Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Showing results for 
Search instead for 
Did you mean: 
quovadis
Product and Topic Expert
Product and Topic Expert

Abstract.









The requirement is to be able to combine the direct and live user access to internal SAP HANA systems [within corporate firewalls] and when users are not connected to the corporate network [from outside of corporate firewalls].

  • SAP Analytics Cloud [SAC] is a SaaS tenant running on public internet.

  • Live connectivity is required as data must not be duplicated or moved.

  • Direct access. The internal [on premise] SAP HANA [HANA] backend systems InA endpoints cannot be accessed outside of the corporate firewall.



 

What is the situation:










Nowadays, users would rather be connecting to corporate assets from public internet with SAML Single Sign On [SAML SSO].

When it comes to SAC it means that the internal backend HANA systems InA endpoint must be somehow accessible in that context; otherwise access to SAC models and stories may be denied.

Thus for a direct connection to work from outside of the corporate firewall the InA endpoint of the internal SAP HANA system must have been published to the outside context (public internet or another corporate network)

Even if there are ways to have the HTTPS InA endpoint published outside of corporate firewall they all require intimate knowledge of networking and having in place the InA endpoint publication mechanism.

Good to know:



  • SAP Webdispatcher can be used to publish the InA endpoint to the public internet.

  • SAP Cloud Connector can be used to establish a tunnel between SAP Cloud Platform connectivity endpoint and on premise backend systems.



 

The tunnel connection with SAP Analytics Cloud.








In order to alleviate the burden of using SAP Analytics Cloud [SAC] :

  • with the enterprise assets [when connecting from outside of corporate firewalls]

  • and fetching data from internal on premise SAP HANA systems [within corporate firewalls]


SAP has released a new type of a SAC HANA Live connection called tunnel connection.

The tunnel connection leverages the SAP Cloud Connector [SCC] to establish a secured communication tunnel between SAC and your SAP HANA on-premise system(s);

 

Live Data Connection to SAP HANA Using a Tunnel Connection.


This blog assumes you have access to:

  • SAP Analytics Cloud Cloud Foundry enterprise tenant [SAC]

  • SAP Cloud Connector [SCC]

  • SAP HANA on premise with the HTTPS InA endpoint configured (cf. Appendix)


 

Moreover:

  • HANA and SCC should be installed in one network segment and behind a firewall.

  • SAC should be running in a compatible browser outside of the firewall.


One important thing to understand is that any SAC tenant "sits" in its own SAP Cloud Platform sub-account.

[SCC] is just a conduit between the internal SAP HANA system's InA endpoint and the SAP BTP Platform connectivity service of the [SAC] tenant.

We shall need to retrieve the SAC's BTP account information in order to be able to create the corresponding sub-account entry in the SAP Cloud Connector.

1.Goto [SAC]: Home/System/Administration/Data Source Configuration and retrieve the SAP Cloud Platform account information from there, for instance:
Account Information

Subaccount
647eea61-5e1e-4c8c-8d1e-xxxxxxxxxxxx

Region Host
cf.xx10.hana.ondemand.com

Subaccount User
firstname.lastname@domain.com

 


 

and with this information at hand:

2. Goto [SCC]: Connector/+Add Subaccount, for instance:
Add Subaccount

Region:
cf.xx10.hana.ondemand.com

Subaccount:
647eea61-5e1e-4c8c-8d1e-xxxxxxxxxxxx

Subaccount User:
firstname.lastname@domain.com [this is your SAP ID user from Step1 above]

Password: [SAP ID user password]

 


 

3. Goto [SCC]: Subaccount/Cloud-to-on-premise/Access Control and create your physical to virtual SAP HANA host mapping as depicted below:

 


 

4. Goto [SAC]: Home/Connection/+Select a DataSource/Connect to Live Data/SAP HANA/Tunnel connection type

Fill in all the required fields. You may notice that instead of using the host name and port number we are using the virtual host name and port number as defined in step 3.

 


 

If you opted for basic authentication in the connection with SAP HANA user and password you are done. Moreover you may be able to save this user's credentials for all users on this SAC tenant [this may vary with SAC tenant version]

If you opted for SAML SSO instead you will have to download the LCS service metadata and add this metadata into your SAP HANA Identity Provider's list.

