Creating Direct Live Data Connections Secured by SAP Web Dispatcher

So, what else can do you do when some users are on the internet and don’t have direct access to the backend systems? For example, if the browser accessing the system is in the public domain and can't directly access the data sources or the SAML IdP.

To allow the browser to connect to the backend systems, you must publish the systems to the internet. Various infrastructure options can be used, such as port mapping, but the most commonly used approach is to deploy a reverse proxy in your DMZ. In this case, the sole purpose of the reverse proxy is to publish the backend system to the internet. If SSO is used, then the SAML endpoints must also be accessible using the reverse proxy.

Let's take a closer look at using a reverse proxy, such as the SAP Web Dispatcher, when creating direct live data connections to on-premise data sources.

Let's explore the standard process for creating live reverse proxy data connections to on-premise data sources using SAP Web Dispatcher to secure the data. Creating live data connections to on-premise data sources can be broken down into three key steps:

1. Configure SAP Web Dispatcher as a reverse proxy.
2. Update the SAML2 service provider endpoints.
3. Create the live data connection in SAP Analytics Cloud.

We'll use SAP HANA as the example on-premise data source in this lesson. In this scenario, users need to create stories in SAP Analytics Cloud using data that is held in SAP HANA, so a live connection will be created.

This step is completed by the SAP NetWeaver administrator. This step is completed in the SAP Web Dispatcher admin UI.

SAP Web Dispatcher is always delivered as part of another SAP product and the release notes are part of that product. The installation files and documentation can be found by searching for SAP Web Dispatcher on https://me.sap.com/ (account required).

While the detailed instructions are found in the documentation, a summary of the steps include:

1. Install and start the SAP Web Dispatcher.
2. Establish SSL trust between SAP Web Dispatcher and the backend system.

   SSL trust can be established using the SAP Web Dispatcher admin UI, which can be accessed using https://<host>:<https_port>/sap/wdisp/admin, the user webadm, and the installation master password.

   Export the SAP HANA certificate (as a base-64 encoded X.509 .cer file) and then import it to SAPSSLC.pse in PSE Management in SAP Web Dispatcher.

3. Add a routing rule to the sapwebdisp.pfl file that is located in the SAP Web Dispatcher's installation directory.

   To # Backend System, add a routing rule so that all web requests to SAP Web Dispatcher on the HTTPS Port are routed to SAP HANA. All incoming requests received on SAP Web Dispatcher port 4310 are routed to SAP HANA port 4302.

   wdisp/system_0= SID=HDB, EXTSRV=https://<host>:4302, SRCURL=/, SRCVHOST=<host>:<https_port>
4. Restart SAP Web Dispatcher.
5. Validate that the routing rule is working correctly using https://<host>:<https_port>/sap/public/icman/ping.

Once the SAP Web Dispatcher is configured, they provide you with the Host and HTTPS Port as you will need them when creating the connection in SAP Analytics Cloud.

This step is completed by the SAP NetWeaver administrator. This step is completed in the SAP NetWeaver admin UI.

The SAP NetWeaver administrator will:

1. Access the SAP HANA A4HDB entry in the SAP NetWeaver IdP.
2. Update the Assertion Consumer Endpoints .

   HTTP Post: https://<host>:<https_port>/sap/hana/xs/saml/login.xscfunc

3. Update the Single Log-Out Endpoints.

   HTTP Redirect: https://<host>:<https_port>/sap/hana/xs/saml/logout.xscfunc

This step is completed by you, the SAP Analytics Cloud administrator. A new connection is created in SAP Analytics Cloud.

Data modelers can then use data from this live connection by creating new live models in SAP Analytics Cloud.

We will cover the steps in detail in the practice exercise for this lesson, however, using SAP HANA as an on-premise data source, let's take a look at the summary of the process flow.

1. In the side navigation menu, go to Connections.
2. Select Add Connection and select SAP HANA from the Connect to Live Data options.
3. In the New HANA Live Connection dialog, enter a connection Name and Description.
4. Enter the following information, as provided by the SAP NetWeaver administrator:
   • Enter the Host.
   • Enter the HTTPS Port.
5. Select the Authentication Method that will be used for the connection.
6. Select OK. The new connection is added to the list of connections in the Connections area in SAP Analytics Cloud.

