced in the Release Notes of SAP HANA Cloud Platform. We recommend that Cloud connector administrators regularly check the release notes for Cloud connector updates. New versions of the Cloud connector can be applied by using the Cloud connector upgrade capabilities as outlined in sections 4.2 and 5.2 above. We recommend that you apply an upgrade first in the Cloud connector test landscape to validate that the running applications are working, and then continue with the productive landscape.
When updates are applied on the cloud, operations continuity of existing Cloud connectors and their connections is assured by the platform, i.e. users do not have to perform manual actions in the Cloud connector when the cloud side gets updated.
11 Process Guidelines for Hybrid Scenarios
The following chapter provides process guidelines that help you to manage productive hybrid scenarios in which applications running on SAP HANA Cloud Platform require access to on-premise systems.
11.1 Document Landscape of Hybrid Solution
To have an overview of the cloud and on-premise landscape relevant for your hybrid scenario, we recommend that you document the used cloud accounts, their connected Cloud connectors and the used on-premise backend systems in landscape overview diagrams. Document the account names, the purpose of the accounts (dev, test, prod), information on the Cloud connector machines (host, domains), the URLs of the Cloud connectors in the landscape overview document, and possibly more details.
An example of landscape overview documentation could look like this
112 Document Administrator Roles
It is recommended to document which users have administrator access to the cloud accounts to the Cloud
connector operating system and to the Cloud connector Administration UI
An example of such administrator role documentation could look like following sample table
Resource
johnacmecom marryacmecom peteacmecom gregacmecom
Cloud Account (CA) Dev1
x
CA Dev2 X
CA Test x X
CA Prod X
Cloud connector Dev 1 + 2
x x
SAP HANA Cloud connector ndash Operatorrsquos Guide Page 16
Cloud connector Test x X
Cloud connector Prod X
Cloud connector Dev 1 + 2 file system
Cloud connector Test file system
x X
Cloud connector Prod file system
X
113 Document Communication Channels
It is recommended to create and document separate email distribution lists for both the cloud account
administrators and the Cloud connector administrators
An example of the documented communication channels could look like this
Landscape Distribution List
Cloud Account Administrators DL ACME HCP Account Admins
Cloud connector Administrators DL ACME Cloud connector Admins
114 Define Project and Development Guidelines
It is recommended to define and document mandatory project and development guidelines for your SAP HANA
Cloud Platform projects An example of such a guideline could look like the following
For every SAP HANA Cloud Platform project of your organization the following requirements are mandatory
bull Usage of Maven Nexus Git-amp-Gerrit for the application development
bull Alignment with accountable manager in projects (name Flora Miller)
bull Alignment with accountable security officer in projects (name Pete Johnson)
bull For externally developed source code a hand over to your organization is required
bull Fulfill the connection restrictions in a 3 system landscape ie usage of staged landscape for dev test
and prod and eg dev landscape only connects to dev systems etc
bull Productive accounts do not use the same Cloud connector like a dev or test account
115 Define Process of how to Set a Cloud Application Live
It is recommended to define and document the process of how to set a cloud application live and how to
configure needed connectivity for such an application
For example the following processes could be seen as relevant and shall be defined and document in more
detail
1 Transferring application to production This process defines the steps which are necessary for transferring
an application to the productive status on the SAP HANA Cloud Platform
2 Application Connectivity This process defines the steps which are necessary to add a connectivity
destination to a deployed application for connections to other resources in the test or productive
landscape
3 Cloud Connector Connectivity This process defines the steps which are necessary to add an on-premise
resource to the SAP HANA Cloud connector in the test or productive landscapes to make it available for the
connected cloud accounts
SAP HANA Cloud connector ndash Operatorrsquos Guide Page 17
4 On-premise System Connectivity This process defines the steps which are necessary to setup a trust
relationship between an on-premise system and the SAP HANA Cloud connector and to configure user
authentication and authorization in the on-premise system in the test or productive landscapes
5 Application Authorization This process defines the steps which are necessary to request and assign an
authorization which is available inside the SAP HANA Cloud application to a user in the test or productive
landscapes
6 Administrator Permissions This process defines the steps which are necessary to request and assign the
administrator permissions in a cloud account to a user in the test or productive landscape
Copyright
copy Copyright 2014 SAP AG All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors
Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation
IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation
Linux is the registered trademark of Linus Torvalds in the US and other countries
Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries
Oracle is a registered trademark of Oracle Corporation
UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group
Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc
HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology
Java is a registered trademark of Sun Microsystems Inc
JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape
SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects SA in the United States and in other countries Business Objects is an SAP company
All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary
These materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies (SAP Group) for informational purposes only without representation or warranty of any kind and SAP Group shall not be liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services if any Nothing herein should be construed as constituting an additional warranty
SAP HANA Cloud connector ndash Operatorrsquos Guide Page 12
that their integrity can be checked by the Cloud connector auditor tool as described here
httpshelphanaondemandcomhelpframesethtm2264c7002f844fe4833186a1d168de66html
The audit log data of the Cloud connector can be used to alert Cloud connector administrators to unusual or
suspicious network and system behavior Additionally the audit log data can provide auditors with information
required to validate security policy enforcement and proper segregation of duties IT staff can use the audit log
data for root-cause analysis following a security incident
Information how to configure and use the audit logging in the Cloud connector administrator UI can be found
here httpshelphanaondemandcomhelpframesethtm2264c7002f844fe4833186a1d168de66html
We recommend that you switch on audit logging of the Cloud connector permanently in productive scenarios
and to set it to All (the default configuration is Security) By this the audit log files can be used to detect
attacks of for example a malicious cloud application that tries to access on-premise services without
permission or in a forensic analysis of a security incident
It is further recommended to copy the audit log files of the Cloud connector regularly to an external persistent
storage according to your local regulations The audit log files can be found in the Cloud connector root
directory under the following location logauditltaccount-namegtaudit-log_lttimestampgtcsv
69 Authenticating Users for On-Premise Systems
Currently the Cloud connector supports basic authentication and principal propagation as user authentication
types towards internal systems The destination configuration of the used cloud application defines which of
these types is used for the actual communication to an on-premise system through the Cloud connector
Details httpshelphanaondemandcomhelpframesethtme4f1d97cbb571014a247d10f9f9a685dhtml)
In case basic authentication is used the on-premise system must be configured to accept basic authentication
and to provide one or multiple service users There are no additional steps which are needed in the Cloud
connector for this authentication type
In case principal propagation is used the Cloud connector administrator has to explicitly configure trust to
those cloud entities from which user tokens are accepted as valid This can be done in the Trust view of the
Cloud connector and is described in more detail here
httpshelphanaondemandcomhelpframesethtma4ee70f0274248f8bbc7594179ef948dhtml
7 Guidelines for Secure Operation of the Cloud Connector
The following table summarizes the guidelines and recommendations for a secure setup and operation of the
Cloud connector in a productive scenario
Activity Recommendation Reference
1 Restrict OS level access to the Cloud connector
Restrict the access to the Cloud connector operating system to the users who should administrate the Cloud connector
section 61
2 Use hard drive encryption for the Cloud connector operating system
Use hard drive encryption to avoid unauthorized access to the Cloud connector configuration data and credentials in case hard disk gets stolen
section 61
3 Change password of built-in Administrator user immediately after installation and choose a strong password
Cloud connector administrator should change initial password manage to a strong password that cannot be easily guessed
section 63
3 Authenticate with named Configure an LDAP system in the Cloud connector section 67
SAP HANA Cloud connector ndash Operatorrsquos Guide Page 13
users to the Cloud connector Administrator UI
and work with named administrator users to have better traceability
4 Change default X509 certificate of Cloud connector Administration UI
The self-signed certificate provided by the Cloud connector after a new installation shall be changed to an own certificate to increase the security of the SSL communication between the Cloud connector administration UI and the Cloud connector server itself and to avoid security warnings of the browser when connecting to the administration UI
section 62
5 Use HTTPS and System Certificate or RFC via SNC for communication from Cloud connector to backend
For communication between Cloud connector and the backend systems as well as to authenticate a Cloud connector against the backend systems we recommend that you use HTTPS and a system certificate or RFC over SNC
section 66
6 Use host name mapping of exposed backend systems
When configuring the access to an internal system in the Access Control configuration of the Cloud connector we recommend that you use the virtual host name mapping in order to not expose physical host names of systems of the on-premise network to the cloud
section 0
7 Narrow access to backend systems to required services
When configuring the access to an internal system in the Access Control view of the Cloud connector we recommend that you restrict the system access to those resources which are required by the cloud applications Do not expose the complete system just to save some configuration work
section 0
8 Switch on audit logging in Cloud connector to All
To recognize attempts of attackers to get unauthorized access to the Cloud connector and to have full traceability of the communication and the configuration changes we recommend that you switch on the audit log to All
section 68
9 Copy and persist audit log files of Cloud connector regularly
The Cloud connector audit log files shall be copied regularly from the Cloud connector machine to an external persistent storage and kept for a certain period of time according to the regulatory requirements
section 68 section 252
10 Clean up Cloud connector traces regularly and set default trace level to Information
Cloud connector trace files should be deleted regularly in order to clean up disk space Unless for error analysis the trace level of the Cloud connector should not be set to a level higher than Information in the regular operation Traces created for analysis of an issue with trace level All should be deleted immediately after the issue has been resolved
section 252
8 Monitoring
To verify that a Cloud connector is up and running, the simplest way is to try to access its administration UI. If
the UI can be opened in a Web browser, the Cloud connector process is running.
On Windows operating systems, the Cloud connector process is registered as a Windows service, which is
configured to start automatically after a new Cloud connector installation. In case the machine gets rebooted,
the Cloud connector process should then be auto-restarted immediately. You can check the state with the
following command: sc query "SAP HANA Cloud connector 2.0". The line state shows the state of the
service.
On Linux operating systems, the Cloud connector is registered as a daemon process and gets restarted
automatically each time the Cloud connector process is down, like after a reboot of the whole system. The
daemon state can be checked with: service Cloud connector_daemon status
To verify if a Cloud connector is connected to a certain cloud account, log on to the Cloud connector
Administration UI and go to the Accounts Dashboard, where the connection state of the connected
accounts is visible, as described in section 6.4.
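The checks described in this section, combined into one probe, as an added example that is not part of the SAP guide. It assumes English-language sc query output and an init script that follows the LSB exit-code convention; the function names are hypothetical, and the host, port, service and daemon names are passed in by the caller.

```python
import re
import socket
import ssl
import subprocess

# `sc query` prints a line such as "        STATE              : 4  RUNNING".
# Assumption: English-language Windows; other locales label the line differently.
STATE_LINE = re.compile(r"^\s*STATE\s*:\s*\d+\s+([A-Z_]+)", re.MULTILINE)
# Exit codes of `service <name> status` under the LSB init script convention.
LSB_STATES = {0: "RUNNING", 1: "STOPPED", 2: "STOPPED", 3: "STOPPED"}

# Constructed sample of `sc query` output, for illustration only.
SAMPLE_SC_OUTPUT = """
SERVICE_NAME: SAP HANA Cloud connector 2.0
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
"""


def parse_sc_state(sc_output):
    """Return the state name from the STATE line, or UNKNOWN if absent."""
    match = STATE_LINE.search(sc_output)
    return match.group(1) if match else "UNKNOWN"


def windows_service_state(service_name):
    """Run `sc query <service_name>` and return the parsed state."""
    result = subprocess.run(["sc", "query", service_name],
                            capture_output=True, text=True)
    return parse_sc_state(result.stdout)


def linux_daemon_state(daemon_name):
    """Run `service <daemon_name> status` and map its exit code to a state."""
    result = subprocess.run(["service", daemon_name, "status"],
                            capture_output=True, text=True)
    return LSB_STATES.get(result.returncode, "UNKNOWN")


def admin_ui_status(host, port, timeout=5.0, ca_file=None):
    """Probe the administration UI port with a verified TLS handshake.

    Returns "up", "up-untrusted-cert" (handshake reached the server but the
    certificate does not validate on this host, e.g. it is self-signed),
    "up-no-tls" (port open, handshake fails or stalls) or "down".
    """
    context = ssl.create_default_context(cafile=ca_file)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            try:
                with context.wrap_socket(raw, server_hostname=host):
                    return "up"
            except ssl.SSLCertVerificationError:
                return "up-untrusted-cert"
            except (ssl.SSLError, OSError):
                return "up-no-tls"
    except OSError:
        return "down"


def assess(service_state, ui_status):
    """Combine both checks into (healthy, finding) for an alerting job."""
    if service_state != "RUNNING":
        return False, f"service is {service_state}"
    if ui_status == "down":
        return False, "service runs but the administration UI port is closed"
    if ui_status == "up-no-tls":
        return False, "port is open but no TLS handshake completes"
    if ui_status == "up-untrusted-cert":
        return True, "reachable, but the UI certificate is not trusted by this host"
    return True, "service running and administration UI reachable"
```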
9 Supportability
In case of issues with the Cloud connector, SAP customers and partners can create OSS tickets under the
component BC-MID-SCC. The general SAP SLAs with regard to OSS processing time also apply for SAP HANA
Cloud Platform and the Cloud connector. To avoid unnecessary answer/response cycles in the support case, we
recommend that you download the logs of the corresponding Cloud connector using the Download button on
the Logs view and attach the respective log file(s) to the OSS ticket directly when creating it. In case the
issue is easily reproducible, re-execute it at Log Level 'All' before creating the archive.
10 Release and Maintenance Strategy
As for all components of SAP HANA Cloud Platform, new releases of the Cloud connector are available on the
Cloud Tools page. As SAP HANA Cloud Platform releases in a bi-weekly cycle, new releases of the Cloud
connector could occur every other week, although the actual releases will be less frequent (new releases are
shipped when new features or important bug fixes shall be delivered).
Cloud connector versions follow the <major>.<minor>.<micro> versioning schema. Within a major
version, the Cloud connector will stay fully compatible. Within a minor version, the Cloud connector will stay
with the same feature set, and higher minor versions usually support additional features compared to lower
minor versions. Micro versions are increased to release patches of a <major>.<minor> version in order to
deliver bug fixes.
For each supported major version of the Cloud connector, only one <major>.<minor>.<micro> version
will be provided and supported on the Cloud Tools page. This means that users have to upgrade their existing
Cloud connectors in order to get a patch for a bug or to make use of new features.
New versions of the Cloud connector are announced in the Release Notes of SAP HANA Cloud Platform. We
recommend that Cloud connector administrators regularly check the release notes for Cloud connector
updates. New versions of the Cloud connector can be applied by using the Cloud connector upgrade
capabilities as outlined in sections 4.2 and 5.2 above. We recommend that you apply an upgrade first in the
Cloud connector test landscape to validate that the running applications are working, and then continue with
the productive landscape.
When updates are applied on the cloud, operations continuity of existing Cloud connectors and their connections
is assured by the platform, i.e. users do not have to perform manual actions in the Cloud connector when the
cloud side gets updated.
11 Process Guidelines for Hybrid Scenarios
The following chapter provides process guidelines that help you to manage productive hybrid scenarios in
which applications running on SAP HANA Cloud Platform require access to on-premise systems.
11.1 Document Landscape of Hybrid Solution
To have an overview of the cloud and on-premise landscape relevant for your hybrid scenario, we recommend
that you document the used cloud accounts, their connected Cloud connectors and the used on-premise
backend systems in landscape overview diagrams. Document the account names, the purpose of the accounts
(dev, test, prod), information of the Cloud connector machines (host, domains), the URLs of the Cloud
connectors in the landscape overview document, and possibly more details.
An example of landscape overview documentation could look like this:
11.2 Document Administrator Roles
It is recommended to document which users have administrator access to the cloud accounts, to the Cloud
connector operating system, and to the Cloud connector Administration UI.
An example of such administrator role documentation could look like the following sample table:
Resource
john@acme.com marry@acme.com pete@acme.com greg@acme.com
Cloud Account (CA) Dev1 x
CA Dev2 X
CA Test x X
CA Prod X
Cloud connector Dev 1 + 2 x x
Cloud connector Test x X
Cloud connector Prod X
Cloud connector Dev 1 + 2 file system
Cloud connector Test file system x X
Cloud connector Prod file system X
11.3 Document Communication Channels
It is recommended to create and document separate email distribution lists for both the cloud account
administrators and the Cloud connector administrators.
An example of the documented communication channels could look like this:
Landscape                         Distribution List
Cloud Account Administrators      DL ACME HCP Account Admins
Cloud connector Administrators    DL ACME Cloud connector Admins
11.4 Define Project and Development Guidelines
It is recommended to define and document mandatory project and development guidelines for your SAP HANA
Cloud Platform projects. An example of such a guideline could look like the following:
For every SAP HANA Cloud Platform project of your organization, the following requirements are mandatory:
• Usage of Maven, Nexus, Git-&-Gerrit for the application development
• Alignment with accountable manager in projects (name: Flora Miller)
• Alignment with accountable security officer in projects (name: Pete Johnson)
• For externally developed source code, a hand over to your organization is required
• Fulfill the connection restrictions in a 3 system landscape, i.e. usage of staged landscape for dev, test
  and prod, and e.g. dev landscape only connects to dev systems, etc.
• Productive accounts do not use the same Cloud connector as a dev or test account
11.5 Define Process of how to Set a Cloud Application Live
It is recommended to define and document the process of how to set a cloud application live and how to
configure needed connectivity for such an application.
For example, the following processes could be seen as relevant and shall be defined and documented in more
detail:
1. Transferring application to production: This process defines the steps which are necessary for transferring
   an application to the productive status on the SAP HANA Cloud Platform.
2. Application Connectivity: This process defines the steps which are necessary to add a connectivity
   destination to a deployed application for connections to other resources in the test or productive
   landscape.
3. Cloud Connector Connectivity: This process defines the steps which are necessary to add an on-premise
   resource to the SAP HANA Cloud connector in the test or productive landscapes to make it available for the
   connected cloud accounts.
4. On-premise System Connectivity: This process defines the steps which are necessary to set up a trust
   relationship between an on-premise system and the SAP HANA Cloud connector and to configure user
   authentication and authorization in the on-premise system in the test or productive landscapes.
5. Application Authorization: This process defines the steps which are necessary to request and assign an
   authorization which is available inside the SAP HANA Cloud application to a user in the test or productive
   landscapes.
6. Administrator Permissions: This process defines the steps which are necessary to request and assign the
   administrator permissions in a cloud account to a user in the test or productive landscape.
Copyright
© Copyright 2014 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Linux is the registered trademark of Linus Torvalds in the US and other countries
Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries
Oracle is a registered trademark of Oracle Corporation
UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group
Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc
HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology
Java is a registered trademark of Sun Microsystems Inc
JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape
SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects SA in the United States and in other countries Business Objects is an SAP company
All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary
These materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies (SAP Group) for informational purposes only without representation or warranty of any kind and SAP Group shall not be liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services if any Nothing herein should be construed as constituting an additional warranty
11 Process Guidelines for Hybrid Scenarios
The following chapter provides process guidelines that help you to manage productive hybrid scenarios in
which applications running on SAP HANA Cloud Platform require access to on-premise systems.
11.1 Document Landscape of Hybrid Solution
To have an overview of the cloud and on-premise landscape relevant for your hybrid scenario, we recommend
that you document the used cloud accounts, their connected Cloud connectors, and the used on-premise
backend systems in landscape overview diagrams. Document the account names, the purpose of the accounts
(dev, test, prod), information about the Cloud connector machines (host, domains), the URLs of the Cloud
connectors in the landscape overview document, and possibly more details.
An example of landscape overview documentation could look like this:
11.2 Document Administrator Roles
It is recommended to document which users have administrator access to the cloud accounts, to the Cloud
connector operating system, and to the Cloud connector Administration UI.
An example of such administrator role documentation could look like the following sample table:
Resource john@acme.com marry@acme.com pete@acme.com greg@acme.com
Cloud Account (CA) Dev1
x
CA Dev2 X
CA Test x X
CA Prod X
Cloud connector Dev 1 + 2
x x
Cloud connector Test x X
Cloud connector Prod X
Cloud connector Dev 1 + 2 file system
Cloud connector Test file system
x X
Cloud connector Prod file system
X
11.3 Document Communication Channels
It is recommended to create and document separate email distribution lists for both the cloud account
administrators and the Cloud connector administrators.
An example of the documented communication channels could look like this:
Landscape                       Distribution List
Cloud Account Administrators    DL ACME HCP Account Admins
Cloud connector Administrators  DL ACME Cloud connector Admins
11.4 Define Project and Development Guidelines
It is recommended to define and document mandatory project and development guidelines for your SAP HANA
Cloud Platform projects. An example of such a guideline could look like the following:
For every SAP HANA Cloud Platform project of your organization, the following requirements are mandatory:
• Usage of Maven, Nexus, Git-&-Gerrit for the application development
• Alignment with accountable manager in projects (name: Flora Miller)
• Alignment with accountable security officer in projects (name: Pete Johnson)
• For externally developed source code, a hand over to your organization is required
• Fulfill the connection restrictions in a 3 system landscape, i.e. usage of staged landscape for dev, test
and prod, and e.g. dev landscape only connects to dev systems, etc.
• Productive accounts do not use the same Cloud connector as a dev or test account
11.5 Define Process of how to Set a Cloud Application Live
It is recommended to define and document the process of how to set a cloud application live and how to
configure needed connectivity for such an application.
For example, the following processes could be seen as relevant and shall be defined and documented in more
detail:
1. Transferring application to production: This process defines the steps which are necessary for transferring
an application to the productive status on the SAP HANA Cloud Platform.
2. Application Connectivity: This process defines the steps which are necessary to add a connectivity
destination to a deployed application for connections to other resources in the test or productive
landscape.
3. Cloud Connector Connectivity: This process defines the steps which are necessary to add an on-premise
resource to the SAP HANA Cloud connector in the test or productive landscapes to make it available for the
connected cloud accounts.
4. On-premise System Connectivity: This process defines the steps which are necessary to set up a trust
relationship between an on-premise system and the SAP HANA Cloud connector and to configure user
authentication and authorization in the on-premise system in the test or productive landscapes.
5. Application Authorization: This process defines the steps which are necessary to request and assign an
authorization which is available inside the SAP HANA Cloud application to a user in the test or productive
landscapes.
6. Administrator Permissions: This process defines the steps which are necessary to request and assign the
administrator permissions in a cloud account to a user in the test or productive landscape.
Copyright
© Copyright 2014 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects S.A. in the United States and in other countries. Business Objects is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies (SAP Group) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.