Skip to Content
Technical Articles
Author's profile photo Ian Henry

SAP Analytics Cloud Live Data Connection to HANA on-premise using CORS

The HANA CORS (Cross Origin Resource Sharing) configuration is straight forward but as the old saying goes, a picture paints a thousand words.  Such a shame that the SAP documentation policy does not allow screenshots.  I have captured the configuration steps here.

SAP Analytics Cloud Version 2018.1.0
SAP HANA Version 1.00.111 (SPS 11).

The official SAP Analytics Cloud documentation is good and could be found here.
Live Data Connection to SAP HANA

This CORS setup is pretty simple.

  1. Configure HANA HTTPS (SSL)
  2. InA (Information Access)
  3. CORS Configuration
  4. XS Timeout
  5. SameSite Cookie Settings

1. Configure HANA HTTPS (SSL)

The Configuration of the SSL certificate is within the Web Dispatcher at the URL below.
The following role is required.



For me that is


Once completed you must be able to access XS classic urls via HTTPS, without any security pop-ups or certificate errors. Usually this is port 4300, if your SAP HANA instance number is 00, but 24 in my case, therefore port 4324.

The full configuration steps for HTTPS are outlined within the SAP HANA help documentation so I won’t repeat those here.

Configure HTTPS (SSL) for Client Application Access


2. Information Access (InA) using EPM-MDS

Verify InA is installed and you have rights to access this service.


For me that is


The response from InA is in JSON, using a JSON browser extension makes the response more readable.

If InA is not working it may not be installed (as below).  Errors such as

“InformationAccess Service GetServerInfo is not available. Install the SAP HANA EPM-MDS plugin.”

You will need to download the the HANA EPM-MDS package from SWDC.

Check that your user has access to this package via the sap.bc.ina.service.v2.userRole::INA_USER role.

Verify that you can access Metadata via InA


For me that is{%22Metadata%22:{%22Expand%22:[%22Cubes%22]}}


3. CORS Configuration

Be aware the CORS config below needs to be repeated after each and every HANA update, e.g moving from revision 122.12 to 122.15.

To access the XS admin site your user requires the following roles.

sap.hana.xs.admin.roles::RuntimeConfAdministrator  sap.hana.xs.admin.roles::SAMLViewer

Login to your XS (classic) admin site, the URL would be something like


For me that becomes


Verify that Basic Authentication is allowed as below

Configure CORS, with the Allowed Origins, Allowed Headers and Exposed Headers as specified below.

# Allowed Headers

# Exposed Headers

As an alternative, or if you experience any issues with the XS user interface, SQL can be used.
An example SQL statement is show, that can apply this configuration. The SQL needs to be modified with your appropriate SAP Analytics Cloud URL.

SET "CONFIGURATION" = ' {"cors":{"enabled":true,"allowOrigin":["https://<url_address>"],"exposeHeaders":["x-csrf-token"],"allowHeaders":["accept-language","x-sap-cid","x-request-with","x-csrf-token","content-type","authorization","accept"],"allowMethods":["GET","HEAD","POST","OPTIONS"],"maxAge":3600}}' 
WHERE "PACKAGE_ID" = 'sap.bc.ina.service.v2';

This is also described in the SAP Note 2655556

4. XS Timeout

We should also increase the XS timeout from the default of 900 seconds (15 minutes) to 43200 (12 hours). Below is the SQL to do this.

alter system alter configuration ('xsengine.ini','SYSTEM') set ('httpserver','sessiontimeout')='43200' with reconfigure;

This can also be changed in HANA Studio.

5. SameSite Cookies Settings

I have captured these steps in a separate blogpost that can be found here

SAP Analytics Cloud

With the CORS configuration now completed we can establish the Live Direct HANA connection within SAP Analytics Cloud.


Recently (during 2020 and early 2021) Google Chrome has included additional privacy settings for blocking third-party cookies. The impact of this is that live HANA connections can fail due to the site being seen as a third-party.

