SAP Community - Cloud Connector

Connection between SAP Datasphere and SAP SuccessFactors HXM Suite using OData, OAuth2 and SAML Bearer on Cloud

2023-08-03T13:22:38+02:00

This blog will assist you in setting up the connection between SAP Datasphere and SAP SuccessFactors HXM Suite using OData, Authentication type OAuth2 and Grant type SAML Bearer on cloud.

Before getting into the specifics, let's look at some technical terms.

OAuth 2.0: OAuth 2.0, which stands for “Open Authorization”, is a standard designed to allow a website or application to access resources hosted by other web apps on behalf of a user.

OData: The Open Data Protocol (OData) is a standardized protocol for creating and consuming data APIs. The SAP SuccessFactors HXM Suite OData API is a Web Service API feature based on the OData protocol. It's intended to enable access to SAP SuccessFactors data in the system.

SAML 2.0: The Security Assertion Markup Language (SAML) version 2.0 provides a standards-based mechanism for Single Sign-On (SSO). It is needed for integrating an enterprise’s existing single sign-on (SSO) with third-party (cloud based) service providers. The two main components of a SAML 2.0 landscape are an identity provider and a service provider. The service provider is a system entity that provide a set of Web applications with a common session management, identity management, and trust management. The identity provider is a system entity that manages identity information for principals and provides authentication services to other trusted service providers. In other words, the service providers outsource the job of authenticating the user to the identity provider. The identity provider maintains the list of service providers where the user is logged in and passes on logout requests to those service providers.

Here, the following connection type and grant type have been used for making connections.

Connection Type: SAP SuccessFactors

Authentication Type: OAuth 2.0

OAuth Grant Type: SAML Bearer

SAML Assertion: There are two options True and False, here I will explain you both the options. However if you use option “FALSE” you will get the below warning message in the connection, although your connection will be successfully established.

Section 1: How to generate X.509 certificate, API Key, Private Key and Download/Upload SuccessFactors url into Datasphere?

The first step is to create an X.509 certificate from SuccessFactors and store the private key; you will need to utilize this private key later on when setting up a connection in the Datasphere. And register your client application so that you can authenticate API users using OAuth2. After you register an application, you’ll get an exclusive API key for your application to access SAP SuccessFactors OData APIs.

So, let’s start creating X.509 certificate.

Step 1: Login into your SAP SuccessFactors url instance as administrator and then search for oauth2 and create a new OAuth2 Client in “Manage OAuth2 Client Applications” section.

After opening page, Click on Register Client Application

If you need help filling out the information above, see the SAP help portal below.

https://help.sap.com/docs/SAP_SUCCESSFACTORS_PLATFORM/d599f15995d348a1b45ba5603e2aba9b/6b3c741483de47b290d075d798163bc1.html

After filling above details, click on Generate X.509 Certificate

After filling above details, click Generate.

Here you must click on Download and save the certificate.

And then click Register

Your entry will be created as shown on the page.

After this, you just click on View and take a note of API Key this will require you to while creating the connection.

From the above API Key and Private Key (In the downloaded certificate), you can create the connection using option SAML Assertion: FALSE, The section on creating connections below will explain how to do so using these keys.

Note: In the downloaded certificate.pem there will be two part (Private Key & Public Key), so you need to copy and paste (from private key) only the enclosed string without the beginning and ending lines (-----BEGIN ENCRYPTED PRIVATE KEY----- -----END ENCRYPTED PRIVATE KEY-----), otherwise an error occurs.

Caution: The private key must be kept secure under all circumstances. Do not share the private key with others. If you lose the private key, you must create a new certificate.

Certificate.pem looks like as below.

Step 2: In this case will use when SAML Assertion: TRUE. Follow the complete process as mentioned in step 1 and note down the private key. Here I will generate the other key without having to expose your private key to the internet.

Generating a SAML Assertion: Generate a Security Assertion Markup Language (SAML) assertion for requesting an OAuth token. This topic explains how to generate a SAML assertion using the offline tool provided by SAP SuccessFactors.

Prerequisites

You’ve registered your application in Manage OAuth2 Client Applications in the SAP SuccessFactors and obtained the API key and Private key for the application.

Why Deprecation ?

Warning message when you use SAML Assertion: FALSE as shown below.

The /oauth/idp API was provided for API users to generate SAML assertions for authentication. However, this method is considered unsafe because it requires users to pass private keys through an API call. Therefore, we're deprecating this API and encouraging to choose secure ways to generate SAML assertions.

Caution: Do not use the /oauth/idp API to generate SAML assertions. This approach is unsecure and has been deprecated.

Solution: For complete process follow the S-Note 3031657 - How to generate SAML assertion using SAP-provided offline tool – SuccessFactors.

https://help.sap.com/docs/SAP_SUCCESSFACTORS_PLATFORM/d599f15995d348a1b45ba5603e2aba9b/4e27e8f6ae2748ab9f23228dd6a31b06.html

Step 3: The third step would be download the url certificate from the SuccessFactors and upload the certificate into Datasphere.

You can refer the SAP S-Note and blog for this activity.

3138841 - Error when using Remote tables in SAP Datasphere

In Blog: Goto the section Download Certificate

https://blogs.sap.com/2023/04/20/connecting-sap-successfactors-and-sap-datasphere/

Section 2: How to create connections in Success Factors?

Let’s create the connection with option SAML Assertion: TRUE or FALSE

Step 1: With Option SAML Assertion: FALSE

Login into Datasphere -> Connections -> Search for Success Factors -> Local Connections -> Create

Connection Information
Business Name: You can give generic name as you like.

Technical Name: You can give generic name as you like, later you will not be able to change.

Description: You can mention about connection details here.

Connection Details
URL: Enter the OData service provider URL of the SAP SuccessFactors service that you want to access.
Version: Displays the OData version used to implement the SAP SuccessFactors OData service.

Authentication
Authentication Type: OAuth 2.0

OAuth 2.0

Provide SAML Assertion: FALSE

OAuth Token Endpoint: Enter the Token endpoint to use to request an access token: <SAP SuccessFactors API Server>/oauth/token.

OAuth Scope: Optional.

OAuth API Endpoint: Enter the API endpoint: <SAP SuccessFactors API Server>/oauth/idp.

OAuth User ID: This user ID should be existed in your SuccessFactors portal.

OAuth Company ID: Enter the SAP SuccessFactors company ID.

Note: SAP SuccessFactors API Server you can find List of SAP SuccessFactors API Servers & URL from below s-note and link.

2089448 - SuccessFactors Datacenter Name, Location, Production Login URL, Production Domain Name, External mail Server details and External mail Server IPs

https://help.sap.com/docs/SAP_SUCCESSFACTORS_PLATFORM/d599f15995d348a1b45ba5603e2aba9b/af2b8d5437494b12be88fe374eba75b6.html

Credentials (OAuth 2.0)

Client ID: API Key (Which was generated while X.509 certificate as explained in Section 1 & Step 1)

Client Secret: Private Key (Which was generated while X.509 certificate as explained in Section 1 & Step 1)

Click on Save

Now test the connection.

Select Business Name or Connection Name and click on Validate. You will see the below success message.

Connection

“Business Name” is valid.

- Data flows are enabled.

- Remote tables are enabled.

Step 2: With Option SAML Assertion: TRUE

Login into Datasphere -> Connections -> Search for Success Factors -> Local Connections -> Create

OAuth 2.0

Provide SAML Assertion: TRUE

OAuth Token Endpoint: Enter the Token endpoint to use to request an access token: <SAP SuccessFactors API Server>/oauth/token.

OAuth Scope: Optional.

OAuth Company ID: Enter the SAP SuccessFactors company ID.

Credentials (OAuth 2.0)

Client ID: API Key (Which was generated while X.509 certificate as explained in Section 1 & Step 1)

SAML Assertion: Private Key (Which was generated while X.509 certificate as explained in Section 1 & Step 2)

Now test the connection.

Select Business Name or Connection Name and click on Validate. You will see the below success message.

Connection

“Business Name” is valid.

- Data flows are enabled.

- Remote tables are enabled.

Summary:

In the above Section 1 we have completed following points.

X.509 Certificate

Generated API Key

Generated Private Key

Downloaded/Uploaded the url certificate

In the Section 2 we have completed how to build a connection using OAuth 2.0 and SAML Assertion: TRUE and FALSE.

Troubleshooting:

Error 1: If you are getting below error message.

Resolution:

- Make sure that you are using the Private key generated from the OAuth key in SF, and not the public key that it's the one displaying in the OAuth Key config. The private key is only shared once, which is when you create the OAuth Key initially.

- Make sure no extra spaces are included when you add the private key in the Data Sphere system.

Error 2:

Connection "Business Name" couldn’t be established. - Data flows can't be used because of errors in the connection. - Replication flows are not supported. - Remote tables can't be used because of errors in the connection.

Data Flows: Cause: Invalid odata connection! Getting odata metadata failed because of Excpetion: org.apache.olingo.client.core.http.OAuth2Exception: Failed to fetch OAuth2 token! Token endpoint response HTTP/1.1 400 {"errorHttpCode":"400","errorMessage":"Invalid SAML assertion. For the correct SAML assertion format, see https://help.sap.com/docs/SAP_SUCCESSFACTORS_PLATFORM/d599f15995d348a1b45ba5603e2aba9b/4e27e8f6ae2748ab9f23228dd6a31b06.html."} Code:1500010
Remote Tables: Unable to connect remote source: Failed to fetch OAuth2 access token: 'HttpClient.request: OAuth2 request failed with error:
Response HTTP code: 400
Response HTTP body: {"errorHttpCode":"400","errorMessage":"Invalid SAML assertion. For the correct SAML assertion format, see https://help.sap.com/docs/SAP_SUCCESSFACTORS_PLATFORM/d599f15995d348a1b45ba5603e2aba9b/4e27e8f6ae2748ab9f23228dd6a31b06.html."}', Code: 5921, SQL State: HY000

Correlation ID: 08e0739b-cbdc-415a-5b32-2d90e5950b49

Resolution: Follow the below link https://help.sap.com/docs/SAP_SUCCESSFACTORS_PLATFORM/d599f15995d348a1b45ba5603e2aba9b/4e27e8f6ae2748ab9f23228dd6a31b06.html

Error 3:

Connection "Business Name or Connection_Name" is valid, but not all features are available.

- Data flows are enabled.

- Remote tables can't be used because of errors in the connection.

Remote Tables: Unable to connect remote source: SSL requested, but no trust store configured, Code: 5921, SQL State: HY000

Resolution: Follow the S-Note: 3138841 - Error when using Remote tables in SAP Datasphere

References Link & S-Notes:

SAP SuccessFactors Connections: https://help.sap.com/docs/SAP_DATASPHERE/be5967d099974c69b77f4549425ca4c0/39df02030d4b411487bacecf9afea4e8.html?q=successfactors%20connectivity

3138841 - Error when using Remote tables in SAP Datasphere

3031657 - How to generate SAML assertion using SAP-provided offline tool – SuccessFactors

2850646 - How to register for OAuth 2.0 authentication - SuccessFactors Integrations

2613670 - What are the available APIs for SuccessFactors?

2533915 - SAP SuccessFactors SSL Certificate Renewal Schedule and Public Certificate Repository

2203741 - How to download an SAP SuccessFactors or API SSL Certificate

----------------------------

Thanks for reading this article! Your feedback and suggestions are welcome.

Next release of the Cloud Connector is available: 2.16.0

2023-08-07T12:43:38+02:00

We again have released a new version of the cloud connector with interesting new features. A lot happened under the hood to ensure the highest security levels but that is not all.

Let me start with the installation (which of course can be found here) where we've added two more platforms to give you more flexibility for selecting the best platform:

Oracle Linux 9

macOS aarch64 (native support of the M1/M2 processors)

If you are using an ABAP System in the cloud and need more security for classic RFC endpoints, you should check the new feature to use SNC:

More about that can be found in the documentation.

Not for all users but at least for some it might be helpful that you're able to change now the login procedure from user and password to a client certificate. This works also for the REST APIs. But here we have to say that (in the version 2.16) we unfortunately have the restriction to setups without a shadow instance. This will of course change in the future. If you still want to use it or at least try it out find more here.

On the logging and monitoring we’ve worked on two features:

getting more insights for TCP and TCP SSL connections as you now see them also in the Back-end connections and in the usage statistics.

adding a csv export to the Audit Log to give you more transparency which modifications on the cloud connector setup had been done:

Additionally, under the hood we've updated lots of libraries to the most recent versions, cleaned up features which are no longer needed and improved the performance of the login procedure for some installations.

Therefore: don't wait and update your Cloud Connector as soon as possible (and have a look at the official release notes)!

Exposing On-Premise S/4 Apps to SAP Build Work Zone: A Step-by-Step Guide

2023-08-15T21:57:22+02:00

Introduction

This blog post is your guide to seamlessly exposing Fiori apps from your on-premise system within the dynamic environment of SAP Build Work Zone, leveraging the power of SAP Business Technology Platform (BTP).

SAP Build Work Zone:

SAP Build Work Zone enables business users to create and customize business sites intuitively. By providing secure, centralized access to SAP and non-SAP applications, processes, and data on various devices, it enhances productivity and engagement. The inclusion of interactive workspaces, guided experiences, and knowledge sharing further optimizes team efficiency.

