How does eG Enterprise Monitor SAP Cloud Connector?

eG Enterprise can monitor SAP Cloud Connector in an agent-based or an agentless manner. In case of the agentless approach, the remote agent should be deployed on a remote host in the environment. Regardless of the approach (agent-based or agentless), the eG agent connects to a Cloud Connector and runs monitoring API commands to pull the metrics of interest from Cloud Connector.

Pre-requisites

In highly secure environments, access controls are enabled on the target SAP Cloud Connector deployments. Such deployments enforce authentication, which requires users to identify themselves while accessing the Cloud Connector. The SAP Cloud Connector supports file based authentication as well as LDAP authentication. While file based authentication is sufficient for smaller installations, LDAP is highly recommended for medium or larger installations.

In case of file based authentication, users are stored in the users.xml file in the config subdirectory of the cloud connector. Passwords are encrypted with a keystore certificate located in the same directory. With LDAP authentication, users are authenticated against your company’s LDAP directory service.

Validated users or user groups must be assigned to one of the following roles to monitor the SAP Cloud Connector:

 

Role

Technical Role Name

Authorization

Administrator

admin or sccadmin

Has privilege to administer the Cloud Connector. This role has access to perform all CRUD operations.

Monitoring

sccmonitoring

This role provides monitoring access to APIs, and can be used by any application looking to monitor cloud connector.

Note that the role sccmonitoring provides access to the monitoring APIs and is particularly used by the SAP Solution Manager infrastructure.

By default, file based authentication is enabled, to switch from file based authentication to LDAP authentication, follow the steps below:

  1. On the cloud connector administration console, navigate to Connector > Configuration.

  2. Under the USER INTERFACE tab, switch to the Authentication.

  3. To update the authentication method, click the icon, as shown in the Figure 1.

  4. A configuration dialog box opens where you can set the parameters for LDAP authentication. Maintain the Host field and other credentials for your connection. Select the Secure Host option to use the Lightweight Directory Access Protocol over SSL (LDAPS).

Figure 1 : SAP Cloud Connector configuration

  1. In the Configuration field, enter the rest of the LDAP configuration, namely, the default user path and search pattern (userBase and userSearch) and the group path including search pattern (roleBase and roleSearch), as shown in Figure 2.

Figure 2 : Editing SCC configuration

  1. Use the Test LDAP Configuration icon in the upper-right corner to test your settings. We recommend clicking this icon before saving the configuration.

  2. Activate the LDAP authentication via the Activate.

REST APIs are exposed on the same host and port that you use to access to the Cloud Connector and all the REST APIs used for monitoring are relevant to master instance only.