You can check for third-party cookies being blocked.

With Chrome Site Settings, you can allow the blocked Cookies


If SAC refuses to connect, then further information can be seen in the web browser Developer  Console (F12) or (View/Tools -> Web Developer -> Console)

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Julian Jimenez
      Julian Jimenez

      Excellent blog Ian, very clear. If somebody needs more info on requesting a certificate for HANA, I would recommend this KBA:

      Author's profile photo John Kearns
      John Kearns

      Agree that this was a very helpful document.  The use of screenshots and actual URLs helped immensely.

      I realized from the screenshots provided that I had entered the allowed headers as a single string instead of 6 discreet headers.

      Changing that solved my connectivity issue.

      Author's profile photo Mario Bisonti
      Mario Bisonti


      Is it possible to use a self-signed certificate ?

      Thanks a lot


      Author's profile photo Ian Henry
      Ian Henry
      Blog Post Author

      Hi Mario,

      There is a hack that you can try for testing, that allows self-signed certs to work.

      **Updated 18th Sept 2019**

      You need to tell your browser to ignore certificate errors and trust the self signed certificates.

      To do this you need to modify the browser start-up parameters, and add –ignore-certificate-errors
      On windows this is the windows shortcut to Chrome.exe,  on Mac you can launch chrome via the terminal.

      cd /Applications/Google\

      ./Google\ Chrome –ignore-certificate-errors 2>/dev/null &

      If launched successfully, you will then receive a warning that this is an unsupported command line flag, but SAC will now connect to HANA ?

      Author's profile photo Michael Howles
      Michael Howles

      Is anybody else having a problem adding the exposed header 'x-csrf-token'?  I can do everything else but I get a UI5 error in JavaScript console when trying to add this particular one...

      Author's profile photo Ian Henry
      Ian Henry
      Blog Post Author

      Hi Mike,

      I have not come across that one, could be browser related - perhaps try with a different browser, or clear browser the cache?


      Author's profile photo Michael Howles
      Michael Howles


      I ruled all that out. Tried different browsers and killed cache/cookies etc.  It's a genuine code bug, at least in 2.0 SP3...  For clarity's sake, I'm using the XS Classic HANA admin services (not XSA that pulls its stuff from a public CDN, so I've heard) which may explain why not everybody is struggling with this, as I'm probably an oddity with still only using XS Classic.  I managed to "hot fix" it by modifying a JS file to prevent the JS error and now I've got the connection working in SAC.  Screenshot below shows the hot fix. (Yeah, yeah, not supported by SAP, but whatever, I'm using HANA Express, and the code was broken, and now it's not)



      Author's profile photo Ian Henry
      Ian Henry
      Blog Post Author

      Wow, thanks for sharing Mike.

      I'm on 2.0 SP2, so I haven't come across this one yet.

      I did see that HANA 2.0 SPS03 Revision 31 is now available, let's hope that fixes it too.


      Author's profile photo Harjeet Judge
      Harjeet Judge

      I've come across this in the past with some HANA systems.  Use the reset button to reset the CORS configuration and add x-csrf-token to the Expose Headers area first.  Add the additional "Allowed Headers" after.


      Author's profile photo Praveen Bheemarapu
      Praveen Bheemarapu

      Thanks for sharing the steps, Could you please help me to have the CORS code.



      Author's profile photo Ian Henry
      Ian Henry
      Blog Post Author

      Hi Praveen,

      I am not sure what you are after?

      There is no CORS code per say, just the configuration of CORS, which I have described above.


      Author's profile photo Ian Henry
      Ian Henry
      Blog Post Author

      Yes, that looks to be good.  It looks like you haven't applied the configuration yet.

      Your screenshot is cut off - do you see the Edit option as below?

      Author's profile photo BDC ERP
      BDC ERP

      Hello Ian,

      your introduction is about SAC connect to HANA XS classic Views, how about XS Advanced Information Views? they will not present in _SYS_BIC schema, and XS Advanced has its application role setting, so I assume there is a different way to config, right?




