Skip to Content

Part 1: How to use SAP Cloud Platform Connectivity and Cloud Connector in the Cloud Foundry environment

*********** Updates ************

Last update on 11.12.2017

See details at the end of the blog



As mentioned in my last blog about the release 2.10. of the Cloud Connector, I would like to take more time to explain in details how to configure the SAP Cloud Platform Connectivity and the Cloud Connector so that you can consume data coming from an on-premise system in a Cloud Foundry based application.


As I want to focus more on the connectivity part, I will keep the application very simple. So the Fiori-based web application will just show a table with products and prices coming from an on-premise backend service. Here a visual overview of what I want to achieve:


This blog will be structured as follow:

Part 1: Initial setup of SAP Cloud Platform Account and Cloud Connector.

Part 2: Configuration of SAP Cloud Platform Connectivity and deployment of the web application.

Part 3: Update of the configuration to enable principal propagation instead of basic authentication.


To demonstrate it, I will use the following setup:

  • SAP Backend system with Fiori Reference applications installed. Odata services have been prepared and configured so that I can add them as resource in the Cloud Connector.
  • Cloud Connector v. – portable version (of course, it could be a productive version).
  • SAP Cloud Platform Trial account (Cloud Foundry environment).

Initial setup of SAP Cloud Platform subaccount

Before configuring anything, we need a SAP Cloud Platform Trial subaccount for the Cloud Foundry environment.

Note: If you created already a Cloud Foundry Trial account in the past, please verify that the global account is not a standalone (account created before Mai 2017) as we have at the moment a small bug with standalone accounts. We are working on it and I will update the blog as soon as this is perfectly working. In the meantime, I would suggest you to create a new Trial Account if you want to test it now.


So let’s go to and register for a trial account.

After the registration a P-user has been created for me: P1942746397. Now I can login and start the Cloud Foundry Trial by clicking in  the breadcrumb on “Home” and then on the button “Start Cloud Foundry Trial.

Select your region and initialize your trial subaccount. An organization and a space will be also automatically created.

In order to establish later on the trust between the SAP Cloud Platform Trial subaccount and the Cloud Connector, we will need the ID of the subaccount. You can find it by clicking on the global account in the breadcrumb and then on the “show more” icon of the subaccount tile.


Initial setup of Cloud Connector

Now let’s go to the Cloud Connector and configure it. You can use the same Cloud Connector for the NEO and the Cloud Foundry environments. So if you have already one installed, just make sure that you have at least the version and you are good to go. You can verify the version in the top right corner under Administrator / About.

More information about upgrade can be found here.

If you prefer to test with another Cloud Connector or if you don’t have one in place, you can download it from here and install it as described in the official documentation. Once it’s done, go the the admin UI of the Cloud Connector (https://localhost:8443/), change your password and add your new created Cloud Foundry Trial. Click in the button “Add Subaccount” and insert the details as described below.

Let me emphasize 3 small Cloud Foundry specifications compared to the usual configuration:

  1. The region is not “” like expected but it should be “” or “” based on the region you have selected during the creation of your Trial account.
  2. By selecting Cloud Foundry region host, the label “Subaccount User” would automatically change to “Login E-Mail”. Please use here your email address instead of your P-user.
  3. Please be aware that the user that establishes the trust between the Cloud Connector and the SAP Cloud Platform must be a Global Account member (See Add Global Account Members) or a Security Administrator (See Security Administrators in Your Subaccount). In the trial account, you’re per default member of the Global Account, so you don’t need to change anything.

Note 1: the configuration for the SAP internal landscape is slightly different. Please drop me an email to get the details.

Note 2: The first time you will map a subaccount to your Cloud Connector, you can see on the right side the settings for the proxy. Don’t forget to add your proxy host and your proxy port if you are behind the proxy. If you forget it, you can configure it later on by going to Configuration > CLOUD > HTTPS Proxy.

Note 3: I didn’t add any location ID. This is an optional field as I’m connecting only this Cloud Connector to this account. Be aware that the location ID is mandatory as soon as you are using multiple Cloud Connectors. See this blog for more information about it.

Once you clicked on “save”, you should see your Subaccount listed to the “Subaccount Dashboard”. Navigate to the detail page to verify that the connection has been activated.