Key capabilities:

Provide a central access to multiple cloud & on-premise systems

Flexible page builder Integrate custom apps and UI cards

Access multiple pages via navigation menu

Customizations and extensions (e.g. branding, translation, shell plug-ins, domains URL)

Prerequisite:

Access to S/4 Hana On-premise system

Active SAP Build Work Zone service within a SAP BTP subaccount

SAP Build work zone service in SAP BTP

Creating secured tunnel between your SAP BTP subaccount and on premise SAP system using cloud connector.

SAP system is connected to the cloud connector, allowing you to selectively expose backend resources.

Make sure your Cloud connector is connected to your SAP BTP Subaccount.

Lets Begin,

Creating Destinations in SAP BTP: Go to SAP BTP sub account where your application instance is running and select destination under connectivity and create destination as shown in the screenshot below.(Append the service details "/sap/bc/ui2/cdm3/entities" after including the virtual host and port details in the URL.)Clone the above destination with additional properties as mentioned below and call this as runtime destination. Its recommended to use technical user with proper authorization. More information on Design time and runtime destination along with authorization details can be found here.

Exposing Roles in the On-Premise System: Log in to your on-premise system and execute the transaction code /UI2/CDM3_EXP_SCOPE. Here, you can select and expose the roles that you intend to make accessible. Ensure that the applications within these roles are activated and organized within Groups/Spaces and Catalogs.

Configuring SAP Build Work Zone: Now, go back to your SAP BTP account and launch SAP Build work zone Application.

Once you are logged in, Go to Channel Manager to add the content provider details.

Add the destination details which were created in BTP and create content provider

Navigate to the Content Manager section and select the content explorer. Select the content channel you established in the previous step (SS4). Upon clicking this channel, you will witness the content exposed from your on-premise system in step 2. Select the roles associated with the content and proceed to add them.

Role Assignment in BTP Subaccount: Once the above step is completed, Go back to BTP subaccount and roles added in the above step will be available in role collection of BTP to add for the user who will be consuming this content.

Configuring and Launching the Site: Navigate back to SAP Build work zone and create the site in site directory, once created, Go into the settings and select the option to edit. Access the assign items section and add the content, subsequently saving your configurations. Now, return to the site directory, where you can launch the site, granting access to the apps.
Launching site as highlighted below

And there you have it! With everything set up, you can now access the apps directly from your On-Premise system.

In Conclusion:

SAP Build Work Zone not only facilitates the consumption of Fiori apps but also serves as a conduit for connecting diverse SAP and non-SAP applications. This synergy creates a unified entry point for all applications, bolstering efficiency and collaboration across your organizational landscape. By following the outlined steps, you're poised to harness the potential of SAP Build Work Zone in amalgamating your on-premise Fiori apps seamlessly.

Certificate-based authentication in the SAP Cloud Connector

2023-08-29T21:21:37+02:00

Introduction

Hello SAP Community,

As this is my first SAP-blog, I would like to briefly introduce the main idea and my goal for the next post, as it will be the same for all future ones.

Without a huge technical background in network or PKI areas, sometimes my comments may seem too obvious for someone. However, my main idea was to save your time configuring new (or relatively new, or too complex that they always look like a new one) features. Let's assume you could save one or two ~~days~~ hours trying to figure out why your newly configured scenario doesn't work, so you could spend these couple of hours enjoying your cup of coffee with colleagues. Sounds good, right?

I have only one wish from my side. Please, in case of mistakes, missed details, or, oh no, mistakes, feel free to point them out in the comments. Otherwise, let's get started!

Feature overview

Just a couple of weeks ago, a new SAP Cloud Connector release was introduced by SAP: Next release of the Cloud Connector is available: 2.16.0 | SAP Blogs. One of the main features is the option to configure certificate-based authentication for the Cloud Connector administrator: Logon to the Cloud Connector via Client Certificate | SAP Help Portal.

From an end user perspective, I liked this feature for the possibility of being smoothly authenticated with no need to remember another password.

As a security specialist, I'm more than happy that my users won't need to keep their another user/password pair on a sticker under their keyboard.

How-to steps

1. Change the Admin name.

Let's briefly summarize the idea of the Cloud Connector's user management approach. Here, you have two options to store your users:

Local store

LDAP

If you have LDAP configured, it means you have an excellent understanding of user maintenance already. Our main goal here is to make it possible for the Cloud Connector to map username from the client certificate to the actual user from the Cloud Connector user store. By default, the Cloud Connector admin has the name Administrator. If you have the option to create and sign the certificate with this name by your corporate Certificate Authority (CA), you may leave it as it is. Otherwise, you could change it by clicking on the Edit button. I will switch it to my I-user.

Local User Store and default authentication method: User/Password

After this Cloud Connector will ask you to be restarted. Type your new username and password on the login screen and continue with the next steps.

2. Find your correct Root CA certificate.

Now it's necessary to understand the basic certificate rule. You will always have a similar certificate chain:

Root CA certificate

Intermediary's certificate (optional)

Your client certificate (I-user in my case)

Usual certificates chain

For certificate-based authentication, the Cloud Connector will ask you for your client certificate, which is stored in your local OS store and provided by your browser. To check the certificate's validity, the Cloud Connector needs the Root CA certificate that was used to sign (or issue) your client certificate. So, you can simply ask your corporate CA to provide you with the Root certificate or copy it to a DER file via the View Certificate button.

Saving the Root CA certificate

3. Choose the required user mapping rule.

For now, you need to have the following prerequisites:

Configured User Name in the User Store, which should be equal to the corresponding certificate field

Root CA certificate (X.509) from your Certificate Authority

Client certificate signed by the root CA certificate

3.1 To enable certificate-based authentication, click on the Switch to... button. The Edit Authentication window will appear.

3.2 Choose the required certificate field from your client certificate, which allows the Cloud Connector to perform user mapping based on the value:

In my case, it's CN = I-user from the certificate is equal to the User Name from the certificate store.

3.3 Import the Root CA X.509-certificate in the Authentication Allowlist:

Edit Authentication

After all the described steps, your User Administration and Authentication parts should look like:

Final configuration

Now, all client certificates of the end users signed by this particular Root CA certificate will be accepted by the Cloud Connector. If the user with the corresponding field (CN in my case) is found and mapped, such an end user will be successfully authenticated based on their certificate.

4. Restart everything and enjoy the smooth authentication.

If everything has been configured correctly, after the restart, you will get a pop-up to choose a required client certificate.

Select a certificate for authentication

…and you are authenticated (hopefully). Well done!

Conclusion

Instead of a conclusion.

It may happen that, for some reason, your certificate-based authentication will not work due to an incorrectly configured certificate chain or allowlist or whatever, and you won't be able to log into the Cloud Connector administrator console. In that case, just open the console and run the bat-file useBasicAuthentication.bat (the Cloud Connector installation folder) to reset the authentication method to user/password again.

I hope this short guide was helpful, and I will be glad to know if it could save a couple of hours for some of you.

Integration of SAP CI(BTP IS) with IBM MQ through AMQP

2023-09-02T08:22:17+02:00

Integration of SAP CI(BTP IS) with IBM MQ through AMQP

Introduction

What is IBM MQ?

IBM MQ is a family of message-oriented middleware products that IBM launched in December 1993. It was originally called MQSeries, and was renamed WebSphere MQ in 2002 to join the suite of WebSphere products. In April 2014, it was renamed IBM MQ. IBM MQ supports the exchange of information between applications, systems, services and files by sending and receiving message data via messaging queues. This simplifies the creation and maintenance of business applications.

What is SAP CI(BTP-IS)?

Cloud Integration(BTP-IS) is a set of services and tools provided by SAP on its cloud-based Business Technology Platform (BTP) to enable integration between different systems, applications, and data sources. The key benefit of CI(BTP IS) is that it enables organizations to quickly and easily integrate their systems, data, and applications without the need for extensive coding or custom development. This helps to streamline business processes, reduce costs, and improve operational efficiency.

How IBM MQ can be integrated?

IBM MQ provides the messaging and queuing capabilities across multiple modes of operation: point-to-point ; publish/subscribe. IBM MQ has the Queue Managers(QM) in which different types of queues will be created. The QM can be connected directly or using client channel definition table or using a intermediate queue manager. All these will be associated with the channels which provides the in and out movement of the data from the Queues. Along with Queues we can have Topics also which can work with pub-sub approach. Rest APIS, JMS and MFTs can also be leveraged with the IBM MQ package installation.

How CI integrates with IBM MQ?

The integration between CI and IBM MQ can be best done using the AMQP 1.0 protocol. There are 7.5,8.0,9.0,9.1,9.2,9.3 versions of IBM MQ installations available in the market today. Out of which only 9.2 and above versions can support the integration between CI and IBM MQ.

The Queues on IBM MQ can be connected from CI and the Topics which can be published can also be subscribed from CI using AMQP protocol.

Note: Among the possible integrations with IBM MQ, Message Queues Integration using the AMQP protocol will be explained in detail.

Integration of SAP CI(BTP IS) with IBM MQ through AMQP

Prerequisites:

Any IBM MQ server with version 9.2 and above. For Demo purpose using the trial IBM MQ from https://www.ibm.biz/ibmmqtrial.

SAP Cloud Connector with required roles to connect IS tenant and IBM MQ

SAP BTP IS Tenant Access with required CI roles.

Step-1: Install the IBM MQ 9.2 from the downloaded setup file

Select all the features and install them along with the MQ Explorer

IBM MQ Setup File

Once installed successfully open the IBM MQ Explorer which should open as below

IBM MQ Explorer

Step-2: Create the new Queue Manager (QM1)under the left side Queue Managers Pane

Queue Manager

Step-3: Create the new Queue (Q2) under the left side Queue Managers (QM1)

New Queue in the Queue Manager

Step-4: Create the new AMQP channel under the left side Queue Manager (QM1)

While Creating the AMQP channel provide the port as 5672 and start the channel. There will be a default AMQP channel which comes along with the installation stop it and use our configured AMQP channel. This is for the reason of handling the queues explicitly.

AMQP Channel

Step-5: Configure the Virtual Mapping to IBM MQ Internal System in Cloud Connector

Make sure the cloud connector is already connected successfully to the SAP BTP subaccount.

The backend type should be “NON-SAP System” and the protocol should be “TCP” only

Use the same port (5672) in system mapping which was given in the AMQP channel in IBM MQ and internal host on which the IBM MQ is installed and remaining virtual details as required.

Cloud Connector Virtual Mapping

Check the result of the reachable status on the internal host and port

Test the Virtual Mapping

Step-6: Test the connectivity from SAP Integration Suite to Cloud Connector.

The location ID (TESTCC) is the same name which was given during the connection between cloud connector and SAP BTP subaccount.

Cloud Connector Connectivity Test from IS

Step-7: Test the connectivity from SAP Integration Suite to IBM MQ through AMQP

The virtual host and virtual port which was given during system mapping in cloud connector should be used along with the same location id.

AMQP Connectivity Test from IS

Step-8: Deploy the SASL username/password of IBM MQ in IS Security Material

SASL Credentials Deployed in Security Material

Step-9: Create an IFLOW to send the message to the IBM MQ queue using AMQP channel

Provide the virtual host and port details along with the Location ID as tested earlier.

The credential name should be from the deployed security material.

To IBM MQ Through AMQP

Provide the destination type as Queue and use the same queue (Q2) created in IBM MQ

Destination and Queue Details

For testing purpose providing the sample message in the Content Modifier as below.

Content Modifier with Message Body

Step-10: Create an IFLOW to read the message from the IBM MQ queue using AMQP channel

Provide the virtual host and port details along with the Location ID as tested earlier.

The credential name should be from the deployed security material.

From IBM MQ through AMQP

For testing purpose storing the payload read from IBM MQ queue (Q2) using groovy script

Queue Details to be processed

Monitoring the Messages in CI

CI Monitoring Dashboard

Payload read from IBM MQ Queue

Monitoring the Messages in IBM MQ

Before Execution:

Before Execution with 0 read and write status

After Execution:

After Execution with 1 received and 1 sent status

Conclusion:

AMQP which is used mostly for Event Broker topics pub-sub can also be used for the exchanging of messaging queues data which provides a tight integration between CI and IBM MQ.

At the time of migration from PI/PO to Integration Suite when the requirement to transfer the JMS scenarios connecting to IBM MQ should be done on CI then this blog provides the detail steps of initial configurations.

If the data in the IBM MQ TOPICS to be stored and retrieved then similar configurations to be done considering the pub-sub approach of the Topics using AMQP protocol itself.

Disclaimer:

This article is only for informational purpose that CI can be integrated with the IBM MQ also.

Only an integration of one method has been shown as an example but no limitations in any perspective.

SAP Remote Access Connectivity (SAP RAC): A Cost-Effective and Flexible Solution which simplifies seamless SAP Integration

2023-09-05T16:44:19+02:00

Discover a World of Possibilities with SAP RAC!

Overview:

SAP RAC is primarily designed for Partners, offering them immediate entry to an expansive collection of SAP-maintained systems through a cloud-based service hosted on IaaS, liberating them from concerns related to system administration.

With SAP RAC, you can say goodbye to complex system setups and costly investments in specialized expertise. SAP RAC revolutionizes the way you access SAP solutions by providing you with the agility to jump-start your integration projects, seamlessly integrating your applications with SAP solutions through open & released SAP APIs and achieving certification from SAP.

Choose from the latest offerings, including SAP S/4HANA and more. The SAP S/4HANA Fully Activated appliance, for instance, equips businesses with a wide range of features and capabilities. These include preconfigured end-to-end business scenarios, best practices, prebuilt master data, sample transactional data, preconfigured reporting and analytics, and guided configuration accelerators. Moreover, the appliance incorporates tools and templates to support data migration and integration with other systems.

