A Simple HCI to SAP Cloud Connector to On-Premise Scenario.
Pre-requisites systems setup and requirements:
- SAP Cloud Connector (SCC) (for windows/linux/Mac) installed in your on-premise system landscape.
- On-Premise system (ERP/CRM/..).
- HCI IFLMAP node Tenant subscribed to an SAP HCP account (sibling/customer account).
- Your user should be a member of this SAP HCP tenant with “Cloud Connector Admin” role. This role can be removed later after the SSL tunnel setup.
- Cloud connector must have internet access to the SAP HANA Cloud Platform landscape host, either directly or via HTTPS proxy.
- Cloud connector must have direct access to the internal system.
Configuration steps overview:
- In SCC add the HCP Account to establish SSL Tunnel between the SAP HCP account and SCC.
- In SCC Create On-Premise system host name mapping to virtual host name. This is to create https/http/RFC channel between On-Premise system and SCC. In our scenario create https channel.
- In HCI create simple iflow to do a “Get” http call using the virtual host URL and receive the response to mail receiver.
A. Configuration Step 1:
In SCC add the HCP Account to establish SSL Tunnel between the SAP HCP account and SCC.
- Login to SCC with your user/password as shown in Figure 1. In case you have forward proxy setup please maintain the forward proxy setting. (Go-to Settings -> https proxy) Refer Figure 1.1
2. Add the HCP account name to create SSL Tunnel as shown in the figure 2 below.
- Go to Account Dashboard
- Choose Add
- Supply the inputs and save it. (HCP Account name can be taken from the HCI tenant from HCP account page as shown in figure 4 in appendix below).
- After the inputs are saved should get an entry in the Account Dashboard as shown in the figure 3 below.
Appendix for configuration step 1:
- Go to HCP account page (account.hana.ondemand.com) and navigate to the dashboard of your HCP account take the account id as shown in the Figure 4.
2. When you get this authorization problem while adding the HCP Account Please ensure your user should be a member of this HCP Account with “Cloud Connector Admin” role. This role shall be removed after this SSL Tunnel setup.
B. Configuration Step 2:
In SCC Create On-Premise system host name mapping to virtual host name. This is to create https/http/RFC channel between On-Premise system and SCC. In our scenario create https channel.
- Select the account name created in the above configuration step from drop down menu. Refer figure 6.
- Select the Access Control. Refer figure 6.
- Select “Add“ from “Mapping Virtual to Internal System”. Refer figure 6.
- Choose the Backend type as ABAP system and Proceed to Next step in the wizard. Refer figure 6.
- Select Protocol as “https”. Refer figure 7.
- Enter the “internal host name” and port number of the on-premise system. This can be taken from the abap system using tcode: smicm ; Menu “Go to” and choose “Services” Refer figure 8 and 9.
- Enter the arbitrary name and port for the virtual host and port. Refer figure 10.
- Choose the Principal type “None”. Refer Figure 11.
- Enter the description that is optional.
- Finish the step with check box ticked “Check availability of internal host”. Refer figure 12.
- Should get an entry as shown in the figure 13.
- Add the service URL resource path of the backend system as shown in figure 14.
- Finally should see the icon turns to green color as shown in figure 15.
- Go-to your HCP Account page “account.hana.ondemand.com”. Choose your HCP Account and see under “Connectivity” menu the Cloud connector status is connected and the available exposed backend systems from HCP Cloud. Refer figure 16.
C. Configuration Step 3:
In HCI create simple iflow to do a “Get” http call using the virtual host URL and receive the response to the mail receiver.
- Create a simple “request-reply” iflow to do an http call to the On-premise via SCC as shown below. Refer figure 17.
- The “Request-Reply” to Http adapter address is the virtual host URL that is configured in SCC. Refer figure 18.
- The Proxy type should be “On-Premise”. Refer figure 18.
- Receiver Mail adapter is configured to receive the response of the on-premise system. The receiver adapter shall be any.
- Deploy this iflow to the HCI tenant subscribed under the HCP Sibling account that is connected to SCC.
- Please note the MPL log as it should show the http call pointing to the virtual URL. (HCI Tenant->Message monitoring->Properties) Refer figure 19.
- Go-to SAP Cloud Connector page and notice the “Connector State” and the “Connections” after your successful request from HCI iflow to SCC. Refer figure 20.
- Check the Audit log of the SAP Cloud connector and note the access allowed via SCC for the virtual host URL and its resource “/sap/public/ping”. Refer figure 21.
When you get error in HCI Message log as shown here:
- HTTP response ‘403: Forbidden’ when communicating with http://virtualping:1234/sap/public/ping
Since the called or mapped URL is “https” https://hostname/sap/public/ping the sap cloud connector has to trust the Certificate Authority or the issuer of this backend service URL.
Steps to add the Certificate Authority into the Trust store of the SCC.
- Download the Certificate Authority by following the steps:
- Select the Lock gree icon (in google chrome) prefixed to the URL.
- Select the “Connection” tab and “Certificate information” link.
- Click on the “Certificate path” tab and Double click the top root certificate.
- Go-to “Details” tab of the root certificate and “Copy to file” and export it to the default format.
2. Go-to SCC page -> Settings -> Trust Store
References to SAP Cloud Connector guides.