You will also need to map an external identity to your SAP HANA user through this IDP

As the LCS IDP is synchronised with the SAC's primary IDP so no configuration is required with SAC and the external identity is the identity of the SAC user. (To look up the external identity of SAC users please export the SAC users into excel and check the SAML_USER_MAPPING column. The value in SAML_USER_MAPPING columns is the external identity to map to your SAP HANA database user. )

 

5. Validate the connection. 

Using Chrome/View/Developer Tools you may inspect the calls to GetServerInfo:

 
Tunnel HANA live connection:

https://<SAC-host-name><domain name>/lcs/scc/tunnel/HANATUNNEL/sap/bc/ina/service/v2/GetServerInfo

{"ServerInfo":{"BuildTime":"2019-12-06 15:29:38","Client":"000000000000000000","ServerType":"SAP HANA","SystemId":"HXE","UserLanguageCode":"EN","Version":"2.00.045.00.1575639312"}

where HANATUNNEL is the SAC connection name.

and for comparison:
Direct HANA live connection:

https://<HANA-host-name><Port Number>/sap/bc/ina/service/v2/GetServerInfo

{"ServerInfo":{"BuildTime":"2019-12-06 15:29:38","Client":"000000000000000000","ServerType":"SAP HANA","SystemId":"HXE","UserLanguageCode":"EN","Version":"2.00.045.00.1575639312"}

 

Good to know:


Tunnel connections require explicit SAC administration user consent. The following option must be enabled for any tunnel, schedule or mobile type of connectivity that SAC can offer via SAP Cloud Connector:

 


 

To summarise:


The tunnel SAP HANA live connection is an easy and robust alternative to publishing the SAP HANA InA endpoint outside of firewall.

Moreover its secondary LCS service Identity Provider blends with the SAC users SAML identities towards SAP HANA.

I do reckon for the sake of time and space I may have omitted a number of details.

You may further refer to the official documentation as follows:

SAC outside corporate network: tunnel access through SAP cloud connector:

 

You may also find useful the additional information in the blog's appendix, especially with regard to the official SAP recommendations when it comes to managing SAC connectivity as a project.

best wishes

piotr.tesny#content:blogposts


Appendix.



Troubleshooting Cloud Connector set up










Please check the guided answers topic if you happen to encounter issues when trying to add a SAC's BTP sub-account:

https://ga.support.sap.com/dtp/viewer/#/tree/2183/actions/27936:28765:28777.

 

 

 

Add LCS Identity Provider metadata into SAP HANA


 


 

Zoom on Direct Live Data Connection to SAP HANA










SAP Analytics Cloud [SAC] offers direct connectivity to a number of SAP applications including SAP HANA.

A direct connection is always established between the context of the SAC web application [webapp] running on a client side in a browser and the backend system [via the InA endpoint exposed on the SAP HANA backend].

Generally speaking, the only requirement for the direct communication to work is that the SAC webapp browser and the InA endpoint of HANA backend system can communicate securely over HTTPS with each other.

A simple use case is when SAC in-browser webapp runs in the same network as the backend system. This is a typical scenario when a user browser is directly hooked to the corporate network [or when the user dials-into the network via VPN].

Good to know:


Direct connectivity to SAP HANA is implemented with the SAP Information Access (InA) HTTPS protocol that requires the EPM-MDS plugin on HANA side.


The EPM-MDS plugin is included out-of-the-box with the recent SAP HANA on premise or cloud offerings.


 

A single InA endpoint is required of the following format: <FQDN><Port>/sap/boc/ina/version/v2/.


It can be configured either with the XS classic webdispatcher or with the XSA HAA (XS Advance runtime Hana Analytics Adapter).


Thus this can be any flavour of SAP HANA: on premise or cloud managed HANA service including the latest SAP HANA Cloud.


SAC webapp will simply add /sap/boc/ina/version/v2/ resource suffix to whatever host name and port number you have entered in the SAC connection definition.


Chrome or Edge browsers are fully supported.



 

Managing a connectivity project










You may want to get familiar with the official SAP Connectivity guide online (pdf enclosed for convenience).

The guide in the section, The Importance of Managing a Connectivity Project,  will tell what kind of persona may be needed for a specific task.

 
3 Comments