Introduction
SAP Analytics cloud (SAC) is a new generation of Software-as-a-Service (SaaS) that redefines analytics in the cloud by providing all analytical capabilities for all user types in one product. It is built on SAP HANA Cloud Platform. SAC is a public SaaS solution that enables access to both on-premise and cloud data sources. In this blog, I will try to explain how to create direct live data connections to on-premise SAP Business Warehouse system or SAP BW4HANA using the Tunnel connection. This blog is relevant for SAP Analytics cloud (SAC) system owner and different IT and application stakeholders within your organization that consume SAC.
In my previous blog, I covered tunnel connection from SAP Analytics cloud to SAP HANA using SAML 2.0 Single-Sign-on and username password. If you would like to learn about what is a tunnel connection and how it works, or understand the comparison between available connection types, please check out my previous blogs*
*
SAP Analytics Cloud Tunnel Connection to SAP HANA using SAML 2.0 SSO
SAP Analytics Cloud Tunnel Connection to SAP HANA using SAML 2.0 SSO | SAP Blogs
What is SAP Analytics Cloud Tunnel Connection? Configure SAC & HANA to use Tunnel Connection with Password Authentication
What is SAP Analytics Cloud Tunnel Connection? Configure SAC & HANA to use Tunnel Connection with Password Authentication | SAP Blogs
Good to know before you start
Like any other configuration you want to make sure you are using the supported SAP Business Warehouse version. To ensure your Chrome browser allow cross-site access to SAP on-premise data source cookies from SAP Analytics Cloud, you must configure your SAP on-premise data source to issue cookies with specific attributes. Failing to update these settings, will affect your user authentication, and Story visualizations based on these connections will not render.
If your use case involves setting up single sign-on (SSO), make sure you are using same Identity Provider (IdP) for SAP Analytics Cloud and SAP Business Warehouse or BW4HANA. I have covered this in my previous blog.
Please look at the diagram below, I will try to break it down into three parts. The part 1 shows configuration required in SAP BW or SAP BW4HANA system, 2 shows the configuration required in SAPCP Cloud Connector and finally in step 3 we create a live connection in SAC
Step 1.
Most of the configuration in step 1, is done in SAP BW or BW4HANA system.
1.1 Configure SSL on your SAP BW or BW4HANA
TLS protocol, commonly referred to as SSL, uses public-key technology to provide its protection. Use the Transport Layer Security (TLS) protocol to secure HTTP connections to and from AS ABAP. When using TLS, the data being transferred between the two parties (client and server, in our case SAC and BW4HANA or BW) is encrypted and the two partners can be authenticated.
To setup, see Configuring SAP NetWeaver AS for ABAP to Support SSL, and SAP Note 510007.
1.2 Configure Cross-site cookies
SAP on-premise data source, like SAP BW, and SAP BW/4HANA, issues cookies for authentication and session management. Every cookie has a domain associated with it. These cookies are considered by your browser to be third-party, or cross-site, meaning the domain of the cookie doesn’t match the SAP Analytics Cloud domain in the user’s address bar (ex: sapanalytics.cloud).
As of Google Chrome version 80, Chrome restricts cookies to first-party access by default and requires you to explicitly mark cookies for access in third-party, or cross-site, contexts. Chrome does this by treating cookies that have no declared SameSite value as SameSite=Lax cookies. Only cookies with the SameSite=None; Secure attributes will be available for cross-site access, and require secure HTTPS connections. To overcome this challenge, configure your SAP on-premise data sources to issue cookies with SameSite=None; Secure attributes.
Please follow this blog on how to configure:
Direct Live Connections in SAP Analytics Cloud and SameSite Cookies
1.3 Enable SAP InA on your ABAP Application Server
SAP Information Access (InA) is a REST HTTP-based protocol used by SAP Analytics Cloud to query your data sources in real time. Confirm that your InA package is enabled and services are running on the ABAP AS for your data source.
To check if the Ina package is enabled, open the following URL in your browser: https://<Your_ABAP_Server>/sap/bw/ina/GetServerInfo?sap-client=<Your_Client_ID>. Make sure you are prompted for user credentials, and after login you get a JSON response. Replace <Your_ABAP_Server> with your ABAP system host, and <Your_Client_ID> with your SAP BW client ID.
In transaction code SICF, make sure the required Information Access Services (InA) are active & that the following services are active:
BatchProcessing
GetCatalog
GetResponse
GetServerInfo
Logoff
ValueHelp
1.4 Configure SAP BW or BW4HANA to trust SAPCP Cloud Connector
In order for SAP BW or BW4HANA to trust SAPCP Cloud Connector we need to configure an ABAP system to trust the Cloud Connector’s System Certificate
This step includes two sub-steps:
Configure the ABAP system to trust the Cloud Connector’s system certificate: In Cloud Connector select the ‘configuration’ on left side and then under On-Premise tab generate self-signed system certificate and CA certificate. In this scenario, I will use the self-signed cert to establish the trust with the SAP BW or BW4HANA system. Download the certificate. In live scenario consider using a signed certificate.