SAP BTP’s integration prowess makes it essential for offering on-premise SAP systems, as it allows businesses to seamlessly interlink on-premise systems with cloud-based counterparts.

Partner-Centric Innovation:
Rapid Adoption and Certification with Plug and Play Access

RAC Subscription Offers

Empowering Success: Explore the Latest S/4HANA Version (with Fully Activated Appliance and Sample Data).

Seamless Operations: Enjoy Administration Support, Backup, and Peace of Mind.

Enhance Connectivity: Seamlessly Integrate with Your SAP Systems.

Integration Excellence: SAP BTP's Contribution to On-Premise SAP Systems.

Shedding Traditional On-Premise Troubles

A Stressful Endeavor: Wrestling with Infrastructure and Software Installation.

Strained IT Budgets and Crumbling Administration Support: A Double Blow.

License Management Woes.

Test Data Setup Nightmare: When Plans Collide with Reality.

Key Benefits of SAP RAC

A Glimpse at the Two SAP Environment Options from RAC

Shared Environment

A shared environment is a cost-effective way to access SAP systems. Multiple RAC subscribers can access the same system concurrently, which can save you money on hardware and software costs. Shared environments are also a good way to collaborate with partners on SAP projects. This could save them time and money, and it could also help to ensure that the integration is successful.

Dedicated Environment

A dedicated environment is ideal for partners who need to customize SAP systems to a significant extent or who require 24/7 access to a system. Dedicated environments offers the flexibility to configure the system specific to the needs and to have full control over the environment.

SAP RAC Subscription: Pricing & Extensive Offerings

Tailored SAP RAC Subscriptions and Pricing Options:

SAP RAC offers a varied range of subscription options to meet the unique needs of different partners. Whether you need a shared environment for integration testing or a dedicated environment for development and extensive customization, SAP RAC has a solution that can help you achieve your business goals.

SAP RAC Subscriptions

SAP RAC offers a variety of subscription variants to meet your specific needs.

SAP Standard RAC Subscription:

The Standard SAP RAC subscription comes in 3 variants to cater to the diverse needs of the partners:

SAP RAC Basic: This variant provides one user access to a system shared with multiple partners for a subscription term of one year or two years. The subscription renews automatically at the end of the term, if not cancelled.

SAP RAC: The standard variant of SAP RAC provides two users access to two systems shared with other partners for a subscription term of 3 months, one year, or two years. The one-year and 2-year subscriptions renew automatically at the end of the term, if not canceled.

SAP RAC Advanced: The advanced variant of SAP RAC provides up to three users access to three systems shared with other partners, for a subscription term of 3 months, one year, or two years. The one-year and two-year subscriptions renew automatically at the end of the term, if not canceled.

Partners accessing the shared system will have controlled privileges, complemented by purposefully designated roles that facilitate the smooth execution of SAP system integration scenarios and completion of SAP ICC certifications.

SAP RAC Premium Subscription

The premium subscription includes 2 variants:

SAP RAC Premium:

The SAP RAC Premium variant offers a dedicated and meticulously managed SAP environment, catering to exceptional remote testing and landscape support. This option is particularly suitable for software vendors requiring extensive system customizations that might not be feasible in a shared environment. The Premium variant of SAP RAC grants up to ten users access to a dedicated system for subscription terms of 6 months or one year. Subscription renewal is required explicitly at the end of the term. The subscribed system is available for use 24 hours a day, making it well-suited for distributed teams.

SAP RAC Premium Flexi:

The SAP RAC Premium Flexi variant provides a dedicated SAP environment without additional application or database support. It's an excellent choice for extensive customizations that may not be practical within a shared environment. Similar to the Premium variant, the Premium Flexi option grants up to ten users access to a dedicated system for subscription terms of 6 months or one year. Subscription renewal is necessary at the end of each term. The Premium Flexi system is designed for use 12 hours a day, as chosen by the partner at the start of the subscription. It's ideal for co-located teams.

Additionally, technical support is available as an add-on for the SAP RAC Premium Flexi variant.
Please contact the SAP RAC team for more details about the support, which covers various tasks such as availability monitoring, troubleshooting, kernel upgrades, patch management, backups, networking, infrastructure lifecycle activities, and capacity planning.

To inquire about the availability and fee for systems with non-HANA DB, or for longer SAP RAC Subscriptions, please contact the RAC team or write to SAP RAC Support.

Pricing

The pricing for SAP RAC subscriptions is based on the subscription variant, the number of systems, and the level of support.

Choosing the Right Subscription Model

The best subscription model for your business will depend on your specific needs. If you need a shared environment to collaborate with partners, then a standard subscription variant may be the best option for you. If you need to customize SAP systems to a significant extent or require 24/7 access to a system, then a premium subscription variant may be the best option for you.

It is strongly advised that partners discuss their proposed usage with SAP ICC for the respective RAC variant prior to the subscription.

Popular Use Cases

Integrate partner applications through SAP Integration Suite, from SAP BTP, with SAP systems as backend utilizing the APIs released by SAP.

Integrate partner applications using Java or .Net connectors with SAP solutions utilizing the released APIs.

Develop custom add-ons in-stack with SAP solutions for creating own function modules, reports, transactions, user exits, or own remote APIs.

Utilize pre-loaded data for testing or create own data or customize the system settings or develop config settings.

Optimize Your Benefits through Enhanced Technical Assistance

Technical support is also available as an add-on for the SAP RAC Premium Flexi variant. You can contact the SAP RAC team for details to cover various tasks including availability monitoring, troubleshooting, kernel upgrades, patch management, backups, networking, infrastructure lifecycle activities, and capacity planning. Contact the SAP RAC team for more details.

A Thoughtful Approach to Your Needs

We understand that every partner’s requirement is different, and we offer a variety of subscription variants to meet them. Whether you need a shared environment for integration testing or a dedicated environment for extensive customization, SAP RAC has a solution that can help you achieve your business goals.

Contact Us Today

If you're looking for a powerful and flexible way to access SAP solutions, then SAP RAC is the perfect solution for you. Contact us today to learn more about how SAP RAC can help you achieve your business goals. For further information or inquiries, please reach out to the SAP ICC at rac-support@sap.com.

I hope you found this blog post helpful. Please like and share if you did. I'd love to hear your feedback in the comments below.

Thank you.

Setup SAP S/4HANA On Premise and SAP Business Application Studio (BAS)

2023-10-24T10:31:11+02:00

Recently I had some discussions about the SAP Business Application Studio (BAS) and SAP S/4HANA On Premise. Therefore, I have compiled all the sources we looked at during the discussions into one blog post here. This blog post is interesting for you if you are using Web IDE now, and you are thinking about to switch to the SAP BAS. This blog post is also interesting if you have a hybrid IT landscape, i.e. a mixture of cloud and on premise solutions. In this example, you have a S/4HANA On Premise and want to use the SAP BTP to develop Fiori Apps or a SAPUI5 App.

First things first. What is the SAP Application Studio? The SAP Business Application Studio (the next generation of SAP Web IDE) is a powerful and modern development environment, tailored for efficient development of business applications for the Intelligent Enterprise. Available as a cloud service, it provides developers a desktop-like experience like market leading IDEs, while accelerating time-to-market with high-productivity development tools such as wizards and templates, graphical editors, quick deployment, and more. --> Link to the Discovery Center

Deep dive into the functions of the SAP BAS --> SAP Business Application Studio – Info Blog I & SAP Business Application Studio- Info Blog II

What is the difference between SAP BAS and Web IDE? --> Link

A very important fact:

SAP BAS is available on the Cloud Foundry environment on SAP BTP

SAP Web IDE is available on the Neo environment on SAP BTP and the Neo environment will be sunset on December 31 2028 --> Link.

That’s why we also talked about how to migrate SAP Fiori projects from Web IDE to SAP BAS --> Link

How to Migrate an SAP Web IDE Project to SAP Business Application Studio --> Link to a video

If you want to use a S/4HANA On Premise and the SAP BAS, the connection between the two solutions is as follows:

S/4HANA On Premise Backend ->SAP Cloud Connector ->Cloud Destination in the SAP BTP Cockpit -> BAS CAP Project -> External Service ->Service Entity -> Fiori App or MDK App to consume the services ->deploy to Cloud Foundry

Now we will look in more detail at the implementation of the individual points of the connection.

Consume SAP S/4HANA or SAP S/4HANA Cloud Events Using SAP Business Application Studio --> Link

Connecting to SAP S/4HANA (On Premise) --> Instructions

SAP Cloud Connector --> Here is an explanation of the Cloud Connector. You need the Cloud Connector to connect a On Premise solution with the SAP BTP. The Cloud connector is providing a secure tunnel between the two environments.

How to connect On Premise SAP to BTP using SAP Cloud Connector. This is a guide on how to install the Cloud Connector and connect the On Premise environment and SAP BTP. --> Link

If you want to consume Remote Function Calls (RFC --> Documentation) here is a guide on how to set up your SAP Cloud Connector.

Link to a developer mission on how to create a destination in the SAP BTP cockpit --> Link

You never developed a SAPUI5 Web App on Cloud Foundry? Here is a guide for you 😊 Along the way, you also learn how to use the BTP and the SAP Build Work Zone.

You want to develop a MDK app (Mobile Development Kit) --> Link

Additional informations:

Of course, you want to work in a team on a BAS project, so you must share it. Git is here the best option you have. A guide: Sharing the Project via Git

A lot of persons want to use (existing) CDS views. When it comes to Core Data Services (CDS) views and the SAP BAS:

SAP Developer Mission --> Create Calculation View and Expose via CAP (SAP HANA Cloud)

Deploy End to End FIORI Consuming CDS Views from ADT(On-Premise) using BTP ( Business Application Studio). --> Link

When it comes to Core Data Services (CDS) views and SAP ABAP you can use the ABAP environment on the SAP BTP:

Link to the Discovery Center for a explanation about the ABAP environment.

Here you have a very recent presentation where where you see how to build a Fiori app on the SAP BTP with the ABAP environment. --> SAP BTP ABAP Environment – How to Build a Multitenancy SaaS Application

For more insights feel free to join the SAP Business Application Studio Community

I would like to take this moment to thank all my colleagues for the great blog posts and SAP missions they created.

How can I connect SAP BTP applications and on-premise systems using the Cloud Connector?

2023-10-30T11:40:40.522000+01:00

You can build the skills you need, for free and at your own pace with our Digital Learning Journey.
on our SAP Learning Site

I recommend to access our Connecting SAP BTP and On-Premise Systems using the Cloud Connector learning journey

Overview
In this Learning Journey, you will learn how to connect SAP BTP applications and on-premise systems using the Cloud Connector.

Learning objectives
After completing this Learning Journey, you will be able to install, configure, and securely operate the Cloud Connector.

In the context of this Learning Journey, you will first gain an overview of the key features of the Cloud Connector. Afterwards, you will discover installation and initial configuration. You will continue to be presented with an exemplary use case. Moreover, you will learn how to monitor the Cloud Connector and how to set up a High Availability environment using a shadow instance.

Prerequisites

Knowledge of SAP BTP or Discovering SAP Business Technology Platform

I hope this is helpful

Please ask a question related to the digital learning journey in the Q&A area

Our SAP Learning Experts will get back to you as soon as possible! We are here to support you.

We appreciate your feedback and we will make sure to continue sharing interesting topics.

Kind regards
Margit

Connectivity between SAP Business Application Studio and XS Advanced

2023-11-02T16:18:00+01:00

Introduction:

In this blog post, we will walk through the process of establishing a connection between the SAP Business Application Studio, a powerful cloud service, and the on-premise backend systems. This setup will allow you to develop, test, and deploy applications seamlessly, leveraging the best of both cloud and on-premise capabilities.

Before we dive into the steps, it's important to ensure you have a few things in place.

Pre-requisites:

SAP HANA Platform: You should have an instance of the SAP HANA Platform already set up and available in your on-premise environment.
SAP HANA Extended Application Services Advanced (XS Advanced): The XS Advanced platform should be set up and ready to go. This is crucial for developing and deploying web applications on the SAP HANA Platform.
Cloud Connector: The Cloud Connector should be installed. This software acts as a link between your on-premise systems and the cloud services.
Familiarity with Cloud Connector Setup: While we will cover the basic setup, it's crucial to have a basic understanding of setting up the Cloud Connector.
Connection to SAP BTP Sub account in Cloud Connector: Ensure you're connected to your SAP Business Technology Platform (BTP) Sub account through the Cloud Connector. This connection is essential for linking your cloud and on-premise services.

Now that we have the prerequisites covered, let's dive into the step-by-step process of setting up the connectivity.

To expose on-premise backend systems, we need to collect the endpoints for those systems.

Here's a breakdown of the required endpoints:

XS advanced controller (controllerEndpoint): This endpoint is needed to connect to the XS advanced controller. You can find the endpoint URL by using the command "xs -v" in your command line interface.
XS advanced User Account and Authentication (XSUAA) (authorizationEndpoint): The XSUAA endpoint is necessary for user account and authentication purposes. You can obtain the endpoint URL using the same "xs -v" command.
SAP HANA cockpit (hana-cockpit) service: The endpoint URL for the SAP HANA cockpit service is also required. You can find this URL using the "xs -v" command.
The Multitarget Application(MTA) Archive deployer service (deploy-service): The endpoint URL for the MTA deployer service is needed as well. You can obtain this URL by using the "xs -v" command.
SAP HANA run-time-tools service (hrtt-service): To find the endpoint URL for the SAP HANA run-time-tools service, you can use the command "xs app hrtt-service".
The SID and instance number of the SAP HANA database that is mapped to XS advanced: To find the SID and instance number, use the command "xs tenant-databases" and copy the value of the sql-port. The second and third digits of the port number represent the instance number.

