What is SAP Analytics Cloud Tunnel Connection? Configure SAC & HANA to use Tunnel Connection with Password Authentication
In this blog, I would like to discuss SAP Analytics cloud ‘Tunnel Connection’ features and how to configure one.
We know SAP Analytics Cloud can connect to various data sources both cloud and on-premise. Two most common methods are Live and Import data connection. The solution works when users are on vpn. In case, users are outside corporate firewall they could connect through a SAP Web Dispatcher. Web Dispatcher has its own advantages like load balancing or act as a reverse proxy. While web dispatcher has advantages it does come with some overhead, like cost and maintenance.
In recent past we introduced SAP Analytics cloud Tunnel Connection option, which allows users to make a live connection. This connection type is great new feature and allows user to consume on-primise data through SAC, live. Please note this does not replace SAP Web Dispatcher in any way and it is not a good idea to compare the two. They both serve separate purpose.
When a client issues the HTTP request to a HTTP proxy server. This proxy server makes a TCP connection to a particular server:port, and relays data between that server:port and the client connection. Based on Tunnel Connection principle, SAP Analytics Cloud Tunnel connection works in the same way.
When to use SAP Analytics Cloud ‘Tunnel Connection’?
Consider SAP Analytics Cloud Tunnel Connection if there is a need to share business findings and insights with external stakeholders, without giving VPN rights.
For example: if your organization wants to expose some of your data to users outside of your corporate network, without giving them VPN rights.
What is the difference between SAP Analytics Cloud Tunnel Connection, Direct Connection and Import Connection?
|Tunnel Connection||Import Connection||Direct Connection|
This is a live data connection.
DATA: Data moves transiently meaning for a very short time, but no data is stored.
Requirements: SAP Cloud Connector
DATA: In import connection the data is imported to SAP Analytics Cloud.
Requirements: SAP Cloud Connector and/or cloud agent
Direct connection a.k.a. CORS – Cross-Origin Resource Sharing is a live data connection.
DATA: No data replication happens in this connection type.
Requirements: CORS Configuration
- Systems on SAP data centers support only SAML connections, while systems on non-SAP data centers support Basic and SAML connections. A two-digit number in your SAP Analytics Cloud URL, for example eu10 or us30, indicates a non-SAP data center.
- Data Sources currently supported under tunnel connection are listed below:
There are currently three ways for the mobile app to support SSO on iOS:
- The mobile app supports SSO using a MDM push-based certificate for logging on to SAP Analytics Cloud. For SSO to live data sources in your stories, individual users can manually import certificates to a device. For detailed information on how to configure this method, see Certificate-Based Authentication for Mobile.
- You can also set up SSO using the SAP Cloud Connector to propagate credentials through the system once trust is established between your SAP Analytics Cloud system and your live data source. For more information on this SSO method, see SAP Cloud Connector-based Mobile Single Sign-On.
- Using a customized token for SSO to connected live data sources. Specific endpoints need to be established to configure this SSO method. For more information, see Token-based Single Sign On to Live Data Sources.
The Android app supports SSO by using X509 user certificates for logging on to SAP Analytics Cloud. These certificates need to pushed to the device by either using an MDM profile, or they can be installed manually on the device. For detailed information on how to configure this method, see Certificate-Based Authentication for Mobile.
To achieve the best user experience always use responsive pages rather than canvas or grid.
To learn more reference: https://help.sap.com/viewer/00f68c2e08b941f081002fd3691d86a7/release/en-US/9946e4a060f9431f956ae82e34f4c112.html
How to setup an SAP Analytics Cloud Tunnel Connection?
We will now setup a tunnel connection to backend data source, in this example we will work on SAP HANA using user name and password.
|Ensure that the SAP Information Access (InA) service (/sap/bc/ina/service/v2) on your SAP HANA server is exposed to browser users directly.|
|Ensure the sap.bc.ina.service.v2.userRole::INA_USER role is assigned to all users who will use the live connection.|
|Ensure that your SAP HANA XS server is configured for HTTPS (SSL) with a signed certificate, and that you know which port it is using for HTTPS requests. For details, see Maintaining HTTP Access to SAP HANA and SAP Knowledge Base Article 2502174.|
|For SAP HANA version 1.00.112.04 and above, users require both the INA_USER role, and additional object rights. The SAP HANA administrator must grant users SELECT privileges on all view items in the _SYS_BIC schema that users should have access to. For more information, see SAP Knowledge Base Article 2353833.|
Log in to the Cloud Connector Administration
In the left-side menu, select Cloud to On-Premise
In the Subaccount field, choose your SAP Analytics Cloud subaccount.
On the Access Controltab, in the Mapping Virtual To Internal System section, click (Add) to add a new mapping to your live data system.
In the Add System Mapping dialog, use the following values:
|Back-end Type||SAP HANA|
<can use the same host as the internal host>
<can use the same port as the internal port>
Allow access to your system paths:
- In the Resources Of section, click (Add).
- Enter the URL Path:“/”.
For SAP HANA, if you don’t want to allow access to all paths under “/”, set the path to /sap/bc/ina/service/v2/.
- Choose Path and all sub-paths.
- Select Save.
Step 2. Increase the session timeout configuration parameters in SAP HANA XS server.
To do this, you will need to increase the sessiontimeout parameter in the httpserver section of the xsengine.ini file. For example, if you change the parameter to 43200, the session will be active for 12 hours.
For more information, see the SAP HANA XS Classic Configuration Parameters.
Step 3 Add the remote HANA system to SAP Analytics Cloud:
Before you add the system, make sure under System–> Administration–>Datasource Configuration
1. Click ‘Allow live data to securely leave my network’
2. Add ‘Default Location’
Go to (Main Menu) Connection Connections (Add Connection)
The Select a datasource dialog will appear.
Expand Connect to Live Data and select SAP HANA.
- In the dialog, enter a name and description for your connection. The connection name cannot be changed later.
- Set the connection type to Tunnel.
- Add your SAP HANA host name, and HTTPS port.
Use the virtual host name and virtual port that were configured in the cloud connector
- (Optional) Choose a Default Language from the list.
This language will always be used for this connection and cannot be changed by users without administrator privileges.
5. Under Authentication Method select User Name and Password.
6.. Enter an SAP HANA user name and password.
The user must be assigned to the sap.bc.ina.service.v2.userrole::INA_USER role in SAP HANA.
Common Errors and Solution
- Ensure that the SAP Information Access (ina) service (/sap/bc/ina/service/v2) on your SAP HANAserver is exposed to browser users directly.
- Ensure the bc.ina.service.v2.userrole::INA_USERrole is assigned to all users who will use the live connection.
- Live Data Connection to SAP HANA Using a Tunnel Connection with Password Authentication
- Live Data Connection to SAP HANA Using a Tunnel Connection and SSO
- Download Cloud Connector here: https://tools.hana.ondemand.com/#cloud
- Download SAP JVM here: https://tools.hana.ondemand.com/#cloud
We discussed about the new Tunnel Connection type, when you should consider this type of connection. We also compared the different type of connections and finally how to setup one. Please do leave a feedback if you have any question that I can help answer.