Technical Articles
SAP Analytics Cloud Live Data Connection to HANA on-premise using CORS
The HANA CORS (Cross Origin Resource Sharing) configuration is straight forward but as the old saying goes, a picture paints a thousand words. Such a shame that the SAP documentation policy does not allow screenshots. I have captured the configuration steps here.
SAP Analytics Cloud Version 2018.1.0
SAP HANA Version 1.00.111 (SPS 11).
The official SAP Analytics Cloud documentation is good and could be found here.
Live Data Connection to SAP HANA
This CORS setup is pretty simple.
- Configure HANA HTTPS (SSL)
- InA (Information Access)
- CORS Configuration
- XS Timeout
- SameSite Cookie Settings
1. Configure HANA HTTPS (SSL)
The Configuration of the SSL certificate is within the Web Dispatcher at the URL below.
The following role is required.
sap.hana.xs.wdisp.admin::WebDispatcherAdmin
http://<WebServerHost>:80<SAPHANAinstance>/sap/hana/xs/wdisp/admin/
For me that is http://ivml2152.wdf.sap.corp:8024/sap/hana/xs/wdisp/admin/public/default.html
/sap/hana/xs/wdisp/admin/
Once completed you must be able to access XS classic urls via HTTPS, without any security pop-ups or certificate errors. Usually this is port 4300, if your SAP HANA instance number is 00, but 24 in my case, therefore port 4324.
The full configuration steps for HTTPS are outlined within the SAP HANA help documentation so I won’t repeat those here.
Configure HTTPS (SSL) for Client Application Access
2. Information Access (InA) using EPM-MDS
Verify InA is installed and you have rights to access this service.
https://<hana-hostname>:43<SAPHANAinstance>/sap/bc/ina/service/v2/GetServerInfo
For me that is https://ivml2152.wdf.sap.corp:4324/sap/bc/ina/service/v2/GetServerInfo
/sap/bc/ina/service/v2/GetServerInfoThe response from InA is in JSON, using a JSON browser extension makes the response more readable.
If InA is not working it may not be installed (as below). Errors such as
“InformationAccess Service GetServerInfo is not available. Install the SAP HANA EPM-MDS plugin.”
You will need to download the the HANA EPM-MDS package from SWDC.
Check that your user has access to this package via the sap.bc.ina.service.v2.userRole::INA_USER role.
Verify that you can access Metadata via InA
https://<hana-hostname>:43<SAPHANAinstance>/sap/bc/ina/service/v2/GetResponse?Request={%22Metadata%22:{%22Expand%22:[%22Cubes%22]}}
For me that is https://ivml2152.wdf.sap.corp:4324/sap/bc/ina/service/v2/GetResponse?Request={%22Metadata%22:{%22Expand%22:[%22Cubes%22]}}
/sap/bc/ina/service/v2/GetResponse?Request={%22Metadata%22:{%22Expand%22:[%22Cubes%22]}}
3. CORS Configuration
Be aware the CORS config below needs to be repeated after each and every HANA update, e.g moving from revision 122.12 to 122.15.
To access the XS admin site your user requires the following roles.
sap.hana.xs.admin.roles::RuntimeConfAdministrator sap.hana.xs.admin.roles::SAMLViewer
sap.hana.xs.admin.roles::HTTPDestViewer
Login to your XS (classic) admin site, the URL would be something like
https://<hana-hostname>:43<SAPHANAinstance>/sap/hana/xs/admin/#/package/sap.bc.ina.service.v2
For me that becomes https://ivml2152.wdf.sap.corp:4324/sap/hana/xs/admin/#/package/sap.bc.ina.service.v2
/sap/hana/xs/admin/#/package/sap.bc.ina.service.v2Verify that Basic Authentication is allowed as below
Configure CORS, with the Allowed Origins, Allowed Headers and Exposed Headers as specified below.
# Allowed Headers
accept
authorization
content-type
x-csrf-token
x-request-with
x-sap-cid
accept-language
# Exposed Headers
x-csrf-tokenAs an alternative, or if you experience any issues with the XS user interface, SQL can be used.
