SAP Cloud Connector (SCC): integrating SAP Business Technology Platform (SAP BTP) to on‐premise - jkmaeda/workload GitHub Wiki

Introduction

Connecting SAP BTP to the on-premise systems is just a prerequisite to enable customers' transformation. Usually, this first step is unclear and details are missed as well. This article aims to provide a real use case scenario that is quite common to many SAP customers and to give you an overview of the different aspects, so that you can quickly get familiar with this topic.

Hybrid Integration Scope

The SAP Cloud Integration Automation Service (CIAS) provides guided workflows for 100+ integration scenarios. However, it is only available for limited regions. Alternatively, the SAP Maintenance Planner could be used as below:

SAP Cloud Connectors are usually deployed for a three-system landscape: Development, Test and Production. Each one connects cloud applications to on-premise systems, i.e., SAP BTP to SAP ERP.

SAP BTP Connectivity: Cloud Connector and Principal Propagation

SAP BTP Connectivity lets you connect your SAP BTP applications to other Internet resources, or to your on-premise systems running in isolated networks. It provides an extensive set of features to choose different connection types and authentication methods. Using its configuration options, you can tailor access exactly to your needs.

SAP Cloud Connector

  • A single Cloud Connector instance can connect to multiple SAP BTP subaccounts, each connection requiring separate authentication and defining its own set of configuration.
  • Usually, a three-system landscape for SAP BTP is implemented according to the Sizing Recommendations and this pilot. The virtual machine can be easily and quickly scaled up.
  • You can connect an arbitrary number of SAP and non-SAP systems to a single Cloud Connector instance.
  • The on-premise system does not need to be touched when used with the Cloud Connector, unless you configure trust between the Cloud Connector and your on-premise system. A trust configuration is required, for example, for principal propagation (single sign-on); see Configuring Principal Propagation.
  • Usually, SAP customers need to enable Principal Propagation via the SAP Web Dispatcher.
  • You can operate the Cloud Connector in a high availability mode. To achieve this, you must install a second (redundant) Cloud Connector (shadow instance), which takes over from the master instance in case of a downtime.
  • The Cloud Connector also supports the communication direction from the on-premise network to the SAP BTP subaccount, using a database tunnel that lets you connect common ODBC/JDBC database tools to SAP HANA as well as other available databases in SAP BTP.
  • The figure below shows a system landscape in which the Cloud Connector is used for secure connectivity between SAP BTP applications and on-premise systems.

Principal Propagation

The Connectivity service provides a secure way of forwarding the identity of a cloud user to the Cloud Connector, and from there to an on-premise system. This process is called principal propagation. It uses a SAML token as the exchange format for the user information. User mapping is done in the back end. The token is forwarded either directly, or an X.509 certificate is generated, which is then used in the back end.

  1. The user authenticates at the cloud application front end via the IdP (Identity Provider) using a standard SAML Web SSO profile. When the backend connection is established by the cloud application, the destination service (re)uses the received SAML assertion to create the connection to the on-premise backend system (BE1-BEm).
  2. The Cloud Connector validates the received SAML assertion for a second time, extracts the attributes, and uses its STS (Security Token Service) component to issue a new token (an X.509 certificate) with the same or similar attributes to assert the identity to the backend.
  3. The Cloud Connector and the cloud application share the same SAML service provider identity, which means that the trust is only set up once in the IdP. For more information, you can also watch the 5-minute video of SAP BTP Core Services: Principal Propagation from the SAP Business Technology Platform Workshop: Hybrid Security, or find more details in the YouTube video below from SAP TechEd: Single-Sign On and Principal Propagation in Multi-Cloud Environments.

Security Considerations

You can find the information we need on security, compliance, privacy, and cloud service performance on SAP Trust Centre. There you can also find and request the right SAP compliance documents for our business needs including ISO/IEC certifications, SOC reports, Bridge letters, and attestations.

Network Considerations

For the SAP Cloud Connector, the internal network must allow access to the required ports; the specific configuration depends on the firewall software used. The default ports are 80 for HTTP and 443 for HTTPS. For RFC communication, you need to open a gateway port (default: 33<instance number>) and an arbitrary message server port. For a connection to a HANA database (on SAP BTP) via JDBC, you need to open an arbitrary outbound port in your network. Mail (SMTP) communication is not supported. Applications run under the default SAP BTP domains, hana.ondemand.com and cloud.sap, which must be whitelisted in the Zscaler proxy and allowed in the firewall.

Environment Considerations

  • Environments constitute the actual platform-as-a-service offering of SAP BTP that allows for the development and administration of business applications. Environments are anchored in SAP BTP on subaccount level.
  • Each environment comes equipped with specific tools, technologies, and runtimes that you need to build applications. So a multi-environment subaccount is your single address to host a variety of applications and offer diverse development options. One advantage of using different environments in one subaccount is that you only need to manage users, authorizations, and entitlements once per subaccount, and thus grant more flexibility to your developers.

