Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Part 1: How to use SAP Cloud Platform Connectivity and Cloud Connector in the Cloud Foundry environment

MatthieuPelatan
Advisor
Advisor
‎07-09-2017 1:39 PM
*********** Updates ************

Last update on 11.12.2017

See details at the end of the blog

**********************************

 

As mentioned in my last blog about the release 2.10. of the Cloud Connector, I would like to take more time to explain in details how to configure the SAP Cloud Platform Connectivity and the Cloud Connector so that you can consume data coming from an on-premise system in a Cloud Foundry based application.

 

As I want to focus more on the connectivity part, I will keep the application very simple. So the Fiori-based web application will just show a table with products and prices coming from an on-premise backend service. Here a visual overview of what I want to achieve:



 

This blog will be structured as follow:

Part 1: Initial setup of SAP Cloud Platform Account and Cloud Connector.

Part 2: Configuration of SAP Cloud Platform Connectivity and deployment of the web application.

Part 3: Update of the configuration to enable principal propagation instead of basic authentication.

 

To demonstrate it, I will use the following setup:

  • SAP Backend system with Fiori Reference applications installed. Odata services have been prepared and configured so that I can add them as resource in the Cloud Connector.

  • Cloud Connector v.2.10.0.1. - portable version (of course, it could be a productive version).

  • SAP Cloud Platform Trial account (Cloud Foundry environment).



Initial setup of SAP Cloud Platform subaccount


Before configuring anything, we need a SAP Cloud Platform Trial subaccount for the Cloud Foundry environment.

Note: If you created already a Cloud Foundry Trial account in the past, please verify that the global account is not a standalone (account created before Mai 2017) as we have at the moment a small bug with standalone accounts. We are working on it and I will update the blog as soon as this is perfectly working. In the meantime, I would suggest you to create a new Trial Account if you want to test it now.



 

So let's go to https://account.hanatrial.ondemand.com/ and register for a trial account.



After the registration a P-user has been created for me: P1942746397. Now I can login and start the Cloud Foundry Trial by clicking in  the breadcrumb on "Home" and then on the button "Start Cloud Foundry Trial.



Select your region and initialize your trial subaccount. An organization and a space will be also automatically created.



In order to establish later on the trust between the SAP Cloud Platform Trial subaccount and the Cloud Connector, we will need the ID of the subaccount. You can find it by clicking on the global account in the breadcrumb and then on the "show more" icon of the subaccount tile.





 

Initial setup of Cloud Connector


Now let's go to the Cloud Connector and configure it. You can use the same Cloud Connector for the NEO and the Cloud Foundry environments. So if you have already one installed, just make sure that you have at least the version 2.10.0.1 and you are good to go. You can verify the version in the top right corner under Administrator / About.



More information about upgrade can be found here.

If you prefer to test with another Cloud Connector or if you don't have one in place, you can download it from here and install it as described in the official documentation. Once it's done, go the the admin UI of the Cloud Connector (https://localhost:8443/), change your password and add your new created Cloud Foundry Trial. Click in the button "Add Subaccount" and insert the details as described below.



Let me emphasize 3 small Cloud Foundry specifications compared to the usual configuration:

  1. The region is not "hanatrial.ondemand.com" like expected but it should be "cf.eu10.hana.ondemand.com" or "cf.us10.hana.ondemand.com" based on the region you have selected during the creation of your Trial account.

  2. By selecting Cloud Foundry region host, the label "Subaccount User" would automatically change to "Login E-Mail". Please use here your email address instead of your P-user.

  3. Please be aware that the user that establishes the trust between the Cloud Connector and the SAP Cloud Platform must be a Global Account member (See Add Global Account Members) or a Security Administrator (See Security Administrators in Your Subaccount). In the trial account, you're per default member of the Global Account, so you don't need to change anything.


Note 1: the configuration for the SAP internal landscape is slightly different. Please drop me an email to get the details.

