sap hana cloud connector 2 - archive.sap.com · sap hana cloud connector – operator’s guide...

SAP HANA Cloud connector ndash Operatorrsquos Guide

SAP HANA Cloud Connector 2x

Operatorrsquos Guide Version 10

February 2014

SAP HANA Cloud connector ndash Operatorrsquos Guide Page 2

1 INTRODUCTION 3

11 TARGET AUDIENCE 4

12 ADDITIONAL INFORMATION 4

2 SYSTEM REQUIREMENTS 5

21 HARDWARE REQUIREMENTS 5

22 SOFTWARE REQUIREMENTS 5

23 SUPPORTED BROWSERS 5

24 CLOUD CONNECTOR SOFTWARE DOWNLOAD 5

25 FREE DISK SPACE 5

251 Installation size 5

252 Additional disk space for log and configuration files 5

3 NETWORK ZONES 6

4 CLOUD CONNECTOR ON MICROSOFT WINDOWS 6

41 INSTALLATION 6

42 UPGRADE 6

43 UNINSTALLATION 7

44 STARTING THE CLOUD CONNECTOR 7

5 CLOUD CONNECTOR ON LINUX 7

51 INSTALLATION 7

52 UPGRADE 7

53 UNINSTALLATION 7


6 CLOUD CONNECTOR ADMINISTRATION 8

61 OPERATING SYSTEM ACCESS AND CONFIGURATION 8

62 CONFIGURING A TRUSTED CERTIFICATE FOR THE ADMINISTRATION UI 8

63 BASIC CONFIGURATION 8

64 CONNECTING AND DISCONNECTING A CLOUD ACCOUNT 8

65 CONFIGURING ACCESSIBLE RESOURCES 9

66 CONFIGURING TRUST BETWEEN CLOUD CONNECTOR AND ON-PREMISE SYSTEMS 11

67 CONFIGURING NAMED CLOUD CONNECTOR ADMINISTRATOR USERS 11

68 USING THE AUDIT LOG 11

69 AUTHENTICATING USERS FOR ON-PREMISE SYSTEMS 12

7 GUIDELINES FOR SECURE OPERATION OF THE CLOUD CONNECTOR 12

8 MONITORING 13

9 SUPPORTABILITY 14

10 RELEASE AND MAINTENANCE STRATEGY 14

11 PROCESS GUIDELINES FOR HYBRID SCENARIOS 15

111 DOCUMENT LANDSCAPE OF HYBRID SOLUTION 15

112 DOCUMENT ADMINISTRATOR ROLES 15

113 DOCUMENT COMMUNICATION CHANNELS 16

114 DEFINE PROJECT AND DEVELOPMENT GUIDELINES 16

115 DEFINE PROCESS OF HOW TO SET A CLOUD APPLICATION LIVE 16


1 Introduction

SAP HANA Cloud connector is an on-premise agent that runs in the customer network and takes care of

securely connecting cloud applications running on SAP HANA Cloud Platform with services and systems of the

customer network It is used to implement hybrid scenarios in which cloud applications require point-to-point

integration with existing services or applications in the customer network The following diagram shows a high-

level picture of the landscape

This document provides a guide for IT administrators how to setup configure securely operate and protect

SAP HANA Cloud connector version 2x in productive scenarios

This Operatorrsquos guide is structured as follows

bull System requirements for the Cloud connector

This section provides an overview on the minimal and recommended system requirements needed to

install and run the Cloud connector

bull Installation upgrade and uninstallation of the Cloud connector (on Windows or Linux operating

systems)

This section describes the lifecycle management operations of the Cloud connector ie how to install

upgrade and uninstall it as well as how to start the Cloud connector process after installation

bull Administration and configuration of the Cloud connector

This section provides an overview on how to administrate and configure the Cloud connector and how

to securely operate it For example how to configure on-premise resources which shall be accessible

to the related cloud account how to configure trust between the Cloud connector and an on-premise

system how to configure named administrator users for the Cloud connector administration and so

on


bull Guidelines for secure operation of the Cloud connector

This section summarizes briefly all guidelines and recommendations for a secure setup of the Cloud

connector as they are relevant for productive scenarios It also provides references to the single

sections of this operatorrsquos guide where the related topics are described in more detail

bull Monitoring

This section provides an overview on how to monitor the Cloud connector-based connectivity to the

cloud and describes high-availability features of the Cloud connector

bull Supportability

This section provides an overview on supportability in case of issues with the Cloud connector

bull Maintenance and release strategy

This section describes the maintenance and release strategy of the Cloud connector how new patches

or new versions are released and where to find information about new releases

bull Process guidelines for hybrid scenarios

This section provides process guidelines which help to manage and operate hybrid scenarios

