SAP HANA Cloud Platform - Development Landscape Planning
TRANSCRIPT
Internal
SAP HANA Cloud Platform
Development Landscape Planning and Setup
Riley B Rainey, HCP Global Incubation Team, SAP Mentor
January 2017
Public
Q1 2017 - SAP HANA CLOUD PLATFORM PARTNER ENABLEMENT SERIES
▸ SAP S/4 HANA Extensions Pre-recorded
▸ Introduction including Provisioning and Operations January 19th
▸ User Experience as a Service January 26th
▸ Development Landscape Planning and Setup February 2nd
▸ Security Overview February 9th
▸ Portal & Collaboration February 16th
▸ Virtual Machines in HCP February 23rd
▸ Agile Data Marts March 2nd
▸ SAP SuccessFactors and SAP HANA Cloud Platform March 9th
▸ SAP hybris and SAP HANA Cloud Platform March 16th
▸ SAP HANA Cloud Platform IOT Services March 30th
TODAY’S TALK
▸ Applicability
▸ Before the Purchase: What to Consider
▸ Setting Up a HCP Hybrid Cloud Landscape
▸ Configuring HCP Account Structure
▸ Continuous Integration / CD supporting HCP
Applicability
This presentation outlines the setup and configuration process for typical Hybrid Cloud and new development use cases.
SAP SaaS Cloud Extension use cases (e.g., SuccessFactors, Ariba) will be covered separately.
Landscape Planning and Setup - Overview
[Flowchart. Steps shown: Start; Plan Development Lifecycle (Dev, QA, …); Explore Application Resource Rqmts; Plan Identity Integration; Prepare and Review BOM; Create Basic Architecture Diagram; Receive HCP Welcome; decision "Cloud Connector Needed?" (Yes / No); Install each required SCC instance, configure admin login; Create and Configure Global / sub-Accounts; End]
Before you Buy
Planning
Example HCP Landscape (one account shown)
[Diagram. Labels: Users; Mobile Apps; Hybrid Container Clients; Native Clients; Browser; Identity Provider (third party or SCI); HCP Account; Java, HANA XS Apps & Services; Mobile Services / Fiori Mobile / API Mgmt; Cloud Portal / FCE; Integration Services; Jam; DBaaS; GWaaS; HCP Destination; SCC VPN; On Premises; SAP Cloud Connector; Virtual Host Table; SAP / other Services]
Outline
Plan development lifecycle — how many tiers?
Application Resource Requirements
• Which services
Plan Identity Propagation
• What does the application need (B2E? B2C?) — What are the data sources? What are the authentication method(s) for these data sources? Technical user OK for some?
• Do the requirements indicate using HCP Authentication Service?
• Multiple applications? Consider adding further sub-accounts
Construct a BOM
Plan Development Flow
How many tiers does your development team anticipate needing?
Dev, QA, Prod?
HCP provides Accounts to construct insulated environments
• Your choice here doesn’t have to exactly match your on-premise development, but having it match isn’t a bad starting point.
• This choice will determine the number of HCP sub-accounts needed.
[Diagram: Cloud Landscape (DEV, QA, PROD) shown alongside On-premise Landscape (DEV, QA, PROD)]
Application Infrastructure Requirements: Fiori Cloud Edition, professional shown (one account shown)
[Diagram. Labels: Users; Mobile Apps; Hybrid Container Clients; Native Clients; Browser; Identity Provider (third party or SCI); HCP Account; Fiori Mobile; Cloud Portal / FCE; Integration Services; GWaaS; SCC VPN; On Premises; SAP Cloud Connector; Virtual Host Table; SAP / other Services]
What about resource sizing?
[Diagram. Labels: Users; Mobile Apps; Hybrid Container Clients; Native Clients; Browser; Identity Provider (third party or SCI); HCP Account; Java, HANA XS Apps & Services; Mobile Services / Fiori Mobile / API Mgmt; Cloud Portal / FCE; Integration Services; Jam; DBaaS; GWaaS; HCP Destination; SCC VPN; On Premises; SAP Cloud Connector; Virtual Host Table; SAP / other Services]
Many HCP Resources employ T-shirt Sizing
HANA DBaaS
Size      Cores   Disk      out-bandwidth
32 GB     8       320 GB    512 GB/mo.
64 GB     12      640 GB    512 GB/mo.
128 GB    24      12 TB     512 GB/mo.
256 GB    32      2.5 TB    512 GB/mo.
512 GB    40      5.2 TB    1 TB/mo.
1 TB      80      10 TB     1 TB/mo.

Java Compute Units
Size      Cores   RAM       out-bandwidth
small     2       4 GB      512 GB/mo.
medium    4       8 GB      512 GB/mo.
large     8       16 GB     512 GB/mo.

HCP Virtual Machines
Size      Cores   Disk      RAM
x-small   1       20 GB     2 GB
small     2       40 GB     4 GB
medium    4       80 GB     8 GB
large     8       160 GB    16 GB
x-large   16      320 GB    32 GB

For illustration purposes only; information may not be current
Planning Resource Requirements - Sizing
• It is difficult to know ahead of time the optimal production resource sizes for a new application
• This is a challenge for any new application; not specific to HCP
• Make your best estimates; test early; plan to upgrade if needed
• It is possible to share HANA and ASE databases across Accounts (link)
Planning Resource Requirements – SAP Cloud Connectors
An SAP Cloud Connector provides a Secure Tunnel from your landscape to one or more HCP Accounts
Supports master / shadow configurations for redundancy
SCC can either be configured with a fixed Admin user / password, or may connect to an LDAP server to authenticate admin users
Firewall rules must allow for outbound tunnel connections and TCP connections to each back-end service
• Typically installed in your “web zone”
• Your governance may require separating Production from non-Production SCC instances; SCC supports both multiple VPN Tunnels and single tunnels; your choice
• Consult presentation References for more information
Identity Propagation – User Authentication at the Edge
Who are the users of the application?
Is there an existing user database that can be used for authentication?
Is there more than one user base requiring concurrent login? (i.e., Federated login)
What services are being used in the application? What authentication method(s) are supported for each service?
• Industry standard SSO infrastructure is supported by most HCP components: SAML, SCIM, x.509 certificates
• SAP Cloud Identity isn’t always required (e.g., SAML IdPs can be connected directly to HCP Account)
• Multiple user bases in one application? Consider using SAML Federation
• Identity setup is local to each HCP Account - Multiple applications with different user bases? Consider further subdividing with more subaccounts.
Planning Identity Propagation – Identity Propagation
What authentication techniques are supported by your back-end services?
• AppToApp SSO often easiest for services completely within HCP, but this will require SAML authentication at the edge service
• SAP Cloud Connector supports Principal Propagation – mapping cloud user identity to either x.509 user certificates or Kerberos Tickets
• Full Identity Propagation isn’t always a requirement -- Many back-end services will only require a shared Technical User – easily supported by HCP
• Mobile Services can generate SAP SSO tickets for on-premise access
• See links at the end of this presentation for more information
Document the Architecture
Diagram it.
Consider maintaining two types of diagrams
• Per-Account (one for each)
• Overall Landscape
• Plan to add more detail as the implementation progresses
• Track changes
Map to Bill of Materials
Instance-based components will require one for each account
Examples
• HANA DB, ASE (consider smaller sized instances for non-Production use, see this link for info about sharing DBs)
• Integration Services, DI Ed. or PI Ed.
User-based components – usage tallied across all accounts
Examples
• Fiori Cloud Edition
• Mobile Services for development & ops
Do your Identity Integration requirements point to SAP Cloud Identity Service?
• New user base (B2C, some B2B, complex B2E)
• OAuth
• Social Identity Integration (Facebook, Twitter, …)
After the Order
Gearing up
Outline
Install SAP Cloud Connector(s)
The HCP Welcome E-mail
Create sub-Account(s)
Configure Global and sub Accounts
Install SAP Cloud Connector(s) – If required
Choose appropriate network zone for installation
Provision Hardware
Install OS and other prerequisites
Install Cloud Connector software; verify login (do not change password yet)
Done with SCC, for now
• “Web Zone” often the logical choice for installation location
• Your governance may mandate separate instances for PROD and non-PROD landscapes
The HCP Welcome E-mail
Delivered once the Global Account is provisioned.
Contains login URLs and initial credentials.
You will also receive an Onboarding Kit document containing useful tips and setup information.
Create Sub-accounts
Your landscape is created with a single “Global Account”
All instance-based resources will be “parked” there
Visit the “Overview” panel of your Global Account; create new subAccounts there.
• Enabling Beta Features gives you access to new services and service features – consider adding further subAccounts to test these
Configure each Account (Global and sub Accounts)
[Flowchart. Steps shown: Start; Connect SCC Instance to Account; Configure SCC Virtual Hosts; Enable Service(s) as needed; Implement Trust / Identity Integration; decision "Using SAML for Group mapping?" (Yes / No); Configure Group Mappings in IdP Trust panel; Configure Group Mappings on a per user basis; Create HCP Groups as needed; Assign Java Compute Units; Assign DBs and other instance based resources; End]
Repeat for Global Account and each sub Account
Implement Trust / Identity Integration
SAML
• Configure Account SP settings (Security > Trust > Local Service Provider)
• Export SP Metadata; send to your IdP team
• Decide on proper SAML NameID to request from IdP, request standard attributes (e.g., email, firstname, lastname); request groups if applicable
• Receive Federation/IdP metadata
• Import metadata, configure attributes (Groups below)
• SAML allows you to federate (combine) user bases
• If you are planning to use HCP XS or Java services, read SCN articles (links needed)
SCIM
• Many modern identity systems support SCIM as an option
• Cloud Connector can be a SCIM service for your AD user base
• SCIM can be used for authentication with either a SAP Cloud Identity instance (globally across the Account) or within HCP Mobile Services (direct per-mobile-app authentication)
• In many cases SCIM can allow for easier Cloud to Cloud identity propagation, esp. for Mobile Services
Connect SCC Instance to Account
Verify your S-user account from Welcome e-mail is usable by logging into HCP Cockpit
Login to the SCC Admin Console; select a new Administrator password
The “Set Up Initial Configuration” panel will be displayed
Select Landscape Host (from Welcome e-mail)
Enter S-user account credentials (these are only used here)
Configure SCC Admin Login (hard-coded shared credentials or LDAP integration)
• Remember, this creates a tunnel to one specific account on the HCP-side (you can add more tunnels from this SCC instance later if needed)
Configure SAP Cloud Connector – Expose Virtual Hosts
Login to SCC Admin Cockpit
Add Virtual Hosts via “Access Control” panel – you assign the virtual host name when you create the entry; this is the name that will be visible in the HCP Account
Configure Principal Propagation on each virtual host that needs it (x.509, Kerberos, or pass through (“None”))
Add all permitted URL Resource path(s) – in a pinch, use “/” and select the Access Policy that permits all sub-paths to be accessed
Test Configuration
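An added example (not SAP Cloud Connector code and not part of the original deck) that models the access-control decision described above: a request is forwarded only when its virtual host is listed and its path matches a permitted resource, exactly or, under the sub-path policy, as a prefix. It compares the “/” with all sub-paths shortcut against a narrower table; the host names, paths, policy labels and the normalization step are assumptions made for illustration.

```python
import posixpath
from urllib.parse import unquote

PATH_ONLY, PATH_AND_SUBPATHS = "path-only", "path-and-subpaths"  # labels assumed here

# Hypothetical tables: virtual host -> (internal host, [(URL path, access policy)]).
PERMISSIVE = {"erp-virtual:443": ("erp01.corp.example:44300", [("/", PATH_AND_SUBPATHS)])}
SCOPED = {"erp-virtual:443": ("erp01.corp.example:44300", [
    ("/orders/v1", PATH_AND_SUBPATHS),
    ("/health", PATH_ONLY),
])}

# Constructed request paths used to compare the two tables.
PROBES = [
    "/orders/v1/items",
    "/health",
    "/health/extra",
    "/admin/console",
    "/orders/v1/../../admin/console",
    "/orders/v1x",
]

def normalize(url_path):
    """Drop the query, decode once, and collapse '.', '..' and '//' segments."""
    path = unquote(url_path.split("?", 1)[0])
    return posixpath.normpath("/" + path.lstrip("/"))

def resolve(table, virtual_host, url_path):
    """Return the internal host if the request is permitted, else None."""
    entry = table.get(virtual_host)
    if entry is None:
        return None  # unknown virtual host: default deny
    internal_host, resources = entry
    path = normalize(url_path)
    for resource, policy in resources:
        base = resource.rstrip("/")
        if path == (base or "/"):
            return internal_host
        if policy == PATH_AND_SUBPATHS and path.startswith(base + "/"):
            return internal_host
    return None

def exposure(table, virtual_host, probes):
    """Return the probe paths that the table would forward to the back end."""
    return [p for p in probes if resolve(table, virtual_host, p) is not None]

if __name__ == "__main__":
    print("permissive:", exposure(PERMISSIVE, "erp-virtual:443", PROBES))
    print("scoped:    ", exposure(SCOPED, "erp-virtual:443", PROBES))
```

With the “/” shortcut every probe path is forwarded; the scoped table forwards only the two paths the application is meant to reach.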
Enable Required Services
Visit the Services tab
Enable the Services you need
• Many Services will be pre-enabled
Create HCP Groups as Needed
Actual access permissions in HCP services are associated with Roles.
Roles can be bound into Groups
Groups may be either hard-assigned to specific users, or may be dynamically assigned based on Group membership information coming from your Identity Provider
Refer to the documentation for each service you’ll be using to understand which Roles will be required. Create Groups of Roles as required.
General HCP Roles documentation (link)
Portal Roles (link)
Mobile Services Roles (link)
Configure Group Mapping
Groups tab on your IdP configuration can be used to map SAML Group Claims (Assertions) to HCP Group Membership
• This permits IdP Group membership to propagate seamlessly into your HCP Application
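The Roles, Groups and group-mapping relationship described above, as an added example (not SAP code and not part of the original deck): it reads the group attribute from a constructed SAML AttributeStatement, maps each claim to an HCP group, and resolves the groups to roles, with unmapped claims granting nothing. The attribute name `groups` and all group and role names are assumptions, and the assertion is assumed to have passed signature validation already.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample of what an IdP might send (not captured traffic).
SAMPLE_STATEMENT = """
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="email">
    <saml:AttributeValue>jane@example.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="groups">
    <saml:AttributeValue>CORP-Fiori-Users</saml:AttributeValue>
    <saml:AttributeValue>CORP-Portal-Admins</saml:AttributeValue>
    <saml:AttributeValue>CORP-Payroll</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

# Hypothetical mapping rules: IdP group claim value -> HCP group.
GROUP_MAPPING = {"CORP-Fiori-Users": "FioriUsers", "CORP-Portal-Admins": "PortalAdmins"}

# Hypothetical HCP groups, each bundling the roles it grants.
GROUP_ROLES = {
    "FioriUsers": {"LaunchpadUser"},
    "PortalAdmins": {"LaunchpadUser", "SiteAdmin"},
}

def claimed_groups(statement_xml, attribute="groups"):
    """Return the values of one attribute from an already-validated statement."""
    root = ET.fromstring(statement_xml.strip())
    values = []
    for attr in root.findall("saml:Attribute", SAML_NS):
        if attr.get("Name") == attribute:
            for value in attr.findall("saml:AttributeValue", SAML_NS):
                values.append((value.text or "").strip())
    return values

def effective_access(statement_xml):
    """Map group claims to HCP groups and roles; list claims that have no rule."""
    claims = claimed_groups(statement_xml)
    groups = sorted({GROUP_MAPPING[c] for c in claims if c in GROUP_MAPPING})
    roles = sorted(set().union(*(GROUP_ROLES[g] for g in groups)))
    unmapped = [c for c in claims if c not in GROUP_MAPPING]
    return {"groups": groups, "roles": roles, "unmapped": unmapped}

if __name__ == "__main__":
    print(effective_access(SAMPLE_STATEMENT))
```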
Bind Java Compute Units
Java Compute Units will be initially assigned to your Global Account
Reassign as needed
Each Compute Unit runs exactly one application (one Java WAR file)
Bind Instance-based Services
Moving an instance based service requires interaction with SAP Cloud Operations
Submit your request via the HCP Support Portal as a service change request BC-NEO-SVC
Example HCP Landscape (one account shown)
[Diagram. Labels: Users; Mobile Apps; Hybrid Container Clients; Native Clients; Browser; Identity Provider (third party or SCI); HCP Account; Java, HANA XS Apps & Services; Mobile Services / Fiori Mobile / API Mgmt; Cloud Portal / FCE; Integration Services; Jam; DBaaS; GWaaS; HCP Destination; WebIDE; git; SCC VPN; On Premises; SAP Cloud Connector; Virtual Host Table; SAP / other Services]
Other Development Landscape Topics
Testing, CI, and CD
Continuous Integration / CD in HCP: Your best starting point
An excellent guide is published and maintained by SAP’s Developer Relations team (link)
Plus there are over 200 hands-on SAP Platform technology tutorials available at this site – most executable using your HCP Account.
Run CI infrastructure in HCP VMs, on premises, or in your own cloud; interface to HCP git, github.com, or your own SCM repositories
Understand the HCP neo command line tool (link)
Explore HCP’s Multi-Target Application functionality (link)
Testing
HCP is an open development environment
Bring your own best-of-breed practices and tooling
• Unit testing (QUnit supported by WebIDE, JUnit for Java dev, …)
• Integration testing (OPA5 for SAPUI5)
• Mobile App testing (Keynote integrated with Fiori Mobile, other partners coming soon)
• Load Testing
• Penetration testing ¹
¹ Requires proper coordination with HCP Ops team
References
Identity Integration
• HCP AppToApp SSO - SAML to XS (link)
• Mobile Services Identity Propagation (link)
• Legal HANA username formatting; list of prohibited special characters (link)
SAP Cloud Connector
• Recommended Hardware & software prerequisites (link)
• Supported operating systems (link)
© 2017 SAP SE or an SAP affiliate company. All rights reserved.