How to set up SAP Connector Architecture
1. Abstract
This article recaps all the options available when we set up the architecture for Board cloud - SAP integrations that require the Board Connector for SAP by Theobald.
In the early implementation stage of projects where Board needs to import SAP data, Board architects (or the implementation partner) and the client’s Network Team need to discuss the architecture to adopt for the SAP Connector. There are technical considerations to be made depending on the type of hosting and the network security constraints. Board and its technology partner Theobald work hand-in-hand to provide high flexibility and reliability for this crucial data exchange.
2. Context
2.1 The Board Connector for SAP by Theobald
Unlike other Board cloud connectors available on the Data Pipeline portal, the SAP Connector requires a dedicated architecture and setup that are thoroughly described in the Data Integration courses and on Theobald’s online documentation.
There have been recent changes to the technical requirements for the connection between Board and the Connector. In this article, we will focus on this half of the Board-SAP connection. The link between the Connector and SAP will not be covered, as no technical changes have been introduced on that front.
These improvements can make the integration easier to set up, and any integration architect or Board developer working with SAP integrations should be aware of their implications.
The standard Connector server ports required are documented by Theobald at this link. In short:
- TCP port 8096 is used for the connection from the Designer to the Connector server
- TCP port 8098 exposes extraction metadata
- HTTP port 8097 exposes extraction data (as well as metadata from v5.6). It can be encrypted, in which case it becomes HTTPS port 8197
3. Content
3.1 Options and Version Compatibility Table
To better understand the changes, here is a recap of the network configuration required for all architecture options available based on Board and Connector versions in use.
VPN is the only viable option when the Connector server is hosted within a private network.
DMZ is the option when the Connector host can be reached from the internet through a public IP address.
3.2 Architectural improvements
With the changes introduced with Board 12.4 (2022 Summer release) and Connector version 5.6.0, as you can see in the table above, the integration can be set up entirely through one port, i.e. 8097 or 8197. This represents an advantage in terms of network security since this is an HTTP (or HTTPS) port whereas 8098 is a TCP port. Network and security engineers are often reluctant to open TCP ports to external applications, even when the communication is channeled into a VPN tunnel.
If the requirements to only use 8097 or 8197 are met, and we want to move away from a pre-existing setup that was using port 8098, it means that the SAP connector source in Board will need to be changed from this URL
to this
In case port 8097 is used, the URL will look like http://<your_connector_hostname>:8097.
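The port roles and version thresholds above can be turned into a pre-migration check for an existing connector source URL. This is an added example, not Board or Theobald code: the function names and the host connector.example.internal are hypothetical, and preferring 8197 over 8097 and dropping the 8098 firewall rule are this example's own assumptions.

```python
from urllib.parse import urlsplit

# Port roles and version thresholds as stated in this article.
DESIGNER, METADATA_TCP, DATA_HTTP, DATA_HTTPS = 8096, 8098, 8097, 8197
MIN_BOARD, MIN_CONNECTOR = (12, 4, 0), (5, 6, 0)

def parse_version(text):
    """'12.4' -> (12, 4, 0); padded so '5.6' compares equal to '5.6.0'."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def single_port_eligible(board, connector):
    return (parse_version(board) >= MIN_BOARD
            and parse_version(connector) >= MIN_CONNECTOR)

def review_source(url, board, connector):
    """Return (findings, proposed_url) for a Board SAP connector source URL."""
    parts = urlsplit(url)
    try:
        host, port = parts.hostname, parts.port
    except ValueError:          # non-numeric or out-of-range port
        host, port = None, None
    if not host or port is None:
        return ["source URL needs an explicit host and port"], None
    eligible = single_port_eligible(board, connector)
    https_url = f"https://{host}:{DATA_HTTPS}"
    if port == METADATA_TCP:
        if eligible:
            return ["8098 not required at these versions: repoint the source "
                    "and drop the 8098 firewall rule"], https_url
        return ["8098 still required below Board 12.4 / Connector 5.6.0"], url
    if port == DESIGNER:
        return ["8096 is the Designer port, not a Board data source"], None
    if port == DATA_HTTP:
        return ["8097 is plaintext HTTP: enable encryption to move to 8197"], https_url
    if port == DATA_HTTPS and parts.scheme == "https":
        return [], url
    return [f"unexpected scheme/port {parts.scheme}:{port}"], None

if __name__ == "__main__":
    # Constructed inputs; connector.example.internal is a placeholder host.
    for args in [("http://connector.example.internal:8098", "12.4", "5.6.0"),
                 ("http://connector.example.internal:8098", "12.3", "5.5.2"),
                 ("http://connector.example.internal:8097", "12.5", "5.6"),
                 ("https://connector.example.internal:8197", "12.5", "6.0.1")]:
        print(args, "->", review_source(*args))
```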
3.3 Choosing the architecture
When discussing the SAP connector architecture with the client and implementation partner, we always need to consider the network and security constraints that their organization requires.
Architecture types 5 and 6 are the easiest to set up, given that the Board server communicates directly with the Connector server. They provide a level of security that is acceptable to most organizations and, for these reasons, these are the architectures we normally recommend. The VPN tunnel setup request must be opened with the Board CloudOps team. Upon receiving this request, they will provide a form that the customer’s IT Team needs to fill out to start the configuration process.
When a VPN setup is not possible because the organization does not allow any VPN tunnel to reach the private network, we can suggest architecture 7.
Architecture 4 is the most complex to set up because it involves an intermediate load-balancing layer to handle mutual TLS authentication. Board Professional Services and Support can assist in the setup of the integration between the Board server and this middle layer. The link from this layer to the Connector server, as well as must be owned and managed by the client’s Infrastructure Team.
For all cases where the connector’s web services are exposed via HTTPS, i.e. architectures 2, 3, 4, 6, and 7, we recommend using certificates trusted by a public certificate authority.
4. Resources
Theobald Connector version history
Creating a SAP connection
For more information on Board-SAP integrations, you can consult part 3 of our Data Integration online course.
Comments
Thanks @Andrea Duò for the insights on this topic!