Hey, welcome back! This is the second part of our “The Dev Hero, a journey in the digital transformation” journey.
In today's post, we're going to connect a system - which is located in a on premise architecture, to a SCP account through SAP Cloud Connector. Regardless the type of account you owns (trial/paid), the procedure described here works for both, and at the end you will be able to connect SAP and non-SAP solutions on it.
The diagram below higlights SAP SCC in a simple architeture.
If you dont have any AS ABAP system installed, take a look at [Part 1] – Installing SAP NetWeaver AS ABAP Developer Edition 7.52 SP01 on VirtualBox (Ubuntu 16.04)
The high availability and failover mechanisms will be discussed in a different post. Failover and High Availability for SAP Cloud Connector (using Docker)
1. What's SAP Cloud Connector (briefly)
2. Before start, make sure that:
3. Use case
4. Configure SCC
4.1 Logon and first steps
4.2 Add System Mapping
4.2.1 Choose Back-end Type as ABAP System
4.2.2 Choose HTTP protocol
4.2.3 Internal
4.2.4 Virtual
4.2.5 Choose the Principal Type
4.2.6 Enter any description
4.2.7 Check host connection after finishing configuration
4.2.8 System reachable
4.2.9 Proxy configuration
4.3 Resources accessible on instance
SCC - short of SAP Cloud Connector, is an on-premise agent that acts as a proxy (not a reverse one) by establishing a secure tunnel between on-premise system and SCP - short of SAP Cloud Platform. In this manner, is possible to expose local services to cloud efficiently, and use them in a chain of communiction.
An AS ABAP system is up and running locally, business want to expose a few services outside company boundaries to be consumed in Apps, SAP cloud solutions and even third-party solutions. As most of the AS are SAP based - and the cloud system is also SAP based, the solution architect have decided the use of SAP Cloud Connector to establish secure tunnel between on premise system and cloud landscape.
*AS - Application Server
Take a look on the diagram below. The system to be exposed is the ECC, and only the Gateway part containing OData will be exposed. In this manner, ECC is securely connected to SCC, which provides a secure tunnel SAP Cloud Platform.
Also notice there's another SCC server connected representing the failover instance for high availability. It won't be discussed here today, but if you want to know more about it take a look at Install a Failover Instance for High Availability and Failover and High Availability for SAP Cloud Connector (using Docker).
Does the solution architect could decide to use a different tool than SCC ?
A: Surely, it's possible to create a secure chain communication by using Nginx as reverse proxy instead.
Pre requisite: the subaccount is already configure on Cloud Connector. Read more in Connect Cloud Connector with trial subaccount.
Log on to the SCC administration UI and choose Cloud To On-Premise under the subaccount menu option. When the left window opened, choose ACCESS CONTROL > Mapping Virtual to Internal System > Add (+).
In this step, a mapping of an existance system will be created by using the IP or hostname of the ABAP system. The Internal Host system will be mapped to an Virtual Host one hidding sensetive information and attributes of. Virtual Host itself can be access through the SAP Cloud Platform Connectivity service.
For this example the AS ABAP system NPL - which is a free of charge instance, is used. If you've followed the [Part 1] – Installing SAP NetWeaver AS ABAP Developer Edition 7.52 SP01 on VirtualBox (Ubuntu 16.04), the hostname used is simply the same. Otherwise, you have to get further IP or hostname details of server in SAPGUI or with the IT administrator.
The FQND
Finally, the ABAP system is shown as reachable. If you notice for a different status than this one, review every step for some missing or wrong configuration. The most errors are related to host and port, but proxy errors might happen too, so make sure you've configured properly on Configuration.
Go through Configuration > Cloud > HTTPS Proxy
As mentioned previously, we want to expose only the Gateway part of the AS ABAP server, so it's necessary to provide the appropriate configuration in order to make gateway objects accessible outside of SCC.
In Cloud to On-Premise > ACCESS CONTROL > Resources Accessible On abap-as-hanatrial:443 hit the Add (+) button
The Add Resource is displayed, so inform the OData Gateway path, and choose Path and all sub-paths. It will make services resources available at all.
Done! Now you have a fully secure tunnel established between on-premise and SCP subaccount. To make sure you've completed the configuration successfully, access your subaccount on browser and choose Cloud Connetors under Connectivity
As result, the Resource is shown as available.
Did you enjoy ? Don't forget to comment below.
Cheers
Arthur Silva
In today's post, we're going to connect a system - which is located in a on premise architecture, to a SCP account through SAP Cloud Connector. Regardless the type of account you owns (trial/paid), the procedure described here works for both, and at the end you will be able to connect SAP and non-SAP solutions on it.
Do not forget to like and to leave a comment, help us to improve our work 🙂
The diagram below higlights SAP SCC in a simple architeture.