If every works fine, you should see on the top the following notification in green:

The notification mentions that “no active resources available”. Let’s do it and add our odata service of the on-premise backend system (Fiori Reference applications). Click on the tab “Cloud To On-Premise and create an “Access Control” by clicking on the “Add” icon.

Check the official documentation for more details on access control.

Here is my configuration for example:

Important for us are the Virtual Host and the Virtual Port which will be needed later on in the SAP Cloud Platform.

I have also added the needed resources to consume the odata service. Here an overview about the final configuration of the access control:

That’s all! Now we have everything in place to continue in the cloud. In the following part of the blog, I will explain how to setup the SAP Cloud Platform Connectivity and consume the data provided by the Cloud Connector in the Fiori application.

I will publish the second part of the blog very soon. In meantime, just try to create your Cloud Foundry Trial Account, upgrade/install your Cloud Connector and connect both together.


*********** Updates ************

09.01.2017: Small improvements in the blog for a better understanding.

09.08.2018: Added the link of the 3rd part of the blog series explaining how to use principal propagation.

11.12.2018: Security Administrators (without being a Global Account Member) can now establish the connection between the Cloud Connector and the SAP Cloud Platform. See Prerequisites section here.



Feedbacks are of course welcome!


You must be Logged on to comment or reply to a post.
    • Hi Nick,

      not sure to really understand the question...

      Getting access to on-premise system like S/4HANA is done via the Cloud Connector. See the blog details for more info. Let me know if you have a more concrete question.



      • hello Matthieu

        I mean, in HCP, destination. Don't i need there a s4h system destination that i can create fiori with access to a s4h system?

        So the relevant parameter in HCP --> destination for a latest s4h system is not clear also user and pw then to login.

        many thanks. Nick


        • Hi Nick,

          Indeed, there is no destination runtime right now in the Cloud Foundry environment as you may know it from the Neo environment. We are working hard to deliver it as soon as possible. In the meanwhile, you can implement it like proposed in the second part of the blog. For Principal propagation, we will add a new blog to explain in details how to configure it.

          BR, Matthieu

          • hi,

            Neo environment close  on November 13, when is available destination runtime  on Cloud Foundry ?

            or how i can set up on a trial account to get access to on-premise system s4h with CC?


      • Hi Matthieu,


        May i know to which mail id i have to mail for Internal landscape details if i need to reach you.

        Please let me know the same




  • hello Matthieu

    is it not possible, that you could check my HCP and Connector please? Have implemented Connector 2.10 but have doubts i have done all well and it will work.

    What i want to achieve is: properly working in WEB IDE for Fiori and IoT.
    For sapui5 i need to be connected to the latest s4h system.

    I have Team Viewer 12 if you would be so kind and help me. please give me your email Adresse for further communication.
    Many thanks for your help.


  • HI Matthieu

    Im running CloudConnector (CC) on my location machine and trying to create a new subaccount. have a look at the screenshot.

    Getting this error while doing initial setup. (Attachemnts: 1 & 2)

    417 An authorization problem occurred when downloading the configuration. Check the spelling of the subaccount name, user, and password — see ”Logs” for details

    Seems, I have all the prerequisites on the org and space in CF.

    My subaccount is created just 2 days back.

    What is that Im missing here.


      • Hi Matthieu,


        I do have the exact same issue. I've tried with and without Proxy-Settings within "SAP Cloud Connector Settings --> Cloud". When using no proxy I did get 500 error.


        Where are the log files this error message talks about located?

        Thanks in advance for any hint.


        BR André

        • Finally we found the solution on our own.

          The user used to create the subaccount in SAP Cloud Connector need to be assigned with Administrator role to the CF account. The assignment to the subaccount only is not sufficient.

          • Hi, Man

            You mean to assign the user at subaccount level with "manager" role?

            I can only find "manager", "auditor", "billing manger", etc roles there.

          • Hi Ming Zhang,


            assigning the user to the subaccount level is not enough and is not needed.

            The user need to be assigned on account level with "Administrator" role.

          • Thanks Andre. This info was missing in the blog. I have added it now.

            "Please be aware that the user needs the "Administrator" role on the global account and not only on the subaccount level. It's already setup by default for the trial account but if you are using your own account, please keep it in mind."

