Firas Kassem

November 8, 2017 3 minute read

Enable BW Direct Live connections in SAC

For security reasons, browsers make sure that front end JavaScript code which is originated from a certain origin do only back-end calls to the same origin host. however with CORS, hosts can inform the browser via some headers that such calls from certain origins can be allowed. to read more about CORS please read more here. With this enablement, your SAC will be able to communicate directly with your BW inA API without the need to run an additional reverse proxy.

ABAP Netweaver 7.52+ supports CORS setup out of the box, however for older version there is a workaround which can be done. this brief article will guide you to enable direct connections for both scenarios.

Netweaver 7.52+

Make sure that icf/cors_enabled is set to 1.

Go to transaction UCONCOCKPIT > Uniefeid Conictivity Scenario Selection > HTTP White List Scenario > Cross-Origin Resource Sharing.

Go To Edit Mode and add the following three entries for the BW InA services:

1. GetServerInfo service

Service Path : /sap/bw/ina/getserverinfo/
Host rule: your origin host name, (more entries comma seperated, or * for all).
Allowed Methods: Get, POST,OPTIONS
Allowed Headers: AUTHORIZATION,X-CSRF-TOKEN,X-SAP-CID,ACCEPT-LANGUAGE
Exposed Headers: X-CSRF-TOKEN, SAP-REWRITEURL, SAP-URL-SESSION-ID
Allow Credentials: has to be active.
Max Age: 600

2. GetResponse service

Service Path : /sap/bw/ina/getresponse/
Host rule: your origin host name, (more entries comma seperated, or * for all).
Allowed Methods: Get, POST, OPTIONS
Allowed Headers: AUTHORIZATION,CONTENT-TYPE,MYSAPSSO2,X-CSRF-TOKEN,X-SAP-CID,ACCEPT-LANGUAGE
Exposed Headers: X-CSRF-TOKEN, SAP-REWRITEURL, SAP-URL-SESSION-ID
Allow Credentials: has to be active.
Max Age: 600

2. Logoff service

Service Path : /sap/bw/ina/logoff/
Host rule: your origin host name, (more entries comma seperated, or * for all).
Allowed Methods: GET,OPTIONS
Allowed Headers: AUTHORIZATION,X-SAP-CID,ACCEPT-LANGUAGE
Exposed Headers: X-CSRF-TOKEN, SAP-REWRITEURL, SAP-URL-SESSION-ID
Allow Credentials: has to be active.
Max Age: 600

After adding the three services, you have to save your changes.

Netweaver 7.4+

Note: This workaround relies on the following post. for more detailed information please read more there.

On your BW system, create a file somewhere (ex: /usr/sap/<SID>/SYS/profile/cors_rewrite), then add it to icm/HTTP/mod_0 as the following:

icm/HTTP/mod_0 = PREFIX=/,FILE={path_to_cors_rewrite_file}

The file should hold the following content:

if %{HEADER:isSACOriginAllowed} = true
	setHeader isSACOriginAllowed false

if %{HEADER:ORIGIN} regimatch ^(http(s)?:\/\/)?{SAC_HOSTNAME} [AND]
if %{PATH} regimatch (\/sap(\(.*\))*\/bw\/ina\/*) [AND]
if %{REQUEST_METHOD} regimatch (GET|POST|OPTIONS)
setHeader isSACOriginAllowed true
 
if %{HEADER:isSACOriginAllowed} = true
begin
  setResponseHeader Access-Control-Allow-Origin %{HEADER:ORIGIN}
  setResponseHeader Access-Control-Allow-Methods GET,POST
  setResponseHeader Access-Control-Allow-Headers x-csrf-token,x-sap-cid,authorization,mysapsso2,x-request-with,sap-rewriteurl,sap-url-session-id,content-type,accept-language
  setResponseHeader Access-Control-Max-Age 600
  setResponseHeader Access-Control-Expose-Headers x-csrf-token,sap-rewriteurl,sap-url-session-id,sap-perf-fesrec,sap-system
  setResponseHeader Access-Control-Allow-Credentials true
  setResponseHeader vary Origin
end
 
if %{HEADER:isSACOriginAllowed} = true [AND]
if %{REQUEST_METHOD} stricmp OPTIONS
begin
  regRewriteUrl ^/(.*) /sap/public/ping
  removeResponseHeader Set-Cookie
  removeResponseHeader Expires
end

kindly replace {SAC_HOSTNAME} with your SAC host name(s) ( including port if none standard), you may also adapt the pattern to meet your requirement (http or https or both ..)

