Skip to Content
Product Information

Using SAP Cloud Platform Cloud Connector with SAP Cloud Platform Integration

Purpose of a Cloud Connector

Customers’ landscapes have evolved – where on one side more and more applications are moving in the cloud, so is the integration middleware; and all the systems need to be connected – on-demand or on-premise in a secure fashion.

While moving the integration middleware into the cloud is unquestionably a big step forward, it does bring in a new set of challenges, namely, how to get the on-premise systems talk to the outside world without compromising their security.

 

If your backend system is inside the company’s firewall and expects to receive messages from systems outside the company network, you can leverage SAP Cloud Platform Integration. Together with the SAP Cloud Platform Cloud Connector you can establish a secure connection from any system to your backend systems. Where SAP Cloud Platform Integration allows you to connect to tons of systems using varied protocols, the Cloud Connector allows all applications and services on the SAP Cloud Platform to connect seamlessly and securely to any system inside your company’s firewall.
PS. We consider communications made from the on-premise system to any system outside the network as safe.

 

 

The SAP Cloud Platform Cloud Connector is an on-premise piece of software that needs to be installed inside the customer’s landscape; within the firewall. Once configured and paired with your SAP Cloud Platform account, a secure tunnel is established between the Cloud Platform (and all the services and applications that run on it) and the Cloud Connector. So, all the communication between Cloud Platform and the backend system now gets routed via the Cloud Connector over the secure SSL tunnel.  As a result, all the access control needs to now be configured only in the cloud connector – It provides fine-grained control over the on-premise systems and resources that shall be accessed by cloud applications and the cloud applications that shall make use of the Cloud Connector. A Cloud Connector can be run in a high-availability setup.It supports multiple protocols – HTTP, SOAP, Odata, LDAP, IDoc, etc.

An SAP Cloud Platform Account can be paired with multiple Cloud Connectors. Each Cloud Connector instance is identified by a parameter called “Location ID”, which you need to define when you pair the Cloud Platform account with the Cloud Connector.

The rest of this blog briefs you about the following steps for the SAP Cloud Platform Cloud Connector:

  • Installation
  • Set-up and Configuration
  • Pairing with the Cloud Platform Account’s sub-account with the Cloud Connector- establishing the secure TLS tunnel connection
  • Setting up access control
  • Configurations required in Cloud Platform Integration to ensure that the request to the backend flows via the Cloud Connector.

 

Installation:

On a machine visible on the network where the back-end systems are running (or on the same VM where your back-end system is running), download the Cloud Connector from https://tools.hana.ondemand.com/#cloud and follow the documentation corresponding to the OS for the installation.

Once installation is done, you can access the Cloud Connector from https://<hostname>:8443.

On the login screen, use Administrator / manage (case sensitive) as the User Name / Password

After logging in, perform the following steps:

  1. Change the initial password
  2. Define the installation type. As mentioned before, the Cloud Connector can run in a high-availability setup. In this step, you will specify the corresponding instance of the Cloud Connector as a Master or Slave.
  3. For more details, refer initial configuration.

 

Set-up and Configuration:

  1. Defining HTTPS Proxy: if your customer’s network uses a proxy to connect to the internet, set the corresponding host and port as follows:
    Go to Configuration from the menu on the left side and then choose the tab Cloud > section HTTPS Proxy.
    Some proxy servers require credentials for authentication. In this case, you need to provide the relevant user/password.
    Click on the pencil sign on the right hand side of “HTTPS Proxy”
  2. If you want to use https between the Cloud Connector and the back-end system, you need to upload a valid certificate for the Cloud Connector that is trusted on your back-end system:
    Go to Configuration from the menu on the left side and then choose the tab On Premise> section System Certificates

Pairing with the Cloud Platform Account’s sub-account with the Cloud Connector

In order to connect SAP Cloud Platform Integration to an on-premise backend via the Cloud Connector, you will need to configure the sub-account of SAP Cloud Platform Integration in the Cloud Connector.

Click on Connectors and Choose “+ Add Subaccount” from the Connector Dashboard:

 

PS. you can connect multiple Cloud Platform accounts to the same Cloud Connector – here you differentiate the different accounts by the account’s technical name.
You can also connect 1 Cloud Platform account to multiple Cloud Connectors – here you differentiate the different Cloud Connectors by the Location ID.

Do not forget to add the Location ID if you intent to add multiple Cloud Connectors to the same Cloud Platform account.

You can get the sub-account’s technical name from the account page of the Cloud Platform Cockpit:

Once your sub-account is successfully added as a connector, you should see an entry for it in the list of connectors:

Setting up access control:

You will now need to configure the backends that you need to connect from SAP Cloud Platform Integration via this Cloud Connector. You will need to create a virtual host that points to actual backend system.

