SAP Analytics Cloud, SAC, has the ability to load data live from your existing on-premise systems such as HANA, S/4 HANA, BW and the product close to my heart, SAP BI 4.2 Universes. The focus of this blog will be on SAP BI 4.2 Universe live connections.
With SAC, users can access their BI content on the move and no longer have to be on the corporate network as its all cloud based. Or is it? When using live data connection, your data is most certainly not in the cloud, it is still on your company’s internal network. So when you one of your users decides to view their Universe based content while on the move or perhaps giving some important presentation to senior management at some offsite retreat, the poor user is presented with this message in their charts:
This blog post covers the topic on how to make SAC content based on Live Universe connections available to users outside your internal network.
When you set up the Live Universe Data Connection, it is most likely that is was set up to connect directly to your SAP BI 4.2 system on your company network as shown in the example below:
The example assumes that your SAP BI 4.2 server is called bi42server in your company domain called stark-industries.local. This works great as users on your internal network can connect to SAC as that is on the Internet and using Cross-Origin Resource Sharing, CORS, the users’ web browser can connect to the SAP BI 4.2 server:
However, if a user tries to use SAC in this setup when they are on the move or presenting at some offsite location then this set up will not work. This is because the user’s web browser cannot connect to the SAP BI 4.2 system to access data as the SAP BI 4.2 system will be hidden from the Internet by firewalls:
So, how do you allow users access SAC content based on Live Universe connections?
Option 1: VPN
The simplest way in terms set for the SAP BI 4.2 and SAC administrator is Virtual Private Network, VPN. Users can connect to the company network using a VPN client, e.g. Cisco AnyConnect. This would open a secure tunnel from the User’s client machine across the Internet into the internal network. The user’s web browser can then connect to the SAP BI 4.2 server just like if the user was in the office with a machine on the internal network. Easy!
Of course there are other methods of access internal network such as running applications on company servers and provide users with a Virtual Desktop, VDI, or application virtualisation over the Internet. One example of this is Citrix Gateway. That does mean you are having to provide a Virtual Desktop just to run a web browser.
Option 2: Reverse Proxy
The other option is to expose at least the Live Data Connect Aspect to the Internet. This would be achieved by placing a reverse proxy server in the Demilitarized Zone, DMZ. The DMZ is a border area for servers that need to be accessible from the Internet and have restricted access to servers in the internal network. In the case of SAC, a reverse proxy will be used to route connectivity to the Live Data Connect web application running on the SAP BI 4.2 Apache Tomcat server.
Examples of reverse proxy servers that could be use are Apache Web server, SAP’s own web dispatcher or F5 BIG-IP as has been used at some customers I have worked at.
As an example, we will go through the set up of Apache Web Server as a simple reverse proxy.
Apache Reverse Proxy Setup
The following is needed in order to complete the set of Apache as reverse proxy for BOE Live Data Connect:
- A SAC tenant which your organisation will have already have. If you are studying this yourself, I believe you will need to purchase a tenant rather than use the trial version. You can purchase a 1 user license for a year (minimum subscription term). This will give you a license for 1 admin account and 1 user in a single tenant. If you only want it for a year, remember to turn off auto-renew subscription. I paid around £240 for 1 year. Check out https://www.sap.com/uk/products/cloud-analytics.html if you want purchase a tenant.
- SAP BI Platform 4.2 with SP04 or higher deployed. For this guide it assumed that the install has been placed in the default directory of C:\Program Files (x86)\SAP BusinessObjects and the default Tomcat has been used.
- To have performed steps 1-7 of the Live Universe connection guided playlist: https://www.sapanalytics.cloud/guided_playlists/connect-sap-universe-live (Not a fan of the security rights part though, Full Control access to Webi and using Advanced rights, hmmmm)
- A PC with Google Chrome
- A server set up the DMZ. It should have TCP Port 443 (HTTPS) open to the Internet. It should be able to communicate with your SAP BI 4.2 Apache Tomcat. This could be on the HTTPS port you set up for internal BOE Live Connect use which is likely to be 443 or 8443. You can connect to the standard HTTP port instead, 8080. For this example we are going to use 8080 but I think for best security in real life you should use HTTPS all the way.
- A DNS name on the Internet that you use to connect to your reverse proxy. I used No-IP for my system as I was just testing, https://www.noip.com/
- Apache Web Server 2.4, I usually get the latest 64-BIT version from Apache Lounge: https://www.apachelounge.com/download/ (Note: You must install the Visual C++ Redistributable recommend for the version of Apache you are installing). This is for Windows which is what I will use for this example. Of course you can use another O/S like Linux if that is your preference.
In this guide we will assume that :
- The server BI 4.2 is installed is called bi42server.starkindustries.local with Apache Tomcat listening on Port 80.