Import the system certificate in STRUST
Configure the Internet Communication Manager (ICM) to trust the system certificate for principal propagation, and Map Short-Lived Certificates to Users
Maintain 4 profile parameters as shown below in transaction RZ10 transaction
1.4 Configure to Accept Short-Lived X.509 Certificate from SAPCP Cloud Connector
Here we will map Short-Lived Certificates to Users in the SAP BW or BW4HANA system. In the previous step we update the parameter login/certificate_mapping_rulebased value to ‘1’.
Import your SAP Cloud connector system certificate into SAP BW or BW4HANA.
To do this go to TCODE: CERTRULE
Select Rule to define the mapping and click Save.
You will notice ‘User Status’ turns green, and shows the user found in the system if your mapping is correct.
Step 2
In the second step, most of the configuration is done in SAPCP Cloud Connector.
2.1 Setup Trust Between SAPCP Cloud Connector and SAP BW or BW4HANA
Next, we will setup the SAPCP Cloud Connector between data source system and SAP Analytics Cloud to establish a live tunnel connection.
The SAP Cloud Connector provides a secure tunnel between SAP Analytics Cloud and SAP BW or BW4HANA. It runs as a reverse invoke proxy between the live system/on-premise network and the SAP Cloud Platform.
To use the SAP Cloud Platform cloud connector for data source connections, you’ll need to complete these configuration steps:
Once you complete the above step make sure the system is reachable and looks like the image shown below.
Next, we will allow access to SAP BW or BW4HANA system paths:
Once you complete the above step make sure the system is reachable and looks like the image shown below.
2.2 Setup Trust for Principal Propagation
The Principal Propagation method is very common among customers that have system to system communication and want their users to have seamless SSO experience.
The SAP Cloud Connector recognize and use the SAML attributes to generate the X.509 certificate, this short-lived certificate is then used to authenticate the user in the backend (in our case BW4HANA). The X.509 certificate contains information about the cloud user in its subject.
In your SAPCP Cloud Connector, switch to the Principal Propagation tab, here we will establish trust to an ‘Identity Provider’ to support principal propagation. Here we will be performing following tasks:
From your subaccount menu, choose Cloud to On-Premise and go to the Principal Propagation tab. Choose the Synchronize button to store the list of existing identity providers locally in your Cloud Connector.
Select an entry to see its details:
Note: Whenever you update the SAML IdP configuration for a subaccount on cloud side, you must synchronize the trusted entities in the Cloud Connector.
2.3 SAPCP Cloud Connector should trust Identity Provider (IdP)
Please note SAP Analytics cloud and SAP BW or BW4HANA system should use same Identity Provider. The SAPCP Cloud Connector needs to trust the identity provider (IdP) that the customer uses (via syncing the IdPs in the cloud connector interface).
Step 3
In the final step, step 3, now that you’ve configured your data source, you can finally create the live connection in SAP Analytics Cloud.
Procedure
Once you’ve created your live data connection, test it by creating a model.
Okumaya devam et...
SAP Analytics cloud (SAC) is a new generation of Software-as-a-Service (SaaS) that redefines analytics in the cloud by providing all analytical capabilities for all user types in one product. It is built on SAP HANA Cloud Platform. SAC is a public SaaS solution that enables access to both on-premise and cloud data sources. In this blog, I will try to explain how to create direct live data connections to on-premise SAP Business Warehouse system or SAP BW4HANA using the Tunnel connection. This blog is relevant for SAP Analytics cloud (SAC) system owner and different IT and application stakeholders within your organization that consume SAC.
In my previous blog, I covered tunnel connection from SAP Analytics cloud to SAP HANA using SAML 2.0 Single-Sign-on and username password. If you would like to learn about what is a tunnel connection and how it works, or understand the comparison between available connection types, please check out my previous blogs*
*
SAP Analytics Cloud Tunnel Connection to SAP HANA using SAML 2.0 SSO
SAP Analytics Cloud Tunnel Connection to SAP HANA using SAML 2.0 SSO | SAP Blogs
What is SAP Analytics Cloud Tunnel Connection? Configure SAC & HANA to use Tunnel Connection with Password Authentication
What is SAP Analytics Cloud Tunnel Connection? Configure SAC & HANA to use Tunnel Connection with Password Authentication | SAP Blogs
Good to know before you start
Like any other configuration you want to make sure you are using the supported SAP Business Warehouse version. To ensure your Chrome browser allow cross-site access to SAP on-premise data source cookies from SAP Analytics Cloud, you must configure your SAP on-premise data source to issue cookies with specific attributes. Failing to update these settings, will affect your user authentication, and Story visualizations based on these connections will not render.
