Tunnel Live Data Connection from SAP Analytics Cloud to SAP BW or S4HANA with Principal Propagation
SAP Analytics Cloud (SAC) is a new generation of Software-as-a-Service (SaaS) analytics that provides all analytical capabilities for all user types in one product. It is built on SAP HANA Cloud Platform. SAC is a public SaaS solution that can access both on-premise and cloud data sources. In this blog, I explain how a tunnel live data connection from SAP Analytics Cloud to an on-premise SAP Business Warehouse (BW) or SAP S4HANA system works with principal propagation. The blog is relevant for SAC system owners and the IT and application stakeholders in your organization that consume SAC.
In my previous blog, I covered the tunnel connection from SAP Analytics Cloud to SAP HANA. If you would like to learn what a tunnel connection is and how it works, or compare the available connection types, please check out my previous blogs*
*SAP Analytics Cloud Tunnel Connection to SAP HANA.
What is SAP Analytics Cloud Tunnel Connection? Configure SAC & HANA to use Tunnel Connection
How does this whole thing work?
The tunnel live data connection type from SAP Analytics Cloud to the backend server (SAP BW or S4HANA) is based on 'Principal Propagation'. In this cloud-to-on-premise scenario, we want to securely pass the identity of a cloud user to an on-premise backend data server (SAP BW or SAP S4HANA).
To pass the user identity securely, the setup uses two authentication steps: the claim is authenticated before access to the requested resource is granted.
First, the SAP Cloud Connector proves its identity to the backend SAP system through native TLS client certificate authentication. To turn on client certificate authentication in the BW system, set the profile parameter icm/HTTPS/verify_client in the backend system to '1' (the ICM requests a client certificate but still accepts connections without one). It is important to note that in this first authentication the backend system does not map the Cloud Connector identity to a user; the system certificate only establishes the trust needed for the next step.
In this scenario, we need to enable the backend server to accept the forwarded SSL header fields. This is achieved by setting the two parameters below:
- icm/HTTPS/trust_client_with_subject = <subject>
- icm/HTTPS/trust_client_with_issuer = <issuer>
If the <subject> and <issuer> of the client certificate (here, the Cloud Connector system certificate) match these values exactly, the backend server accepts the SSL header fields. If they do not match, the ICM deletes them, so a client that reaches the ICM without the Cloud Connector's system certificate cannot inject a user certificate through these headers.
Second, the end user is authenticated. To achieve this, the Cloud Connector generates a short-lived X.509 certificate representing the end user identity and sends it in an HTTP header named SSL_CLIENT_CERT. The backend system is configured to use this certificate to log on the real user. The backend server does not ask for a password because of the pre-existing trust, so no password is shared, only the user identity.
To log the user on to the backend system we need some configuration on the server. This is achieved by setting the profile parameter login/certificate_mapping_rulebased to '1'. With this value, AS ABAP maps the identity contained in the certificate received during authentication to an internal user, based on a rule defined in transaction CERTRULE.
This is how we securely pass the identity of a cloud user to a backend server; the process is called principal propagation.
Please note: the SAP Cloud Connector should always be installed in the corporate network and not in the DMZ. It only opens outbound connections to the cloud, so no inbound port has to be exposed for it.
Now that we know how the whole thing works, below you will find the configuration steps:
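To make the two steps concrete, here is an added example that is not part of the original post and not SAP code: a small Python model that replays the checks the ICM and AS ABAP perform on one request. Certificates are plain records rather than real X.509 objects, and the DNs, the profile values, the CN=${name} subject pattern, the ten-minute lifetime and the user names are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate: only the fields the checks need."""
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime


# Assumed DNs and backend profile (RZ10). ICM compares the DN strings
# literally, so nothing is normalised here either.
SCC_SYSTEM_DN = "CN=sccsystem, OU=scc, O=Example Corp, C=DE"
SCC_CA_DN = "CN=sccca, OU=scc, O=Example Corp, C=DE"
PROFILE = {
    "icm/HTTPS/verify_client": "1",
    "icm/HTTPS/trust_client_with_subject": SCC_SYSTEM_DN,
    "icm/HTTPS/trust_client_with_issuer": SCC_SYSTEM_DN,  # self-signed system cert
    "login/certificate_mapping_rulebased": "1",
}
ABAP_USERS = {"JDOE", "ASMITH"}  # constructed user master

T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SCC_SYSTEM_CERT = Cert(SCC_SYSTEM_DN, SCC_SYSTEM_DN,
                       T0 - timedelta(days=1), T0 + timedelta(days=365))


def issue_short_lived_cert(saml_attributes, now, lifetime=timedelta(minutes=10)):
    """Cloud Connector side: derive the user certificate from the SAML assertion.
    The subject pattern CN=${name} and the ten-minute lifetime are assumptions."""
    subject = f"CN={saml_attributes['name']}, OU=scc, O=Example Corp, C=DE"
    return Cert(subject, SCC_CA_DN, now, now + lifetime)


def icm_filter(tls_client_cert, headers, profile=PROFILE):
    """Step 1 (ICM): forwarded SSL_CLIENT_* headers survive only when the peer's
    TLS client certificate has exactly the trusted subject and issuer.  Any
    other peer, including a direct request with no client certificate, has
    the headers deleted, so a forged SSL_CLIENT_CERT never reaches the logon."""
    trusted = (
        tls_client_cert is not None
        and tls_client_cert.subject == profile["icm/HTTPS/trust_client_with_subject"]
        and tls_client_cert.issuer == profile["icm/HTTPS/trust_client_with_issuer"]
    )
    if trusted:
        return dict(headers)
    return {k: v for k, v in headers.items() if not k.upper().startswith("SSL_CLIENT_")}


def abap_logon(headers, now, profile=PROFILE, users=ABAP_USERS):
    """Step 2 (AS ABAP): log the end user on from the certificate in SSL_CLIENT_CERT.
    The issuer check stands in for the STRUST certificate list; the mapping
    rule modelled is CERTRULE's 'subject CN, upper case'."""
    cert = headers.get("SSL_CLIENT_CERT")
    if cert is None or profile["login/certificate_mapping_rulebased"] != "1":
        return None
    if not (cert.not_before <= now <= cert.not_after):
        return None  # short-lived certificate outside its validity window
    if cert.issuer != SCC_CA_DN:
        return None  # not issued by the Cloud Connector CA the backend trusts
    attrs = dict(part.strip().split("=", 1) for part in cert.subject.split(","))
    user = attrs.get("CN", "").upper()
    return user if user in users else None


def handle_request(tls_client_cert, headers, now):
    """ICM filtering followed by logon; returns the logged-on ABAP user or None."""
    return abap_logon(icm_filter(tls_client_cert, headers), now)


if __name__ == "__main__":
    user_cert = issue_short_lived_cert({"name": "jdoe"}, T0)
    print(handle_request(SCC_SYSTEM_CERT, {"SSL_CLIENT_CERT": user_cert}, T0))  # JDOE
    print(handle_request(None, {"SSL_CLIENT_CERT": user_cert}, T0))  # None: header stripped
```

The cases worth keeping in mind when you later troubleshoot the real system are the ones the model refuses: a request that reaches the ICM without the Cloud Connector's system certificate loses its SSL_CLIENT_CERT header, a peer presenting a certificate with the right subject but a different issuer is treated the same way, and a short-lived certificate replayed after its validity window is rejected even though the tunnel itself is trusted.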
As with any other configuration, make sure you are using a supported SAP Business Warehouse version.
Please look at the diagram below; I will break it down into three steps. Step 1 shows the configuration required in the SAP Cloud Connector, step 2 shows the configuration required in the SAP BW or SAP S4HANA system, and finally in step 3 we create a live connection in SAC.
In the first step, most of the configuration is done in the SAP Cloud Connector.
Next, we set up the SAP Cloud Connector between the data source system and SAP Analytics Cloud to establish a live tunnel connection.
The SAP Cloud Connector provides a secure tunnel between SAP Analytics Cloud and SAP BW or S4HANA. It runs as a reverse invoke proxy between the on-premise network hosting the live system and the SAP Cloud Platform.
To use the SAP Cloud Platform Cloud Connector for data source connections, complete these configuration steps:
- Log in to the Cloud Connector Administration application.
- In the left-side menu, select Cloud To On-Premise.
- In the Subaccount field, choose your SAP Analytics Cloud subaccount.
- On the Access Control tab, in the Mapping Virtual To Internal System section, click Add to add a new mapping to your live data system.
- In the Add System Mapping dialog, use the following values:

| Field | Value |
| --- | --- |
| Back-end Type | ABAP System |
| Internal Host / Internal Port | host name and HTTPS port of your SAP BW or SAP S4HANA system |
| Virtual Host | can use the same host as the internal host |
| Virtual Port | can use the same port as the internal port |
| Principal Type | If using single sign-on, choose X.509 Certificate (General Usage). If using a username and password, choose None. We plan to use SSO in this blog. |

Once you have saved the mapping, use the check availability action to make sure the internal system is reachable; the entry should look like the image shown below.
Next, we allow access to the SAP BW or S4HANA system paths:
- In the Resources Of section, click (Add).
- Enter the URL Path: “/”.
- Choose Path and all sub-paths.
- Select Save.
After saving, the resource entry should look like the image shown below. Note that exposing "/" with Path and all sub-paths makes every HTTP resource of the ABAP system reachable through the tunnel for this subaccount; in production, restrict the list to the InA service paths the live connection actually needs.
1.2 Setup Trust for Principal Propagation
The principal propagation method is very common among customers that have system-to-system communication and want their users to have a seamless SSO experience.
The SAP Cloud Connector recognizes the SAML assertion of the logged-on SAC user and uses its attributes to generate the X.509 certificate; this short-lived certificate is then used to authenticate the user in the backend (in our case SAP BW or S4HANA). The X.509 certificate carries information about the cloud user in its subject.
In your SAP Cloud Connector, switch to the Principal Propagation tab; here we establish trust to an 'Identity Provider' to support principal propagation. We will perform the following tasks:
- Configure Trusted Entities in the Cloud Connector
You perform trust configuration to support principal propagation. By default, your Cloud Connector does not trust any entity that issues tokens for principal propagation. Therefore, the list of trusted identity providers is empty by default. If you decide to use the principal propagation feature, you must establish trust to at least one identity provider. Currently, SAML2 identity providers are supported. You can configure trust to one or more SAML2 IdPs per subaccount. After you’ve configured trust in the cockpit for your subaccount, for example, to your own company’s identity provider(s), you can synchronize this list with your Cloud Connector.
From your subaccount menu, choose Cloud to On-Premise and go to the Principal Propagation tab. Choose the Synchronize button to store the list of existing identity providers locally in your Cloud Connector.
Select an entry to see its details:
- Name: the name associated with the identity provider.
- Description: descriptive information about this entry.
- Type: type of the trusted entity.
- Trusted: indicates whether the entry is trusted for principal propagation.
- Actions: Choose the Show Certificate Information icon to display detail information for the corresponding entry. The Cloud Connector runtime will use the certificate associated with the entry to verify that the assertion used for principal propagation was issued by a trusted entity.
Note: Whenever you update the SAML IdP configuration for a subaccount on cloud side, you must synchronize the trusted entities in the Cloud Connector.
1.3 SAP Cloud Connector should trust Identity Provider (IdP)
The SAP Cloud Connector needs to trust the identity provider (IdP) that the customer uses (via syncing the IdPs in the cloud connector interface).
Most of the configuration in step 2 is done on the SAP BW or S4HANA system.
2.1 Configure SSL on your SAP BW or S4HANA
The TLS protocol, commonly still referred to as SSL, uses public-key cryptography to provide its protection. Use the Transport Layer Security (TLS) protocol to secure HTTP connections to and from AS ABAP. With TLS, the data transferred between the two parties (client and server, in our case the Cloud Connector and S4HANA or BW) is encrypted and both partners can be authenticated.
To setup, see Configuring SAP NetWeaver AS for ABAP to Support SSL, and SAP Note 510007.
2.2 Enable SAP InA on your ABAP Application Server
SAP Information Access (InA) is a REST/HTTP-based protocol used by SAP Analytics Cloud to query your data sources in real time. Confirm that the InA package is enabled and its services are active in transaction SICF on the ABAP AS of your data source.
2.3 Configure SAP BW or S4HANA to trust SAP Cloud Connector
For SAP BW or S4HANA to trust the SAP Cloud Connector, we need to configure the ABAP system to trust the Cloud Connector's system certificate.
This step includes two sub-steps:
- Configure the ABAP system to trust the Cloud Connector’s system certificate.
- Configure the Internet Communication Manager (ICM) to trust the system certificate for principal propagation, and Map Short-Lived Certificates to Users.
Configure the ABAP system to trust the Cloud Connector's system certificate: in the Cloud Connector, select Configuration on the left side and, on the On Premise tab, generate a self-signed system certificate and a CA certificate (the CA certificate signs the short-lived user certificates). In this scenario, I use the self-signed certificate to establish trust with the SAP BW or S4HANA system. Download the certificates and import them into the certificate list of the SSL server PSE in transaction STRUST on the backend. In a live scenario, consider using a certificate signed by your corporate CA.
Configure the Internet Communication Manager (ICM) to trust the system certificate for principal propagation, and Map Short-Lived Certificates to Users
Maintain the following four profile parameters in transaction RZ10 (the first two were introduced above):
- icm/HTTPS/verify_client = 1
- login/certificate_mapping_rulebased = 1
- icm/HTTPS/trust_client_with_issuer = <issuer of the Cloud Connector system certificate>
- icm/HTTPS/trust_client_with_subject = <subject of the Cloud Connector system certificate>
The subject and issuer values must match the DN exactly as the ICM prints it (same attribute order and spacing); an entry that differs only in ordering is treated as a mismatch and the forwarded headers are dropped. After activating the profile, restart the ICM (or the instance) for the parameters to take effect.
2.4 Configure to Accept Short-Lived X.509 Certificate from SAP Cloud Connector
Here we map short-lived certificates to users in the SAP BW or S4HANA system. In the previous step we set the parameter login/certificate_mapping_rulebased to '1'.
Import a sample certificate into transaction CERTRULE in SAP BW or S4HANA; the Cloud Connector can generate a sample certificate on the Principal Propagation tab, with the same subject pattern and issuer as the short-lived certificates it will send.
- Go to transaction CERTRULE and import the sample certificate.
- Choose Rule to define the mapping (for example, subject attribute CN to the user name) and click Save.
If your mapping is correct, the 'User Status' turns green and shows the user found in the system.
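As an added example (not from the original post and not SAP code), the following Python model shows what a rule in CERTRULE has to decide: which subject attribute to read, which user master field to compare it with, how to treat case, and whether to restrict the rule to certificates from the Cloud Connector CA. The DN parser, the rule evaluation order, the user directory and the DNs are all constructed for the example; the real transaction works on imported certificates, not on strings.

```python
from dataclasses import dataclass, field


def parse_dn(dn):
    """Split an RFC 4514 style DN into (ATTRIBUTE, value) pairs, honouring
    backslash escapes so that 'CN=Doe\\, John' keeps its comma."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        name, value = part.split("=", 1)
        pairs.append((name.strip().upper(), value.strip()))
    return pairs


def attribute(pairs, name):
    """Value of a subject attribute; None if it is missing or occurs twice."""
    values = [v for k, v in pairs if k == name.upper()]
    return values[0] if len(values) == 1 else None


@dataclass
class Rule:
    cert_attr: str                 # subject attribute to read, e.g. "CN" or "EMAIL"
    login_as: str                  # user master field to match: "username" or "email"
    case: str = "upper"            # "upper", "lower" or "exact"
    issuer: str = ""               # only certificates from this issuer qualify ("" = any)
    subject_filter: dict = field(default_factory=dict)  # extra ATTR=value conditions


def evaluate(subject, issuer, rules, directory):
    """Return the single user a certificate maps to, or None.

    directory is {username: {"email": ...}}.  Rules are tried in order; the
    first applicable rule that identifies exactly one user wins.  A rule whose
    value matches several users fails closed (None) instead of guessing, while
    a rule matching nobody lets the next rule try.  Model behaviour, not SAP's."""
    subj = parse_dn(subject)
    for rule in rules:
        if rule.issuer and rule.issuer != issuer:
            continue
        if any(attribute(subj, k) != v for k, v in rule.subject_filter.items()):
            continue
        value = attribute(subj, rule.cert_attr)
        if value is None:
            continue
        if rule.case == "upper":
            value = value.upper()
        elif rule.case == "lower":
            value = value.lower()
        if rule.login_as == "username":
            candidates = [u for u in directory if u == value]
        else:
            candidates = [u for u, rec in directory.items() if rec.get(rule.login_as) == value]
        if len(candidates) > 1:
            return None
        if candidates:
            return candidates[0]
    return None


# Constructed sample data: the Cloud Connector CA, an ABAP user master
# extract and two rules in CERTRULE style.
SCC_CA_DN = "CN=sccca, OU=scc, O=Example Corp, C=DE"
DIRECTORY = {
    "JDOE": {"email": "john.doe@example.com"},
    "JDOE2": {"email": "john.doe@example.com"},  # duplicate address: ambiguous
    "ASMITH": {"email": "anna.smith@example.com"},
}
RULES = [
    Rule("CN", "username", "upper", SCC_CA_DN, {"OU": "scc"}),
    Rule("EMAIL", "email", "lower", SCC_CA_DN),
]


if __name__ == "__main__":
    print(evaluate("CN=jdoe, OU=scc, O=Example Corp, C=DE", SCC_CA_DN, RULES, DIRECTORY))  # JDOE
```

The issuer filter is the part that matters most for security: without it, any certificate the backend happens to trust with a matching CN would log the user on, not only the short-lived ones the Cloud Connector issues. The duplicate e-mail entry shows why a rule should refuse to guess when the attribute does not identify exactly one user.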
In the final step, step 3, now that you have configured your data source, you can create the live connection in SAP Analytics Cloud.
- From the side navigation, choose Connections, then Add Connection.
- Expand Connect to Live Data and select SAP BW.
- In the dialog, enter a name and description for your connection.
- Set the connection type to Tunnel.
- Add your data source's virtual host name, HTTPS port, and client.
- Under Authentication, select SAML Single Sign On.
Once you have created your live data connection, test it by creating a model.