Overview
SAP BTP Connectivity allows SAP BTP applications to securely access remote services that run on the Internet or on-premise. This component facilitates the following:
- It allows subaccount-specific configuration of application connections using destinations.
- It provides a Java API that application developers can use to consume remote services.
- It allows you to make connections to on-premise systems, using the Cloud Connector.
- It lets you establish a secure tunnel from your on-premise network to applications on SAP BTP, while you keep full control and auditability of what is exposed to the cloud.
- It supports both the Neo and the Cloud Foundry environment for application development on SAP BTP.
A typical scenario for connecting your on-premise network to SAP BTP looks like this:
- Your company owns a global account on SAP BTP and one or more subaccounts that are assigned to this global account.
- Using SAP BTP, you subscribe to or deploy your own applications.
To connect to these applications from your on-premise network, the Cloud Connector administrator sets up a secure tunnel to your company's subaccount on SAP BTP.
The platform ensures that the tunnel can only be used by applications that are assigned to your subaccount.
Applications assigned to other (sub)accounts cannot access the tunnel. It is encrypted using transport layer security (TLS), which guarantees connection privacy.
For inbound connections (calling an application or service on SAP BTP from an external source), you can use Cloud Connector service channels (on-premise connections) or the respective API endpoints of your SAP BTP region (Internet connections).
Features
SAP BTP Connectivity supports the following protocols and scenarios:
Protocols and Scenarios
| Protocol | Scenario |
|---|---|
| HTTP(S) | Exchange data between your cloud application and Internet services or on-premise systems.
|
| RFC | Invoke on-premise ABAP function modules using RFC.
|
| TCP | Access on-premise systems using TCP-based protocols using a SOCKS5 proxy. |
Installation
Choose a procedure to install the Cloud Connector on your operating system.
Portable Version vs. Installer Version
On Microsoft Windows and Linux, two installation modes are available: a portable version and an installer version. On Mac OS X, only the portable version is available.
The portable version can be installed easily, by extracting a compressed archive into an empty directory. It does not require administrator or root privileges for the installation, and you can run multiple instances on the same host.
Restrictions:
You cannot run it in the background as a Windows Service or Linux daemon (with automatic start capabilities at boot time).
The Portable version does not support an automatic upgrade procedure. To update a portable installation, you must delete the current one, extract the new version, and then re-do the configuration.
Portable versions are meant for non-productive scenarios only.
The environment variable JAVA_HOME is relevant when starting the instance, and therefore must be set properly.
The Installer version requires administrator or root permissions for the installation and can be set up to run as a Windows service or Linux daemon in the background. You can upgrade it easily, retaining all the configuration and customizing.
Network Zones
Choose a network zone for your Cloud Connector installation.
A customer network is usually divided into multiple network zones or subnetworks according to the security level of the contained components. For example, the DMZ that contains and exposes the external-facing services of an organization to an untrusted network, usually the Internet, and there are one or more other network zones which contain the components and services provided in the company’s intranet.
You can generally choose the network zone in which to set up the Cloud Connector:
Internet access to the SAP BTP region host, either directly or via HTTPS proxy.
Direct access to the internal systems it provides access to, which means that there is transparent connectivity between the Cloud Connector and the internal system.
The Cloud Connector can be set up either in the DMZ and operated centrally by the IT department or set up in the intranet and operated by the appropriate line of business.
Network Zones
Choose a network zone for your Cloud Connector installation.
A customer network is usually divided into multiple network zones or sub-networks according to the security level of the contained components. For example, the DMZ that contains and exposes the external-facing services of an organization to an untrusted network, usually the Internet, and there are one or more other network zones which contain the components and services provided in the company’s intranet.
You can generally choose the network zone in which to set up the Cloud Connector:
Internet access to the SAP BTP region host, either directly or using HTTPS proxy.
Direct access to the internal systems it provides access to, which means that there is transparent connectivity between the Cloud Connector and the internal system.
The Cloud Connector can be set up either in the DMZ and operated centrally by the IT department or set up in the intranet and operated by the appropriate line of business.
