Operating Cloud Connector

How does the Cloud Connector work? Watch the video to learn more.​

The Cloud Connector also supports service channels. In the video you will find out more about it.

The Cloud Connector provides a secure means of connecting cloud applications to on-premise applications. Service channels can allow on-premise database tools to access specific SAP BTP services.

Cloud Connector on SAP Help Portal

Before installing the SAP Cloud Connector, ensure your system meets the necessary prerequisites, such as supported operating systems and the appropriate version of the Java Development Kit (JDK). Allocate between 1 and 20 GB of disk space for configuration, audit logs, and trace files. The Cloud Connector Administration UI, built with SAPUI5, can be accessed via any supported web browser. It’s crucial to understand the typical network topology and determine the optimal placement of the Cloud Connector within various network zones. Lastly, adhere to the hardware sizing recommendations for small, medium, and large installations, taking into account CPU, RAM, and disk space requirements.

Cloud Connector prerequisites on SAP Help Portal

As a prerequisite for the installation of Cloud Connector on Linux, first make sure that you:

• Use the supported 64-bit operating systems,
• Prepared a supported JDK,
• Downloaded the portable version (as tar.gz archive) or the installer version (as compressed RPM installer).

1. Extract the tar.gz file to an arbitrary directory on your local file system using the command:

   tar -xzof sapcc-<version>-linux-<platform>.tar.gz.

2. Go to this directory and start the Cloud Connector using the go.sh script.

1. Extract the sapcc-<version>-linux-<platform>.zip archive to an arbitrary directory by using the command unzip sapcc-<version>-linux-<platform>.zip
2. Go to this directory and install the extracted RPM using the following command as the root user:

   rpm -i com.sap.scc-ui-<version>.<arch>.rpm

In the demonstration below you will see how to install the Cloud Connector on Linux.

After installation via the RPM manager, the Cloud Connector process is started automatically and registered as a daemon process, which ensures the automatic restart of the Cloud Connector after a system reboot.

To start, stop, or restart the process explicitly, open a command shell and use the following commands, which require root permissions:

• service scc_daemon start|stop|restart (on System V distributions)

• systemctl start|stop|restart scc_daemon (on systemd distributions)

As a prerequisite for the installation of Cloud Connector on Windows, first make sure that you:

• Use the supported 64-bit operating systems.
• Installed Microsoft Visual Studio C++ 2013 and Microsoft Visual Studio C++ 2019 runtime libraries (required for SAP JVM).
• Prepared a supported JDK.
• Downloaded the portable version (as ZIP archive) or the installer version (as MSI package).

1. Extract the <sapcc-<version>-windows-x64.zip> ZIP file to an arbitrary directory on your local file system.
2. Set the environment variable JAVA_HOME to the installation directory of the JDK that you want to use to run the Cloud Connector. Alternatively, you can add the bin subdirectory of the JDK installation directory to the PATH environment variable.
3. Go to the Cloud Connector installation directory and start it using the go.bat batch file.

1. Start the installer by double-clicking it.
2. The installer guides you through the installation. Some of the dialogs are:
   1. The desired installation directory
   2. The port of the Administration UI (default value is 8443)
   3. The JDK

The Cloud Connector is started as a Windows service in the productive use case. Therefore, installation requires administration permissions. After installation, manage this service under Control Panel → Administrative Tools → Services. The service name is Cloud Connector. Make sure that the service is executed with a user that has limited privileges. Typically, the privileges allowed for service users are defined by your company policy. Adjust the folder and file permissions to be manageable by only this user and system administrators.

As a prerequisite for the installation of Cloud Connector on macOS, first ensure that you:

• Use the supported 64-bit operating systems.
• Have prepared a supported JDK.
• You've downloaded the tar.gz archive for the developer use case on macOS.

1. Extract the tar.gz file to an arbitrary directory on your local file system using the command tar -xzof sapcc-<version>-macosx-x64.tar.gz
2. Go to this directory and start Cloud Connector using the go.sh script.

Now, you're able to install the Cloud Connector.

• Installation on Linux OS on SAP Help Portal.
• Installation on Microsoft Windows OS on SAP Help Portal
• Installation on macOS X on SAP Help Portal

The Cloud Connector is primarily configured and administered using a web interface. To access the Cloud Connector user interface, enter the following URL in a supported web browser:

https://<hostname>:<port>

• <hostname> refers to the machine on which the Cloud Connector is installed. If installed on your machine, you can simply enter localhost.
• <port> is the Cloud Connector port (the default port is 8443).

