Context:

Let us consider the following scenario:

John is the CIO of ‘CompanyA’, a big manufacturing corporation and a long time customer of SAP. His company has started its journey towards Digital Transformation, and as a first step they have (rightly..) decided to go for the SAP HANA Cloud Platform (HCP), to form the agile foundation of their digital future.

Jack is a developer in ‘CompanyB’, a trusted cloud-partner of SAP, who has implemented applications(app) on HCP which can help manufacturing companies slice and dice their day-to-day transactional data, to reveal insights on inefficient processes and possibilities of optimization; or the app could also help in building efficient process chains to enhance and optimize the existing processes.

John (CompanyA) has recently purchased a HCP package with a HANA database and an ASE database. He has received a HCP Global Account and an account with the HANA and ASE database systems provisioned in it.

John wants to implement Jack’s HCP app for his company’s needs. For security reasons, John does not want to give Jack access to his account containing the databases and other applications of CompanyA. Jack needs to access the database in John’s HCP account, for his apps to work. 

Both John and Jack are now confused on how to move forward with the HCP app implementation.

This is a very common scenario, among customers trying to implement partner applications on HCP. Is there a way out?!!

SAP HANA Cloud Platform, now provides an option to share your productive SAP HANA and SAP ASE databases with other accounts within the same global account using the SAP HANA Cloud Platform Cockpit. By managing account permissions for your databases, you can control which operations (binding, tunneling, ..) are allowed in each of your accounts.

Note: It is also possible to share your database with accounts that do not belong to your global account using the HCP console client.


Recommended Solution:
What John can now do is, to create a new Account within his HCP global account and adds Jack as the user of the new account. Jack can now deploy his app in the new account and John can share the database within his account to the account where Jack has deployed his app. John can also allot a Java quota from his Global account quota to the new account he has created for Jack.Let us see how this can be done!

This blog will be a step-by-step guide, detailing how we can share a productive database in our account with other accounts within a HCP global account.

Step-by-step guide:

In this guide we showcase a simple scenario where we deploy a simple Java app on one HCP account (henceforth called App Account) and bind this application with an ASE database which is provisioned in another HCP account (henceforth called DB Account).

Prerequisites:

  • The user should have a productive HCP account in the factory landscape. This is needed to create multiple accounts, which is not possible on the trial landscape.
  • The user should have a Java quota of at-least 1 on one of the accounts to deploy the Java application.
  • The user should have an ASE (or HANA) database system provisioned on the other account.

Let us quickly check the pre-requisites needed for the scenario:

  1. Login to the HCP cockpit and check the account structures.
    (An informative blog on understanding accounts in HCP can be found Here)In the above figure, (1) refers to the HCP Global Account and (2),(3) depict the accounts within (1). When a customer purchases HCP, he is provided with a global account (1) and a default account (2). Any databases provisioned will be associated with a account (2). The customer can then create any number of accounts like (3) using the steps outlined Here
  2. On the DB Account, navigate to Persistence –> Database Systems and verify that the asedb (ASE) system is present in the list.
    Check that a database, based on this system is also created and listed in Persistence –> Databases & Schemas. If not, create a database using the steps outlined Here
  3. Check that the App Account has at least 1 Java quota to deploy the application. If not adjust the quota between your accounts using the steps outlined Here 

Execution:

Navigate to the DB Account; which has the database created in it. Go to Persistence –> Databases & Schemas and click on the link of the database which was created a part of the pre-requisite.

Once the database Overview page is open, navigate to the new cockpit option Cross-Account Permissions.

In the permissions page, click on Grant Account button and in the pop up dialog, from the Account drop down list, select the App Account. There are two types of cross-account permissions:

  • Permission to access the database for a data source binding to an application: Without this permission, applications in other accounts will not have your database displayed in the list during data source binding
  • Permission to open database tunnels to the database: Without this permission, there cannot be any database tunnels which can be opened to this database from the users of other accounts. (As an example, we would require to open a database tunnel to connect to an ASE database using eclipse or SQL clients)

Based on the requirement, select the corresponding checkbox BINDING or TUNNEL and click on SAVE button.