      Author's profile photo Ian Henry
      Ian Henry
      Blog Post Author

      Hi Jinni,

      Yes, this is true.

      There are two alternative approaches to solve this problem.

      Either Synonyms or the HANA Analytics Adapter (HAA)

      Synonyms, setup synonyms that reference the Column Views (Calc Views) in your HDI container to _SYS_BIC.  These can be created with .hdbsysbicsynonym file type, this is described here.


      HAA, Deploy the new InA connectivity that use XSA/Cloud Foundry. The HANA Analytics Adapter, has been documented here

      Author's profile photo Denys van Kempen
      Denys van Kempen

      Great blog, Ian

      Just recorded a series of video tutorials on this topic, based on the documentation and shamefully unaware of your post!

      SAP Analytics Cloud Live Connection (YouTube)

      Fortunately, we seemed to have followed the same approach, so let's say its an update...

      I will add a link to your blog for reference. 

      Author's profile photo Ian Henry
      Ian Henry
      Blog Post Author

      Thanks Denys,

      HANA Academy videos are always welcome.

      Author's profile photo Denys van Kempen
      Denys van Kempen

      Thank you, sir.

      Author's profile photo Mazen Abbas
      Mazen Abbas

      Thanks for this blog


      is this also applicable for XSA?

      Author's profile photo Ian Henry
      Ian Henry
      Blog Post Author

      No, not really...

      SAC requires InA and CORS

      XSC is the quickest and easiest way to establish this.

      XSA can also provide InA but that requires you to configure and deploy the HAA (Hana Analytics Adapter) MTAR.  This can be found here

      Author's profile photo Frank Zhu
      Frank Zhu

      Hi Ian,

      Thanks very much for your documents. It's pretty usefull.

      Currently SAP HANA 2.0 doesn't inlcude HANA EPM-MDS package. May I know what does it

      use for? Is there any impact of Hana XS application which we developed?


      Author's profile photo Ian Henry
      Ian Henry
      Blog Post Author

      Hi Frank,

      The EPM-MDS has always been an additional plugin that you had to download. It is available for botht HANA 1.0 and HANA 2.0.
      MDS is Multi Dimensional Services.

      In HANA the EPM-MDS gives us the Information Access Protocol (InA), this provides analytic, planning, metadata and search services over http/s.

      Sorry, I don't understand you second question.

      Author's profile photo Frank Zhu
      Frank Zhu

      Hi lan,


      Thanks very much for your feedback. just ignore the send question. I think I already get the answer.

      Truly appreciate for your post.

      Author's profile photo Joseph yeruva
      Joseph yeruva

      Hi Ian,

      This is nice blog with details. I fallowed all the steps to connect LIVE on prem-HANA(2.0 SPS04) From SAC. Connection creation is successful (use rid, password based), sso not enabled for now. But when i try to create story the connector is not appearing in the list of data sources? what could be the reason ? can you guide me on this.

      Appreciate your help.




      Author's profile photo Matthew Shaw
      Matthew Shaw

      Can you confirm you created the model in SAC?

      Within the story you pick a model rather than a connection.

      Regards Matthew

      Author's profile photo Joseph yeruva
      Joseph yeruva

      Hi Matthew.

      no. i did not create model. I am going through these steps create story  --> access & exploredata-->data from data source -->then i dont see HANA Connector there.(attached the screen)

      Author's profile photo Sravan Kumar Gostu
      Sravan Kumar Gostu

      Thanks for the nice blog,

      The one thing I don understand is even though the EPM MDS is not installed in our system I can still see the ina service in XS portal

      attached the screenshot

      So, do we still need to install EPM MDS in our system?

      Author's profile photo Sravan Kumar Gostu
      Sravan Kumar Gostu

      Nice blog explaining the HANA live connection, please add steps to enable SAML SSO for the HANA live connection