Note that only the systems you configure here will be accessible from SAP Cloud Platform Integration.

Click on the greater-than-sign ‘>’ at the right end of the row of your connector.

The technical name of the sub-account should now appear in the lower section of the left pane:

Click on Cloud To On-Premise:

Now Map Virtual Host to Internal Host: Click on the plus sign and fill in the something like below:

Here, the internal host and port are the actual system details, whereas virtual host and port can be anything. You shall use this virtual host in the SAP Cloud Platform Integration scenarios to point to the corresponding backend.

Now you need to Add resources on that backend that can be accessed from SAP Cloud Platform Integration.  Select the mapping entry you just created. Under “Resources on …” click on “+” and configure the path(s) that should be accessible on the internal host (from the virtual host). For all, use “/”.

Enter the following:

 

Once all this is done, the status of mapping should be set to “Reachable”. If not, click on “Check Availability” on that row.

 

Configurations required in Cloud Platform Integration:

Finally, while configuring the connectivity in SAP Cloud Integration, set the Proxy Type to “On-premise” and use the virtual host that you created in the previous step as the address in the adapter specific details of the receiver channel. Also, in case you have configured multiple Cloud Connectors to your Cloud Platform account, choose the Cloud connector you’d wish to use by adding the Location ID in the corresponding field.

Note that even if you are using https between SCC and the back-end system, you need to use http on the URL for the iflow. This is however not a security risk since the Cloud Connector proxy / connectivity agent runs on the same application VM.

 

Additional References:

Official SAP HANA Cloud Connector documentation: https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/e6c7616abb5710148cfcf3e75d96d596.html

Using SAP Cloud Connector with Cloud Integration Adapters: https://help.sap.com/viewer/4e2b95bfe5f84915b5e54a6dd9213b46/Cloud/en-US/65a60e750eca49328fef93c0723ad4b8.html

Configure Principal Propagation to an ABAP System for HTTPS: https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/a8bb87a72d094e0d981d2b1f67df7bc3.html

17 Comments
You must be Logged on to comment or reply to a post.
  • Hi Meghna! This is great, thank you so much for your post.

    We have a scenario where we want to connect C4C to a backend SAP ERP, and I’m thinking that the cloud connector might do the trick. We know which HCI account we wish to use, but my question is then: Do we connect the SCC to SCP or to HCI? I’m finding it hard to understand the technical relations between a Cloud Integration account and a SCP account 🙂

    Best regards,

    Simen

    • The Cloud Connector needs to be configured with the Cloud Platform. Cloud Platform Integration takes the information about the configured cloud connectors from the platform – in case multiple cloud connectors are configured with the same Cloud Platform account, the location ID parameter can be used. I hope this clarifies.

       

       

  • Hi Meghna thank you for your post,

     

    I dont know where we should install de Cloud Connector or what should be the best practice for this… should we install it in the same place as the on-premise system (i.e. the same server/machine/vm) or we should get an additional Machine for this?

     

    thank you again,

    Mike

     

  • Hi Meghna.

    Regarding this note “Note that even if you are using https between SCC and the back-end system, you need to use http on the URL for the iflow. This is however not a security risk since the Cloud Connector proxy / connectivity agent runs on the same application VM.

    Any thoughts or experience if this is needed using the LDAP adapter?

    Regards,

    Gulli

  • Meghna / all

     

    with interest I saw that you could specify the location ID in a SOAP receiver channel. We are to integrate standard content that uses IDoc as receiver channel. However, there seems no field for location ID with that channel type. Is this a missing functionality or not possible due to technical reasons?

     

    Cheers

    Jens

      •  

        Thanks for coming back 🙂 This is good news (I think it has been available for some time now, however, not at the time of the initial post). SAP seems to be getting there, though still some rough edged on CPI that need to be smoothened out.

         

        Cheers

        Jens

  • Hi Meghna, thank you for your post

    It is possible to install the SAP Cloud Connector in the same server where the Saprouter is installed?, what are the technical problems we will experience if we install the SAP Cloud connector in the same server?

    Or it is strongly recommended that install it in a separate server?

     

    regards

     

    William

  • Hi Meghana

     

    W.r.t this step ,

    Select the entry you have created. Under “Resources Accessible on …” click on “Add…” and configure the path(s) that should be accessible on the internal host (from the virtual host). For all, use “/”.

     

    Along with can we add like ”  /#/site ” as white-listing  to a on premise system ?

     

    It is throwing errors as “/#/site is not a valid path”  .

     

    What are the special characters allowed ? Do we any help documentation ?

     

    Thanks in advance .

     

    Regards

    Manjunath