Set Up Trust Between SAP Analytics Cloud and Your On-Premise Systems (Beta)

Configure your on-premise system so that it trusts the cloud connector.

Context

Note

Currently, only selected Beta customers can create live data connections using the cloud connector. If you are interested in the Beta program, please contact your SAP account manager.

Please note that the following conditions apply during the Beta period:

  • Your company acknowledges that the software is a preliminary version and not subject to any productive use license agreement or any other agreement with SAP.
  • SAP has no obligation to include or remove any functionality from the software in any future version or in any SAP standard product.

There are two levels of trust. First, you need to allow the cloud connector to identify itself with its system certificate for HTTPS connections. Second, you need to allow this identity to propagate the user, so that the short-lived X.509 certificate can be forwarded. Then, you'll need to configure the user mapping in the on-premise system. The X.509 certificate contains information about the cloud user in its subject. You'll use this information to map the identity to the appropriate user in the system.

The following steps are for uploading the certificate that you previously downloaded from the SAPCP cloud connector (see related link) to an SAP BW on-premise system, and configuring the BW system to use principal propagation. For more information, see Configure Principal Propagation to an ABAP System for HTTPS.

Procedure

  1. Establish trust between the ABAP System and the cloud connector by importing the CA-issued system certificate.
    1. Start SAP Logon.
    2. Log on to your on-premise BW system.
    3. Open the Trust Manager.
      You can type strust to find the Trust Manager.
    4. Double-click SSL server Standard.
    5. Switch to Edit mode.
    6. Select the Import certificate icon at the bottom of the screen.
    7. Choose the system certificate file that you previously downloaded from the SAPCP cloud connector (not the sample certificate file).
    8. Select Continue, and then select Allow to grant access to the file.
      The details of the certificate are displayed.
    9. Select Add to Certificate List.
    10. Verify that your system certificate appears in the Certificate List, and then save the configuration.
    11. Select the Back icon to go back to the SAP Easy Access screen.
  2. Configure the Internet Communication Manager (ICM).
    The ICM ensures that communication between the SAP system and external sites via the HTTP, HTTPS, and SMTP protocols works properly. In its role as a server, the ICM processes requests from the Internet that arrive as URLs with the server/port combination that the ICM listens to. The ICM then calls the relevant local handler for the URL in question.
    1. Open the Edit Profiles screen (rz10).
    2. Select the DEFAULT profile.
    3. Select the Extended maintenance option.
    4. Select Change.
    5. Select Parameter (create) and enter this Parameter name: icm/HTTPS/trust_client_with_issuer.
      For the Parameter val field, enter the Issuer of the system certificate, which you can find in the Cloud Connector Administration application, on the Configuration screen, on the On Premise tab, in the System Certificate section.
    6. Select the Back icon and save your changes.
      The new parameter appears in the parameter list.
    7. Create a second parameter for the subject of the system certificate.

      Select Parameter (create) and enter this Parameter name: icm/HTTPS/trust_client_with_subject.

      For the Parameter val field, enter the Subject DN of the system certificate, which you can also find in the System Certificate section.
    8. When both parameters appear in the parameter list, select the Back icon, and select Yes to update the profile.
    9. Save the profile, and select Yes to activate the profile.
    10. Select the Back icon to go back to the SAP Easy Access screen.
    11. Open the ICM Monitor (smicm).
    12. Select More > Administration > ICM > Exit Hard > Global.
    13. Select More > Goto > Parameters > Display.
      The two new parameters are visible under HTTPS (SSL) settings.
    14. Select the Back icon to go back to the SAP Easy Access screen.
  3. Map the short-lived certificate.
    You can do the mapping manually in the system, or make use of an identity management solution. For example, for large numbers of users, rule-based certificate mapping can save time and effort. The following steps describe the second option.
    1. Open the Maintain Profile Parameters screen (rz11).
    2. In the Parameter Name field, type login/certificate_mapping_rulebased, and then select Display.
    3. Select Change Value.
    4. In the New Value field, type 1, and then save the change.
    5. Select the Back icon twice to go back to the SAP Easy Access screen.
    6. Open the Rule based Certificate Mapping - Display screen (certrule).
    7. Select Display/Change.
    8. Select More > Configuration > Upload certificate.
    9. Choose the sample certificate file that you previously downloaded from the SAPCP cloud connector (not the system certificate file).
    10. Select Open, and then select Allow to grant access to the file.
    11. Select the Rule button to create a new rule.

      For the Certificate Attr. field, select CN=<valid user identifier>. See Configure Your On-Premise Systems to Use the SAPCP Cloud Connector (Beta) for details.

      For the Login As field, this setting depends on which attribute you configured in your identity provider as your user identifier. If you used a user name or email address, you can select those options from the drop-down list. If you chose any other attribute, select Alias from the list.

    12. Select Continue to create the rule.
    13. In the Rules list, double-click the check box in the Ext. Attributes or Attr column for the new rule, to open the Extended Attributes dialog.
    14. Select the check box Ignore case sensitivity in certificate entries, and select Continue.
    15. Verify that the rule has been added, and then save the change.
    16. Check that the user is mapped in the Certificate Status based on Persistence area.
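
The two trust levels configured in this procedure, modeled as an added Python example (not SAP code and not part of the original documentation). The DN values, user aliases, and the matching logic are constructed assumptions for illustration; the ICM's actual DN comparison may differ.

```python
import re

# Constructed values standing in for the parameters set in steps 2 and 3.
PROFILE = {
    "icm/HTTPS/trust_client_with_issuer": "CN=Example Internal CA, O=Example Corp, C=DE",
    "icm/HTTPS/trust_client_with_subject": "CN=scc.example.internal, O=Example Corp, C=DE",
    "login/certificate_mapping_rulebased": "1",
}
# Constructed user master data: alias (stored lowercase) -> ABAP user.
USERS_BY_ALIAS = {"jdoe": "JDOE", "asmith": "ASMITH"}


def parse_dn(dn):
    """Split a DN into (ATTR, value) pairs; backslash-escaped commas stay in the value."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip().replace("\\,", ",")))
    return rdns


def connector_is_trusted(issuer_dn, subject_dn, profile=PROFILE):
    """Level 1: issuer AND subject of the system certificate must both match."""
    return (parse_dn(issuer_dn) == parse_dn(profile["icm/HTTPS/trust_client_with_issuer"])
            and parse_dn(subject_dn) == parse_dn(profile["icm/HTTPS/trust_client_with_subject"]))


def map_user(forwarded_subject, ignore_case=True, profile=PROFILE):
    """Level 2: rule CN=<user identifier>, with Login As assumed to be Alias."""
    if profile.get("login/certificate_mapping_rulebased") != "1":
        return None  # rule-based mapping switched off
    cns = [value for attr, value in parse_dn(forwarded_subject) if attr == "CN"]
    if len(cns) != 1:
        return None  # missing or ambiguous CN: refuse to map
    return USERS_BY_ALIAS.get(cns[0].lower() if ignore_case else cns[0])


def logon(conn_issuer, conn_subject, forwarded_subject):
    """Return the mapped user, or None if either trust level fails."""
    if not connector_is_trusted(conn_issuer, conn_subject):
        return None
    return map_user(forwarded_subject)


if __name__ == "__main__":
    issuer = "CN=Example Internal CA,O=Example Corp,C=DE"
    subject = "CN=scc.example.internal,O=Example Corp,C=DE"
    print(logon(issuer, subject, "CN=JDoe"))  # JDOE
    print(logon(issuer, "CN=other.example.internal,O=Example Corp,C=DE", "CN=jdoe"))  # None
```

The second call returns no user even though the forwarded CN is valid, because the forwarding certificate's subject does not match the configured value; the mapping rule is only reached after the connector itself is trusted.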