An example SQL statement is show, that can apply this configuration. The SQL needs to be modified with your appropriate SAP Analytics Cloud URL.
UPDATE "_SYS_XS"."RUNTIME_CONFIGURATION"
SET "CONFIGURATION" = ' {"cors":{"enabled":true,"allowOrigin":["https://<url_address>"],"exposeHeaders":["x-csrf-token"],"allowHeaders":["accept-language","x-sap-cid","x-request-with","x-csrf-token","content-type","authorization","accept"],"allowMethods":["GET","HEAD","POST","OPTIONS"],"maxAge":3600}}'
WHERE "PACKAGE_ID" = 'sap.bc.ina.service.v2';This is also described in the SAP Note 2655556
4. XS Timeout
We should also increase the XS timeout from the default of 900 seconds (15 minutes) to 43200 (12 hours). Below is the SQL to do this.
alter system alter configuration ('xsengine.ini','SYSTEM') set ('httpserver','sessiontimeout')='43200' with reconfigure;This can also be changed in HANA Studio.
5. SameSite Cookies Settings
I have captured these steps in a separate blogpost that can be found here
https://blogs.sap.com/2020/08/26/how-to-fix-google-chrome-samesite-cookie-issue-with-sac-and-hana/
SAP Analytics Cloud
With the CORS configuration now completed we can establish the Live Direct HANA connection within SAP Analytics Cloud.
Troubleshooting
Recently (during 2020 and early 2021) Google Chrome has included additional privacy settings for blocking third-party cookies. The impact of this is that live HANA connections can fail due to the site being seen as a third-party.
You can check for third-party cookies being blocked.
With Chrome Site Settings, you can allow the blocked Cookies
If SAC refuses to connect, then further information can be seen in the web browser Developer Console (F12) or (View/Tools -> Web Developer -> Console)
Excellent blog Ian, very clear. If somebody needs more info on requesting a certificate for HANA, I would recommend this KBA: https://launchpad.support.sap.com/#/notes/2502174
Agree that this was a very helpful document. The use of screenshots and actual URLs helped immensely.
I realized from the screenshots provided that I had entered the allowed headers as a single string instead of 6 discreet headers.
Changing that solved my connectivity issue.
Hallo
Is it possible to use a self-signed certificate ?
Thanks a lot
Hi Mario,
There is a hack that you can try for testing, that allows self-signed certs to work.
**Updated 18th Sept 2019**
You need to tell your browser to ignore certificate errors and trust the self signed certificates.
To do this you need to modify the browser start-up parameters, and add –ignore-certificate-errors
On windows this is the windows shortcut to Chrome.exe, on Mac you can launch chrome via the terminal.
cd /Applications/Google\ Chrome.app/Contents/MacOS/
./Google\ Chrome –ignore-certificate-errors 2>/dev/null &
If launched successfully, you will then receive a warning that this is an unsupported command line flag, but SAC will now connect to HANA ?
Is anybody else having a problem adding the exposed header 'x-csrf-token'? I can do everything else but I get a UI5 error in JavaScript console when trying to add this particular one...
Hi Mike,
I have not come across that one, could be browser related - perhaps try with a different browser, or clear browser the cache?
I ruled all that out. Tried different browsers and killed cache/cookies etc. It's a genuine code bug, at least in 2.0 SP3... For clarity's sake, I'm using the XS Classic HANA admin services (not XSA that pulls its stuff from a public CDN, so I've heard) which may explain why not everybody is struggling with this, as I'm probably an oddity with still only using XS Classic. I managed to "hot fix" it by modifying a JS file to prevent the JS error and now I've got the connection working in SAC. Screenshot below shows the hot fix. (Yeah, yeah, not supported by SAP, but whatever, I'm using HANA Express, and the code was broken, and now it's not)
Wow, thanks for sharing Mike.
I'm on 2.0 SP2, so I haven't come across this one yet.