Navigate to the App Account, by clicking on the account name link from the Cross-Account Permissions page.

The database in the DB Account will now be visible in the App Account in the format DB Account name:database name. Check that the permissions are listed accordingly and the Owner account is shown as DB Account.

Click on the App Account Name (numbered as 2) in the bread crumbs on the top of the page (where 1 is the global account, 2 is the account with the Java quota and 3 is the database from the other account) to go to the App Account –> Databases & Schemas page.

The database from the DB Account should be listed here. Check that the Account field shows the DB Account name.

Go to Applications –> Java Applications in the App Account.

Now we need to deploy a simple Java application in the account. We can use sample applications provided by the SAP HANA Cloud Platform SDK, in this scenario. To download the SDK, navigate to the URL https://tools.hana.ondemand.com/#cloud and download and unzip the Java Web Tomcat 7 or Java Web Tomcat 8 versions to your system.

The SDK already provides a set of sample applications. One such application is the ‘persistence-with-jpa’ application.The sample applications can be found under the path /samples/ in the SDK. There should be a target folder in /samples/persistence-with-jpa/ with the persistence-with-jpa.war file present in it.
If not, we need to build the application using maven. Using the command prompt, navigate to the /samples/persistence-with-jpa/ folder, containing the pom.xml file and run the following command to create the war file.

mvn package

The build should result in a Success, thus creating the target folder and within it the persistence-with-jpa.war file. Deploy this .war file in your account using the steps outlined Here

Once the deployment is complete click on the deployed application from the list to navigate to the application overview page.

In the overview page, go to Configuration –> Data Source Binding to create a new database binding.

Click on New Binding button. The database bound from the DB account should be visible by default in the DB/Schema ID and the data source as <default>. Enter the user and password for the database and click on Save.

Note: There are multiple ways John can handle database security. The simplest recommendation would be that John creates a generic technical user in the database and shares the same with Jack, so that he can use the given user to create a binding with the data source.

The new binding will be visible in the list. Start the application and wait till the status becomes Started. Click on arrow in the bread crumbs, to navigate to the DB Account.

Go to Persistence –> Databases & Schemas and check that the Cross account sharing icon is shown beside the database in the list.

Testing:

Open up the deployed application in the App Account. The ‘Persistence with JPA Sample!’ application opens.
Enter ‘hcp’ in First name: ‘user’ in Last name:  and click on Add Person. The record should be created and added to the list Entries in the Database.
The application has JPA code written which will create a table T_PERSON in your database or (in HANA) under the schema of the user mentioned during the creation of data source binding. Check this to make sure that the cross account binding actually works.

Done! You have just shared a database between accounts of a single HCP global account!!

Hoping both John and Jack read this blog and are able to continue with their app implementation project. 🙂

To report this post you need to login first.

12 Comments

You must be Logged on to comment or reply to a post.

  1. Dawid Banas

    Hi Manjunath,
    Great job but I have problems.
    In my HCP, I have two accounts for example A and B. Account A is a default and also there I have a database with I would like to share with account B. For both accounts I have diffrent hana cloud connector and now I would like to consume data in SAP HANA Web-based Development Workbench from both connectors. For account A it was easy, in .xshttpdesc I add configuration:

    host = “virtual_hostA”;
    port = 55100;
    pathPrefix = “/path”;
    proxyType = http;
    proxyHost = “localhost”;
    proxyPort = 20003;
    authType = none;
    useSSL = false;
    timeout = 30000;

    but if I create new .xshttpdesc for account B:

    host = “virtual_hostB”;
    port = 55100;
    pathPrefix = “/path”;
    proxyType = http;
    proxyHost = “localhost”;
    proxyPort = 20003;
    authType = none;
    useSSL = false;
    timeout = 30000;

    it doesn`t work. All the time when I try to connect to virtual_hostB, it try to find this host in hana cloud connector in account A.

