Skip to Content
Technical Articles
Author's profile photo Ian Henry

SAP Analytics Cloud Live Data Connection to HANA on-premise using CORS

The HANA CORS (Cross Origin Resource Sharing) configuration is straight forward but as the old saying goes, a picture paints a thousand words.  Such a shame that the SAP documentation policy does not allow screenshots.  I have captured the configuration steps here.

SAP Analytics Cloud Version 2018.1.0
SAP HANA Version 1.00.111 (SPS 11).

The official SAP Analytics Cloud documentation is good and could be found here.
Live Data Connection to SAP HANA

This CORS setup is pretty simple.

  1. Configure HANA HTTPS (SSL)
  2. InA (Information Access)
  3. CORS Configuration
  4. XS Timeout
  5. SameSite Cookie Settings

1. Configure HANA HTTPS (SSL)

The Configuration of the SSL certificate is within the Web Dispatcher at the URL below.
The following role is required.

sap.hana.xs.wdisp.admin::WebDispatcherAdmin

http://<WebServerHost>:80<SAPHANAinstance>/sap/hana/xs/wdisp/admin/

For me that is http://ivml2152.wdf.sap.corp:8024/sap/hana/xs/wdisp/admin/public/default.html

/sap/hana/xs/wdisp/admin/

Once completed you must be able to access XS classic urls via HTTPS, without any security pop-ups or certificate errors. Usually this is port 4300, if your SAP HANA instance number is 00, but 24 in my case, therefore port 4324.

The full configuration steps for HTTPS are outlined within the SAP HANA help documentation so I won’t repeat those here.

Configure HTTPS (SSL) for Client Application Access

 

2. Information Access (InA) using EPM-MDS

Verify InA is installed and you have rights to access this service.

https://<hana-hostname>:43<SAPHANAinstance>/sap/bc/ina/service/v2/GetServerInfo

For me that is https://ivml2152.wdf.sap.corp:4324/sap/bc/ina/service/v2/GetServerInfo

/sap/bc/ina/service/v2/GetServerInfo

The response from InA is in JSON, using a JSON browser extension makes the response more readable.

If InA is not working it may not be installed (as below).  Errors such as

“InformationAccess Service GetServerInfo is not available. Install the SAP HANA EPM-MDS plugin.”

You will need to download the the HANA EPM-MDS package from SWDC.

Check that your user has access to this package via the sap.bc.ina.service.v2.userRole::INA_USER role.

Verify that you can access Metadata via InA

https://<hana-hostname>:43<SAPHANAinstance>/sap/bc/ina/service/v2/GetResponse?Request={%22Metadata%22:{%22Expand%22:[%22Cubes%22]}}

For me that is https://ivml2152.wdf.sap.corp:4324/sap/bc/ina/service/v2/GetResponse?Request={%22Metadata%22:{%22Expand%22:[%22Cubes%22]}}

/sap/bc/ina/service/v2/GetResponse?Request={%22Metadata%22:{%22Expand%22:[%22Cubes%22]}}

3. CORS Configuration

Be aware the CORS config below needs to be repeated after each and every HANA update, e.g moving from revision 122.12 to 122.15.

To access the XS admin site your user requires the following roles.

sap.hana.xs.admin.roles::RuntimeConfAdministrator  sap.hana.xs.admin.roles::SAMLViewer
sap.hana.xs.admin.roles::HTTPDestViewer

Login to your XS (classic) admin site, the URL would be something like

https://<hana-hostname>:43<SAPHANAinstance>/sap/hana/xs/admin/#/package/sap.bc.ina.service.v2

For me that becomes https://ivml2152.wdf.sap.corp:4324/sap/hana/xs/admin/#/package/sap.bc.ina.service.v2

/sap/hana/xs/admin/#/package/sap.bc.ina.service.v2

Verify that Basic Authentication is allowed as below

Configure CORS, with the Allowed Origins, Allowed Headers and Exposed Headers as specified below.

# Allowed Headers
accept
authorization
content-type
x-csrf-token
x-request-with
x-sap-cid
accept-language

# Exposed Headers
x-csrf-token

As an alternative, or if you experience any issues with the XS user interface, SQL can be used.
An example SQL statement is show, that can apply this configuration. The SQL needs to be modified with your appropriate SAP Analytics Cloud URL.

