Technical connectivity between cloud and on-premise systems via the SAP HANA Cloud Connector
Overview
When integrating SAP Cloud for Customer (C4C) with the customer’s on-premise landscape, the direction from the cloud to on-premise is the most critical in regards to security. It is best-practice to not directly expose the business systems (ERP, CRM) via the internet as they contain mission-critical business data. To secure the customer landscape and setup, SAP has proposed a reference architecture described in the Technical Connectivity Guide. Its major component is the so-called “Reverse Proxy” (RP) which acts as a gateway and single point of entry into the customer landscape. The RP terminates the HTTPs connection originating from the cloud and sets up another HTTPs or HTTP connection to the internal business systems (ERP, CRM) or the middleware (SAP PI). The setup of the SAP Web Dispatcher, SAP’s own RP product, is described in detail in this blog.
For integration scenarios which are mediated via SAP HANA Cloud Integration (HCI), connection to the customer’s on-premise landscape can also be setup via the SAP HANA Cloud Connector (SCC), an on-premise agent running within the secured network of the customer, as an alternative to the RP. The SCC sets up a permanent SSL tunnel between the HANA Cloud Platform (HCP) and the demilitarized zone (DMZ) of the customer, routing requests to the attached business systems such as ERP. Major advantages compared to the traditional RP setup are:
- No need to open any ports in firewall
- Easy configuration
- Increased level of security
The following picture provides an overview of an integration architecture based on the SCC. Details can be found in the Security Whitepaper and the Cloud Connector Operator’s Guide.
Configuration Steps
The setup of the SCC is described in detail in the SAP HANA Cloud Documentation. The most important steps are:
1. Install the SCC (see documentation)
2. Set up connection between SCC and HCP:
– Copy account name of HCI instance in HCP
– Set up HCP user with role “Cloud Connector Admin”
– Set up connection between SCC and HCI
3. Set up connection between SCC and on-premise backends:
– Expose on-premise backend (internal host) via a well-defined URL (virtual host name)
– Connect to backend via desired protocol (e.g. HTTP, HTTPS)
– Expose specific services on the on-premise backend (URL path whitelisting)
In addition to the setup of the SCC, the IFLOW on HCI side needs to be adapted in the following way:
- Protocol in the receiver channel settings needs to be changed from “HTTPS” to “HTTP” (as the SSL tunnel is permanent, the requests themselves are transmitted via standard HTTP protocol)
- Proxy Type changed from “Internet” to “OnPremise” (this is the indication from HCI runtime side to use the permanent SSL tunnel setup by the SCC)
Once these configuration steps have been performed, data can be sent from the cloud to the customer’s on-premise systems via the SCC.
Great info! It's interesting that Hana Cloud Connector is called SCC, and not HCC...
SCC stands for SAP Cloud Connector, which is now called SAP HANA Cloud Connector.
Best regards, Abinash
Hi Marcus
Great Info. I have couple of questions
- Can SCC can be only used with HCI as middleware, or can it also be used with PI middleware.
- Is SCC also supported by C4C ?
- When SCC is purchased by Customer, does he also has to purchase SAP authorized CAs similar to the way we purchase for Web Dispatcher?
BR
Dedeepya
Hi Dedeepya,
- only HCI
- SCC not suppported by C4C
- no need to purchase serevr certificate as connection happens via HTTP
Regards, Marcus
HI Marcus,
If we want to use PI as pass through for standard replication of emp data from SFSF EC to SAP on premise then can we connect HCI to PI without cloud connector.
Regards
Hi Marcus,
We are doing an C4C implementation and the customer would like to use use SCC to connect HCI to the backend SAP ECC system for C4C integration. I read you blog in April 2016 about SCC is not supported by C4C. Is this still true?
Thanks in advance for your clarification.
Rivers
Will pass this great info to my students next week. Thanks Marcus
Thanks for Sharing
Great info.
Hi Marcus,
Many thanks for this blog post.
Do you have already used HCC (HANA Cloud Connector) in customer projects and if so, can you share your experiences (stability of connection, system stability in general, etc.).
Would it be possible to re-use the HCC for a MashUp scenario where for example a ERP WebDynpro is used by a C4C tenant?
Best Regards
Fabian
Hi Fabian,
we still recommend the reverse proxy as default option for connecting against OnPrem. I have implemented the SCC in a POC project with one of our big customers, do not have any experience in large-scale usage though.
The SCC can also be used in a mashup scenario, it can basically be used in any scenario where a specific OP service shall be exposed.
Regards, Marcus
Hello Marcus,
We are trying to implement SF->HCI->ECC and we are using SCC. After doing the setup as described in your blog we are still getting error in HCI SOAP receiver channel. I have the following questions:
1. Do we need to exchange certificate between HCI Tenant and Windows Server where SCC is installed.
2. Do we need to exchange certificate between SCC and ECC servers?
3. We are using SOAP channel to connect to ECC, do we need to use the message protocol SOAP 1.X or SAP RM
4. In the SOAP receiver channel is it possible to give the target websevice URL or we have to download the WSDL and provide the path always?
I am getting the following error:
org.apache.cxf.interceptor.Fault: Failed to send RM protocol message {http://docs.oasis-open.org/ws-rx/wsrm/200702}CreateSequence., cause: org.apache.cxf.ws.policy.PolicyException: Assertion of type {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}HttpsToken could not be asserted: Not an HTTPs connection
Thanks,
Nilesh
Hello Nilesh,
Please see my answer below
1. No need, SCC creates a SSL tunnel from the windows server to the HCP account on which your HCI instant is running
2. Depends if you want to secure the communication from SCC to your back end system over SSL, this is very similar to any HTTPS-HTTPS communication
3. Again depends what you want to on your receiver system. incase you want to create an IDOC or want to execute an asynchronous service you can go for SAP-RM. But then make sure to set the SapMessageId and MessageIdEx
4. It is not required, but you can maintain the WSDL. Please note still you need to manually maintain the path, HCI will not retrieve the path from WSDL
Best regards, Abinash
Hello Nilesh,
Were you able to solve this problem? I am getting exactly the same error.
Regards,
Vijay K
Hello Marcus,
Is there any other way to connect SAP HCI to SAP ERP On-Premise other than using SCC.
Regards,
Aman Raj
Yes Aman - via a traditional reverse proxy! Of course you can also directly expose ECC via its ICM, but that is not recommendable due to security issues.
Hi Marcus,
For such traditional reverse proxy integration, if I want to use existing on premise PO interface in the SAP Cloud Platform, what would be the connector configuration in the cloud platform or in PO? I am not able to find technical configuration steps or guide for this type of integration. Can you provide some details/ hints? Thanks!
Hi Marcus,
If we go by SCC, then customer also has to buy the HCP license ?
Hi Sanjaya,
The HCP license does not depend on the connection method that is used to connect to the HCP. If you want to use the services from the HCP productively, you will need to buy a license. And if you then want to connect these services to your on premise systems, you can use SCC or a reverse proxy. SCC is for free, but to use services of the HCP productively, you need an account and a license.
For testing purposes, you can create a trial account at HCP and connect your locally installed SCC to this trial account.
Best regards
Dominik
Hi Experts,
I have a question regarding Cloud connector usage for HTTPS connection.
1.Cloud connector to ERP via HTTPS using Basic Authentication - Where do we need to import the ERP Server certificates CA's ?
Can these certificates of ERP be self-signed or only CA's trusted by HCP ?
2.Cloud connector to ERP via HTTPS using Client Certificate:
Does the customer need to get the client certificate ? I assume so, please confirm.
If so, can this client certificate of SCC be self-signed ?
can this client certificate of SCC be signed by internal CA or only a public CA ?
Also the root CA's signing the SCC client certificate needs to be imported in SSL Server standard.
3.Mash Ups via SCC: I saw in one of the comments that SCC can be usef for UI Mash Ups as well.
Let us take an example of UI mash up between Successfactors and ERP...SFSF has to display a WebDynpro screen of ERP...how can we use SCC(without HCI) in this case as HCI will not be used here since it is UI integration.
Are you referring to UI applications hosted on HCP ?
Hi,
I wanted to find out what your experience is, using cloud connector to configure your SuccessFactors mashups (WebDynpro).
Am still skeptical to you cloud connector for production environment. But i do see a strong usecase for development, especially On Prem Fiori extension where you can leverage the WebIDE tools via cloud connector to enhance the on prem fiori objects.
Hi Marcus! I holpe you are fine!
Please folks, I need help :/
I have doubts in the configuration part:
Scenario: I would like to create an ABAP System type cloud connector with the RFC protocol.
My question is: is it mandatory to install the SNC? Or is it just an extra security option?
Another question related to configuration: For installation, does the basis need to configure something? I have seen many places where I do not think so, but I preferred to ask those who understand the subject! Hahaha
Is trust use required? If I use snc do I have to use the trust?
Thank you very much and I await your return.
Note: By making an estimate by default, how many hours are needed to implement HCC on my client (client does not have snc)?
Hi Marcus / Experts,
Thanks for sharing this.
I will like you to provide further insight into the message direction; it seems the main job of SCC is to facilitate seamlessly, the connectivity of the Cloud based S/4 HANA to the the On-Premise business services (SAP and Non-SAP).
We are looking at bi-directional, point-2-point connectivity between the SAP Cloud Platform (and by extension, the S/4 HANA Cloud) over the HTTP(s) protocol.
We have existing point-2-point scenarios running between SAP ECC and Third-Party business services; our plan is to replicate the same scenario in the cloud-2-OnPremise and vice versa.
Kindly share your thoughts.
Thanks
Hello - Can some one confirm , like SAP Data Services Agent, the connection is ALWAYS initiated by Cloud Connector ? or Cloud Application can call Connector URL...If so, still some work needed to white list SAP cloud IP's to allow traffic inbound into on-premise ...right .
What are the big differences between SAP Data Services Agent and SAP Cloud Platform Cloud Connector ? I am missing some some key info here. Thanks.
Hi Everyone,
I have a question..If we will be integrating SCP and SAP PrO to mediate information to onPrem apps, do we need to setup Cloud Connector as well in the environment of SAP PrO. Judging from the the information I got while googling, you use cloud connector directly to onPrem apps if you won't be using mediation (map, route, security). If that is the case, how should I configure the link between SCP and SAP PrO? Any guide or link would be of help. I'm trying to simulate an IoT scenario without using HCI (not sure if HCI is the only one that should be used for IoT scenarios) to onPremise apps. I thinking that SAP PrO should be possible as well.
Cheers,
R-jay
Hi Experts ,
Have few points to discss here:
We are developing some fiori apps on SCP , we will need to do "CRUD" functionality in SAP C4C .
Had few questions , if someone has expertise:
1). Best practices to connect SCP with C4C.
2). Can we use SAP GATEWAY central hub for SCP->GATEWAY->C4C
3).If we somehow make a setup in SAP GATEWAY for C4C, can we view our standard / Custom SAP C4C OData , Webservices of C4C in Gateway.
Hoping for a quick reply.
Thanks!!
Br'
Daljeet
Hi Experts,
I have a scenario where we have a Cloud Connector set up between SCP and an on-premise SAP ERP backend. It works find for the incoming traffic from SCP to the backend.
However we need to send an HTTPs outbound notification (header) from the SAP ERP backend to SCP. By default the message is triggered via the HTTPS port or (HTTPS Client Proxy if it is configured). Is there a way in which we can force the message via the Cloud Connector?
IThanks,
Wenonah
Hi Marcus,
I have a web application in the localhost and a connectivity war(basic sample) deployed in HCP. I have created the destination required and connected connectivity war in HCP with the web application via on-premise using Cloud Connector.
But when I run the connectivity app in the HCP, I can access the webapplication and get data from backend system. But When I try to send response, it is not getting through. ie., GET method works but POST method is not working (when I try from postman I get 405 error).
Do I have to make changes in the connectivity sample or did I miss any configuration in the cloud?
If in Connectivity, what should I change or any reference material?
Hi Elangovan,
Are you able to resolve the issue?
If yes, please share your finding.
Regards,
Prashant
Hi Experts
We are planning to connect Informatica Cloud to SAP S/4 Hana on cloud to call an API for posting some data into SAP.. Can somebody please enlighten on a high level as to what all we have to configure to enable this.. Like what we need for connecting to SAP Hana Cloud from a third party on premise system.
Hi,
Could you please share how to connect SAP PI with Cloud Connector?
Thanks
Sathish
Can the Live connector 1.0.7 version be installed on the same machine as Cloud Agent and Cloud connector? Thanks!!
Thank you for a great post. We also need to make the setup for the HTTPS inbound traffic load balanced by utilizing all the app servers of the receiving ECC system. Our customer does not want to install Web Dispatcher but we found this limited use case that we are trying: https://help.sap.com/doc/saphelp_nw70/7.0.31/en-US/28/75153a1a5b4c2de10000000a114084/content.htm?no_cache=true
If anyone else has experience with this, please let us know. We will also update our experience as we complete it. In our case, we have an additional complication that we have two Cloud providers.
Hi,
Can you please tell me if SCPI to On-Premise systems using the SOAP adapter via SCC can:
a) Use Client Certificate Authentication? From SCPI you can only configure Basic Authentication or Principal Propogation when On-Premise is configured in the SOAP Adapter. If so, any references or instructions on how this might work / be configured would be great!
I have found an SCC page which confirms that Client Cert Auth seemingly isn't a supported authentication method for On Premise systems:
"Currently, the Cloud Connector supports basic authentication and principal propagation (user propagation) as user authentication types towards internal systems. "
https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/b643fbecb14e4c89ab3c03b21200cb08.html
b) If Client Certificate Authentication is not supported by SCC from SCPI, as a work around, can Principal Propogation pass a certificate from a calling system eg. S/4HANA (Cloud) to the destination system?
c) use SSL/TLS between the SCC on-premise endpoint and the destination? (I believe this is true as I think we are already doing this, but wanted to confirm)
Thanks,
Jason
Remember, there is no such thing as "on-premise" in real English.
"https://collectivecontent.agency/2018/04/19/should-i-say-on-premise-or-on-premises-it/"