          • Hi


            I have tried the same but I am also getting the same error.


            417 An authorization problem occurred when downloading the configuration. Please ensure that the subaccount exists and the user has the appropriate permissions for the subaccount. See ''Log And Trace Files'' and in particular ljs_trace.log for details. Consult SAP note 2697152 for possible remedies.



            Can anyone help me what this could be an issue?




    • Hi, bro

      I also encounter the same issue as you when creating subaccount.

      "417 An authorization problem occurred when downloading the configuration. Check the spelling of the subaccount name, user, and password: 401 — Unauthorized"

      Have you found any solution?

      • Hi Ming Zhang,

        as replied to your other post: Your user need to be assigned on Account level not subaccount level. On account level you can assign "Administrator" role.

          • Hi,

            I might have explained it very poor. Sorry for this.

            When you open the SAP Cloud Platform Cockpit you need to navigate to the Global Account your subaccount belongs to. Once opened you should see on the left hand navigation area the “Members” entry. Open this and add yourself using the “Add Members” button. I guess the only available role is “Administrator” here as I’ve not seen any other.

            Hope this helps, sorting you issue.


      • Hi,

        another possible reason for failing could be firewall restrictions.
        Please ensure your SAP CloudConnector is able to access this URL:<your-sub-account-id>

        When accessing this URL for example from your browser given your SAP CloudPlatform credentials you should receive a certificate string.

        • Thank you Andre! You point is valid.

          I have found the root cause, the subaccount ID here, must be a GUID.

          While I my SCP subaccount was provisioned by the command tool xs-security-configuration-0.22.2-jar-with-dependencies.jar, no GUID generated in this way. For all guys, please aware this tool has been deprecated!

          So I have requested the SCP platform about how to migrate my SCP subaccount or simply re-provision it...

  • Hello,

    When I try to connect CF with R3 On Premise, i get the following error

    417 An authorization problem occurred when downloading the configuration. Check the spelling of the subaccount name, user, and password: 401 — Unauthorized

    Any clue on how to solve this?


  • Hello,

    While Starting my cloud foundry trial, I get the below error

    When I tried to manually create organization, I get the below failure

    Could someone please help me resolve?

    Many thanks,


  • Hi Matthieu,

    first of all very nice blog with good explanation. I tried to follow the step which you have given.However i am not getting any region host for  in HCC while adding sub-account. I already upgraded my HCC to version 2.10.2.below are the screenshot.

    What could be the reason.





    • Hi Shadan,

      strange, I've just downloaded the same version from the hana-tools page and I'm able to see all regions in the dropdown list. Which OS do you have and is it the productive or the portable version?

      See below my screenshot of the mac version...

  • Hi Matthieu,

    I'm using my CF trial account, and I'm facing the same issue. (Cloud Connector

    417 An authorization problem occurred when downloading the configuration. Check the spelling of the subaccount name, user, and password: 401 — Unauthorized

    From Cloud Connector trace, I see accessing the following URL got 401 error.

    #Executing Http Get request to

    #Returned Http Response with code 401

    Is it possible my user (my SAP I number) is not the Administrator of the global account? Per your comments, "...  It’s already setup by default for the trial account ...". But I just cannot check if it is, because there is no ''Members" entry in the left side navigation of the trial global account on the Cockpit.




    • Hi Jian,


      as mentioned in my blog, the configuration for SAP internal landscapes is slightly different. Drop me an email for more details.



      • Hi Matthieu,

        As suggested, I dropped you an email asking for more details about the configuration for SAP internal landscapes.

        While I can connect from SCC to my CF trial sub-account, I keep getting 403-Forbidden when trying to connect to a CF canary sub-account (even though I have administrator permissions at the global account level and OrgManager rights at the sub-account level).

        Please let me know how the configuration to SAP Internal landscapes (e.g. Canary in this case) is different from trial.



  • Hi Matthieu,

    I have deployed my HTML 5 on the Neo environment using Destination and Cloud Connector to access my xsjs service etc on the XS Engine. How would I go about by passing the standard HCP login screen or do I need to use Cloud Foundry to this ?

    Also if I need to deploy to cloud foundry, will the way I am currently doing my http calls change as it was written to work with the neo environment destination. I am battling a bit to get the existing app to connect to the XS Engine service from the Cloud Foundry.

