Author: Roland Kramer

next Mystery solved – proper SAC Connection

Last update: 21st of April 2022

Blog Content

Viewed from a distance this topic looks really nice, but when you step a bit closer you will see the complexity behind the task: connecting your SAP backend (mostly SAP BW and BW/4) to the SAP Analytics Cloud (SAC), where everything is advertised as nice and easy.

This blog walks the audience through all the optional and mandatory connections and prerequisites needed to ensure a proper connection between on-premise/hyperscaler-based SAP BW(/4) and SAP cloud applications such as SAC, DWC, HANA Cloud and many more.

 


Components, dependencies, relations for SAC Usage

SAC Dependencies

This graphic illustrates the dependencies which have to be considered when connecting an SAP BW(/4) backend to an SAP Analytics Cloud or an SAP Data Warehouse Cloud instance. If all details were discussed here, the blog would be as long as this one: SAP MacGyver – Installing SAP SolMan 7.2. Nevertheless, we will highlight some fundamental settings here.

For an overview of connection types and guidelines for system administrators, see the SAP Analytics Cloud Connection Guide.

SAP Analytics Cloud – Connecting Data live/imported
SAP Answer – Live Data Connection in SAP Analytics Cloud: pros & cons

 


SAP BW(/4) Backend Preparation

To ensure that you can eliminate the SAP backend as the source of connection errors to SAC, the correct setup of TLS/SSL is absolutely crucial.

Blog – demystifying TLS/SSL Settings for NetWeaver
Document – SAP First Guidance – SAP BW on HANA – Edition 2022 => Chapter 2

Since 7.51 (all relevant settings are downported to 7.50), Cross-Origin Resource Sharing (CORS) is handled by the following system parameter and the Whitelist Application (tx. UCON_CHW):

icf/cors_enabled = 1

 

Configure your on-premise SAP ABAP system so that it trusts the Cloud Connector. This step is needed if your live connection uses single sign-on (SAML2/SSL).

Set Up Trust Between the Cloud Connector and Your On-Premise ABAP Systems (BW or S/4HANA)

SAP Analytics Cloud – SameSite Cookie Configuration for Live Data Connections
SAP Help – Configure Principal Propagation for HTTPS

icm/HTTP/mod_0 = PREFIX=/,FILE={path_to_cors_rewrite_file}

Please note that the UCON whitelist scenario and the CORS rewrite mode are complementary settings; both have to be maintained. The details in the rewrite.txt must match the “samesite” settings in the DEFAULT.PFL profile.

icm/HTTP/samesite = None
icm/HTTP/samesite_none_add_secure = ON
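
As an added example (not part of the original blog and not SAP-delivered code), the following shell functions check a profile file for the parameters listed above: icf/cors_enabled, icm/HTTP/mod_0 and the two samesite parameters. The function names, the sample profile and the rule that the last assignment in the file wins are assumptions of this example.

```shell
#!/bin/sh
# Added example (not SAP-delivered): audit the CORS/SameSite profile parameters.

# get_param FILE NAME: print the effective value of NAME.
# Comment lines are skipped; the last assignment in the file wins (assumption).
get_param() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            pos = index($0, "=")           # split at the FIRST "=" only:
            if (pos == 0) next             # mod_0 values contain "=" themselves
            name = substr($0, 1, pos - 1); val = substr($0, pos + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name == key) found = val
        }
        END { print found }' "$1"
}

# check_sac_profile FILE: print one finding per line, nothing if consistent.
check_sac_profile() {
    pfl=$1
    [ "$(get_param "$pfl" icf/cors_enabled)" = "1" ] ||
        echo "icf/cors_enabled is not set to 1"
    samesite=$(get_param "$pfl" icm/HTTP/samesite)
    secure=$(get_param "$pfl" icm/HTTP/samesite_none_add_secure)
    # Browsers reject SameSite=None cookies that do not also carry Secure.
    if [ "$samesite" = "None" ] && [ "$secure" != "ON" ]; then
        echo "icm/HTTP/samesite = None without samesite_none_add_secure = ON"
    fi
    mod0=$(get_param "$pfl" icm/HTTP/mod_0)
    rewrite=${mod0##*FILE=}; rewrite=${rewrite%%,*}
    case $mod0 in
        *FILE=*) [ -r "$rewrite" ] || echo "rewrite file not readable: $rewrite" ;;
        *) echo "icm/HTTP/mod_0 defines no FILE= rewrite file" ;;
    esac
}

# Constructed sample profile (not from a real system).
demo=$(mktemp)
printf '%s\n' '# DEFAULT.PFL excerpt' 'icf/cors_enabled = 1' \
    'icm/HTTP/samesite = None' \
    'icm/HTTP/mod_0 = PREFIX=/,FILE=/nonexistent/rewrite.txt' > "$demo"
check_sac_profile "$demo"
rm -f "$demo"
```

The constructed sample yields two findings: the missing Secure flag and the unreadable rewrite file.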

Note 2887651 – Issues with SameSite cookie handling
Note 2593926 – Incompatible ICM / SAP Web Dispatcher Parameter Changes in 773 – Deprecated, Obsolete and Changed Parameters
Note 2733879 – ICM: ERROR => IcmReadFromPartner(id=<nr>): No data from server received

Note 3190542 – Obsolete OLAP statistic data in table RSDDSTAT
Schedule the report RSDDSTAT_DATA_DELETE regularly.

Keep the RSDDSTAT Tables manageable

 


HTTP Whitelists Configuration with tx. UCON_CHW

Typically it doesn’t look that “clean” in existing systems.
This is an Example from a fresh Configured SAP BW/4HANA 2021 System.

SAP Help – Manage HTTP Allowlists
HTTP Allowlists Scenario: Process
SAP Analytics Cloud Help – Live Data Connection to SAP BW Using a Direct CORS Connection

Note 2578665 – How to maintain the table HTTP_WHITELIST
Note 3059669 – Improving the performance of HTTP_CORS_LOG and HTTP_LOG_LIST update
Note 3147762 – Multiple delete in HTTP Allowlists rules
Note 3167465 – Internal system call for method AUTHENTICATION_SEC_SESSION of CL_HTTP_SERVER_NET

Whitelist Application – UCON_CHW

UCON_CHW – Details

Please note that tx. UCON_CHW cannot handle more than one execution when you save the entries in the UI. This can cause constant connection problems, as your second or third change is not saved. Furthermore, a completely covered whitelist doesn’t consider missing Exposed Headers!

INA Service – Details

Document – SAP First Guidance – Implement SAP BW/4HANA in the Azure Cloud => Chapter 6.6.4

Note 2541557 – SAP Analytics Cloud with BW live connection – Which SP is recommended?
(this Note contains an XML file with SAP Notes which can be applied with Z_SAP_BW_NOTE_ANALYZER)

Please Note that only SAP BW/4 2.0 can use the hybrid scenario. Component BW4-ME-DWC
Note 2943200 – TCI for BW4HANA 2.0 Hybrid
Note 2945277 – BW/4 – Enable DWC “Import from Connection” for BW/4 Query – Revision 0
Note 2989654 – BW/4 – Enable DWC “Import from Connection” for BW/4 Query – Revision 1
Further Components: DWC-DI-CON, HAN-DP-SDI

 


Activate the SAML2 Provider

If you work with the Identity Provider (IdP) provided by SAP, it is recommended to activate the SAML2/SSL provider (tx. SAML2). To authenticate a user with SAC, the system uses assertion tickets based on Security Assertion Markup Language, version 2.0 (SAML2).

SAP Help – Preparing SAML2
SAP Help – SSO with SAML2 Assertion
SAP Help – SAP Gateway Host as the SAML2 Service Provider
SAP Analytics Cloud Help – Live Data Connection to SAP BW Using a Direct CORS Connection via Unified Connectivity
Blog – Single Sign-on: SAP Reference Architecture for Identity Access Management

If you get the following error message when calling tx. SAML2, check whether the entry “CSS Style Sheet” is set to “Active Check” or “Logging”. If “Active Check” is applied, make sure you have maintained the access list for the UI5 theme cache as well.

SAML 2.0 Local Provider Configuration

Export the MetaData Configuration to share with the SAC Identity Provider (IdP)

SAML2 – Export local System MetaData

Upload the updated IdP MetaData Information to the local SAML2 Provider

SAML2 – Import the updated IdP MetaData

check the SAML2 Provider with the Whitelist Application

 


SAP Cloud Connector Implementation

The implementation of the SAP Cloud Connector is quite straightforward.

rpm -i com.sap.scc-ui-2.14.0-8.x86_64.rpm

Document – SAP First Guidance – Implement SAP BW/4HANA in the Azure Cloud => Chapter 6.6.1

SAP Cloud Connector – Details

SAP Analytics Cloud Help –  Installing the SAPCP Cloud Connector
SAP BTP Help – Cloud Connector for the Cloud Foundry environment
Note 2958529 – Connection to administration UI of Cloud Connector fails

https://server.domain.ext:8443 (Administrator/manage)

Making the HTTPS access secure is again intensive “finger work”.

-	sapgenpse gen_pse -p server_scc.pse -x changeit -r server_scc.p10 "CN=server.domain.ext, O=Company, C=DE"
-	sapgenpse seclogin -p server_scc.pse -x changeit -O root
-	server_scc.p10 => sending to CA => server_scc_cr.p7b
-	sapgenpse import_own_cert -p server_scc.pse -x changeit -c server_scc_cr.p7b
-	sapgenpse get_my_name -p server_scc.pse -x changeit -v
-	sapgenpse export_p12 -p server_scc.pse -x changeit -v server_scc.p12

SAP Help – Recommendations for Secure Setup
SAP Help – Exchange UI Certificates in the Administration UI

SAP Help – Find Your Subaccount ID (Cloud Foundry Environment)
Note 2571763 – Authorization problem in SAP Cloud Conn. when adding Cloud Foundry subaccount
Note 2731253 – Europe Frankfurt regions for subaccounts in SAP Cloud Connector
Note 2987604 – SAP_COM_0200 – Error validating user in HCP (401, Unauthorized)

SAP Cloud Connector – Secure Settings

 


SAP Cloud Agent Implementation 

As “easy” as the implementation of the SAP Cloud Connector is, the implementation of the SAP Cloud Agent is much more complex. SAP recommends installing SAP CC and CA on the same server, and here you already have to consider which “default port” you want to change.

The SAP Cloud Agent is a *.war file which is deployed to an individual setup of Tomcat 9.
With the setup of the Tomcat web server it is like with SAP: everything is documented, but finding a really useful example can be a challenge … 😉
Please note that you cannot compare a “quick and dirty” local Tomcat installation with a server-based installation; there are many more things to consider.

Document – SAP First Guidance – Implement SAP BW/4HANA in the Azure Cloud => Chapter 6.6.2.1
SAP Help – Installing SAP Analytics Cloud Agent
Note 3136559 – SAP Analytics Cloud agent 1.0.345

To understand the Configuration of Tomcat see the following graphic:

Creating the file setenv.sh in the directory $CATALINA_BASE/bin is useful for the later setup of SSL.

CAROOT=/opt/apache-tomcat-9.0.58/sec
CATALINA_BASE=/opt/apache-tomcat-9.0.58/
CATALINA_HOME=/opt/apache-tomcat-9.0.58/
JAVA_HOME=/opt/sap/sapmachine-jdk-11.0.14.1/
JRE_HOME=/opt/sap/sapmachine-jdk-11.0.14.1/
LD_LIBRARY_PATH=/opt/apache-tomcat-9.0.58/lib:/opt/openssl/lib:/usr/local/apr/lib:$LD_LIBRARY_PATH
PATH=/opt/sap/sapmachine-jdk-11.0.14.1/bin:/opt/openssl/bin:/usr/sap/hostctrl/exe:$PATH
SECUDIR=/opt/apache-tomcat-9.0.58/sec

 

Note 1648573 – How to configure SSL/TLS on Tomcat in BI 4.x
Note 2924641 – Configuring HTTPS or Corba SSL with the SSL Setup Wizard

Create the directory /opt/apache-tomcat-9.0.58/sec

There are different tools you can use here, such as keytool, mkcert, openssl and (sapgenpse), and you have to make sure that the Tomcat user can find them.

Get the program “mkcert” from – https://github.com/FiloSottile/mkcert
The tool mkcert creates several files automatically, instead of using several other tools for this task.

Create a keystore file to store the server’s private key and self-signed certificate by executing the following command and specify a password value of “changeit”:

Tomcat 9 – Welcome

To allow access via user/password to the Tomcat UI, you have to maintain an additional file (manager.xml) at the following location – Tomcat 9 Help – HTML User-friendly Interface

Tomcat 9 – manager.xml

Now you can access the deployed applications on the Tomcat 9 web server.

Tomcat 9 – Server Status

To check the version of the C4A_AGENT.war, the calling URL is different.

https://server.domain.ext:1443/C4A_AGENT/deploymentInfo

SAP Cloud Agent – Version

Finally, the details for the SAP Cloud Agent can be added to the SAP Cloud Connector.

SAP Cloud Connector and Cloud Agent – Details

SAP Help – Find Your Subaccount ID (Cloud Foundry Environment)
Note 2571763 – Authorization problem in SAP Cloud Conn. when adding Cloud Foundry subaccount
Note 2731253 – Europe Frankfurt regions for subaccounts in SAP Cloud Connector
Note 2987604 – SAP_COM_0200 – Error validating user in HCP (401, Unauthorized)

 


SAP Smart Data Integration Agent for SAP HANA

Additional functionality for planning in SAC requires an additional agent for SAP HANA. For connecting SAP Data Warehouse Cloud to on-premise systems, the Data Provisioning Agent (DP Agent) is required. Remote Function Call (RFC) acts as the standard interface for communication between SAP systems.

Blog – Connect DWC to SAP Source System using SNC RFC
Document – SAP First Guidance – Implement SAP BW/4HANA in the Azure Cloud => Chapter 6.3

Start the SDI Agent Configuration as follows:

h43adm@server:/usr/sap/dataprovagent/bin> ./agentcli.sh --configAgent

Smart Data Integration Agent for SAP HANA

 


Connecting the SAC or DWC Instances

Now you can log on with SAML2/SSL to your SAP Identity Provider (IdP) and connect to the backend.

  • create/use a stable connection with SAML2/SSL
  • create/use a model from live data
  • create/use a story and execute

 

If you have a lot of development ongoing, make sure that you freeze stable connections/models/stories and Whitelist Applications to avoid the constant change of these crucial parameters.

SAP Analytics Cloud Help – Live Data Connection to SAP BW Using a Direct CORS Connection via Unified Connectivity

 


SAC Troubleshooting

SAC troubleshooting is like looking for the “needle in the haystack” or “poking into a wasp nest”. The error can be new or known; mostly it is a limitation of the SAC application, or a network/performance problem triggered from the SAC application.

Note 2544696 – Failed to connect to system in SAP Analytics Cloud *** Master KBA ***
Note 2589761 – Connecting to Live Data in SAP Analytics Cloud *** Master KBA ***
Note 2832606 – Unsupported Features with SAP Data Warehouse Cloud Live Connections in SAP Analytics Cloud
Note 2887651 – Issues with SameSite cookie handling
Note 2932647 – Supported and unsupported features with SAP BW/4HANA Model Transfer in SAP Data Warehouse Cloud
Note 3004356 – Environment list is blank when creating a model using BPC Live Data Connection in SAP Analytics Cloud (SAC)
Note 3117800 – Information/Restrictions Note for SAP Data Warehouse Cloud, SAP BW Bridge
Note 3123817 – BW/4 integration with SAP Data Warehouse Cloud – Enable model import for remote DAC


 

Roland Kramer, SAP Platform Architect for Intelligent Data & Analytics, SAP SE
@SAPFirstGuidance

 

“I have no special talent, I am only passionately curious.”

      1 Comment
      Emmanouil Kouvaritakis

      great blog and wlc back Roland!!