© 2014 IBM Corporation SAP HANA Cloud Connector Prasenjit Paul

Post on 24-Mar-2020


Agenda

1. What is SAP HANA Cloud Connector?

2. Advantages of SAP HANA Cloud Connector

3. Architecture: Connecting Cloud Applications to On-Premise Systems

4. Install SAP HANA Cloud Connector

5. Set up the initial configuration of SAP HANA Cloud Connector

6. Connect to an on-premise system from SAP HANA Cloud via HTTP

What is SAP HANA Cloud Connector?

• SAP HANA Cloud connector serves as the link between on-demand applications in SAP HANA Cloud Platform and existing on-premise systems.

• It combines an easy setup with a clear configuration of the systems that are exposed to SAP HANA Cloud Platform. In addition, the resources' availability can be controlled for the cloud applications in those systems.

• The Cloud connector runs as an on-premise agent in a secured network and acts as a reverse invoke proxy between the on-premise network and SAP HANA Cloud Platform.

• Due to its reverse invoke support, you don't need to configure the on-premise firewall to allow external access from the cloud to internal systems. The Cloud connector provides fine-grained control over:

o On-premise systems and resources that shall be accessible by cloud applications

o Cloud applications that shall make use of the Cloud connector

• Cloud connector can be used in business-critical enterprise scenarios. The tool automatically re-establishes broken connections, provides audit logging of the inbound traffic and configuration changes, and can be run in a high-availability setup.

Advantages of SAP HANA Cloud Connector

Compared to the approach of opening ports in the firewall and using reverse proxies in the DMZ to establish access to on-premise systems, the Cloud connector has the following advantages:

• The firewall of the on-premise network does not have to open an inbound port to establish connectivity from SAP HANA Cloud Platform to an on-premise system. In the case of allowed outbound connections, no modifications are required.

• The Cloud connector supports additional protocols, apart from HTTP. For example, the RFC protocol supports native access to ABAP systems by invoking function modules.

• The Cloud connector can be used to connect on-premise database or BI tools to SAP HANA databases in the cloud. That means it also supports the opposite connection direction (from the on-premise system to the cloud).

• The Cloud connector allows propagating the identity of cloud users to on-premise systems in a secure way.

• The Cloud connector is easy to install and configure, that is, it comes with a low TCO and fits well with cloud scenarios. SAP provides standard support for it.

Architecture: Connecting Cloud Applications to On-Premise Systems

Install SAP HANA Cloud Connector on Microsoft Windows OS

Prerequisites

• You have downloaded either the ZIP archive or the MSI installer.

• Install Microsoft Visual Studio C++ 2010 runtime libraries.

• Install Java 6 or Java 7, or use the sapjvm JDK.

Procedure

Developer Scenario

i. Extract the <sapcc-<version>-windows-x64.zip> ZIP file to an arbitrary directory on your local file system.

ii. Change to this directory and start Cloud connector 2.x via the go.bat batch file.

iii. Continue with the Next Steps section.

Productive Scenario

• Install by double-clicking the <sapcc-<version>-windows-x64.msi> installer.

• Continue with the Next Steps section.

Next Steps

In a browser, enter: https://<hostname>:8443, where <hostname> is the host name of the machine on which you have installed the Cloud connector. If you access the Cloud connector locally from the same machine, you can just enter localhost.

Install SAP HANA Cloud Connector

Initial Configuration

Follow the steps below:

1. Log in

2. Change your password

3. Set up parameters and HTTPS proxy

4. Establish connections to SAP HANA Cloud Platform

Log in to the Cloud connector

In a Web browser, enter: https://<hostname>:<port> (note: 8443 is the default port; use localhost if you open the URL on the same system where the Cloud connector is running).

For User Name / Password enter Administrator / manage (case sensitive).

Choose between master and shadow installation. Use Master.

https://localhost:8443

Change your password

Change the password when you log in for the first time.

The password of the Administrator user can be changed again later from the Settings menu.

After first log on, the Cloud connector collects the following required information:

For Landscape Host, specify the SAP HANA Cloud Platform landscape that should be used.

Enter registered Account Name, Account User and Password, of SAP HANA Cloud Platform.

Optional: Define a Display Name, which makes it easy to recognize a specific account.

Optional: Define a Location ID, which identifies the location of this Cloud connector for a specific account.

Enter proxy host and port.

Optional: Provide a Description (free text) for this Cloud connector instance.

Choose Apply.

To change proxy settings (for example, because the company firewall rules have changed), choose the Settings menu in the upper right corner. Some proxy servers require credentials for authentication. In this case, you need to provide the relevant user/password information.

To change the description of the Cloud connector, choose Settings in the upper right corner, open the Connector Info section and edit the description.

Install SAP HANA Cloud Connector - Establish connections to SAP HANA Cloud Platform

Once the initial setup has been completed successfully, the tunnel to the cloud endpoint is open (even though no requests are allowed to pass until you have completed the access control setup).

Click the Disconnect button to disconnect (or the Connect button to reconnect to SAP HANA Cloud Platform).

The yellow state icon and the text indicate that there is still no resource exposed that could be used from a cloud application. This requires additional configuration, which is mentioned in the Related Information section.

The green icons next to Landscape Host and HTTPS Proxy indicate that they both are valid and work properly.

In case of a timeout or a connectivity issue, the icon is respectively yellow (warning) or red (error), and a tooltip displays the cause of the problem.

The Account User is the user that originally established the tunnel. During normal operation, this user is no longer needed; certificates that were exchanged while establishing the connection to the account are used instead.

Cloud Connector: Installation of a System Certificate for Mutual Authentication

Import an X.509 client certificate into the Cloud connector.

This system certificate needs to be provided as PKCS#12 file containing the client certificate, the corresponding private key and the CA root certificate that signed the client certificate (plus potentially the certificates of any intermediate CAs, if the certificate chain is longer than 2).

If a system certificate has been imported successfully, its distinguished name, the name of the issuer, and the validity dates are displayed:

Cloud Connector: Configuring Access Control (HTTP)

Exposing Intranet Systems

To allow on-demand applications to access a certain back-end system on the intranet, you need to insert an extra line into the Cloud connector access control management.

Go to the Access Control tab page.

Choose Add.

Back-end Type: Select the description that best matches the addressed back-end system. This is important mainly for metering information: tunnel connections to any kind of SAP system are free of charge, while using the tunnel for connecting to a non-SAP system costs a fee. It also determines which steps the wizard offers and which values are possible.

Protocol: This field lets you decide whether the Cloud connector should use HTTP or HTTPS for the connection to the back-end system.

o If you specify HTTPS and there is a "system certificate" imported in the Cloud connector, the latter attempts to use that certificate for performing a client-certificate-based login to the back-end system.

o If there is no system certificate imported, the Cloud connector opens an HTTPS connection without client certificate.

Internal Host and Internal Port specify the actual host and port under which the target system can be reached within the intranet.

Virtual Host specifies the host name exactly as it is specified as the URL property in the HTTP destination configuration in SAP HANA Cloud Platform.

Principal Type defines what kind of principal is used when configuring a destination on the cloud side using this system mapping with authentication type Principal Propagation.

The summary shows information about the system to be stored.

Optional: Edit such a system mapping (via Edit) to make the Cloud connector route the requests for sales-system.cloud:443 to a different back-end system.

Limiting the Accessible Services for HTTP(S)

In addition to allowing access to a particular host and port, you also need to specify which URL paths (Resources) are allowed to be invoked on that host. The Cloud connector uses very strict white-lists for its access control, so only those URLs for which you explicitly granted access are allowed.

All other HTTP(S) requests are denied by the Cloud connector. To define the permitted URLs (Resources) for a particular back-end system, choose the line corresponding to that back-end system.

A dialog appears prompting you to enter the specific URL path that you want to allow to be invoked.

Enabling/Disabling Resources On-the-Fly

In some cases, it is useful for testing purposes to temporarily disable certain resources without having to delete them from the configuration. This lets you easily restore access to these resources at a later point in time without having to type in everything once again.

To disable a resource, select it and choose the Disable button.

The traffic light turns red, and from now on, the Cloud connector will deny all requests coming in for this resource. To enable the resource again, select it and choose the Enable button.

It is also possible to mark multiple lines and then to disable/enable all of them in one go by clicking the Enable/Disable buttons in the top row.

Examples:

/production/accounting and Path only (sub-paths are excluded) are selected. Only requests of the form GET /production/accounting or GET /production/accounting?name1=value1&name2=value2... are allowed. (GET can also be replaced by POST, PUT, DELETE, and so on.)

/production/accounting and Path and all sub-paths are selected. All requests of the form GET /production/accounting-plus-some-more-stuff-here?name1=value1... are allowed.

/ and Path and all sub-paths are selected. All requests to this server are allowed.
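
The matching rules from the examples above, combined with the system mapping and the Enable/Disable switch, as a small Python model for reviewing a planned white-list (an added example, not SAP's implementation and not part of the original slides). The internal host name and port, the class and function names, and the choice to simply skip disabled entries are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Resource:
    path: str
    subpaths: bool        # True: "Path and all sub-paths"; False: "Path only"
    enabled: bool = True  # False: resource was switched off with Disable

@dataclass(frozen=True)
class SystemMapping:
    virtual: tuple        # (virtual host, port) as used in the cloud destination
    internal: tuple       # (internal host, port) reached inside the intranet
    resources: tuple = ()

def decide(mappings, host, port, target):
    """Return the internal (host, port) to route to, or None if denied."""
    mapping = next((m for m in mappings if m.virtual == (host, port)), None)
    if mapping is None:
        return None                        # system is not exposed at all
    path = target.partition("?")[0]        # the query string is not matched
    for res in mapping.resources:
        if not res.enabled:
            continue                       # assumption: disabled entries grant nothing
        # Sub-path mode is a plain string-prefix match, as in the slide's example.
        hit = path.startswith(res.path) if res.subpaths else path == res.path
        if hit:
            return mapping.internal
    return None                            # default deny: nothing on the list matched

def review(mappings):
    """Flag enabled entries whose prefix grants more than the path suggests."""
    findings = []
    for m in mappings:
        for r in m.resources:
            if not (r.enabled and r.subpaths):
                continue
            if r.path == "/":
                findings.append((m.virtual, r.path, "whole server exposed"))
            elif not r.path.endswith("/"):
                findings.append((m.virtual, r.path, "prefix also matches sibling paths"))
    return findings

# Constructed sample configuration (internal host name and port are made up).
MAPPINGS = (
    SystemMapping(("sales-system.cloud", 443), ("sales.intranet.example", 44300), (
        Resource("/production/accounting", subpaths=False),
        Resource("/production/reports", subpaths=True),
        Resource("/test/", subpaths=True, enabled=False),
    )),
)
```

Running `review(MAPPINGS)` on a planned configuration before entering it shows which "Path and all sub-paths" entries reach further than intended.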
