[Part 2] Connect on-premise systems on SCP through Cloud Connector (Neo)
Hey, welcome back! This is the second part of our “The Dev Hero, a journey in the digital transformation” journey.
In today’s post, we’re going to connect a system located in an on-premise architecture to an SCP account through SAP Cloud Connector. Regardless of the type of account you own (trial/paid), the procedure described here works for both, and at the end you will be able to connect SAP and non-SAP solutions to it.
Do not forget to like and to leave a comment, help us to improve our work 🙂
The diagram below highlights SAP SCC in a simple architecture.
If you don't have any AS ABAP system installed, take a look at [Part 1] – Installing SAP NetWeaver AS ABAP Developer Edition 7.52 SP01 on VirtualBox (Ubuntu 16.04)
The high availability and failover mechanisms will be discussed in a different post: Failover and High Availability for SAP Cloud Connector (using Docker)
Glossary
1. What’s SAP Cloud Connector (briefly)
2. Before start, make sure that:
3. Use case
4. Configure SCC
4.1 Logon and first steps
4.2 Add System Mapping
4.2.1 Choose Back-end Type as ABAP System
4.2.2 Choose HTTP protocol
4.2.3 Internal <host> and <port>
4.2.4 Virtual <host> and <port>
4.2.5 Choose the Principal Type
4.2.6 Enter any description
4.2.7 Check host connection after finishing configuration
4.2.8 System reachable
4.2.9 Proxy configuration
4.3 Resources accessible on instance
1. What’s SAP Cloud Connector (briefly)
SCC (short for SAP Cloud Connector) is an on-premise agent that acts as a proxy (not a reverse one) by establishing a secure tunnel between the on-premise system and SCP (short for SAP Cloud Platform). In this manner, it is possible to expose local services to the cloud efficiently and use them in a chain of communication.
2. Before start, make sure that:
- The AS ABAP is installed according to [Part 1] – Installing SAP NetWeaver AS ABAP Developer Edition 7.52 SP01 on VirtualBox (Ubuntu 16.04) (Optional)
- You’ve downloaded the SAP Cloud Connector (SCC)
3. Use Case
An AS ABAP system is up and running locally, and the business wants to expose a few services outside company boundaries to be consumed in apps, SAP cloud solutions and even third-party solutions. As most of the AS are SAP based, and the cloud system is also SAP based, the solution architect has decided to use SAP Cloud Connector to establish a secure tunnel between the on-premise system and the cloud landscape.
*AS – Application Server
Take a look at the diagram below. The system to be exposed is the ECC, and only the Gateway part containing OData will be exposed. In this manner, ECC is securely connected to SCC, which provides a secure tunnel to SAP Cloud Platform.
Also notice there’s another SCC server connected representing the failover instance for high availability. It won’t be discussed here today, but if you want to know more about it take a look at Install a Failover Instance for High Availability and Failover and High Availability for SAP Cloud Connector (using Docker).
Could the solution architect decide to use a different tool than SCC?
A: Certainly. It’s possible to create a secure communication chain by using Nginx as a reverse proxy instead.
4. Configure SCC
4.1 Logon and first steps
Prerequisite: the subaccount is already configured on Cloud Connector. Read more in Connect Cloud Connector with trial subaccount.
Log on to the SCC administration UI and choose Cloud To On-Premise under the subaccount menu option. When the left window opens, choose ACCESS CONTROL > Mapping Virtual to Internal System > Add (+).
4.2 Add System Mapping
In this step, a mapping of an existing system is created by using the IP or hostname of the ABAP system. The Internal Host is mapped to a Virtual Host, hiding sensitive information and attributes of the internal system. The Virtual Host itself can be accessed through the SAP Cloud Platform Connectivity service.
- Choose Back-end Type as ABAP System
- Choose HTTP protocol
- Internal <host> and <port>
For this example, the AS ABAP system NPL, which is a free-of-charge instance, is used. If you’ve followed [Part 1] – Installing SAP NetWeaver AS ABAP Developer Edition 7.52 SP01 on VirtualBox (Ubuntu 16.04), the hostname is simply the same. Otherwise, you have to get the IP or hostname details of the server in SAPGUI or from the IT administrator.
The FQDN vhcalnplci was previously configured in /etc/hosts.
Using the server IP also works, but using the hostname makes the configuration IP independent: if the server configuration changes for any reason, the SCC connection won’t fail.
- Virtual <host> and <port>
- Choose the Principal Type
- Enter any Description
- Check host connection after finishing configuration
- System reachable
Finally, the ABAP system is shown as reachable. If you see a different status than this one, review every step for a missing or wrong configuration. Most errors are related to host and port, but proxy errors might happen too, so make sure you’ve configured the proxy properly under Configuration.
- Proxy configuration
Go to Configuration > Cloud > HTTPS Proxy.
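A pre-flight check for the internal <host> and <port>, run on the SCC machine, as an added example that is not part of the original post: it looks the name up in /etc/hosts-style text, then attempts a TCP connection and classifies the result. The port 8000 and all function names are assumptions; the post does not state the port.

```python
import socket


def parse_hosts(text):
    """Return {hostname: ip} from /etc/hosts-style text (comments ignored)."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            for name in fields[1:]:
                table.setdefault(name.lower(), fields[0])
    return table


def diagnose(host, port, hosts_text="", timeout=3.0):
    """Classify why an internal <host>:<port> may show as not reachable."""
    ip = parse_hosts(hosts_text).get(host.lower())
    source = "hosts file"
    if ip is None:
        try:
            ip = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0][4][0]
            source = "system resolver"
        except socket.gaierror:
            return "unresolved", None          # fix the name before the port
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return "reachable", f"{ip} via {source}"
    except ConnectionRefusedError:
        return "port-closed", f"{ip} via {source}"   # host is up, wrong port
    except OSError:                                  # timeout, no route, filtered
        return "no-route-or-filtered", f"{ip} via {source}"


if __name__ == "__main__":
    with open("/etc/hosts") as fh:
        # vhcalnplci is the hostname from the post; 8000 is an assumed port.
        print(diagnose("vhcalnplci", 8000, fh.read()))
```

An "unresolved" result points at the /etc/hosts entry, while "port-closed" means the name is fine and the port in the mapping is wrong.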
4.3 Resources accessible on instance
As mentioned previously, we want to expose only the Gateway part of the AS ABAP server, so it’s necessary to provide the appropriate configuration in order to make gateway objects accessible outside of SCC.
In Cloud to On-Premise > ACCESS CONTROL > Resources Accessible On abap-as-hanatrial:443, hit the Add (+) button.
The Add Resource dialog is displayed. Enter the OData Gateway path and choose Path and all sub-paths. This makes all service resources under that path available.
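What "Path and all sub-paths" means for an allowlist, as an added example that is not part of the original post and not SCC's own matching code: a small model that normalises a request path and checks it against the exposed resources on segment boundaries. The prefix /sap/opu/odata and the service name are assumptions, since the post does not spell out the path it entered.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed policy: (URL path, include sub-paths?). The path is an assumed
# OData Gateway prefix; the post does not spell it out.
RESOURCES = [("/sap/opu/odata", True)]


def normalise(raw_path):
    """Decode once and collapse '.' / '..' so the check sees the real path."""
    path = unquote(urlsplit(raw_path).path)
    if not path.startswith("/"):
        return None
    return posixpath.normpath(path)


def is_allowed(raw_path, resources=RESOURCES):
    """True only if the normalised path falls under an exposed resource."""
    path = normalise(raw_path)
    if path is None:
        return False
    for prefix, sub_paths in resources:
        prefix = prefix.rstrip("/") or "/"
        if path == prefix:
            return True
        # Match on a segment boundary so /sap/opu/odataX is not a sub-path.
        if sub_paths and path.startswith(prefix.rstrip("/") + "/"):
            return True
    return False


if __name__ == "__main__":
    for candidate in (
        "/sap/opu/odata/sap/ZDEMO_SRV/$metadata",   # constructed service name
        "/sap/opu/odataX/secret",
        "/sap/opu/odata/../../bc/ping",
        "/sap/bc/gui/sap/its/webgui",
    ):
        print(f"{candidate:45} -> {'allow' if is_allowed(candidate) else 'deny'}")
```

Only the first candidate is allowed; everything outside the Gateway prefix stays unexposed, which is the point of listing a single resource.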
Done! Now you have a fully secure tunnel established between the on-premise system and the SCP subaccount. To make sure you’ve completed the configuration successfully, access your subaccount in the browser and choose Cloud Connectors under Connectivity.
As a result, the resource is shown as available.
Did you enjoy it? Don’t forget to comment below.
Cheers
Arthur Silva
Hi Arthur,
it's SCC not HCC.
Best regards,
Markus
Hello Markus,
Thanks for the information. I've adjusted the post properly 🙂
Hi Arthur,
great 🙂
Best regards,
Markus
Hi Arthur,
I have followed the steps given above; I am having a Not Reachable error while checking the internal host.
What to maintain in the internal host and proxy configuration?
Thanks,
Shan
Hey Shanmunga, hope you're well.
Make sure your internal host is reachable by SCC by pinging from the OS to the internal host.
For a better understanding, please share your system mapping configuration.
Cheers,
Arthur Silva
Very useful steps with correct parameters, Thank you!
Thanks for the Blog.
Connection from Cloud Platform to S/4 STE system works.
But how do we handle the following scenario?
S/4 On premise <-SOAP-> CPI <-SOAP-> 3rd Party Application On premise
I guess we will not use the address https://XYZ.hci.eu2.hana.ondemand.com/cxf/mySOAPService to call the CPI SOAP service, because then we move outside of the local network.
So how do I call a SOAP service on CPI from on-premise S/4 system?
Thanks in advance!
Best regards,
Thorsten.
Thank you very much
Thanks for sharing info.
Do we have any space quota to be allocated or restricted for connected in Cloud apps via onpremise ? Or Full stack Developer by online?
OP2SCP :
Hey!
In case you're working on the trial version, you have some limit. Check the Quota Plans on the SCP cockpit.
For productive use, I would suggest you to contact the service provider directly for further info.
KR,
Arthur Silva
Hello,
I followed Part 1 and 2 of your tutorial – thank you for the information you put together!
I am having one problem at the end: in the SAP Cloud Foundry (not the neo edition) the Cloud to On-Premise Connection is not shown since there is no “Cloud Connectors” Button / Menu below the “Connectivity” Menu. I tried to add a Destination to access the on premise backend, but when I click on “Check Connection” (under “Connectivity” in the SAP Cloud Platform Cockpit) I get an error:
I will take a look and talk with you later.
It seems a parameter is missing in the destinations config on the CF side
KR,
Arthur Silva
Hello Arthur,
I am encountering the same issue as Marco described above. I also do not see the "Cloud Connectors" button underneath the "Connectivity" drop down menu.
Were you able to help Marco resolve this issue? If so, Can you please point me in the right direction?
I appreciate your help.
Thanks,
Sal
Hello Arthur, I am facing the same issue too...Cannot find "Cloud connector" button in SCP cockpit. Any suggestions are welcome.
Hi Arthur Fuscella Silva, thanks for this blog. Do you know the procedure to make a connection with SCP Cloud Foundry? I have done the same procedure that I had done in Neo, but in CF an error persists when checking the connection: "Failure reason: "Could not check at the moment. Please try again later""
Hey Cristiano,
It should be pretty much the same, as CF also has an endpoint to get access.
Could you please share more details about the issue you're facing? Are you using the free tier CF in order to establish the connection?
KR,
Arthur Silva
Hi Arthur,
thank you for your excellent blog. I am facing the same problem Cristiano and Marco are reporting.
I set up a connection to my local SAP NLP system running in a VM. System is reachable, resources are exposed and everything seems fine:
I can define a destination in the SCP
but connection test always fails
No further explanation is given.
Any ideas what is the issue here ?
Thank you and best wishes,
Axel
Great effort. Thank you !
Hi Arthur,
Thumbs up for your tutorial. Provide step by step with details and guide us a lot. Thanks!!!
Continuing the SAP Cloud Connector installation and setting the initial subaccount, I have faced one issue when submitting a new trial account, as in the screenshots below
When I opened the ljs_trace_log file, I found the connection failed when hitting this address
I have tried to test this URL in a new browser session and found this address could not be reached, with an error resolving the domain in the browser. I have installed my SAP Netweaver 7.52 SP04 within my home network without using a proxy, and the firewall is disabled both for VMware and Windows.
Are there any changes to the connectivity certification signing address for this Cloud Connector version?
I'm using this SCC version installed into my SAP Netweaver 7.52 SP04
Appreciate your help .
Best Regards,
Liyana
Hi,
I am setting up certification based authentication between CPI and ECC, CPI is connected to ECC via SAP Cloud Connector (SCC).
NOTE: Using Cloud Foundry environment on BTP.
Could you please confirm if my understanding of this scenario is correct?
Scenario: CPI is the client, ECC is the server:
- Get the CPI client certificate and import it into the STRUST in ECC.
We can get the CPI client cert by downloading sap_cloudintegrationcertificate from the CPI keystore:
- Mapping the Integration User to the CPI client Certificate in VUSREXTID view.
- Because SCC creates a private tunnel between SAP BTP and ECC, no need to import/export any certificates between CPI - SCC and SCC - ECC. Also, no need to install ECC server cert in the CPI keystore. [ This part is what I want to confirm]
Refer to my question for the cert based C4C-CPI-ECC end-to-end connectivity, here:
https://answers.sap.com/questions/13553473/certificate-based-auth-between-c4c-cpi-ecc-cpi-is.html
Thanks