Now, let's explore a second scenario for creating live data connections to on-premise data sources.

Let's take a closer look at creating a live data connection to SAP BW/4HANA, as the process is a little different to other data sources.

This step is completed by the SAP NetWeaver administrator. This step is completed in the SAP Web Dispatcher admin UI and is the same as the standard process, however, the routing rule is set up so that all web requests to SAP Web Dispatcher on the HTTPS Port are routed to SAP BW/4HANA. All incoming requests received on SAP Web Dispatcher port 5310 are routed to SAP BW/4HANA port 50001.

The following line, when added under the # SAP Web Dispatcher Ports area of the file, enables SAP Web Dispatcher to listen on the HTTPS Port:

Once the SAP Web Dispatcher is configured, they provide you with the Host, HTTPS Port, and Client as you will need them when creating the connection in SAP Analytics Cloud.

This step is completed by the SAP NetWeaver administrator. This step is completed in the SAP NetWeaver admin UI.

The SAP NetWeaver administrator will:

1. Access the SAP BW/4HANA BW4A4H entry in the SAP NetWeaver IdP.
2. Update the Assertion Consumer Endpoints.

   HTTP Post: https://<host>:<https_port>/sap/saml2/sp/acs/001

3. Update the Single Log-Out Endpoints.

   HTTP Redirect: https://<host>:<https_port>/sap/saml2/sp/slo/001

This step is completed by you, the SAP Analytics Cloud administrator. A new connection is created in SAP Analytics Cloud.

Data modelers can then use data from this live connection by creating new live models in SAP Analytics Cloud.

We will cover the steps in detail in the practice exercise for this lesson, however, using SAP HANA as an on-premise data source, let's take a look at the summary of the process flow.

1. In the side navigation menu, go to Connections.
2. Select Add Connection and select SAP BW from the Connect to Live Data options.
3. In the New BW Live Connection dialog, enter a connection Name and Description.
4. Enter the following information, as provided by the SAP NetWeaver administrator:
   • Enter the Host.
   • Enter the HTTPS Port.
   • Enter the Client.
5. Select the Authentication Method that will be used for the connection.
6. Select OK. The new connection is added to the list of connections in the Connections area in SAP Analytics Cloud.

While SSO using SAML 2.0 is the recommended approach for live data connections, you can choose None as your authentication option in certain scenarios.

This would be the case if your data source already has a different mechanism configured for authentication or SAML SSO is not supported in the system to which you are connecting.

There are some things to consider when you are evaluating the use of None authentication option:

• The data source has to be configured with an automated authentication option, if it's not done already.
• Although providing an SSO user experience, identities on SAP Analytics Cloud and data source are not centrally managed. The user logged on to SAP Analytics Cloud may not necessarily be the same user logged on to your on-premise data source.
• The authentication option may not work in all use cases. For example, X.509 Client Certificate authentication requires that an existing PKI infrastructure must be in place in the corporate network, and that the user’s browser has access to the user’s certificate.
• Kerberos authentication only works in the intranet scenario, as Kerberos is an intranet authentication protocol.
• SAP Logon Ticket authentication can only be used in embedding scenarios, and the portal that embeds the SAP Analytics Cloud content must be able to issue SAP Logon Ticket beforehand. Additionally, the portal and the data source must be in the same DNS sub-domain.

Remember, the connection is not tested until you create a model. To test your live data connection, you can create an SAP Analytics Cloud model using the newly created connection. In this lesson, we'll use SAP Business Warehouse as an example.

The process is the same for all live models, so, if you have previously covered testing the connection and are familiar with creating live models, then continue to the next section.

1. From the Modeler start page, select Live Data Model from the two Create New options.
2. Select system type SAP BW.

   If you're creating a model from an SAP S/4HANA live data connection, you also select the SAP BW system type.

3. Select your newly created connection.
4. Select the Input Help icon to search for a data source or choose one from a list.
5. The model must be created based on a query or view that contains a measure. Drag data from the Available Data list to the Selected Data and Filters areas to build a query.
6. Select OK.

   If the data appears in the data integration view, then you successfully created the connection.

You can find detailed information on creating a model from a live connection here: Create a Model from a Live Data Connection | SAP Help Portal.