Skip to Content
Technical Articles
Author's profile photo Arthur Fuscella Silva

[Part 2] Connect on-premise systems on SCP through Cloud Connector (Neo)

Hey, welcome back! This is the second part of our “The Dev Hero, a journey in the digital transformation” journey.

In today’s post, we’re going to connect a system – which is located in a on premise architecture, to a SCP account through SAP Cloud Connector. Regardless the type of account you owns (trial/paid), the procedure described here works for both, and at the end you will be able to connect SAP and non-SAP solutions on it.

Do not forget to like and to leave a comment,  help us to improve our work 🙂

The diagram below higlights SAP SCC in a simple architeture.

If you dont have any AS ABAP system installed, take a look at [Part 1] – Installing SAP NetWeaver AS ABAP Developer Edition 7.52 SP01 on VirtualBox (Ubuntu 16.04)

The high availability and failover mechanisms will be discussed in a different post. Failover and High Availability for SAP Cloud Connector (using Docker)


1. What’s SAP Cloud Connector (briefly)
2. Before start, make sure that:
3. Use case
4. Configure SCC
4.1 Logon and first steps
4.2 Add System Mapping
4.2.1 Choose Back-end Type as ABAP System
4.2.2 Choose HTTP protocol
4.2.3 Internal<host>and<port>
4.2.4 Virtual<host>and<port>
4.2.5 Choose the Principal Type
4.2.6 Enter any description
4.2.7 Check host connection after finishing configuration
4.2.8 System reachable
4.2.9 Proxy configuration
4.3 Resources accessible on instance

1. What’s SAP Cloud Connector (briefly)

SCC – short of SAP Cloud Connector, is an on-premise agent that acts as a proxy (not a reverse one) by establishing a secure tunnel between on-premise system and SCP – short of SAP Cloud Platform. In this manner, is possible to expose local services to cloud efficiently, and use them in a chain of communiction.

2. Before start, make sure that:

3. Use Case

An AS ABAP system is up and running locally, business want to expose a few services outside company boundaries to be consumed in Apps, SAP cloud solutions and even third-party solutions. As most of the AS are SAP based – and the cloud system is also SAP based, the solution architect have decided the use of SAP Cloud Connector to establish secure tunnel between on premise system and cloud landscape.
*AS – Application Server

Take a look on the diagram below. The system to be exposed is the ECC, and only the Gateway part containing OData will be exposed. In this manner, ECC is securely connected to SCC, which provides a secure tunnel SAP Cloud Platform.

Also notice there’s another SCC server connected representing the failover instance for high availability. It won’t be discussed here today, but if you want to know more about it take a look at Install a Failover Instance for High Availability and Failover and High Availability for SAP Cloud Connector (using Docker).

Does the solution architect could decide to use a different tool than SCC ?
A: Surely, it’s possible to create a secure chain communication by using Nginx as reverse proxy instead.

4. Configure SCC

4.1 Logon and first steps

Pre requisite: the subaccount is already configure on Cloud Connector. Read more in Connect Cloud Connector with trial subaccount.

Log on to the SCC administration UI and choose Cloud To On-Premise under the subaccount menu option. When the left window opened, choose ACCESS CONTROL > Mapping Virtual to Internal System > Add (+).

4.2 Add System Mapping

In this step, a mapping of an existance system will be created by using the IP or hostname of the ABAP system. The Internal Host system will be mapped to an Virtual Host one hidding sensetive information and attributes of. Virtual Host itself can  be access through the SAP Cloud Platform Connectivity service.

  • Choose Back-end Type as ABAP System

  • Choose HTTP protocol

  • Internal<host>and<port>

For this example the AS ABAP system NPL – which is a free of charge instance, is used. If you’ve followed the [Part 1] – Installing SAP NetWeaver AS ABAP Developer Edition 7.52 SP01 on VirtualBox (Ubuntu 16.04), the hostname used is simply the same. Otherwise, you have to get further IP or hostname details of server in SAPGUI or with the IT administrator.

