Introduction

SAP Analytics Cloud (SAC) is a new generation of Software-as-a-Service (SaaS) that redefines analytics in the cloud by providing all analytical capabilities for all user types in one product. It is built on SAP HANA Cloud Platform. SAC is a public SaaS solution that enables access to both on-premise and cloud data sources. In this blog, I will explain how a tunnel live connection to an on-premise SAP Business Warehouse (BW) or SAP S4HANA system is configured and how it works. The blog is relevant for SAP Analytics Cloud (SAC) system owners and for the IT and application stakeholders within your organization that consume SAC.

In my previous blogs, I covered the tunnel connection from SAP Analytics Cloud to SAP HANA using SAML 2.0 Single Sign-On and using username and password. If you would like to learn what a tunnel connection is and how it works, or to understand the comparison between the available connection types, please check out my previous blogs*

*SAP Analytics Cloud Tunnel Connection to SAP HANA using SAML 2.0 SSO
https://blogs.sap.com/2021/03/02/sap-analytics-cloud-tunnel-connection-to-sap-hana-using-saml-2.0-sso/

What is SAP Analytics Cloud Tunnel Connection? Configure SAC & HANA to use Tunnel Connection
https://blogs.sap.com/2020/11/25/what-is-sap-analytics-cloud-tunnel-connection-configure-sac-hana-to-use-tunnel-connection-with-password-authentication/

How does this whole thing work?

The SAP Analytics Cloud and SAP Cloud Connector

Once the SAP Cloud Connector is configured and paired with SAP Analytics Cloud, a secure tunnel is established between the two. All communication between SAP Analytics Cloud and the backend system is then routed through the Cloud Connector over Transport Layer Security (TLS).

SAP Cloud Connector and Backend system (SAP BW or S4HANA)

There is a pre-existing trust relationship between the SAP Cloud Connector and the backend system (SAP BW or SAP S4HANA): the backend system trusts the Cloud Connector via its system certificate. In the section below, we will see which parameters need to be maintained to activate this.

How does the authentication happen?

Authentication happens at two levels, which means there are two levels of trust.

First, Transport Layer Security (TLS) with client certificate authentication. The communication between the client (the Cloud Connector) and the backend server is encrypted, and the Cloud Connector authenticates itself by presenting its system certificate, proving possession of the corresponding private key.

Second, the SAP Cloud Connector forwards a short-lived X.509 certificate for the end user in an HTTP header named SSL_CLIENT_CERT. The backend only honours this header because of the pre-existing trust between the backend system and the SAP Cloud Connector via the system certificate.

The Cloud Connector has another role to play: it is configured to forward the identity of the real user. The backend system has a rule defined to map the identity contained in the identity certificate received during authentication to an internal user. The Cloud Connector forwards the real identity in a short-lived X.509 certificate in an HTTP header named SSL_CLIENT_CERT. This requires some work on the backend server side; the following parameters need to be maintained:

login/certificate_mapping_rulebased = 1

This parameter enables (1) or disables (0) rule-based X.509 certificate mapping. When enabled, it allows the system to map the identity contained in an identity certificate received during authentication to an internal user, based on the rules defined in transaction CERTRULE.

icm/HTTPS/verify_client = 1

This parameter specifies whether or not a client must produce a certificate.

icm/HTTPS/trust_client_with_issuer = Value corresponding to the Issuer of the SAP Cloud Connector system certificate.

This parameter contributes to establishing trust between the SAP Cloud Connector and the backend system.

icm/HTTPS/trust_client_with_subject = Value corresponding to the Subject of the SAP Cloud Connector system certificate.

This parameter contributes to establishing trust between the SAP Cloud Connector and the backend system. Together with trust_client_with_issuer, it identifies exactly one client certificate (the Cloud Connector system certificate) whose forwarded SSL_CLIENT_CERT header the backend will accept.

Please note: the SAP Cloud Connector should always be installed in the corporate network and not in the DMZ.

Now that we have seen how the whole thing works, below you will find the configuration steps.

As with any other configuration, make sure you are using a supported SAP Business Warehouse version.

Please look at the diagram below; I will break it down into three steps. Step 1 shows the configuration required in the SAP Cloud Connector, step 2 shows the configuration required in the SAP BW or SAP S4HANA system, and finally in step 3 we create the live connection in SAC.

Step 1

In the first step, most of the configuration is done in SAP Cloud Connector.

1.1 Setup Trust Between SAP Cloud Connector and SAP BW or S4HANA

Next, we will set up the SAP Cloud Connector between the data source system and SAP Analytics Cloud to establish a live tunnel connection.

The SAP Cloud Connector provides a secure tunnel between SAP Analytics Cloud and SAP BW or S4HANA. It runs as a reverse invoke proxy between the live system/on-premise network and the SAP Cloud Platform.

To use the SAP Cloud Platform cloud connector for data source connections, you’ll need to complete these configuration steps:

  1. Log in to the Cloud Connector Administration application.
  2. In the left-side menu, select Cloud To On-Premise.
  3. In the Subaccount field, choose your SAP Analytics Cloud subaccount.
  4. On the Access Control tab, in the Mapping Virtual To Internal System section, click Add to add a new mapping to your live data system.
  5. In the Add System Mapping dialog, use the following values for SAP BW or SAP S4HANA:
    • Back-end Type: ABAP System
    • Protocol: HTTPS
    • Internal Host: <system host>
    • Internal Port: <system port>
    • Virtual Host: <can use the same host as the internal host>
    • Virtual Port: <can use the same port as the internal port>
    • Principal Type: if using single sign-on, choose X.509 Certificate (General Usage). If using a username and password, choose None. We plan to use SSO in this blog.

Once you complete the above step make sure the system is reachable and looks like the image shown below.

Next, we will allow access to SAP BW or S4HANA system paths:

  1. In the Resources Of section, click Add.
  2. Enter the URL Path: “/”.
  3. Choose Path and all sub-paths.
  4. Select Save.

Once you complete this step, the resource entry should look like the image shown below.
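As an added illustration (not code from this blog or from SAP), the following Python model shows what the access-control mapping configured in step 1.1 enforces: the virtual host and port are resolved to the internal system, and a request is forwarded only if its URL path matches one of the listed resources. It contrasts the blog's “/” with “Path and all sub-paths”, which exposes every path on the backend through the tunnel, with a narrower prefix. The host names, ports and the InA prefix /sap/bw/ina are assumed sample values, and the matching logic is a simplification of what the real Cloud Connector does.

```python
"""Constructed model of Cloud Connector access control (step 1.1):
virtual host/port -> internal system, plus per-system resource paths.
Added illustration, not SAP code; real matching rules are more involved."""

import posixpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    path: str
    all_subpaths: bool      # True = "Path and all sub-paths", False = exact path only


@dataclass(frozen=True)
class SystemMapping:
    virtual_host: str
    virtual_port: int
    internal_host: str
    internal_port: int
    protocol: str
    resources: tuple        # tuple of Resource


def resource_allows(resource: Resource, url_path: str) -> bool:
    """Exact match always allows; a sub-path match only when the resource permits it."""
    if url_path == resource.path:
        return True
    if resource.all_subpaths:
        return url_path.startswith(resource.path.rstrip("/") + "/")
    return False


class CloudConnectorAccessControl:
    def __init__(self, mappings):
        self.mappings = {(m.virtual_host, m.virtual_port): m for m in mappings}

    def route(self, virtual_host: str, virtual_port: int, url_path: str):
        """Returns (decision, internal_url)."""
        # Normalise first so '..' segments cannot escape an allowed prefix.
        url_path = posixpath.normpath(url_path)
        if not url_path.startswith("/"):
            return ("DENY_BAD_PATH", None)
        mapping = self.mappings.get((virtual_host, virtual_port))
        if mapping is None:
            return ("DENY_NO_MAPPING", None)
        if not any(resource_allows(r, url_path) for r in mapping.resources):
            return ("DENY_PATH", None)
        internal = f"{mapping.protocol.lower()}://{mapping.internal_host}:{mapping.internal_port}{url_path}"
        return ("ALLOW", internal)


# Constructed sample: virtual host/port identical to the internal ones, as the blog allows.
BLOG_MAPPING = SystemMapping("bw.corp.example", 44300, "bw.corp.example", 44300, "HTTPS",
                             resources=(Resource("/", all_subpaths=True),))
# Narrower alternative: only the InA service prefix (assumed here, not given on the page).
NARROW_MAPPING = SystemMapping("bw.corp.example", 44300, "bw.corp.example", 44300, "HTTPS",
                               resources=(Resource("/sap/bw/ina", all_subpaths=True),))

BLOG_ACL = CloudConnectorAccessControl([BLOG_MAPPING])
NARROW_ACL = CloudConnectorAccessControl([NARROW_MAPPING])

if __name__ == "__main__":
    for acl in (BLOG_ACL, NARROW_ACL):
        print(acl.route("bw.corp.example", 44300, "/sap/bw/ina/GetServerInfo"))
        print(acl.route("bw.corp.example", 44300, "/other/service"))
```

The broad mapping forwards every path the backend serves, so anything the Cloud Connector can reach becomes reachable through the tunnel; restricting the resource list to the services SAC actually needs keeps the exposed surface small, and the path must be normalised before it is matched.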

1.2 Setup Trust for Principal Propagation

The principal propagation method is very common among customers that have system-to-system communication and want their users to have a seamless SSO experience.

The SAP Cloud Connector recognizes the SAML attributes of the logged-on user and uses them to generate a short-lived X.509 certificate, which is then used to authenticate the user in the backend (in our case S4HANA). The X.509 certificate carries the cloud user's identity in its subject.

In your SAP Cloud Connector, switch to the Principal Propagation tab; here we will establish trust to an identity provider to support principal propagation. We will perform the following tasks:

  1. Configure Trusted Entities in the Cloud Connector
    You perform trust configuration to support principal propagation. By default, your Cloud Connector does not trust any entity that issues tokens for principal propagation. Therefore, the list of trusted identity providers is empty by default. If you decide to use the principal propagation feature, you must establish trust to at least one identity provider. Currently, SAML2 identity providers are supported. You can configure trust to one or more SAML2 IdPs per subaccount. After you’ve configured trust in the cockpit for your subaccount, for example, to your own company’s identity provider(s), you can synchronize this list with your Cloud Connector.

From your subaccount menu, choose Cloud to On-Premise and go to the Principal Propagation tab. Choose the Synchronize button to store the list of existing identity providers locally in your Cloud Connector.

Select an entry to see its details:

  • Name: the name associated with the identity provider.
  • Description: descriptive information about this entry.
  • Type: type of the trusted entity.
  • Trusted: indicates whether the entry is trusted for principal propagation.
  • Actions: Choose the Show Certificate Information icon to display detail information for the corresponding entry. The Cloud Connector runtime will use the certificate associated with the entry to verify that the assertion used for principal propagation was issued by a trusted entity.

Note: Whenever you update the SAML IdP configuration for a subaccount on cloud side, you must synchronize the trusted entities in the Cloud Connector.

1.3 SAP Cloud Connector should trust Identity Provider (IdP)

The SAP Cloud Connector needs to trust the identity provider (IdP) that the customer uses (via syncing the IdPs in the cloud connector interface).

Step 2.

Most of the configuration in step 2 is done on the SAP BW or S4HANA system.

2.1 Configure SSL on your SAP BW or S4HANA

The TLS protocol, commonly referred to as SSL, uses public-key technology to provide its protection. Use Transport Layer Security (TLS) to secure HTTP connections to and from AS ABAP. With TLS, the data transferred between the two parties (client and server; in our case SAC and S4HANA or BW) is encrypted and the two partners can be authenticated.

To setup, see Configuring SAP NetWeaver AS for ABAP to Support SSL, and SAP Note 510007.

2.2 Enable SAP InA on your ABAP Application Server

SAP Information Access (InA) is a REST HTTP-based protocol used by SAP Analytics Cloud to query your data sources in real time. Confirm that your InA package is enabled and services are running on the ABAP AS for your data source.

2.3 Configure SAP BW or S4HANA to trust SAP Cloud Connector

In order for SAP BW or S4HANA to trust the SAP Cloud Connector, we need to configure the ABAP system to trust the Cloud Connector’s system certificate.

This step includes two sub-steps:

  1. Configure the ABAP system to trust the Cloud Connector’s system certificate.
  2. Configure the Internet Communication Manager (ICM) to trust the system certificate for principal propagation, and Map Short-Lived Certificates to Users.

Configure the ABAP system to trust the Cloud Connector’s system certificate: in the Cloud Connector, select Configuration on the left side and then, under the On-Premise tab, generate a self-signed system certificate and CA certificate. In this scenario, I will use the self-signed certificate to establish trust with the SAP BW or S4HANA system. Download the certificate. In a productive scenario, consider using a certificate signed by your corporate CA.


Import the system certificate in STRUST

Configure the Internet Communication Manager (ICM) to trust the system certificate for principal propagation, and Map Short-Lived Certificates to Users

Maintain the following four profile parameters in transaction RZ10:

  • login/certificate_mapping_rulebased=1
  • icm/HTTPS/verify_client=1
  • icm/HTTPS/trust_client_with_issuer=Value of Issuer of Cloud Connector System Certificate
  • icm/HTTPS/trust_client_with_subject=Value of subject of Cloud Connector System Certificate

2.4 Configure to Accept Short-Lived X.509 Certificates from SAP Cloud Connector

Here we will map short-lived certificates to users in the SAP BW or S4HANA system. In the previous step we set the parameter login/certificate_mapping_rulebased to ‘1’.

Import your SAP Cloud connector system certificate into SAP BW or S4HANA.
To do this go to TCODE: CERTRULE

Select Rule to define the mapping and click Save.

You will notice ‘User Status’ turns green, and shows the user found in the system if your mapping is correct.
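To make the two levels of trust from the “How does the authentication happen?” section and the CERTRULE mapping of steps 2.3 and 2.4 concrete, here is an added Python model (not code from this blog or from SAP) of the decision a backend makes when the Cloud Connector forwards a user. It first checks that the TLS client certificate is the Cloud Connector system certificate named by the icm/HTTPS/trust_client_with_* parameters, and only then maps the short-lived certificate carried in SSL_CLIENT_CERT to an internal user through a CERTRULE-style rule, gated by login/certificate_mapping_rulebased. The parameter names are the real profile parameters; the certificate DNs, the user store and the rule format are constructed, simplified stand-ins.

```python
"""Constructed model of the two-level trust check an AS ABAP backend makes
when the SAP Cloud Connector propagates a user. Added illustration, not
SAP code: parameter names are the real profile parameters, but DN
handling, the rule structure and the user store are simplified."""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Certificate:
    """Only the two fields the checks below look at."""
    subject: str
    issuer: str


@dataclass(frozen=True)
class CertRule:
    """CERTRULE-style rule: for certificates from `issuer`, take
    `subject_attribute` from the subject and look it up in `user_field`."""
    issuer: str
    subject_attribute: str = "CN"
    user_field: str = "USERNAME"


def parse_dn(dn: str) -> dict:
    """Split 'CN=a, OU=b, O=c' into {'CN': 'a', ...}. Simplified: real DNs
    can contain escaped commas and multi-valued RDNs."""
    parts = {}
    for rdn in dn.split(","):
        key, sep, value = rdn.strip().partition("=")
        if sep:
            parts[key.strip().upper()] = value.strip()
    return parts


def same_dn(a: str, b: str) -> bool:
    """Attribute-wise comparison so spacing/order differences do not matter."""
    return parse_dn(a) == parse_dn(b)


@dataclass
class AbapBackend:
    profile: dict     # RZ10 profile parameters, values as strings
    users: dict       # constructed user store: field -> {value: SAP user}
    rules: list = field(default_factory=list)

    def trusts_forwarding_client(self, tls_client_cert: Certificate) -> bool:
        """Level 1: the TLS client certificate must be the Cloud Connector
        system certificate named by icm/HTTPS/trust_client_with_issuer/subject."""
        p = self.profile
        if p.get("icm/HTTPS/verify_client") != "1":
            return False
        return (same_dn(tls_client_cert.issuer, p.get("icm/HTTPS/trust_client_with_issuer", ""))
                and same_dn(tls_client_cert.subject, p.get("icm/HTTPS/trust_client_with_subject", "")))

    def map_user(self, forwarded_cert: Certificate):
        """Level 2: map the short-lived certificate from SSL_CLIENT_CERT to an
        internal user, only if rule-based mapping is switched on."""
        if self.profile.get("login/certificate_mapping_rulebased") != "1":
            return None
        subject = parse_dn(forwarded_cert.subject)
        for rule in self.rules:
            if not same_dn(rule.issuer, forwarded_cert.issuer):
                continue    # rule applies only to certificates from its issuer
            user = self.users.get(rule.user_field, {}).get(subject.get(rule.subject_attribute))
            if user:
                return user
        return None

    def authenticate(self, tls_client_cert: Certificate, headers: dict):
        """Returns (status, sap_user). SSL_CLIENT_CERT is honoured only after
        the forwarding client itself has been authenticated at TLS level."""
        if not self.trusts_forwarding_client(tls_client_cert):
            return ("REJECT_UNTRUSTED_CLIENT", None)
        forwarded = headers.get("SSL_CLIENT_CERT")   # real header carries the certificate itself
        if forwarded is None:
            return ("REJECT_NO_CERTIFICATE", None)
        user = self.map_user(forwarded)
        return ("OK", user) if user else ("REJECT_NO_MAPPING", None)


# --- constructed sample data (placeholder names, not real certificates) ---
# Self-signed system certificate, as in the blog: issuer equals subject.
CC_SYSTEM_DN = "CN=scc.corp.example, OU=Cloud Connector, O=Example Corp"
CC_SYSTEM_CERT = Certificate(subject=CC_SYSTEM_DN, issuer=CC_SYSTEM_DN)
# The Cloud Connector CA certificate that signs the short-lived user certificates.
CC_CA_DN = "CN=scc-ca.corp.example, OU=Cloud Connector, O=Example Corp"
SHORT_LIVED_CERT = Certificate(subject="CN=alice@example.com", issuer=CC_CA_DN)

PROFILE = {
    "login/certificate_mapping_rulebased": "1",
    "icm/HTTPS/verify_client": "1",
    "icm/HTTPS/trust_client_with_issuer": CC_SYSTEM_DN,
    "icm/HTTPS/trust_client_with_subject": CC_SYSTEM_DN,
}
USERS = {"EMAIL": {"alice@example.com": "ALICE"}}
RULE = CertRule(issuer=CC_CA_DN, subject_attribute="CN", user_field="EMAIL")


def build_backend(profile: dict = PROFILE) -> AbapBackend:
    return AbapBackend(profile=profile, users=USERS, rules=[RULE])


if __name__ == "__main__":
    print(build_backend().authenticate(CC_SYSTEM_CERT, {"SSL_CLIENT_CERT": SHORT_LIVED_CERT}))
```

The ordering is the point: a client whose TLS certificate is not the configured Cloud Connector system certificate is rejected before its SSL_CLIENT_CERT header is even read, and a forwarded certificate from an issuer no CERTRULE rule covers, or for a login the user store does not contain, ends in the red “User Status” of the previous step rather than a logon.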

Step 3

In the final step, now that you’ve configured your data source, you can create the live connection in SAP Analytics Cloud.

Procedure

  • From the side navigation, choose Connections, then Add Connection.
  • Expand Connect to Live Data and select SAP BW.
  • In the dialog, enter a name and description for your connection.
  • Set the connection type to Tunnel.
  • Add your data source’s virtual host name, HTTPS port, and Client.
  • Under Authentication, select SAML Single Sign On.

Results

Once you’ve created your live data connection, test it by creating a model.

Randa Khaled

Author Since: November 19, 2020
