SAP HANA Cloud Platform - Development Landscape Planning

SAP HANA Cloud Platform Development Landscape Planning and Setup Riley B Rainey, HCP Global Incubation Team, SAP Mentor January 2017 Public

Upload: nagesh-cr

Post on 14-Feb-2017



Q1 2017 - SAP HANA CLOUD PLATFORM PARTNER ENABLEMENT SERIES

▸ SAP S/4 HANA Extensions Pre-recorded

▸ Introduction including Provisioning and Operations January 19th

▸ User Experience as a Service January 26th

▸ Development Landscape Planning and Setup February 2nd

▸ Security Overview February 9th

▸ Portal & Collaboration February 16th

▸ Virtual Machines in HCP February 23rd

▸ Agile Data Marts March 2nd

▸ SAP SuccessFactors and SAP HANA Cloud Platform March 9th

▸ SAP hybris and SAP HANA Cloud Platform March 16th

▸ SAP HANA Cloud Platform IOT Services March 30th


TODAY’S TALK

▸ Applicability

▸ Before the Purchase: What to Consider

▸ Setting Up a HCP Hybrid Cloud Landscape

▸ Configuring HCP Account Structure

▸ Continuous Integration / CD supporting HCP


Applicability

This presentation outlines the setup and configuration process for typical Hybrid Cloud and new development use cases.

SAP SaaS Cloud Extension use cases (e.g., SuccessFactors, Ariba) will be covered separately.


Landscape Planning and Setup - Overview

[Flowchart. Boxes: Start; Plan Development Lifecycle (Dev, QA, …); Explore Application Resource Rqmts; Plan Identity Integration; Create Basic Architecture Diagram; Prepare and Review BOM; Receive HCP Welcome E-mail; Cloud Connector Needed? (Yes / No); Install each required SCC instance, configure admin login; Create and Configure Global / sub-Accounts; End]


Before you Buy
Planning


Example HCP Landscape (one account shown)

[Diagram. Labels: On Premises; SAP / other Services; SAP Cloud Connector; SCC VPN; HCP Account; Java, HANA XS Apps & Services; Mobile Services / Fiori Mobile / API Mgmt; Cloud Portal / FCE; Integration Services; Jam; DBaaS; GWaaS; Virtual Host Table; HCP Destination; Identity Provider (third party or SCI); Mobile Apps (Hybrid Container Clients, Native Clients); Browser; Users]


Outline

Plan development lifecycle — how many tiers?

Application Resource Requirements
• Which services

Plan Identity Propagation
• What does the application need (B2E? B2C?) — What are the data sources? What is the authentication method(s) for these data sources? Technical user OK for some?
• Do the requirements indicate using HCP Authentication Service?
• Multiple applications? Consider adding further sub-accounts

Construct a BOM


Plan Development Flow

How many tiers does your development team anticipate needing?

Dev, QA, Prod?

HCP provides Accounts to construct insulated environments

• Your choice here doesn’t have to exactly match your on-premise development, but having it match isn’t a bad starting point.

• This choice will determine the number of HCP sub-accounts needed.

[Diagram: Cloud Landscape (DEV, QA, PROD) shown beside On-premise Landscape (DEV, QA, PROD)]


Application Infrastructure Requirements: Fiori Cloud Edition, professional shown (one account shown)

[Diagram. Labels: On Premises; SAP / other Services; SAP Cloud Connector; SCC VPN; HCP Account; Fiori Mobile; Cloud Portal / FCE; Integration Services; GWaaS; Virtual Host Table; Identity Provider (third party or SCI); Mobile Apps (Hybrid Container Clients, Native Clients); Browser; Users]


What about resource sizing?

[Diagram: the Example HCP Landscape diagram, repeated]


Many HCP Resources employ T-shirt Sizing

For illustration purposes only; information may not be current

HANA DBaaS

Size      Cores   Disk      Out-bandwidth
32 GB     8       320 GB    512 GB/mo.
64 GB     12      640 GB    512 GB/mo.
128 GB    24      12 TB     512 GB/mo.
256 GB    32      2.5 TB    512 GB/mo.
512 GB    40      5.2 TB    1 TB/mo.
1 TB      80      10 TB     1 TB/mo.

Java Compute Units

Size      Cores   RAM       Out-bandwidth
small     2       4 GB      512 GB/mo.
medium    4       8 GB      512 GB/mo.
large     8       16 GB     512 GB/mo.

HCP Virtual Machines

Size      Cores   Disk      RAM
x-small   1       20 GB     2 GB
small     2       40 GB     4 GB
medium    4       80 GB     8 GB
large     8       160 GB    16 GB
x-large   16      320 GB    32 GB


Planning Resource Requirements - Sizing

• It is difficult to know ahead of time the optimal production resource sizes for a new application

• This is a challenge for any new application; not specific to HCP

• Make your best estimates; test early; plan to upgrade if needed

• It is possible to share HANA and ASE databases across Accounts (link)


Planning Resource Requirements – SAP Cloud Connectors

An SAP Cloud Connector provides a Secure Tunnel from your landscape to one or more HCP Accounts

Supports master / shadow configurations for redundancy

SCC can either be configured with a fixed Admin user / password, or may connect to an LDAP server to authenticate admin users

Firewall rules must allow for outbound tunnel connections and TCP connections to each back-end service

• Typically installed in your “web zone”

• Your governance may require separating Production from non-Production SCC instances; SCC supports both multiple VPN Tunnels and single tunnels; your choice

• Consult presentation References for more information


Identity Propagation – User Authentication at the Edge

Who are the users of the application?

Is there an existing user database that can be used for authentication?

Is there more than one user base requiring concurrent login? (i.e., Federated login)

What services are being used in the application? What authentication method(s) are supported for each service?

• Industry standard SSO infrastructure is supported by most HCP components: SAML, SCIM, x.509 certificates

• SAP Cloud Identity isn’t always required (e.g., SAML IdPs can be connected directly to HCP Account)

• Multiple user bases in one application? Consider using SAML Federation

• Identity setup local to each HCP Account - Multiple applications with different user bases? Consider further subdividing with more subaccounts.


Planning Identity Propagation – Identity Propagation

What authentication techniques are supported by your back-end services?

• AppToApp SSO often easiest for services completely within HCP, but this will require SAML authentication at the edge service

• SAP Cloud Connector supports Principal Propagation – mapping cloud user identity to either x.509 user certificates or Kerberos Tickets

• Full Identity Propagation isn’t always a requirement -- Many back-end services will only require a shared Technical User – easily supported by HCP

• Mobile Services can generate SAP SSO tickets for on-premise access

• See links at the end of this presentation for more information


Document the Architecture

Diagram it.

Consider maintaining two types of diagrams
• Per-Account (one for each)
• Overall Landscape

• Plan to add more detail as the implementation progresses

• Track changes


Map to Bill of Materials

Instance-based components will require one for each account
Examples
• HANA DB, ASE (consider smaller sized instances for non-Production use, see this link for info about sharing DBs)
• Integration Services, DI Ed. or PI Ed.

User-based components – usage tallied across all accounts
Examples
• Fiori Cloud Edition
• Mobile Services for development & ops

Do your Identity Integration requirements point to SAP Cloud Identity Service?
• New user base (B2C, some B2B, complex B2E)
• OAuth
• Social Identity Integration (Facebook, Twitter, …)


After the Order
Gearing up


Outline

Install SAP Cloud Connector(s)
The HCP Welcome E-mail
Create sub-Account(s)
Configure Global and sub Accounts


Install SAP Cloud Connector(s) – If required

Choose appropriate network zone for installation

Provision Hardware

Install OS and other prerequisites

Install Cloud Connector software; verify login (do not change password yet)

Done with SCC, for now

• “Web Zone” often the logical choice for installation location

• Your governance may mandate separate instance for PROD, non-Prod landscapes


The HCP Welcome E-mail

Delivered once the Global Account is provisioned.

Contains login URLs and initial credentials.

You will also receive an Onboarding Kit document containing useful tips and setup information.


Create Sub-accounts

Your landscape is created with a single “Global Account”

All instance-based resources will be “parked” there

Visit the “Overview” panel of your Global Account; create new subAccounts there.

• Enabling Beta Features gives you access to new services and service features – consider adding further subAccounts to test these


Configure each Account (Global and sub Accounts)

[Flowchart. Boxes: Start; Connect SCC Instance to Account; Configure SCC Virtual Hosts; Enable Service(s) as needed; Implement Trust / Identity Integration; Using SAML for Group mapping? (Yes / No); Configure Group Mappings in IdP Trust panel; Create HCP Groups as needed; Configure Group Mappings on a per user basis; Assign Java Compute Units; Assign DBs and other instance based resources; End]

Repeat for Global Account and each sub Account


Implement Trust / Identity Integration

SAML
• Configure Account SP settings (Security > Trust > Local Service Provider)
• Export SP Metadata; send to your IdP team
• Decide on proper SAML NameID to request from IdP, request standard attributes (e.g., email, firstname, lastname); request groups if applicable
• Receive Federation/IdP metadata
• Import metadata, configure attributes (Groups below)
• SAML allows you to federate (combine) user bases
• If you are planning to use HCP XS or Java services, read SCN articles (links needed)

SCIM
• Many modern identity systems support SCIM as an option
• Cloud Connector can be a SCIM service for your AD user base
• SCIM can be used for authentication with either a SAP Cloud Identity instance (globally across the Account) or within HCP Mobile Services (direct per-mobile-app authentication)
• In many cases SCIM can allow for easier Cloud to Cloud identity propagation, esp. for Mobile Services


Connect SCC Instance to Account

Verify your S-user account from Welcome e-mail is usable by logging into HCP Cockpit

Login to the SCC Admin Console; select a new Administrator password

The “Set Up Initial Configuration” panel will be displayed

Select Landscape Host (from Welcome e-mail)

Enter S-user account credentials (these are only used here)

Configure SCC Admin Login (hard-coded shared credentials or LDAP integration)

• Remember, this creates a tunnel to one specific account on the HCP-side (you can add more tunnels from this SCC instance later if needed)


Configure SAP Cloud Connector – Expose Virtual Hosts

Login to SCC Admin Cockpit

Add Virtual Hosts via “Access Control” panel – you assign the virtual host name when you create the entry; this is the name that will be visible in the HCP Account

Configure Principal Propagation on each virtual host that needs it (x.509, Kerberos, or pass through (“None”))

Add all permitted URL Resource path(s) – in a pinch, use “/” and select the Access Policy that permits all sub-paths to be accessed

Test Configuration
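What the “/” shortcut exposes compared with an explicit list of resource paths, as an added example that is not part of the original slides. It is a small Python model of an Access Control entry, not the Cloud Connector's configuration format or matching code; the class names, the virtual host `erp-virtual` and every path are constructed.

```python
import posixpath
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit


@dataclass(frozen=True)
class Resource:
    path: str
    with_subpaths: bool  # True models "path and all sub-paths"


@dataclass(frozen=True)
class VirtualHost:
    name: str
    port: int
    resources: tuple


def normalize(path):
    """Percent-decode and collapse '.'/'..' before any prefix comparison."""
    clean = posixpath.normpath(unquote(path or "/"))
    return "/" + clean.lstrip("/")


def is_permitted(vhost, url):
    parts = urlsplit(url)
    if (parts.hostname, parts.port) != (vhost.name, vhost.port):
        return False
    path = normalize(parts.path)
    for res in vhost.resources:
        base = normalize(res.path)
        # Compare on a segment boundary so /a/b does not also admit /a/bc.
        if path == base or (res.with_subpaths
                            and path.startswith(base.rstrip("/") + "/")):
            return True
    return False


def exposed(vhost, urls):
    """Subset of the given request URLs that this entry would let through."""
    return [u for u in urls if is_permitted(vhost, u)]


# Constructed entries and requests; host, port and paths are placeholders.
PINCH = VirtualHost("erp-virtual", 443, (Resource("/", True),))
NARROW = VirtualHost("erp-virtual", 443, (
    Resource("/sap/opu/odata/sap/ZORDERS_SRV", True),
    Resource("/sap/bc/ping", False),
))
BASE = "https://erp-virtual:443"
REQUESTS = [
    BASE + "/sap/opu/odata/sap/ZORDERS_SRV/Orders",
    BASE + "/sap/bc/ping",
    BASE + "/sap/bc/ping/extra",
    BASE + "/sap/opu/odata/sap/ZORDERS_SRV_EXT/Items",
    BASE + "/sap/opu/odata/sap/ZORDERS_SRV/%2e%2e/ZHR_SRV/Employees",
    BASE + "/internal/admin",
]
```

`exposed(PINCH, REQUESTS)` returns all six requests, while `exposed(NARROW, REQUESTS)` returns only the first two, which is the reachable surface to record in the per-account architecture diagram.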


Enable Required Services

Visit the Services tab

Enable the Services you need

• Many Services will be pre-enabled


Create HCP Groups as Needed

Actual access permissions in HCP services are associated with Roles.

Roles can be bound into Groups

Groups may be either hard-assigned to specific users, or may be dynamically assigned based on Group membership information coming from your Identity Provider

Refer to the documentation for each service you’ll be using to understand which Roles will be required. Create Groups of Roles as required.

General HCP Roles documentation (link)

Portal Roles (link)

Mobile Services Roles (link)


Configure Group Mapping

Groups tab on your IdP configuration can be used to map SAML Group Claims (Assertions) to HCP Group Membership

• This permits IdP Group membership to propagate seamlessly into your HCP Application


Bind Java Compute Units

Java Compute Units will be initially assigned to your Global Account

Reassign as needed

Each Compute Unit runs exactly one application (one Java WAR file)


Bind Instance-based Services

Moving an instance based service requires interaction with SAP Cloud Operations

Submit your request via the HCP Support Portal as a service change request BC-NEO-SVC


Example HCP Landscape (one account shown)

[Diagram: the Example HCP Landscape diagram, repeated with WebIDE and git added]


Other Development Landscape Topics
Testing, CI, and CD


Continuous Integration/ CD in HCP: Your best starting point

An excellent guide is published and maintained by SAP’s Developer Relations team (link)

Plus there are over 200 hands-on SAP Platform technology tutorials available at this site – most executable using your HCP Account.

Run CI infrastructure in HCP VMs, on premises, or in your own cloud; interface to HCP git, github.com, or your own SCM repositories

Understand the HCP neo command line tool (link)

Explore HCP’s Multi-Target Application functionality (link)


Testing

HCP is an open development environment

Bring your own best-of-breed practices and tooling
• Unit testing (QUnit supported by WebIDE, JUnit for Java dev, …)
• Integration testing (OPA5 for SAPUI5)
• Mobile App testing (Keynote integrated with Fiori Mobile, other partners coming soon)
• Load Testing
• Penetration testing [1]

[1] Requires proper coordination with HCP Ops team


References

Identity Integration
• HCP AppToApp SSO - SAML to XS (link)
• Mobile Services Identity Propagation (link)
• Legal HANA username formatting; list of prohibited special characters (link)

SAP Cloud Connector
• Recommended Hardware & software prerequisites (link)
• Supported operating systems (link)


Thank you

Contact information:
Riley Rainey
Email: [email protected]
@RileyRainey


© 2017 SAP SE or an SAP affiliate company. All rights reserved.
