Live Data Connection to SAP HANA Cloud Using a Direct Connection and SSO

To access SAP HANA Cloud on an SAP Cloud Platform (SAPCP) system that is running a Cloud Foundry (CF) environment, you can create a live data connection using the SAP HANA Analytics Adapter for Cloud Foundry.

Prerequisites

Note
This connection type works in both Neo and Cloud Foundry environments, but for Cloud Foundry environments, we recommend that you use the SAP HANA Cloud connection type instead (see details here).

Context

Note
The following SAP Analytics Cloud features are not supported with this connection type at this time:
  • Enriched time dimensions
  • Timestamp dimensions
  • Dynamic image widgets
  • Smart Insights
  • Smart Assist/Changes Over Time in Smart Insights
  • Smart Predict
  • Story scheduling
  • Android/iOS Mobile App:
    • SAP Cloud Connector-based single sign-on
    • Basic Authentication connections
    • Geo maps
  • OEM scenarios through “Extended Live Connections”

Procedure

  1. Install and configure tools.
    1. Download and install the Cloud Foundry CLI.
      See this videoInformation published on non-SAP site for details.
      Note
      If you already have the CLI installed, you can skip to the “Set npm for the SAP registry modules” substep below.
    2. Download and install the Cloud Foundry CLI MTA.

      See the preceding video for details.

      Install the plugin using the command:

      cf install-plugin mta-plugin-windows.exe -f
    3. Download and install Oracle JDK 8 or SAP JDK 8.

      To verify that the JDK is ready, check the version of the JDK you have installed. For example:

      javac --version
    4. Download and install Apache Maven.

      To verify that Maven is ready, check the version of Maven you have installed. For example:

      mvn --version
    5. Download and install Node.js.

      To verify that Node is ready, check the version of Node you have installed. For example:

      node --version

      Also verify that npm (Node Package Manager) is installed with Node. For example:

      npm --version

      Note: npm is distributed with Node.js, which means that when you download Node.js, you automatically get npm installed on your computer.

    6. Set npm for the SAP registry modules with the command:
      npm config set @sap:registry https://npm.sap.com
  2. Prepare the Multi-Target Application (MTA) and deploy the analytics adapter for SAP HANA.
    See this videoInformation published on non-SAP site for details.
    1. Create a local folder. For example: c:\haa.
      This directory is referred to as <HAA_ROOT> in the following steps.
    2. Download or clone the analytics adapter (HAA) project from SAP GitHub.
    3. Unzip the file in the <HAA_ROOT> folder.
    4. Download the Cloud MTA Build Tool (MBT) from https://sap.github.io/cloud-mta-build-tool/Information published on non-SAP site.
    5. Create a new folder under <HAA_ROOT>/haa-java and name it target.
    6. Download the latest version of the Analytics adapter for SAP HANA extended application services, advanced model from https://tools.hana.ondemand.com/#hanatools.
      The file to download is named: xsahaa-release-<version>-release.zip.
    7. Extract the zip file into a temporary folder.
    8. Copy the java-xsahaa.war file into the project folder <HAA_ROOT>/haa-java/target.
    9. Edit the yaml file in the folder <HAA_ROOT> using the following example (copy & paste the text below):
       file into the projectID: xsahaa
      _schema-version: '2.0'
      version: 0.0.2
      
      modules:
      
      - name: xsahaa-be
      type: java
      path: haa-java
      parameters:
      memory: 1G
      buildpack: sap_java_buildpack
      properties:
      TARGET_RUNTIME: tomee
      SAP_JWT_TRUST_ACL: '[{"clientid":"sb-xsahaa-be", "identityzone": "*"}]'
      
      JBP_CONFIG_RESOURCE_CONFIGURATION: "['tomee/webapps/ROOT/WEB-INF/resources.xml': {'xsahaa-hdi-container':'<customer_hdi>'}]"
      provides:
      - name: xsahaa-be
      properties:
      url: ${default-url}
      requires:
      - name: xsahaa-uaa
      - name: <customer_hdi>
      