The FQNDvhcalnplciwas previously configured on /etc/hosts.Using server IP also works, but using the hostname approach turns the configuration IP indepedent, that means if the server configuration have change for any circunstance, the SCC connection won’t fail.

  • Virtual<host>and<port>

  • Choose the Principal Type

  • Enter any Description

  • Check host connection after finishing configuration

  • System reachable

Finally, the ABAP system is shown as reachable. If you notice for a different status than this one, review every step for some missing or wrong configuration. The most errors are related to host and port, but proxy errors might happen too, so make sure you’ve configured properly on Configuration.

  • Proxy configuration

Go through Configuration > Cloud > HTTPS Proxy

4.3 Resources accessible on instance

As mentioned previously, we want to expose only the Gateway part of the AS ABAP server, so it’s necessary to provide the appropriate configuration in order to make gateway objects accessible outside of SCC.

In Cloud to On-Premise > ACCESS CONTROL > Resources Accessible On abap-as-hanatrial:443 hit the Add (+) button

The Add Resource is displayed, so inform the OData Gateway path, and choose Path and all sub-paths. It will make services resources available at all.

Done! Now you have a fully secure tunnel established between on-premise and SCP subaccount. To make sure you’ve completed the configuration successfully, access your subaccount on browser and choose Cloud Connetors under Connectivity

As result, the Resource is shown as available.

Did you enjoy ? Don’t forget to comment below.

Arthur Silva


Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Markus Tolksdorf
      Markus Tolksdorf

      Hi Arthur,

      it's SCC not HCC.

      Best regards,

      Author's profile photo Arthur Fuscella Silva
      Arthur Fuscella Silva
      Blog Post Author

      Hello Markus,

      Thanks for the information. I've adjust the post properly 🙂

      Author's profile photo Markus Tolksdorf
      Markus Tolksdorf

      Hi Arthur,

      great 🙂

      Best regards,

      Author's profile photo shanmuga perumal
      shanmuga perumal

      Hi Arthur,

      I have followed the steps given above, i am having Not Reachable error while checking internal host.

      What to maintain in the internal host and proxy configuration?




      Author's profile photo Arthur Silva
      Arthur Silva

      Hey Shanmunga, hope you're well.

      Make sure your internal host is reachable by SCC by pinging from the OS to the internal host.


      For a better understanding, please share your system mapping configuration.

      Arthur Silva

      Author's profile photo Ramesh Parthiban
      Ramesh Parthiban

      Very useful steps with correct parameters, Thank you!

      Author's profile photo Thorsten Kolz
      Thorsten Kolz

      Thanks for the Blog.

      Connection from Cloud Platform to S/4 STE system works.
      But how do we handle the following scenario?
      S/4 On premise <-SOAP-> CPI <-SOAP-> 3rd Party Application On premise

      I guess we will not use the address to call the CPI SOAP service, because then we move outside of the local network.

      So how do I call a SOAP service on CPI from on-premise S/4 system?

      Thanks in advance!

      Best regards,


      Author's profile photo Sandra Milena Ruiz
      Sandra Milena Ruiz

      Thank you very much

      Author's profile photo Susindiran Rao
      Susindiran Rao

      Thanks for sharing info.

      Do we have any space quota to be allocated or restricted for connected in Cloud apps  via onpremise ? Or Full stack Developer by online?

      OP2SCP :

      Author's profile photo Arthur Silva
      Arthur Silva



      In case you're working on the trial version, you have some limit. Check the Quota Plans on the SCP cockpit.

      For productive use, I would suggest you to contact the service provider directly for further info.



      Arthur Silva

      Author's profile photo Marco Blevins
      Marco Blevins



      I followed Part 1 and 2 of your tutorial – thank you for the information you put togehter!


