Cloud Integration – How to Connect to an On-Premise sftp server via Cloud Connector
You may use the SAP Cloud Connector to securely connect to On-Premise systems. SAP Cloud Integration supports this configuration via the connection proxy type ‘On-Premise’ currently in the following receiver adapters:
- AS2 (enterprise license only)
- SOAP | SAP RM
- SOAP | SOAP 1.x
- SFTP (with November release)
This includes support for connections to multiple SAP Cloud Connectors. For this use case you specify in your SAP Cloud Connector configuration a Location ID which you refer to in your sender or receiver adapter configuration.
Connect to an On-Premise sftp server via Cloud Connector
With the November 2018 release of SAP Cloud Integration we release a new version of the sftp sender and receiver adapter that supports connecting to On-Premise sftp servers using the SAP Cloud Connector. This configuration utilizes the SOCKS5 proxy supported in SAP Cloud Connector version 2.10 and higher.
You may use it in your sftp sender and receiver adapters to connect via TCP to your On-Premise sftp server. So far, this scenario required dedicated ports to be opened in your firewall, which was often not supported by your security policy. Opening ports is now obsolete.
I assume you have already installed the SAP Cloud Connector and connected it to your SAP Cloud Platform account in which your subscription to SAP Cloud Integration resides. If not, download an SAP Cloud Connector from our tools page and follow its installation documentation.
All you need to do now is to
- configure a new Cloud to On-Premise system mapping in your Cloud Connector and
- configure your sftp sender or receiver adapter accordingly
Let’s go step by step.
Configure a Cloud to On-Premise system mapping in the Cloud Connector
Log on to your Cloud Connector and add a Cloud to On-Premise system mapping. Maintain the parameters in the wizard as follows.
Set the Backend Type to ‘Non-SAP System’.
Select the ‘TCP’ Protocol. The configuration options for TCP are not as specific as for e.g. HTTP, i.e. the SAP Cloud Connector may not restrict potential misuse from your SAP Cloud Platform account. This is referred to as a security risk.
Maintain your On-Premise sftp server & port you want to connect to.
Define the virtual sftp server & port you want to expose to your SAP Cloud Platform Account (it will be re-used later in the sftp receiver adapter configuration).
Maintain an optional description, tick the ‘Check Internal Host’ checkbox (to enable the ping test from SAP Cloud Connector to your On-Premise sftp server) and finish.
You may check and maintain your system mapping in the Cloud To On-Premise overview.
Log on to your Cloud Platform account and check the corresponding Cloud Connector status.
If all is fine you may consume your just established TCP connection in the sftp sender or receiver adapter.
Configure the sftp Sender or Receiver Adapter
Log on to the Cloud Integration WebUI and maintain the connection parameters in the sftp adapter properties as follows.
Maintain the virtual sftp server name & port for the proxy type ‘On-Premise’. Maintain the Location ID of the Cloud Connector, if configured in the Cloud Connector. Define the Authentication configuration as required by your On-Premise sftp server.
It is important that the public key of the sftp server is added to the known hosts file under the address set in the channel. This address is the virtual server name as used in the Cloud Connector; do not use the real server name as defined in the Cloud Connector, because only the virtual server name is known to Cloud Integration.
Done, save and deploy the integration flow. Start sending messages from SAP Cloud Integration via your own On-Premise sftp server or start polling files from your On-Premise sftp server.
If you run into errors executing your scenario you may find information for error analysis at the following places:
- Integration Content Monitor in Cloud Integration
- Message Processing Monitor in Cloud Integration
- Cloud Connector Connectivity Test
- SSH Connectivity Test
- Log File in Cloud Connector
Let’s have a short look at the different tools.
Integration Content Monitor
After deploying the integration flow you should first check in the Integration Content monitor in SAP Cloud Integration if the integration flow is started successfully. As integration flows with sftp sender adapters start polling immediately after the integration flow is started, errors during the poll are shown here. No message processing log is created in this case.
Poll Status (available with the 16-Feb-2020 update)
In the Status Details area you may find the status and the details about the current poll status:
If there is an error when polling messages via the sftp sender adapter the error would be shown here for the respective integration flow. In the Polling Information the status of the consumption is shown as Failed.
In the sample error below, you see that an error is coming back from the SOCKS proxy of the Cloud Connector. In this case you would have to check the monitor and the log files in the Cloud Connector for more details. Check that the request reaches your Cloud Connector instance at all; maybe the Location ID in the Cloud Connector configuration does not match the Location ID used in the sftp channel?
Message Processing Monitor
The second important monitor to be checked if your scenario does not work is the Message Processing monitor in the Cloud Integration Monitoring. If there is an error sending messages to a specific sftp receiver the error would be shown here.
In the sample error below, you see that the hostkey is rejected. This means that the public key of the sftp server is not maintained in the known hosts file for the configured virtual sftp host. Maybe the public key is maintained with the real sftp server address? If so, this entry needs to be changed in the known hosts file. Details about known hosts file maintenance can be found in the blog How to setup secure connection to sftp server. Note that the public key cannot yet be downloaded via the Connectivity Test when connecting to the sftp server via Cloud Connector. The Connectivity Test will be updated soon to support this, the blog will then be updated.
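Added example (not part of the original blog and not SAP code): a small Python check of a known hosts file before upload. It covers the virtual versus real host name rule from the adapter configuration above and the two host key errors discussed on this page. Host names, keys and finding codes are constructed for illustration; the underscore check reflects the fix reported in the comments further down.

```python
import base64
import binascii
import struct


def constructed_blob(key_type, filler):
    """Constructed sample data: valid SSH key-blob header, meaningless body."""
    name = key_type.encode()
    raw = struct.pack(">I", len(name)) + name + struct.pack(">I", len(filler)) + filler
    return base64.b64encode(raw).decode()


def blob_key_type(blob_b64):
    """Return the algorithm name embedded in a base64 SSH public key blob, else None."""
    try:
        raw = base64.b64decode(blob_b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) < 4:
        return None
    (length,) = struct.unpack(">I", raw[:4])
    if length == 0 or len(raw) < 4 + length:
        return None
    return raw[4:4 + length].decode("ascii", errors="replace")


def host_names(field):
    """Split the host field into plain names; '[name]:port' is reduced to 'name'."""
    names = []
    for pattern in field.split(","):
        if pattern.startswith("[") and "]" in pattern:
            pattern = pattern[1:pattern.index("]")]
        names.append(pattern.lower())
    return names


def audit(known_hosts, channel_host, real_host=None, presented_key=None):
    """Return (code, message) findings for the host configured in the sftp channel.

    channel_host  - virtual host name from the Cloud Connector mapping
    real_host     - internal host name, only used to spot the wrong-name mistake
    presented_key - base64 host key as shown by the SSH connectivity test
    """
    findings, channel_keys, real_listed = [], [], False
    for lineno, line in enumerate(known_hosts.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) < 3:
            findings.append(("FORMAT", f"line {lineno}: expected '<host> <key type> <base64 key>'"))
            continue
        hosts, key_type, blob = fields[:3]
        if blob_key_type(blob) != key_type:
            findings.append(("KEYDATA", f"line {lineno}: key is truncated or not a {key_type} key"))
            continue
        names = host_names(hosts)
        if channel_host.lower() in names:
            channel_keys.append(blob)
        if real_host and real_host.lower() in names:
            real_listed = True
    if "_" in channel_host:
        findings.append(("UNDERSCORE", "virtual host name contains '_' (see comments on this page)"))
    if not channel_keys:
        if real_listed:
            findings.append(("REAL_HOST_ONLY", "key is filed under the real host name; "
                             "the host key will be rejected for the virtual host"))
        else:
            findings.append(("NO_ENTRY", "no usable entry for the virtual host; "
                             "the host key will be rejected"))
    elif presented_key and presented_key not in channel_keys:
        findings.append(("KEY_MISMATCH", "entry exists but differs from the key the server "
                         "presents ('HostKey has been changed')"))
    return findings


# Constructed sample values, not taken from any real system.
VIRTUAL = "virtualsftp"
REAL = "sftp01.corp.example"
KEY_A = constructed_blob("ssh-rsa", b"constructed-key-A")
KEY_B = constructed_blob("ssh-rsa", b"constructed-key-B")

if __name__ == "__main__":
    cases = {
        "real host name used": f"{REAL} ssh-rsa {KEY_A}\n",
        "stale key": f"{VIRTUAL} ssh-rsa {KEY_B}\n",
        "correct": f"{VIRTUAL} ssh-rsa {KEY_A}\n",
    }
    for label, content in cases.items():
        print(label, audit(content, VIRTUAL, REAL, KEY_A))
```

Pass the key copied from the SSH connectivity test as presented_key; an empty result means the file has a well-formed entry for the virtual host with exactly that key.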
SSH Connection Test
The Connectivity Test is available in Operations View in Web UI, in section Manage Security Material. Selecting the Connectivity Test tile from Overview Page opens the test tool offering tests for different protocols. To test the communication to the SFTP server, the SSH option is to be selected.
With the update on 6th of January you can select the On-Premise Cloud Connector proxy and enter a Location ID also in the SSH test to test the connection to the SFTP server via the Cloud Connector:
More details about the SSH connection test can be found in the blog How to Setup Secure Connection to SFTP Server.
Cloud Connector Connectivity Test (available with 29-September-2019 release)
The Cloud Connector Connectivity Test can be used to test if the Cloud Connector connected to the Cloud Integration tenant can be reached via the Cloud Integration’s runtime with the defined Location ID.
Like the SSH Connection Test, the Cloud Connector Test can be found in the Connectivity Tests tile in the Operations View in Web UI in section Manage Security Material. In the test tool select Cloud Connector. The only input field for the Cloud Connector test is the Location ID. Enter the Location ID you have configured in the Cloud Connector and also use in the adapter channel in the integration flow.
The test pings the Cloud Connector with this Location ID. If no Cloud Connector is connected with this Location ID the test fails:
If the Cloud Connector can be reached with the given Location ID the test executes successfully:
Cloud Connector Log
If you receive errors coming from the SOCKS proxy, you have to check the Cloud Connector log file for more information. Maybe the mapping for the used virtual host does not exist?
Great, long awaited functionality!
Nice, looks like improvements in both CPI and Cloud Connectors are coming really fast! Extending patterns for cloud 2 on-prem integrations will be really useful.
Very well and step by step explained... Thank you for sharing it!!!
Is there anyway to get access to CPI/HCI system?
to get access to a trial tenant you may contact the mail address mentioned in the blog: https://blogs.sap.com/2013/10/22/sap-hana-cloud-integration-test-and-learn-more-about-sap-s-cloud-based-integration-solution/
if any document or pdf of sap cpi with success factors scenarios and study material can mailed me on firstname.lastname@example.org
It was Indeed ..
Excellent post Mandy and great to see this feature is now enabled.
For the incoming SFTP connection from SCP-I to Cloud Connector, is there a list of IPs that have to be whitelisted on firewall?
the connection from Cloud Platform Integration to the Cloud Connector is done using a secure tunnel that is established from the Cloud Connector agent running in the On-Premise network.
the Cloud Connector Setup including setup/configuration/network/security is described in the Cloud Connector Documentation: https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/e6c7616abb5710148cfcf3e75d96d596.html
Very nice feature, it's great to have it.
Is "TLS Connectivity Test via SCC" on the roadmap?
Intuitively it's a very similar feature - but probably less useful than SFTP connectivity though.
TLS test is testing the SSL connection setup. In case of Cloud Connector, this is not possible as the connection to the Cloud Connector is done via HTTP and no SSL handshake is taken place. The SSL connection is only established between Cloud Connector and Backend. But yes, we are thinking about options how to offer a connectivity test for HTTP connectivity via Cloud Connector.
Thanks for the answer, that's what I'm asking. Sorry for the confusion.
Thank you for the nice blog. I've a slightly different scenario that I can't seem to get working. Hopefully you might be able to provide some insight.
I do want to develop a CPI flow that connects to an on-premise SFTP platform with Basic Authentication, however I want it deployed on SAP PO and not run from the cloud. Since my SAP PO and the SFTP platform are both on-premise I expected to be able to connect via regular SFTP configuration in CPI, but that doesn't seem to work (Cannot connect to sftp://<User>@<Host>:22).
Any suggestions? Do I still need the Cloud Connector although my CPI flow runs on SAP PO?!
I don't fully understand your scenario. The CPI flow should connect to the sftp server running on-premise or do you want to run the whole flow on PO via profile IGW in the Integration flow configuration? Meaning the integration flow shall be deployed to the on-premise system?
If the flow is running in IGW runtime, there is no need to configure the Cloud Connector. This should run directly.
Maybe you could open a ticket for the issue?
Thank you for the quick reply. I indeed want to run the whole flow on PO via profile IGW in the Integration flow configuration. Thank you for confirming that, in that case, I don’t need the Cloud Connector.
Now that I know my setup should be correct, I’ll open a ticket to ask further assistance with the issue I’m encountering.
Can you help me with the queries in this link regarding hybrid landscape setup. Thanks for your kind support.
we are working with the 1811 SCPI release.
we do not have the "proxy Type" option.
therefore we cannot select the "on Premise" option as our SFTP is exposed by the cloud connector.
where or what can we do to have this option?
you not only need the newest stack version, but also use the latest version of the sftp adapter. Please delete the sftp channel and newly create it. Then the latest version of the adapter is taken, old versions of the sftp adapter will not have the CC option.
tks a lot, the option is now available.
one different question, how to set the FM (into the SCPI) for a RFC call from a SCPI to a on-premise target?
for RFC adapter I'm actually the wrong contact. Here I would refer to the blog: https://blogs.sap.com/2017/07/20/how-to-use-rfc-adapter-to-execute-remote-function-module-on-abap-system/
Maybe ask your question there?
Thank you for the support
Good morning, Mandt.
How are you?
We started the development of a proof of concept for a client this week and I have a doubt about the parameters that must be filled for the soap adapter receiver communication channel in SAP HCI:
Following is the architecture that was defined for this POC:
Legacy System Lecom (API) (On Premise) -> SAP Cloud Platform -> SAP API Management -> SAP HCI -> SAP Cloud Connector> Legacy System MXM (WebService XML/SOAP) (On Premise).
How do I configure the adapter soap receiver to access the WebService of the Legacy MXM System via the SAP Cloud Connector?
For this situation, I imported the WSDL from Legacy System MXM to SAP HCI according to the screen below, however I am in doubt about which value I should fill in the Address field.
Should I fill the value of the Address field with the content of the Soap Address property contained in the WSDL file? Or with the content of the virtual host configured in the SAP Cloud Connector (screen also below)?
The configuration made in the SAP Cloud Connector is with the TCP protocol and the address field on the soap adapter receiver (HCI) only accepts value with the nomenclature http: // <host>: <port>
Could you help me?
this blog is about connecting to a sftp server via Cloud Connector, not how to connect via SOAP adapter to an on-prem backend.
But let me give you some hints about the SOAP adapter:
I hope this helps you to set-up your communication.
Thank you very much for the information
Thanks Mandy for the great blogs!!
this sFTP adapter seems to be only for on-premise systems, is this correct?
I need an sFTP receiver & sender adapter to a 3'rd party cloud system. Is this a go or no-go at this point or is it a similar configuration process? Any other things to consider for a cPI to Cloud connector?
Thanks in advance for shedding light on this.
no, the sftp adapter can be used to any accessible sftp server as well. If the adapter is used without proxy On-Premise then you can connect to any sftp server accessible from the internet.
Thanks for the blog. I have a question, how can I pick files from local directory(NFS). Do I use the same concept. But what will be the address then?
this is not supported with the sftp adapter.
Thanks for your reply. Would you know how we can pick files from on prem directory in CPI. In PO 7.5 it is using NFS.
I assumed we could follow the same approach to connect to system on prem and fetch file using SFTP adapter.
in PO this can be done using the file adapter, the sftp adapter cannot access NFS on-prem file shares. This is not possible with CPI, you need to use an sftp server.
SFTP is installed on S4 HANA and Cloud connector is installed on S4 HANA.
I did Virtual host mapping on cloud connector then I use Virtual host in SFTP Receiver adapter.
I used Virtual host name-ssh-rsa - <Public key> in KNOWN_HOST file
My Proxy type is "ON PREMISE" and I am using Authentication as UserName/password ,
Still I am getting Error
HostKey has been changed
is issue that SFTP on S4 HANA?
it’s hard to analyze with having only these details. In general the configuration you described should be sufficient. What does the Connectivity Test tell you? Maybe the known hosts file does not really contain the correct host key?
The error means that there is an entry for this host in the known hosts file, but the host key does not fit to the one provided by the server.
Please do the connectivity test with the virtual host name you also use in the cloud connector. And add the host key returned in the known host file with virtual host name.
Maybe someone changed the configuration in the cloud connector and the real host now points to a different host? Or there is another Cloud Connector with another location ID using the same virtual host? The virtual host needs to be unique across location IDs.
This should work.
Thanks a lot Mandy.
You are incredible.
S4 HANA SFTP team give me public key. I was using that in Known_Host file.
After your suggestion, I used the connectivity test and copied the host key from the Connectivity test.
I used that In Known_host file.
It is working now.
Thank you for the info. I'm happy that it works now 🙂
It seems you're the best person to which to ask the following : is there a way to connect SMB/CIFS shares, from C/4 Cloud to an on-premises Windows server. I've the feeling the answer will be no, but I keep my fingers crossed 😉 And if not, is such a function in the SCC development pipeline ?
Thanks in advance for your precious help
sorry, but I do not understand how this is related to CPI? Maybe you could give some more context on the part of CPI in such a scenario? In CPI there is no adapter to connect via SMB/CIFS to Windows servers.
Thanks for the detailed blog.
I am trying to deploy the known_hosts file to my CPI tenant to establish the connection between SFTP and CPI.
But I am getting the below error:
“Deploy artifact failed with error: You are not authorized to perform this operation”
I am having the admin roles.
Please let me know if I am missing anything.
As the message indicates you have no authorization to deploy security artifacts. You need tenant administrator rights for deploying security artifacts.
I have assigned the roles to my S-User and I am able to deploy the known_hosts file now.
Thanks for sharing this.
Is there any option to connect to NFS from CPI via Cloud Connector ?
No, this is not possible with the sftp adapter.
Thanks Mandy for your reply, do you think it can be a possibility with future release ?
It's currently not on the roadmap. But if there are multiple customer requests into this direction we will for sure evaluate the request further.
If I need to connect to SFTP Server through Internet (not cloud connector On-Premise), do I need to Create a OSS note to SAP OPS team to whitelist the SFTP Server IP address ?
Asking since I am getting "socket is not established" exception while testing the connectivity from CPI. I have maintained known_host file correctly.
you need to open the ports in your firewall to allow connection to your sftp server. The sftp server needs to be accessible from internet. See: https://help.sap.com/viewer/ea72206b834e4ace9cd834feed6c0e09/Cloud/en-US/d722f7cea9ec408b85db4c3dcba07b52.html
Thanks for the valuable blog.
I have a scenario where the requirement is to place a file in a local folder in S4 HANA via CPI.
I understand we cannot do it by using ftp/nfs in CPI.
Can you suggest if there is an option to place a file in S4 HANA folder by using CPI.
Thanks in advance.
in CPI there is no file/nfs adapter. You need a sftp or after the T5 upgrade a ftp adapter that can put files to sftp or ftp servers. From there you may have some file move tool running that puts the file to the S/4 local folder.
Mandy Krimmel we get the following error when try to connect to on premise sftp from cloud connector:
this error comes from the Cloud Connector. Please re-check the configuration in the sftp channel and the virtual host mapping in the Cloud Connector. And check that the known host entry for the key is maintained with the server configured in the sftp channel.
Furthermore please check in the Cloud Connector logs.
in the cloud connector, at mapping level check it is not reachable. in the cloud connector log there is timeout exception.
then the sftp server seems not reachable from where the Cloud Connector is installed?
Yes, it's not reachable from cloud connector. Is it firewall or white listing issue?
As this is all installed in the on-prem landscape you should know if there is a firewall between the CC and the sftp server and what to configure that the connection can be established. Maybe you consult with your network administrator?
AS-IS Interface on SAP PO is:
Concur SFTP --> (SFTP Sender channel) --> SAP PO -> (File/NFS channel) SAP ECC directory (AL11)
As part of SAP PO to SAP CPI migration, we have to move this Integration from SAP PO to CPI.
Hence looking to establish a connection from SAP CPI to SAP SCC to SAP ECC (AL11).
Since there is no NFS/File adapter available in CPI adapters list, how can we move forward here? Moving the file to SFTP and setting up another job to move the file from SFTP to ECC AL11 doesn't look good here as it has many hops. File/NFS adapter is pretty much required for the customers who migrate their interfaces from SAP PO to SAP CPI. It would be really helpful If SAP can get this adapter at the earliest.
in Cloud Integration there is no File Adapter planned at the moment. The adapters for file transfer are sftp and ftp, because the file adapter is nothing that works in the cloud.
If you want to move such scenarios using file transfer you need to adjust the scenario.
Submitted an Improvement Idea for File adapter in SAP CPI.
Very good link
this error sounds like the hostname in your channel does not match the virtual host in the cloud connector configuration.
I am unable to add known host file in security material. I have copied the Host key for Host and port configured in cloud connector but unable to add key in known host file.
Please find the screenshots below.
Virtual Host and port as configured in CC
Copied the key and pasted it in Notepad and uploaded it in Security Material --> known hosts
Error when uploaded in Security Material
Is it validating host used as Virtual Host in Cloud connector? If so, what should be configured in known_hosts file.
Looks like the format of the known hosts file is wrong, please check that it really is having following format:
ld2345.wdf.sap.corp ssh-rsa AAAAB3NzaC1yc2EAAAo………2pOx2ADnZ1WwtjW48=
Whereas the server name needs to be the virtual host name entered in the sftp channel.
I have configured below details in SFTP sender channel.
Address = Hostname:Port (virtual_sftp:450)
SFTP channel Configuration
I tried uploading known hosts files in below 2 formats.
Hostname:Port as configured in Sender channel (copied and pasted the host key from Connectivity Test tab)
Modified file with only Hostname(i.e. server name) as per host key file structure
but I am getting same error as below for 2 files
and I assume Iflow could not be deployed because of known hosts file issue as per below issue while deployment
Could you please change your virtual host name to something without underscore. The underscore is the problematic character. See:
Note that you will then also have to change it in Cloud Connector and in sftp channel.
Your scenario seems pretty much like mine, I just have a query, I am getting the below error after creating the cloud-on premise system mapping and hence the connectivity test ping from CPI is also not successful.
Any help would be appreciated.
I tried by removing "_" in Virtual host as Mandy stated above but at Cloud connector level "_" does not matter. Please check by removing "_" and also try deleting mapping and create again as status is "Not Reachable".
I am able to pick file from on-premise sftp server now after removing "_".
Thanks for confirming 🙂
I have the exact scenario(S4 on premise -> CPI -> cloud application) in my project, but we are struggling at the "Connectivity Test" step in CPI. I have done all the configurations in CPI & cloud connector but still not able to generate the "known_hosts" file in CPI, getting the below error.
Any idea what might be the issue? also is there any other way to generate the known_hosts file?
Thanks in advance.
I think Cloud connector is not required for S4 on-prem --> CPI(required only for CPI --> S4 on-prem) connectivity and known hosts file is only for integrating CPI with SFTP server.
If SFTP adapter with on-prem server is on sender or receiver side is used, then Cloud connector is mandatory(as CPI needs to pick/drop file in SFTP server folder).
That's absolutely true, and we won't be using the cloud connector for any outbound SFTP interface from S4 to CPI. The issue we have is the generation of "known_hosts" file which we are not able to generate.
We have tried pinging S4 SFTP host and as well as cloud connector (virtual host) from CPI's test connectivity tab but neither of these connections have been yet successful.
still struggling to understand the problem. you are trying to connect to a sftp server from CPI?
What do you mean by generate known_hosts file? This file is not generated, this file is usually created by the admin and contains all connected sftp hosts with their public keys.
Known Hosts File - SAP Help Portal
Did you create the known hosts file and deploy it in the cloud integration tenant?
I'm trying to connect single On-Premise system as both sender and receiver to test the transmission of file using SFTP adapter.
I deployed the iFlow perfectly and the status is started. But the file didn't move to the target path which was configured in the receiver point.
Is there anything that needs to be setup?
what is the error you see in the message processing log?
I exposed one of my folder in system , The root directory is as below
Root Folder: data
When I mention the root path exactly( as given above) in CPI, it throws error as invalid so I changed backward slash to forward slash. Now, flow is deployed but the data transfer is not happening
Any idea what could be the issue?
(I tried by giving only root folder path as well instead of full path but even in that case data transfer is not happening )
please note that this is an SFTP Adapter, not a file adapter. It picks files from sftp servers, not from your local system. You need to offer the files on an sftp server that can be connected via SSH. Please use the SSH connectivity test to test this connectivity.
I used an external app to expose my folders. I fixed the issue
Directory path I haven't provided properly.
It's absolutely a great article but still finding it difficult to connect the dots for various business use cases.
We have a scenario, where S4HANA is the source and want the customer requisitions to be captured in a downstream application. We recently purchased HCI PI for different API solutions and also since CPI-DS was not able to give the results as the destination is only IBP. or SFTP or FTP
We would like to pull the data either by using ODATA or IDOC or extractors and then convert it into CSV file and upload to SharePoint/SFTP/FTP anyone should be fine.
Can you please let us know if there is any such use case built or details that can help us to build this solution. Definitely from the beginning.
We do not have a cloud connector. We have our own proxies.
Really Appreciate your help.
cloud integration is providing a wide range of adapters, not only sftp and ftp. It is also providing OData and SOAP and IDoc adapters for connectivity towards different backends. It provides a CSV converter to convert data to csv format.
Best is to first check in the API business hub (SAP API Business Hub) if integration examples for your kind of scenario already exist. This would be the easiest solution. Else you can still build your custom integration with cloud integration.
Please refer to this getting started documentation:
Learn the Basics - SAP Help Portal
Integration Flow Design Guidelines - SAP Help Portal
These links are quite helpful to start with.
Appreciate your help for supporting us.
Thank you so much for this blog, and also thank you for keep coming here to solve each and everyone's query.
That being said, I have an ftp to sftp scenario. I know it is not the same as yours but I am a little stuck here, so it would be great if you can help me out.
I have setup the cloud connector and added an entry in the ACL for the FTP server, and the server is reachable.
Now in the above image, if I perform the test without the "Check Directory Access" option, the test is successful.
Can you please tell me what mistake I am making ? If i browse the ftp url in the local system browser with the folder path, I am able to see the files getting listed.
Any help will be appreciated.
this error comes from the Cloud connector, probably you have only maintained port 21 for the control connection but not the other ports for the data connections.
For the setup of the connection to ftp server please refer to this blog: Cloud Integration – Connecting to FTP(S)-servers using the FTP Adapter | SAP Blogs
Check especially the chapter about Cloud Connector configuration.
Thank you so much for coming to the rescue. Yes you are correct, we have only made a single entry of port 21 in the Cloud Connector.
ftp:21 entry in SAP CC
So the way I see it, these are the following additional steps I need to have :
list will be like :
These sound correct right ?
Please follow the description from the ftp blog and the linked Cloud Connector documentation.
Yeah, I am doing it right now.
Thank you so much for the inputs, it put me on the right path.
Thanks for the blog.
SFTP server set up at Cloud connector is reachable ,But it is not getting reflected in CPI BTP Cloud connector in any instance.
Due to which while doing connectivity test I am getting Error : ProxySOCKS5 server returns2.
Please suggest .
This sounds like a misconfiguration of the settings in the cloud connector. Maybe the location ID does not fit or the settings in the configuration of the instance are not correct? It is hard to analyze without details and logs. I would propose you open a ticket on LOD-HCI-PI-CON-SOAP so that the colleagues can have a look.
Recently I had a requirement to connect on premise system to IAS cloud. For that I have defined the destinations in SAP BTP and given a technical user( communications type) to connect to backend.
Suddenly it removed the roles from J2ee_admin * SAPJSF user and all other roles related to java are deleted from the ABAP side. Is there any specific reason it would have happened? Kindly let me know what precautions we need to take while setting the destinations in SAP BTP.
I can not imagine that the roles were deleted because there was a BTP destination pointing to the PO system. I would suggest you open a ticket on PO for this to find the root cause.
awesome blogs and information on your blog posts. Thanks a lot for sharing those with us.
We are on our way from SAP PO --> Integration Suite and have successfully installed the Cloud Connector and also configured it to our tenant. In the Subaccount I see the CloudConnector successful connected as well as the exposed backend systems as available.
Anyhow, when I try the mentioned Connectivity Test within the Integration Suite I'm getting a "Could not connect to Cloud Connector"
Any help will be appreciated.
its hard to analyze this from remote. I would first suggest to test the Cloud Connector connectivity test, afterwards try SSH connectivity test with Cloud connector option. Select authentication None for the beginning to check the basic connectivity.
Please make sure you fill the correct location ID as used in the cloud connector, check for correct typing, also for capital and small letters.
thanks for your answer - of course it is VERY(!) difficult via remote 😉
Here is a screenshot from the Subaccount
As you can see the Instance with the destination ID CC1 is connected
When I now try the connectivity test in the integration suite it didn't work:
I have also changed the Location ID to nothing (default), also to small letters, also to only characters without numbers.
The same behavior is true for my trial account also.
Thanks again for your help
that looks indeed strange. Is the subaccount where the cloud connector configuration screenshot is taken from really the same one you execute the connectivity test?
Did you check the logs in the cloud connector and the logs in Cloud Integration? Can you see some error there?
we only have one subaccount, so this should be ok 😉
I see SSL-Handshake Errors in the logs of the CC
An exceptioni was thrown by com.sap.core.connectivity.spi.ssl.SSLHandshakeValidator.operationComplete()
handshake timed out after 10000ms
Did I miss a configuration step? But why is everything green? I'm also able to disconnect from Cloud Cockpit and reconnect via CloudConnector - all this works as expected.
Thanks for your reply
valid points, which I cannot answer. I would suggest to open a ticket on Cloud Connector component: BC-MID-SCC. Please add the configuration details and the error details from the log.
Would be great if you could update here after the error is resolved.
we've circumscribed the error regarding to the firewall. Despite we have all configured as mentioned at https://help.sap.com/docs/CP_CONNECTIVITY/cca91383641e40ffbe03bdc78f00f681/e23f776e4d594fdbaeeb1196d47bbcc0.html?locale=en-US something is very dynamically handled from AWS when upgrading to websocket communication (this can be found in the logs of the CloudConnector).
Our security team told me that handling this behavior is very hardware/firewall specific and depends also on the security guidelines of the company.
For others facing this error, it may be helpful to look at the ssl logs in CloudConnector and find entries like "upgrading to Websocket" / "Will use connection upgrade protocol websocket". In the next lines you'll find some proxy-URLs from AWS and also IPs that are not mentioned in the SAP documentation.
thank you for sharing those details.
Thank you for the detailed steps. the exact configuration is working when we give one of the application servers (its working with ci hostname or additional application server hostname but with the web dispatcher - we are trying with web dispatcher to dispatch requests to the backend servers).
SAP CPI ->Cloud Connector -> Backend systems (works)
SAP CPI ->Cloud Connector -> Web Dispatcher -> Backend systems (Not working)
Can the web dispatcher dispatch request from CPI to backend requests? is this scenario supported with CPI? Could you please confirm?
Thanks in advance.
I don't fully understand your question. Are you trying to connect to an sftp server via web dispatcher? This does not work, web dispatcher is used for HTTP requests, sftp is using SSH protocol (SOCKS proxy in the cloud connector/TCP connection).
Or are you trying to connect to ABAP, which has nothing to do with the description in this blog as this is for sftp using the SOCKS proxy in the cloud connector.
If connecting via HTTP the configuration is different and should be via the HTTP connection in the cloud connector. Please refer to Cloud Connector | SAP Help Portal. If something is not working in this configuration I would suggest you open a ticket on BC-MID-SCC.
Are the steps listed, also applicable for connecting to sFTP servers that are outside the intranet in which the SAP BTP Integration platform resides?
As an example, connecting to on-premise sFTP servers of external partners(logistic partners, banks etc.) that reside outside the organization intranet.
in general there are three different configurations:
Thank you, Mandy for the detailed response. It has made things a lot clearer now.