Note 2: The first time you will map a subaccount to your Cloud Connector, you can see on the right side the settings for the proxy. Don't forget to add your proxy host and your proxy port if you are behind the proxy. If you forget it, you can configure it later on by going to Configuration > CLOUD > HTTPS Proxy.

Note 3: I didn't add any location ID. This is an optional field as I'm connecting only this Cloud Connector to this account. Be aware that the location ID is mandatory as soon as you are using multiple Cloud Connectors. See this blog for more information about it.

Once you clicked on "save", you should see your Subaccount listed to the "Subaccount Dashboard". Navigate to the detail page to verify that the connection has been activated.



If every works fine, you should see on the top the following notification in green:



The notification mentions that "no active resources available". Let's do it and add our odata service of the on-premise backend system (Fiori Reference applications). Click on the tab "Cloud To On-Premise and create an "Access Control" by clicking on the "Add" icon.



Check the official documentation for more details on access control.

Here is my configuration for example:



Important for us are the Virtual Host and the Virtual Port which will be needed later on in the SAP Cloud Platform.

I have also added the needed resources to consume the odata service. Here an overview about the final configuration of the access control:



That's all! Now we have everything in place to continue in the cloud. In the following part of the blog, I will explain how to setup the SAP Cloud Platform Connectivity and consume the data provided by the Cloud Connector in the Fiori application.

I will publish the second part of the blog very soon. In meantime, just try to create your Cloud Foundry Trial Account, upgrade/install your Cloud Connector and connect both together.

 

*********** Updates ************

09.01.2017: Small improvements in the blog for a better understanding.

09.08.2018: Added the link of the 3rd part of the blog series explaining how to use principal propagation.

11.12.2018: Security Administrators (without being a Global Account Member) can now establish the connection between the Cloud Connector and the SAP Cloud Platform. See Prerequisites section here.

**********************************

 

Feedbacks are of course welcome!

Matthieu
56 Comments
nick_scherer3
Participant
‎08-10-2017 3:36 PM
0 Kudos
hello

how i do set up on a trial account to get access to on-premise system s4h ?

kr. Nick and thanks.
MatthieuPelatan
Advisor
Advisor
‎08-10-2017 9:00 PM
0 Kudos
Hi Nick,

not sure to really understand the question...

Getting access to on-premise system like S/4HANA is done via the Cloud Connector. See the blog details for more info. Let me know if you have a more concrete question.

Best,

Matthieu
nick_scherer3
Participant
‎08-11-2017 10:52 AM
0 Kudos
hello Matthieu

I mean, in HCP, destination. Don't i need there a s4h system destination that i can create fiori with access to a s4h system?

So the relevant parameter in HCP --> destination for a latest s4h system is not clear also user and pw then to login.

many thanks. Nick

 
MatthieuPelatan
Advisor
Advisor
‎08-11-2017 11:44 AM
0 Kudos
Hi Nick,

Indeed, there is no destination runtime right now in the Cloud Foundry environment as you may know it from the Neo environment. We are working hard to deliver it as soon as possible. In the meanwhile, you can implement it like proposed in the second part of the blog. For Principal propagation, we will add a new blog to explain in details how to configure it.

BR, Matthieu
nick_scherer3
Participant
‎08-12-2017 6:42 PM
0 Kudos
hello Matthieu

is it not possible, that you could check my HCP and Connector please? Have implemented Connector 2.10 but have doubts i have done all well and it will work.

What i want to achieve is: properly working in WEB IDE for Fiori and IoT.
For sapui5 i need to be connected to the latest s4h system.

I have Team Viewer 12 if you would be so kind and help me. please give me your email Adresse for further communication.
Many thanks for your help.

Nick
Manjunath
Product and Topic Expert
Product and Topic Expert
‎08-24-2017 11:26 AM
0 Kudos

HI Matthieu

Im running CloudConnector (CC) on my location machine and trying to create a new subaccount. have a look at the screenshot.

