What is SAP Analytics Cloud Tunnel Connection? Configure SAC & HANA to use Tunnel Connection
In this blog, I would like to discuss SAP Analytics cloud ‘Tunnel Connection’ features and how to configure one.
We know SAP Analytics Cloud can connect to various data sources both cloud and on-premise. Two most common methods are Live and Import data connection. The solution works when users are on vpn. In case, users are outside corporate firewall they could connect through a SAP Web Dispatcher. Web Dispatcher has its own advantages like load balancing or act as a reverse proxy. While web dispatcher has advantages it does come with some overhead, like cost and maintenance.
In recent past we introduced SAP Analytics cloud Tunnel Connection option, which allows users to make a live connection. This connection type is great new feature and allows user to consume on-primise data through SAC, live. Please note this does not replace SAP Web Dispatcher in any way and it is not a good idea to compare the two. They both serve separate purpose.
When a client issues the HTTP request to a HTTP proxy server. This proxy server makes a TCP connection to a particular server:port, and relays data between that server:port and the client connection. Based on Tunnel Connection principle, SAP Analytics Cloud Tunnel connection works in the same way.
When to use SAP Analytics Cloud ‘Tunnel Connection’?
Consider SAP Analytics Cloud Tunnel Connection if there is a need to share business findings and insights with external stakeholders, without giving VPN rights.
For example: if your organization wants to expose some of your data to users outside of your corporate network, without giving them VPN rights.
What is the difference between SAP Analytics Cloud Tunnel Connection, Direct Connection and Import Connection?
|Tunnel Connection||Import Connection||Direct Connection|
This is a live data connection.
DATA: Data moves transiently meaning for a very short time, but no data is stored.
Requirements: SAP Cloud Connector
DATA: In import connection the data is imported to SAP Analytics Cloud.
Requirements: SAP Cloud Connector and/or cloud agent
Direct connection a.k.a. CORS – Cross-Origin Resource Sharing is a live data connection.
DATA: No data replication happens in this connection type.
Requirements: CORS Configuration
- Systems on SAP data centers support only SAML connections, while systems on non-SAP data centers support Basic and SAML connections. A two-digit number in your SAP Analytics Cloud URL, for example eu10 or us30, indicates a non-SAP data center.
- Data Sources currently supported under tunnel connection are listed below:
There are currently three ways for the mobile app to support SSO on iOS:
- The mobile app supports SSO using a MDM push-based certificate for logging on to SAP Analytics Cloud. For SSO to live data sources in your stories, individual users can manually import certificates to a device. For detailed information on how to configure this method, see Certificate-Based Authentication for Mobile.
- You can also set up SSO using the SAP Cloud Connector to propagate credentials through the system once trust is established between your SAP Analytics Cloud system and your live data source. For more information on this SSO method, see SAP Cloud Connector-based Mobile Single Sign-On.
- Using a customized token for SSO to connected live data sources. Specific endpoints need to be established to configure this SSO method. For more information, see Token-based Single Sign On to Live Data Sources.
The Android app supports SSO by using X509 user certificates for logging on to SAP Analytics Cloud. These certificates need to pushed to the device by either using an MDM profile, or they can be installed manually on the device. For detailed information on how to configure this method, see Certificate-Based Authentication for Mobile.
To achieve the best user experience always use responsive pages rather than canvas or grid.
To learn more reference: https://help.sap.com/viewer/00f68c2e08b941f081002fd3691d86a7/release/en-US/9946e4a060f9431f956ae82e34f4c112.html
How to setup an SAP Analytics Cloud Tunnel Connection?
We will now setup a tunnel connection to backend data source, in this example we will work on SAP HANA.
|Ensure that the SAP Information Access (InA) service (/sap/bc/ina/service/v2) on your SAP HANA server is exposed to browser users directly.|
|Ensure the sap.bc.ina.service.v2.userRole::INA_USER role is assigned to all users who will use the live connection.|
|Ensure that your SAP HANA XS server is configured for HTTPS (SSL) with a signed certificate, and that you know which port it is using for HTTPS requests. For details, see Maintaining HTTP Access to SAP HANA and SAP Knowledge Base Article 2502174.|
|For SAP HANA version 1.00.112.04 and above, users require both the INA_USER role, and additional object rights. The SAP HANA administrator must grant users SELECT privileges on all view items in the _SYS_BIC schema that users should have access to. For more information, see SAP Knowledge Base Article 2353833.|
Step 1: Configure Your On-Premise Systems to Use the SAP Cloud Connector
Log in to the Cloud Connector Administration
In the left-side menu, select Cloud to On-Premise
In the Subaccount field, choose your SAP Analytics Cloud subaccount.
On the Access Controltab, in the Mapping Virtual To Internal System section, click (Add) to add a new mapping to your live data system.
In the Add System Mapping dialog, use the following values:
|Back-end Type||SAP HANA|
<can use the same host as the internal host>
<can use the same port as the internal port>
Allow access to your system paths:
- In the Resources Of section, click (Add).
- Enter the URL Path:“/”.
For SAP HANA, if you don’t want to allow access to all paths under “/”, set the path to /sap/bc/ina/service/v2/.
- Choose Path and all sub-paths.
- Select Save.
Step 2. Increase the session timeout configuration parameters in SAP HANA XS server.