Finally you have to restart your ABAP system.

After that you should be able to create a direct Live BW connection in SAC :

Notes

Note #1: as a prerequisite, you will have to unblock third party cookies in your browser

Chrome:

Safari:

Note #2: for the same BW back-end system, you may configure either a direct connection or a path connection over a reverse proxy, if end user mixes between both scenarios in the same session for the same back-end then session handling could be impacted and unpredictable behavior is expected to happen.

9 Comments

You must be Logged on to comment or reply to a post.

Lakshmikanth Adharapurapu

January 9, 2018 at 8:52 am

Thanks for the Detailed write up...I have made a connection with BW in 2016 when the product was new, I have installed tom cat servers and made few prerequsites to make a connection, at that time BW was not supported with live connection and i was importing data...My question is for SAP BW live connections do we need to all those set ups like Tom cat servers, JVA connectors, HANA cloud connector installations etc?

Firas Kassem

Blog Post Author

January 16, 2018 at 3:34 pm

Hello Lakshmikanth,

The idea hear is to avoid the overhead of having a reverse proxy, with this guideline you can enable SAC to directly consume the BW InA HTTP service.

best regards,

Roland Kramer

January 31, 2018 at 12:38 pm

Hello Firas
This is a very nice feature and quite useful for BW on HANA 7.50 and BW/4HANA 1.0
Unfortunally these Releases are based on NetWeaver 7.50 and SAP Application Server 7.50

Any change to see this down-ported to 7.50?

Best Regards Roland
PM BW/EDW, SAP SE

Firas Kassem

Blog Post Author

August 8, 2018 at 6:59 am

Hi Roland,

The scripts can also run on lower NW version (7.4).. I am not sure if the the ABAP cors ennoblement will be down ported to 7.50 ..

regards,

Firas

Roland Kramer

August 13, 2018 at 7:59 pm

Hi,

We figured out that with BW/4 we can use the SAP_UI 7.52 CORS Implementation without any scripts/file, etc.

See - SAP First Guidance – Implement SAP BW/4HANA in the Azure Cloud

Best Regards Roland

Werner Rodolfo Hauck

July 5, 2018 at 1:35 pm

Thanks for sharing the configuration details. While the steps are clearly described we are having some issues connecting to a SAP BW via Live Connection. Our steps for NW 7.5:

Create the parameter file {path_to_cors_rewrite_file} where we put our setting like.."if %{HEADER:ORIGIN} regimatch ^(http(s)?:\/\/)?nameofsystem.eu.sapbusinessobjects.cloud [AND]"..
Copy that file to $(DIR_GLOBAL)
Set the new Profile Entry: icm/HTTP/mod_0 = PREFIX = /,FILE=$(DIR_GLOBAL)CORS.TXT
Restart of ABAP Server
Check of Chrome Browser Setting as defined
Setting up Live BW Connection from SAC with Username and Password -> Failed to connect to System
In our use case we leave the HTTPS Port undefined which maybe could be the issue here?

Our System Landscape is based on SAP BW on HANA 7.5 so we use the guide for "under 7.52". Both of the Systems (Browser/Client and BW System) are on the same network domain, where only the client has Internet Access.

By now we don't see the problem so we hope for your help. Thanks!

Br Werner.

Firas Kassem

Blog Post Author

August 8, 2018 at 7:00 am

Hi Werner,

yes I think you have to specify the https port correctly in the connection window. kindly let me know if this also doesn't work.

regards,

Firas

Arnold Lequin

March 12, 2020 at 11:39 am

Hi Firas,

We've been working on our BW 7.50 SSO for our SAC, we have followed the instruction, unfortunately, I'm still getting a 404 error. Any suggestions?

Thanks,

Arnold L.

Amit Tewatia

March 27, 2020 at 11:38 am

Hi Arnold,

Please check the content of your rewrite file.

Below url shall be helpful:

https://blogs.sap.com/2017/02/08/how-to-enable-cors-on-sap-netweaver-platform/

Thanks

Amit T

Enable BW Direct Live connections in SAC

Netweaver 7.52+

1. GetServerInfo service

2. GetResponse service

2. Logoff service

Netweaver 7.4+

Notes

Assigned Tags