- The DNS name on the Internet for your reverse proxy server is boe.stark-industries.com.
Step 1: Install Apache
- Unzip the Apache zip file, httpd-2.4.41-win64-VC16 to a folder. C:\Apache24 Is used.
- Edit the httpd.conf file, and specify values for the following parameters
- Listen 80
- ServerName localhost
- Install the Visual C++ 2019 Redistributable, VC_redist.x64.exe
- Install Apache as Service.
- Load up Command Prompt in Administrator mode
- Run the following the commands
- cd C:\Apache24\bin\
- exe -k install -n “BOEXI40Apache”
- Start the Apache Server, this will be listed as “BOEXI40Apache in Windows Services
- On the server, open a web browser and navigate to http://localhost. You should be presented with “It works!”
Step 2: Enable Proxy and SSL
The first part is to enable the appropriate modules:
- Stop the Apache Server
- Edit the httpd.conf file in C:\Apache24\conf and make the following changes:
- Uncomment the following modules by removing the # symbol before each module
LoadModule headers_module modules/mod_headers.so LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_http_module modules/mod_proxy_http.so LoadModule ssl_module modules/mod_ssl.so
Following this you need to add a Virtual host for port 443 and set up a reverse proxy to link the BOE Live Data Connect webapp hosted on the BI 4.2 server, bi42server.starkindustries.local in this example:
Listen 443 <VirtualHost *:443> SSLEngine on SSLCertificateFile "D:\ssl\ssl.crt" SSLCertificateKeyFile "D:\ssl\ssl.key" <Proxy *> Require all granted </Proxy> <Location /sap/boc/ina> ProxyPass http://bi42server.starkindustries.local:8080/sap/boc/ina ProxyPassReverse http://bi42server.starkindustries.local:8080/sap/boc/ina ProxyPassReverseCookiePath http://bi42server.starkindustries.local:8080/sap/boc/ina /sap/boc/ina </Location> </VirtualHost>
You will notice that I have an SSL certificate and key file. You will need to obtain these for your web address on the Internet. For my testing, I was able to get free SSL certificate from Let’s Encrypt: https://letsencrypt.org/
Step 3: Test Connectivity
The next step is test that users over the Internet can actually connect to BOE Live Data Connect application.
I would suggest following the guide provided in SAP Note Link below:
If we assume that your DNS name on the Internet is boe.stark-industries.com, then the test URL you would use is:
Step 4: SAC – Update Connection to use Internet Address
You now just need to point SAP Analytics Cloud Live Universe connection to the Internet Facing address. To do this:
- Login to SAP Analytics Cloud Tenant as the user with privileges to edit connections
- Click on Menu > Connections
- Select the connection you wish to edit, “UNX Live” in my example, and then click the edit icon.
- Change the host to match your Internet DNS name, e.g boe.stark-industries.com
- Click Save. If successful, your connection will Save.
Following this step you have now completed all the technical aspects of setting up BOE Live data connect to work over the Internet.
Bonus: SAP BI Mobile
If you fancied making SAP BI Mobile work over the Internet, then you can make the relevant BI Mobile webapps available through the reverse proxy too. You can follow the guide above but for Step 2 you add entries for the MOBIServer and MobileBIService webapps as shown below:
Listen 443 <VirtualHost *:443> SSLEngine on SSLCertificateFile "D:\ssl\ssl.crt" SSLCertificateKeyFile "D:\ssl\ssl.key" <Proxy *> Require all granted </Proxy> <Location /sap/boc/ina> ProxyPass http://bi42server.starkindustries.local:8080/sap/boc/ina ProxyPassReverse http://bi42server.starkindustries.local:8080/sap/boc/ina ProxyPassReverseCookiePath http://bi42server.starkindustries.local:8080/sap/boc/ina /sap/boc/ina </Location> <Location /MobileBIService> ProxyPass http://bi42server.starkindustries.local:8080/MobileBIService ProxyPassReverse http://bi42server.starkindustries.local:8080/MobileBIService ProxyPassReverseCookiePath http://bi42server.starkindustries.local:8080/MobileBIService /MobileBIService </Location> <Location /MOBIServer> ProxyPass http://bi42server.starkindustries.local:8080/MOBIServer ProxyPassReverse http://bi42server.starkindustries.local:8080/MOBIServer ProxyPassReverseCookiePath http://bi42server.starkindustries.local:8080/MOBIServer /MOBIServer </Location> </VirtualHost>
I hope that you find this blog post useful in helping to understand how live connections work with on-premise systems. This blog post took a bit longer than expected to complete since I started back in the beginning of September.
The next thing I am looking forward to working with is the SAP BusinessObjects BI 4.3 Beta. I am especially interested in seeing how this integrates with SAP Analytics Cloud with the Webi Data Model and user management.