Starting the Cloud Connector
After installation, the Cloud Connector is registered as a Windows service that is configured to be started automatically after a system reboot. You can start and stop the service using shortcuts on the desktop ("Start Cloud Connector" and "Stop Cloud Connector"), or by using the Windows Services manager and look for the service SAP Cloud Connector.
Access the Cloud Connector administration UI at https://localhost:<port>, where the default port is 8443 (but this port might have been modified during the installation).
Open a browser and enter the following: https://<hostname>:8443. <hostname> is the host name of the machine on which you have installed the Cloud Connector. If you access the Cloud Connector locally from the same machine, you can simply enter localhost.
Initial Configuration
After installing and starting the Cloud Connector, log on to the administration UI and perform the required configuration to make your Cloud Connector operational.
Log on to the Cloud Connector
To administer the Cloud Connector, you need a web browser. To check the list of supported browsers, see Prerequisites and Restrictions → section Browser Support.
In a web browser, enter: https://<hostname>:<port>
<hostname> refers to the machine on which the Cloud Connector is installed. If installed on your machine, you can simply enter localhost.
<port> is the Cloud Connector port specified during installation (the default port is 8443).
On the logon screen, enter Administrator / manage (case sensitive) for <User Name> / <Password>.
Change your Password and Choose Installation Type
When you first log in, you must change the password before you continue, regardless of the installation type you have chosen.
Choose between master and shadow installation. Use Master if you are installing a single Cloud Connector instance or a main instance from a pair of Cloud Connector instances.
You can edit the password for the Administrator user from Configuration in the main menu, the User Interface tab, and the section, Authentication:
NoteA username and password cannot be changed at the same time. If you want to change the username, you must enter only the current password in a first step. Do not enter values for <New Password> or <Repeat New Password> when you are changing the username. To change the password in second step, enter the old password, the new one, and the repeated (new) password, but leave the username unchanged.
Set up Connection Parameters and HTTPS Proxy
When you are logging in for the first time, the following screen is displayed every time you choose an option from the main menu that requires a configured subaccount:
If your internal landscape is protected by a firewall that blocks any outgoing TCP traffic, you must specify an HTTPS proxy that the Cloud Connector can use to connect to SAP BTP. Normally, you must use the same proxy settings as those being used by your standard Web browser. The Cloud Connector needs this proxy for two operations:
- Download the correct connection configuration corresponding to your subaccount ID in SAP BTP.
- Establish the SSL tunnel connection from the Cloud Connector user to your SAP BTP subaccount.
NoteIf you want to skip the initial configuration, you can select the icon in the upper-right corner. You might need this in case of connectivity issues shown in your logs.
If you later want to change your proxy settings (for example, because the company firewall rules have changed), choose Configuration from the main menu and go to the Cloud tab, section HTTPS Proxy. Some proxy servers require credentials for authentication. In this case, you must provide the relevant user/password information.
If you want to change the description for your Cloud Connector, choose Configuration from the main menu, go to the Cloud tab, the Connector Info section and edit the description:
Establish Connections to SAP BTP
As soon as the initial setup is complete, the tunnel to the cloud endpoint is open, but no requests are allowed to pass until you have performed the Access Control setup, see Configure Access Control.
To manually close (and reopen) the connection to SAP BTP, choose your subaccount from the main menu and select the Disconnect button (or the Connect button to reconnect to SAP BTP).
The green icon next to Region Host indicates that it is valid and can be reached (as shown in the figure, Subaccount Overview).
If an HTTPS Proxy is configured, its availability is shown the same way. In the figure, Subaccount Overview, the grey diamond icon next to HTTPS Proxy indicates that connectivity is possible without proxy configuration.
In case of a timeout or a connectivity issue, these icons are yellow (warning) or red (error), and a tool-tip shows the cause of the problem. Initiated By refers to the user that has originally established the tunnel. During normal operations, this user is no longer needed. Instead, a certificate is used to open the connection to a subaccount.
The status of the certificate is shown next to Subaccount Certificate. It is shown as valid (green icon), if the expiration date is still far in the future and turns to yellow if expiration approaches according to your alert settings. It turns red as soon as it has expired.
