Installation
Get SAP Cloud Foundry account
Deploying the Link application will require a SAP Cloud Foundry subscription or a SAP Cloud Foundry Trial.
When using a trial, the app will shut down after a few hours every day.
Create Trial
Access Cloud Foundry
SAP Cloud Foundry Trial or SAP Cloud Foundry
Cloud Foundry Tools can be downloaded at: https://tools.hana.ondemand.com/#cloud
Install and configure SAP Cloud Connector (sapcc) on-premise component
sapcc is an appliance provided by SAP for accessing on-premise SAP servers through a secure outbound tunnel to SAP Cloud Platform.
Cloud Connector Security Details from SAP
Important Cloud Connector Notes/Warnings
Cloud Connector Security Certificate Expires Annually
The subaccount certificates in SAP Business Technology Platform expire annually. Renewing them is simple (just a click), but if it is not done, all connectivity through Cloud Connectors in the subaccount will be lost.
The instructions for how to update can be found here
Install
Use the SAP Cloud Connector install guide or use a community provided docker image.
- Install Cloud Connector
  - If installing on Windows, it is recommended to use sapjvm - Windows x64 in place of the Oracle JVM/JDK. sapcc needs the JDK; it will not run with just the JRE/JVM.
    - Extract the zip file and copy the whole folder to C:\sap
    - Create a new system environment variable JAVA_HOME=C:\SAP\sapjvm_8
    - Append ;C:\SAP\sapjvm_8\bin to the system Path environment variable
  - Install sapcc-2.15.2-windows-x64.msi
    - Set JDK path to C:\SAP\sapjvm_8
  - Log in to the Cloud Connector Administration portal with the default credentials. (Assumes default port of 8443)
    - User: Administrator
    - Password: manage
- Alternative is to use Cloud Connector Docker Image (Community)
Configuration
Add subaccount
- Region: This should match the region of the subaccount in Cloud Foundry. Check your subaccount or trial subaccount and ensure the region listed there matches the region selected when adding the subaccount.
- Subaccount: The value is the ID of the subaccount and not the subdomain. The ID can be obtained using the info hover or the details tab in the SAP Cloud Platform Cockpit.
- Display Name: Enter the subdomain.
- Subaccount User & Password: Use an authorized user account in the subdomain. If you started a trial, use your trial credentials.
Cloud to on-premise
In the subaccount add a new System Mapping.
- Back-end Type: Other SAP System
- Protocol: HTTP
- Internal Host: dns name or ip of the SAP ECC/S4 HANA system
- Internal Port: port, e.g. http port 8000
- Virtual Host: create a unique name for the virtual host. (e.g. sap-dev)
- Virtual Port: 80
- Principal Type: None
- Host In Request Header: Use Virtual Host
- Description: leave blank or provide the system name.
- In the summary check the checkbox (Check Internal Host) [X]
- Click [Finish]
Under Resources add a Resource
- URL Path:
/enosix/paca
- Active: [X]
- Access Policy: (x) Path And All Sub-Paths
Configure Connectivity service in SAP Cloud Foundry
The space Link is deployed to will need to have a connectivity service provisioned with the instance name of connectivity, although it can be configured to use a specific instance. Configuring the connectivity instance
Network connectivity
If your on-premise network requires whitelisting of IP addresses, the correct entries can be found here and here.
Configure Link to match sapcc on-premise configuration
Use the Cloud Foundry CLI with the following manifest.yaml template.
---
applications:
- name: enosix-link-<company-name> # Add your company name
  random-route: true # Remove this line in the production space
  memory: 128M
  docker:
    image: enosix/link:stable
  services:
  - connectivity
  health-check-type: http
  health-check-http-endpoint: /health
  env:
    #Logging__LogLevel__Default: Trace # Used to enable detailed trace logging for submitting issues
    Routes__ConnectivityInstance: connectivity
    Routes__dev__ConcurrentRequests: 10 # Throttle Link to a limited number of concurrent requests, in order to reduce memory constraints.
    Routes__dev__Token: 3de65974f59e200ef27e8ecfb84437f7 # Replace with a unique secret token
    Routes__dev__Url: http://sap-dev:80/enosix/paca # Should match the path of a virtual host configured in sapcc
Configuration
- Copy the manifest.yaml into a local file. The template should be copied twice, into production and non-production versions.
- The <company-name> token on line 4 needs to be replaced with your company name in all lowercase without spaces.
- The next line, random-route, needs to be removed if deploying to a production space.
- The environment variable Routes__ConnectivityInstance must contain the instance name of the connectivity service to access in the space where the Link app will be deployed.
- The manifest.yaml template will need to be created and configured to match the virtual systems in Cloud Foundry. Under the env node of the file, configure the routes entries for each SAP virtual host. The format for each route is Routes__<name>__, with an entry for each Token and Url.
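As an added example (not part of the enosix documentation), the shell functions below lint a manifest against the points in this list before cf push: the published template token has been replaced, random-route is absent for production, and every route has both a Token and a Url. The function names, finding labels and sample manifest are constructed for illustration.

```shell
#!/bin/sh
# Added example (not enosix code): lint a Link manifest.yaml before `cf push`.
TEMPLATE_TOKEN=3de65974f59e200ef27e8ecfb84437f7   # sample token published in the template

# new_token: print 32 hex characters (128 bits) read from /dev/urandom.
new_token() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# write_sample FILE: constructed manifest fragment that still has template defaults.
write_sample() {
    cat > "$1" <<'EOF'
applications:
- name: enosix-link-example
  random-route: true
  env:
    Routes__ConnectivityInstance: connectivity
    Routes__dev__Token: 3de65974f59e200ef27e8ecfb84437f7
    Routes__dev__Url: http://sap-dev:80/enosix/paca
    Routes__qa__Token: 0f1e2d3c4b5a69788796a5b4c3d2e1f0
EOF
}

# check_manifest FILE [prod]: print one finding per line, return 1 if any.
check_manifest() {
    file=$1; mode=${2:-nonprod}; rc=0
    if grep -Eq "^[[:space:]]*Routes__.*__Token:[[:space:]]*$TEMPLATE_TOKEN" "$file"; then
        echo "template-token"; rc=1
    fi
    if [ "$mode" = prod ] && grep -Eq '^[[:space:]]*random-route:[[:space:]]*true' "$file"; then
        echo "random-route-in-prod"; rc=1
    fi
    # Every Routes__<name>__Token needs a matching Routes__<name>__Url.
    for name in $(sed -n 's/^[[:space:]]*Routes__\(.*\)__Token:.*/\1/p' "$file"); do
        if ! grep -Eq "^[[:space:]]*Routes__${name}__Url:" "$file"; then
            echo "missing-url:$name"; rc=1
        fi
    done
    return $rc
}

# Demo: lint the constructed sample as a production manifest.
sample=$(mktemp)
write_sample "$sample"
check_manifest "$sample" prod || echo "fix the findings above before cf push"
rm -f "$sample"
```

Run check_manifest with prod as the second argument for the production copy of the manifest, and use new_token to produce a separate token for each route.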
Deploy to Cloud Foundry and verify connectivity
Using the Cloud Foundry CLI, run the command cf push in the directory where the configured manifest.yaml is located to deploy to Cloud Foundry. After deployment the application will be accessible as a route in Cloud Foundry; this route plus the configured token parameter can be used to access the connected SAP system.
Note: All files in the path where cf push is executed will be bundled up and pushed to Cloud Foundry. Use an empty directory with only the manifest.yaml file to avoid unnecessary uploads.
Sample output from cf push
Pushing from manifest to org ****** / space ****** as ****************...
Using manifest file /Users/******/link/manifest.yaml
Getting app info...
Updating app with these attributes...
name: enosix-link
docker image: enosix/link:stable
command: /bin/sh -c dotnet link.dll
disk quota: 1G
health check http endpoint: /health
health check type: http
instances: 1
memory: 128M
stack: cflinuxfs3
services:
connectivity
env:
Routes__ConnectivityInstance
Routes__dev__Token
Routes__dev__Url
Updating app link...
Mapping routes...
Stopping app...
Waiting for app to start...
name: link
requested state: started
routes: enosix-link.cfapps.us10.hana.ondemand.com
last uploaded: Mon 1 Jan 12:00:00 EST 2000
stack:
docker image: enosix/link:stable
type: web
instances: 1/1
memory usage: 128M
start command: /bin/sh -c dotnet link.dll
state since cpu memory disk details
#0 running 2020-02-13T21:34:01Z 7.3% 23.3M of 128M 158.9M of 1G
Application logs
To view logs from the application, use the CLI command cf logs link
To view detailed logs, uncomment the env node Logging__LogLevel__Default: Trace by removing the leading #, then redeploy with cf push.
Routing explained
With the template above, the route named dev has the token 3de65974f59e200ef27e8ecfb84437f7, and the deployment to Cloud Foundry assigned the route enosix-link.cfapps.us10.hana.ondemand.com. Thus the URL to access the sap-ecc-dev system will be: https://enosix-link.cfapps.us10.hana.ondemand.com/3de65974f59e200ef27e8ecfb84437f7
https://enosix-link.cfapps.us10.hana.ondemand.com/3de65974f59e200ef27e8ecfb84437f7 - [sapcc] -> http://sap-ecc-dev:80/enosix/paca
Testing & Connectivity Verification
Access the route with the token; it should prompt for authentication. Test using a valid SAP username and password.