Enterprise Resource Planning Blogs by SAP
EunSeok_Bang
Product and Topic Expert

In this blog, I will explore the connectivity options to expose SAP Business One Service Layer to SAP Business Technology Platform (BTP) and provide a step-by-step guide to install and configure the SAP Cloud Connector for SAP Business One. 

 

Exploring Connectivity options to expose SAP Business One Service Layer to SAP BTP 

When deploying SAP Business One, the Web Client and related web services such as the Service Layer, it is critical to expose them securely to the services that call them. An insecure deployment, such as one that uses self-signed certificates or is exposed directly to the public network, can increase vulnerability to attacks and data breaches.

Options for Exposing the Service Layer to SAP BTP 

There are two options to expose the Service Layer to SAP BTP in production.

  • Option 1: Expose the Service Layer over the internet using a reverse proxy 
  • Option 2: Expose the Service Layer through the SAP Cloud Connector 

Option 1: Expose the Service Layer over the internet using a reverse proxy 

When the Service Layer needs to be exposed to SAP BTP as well as third-party cloud services, using a reverse proxy is recommended. This setup enables SAP BTP to access the Service Layer API securely through the SAP BTP Destination service. Detailed instructions for configuring a reverse proxy for SAP Business One using NGINX or AWS Network Load Balancer can be found in the blog: Best Practices for Technical Implementation of SAP Business One Web Client


Option 2: Expose the Service Layer through the SAP Cloud Connector 

When the Service Layer needs to be securely exposed to SAP BTP without being accessible over the public internet, the SAP Cloud Connector offers an ideal solution. As part of the SAP Connectivity service within SAP BTP, the Cloud Connector establishes an encrypted tunnel between SAP BTP and on-premise systems, such as SAP Business One, using a reverse invoke mechanism. This allows the Cloud Connector to be installed within the internal network, ensuring that only SAP BTP applications can access the on-premise services securely via defined destinations, while blocking access from other external services. 


 

Installing the Cloud Connector 

Prerequisites and sizing 

To successfully install the Cloud Connector, ensure you meet the hardware and software requirements as outlined in the prerequisites in the SAP Help documentation.   

For successful operation, properly size the hardware according to the sizing recommendations in the SAP Help documentation. 

Installing the Cloud Connector 

The Cloud Connector is available for Windows, Linux and macOS, with both installer and portable versions. I will use the installer version on Windows in this blog. Download the MSI installer from the SAP Development Tools for Eclipse page, under the Cloud Connector section, and start the installation by executing the downloaded file.


The installer guides you through the installation. During the installation, you can choose the port (default 8443) on which the administration UI is reachable. If another application, such as the Integration Framework for SAP Business One, is already using port 8443, choose a different port.  


After installation, the Cloud Connector is registered as a Windows service that is configured to be started automatically after a system reboot. You can start and stop the service via shortcuts on the desktop ("Start Cloud Connector" and "Stop Cloud Connector"), or by using the Windows Services manager. 


 

Configuring the Cloud Connector 

Initial Setup 

Access the Cloud Connector administration UI at https://localhost:<port>, where the default port is 8443. 

On the login screen, enter the following initial credentials:   

  • User Name: Administrator 
  • Password: manage 


After login, you must change the initial password and choose the installation type. Choose Master.


Note that you can operate the Cloud Connector in high availability mode using master and shadow instances. For configuration details, refer to the High Availability Setup in the SAP Help documentation. 

Set up connection parameters 

The Cloud Connector establishes a connection to SAP BTP at the subaccount level. Therefore you need to add a subaccount in the Cloud Connector and provide details about the SAP BTP subaccount.  

Choose Add Subaccount. This opens a wizard dialog in which the Cloud Connector collects the following optional and required information:

1. (Optional) Enter an HTTPS proxy: This is only necessary if the customer’s network requires a proxy. 


2. Choose between a manual configuration and a file-based configuration.


2-1. When you select the manual configuration, provide the following details from the SAP BTP subaccount: 

  • Region: Region in the SAP BTP subaccount
  • Subaccount: Subaccount ID in the SAP BTP subaccount
  • Subaccount User and Password: Login e-mail and password from SAP ID Service (default) or custom identity provider


2-2. When you select the File-based configuration, you can download an authentication data file from your SAP BTP subaccount and import it in the next step. This is to simplify and accelerate subaccount configuration in the Cloud Connector. 


As soon as the connection parameters setup is complete, the tunnel to the SAP BTP subaccount endpoint is open, but no requests are allowed to pass until the Access Control setup has been configured. 


Configure Access Control

To allow SAP BTP applications to access an SAP Business One Service Layer on the intranet, specify the Service Layer information in the Cloud Connector.

Navigate to Cloud To On-Premise in the left menu, and choose + (Add) on the Access Control tab. The wizard for adding a system mapping opens and asks for the required values.

  • Back-end Type: Other SAP System
  • Protocol: HTTP or HTTPS
  • Internal Host: <Hostname of the SAP Business One Service Layer>
  • Internal Port: <Port of the SAP Business One Service Layer> e.g., 50000
  • Virtual Host and Virtual Port: <Host name and port to be specified in the URL property of the HTTP destination configuration in SAP BTP>
  • Allow Principal Propagation: Check if you want to implement the principal propagation feature in SAP Business One
  • Principal Type: X.509 Certificate
  • System Certificate for Logon: Uncheck
  • Host In Request Header: Use Internal Host


Choose the line corresponding to that backend system and choose + (Add) in section Resources Of... below. A dialog appears prompting you to enter the specific URL path that you want to allow to be invoked. 

  • URL Path: /
  • Access Policy: Path And All Sub-Paths


Note: 

When using principal propagation, you should choose the HTTPS protocol.

  • The upcoming SAP Business One Developer learning journey will cover principal propagation for SAP Business One in detail. Stay tuned.

If you choose the HTTPS protocol and the Service Layer doesn't use a certificate from a trusted certificate authority, you need to import the Service Layer's certificate into the Cloud Connector.

  • Open the Service Layer in the web browser and open the certificate viewer. Export the certificate in the default format.
  • Return to the Cloud Connector administration UI, navigate to Configuration → ON PREMISE tab → Allowlist, and click the + button to upload the certificate to the allowlist. After the upload, the certificate should appear in the allowlist.

Once all the configurations are done, you should see “Reachable” for Check Result when you click the check icon for the system mapping.


Return to the SAP BTP subaccount and navigate to Connectivity → Cloud Connectors. You can see the details of the Cloud Connector configuration.


 

Configure the destination 

Now you can set up the SAP BTP destination using the virtual host and virtual port.

Navigate to Connectivity → Destinations and create a new destination. Note that I used the virtual host and port in the URL field and selected OnPremise for the Proxy Type.
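
The access control mapping and the destination have to agree with each other, so the following consistency check is included as an added example; it is not part of the original post and not SAP code. The host names, ports, destination name and the key=value layout of the destination are assumptions, and the last check is a least-privilege observation about the `/` resource that is added here.

```python
from urllib.parse import urlsplit

# Constructed sample values: host names, ports and the destination name are assumptions.
MAPPING = {
    "protocol": "HTTP",                      # Cloud Connector -> Service Layer
    "virtual": ("b1-servicelayer", 50000),   # Virtual Host and Virtual Port
    "principal_propagation": True,           # Allow Principal Propagation checked
    "resources": [("/", "Path And All Sub-Paths")],
}
DESTINATION = """\
Name=B1_SERVICE_LAYER
Type=HTTP
URL=http://b1server.corp.local:50000
ProxyType=Internet
"""

def parse_properties(text):
    """Parse key=value lines, ignoring blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def review(mapping, destination_text):
    """Return (code, message) findings for a mapping/destination pair."""
    dest = parse_properties(destination_text)
    findings = []
    # The destination only uses the tunnel when its proxy type is OnPremise.
    if dest.get("ProxyType") != "OnPremise":
        findings.append(("PROXY_TYPE", "destination bypasses the Cloud Connector"))
    # The URL must name the virtual host and port, never the internal ones.
    url = urlsplit(dest.get("URL", ""))
    if (url.hostname, url.port) != mapping["virtual"]:
        findings.append(("VIRTUAL_HOST", "URL must use the virtual host and port"))
    # The post's note: principal propagation should use HTTPS to the backend.
    if mapping["principal_propagation"] and mapping["protocol"].upper() != "HTTPS":
        findings.append(("PP_NEEDS_HTTPS", "principal propagation over HTTP"))
    # Added observation: "/" with all sub-paths exposes every path on the host.
    for path, policy in mapping["resources"]:
        if path == "/" and policy == "Path And All Sub-Paths":
            findings.append(("WHOLE_HOST", "all paths on the internal host are allowed"))
    return findings

if __name__ == "__main__":
    for code, message in review(MAPPING, DESTINATION):
        print(f"{code}: {message}")
```
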


 

Summary 

In this blog post, you learned about two options for exposing the Service Layer to SAP BTP in a secure way and how to install and configure the SAP Cloud Connector for on-premise SAP Business One in the intranet. This setup establishes a secure tunnel to your SAP BTP subaccount, enabling the creation of a destination for the on-premise SAP Business One Service Layer in the SAP BTP subaccount. 

Please note: If you deploy the Service Layer in an insecure way (not using any of the recommended options above), such as using self-signed certificates or exposing servers directly to the public network, the system is more vulnerable to attacks and data breaches.