Purpose of a Cloud Connector
Customers’ landscapes have evolved: more and more applications are moving to the cloud, and so is the integration middleware. All of these systems, whether on-demand or on-premise, need to be connected in a secure fashion.
While moving the integration middleware into the cloud is unquestionably a big step forward, it does bring a new set of challenges, namely, how to get the on-premise systems to talk to the outside world without compromising their security.
If your backend system is inside the company’s firewall and expects to receive messages from systems outside the company network, you can leverage SAP Cloud Platform Integration. Together with the SAP Cloud Platform Cloud Connector you can establish a secure connection from any system to your backend systems. Where SAP Cloud Platform Integration allows you to connect to tons of systems using varied protocols, the Cloud Connector allows all applications and services on the SAP Cloud Platform to connect seamlessly and securely to any system inside your company’s firewall.
PS. We consider communications made from the on-premise system to any system outside the network as safe.
The SAP Cloud Platform Cloud Connector is an on-premise piece of software that needs to be installed inside the customer’s landscape, within the firewall. Once it is configured and paired with your SAP Cloud Platform account, a secure tunnel is established between the Cloud Platform (and all the services and applications that run on it) and the Cloud Connector. All communication between the Cloud Platform and the backend system is then routed via the Cloud Connector over the secure SSL tunnel. As a result, all access control now needs to be configured only in the Cloud Connector. It provides fine-grained control over the on-premise systems and resources that cloud applications may access, and over the cloud applications that may make use of the Cloud Connector. A Cloud Connector can be run in a high-availability setup. It supports multiple protocols: HTTP, SOAP, OData, LDAP, IDoc, etc.
An SAP Cloud Platform Account can be paired with multiple Cloud Connectors. Each Cloud Connector instance is identified by a parameter called “Location ID”, which you need to define when you pair the Cloud Platform account with the Cloud Connector.
The rest of this blog briefs you about the following steps for the SAP Cloud Platform Cloud Connector:
- Set-up and Configuration
- Setting up access control
- Pairing with the Cloud Platform Account – establishing the secure SSL tunnel connection
- Configurations required in Cloud Platform Integration to ensure that the request to the backend flows via the Cloud Connector.
On a machine visible on the network where the back-end systems are running (or on the same VM where your back-end system is running), download the Cloud Connector from https://tools.hana.ondemand.com/#cloud and follow the documentation corresponding to the OS for the installation.
Once installation is done, you can access the Cloud Connector from https://<hostname>:8443.
On the login screen, use Administrator / manage (case sensitive) as the User Name / Password
After logging in, perform the following steps:
- Change the initial password
- Define the installation type. As mentioned before, the Cloud Connector can run in a high-availability setup. In this step, you will specify the corresponding instance of the Cloud Connector as a Master or Slave.
- For more details, refer to the initial configuration documentation.
Set-up and Configuration:
- Defining HTTPS Proxy: if your customer’s network uses a proxy to connect to the internet, set the corresponding host and port as follows:
Go to Configuration from the menu on the left side and then choose the tab Cloud > section HTTPS Proxy.
Some proxy servers require credentials for authentication. In this case, you need to provide the relevant user/password.
Click on the pencil sign on the right hand side of “HTTPS Proxy”
- If you want to use HTTPS between the Cloud Connector and the back-end system, you need to upload a valid certificate for the Cloud Connector that is trusted on your back-end system:
Go to Configuration from the menu on the left side and then choose the tab On Premise > section System Certificates.
Setting up access control:
You now need to create a virtual host that points to the actual backend system. You will use this virtual host in the SAP Cloud Platform Integration scenarios to point to the corresponding backend.
For the selected Cloud Platform account, select Cloud To On-Premise.
Click on the ‘+’ sign to add an entry
Select Back-end Type, Protocol, internal host/port, virtual host/port and principal type (e.g. needed for https)
Select the entry you have created. Under “Resources Accessible on …” click on “Add…” and configure the path(s) that should be accessible on the internal host (from the virtual host). For all, use “/”.
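To see what a resource entry of “/” grants compared with a scoped path, here is a simplified model of the virtual-host and resource allowlist described above. It is an added example, not SAP's code or part of the original post; the host names, the `sub_paths` flag and the segment-boundary matching are assumptions.

```python
import posixpath
from dataclasses import dataclass

@dataclass(frozen=True)
class Resource:
    path: str        # URL path exposed on the internal host
    sub_paths: bool  # True = the path and everything below it (assumed flag)

@dataclass(frozen=True)
class Mapping:
    virtual: str     # virtual host:port used by cloud applications
    internal: str    # real backend host:port behind the firewall
    resources: tuple

def _norm(path):
    # Collapse ".", ".." and duplicate slashes before any comparison
    return posixpath.normpath("/" + path.lstrip("/"))

def resolve(mappings, virtual, path):
    """Return the internal host:port if the request is allowed, else None."""
    p = _norm(path)
    for m in mappings:
        if m.virtual != virtual:
            continue
        for r in m.resources:
            base = _norm(r.path)
            if p == base:
                return m.internal
            # Match only on a path-segment boundary, never on a raw prefix
            if r.sub_paths and (base == "/" or p.startswith(base + "/")):
                return m.internal
    return None  # default deny: unknown virtual host or unlisted path

def audit(mappings):
    """List virtual hosts whose resources expose the whole backend."""
    return [m.virtual for m in mappings
            if any(_norm(r.path) == "/" and r.sub_paths for r in m.resources)]

# Constructed sample configuration (hypothetical hosts)
MAPPINGS = [
    Mapping("erp-virtual:443", "erp01.corp.example:44300",
            (Resource("/", True),)),
    Mapping("crm-virtual:443", "crm01.corp.example:44300",
            (Resource("/sap/opu/odata", True),)),
]
```

With “/” every path on the internal host is reachable through the virtual host, while the scoped entry only lets requests below its own path through.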
Pairing with the Cloud Platform Account
You now need to connect the Cloud Connector to one or more Cloud Platform accounts. You can do this by clicking on “+ Add Account” from the Connector Dashboard:
Do not forget to add the Location ID if you intend to add multiple Cloud Connectors to the same Cloud Platform account.
You can get the account name from the account page of the Cloud Platform Cockpit:
Configurations required in Cloud Platform Integration:
Finally, while configuring the connectivity in SAP Cloud Integration, set the Proxy Type to “On-premise” and use the virtual host that you created in the previous step as the address in the adapter-specific details of the receiver channel. Also, in case you have configured multiple Cloud Connectors for your Cloud Platform account, choose the Cloud Connector you wish to use by adding its Location ID in the corresponding field.
Note that even if you are using HTTPS between SCC and the back-end system, you need to use HTTP in the URL for the iflow. This is, however, not a security risk, since the Cloud Connector proxy / connectivity agent runs on the same application VM.
Official SAP HANA Cloud Connector documentation: https://help.hana.ondemand.com/help/frameset.htm -> Services -> Connectivity Services -> SAP HANA Cloud Connector.
Official Cloud Integration documentation: https://cloudintegration.hana.ondemand.com/PI/help -> Designing and Managing Integration Content -> Configuring an Integration Flow -> Defining Channels -> Using SAP HANA Cloud Connector with HCI Adapters.
Configuring ABAP systems to trust Cloud Connector’s System certificate: https://help.hana.ondemand.com/help/frameset.htm?a8bb87a72d094e0d981d2b1f67df7bc3.html