To do this, you will need to increase the sessiontimeout parameter in the httpserver section of the xsengine.ini file. For example, if you change the parameter to 43200, the session will be active for 12 hours.
For more information, see the SAP HANA XS Classic Configuration Parameters.
Step 3 Add the remote HANA system to SAP Analytics Cloud:
Before you add the system, make sure under System–> Administration–>Datasource Configuration
1. Click ‘Allow live data to securely leave my network’
2. Add ‘Default Location’
Go to (Main Menu) Connection Connections (Add Connection)
The Select a datasource dialog will appear.
Expand Connect to Live Data and select SAP HANA.
- In the dialog, enter a name and description for your connection. The connection name cannot be changed later.
- Set the connection type to Tunnel.
- Add your SAP HANA host name, and HTTPS port.
Use the virtual host name and virtual port that were configured in the cloud connector
- (Optional) Choose a Default Language from the list.
This language will always be used for this connection and cannot be changed by users without administrator privileges.
5. Under Authentication Method select User Name and Password.
6.. Enter an SAP HANA user name and password.
The user must be assigned to the sap.bc.ina.service.v2.userrole::INA_USER role in SAP HANA.
Common Errors and Solution
- Ensure that the SAP Information Access (ina) service (/sap/bc/ina/service/v2) on your SAP HANAserver is exposed to browser users directly.
- Ensure the bc.ina.service.v2.userrole::INA_USERrole is assigned to all users who will use the live connection.
- Live Data Connection to SAP HANA Using a Tunnel Connection with Password Authentication
- Live Data Connection to SAP HANA Using a Tunnel Connection and SSO
- Download Cloud Connector here: https://tools.hana.ondemand.com/#cloud
- Download SAP JVM here: https://tools.hana.ondemand.com/#cloud
We discussed about the new Tunnel Connection type, when you should consider this type of connection. We also compared the different type of connections and finally how to setup one. Please do leave a feedback if you have any question that I can help answer.
Hi Prarit Sehgal,
First of all thanks for sharing this info. Well explained and step by step info.
Out of curiosity - how this is maintenance free, compared to "Cloud Connector +Cloud Agent" setup.
Is it that C4Agent required more frequent update compared to Cloud Connector? or there is something more to it...
We do not require a cloud agent in this setup, only cloud connector.
One more thing, this is not an 'Import connection', it is a live connection.
Import connection required CC or both CC and agent. Hope this helps.
Thanks Prarit Sehgal for your reply. I am clear about the live connection part. I am curious about how this setup will be low maintenance compared to the other options.
Is it recommended to keep Cloud Agent up to date.
New feature bugfixes gets rolled out every two weeks via updated version of agent. Some are big enough to be considering update. We have seen some significant performance improvement in terms of import package size (compared to early 2019). Not to mention one date field related issues from HANA , BW and ECC fields are corrected.
C4Agent includes the code changes with respect to underneath source system. We need to go through the cycle of testing and updating C4Agent
Let's say that you have to share the same story with 3 different categories of stakeholders: desktop stakeholders, desktop external stakeholders, mobile stakeholders.
Do you create 3 stories (clones) using 3 different connections ?
What are the best practices for such scenarios?
You create a single story with 1 live connection and make sure you expose your back-end data source via a reverse proxy setup. So, create a separate URL and configure a proxypass that only allows a request to be passed from a certain origin to a specific service.
Martijn van Foeken | Interdobs
Of course that this would work, but this is defeating the purpose of using the CC and tunneling the live connection.
Or am I missing something ?
Yes, it's a different concept for achieving the same without having to maintain different stories, connections, etc.
Martijn van Foeken | Interdobs
Hi Parit Sehgal,
I am facing when trying to add live connection using tunnel.
Kindly guide me how to resolve this.
Looks like your backend server is not reachable.
I would also make sure the Cloud Connector can connect to the backend server S/4HANA first.
Backend system is reachable from cloud connector.
Kindly let me know which username and password should I use in SAC tunnel connectivity.
M. Adeel Khan
Hi Mohammed Adeel Khan
in the SAC Connection screen, it's the user name and password for the data source system you need to enter, in this case the S/4HANA user.
As per help guide here: https://help.sap.com/viewer/00f68c2e08b941f081002fd3691d86a7/release/en-US/aa97e36b36624eaa9029b02bdb779b13.html
Thanks for the reply.
As per guide in the link you mentioned above I configured all the settings with respect to tunnel connection but still couldn't able to connect to S4HANA system as I mentioned in the my earlier post.
M .Adeel Khan
Hi Mohammed Adeel Khan
it might be an idea to contact SAP product support by logging a ticket with them to help with the troubleshooting https://launchpad.support.sap.com/#/incident/create
the component (queue) would be LOD-ANA-LDC (SAC Live Data Connection)
They will likely ask for you to capture a trace from your browser, as per this Note https://userapps.support.sap.com/sap/support/knowledge/E/2280022
.. as it will yield some clues as to where the problem is in the configuration.
Great article for the new hires to understand the different types of connections!
We have requirement to connect on premise B/4 HANA system to SAC using CORS(Unified Connectivity).
I followed procedure mentioned in below link and when I try to create a connection in SAC it is giving connection errors.
So not sure whether we have to publish the BW HTTPS URL to public or not, if yes is it ok if we publish that using web dispatcher and my client also wants to use SSO capability.
Waiting for the suggestions.