In case of doubt, refer to the following screenshots:

Collect endpoints for controllerEndpoint, authorizationEndpoint, hana-cockpit, and deploy-service

Collect endpoints for hrtt-service

Collect endpoints SAP HANA SID and sql-port

Cloud Connector

The Cloud Connector is a vital tool that allows the SAP Business Technology Platform (BTP) to connect with XS Advanced and the underlying on-premise system(s). The Cloud Connector can be installed and set up on any host that can access the system hosting the backend system.

To connect SAP BTP to XS Advanced, it's important to know the default HOST and HTTP/TCP ports:

For SAP HANA (both the system database and the default tenant database), the required TCP port range is 3<HANA_INST_#>13 - 3<HANA_INST_#>17. For instance, if the instance number of the SAP HANA database is "00", the range would be 30013 - 30017.

Note: In this blog, we'll use 06 as the instance number. This might be different for you.

For additional tenant databases, three ports per tenant are required, with the range being 3<HANA_INST_#>40 - 3<HANA_INST_#>42.

Configuring SAP Cloud Connector

Connect your BTP Sub-account(see the screenshot)

Click on Cloud To On-Premise to expose your backend systems(or services)

For all backend systems except SAP HANA, expose a new system by clicking the + icon and providing the following details:

In case of doubt, refer to the following screenshots:

Choose Back-end Type

Choose Protocol

Choose Internal Host and Internal Port

Choose Virtual Host and Virtual Port

Choose Principal Type

Choose Host In Request Header

Provide optional description

Check Internal Host

After exposing the systems, add resources for each system

Add Resource

For SAP HANA, click the + icon and provide the following details

For SAP HANA, click the + icon and provide the following details

Your exposed systems list should be like the list in the screenshot below:

Exposed Systems list in Cloud connector

If all the systems are reachable then you're good to go for the next step i.e. destinations configuration in your SAP BTP Sub-account

SAP BTP Destinations

Login to SAP BTP
Navigate to your sub-account
Click Connectivity > Destinations

Select Destinations in SAP BTP Sub-account

Create XS Controller Destination

Click Create Destination and fill in the following values:

Name: SAP_XS_Advanced_Runtime
Type: HTTP
Description: Optional text
URL: http://<virtual-host-for-controller-endpoint>:<virtual port>. Example: http://my.acme.com:30630
Proxy Type: OnPremise
Authentication: NoAuthentication
For additional properties, click "New Property Button" and choose the following key values

HTML5.DynamicDestination : True

WebIDEEnabled : True

XsApiEndpoint : http\://<virtual host for controller endpoint>\:<virtual port>. Example: http\://my.acme.com\:30630

8. Click Save button

Create Destination

XS Controller Destination

Create XSUAA Destination

Click Create Destination and fill in the following values:

Name: SAP_XS_Advanced_UAA
Type: HTTP
Description: Optional text
URL: http://<virtual host for controller endpoint>:<virtual port>. Example: http://my.acme.com:30632
Proxy Type: OnPremise
Authentication: NoAuthentication
For additional properties, click "New Property Button" and choose the following key values

HTML5.DynamicDestination : True

WebIDEEnabled : True

WebIDEUsage : xsuaa

XsApiEndpoint : http\://<virtual host for controller endpoint>\:<virtual port>. Example: http\://my.acme.com\:30630

8. Click Save button

9. Check connection. If the connection fails, then recheck the provided values or contact your System Administrator

XSUAA Destination

Create HRTT Destination

Click Create Destination and fill in the following values:

Name: SAP_XS_Advanced_HRTT_Service
Type: HTTP
Description: Optional text
URL: http://<virtual host for controller endpoint>:<virtual port>. Example: http://my.acme.com:51064
Proxy Type: OnPremise
Authentication: NoAuthentication
For additional properties, click "New Property Button" and choose the following key values

HTML5.DynamicDestination : True

WebIDEEnabled : True

WebIDEUsage : xs_hrtt

XsApiEndpoint : http\://<virtual host for controller endpoint>\:<virtual port>. Example: http\://my.acme.com\:30630

8. Click Save button

9. Check connection. If the connection fails, then recheck the provided values or contact your System Administrator

HRTT Destination

Create XS Deployer Destination

Click Create Destination and fill in the following values:

Name: SAP_XS_Advanced_Deploy_Service
Type: HTTP
Description: Optional text
URL: http://<virtual host for controller endpoint>:<virtual port>. Example: http://my.acme.com:51041
Proxy Type: OnPremise
Authentication: NoAuthentication
For additional properties, click "New Property Button" and choose the following key values

HTML5.DynamicDestination : True

WebIDEEnabled : True

WebIDESystem : True

XsApiEndpoint : http\://<virtual host for controller endpoint>\:<virtual port>. Example: http\://my.acme.com\:30630

8. Click Save button

9. Check connection. If the connection fails, then recheck the provided values or contact your System Administrator

XS Deployer Destination

Create SAP HANA Cockpit Destination

Click Create Destination and fill in the following values:

Name: SAP_XS_Advanced_HANA_Cockpit
Type: HTTP
Description: Optional text
URL: http://<virtual host for controller endpoint>:<virtual port>. Example: http://my.acme.com:51041
Proxy Type: OnPremise
Authentication: NoAuthentication
For additional properties, click "New Property Button" and choose the following key values

HTML5.DynamicDestination : True

WebIDEUsage : xs_cpt

WebIDEEnabled : True

XsApiEndpoint : http\://<virtual host for controller endpoint>\:<virtual port>. Example: http\://my.acme.com\:30630

8. Click Save button

9. Check connection. If the connection fails, then recheck the provided values or contact your System Administrator

SAP HANA Cockpit Destination

Create HANA Database Destination

Click Create Destination and fill in the following values:

Name: SAP_HANA_Database
Type: HTTP
Description: Optional text
URL: http://<virtual host for controller endpoint>:<virtual port>. Example: http://my:30615
Proxy Type: OnPremise
Authentication: NoAuthentication
For additional properties, click "New Property Button" and choose the following key values

HTML5.DynamicDestination : True

WebIDEEnabled : True

WebIDEUsage: xs_hdb

8. Click Save button

9. Check connection. If the connection fails, then recheck the provided values or contact your System Administrator

SAP HANA Database Destination

If the connection is successful for all the added destinations, that is the indication of successful connectivity setup for communication between SAP Business Application Studio and XS Advanced System.

SAP Cloud Connector System Mappings configuration and SAP BTP Destination generation can be automatically handled using this btp-cloud-connector-setup-automation generator. You may read this blog to know more about it.

Should you want to run an application in SAP Business Application Studio that connects to your on-premise SAP HANA Platform Database, then you must pass the proxy credentials to your database connection.
Proxy credentials depend on the "Location ID" in the SAP Cloud Connector. The credentials will be as follows:

"proxy_host": "127.0.0.1", //always same

"proxy_port": "20004", // always same

"proxy_userid": "", // always empty string

"proxy_password": "" // if location ID is set in SAP Cloud Connector then base64 of the location ID else empty string

You may now set up a Development Space in SAP Business Application Studio [Documentation].

Detailed documentation about the setup is available here.

Connect SAP HANA On-Premise to SAP HANA Cloud and Database with Cloud Connector

2023-11-10T16:13:34+01:00

Introduction

Welcome to our blog where we will dive into the world of Connectivity between SAP HANA On-Premise and SAP HANA Cloud and Database . If you're navigating the journey of transitioning from an on-premise database to a cloud-based solution, this tutorial is tailored for you. We'll explore how to connect an SAP HANA on-premise database to an SAP HANA Cloud database using SAP BTP Connectivity, and this connectivity is crucial if you want to set up data replication.

The method we will discuss involves setting up the cloud connector on your on-premise database. The cloud connector is a robust tool that allows you to establish a connection with a remote source, without the necessity of installing and configuring the Data Provisioning Agent, making it an optimal choice for those seeking to quickly replicate data to an SAP HANA Cloud database.

Throughout this tutorial, we will guide you step by step on how to:

Enable the cloud connector for your SAP HANA Cloud database.

Install and configure the cloud connector.

By the end of this blog post, you'll be equipped with the knowledge and skills to set up and manage a seamless connection between your SAP HANA databases on-premise and in the cloud. Let's get started on this exciting journey!

Cloud Connector

The Cloud Connector is a pivotal component designed for on-premise systems, acting as a bridging link between SAP Business Technology Platform (BTP) applications & services and on-premise systems. It provides a streamlined path to connect and expose specific portions of an on-premise landscape without the need to reveal the entire on-premise infrastructure. This ensures a layer of security and confidentiality while maintaining operational efficiency and connectivity.

The Cloud Connector comes with a high degree of control, enabling you to manage your connections in a more refined manner. It is equipped with a number of useful features specifically designed for business-critical scenarios. One of its key features includes the ability to recover broken connections automatically. This is crucial in maintaining business continuity, reducing downtime, and ensuring that your operations are running smoothly. It also provides a high-availability setup, ensuring that your system stays operational and accessible, thereby minimizing disruptions to your business operations.

There are several advantages to using the Cloud Connector. For starters, its installation and configuration are straightforward and hassle-free. One of the key benefits it offers is that it eliminates the need to configure an on-premise firewall to allow access to an on-premise system. This not only simplifies the setup process but also reduces the potential security risks associated with opening firewall ports.

By simplifying the process of connecting your on-premise databases with SAP HANA Cloud and other SAP BTP applications, the Cloud Connector effectively bridges the gap between your on-premise and cloud-based operations. With its advanced features and easy-to-use interface, it provides a robust and secure solution for managing and optimizing your database connections.

In summary, the Cloud Connector is not just a mere link between your on-premise systems and SAP BTP, but a comprehensive tool that offers you control, flexibility, and security, all while simplifying your operations.

Enable the cloud connector for SAP HANA Cloud, SAP HANA database

You can enable the cloud connector either during provisioning or editing an existing instance. Click on “Provisioning” or “Edit instance” below the title of this step. Here we'll discuss "edit an existing instance"

First, you need to enable SAP BTP Connectivity in the SAP HANA Cloud, SAP HANA database you want to connect to an on-premise database.

Open SAP BTP cockpit and enter your (trial) account.

Enter your Global Account, Subaccount, and then space.

Navigate to the tile of the instance you want to connect to an SAP HANA on-premise database.

Click on Actions in the bottom right corner of the tile.

Select Open in SAP HANA Cloud Central to monitor landscape, which will then open in a new tab.

There, click on the three dots in the Actions column on the right side of the screen

Select Manage Configuration.

Click Edit.

In the wizard that opens, scroll down to the section Connections.

For this instance, the cloud connector is now enabled, and it is ready to be used.

And, click Save button

Now that you've activated the cloud connector, it's time to proceed with its installation and configuration.

Install the cloud connector

You can access the cloud connector for download at this location. Ensure you review the system prerequisites for varying operating systems and further setup suggestions as provided in the technical guide available here.

After the cloud connector has been downloaded and installed successfully, use a web browser to manage it.

1. Navigate to https://hostname:8443 on your web browser.

2. Take note, 8443 is the default port designated during the installation process. If the cloud connector was installed on a machine other than your local one, you will need to input its hostname in place of the default port.

3. At the login prompt that appears, use the following format to input your details:
Administrator / manage (case sensitive) for <User Name> / <Password>

Cloud connector login page

Remember that you will be required to modify the password at your initial login.

Configure SAP BTP Subaccount

Within the administration interface of the Cloud Connector, you'll note at the screen's top that functionality will not commence until a subaccount is specified. This step is crucial as it aligns the Cloud Connector with the respective subaccount where your desired SAP HANA Cloud or SAP HANA database instance is situated.

Click the Add Subaccount Button and it will open the form for you.

Click the value help icon for Region and select the region of the subaccount.

In the field Subaccount, you need to enter the subaccount ID. To acquire it, access the SAP BTP cockpit and locate your subaccount.

Copy the subaccount ID and enter it in the field Subaccount in the cloud connector.

Provide an optional display name.

Sign into the SAP BTP Cockpit using the subaccount's credentials. Note: If your subaccount is not based on Cloud Foundry, the steps will differ slightly. In this case, you will need to provide the technical Subaccount name, as well as the subaccount username and password.

If desired, you can input a location ID. This will be necessary if you plan to establish a remote source.

To finalize your changes, click on the Save button located in the top right corner of your screen.

Expose your on-premise SAP HANA system

Click on Cloud To On-Premise to expose your backend systems(or services). Then click the + icon and provide the following details

Back-end Type: SAP HANA

Protocol: TCP SSL(or TCP depending on your SAP HANA installation)

Internal Host: endpoint without port

Internal Port: Your SAP HANA sql-port

Virtual Host: choose any valid virtual host name

Virtual Port: choose any valid virtual port

Description: Provide a description, it is optional

Check Internal Host

Click Finish

For additional information on setting up the cloud connector, kindly consult the technical manual.

To expand your knowledge about the cloud connector, consider visiting this community blog.