If your use case involves setting up single sign-on (SSO), make sure you are using same Identity Provider (IdP) for SAP Analytics Cloud and SAP Business Warehouse or BW4HANA. I have covered this in my previous blog.
Please look at the diagram below, I will try to break it down into three parts. The part 1 shows configuration required in SAP BW or SAP BW4HANA system, 2 shows the configuration required in SAPCP Cloud Connector and finally in step 3 we create a live connection in SAC
Step 1.
Most of the configuration in step 1, is done in SAP BW or BW4HANA system.
1.1 Configure SSL on your SAP BW or BW4HANA
TLS protocol, commonly referred to as SSL, uses public-key technology to provide its protection. Use the Transport Layer Security (TLS) protocol to secure HTTP connections to and from AS ABAP. When using TLS, the data being transferred between the two parties (client and server, in our case SAC and BW4HANA or BW) is encrypted and the two partners can be authenticated.
To setup, see Configuring SAP NetWeaver AS for ABAP to Support SSL, and SAP Note 510007.
1.2 Configure Cross-site cookies
SAP on-premise data source, like SAP BW, and SAP BW/4HANA, issues cookies for authentication and session management. Every cookie has a domain associated with it. These cookies are considered by your browser to be third-party, or cross-site, meaning the domain of the cookie doesn’t match the SAP Analytics Cloud domain in the user’s address bar (ex: sapanalytics.cloud).
As of Google Chrome version 80, Chrome restricts cookies to first-party access by default and requires you to explicitly mark cookies for access in third-party, or cross-site, contexts. Chrome does this by treating cookies that have no declared SameSite value as SameSite=Lax cookies. Only cookies with the SameSite=None; Secure attributes will be available for cross-site access, and require secure HTTPS connections. To overcome this challenge, configure your SAP on-premise data sources to issue cookies with SameSite=None; Secure attributes.
Please follow this blog on how to configure:
Direct Live Connections in SAP Analytics Cloud and SameSite Cookies
1.3 Enable SAP InA on your ABAP Application Server
SAP Information Access (InA) is a REST HTTP-based protocol used by SAP Analytics Cloud to query your data sources in real time. Confirm that your InA package is enabled and services are running on the ABAP AS for your data source.
To check if the Ina package is enabled, open the following URL in your browser: https://<Your_ABAP_Server>/sap/bw/ina/GetServerInfo?sap-client=<Your_Client_ID>. Make sure you are prompted for user credentials, and after login you get a JSON response. Replace <Your_ABAP_Server> with your ABAP system host, and <Your_Client_ID> with your SAP BW client ID.
In transaction code SICF, make sure the required Information Access Services (InA) are active & that the following services are active:
BatchProcessing
GetCatalog
GetResponse
GetServerInfo
Logoff
ValueHelp
1.4 Configure SAP BW or BW4HANA to trust SAPCP Cloud Connector
In order for SAP BW or BW4HANA to trust SAPCP Cloud Connector we need to configure an ABAP system to trust the Cloud Connector’s System Certificate
This step includes two sub-steps:
- Configure the ABAP system to trust the Cloud Connector’s system certificate.
- Configure the Internet Communication Manager (ICM) to trust the system certificate for principal propagation, and Map Short-Lived Certificates to Users.
Configure the ABAP system to trust the Cloud Connector’s system certificate: In Cloud Connector select the ‘configuration’ on left side and then under On-Premise tab generate self-signed system certificate and CA certificate. In this scenario, I will use the self-signed cert to establish the trust with the SAP BW or BW4HANA system. Download the certificate. In live scenario consider using a signed certificate.
Import the system certificate in STRUST
Configure the Internet Communication Manager (ICM) to trust the system certificate for principal propagation, and Map Short-Lived Certificates to Users
Maintain 4 profile parameters as shown below in transaction RZ10 transaction
- login/certificate_mapping_rulebased=1
- icm/HTTPS/verify_client=1
- icm/HTTPS/trust_client_with_issuer=Value of Issuer of Cloud Connector System Certificate
- icm/HTTPS/trust_client_with_subject=Value of Issuer of Cloud Connector System Certificate
1.4 Configure to Accept Short-Lived X.509 Certificate from SAPCP Cloud Connector
Here we will map Short-Lived Certificates to Users in the SAP BW or BW4HANA system. In the previous step we update the parameter login/certificate_mapping_rulebased value to ‘1’.
