Learning about Installation

Objective

After completing this lesson, you will be able to learn about installation.

SAP BTP Connectivity: Overview and Features

Overview

SAP BTP Connectivity allows SAP BTP applications to securely access remote services that run on the Internet or on-premise. This component facilitates the following:

  • It allows subaccount-specific configuration of application connections using destinations.
  • It provides a Java API that application developers can use to consume remote services.
  • It allows you to make connections to on-premise systems, using the Cloud Connector.
  • It lets you establish a secure tunnel from your on-premise network to applications on SAP BTP, while you keep full control and auditability of what is exposed to the cloud.
  • It supports both the Neo and the Cloud Foundry environment for application development on SAP BTP.

A typical scenario for connecting your on-premise network to SAP BTP looks like this:

  • Your company owns a global account on SAP BTP and one or more subaccounts that are assigned to this global account.
  • Using SAP BTP, you subscribe to or deploy your own applications.

To connect to these applications from your on-premise network, the Cloud Connector administrator sets up a secure tunnel to your company's subaccount on SAP BTP.

The platform ensures that the tunnel can only be used by applications that are assigned to your subaccount.

Applications assigned to other (sub)accounts cannot access the tunnel. The tunnel is encrypted using transport layer security (TLS), which guarantees connection privacy.

For inbound connections (calling an application or service on SAP BTP from an external source), you can use Cloud Connector service channels (on-premise connections) or the respective API endpoints of your SAP BTP region (Internet connections).

Features

SAP BTP Connectivity supports the following protocols and scenarios:

Protocols and Scenarios

Protocol: HTTP(S)
Scenario: Exchange data between your cloud application and Internet services or on-premise systems.
  • Create and configure HTTP destinations to make Web connections.
  • Connect to on-premise systems via HTTP, using the Cloud Connector.

Protocol: RFC
Scenario: Invoke on-premise ABAP function modules using RFC.
  • Create and configure RFC destinations.
  • Make connections to back-end systems using RFC, using the Cloud Connector.

Protocol: TCP
Scenario: Access on-premise systems using TCP-based protocols, using a SOCKS5 proxy.

Installation

Choose a procedure to install the Cloud Connector on your operating system.

Portable Version vs. Installer Version

On Microsoft Windows and Linux, two installation modes are available: a portable version and an installer version. On Mac OS X, only the portable version is available.

The portable version can be installed easily, by extracting a compressed archive into an empty directory. It does not require administrator or root privileges for the installation, and you can run multiple instances on the same host.

Restrictions:

You cannot run it in the background as a Windows Service or Linux daemon (with automatic start capabilities at boot time).

The Portable version does not support an automatic upgrade procedure. To update a portable installation, you must delete the current one, extract the new version, and then re-do the configuration.

Portable versions are meant for non-productive scenarios only.

The environment variable JAVA_HOME is relevant when starting the instance, and therefore must be set properly.

The Installer version requires administrator or root permissions for the installation and can be set up to run as a Windows service or Linux daemon in the background. You can upgrade it easily, retaining all the configuration and customizing.

Network Zones

Choose a network zone for your Cloud Connector installation.

A customer network is usually divided into multiple network zones or subnetworks according to the security level of the contained components. For example, a DMZ contains and exposes the external-facing services of an organization to an untrusted network, usually the Internet, while one or more other network zones contain the components and services provided in the company's intranet.

You can generally choose the network zone in which to set up the Cloud Connector, as long as the Cloud Connector has:

  • Internet access to the SAP BTP region host, either directly or via HTTPS proxy.
  • Direct access to the internal systems it provides access to, which means that there is transparent connectivity between the Cloud Connector and the internal system.

The Cloud Connector can be set up either in the DMZ and operated centrally by the IT department or set up in the intranet and operated by the appropriate line of business.

Starting the Cloud Connector

After installation, the Cloud Connector is registered as a Windows service that is configured to be started automatically after a system reboot. You can start and stop the service using shortcuts on the desktop ("Start Cloud Connector" and "Stop Cloud Connector"), or by opening the Windows Services manager and looking for the service SAP Cloud Connector.

Access the Cloud Connector administration UI at https://localhost:<port>, where the default port is 8443 (but this port might have been modified during the installation).

Open a browser and enter the following: https://<hostname>:8443. <hostname> is the host name of the machine on which you have installed the Cloud Connector. If you access the Cloud Connector locally from the same machine, you can simply enter localhost.

Initial Configuration

After installing and starting the Cloud Connector, log on to the administration UI and perform the required configuration to make your Cloud Connector operational.

Log on to the Cloud Connector

To administer the Cloud Connector, you need a web browser. To check the list of supported browsers, see Prerequisites and Restrictions → section Browser Support.

In a web browser, enter: https://<hostname>:<port>

<hostname> refers to the machine on which the Cloud Connector is installed. If installed on your machine, you can simply enter localhost.

<port> is the Cloud Connector port specified during installation (the default port is 8443).

On the logon screen, enter Administrator / manage (case sensitive) for <User Name> / <Password>.

Change your Password and Choose Installation Type

When you first log in, you must change the password before you continue, regardless of the installation type you have chosen.

Choose between master and shadow installation. Use Master if you are installing a single Cloud Connector instance or a main instance from a pair of Cloud Connector instances.

You can edit the password for the Administrator user from Configuration in the main menu, the User Interface tab, and the section, Authentication:

Note

A username and password cannot be changed at the same time. If you want to change the username, you must enter only the current password in a first step. Do not enter values for <New Password> or <Repeat New Password> when you are changing the username. To change the password in a second step, enter the old password, the new one, and the repeated (new) password, but leave the username unchanged.

Set up Connection Parameters and HTTPS Proxy

When you are logging in for the first time, the following screen is displayed every time you choose an option from the main menu that requires a configured subaccount:

If your internal landscape is protected by a firewall that blocks any outgoing TCP traffic, you must specify an HTTPS proxy that the Cloud Connector can use to connect to SAP BTP. Normally, you must use the same proxy settings as those being used by your standard Web browser. The Cloud Connector needs this proxy for two operations:

  • Download the correct connection configuration corresponding to your subaccount ID in SAP BTP.
  • Establish the SSL tunnel connection from the Cloud Connector user to your SAP BTP subaccount.

Note

If you want to skip the initial configuration, you can select the icon in the upper-right corner. You might need this in case of connectivity issues shown in your logs.

If you later want to change your proxy settings (for example, because the company firewall rules have changed), choose Configuration from the main menu and go to the Cloud tab, section HTTPS Proxy. Some proxy servers require credentials for authentication. In this case, you must provide the relevant user/password information.

If you want to change the description for your Cloud Connector, choose Configuration from the main menu, go to the Cloud tab, the Connector Info section and edit the description:

Establish Connections to SAP BTP

As soon as the initial setup is complete, the tunnel to the cloud endpoint is open, but no requests are allowed to pass until you have performed the Access Control setup, see Configure Access Control.

To manually close (and reopen) the connection to SAP BTP, choose your subaccount from the main menu and select the Disconnect button (or the Connect button to reconnect to SAP BTP).

The green icon next to Region Host indicates that it is valid and can be reached (as shown in the figure, Subaccount Overview).

If an HTTPS Proxy is configured, its availability is shown the same way. In the figure, Subaccount Overview, the grey diamond icon next to HTTPS Proxy indicates that connectivity is possible without proxy configuration.

In case of a timeout or a connectivity issue, these icons are yellow (warning) or red (error), and a tool-tip shows the cause of the problem. Initiated By refers to the user that has originally established the tunnel. During normal operations, this user is no longer needed. Instead, a certificate is used to open the connection to a subaccount.

The status of the certificate is shown next to Subaccount Certificate. It is shown as valid (green icon), if the expiration date is still far in the future and turns to yellow if expiration approaches according to your alert settings. It turns red as soon as it has expired.

To Configure the Cloud Connector for HTTP Communication

Installation of a System Certificate for Mutual Authentication

To set up a mutual authentication between the Cloud Connector and any backend system it connects to, you can import an X.509 client certificate into the Cloud Connector. The Cloud Connector then uses the so-called system certificate for all HTTPS requests to backends that request or require a client certificate. The CA that signed the Cloud Connector's client certificate must be trusted by all backend systems to which the Cloud Connector is supposed to connect.

You must provide the system certificate as a PKCS#12 file containing the client certificate, the corresponding private key and the CA root certificate that signed the client certificate (plus potentially the certificates of any intermediate CAs, if the certificate chain is longer than 2).

Steps

  1. From the left panel, choose Configuration. On the On Premise tab, choose Import System Certificate (a dialog to upload a certificate and provide its password):

  2. A second option is to start a certificate signing request procedure as described for the UI certificate in Exchange UI Certificates in the Administration UI and upload the resulting signed certificate.

  3. As of version 2.10, there is a third option - generating a self-signed certificate. It might be useful if no CA is needed, for example, in a demo setup or if you want to use a dedicated CA. For this option, choose Create and import a self-signed certificate:

  4. If a system certificate has been imported successfully, its distinguished name, the name of the issuer, and the validity dates are displayed:
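To see what the PKCS#12 file described above must contain before you import it, here is an added example (not SAP's code and not part of the original documentation): a POSIX shell script that splits a bundle with the openssl CLI, confirms that the private key, the client certificate and the signing CA chain are all present and consistent, and builds a constructed demo bundle to run the check against. File names, subjects and passwords are assumptions.

```shell
#!/bin/sh
# Added example, not from the SAP documentation: check a PKCS#12 bundle before
# importing it as the Cloud Connector system certificate. The import needs the
# client certificate, its private key and the signing CA chain in one file;
# this confirms that (openssl CLI required; names and passwords are constructed).
set -eu

# check_p12 FILE PASSWORD: 0 only if key, client cert and a verifying chain exist
check_p12() {
    p12=$1 pass=$2 work=$(mktemp -d) rc=0
    # Split the bundle into key, client certificate and CA certificates
    # (the unencrypted key lives only in the temporary directory).
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes -out "$work/key.pem" 2>/dev/null || true
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys -out "$work/leaf.pem" 2>/dev/null || true
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -cacerts -nokeys -out "$work/chain.pem" 2>/dev/null || true
    grep -qs "PRIVATE KEY" "$work/key.pem" || { echo "missing: private key (or wrong password)"; rc=1; }
    grep -qs "BEGIN CERTIFICATE" "$work/leaf.pem" || { echo "missing: client certificate"; rc=1; }
    grep -qs "BEGIN CERTIFICATE" "$work/chain.pem" || { echo "missing: CA certificate(s)"; rc=1; }
    if [ "$rc" -eq 0 ]; then
        # The key must belong to the client certificate: compare the public keys.
        [ "$(openssl x509 -in "$work/leaf.pem" -noout -pubkey)" = "$(openssl pkey -in "$work/key.pem" -pubout)" ] \
            || { echo "private key does not match the client certificate"; rc=1; }
        # The bundled CAs must chain up to a root that signs the client certificate.
        # (All bundled CAs count as trusted here; the backend applies its own trust.)
        openssl verify -CAfile "$work/chain.pem" "$work/leaf.pem" >/dev/null 2>&1 \
            || { echo "CA chain does not verify the client certificate"; rc=1; }
    fi
    [ "$rc" -eq 0 ] && openssl x509 -in "$work/leaf.pem" -noout -subject -issuer -enddate
    rm -rf "$work"
    return "$rc"
}

# make_demo_p12 DIR PASSWORD: throwaway CA, client cert and two bundles so the
# check can be exercised offline (constructed test data, one-day validity).
make_demo_p12() {
    d=$1 pass=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=cloud-connector" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/leaf.pem" 2>/dev/null
    # Complete bundle: key + client certificate + CA, as the import expects.
    openssl pkcs12 -export -inkey "$d/leaf.key" -in "$d/leaf.pem" -certfile "$d/ca.pem" \
        -passout "pass:$pass" -out "$d/full.p12"
    # Bundle without the CA: it imports, but no backend could build trust from it.
    openssl pkcs12 -export -inkey "$d/leaf.key" -in "$d/leaf.pem" \
        -passout "pass:$pass" -out "$d/noca.p12"
}
```

Run `make_demo_p12 /tmp/demo demo-pass` and then `check_p12 /tmp/demo/full.p12 demo-pass` to see a passing bundle; the same check against `noca.p12` reports the missing CA certificates.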

SAP BTP Connectivity: Configuration

Initial Configuration (RFC)

Configure a Secure Network Connection (SNC) to set up the Cloud Connector for RFC communication to an ABAP backend system.

SNC Configuration for Mutual Authentication

To set up a mutual authentication between Cloud Connector and an ABAP backend system (connected using RFC), you can configure SNC for the Cloud Connector. It will then use the associated PSE for all RFC SNC requests. This means that the SNC identity, represented by this PSE, should:

  • Be trusted by all backend systems to which the Cloud Connector is supposed to connect.
  • Play the role of a trusted external system by adding the SNC name of the Cloud Connector to the SNCSYSACL table. You can find more details in the SNC configuration documentation for the release of your ABAP system.