It has never been easier! Connecting cloud apps to Internet and on-premises systems using SAP BTP Connectivity

2023-11-14T21:29:59+01:00

It is a common scenario that cloud applications need to connect to remote systems to fulfil the business goals of their creators and those of their end users. This is essential for enterprise applications, which are generally complex and consume data from and/or push data to a variety of sources or destinations – systems that are directly accessible, systems hosted in public or private cloud, or such that are hosted in the customer premises. This use case is called hybrid connectivity.

Sounds complex, right?! With this blog post, I show you that it has never been easier to solve this problem. Let’s get started and see how SAP BTP Connectivity can help with this challenge, more specifically, in SAP BTP Kyma environment.

Prerequisites

Well, complex things cannot be made simple without proper preparation work. Therefore, I need to setup the environment. For the purposes of this blog post, I don’t get into details on how each step is done, if interested, you can follow the links:

Setup the cloud environment:
1. Create a SAP BTP subaccount - the PaaS context in the domain of SAP BTP, i.e., an account enabled to instantiate cloud application development environments, create and manage service instances, etc.
2. Enable Kyma environment - the cloud-native application hosting environment
  1. Enable Connectivity Proxy for cloud to premise technical connectivity, an integrated component in Kyma environment
  2. Enable Transparent Proxy for unified, virtually transparent technical connectivity to any destination or data source, an integrated module in Kyma environment

Setup the local environment
1. Install Kubectl - the command line interface for connecting to and interacting with the Kyma instance
2. Install Cloud Connector for controlled and secure exposure concrete systems or resources, hosted in a VPC on Hyperscalers or on-premises - in my case, on my PC.

For each scenario use case, create the relevant destinations in SAP Destination service using SAP BTP cockpit.

Overview of the scenario

Image: Scenario Schematic Overview

This solution diagram depicts the high-level architecture and layout of the SAP BTP tools, software components, services listed above in the Prerequisites section. The focus on the scenario is on the Application side. The rest is depicted for completeness and better end-to-end understanding.

In this blog, I showcase how I can connect my cloud application to the following target systems. I start with the trivial and then continue with the more advanced use cases:

Google - direct connectivity without using any of the SAP BTP Connectivity software and services

Google via destination - direct connectivity with usage of SAP BTP Connectivity software and services

Google via destination and Cloud Connector - indirect cloud to premise connectivity - in my setup Google is directly accessible via my local Cloud Connector
- Note: this use case is presented only for the purpose of showcase and ease the perception of the reader, it is not expected to be done in production

SAP Authorization and Trust Management Service (XSUAA) via destination - OAuth based REST API

An HTTP system hosted on-premises via destination and Cloud Connector - indirect cloud to premise connectivity

An HTTPS system hosted on-premises via destination and Cloud Connector - indirect cloud to premise connectivity with Principal Propagation enabled, i.e., end-to-end secure user context propagation, a.k.a Single Sign On (SSO).

I pick those systems to showcase what I claimed in the begging of this blog - It has never been easier!

Note: For the creation of the destination pointing to XSUAA in step 4 of the scenario, I followed these two simple steps in BTP cockpit:

Create a service instance of service "xsuaa", plan "apiaccess"

Create a destination pointing to the service instance via destinations UI - just a few clicks job!

Configure the scenario

To get the scenario in action, at first I need to configure the target systems as technical connection configurations, a.k.a. destinations. In this way I control to which systems the application has access to and can switch the used technical authentication and authorisation mechanisms on the fly – changing the destination attributes without affecting the experience of the end user, and without affecting the lifecycle of the application.

Expose the on-premises system to the cloud

For the destinations pointing to systems hosted in the customer premises (points 5 and 6 of the scenario overview), I need to securely expose those to the cloud.

You guessed it, for this I configure the respective Access Controls in my SAP Cloud Connector:

Image: Access Control entries in Cloud Connector

In this example, the two systems hosted in the on-premises are simple HTTP and HTTPS servers:

System #1: localhost:8000 - serves HTTP, returns status code: 200 with the received HTTP request line as a message.

System #2: localhost:9000 - serves HTTPS, returns status code: 200 with the received HTTP request line as a message, and the subject common name (CN) of the received X.509 client certificate as part of the HTTP request - the user context propagated from the cloud, achieving Single Sign-On (SSO).

Manage the technical connection configurations

One of the best practices for cloud-native applications is to externalise any configuration and avoid coupling it with the lifecycle of the application, e.g. via hard-coding it. I use Destination service for managing the technical connection configurations (a.k.a. destinations), as guided by the Golden Path defined in Cloud Application Programming model of SAP BTP.

In the context of my SAP BTP subaccount, I create the following destinations, pointing to the variety of systems I’ll connect my cloud app workload running in my Kyma instance.

Image: Destinations in BTP cockpit

Expose the destinations in the Kyma instance

To allow an application to consume the defined destinations, I declaratively expose only those I'm interested in, and are specific for this particular use case. For this, I create specific Destination Custom Resources, a common practice for cloud-native applications based on Kubernetes. In Kyma environment, I can do this either via Kyma Dashboard, or via command-line using Kubectl.

Image: Creation of a Destination CR in Kyma Dashboard

Shortly after the Destination CR is created, Transparent Proxy process it and updates the status of the Destination CR with a message that the technical connectivity is successfully configured, and this destination is ready to be consumed.

Image: Status of a Destination CR in Kyma Dashboard

Using the same approach, I expose all the destinations required specifically for this use case.

Image: Destination CRs in Kyma Dashboard

It's all set now, let's play with the application.

Scenario in action: Connect the application to the remote systems

As described in the status message of the Destination CR, the Transparent Proxy exposed the referenced destination via the specified name in the form of locally accessible host, leveraging the concept of Kubernetes Service.

As a result, it’s trivial for the application to connect to those local hosts, and this is the only task needed to be performed. It’s that easy!

For simplicity and versatility reasons, my application is represented by a local terminal attached to a container running in a Kubernetes Pod in the Kyma Instance. Then I use cURL command-line tool for executing HTTP requests towards the target systems.

How it’s done? Once connected to the Kyma instance via Kubectl, I run a sample cURL image as a Kuberenetes Pod and open a terminal session via the following command:

kubectl run mycurlpod -n sap-transp-proxy-system --image=curlimages/curl -i --tty -- sh

Executing request to Google:

This is a trivial direct invocation of the public web page of Google:

~ $ curl www.google.com -v

*   Trying 142.250.179.164:80...

* Connected to www.google.com (142.250.179.164) port 80

> GET / HTTP/1.1

> Host: www.google.com

> User-Agent: curl/8.4.0

> Accept: */*

> 

< HTTP/1.1 200 OK

...

< 

<!doctype html><html...<title>Google</title><script...

Executing request to Google via destination:

This is an example reaching the same public web page of Google, but this time via destination, locally exposed and served by Transparent Proxy, and centrally managed via Destination service:

~ $ curl google -v

*   Trying 10.111.255.220:80...

* Connected to google (10.111.255.220) port 80

> GET / HTTP/1.1

> Host: google

> User-Agent: curl/8.4.0

> Accept: */*

> 

< HTTP/1.1 200 OK

...

< 

<!doctype html><html...<title>Google</title><script...

Executing request to Google via destination via Cloud Connector:

This is an example of reaching the same public web page of Google via destination, locally exposed and served by Transparent Proxy, Connectivity Proxy, and centrally managed via Destination service. The destination is configured to point to an on-premises system, exposed to the cloud via Cloud Connector:

~ $ curl mypremisegoogle -v

*   Trying 10.111.159.5:80...

* Connected to mypremisegoogle (10.111.159.5) port 80

> GET / HTTP/1.1

> Host: mypremisegoogle

> User-Agent: curl/8.4.0

> Accept: */*

> 

< HTTP/1.1 200 OK

...

< 

<!doctype html><html...<title>Google</title><script...

Executing request to XSUAA API via destination:

This is an example for getting the registered service instances of the current subaccount via destination, locally exposed and served by Transparent Proxy, and centrally managed via Destination service.

~ $ curl xsuaa-api/sap/rest/authorization/v2/apps -v

*   Trying 10.106.192.162:80...

* Connected to xsuaa-api (10.106.192.162) port 80

> GET /sap/rest/authorization/v2/apps HTTP/1.1

> Host: xsuaa-api

> User-Agent: curl/8.4.0

> Accept: */*

> 

< HTTP/1.1 200 OK

< cache-control: no-cache, no-store, max-age=0, must-revalidate

< content-length: 10621

...

< 

[{"appid":"app123!b13","serviceinstanceid":"15442f82-7d82-11ee-b26d-ab53f17d39a5","planId":"HWEgt9/213f90b0+/7d82-11ee=","planName":"broker"...

Executing request to an on-premises HTTP server via destination via Cloud Connector:

This is an example of connecting to a simple on-premises HTTP server via destination, locally exposed and served by Transparent Proxy, Connectivity Proxy, and centrally managed via Destination service. The destination is configured to point to an on-premises system, exposed to the cloud via Cloud Connector:

~ $ curl mypremserver/test-path -v

*   Trying 10.110.23.19:80...

* Connected to mypremserver (10.110.23.19) port 80

> GET /test-path HTTP/1.1

> Host: mypremserver

> User-Agent: curl/8.4.0

> Accept: */*

> 

< HTTP/1.1 200 OK

...

< 

Response generated by HTTP server: 

GET /test-path HTTP/1.1

Executing request to an on-premises HTTPS server via destination via Cloud Connector with Single Sign-On enabled:

This is an example of connecting to an on-premises HTTPS server via destination, locally exposed and served by Transparent Proxy, Connectivity Proxy, and centrally managed via Destination service. The HTTPS server requires the cloud user identity to be propagated. The destination is configured with PrincipalPropagation as authentication type, and to point to an on-premises system, exposed to the cloud via Cloud Connector:

~ $ curl myppserver -H 'Authorization: Bearer eyJhbGciOiJSUzI1Ni...bwKMpAGKbhECqvkyibC7Q' -v

*   Trying 10.105.101.106:80...

* Connected to myppserver (10.105.101.106) port 80

> GET / HTTP/1.1

> Host: myppserver

> User-Agent: curl/8.4.0

> Accept: */*

> Authorization: Bearer yJhbGciOiJSUzI1Ni...bwKMpAGKbhECqvkyibC7Q

> 

< HTTP/1.1 200 OK

< server: envoy

< date: Tue, 07 Nov 2023 15:17:47 GMT

< content-type: text/plain; charset=utf-8

< content-length: 1956

< x-envoy-upstream-service-time: 657

< 

>>>>>>>>>

Response generated by HTTPS server: 

GET / HTTP/1.1

=========

Received X.509 client certificate with Subject: <Name(CN=manol.valchev@sap.com)>

Summary

As you can see, it’s that simple! No matter of the type and hosting location of the target system, from the application development perspective the user experience is the same – simple, unified, virtually transparent, and the technical complexity is handled by the usage of software components and services part of SAP BTP Connectivity product portfolio:

Destination service for managing the technical connection configurations (a.k.a. destinations)

Transparent Proxy for unified, virtually transparent technical connectivity to any destination or data source, an integrated module in Kyma environment, also available in Docker Hub.

Connectivity Proxy for cloud to premise technical connectivity, an integrated component in Kyma environment, also available in Docker Hub.

Cloud Connector for controlled and secure exposure concrete systems or resources, hosted in a VPC on Hyperscalers or on-premises.

Connectivity service as the backbone for the multitude of Connectivity Proxy and Cloud Connector instances serving thousands of SAP BTP customers

Тhis simple yet powerful approach enables application developers to focus more on their business goals and delegate the technical complexity to SAP BTP Connectivity, and at the same time the application administrators can manage the outbound technical connections (via destinations) without affecting the lifecycle and availability of the application itself.

Stay tuned and subscribe to What's New for SAP BTP Connectivity page.

Utilizing SAP Cloud SDK for JavaScript in a BTP Proxy App for non-Web-Apps to access onpremise SAP Systems

2023-12-31T03:44:52+01:00

Introduction

Oftern there is a need for Apps running outside of the corporate network to access SAP onpremise systems. Using a Proxy App running in the BTP (Business Technology Platform) Cloud Foundry Environment utilizing the SAP Cloud Connector is a well known pattern for such requirements.

However using the destination and connectivity service to get access to the tunnel to the onpremise systems is not trivial and is best done with the help of libraries.The approuter (cf. https://www.npmjs.com/package/@sap/approuter) is a well known and proven solution for this. However approuter is aimed at web applications. Using it for eg native applicatios is a bit troublesome.

Since March 2019 there is also the SAP Cloud SDK for JavaScript (in the beginning known as the SAP S/4HANA Cloud SDK for JavaScript and also going by SAP Cloud SDK for Node.js) available. The http-client of this SDK completly handles the interaction with the destination and connectivity service, you just have to provide the destination name (please check out other features of this SDK, there is a lot of other useful stuff there!). This blog intends to give you some guidance for using this SDK for this porpose.

Basics

The SDK is availabe in the public npm repository. Add the line

"@sap-cloud-sdk/http-client": "^3.9.0",

to the dependencies section in your package.json. Use at least version 3.9.0 to avoid being hit by the xssec security vulnerability (cf. Security Note 3411067).

In your JavaScript file to be run add

const httpclient = require('@sap-cloud-sdk/http-client');

The object thus obtained follows the axios HTTP client API with an added first object parameter (second parameter is compatible to RawAxiosRequestConfig), eg to make a POST call to an onpremise destination use this code

await httpclient.executeHttpRequest(

        {

            destinationName: 'MYDESTINATION'

        },

        { 

            method: 'POST',

            url: "/sap/opu/odata/sap/ZMY_SERV_SRV/MyEntitySet",

            headers: {

                "Content-Type":"application/json; charset=utf-8",

                "Accept":"application/json"

            },

            data: body

        }

    ).then(response => {

        // use eg response.status and response.data 

    }).catch(err => {

        // use eg err.code or message

    });

(Note: All code examples in this blog are just examples, do not use in your productive code, eg consider adding logging and a more robust coding)

CSRF handling is done by default.

