SAP Analytics Cloud: Publication based on SAP HANA live connection
Being able to schedule publications on stories and analytical applications is a long-awaited feature for SAP Analytics Cloud. In the ‘release notes’ of wave 2020.03, SAP announced the availability of the possibility to schedule publications with a recurring pattern that allows distributing content as a PDF over email.
Recently Karthik Kanniyappan published an excellent blog where he explained all the details. Furthermore, he just published a blog explaining the number of publications you are allowed to schedule: Schedule Publications on SAP Analytics Cloud – Number of Publications.
In this blog, I will guide you through the additional configuration steps you need to perform to enable the scheduling of publications of stories that are based on an SAP HANA live connection.
Configure on-premise SAP HANA system in SAPCP Cloud Connector
Connectivity between SAP Analytics Cloud and your on-premise SAP HANA system will be handled through the SAP Cloud Connector. If you have not installed a SAPCP Cloud Connector yet please follow the instructions specified here: Installing the SAPCP Cloud Connector.
After you have successfully installed the SAPCP Cloud Connector you need to configure it. Please follow the steps described here: Configuring the SAPCP Cloud Connector.
When your SAPCP Cloud Connector is up-and-running and configured we need to add a system mapping for our on-premise SAP HANA system.
Select your subaccount corresponding with your SAP Analytics Cloud tenant in the SAPCP Cloud Connector and select ‘Cloud To On-Premise’.
Click on ‘Add System Mapping’ via the + on the ‘Access Control’ tab.
Select ‘SAP HANA’ as ‘Back-end Type’ and click ‘Next’.
Select ‘HTTPS’ as ‘Protocol’ and click ‘Next’.
Enter the ‘Internal Host’ and the ‘Internal Port’ of your on-premise SAP HANA system.
Enter a ‘Virtual Host’ and ‘Virtual Port’. This corresponds with the SAP Analytics Cloud SAP HANA live connection details.
In this example, I use ‘None’ as ‘Principal Type’.
Select which host needs to be displayed in the request header.
Optionally you can enter a ‘Description’.
Click on ‘Finish’ in the ‘Summary’ to add the system mapping.
Please select the system mapping and click on the ‘Check Availability’ icon, available in the ‘Actions’ column on the right side of the screen and check if the system is reachable in the ‘Check Results’ column. If it turns green your on-premise SAP HANA system is reachable.
The final step is to allow access to the system paths. In this case, we will allow all resources to be available but you can restrict this is needed.
In the ‘Resources Of’ section click on ‘+’.
Enter ‘/’ as ‘URL Path’ and select ‘Path and all sub-paths’. Click ‘Save’ to confirm.
The resource should be listed and the ‘Status’ should be active.
Setup Trust between SAPCP Cloud Connector and SAP HANA system
The next step is to set up a trust between the SAPCP Cloud Connector and the on-premise SAP HANA system.
Switch to the ‘Principal Propagation’ tab and click on the ‘Synchronize’ icon to synchronize the identity providers.
The next step is to download the SAPCP Cloud Connector’s system certificate.
Switch back to the ‘Access Control’ tab and select ‘Configuration’ in the left side menu and select the ‘On Premise’ tab.
In the ‘System Certificate’ section click on ‘Download certificate in DER format’.
If the SAPCP Cloud Connector is newly installed, there is no certificate to download. The certificate needs to be either uploaded or generated first. To add a certificate please see: Configure a CA Certificate for Principal Propagation.
The final step in the SAPCP Cloud Connector is to generate a sample certificate based on a valid user’s identifier value.
Scroll down to the ‘Principal Propagation’ and click on ‘Create a sample certificate’.
Enter a valid ‘CN name’ and ‘EMAIL name’ of an existing user in your on-premise SAP HANA system and click on ‘Generate’.
Setup Trust between SAP Analytics Cloud, the Live Connectivity Service, and your on-premise SAP HANA system.
There are two levels of trust: you need to allow the SAPCP Cloud Connector to identify itself with its system certificate for the HTTPS case and you need to allow this identity to propagate the user accordingly so that the short-living X.509 certificate can be forwarded. A pre-requisite is that the user with the correct mapping exists in your on-premise SAP HANA system. The X.509 certificate contains information about the cloud user in its subject.
Now let’s follow the next steps to set up a trust.
Browse to your SAP HANA XS Administration Tool, open the ‘SAML Service Provider’ screen and on the ‘Service Provider Information’ tab, get the SAML provider name.
Now login to your SAP Analytics Cloud tenant and create a new HANA Live connection. Enter all the required information and make sure you enter the virtual host and port defined in the system mapping. In this example, I use ‘SAML Single Sign On’ as ‘Authentication Method’.
Now click on the ‘>’ to access the ‘Advanced Features’.
Select the checkbox that allows users to set up a schedule for publishing stories. Now click on the ‘Download Metadata’ button.
Switch back to the SAP HANA XS Administration Tool, open the ‘SAML Identity Provider’ screen and click on the ‘+’.
Copy and past the metadata and click outside the text box. The ‘General Data’ and ‘Destination’ fields will be populated automatically based on the metadata.
Click on ‘Save’ to add the SAML Identity Provider.
Switch back to the dialog in SAP Analytics Cloud to finalize the HANA Live connection. Enter the ‘Virtual Host’ and ‘Port’. Enter the ‘SAML Provider Name’ and click ‘OK’ to create the connection.
Now you are ready to create a publication of a story that is based on a model, based on the HANA Live connection just configured. The username of the user that creates the publication is used to retrieve the data when the publication is processed.
Please leave a comment if you have any questions! Thanks for reading!
First thanks for the blog, there is nothing like this information right now. I've not been capable to set up in my case. Is there any difference if we got our SAC configured with Microsoft ADFS as IdP?
Is there any missing step in the part "Setup Trust between SAPCP Cloud Connector and SAP HANA system", you mentioned to donwload the CP certificate but do we need to upload it anywhere?
Kind regards, Antonio
The missing piece in my case is that you need to add to your HANA user a new external identity provider with the new identity provider you have uploaded to HANA (section ‘Download Metadata’ button.)
Is schedule publication based on live connection available only for on-premise SAP HANA system?
I have a SAPCP HANA service instance running in a Cloud Foundry environment and I would like to set up a schedule publication in SAC using an active live connection stablished with my HDI Container (which consumes data from my HANA service database).