A Simple HCI to SAP Cloud Connector to On-Premise Scenario.

Prerequisites (system setup and requirements):

  • SAP Cloud Connector (SCC) (for Windows/Linux/Mac) installed in your on-premise system landscape.
  • On-premise system (ERP/CRM/..).
  • HCI IFLMAP node tenant subscribed to an SAP HCP account (sibling/customer account).
  • Your user should be a member of this SAP HCP tenant with the “Cloud Connector Admin” role. This role can be removed later, after the SSL tunnel setup.
  • The Cloud Connector must have internet access to the SAP HANA Cloud Platform landscape host, either directly or via an HTTPS proxy.
  • The Cloud Connector must have direct access to the internal system.

Configuration steps overview:

  1. In SCC, add the HCP account to establish an SSL tunnel between the SAP HCP account and SCC.
  2. In SCC, create a mapping from the on-premise system host name to a virtual host name. This creates an HTTPS/HTTP/RFC channel between the on-premise system and SCC. In our scenario, create an HTTPS channel.
  3. In HCI, create a simple iflow that makes an HTTP “GET” call using the virtual host URL and sends the response to a mail receiver.

Configuration Scenario:

[Figure: scenario diagram]

A. Configuration Step 1:

        In SCC, add the HCP account to establish an SSL tunnel between the SAP HCP account and SCC.

    1. Log in to SCC with your user/password as shown in Figure 1. If you have a forward proxy set up, maintain the forward proxy settings (go to Settings -> https proxy). Refer to Figure 1.1.


   [Figures 1 and 1.1: screenshots]


    2. Add the HCP account name to create the SSL tunnel, as shown in Figure 2 below.

      • Go to the Account Dashboard.
      • Choose Add.
      • Supply the inputs and save. (The HCP account name can be taken from the HCI tenant on the HCP account page, as shown in Figure 4 in the appendix below.)
      • After the inputs are saved, an entry should appear in the Account Dashboard, as shown in Figure 3 below.


   [Figures 2 and 3: screenshots]

               Appendix for configuration step 1:

      1. Go to the HCP account page (account.hana.ondemand.com), navigate to the dashboard of your HCP account and take the account ID as shown in Figure 4.

                        [Figure 4: screenshot]

      2. If you get the authorization problem shown in Figure 5 while adding the HCP account, ensure that your user is a member of this HCP account with the “Cloud Connector Admin” role. This role shall be removed after the SSL tunnel setup.

                        [Figure 5: screenshot]




B. Configuration Step 2:

In SCC, create a mapping from the on-premise system host name to a virtual host name. This creates an HTTPS/HTTP/RFC channel between the on-premise system and SCC. In our scenario, create an HTTPS channel.

  1. Select the account name created in the configuration step above from the drop-down menu. Refer to Figure 6.
  2. Select Access Control. Refer to Figure 6.
  3. Select “Add” under “Mapping Virtual to Internal System”. Refer to Figure 6.
  4. Choose “ABAP system” as the backend type and proceed to the next step in the wizard. Refer to Figure 6.
  5. Select “https” as the protocol. Refer to Figure 7.
  6. Enter the internal host name and port number of the on-premise system. These can be taken from the ABAP system using transaction SMICM: open the “Go to” menu and choose “Services”. Refer to Figures 8 and 9.
  7. Enter an arbitrary name and port for the virtual host and port. Refer to Figure 10.
  8. Choose the principal type “None”. Refer to Figure 11.
  9. Enter a description (optional).
  10. Finish the step with the check box “Check availability of internal host” ticked. Refer to Figure 12.
  11. An entry should appear as shown in Figure 13.
  12. Add the service URL resource path of the backend system as shown in Figure 14.
  13. Finally, the icon should turn green as shown in Figure 15.
  14. Go to your HCP account page (account.hana.ondemand.com). Choose your HCP account and check under the “Connectivity” menu that the Cloud Connector status is connected and that the exposed backend systems are available from the HCP cloud. Refer to Figure 16.

[Figures 6 to 16: screenshots]

C. Configuration Step 3:

     In HCI, create a simple iflow that makes an HTTP “GET” call using the virtual host URL and sends the response to the mail receiver.

  1. Create a simple “Request-Reply” iflow that makes an HTTP call to the on-premise system via SCC, as shown below. Refer to Figure 17.
  2. The address of the HTTP adapter used by the “Request-Reply” step is the virtual host URL that is configured in SCC. Refer to Figure 18.
  3. The proxy type should be “On-Premise”. Refer to Figure 18.
  4. The receiver mail adapter is configured to receive the response of the on-premise system. Any receiver adapter can be used.
  5. Deploy this iflow to the HCI tenant subscribed under the HCP sibling account that is connected to SCC.
  6. Check the MPL log, which should show the HTTP call pointing to the virtual URL (HCI Tenant -> Message monitoring -> Properties). Refer to Figure 19.
  7. Go to the SAP Cloud Connector page and check the “Connector State” and the “Connections” after your successful request from the HCI iflow to SCC. Refer to Figure 20.
  8. Check the audit log of the SAP Cloud Connector and note the access allowed via SCC for the virtual host URL and its resource “/sap/public/ping”. Refer to Figure 21.


[Figures 17 to 21: screenshots]

Troubleshooting Steps:


When you get an error in the HCI message log as shown here:


Proposed solution:

Since the called or mapped URL is HTTPS (https://hostname/sap/public/ping), the SAP Cloud Connector has to trust the Certificate Authority, that is, the issuer of the certificate presented by this backend service URL.

Steps to add the Certificate Authority to the trust store of the SCC:

    1. Download the Certificate Authority certificate by following these steps:
      • Select the green lock icon (in Google Chrome) in front of the URL.
      • Select the “Connection” tab and the “Certificate information” link.
      • Click on the “Certificate path” tab and double-click the top root certificate.
      • Go to the “Details” tab of the root certificate, choose “Copy to file” and export it in the default format.

    2. Go to the SCC page -> Settings -> Trust Store.

    3. Browse to the Certificate Authority certificate that was downloaded above and add it to the trust store, as shown in the picture below.

          [Figure: SCC trust store screenshot]
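
Before a CA file goes into the SCC trust store, it is worth confirming on the command line that it really is the issuer of the backend certificate. The script below is an added example, not part of the original post: it assumes the `openssl` CLI is available on the SCC host, the function names and the host name `backend.example.internal` are made up for illustration, and the demo certificates are constructed throwaway ones.

```shell
#!/bin/sh
# Added example (not from the original post): check an exported CA file
# against the backend certificate before importing it into the SCC trust store.

# Print the leaf certificate a backend presents; run this from the SCC host.
fetch_leaf() {            # usage: fetch_leaf HOST PORT > leaf.pem
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# Exit status 0 only if LEAF_FILE verifies against CA_FILE.
# -no-CApath tells openssl not to use the default system CA directory.
ca_anchors_leaf() {       # usage: ca_anchors_leaf CA_FILE LEAF_FILE
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# SHA-256 fingerprint of a certificate, for comparison with the value the
# CA's owner provides through a separate channel.
ca_fingerprint() {        # usage: ca_fingerprint CERT_FILE
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Constructed demo PKI (throwaway keys, 1-day validity) for an offline trial:
# ca.pem signs srv.pem; other-ca.pem is an unrelated root.
make_demo_pki() {         # usage: make_demo_pki DIR
    for ca in ca other-ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo $ca" \
            -keyout "$1/$ca.key" -out "$1/$ca.pem" >/dev/null 2>&1 || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=backend.example.internal" \
        -keyout "$1/srv.key" -out "$1/srv.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/srv.pem" >/dev/null 2>&1
}

# Offline demonstration with the constructed PKI.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
for ca in ca other-ca; do
    if ca_anchors_leaf "$demo_dir/$ca.pem" "$demo_dir/srv.pem"; then
        echo "$ca.pem: issuer of the backend certificate"
    else
        echo "$ca.pem: NOT the issuer of the backend certificate"
    fi
done
rm -rf "$demo_dir"
```

Against a real backend, save the output of `fetch_leaf HOST PORT` to a file and pass it to `ca_anchors_leaf` together with the exported CA file. If the backend certificate was issued through intermediate CAs, supply them to `openssl verify` with `-untrusted`.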

References to SAP Cloud Connector guides.


5 Comments


    1. Morten Wittrock

      You can connect to on-premise systems without the Cloud Connector. You probably don’t want to allow direct access to backend systems from HCP, though. A reverse proxy setup is the typical solution to that problem.

  1. Thallita Cardeal

     

    Hi experts! I hope you are fine!

    Please folks, I need help :/

    I have doubts in the configuration part:
    Scenario: I would like to create an ABAP System type cloud connector with the RFC protocol.

    My question is: is it mandatory to install the SNC? Or is it just an extra security option?

    Another question related to configuration: For installation, does the basis need to configure something? I have seen many places where I do not think so, but I preferred to ask those who understand the subject! Hahaha

    Is trust use required? If I use snc do I have to use the trust?

    Thank you very much and I await your return.

  2. Nidhi Srivastava

    Hi Experts,

    I followed all the steps mentioned in this blog, but getting 503 error in the message monitoring.

     

    I am not sure, which link I should download the certificate. I added the certificate in the Trust from SAP ECC system(not sure if this is correct).

    Also, when I am trying to check the connection getting error as shown below –

     

     

    Please suggest, what should be the solution.

     

    Thanks,

    Nidhi Srivastava

     
