Skip to Content
Technical Articles
Author's profile photo Prarit Sehgal

What is SAP Analytics Cloud Tunnel Connection? Configure SAC & HANA to use Tunnel Connection


In this blog, I would like to discuss SAP Analytics cloud ‘Tunnel Connection’ features and how to configure one.


We know SAP Analytics Cloud can connect to various data sources both cloud and on-premise. Two most common methods are Live and Import data connection. The solution works when users are on vpn. In case, users are outside corporate firewall they could connect through a SAP Web Dispatcher. Web Dispatcher has its own advantages like load balancing or act as a reverse proxy. While web dispatcher has advantages it does come with some overhead, like cost and maintenance.

In recent past we introduced SAP Analytics cloud Tunnel Connection option, which allows users to make a live connection. This connection type is great new feature and allows user to consume on-primise data through SAC, live. Please note this does not replace SAP Web Dispatcher in any way and it is not a good idea to compare the two. They both serve separate purpose.

When a client issues the HTTP request to a HTTP proxy server. This proxy server makes a TCP connection to a particular server:port, and relays data between that server:port and the client connection. Based on Tunnel Connection principle, SAP Analytics Cloud Tunnel connection works in the same way.

When to use SAP Analytics Cloud ‘Tunnel Connection’?

Consider SAP Analytics Cloud Tunnel Connection if there is a need to share business findings and insights with external stakeholders, without giving VPN rights.

For example: if your organization wants to expose some of your data to users outside of your corporate network, without giving them VPN rights.

What is the difference between SAP Analytics Cloud Tunnel Connection, Direct Connection and Import Connection?

Tunnel Connection Import Connection Direct Connection

This is a live data connection.

DATA: Data moves transiently meaning for a very short time, but no data is stored.

Requirements: SAP Cloud Connector


Not Live.

DATA: In import connection the data is imported to SAP Analytics Cloud.

Requirements: SAP Cloud Connector and/or cloud agent

Direct connection a.k.a. CORS – Cross-Origin Resource Sharing is a live data connection.

DATA: No data replication happens in this connection type.

Requirements: CORS Configuration

Please Note

  • Systems on SAP data centers support only SAML connections, while systems on non-SAP data centers support Basic and SAML connections. A two-digit number in your SAP Analytics Cloud URL, for example eu10 or us30, indicates a non-SAP data center.
  • Data Sources currently supported under tunnel connection are listed below:
    • HANA
    • BW
    • S4HANA
To achieve SSO experience on mobile devices, we have following options: iOS SSO

There are currently three ways for the mobile app to support SSO on iOS:

  • The mobile app supports SSO using a MDM push-based certificate for logging on to SAP Analytics Cloud. For SSO to live data sources in your stories, individual users can manually import certificates to a device. For detailed information on how to configure this method, see Certificate-Based Authentication for Mobile.
  • You can also set up SSO using the SAP Cloud Connector to propagate credentials through the system once trust is established between your SAP Analytics Cloud system and your live data source. For more information on this SSO method, see SAP Cloud Connector-based Mobile Single Sign-On.
  • Using a customized token for SSO to connected live data sources. Specific endpoints need to be established to configure this SSO method. For more information, see Token-based Single Sign On to Live Data Sources.

Android SSO

The Android app supports SSO by using X509 user certificates for logging on to SAP Analytics Cloud. These certificates need to pushed to the device by either using an MDM profile, or they can be installed manually on the device. For detailed information on how to configure this method, see Certificate-Based Authentication for Mobile.

To achieve the best user experience always use responsive pages rather than canvas or grid. 

To learn more reference:

How to setup an SAP Analytics Cloud Tunnel Connection?

We will now setup a tunnel connection to backend data source, in this example we will work on SAP HANA.


Ensure that the SAP Information Access (InA) service (/sap/bc/ina/service/v2) on your SAP HANA server is exposed to browser users directly.
Ensure the sap.bc.ina.service.v2.userRole::INA_USER role is assigned to all users who will use the live connection.
Ensure that your SAP HANA XS server is configured for HTTPS (SSL) with a signed certificate, and that you know which port it is using for HTTPS requests. For details, see Maintaining HTTP Access to SAP HANA and SAP Knowledge Base Article 2502174.
For SAP HANA version and above, users require both the INA_USER role, and additional object rights. The SAP HANA administrator must grant users SELECT privileges on all view items in the _SYS_BIC schema that users should have access to. For more information, see SAP Knowledge Base Article 2353833.


Step 1: Configure Your On-Premise Systems to Use the SAP Cloud Connector

Log in to the Cloud Connector Administration

In the left-side menu, select Cloud to On-Premise

In the Subaccount field, choose your SAP Analytics Cloud subaccount.

On the Access Controltab, in the Mapping Virtual To Internal System section, click  (Add) to add a new mapping to your live data system.