11 Target Audience

System administrators IT administrators cloud account administrators

12 Additional Information

This document focuses on the operation aspects of the Cloud connector It does not cover a general overview

of the SAP HANA Cloud Platform and its connectivity service neither does it address development related

questions like how an application which needs connectivity is being implemented

For additional information on specific topics see the following online resources

SAP HANA Cloud Platform documentation

httpshelphanaondemandcom

SAP HANA Cloud Platform connectivity service documentation

httpshelphanaondemandcomhelpframesethtme54cc8fbbb571014beb5caaf6aa31280html

SAP HANA Cloud connector documentation

httpshelphanaondemandcomhelpframesethtme6c7616abb5710148cfcf3e75d96d596html

SAP HANA Cloud Platform release notes httpscnsapcomdocsDOC-28833

SAP Community Network httpscnsapcomcommunitydeveloper-centercloud-platform

SAP security httpsservicesapcomsecurity

SAP security guides network security httpsservicesapcomsecurityguide

SAP HANA Cloud Platform openSAP course

httpsopensapcomcoursehanacloud1 httpscnsapcomcommunitydeveloper-centercloud-platformblog20140108videos-of-opensap-course-introduction-to-sap-hana-cloud-platform

Registration for free SAP HANA Cloud Platform account

httpsaccounthanatrialondemandcom


2 System Requirements

This section describes the hard- and software requirements needed to install and run the Cloud connector

21 Hardware Requirements

Minimum Recommended

CPU Single core 3 GHz x86-64 architecture compatible

Dual core 2 GHz x86-64 architecture compatible

Memory (RAM) 1 GB 4 GB

Free disk space 1 GB 20 GB

22 Software Requirements

Operating System Architecture

Windows 7 Windows Server 2008 R2 x86_64

SUSE Linux Enterprise Server 11 Redhat Enterprise Linux 6 x86_64

23 Supported Browsers

The browsers that can be used for the Cloud connector Administration UI are the ones supported by SAP UI5

Currently these are the following

Internet Explorer 9 or higher

Mozilla Firefox 10 and latest version

Safari 51 and higher

Google Chrome (latest versions)

An up-to-date list of the supported SAP UI5 browsers can be found here

httpshelphanaondemandcomhelpframesethtm91f072cf6f4d1014b6dd926db0e91070html

24 Cloud Connector Software Download

The Cloud connector can be downloaded from the Cloud Tools page

25 Free Disk Space

251 Installation size

To download and install a new Cloud connector server a minimum of free disk space is required as following

Size of downloaded Cloud connector installation file (ZIP TAR MSI files) 50 MB

Newly installed Cloud connector server 70 MB

Total 120 MB as a minimum

252 Additional disk space for log and configuration files

The Cloud connector writes configuration files audit log files and trace files at runtime The recommendation is

to accommodate between 1 and 20 GB of disk space for those files

Trace and log files are written to ltscc_dirgtlog within the Cloud connector root directory

ljs_tracelog contains traces in general communication payload traces are stored in

traffic_trace_trc They are used for support cases to analyze potential issues The default trace level is

set to Information where the amount of written data is in the range of few KB each day You can turn off

these traces to save disk space However it is not recommended to turn off this trace completely but to leave


it with the default settings to allow root cause analysis in case an issue occurs If the trace level is increased to

All the amount of data can easily reach the range of several GB per day We recommend that you only use

trace level All for analyzing a particular issue Payload trace however should be turned off normally and only

in case of certain issues turned on for supporting analysis by SAP support

From operations perspective we recommend that you back up or delete written trace files regularly in order to

clean up the used disk space

Audit log files are written to logauditltaccount-namegtaudit-log_ltaccount-namegt_ltdategtcsv

within the Cloud connector root directory By default only security related events are written within the audit

log The Cloud connector administrator can change the audit log level using the administration UI as described

here httpshelphanaondemandcomhelpframesethtm2264c7002f844fe4833186a1d168de66html

To be compliant with the regulatory requirements of your organization and the regional laws the audit log files

must be persisted for a certain period of time for traceability purposes Therefore it is recommended to back

up the audit log files regularly from the Cloud connector file system and to keep the backup for a certain period

of time fitting to those rules

3 Network Zones

Usually a customer network is divided into multiple network zones or sub-networks according to the security

level of the contained components There is for instance the DMZ that contains and exposes the external-

facing services of an organization to an untrusted network usually the Internet and there is one or multiple

other network zones which contain the components and services provided in the companyrsquos intranet

Generally customers have the choice in which network zone the Cloud connector should be set-up in their

network Technical prerequisites for the Cloud connector to work properly are

Cloud connector must have internet access to the SAP HANA Cloud Platform landscape host either

directly or via HTTPS proxy

Cloud connector must have direct access to the internal systems it shall provide access to That means

there must be transparent connectivity between the Cloud connector and the internal system

Depending on the needs of the project the Cloud connector can be either set-up in the DMZ and operated

centrally by the IT department or set-up in the intranet and operated by the line-of-business