Getting this error while doing initial setup. (Attachemnts: 1 & 2)

417 An authorization problem occurred when downloading the configuration. Check the spelling of the subaccount name, user, and password — see ”Logs” for details

Seems, I have all the prerequisites on the org and space in CF.

My subaccount is created just 2 days back.

What is that Im missing here.

 

MatthieuPelatan
Advisor
Advisor
‎09-11-2017 1:58 PM
0 Kudos
Hi Manjunath,

is it a trial account? Do you have a proxy?

Best,

Matthieu
Former Member
‎09-28-2017 2:41 PM
0 Kudos
Hi Matthieu,

 

I do have the exact same issue. I've tried with and without Proxy-Settings within "SAP Cloud Connector Settings --> Cloud". When using no proxy I did get 500 error.

 

Where are the log files this error message talks about located?

Thanks in advance for any hint.

 

BR André
Former Member
‎10-09-2017 11:54 AM
0 Kudos
Finally we found the solution on our own.

The user used to create the subaccount in SAP Cloud Connector need to be assigned with Administrator role to the CF account. The assignment to the subaccount only is not sufficient.
Former Member
‎10-09-2017 12:07 PM
0 Kudos
Hi, bro

I also encounter the same issue as you when creating subaccount.

"417 An authorization problem occurred when downloading the configuration. Check the spelling of the subaccount name, user, and password: 401 — Unauthorized"

Have you found any solution?
Former Member
‎10-10-2017 7:39 AM
0 Kudos
Hi, Man

You mean to assign the user at subaccount level with "manager" role?

I can only find "manager", "auditor", "billing manger", etc roles there.
Former Member
‎10-10-2017 12:21 PM
0 Kudos
Hi Ming Zhang,

 

assigning the user to the subaccount level is not enough and is not needed.

The user need to be assigned on account level with "Administrator" role.
Former Member
‎10-10-2017 12:22 PM
0 Kudos
Hi Ming Zhang,

as replied to your other post: Your user need to be assigned on Account level not subaccount level. On account level you can assign "Administrator" role.
Former Member
‎10-10-2017 1:23 PM
0 Kudos
Thank you Andre. So you mean to make this user to be assigned with administrator role in application role builder?
Former Member
‎10-11-2017 2:24 PM
0 Kudos

Hi,

I might have explained it very poor. Sorry for this.

When you open the SAP Cloud Platform Cockpit you need to navigate to the Global Account your subaccount belongs to. Once opened you should see on the left hand navigation area the “Members” entry. Open this and add yourself using the “Add Members” button. I guess the only available role is “Administrator” here as I’ve not seen any other.

Hope this helps, sorting you issue.

 

Former Member
‎10-19-2017 1:17 PM
0 Kudos
Hi,

another possible reason for failing could be firewall restrictions.
Please ensure your SAP CloudConnector is able to access this URL: https://connectivitycertsigning.cf.eu10.hana.ondemand.com/certificate/management/v1/trusted/ca/account/<your-sub-account-id>

When accessing this URL for example from your browser given your SAP CloudPlatform credentials you should receive a certificate string.
Former Member
‎10-25-2017 2:50 AM
0 Kudos
Thank you Andre! You point is valid.

I have found the root cause, the subaccount ID here, must be a GUID.

While I my SCP subaccount was provisioned by the command tool xs-security-configuration-0.22.2-jar-with-dependencies.jar, no GUID generated in this way. For all guys, please aware this tool has been deprecated!

So I have requested the SCP platform about how to migrate my SCP subaccount or simply re-provision it...
former_member393658
Explorer
‎11-06-2017 6:09 AM
0 Kudos
Hello,

When I try to connect CF with R3 On Premise, i get the following error

417 An authorization problem occurred when downloading the configuration. Check the spelling of the subaccount name, user, and password: 401 — Unauthorized

Any clue on how to solve this?

Regards
Vamsi
former_member242922
Participant
‎11-08-2017 12:08 PM
0 Kudos
Hello,

While Starting my cloud foundry trial, I get the below error



When I tried to manually create organization, I get the below failure



Could someone please help me resolve?