In the Add System Mapping dialog, use the following values:

Back-end Type SAP HANA
Protocol HTTPS

Internal Host

Internal Port

<system host>

<system port>

Virtual Host

Virtual Port

<can use the same host as the internal host>

<can use the same port as the internal port>

Principal Type None

Allow access to your system paths:

  1. In the Resources Of section, click  (Add).
  2. Enter the URL Path:“/”.
    For SAP HANA, if you don’t want to allow access to all paths under “/”, set the path to /sap/bc/ina/service/v2/.
  3. Choose Path and all sub-paths.
  4. Select Save.


Step 2. Increase the session timeout configuration parameters in SAP HANA XS server.

To do this, you will need to increase the sessiontimeout parameter in the httpserver section of the xsengine.ini file. For example, if you change the parameter to 43200, the session will be active for 12 hours.

For more information, see the SAP HANA XS Classic Configuration Parameters.

Step 3 Add the remote HANA system to SAP Analytics Cloud:

Before you add the system, make sure under System–> Administration–>Datasource Configuration
1. Click ‘Allow live data to securely leave my network’
2. Add ‘Default Location’

Go to (Main Menu)   Connection  Connections   (Add Connection)

The Select a datasource dialog will appear.

Expand Connect to Live Data and select SAP HANA.

  1. In the dialog, enter a name and description for your connection. The connection name cannot be changed later.
  2. Set the connection type to Tunnel.
  3. Add your SAP HANA host name, and HTTPS port.
    Use the virtual host name and virtual port that were configured in the cloud connector
  4. (Optional) Choose a Default Language from the list.
    This language will always be used for this connection and cannot be changed by users without administrator privileges.

5. Under Authentication Method select User Name and Password.

6.. Enter an SAP HANA user name and password.


The user must be assigned to the sap.bc.ina.service.v2.userrole::INA_USER role in SAP HANA.

Select OK


Common Errors and Solution

Error 1.

Solution 1

  • Ensure that the SAP Information Access (ina) service (/sap/bc/ina/service/v2) on your SAP HANAserver is exposed to browser users directly.
  • Ensure the bc.ina.service.v2.userrole::INA_USERrole is assigned to all users who will use the live connection.


Error 2

Solution 2
My firewall was blocking, once I disabled it worked.



We discussed about the new Tunnel Connection type, when you should consider this type of connection. We also compared the different type of connections and finally how to setup one. Please do leave a feedback if you have any question that I can help answer.


Assigned tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Debjit Singha
      Debjit Singha

      Hi Prarit Sehgal,

      First of all thanks for sharing this info. Well explained and step by step info.
      Out of curiosity - how this is maintenance free, compared to "Cloud Connector +Cloud Agent" setup.

      Is it that C4Agent required more frequent update compared to Cloud Connector? or there is something more to it...



      Author's profile photo Prarit Sehgal
      Prarit Sehgal
      Blog Post Author

      Hi Debjit,

      We do not require a cloud agent in this setup, only cloud connector.

      One more thing, this is not an 'Import connection', it is a live connection.
      Import connection required CC or both CC and agent. Hope this helps.



      Author's profile photo Debjit Singha
      Debjit Singha

      Thanks Prarit Sehgal  for your reply. I am clear about the live connection part. I am curious about how this setup will be low maintenance compared to the other options.


      Author's profile photo Prarit Sehgal
      Prarit Sehgal
      Blog Post Author

      Is it recommended to keep Cloud Agent up to date.

      Author's profile photo Debjit Singha
      Debjit Singha

      New feature bugfixes gets rolled out every two weeks via updated version of agent. Some are big enough to be considering update. We have seen some significant performance improvement in terms of import package size (compared to early 2019). Not to mention one date field related issues from HANA , BW and ECC fields are corrected.
      C4Agent includes the code changes with respect to underneath source system. We need to go through the cycle of testing and updating C4Agent

      Author's profile photo Marian Canciu
      Marian Canciu

      Hello Prarit

      Let's say that you have to share the same story with 3 different categories of stakeholders: desktop stakeholders, desktop external stakeholders, mobile stakeholders.

      Do you create 3 stories (clones) using 3 different connections ?

      What are the best practices for such scenarios?





      Author's profile photo Martijn van Foeken
      Martijn van Foeken

      Hi Marian,

      You create a single story with 1 live connection and make sure you expose your back-end data source via a reverse proxy setup. So, create a separate URL and configure a proxypass that only allows a request to be passed from a certain origin to a specific service.

      Kind regards,

      Martijn van Foeken | Interdobs

      Author's profile photo Marian Canciu
      Marian Canciu

      Hi Martijn


      Of course that this would work, but this is defeating the purpose of using the CC and tunneling the live connection.

      Or am I missing something ?


      Best regards


      Author's profile photo Martijn van Foeken
      Martijn van Foeken

      Hi Marian,

      Yes, it's a different concept for achieving the same without having to maintain different stories, connections, etc.

      Kind regards,

      Martijn van Foeken | Interdobs