CRM and CX Blogs by SAP
Stay up-to-date on the latest developments and product news about intelligent customer experience and CRM technologies through blog posts from SAP experts.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Technical connectivity between cloud and on-premise systems via the SAP HANA Cloud Connector

marcus_echter
Advisor
Advisor
‎03-17-2016 3:47 PM

Overview

When integrating SAP Cloud for Customer (C4C) with the customer's on-premise landscape, the direction from the cloud to on-premise is the most critical in regards to security. It is best-practice to not directly expose the business systems (ERP, CRM) via the internet as they contain mission-critical business data. To secure the customer landscape and setup, SAP has proposed a reference architecture described in the Technical Connectivity Guide. Its major component is the so-called "Reverse Proxy" (RP) which acts as a gateway and single point of entry into the customer landscape. The RP terminates the HTTPs connection originating from the cloud and sets up another HTTPs or HTTP connection to the internal business systems (ERP, CRM) or the middleware (SAP PI). The setup of the SAP Web Dispatcher, SAP's own RP product, is described in detail in this blog.

For integration scenarios which are mediated via SAP HANA Cloud Integration (HCI), connection to the customer's on-premise landscape can also be setup via the SAP HANA Cloud Connector (SCC), an on-premise agent running within the secured network of the customer, as an alternative to the RP. The SCC sets up a permanent SSL tunnel between the HANA Cloud Platform (HCP) and the demilitarized zone (DMZ) of the customer, routing requests to the attached business systems such as ERP. Major advantages compared to the traditional RP setup are:

  • No need to open any ports in firewall
  • Easy configuration
  • Increased level of security

The following picture provides an overview of an integration architecture based on the SCC. Details can be found in the Security Whitepaper and the Cloud Connector Operator's Guide.

Configuration Steps

The setup of the SCC is described in detail in the SAP HANA Cloud Documentation. The most important steps are:


     1. Install the SCC (see documentation)


     2. Set up connection between SCC and HCP:

          - Copy account name of HCI instance in HCP


          - Set up HCP user with role "Cloud Connector Admin"



          - Set up connection between SCC and HCI



     3. Set up connection between SCC and on-premise backends:

          - Expose on-premise backend (internal host) via a well-defined URL (virtual host name)

          - Connect to backend via desired protocol (e.g. HTTP, HTTPS)

          - Expose specific services on the on-premise backend (URL path whitelisting)





In addition to the setup of the SCC, the IFLOW on HCI side needs to be adapted in the following way:

  • Protocol in the receiver channel settings needs to be changed from "HTTPS" to "HTTP" (as the SSL tunnel is permanent, the requests themselves are transmitted via standard HTTP protocol)
  • Proxy Type changed from "Internet" to "OnPremise" (this is the indication from HCI runtime side to use the permanent SSL tunnel setup by the SCC)



Once these configuration steps have been performed, data can be sent from the cloud to the customer's on-premise systems via the SCC.

35 Comments
Popular Blog Posts