I did see that HANA 2.0 SPS03 Revision 31 is now available, let's hope that fixes it too.
I've come across this in the past with some HANA systems. Use the reset button to reset the CORS configuration and add x-csrf-token to the Expose Headers area first. Add the additional "Allowed Headers" after.
Thanks for sharing the steps, Could you please help me to have the CORS code.
Thanks
Praveen
Hi Praveen,
I am not sure what you are after?
There is no CORS code per say, just the configuration of CORS, which I have described above.
Yes, that looks to be good. It looks like you haven't applied the configuration yet.
Your screenshot is cut off - do you see the Edit option as below?
Hello Ian,
your introduction is about SAC connect to HANA XS classic Views, how about XS Advanced Information Views? they will not present in _SYS_BIC schema, and XS Advanced has its application role setting, so I assume there is a different way to config, right?
Thanks
Jinni
Hi Jinni,
Yes, this is true.
There are two alternative approaches to solve this problem.
Either Synonyms or the HANA Analytics Adapter (HAA)
Synonyms, setup synonyms that reference the Column Views (Calc Views) in your HDI container to _SYS_BIC. These can be created with .hdbsysbicsynonym file type, this is described here.
https://help.sap.com/viewer/4505d0bdaf4948449b7f7379d24d0f0d/2.0.03/en-US/0bf88516d12b40ee9605b9f75fae568e.html.
HAA, Deploy the new InA connectivity that use XSA/Cloud Foundry. The HANA Analytics Adapter, has been documented here
https://blogs.sap.com/2019/01/22/from-zero-to-analytics-setting-up-a-user-for-the-hana-analytics-adapter/
Great blog, Ian
Just recorded a series of video tutorials on this topic, based on the documentation and shamefully unaware of your post!
SAP Analytics Cloud Live Connection (YouTube)
Fortunately, we seemed to have followed the same approach, so let's say its an update...
I will add a link to your blog for reference.
https://blogs.sap.com/2019/05/28/sap-analytics-cloud-live-connection-to-sap-hana/
Thanks Denys,
HANA Academy videos are always welcome.
Thank you, sir.
Thanks for this blog
is this also applicable for XSA?
No, not really...
SAC requires InA and CORS
XSC is the quickest and easiest way to establish this.
XSA can also provide InA but that requires you to configure and deploy the HAA (Hana Analytics Adapter) MTAR. This can be found here https://tools.hana.ondemand.com/#hanatools
Hi Ian,
Thanks very much for your documents. It's pretty usefull.
Currently SAP HANA 2.0 doesn't inlcude HANA EPM-MDS package. May I know what does it
use for? Is there any impact of Hana XS application which we developed?
Hi Frank,
The EPM-MDS has always been an additional plugin that you had to download. It is available for botht HANA 1.0 and HANA 2.0.
MDS is Multi Dimensional Services.
In HANA the EPM-MDS gives us the Information Access Protocol (InA), this provides analytic, planning, metadata and search services over http/s.
Sorry, I don't understand you second question.
Hi lan,
Thanks very much for your feedback. just ignore the send question. I think I already get the answer.
Truly appreciate for your post.
Hi Ian,
This is nice blog with details. I fallowed all the steps to connect LIVE on prem-HANA(2.0 SPS04) From SAC. Connection creation is successful (use rid, password based), sso not enabled for now. But when i try to create story the connector is not appearing in the list of data sources? what could be the reason ? can you guide me on this.
Appreciate your help.
Regards,
Joseph
Can you confirm you created the model in SAC?
Within the story you pick a model rather than a connection.
Regards Matthew
Hi Matthew.
no. i did not create model. I am going through these steps create story --> access & exploredata-->data from data source -->then i dont see HANA Connector there.(attached the screen)
Thanks for the nice blog,
The one thing I don understand is even though the EPM MDS is not installed in our system I can still see the ina service in XS portal
attached the screenshot
So, do we still need to install EPM MDS in our system?
Nice blog explaining the HANA live connection, please add steps to enable SAML SSO for the HANA live connection