UPDATE "_SYS_XS"."RUNTIME_CONFIGURATION" 
SET "CONFIGURATION" = ' {"cors":{"enabled":true,"allowOrigin":["https://<url_address>"],"exposeHeaders":["x-csrf-token"],"allowHeaders":["accept-language","x-sap-cid","x-request-with","x-csrf-token","content-type","authorization","accept"],"allowMethods":["GET","HEAD","POST","OPTIONS"],"maxAge":3600}}' 
WHERE "PACKAGE_ID" = 'sap.bc.ina.service.v2';

This is also described in the SAP Note 2655556

4. XS Timeout

We should also increase the XS timeout from the default of 900 seconds (15 minutes) to 43200 (12 hours). Below is the SQL to do this.

alter system alter configuration ('xsengine.ini','SYSTEM') set ('httpserver','sessiontimeout')='43200' with reconfigure;

This can also be changed in HANA Studio.

5. SameSite Cookies Settings

I have captured these steps in a separate blogpost that can be found here

https://blogs.sap.com/2020/08/26/how-to-fix-google-chrome-samesite-cookie-issue-with-sac-and-hana/

SAP Analytics Cloud

With the CORS configuration now completed we can establish the Live Direct HANA connection within SAP Analytics Cloud.

Troubleshooting

Recently (during 2020 and early 2021) Google Chrome has included additional privacy settings for blocking third-party cookies. The impact of this is that live HANA connections can fail due to the site being seen as a third-party.

You can check for third-party cookies being blocked.

With Chrome Site Settings, you can allow the blocked Cookies

 

If SAC refuses to connect, then further information can be seen in the web browser Developer  Console (F12) or (View/Tools -> Web Developer -> Console)

Assigned tags

      25 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Julian Jimenez
      Julian Jimenez

      Excellent blog Ian, very clear. If somebody needs more info on requesting a certificate for HANA, I would recommend this KBA: https://launchpad.support.sap.com/#/notes/2502174

      Author's profile photo John Kearns
      John Kearns

      Agree that this was a very helpful document.  The use of screenshots and actual URLs helped immensely.

      I realized from the screenshots provided that I had entered the allowed headers as a single string instead of 6 discreet headers.

      Changing that solved my connectivity issue.

      Author's profile photo Mario Bisonti
      Mario Bisonti

      Hallo

      Is it possible to use a self-signed certificate ?

      Thanks a lot

       

      Author's profile photo Ian Henry
      Ian Henry
      Blog Post Author

      Hi Mario,

      There is a hack that you can try for testing, that allows self-signed certs to work.

      **Updated 18th Sept 2019**

      You need to tell your browser to ignore certificate errors and trust the self signed certificates.

      To do this you need to modify the browser start-up parameters, and add –ignore-certificate-errors
      On windows this is the windows shortcut to Chrome.exe,  on Mac you can launch chrome via the terminal.

      cd /Applications/Google\ Chrome.app/Contents/MacOS/

      ./Google\ Chrome –ignore-certificate-errors 2>/dev/null &

      If launched successfully, you will then receive a warning that this is an unsupported command line flag, but SAC will now connect to HANA ?

      Author's profile photo Mike Howles
      Mike Howles

      Is anybody else having a problem adding the exposed header 'x-csrf-token'?  I can do everything else but I get a UI5 error in JavaScript console when trying to add this particular one...

      Author's profile photo Ian Henry
      Ian Henry
      Blog Post Author

      Hi Mike,

      I have not come across that one, could be browser related - perhaps try with a different browser, or clear browser the cache?

       

      Author's profile photo Mike Howles
      Mike Howles

       

      I ruled all that out. Tried different browsers and killed cache/cookies etc.  It's a genuine code bug, at least in 2.0 SP3...  For clarity's sake, I'm using the XS Classic HANA admin services (not XSA that pulls its stuff from a public CDN, so I've heard) which may explain why not everybody is struggling with this, as I'm probably an oddity with still only using XS Classic.  I managed to "hot fix" it by modifying a JS file to prevent the JS error and now I've got the connection working in SAC.  Screenshot below shows the hot fix. (Yeah, yeah, not supported by SAP, but whatever, I'm using HANA Express, and the code was broken, and now it's not)

       

       

      Author's profile photo Ian Henry
      Ian Henry
      Blog Post Author

      Wow, thanks for sharing Mike.

      I'm on 2.0 SP2, so I haven't come across this one yet.

      I did see that HANA 2.0 SPS03 Revision 31 is now available, let's hope that fixes it too.

       

      Author's profile photo Harjeet Judge
      Harjeet Judge

      I've come across this in the past with some HANA systems.  Use the reset button to reset the CORS configuration and add x-csrf-token to the Expose Headers area first.  Add the additional "Allowed Headers" after.

       

      Author's profile photo Praveen Bheemarapu
      Praveen Bheemarapu

      Thanks for sharing the steps, Could you please help me to have the CORS code.