4 Cloud Connector on Microsoft Windows

Currently the following Windows operating system versions are supported by the Cloud connector Windows 7

64-bit and Windows Server 2008 R2 64-bit This section describes how to install upgrade uninstall and

startstop the Cloud connector process on Windows operating systems

41 Installation

Detailed documentation how to install the Cloud connector on Microsoft Windows can be found here

httpshelphanaondemandcomhelpframesethtm204aaad4270245f3baa0c57c8ab1dd60html

NOTE The Windows MSI installer must be used for productive scenarios as only then the Cloud connector gets

registered as a Windows service

42 Upgrade

Detailed documentation how to upgrade the Cloud connector on Microsoft Windows can be found here

httpshelphanaondemandcomhelpframesethtm7a7cc373019b4b6eaab39b5ab7082b09html


43 Uninstallation

Detailed documentation how to uninstall the Cloud connector on Microsoft Windows can be found here

httpshelphanaondemandcomhelpframesethtmd53395c4692c427881220c161ba51732html

44 Starting the Cloud Connector

After the installation the Cloud connector is registered as Windows service which is configured to be started

automatically With this configuration the Cloud connector process will be started automatically after a reboot

of the system You can start and stop the service via shortcuts created on the desktop (ldquoStart SAP HANA

Cloud connector 20rdquo and ldquoStop SAP HANA Cloud connector 20rdquo) or by using the Windows

Services manager and look for the service SAP HANA Cloud connector 20

Once started the Cloud connector administration UI can be accessed at httpslocalhostltportgt where the

default port is 8443 (this port could have been modified during the installation)

5 Cloud Connector on Linux

Currently the following Linux versions are supported by the Cloud connector SUSE Linux Enterprise Server 11

64-bit and Redhat Enterprise Linux 6 64-bit This section describes how to install upgrade uninstall and

startstop the Cloud connector process on Linux operating systems

51 Installation

Detailed documentation how to install the Cloud connector on Linux can be found here

httpshelphanaondemandcomhelpframesethtmf069840fa34c4196a5858be33a2734eahtml

NOTE For productive scenarios the Cloud connector Linux RPM installer must be used as only then the Cloud

connector will be registered as a daemon process

52 Upgrade

Detailed documentation how to upgrade the Cloud connector on Linux can be found here


53 Uninstallation

Detailed documentation how to uninstall the Cloud connector on Linux can be found here



After installing the Cloud connector via RPM manager the Cloud connector process is started automatically

and registered as a daemon process which takes care of restarting the Cloud connector automatically after a

reboot of the system

To startstoprestart the process explicitly you can open a command shell and use the following commands

which require root permissions

service scc_daemon stop|restart|start|status


6 Cloud Connector Administration

61 Operating System Access and Configuration

As the Cloud connector is a security critical component enabling external access to systems of an isolated

network similar to a reverse proxy in a DMZ we recommend that you restrict the access to the operating

system on which the Cloud connector is installed to the minimal set of users who shall administrate the system

This will minimize the risk of unauthorized people accessing the Cloud connector system and trying to modify

or damage a running Cloud connector instance

We also recommend that you use hard-drive encryption for the Cloud connector system This ensures that the

Cloud connector configuration data cannot be read by unauthorized users even if they obtain access to the

hard drive

62 Configuring a Trusted Certificate for the Administration UI

After a new installation the Cloud connector provides a self-signed X509 certificate used for the SSL

communication between the Cloud connector Administration UI running in a Web browser and the Cloud

connector process itself For security reasons this certificate should be replaced for productive scenarios with a

certificate trusted by your organization To learn in detail how to do this read this page

httpshelphanaondemandcomhelpframesethtmbcd5e113c9164ae8a443325692cd5b12html

63 Basic Configuration

The basic configuration steps for the Cloud connector consist of

Changing the initial password for the built-in Administrator user

Connecting the Cloud connector against a cloud account

A detailed documentation of these two steps can be found here

httpshelphanaondemandcomhelpframesethtmdb9170a7d97610148537d5a84bf79ba2html

You are forced to change the initial password to a specific one immediately after installation The Cloud

connector itself does not check the strength of the password ie the Cloud connector administrators should

voluntarily choose a strong password that cannot be guessed easily

64 Connecting and Disconnecting a Cloud Account

The major principle for the connectivity established by the Cloud connector is that the Cloud connector

administrator should have full control over the connection to the cloud ie they should be able to decide if and

when the Cloud connector need to be connected to the cloud at all to which accounts it shall be connected

and which on-premise systems and resources shall be accessible to applications of the connected account

