Skip to Content
Technical Articles
Author's profile photo Denys van Kempen

SAP Analytics Cloud – Live Connection to SAP HANA using Direct (CORS)

SAP Analytics Cloud – Live Connections

In this blog you will find the code snippets, some background and additional information together with links to documentation for the tutorial video playlist on YouTube.

/wp-content/uploads/2016/02/sapnwabline_885687.png

YouTube Tutorial Video Playlist

SAP Analytics Cloud Live Connection

/wp-content/uploads/2016/02/sapnwabline_885687.png

Live Connections

We can connect SAP Analytics Cloud to a multitude of data sources. The focus of this blog is on Live Connections to SAP HANA (Direct Path | CORS).

Direct (CORS) is the recommend approach over PATH (reverse proxy), cf. SAP Analytics Cloud – Live connections to on-premise data systems (CORS recommended)

SAC_DataConnections

In this series, we cover a live connection to SAP HANA using the Information Access (InA) Service. This service is exposed by SAP HANA XS (classic) and requires the following configuration before the connection can be established.

  1. Configure a public URL for the XS server. By default, XS is only accessible internally.
  2. Certify the public URL. By default, the XS server (Web Dispatcher) uses only self-signed certificates.
  3. Grant the INA_ROLE to a user. By default, no user has this role granted.
  4. Enable and confgiure external access to the InA service. By default, CORS (Cross Origin Resource Sharing) is disabled.
  5. Modify the session server timeout for the XS server. By default, the session times out in 90 seconds.

Create Live Connection

Creating a Live Connection to a SAP HANA system on SAP Analytics Cloud is a simple task for the business user once all the prerequisites have been met. We need to provide the public URL for the system, the HTTPS port, and for basic authentication a user name and password, e.g.:

host = myhost.lab.cloud.sap
port = 4390
user = INA_USER
password = *******

Video Tutorial

[2019.05] SAP Cloud Analytics Live Connections: Create Connection – SAP Digital Enablement

Documentation

/wp-content/uploads/2016/02/sapnwabline_885687.png

SAP HANA Live Connection Prerequisites

1. Configure Public URL (XS)

To access information views in a HANA tenant database from SAP Analytics Cloud, the HANA XS server needs to listen to a public URL. It is not required to register the public URL with a public DNS. Only the computer accessing SAC needs to be able to resolve the address. This means that even the local hosts file can be used for name resolution. More common will be DNS registration inside the corporate network.

## execute as INI ADMIN on SYSTEMDB
ALTER SYSTEM ALTER CONFIGURATION ('xsengine.ini', 'database', 'HXE') 
 SET ('public_urls', 'http_url') = 'http://myhost.lab.cloud.sap:8090' 
WITH RECONFIGURE;
ALTER SYSTEM ALTER CONFIGURATION ('xsengine.ini', 'database', 'HXE') 
 SET ('public_urls', 'https_url') = 'https://myhost.lab.cloud.sap:4390' 
WITH RECONFIGURE;

For testing, you can add the FQDN of the host to your local hosts file (Linux, macOS /etc/hosts; Windows %WINDIR%\system32\drivers\etc)

127.0.0.1       localhost
153.127.3.52    myhost.lab.cloud.sap

Video Tutorial

[2019.05] SAP Cloud Analytics Live Connections: 1. Public URL (XS) – SAP Digital Enablement

Documentation

/wp-content/uploads/2016/02/sapnwabline_885687.png

2. Certify Public URL (XS)

The public URL needs to be signed by a certificate authority (CA). Digital web server certificates are provided by companies like DigiCert and Symantec (random list). For corporate environments, this service is typically by the IT department (SAP colleagues, visit Global PKI Certificate Management).

The public/private keys of the PSE (Personal Security Environment) of the HTTP Server (Web Dispatcher) are signed with host name only (CN=sid-hxe in case of HANA express). Recreate the SAPSSLS PSE with proper identification and with the CN corresponding to the public URL, e.g.

DE=Germany
ST=Baden-Wuertemberg
L=Walldorf
O=SAP
OU=IT
CN=myhost.lab.cloud.sap

Then generate the CSR (certificate sign request), upload it to the CA and import the web server certificate.

