Technical Articles
…Cloud Connector News…
One more time our Development Team delivered a new version of the Cloud Connector with a lot of updates and new features. We recommend updating to 2.15 as soon as possible! If you are already using a master and shadow instance this can be done without downtime (more details on High Availability can be found in the documentation). As usual the new version is here.
What is now new? As in the last updates there are visible and invisible changes. Let’s have a look at some of these – the complete list can be found in the release notes.
Are you using a Kubernetes cluster associated with BTP, or BTP Kyma instance? If so, it is now possible to connect your on-prem installation with a service within the K8s cluster by using a service channel (more Details on Cloud Connector and on Connectivity):
We’ve also added new possibilities to principal propagation. Now it cannot be used only for business user identities but also for technical users. To use this, you must define conditions which are used for setting the subject pattern:
Improving the security for accessing the Cloud Connector UI is now easier as the selection of the allowed cipher suites have been enhanced:
Let’s have a look at some features which are not visible but as important as the visible ones: If you know the prerequisites to install the Cloud Connector you will see that we’ve added here the support of SAPMachine 17 as a runtime. We’ve also added several Operating Systems which can be used for the Cloud Connector: Windows 11, Red Hat Enterprise Linux 9 (for x86_64 and ppc64le).
Additions have been implemented on available APIs. There are now APIs for the ciphers and the trust store and more APIs for getting monitoring data.
Our colleagues from BTP Security have collected recommendations for several services (including Cloud Connector) to harden and to improve your setup: SAP BTP Security Recommendations.
Hi Marco,
thank you for the updates. Especially like the principal propagation for technical user feature.
Can you please check the link to the release notes? It has the parameter state=DRAFT.
Best Regards
Gregor
Hi Gregor,
you're completely right- I've updated the link to the release notes.
Thanks and Best Regards
Marco
Hi Marco,
thank you for the link correction.
I've updated the Cloud Connector in my ABAP Devloper Edition and tried the functionality to decide which X.509 certificate for the Principal Propagation is created based on the condition. But I must say that in it's current state it will not bring new options. What I would need is a pattern matching e.g. for the mail attribute so I can create a different certificate for externals than for employees. Also combining multiple conditions would be great.
Do you have any pointer to details on the Technical User? Is it the user that is propagated when I call e.g. a CAP Service using the Job Scheduling Service and this CAP Service does a call to an on premise destination?
Best Regards
Gregor
Hi Gregor,
your request for pattern support is understandable. As development resources are limited we have to prioritize requests. To do this up to the needs of our customers I am asking you to add this to the influence page (https://influence.sap.com/sap/ino/#/campaign/2282) that we have the possibility to see if there are more customers which need that feature.
For the usage of the technical user documentation has to be updated (and will be- hopefully soon)
Kind Regards
Marco
Hello Marco Ertel
Added the Blog to - next Mystery solved – proper SAC Connection
Best Regards Roland
Hi Marco,
because of the question Principal Propagation - CPIC or System ID by Jeff Rushlow I've checked the documentation details for Authentication Types - Technical User Propagation. This section contains a link:
https://wiki.one.int.sap/wiki/display/NDW/Configuring+Principal+Propagation
which is unfortunately only reachable for SAP Employees and C-Users. Will the details be provided also in a public location?
Best Regards
Gregor
Hi Gregor,
The link https://wiki.one.int.sap/wiki/display/NDW/Configuring+Principal+Propagation is the source of this help page:
https://help.sap.com/docs/CP_CONNECTIVITY/cca91383641e40ffbe03bdc78f00f681/c84d4d0b12d34890b334998185f49e88.html
A change request was created to adjust the link to the public help page.
Best regards,
Antal
Hi Antal,
thank you for the update. Would be great if also SAP Cloud Connector could join the Open Documentation Initiative.
CU
Gregor
My connection from BAS with principal propagation no longer seem to be working in 2.15. Apps deployed to BTP can still use the cloud connector and principal propagation, but running the same app from BAS doesn't work anymore. I see the JWT in the cloud connector logs and the message: com.sap.core.connectivity.tunnel.client.sso.InvalidSSOTokenException: No principal is extracted, as the principal type UNKNOWN is invalid.
SAP Support suggested it was a bug and to use an older version until it can be fixed.
Hi Greg,
but how to get an older version of SCC? On https://tools.hana.ondemand.com/#cloud only the latest version of the SCC can be found.
BR, Marco
Good question. It may require an SAP support ticket. My customer was able to do a system restore.
We faced the same problem and opened an OSS case.
Sap responded that there is a bug in BAS and provided a temporary patch to apply in Cloud connector to solve the issue.
That patch solved the problem
I recommend you to open an SAP case to get the patch.
Kind Regards,
Diego
Hello Greg,
with version 2.15.1 of cloud connecter, which is available under SAP Development Tools (ondemand.com) the issue is solved.
KR
Dominic
Yes, I am facing the same error and is not easy to restore from a higher version to a lower version.
We faced the same problem and opened an OSS case.
Sap responded that there is a bug in BAS and provided a temporary patch to apply in Cloud connector to solve the issue.
That patch solved the problem
I recommend you to open an SAP case to get the patch.
Kind Regards,
Diego
Marco Ertel,
When is version 2.15.2 planned for release?
Thank you - John Hormaechea