Many thanks,

Shiny
Srdjan
Product and Topic Expert
Product and Topic Expert
‎12-11-2017 11:11 AM
0 Kudos
Are RFC destinations already available, or when expected to be available?
MatthieuPelatan
Advisor
Advisor
‎12-20-2017 9:51 AM
0 Kudos
Thanks Andre. This info was missing in the blog. I have added it now.

"Please be aware that the user needs the "Administrator" role on the global account and not only on the subaccount level. It's already setup by default for the trial account but if you are using your own account, please keep it in mind."
MatthieuPelatan
Advisor
Advisor
‎12-20-2017 9:54 AM
0 Kudos
Hi Srdjan,

RFC is today not supported in the Cloud Foundry environment but we are working on it to make it available asap.

Best,

Matthieu
MatthieuPelatan
Advisor
Advisor
‎12-20-2017 9:58 AM
0 Kudos
Hi Vamidhar,

do you still have issue by connecting it?

Can you please give more info?

Best,

Matthieu
former_member230714
Explorer
‎12-21-2017 3:49 PM
0 Kudos
Hi Matthieu,

first of all very nice blog with good explanation. I tried to follow the step which you have given.However i am not getting any region host for api.cf.eu10.hana.ondemand.com  in HCC while adding sub-account. I already upgraded my HCC to version 2.10.2.below are the screenshot.

What could be the reason.



 



 

Regards

Shadan
MatthieuPelatan
Advisor
Advisor
‎02-07-2018 9:58 PM
0 Kudos
Hi Shadan,

strange, I've just downloaded the same version from the hana-tools page and I'm able to see all regions in the dropdown list. Which OS do you have and is it the productive or the portable version?

See below my screenshot of the mac version...

former_member3465
Employee
Employee
‎03-13-2018 9:22 PM
0 Kudos
Hi Matthieu - Is RFC support available in CF environment now? Or, what is the timeline for this support? Thanks.
MatthieuPelatan
Advisor
Advisor
‎03-21-2018 10:04 PM
0 Kudos
Hi Sunil,

it's unfortunately still not available in CF. The plan is to have it for the end of Q3 2018.

Best,

Matthieu
Former Member
‎04-04-2018 7:47 AM
0 Kudos
Hi Matthieu,

I'm using my CF trial account, and I'm facing the same issue. (Cloud Connector 2.11.0.3)

417 An authorization problem occurred when downloading the configuration. Check the spelling of the subaccount name, user, and password: 401 — Unauthorized

From Cloud Connector trace, I see accessing the following URL got 401 error.

#Executing Http Get request to https://connectivitycertsigning.cf.eu10.hana.ondemand.com:443/certificate/management/v1/trusted/ca/a...

#Returned Http Response with code 401

Is it possible my user (my SAP I number) is not the Administrator of the global account? Per your comments, "...  It’s already setup by default for the trial account ...". But I just cannot check if it is, because there is no ''Members" entry in the left side navigation of the trial global account on the Cockpit.

Thanks,

Jian

 
MatthieuPelatan
Advisor
Advisor
‎04-04-2018 9:09 AM
0 Kudos
Hi Jian,

 

as mentioned in my blog, the configuration for SAP internal landscapes is slightly different. Drop me an email for more details.

Best,

Matthieu
Former Member
‎04-18-2018 10:12 AM
0 Kudos
Hi Matthieu,

I have deployed my HTML 5 on the Neo environment using Destination and Cloud Connector to access my xsjs service etc on the XS Engine. How would I go about by passing the standard HCP login screen or do I need to use Cloud Foundry to this ?

Also if I need to deploy to cloud foundry, will the way I am currently doing my http calls change as it was written to work with the neo environment destination. I am battling a bit to get the existing app to connect to the XS Engine service from the Cloud Foundry.