Note that you have to import the full certificate trust chain:

  • Top: X.509 certificate received from the CA;
  • Middle: any intermediate certificate;
  • Bottom: (Global) Root Certificate

Typically, the CA provides just the signed certificate and you have to download the other from their website. Open the certificate as text file and copy/paste the content to the Import CA Response field. 

You can see this in action at time stamp 6:40 of the video https://youtu.be/SAoG4T1NFbQ?t=400.

Should you use a Corporate CA (e.g. SAP) and not a global one (e.g. DigiCert), make sure to import the certificate trust chain on your client computer. Without the chain, browsers cannot trust the server certificate. Corporate client computers typically come with corporate certificates installed but should you have powered up a client with a cloud provider, you will have to import corporate root certificates yourself. 

In the video tutorial, we use the SAP Web Dispatcher to recreate the PSE, generate the CRS and import the certificate. You can access the tenant database web dispatcher using the URL configured above with path:

https://myhost.lab.cloud.sap:4390/sap/hana/xs/wdisp/admin/

To connect to the Web Dispatcher, we need the WebDispatcherAdmin role. Any user could be used but a least-privileged user approach is generally recommended. In the code example below we create the XS_ADMIN user and grant the user the WebDispatcherAdmin role.

CREATE USER xs_admin PASSWORD  ****;
CALL GRANT_ACTIVATED_ROLE('sap.hana.xs.wdisp.admin::WebDispatcherAdmin','XS_ADMIN');

Video Tutorial

[2019.05] SAP Cloud Analytics Live Connections: 2. Certify Public URL (XS) – SAP Digital Enablement

Documentation

/wp-content/uploads/2016/02/sapnwabline_885687.png

3a. EPM-MDS

For the tutorial videos, we used the SAP HANA, express edition system as provided by SAP Cloud Appliance Library. This development environment already includes the required EPMMDS plug-in. A standard “out-of-the-box” SAP HANA 2.0 SPS 01 platform edition does not include the EPMMDS component, so you would need to install it. The component is included with the media set or can be downloaded from the SAP ONE Support Launchpad, Software Downloads (“SAP HANA EPM-MDS”).

Use the platform lifecycle management tool (hdblcm) to install it. The web interface is accessible from HANA cockpit.

./hdblcm --components=epmmds --action=install

Documentation

3b. GRANT INA_ROLE (XS)

To connect to the InA service we need the INA_USER role. Any user could be used but a least-privileged user approach is generally recommended. In the code example below we create the INA_USER user and grant the user the INA_USER role.

CREATE USER ina_user PASSWORD ****;
CALL GRANT_ACTIVATED_ROLE('sap.bc.ina.service.v2.userRole::INA_USER','INA_USER');

To access specific information views, we need to grant this user SELECT privileges on the views:

GRANT SELECT ON "_SYS_BIC"."MY_USER/MY_VIEW" to "INA_USER";

Verify connectivity with GetServerInfo:

https://myhost.lab.cloud.sap:4390/sap/bc/ina/service/v2/GetServerInfo

Verify connectivity with GetResponse:

https://myhost.lab.cloud.sap:4390/sap/bc/ina/service/v2/GetResponse?Request={%22Metadata%22:{%22Expand%22:[%22Cubes%22]}}

Error

If the user does not have the INA_USER role, the following error message is returned when saving the Live Connection configuration:

You are not authorized to query the remote system. 
Please ask your administrator to grant you the InA role.

The GetServerInfo URL returns the following error when the component is not installed.

{"Messages":[{"Number":42001,"Type":2,"Text":"InformationAccess Service GetServerInfo is not available. Install EPM."}]}

Video Tutorial

[2019.05] SAP Cloud Analytics Live Connections: 3. User with INA_ROLE (XS) – SAP Digital Enablement

Documentation

/wp-content/uploads/2016/02/sapnwabline_885687.png

4. CORS Configuration InA Service (XS)

Cross-Origin Resource Sharing (CORS) needs to be enabled for the InA service. You can access the tenant database XS artifact administration tool using the URL configured above with path:

https://myhost.lab.cloud.sap:4390/sap/hana/xs/admin/

To connect to tool we need the RuntimeConfAdministrator role. Any user could be used but a least-privileged user approach is generally recommended. In the code example below we grant the role to the user created in step 2 above.

