bud_sloniger
In the configuration of a direct connection from SAP Analytics Cloud to on-premise systems there are many conflicting opinions and selections.  Much of this is the result of the maturity of the product line.  SAP Analytics Cloud (SAC) was originally developed from a purely BI dashboard perspective for the SAP BusinessObjects products (SBOP).  It has evolved from a niche tool into a preferred method of analysis and visualization of data.

We will concentrate on the current product and its configuration for a direct connection to a backend NetWeaver ABAP system.  SAC has a lot of capabilities and a myriad of ways of connecting to it, so we want to narrow the focus.

The Dilemma


Connection of a cloud resource to an on-premise one brings to light some challenges which may not be immediately apparent.  In our ‘everything’s connected’ culture it may seem natural that data from your BW BEx query could be analyzed by a tool in the cloud.  That’s when the network manager says “wait a minute…you want to do WHAT?”  We need a proxy path through our firewall.

There are firewalls, router rules, load-balancing appliances, whitelists, blacklists, blocked ports, certs, proxies and all kinds of stuff.   The ‘stuff’ that keeps your company from having to deal with the “Millions Of Customer Records Exposed In Data Breach” headline and all the legal, business, technical and PR headaches that come from such a disaster.

Your other choice would be using the upload/download data function to the cloud analytics engine.

But that’s not secure either.

(remember, those headlines above often say “…from an IT analyst’s laptop…” too).

The solution is to use these three functions in concert:  CORS, UCON, and SAML.

The Solution


CORS is Cross-origin resource sharing.   “A mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served. A web page may freely embed cross-origin images, stylesheets, scripts, iframes, and videos. Certain "cross-domain" requests, notably Ajax requests, are forbidden by default by the same-origin security policy.

CORS defines a way in which a browser and server can interact to determine whether or not it is safe to allow the cross-origin request. It allows for more freedom and functionality than purely same-origin requests, but is more secure than simply allowing all cross-origin requests. The specification for CORS was originally published as a W3C recommendation…” (Wikipedia)

Why is this important for a direct connection to BW from SAC?   Open a session from your browser to SAC and log in.  Go to Connections and attempt to create a connection to your BW system.

Without CORS you can’t.  The HTTPS session you opened is with the ‘sapanalytics.cloud’ domain, but the connection you are creating is a login, from that same browser page, to a web server (BW NetWeaver) on ‘yourcompany.corp’.  A corporate firewall separates them, and they are different origins.

But that should work, right?  I mean, I’m inside the firewall.  No.  This is not the firewall’s doing: the browser’s same-origin policy does not let a page loaded from one origin (scheme, host and port) read the response to a request it sends to a different origin, and for most such requests it will not even send them before checking with the target server.  Without that rule, any web page you visit could read your BW data using your session cookie.

This is the problem CORS was designed to solve.   In the SAP NetWeaver on-premise <=> SAP Analytics Cloud scenario, we configure the NetWeaver server to answer cross-origin requests from one specific origin with the Access-Control-* response headers the browser expects.  In this case company-name.data-center.sapanalytics.cloud is that origin.  We also restrict this to a single path in the ICF: the “InA” services under /sap/bw/ina .

UCON is Unified Connectivity.   UCON was developed mainly to secure RFCs and the function modules exposed through them.  It provides a framework in which all of the connectivity configuration can be handled in one place.  It also controls the HTTP whitelists.

The HTTP whitelist scenario helps you to monitor HTTP(S) calls in your system. Using various whitelists, you can specify which HTTP(S) calls are to be allowed and which are to be blocked. Each whitelist is assigned an HTTP context type that covers a particular type of HTTP call:

  • Trusted Network Zone

  • Clickjacking Framing Protection

  • CSS Style Sheet

  • Cross-Origin Resource Sharing


We will be using the Cross-Origin Resource Sharing context type and the UCON settings as described in this Guided Playlist.

 

SAML, the Security Assertion Markup Language, is an open standard for sharing security information about identity, authentication and authorization across different systems.

SAML is used to share security credentials across one or more networked systems. The SAML framework is specifically designed to accomplish two things: authentication and authorization.

Authentication is the process of determining whether an entity is who it claims to be, and it is required before authorization, which is the process of determining whether the authenticated identity actually has permission -- authorization -- to use a resource.  (TechTarget)

SAC uses SAML natively for Single Sign-On.  Here's the SAC SAML Guided Playlist.

 

The Procedure:


Prerequisites



  1. Apply the necessary Support Packages and Notes to your on-premise system.  The minimum is NetWeaver BW 7.40 SPS 20, and additional notes must be applied on top of that.  Use the utility program “Z_SAP_BW_NOTE_ANALYZER” to find them; this is the same program used to prepare a migration to HANA or BW/4HANA.  Install the program and run it with the latest control file attached to Note 2541557.  The NetWeaver AS ABAP releases and support packages that support UCON are listed in SAP Note 2547381.  NetWeaver releases below the following do not support the parameter "icf/cors_enabled" or the transaction "UCONCOCKPIT":



  • NetWeaver AS ABAP 7.52 SP02

  • NetWeaver AS ABAP 7.51 SP06

  • NetWeaver AS ABAP 7.50 SP12

  • NetWeaver AS ABAP 7.40 SP20


You must be on SAP Kernel 7.49 PL 315 or higher.

New Parameters



  1. Create the rewrite.txt file and place it where every ABAP application server can read it, e.g. /sapmnt/<SID>/profile/rewrite.txt.  Create the rewrite.txt file according to Step 3 in this help.

  2. In RZ10 add the following parameters to the instance profile of each application server that will serve SAC connections:


icf/cors_enabled = 1
icm/HTTP/mod_0 = PREFIX=/,FILE=<Path_To_CORS_Rewrite_File>


  • Save and activate the profiles


Create the ZCL_DUMMYAUTH_SERVICE Class/Method


In your BW development instance create the following Class Object (Developer Key required)

  1. Enter transaction code: SE24.

  2. Enter Object Type: ZCL_DUMMYAUTH_SERVICE, select Create, and then select Save.

  3. Go to the Interfaces tab, and add IF_HTTP_EXTENSION, plus a description.

  4. Go to the Methods tab, and add the following information:



  • Method: IF_HTTP_EXTENSION~HANDLE_REQUEST

  • Level: Instance Method

  • Visibility: Public

  • Description: Add a description


Double click on IF_HTTP_EXTENSION~HANDLE_REQUEST and add the following code:
method IF_HTTP_EXTENSION~HANDLE_REQUEST.
  " Reached only after the SAML logon on the /sap/bw/ina/auth node has
  " succeeded; the session cookie is already set at this point. The only
  " job of the handler is to close the pop-up window that SAC opened for
  " the IdP logon.
  DATA:
    html_content TYPE string.

  html_content = '<html><script type="text/javascript">window.close();</script></html>'.

  " Make sure neither the browser nor a proxy caches the logon round-trip.
  server->response->set_header_field( name = 'Cache-Control' value = 'no-cache,no-store' ).
  server->response->set_cdata( data = html_content ).
endmethod.


  • Select Save, and then Activate.

  • Save into a transport so that you can move this up to production.


 

Changes to the Internet Connection Framework



  1. Enter transaction code: SICF.

  2. Enter Service Path: /sap/bw/ina, and then press Enter.

  3. Select the path: default_host > sap > bw > ina , right click GetServerInfo

  4. Select Activate Service.

  5. Right Click GetServerInfo and then select Test Service.

  6. Make sure you are redirected to your IdP login page, and that you do not get a 404 page after login.  Use a browser that has no existing BW session, otherwise you will not see the redirect.

  7. Under default_host > sap > bw > ina, right click ina, then choose New Sub-Element.

  8. In Service Name, enter auth.




  9. Add a description.

  10. Open the Handler List tab, and enter ZCL_DUMMYAUTH_SERVICE.

  11. Save and return to the main menu.

  12. Check that the InA service answers. Open the following URL in your browser: https://<Your_ABAP_System>/sap/bw/ina/GetServerInfo?sap-client=<Your_Client_ID>, replacing <Your_ABAP_System> with your ABAP system host and <Your_Client_ID> with your SAP BW client ID. Make sure you are redirected to your IdP login page, and that you do not get a 404 page after login.
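The checks the SICF steps above ask you to make in a browser can also be scripted, which makes them easy to repeat after every transport or profile change. The script below is an added example written for this post; it is not SAP code, and the BW host, client and IdP host name are arguments you supply. It requests GetServerInfo without following redirects and reports whether the first response is the SAML redirect to your IdP, a 404 (the ICF node is not active), a 401 with a Basic challenge (the node is active but SAML is not its logon procedure), or a 200 without any logon, which deserves a look on its own.

```python
"""Check /sap/bw/ina/GetServerInfo from a shell instead of a browser (added example)."""
import sys
import urllib.error
import urllib.request
from urllib.parse import urlparse

INA_PATH = "/sap/bw/ina/GetServerInfo"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: the Location header is what we want to inspect."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, headers, idp_host):
    """Turn the first response from GetServerInfo into a verdict.

    headers:  any mapping with .get() (urllib's HTTPMessage or a plain dict)
    idp_host: host name of your SAML identity provider (assumed input)
    """
    location = headers.get("Location") or ""
    www_auth = headers.get("WWW-Authenticate") or ""
    if status in (302, 303, 307):
        target = (urlparse(location).hostname or "").lower()
        if target == idp_host.lower():
            return "ok: unauthenticated call is redirected to the IdP"
        return f"warn: redirected to {target!r}, not to the IdP"
    if status == 404:
        return f"fail: 404, the node {INA_PATH} is not active in SICF"
    if status == 401 and "basic" in www_auth.lower():
        return "fail: 401 with a Basic challenge, SAML is not the logon procedure on this node"
    if status == 200:
        return "warn: 200 without logon; anonymous access or a reused session cookie"
    return f"warn: unexpected status {status}"


def check(bw_host, client, idp_host, port=443):
    """Perform the request. Assumes the BW host is reachable over HTTPS with a
    certificate the local trust store accepts, as end users' browsers must anyway."""
    url = f"https://{bw_host}:{port}{INA_PATH}?sap-client={client}"
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=15) as resp:
            return classify(resp.status, resp.headers, idp_host)
    except urllib.error.HTTPError as err:
        # 3xx and 4xx land here because redirects are not followed
        return classify(err.code, err.headers, idp_host)


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: check_ina.py <bw_host> <client> <idp_host>")
    print(check(sys.argv[1], sys.argv[2], sys.argv[3]))
```

Run it from a machine on the same network path your users take (through the reverse proxy, if you have one); a verdict that differs from what you see in the browser usually means the browser is carrying a cookie or certificate exception the script does not have.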


Verify end-users' web browser configuration and access


Your end users' web browsers must be configured to:

  • Allow pop-up windows from the SAP Analytics Cloud domain: [*.]sapbusinessobjects.cloud (or [*.]sapanalytics.cloud, whichever domain your tenant uses).

  • Allow third-party cookies from the SAP BW server's domain or the domain of your reverse proxy.


Set up the Unified Connectivity (UCON) HTTP Whitelist


This procedure is documented in this Guided Procedure.

To modify HTTP whitelists and no-log lists for the context type CORS, execute the following steps:

  1. Open the Unified Connectivity Cockpit with transaction UCONCOCKPIT



  • Select the HTTP Whitelist Scenario

  • Click on the Display/Change icon

  • Change the Mode of Cross-origin Resource Sharing to Active Check

  • Click Save



  2. Double-click Cross-origin Resource Sharing.

  3. In the Whitelist screen area to the right, choose New Entry.


A dialog box appears for input of the whitelist specifications.



Allowed Methods: Select GET, HEAD, POST, and OPTIONS.



  • Add the following comma separated list to Allowed Headers:
    X-CSRF-TOKEN,X-SAP-CID,AUTHORIZATION,MYSAPSSO2,X-REQUEST-WITH,SAP-REWRITEURL,SAP-URL-SESSION-ID,CONTENT-TYPE,ACCEPT-LANGUAGE

  • Add the following comma separated list to Exposed Headers:
    X-CSRF-TOKEN,SAP-REWRITEURL,SAP-URL-SESSION-ID,SAP-PERF-FESREC,SAP-SYSTEM



  • Allow Credentials: Ensure this is selected

  • Click on green checkmark to continue the setup

  • Save the configuration

  • Restart your App servers with the changed parameters
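To make the effect of the whitelist entry concrete, here is a small Python model of the decision UCON makes for each cross-origin request, written for this post as an added example; it is not SAP code and does not talk to the ABAP server. It uses the origin, path, method list and header lists from the steps above, with the tenant host being the placeholder used earlier in the post rather than a real tenant, and shows which preflight and actual requests get CORS headers back and which are left without them, which is how the browser ends up enforcing the whitelist. It also shows why OPTIONS has to be on the method list: the InA calls are POSTs with custom headers and JSON bodies, so the browser preflights every one of them.

```python
"""Model of the UCON CORS whitelist decision for the SAC live connection (added example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Requests a browser sends cross-origin WITHOUT a preflight ("simple requests").
SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SAFELISTED_CONTENT_TYPES = {"application/x-www-form-urlencoded",
                            "multipart/form-data", "text/plain"}


@dataclass(frozen=True)
class CorsWhitelistEntry:
    allowed_origin: str          # exact origin: scheme + host (+ port)
    path_prefix: str             # ICF node the entry is bound to
    allowed_methods: frozenset   # upper-case method names
    allowed_headers: frozenset   # lower-case header names
    exposed_headers: tuple       # response headers the SAC page may read
    allow_credentials: bool = True


# The entry from the UCONCOCKPIT steps above; the tenant host is the
# placeholder used earlier in the post, not a real tenant.
SAC_ENTRY = CorsWhitelistEntry(
    allowed_origin="https://company-name.data-center.sapanalytics.cloud",
    path_prefix="/sap/bw/ina",
    allowed_methods=frozenset({"GET", "HEAD", "POST", "OPTIONS"}),
    allowed_headers=frozenset(h.lower() for h in (
        "X-CSRF-TOKEN", "X-SAP-CID", "AUTHORIZATION", "MYSAPSSO2",
        "X-REQUEST-WITH", "SAP-REWRITEURL", "SAP-URL-SESSION-ID",
        "CONTENT-TYPE", "ACCEPT-LANGUAGE")),
    exposed_headers=("X-CSRF-TOKEN", "SAP-REWRITEURL", "SAP-URL-SESSION-ID",
                     "SAP-PERF-FESREC", "SAP-SYSTEM"),
)


def needs_preflight(method: str, headers: Dict[str, str]) -> bool:
    """True when the browser sends an OPTIONS preflight before the request.
    InA calls are POSTs with X-CSRF-Token and a JSON body, so they always
    preflight; that is why OPTIONS must be an allowed method."""
    if method.upper() not in SIMPLE_METHODS:
        return True
    for name, value in headers.items():
        lname = name.lower()
        if lname not in SAFELISTED_HEADERS:
            return True
        if lname == "content-type":
            media = value.split(";", 1)[0].strip().lower()
            if media not in SAFELISTED_CONTENT_TYPES:
                return True
    return False


def _in_scope(entry: CorsWhitelistEntry, origin: str, path: str) -> bool:
    # Exact origin match: no wildcard and no suffix match, so a look-alike
    # host or another tenant does not qualify.
    return origin == entry.allowed_origin and path.startswith(entry.path_prefix)


def answer_preflight(entry: CorsWhitelistEntry, origin: str, path: str,
                     requested_method: str,
                     requested_headers: Iterable[str]) -> Optional[Dict[str, str]]:
    """Response headers for an OPTIONS preflight, or None when the request is
    outside the whitelist; on None the browser fails the fetch and never
    sends the real request."""
    requested_headers = list(requested_headers)
    if not _in_scope(entry, origin, path):
        return None
    if requested_method.upper() not in entry.allowed_methods:
        return None
    if any(h.lower() not in entry.allowed_headers for h in requested_headers):
        return None
    resp = {
        # Echo the one matching origin. "*" is not valid together with
        # Allow-Credentials, and would hand the user's BW session to any site.
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ", ".join(sorted(entry.allowed_methods)),
        "Access-Control-Allow-Headers": ", ".join(requested_headers),
    }
    if entry.allow_credentials:
        resp["Access-Control-Allow-Credentials"] = "true"
    return resp


def answer_actual(entry: CorsWhitelistEntry, origin: str, path: str,
                  method: str) -> Optional[Dict[str, str]]:
    """Headers added to the real response. Without them the ABAP server has
    still executed the request; the browser just withholds the result from
    the SAC page."""
    if not _in_scope(entry, origin, path) or method.upper() not in entry.allowed_methods:
        return None
    resp = {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Expose-Headers": ", ".join(entry.exposed_headers),
    }
    if entry.allow_credentials:
        resp["Access-Control-Allow-Credentials"] = "true"
    return resp


if __name__ == "__main__":
    sac = SAC_ENTRY.allowed_origin
    ina = {"Content-Type": "application/json", "X-CSRF-Token": "Fetch"}
    print("InA POST needs preflight:", needs_preflight("POST", ina))
    print("preflight from the tenant:", answer_preflight(SAC_ENTRY, sac, "/sap/bw/ina/GetServerInfo", "POST", ina))
    print("preflight from elsewhere:", answer_preflight(SAC_ENTRY, "https://evil.example", "/sap/bw/ina/GetServerInfo", "POST", ina))
    print("preflight outside /sap/bw/ina:", answer_preflight(SAC_ENTRY, sac, "/sap/bc/ping", "GET", []))
```

Two points from the model are worth keeping in mind when you review the real configuration. The origin is matched exactly, so a sibling tenant or a look-alike host gets nothing, and Access-Control-Allow-Origin echoes that single origin rather than "*", which the browser would reject together with Allow Credentials anyway. And a request that CORS denies has still been processed on the ABAP side; the whitelist protects the browser user's session from other sites, it does not replace the SAML logon or the user's BW authorizations.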


Add A Basic Authentication Connection to your SAP Analytics Cloud Tenant


Add a Basic Authentication remote system to SAP Analytics Cloud:

  1. Go to (Main Menu) > Connection > Connections > (Add Connection).


  2. The Select a datasource dialog will appear.



  3. Expand Connect to Live Data and select SAP BW.

  4. In the dialog, enter a name and description for your connection.

  5. The connection name cannot be changed later.

  6. Set the connection type to Direct.

  7. Add your SAP BW host name, HTTPS port, and Client.  The end user's browser connects to this host directly, so the name must resolve from the user's network and the HTTPS certificate must be trusted by the browser.

  8. (Optional) Choose a Default Language from the list.

  9. Under Authentication Method select User and Password

  10. Provide the User and credentials.

  11. Select OK.


Use the SAML2 Connection for the Analytics Cloud


Add a SAML2 remote system to SAP Analytics Cloud:

  1. Go to (Main Menu) > Connection > Connections > (Add Connection).


  2. The Select a datasource dialog will appear.



  3. Expand Connect to Live Data and select SAP BW.

  4. In the dialog, enter a name and description for your connection.

  5. The connection name cannot be changed later.

  6. Set the connection type to Direct.

  7. Add your SAP BW host name, HTTPS port, and Client.

  8. (Optional) Choose a Default Language from the list.

  9. Under Authentication Method select SAML Single Sign On.

  10. Select OK.


Conclusion


The Cloud components are continuing to evolve.  With each iteration they are more powerful and flexible.    Take advantage of the tools SAP has to offer in the Cloud!  You will see that they can safely and easily integrate into your environment.

Links And reference material


2482807 - Secure HTTPS Browser configuration using Live Data Connections (CORS) in SAP Analytics Cloud

2659735 - Troubleshooting CORS issues with SAP Analytics Cloud (SAC)

2420960 - Using SAP Analytics Cloud as Client for SAP BW queries in BW 7.4

2596285 - How to enable CORS for Live Data Connection to BW in SAP Analytics Cloud (SAC) on SAP NetWeaver releases where native CORS is not supported

2547381 - CORS integration in UCON HTTP Whitelist and Internet Communication Framework and Clickjacking integration in HTTP Whitelist

2589761 - Connecting to Live Data sources in SAP Analytics Cloud *** Master KBA ***

Cross Origin Resource Sharing Wikipedia

https://en.wikipedia.org/wiki/Cross-origin_resource_sharing

W3C recommendation for CORS

https://www.w3.org/TR/cors/

HTTP Whitelist check with the Unified Connectivity (UCON) Concept

https://wiki.scn.sap.com/wiki/display/ABAPConn/HTTP+Whitelist+Check+with+the+Unified+Connectivity+%2...

 

 

 