If you dont have any AS ABAP system installed, take a look at [Part 1] – Installing SAP NetWeaver AS ABAP Developer Edition 7.52 SP01 on VirtualBox (Ubuntu 16.04)
The high availability and failover mechanisms will be discussed in a different post. Failover and High Availability for SAP Cloud Connector (using Docker)
Glossary
1. What's SAP Cloud Connector (briefly)
2. Before start, make sure that:
3. Use case
4. Configure SCC
4.1 Logon and first steps
4.2 Add System Mapping
4.2.1 Choose Back-end Type as ABAP System
4.2.2 Choose HTTP protocol
4.2.3 Internal
<host>and<port>4.2.4 Virtual
<host>and<port>4.2.5 Choose the Principal Type
4.2.6 Enter any description
4.2.7 Check host connection after finishing configuration
4.2.8 System reachable
4.2.9 Proxy configuration
4.3 Resources accessible on instance
1. What's SAP Cloud Connector (briefly)
SCC - short of SAP Cloud Connector, is an on-premise agent that acts as a proxy (not a reverse one) by establishing a secure tunnel between on-premise system and SCP - short of SAP Cloud Platform. In this manner, is possible to expose local services to cloud efficiently, and use them in a chain of communiction.
2. Before start, make sure that:
- The AS ABAP is installed according with [Part 1] – Installing SAP NetWeaver AS ABAP Developer Edition 7.52 SP01 on VirtualBox (Ubuntu 16.04) (Optional)
- You've downloaded the SAP Cloud Connector (SCC); Download
3. Use Case
An AS ABAP system is up and running locally, business want to expose a few services outside company boundaries to be consumed in Apps, SAP cloud solutions and even third-party solutions. As most of the AS are SAP based - and the cloud system is also SAP based, the solution architect have decided the use of SAP Cloud Connector to establish secure tunnel between on premise system and cloud landscape.
*AS - Application Server
Take a look on the diagram below. The system to be exposed is the ECC, and only the Gateway part containing OData will be exposed. In this manner, ECC is securely connected to SCC, which provides a secure tunnel SAP Cloud Platform.
Also notice there's another SCC server connected representing the failover instance for high availability. It won't be discussed here today, but if you want to know more about it take a look at Install a Failover Instance for High Availability and Failover and High Availability for SAP Cloud Connector (using Docker).
Does the solution architect could decide to use a different tool than SCC ?
A: Surely, it's possible to create a secure chain communication by using Nginx as reverse proxy instead.
4. Configure SCC
4.1 Logon and first steps
Pre requisite: the subaccount is already configure on Cloud Connector. Read more in Connect Cloud Connector with trial subaccount.
Log on to the SCC administration UI and choose Cloud To On-Premise under the subaccount menu option. When the left window opened, choose ACCESS CONTROL > Mapping Virtual to Internal System > Add (+).
4.2 Add System Mapping
In this step, a mapping of an existance system will be created by using the IP or hostname of the ABAP system. The Internal Host system will be mapped to an Virtual Host one hidding sensetive information and attributes of. Virtual Host itself can be access through the SAP Cloud Platform Connectivity service.
Choose Back-end Type as ABAP System
Choose HTTP protocol
Internal
<host>and<port>
For this example the AS ABAP system NPL - which is a free of charge instance, is used. If you've followed the [Part 1] – Installing SAP NetWeaver AS ABAP Developer Edition 7.52 SP01 on VirtualBox (Ubuntu 16.04), the hostname used is simply the same. Otherwise, you have to get further IP or hostname details of server in SAPGUI or with the IT administrator.
The FQND
vhcalnplciwas previously configured on /etc/hosts.Using server IP also works, but using the hostname approach turns the configuration IP indepedent, that means if the server configuration have change for any circunstance, the SCC connection won't fail.
Virtual
<host>and<port>
Choose the Principal Type
Enter any Description
Check host connection after finishing configuration
System reachable
Finally, the ABAP system is shown as reachable. If you notice for a different status than this one, review every step for some missing or wrong configuration. The most errors are related to host and port, but proxy errors might happen too, so make sure you've configured properly on Configuration.
Proxy configuration
Go through Configuration > Cloud > HTTPS Proxy
4.3 Resources accessible on instance
As mentioned previously, we want to expose only the Gateway part of the AS ABAP server, so it's necessary to provide the appropriate configuration in order to make gateway objects accessible outside of SCC.
In Cloud to On-Premise > ACCESS CONTROL > Resources Accessible On abap-as-hanatrial:443 hit the Add (+) button
The Add Resource is displayed, so inform the OData Gateway path, and choose Path and all sub-paths. It will make services resources available at all.
Done! Now you have a fully secure tunnel established between on-premise and SCP subaccount. To make sure you've completed the configuration successfully, access your subaccount on browser and choose Cloud Connetors under Connectivity
As result, the Resource is shown as available.
Did you enjoy ? Don't forget to comment below.
Cheers
Arthur Silva
- SAP Managed Tags:
20 Comments