    (0) 
    1. Manjunath Baburao Post author

      Hello Dawid,

      Thank you for your interest in the topic. Can you please share more details on the scenario you are trying to achieve? I am not able to understand the use of Cloud Connector. Are you using a Service Channel for some On-Prem connectivity case?

      Regards,
      Manju

      (0) 
      1. Dawid Banas

        We have dev, test and prod in one HCP like https://blogs.sap.com/2016/08/22/understanding-accounts-within-hcp/ , but each group of systems are separated so we need three HCC for On-Premise connectivity. For one account we can connect only one HCC.

        So, we have three accounts: DEV, TEST, PROD and each have a diffrent HCC, but in one hana database we would like to collect systems logs and now from HANA Web-based Development Workbench we call to each systems from each accounts.

        (0) 
    2. Manjunath Baburao Post author

      Hello Dawid,

      From your explanation of the use case, I guess creating a connection between the 3 Cloud Connectors and your DEV HCP account should solve the issue. With Cloud Connector version 2.9, we have added functionality for one HCP account to be connected to multiple cloud connectors.

      This should be helpful. Kindly try it out and let me know how it goes.

      Regards,
      Manju

      (1) 
  2. Matthieu Pelatan

    Hi Dawid,

    the value of the property “CloudConnectorLocationId” in the destination should exactly be the same as the one you have in the configuration of your SAP Cloud Connector (see location ID in the Admin UI).

    (0) 
    1. Dawid Banas

      Hi,
      Yes, you are right.

      On the HCP side:
      CloudConnectorLocationId = se16n

      On the HCC side
      Location Id = se16n

      Connection between HCC and HCP works, but after you set Location id, tunnel id on the HCC side is changing.

      Location Id = empty
      account:///aa..fsd/

      Location Id = se16n
      account:///aa..fsd/se16n

      And now from HANA Web-based Development Workbench we make On-Demand to On-Premise Connectivity with another tunnel id account:///aa..fsd/se16n. It isn’t enough to set CloudConnectorLocationId in cockpit, we probably need to add something in the file xshttpdest.

      (0) 
      1. Eduardo Espinosa

        Hi Dawid, did you have success by adding “CloudConnectorLocationId” property to the “xshttpdest” file? See me comments related in the blog.

        Thanks and Regards

        Eduardo

        (0) 
  3. Eduardo Espinosa

    Hi Dawid.

    Did you have success by adding “CloudConnectorLocationId” property to the “xshttpdest” file?

    There is no formal parameter at the XS Destination configuration UI view/tabs and if I try to add it directly at the file, this is not activated and the error says: “…Syntax error: unknown variable name: CloudConnectorLocationId…”

    Also some help links like the following says that by adding the variable at the request will work for multi-tenant scenario (not our case), and it is not working for our scenario (1 HCP account, 2 cloud connectors, 1 XS destination artifact):

    https://help.hana.ondemand.com/help/frameset.htm?d872cfb4801c4b54896816df4b75c75d.html

    My call example:

    var lv_req =
    “/sap/opu/odata/sap/<service><customparams>” ;

    var req = new $.net.http.Request($.net.http.GET, lv_req) ;

    req.headers.set(“SAP-Connectivity-SCC-Location_ID”, <LocationID>);
    req.headers.set(“CloudConnectorLocationId”, <LocationID>);

    var error = ”;

    client.setTimeout(10000);
    client.read_timeout = -1;
    req.timeout = -1;

    client.request(req, dest);

    var response = client.getResponse();

    Response:

    “Access denied to <system>:443. In case this was a valid request, ensure to expose the system correctly in your SAP HANA Cloud connector.”

     

    Thanks and Regards

    Eduardo

    (2) 
    1. Dawid Banas

      I was looking for this part:

      req.headers.set(“SAP-Connectivity-SCC-Location_ID”, <LocationID>);
      req.headers.set(“CloudConnectorLocationId”, <LocationID>);

       

      Thank you so much 🙂

      (0) 

Leave a Reply