Using the administration UI the Cloud connector administrator can connect and disconnect the Cloud

connector to the configured cloud account Once disconnected there is no communication possible ndash neither

between the cloud account and the Cloud connector nor to the internal systems The connection state can be

verified and changed by the Cloud connector administrator on the Account Dashboard tab of the UI as

shown in the following screen shot


It is important to note that once the Cloud connector is newly installed and connected to a cloud account still

none of the systems available in the customer network are accessible to the applications of the related cloud

account The systems and resources that shall be made accessible must be configured explicitly in the Cloud

connector one by one as it is described in section 66

Effective Cloud connector version 220 a single Cloud connector instance can be connected to multiple

accounts in the cloud This is useful especially for customers who need multiple accounts to structure their

development or to stage their cloud landscape into development test and production These customers have

the option to use a single Cloud connector instance for multiple accounts of theirs Nevertheless it is

recommended to not use accounts running productive scenarios and accounts used for development or test

purposes within the same Cloud connector A cloud account can be added to or deleted from a Cloud

connector on the Account Dashboard using the Addhellip and Delete buttons (see screenshot above)

A detailed description how to add delete connect or disconnect accounts can be also found here

httpshelphanaondemandcomhelpframesethtmf16df12fab9f4fe1b8a4122f0fd54b6ehtml

65 Configuring Accessible Resources

After a new Cloud connector installation in a network no systems or resources of the network have been

exposed to the cloud yet The Cloud connector administrator must configure each system and resource that

shall be used by applications of the connected cloud account in the Access Control view of the Cloud

connector as shown in the following screenshot


Thereby any type of system that can be called via one of the supported protocols (currently HTTP and RFC)

ie both SAP and non-SAP systems are supported As an example a convenient way to access an ABAP system

in a cloud application is to do this via SAP NetWeaver Gateway as it allows consumption of ABAP content via

HTTP and open standards

Detailed documentation on how HTTP resources are configured can be found here

httpshelphanaondemandcomhelpframesethtme7d4927dbb571014af7ef6ebd6cc3511html

Detailed documentation on how RFC resources are configured can be found here

httpshelphanaondemandcomhelpframesethtmca5868997e48468395cf0ca4882f5783html

We recommend that you narrow the access only to those backend services and resources that are explicitly

needed by the cloud applications Instead of configuring for example a system and granting access to all its

resources we recommend that you only grant access to the concrete resources which are needed by the cloud

application For example define access to an HTTP service by specifying the service URL root path and allowing

access to all its sub-paths

When configuring an on-premise system it is possible to define a virtual host and port for the specified system

as shown in the screenshot below The virtual host name and port represent the fully-qualified domain name of

the related system in the cloud We recommend that you use the virtual host nameport mapping in order to

prevent from leaking information about the physical machine name and port of an on-premise system and thus

ndash of your internal network infrastructure getting published to the cloud


66 Configuring Trust between Cloud Connector and On-Premise Systems

For secure communication between the Cloud connector and the used on-premise systems it is recommended

to use encrypted protocols like HTTPS and RFC over SNC and to set up a trust relationship between the Cloud

connector and the on-premise systems by exchanging certificates

When using HTTPS as protocol a trust relationship can be set-up by configuring the so-called system certificate

in the Cloud connector A system certificate is an X509 certificate which represents the identity of the Cloud

connector instance and is used as a client certificate in the HTTPS communication between the Cloud

connector and the on-premise system The used on-premise system should be configured to validate the

system certificate of the Cloud connector to ensure that only calls from trusted Cloud connectors are accepted

A detailed documentation on how to use and configure the system certificate for a Cloud connector can be

found here httpshelphanaondemandcomhelpframesethtm3f974eae3cba4dafa274ec59f69daba6html

Analogously SNC can be configured for secure RFC communication to an ABAP backend as described here

httpshelphanaondemandcomhelpframesethtmf09eefe71d1e4d4484e1dd4b121585fbhtml

67 Configuring Named Cloud Connector Administrator Users

We recommend that you configure LDAP-based user management for the SAP HANA Cloud Connector

Administration UI so that only named administrator users can log on to the administration UI This is important

to guarantee traceability of the Cloud connector configuration changes via the Cloud connector audit log With

the default and built-in Administrator user it is not possible to identify the physical person who has done a

possibly security-sensitive configuration change in the Cloud connector

If you have an LDAP server in your landscape you can configure the Cloud connector to authenticate Cloud

connector administrator users against the LDAP server Valid administrator users must belong to the user group

named admin or sccadmin Documentation on how to configure an LDAP server can be found here

httpshelphanaondemandcomhelpframesethtm120ceecfd84145a181ac160d588a7a3dhtml

Once an LDAP has been configured for the authentication of the Cloud connector the default Administrator

user will be inactive and canrsquot be used anymore for the log on to the Cloud connector

