Technology Blog Posts by SAP
Saikat_Roy1
Product and Topic Expert

What is SAP Cloud Connector?

SAP Cloud Connector (SCC) is a lightweight, on-premise component that acts as a secure tunnel between SAP BTP (Business Technology Platform) and an organization’s on-premise systems. It enables controlled and secure access to internal backend services—such as SAP ERP, S/4HANA, BW, Gateway, RFC modules, or HTTP/S services—without exposing the entire network to the internet.
SCC works as a reverse invoke proxy, meaning that the connection is always initiated from the on-premise side toward SAP BTP. Due to this architecture, no inbound traffic or port opening is required in the company’s firewall, making the integration both secure and easy to maintain. With fine-grained control over resources, administrators can expose only specific APIs, paths, or RFC destinations to BTP applications.

Why SAP Cloud Connector is Important

As organizations adopt SAP BTP for application development, extensions, integrations, and automation, secure connectivity becomes essential. SCC ensures encrypted communication using TLS, provides high-availability options, and allows audit-level monitoring. It plays a key role in hybrid landscapes where on-premises systems coexist with cloud solutions.
Whether building CAP applications, integrating with SAP Build Apps, using SAP Integration Suite, or enabling BTP extensions for S/4HANA, the Cloud Connector acts as the central foundation for secure and reliable connectivity.

Prerequisites

Hardware

  • Memory: 1 GB RAM (min.), 4 GB recommended
  • Hard disk space: 1 GB (min.), recommended 20 GB
  • CPU: Single core 3 GHz (min.), dual core 2 GHz recommended, x86-64 architecture compatible

Software

  • 64-bit operating systems: Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2019, or Linux servers (SUSE)
  • Cloud Connector installation archive from SAP Development Tools for Eclipse.
  • Microsoft Visual Studio C++ 2010 runtime libraries.
  • Supported JDKs

How to Implement SAP Cloud Connector

Implementing SAP Cloud Connector is straightforward and does not require complex infrastructure changes. The tool can be installed on Windows or Linux servers, and SAP recommends placing it close to the backend system for optimal performance.

Implementing Cloud Connector can be divided into two approaches: Green Field and Brown Field.

Green Field Implementation Approach:

  a. Install SAP Cloud Connector
  • Download the installer from https://tools.hana.ondemand.com/#cloud (Figure 1).
  • Choose the OS-specific version (Windows MSI or Linux RPM).
  • Follow the basic installation steps; SCC runs as a local service.
  • After installation, access the UI using:
    https://localhost:8443
    Default admin user: Administrator (you will set the password on first login).

Saikat_Roy1_0-1764767161589.png

Figure 1:

Launching the Administration UI

Objectives

After completing this lesson, you will be able to:

  • Log on to the Cloud Connector
  • Exchange the UI certificates

Cloud Connector Logon

Initial Logon

The Cloud Connector is primarily configured and administered using a web interface. To access the Cloud Connector user interface, enter the following URL in a supported web browser:

https://<hostname>:<port>

  • <hostname> refers to the machine on which the Cloud Connector is installed. If installed on your machine, you can simply enter localhost.
  • <port> is the Cloud Connector port (the default port is 8443).

Saikat_Roy1_1-1764767161602.png

Figure: 2

On the logon screen, enter the following credentials:

  • Username: Administrator
  • Password: manage

When you first log in, you must change the password before you continue. The Cloud Connector does not check the strength of your new password. Select a strong password that can’t be guessed easily.

Saikat_Roy1_2-1764767161613.png

Figure: 3

On the right side of Figure 3 you can find the Installation Type (Master/Shadow). For a first-time implementation, use the option Master (Primary Installation); to configure the instance for high availability (HA), choose Shadow (Backup Installation).

Exchanging the UI Certificate

By default, the Cloud Connector uses a self-signed UI certificate. It’s used to encrypt the communication between the Administration UI in the browser and the Cloud Connector. For security reasons, you should replace this certificate with your own one to let the browser accept the certificate without security warnings.

The figure describes how to exchange the UI certificate.

Saikat_Roy1_3-1764767161617.png

Figure: 4

To exchange the UI certificate of a master instance, perform the following steps:

  1. Within the Administration UI, navigate to Configuration, and then to USER INTERFACE.
  2. In the UI Certificate section, start a procedure to request certificate signing by choosing the icon Generate a certificate signing request.
  3. In the Generate CSR window, specify a key size and a Common Name fitting to the Cloud Connector host name. In the Subject Alternative Names section, you can add other values by pressing the Add button. You can, for example, use the DNS option to specify a virtual hostname or a wildcard name (such as *.sap.com).
  4. Choose Generate.
  5. You’re prompted to save the certificate signing request (CSR) in a file. The content of the file is the signing request in PEM format.
  6. The certificate signing request must be provided to a Certificate Authority (CA) - either one within your company or another one you trust. The CA signs the request and the returned response should be stored in a file using the PEM format.
  7. Select Browse to locate that file and then choose the Import button.

Restart the Cloud Connector to activate the new certificate
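
A pre-import check for the CA response from steps 6 and 7, as an added example that is not part of the original article or of SAP's tooling: it uses openssl to confirm that the signed certificate carries the key from the CSR the Cloud Connector generated, is not self-signed, and covers the host name used in the browser. The file names and the host name are placeholders.

```bash
# Pre-import checks for the CA response (added example).
# File names and host names passed in are the caller's; none come from the article.

# Succeeds if the certificate carries the same public key as the CSR that the
# Cloud Connector generated; a response issued for another key is the wrong file.
cert_matches_csr() {   # usage: cert_matches_csr <cert.pem> <request.csr>
  local cert_key csr_key
  cert_key=$(openssl x509 -in "$1" -noout -pubkey) || return 2
  csr_key=$(openssl req -in "$2" -noout -pubkey) || return 2
  [ "$cert_key" = "$csr_key" ]
}

# Succeeds if issuer and subject are identical, in which case the browser
# would warn exactly as it does for the default UI certificate.
cert_is_self_signed() {   # usage: cert_is_self_signed <cert.pem>
  local subject issuer
  subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
  issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
  [ -n "$subject" ] && [ "$subject" = "$issuer" ]
}

# Succeeds if the host name is covered by the certificate (Subject Alternative
# Name, or Common Name when the certificate has no DNS SAN).
cert_covers_host() {   # usage: cert_covers_host <cert.pem> <hostname>
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# Runs all three checks and reports the first one that fails.
check_ui_cert() {   # usage: check_ui_cert <cert.pem> <request.csr> <hostname>
  cert_matches_csr "$1" "$2" || { echo "FAIL: key does not match the CSR"; return 1; }
  if cert_is_self_signed "$1"; then echo "FAIL: certificate is self-signed"; return 1; fi
  cert_covers_host "$1" "$3" || { echo "FAIL: $3 is not covered"; return 1; }
  echo "OK: $1 matches the CSR and covers $3"
}

# Example call (placeholder names):
#   check_ui_cert scc_ui_signed.pem scc_ui.csr scc.example.internal
```

Run the check with the exact host name administrators type into the browser, since a certificate that only covers a different name still produces a warning.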

  b. Connect SCC to SAP BTP Subaccount

Saikat_Roy1_4-1764767161620.png

Once SCC is up and running:

  • Log in to the UI.
  • Go to Cloud To On-Premise → Subaccount.
  • Enter your SAP BTP Subaccount ID, Region, and Authentication details.
  • Save and establish the connection.
    If successful, the Subaccount will show as Connected.

Saikat_Roy1_5-1764767161628.png

  c. Add On-Premise Backend Systems

Now expose on-prem services to BTP:

  • Navigate to Cloud To On-Premise → Add System.
  • Choose the system type (ABAP, HTTP, RFC, etc.).
  • Provide host, port, and protocol details of the backend system.
  • Map virtual host/port to internal host/port.
  • Select resources (paths, RFC functions, services) you want to expose.
  d. Assign Access Control

For each system:

  • Enable Access Control.
  • Specify the resources BTP apps are allowed to consume.
  • Set principal type (none, principal propagation, or basic auth).

  e. Verify the Connection from SAP BTP

Finally:

  • Go to your SAP BTP Cockpit → Connectivity → Cloud Connectors.
  • Verify status, system availability, and reachable endpoints.

Configuring Access Control

Objective

After completing this lesson, you will be able to expose an AS ABAP-based SAP system (HTTP).

Supported Protocols

To allow your cloud applications to access a certain on-premise system on the intranet, you must specify this system in the Cloud Connector. The procedure is specific to the protocol that you're using for communication. The following protocols are supported:

  • HTTP
  • RFC
  • LDAP
  • TCP

Configuring Access Control (HTTP)

The following sections cover the widely used HTTP protocol in more detail as an example. The figure shows the overall workflow to securely use the HTTP protocol.

Saikat_Roy1_6-1764767161637.png

Initial Configuration: Import or Generate a System Certificate

To set up a mutual authentication between the Cloud Connector and any back-end system it connects to, you can import an X.509 client certificate into the Cloud Connector. The Cloud Connector then uses the so-called system certificate for all HTTPS requests to back ends that request or require a client certificate. The CA that signed the Cloud Connector’s client certificate must be trusted by all back-end systems to which the Cloud Connector is supposed to connect.

There are three options on how to provide the system certificate:

  • Upload an existing X.509 certificate
  • Upload the signed UI certificate
  • Generate a self-signed system certificate (for example: for a demo scenario)

All options are offered in the Cloud Connector Administration UI at Configuration → ON PREMISE → System Certificate.

Saikat_Roy1_7-1764767161642.png

Initial Configuration: Maintain the Trust Store Using an Allowlist

By default, the Cloud Connector does not trust any on-premise system when connecting to it via HTTPS. To enable secured communication, you must add trusted certificate authorities (CAs) to the allowlist. Any server certificate that has been issued by one of those CAs will be considered trusted.

To maintain the trust store, in the Cloud Connector Administration UI navigate to Configuration → ON PREMISE → Trust Store.

Saikat_Roy1_8-1764767161650.png

Caution

If you do not want to specify explicit CAs you’re going to trust, but rather trust all back ends, you can switch off the handle. In this case, the allowlist is ignored. This option is considered less secure, since all back ends are trusted now.

Exposing an AS ABAP-Based On-Premise SAP System

To allow your cloud applications to access a certain back end system on the intranet via HTTP, you must specify this system in the Cloud Connector.

To do so, start the wizard offered in the Cloud Connector Administration UI at Cloud To On-Premise → ACCESS CONTROL.

To expose an AS ABAP-Based on-premise SAP system, provide the following:

  1. Back-end Type: ABAP System.
  2. Protocol: HTTP or HTTPS.
  3. Internal Host and Internal Port: the actual host and port under which the on-premise SAP system can be reached within your intranet.
  4. Virtual Host and Virtual Port: enter the host name exactly as specified in the <URL> property of the HTTP destination configuration in SAP BTP. The virtual host can be a fake name and does not need to exist. The Virtual Port allows you to distinguish between different entry points of your back end system, for example, HTTP/80 and HTTPS/443, and to have different sets of access control settings for them.
  5. Allow Principal Propagation: defines if any kind of principal propagation should be allowed over this mapping. If selected, also define what kind of Principal Type is sent to the on-premise SAP system within the HTTP request.
  6. System Certificate for Logon: select if the Cloud Connector's system certificate should be used for authentication at the back end.
  7. Host In Request Header lets you define which host is used in the host header that is sent to the target server. By choosing Use Internal Host, the actual host name is used. When choosing Use Virtual Host, the virtual host is used.
  8. Description: optional description text
  9. Check Internal Host: this allows you to make sure the Cloud Connector can indeed access the on-premise SAP system.

Brown Field Implementation Approach:

Back Up and Restore Your Cloud Connector Configuration

This method is very helpful for those who don't want to repeat all the steps described above. It is particularly effective in RISE migration projects. Many of you probably wonder: if the Cloud Connector doesn't store any data, how can it be backed up and restored?

The Cloud Connector holds all the configuration and customizations that bring it to its desired state, so you should take a backup of its configuration.

To back up or restore your Cloud Connector configuration:

Step 1:

  • Choose Connector in the Cloud Connector Administration UI main menu.
  • Use the buttons on the upper right to back up or restore the configuration.
  • Specify a password for the backup archive.

Saikat_Roy1_9-1764767161653.png

 

Saikat_Roy1_10-1764767161657.png

Set the password and click 'Backup'; this creates a zip file.

Step 2: Take a screenshot of the existing Proxy

Saikat_Roy1_11-1764767161660.png

Step 3: Take a backup of the OS level path:

/opt/sap/scc

Saikat_Roy1_12-1764767161664.png

Step 4: After completing the three steps above, transfer the backup zip file to the target and restore it there.

Saikat_Roy1_13-1764767161667.png

 

Saikat_Roy1_14-1764767161671.png

The restore dialog asks for the path of the zip file and for the password that was set when the zip file was created. It also asks for the console login password of the source Cloud Connector.

Step 5: The Cloud Connector restarts automatically and configures LDAP. Afterwards, log in to the Cloud Connector with the source console login password and set the proxy accordingly.
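
One way to take the OS-level copy from Step 3 and confirm it arrived unchanged on the target in Step 4, as an added example that is not part of the original article: the archive is created readable only by the invoking user and ships with a SHA-256 checksum file. The destination directory in the example call is an assumption.

```bash
# Archive the Cloud Connector directory before a migration and verify the
# copy on the target host (added example).

# Creates <dest_dir>/scc-<timestamp>.tar.gz plus a matching .sha256 file and
# prints the archive path. Pass absolute paths.
backup_scc_dir() {   # usage: backup_scc_dir <scc_dir> <dest_dir>
  local src=$1 dest=$2 archive
  [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
  archive="$dest/scc-$(date +%Y%m%d-%H%M%S).tar.gz"
  (
    umask 077   # the directory holds the connector's configuration
    mkdir -p "$dest" &&
    tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")" &&
    cd "$dest" &&
    sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256"
  ) || return 1
  echo "$archive"
}

# Run on the target after the transfer, with the .sha256 file next to the
# archive: succeeds only if the archive is byte-identical to the source copy.
verify_scc_backup() {   # usage: verify_scc_backup <archive.tar.gz>
  ( cd "$(dirname "$1")" &&
    sha256sum -c "$(basename "$1").sha256" >/dev/null 2>&1 )
}

# Example call (destination directory is a placeholder):
#   backup_scc_dir /opt/sap/scc /var/backups/scc
```

Transfer the archive and its `.sha256` file together, and run `verify_scc_backup` on the target before restoring anything from it.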

Monitoring Cloud Connector

Monitoring Tools

By monitoring key metrics, such as response times, resource utilization, and throughput, you can optimize your application's performance and troubleshoot problems. Alerts and thresholds for various metrics help you detect issues before they become critical problems. By continuously monitoring key components such as servers, databases, network connectivity, and application services, you can identify any failures or outages and take immediate steps to address them.

Monitoring the Cloud Connector is crucial for maintaining its performance, availability, security, and user experience. It allows you to proactively address issues, optimize resources, and ensure that your application meets the expectations of your users.

In this lesson, you will find the available monitoring tools and you will check the operational state of Cloud Connector. Also, you will learn how to work with hardware metrics, monitor cloud to on-premise connections and vice versa. Finally, you will do alerting and audit logging.

There are three primary tools for monitoring the Cloud Connector:

  1. OS Command Line: From the host where the Cloud Connector is running, you can verify the operational state.
  2. SAP BTP Cockpit:
    • The SAP BTP Cockpit contains a Connectivity section, where users can check the status of the Cloud Connector(s) attached to the current subaccount.
    • This section lists the Cloud Connector ID, version, used Java runtime, high availability setup, and the exposed back-end system(s).
  3. The Cloud Connector UI
    • The primary tool for monitoring the Cloud Connector is the Cloud Connector Administration UI. This is available in a web browser interface.

There are also Cloud Connector monitoring APIs if you wish to include performance information in your own monitoring tool.

Checking the Operational State

The first thing to monitor is whether the Cloud Connector is actually running. You can do it in three ways:

  1. From the OS Command Line

In Windows, the Cloud Connector is registered as a Windows service. It’s configured to start after installation, and restart upon host reboot. To check the state of the Cloud Connector, run the command:

sc query "SAP Cloud Connector"

The output would be:

Saikat_Roy1_15-1764767161675.png

In Linux, the Cloud Connector is set up as a daemon process. It’s configured to start after installation, and restart automatically upon host reboot. To check the state of the Cloud Connector, run one of the following commands (depending on your Linux distribution):

  • service scc_daemon status
  • systemctl status scc_daemon

The output would be:

Saikat_Roy1_16-1764767161689.png

  2. From the SAP BTP Cockpit

In the Connectivity Section, choose Cloud Connectors. If the Cloud Connector is running, its information is displayed:

Saikat_Roy1_17-1764767161691.png

If the Cloud Connector isn’t running, the SAP BTP Cockpit displays the message:

Saikat_Roy1_18-1764767161695.png

  3. From the Cloud Connector Administration UI

If the Cloud Connector isn't running, the Cloud Connector Administration UI isn’t accessible and can't be started.

Hardware Metrics

The second aspect to monitor is hardware. To check the current state of critical system resources, use the Cloud Connector Administration UI. Select Hardware Metrics Monitor from the main menu.

Saikat_Roy1_19-1764767161700.png

The monitor displays key hardware resource usage. The monitor also displays history graphs for various metrics.

CPU Usage:

Saikat_Roy1_20-1764767161706.png

Physical Memory Usage:

Saikat_Roy1_21-1764767161711.png

Java Heap Usage:

Saikat_Roy1_22-1764767161714.png

Disk Usage:

Saikat_Roy1_23-1764767161718.png
