Overview

When integrating SAP Cloud for Customer (C4C) with the customer’s on-premise landscape, the direction from the cloud to on-premise is the most critical with regard to security. It is best practice not to expose the business systems (ERP, CRM) directly to the internet, as they contain mission-critical business data. To secure the customer landscape and setup, SAP has proposed a reference architecture described in the Technical Connectivity Guide. Its major component is the so-called “Reverse Proxy” (RP), which acts as a gateway and single point of entry into the customer landscape. The RP terminates the HTTPS connection originating from the cloud and sets up another HTTPS or HTTP connection to the internal business systems (ERP, CRM) or the middleware (SAP PI). The setup of the SAP Web Dispatcher, SAP’s own RP product, is described in detail in this blog.

For integration scenarios which are mediated via SAP HANA Cloud Integration (HCI), the connection to the customer’s on-premise landscape can also be set up via the SAP HANA Cloud Connector (SCC), an on-premise agent running within the secured network of the customer, as an alternative to the RP. The SCC sets up a permanent SSL tunnel between the HANA Cloud Platform (HCP) and the demilitarized zone (DMZ) of the customer, routing requests to the attached business systems such as ERP. Major advantages compared to the traditional RP setup are:

  • No need to open any ports in the firewall
  • Easy configuration
  • Increased level of security

The following picture provides an overview of an integration architecture based on the SCC. Details can be found in the Security Whitepaper and the Cloud Connector Operator’s Guide.

SCC_overview.png

Configuration Steps

The setup of the SCC is described in detail in the SAP HANA Cloud Documentation. The most important steps are:

     1. Install the SCC (see documentation)

     2. Set up connection between SCC and HCP:

          – Copy account name of HCI instance in HCP

SCC_Account_HCP.PNG

          – Set up HCP user with role “Cloud Connector Admin”

SCC_Roles.PNG

          – Set up connection between SCC and HCI

SCC_Account.PNG

     3. Set up connection between SCC and on-premise backends:

          – Expose on-premise backend (internal host) via a well-defined URL (virtual host name)

          – Connect to backend via desired protocol (e.g. HTTP, HTTPS)

          – Expose specific services on the on-premise backend (URL path whitelisting)

SCC_Connections.PNG

In addition to the setup of the SCC, the iFlow on the HCI side needs to be adapted in the following way:

  • The protocol in the receiver channel settings needs to be changed from “HTTPS” to “HTTP” (as the SSL tunnel is permanent, the requests themselves are transmitted via the standard HTTP protocol)
  • The Proxy Type needs to be changed from “Internet” to “OnPremise” (this tells the HCI runtime to use the permanent SSL tunnel set up by the SCC)


SCC_iflow.PNG


Once these configuration steps have been performed, data can be sent from the cloud to the customer’s on-premise systems via the SCC.
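
The virtual-host mapping and URL path whitelisting from step 3 can be modelled as a default-deny lookup. The following is an added example, not part of the original post and not SAP's implementation; the host names, ports, paths and the exact-path versus sub-path flag are constructed assumptions. The request URL uses plain HTTP against the virtual host, matching the receiver channel settings described above.

```python
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit


@dataclass(frozen=True)
class Resource:
    path: str                   # allow-listed URL path on the backend
    subpaths: bool = False      # False: exact path only; True: path and all sub-paths


@dataclass(frozen=True)
class Backend:
    protocol: str               # protocol used from the connector to the backend
    host: str                   # internal host, never addressable from the cloud side
    port: int
    resources: tuple


# Constructed sample mapping: (virtual host, virtual port) -> internal backend.
MAPPINGS = {
    ("erp-virtual", 44300): Backend("https", "erp01.corp.example", 8443, (
        Resource("/sap/bc/srt/scs/sap", subpaths=True),
        Resource("/sap/bc/ping"),
    )),
}


def normalize(path):
    """Decode once and resolve '.' and '..' segments; None if the path is unsafe."""
    decoded = unquote(path)
    if "%" in decoded or "\\" in decoded or "\x00" in decoded:
        return None             # double encoding or odd separators: refuse (conservative)
    segments = []
    for seg in decoded.split("/"):
        if seg == "..":
            if not segments:
                return None     # climbs above the root
            segments.pop()
        elif seg not in ("", "."):
            segments.append(seg)
    return "/" + "/".join(segments)


def resolve(url):
    """Return the internal URL for an allowed request, or None (default deny)."""
    parts = urlsplit(url)
    backend = MAPPINGS.get((parts.hostname, parts.port))
    path = normalize(parts.path)
    if backend is None or path is None:
        return None
    for res in backend.resources:
        base = res.path.rstrip("/")
        if path == base or (res.subpaths and path.startswith(base + "/")):
            query = "?" + parts.query if parts.query else ""
            return f"{backend.protocol}://{backend.host}:{backend.port}{path}{query}"
    return None
```

The allow-list is checked against the normalized path on a segment boundary, and the normalized path is what gets forwarded, so neither `..` segments nor a prefix such as `/sap/bc/pingx` widen what the backend exposes.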

26 Comments

  1. Dedeepya Reddy

    Hi Marcus

    Great info. I have a couple of questions:

    – Can SCC only be used with HCI as middleware, or can it also be used with PI middleware?

    – Is SCC also supported by C4C?

    – When SCC is purchased by the customer, does he also have to purchase SAP-authorized CAs, similar to the way we purchase them for Web Dispatcher?

     

    BR
    Dedeepya

    (0) 
    1. Marcus Echter Post author

      Hi Dedeepya,

       

      – only HCI

      – SCC not supported by C4C

      – no need to purchase server certificate as connection happens via HTTP

       

      Regards, Marcus

      (0) 
      1. Manu Bhutani

        Hi Marcus,

        If we want to use PI as pass-through for standard replication of employee data from SFSF EC to SAP on premise, can we connect HCI to PI without cloud connector?

         

        Regards

        (0) 
  2. Fabian Otto

    Hi Marcus,

     

    Many thanks for this blog post.

     

    Have you already used HCC (HANA Cloud Connector) in customer projects and, if so, can you share your experiences (stability of connection, system stability in general, etc.)?

     

    Would it be possible to re-use the HCC for a mashup scenario where, for example, an ERP WebDynpro is used by a C4C tenant?

     

    Best Regards

    Fabian

    (0) 
    1. Marcus Echter Post author

      Hi Fabian,

       

      We still recommend the reverse proxy as the default option for connecting to on-premise. I have implemented the SCC in a POC project with one of our big customers, but I do not have any experience with large-scale usage.

       

      The SCC can also be used in a mashup scenario, it can basically be used in any scenario where a specific OP service shall be exposed.

       

      Regards, Marcus

      (0) 
  3. Nilesh Kumar

    Hello Marcus,

     

    We are trying to implement SF->HCI->ECC and we are using SCC. After doing the setup as described in your blog, we are still getting an error in the HCI SOAP receiver channel. I have the following questions:

    1. Do we need to exchange certificates between the HCI tenant and the Windows server where SCC is installed?

    2. Do we need to exchange certificates between SCC and ECC servers?

    3. We are using a SOAP channel to connect to ECC; do we need to use the message protocol SOAP 1.X or SAP RM?

    4. In the SOAP receiver channel, is it possible to give the target webservice URL, or do we always have to download the WSDL and provide the path?

     

    I am getting the following error:

    org.apache.cxf.interceptor.Fault: Failed to send RM protocol message {http://docs.oasis-open.org/ws-rx/wsrm/200702}CreateSequence., cause: org.apache.cxf.ws.policy.PolicyException: Assertion of type {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}HttpsToken could not be asserted: Not an HTTPs connection


    Thanks,

    Nilesh

    (0) 
    1. Abinash Nanda

      Hello Nilesh,

      Please see my answer below

      1. No need, SCC creates an SSL tunnel from the Windows server to the HCP account on which your HCI instance is running

      2. Depends on whether you want to secure the communication from SCC to your backend system over SSL; this is very similar to any HTTPS-HTTPS communication

      3. Again, it depends on what you want to do on your receiver system. In case you want to create an IDOC or want to execute an asynchronous service, you can go for SAP-RM. But then make sure to set the SapMessageId and MessageIdEx

      4. It is not required, but you can maintain the WSDL. Please note that you still need to manually maintain the path; HCI will not retrieve the path from the WSDL

       

      Best regards, Abinash

      (0) 
    1. Marcus Echter Post author

      Yes Aman – via a traditional reverse proxy! Of course you can also directly expose ECC via its ICM, but that is not recommendable due to security issues.

      (0) 
    1. Dominik Markus

      Hi Sanjaya,

      The HCP license does not depend on the connection method that is used to connect to the HCP. If you want to use the services from the HCP productively, you will need to buy a license. And if you then want to connect these services to your on-premise systems, you can use SCC or a reverse proxy. SCC is free, but to use services of the HCP productively, you need an account and a license.
      For testing purposes, you can create a trial account at HCP and connect your locally installed SCC to this trial account.

      Best regards
      Dominik

      (0) 
  4. Chemistry Integration

    Hi Experts,

    I have a question regarding Cloud connector usage for HTTPS connection.

    1. Cloud connector to ERP via HTTPS using Basic Authentication – Where do we need to import the ERP server certificates’ CAs?
    Can these certificates of ERP be self-signed or only from CAs trusted by HCP?

    2. Cloud connector to ERP via HTTPS using Client Certificate:
    Does the customer need to get the client certificate? I assume so, please confirm.
    If so, can this client certificate of SCC be self-signed?
    Can this client certificate of SCC be signed by an internal CA or only a public CA?
    Also, the root CAs signing the SCC client certificate need to be imported in SSL Server standard.

    3. Mashups via SCC: I saw in one of the comments that SCC can be used for UI mashups as well.
    Let us take an example of a UI mashup between SuccessFactors and ERP: SFSF has to display a WebDynpro screen of ERP. How can we use SCC (without HCI) in this case, as HCI will not be used here since it is UI integration?

    Are you referring to UI applications hosted on HCP ?

    (1) 
  5. Thallita Cardeal

     

    Hi Marcus! I hope you are fine!

    Please folks, I need help :/

    I have doubts in the configuration part:
    Scenario: I would like to create an ABAP System type cloud connector with the RFC protocol.

    My question is: is it mandatory to install the SNC? Or is it just an extra security option?

    Another question related to configuration: For installation, does the basis need to configure something? I have seen many places where I do not think so, but I preferred to ask those who understand the subject! Hahaha

    Is trust use required? If I use snc do I have to use the trust?

    Thank you very much and I await your return.

    Note: By making an estimate by default, how many hours are needed to implement HCC on my client (client does not have snc)?

    (0) 
  6. Bakau Onafuwa

    Hi Marcus / Experts,

    Thanks for sharing this.

    I would like you to provide further insight into the message direction; it seems the main job of SCC is to seamlessly facilitate the connectivity of the cloud-based S/4 HANA to the on-premise business services (SAP and non-SAP).

    We are looking at bi-directional, point-2-point connectivity between the SAP Cloud Platform (and by extension, the S/4 HANA Cloud) over the HTTP(s) protocol.

    We have existing point-2-point scenarios running between SAP ECC and Third-Party business services; our plan is to replicate the same scenario in the cloud-2-OnPremise and vice versa.

    Kindly share your thoughts.

    Thanks

     

     

     

    (0) 
  7. Nagavenkata Grandhi

    Hello – Can someone confirm: like SAP Data Services Agent, is the connection ALWAYS initiated by Cloud Connector? Or can the cloud application call the connector URL? If so, some work is still needed to whitelist SAP cloud IPs to allow inbound traffic into on-premise, right?

    What are the big differences between SAP Data Services Agent and SAP Cloud Platform Cloud Connector? I am missing some key info here. Thanks.

    (0) 
  8. R-jay Galbizo

    Hi Everyone,

    I have a question. If we will be integrating SCP and SAP PrO to mediate information to on-premise apps, do we need to set up Cloud Connector as well in the environment of SAP PrO? Judging from the information I got while googling, you use cloud connector directly to on-premise apps if you won’t be using mediation (map, route, security). If that is the case, how should I configure the link between SCP and SAP PrO? Any guide or link would be of help. I’m trying to simulate an IoT scenario without using HCI (not sure if HCI is the only one that should be used for IoT scenarios) to on-premise apps. I’m thinking that SAP PrO should be possible as well.

    Cheers,

    R-jay

    (0) 
  9. Daljeet Singh Kohli

    Hi Experts,

    I have a few points to discuss here:

    We are developing some Fiori apps on SCP; we will need to do “CRUD” functionality in SAP C4C.

    I had a few questions, if someone has expertise:

    1) Best practices to connect SCP with C4C.

    2) Can we use SAP GATEWAY central hub for SCP->GATEWAY->C4C?

    3) If we somehow make a setup in SAP GATEWAY for C4C, can we view our standard / custom SAP C4C OData and webservices of C4C in Gateway?

    Hoping for a quick reply.

    Thanks!!

    Br’

    Daljeet

     

    (0) 
  10. Wenonah Jaques

    Hi Experts,

    I have a scenario where we have a Cloud Connector set up between SCP and an on-premise SAP ERP backend. It works fine for the incoming traffic from SCP to the backend.

    However, we need to send an HTTPS outbound notification (header) from the SAP ERP backend to SCP. By default the message is triggered via the HTTPS port (or HTTPS Client Proxy if it is configured). Is there a way in which we can force the message via the Cloud Connector?

    Thanks,

    Wenonah

    (0) 
  11. Elangovan Eranian

    Hi Marcus,

    I have a web application on localhost and a connectivity WAR (basic sample) deployed in HCP. I have created the required destination and connected the connectivity WAR in HCP with the web application on-premise using Cloud Connector.

    When I run the connectivity app in the HCP, I can access the web application and get data from the backend system. But when I try to send a response, it is not getting through, i.e., the GET method works but the POST method is not working (when I try from Postman I get a 405 error).

    Do I have to make changes in the connectivity sample or did I miss any configuration in the cloud?

    If in Connectivity, what should I change or any reference material?

    (1) 