      - name: xsahaa-rt
      type: nodejs
      path: haa-entry
      parameters:
      memory: 1G
      buildpack: nodejs_buildpack
      requires:
      - name: xsahaa-uaa
      - name: xsahaa-be
      group: destinations
      properties:
      name: xsahaa-be
      url: ~{url}
      forwardAuthToken: true
      timeout: 600000
      properties:
      CORS: >
      [
      {
      "uriPattern": "^/sap/bc/ina/(.*)$",
      "allowedOrigin": [
      {"host":"<orca-tenant-host>", "protocol":"https"}
      ],
      "allowedMethods": ["GET", "POST", "HEAD", "OPTIONS", "PUT", "DELETE"],
      "allowedHeaders": ["Origin", "Accept", "X-Requested-With", "Content-Type", "Access-Control-Request-Method", "Access-Control-Request-Headers", "Authorization", "X-Sap-Cid", "X-Csrf-Token"],
      "exposeHeaders": ["Accept", "Authorization", "X-Requested-With", "X-Sap-Cid", "Access-Control-Allow-Origin", "Access-Control-Allow-Credentials", "X-Csrf-Token", "Content-Type"]
      }
      ]
      COOKIES: '{"SameSite": "None"}'
      TENANT_HOST_PATTERN: '^(.*)-<space>-xsahaa-rt.cfapps.(.*).hana.ondemand.com'
      INCOMING_CONNECTION_TIMEOUT: 600000
      
      resources:
      - name: <customer_hdi>
      type: org.cloudfoundry.existing-service
      - name: xsahaa-uaa
      type: com.sap.xs.uaa
      parameters:
      path: ./xs-security.json
      Note
      • Replace <customer_hdi> with your own HDI name; for example, sales-hdi.
      • Replace <orca-tenant-host> with the CF SAP Analytics Cloud tenant URL.

        Example: customer.us10.sapanalytics.cloud

      • In the TENANT_HOST_PATTERN line, replace <space> with the CF space name (where the HANA instance is located) in lowercase characters.
      • If the Organization name and the Subdomain name are different, then the TENANT_HOST_PATTERN should follow the format: <org name>-<space>.
      • Replace spaces and underscores in the organization name with hyphens, and use lowercase characters. For example, if the organization name is “AAA_bbbb/123 456”, then change it to “aaa-bbbb-123-456”.
    10. Edit the xs-security.json file in the folder <HAA_ROOT>, and replace “SalesApp” with “HAAApp”.
    11. Edit the xs-app.json file in the folder <HAA_ROOT>/haa-entry and replace this code block:
      "source": "^/(.*)",
      "localDir": "resources",
      "authenticationType": "xsuaa",
      "scope": "$XSAPPNAME.USER"

      with this one:

      "source": "^/(.*)",
      "localDir": "resources",
      "authenticationType": "none"
  3. Build and deploy the analytics adapter.
    1. Start a command prompt window.
    2. Build the mta file with the command:
      java -jar mta.jar --build-target=CF build

      This command will generate a new file named <HAA_ROOT>.mtar.

    3. In the SAPCP Cockpit, in your subaccount overview, find the CF API endpoint.
    4. In the command prompt, set the CLI variable using the command:
      cf api <api-endpoint>
    5. Log on to CF using the command:
      cf login
    6. Deploy the mta to CF with the command:
      cf deploy <HAA_ROOT>.mtar

      After deployment, two new services and two new applications should appear in the SAPCP Cockpit.

    7. To authenticate with a named user, set USE_NAMED_USER=true.
  4. Grant permissions and set up roles.
    1. In the SAPCP Cockpit, go to the subaccount and click Role Collections.
    2. Create a new role collection with the name SACToHAA.
    3. Select SACToHAA, click Add Role, and select SalesApp_User from the list.
  5. Set up trust between XSUAA and the SAP HANA database container.
    1. Add a JSON Web Token (JWT) identity provider:
      1. In the SAPCP Cockpit, click Add Identity Provider.
      2. Open a new browser tab, and enter the URL: UAA_URL/sap/trust/jwt. You will see response content.
      3. In the Add Identity Provider dialog, enter the following information:
        1. Identity Provider Name: Enter a name for your IdP; for example, JWTPROVIDER_1.
        2. Issuer URL: Copy the URL from the “Issuer” property in the response content.
        3. JWT Identity Claim: Enter user_name.
      4. Click Add.
    2. Create a certificate:
      1. In the SAPCP Cockpit, get the UAA_URL value from the deployed application:

      2. Create the certificate based on information from the JWT trust endpoint.

        The basic format of the URL is: UAA_URL/sap/trust/jwt

        Example: https://hcsacorca1.authentication.sap.hana.ondemand.com/sap/trust/jwt

        The following steps need information obtained from this endpoint.