On the logon screen, enter the following credentials:

When you first log in, you must change the password before you continue. The Cloud Connector does not check the strength of your new password. Select a strong password that can’t be guessed easily.

Now, you’re able to exchange UI certificates.

Exchange UI Certificates in the Administration UI on the SAP Help Portal

Within your SAP BTP Cockpit, navigate to the Account Explorer and note the fields Provider and Region of your respective subaccount. To determine the Subaccount ID, select the tile representing your respective subaccount.

Within the Administration UI for your Cloud Connector, navigate to Define Subaccount and enter this data. After you saved your input, the secure tunnel between your Cloud Connector and your SAP BTP subaccount has been established.

Within your SAP BTP Cockpit, you can check the status of Cloud Connectors connected to a subaccount at Connectivity → Cloud Connectors.

The demonstration below shows you how to configure the first subaccount.

You can connect to several subaccounts within a single Cloud Connector installation. Those subaccounts can use the Cloud Connector concurrently with different configurations. By selecting a subaccount from the dropdown box, all tab entries show the configuration, audit, and state, specific to this subaccount. In the case of audit and traces, the cross-subaccount info is merged with the subaccount-specific parts of the UI.

If you want to connect an additional subaccount with your on-premise landscape, simply press the Add Subaccount button, which opens a dialog that is similar to the initial configuration operation when establishing the first connection.

Now, you’re able to configure subaccounts in your Cloud Connector.

Managing Subaccounts on SAP Help Portal

In the following, the widely used HTTP protocol is covered as an example in more details. The figure shows the overall workflow to securely use the HTTP protocol.

To set up a mutual authentication between the Cloud Connector and any back-end system it connects to, you can import an X.509 client certificate into the Cloud Connector. The Cloud Connector then uses the so-called system certificate for all HTTPS requests to back ends that request or require a client certificate. The CA that signed the Cloud Connector’s client certificate must be trusted by all back-end systems to which the Cloud Connector is supposed to connect.

There are three options on how to provide the system certificate:

• Upload an existing X.509 certificate
• Upload the signed UI certificate
• Generate a self-signed system certificate (for example: for a demo scenario)

All options are offered in the Cloud Connector Administration UI at Configuration → ON PREMISE → System Certificate.

By default, the Cloud Connector does not trust any on-premise system when connecting to it via HTTPS. To enable secured communication, you must add trusted certificate authorities (CAs) to the allowlist. Any server certificate that has been issued by one of those CAs will be considered trusted.

To maintain the trust store, in the Cloud Connector Administration UI navigate to Configuration → ON PREMISE → Trust Store.

To allow your cloud applications to access a certain back end system on the intranet via HTTP, you must specify this system in the Cloud Connector.

To do so, start the wizard offered in the Cloud Connector Administration UI at Cloud To On-Premise → ACCESS CONTROL.

To expose an AS ABAP-Based on-premise SAP system, provide the following:

1. Back-end Type: ABAP System.
2. Protocol: HTTP or HTTPS.
3. Internal Host and Internal Port: the actual host and port under which the on-premise SAP system can be reached within your intranet.
4. Virtual Host and Virtual Port: enter the host name exactly as specified in the <URL> property of the HTTP destination configuration in SAP BTP. The virtual host can be a fake name and does not need to exist. The Virtual Port allows you to distinguish between different entry points of your back end system, for example, HTTP/80 and HTTPS/443, and to have different sets of access control settings for them.
5. Allow Principal Propagation: defines if any kind of principal propagation should be allowed over this mapping. If selected, also define what kind of Principal Type is sent to the on-premise SAP system within the HTTP request.
6. System Certificate for Logon: select if the Cloud Connector's system certificate should be used for authentication at the back end.
7. Host In Request Header lets you define which host is used in the host header that is sent to the target server. By choosing Use Internal Host, the actual host name is used. When choosing Use Virtual Host, the virtual host is used.
8. Description: optional description text
9. Check Internal Host: this allows you to make sure the Cloud Connector can indeed access the on-premise SAP system.

In addition to allowing access to a particular host and port, you also must specify which Resources (URL paths, also known as Internet Communication (ICF) Services) are allowed to be invoked on that host. The Cloud Connector uses strict allowlists for its access control. Only those ICF services for which you explicitly granted access are allowed. All other HTTP(S) requests are denied by the Cloud Connector.

In the simulation below you will configure access control.

Now, you’re able to expose an AS ABAP-based SAP system for HTTP(S) access.

Configure Access Control on the SAP Help Portal

Now you’re able to outline how to connect an On-Premise application to SAP BTP.