68 Using the Audit Log

Audit logging is a critical element of an organizationrsquos risk management strategy The Cloud connector provides

audit logging for the complete record of access between cloud and Cloud connector as well as of configuration

changes done in the Cloud connector The written audit log files are digitally signed by the Cloud connector so


that their integrity can be checked by the Cloud connector auditor tool as described here

httpshelphanaondemandcomhelpframesethtm2264c7002f844fe4833186a1d168de66html

The audit log data of the Cloud connector can be used to alert Cloud connector administrators to unusual or

suspicious network and system behavior Additionally the audit log data can provide auditors with information

required to validate security policy enforcement and proper segregation of duties IT staff can use the audit log

data for root-cause analysis following a security incident

Information how to configure and use the audit logging in the Cloud connector administrator UI can be found


We recommend that you switch on audit logging of the Cloud connector permanently in productive scenarios

and to set it to All (the default configuration is Security) By this the audit log files can be used to detect

attacks of for example a malicious cloud application that tries to access on-premise services without

permission or in a forensic analysis of a security incident

It is further recommended to copy the audit log files of the Cloud connector regularly to an external persistent

storage according to your local regulations The audit log files can be found in the Cloud connector root

directory under the following location logauditltaccount-namegtaudit-log_lttimestampgtcsv

69 Authenticating Users for On-Premise Systems

Currently the Cloud connector supports basic authentication and principal propagation as user authentication

types towards internal systems The destination configuration of the used cloud application defines which of

these types is used for the actual communication to an on-premise system through the Cloud connector

Details httpshelphanaondemandcomhelpframesethtme4f1d97cbb571014a247d10f9f9a685dhtml)

In case basic authentication is used the on-premise system must be configured to accept basic authentication

and to provide one or multiple service users There are no additional steps which are needed in the Cloud

connector for this authentication type

In case principal propagation is used the Cloud connector administrator has to explicitly configure trust to

those cloud entities from which user tokens are accepted as valid This can be done in the Trust view of the

Cloud connector and is described in more detail here

httpshelphanaondemandcomhelpframesethtma4ee70f0274248f8bbc7594179ef948dhtml

7 Guidelines for Secure Operation of the Cloud Connector

The following table summarizes the guidelines and recommendations for a secure setup and operation of the

Cloud connector in a productive scenario

Activity Recommendation Reference

1 Restrict OS level access to the Cloud connector

Restrict the access to the Cloud connector operating system to the users who should administrate the Cloud connector

section 61

2 Use hard drive encryption for the Cloud connector operating system

Use hard drive encryption to avoid unauthorized access to the Cloud connector configuration data and credentials in case hard disk gets stolen

section 61

3 Change password of built-in Administrator user immediately after installation and choose a strong password

Cloud connector administrator should change initial password manage to a strong password that cannot be easily guessed

section 63

3 Authenticate with named Configure an LDAP system in the Cloud connector section 67


users to the Cloud connector Administrator UI

and work with named administrator users to have better traceability

4 Change default X509 certificate of Cloud connector Administration UI

The self-signed certificate provided by the Cloud connector after a new installation shall be changed to an own certificate to increase the security of the SSL communication between the Cloud connector administration UI and the Cloud connector server itself and to avoid security warnings of the browser when connecting to the administration UI

section 62

5 Use HTTPS and System Certificate or RFC via SNC for communication from Cloud connector to backend

For communication between Cloud connector and the backend systems as well as to authenticate a Cloud connector against the backend systems we recommend that you use HTTPS and a system certificate or RFC over SNC

section 66

6 Use host name mapping of exposed backend systems

When configuring the access to an internal system in the Access Control configuration of the Cloud connector we recommend that you use the virtual host name mapping in order to not expose physical host names of systems of the on-premise network to the cloud

section 0

7 Narrow access to backend systems to required services

When configuring the access to an internal system in the Access Control view of the Cloud connector we recommend that you restrict the system access to those resources which are required by the cloud applications Do not expose the complete system just to save some configuration work

section 0

8 Switch on audit logging in Cloud connector to All

To recognize attempts of attackers to get unauthorized access to the Cloud connector and to have full traceability of the communication and the configuration changes we recommend that you switch on the audit log to All

section 68

9 Copy and persist audit log files of Cloud connector regularly

The Cloud connector audit log files shall be copied regularly from the Cloud connector machine to an external persistent storage and kept for a certain period of time according to the regulatory requirements

section 68 section 252

10 Clean up Cloud connector traces regularly and set default trace level to Information

Cloud connector trace files should be deleted regularly in order to clean up disk space Unless for error analysis the trace level of the Cloud connector should not be set to a level higher than Information in the regular operation Traces created for analysis of an issue with trace level All should be deleted immediately after the issue has been resolved

section 252

8 Monitoring

To verify that a Cloud connector is up and running the simplest way is to try to access its administration UI If

the UI can be opened in a Web browser the Cloud connector process is running

On Windows operating systems the Cloud connector process is registered as a Windows service which is

configured to start automatically after a new Cloud connector installation In case the machine gets rebooted


the Cloud connector process should then be auto-restarted immediately You can check the state with the

following command sc query SAP HANA Cloud connector 20rdquo The line state shows the state of the

service

On Linux operating systems the Cloud connector is registered as a daemon process and gets restarted

automatically each time the Cloud connector process is down like after a reboot of the whole system The

daemon state can be checked with service Cloud connector_daemon status

To verify if a Cloud connector is connected to a certain cloud account log on to the Cloud connector

