Skip to Content
Technical Articles
Author's profile photo Marco Ertel

…Cloud Connector News…

One more time our Development Team delivered a new version of the Cloud Connector with a lot of updates and new features. We recommend updating to 2.15 as soon as possible! If you are already using a master and shadow instance this can be done without downtime (more details on High Availability can be found in the documentation). As usual the new version is here.

What is now new? As in the last updates there are visible and invisible changes. Let’s have a look at some of these – the complete list can be found in the release notes.

Are you using a Kubernetes cluster associated with BTP, or BTP Kyma instance? If so, it is now possible to connect your on-prem installation with a service within the K8s cluster by using a service channel (more Details on Cloud Connector and on Connectivity):

We’ve also added new possibilities to principal propagation. Now it cannot be used only for business user identities but also for technical users. To use this, you must define conditions which are used for setting the subject pattern:

Improving the security for accessing the Cloud Connector UI is now easier as the selection of the allowed cipher suites have been enhanced:

Let’s have a look at some features which are not visible but as important as the visible ones: If you know the prerequisites to install the Cloud Connector you will see that we’ve added here the support of SAPMachine 17 as a runtime. We’ve also added several Operating Systems which can be used for the Cloud Connector: Windows 11, Red Hat Enterprise Linux 9 (for x86_64 and ppc64le).

Additions have been implemented on available APIs. There are now APIs for the ciphers and the trust store and more APIs for getting monitoring data.

Our colleagues from BTP Security have collected recommendations for several services (including Cloud Connector) to harden and to improve your setup: SAP BTP Security Recommendations.

Assigned Tags

      15 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Gregor Wolf
      Gregor Wolf

      Hi Marco,

      thank you for the updates. Especially like the principal propagation for technical user feature.

      Can you please check the link to the release notes? It has the parameter state=DRAFT.

      Best Regards
      Gregor

      Author's profile photo Marco Ertel
      Marco Ertel
      Blog Post Author

      Hi Gregor,

      you're completely right- I've updated the link to the release notes.

       

      Thanks and Best Regards
      Marco

      Author's profile photo Gregor Wolf
      Gregor Wolf

      Hi Marco,

      thank you for the link correction.

      I've updated the Cloud Connector in my ABAP Devloper Edition and tried the functionality to decide which X.509 certificate for the Principal Propagation is created based on the condition. But I must say that in it's current state it will not bring new options. What I would need is a pattern matching e.g. for the mail attribute so I can create a different certificate for externals than for employees. Also combining multiple conditions would be great.

      Do you have any pointer to details on the Technical User? Is it the user that is propagated when I call e.g. a CAP Service using the Job Scheduling Service and this CAP Service does a call to an on premise destination?

      Best Regards
      Gregor

      Author's profile photo Marco Ertel
      Marco Ertel
      Blog Post Author

      Hi Gregor,

      your request for pattern support is understandable. As development resources are limited we have to prioritize requests. To do this up to the needs of our customers I am asking you to add this to the influence page (https://influence.sap.com/sap/ino/#/campaign/2282) that we have the possibility to see if there are more customers which need that feature.

      For the usage of the technical user documentation has to be updated (and will be- hopefully soon)

      Kind Regards
      Marco

      Author's profile photo Roland Kramer
      Roland Kramer

      Hello Marco Ertel

      Added the Blog to - next Mystery solved – proper SAC Connection

      Best Regards Roland

      Author's profile photo Gregor Wolf
      Gregor Wolf

      Hi Marco,

      because of the question Principal Propagation - CPIC or System ID by Jeff Rushlow I've checked the documentation details for Authentication Types - Technical User Propagation. This section contains a link:

      https://wiki.one.int.sap/wiki/display/NDW/Configuring+Principal+Propagation

      which is unfortunately only reachable for SAP Employees and C-Users. Will the details be provided also in a public location?

      Best Regards
      Gregor

      Author's profile photo Antal Perger
      Antal Perger

      Hi Gregor,

       

      The link https://wiki.one.int.sap/wiki/display/NDW/Configuring+Principal+Propagation is the source of this help page:

      https://help.sap.com/docs/CP_CONNECTIVITY/cca91383641e40ffbe03bdc78f00f681/c84d4d0b12d34890b334998185f49e88.html

       

      A change request was created to adjust the link to the public help page.

      Best regards,

      Antal

      Author's profile photo Gregor Wolf
      Gregor Wolf

      Hi Antal,

      thank you for the update. Would be great if also SAP Cloud Connector could join the Open Documentation Initiative.

      CU
      Gregor

      Author's profile photo Greg Austin
      Greg Austin

      My connection from BAS with principal propagation no longer seem to be working in 2.15.  Apps deployed to BTP can still use the cloud connector and principal propagation, but running the same app from BAS doesn't work anymore.  I see the JWT in the cloud connector logs and the message: com.sap.core.connectivity.tunnel.client.sso.InvalidSSOTokenException: No principal is extracted, as the principal type UNKNOWN is invalid.

      Author's profile photo Greg Austin
      Greg Austin

      SAP Support suggested it was a bug and to use an older version until it can be fixed.

      Author's profile photo Marco Holzwarth
      Marco Holzwarth

      Hi Greg,

      but how to get an older version of SCC? On https://tools.hana.ondemand.com/#cloud only the latest version of the SCC can be found.

      BR, Marco

      Author's profile photo Greg Austin
      Greg Austin

      Good question.  It may require an SAP support ticket.  My customer was able to do a system restore.

      Author's profile photo Diego Ismael Ibarra
      Diego Ismael Ibarra

      We faced the same problem and opened an OSS case.

      Sap responded that there is a bug in BAS and provided a temporary patch to apply in Cloud connector to solve the issue.

      That patch solved the problem

      I recommend you to open an SAP case to get the patch.

      Kind Regards,

      Diego

      Author's profile photo Middleware PI SDT
      Middleware PI SDT

      Yes, I am facing the same error and is not easy to restore from a higher version to a lower version.

      Author's profile photo Diego Ismael Ibarra
      Diego Ismael Ibarra

      We faced the same problem and opened an OSS case.

      Sap responded that there is a bug in BAS and provided a temporary patch to apply in Cloud connector to solve the issue.

      That patch solved the problem

      I recommend you to open an SAP case to get the patch.

      Kind Regards,

      Diego