Proxy with Basic Authentication

For a first simple proxy example we will use Basic Authentication from Outside and also Basic Authentication to the onpremise system. The latter is an easy brainer: Just use Basic Authentication as Authentication Type when defining the destination in the BTP cockpit:

(Do yourself a favor and pay attention to the warning in the picture!)

With such a destination you need merely give the destinationName in the example above.

In the mta.yaml define the depencies to the destination and connectivity service:

...

modules:

- name: myproxy

  type: nodejs

  requires:

  - name: myproxy-destination-service

    parameters:

      content-target: true

  - name: myproxy-connectivity-service

  parameters:

    health-check-type: process

...

resources:

- name: myproxy-destination-service

  type: org.cloudfoundry.managed-service

  parameters:

    config:

      version: 1.0.0

    service: destination

    service-name: myproxy-destination-service

    service-plan: lite

- name: myproxy-connectivity-service

  type: org.cloudfoundry.managed-service

  parameters:

    service: connectivity

    service-plan: lite

Health check is set to process because otherwise health check uses an unauthenticated HTTP access to / which won't work with our basic authentication requirement and thus would give constant app restarts.

For the proxy function we use express and passport, ie in the package.json

      "express": "^4.17.3",

      "body-parser": "^1.20.2",

      "passport": "^0.6.0",

      "passport-http": "^0.3.0"

Preperation in the JavaScript file

const express = require('express');

const bodyParser = require('body-parser')

const passport = require('passport');

const passportHTTP = require('passport-http');



const auth_env = {login: process.env['AUTH_LOGIN'], password: process.env['AUTH_PASSWORD']};

const app = express();

passport.use(new passportHTTP.BasicStrategy(

    function(username, password, done) {

        if (username === auth_env.login && password === auth_env.password) {

            return done(null, username);

        } else {

            return done(null, false);

        }

    }

));

app.use(passport.initialize());

app.use(passport.authenticate('basic', { session: false }));

app.use(bodyParser.text({ type: 'application/json' }));

...

app.listen(process.env.PORT || 5000, function () {

    console.log('Proxy app started');

});

and code for proxying a POST call

app.post('/MyEntitySet', async (req, res) => {

    if (!req.user) { res.sendStatus(403); return; }

    await httpclient.executeHttpRequest(

        {

            destinationName: 'MY_DESTINATION'

        },

        { 

            method: 'POST',

            url: "/sap/opu/odata/sap/ZMY_SERV_SRV/MyEntitySet",

            headers: {

                "Content-Type":"application/json; charset=utf-8",

                "Accept":"application/json"

            },

            data: req.body

        }

    ).then(response => {

        res.send(response.data);

    }).catch(err => {

        res.status(500).send('Backend Error');

    });    

});

(in real life you might want to use wildcards and parse req.url)

Proxy with Principal Propagation

Principal Propagation means the client needs to authenticate the user aka principal against the BTP and obtain tokens which need to be stored securely. When accessing the proxy the token needs to be presented. The token is then forwared to the cloud connector which generates authorization info using the principal for the onpremise system (configuring cloud connector and onpremise systems to achieve this is beyond the scope of this blog).

In this example the native client needs to obtain a JWT token and send it along with request to the proxy. The JWT token will eg be obtained and renewed by utilizing SAML 2.0 and OAuth 2 protocols with the XSUAA service, cf. https://sap.github.io/cloud-sdk/docs/java/guides/cloud-foundry-xsuaa-service . The native client should use libraries for this tasks (this is however beyond the scope of this blog). After deploying the proxy app to the BTP go to the deployed app in the BTP cockpit, select "Service Bindings" on the left and click on "Show sensitive data" to obtain the data for the libraries. You need

token_service_url : Add /oauth/authorize for the SAML 2.0 login endpoint, /oauth/token for the OAuth 2.0 endpoint and /logout.do for the SAML 2.0 logout endpoint

clientid and clientsecret for the OAuth 2 protocol

Also go to "Scopes" on the left and use the displayed scope name in the OAuth 2 protocol.

The configuration for xsuaa in the xs-security.json file is needed (add scopes and role-templates as needed):

{

    "scopes": [

      {

        "name": "$XSAPPNAME.access",

        "description": "Access"

      }

    ],

    "role-templates": [

      {

        "name": "Access",

        "default-role-name": "My Proxy Access Authorization",

        "scope-references": [

          "$XSAPPNAME.access"

        ]

      }

    ],

    "oauth2-configuration": {

        "redirect-uris": [

            "http://localhost:9999/success"

        ]

    }

  }

Use Redirect-URIs as needed by the native libraries (can also use different schemes than http oder https as commonly used on mobile OS).

In the mta.yaml there is now a depedency to the xsuaa service (add role-collections as needed):

  requires:

  - name: my_proxy-uaa

...

resources:

- name: my_proxy-uaa

  type: org.cloudfoundry.managed-service

  parameters:

    path: ./xs-security.json

    service-plan: application

    service: xsuaa

    config:

      xsappname: my_proxy-${space}

      tenant-mode: dedicated

      role-collections:

        - name: 'my_proxy-Access-${space}'

          role-template-references:

            - $XSAPPNAME.Access

The xsappname and the role collections name thus contains the space name in order to be able to deploy the proxy app to multiple spaces in the same subacount (eg for three-tier development, test, production spaces). In this case the destination need to be defined at app-level in the respective destination service instance instead of subaccount level to have identical named destinations pointing to development, test, production onpremise systems respectivly (destination can't be defined at space level). Assign the role collection to users, either individually or via groups or via IdP configuration.

The destination is defined with Principal Propagation:

In the package.json we need now additional dependencies to xsenv and xssec:

       "@sap/xsenv": "^4.2.0",

       "@sap/xssec": "^3.6.0",

(Use at least version 3.6.0 of xssec because of mentioned security issue)

In the JavaScript file the preperation now includes verification of the JWT token with the xsuaa service:

const httpclient = require('@sap-cloud-sdk/http-client');

const express = require('express');

const bodyParser = require('body-parser')

const xsenv = require('@sap/xsenv');

const passport = require('passport');

const xssec = require('@sap/xssec');



xsenv.loadEnv();

const app = express();

const services = xsenv.getServices({ uaa: 'my_proxy-uaa' });

passport.use(new xssec.JWTStrategy(services.uaa));

app.use(passport.initialize());

app.use(passport.authenticate('JWT', { session: false }));

app.use(bodyParser.text({ type: 'application/json' }));

The code for proxying a call now contains code for checking the scope and for fowarding the JWT token for principal propagation:

app.post('/MyEntitySet', async (req, res) => {

    if (!req.authInfo.checkLocalScope('access')) {

        return res.status(403).send('Forbidden');

    }

    await httpclient.executeHttpRequest( 

        {

            destinationName: 'MY_DESTINATION'

            jwt: req.authInfo.getAppToken()

        },

        { 

            method: 'POST',

            url: "/sap/opu/odata/sap/ZMY_SERV_SRV/MyEntitySet",

            headers: {

                "Content-Type":"application/json; charset=utf-8",

                "Accept":"application/json"

            },

            data: req.body

        }

    )

Conclusion

The SAP Cloud SDK for JavaScript makes it easy to use onpremise destinations with principal propagation in a BTP proxy app and hides the complexity in dealing with the destination, connectivity and xsuaa service. Happy Coding and have a succesful and peaceful new year!

SAP Intelligent Clinical Supply Management : Setup & Configuration

2024-01-09T10:43:36+01:00

Introduction:

SAP Intelligent Clinical Supply Management is an advanced solution that helps life sciences companies improve and automate the supply process for clinical trial materials and gain increased visibility into the status of supplies worldwide.

SAP Intelligent Clinical Supply Management allows you to manage the planning, sourcing, manufacturing, distribution, and reconciliation of supplies for clinical studies, and addresses specific blinding and randomization needs.

Prerequisites:

You have set up your global account and subaccount.

You are assigned the Administrator role for the global account.

SAP Intelligent Clinical Supply Management is properly entitled to your subaccount.

Subscribe your subaccount to the service SAP Intelligent Clinical Supply Management. Select the appropriate plan:

The ICSM standard plan is for a production instance.

The ICSM preprod plan is for preproduction/staging, such as for dry-running the system.

Need to install SAP ICSM Add-on in the backend S/4 HANA system

Install the Cloud Connector : To connect your application to an on-premise system, you need to have installed and configured the Cloud Connector.

Create an Instance of the Integration Broker:

Through an oauth2 authorized channel, the integration service broker facilitates communication between external systems and the SAP Intelligent Clinical Supply Management planning APIs.

SAP ICSM offer six separate subscription plans that can be used to generate tokens with different authorization scopes:

Plan	Purpose and Scope
Standard	Any kind of integration (has all authorizations for all SAP Intelligent Clinical Supply Management planning APIs)
irt-actuals-api	Actuals (IRT) integration (has read/write authorization for IRT Master Data and IRT Actual Visits APIs)
ctms-api	Integration with CTMS systems (has read/write authorization for CTMS Update APIs)
study-api	Read/Create Study (has read/create authorization for Study APIs)
config-api:	Integration of configuration data (has read/write authorization for Configuration Data APIs)
pushtosupply-api	Use the Push to Supply Planning API

Create a Service Key:

Now we will Create a Service Key for Each Service Instance and note down the below values that will be use when we will create OAuth 2.0 Client-

Client ID

Client secret

URL of the authorization endpoint

Activate Application-Specific OData Services:

Run transaction Activate and maintain services (/IWFND/MAINT_SERVICE) and add and activate OData services mentioned in the below guide-

Activate Application-Specific OData Services | SAP Help Portal

Set Up Cloud Integration to Enable Synchronization of Study Data:

Now we will setup cloud integration to enable synchronization of study data below are the steps to setup this-

Create an RFC Destination

Create Your OAuth 2.0 Client

Configure Connection Parameters

With this procedure, we enable synchronization with SAP Intelligent Clinical Supply Management for planning to retrieve the latest study data.

1.Create an RFC Destination:

To connect our system to the OData service used to get study data from SAP Intelligent Clinical Supply Management for planning, you have to create an RFC destination that points towards this OData service.

Maintain the RFC with “core-icsm-provider-gxp.cfapps.eu10-004.hana.ondemand.com” as it for sap hard coded to SAP tenant not our tenant.

Check connection and response should be 404 and it is not an error.

2. Create Your OAuth 2.0 Client:

The OAuth 2.0 client is used in combination with the configuration profile /CTCO/OAUTH_CLIENT_PROFILE and an RFC destination to allow access to SAP Intelligent Clinical Supply Management for planning.

Prerequisites:

To create your OAuth. 2.0 Client, you need the following information:

OAuth Client ID

Client secret

URL of the authorization endpoint

Procedure:

Start transaction OA2C_CONFIG and choose Create.

Create a new OAuth 2.0 configuration:

Enter the OAuth 2.0 profile /CTCO/OAUTH_CLIENT_PROFILE.

Enter other values according to your system setup. Choose any meaningful name for the configuration.

3. Configure Connection Parameters:

In Customizing for SAP Intelligent Clinical Supply Management go to Interfaces Cloud Configure Connection Parameters for Synchronizing Study Master Data.

Enter the RFC destination name and the OAuth 2.0 configuration name.

Go to SPRO T-Code => Configure Connection Parameters for Synchronizing Study Master Data

Configure cloud connector:

To connect SAP ICSM application to an on-premise system, we need to install and configure the Cloud Connector.

Add ICSM Subaccount in the cloud connector and add backend S/4 HANA system which you want to connect.

Create destination on SAP BTP:

Hard code the destination on BTP for the ICSM solution setup, with basis configuration. It enable the connection to all SAP S/4HANA services accessed by end users and by technical users, respectively.

SAP S/4 HANA Service	Destination	Destination URL	Authorization Type
All services accessed by end users	ICSM_S4_API	http://<virtual_host>:<virtual_port>;	Principal propagation
All services accessed by technical users (validation jobs, recalculation jobs, and study API)	ICSM_S4_API_BasicAuth	http://<virtual_host>:<virtual_port>;	Basic authentication

Add additional properties in the destination-

The configuration is completed and now we will create users in BTP and assign required roles.

Data flow in SAP ICSM:

Bi-directional dataflow as below –

S/4 HANA System to ICSM Application (On-premise to cloud)

ICSM Application to S/4 HANA System (Cloud to on-premise)

S/4 HANA to ICSM: In ICSM we will use O-Data services from the on-premise S4HANA System

ICSM to S/4 HANA: When we create a study in ICSM we can see it in the table “/CTCO/ST_STATUS” in S4HANA on-premise system.

Study Created In ICSM:

The study types are pushed to S/4 Hana system we can see in table /CTCO/STUDYT:

In this way we can Setup & Configure SAP Intelligent Clinical Supply Management BTP Application.

SAP Cloud Connector Upgrade and High Availability Configuration #ATR

2024-01-09T11:36:57+01:00

#ATR blog (4)

Informative Note: Created this blog to provide information on how to upgrade SAP Cloud Connector (SCC) and do High Availability Configuration (Windows)

Prerequisites - Knowledge on SCC Installation.