        1. Import a trusted certificate.
        2. Select “Paste content”.
        3. Open a new browser tab, and enter the URL: UAA_URL/sap/trust/jwt. You will see response content similar to the above screenshot.
        4. Copy the content starting from -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----, and paste it into the “Paste content” input field.
        5. Click “OK” to complete the certificate creation.
    3. Create a certificate collection.

      If the certificate collection already exists and you want to edit it, you'll need to restart your SAP HANA instance afterward.

      1. In the Database Overview, click Start of the navigation pathCertificate Collections Next navigation step Add CollectionEnd of the navigation path to create a certificate collection.
      2. Type a name for your certificate collection, and click OK.
      3. Select Add Certificate to open the Select Certificate dialog.
      4. Select the certificate you created earlier, and then click OK.
      5. Click Edit Purpose.
      6. In the Edit Purpose dialog, select JWT in the Purpose field, choose the JWT provider you created earlier in the Providers field, and then click Save.
  6. Set up the IdP.
    1. In the SAPCP cockpit, under Start of the navigation pathSecurity Next navigation step Trust ConfigurationEnd of the navigation path, set the default IdP as inactive.
      This ensures you won't be prompted during a data refresh.
    2. Under Custom, select the name of the Active trust configuration.
    3. Click Role Collection Assignment, and assign the SACToHAA role collection to the user ID for your SAML IdP.
  7. Map SAP HANA users to external SAML IdP users.
    This step depends on the states of the User-Provided Variables from the HAA service in step 3. If USE_NAMED_USER is true, then follow all the substeps below, down to and including “Click Object Privileges.
    1. In the SAP HANA Cockpit, select Manage users.
    2. Create a new user and give it the user ID you used in the previous step (“Click Role Collection Assignment).
    3. Scroll through the authentication area, and select the JWT check box.
    4. Click Add JWT Identity.
    5. Map the JWT Provider to match the External SAML IdP UserID attribute.
    6. Click Save.
    7. In the Authorization Mode area for the new user, click Assign Roles.
    8. Click Start of the navigation pathEdit Next navigation step AddEnd of the navigation path.
    9. Search for the access_role and the external_privileges_role defined in your HDI schema.
    10. Click Assign Privileges in the Authorization Mode area for the new user.
    11. Click Object Privileges, then Edit, and add two new objects: EXECUTE_MDS and _SYS_BI.
      Note
      If your HAA version is earlier than 1.5.2, add EXECUTE_MDS_DEV instead of EXECUTE_MDS.
  8. Create a connection to an SAP HANA Cloud system in SAP Analytics Cloud:
    1. Go to Start of the navigation path (Main Menu) Next navigation step  Connection Next navigation step Connections Next navigation step  (Add Connection)End of the navigation path.
    2. In the Select a data source dialog, expand Connect to Live Data, and select SAP HANA Cloud.
    3. In the dialog, enter a name and description for your connection.
      The connection name cannot be changed later.
    4. Set the connection type to Direct.
    5. Add your SAP HANA Cloud host name, and the port number 443.
      The host should be the haa application route. You can find this information in the SAPCP Cockpit on the Application: haa – Overview page.
    6. (Optional) Choose a Default Language from the list.

      This language will always be used for this connection and cannot be changed by users without administrator privileges.

      Note
      You must know which languages are installed on your SAP HANA system before adding a language code. If the language code you enter is invalid, SAP Analytics Cloud will default to the language specified by your system metadata.
    7. Under Authentication Method, select SAML Single Sign On.
    8. Select OK.
      Note
      After creating a connection, and before creating a model using that connection, you'll need to log off and log back on to SAP Analytics Cloud.
    Note
    (Beta) Select the Enable users to schedule for story publishing option if you want to let your users schedule the publishing of stories. For details on scheduling, see Schedule a Publication.