Using SAP Cloud Platform Cloud Connector with SAP Cloud Platform Integration
Purpose of a Cloud Connector
Customers’ landscapes have evolved: more and more applications are moving to the cloud, and so is the integration middleware. All of these systems, on-demand or on-premise, need to be connected in a secure fashion.
While moving the integration middleware into the cloud is unquestionably a big step forward, it does bring in a new set of challenges, namely, how to get the on-premise systems to talk to the outside world without compromising their security.
If your backend system is inside the company’s firewall and expects to receive messages from systems outside the company network, you can leverage SAP Cloud Platform Integration. Together with the SAP Cloud Platform Cloud Connector you can establish a secure connection from any system to your backend systems. Where SAP Cloud Platform Integration allows you to connect to tons of systems using varied protocols, the Cloud Connector allows all applications and services on the SAP Cloud Platform to connect seamlessly and securely to any system inside your company’s firewall.
PS. We consider communications made from the on-premise system to any system outside the network as safe.
The SAP Cloud Platform Cloud Connector is an on-premise piece of software that needs to be installed inside the customer’s landscape, within the firewall. Once it is configured and paired with your SAP Cloud Platform account, a secure tunnel is established between the Cloud Platform (and all the services and applications that run on it) and the Cloud Connector. All the communication between Cloud Platform and the backend system is then routed via the Cloud Connector over the secure SSL tunnel. As a result, access control now needs to be configured only in the Cloud Connector. It provides fine-grained control over the on-premise systems and resources that cloud applications can access, and over the cloud applications that may use the Cloud Connector. A Cloud Connector can be run in a high-availability setup. It supports multiple protocols: HTTP, SOAP, OData, LDAP, IDoc, etc.
An SAP Cloud Platform Account can be paired with multiple Cloud Connectors. Each Cloud Connector instance is identified by a parameter called “Location ID”, which you need to define when you pair the Cloud Platform account with the Cloud Connector.
The rest of this blog walks you through the following steps for the SAP Cloud Platform Cloud Connector:
- Set-up and Configuration
- Pairing the Cloud Platform account’s sub-account with the Cloud Connector (establishing the secure TLS tunnel connection)
- Setting up access control
- Configurations required in Cloud Platform Integration to ensure that the request to the backend flows via the Cloud Connector.
On a machine visible on the network where the back-end systems are running (or on the same VM where your back-end system is running), download the Cloud Connector from https://tools.hana.ondemand.com/#cloud and follow the documentation corresponding to the OS for the installation.
Once installation is done, you can access the Cloud Connector from https://<hostname>:8443.
On the login screen, use Administrator / manage (case sensitive) as the User Name / Password.
After logging in, perform the following steps:
- Change the initial password
- Define the installation type. As mentioned before, the Cloud Connector can run in a high-availability setup. In this step, you will specify the corresponding instance of the Cloud Connector as a Master or Slave.
- For more details, refer to the initial configuration documentation.
Set-up and Configuration:
- Defining HTTPS Proxy: if your customer’s network uses a proxy to connect to the internet, set the corresponding host and port as follows:
Go to Configuration from the menu on the left side and then choose the tab Cloud > section HTTPS Proxy.
Some proxy servers require credentials for authentication. In this case, you need to provide the relevant user/password.
Click on the pencil sign on the right hand side of “HTTPS Proxy”
- If you want to use HTTPS between the Cloud Connector and the back-end system, you need to upload a valid certificate for the Cloud Connector that is trusted on your back-end system:
Go to Configuration from the menu on the left side and then choose the tab On Premise > section System Certificates.
Pairing the Cloud Platform account’s sub-account with the Cloud Connector:
In order to connect SAP Cloud Platform Integration to an on-premise backend via the Cloud Connector, you will need to configure the sub-account of SAP Cloud Platform Integration in the Cloud Connector.
Click on Connectors and Choose “+ Add Subaccount” from the Connector Dashboard:
PS. You can connect multiple Cloud Platform accounts to the same Cloud Connector. In that case the accounts are differentiated by the account’s technical name.
You can also connect one Cloud Platform account to multiple Cloud Connectors. In that case the Cloud Connectors are differentiated by the Location ID.
Do not forget to add the Location ID if you intend to add multiple Cloud Connectors to the same Cloud Platform account.
You can get the sub-account’s technical name from the account page of the Cloud Platform Cockpit:
Once your sub-account is successfully added as a connector, you should see an entry for it in the list of connectors:
Setting up access control:
You will now need to configure the backends that you want to reach from SAP Cloud Platform Integration via this Cloud Connector. To do so, you create a virtual host that points to the actual backend system.
Note that only the systems you configure here will be accessible from SAP Cloud Platform Integration.
Click on the greater-than-sign ‘>’ at the right end of the row of your connector.
The technical name of the sub-account should now appear in the lower section of the left pane:
Click on Cloud To On-Premise:
Now map the virtual host to the internal host: click on the plus sign and fill in something like the following:
Here, the internal host and port are the actual system details, whereas virtual host and port can be anything. You shall use this virtual host in the SAP Cloud Platform Integration scenarios to point to the corresponding backend.
Now you need to Add resources on that backend that can be accessed from SAP Cloud Platform Integration. Select the mapping entry you just created. Under “Resources on …” click on “+” and configure the path(s) that should be accessible on the internal host (from the virtual host). For all, use “/”.
Enter the following:
Once all this is done, the status of mapping should be set to “Reachable”. If not, click on “Check Availability” on that row.
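As an added illustration (a simplified model written for this article, not Cloud Connector code or its configuration format), the following shows how the virtual-to-internal mapping and its resource list act as an allow-list, and why exposing “/” with everything below it opens the whole backend while a narrower path limits what an iflow can reach. Host names, ports, paths and the include_subpaths flag are constructed assumptions.

```python
import posixpath
from dataclasses import dataclass, field

@dataclass
class Resource:
    path: str
    include_subpaths: bool  # assumed flag: expose the path only, or everything below it

@dataclass
class Mapping:
    virtual: tuple    # (host, port) that the iflow addresses
    internal: tuple   # (host, port) of the real backend
    resources: list = field(default_factory=list)

def is_allowed(mapping, request_path):
    """True if the normalised request path falls under an exposed resource."""
    # Resolve "." and ".." first so the decision is made on the effective path.
    path = posixpath.normpath("/" + request_path.lstrip("/"))
    for res in mapping.resources:
        base = res.path.rstrip("/") or "/"
        if path == base:
            return True
        if res.include_subpaths:
            # Match on a segment boundary: "/a/b" must not admit "/a/bX".
            prefix = base if base == "/" else base + "/"
            if path.startswith(prefix):
                return True
    return False

def route(mappings, host, port, request_path):
    """Return the internal (host, port) for a permitted request, else None."""
    for m in mappings:
        if m.virtual == (host, port):
            return m.internal if is_allowed(m, request_path) else None
    return None  # a virtual host without a mapping is unreachable

# Constructed sample data: same backend, exposed broadly and narrowly.
BACKEND = ("erp01.corp.example", 44300)
BROAD = [Mapping(("erp-virtual", 443), BACKEND, [Resource("/", True)])]
NARROW = [Mapping(("erp-virtual", 443), BACKEND, [Resource("/sap/opu/odata", True)])]

if __name__ == "__main__":
    for p in ("/sap/opu/odata/SRV/Orders", "/sap/bc/admin", "/sap/opu/odataX",
              "/sap/opu/odata/../../bc/admin"):
        print(p, "broad:", route(BROAD, "erp-virtual", 443, p),
              "narrow:", route(NARROW, "erp-virtual", 443, p))
```

With the broad mapping every path on the backend is reachable from the cloud side; with the narrow one only the service path the integration scenario needs is forwarded.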
Configurations required in Cloud Platform Integration:
Finally, while configuring the connectivity in SAP Cloud Integration, set the Proxy Type to “On-premise” and use the virtual host that you created in the previous step as the address in the adapter-specific details of the receiver channel. Also, in case you have configured multiple Cloud Connectors for your Cloud Platform account, choose the Cloud Connector you wish to use by adding its Location ID in the corresponding field.
Note that even if you are using https between SCC and the back-end system, you need to use http on the URL for the iflow. This is however not a security risk since the Cloud Connector proxy / connectivity agent runs on the same application VM.
Official SAP HANA Cloud Connector documentation: https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/e6c7616abb5710148cfcf3e75d96d596.html
Using SAP Cloud Connector with Cloud Integration Adapters: https://help.sap.com/viewer/4e2b95bfe5f84915b5e54a6dd9213b46/Cloud/en-US/65a60e750eca49328fef93c0723ad4b8.html
Configure Principal Propagation to an ABAP System for HTTPS: https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/a8bb87a72d094e0d981d2b1f67df7bc3.html