Administration UI and go to the Accounts Dashboard where the connection state of the connected

accounts are visible as described in section 64

9 Supportability

In case of issues with the Cloud connector SAP customers and partners can create OSS tickets under the

component BC-MID-SCC The general SAP SLAs in regards of OSS processing time also apply for SAP HANA

Cloud Platform and the Cloud connector To avoid unnecessary answerresponse cycles in the support case we

recommend that you download the logs of the corresponding Cloud connector using the Download button on

the Logs view and to attach the respective log file(s) to the OSS ticket directly when creating it In case the

issue is easily reproducible re-execute it at Log Level lsquoAlllsquo before creating the archive

10 Release and Maintenance Strategy

As for all components of SAP HANA Cloud Platform new releases of the Cloud connector are available on the

Cloud Tools page As SAP HANA Cloud Platform releases in a bi-weekly cycle new releases of the Cloud

connector could occur every other week although the actual releases will be more seldom (new releases are

shipped when new features or important bug fixes shall be delivered)

Cloud connector versions follow the ltmajorgtltminorgtltmicrogt versioning schema Within a major

version the Cloud connector will stay fully compatible Within a minor version the Cloud connector will stay

with the same feature set and higher minor versions usually support additional features compared to lower

minor versions Micro versions are increased to release patches of a ltmastergtltminorgt version in order to

deliver bug fixes

For each supported major version of the Cloud connector only one ltmajorgtltminorgtltmicrogt version

will be provided and supported on the Cloud Tools page This means that users have to upgrade their existing

Cloud connectors in order to get a patch for a bug or to make use of new features

New versions of the Cloud connector are announced in the Release Notes of SAP HANA Cloud Platform We

recommend that Cloud connector administrators check regularly the release notes for Cloud connector

updates New versions of the Cloud connector can be applied by using the Cloud connector upgrade

capabilities as outlined in sections 42 and 52 above We recommend that you apply an upgrade first in the

Cloud connector test landscape to validate that the running applications are working and then continue with

the productive landscape

When updates are applied on the cloud operations continuity of existing Cloud connectors and its connections

are assured by the platform ie users do not have to perform manual actions in the Cloud connector when the

cloud side gets updated


11 Process Guidelines for Hybrid Scenarios

The following chapter provides process guidelines that help you to manage productive hybrid scenarios in

which applications running on SAP HANA Cloud Platform require access to on-premise systems

111 Document Landscape of Hybrid Solution

To have an overview of the cloud and on-premise landscape relevant for your hybrid scenario we recommend

that you document the used cloud accounts their connected Cloud connectors and the used on-premise

backend systems in landscape overview diagrams Document the account names the purpose of the accounts

(dev test prod) information of the Cloud connector machines (host domains) the URLs of the Cloud

connectors in the landscape overview document and possibly more details

An example of landscape overview documentation could look like this

112 Document Administrator Roles

It is recommended to document which users have administrator access to the cloud accounts to the Cloud

connector operating system and to the Cloud connector Administration UI

An example of such administrator role documentation could look like following sample table

Resource

johnacmecom marryacmecom peteacmecom gregacmecom

Cloud Account (CA) Dev1

x

CA Dev2 X

CA Test x X

CA Prod X

Cloud connector Dev 1 + 2

x x


Cloud connector Test x X

Cloud connector Prod X

Cloud connector Dev 1 + 2 file system

Cloud connector Test file system

x X

Cloud connector Prod file system

X

113 Document Communication Channels

It is recommended to create and document separate email distribution lists for both the cloud account

administrators and the Cloud connector administrators

An example of the documented communication channels could look like this

Landscape Distribution List

Cloud Account Administrators DL ACME HCP Account Admins

Cloud connector Administrators DL ACME Cloud connector Admins

114 Define Project and Development Guidelines

It is recommended to define and document mandatory project and development guidelines for your SAP HANA

Cloud Platform projects An example of such a guideline could look like the following

For every SAP HANA Cloud Platform project of your organization the following requirements are mandatory

bull Usage of Maven Nexus Git-amp-Gerrit for the application development

bull Alignment with accountable manager in projects (name Flora Miller)

bull Alignment with accountable security officer in projects (name Pete Johnson)

bull For externally developed source code a hand over to your organization is required

bull Fulfill the connection restrictions in a 3 system landscape ie usage of staged landscape for dev test

and prod and eg dev landscape only connects to dev systems etc

bull Productive accounts do not use the same Cloud connector like a dev or test account