Kind Regards,

Brenden

 

 
jmattfeld
Participant
‎05-07-2018 10:42 AM
0 Kudos

Hi matthieu.pelatan,

I just completed the tutorial, my tunnel works, and I successfully connected a UI5 app to our on-premise systems.

However, the region host is still displayed in red (Region host cannot be reached), which doesn’t seem to make much sense.

Is this the standalone account bug you were talking about?

Thanks,
Jan

MatthieuPelatan
Advisor
Advisor
‎05-07-2018 3:09 PM
Hi Jan,

thanks for the info. I will need more info from your side. Let's take it offline. I will contact you.

Best,

Matthieu
jmattfeld
Participant
‎05-25-2018 1:07 PM
0 Kudos
An update to the current SAP JVM 8 fixed the display bug.
arviii
Discoverer
‎07-10-2018 12:16 PM
0 Kudos
Hi matthieu.pelatan,

very interesting blog!

I deployed a Node.js app on Cloud Foundry and i'm trying to allow the app reach an on-premise Hana via TCP (for direct SQL connection,e.g. calling stored procedures) but i can't figure how through CF connectivity.

 

Is TCP connection available in cloud foundry or we only have HTTP at the moment?

 

Thanks a lot,

Valerio

 

 
MatthieuPelatan
Advisor
Advisor
‎07-10-2018 12:18 PM
0 Kudos
Hi Valerio,

 

TCP is today not available in the Cloud Foundry environment.

Best,

Matthieu
madhav_kunapareddy2
Explorer
‎08-06-2018 12:33 PM
0 Kudos
Hi Mattieu,

 

Greetings. Thanks for writing this blog. We are trying to use a trial account and trying to connect on-premise system using SCC 2.11.1 and HCP - Neo environment using a trial account.

 

Though we are able to create Access control and the resources, the cloud connector in HCP shows as NOT CONNECTED. There is no cloud connector connected to this subaccount.

We tried all possible solutions mentioned but missing the Administrator role on Global account part of this blog.

 

During registration, the region we have opted is Europe (Frankfurt) and hence the region we have used in scc is Europe (Frankfurt)

Any suggestions are highly appreciated

 

Thanks and Regards

Maddhav

 

 
madhav_kunapareddy2
Explorer
‎08-06-2018 12:47 PM
0 Kudos
Hi Matthieu,

 

Further to this, we tried this link

https://connectivitycertsigning.cf.eu10.hana.ondemand.com/certificate/management/v1/trusted/ca/accou...; (we use this subaccount to create the initial configuration in scc)

 

It says access denied

 

Would this be an issue of cloud connector not connecting with HCP

 

Thanks and Regards

Maddhav
former_member237427
Explorer
‎08-28-2018 6:31 AM
0 Kudos
Hi Matthieu,

Thanks for this blog. I also suffered from the authorization problem which says "417 An authorization problem occurred when downloading the configuration. Check the spelling of the subaccount name, user, and password: 401 — Unauthorized". So I tried the link:

https://connectivitycertsigning.hana.ondemand.com/certificate/management/v1/trusted/ca/account/8b3e9...

Since the global account is on Europe(Rot), I changed the URL a little bit. But when trying to logon, the access was always denied. I'd like to ask, is the url modification correct? If yes, why I can't logon with the user and password which I use to log on windows everyday?

Best Regards,

George

 
waelkensd
Explorer
‎09-05-2018 7:59 AM
Salut Mathieu,

we're setting up SCP combined with SAC and connections to internal systems (BO, SAP HANA, SAP BW) with the method you describe abvoe.

One particularity though is that we want the links to the on premise systems to work both from inside the company network as well as outside of the company network.

We did this for SAC by using a split DNS for the live connections to our BW systems and this seems to work.

So now the question rises what we need to specify in the virtual host name field in this particular case? A Fully Qualified Hostname which points to a public IP which resolves to an internal IP when used internally? If yes, then I guess we'll need to set up a web dispatcher to transfer the requests to the appropriate systems.