CALL GRANT_ACTIVATED_ROLE('sap.hana.xs.admin.roles::RuntimeConfAdministrator','XS_ADMIN');
CALL GRANT_ACTIVATED_ROLE('sap.hana.xs.admin.roles::SAMLViewer','XS_ADMIN');

Edit the CORS settings for the following package:

sap.bc.ina.service.v2

Add the following to Allowed Headers:

accept
authorization
content-type
x-csrf-token
x-request-with
x-sap-cid
accept-language

Add the following to Exposed Headers:

x-csrf-token

Select the following Allowed Methods:

GET, HEAD, POST, OPTIONS, PUT

Alternatively, you can perform this task using SQL.

  • Connect to XS Admin with a user with RuntimeConfAdministrator role.
  • Navigate to sap.bc.ina.service.v2 package (as shown in the print screen)
  • Select Reset on the bottom right menu bar
  • Execute the SQL script
  • Reload the page to verify the changes have been applied.

 

REM execute on <tenant_db>
REM execute with role sap.hana.xs.admin.roles::RuntimeConfAdministrator

UPDATE "_SYS_XS"."RUNTIME_CONFIGURATION"
SET "CONFIGURATION" = ' {"cors":{
  "enabled":true,
  "allowOrigin":["https://XXX.XXX.sapanalytics.cloud"],
  "exposeHeaders":["x-csrf-token"],
  "allowHeaders":["accept-language","x-sap-cid","x-request-with","x-csrf-token","content-type","authorization","accept"],
  "allowMethods":["GET","HEAD","POST","OPTIONS"],
  "maxAge":3600}
}'
WHERE "PACKAGE_ID" = 'sap.bc.ina.service.v2';

 

Video Tutorial

[2019.05] SAP Cloud Analytics Live Connections: 4. CORS Configuration (XS) – SAP Digital Enablement

Documentation

Error

If CORS has not been configured for the InA service, the following error is returned when creating the Live Connection

Failed to connect to HANA system. 
Possible causes: CORS Settings; incorrect credentials. 
More information can be found on the troubleshooting page.

/wp-content/uploads/2016/02/sapnwabline_885687.png

5. HTTP Server Session Timeout (XS)

Default value for the HTTP Server (XS Engine) session timeout parameter is 900 seconds. The SAP Analytics Cloud Online Help recommends 12 hours.

REM execute as INI ADMIN on SYSTEMDB
ALTER SYSTEM ALTER CONFIGURATION ('xsengine.ini', 'database', 'HXE') 
SET ('httpserver', 'sessiontimeout') ='43200' 
WITH RECONFIGURE;

Video Tutorial

[2019.05] SAP Cloud Analytics Live Connections: 5. HTTP Server Timeout – SAP Digital Enablement

/wp-content/uploads/2016/02/sapnwabline_885687.png

HelpDesk.png

Additional Documentation

This topic was also covered for earlier releases by Ian Henry

/wp-content/uploads/2016/02/sapnwabline_885687.png

Thank you for watching

The SAP HANA Academy provides technical enablement, implementation and adoption support for customers and partners with 1000’s of free tutorial videos.

For the full library, see SAP HANA Academy Library – by the SAP HANA Academy

For the full list of blogs, see Blog Posts – by the SAP HANA Academy

 

Assigned tags

      14 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Ravi Condamoor
      Ravi Condamoor

      Hi,

      I set the CORS Allowed header to:

      accept
      authorization
      content-type
      x-csrf-token
      x-request-with
      x-sap-cid
      accept-language

      and Exposed Header to

      x-csrf-token

      Still I get this error..

      Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

      Any ideas on how to fix this?

      Thanks

      -ravi

       

      Author's profile photo Denys van Kempen
      Denys van Kempen
      Blog Post Author

      Hi Ravi,

      If you configured the environment exactly as document (of which my blog is just a reproduction) and you encounter an issue / error than I would conclude you identified a bug.

      Although unfortunate for you, this is great news for SAP development and I am sure they would love to hear about it so it can either be fixed in the code or, in case the issue is caused by external factors, have it documented in a note so future customers won’t have this problem. Did you already submitted a ticket?

      Searching the error message a bit, revealed it appears not to be uncommon. Maybe this article can bring some inspiration

      Should the issue be identified, please follow up on this post. Sharing is caring. Thanks

      Author's profile photo Eduardo Jarauta
      Eduardo Jarauta

      In point 3b

      Would it be possible to add permissions to all views by using *?