115 Define Process of how to Set a Cloud Application Live

It is recommended to define and document the process of how to set a cloud application live and how to

configure needed connectivity for such an application

For example the following processes could be seen as relevant and shall be defined and document in more

detail

1 Transferring application to production This process defines the steps which are necessary for transferring

an application to the productive status on the SAP HANA Cloud Platform

2 Application Connectivity This process defines the steps which are necessary to add a connectivity

destination to a deployed application for connections to other resources in the test or productive

landscape

3 Cloud Connector Connectivity This process defines the steps which are necessary to add an on-premise

resource to the SAP HANA Cloud connector in the test or productive landscapes to make it available for the

connected cloud accounts


4 On-premise System Connectivity This process defines the steps which are necessary to setup a trust

relationship between an on-premise system and the SAP HANA Cloud connector and to configure user

authentication and authorization in the on-premise system in the test or productive landscapes

5 Application Authorization This process defines the steps which are necessary to request and assign an

authorization which is available inside the SAP HANA Cloud application to a user in the test or productive

landscapes

6 Administrator Permissions This process defines the steps which are necessary to request and assign the

administrator permissions in a cloud account to a user in the test or productive landscape

Copyright

copy Copyright 2014 SAP AG All rights reserved

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG The information contained herein may be changed without prior notice

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors

Microsoft Windows Excel Outlook and PowerPoint are registered trademarks of Microsoft Corporation

IBM DB2 DB2 Universal Database System i System i5 System p System p5 System x System z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVM zOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM Power Architecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPC BatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACF Redbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoli and Informix are trademarks or registered trademarks of IBM Corporation

Linux is the registered trademark of Linus Torvalds in the US and other countries

Adobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States andor other countries

Oracle is a registered trademark of Oracle Corporation

UNIX XOpen OSF1 and Motif are registered trademarks of the Open Group

Citrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin are trademarks or registered trademarks of Citrix Systems Inc

HTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World Wide Web Consortium Massachusetts Institute of Technology

Java is a registered trademark of Sun Microsystems Inc

JavaScript is a registered trademark of Sun Microsystems Inc used under license for technology invented and implemented by Netscape

SAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP Business ByDesign and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries

Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal Decisions Web Intelligence Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects SA in the United States and in other countries Business Objects is an SAP company

All other product and service names mentioned are the trademarks of their respective companies Data contained in this document serves informational purposes only National product specifications may vary

These materials are subject to change without notice These materials are provided by SAP AG and its affiliated companies (SAP Group) for informational purposes only without representation or warranty of any kind and SAP Group shall not be liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services if any Nothing herein should be construed as constituting an additional warranty


1 INTRODUCTION 3

11 TARGET AUDIENCE 4

12 ADDITIONAL INFORMATION 4

2 SYSTEM REQUIREMENTS 5

21 HARDWARE REQUIREMENTS 5

22 SOFTWARE REQUIREMENTS 5

23 SUPPORTED BROWSERS 5

24 CLOUD CONNECTOR SOFTWARE DOWNLOAD 5

25 FREE DISK SPACE 5

251 Installation size 5

252 Additional disk space for log and configuration files 5

3 NETWORK ZONES 6

4 CLOUD CONNECTOR ON MICROSOFT WINDOWS 6

41 INSTALLATION 6

42 UPGRADE 6

43 UNINSTALLATION 7


5 CLOUD CONNECTOR ON LINUX 7

51 INSTALLATION 7

52 UPGRADE 7

53 UNINSTALLATION 7


6 CLOUD CONNECTOR ADMINISTRATION 8

61 OPERATING SYSTEM ACCESS AND CONFIGURATION 8

62 CONFIGURING A TRUSTED CERTIFICATE FOR THE ADMINISTRATION UI 8

63 BASIC CONFIGURATION 8

64 CONNECTING AND DISCONNECTING A CLOUD ACCOUNT 8

65 CONFIGURING ACCESSIBLE RESOURCES 9

66 CONFIGURING TRUST BETWEEN CLOUD CONNECTOR AND ON-PREMISE SYSTEMS 11

67 CONFIGURING NAMED CLOUD CONNECTOR ADMINISTRATOR USERS 11

68 USING THE AUDIT LOG 11

69 AUTHENTICATING USERS FOR ON-PREMISE SYSTEMS 12

7 GUIDELINES FOR SECURE OPERATION OF THE CLOUD CONNECTOR 12

8 MONITORING 13

9 SUPPORTABILITY 14

10 RELEASE AND MAINTENANCE STRATEGY 14

11 PROCESS GUIDELINES FOR HYBRID SCENARIOS 15

111 DOCUMENT LANDSCAPE OF HYBRID SOLUTION 15

112 DOCUMENT ADMINISTRATOR ROLES 15

113 DOCUMENT COMMUNICATION CHANNELS 16

114 DEFINE PROJECT AND DEVELOPMENT GUIDELINES 16

115 DEFINE PROCESS OF HOW TO SET A CLOUD APPLICATION LIVE 16


1 Introduction













systems)








