Using SAP Cloud Platform Cloud Connector with SAP Cloud Platform Integration
Purpose of a Cloud Connector
Customers’ landscapes have evolved: as more and more applications move to the cloud, so does the integration middleware, and all the systems, whether on-demand or on-premise, need to be connected in a secure fashion.
While moving the integration middleware into the cloud is unquestionably a big step forward, it does bring a new set of challenges, namely how to get the on-premise systems to talk to the outside world without compromising their security.
If your backend system is inside the company’s firewall and expects to receive messages from systems outside the company network, you can leverage SAP Cloud Platform Integration. Together with the SAP Cloud Platform Cloud Connector you can establish a secure connection from any system to your backend systems. Where SAP Cloud Platform Integration allows you to connect to tons of systems using varied protocols, the Cloud Connector allows all applications and services on the SAP Cloud Platform to connect seamlessly and securely to any system inside your company’s firewall.
PS. We consider communications made from the on-premise system to any system outside the network as safe.
The SAP Cloud Platform Cloud Connector is an on-premise piece of software that needs to be installed inside the customer’s landscape, within the firewall. Once it is configured and paired with your SAP Cloud Platform account, a secure tunnel is established between the Cloud Platform (and all the services and applications that run on it) and the Cloud Connector. All communication between the Cloud Platform and the backend system is then routed via the Cloud Connector over the secure SSL tunnel. As a result, access control now needs to be configured only in the Cloud Connector: it provides fine-grained control over the on-premise systems and resources that shall be accessed by cloud applications, and over the cloud applications that shall make use of the Cloud Connector. A Cloud Connector can be run in a high-availability setup. It supports multiple protocols: HTTP, SOAP, OData, LDAP, IDoc, etc.
An SAP Cloud Platform Account can be paired with multiple Cloud Connectors. Each Cloud Connector instance is identified by a parameter called “Location ID”, which you need to define when you pair the Cloud Platform account with the Cloud Connector.
The rest of this blog walks you through the following steps for the SAP Cloud Platform Cloud Connector:
- Set-up and Configuration
- Pairing the Cloud Platform account’s sub-account with the Cloud Connector: establishing the secure TLS tunnel connection
- Setting up access control
- Configurations required in Cloud Platform Integration to ensure that the request to the backend flows via the Cloud Connector.
On a machine visible on the network where the back-end systems are running (or on the same VM where your back-end system is running), download the Cloud Connector from https://tools.hana.ondemand.com/#cloud and follow the documentation corresponding to the OS for the installation.
Once installation is done, you can access the Cloud Connector from https://<hostname>:8443.
On the login screen, use Administrator / manage (case sensitive) as the User Name / Password.
After logging in, perform the following steps:
- Change the initial password
- Define the installation type. As mentioned before, the Cloud Connector can run in a high-availability setup. In this step, you specify whether this instance of the Cloud Connector is a Master or a Slave.
- For more details, refer to the initial configuration documentation.
Set-up and Configuration:
- Defining HTTPS Proxy: if your customer’s network uses a proxy to connect to the internet, set the corresponding host and port as follows:
Go to Configuration from the menu on the left side and then choose the tab Cloud > section HTTPS Proxy.
Some proxy servers require credentials for authentication. In this case, you need to provide the relevant user/password.
Click on the pencil sign on the right hand side of “HTTPS Proxy”
- If you want to use HTTPS between the Cloud Connector and the back-end system, you need to upload a valid certificate for the Cloud Connector that is trusted on your back-end system:
Go to Configuration from the menu on the left side and then choose the tab On Premise > section System Certificates.
Pairing the Cloud Platform account’s sub-account with the Cloud Connector
In order to connect SAP Cloud Platform Integration to an on-premise backend via the Cloud Connector, you will need to configure the sub-account of SAP Cloud Platform Integration in the Cloud Connector.
Click on Connectors and choose “+ Add Subaccount” from the Connector Dashboard:
PS. You can connect multiple Cloud Platform accounts to the same Cloud Connector – here you differentiate the accounts by the account’s technical name.
You can also connect one Cloud Platform account to multiple Cloud Connectors – here you differentiate the Cloud Connectors by the Location ID.
Do not forget to add the Location ID if you intend to add multiple Cloud Connectors to the same Cloud Platform account.
You can get the sub-account’s technical name from the account page of the Cloud Platform Cockpit:
Once your sub-account is successfully added as a connector, you should see an entry for it in the list of connectors:
Setting up access control:
You will now need to configure the backends that you want to reach from SAP Cloud Platform Integration via this Cloud Connector. You will need to create a virtual host that points to the actual backend system.
Note that only the systems you configure here will be accessible from SAP Cloud Platform Integration.
Click on the greater-than-sign ‘>’ at the right end of the row of your connector.
The technical name of the sub-account should now appear in the lower section of the left pane:
Click on Cloud To On-Premise:
Now map the virtual host to the internal host: click on the plus sign and fill in something like the following:
Here, the internal host and port are the actual system details, whereas the virtual host and port can be anything. You will use this virtual host in the SAP Cloud Platform Integration scenarios to point to the corresponding backend.
Now you need to add the resources on that backend that can be accessed from SAP Cloud Platform Integration. Select the mapping entry you just created. Under “Resources on …” click on “+” and configure the path(s) that should be accessible on the internal host (from the virtual host). For all, use “/”.
Enter the following:
Once all this is done, the status of mapping should be set to “Reachable”. If not, click on “Check Availability” on that row.
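An added example, not part of the original post and not SAP's code: a simplified Python model of the virtual-host mapping and resource list configured above, showing what a resource of “/” exposes compared with a narrower path. The host names, ports, paths, the sub_paths flag and the rejection of “..” segments are assumptions of this model.

```python
# Simplified model of a virtual-to-internal host mapping with a resource
# allow-list. Not SAP code; all hosts, ports and paths are constructed.
from dataclasses import dataclass, field
from urllib.parse import urlsplit

@dataclass
class Resource:
    path: str               # URL path allowed on the internal host
    sub_paths: bool = True  # assumption: True also allows everything below path

    def permits(self, request_path):
        if request_path == self.path:
            return True
        if not self.sub_paths:
            return False
        prefix = self.path if self.path.endswith("/") else self.path + "/"
        return request_path.startswith(prefix)

@dataclass
class Mapping:
    virtual: tuple    # (virtual host, port) used as the address in the iflow
    internal: tuple   # (internal host, port) of the actual backend
    resources: list = field(default_factory=list)

def route(mappings, url):
    """Return 'internal_host:port/path' for an exposed request, else None."""
    parts = urlsplit(url)
    if ".." in parts.path.split("/"):
        return None   # model assumption: refuse traversal segments outright
    for m in mappings:
        if (parts.hostname, parts.port) != m.virtual:
            continue
        if any(r.permits(parts.path) for r in m.resources):
            host, port = m.internal
            return f"{host}:{port}{parts.path}"
    return None       # unmapped virtual host, or path outside every resource

VIRTUAL, INTERNAL = ("erp-virtual", 8000), ("erp01.corp.example", 8000)
WIDE = [Mapping(VIRTUAL, INTERNAL, [Resource("/")])]                # "For all"
NARROW = [Mapping(VIRTUAL, INTERNAL, [Resource("/sap/opu/odata")])]

if __name__ == "__main__":
    for url in ("http://erp-virtual:8000/sap/opu/odata/sap/API_X/",
                "http://erp-virtual:8000/sap/bc/ping",
                "http://erp-virtual:8000/sap/opu/odata/../../bc/ping",
                "http://unmapped-host:8000/sap/opu/odata"):
        print(url, "| wide:", route(WIDE, url), "| narrow:", route(NARROW, url))
```

With the “/” resource every path on the mapped backend is reachable through the tunnel, while the narrower resource forwards only the listed service path and refuses the rest.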
Configurations required in Cloud Platform Integration:
Finally, while configuring the connectivity in SAP Cloud Integration, set the Proxy Type to “On-premise” and use the virtual host that you created in the previous step as the address in the adapter-specific details of the receiver channel. Also, in case you have configured multiple Cloud Connectors for your Cloud Platform account, choose the Cloud Connector you wish to use by adding its Location ID in the corresponding field.
Note that even if you are using https between SCC and the back-end system, you need to use http on the URL for the iflow. This is however not a security risk since the Cloud Connector proxy / connectivity agent runs on the same application VM.
Official SAP HANA Cloud Connector documentation: https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/e6c7616abb5710148cfcf3e75d96d596.html
Using SAP Cloud Connector with Cloud Integration Adapters: https://help.sap.com/viewer/4e2b95bfe5f84915b5e54a6dd9213b46/Cloud/en-US/65a60e750eca49328fef93c0723ad4b8.html
Configure Principal Propagation to an ABAP System for HTTPS: https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/a8bb87a72d094e0d981d2b1f67df7bc3.html
Hi Meghna! This is great, thank you so much for your post.
We have a scenario where we want to connect C4C to a backend SAP ERP, and I'm thinking that the cloud connector might do the trick. We know which HCI account we wish to use, but my question is then: Do we connect the SCC to SCP or to HCI? I'm finding it hard to understand the technical relations between a Cloud Integration account and a SCP account 🙂
The Cloud Connector needs to be configured with the Cloud Platform. Cloud Platform Integration takes the information about the configured cloud connectors from the platform - in case multiple cloud connectors are configured with the same Cloud Platform account, the location ID parameter can be used. I hope this clarifies.
Hi Meghna thank you for your post,
I don't know where we should install the Cloud Connector or what the best practice for this should be... should we install it in the same place as the on-premise system (i.e. the same server/machine/VM) or should we get an additional machine for this?
thank you again,
I would suggest you install it on a separate server rather than installing it on a server with other software though technically there are no restrictions to do it. But, if you have a dedicated server for SCC it is not affected if you need a downtime for other software updates.
You can find sizing guide here: https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/e23f776e4d594fdbaeeb1196d47bbcc0.html
Customer Success team
As pointed out by Midhun, as the SAP Cloud Connector connects to multiple backend systems, there should be a separate host used for it.
Also, to add, we recommend setting up the Cloud Connector on a system located in the DMZ. However, a setup directly in the network of the attached systems is also OK.
Regarding this note "Note that even if you are using https between SCC and the back-end system, you need to use http on the URL for the iflow. This is however not a security risk since the Cloud Connector proxy / connectivity agent runs on the same application VM."
Any thoughts or experience if this is needed using the LDAP adapter?
Connecting to an LDAP server using the LDAP adapter of Cloud Platform Integration can only happen via the Cloud connector - this is mandatory.
Thanks and Regards,
Thanks Meghna Shishodiya for coming back on this.
Any news on the supported operations? Currently only insert and modify.
Will we see read as an option?
Meghna / all
With interest I saw that you could specify the location ID in a SOAP receiver channel. We are to integrate standard content that uses IDoc as receiver channel. However, there seems to be no field for location ID with that channel type. Is this a missing functionality or not possible due to technical reasons?
You are now able to add the location ID to the IDoc channel. See the attached screenshot.
Thanks for coming back 🙂 This is good news (I think it has been available for some time now, however, not at the time of the initial post). SAP seems to be getting there, though there are still some rough edges on CPI that need to be smoothened out.
Thanks Jens! It would be nice to know more about the rough edges - hopefully we already have a plan around them. Let's share our thoughts over a quick meeting. Please share your contacts over email to Meghna.Shishodiya@sap.com.
Hi Meghna, thank you for your post
Is it possible to install the SAP Cloud Connector on the same server where the SAProuter is installed? What are the technical problems we will experience if we install the SAP Cloud Connector on the same server?
Or is it strongly recommended to install it on a separate server?
Installing SAP Cloud Connector on the same machine as an SAProuter is possible, no technical issues to expect due to co-location.
How to connect S4 Hana Cloud RFC related interfaces mentioned below.
W.r.t. this step,
Select the entry you have created. Under “Resources Accessible on …” click on “Add…” and configure the path(s) that should be accessible on the internal host (from the virtual host). For all, use “/”.
Along with this, can we add something like "/#/site" as white-listing to an on-premise system?
It is throwing errors as "/#/site is not a valid path".
What are the special characters allowed? Do we have any help documentation?
Thanks in advance.
I am getting the same error: "Service Channel" could not be opened for SAP On-premise to cloud connection in SAP Cloud Connector
I have a question: is there a way to connect CPI and SAP ERP directly without the connector?
I have SAP Commerce Cloud v2 (backoffice)
Is it possible to connect the same cloud connector to two separate clients of same SAP backend system?
E.g. we are trying to connect SAP Cloud Connector to the ST2-100 & ST2-200 clients. Client 200 is a copy of client 100.
Somehow the client 100 connection works but the client 200 connection errors with an HTTP 503 error in CIG portal-->CC--ST2.
We have followed the steps described by you to setup our cloud connector connection with SAP ECC on premise and trying to connect to it using ODATA adapter in CPI & API-M both. When we are connecting via CPI, we are getting authorization errors however via API-M it is working perfectly.
Here are the details of the setup that we have done -
CPI & API-M has the same configurations (including ECC system user)
Cloud Connector ( Connecting to SAP ECC via https with valid system certificates installed)
Both CPI and API-M are using the same Cloud Connector, the traffic from API-M is going through, however the traffic from CPI is getting errored out.
For now, we are planning to investigate the authentication properties being passed from both CPI and API-M to see the difference, because the setup is working in case of API-M, it is highly unlikely that the setups in Cloud Connector and access permissions in SAP ECC are an issue.
What do you think could be the issue in this case, should we check something else?
A temporary workaround worked for us when we updated the sicf service to prioritize basic authentication, but this cannot be used as a long-term solution as it would be needed for each and every service we are using in SAP.
Appreciate your help!
Could you throw some light on the need for using Location ID if the Cloud Connector is set up in an HA environment? It is not two CCs but a single On-Premise CC connection using a load balancer. In this case, is the "Location ID" mandatory? I am not able to do a connection test successfully with a blank Location ID from the CPI tenant in this case. Is that how it is supposed to be?
Vijay Konam (VJ)