Cloud connector serves as a link between SAP BTP applications and on-premise systems. Eg: Business users will use SAP BTP BAS Application and fetch ABAP ODATA services to create new Fiori UI5 Apps.

General Knowledge Link: https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/cloud-connector.

Pre-requisites for HA Configuration:

Upgrade Cloud connector to latest version. Although HA supports with different cloud connector version, there can be inconsistencies between primary and secondary SCC due to version mismatch. We won't have much impact technically.

To avoid this scenario, we can update primary cloud connector to latest version before proceeding HA configuration.

Download Link for SAP JVM and Cloud Connector: https://tools.hana.ondemand.com/#cloud -> Cloud Connector

Current Scenario: Cloud Connector version: 2.13.2. Planned upgrade version: 2.15.2. Post which HA Configuration needs to be done.

2. Take backup of your cloud connector.

3) Check in browser whether shadow cloud connector VM(shadow) fetches right certificate for your Region (Europe Rot Neo, Frankfurt CF, etc.,.) If you are using proxy, make sure whether Cloud connector ports allowed in proxy. Cloud connector will redirect and fetch right certificate while adding/configuring subaccounts if ports are allowed in proxy.

You can find ports information in below link

https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/prerequisites.

If cloud connector fetches wrong certificate, ask security team to unblock SCC Region Ip and disable https inspection for all Ips - port 443.

4) Telnet and check whether cloud connector ports are reachable or not - In Shadow SCC VM(Windows) - command - telnet IP(port) 443. If it fails, we can't able to add subaccount/HA works but connectivity to subaccount will fail.

Eg: telnet 155.56.210.83 443

Also check whether master SCC port accessible from Shadow. If it fails, HA configuration won't work.

Command: telnet masterscchostname 8443

5) If you want to maintain secure SSL, renew shadow server VM(Windows) certificate with right domain name prior. We can apply certificate(in UI/System) post installation. Make sure to upload same certificate in On-Premises ABAP System - STRUST. This will avoid SSL communication issues post installation.

Below image captured post installation (UI & System Certificate)

6) We might face below error after configuring HA. If Master and Shadow state collapsed and lost, we can simply use reset (button) -> stop SCC then set Master/Shadow state via java.jar command accordingly. Once Master/Shadow role set, start SCC and recover using backup file.

" SWITCH ROLE FAILED IN FIRST ATTEMPT. ROLE EXCHANGE OK BUT CONNECTION CHECK NOT SUCCESSFUL”

java -jar configurator.jar -be master

FYI - https://me.sap.com/notes/0002899832 - Detailed Explanation

UPGRADE SCC FROM 2.13.2 to 2.15.2:

Make sure whether you have downloaded updated JVM and set JVM path in JAVA_HOME & PATH Environment variable. It will help SCC to detect SAP JVM files and use for connectivity purposes.

2. Stop Cloud Connector before upgrading - Windows Service - SAP Cloud Connector

3. Uninstall Cloud Connector. PFA - https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/upgrade.

Retain files so that it will fetch all connected subaccounts automatically. If you want to install upgraded version in any other preferred path, you can install fresh in your preferred path and use backup to recover your account. Make sure to take backup of scc config folder and files for safer side.

4. Once uninstalled, reinstall cloud connector with latest version (Current scenario - 2.15.2)

Choose SCC installation path. If you choose old path with retained files, SCC will fetch and connect all subaccounts as well as set whether SCC should act as Master/Shadow Role.

Prefer to use default port 8443

Choose SAP JVM path and start Cloud connector.

5. Before accessing SCC link, clear browser cache to avoid any unpredictable behavior due to the upgraded UI.

Check upgraded version details in ABOUT.

https://hostname:8443

HA CONFIGURATION:

Install Shadow Server - Use same upgrade steps to install Shadow server. Start Shadow Cloud Connector.

Initial Configuration: Administrator user and Password 'manage' and set "Shadow" role.

Initial Configuration completed.

3. Replace default UI certificate with your renewed shadow hostname certificate.

Restart SCC to reflect newer certificate.

..................

Note:

1) UI certificate: Certificate matching corresponding CN name needed since UI certificate is server specific. If not updated, SCC link will be unsecure SSL state.

2) System certificate can be common certificate which used for connecting On-Premises systems. It can be Master/Shadow, but Master server certificate is recommended. You can use same UI certificate as System Certificate.

.................

4. Once shadow server installed and configuration completed, Enable high availability in Primary Master SCC.

5. Login into shadow SCC and use "Connect" option. Enter Master SCC password.

Check connectivity as well as mirrored subaccounts.

Connection to Master from Shadow successful.

6. Login into Master and check connectivity.

HA Configuration completed.

Switch Roles - Takeover:

Switch roles and test HA takeover. Also, set automatic takeover delay accordingly.

On-Premise Connection Check:

Check ABAP System connection as well once takeover done. Make sure to upload both Master/Shadow System Certificate in ABAP STRUST.

Mail Config:

You can also set E-Mail Configuration for Alerts - Connectivity loss/timeout, Automatic Takeover,etc.,.

INFO:

If you are having old SAP SCC version and business SCC downtime not possible, you can download latest SCC for shadow and configure HA directly irrespective of their version mismatch. It might be incompatible but it won't impact much technically. You can switch roles once HA Configured and update old SCC version. This will avoid SCC downtime.

Thanks for visiting!

SAP BTP for your home lab

2024-02-03T19:21:11.143000+01:00

Some time ago I presented how to install an S/4HANA-like system in a home lab. This was met with a lot of interest, so I assume there is demand for testing new technologies and having an environment completely independent of your employer. I know that many consultants are looking for a way to develop, prepare for exams or test new ideas.

At a time when we are surrounded on all sides by new technologies, platforms, integration opportunities, it is even more important to be able to run tests on a completely isolated environment. One should be aware that many experiments will be abandoned, and it is not always easy to fully clean up the system. Being able to experiment at home has always been invaluable to me, so I encourage everyone to do so.

And just such a unique opportunity is provided by ABAP Platform Trial, which comes in the form of a Docker container. While it uses your system's resources, you can find that you need a fresh environment at any time. Then you run the container from the image once again and you have a completely fresh system. Fantastic feature!

However, not everyone is aware that the ABAP Platform Trial image comes with Cloud Connector. This makes it very easy to connect your own SAP sandbox to the Business Technology Platform. If you add to that the ability to create a free trial account on SAP BTP, it gets really exciting.

Watch a tutorial on how to easily prepare such a setup completely free of charge. And start learning this important technology.

Unleash the Power of Real-Time Business Insights with SAP Advanced Event Mesh

2024-03-26T03:57:44.968000+01:00

Unleash the Power of Real-Time Business Insights with SAP Advanced Event Mesh

In today's ever-changing business landscape, being able to respond quickly is crucial. SAP Business Technology Platform (BTP) lays the groundwork for this agility by providing a comprehensive integration platform. But what if you could harness the power of instant reactions to every customer interaction? That's where SAP Advanced Event Mesh (AEM) comes in - a revolutionary tool that unlocks the true potential of SAP BTP. By utilizing the event-driven architecture championed by SAP BTP, AEM empowers businesses to make real-time, data-driven decisions - a vital capability in today's fast-paced environment.

Imagine a world where every customer interaction triggers an immediate response, enabling businesses to make informed choices in real-time. This is the power of SAP Advanced Event Mesh (AEM), a revolutionary tool that transforms how businesses react to events and unlock hidden opportunities .

(Image Source: SAP)

The Grocery Store Scenario: A Glimpse into the Future of Inventory Management

Consider a grocery store where every purchase instantly triggers an event that is relayed to a central system. This eliminates the need for traditional end-of-day reports, allowing for immediate insights into:

Product popularity: Identify fast-selling items and ensure they are always in stock.
Inventory optimization: Replenish stock as soon as it runs low, preventing lost sales and customer frustration.

This is just one example of how AEM streamlines business processes and enables proactive decision-making across various industries.

Key Features of SAP AEM:

Event-driven communication: Respond to events as they happen, creating a dynamic and responsive system.
Scalability and flexibility: Easily adapt to changing business needs and data volumes.
Unified event management: Gain centralized control and visibility over all events within your SAP landscape.
Seamless integration: Integrate seamlessly with SAP and Non-SAP solutions.

Components of SAP AEM:

Mission Control: Easily deploy and manage event brokers, monitor their performance, and visualize your event-driven architecture.

Event Portal: Design your event-driven setup using a full set of tools, including an overview, designer, catalog, and event manager for running events.

Insights: Get real-time insights into the health and performance of your event network, ensuring your applications work well.

Deployment Options:

You can choose from different deployment options for SAP AEM:

Public Regions: This allows you to use the infrastructure managed by SAP, which is simple and easy to use.
Dedicated Regions: This gives you more control and isolation within a dedicated SAP cloud environment.
Customer-Controlled Regions: This lets you deploy AEM on your own Kubernetes cluster, giving you ultimate customization and control

Security:

SAP AEM takes security very seriously at every level, with features like:

Secure cloud architecture with various deployment options.
VPC/VNet isolation for keeping data segregated securely.
Multi-factor authentication and authorization to have comprehensive access control.

Migration of SAP Hana On-Premise Database to SAP HANA Cloud

2024-04-01T10:15:35.049000+02:00

SAP provides a tool called Self-Service Migration to assist migration to SAP HANA Cloud.

This tool checks the compatibility of your SAP HANA database with SAP HANA Cloud and identifies which features, database objects, and SQL statements can be migrated seamlessly, and which need to be adapted before use.

Self-Service Migration tool also includes information about the features that cannot be automatically migrated and offers suggestions about how to adapt your current implementation to work in SAP HANA Cloud where possible.

Pre-requisites

Supported for SAP HANA Database Revision 53 or greater.
Connectivity Service Entitlement with the service plan “connectivity_proxy” must be enabled for your subaccount using the SAP BTP cockpit.
Create the migration user in the source HANA database and assign necessary privileges.
Establish a connection to the source database using Cloud Connector.

Procedure

1. Open SAP HANA Cloud Central, navigate to “Migrations”.

2. Choose “Create Migration”, specify the migration information, and then “Create”.

3. In the PLAN phase,

a. Select the source database system that you want to migrate.

Enter the virtual host and port that you specified in the cloud connector configuration.

b. Specify the cloud connector details.

Enable Cloud Connector and specify the Cloud Connector Location ID.

c. Enter the credentials of the migration user that was created in the tenant database of the source system.

d. Check Compatibility with SAP HANA Cloud.

e. Once the Self-Service Migration tool finishes checking your database, it lists any incompatibilities found. The list is grouped by Database Objects and SQL Statements.

f. It provides information on the compatibility of the database objects and executed statements with SAP HANA Cloud.

g. Only checks with the severity 'CRITICAL' and 'UNKNOWN' will forbid the migration. Checks with the severity 'ERROR' or below will allow the migration; however, it is possible that some functionality may not work as expected in the target database.

h. Review and resolve the incompatibilities where possible. Choose Proceed to Preparation Phase.

4. In the PREPARATION phase, you specify what to migrate, where to migrate it to, and which user credentials are required to perform the migration. (XS advanced service instances is not included in this migration)

a. Specify the credentials of the migration user and choose “Save and Proceed to Select Target”.

b. Choose the target database for the migration. Enter the credentials of the DBADMIN user on the target database and “Proceed to Execution Phase”.

5. In the EXECUTION phase, choose “Start Migration” to trigger the migration process and monitor progress in the status bars.

After the migration, a summary is displayed, and you can proceed to the VALIDATION phase.

6. In the VALIDATION phase, the metadata and data of the migrated content are checked for consistency, also the record count of the tables to be migrated can be checked.

Choose “Proceed to Finalization Phase”.

7. In the FINALIZATION phase, the finalization process removes all artifacts that were temporarily stored by the migration service.

a. Choose “Deactivate migration user” to disable the DMUSER after the migration in the target SAP HANA database and “Finalize Migration” to complete the migration and start the post-migration clean-up.

b. The SAP HANA database is migrated to SAP HANA Cloud. A summary screen is displayed, containing information about the completed migration, including statistics about the migrated database, migration step durations, and validation statuses.

c. “Clean Up Process” will archive the completed migration. Once the migration is archived, it serves as a reference and cannot be altered. Up to 20 migrations can be archived.

Conclusion

In this blog, we have learnt on how to migration SAP Hana On-Premise to SAP HANA Cloud using Self Service Tool.

Consuming CAPM Application's OData service into SAP Fiori Application in Business Application Studio

2024-04-16T12:50:31.978000+02:00

OBJECTIVE-:

Consuming OData Service of CAPM Application into SAP Fiori Application in Business Application Studio.

CAPM (Cloud Application Programming Model)-:

It is an open-source framework that uses tools, libraries, and languages to create applications that can be used across multiple SAP products. CAPM is a multi-target application that runs at different times, with the persistence layer running in the HANA DB run time, the server layer running in the Node.js run time, and the UI/UX layer running in the browser run time.

CAPM is one of the approaches to developing cloud applications using the BTP platform. CAPM offers a more structured and seamless framework for data modelling and enhancing integration with services.

Advantage of CAPM over other approaches-:

It enables full-stack development in the same environment. (BAS), eliminating the need to switch between different environments for the backend and frontend development.
It offers flexibility in language selection, allowing developers to work with multiple languages according to their needs. BAS provides easy connectivity to required extensions for this purpose.
Seamless integration with git and other applications via APIs facilitating extension or development of the application.
Automatically handling dependencies to a certain extent, reducing frustration, and improving development speed. For example, handling the OData after exposing all entities and making it easier to consume in the UI.