on






bull Monitoring



bull Supportability







11 Target Audience

























Minimum Recommended




















25 Free Disk Space





























3 Network Zones

















41 Installation





42 Upgrade




43 Uninstallation















51 Installation





52 Upgrade



53 Uninstallation




















hard drive
































































































































section 61



section 61



section 63







section 62



section 66



section 0



section 0



section 68






section 252

8 Monitoring








service







9 Supportability
















deliver bug fixes




























Resource



x

CA Dev2 X

CA Test x X

CA Prod X


x x






x X


X























detail





landscape










landscapes



Copyright



















1 Introduction













systems)








on






bull Monitoring



bull Supportability







11 Target Audience

























Minimum Recommended




















25 Free Disk Space





























3 Network Zones

















41 Installation





42 Upgrade




43 Uninstallation















51 Installation





52 Upgrade



53 Uninstallation




















hard drive
































































































































section 61



section 61



section 63







section 62



section 66



section 0



section 0



section 68






section 252

8 Monitoring








service







9 Supportability
















deliver bug fixes




























Resource



x

CA Dev2 X

CA Test x X

CA Prod X


x x






x X


X























detail





landscape










landscapes



Copyright























bull Monitoring



bull Supportability







11 Target Audience

























Minimum Recommended




















25 Free Disk Space





























3 Network Zones

















41 Installation





42 Upgrade




43 Uninstallation















51 Installation





52 Upgrade



53 Uninstallation




















hard drive
































































































































section 61



section 61



section 63







section 62



section 66



section 0



section 0



section 68






section 252

8 Monitoring








service







9 Supportability
















deliver bug fixes




























Resource



x

CA Dev2 X

CA Test x X

CA Prod X


x x






x X


X























detail





landscape










landscapes



Copyright






















Minimum Recommended




















25 Free Disk Space





























3 Network Zones

















41 Installation





42 Upgrade




43 Uninstallation















51 Installation





52 Upgrade



53 Uninstallation




















hard drive
































































































































section 61



section 61



section 63







section 62



section 66



section 0



section 0



section 68






section 252

8 Monitoring








service







9 Supportability
















deliver bug fixes




























Resource



x

CA Dev2 X

CA Test x X

CA Prod X


x x






x X


X























detail





landscape










landscapes



Copyright

































3 Network Zones

















41 Installation





42 Upgrade




43 Uninstallation















51 Installation





52 Upgrade



53 Uninstallation




















hard drive
































































































































section 61



section 61



section 63







section 62



section 66



section 0



section 0



section 68






section 252

8 Monitoring








service







9 Supportability
















deliver bug fixes




























Resource



x

CA Dev2 X

CA Test x X

CA Prod X


x x






x X


X























detail





landscape










landscapes



Copyright



















43 Uninstallation















51 Installation





52 Upgrade



53 Uninstallation




















hard drive
































































































































section 61



section 61



section 63







section 62



section 66



section 0



section 0



section 68






section 252

8 Monitoring








service







9 Supportability
















deliver bug fixes




























Resource



x

CA Dev2 X

CA Test x X

CA Prod X


x x






x X


X























detail





landscape










landscapes



Copyright




























hard drive
































































































































section 61



section 61



section 63







section 62



section 66



section 0



section 0



section 68






section 252

8 Monitoring








service







9 Supportability
















deliver bug fixes




























Resource



x

CA Dev2 X

CA Test x X

CA Prod X


x x






x X


X























detail





landscape










landscapes



Copyright
























































































































section 61



section 61



section 63







section 62



section 66



section 0



section 0



section 68






section 252

8 Monitoring








service







9 Supportability
















deliver bug fixes




























Resource



x

CA Dev2 X

CA Test x X

CA Prod X


x x






x X


X























detail





landscape










landscapes



Copyright























section 62



section 66



section 0



section 0



section 68






section 252

8 Monitoring








service







9 Supportability
















deliver bug fixes




























Resource



x

CA Dev2 X

CA Test x X

CA Prod X


x x






x X


X























detail





landscape










landscapes



Copyright





















service







9 Supportability
















deliver bug fixes




























Resource



x

CA Dev2 X

CA Test x X

CA Prod X


x x






x X


X























detail





landscape










landscapes



Copyright

































Resource



x

CA Dev2 X

CA Test x X

CA Prod X


x x






x X


X























detail





landscape










landscapes



Copyright























x X


X























detail





landscape










landscapes



Copyright
























landscapes



Copyright


















Copyright


















sap hana cloud connector 2 - archive.sap.com · sap hana cloud connector – operator’s guide...

Documents