Import your SAP Cloud connector system certificate into SAP BW or BW4HANA.
To do this go to TCODE: CERTRULE
Select Rule to define the mapping and click Save.
You will notice ‘User Status’ turns green, and shows the user found in the system if your mapping is correct.
Step 2
In the second step, most of the configuration is done in SAPCP Cloud Connector.
2.1 Setup Trust Between SAPCP Cloud Connector and SAP BW or BW4HANA
Next, we will setup the SAPCP Cloud Connector between data source system and SAP Analytics Cloud to establish a live tunnel connection.
The SAP Cloud Connector provides a secure tunnel between SAP Analytics Cloud and SAP BW or BW4HANA. It runs as a reverse invoke proxy between the live system/on-premise network and the SAP Cloud Platform.
To use the SAP Cloud Platform cloud connector for data source connections, you’ll need to complete these configuration steps:
- Log in to the Cloud Connector Administration application.
- In the left-side menu, select Cloud To On-Premise.
- In the Subaccount field, choose your SAP Analytics Cloud subaccount.
- On the Access Control tab, in the Mapping Virtual To Internal System section, click (Add) to add a new mapping to your live data system.
- In the Add System Mapping dialog, use the following values:
| SAP BW or SAP BW4HANA | � |
| Back-end Type | ABAP system |
| Protocol | HTTPS |
| Internal Host Internal Port | <system host> <system port> |
| Virtual Host Virtual Port | <can use the same host as the internal host> <can use the same port as the internal port> |
| Principal Type | If using single sign-on, choose X.509 Certificate (General Usage). If using a username and password, choose None. We plan to use SSO in this blog |
Once you complete the above step make sure the system is reachable and looks like the image shown below.
Next, we will allow access to SAP BW or BW4HANA system paths:
- In the Resources Of section, click (Add).
- Enter the URL Path: “/”.
- Choose Path and all sub-paths.
- Select Save.
Once you complete the above step make sure the system is reachable and looks like the image shown below.
2.2 Setup Trust for Principal Propagation
The Principal Propagation method is very common among customers that have system to system communication and want their users to have seamless SSO experience.
The SAP Cloud Connector recognize and use the SAML attributes to generate the X.509 certificate, this short-lived certificate is then used to authenticate the user in the backend (in our case BW4HANA). The X.509 certificate contains information about the cloud user in its subject.
In your SAPCP Cloud Connector, switch to the Principal Propagation tab, here we will establish trust to an ‘Identity Provider’ to support principal propagation. Here we will be performing following tasks:
- Configure Trusted Entities in the Cloud Connector
You perform trust configuration to support principal propagation. By default, your Cloud Connector does not trust any entity that issues tokens for principal propagation. Therefore, the list of trusted identity providers is empty by default. If you decide to use the principal propagation feature, you must establish trust to at least one identity provider. Currently, SAML2 identity providers are supported. You can configure trust to one or more SAML2 IdPs per subaccount. After you’ve configured trust in the cockpit for your subaccount, for example, to your own company’s identity provider(s), you can synchronize this list with your Cloud Connector.
From your subaccount menu, choose Cloud to On-Premise and go to the Principal Propagation tab. Choose the Synchronize button to store the list of existing identity providers locally in your Cloud Connector.
Select an entry to see its details:
- Name: the name associated with the identity provider.
- Description: descriptive information about this entry.
- Type: type of the trusted entity.
- Trusted: indicates whether the entry is trusted for principal propagation.
- Actions: Choose the Show Certificate Information icon to display detail information for the corresponding entry. The Cloud Connector runtime will use the certificate associated with the entry to verify that the assertion used for principal propagation was issued by a trusted entity.
Note: Whenever you update the SAML IdP configuration for a subaccount on cloud side, you must synchronize the trusted entities in the Cloud Connector.
2.3 SAPCP Cloud Connector should trust Identity Provider (IdP)
Please note SAP Analytics cloud and SAP BW or BW4HANA system should use same Identity Provider. The SAPCP Cloud Connector needs to trust the identity provider (IdP) that the customer uses (via syncing the IdPs in the cloud connector interface).
Step 3
In the final step, step 3, now that you’ve configured your data source, you can finally create the live connection in SAP Analytics Cloud.
Procedure
- From the side navigation, choose ‘Connections’ (Add Connection).
- Expand Connect to Live Data and select SAP BW.
- In the dialog, enter a name and description for your connection.
- Set the connection type to Tunnel.
- Add your data source’s virtual host name, HTTPS port, and Client.
- Under Authentication, select SAML Single Sign On.
Results
Once you’ve created your live data connection, test it by creating a model.
Okumaya devam et...