      GRANT SELECT ON "_SYS_BIC"."INA_USER/*" to "INA_USER";

       

      Author's profile photo Denys van Kempen
      Denys van Kempen
      Blog Post Author

      What happens if you do?

      Author's profile photo Gulshan Goyal
      Gulshan Goyal

      Hi Denys,

      I have been trying to connect to an on-premise HANA DB via SAC.

      HDB version info:
      version: 2.00.050.00.1592305219
      branch: fa/hana2sp05

      I am able to make a live connection as well. However, when I try to create a model out of this live connection. I get the no Data Source option to select from.

      I do have analytical views and tables created via the user.

      select privilege on _SYS_BIC schema  is also assigned.

      I checked the network tab, it makes a POST request - which is 403 Forbidden https://<on_premisehost>4300/sap/bc/ina/service/v2/GetResponse
      with  payload

      I have tried GET request - sap/bc/ina/service/v2/GetResponse?Request={"Metadata":{"Expand":["Cubes"]}}and also/GetServerInfo
      This returns the data indeed.

      User has the INA_USER role assigned as well.
      I checked CORS settings also.

      Can you please suggest what could be the reason for this.

      Author's profile photo Denys van Kempen
      Denys van Kempen
      Blog Post Author

      Hi Gulshan Goyal,

      Did you check the notes?

      Component LOD-ANA

      e.g. https://apps.support.sap.com/sap/support/knowledge/en/2777129

      There are a couple which reference protocol error #73, so it appears to be common.

      Should this not provide any solution, suggest to post the question on answer.sap.com and tag with SAP Analytics Cloud to notify all those subscribed. 

       

      Author's profile photo Gulshan Goyal
      Gulshan Goyal

      Thanks Denys for the quick reply.

      I have checked several notes
      2500486
      2659652
      2525234
      2777129
      2252747

      However none of the resolution proposed has worked for me as of now.
      I will post the same query on answers.sap.com as you mentioned and will update here as well, once the issue is resolved.

      Author's profile photo Gulshan Goyal
      Gulshan Goyal

      The issue is resolved! I found the cause.

      There was web-dispatcher configuration setting missing.

      HANA on-premise has to explicitly mark cookies for access in third-party, or cross-site, contexts.

      Only cookies with the SameSite=None; Secure attributes will be available for cross-site access, and require secure HTTPS connections.

      More information regarding configuration can be found here

      BR, Gulshan

      Author's profile photo Denys van Kempen
      Denys van Kempen
      Blog Post Author

      Awesome; and many thanks for sharing the solution as well, Gulshan!

      Author's profile photo Giuseppe Miceli
      Giuseppe Miceli

      Hello Denys,

       

      we were not able to create live connection from SAC to HANA using Chrome browser.

      Following the note 2968494 we were able to do it using Firefox

      Also application team were not able to create a model (from the live data connection above)  using Chrome (the same with Edge) but only with Firefox

      But as far as I know the best browser for SAC is Chrome:

      What do you think about that?
      Many thanks
      Kind regards,
      Giuseppe
      Author's profile photo Denys van Kempen
      Denys van Kempen
      Blog Post Author

      Hi Guiseppe,

      Best to post this comment (copy/paste) as question > answers.sap.com

      Author's profile photo Yumiko HATA
      Yumiko HATA

      Hi Denys

      On SAC, is it possible to create 2 direct connections against a single HANA (on Premise) with different authentication types : 1 with user/pass, and another with SSO ?

      Thanks

      Author's profile photo Denys van Kempen
      Denys van Kempen
      Blog Post Author

      Hi Yumiko,

      Same as above; best to post this comment (copy/paste) as question > https://answers.sap.com

      This notifies the experts and interested parties following the tag (SAP Analytics Cloud) and allows for knowledge sharing.

      Thanks!

      Author's profile photo Martin Kreitlein
      Martin Kreitlein

      Hello,

      nice and interesting blog... I think now I understand where the error message in SAC comes from:

      You are not authorized to query the remote system. Please ask your administrator to grant you the InA role

      https://launchpad.support.sap.com/#/notes/2805974

      Can you please let me know which role in an S4 System or e.g. SAP Marketing Cloud system represents this: "sap.bc.ina.service.v2.userRole::INA_USER" ?

       

      Thanks, Martin