On-Premise Connectivity
Why On-Premise Systems Are Different
SAP S/4HANA On-Premise systems are located within a company's internal network. They are not exposed to the internet. The SAP Cloud SDK provides helpful features to allow connecting to on-premise systems.
Since this isolation contradicts modern requirements of data availability, SAP has introduced the Cloud Connector. The Cloud Connector works like a reverse proxy, opening a connection between some allowlisted service endpoints of the on-premise system and the connected Cloud Foundry account. Only applications running in the connected Cloud Foundry account can access the services. Applications that are supposed to access on-premise systems need a binding to the connectivity service.
Implementation Details
Connectivity Service
As a first step, the SAP Cloud SDK looks up the destination.
If the Proxy Type of the destination is OnPremise, the SAP Cloud SDK will try to establish a connection via the Cloud Connector.
As mentioned above, the application needs a service binding to the connectivity service.
A service binding leads to client credentials in the VCAP_SERVICES environment variable.
The environment variables are accessible for the application at runtime.
The SAP Cloud SDK uses the client credentials and, if a JWT is given, the tenant id from that JWT to obtain a client credentials grant.
If multiple connectivity service bindings exist, the SAP Cloud SDK uses the first entry by default.
The SAP Cloud SDK takes the client grant to call the connectivity service and receives the host, password, and authorization of the connectivity proxy.
Then the SAP Cloud SDK creates an HTTP agent considering this proxy and the necessary Proxy-Authorization headers.
The proxy is the entry point to the Cloud Connector instance connected to the account.
The proxy is only reachable from the Cloud Foundry space, so you cannot use that flow for applications running outside of Cloud Foundry.
For quick local tests, a deployment to Cloud Foundry is tedious; the following workarounds are possible:
- SAP Business Application Studio has some built-in functionality to connect to Cloud Foundry.
- If you are in a VPN from where the on-premise system is reachable, use an environment destination to access the system directly.
- You can also use an existing application with a bound connectivity service as an ssh tunnel:
  - Enable ssh for the application as described in the Cloud Foundry documentation.
  - Open an ssh tunnel with port forwarding via the cf ssh MY-APP -L LOCAL-HOST:LOCAL-PORT:REMOTE-HOST:REMOTE-HOST-PORT command. As remote host and port use the onpremise_proxy_host and onpremise_proxy_port values from the VCAP_SERVICES variable, e.g. connectivityproxy.internal.cf.eu10.hana.ondemand.com and 20003. As local host and port use localhost and some free port, e.g. localhost:8081.
  - Replace onpremise_proxy_host and onpremise_proxy_port in your locally used VCAP_SERVICES variable with localhost and the free port you chose.
The final destination in the productive scenario containing the proxy information will look like this (proxyConfiguration and its headers are optional and only present for OnPremise destinations):
    {
      url: "https://my.onPremise.System.url.com",
      headers: { ... }, // contains the authorization headers for the SAP S/4HANA system
      proxyConfiguration: {
        host: "connectivity.service.proxy.host",
        port: 1234,
        protocol: "http",
        headers: {
          "Proxy-Authorization": "AuthHeaderForTheProxy"
        }
      }
    }
It will be used by the HTTP client of the SAP Cloud SDK to execute the request.
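The following is an added example and not SAP Cloud SDK code: it models the flow described in this section (pick the first connectivity binding from VCAP_SERVICES, read the tenant id from the JWT, assemble the proxyConfiguration of an OnPremise destination) and the local workaround of pointing the proxy at the cf ssh tunnel. All values are constructed; the credential field names clientid, clientsecret and token_service_url, the JWT claim name zid and the "Bearer" form of the Proxy-Authorization value are assumptions, not something this page states.

```javascript
// Added example, not SAP Cloud SDK code. Constructed VCAP_SERVICES content
// with two connectivity bindings; only onpremise_proxy_host/port are named
// on the page, the other credential fields are assumed.
const SAMPLE_VCAP_SERVICES = JSON.stringify({
  connectivity: [
    {
      name: 'connectivity-primary',
      credentials: {
        clientid: 'sb-connectivity-1',                  // assumed field name
        clientsecret: 'constructed-secret-1',           // assumed field name
        token_service_url: 'https://tenant.authentication.eu10.hana.ondemand.com', // assumed
        onpremise_proxy_host: 'connectivityproxy.internal.cf.eu10.hana.ondemand.com',
        onpremise_proxy_port: '20003'
      }
    },
    {
      name: 'connectivity-secondary',
      credentials: {
        clientid: 'sb-connectivity-2',
        clientsecret: 'constructed-secret-2',
        token_service_url: 'https://tenant.authentication.eu10.hana.ondemand.com',
        onpremise_proxy_host: 'connectivityproxy.internal.cf.eu10.hana.ondemand.com',
        onpremise_proxy_port: '20003'
      }
    }
  ]
});

// Mirrors the behaviour described above: with several connectivity
// bindings the first one is used.
function selectConnectivityBinding(vcapServicesJson) {
  const bindings = JSON.parse(vcapServicesJson).connectivity;
  if (!Array.isArray(bindings) || bindings.length === 0) {
    throw new Error('no connectivity service binding found in VCAP_SERVICES');
  }
  return bindings[0].credentials;
}

// Reads the tenant id claim from a JWT. The token is decoded, not verified;
// verification belongs to the code that accepted the incoming request.
// The claim name zid is an assumption about the token format.
function tenantIdFromJwt(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  const payloadB64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(payloadB64, 'base64').toString('utf8')).zid;
}

// Builds the destination object handed to the HTTP client. proxyAuthToken
// stands for the value the connectivity service returns for the proxy after
// the client credentials grant; obtaining it needs network access and is
// represented here by a parameter.
function buildOnPremiseDestination(destination, credentials, proxyAuthToken) {
  if (destination.proxyType !== 'OnPremise') {
    return destination; // Internet destinations get no proxy configuration
  }
  return {
    ...destination,
    proxyConfiguration: {
      host: credentials.onpremise_proxy_host,
      port: Number(credentials.onpremise_proxy_port),
      protocol: 'http',
      headers: { 'Proxy-Authorization': `Bearer ${proxyAuthToken}` } // "Bearer" form assumed
    }
  };
}

// Local testing workaround from the list above: point every connectivity
// binding at the cf ssh tunnel listening on localhost.
function redirectProxyToLocalTunnel(vcapServicesJson, localPort) {
  const services = JSON.parse(vcapServicesJson);
  for (const binding of services.connectivity || []) {
    binding.credentials.onpremise_proxy_host = 'localhost';
    binding.credentials.onpremise_proxy_port = String(localPort);
  }
  return JSON.stringify(services);
}

// Constructed, unsigned JWT used only to show where the tenant id comes from.
function constructedJwt(claims) {
  const enc = obj => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.`;
}

const credentials = selectConnectivityBinding(SAMPLE_VCAP_SERVICES);
const tenant = tenantIdFromJwt(constructedJwt({ zid: 'tenant-1234', user_name: 'jdoe' }));
console.log(`client credentials grant for tenant ${tenant} via ${credentials.token_service_url}`);
const destination = buildOnPremiseDestination(
  { url: 'https://my.onPremise.System.url.com', proxyType: 'OnPremise', headers: {} },
  credentials,
  'constructed-proxy-token'
);
console.log(JSON.stringify(destination, null, 2));
console.log(redirectProxyToLocalTunnel(SAMPLE_VCAP_SERVICES, 8081));
```

Run with node; the printed destination has the same shape as the object shown above, with the proxy host and port taken from the first binding. Keeping the binding selection in one function makes the "first entry wins" rule explicit, which matters when a space carries several connectivity instances and the wrong Cloud Connector would otherwise be reached silently.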
Principal Propagation
In case the Authentication property on the destination is PrincipalPropagation, the SAP Cloud SDK adds the SAP-Connectivity-Authentication header to the request.
The header contains the user information included in the JWT and enables user propagation from the cloud application to the SAP S/4HANA system.
Multiple Cloud Connectors
If you have multiple Cloud Connectors connected to your account, the LocationId defines which one of these to use for the request.
In case the destination contains a LocationId property, the SAP Cloud SDK adds the SAP-Connectivity-SCC-Location_ID header to the request.
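The following is an added example, not SAP Cloud SDK code, showing how the two headers from the Principal Propagation and Multiple Cloud Connectors sections above depend on destination properties. The property names authentication and locationId on the destination object, the "Bearer" form of the SAP-Connectivity-Authentication value, and the sample destination and token are assumptions and constructed values.

```javascript
// Added example, not SAP Cloud SDK code: request headers derived from the
// destination properties described above.
function onPremiseRequestHeaders(destination, userJwt) {
  // Start from the destination's own headers (authorization for the S/4HANA system).
  const headers = { ...(destination.headers || {}) };

  if (destination.authentication === 'PrincipalPropagation') {
    if (!userJwt) {
      // Without a user token there is no principal to propagate; fail here
      // rather than sending a request the Cloud Connector cannot attribute.
      throw new Error('PrincipalPropagation requires the user JWT of the current request');
    }
    headers['SAP-Connectivity-Authentication'] = `Bearer ${userJwt}`; // "Bearer" form assumed
  }

  if (destination.locationId) {
    // Selects one of several Cloud Connectors attached to the account.
    headers['SAP-Connectivity-SCC-Location_ID'] = destination.locationId;
  }

  return headers;
}

// Constructed destination and token for a stand-alone run.
const sampleDestination = {
  url: 'https://my.onPremise.System.url.com',
  proxyType: 'OnPremise',
  authentication: 'PrincipalPropagation',
  locationId: 'scc-eu-1',
  headers: { Accept: 'application/json' }
};
console.log(onPremiseRequestHeaders(sampleDestination, 'constructed.user.jwt'));
```

For a destination with BasicAuthentication neither header is added, and a destination without a LocationId leaves the Cloud Connector choice to the account default; the function only emits what the destination asks for, so a missing user token surfaces as an error in the application instead of an opaque rejection from the on-premise side.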