      I am having one problem at the end: in the SAP Cloud Foundry (not the neo edition) the Cloud to On-Premise Connection is not shown since there is not “Cloud Connectors” Button / Menu below the “Connectivity” Menu. I tried to add a Destination to access the on premise backend, but when I click on “Check Connection” (under “Connectivity” in the SAP Cloud Platform Cockpit”) I get an error:


      Failure reason: “Could not check at the moment. Please try again later”
      I entered the following information in the destination configuration:
      Name: abapBackend1
      Type: HTTP
      Proxy Type: OnPremise
      Authentication: BasicAuthentication
      User DEVELOPER
      Password: Down1oad
      Am I missing something?
      Author's profile photo Arthur Silva
      Arthur Silva

      I will take a look and talk with you later.

      It seems a parameter missing on destinations config in the CF side

      Arthur Silva

      Author's profile photo Sal Gonzalez
      Sal Gonzalez

      Hello Arthur,

      I am encountering the same issue as Marco described above. I also do not see the "Cloud Connectors" button underneath the "Connectivity" drop down menu.

      Were you able to help Marco resolve this issue? If so, Can you please point me in the right direction?

      I appreciate your help.



      Author's profile photo Shireen Sheikh
      Shireen Sheikh

      Hello Arthur, I am facing the same issue too...Cannot find "Cloud connector" button in SCP cockpit. Any suggestions are welcome.

      Author's profile photo Cristiano Marques
      Cristiano Marques

      Hi  Arthur Fuscella Silva, thanks for this blog. Do you know the procedure to make connection with SCP  Cloud Foundry? I have done the same procedure that I had done in Neo, but in CF a error persists when checking connection "Failure reason: "Could not check at the moment. Please try again later""

      Author's profile photo Arthur Silva
      Arthur Silva

      Hey Cristiano,

      It should be pretty the same, as soon CF also has an endpoint to get access.

      Could you please bring more details about the issue you're facing ? Are you using the free tier CF in order to establish connection?

      Arthur Silva

      Author's profile photo Axel Moschuering
      Axel Moschuering

      Hi Arthur,

      thank you for your excellent blog. I am facing the same problem Cristiano and Marco are reporting.

      I set up a connection to my local SAP NLP system running in a VM. System is reachable, resources are exposed and everything seems fine:


      I can define a destination in the SCP

      but connection test always fails


      No further explanation is given.

      Any ideas what is the issue here ?

      Thank you and best wishes,



      Author's profile photo John Vinh
      John Vinh

      Great effort. Thank you !

      Author's profile photo Liyana Liyana
      Liyana Liyana

      Hi Arthur,


      Thumbs up for your tutorial. Provide step by step with details and guide us a lot. Thanks!!!

      Continuing sap cloud connector installation and setting initial subaccount, have face one issue when submitting new trial account as screenshots below

      When open ljs_trace_log file found the connection got failed when hiting this address

      Have tried to test this url at new session at browser found this address could not be reach and have error for resolve domain at browser. I have installed my SAP Netweaver 7.52 SP04 within my home network without using Proxy and Firewall is disabled both for VM ware and Windows.

      Does any changes for connectivity certification signing address for this Cloud Connector version?

      I'm using this SCC version installed into my SAP Netweaver 7.52 SP04

      Appreciate your help .


      Best Regards,


      Author's profile photo Shahrukh Bhat
      Shahrukh Bhat


      I am setting up certification based authentication between CPI and ECC, CPI is connected to ECC via SAP Cloud Connector (SCC).

      NOTE: Using Cloud Foundry environment on BTP.

      Could you please confirm if my understanding of this scenario is correct?

      Scenario: CPI is the client, ECC is the server:

      -Get the CPI client certificate and import it into the STRUST in ECC.

      We can get the CPI client cert by downloading sap_cloudintegrationcertificate from the CPI keystore:


      -Mapping the Integration User to the CPI client Certificate in VUSREXTID view.

      -Because SCC creates a private tunnel between SAP BTP and ECC, no need to import/export any certificates between CPI - SCC and SCC - ECC. Also, no need to install ECC server cert in the CPI keystore. [ This part is what I want to confirm]


      Refer to my question for the cert based C4C-CPI-ECC end-to-end connectivity, here: