Author: Claus Burgaard

Installation and Configuration of SAP Cloud Connector

Introduction

This blog post is part of the series covering SAP Mobile Start app empowerment.

Whenever you want to consume data from one or more on-premise backend systems like SAP S/4HANA or SAP Business Suite, you need to provide a secure and stable connection between BTP and your on-premise landscape. This can be achieved with SAP Cloud Connector (SCC), a component that is installed on a Windows or Linux machine in your on-premise landscape.

In this blog post you will learn where to download the SCC and how to install and configure it in a basic setup that can easily be used in a PoC scenario. Most of this content was taken from the SAP Enterprise Support Advisory Council (ESAC – for our Enterprise Support customers), where I’m the technical lead for the workstream titled “SAP Launchpad and SAP Work Zone Service”.

Download and Install SCC

Download the Cloud Connector from https://tools.hana.ondemand.com/#cloud and, if Java is not installed on the server, also download and install Java.

Downloading SCC

For Windows, you can download the zip archive for development use cases or the MSI installer for productive usage. The MSI installer is recommended because it installs the Cloud Connector as a service on the server.

In this blog post we use the Windows version, but as you can see, Linux and Mac versions are also available.

You need access and authorisations to install the SCC on an on-premise server.

Once downloaded, run the MSI installer package and follow the on-screen installation guide. If the installation finishes successfully, the Cloud Connector is started automatically.

Initial Configuration

To configure the SCC, enter https://<hostname>:8443 in a browser, where <hostname> is the hostname of the machine on which the connector is installed and the port number is the one configured during installation. The default port number is 8443.

Initial logon to Cloud Connector

Enter the default credentials below (case sensitive) and click Login:

Username: Administrator

Password: manage

The first time you log in, you need to change the password and choose Master as the installation type. Click Save.

On the following screen you need to provide information about the BTP subaccount you created, so that a secure tunnel can be built between the SCC and BTP.

Initial setup of Cloud Connector

The following entries are mandatory:

·   Region: The region your subaccount was created in (see picture below)
·   Subaccount: Your subaccount ID (see picture below)
·   Login E-Mail: E-mail address used when creating the BTP account
·   Password: Password used when creating the BTP account

Depending on your company’s Internet proxy settings, information about the HTTP proxy might also be needed.

Identify subaccount number

If successful, you will see a screen with settings similar to those below.

SAP Cloud Connector successfully installed and configured

This concludes the initial installation and configuration of the SAP Cloud Connector. In the remainder of this blog post we will connect your BTP subaccount and an on-premise system.

Creating “Cloud to on-premise” Connection

To make an on-premise resource available to the services in the Business Technology Platform subaccount, we first need to create a mapping between the SCC and the on-premise system.

In the SCC admin cockpit, first make sure the right subaccount is selected in case you have created more than one. Then click “Cloud to On-premise” in the menu on the left, followed by the “+” sign on the right. This opens the wizard for adding mappings.

Create a mapping

Follow the wizard that opens to create an HTTPS mapping.

“Internal Host” is the hostname or IP address of the backend system and the corresponding ICM port.

“Virtual Host” is the host name you will use in BTP. You can keep the default value, which is the same as the Internal Host, or select another, less revealing name.

We will leave the “Principal Type” as “None” for the time being and change it to “Principal Propagation” later. How to do this is described in this blog post.

Lastly you get a summary of the entered data, and if you like you can tick “Check Internal Host”, which performs a simple check to verify that the mapping is working.

Next, we need to add resources to the mapping, i.e., services from the backend. Select the newly created mapping and click the “+” sign just below it to add resources.

Add resources to your new mapping

In this blog post we make all services available to the subaccount by entering /sap as the URL path and selecting “Path And All Sub-Paths” under Access Policy. You can fine-tune this later if you want to limit the resources available, which is highly recommended in a productive solution.

The table below lists the services that are needed as a minimum when you want to expose content from an S/4HANA on-premise system.

Embedded Front-end Server 
/sap/bc/bsp/sap/
/sap/bc/gui/
/sap/bc/lrep/
/sap/bc/ui2/app_index/
/sap/bc/ui2/cdm3/
/sap/bc/ui2/flp/
/sap/bc/ui5_ui5/sap/
/sap/bc/ui5_ui5/ui2/
/sap/bc/webdynpro/
/sap/opu/odata/
/sap/public/bc/ui5_ui5
/sap/public/bc/uics/
/sap/public/bc/ur/
/sap/public/bc/webdynpro/
/sap/public/icmandir/its/
/sap/bc/nwbc/
/sap/bc/bsp/srmnxp/
/sap/public/bc/ui2
/sap/opu/odata4
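
The difference between the single /sap resource used in this post and the minimum list in the table, as an added example (not SAP code and not part of the original post). It models “Path And All Sub-Paths” as a match on "/" boundaries, which is an assumption, and the sample request paths are constructed.

```python
# Added example: a model of Cloud Connector resource rules, not SAP code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Resource:
    path: str
    sub_paths: bool = True  # True = "Path And All Sub-Paths", False = path only

    def allows(self, request_path: str) -> bool:
        rule = self.path.rstrip("/")
        req = request_path.split("?", 1)[0].rstrip("/")
        if req == rule:
            return True
        # Assumption: sub-paths match on "/" boundaries, so a rule for
        # /sap/opu/odata/ does not also cover /sap/opu/odata4.
        return self.sub_paths and req.startswith(rule + "/")

# The minimum list from the table in this post.
MINIMUM = [Resource(p) for p in (
    "/sap/bc/bsp/sap/", "/sap/bc/gui/", "/sap/bc/lrep/",
    "/sap/bc/ui2/app_index/", "/sap/bc/ui2/cdm3/", "/sap/bc/ui2/flp/",
    "/sap/bc/ui5_ui5/sap/", "/sap/bc/ui5_ui5/ui2/", "/sap/bc/webdynpro/",
    "/sap/opu/odata/", "/sap/public/bc/ui5_ui5", "/sap/public/bc/uics/",
    "/sap/public/bc/ur/", "/sap/public/bc/webdynpro/",
    "/sap/public/icmandir/its/", "/sap/bc/nwbc/", "/sap/bc/bsp/srmnxp/",
    "/sap/public/bc/ui2", "/sap/opu/odata4",
)]
BROAD = [Resource("/sap")]  # the single PoC resource used in this post

def allowed(rules, request_path):
    return any(rule.allows(request_path) for rule in rules)

def only_via_broad(request_paths):
    """Requests the /sap rule lets through that the minimum list would block."""
    return [p for p in request_paths
            if allowed(BROAD, p) and not allowed(MINIMUM, p)]

# Constructed sample requests; every name containing "zexample" is made up.
SAMPLE = [
    "/sap/opu/odata/sap/ZEXAMPLE_SRV/$metadata?sap-client=100",
    "/sap/opu/odata4/sap/zexample/srvd/",
    "/sap/bc/ui2/flp/",
    "/sap/bc/zexample_internal/",  # hypothetical custom ICF node
    "/sap/bc/ui2",                 # parent of listed nodes, not itself listed
]

if __name__ == "__main__":
    for path in only_via_broad(SAMPLE):
        print("reachable only through the /sap rule:", path)
```

Feeding it the paths that your BTP applications actually request shows which of them depend on the broad rule before you replace /sap with the narrower list.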

With this we have mapped an HTTPS system and made all the services available via HTTPS.

So far this has been a generic setup and configuration of the Cloud Connector. To continue configuring the Cloud Connector to work with the Mobile Start app, we need to set up principal propagation. This will be described in another blog post coming shortly.

Summary

In this blog post you have learned how to install the SAP Cloud Connector and perform the initial configuration, i.e., connecting to the SCC admin cockpit, changing the initial password and connecting the SCC to your Business Technology Platform account. With this we have created a secure tunnel between BTP and your on-premise landscape.

In addition, we have created a mapping between the SAP Cloud Connector and the on-premise system (an HTTPS connection) and assigned resources in the form of ICF services on the backend system.

We look forward to your comments.

Stay up to date with latest news and post your questions or feedback about SAP Mobile Start in the Q&A area. Start by visiting your SAP Mobile Experience community page and click “follow”. We’ll be publishing more informative blog posts.

Want to be notified? Check your profile settings to ensure you have your settings activated.

      30 Comments
      Willard Chingarande

      Thank you

      Martin Pankraz

      Hey Claus,

      always good to see blog series to cover complex topics. I wonder about the Cloud Connector intro. There are probably hundreds of guides for the SCC by now. How about different options like the new BTP Private Link service to explain the spectrum of options?

      https://blogs.sap.com/2021/06/28/sap-private-link-service-beta-is-available/

      https://blogs.sap.com/2021/07/02/whatever-happens-in-an-azure-and-btp-private-linky-swear-stays-in-the-linky-swear/

      KR
      Martin

      Claus Burgaard
      Blog Post Author

      Hey Martin,

      Thanks for the feedback, yes that's for sure something to consider 🙂

       

      /Claus

      Setu Saxena

      Informative, thank you for the post!

      Nimish Garg

      Thanks for the blog...it helped me to set up the cloud connector on my own.

      Thomas Beutin

      Hey Claus,

       

      thanks a lot for this helpful article - I used it to set up the device (on WinSrv2019 64bit) in our organization. But now (after running for some months) the installation shows a risk alert for a service user: "Set up service user specifically for this Cloud Connector" - how can I mitigate this?

       

      Best regards,

      -tom

      Claus Burgaard
      Blog Post Author

      Hi Tom,

      sorry for the delay, you might have found a solution in the meantime. This error is typically caused by changes in a Windows security policy or a change in your corporate firewall, and not something due to a change in the Cloud Connector itself. Therefore please reach out to your Windows admin and/or security people and clarify if they have made any changes.

      /Claus

      Gergo Timar

      Hi Claus, thank you for the blog, very helpful! I have a question on automating the SCC installation. From time to time there's a new version of the SAP Cloud Connector software released. Installing the new SCC versions manually can be very time consuming. Imagine an enterprise environment with a 4 tier BTP landscape (Sandbox, Dev, QA, Prod) with HA setup having 8 SCC servers. What tools and processes can companies use to automate the SCC software upgrade when a new version comes out? Can you please share any guidance on that?

      Gergo

      Claus Burgaard
      Blog Post Author

      Hi Gergo,

      Glad to hear the blog is useful 🙂

      It is a very good question you raise, unfortunately there are no tools available to automate this, at least not from SAP side. The upgrade is a manual process as described under the link

      /Claus

      Gergo Timar

      Thanks Claus!

      Markus Schmidt-Karaca

      My BTP account is being accessed with "default Identity Provider" and my SAP e-mail address. When I log on to BTP no password needs to be given as it is SSO. How do I now find the password to be specified in the settings (the SAP password did not work)?

      Claus Burgaard
      Blog Post Author

      Hi Markus,

      Sorry for the late reply. It should for sure be your SAP password, at least that's what I'm using. If it is still an issue, you are welcome to give me a ping internally.

       

      /Claus

      AHMAD SHABBIR

      Does it require a license to install SAP Cloud Connector on a non-SAP server? Our use case is to create an API proxy from API management and call an API published by an on-premise application (which is only accessible from within the network).

      Claus Burgaard
      Blog Post Author

      Hi Ahmad,

      as far as I know, no there is no license for the Cloud Connector

       

      /Claus

      Himanshu Mohanty

      Hi Claus,

      I have a question on the resources list (SICF nodes) you shared.

      Does any SAP documentation state that these are the minimum resources (SICF nodes) which need to be exposed? Also, are these explicit nodes to be activated, or do sub nodes of the ones you mentioned need to be activated in the backend system too?

       

      Regards

      Himanshu

      Steven Foo

      Hi,

       

      Is there a way to create an additional display-only user to access Cloud Connector?

       

      Thanks.

       

      Claus Burgaard
      Blog Post Author

      Hi Steven,

      By default you can only have one user, which is the Administrator. If you need additional users you would need to connect the Cloud Connector to an LDAP, then you can have multiple users with different roles.

      The process is described here

      /Claus

      Christian Bürger

      Hi Claus,

      how to configure SCC to make the GUI available by HTTPS without the message in the Chrome or Edge browser on my company's notebook "This connection is insecure!"? I generated a CSR and got a CA chain cert and a signed machine cert from my company's CA but the SCC will not accept anyone.

      Thanks in advance for your help

      Christian

      Claus Burgaard
      Blog Post Author

      Hi Christian, not sure I fully understand the issue. Do you have tiles calling GUI for HTTP tcodes on the Launchpad service? Or where does this occur?

      Maybe you can share a screen shot?

      Thanks

      /Claus

      Smit Badai

      Hi Claus, thanks for the informative post. Was any exchange of certificates involved between the cloud connector and the backend ABAP system to set up the HTTPS connection?

      Claus Burgaard
      Blog Post Author

      Hello Smit,

      Sorry for the late reply, the notification on your question got lost. But yes, in a productive setup it is highly recommended to exchange certificates for security reasons. For the principal propagation you only need to import the cloud connector certificate in the backend system.

      /Claus

      Stefan Bäumler

      very good post. Thanks a lot

      Claus Burgaard
      Blog Post Author

      Thanks Stefan 🙂

      Loganathan Chinnasamy

      Hi Claus,

      Thank you for the wonderful blog.

      While configuring the set up I got one error. Kindly help me to fix this.

      Unknown region — correct spelling, or provide region host (after region name, separated by '@')

      Thanks & Regards

      Loganathan Chinnasamy

      Claus Burgaard
      Blog Post Author

      Hi Loganathan,

      Thanks for the feedback.

      The error you are facing is typically due to network issues, for example a proxy server. Please check that you can reach the Internet on port 443 from the server where the Cloud Connector is installed.

      /Claus

      Ramzi ZMAMLA

      I had the same problem ( the problem is on port 443 )

      Claus  thank youuuuuuuuuuuuuuuuuu for your help ^^

      Luvleen Gorea

      Hello Claus,

      Thanks for this blog. Extremely helpful! I created a basic IFlow with RFC adaptor and have done all the steps you showed, I am getting error

      :com.sap.conn.jco.JCoException: (156) JCO_ERROR_DATA_PROVIDER_ERROR: Can not get access token for <Destination Name> "

      where destination name is the name set in BTP. Do you have any idea about this?

       

      Smit Chhadva

      Hello Luvleen,

      How did you resolve this issue? Kindly provide solution.

      Thanks

      Smit Chhadva

      Hello Claus,

       

      Do you have any insights on below error

      "com.sap.conn.jco.JCoException: (156) JCO_ERROR_DATA_PROVIDER_ERROR: Can not get access token for <Destination Name> "

      where destination name is the name set in BTP. "

      Thanks

      Arnab Datta

      Hi Claus, thanks for the tutorial. I have created the trial subaccount in US East (VA) - AWS but the URL is

      https://api.cf.us10-001.hana.ondemand.com

      which is not there in cloud connector list of region. How do I solve this? Please suggest.