The crucial problem with SAP S/4HANA On-Premise systems is, that they are not exposed to the internet. Typically, they are located within a company's internal network. The SAP CLoud SDK has some useful features that allow you to connect to On-Premise systems.
Since this isolation contradicts to modern requirements of data availability, SAP has introduced the Cloud Connector. The Cloud Connector works like a reverse proxy opening a connection between some white-listed service endpoints of the On-Premise system, and the connected Cloud Foundry account. Only applications running in the connected Cloud Foundry account can access the services. Applications which are supposed to access On-Premise systems need a binding to the connectivity service.
As a first step, the SDK looks up the destination.
Proxy Type of the destination is
OnPremise the SDK will try to establish a connection via the Cloud Connector.
As mentioned above, the application needs a service binding to the connectivity service.
A service binding leads to client credentials in the
VCAP environment variable.
The environment variables are accessible for the application at runtime.
The SDK uses the client credentials and if given the tenant id of the JWT to obtain a client credentials grant.
If multiple connectivity services binding exist, the SDK uses the first entry per default.
The SDK takes the client grant to call the connectivity service and receives the host, password and authorization of the connectivity proxy.
Then the SDK creates an HTTP agent considering this proxy and the necessary
The proxy is the entry point to the Cloud Connector instance connected the account.
The proxy is only reachable from the Cloud Foundry space, so you cannot use that flow for applications running outside of Cloud Foundry.
The final destination containing the proxy information will look like:
and will be used by the HTTP client of the SDK to execute the request. We would like to mention two minor aspects of the SDK.
In case the
Authentication property on the destination is
PrincipalPropagation the SDK adds the
SAP-Connectivity-Authentication header to the request.
The header contains user information included in the
JWT and enables user propagation from the cloud application to the SAP S/4 HANA system.
If you have multiple Cloud Connectors connected to your account, the
LocationId defines which one of these to use for the request.
In case the destination contains a
LocationId property, the SDK adds the
SAP-Connectivity-SCC-Location_ID header to the request.