Regards,

Dieter

 
former_member319865
Explorer
‎09-07-2018 8:03 PM
0 Kudos
Hi Matthieu,

As suggested, I dropped you an email asking for more details about the configuration for SAP internal landscapes.

While I can connect from SCC to my CF trial sub-account, I keep getting 403-Forbidden when trying to connect to a CF canary sub-account (even though I have administrator permissions at the global account level and OrgManager rights at the sub-account level).

Please let me know how the configuration to SAP Internal landscapes (e.g. Canary in this case) is different from trial.

Thanks,

Diego
former_member536670
Discoverer
‎10-02-2018 9:49 PM
0 Kudos
Hi George,

Under Europe(Rot),  you can choose Cloud Foundry Trial Europe(Frankfurt). I think subaccount under Neo will not work.  Since I tried with Neo env and it didn't work firstly but with Cloud Foundry env worked well.

Hope this helps.

Best regards,

Shuai
hernangcardoso
Member
‎10-11-2018 10:53 PM
0 Kudos

Hello matthieu.pelatan,
Hope you’re doing fine,

We’re currently facing this issue, checking if there’s any workaround to avoid using a custom connector. It might be possible to deploy the whole app in CF, and setup in a Neo environment the Jco + Connectivity service in order to consume RFCs destinations. Still wonder if it’s the best choice later in production.

Do you know if there’s any other known alternative for this? Maybe connectivity/destination handling at the Jco level?

Thanks.

philipp_seiler
Discoverer
‎11-22-2018 1:49 PM
0 Kudos
Hi Matthieu,

thanks for this blog! I've just set up our existing Cloud Connector to connect to our two Cloud Foundry subaccounts but the Cloud Connector can't connect as it gets the error "Invalid status of handshake response: 400 Bad Request".

In the "Connector State" the region host can be reached and the "Refresh subaccount certificate" button works without an error message when putting in my user/password.

Do you have any idea what could be wrong here?

Best regards,

Philipp
philipp_seiler
Discoverer
‎11-30-2018 12:20 PM
0 Kudos
Has been fixed with updating the Cloud Connector from 2.11.1 to 2.11.2 🙂
former_member599186
Member
‎12-28-2018 9:10 AM
0 Kudos
Hi Mathieu,

 

I am trying to connect to ldap through connectivity service  in java but  i am  not able to connect due to it is a ldap protocol not Http .Please suggest solution

 

Regards,

Himesh Dubey
former_member269587
Explorer
‎03-11-2019 6:21 AM
0 Kudos
Hi matthieu.pelatan

 

Great Blog - It did help us with configuration for CF with Back-end system for OData.

 

Now we trying out the S4HANA SDK to consume a RFC enabled FM in CF using the Connectivity Service and destination Service.

Is RFC destination is supported end to end now in SCP CF ?

 

Regards,

John
MatthieuPelatan
Advisor
Advisor
‎03-14-2019 11:10 AM
0 Kudos

Update: Tutorial on how to call a function module in an on-premise ABAP system via RFC: https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/bfcb54ca058f4b1dafd26e438ff...

MatthieuPelatan
Advisor
Advisor
‎04-04-2019 5:15 PM
0 Kudos
Yes, see the official documentation: https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/bfcb54ca058f4b1dafd26e438ff...

Best,

Matthieu
zakzhang
Employee
Employee
‎04-24-2019 9:50 AM
0 Kudos

Hi matthieu.pelatan

TEMPThank you very much for you're blog.

i has a issue when i try to rebuild teh connectivity-app-demo, some sap dependency can’t be download from teh https://repo.maven.apache.org repo. so i guess you are useing another repo , can you share you used repo.

 

Br,

Zak.

ArcherZhang
Advisor
Advisor
‎07-12-2019 11:00 AM
0 Kudos
Hi matthieu.pelatan

Cloud you please take a look at this:https://answers.sap.com/questions/12730099/issue-while-connecting-on-premise-system-to-scp-ab.html

BRs,

Archer
Labels in this area
Popular Blog Posts