      Thanks

      Praveen

      Author's profile photo Ian Henry
      Ian Henry
      Blog Post Author

      Hi Praveen,

      I am not sure what you are after?

      There is no CORS code per say, just the configuration of CORS, which I have described above.

       

      Author's profile photo Ian Henry
      Ian Henry
      Blog Post Author

      Yes, that looks to be good.  It looks like you haven't applied the configuration yet.

      Your screenshot is cut off - do you see the Edit option as below?

      Author's profile photo IT_ERP MEDIATEK.COM
      IT_ERP MEDIATEK.COM

      Hello Ian,

      your introduction is about SAC connect to HANA XS classic Views, how about XS Advanced Information Views? they will not present in _SYS_BIC schema, and XS Advanced has its application role setting, so I assume there is a different way to config, right?

      Thanks

      Jinni

       

      Author's profile photo Ian Henry
      Ian Henry
      Blog Post Author

      Hi Jinni,

      Yes, this is true.

      There are two alternative approaches to solve this problem.

      Either Synonyms or the HANA Analytics Adapter (HAA)

      Synonyms, setup synonyms that reference the Column Views (Calc Views) in your HDI container to _SYS_BIC.  These can be created with .hdbsysbicsynonym file type, this is described here.

      https://help.sap.com/viewer/4505d0bdaf4948449b7f7379d24d0f0d/2.0.03/en-US/0bf88516d12b40ee9605b9f75fae568e.html.

       

      HAA, Deploy the new InA connectivity that use XSA/Cloud Foundry. The HANA Analytics Adapter, has been documented here

      https://blogs.sap.com/2019/01/22/from-zero-to-analytics-setting-up-a-user-for-the-hana-analytics-adapter/

      Author's profile photo Denys van Kempen
      Denys van Kempen

      Great blog, Ian

      Just recorded a series of video tutorials on this topic, based on the documentation and shamefully unaware of your post!

      SAP Analytics Cloud Live Connection (YouTube)

      Fortunately, we seemed to have followed the same approach, so let's say its an update...

      I will add a link to your blog for reference.

      https://blogs.sap.com/2019/05/28/sap-analytics-cloud-live-connection-to-sap-hana/ 

      Author's profile photo Ian Henry
      Ian Henry
      Blog Post Author

      Thanks Denys,

      HANA Academy videos are always welcome.

      Author's profile photo Denys van Kempen
      Denys van Kempen

      Thank you, sir.

      Author's profile photo Mazen Abbas
      Mazen Abbas

      Thanks for this blog

       

      is this also applicable for XSA?

      Author's profile photo Ian Henry
      Ian Henry
      Blog Post Author

      No, not really...

      SAC requires InA and CORS

      XSC is the quickest and easiest way to establish this.

      XSA can also provide InA but that requires you to configure and deploy the HAA (Hana Analytics Adapter) MTAR.  This can be found here https://tools.hana.ondemand.com/#hanatools

      Author's profile photo Frank Zhu
      Frank Zhu

      Hi Ian,

      Thanks very much for your documents. It's pretty usefull.

      Currently SAP HANA 2.0 doesn't inlcude HANA EPM-MDS package. May I know what does it

      use for? Is there any impact of Hana XS application which we developed?

       

      Author's profile photo Ian Henry
      Ian Henry
      Blog Post Author

      Hi Frank,

      The EPM-MDS has always been an additional plugin that you had to download. It is available for botht HANA 1.0 and HANA 2.0.
      MDS is Multi Dimensional Services.

      In HANA the EPM-MDS gives us the Information Access Protocol (InA), this provides analytic, planning, metadata and search services over http/s.

      Sorry, I don't understand you second question.

      Author's profile photo Frank Zhu
      Frank Zhu

      Hi lan,

       

      Thanks very much for your feedback. just ignore the send question. I think I already get the answer.

      Truly appreciate for your post.

      Author's profile photo Joseph yeruva
      Joseph yeruva

      Hi Ian,

      This is nice blog with details. I fallowed all the steps to connect LIVE on prem-HANA(2.0 SPS04) From SAC. Connection creation is successful (use rid, password based), sso not enabled for now. But when i try to create story the connector is not appearing in the list of data sources? what could be the reason ? can you guide me on this.

      Appreciate your help.

       

      Regards,

      Joseph

      Author's profile photo Matthew Shaw
      Matthew Shaw

      Can you confirm you created the model in SAC?

      Within the story you pick a model rather than a connection.

      Regards Matthew

      Author's profile photo Joseph yeruva
      Joseph yeruva

      Hi Matthew.

      no. i did not create model. I am going through these steps create story  --> access & exploredata-->data from data source -->then i dont see HANA Connector there.(attached the screen)