To actually use an environment in a subaccount, you need to enable it by creating an instance of that environment:

  • Cloud Foundry: The Cloud Foundry environment allows you to create polyglot cloud applications in Cloud Foundry. It contains the SAP BTP, Cloud Foundry runtime service, which is based on the open-source application platform managed by the Cloud Foundry Foundation.
  • ABAP Environment: Within the Cloud Foundry environment, you can create a new space for ABAP development. This is what we refer to as the ABAP environment. It allows you to create extensions for ABAP-based products, such as SAP S/4HANA Cloud, and develop new cloud applications. You can transform existing ABAP-based custom code or extensions to the cloud.
  • Kyma Environment: SAP BTP, Kyma runtime provides a fully managed cloud-native Kubernetes application runtime based on the open-source project “Kyma”. Based on modular building blocks, Kyma runtime includes all the necessary capabilities to simplify the development and to run enterprise-grade cloud-native applications.
  • Neo Environment: Available in SAP's data centres, which are being migrated to multi-cloud instances, so it is not relevant for this scenario.

Operational Considerations

You can manage the account and monitor the SAP BTP services from the SAP BTP cockpit. When using cloud management tools feature set B, choose https://cockpit.btp.cloud.sap/ to access the cockpit. Depending on your geographic location, this URL redirects you to the closest regional cockpit URL.

  • SAP BTP offers various native tools for monitoring and operating the application, optionally complemented by third-party offerings, in case you need deep monitoring of cloud-native applications.
  • For hybrid scenarios across the SAP portfolio, or if an operations process is already in place, customers can also integrate operational aspects of SAP BTP into strategic operation platforms (such as SAP Solution Manager and SAP Cloud ALM).
  • If we want to monitor the Cloud Connector with the SAP Solution Manager, we can install a host agent on the machine of the Cloud Connector and register the Cloud Connector on our system by configuring the solution management integration.

Backup & Recovery

Backup and recovery of data stored in the following services are performed by SAP. For other services, we can follow SAP best practices to back up our configurations. SAP maintains backups of the data for disaster recovery. If a customer account is deleted, SAP may still hold the customer's data in its backup system for the length of its backup cycle.

Performance Management

You can find the information we need on security, compliance, privacy, and cloud service performance on SAP Trust Centre. There you can gain insights on current availability and performance history of SAP cloud services worldwide.

Reliability

You can find the information we need on security, compliance, privacy, and cloud service performance on SAP Trust Center. There you can find various agreement documents for cloud, software, and service offerings from SAP. The Cloud Service Agreement comprises an Order Form, Supplemental Terms and Conditions, Support Schedule, Service Level Agreement, Data Processing Agreement and General Terms and Conditions. You can also follow the availability of the platform at SAP Trust Center. You can check:

  • the availability by service on the SAP BTP tile of the Cloud Status tab page;
  • the availability by region on the Data Center tab page. In addition, you can get a personalised, at-a-glance view of additional SAP BTP offerings, such as SAP BTP Integration, with SAP Cloud Availability Center in SAP for Me.

User Access Management

First of all, it is important to understand that there are two different types of users when working with and on the SAP BTP: platform users and business users.

  • Platform users are usually developers, administrators, or operators who deploy, administer, and troubleshoot applications and services on SAP BTP. For platform users, the default identity provider is SAP ID service.
  • Business users use the applications that are deployed to SAP BTP. For example, the users of your deployed application or users of subscribed apps or services, such as SAP Business Application Studio are business users.

  • Platform Users: members on global account and subaccount level, and members on space level. Authentication is configured at the platform IdP, on global account level.
  • Application Developers/Users: users who use subscriptions and/or marketplace services, i.e., developers or business developers. Authentication is configured at the IdP on subaccount level.
  • Business Users: users who use business apps. Authentication is configured at the IdP on subaccount level.
  • Member management refers to managing permissions for platform users. A member is a user who is assigned to an SAP BTP global account or subaccount. Administrators can add users to global accounts and subaccounts and assign roles to them as needed. You can use predefined roles, for example the administrator role for managing subaccount members.
  • User management refers to managing authentication and authorization for your business users.
  • No user identities are held on the SAP BTP. However, domain-dependent system and service roles and groups are used.
  • These roles and groups are either created directly on the SAP BTP, for example, or existing ones are imported and mapped to the Platform Roles or Groups. This is done with the SAP Cloud Identity Provisioning Service.
  • These are the user types you can identify. Note that a developer can also be a business user.

Implementation Considerations

Future Recommendations

  • Define enterprise technology strategy and guidance, and review the SAP’s product roadmap and future direction to ensure sustainable solutions and access to the latest innovations like SAP Business AI.
  • In order to protect the investment and build business continuity and resilience, SAP customers should also consider investing in SAP's latest solutions and technologies, e.g., SAP S/4HANA, SAP BTP, SAP CAR and SAP Fiori.
  • A holistic approach is required to establish an enterprise omnichannel offer platform.