Prerequisites-:

Create a CAPM project.
Log in to Cloud Foundry Credentials.
Ensure the HANA Database is created and running (I Used it for storage and data creation).

Set up a Dev Space.
Create a SAP Build Work Zone instance to act as a Fiori Launchpad for the CAPM Application

You Have to create a new Destination in BTP (Connectivity -> Destination)-:

This destination will be used for passing system information when creating a Fiori Application.

For the URL, DEPLOY YOUR APPLICATION IN CLOUD FOUNDRY (Cloud Foundry ->Spaces ->Dev (Space Name)->Your Service (here it is CAPMChetan-srv) and copy Application Routes).

This URL will be shown only when you deploy your CAPM Application in Cloud Foundry-> A new blog will be there to deploy the CAPM Application.

For Authorization, use the same authorization as created in the package.json -> a new blog will create a security configuration.

Now that the destination for the service is configured, proceed to create a FIORI APP: -

Open SAP BAS (Business Application Studio).
Open DEV Space where you want to create a Fiori Application.
Go to File -> New Project From template.
Choose a project from the Template (SAP Fiori Application).

Choose any Template of your choice.

In Data Source choose to connect to a system.

Specify the Destination created earlier.

In the service path, specify the service path of the OData service that can be obtained by running the command “cds watch –profile hybrid” in your CAPM Project.

Click on next.

Select any entity from the given list of entities you created in your project.

Customize the project attributes.

Choose the target as Cloud Foundry and select the Destination name among the list of destination names (You can go with either Local CAPM Project API and the name of your destination too).

Now, your FIORI project is created and is ready to use.

Go to run configuration and start the project as usual.

You can now run this Fiori Application which is the result of an Application created from CAPM.

Import Data Connection to SAP S/4HANA in SAP Analytics Cloud : Technical Configuration

2024-05-10T12:04:30.942000+02:00

In this blog we’ll discuss complete steps for Import data connection from S/4 hana on-premise system to SAP Analytics Cloud . The Operating system we are using on which S/4 Hana system is installed is SUSE Linux SP 15.

Here, Our Data source is S/4 Hana from which the SAP Analytics Cloud is connected using the SAP Analytics Cloud Agent and SAP Cloud Connector.

It is recommended that the Cloud Connector, SAP Analytics Cloud agent, and the SAP Java Connector (JCo) are installed together on a dedicated server, and not a personal computer. This helps to ensure that multiple users can use an import data connection without experiencing slowness or downtime.

The SAP Analytics Cloud Agent Simple Deployment Kit allows you to quickly get your import data connections working.

The simple deployment kit is only supported on Windows 64-bit operating systems. If you have a different server, such as Linux, you'll need to install and configure the agent manually.

If we have windows Environment, then the SAP Analytics Cloud Agent Simple Deployment Kit is preferred. More details can be found in the below link.

SAP Analytics Cloud Agent Simple Deployment Kit | SAP Help Portal

For Linux Environment we have to install SAP JVM, SAP Cloud Connector, Tomcat Apache server, SAC Agent, Java Connector.

Below are the steps for Import Data connection for On-premise S/4 HANA systems -

SAP JVM 8.1 and JDK installation on the linux server
Install SAP Cloud Connector on the same linux server.
Installing Tomcat Apache server
Installing and configuring Java connector (Jco)in Tomcat .
Installing and configuring SAP Analytics Cloud Agent .
Configuration and Connection steps in SAC portal

1. SAP JVM 8.1 installation on the same linux server

Download the SAP JVM from the below link:

https://tools.hana.ondemand.com/#cloud

Download the rpm file compatible for linux 86x64 -
sapjvm-8.1.095-linux-x64.rpm (sha1)

Move the file to the server and run the below command to install SAP JVM

rpm -i <file_name>.rpm

Also it is recommended to install the openjdk packages on SUSE linux .

Run command ‘zypper install java’

To check the verison of openjdk installed.

Run command 'java –version'

2. Install SAP Cloud Connector on the same linux server.

To download the SAP Cloud Connector go to the below link :

https://tools.hana.ondemand.com/#cloud

Download the zip file for Linux x86_64 Architechture and move the downloaded file to the server.

Now, unzip the file and install the rpm package for cloud connector as below.

Cloud connector is installed now.

To open the SCC, enter: https://<hostname>:8443 in a browser, where the <hostname> is the hostname of the machine on which the connector is installed, and the port number is the one configured during installation. The default port number is 8443

By default Login Credentials are :

Username : Administrator

Password : manage

After the fist login , It prompts you to change password for the Administrator User.

Now Add the SAC subaccount to the cloud connector:

Click on “Add subaccount” and enter the details SAC subaccount , which you can find on SAP Analytics Cloud.

To find the Subaccount details of SAP Analytics Cloud :

You must use a System Owner account to perform the following steps. If you don't know who the system owner is, log on to SAP Analytics Cloud and from the side navigation, choose Security > Users.

Log on to SAP Analytics Cloud.
From the side navigation, choose System > Administration.
Switch to the Data Source Configuration tab.

3.Installing Tomcat Apache Server :

Create a directory named tomcat in the /opt folder:
Go to the Apache Tomcat 8 Download page by clicking this https://tomcat.apache.org/download-80.cgi Place your cursor under 8.5.65 Binary Distributions, right-click on the tar file and select the copy link address from the menu that appears (as shown in the picture below). At the time of writing, Tomcat 8 is the most recent edition, but you are free to use whatever version is most current.

Download the file from wget

Extract the tar.gz file

Starting Tomcat apache server

4.Installing and configuring Java connector (Jco)in Tomcat .

Download SAP Java connector from SAP support portal -> Software downloads

On a Linux server, put the sapjco3.jar and libsapjco3.so in the lib folder of Apache Tomcat.

5. Installing and configuring SAP Analytics Cloud Agent .

It is recommended, but not mandatory, that the Cloud Connector, SAP Analytics Cloud agent, and the SAP JCO are installed together on a dedicated server, and not a personal computer. This helps to ensure that multiple users can use an import data connection without experiencing slowness or downtime.

Modifying the Cloud Connector’s embedded web application and deploying the agent to it is not supported.

Download the SAP Analytics Cloud agent from the SAP Support Portal.

The agent is available on the SAP Software Downloads page. Expand By Category, select SAP Cloud Solutions > SAP ANALYTICS CLOUD CONN > SAP ANALYTICS CLOUD CONN 1.0 > SAP ANALYTICS CLOUD AGENT 1.0 and download the latest version.

Unzip the downloaded file and rename the WAR file to C4A_AGENT.war.
Extract the package and copy the file C4A_AGENT.war to your Tomcat webapps directory.

The agent will automatically deploy when Tomcat is restarted.

Create a user for the SAP Analytics Cloud agent and assign the Services role to the user.

The user credentials will be needed later for setting up the connection to SAP Analytics Cloud.

Restart the Tomcat application server for the settings to take effect.
Test if the installation was successful, by opening the following URL in your browser: http://<Host>:<Port>/C4A_AGENT/deploymentInfo

The version of the SAP Analytics Cloud agent installed is displayed.

6. Configuration and Connection steps in SAC portal

Add the Data source in System > Administration > on-premise data sources

Check connection configuration , It should be green.

From the side navigation, choose

Connections > (Add Connection).

The Select a data source dialog will appear.

Expand Acquire Data and select SAP S/4HANA.
In the New SAP S/4HANA Connection dialog, do the following:

In the Connection Information section, add a Connection Name and Description.
If you are connecting to an SAP S/4HANA on-premise system, select Connect to an On-Premise OData service, and then select the Location of your Cloud Connector from the list.
Enter the Data Service URL published during your configuration

Select the authentication type.
Enter the User Name and Password of the user you want to import data from.
Choose Create.

The new connection is added to the list of connections on the Connections screen.

Conclusion :

Import Data Connection to S/4Hana on-premise system in SAP Analytics Cloud has been established successfully.

New Release Available: SAP Cloud Connector 2.17.0

2024-05-10T14:33:54.505000+02:00

We are happy to announce that the fresh version of the SAP Cloud Connector is now available for download. It is (as usual) packed with a host of new features and improvements. From bug fixes to enhancements, we've worked diligently to deliver an updated connector that addresses critical issues while also enhancing usability and functionality, which you can find more detailed in the release notes.
Moving onto enhancements, we've made changes to the underlying architecture and features of the Cloud Connector. One of the major changes is the switch from JavaWeb 3.x runtime on Tomcat 8.5 to JavaWeb 4.x, which operates on Tomcat 9. This new runtime container facilitates better performance and stability.
In addition, Cloud Connector 2.17 now supports the use of SapMachine 21 as Java runtime. This change can provide increased efficiency and flexibility for your operations.
One of the significant enhancements in this release is the addition of support for up to 3 LDAP servers for authentication.

This feature is essential for setups where the user base is spread across multiple LDAP user stores or multiple user bases in a single LDAP user store (find more in the documentation).
We've also introduced the option to configure a separate port for the HA-related communication between the master and shadow instances.

This new feature enables you to use HA in conjunction with certificate-based authentication to overcome the limitation from 2.16 (find more here)
Additional hardware monitoring REST APIs have been provided for disk and CPU status, allowing for more comprehensive system insights. Plus, you can now use the hardware monitor on the shadow instance as well.
To improve your operations, we’ve introduced for the access control settings a creation timestamp, providing more detailed and useful information for your operations:

Finally, we've improved the Cloud Connector UI by adding a session expiration progress bar. This new addition helps you keep track of your active session and alerts you when you need to log in again.

In summary, with this release, we've not only ensured the highest security levels but also worked on improving the overall user experience and functionality. Don't hesitate to upgrade your Cloud Connector to version 2.17.0 today (by downloading it from here) and explore these new features and improvements. For more detailed information, make sure to check out the official release notes. Enjoy the enhanced performance and functionality of the new SAP Cloud Connector!Happy Connecting!

SAP Community - Cloud Connector

Connection between SAP Datasphere and SAP SuccessFactors HXM Suite using OData, OAuth2 and SAML Bearer on Cloud

Section 1: How to generate X.509 certificate, API Key, Private Key and Download/Upload SuccessFactors url into Datasphere?

Section 2: How to create connections in Success Factors?

Summary:

Troubleshooting:

References Link & S-Notes:

Next release of the Cloud Connector is available: 2.16.0

Exposing On-Premise S/4 Apps to SAP Build Work Zone: A Step-by-Step Guide

Prerequisite:

Certificate-based authentication in the SAP Cloud Connector

Introduction

Feature overview

How-to steps

Conclusion

Integration of SAP CI(BTP IS) with IBM MQ through AMQP

SAP Remote Access Connectivity (SAP RAC): A Cost-Effective and Flexible Solution which simplifies seamless SAP Integration

Discover a World of Possibilities with SAP RAC!

Overview:

Partner-Centric Innovation: Rapid Adoption and Certification with Plug and Play Access

RAC Subscription Offers

Shedding Traditional On-Premise Troubles

Key Benefits of SAP RAC

A Glimpse at the Two SAP Environment Options from RAC

Shared Environment

Dedicated Environment

SAP RAC Subscription: Pricing & Extensive Offerings

Tailored SAP RAC Subscriptions and Pricing Options:

SAP RAC Subscriptions

SAP Standard RAC Subscription:

SAP RAC Premium Subscription

Pricing

Choosing the Right Subscription Model

Popular Use Cases

Optimize Your Benefits through Enhanced Technical Assistance

A Thoughtful Approach to Your Needs

Contact Us Today

Setup SAP S/4HANA On Premise and SAP Business Application Studio (BAS)

How can I connect SAP BTP applications and on-premise systems using the Cloud Connector?

Connectivity between SAP Business Application Studio and XS Advanced

Introduction:

Pre-requisites:

Here's a breakdown of the required endpoints:

Cloud Connector

Configuring SAP Cloud Connector

SAP BTP Destinations

Create XS Controller Destination

Create XSUAA Destination

Create HRTT Destination

Create XS Deployer Destination

Create SAP HANA Cockpit Destination

Create HANA Database Destination

Connect SAP HANA On-Premise to SAP HANA Cloud and Database with Cloud Connector

Introduction

Cloud Connector

Enable the cloud connector for SAP HANA Cloud, SAP HANA database

Install the cloud connector

Configure SAP BTP Subaccount

Expose your on-premise SAP HANA system

Click on Cloud To On-Premise to expose your backend systems(or services). Then click the + icon and provide the following details

It has never been easier! Connecting cloud apps to Internet and on-premises systems using SAP BTP Connectivity

Prerequisites

Overview of the scenario

Configure the scenario

Expose the on-premises system to the cloud

Manage the technical connection configurations

Expose the destinations in the Kyma instance

Scenario in action: Connect the application to the remote systems

Executing request to Google:

Executing request to Google via destination:

Executing request to Google via destination via Cloud Connector:

Executing request to XSUAA API via destination:

Executing request to an on-premises HTTP server via destination via Cloud Connector:

Executing request to an on-premises HTTPS server via destination via Cloud Connector with Single Sign-On enabled:

Summary

Utilizing SAP Cloud SDK for JavaScript in a BTP Proxy App for non-Web-Apps to access onpremise SAP Systems

Introduction

Basics

Proxy with Basic Authentication

Proxy with Principal Propagation

Partner-Centric Innovation:
Rapid Adoption and Certification with Plug and Play Access