    Kind Regards,




  • Hi Matthieu Pelatan,

    I just completed the tutorial, my tunnel works, and I successfully connected a UI5 app to our on-premise systems.

    However, the region host is still displayed in red (Region host cannot be reached), which doesn’t seem to make much sense.

    Is this the standalone account bug you were talking about?


  • Hi Matthieu Pelatan,

    very interesting blog!

    I deployed a Node.js app on Cloud Foundry and i'm trying to allow the app reach an on-premise Hana via TCP (for direct SQL connection,e.g. calling stored procedures) but i can't figure how through CF connectivity.


    Is TCP connection available in cloud foundry or we only have HTTP at the moment?


    Thanks a lot,




  • Hi Mattieu,


    Greetings. Thanks for writing this blog. We are trying to use a trial account and trying to connect on-premise system using SCC 2.11.1 and HCP - Neo environment using a trial account.


    Though we are able to create Access control and the resources, the cloud connector in HCP shows as NOT CONNECTED. There is no cloud connector connected to this subaccount.

    We tried all possible solutions mentioned but missing the Administrator role on Global account part of this blog.


    During registration, the region we have opted is Europe (Frankfurt) and hence the region we have used in scc is Europe (Frankfurt)

    Any suggestions are highly appreciated


    Thanks and Regards




  • Hi Matthieu,


    Further to this, we tried this link<sub-account>; (we use this subaccount to create the initial configuration in scc)


    It says access denied


    Would this be an issue of cloud connector not connecting with HCP


    Thanks and Regards


  • Hi Matthieu,

    Thanks for this blog. I also suffered from the authorization problem which says "417 An authorization problem occurred when downloading the configuration. Check the spelling of the subaccount name, user, and password: 401 — Unauthorized". So I tried the link:

    Since the global account is on Europe(Rot), I changed the URL a little bit. But when trying to logon, the access was always denied. I'd like to ask, is the url modification correct? If yes, why I can't logon with the user and password which I use to log on windows everyday?

    Best Regards,



    • Hi George,

      Under Europe(Rot),  you can choose Cloud Foundry Trial Europe(Frankfurt). I think subaccount under Neo will not work.  Since I tried with Neo env and it didn't work firstly but with Cloud Foundry env worked well.

      Hope this helps.

      Best regards,


  • Salut Mathieu,

    we're setting up SCP combined with SAC and connections to internal systems (BO, SAP HANA, SAP BW) with the method you describe abvoe.

    One particularity though is that we want the links to the on premise systems to work both from inside the company network as well as outside of the company network.

    We did this for SAC by using a split DNS for the live connections to our BW systems and this seems to work.

    So now the question rises what we need to specify in the virtual host name field in this particular case? A Fully Qualified Hostname which points to a public IP which resolves to an internal IP when used internally? If yes, then I guess we'll need to set up a web dispatcher to transfer the requests to the appropriate systems.




  • Hi Matthieu,

    thanks for this blog! I've just set up our existing Cloud Connector to connect to our two Cloud Foundry subaccounts but the Cloud Connector can't connect as it gets the error "Invalid status of handshake response: 400 Bad Request".

    In the "Connector State" the region host can be reached and the "Refresh subaccount certificate" button works without an error message when putting in my user/password.

    Do you have any idea what could be wrong here?

    Best regards,


  • Hi Mathieu,


    I am trying to connect to ldap through connectivity service  in java but  i am  not able to connect due to it is a ldap protocol not Http .Please suggest solution



    Himesh Dubey

  • Hi Matthieu Pelatan


    Great Blog - It did help us with configuration for CF with Back-end system for OData.


    Now we trying out the S4HANA SDK to consume a RFC enabled FM in CF using the Connectivity Service and destination Service.

    Is RFC destination is supported end to end now in SCP CF ?




    • Hi Matthieu,


      I am trying to configure the Back end system, it wont be allowing to configure the above mentioned steps without internal landscape details. If your mail details can be provided i can reach you there.




  • Hi Matthieu Pelatan . Thanks for the tip. I had followed the procedure and it worked!

    Question: Does exists In SCP Cloud Foundry a menu that shows that the connection is ok? Like it is available in Neo (below the destinations menu) I have not found such menu