Live Data Connection to SAP HANA Cloud Using a Direct Connection and SSO

To access SAP HANA Cloud on an SAP Business Technology Platform (BTP) system that is running a Cloud Foundry (CF) environment, you can create a live data connection using the SAP HANA Analytics Adapter for Cloud Foundry.

Who does this apply to?
  • Users with any of these permissions for Connections: Create, Read, Update, Delete, and Maintain.
  • Users with Execute permission for Other Data Sources.
  • Users with any of these standard application roles: Admin, Application Creator, BI Content Creator, BI Admin, and Planner Reporter.
  • Setting up a live connection requires working with the SAP Analytics Cloud system owner and different IT and application stakeholders within your organization. Most configuration steps are done on your SAP HANA server before creating the connection in your SAP Analytics Cloud tenant.

Prerequisites

Note
We highly recommend that you use the SAP HANA Cloud connection type (see details here) for Cloud Foundry environments. However, this direct connection type is still available for both Neo and Cloud Foundry environments.
Note
The following SAP Analytics Cloud features are not supported with this connection type at this time:
  • Enriched time dimensions
  • Timestamp dimensions
  • Dynamic image widgets
  • Smart Insights
  • Smart Assist/Changes Over Time in Smart Insights
  • Smart Predict
  • Story scheduling
  • Android/iOS Mobile App:
    • Cloud Connector-based single sign-on
    • Basic Authentication connections
    • Geo maps
  • OEM scenarios through “Extended Live Connections”

Install and configure tools

Procedure

  1. Download and install the Cloud Foundry CLI.
  2. Download and install the Cloud Foundry CLI MTA.
    Install the plugin using the command:
    cf install-plugin mta-plugin-windows.exe -f
  3. Download and install Oracle JDK 8 or SAP JDK 8.
    To verify that the JDK is ready, check the version of the JDK you have installed. For example:
    javac -version
  4. Download and install Apache Maven.
    To verify that Maven is ready, check the version of Maven you have installed. For example:
    mvn --version
  5. Download and install Node.js.
    To verify that Node is ready, check the version of Node you have installed. For example:
    node --version
    Also verify that npm (Node Package Manager) is installed with Node. For example:
    npm --version
  6. Set the npm registry for @sap-scoped modules with the command:
    npm config set @sap:registry https://registry.npmjs.org

Deploy the analytics adapter for SAP HANA

Procedure

  1. Create a local folder. For example: c:\haa.
    This directory is referred to as <HAA_ROOT> in the following steps.
  2. Download or clone the analytics adapter (HAA) project from SAP GitHub.
  3. Unzip the file in the <HAA_ROOT>.

Prepare the Multi-Target Application (MTA)

Context

See this video (published on a non-SAP site) for details.

Procedure

  1. Download the Cloud MTA Build Tool (MBT) from https://sap.github.io/cloud-mta-build-tool/ (published on a non-SAP site).
  2. Create a new folder under <HAA_ROOT>/haa-java and name it target.
  3. Download the latest version of the Analytics adapter for SAP HANA extended application services, advanced model from https://tools.hana.ondemand.com/#hanatools.
    The file to download is named: xsahaa-release-<version>-release.zip.
  4. Extract the zip file into a temporary folder.
  5. Copy the java-xsahaa.war file into the project folder <HAA_ROOT>/haa-java/target.
  6. Edit the YAML file in the folder <HAA_ROOT> using the following example (copy & paste the text below):
    _schema-version: "2.0.0"
    ID: com.sap.xsahaa
    version: "1.0"
    
    modules:
      - name: xsahaa-entry
        type: javascript.nodejs
        path: approuter/
        requires:
          - name: xsahaa-java
            group: destinations
            properties:
              name: xsahaa-java
              url: ~{url}
              forwardAuthToken: true
              timeout: 600000
          - name: xsahaa-uaa
        properties:
          CORS: >
            [
              {
                "uriPattern": "^/sap/bc/ina/(.*)$",
                "allowedOrigin": [{"host" : "", "protocol" : "", "port" : ""}],
                "allowedMethods": ["GET", "POST", "HEAD", "OPTIONS", "PUT", "DELETE"],
                "allowedHeaders": ["Origin", "Accept", "X-Requested-With", "Content-Type", "Access-Control-Request-Method", "Access-Control-Request-Headers", "Authorization", "X-Sap-Cid", "X-Csrf-Token"],
                "exposeHeaders": ["Accept", "Authorization", "X-Requested-With", "X-Sap-Cid", "Access-Control-Allow-Origin", "Access-Control-Allow-Credentials", "X-Csrf-Token", "Content-Type"]
              }
            ]
          INCOMING_CONNECTION_TIMEOUT: 600000
    
      - name: xsahaa-java
        type: java.tomee
        path: java-xsahaa.war
        provides:
          - name: xsahaa-java
            properties:
              url: "${default-url}"
        properties:
          TARGET_RUNTIME: tomee7
          JBP_CONFIG_RESOURCE_CONFIGURATION: "['tomee7/webapps/ROOT/WEB-INF/resources.xml': {'xsahaa-hdi-container':'xsahaa-container'}]"
          USE_NAMED_USER: true
          SECONDARY_ROUTING_PERCENT: 0
        requires:
          - name: xsahaa-container
          - name: xsahaa-uaa
    
    resources:
      - name: xsahaa-container
        type: com.sap.xs.hdi-container
    
      - name: xsahaa-uaa
        type: com.sap.xs.uaa
        parameters:
          config-path: xs-security.json
    Note
    • Replace <customer_hdi> with your own HDI name; for example, sales-hdi.
    • Replace <orca-tenant-host> with the CF SAP Analytics Cloud tenant URL.

      Example: customer.us10.sapanalytics.cloud

    • In the TENANT_HOST_PATTERN line, replace <space> with the CF space name (where the HANA instance is located) in lowercase characters.
    • If the Organization name and the Subdomain name are different, then the TENANT_HOST_PATTERN should follow the format: <org name>-<space>.
    • Replace spaces and underscores in the organization name with hyphens, and use lowercase characters. For example, if the organization name is “AAA_bbbb/123 456”, then change it to “aaa-bbbb-123-456”.
  7. Edit the xs-security.json file in the folder <HAA_ROOT>, and replace “SalesApp” with “HAAApp”.
  8. Edit the xs-app.json file in the folder <HAA_ROOT>/haa-entry and replace this code block:
    "source": "^/(.*)",
    "localDir": "resources",
    "authenticationType": "xsuaa",
    "scope": "$XSAPPNAME.USER"

    with this one:

    "source": "^/(.*)",
    "localDir": "resources",
    "authenticationType": "none"

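Added example (not part of the SAP procedure or the HAA project): a Node.js check to run before the build. It flags a CORS allowedOrigin entry that is still blank, as in the template in step 6, and applies the organization-name rule from the notes. The function names, the expectedHost parameter and the policy enforced (explicit host equal to your SAP Analytics Cloud tenant host, https, no wildcard) are assumptions of this example.

```javascript
// Added example. The policy enforced here (explicit host, https, no wildcard)
// is an assumption of this example; the sample CORS strings are constructed.

// Return the problems found in the approuter CORS value (a JSON string).
function lintCors(corsJson, expectedHost) {
  let rules;
  try {
    rules = JSON.parse(corsJson);
  } catch (e) {
    return [`CORS value is not valid JSON: ${e.message}`];
  }
  if (!Array.isArray(rules)) return ["CORS value must be a JSON array"];
  const problems = [];
  rules.forEach((rule, i) => {
    const origins = Array.isArray(rule.allowedOrigin) ? rule.allowedOrigin : [];
    if (origins.length === 0) problems.push(`rule ${i}: no allowedOrigin entries`);
    for (const o of origins) {
      const host = String(o.host ?? "").trim().toLowerCase();
      if (host === "") problems.push(`rule ${i}: allowedOrigin host is empty`);
      else if (host.includes("*")) problems.push(`rule ${i}: wildcard host ${host}`);
      else if (host !== expectedHost.toLowerCase())
        problems.push(`rule ${i}: host ${host} is not ${expectedHost}`);
      if (o.protocol !== "https") problems.push(`rule ${i}: protocol is not https`);
    }
  });
  return problems;
}

// Organization-name rule from the notes: lowercase, with spaces, underscores
// and (as in the page's own example) slashes replaced by hyphens.
function normalizeOrgName(orgName) {
  return orgName.toLowerCase().replace(/[ _\/]/g, "-");
}

// Constructed inputs: the template as copied, and one filled-in variant.
const SAC_HOST = "customer.us10.sapanalytics.cloud"; // example host from the notes
const asCopied = JSON.stringify([{ uriPattern: "^/sap/bc/ina/(.*)$",
  allowedOrigin: [{ host: "", protocol: "", port: "" }] }]);
const filledIn = JSON.stringify([{ uriPattern: "^/sap/bc/ina/(.*)$",
  allowedOrigin: [{ host: SAC_HOST, protocol: "https", port: "443" }] }]);

console.log(lintCors(asCopied, SAC_HOST));
console.log(lintCors(filledIn, SAC_HOST));
console.log(normalizeOrgName("AAA_bbbb/123 456"));
```
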
Build and deploy the analytics adapter

Procedure

  1. Start a command prompt window.
  2. Build the mta file with the command:
    mbt build -p=cf

    This command will generate a new file named <HAA_ROOT>.mtar.

  3. In the SAP BTP Cockpit, in your subaccount overview, find the CF API endpoint.
  4. In the command prompt, set the CLI variable using the command:
    cf api <api-endpoint>
  5. Log on to CF using the command:
    cf login
  6. Deploy the mta to CF with the command:
    cf deploy <HAA_ROOT>.mtar

    After deployment, two new services and three new applications should appear in the SAP BTP Cockpit.

  7. To authenticate with a named user, set USE_NAMED_USER=true.

Grant permissions and set up roles

Procedure

  1. In the BTP Cockpit, go to the subaccount and click Role Collections.
  2. Create a new role collection with the name SACToHAA.
  3. Select SACToHAA, click Add Role, and select SalesApp_User from the list.

Set up trust between XSUAA and the SAP HANA database container

Procedure

  1. Add a JSON Web Token (JWT) identity provider:
    1. In the BTP Cockpit, click Add Identity Provider.
    2. Open a new browser tab, and enter the URL: UAA_URL/sap/trust/jwt. You will see response content.
    3. In the Add Identity Provider dialog, enter the following information:
      1. Identity Provider Name: Enter a name for your IdP; for example, JWTPROVIDER_1.
      2. Issuer URL: Copy the URL from the “Issuer” property in the response content.
      3. JWT Identity Claim: Enter user_name.
    4. Click Add.
  2. Create a certificate:
    1. In the BTP Cockpit, get the UAA_URL value from the deployed application.

    2. Create the certificate based on information from the JWT trust endpoint.

      The basic format of the URL is: UAA_URL/sap/trust/jwt

      Example: https://hcsacorca1.authentication.sap.hana.ondemand.com/sap/trust/jwt

      The following steps need information obtained from this endpoint.

      1. Import a trusted certificate.
      2. Select “Paste content”.
      3. Open a new browser tab, and enter the URL: UAA_URL/sap/trust/jwt. You will see response content similar to the above screenshot.
      4. Copy the content starting from -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----, and paste it into the “Paste content” input field.
      5. Click “OK” to complete the certificate creation.
  3. Create a certificate collection.

    If the certificate collection already exists and you want to edit it, you'll need to restart your SAP HANA instance afterward.

    1. In the Database Overview, click Certificate Collections > Add Collection to create a certificate collection.
    2. Type a name for your certificate collection, and click OK.
    3. Select Add Certificate to open the Select Certificate dialog.
    4. Select the certificate you created earlier, and then click OK.
    5. Click Edit Purpose.
    6. In the Edit Purpose dialog, select JWT in the Purpose field, choose the JWT provider you created earlier in the Providers field, and then click Save.

Set up the IdP

Procedure

  1. In the SAP BTP Cockpit, under Security > Trust Configuration, set the default IdP as inactive.
    This ensures you won't be prompted during a data refresh.
  2. Under Custom, select the name of the Active trust configuration.
  3. Click Role Collection Assignment, and assign the SACToHAA role collection to the user ID for your SAML IdP.

Map SAP HANA users to external SAML IdP users

Context

This step depends on the state of the User-Provided Variables from the HAA service in the preceding section, Build and deploy the analytics adapter. If USE_NAMED_USER is true, then follow all the substeps below, down to and including “Click Object Privileges”.

Procedure

  1. In the SAP HANA Cockpit, select Manage users.
  2. Create a new user and give it the user ID you used in the preceding section, Set up the IdP (“Click Role Collection Assignment”).
  3. Scroll through the authentication area, and select the JWT check box.
  4. Click Add JWT Identity.
  5. Map the JWT Provider to match the External SAML IdP UserID attribute.
  6. Click Save.
  7. In the Authorization Mode area for the new user, click Assign Roles.
  8. Click Edit > Add.
  9. Search for the access_role and the external_privileges_role defined in your HDI schema.
  10. Click Assign Privileges in the Authorization Mode area for the new user.
  11. Click Object Privileges, then Edit, and add two new objects: EXECUTE_MDS and _SYS_BI.
    Note
    If your HAA version is earlier than 1.5.2, add EXECUTE_MDS_DEV instead of EXECUTE_MDS.

Create a connection to an SAP HANA Cloud system in SAP Analytics Cloud

Procedure

  1. From the side navigation, choose Connections > (Add Connection).
    The Select a data source dialog will appear.
  2. Expand Connect to Live Data, and select SAP HANA Cloud.
  3. In the dialog, enter a name and description for your connection.
    The connection name cannot be changed later.
  4. Set the connection type to Direct.
  5. Add your SAP HANA host name, and 443 as the port.
    The host should be the haa application route. You can find this information in the SAP BTP Cockpit on the Application: haa – Overview page.
  6. (Optional) Choose a Default Language from the list.
    This language will always be used for this connection and cannot be changed by users without administrator privileges.
    Note
    You must know which languages are installed on your SAP HANA system before adding a language code. If the language code you enter is invalid, SAP Analytics Cloud will default to the language specified by your system metadata.
  7. Under Authentication Method, select SAML Single Sign On.
  8. Select OK.
    Note
    After creating a connection to a remote system and before creating a model from a remote system, you must log off and log on to SAP Analytics Cloud again.
    Note
    You can schedule a story based on SAP HANA Cloud when the connection type is SAP HANA Cloud. If you’re using a Direct connection and still see the option to enable scheduling under the Advanced settings, you can't schedule a publication.