Document History:
Version 1.0, authored by Kiran Kola (Architect Engineer)
Version 1.0, reviewed by Ali Chalhoub (Global Architect Support Engineer)
www.sap.com
Table of Contents
1. Business Scenarios
2. Prerequisites
6.2 Nginx as Reverse Proxy and Load balancer with HTTP communication
6.3 Nginx as Reverse Proxy and Load balancer with HTTPS communication
1. BUSINESS SCENARIOS
SAP supports the following third-party reverse proxy solutions. When adding a reverse proxy, determine the
mobile application types you need to support:

Application Type   Reverse Proxy
Native             Apache
Hybrid             Apache
Agentry            Nginx
MBO                Relay Server
Apache Server:
To support HTTP-based clients that consume SAP Mobile Platform Server services, customers can optionally
implement an Apache reverse proxy instead of a Relay Server in their production environment. When Apache
HTTP Server is used as the reverse proxy and load balancer for SAP Mobile Platform 3.0, an environment
containing all the needed resources has to be set up. This guide illustrates how to set up an Apache server with
all the components needed to test the load balancing, failover, plain HTTP, one-way HTTPS and two-way HTTPS
communication scenarios.
Relay Server:
Relay Server is typically used for MBO-based applications, but it can also be used for OData applications.
Section 5 illustrates how to expose SAP Mobile Platform OData services through the hosted Relay Server.
Nginx:
Nginx (pronounced "engine-x") is an open source reverse proxy for HTTP, HTTPS and WebSocket traffic, and also
a load balancer. Nginx supports WebSockets by tunnelling the connection between a client and the back-end
server. Nginx is typically used for SAP Agentry-based applications.
A comparison of the Apache and Nginx servers can be found at the following link:
http://www.wikivs.com/wiki/Apache_vs_nginx
2. PREREQUISITES
All the server names used in this documentation serve to demonstrate end-to-end technical scenarios and are
for mock-up purposes only. The prerequisites and software details are as follows:
SMP
To test the load balancing scenarios, we installed a two-node SMP cluster with ASE as the database node.
Apache server
A typical use of a reverse proxy is to give mobile users access to SMP servers that sit behind the corporate
firewall, so the Apache HTTP server is installed in a DMZ. In addition, the Apache HTTP server balances load
among several SMP back-end servers.
Relay server
Nginx
RestClient
OData testing tools: a sample SAP OData Gateway service is configured on the SMP server. To test the OData
services, any of the following REST client tools can be used:
Chrome Postman
Firefox RESTClient
SOAPUI Tool
Assumptions:
For SSL configuration, self-signed certificates are not used in the examples below; we used the internal SAP
CA to sign all server and client certificates.
SMP 3.0 cluster installation is done prior to this setup.
Relay Server installation is done prior to this setup (if the hosted solution is not in scope).
SMP cluster installation is not covered in this document. Refer to the installation documentation for how
to install and configure SMP 3.0 in a cluster environment:
http://help.sap.com/smp303svr
3.1 OData Registration on SMP Platform
This section covers OData registration on SMP and testing the OData service with a REST client, in the
following steps:
a) Log in to the SMP Management Cockpit
b) Provide application details
c) Provide OData details
d) Provide authentication profile details
e) Provide authentication provider details
Configuring the OData application
1. Open a web browser (Chrome or any browser that supports HTML5).
2. Enter the cockpit URL (for example https://<host-name>:8083/Admin).
3. Enter the user ID and password. By default:
a. user ID: smpAdmin
b. password: s3pAdmin (if you changed the password during installation, use the new one; change the default
administrator password before the cockpit is reachable from anywhere but an administrative network)
4. Click Login to log in to the cockpit.
5. Once logged in, click on the APPLICATIONS tab.
6. Click the New button to create a new application for our OData back-end endpoint.
7. On the screen that appears, fill in the information that is shown.
10. Provide the gateway endpoint information under the BACK END tab:
a. Enter the URL of the endpoint.
b. If the endpoint requires authentication, select Allow anonymous access and provide the user name and
password SMP should use to authenticate to the back end.
c. Check Rewrite.
NOTE: Test and validate the back-end OData connection before this setup.
11. The BACK END tab should now look like the screen below.
13. Under SECURITY PROFILE, enter a name for the security profile; in this example we use httpSec.
14. Click the New button to associate an authentication provider with the security profile.
16. From the Authentication Provider dropdown list, select HTTP/HTTPS Authentication.
18. All you have to do here is provide the URL, which is the same endpoint URL used above.
21. Click Save again to save the new security profile.
24. To confirm the endpoint is working, select its row by clicking on it, then click Ping.
26. If the endpoint is reachable, a success message is displayed.
3.2 Testing backend OData Services through SMP Platform
For this test, as mentioned in the prerequisites section, we use the POSTMAN REST client to onboard (register)
the application. To do the onboarding:
1. Start the POSTMAN REST client. On a fresh installation you should see an empty request screen.
2. Provide the URL of any one of the SMP cluster nodes. The registration URL should look like this:
http://<host-name>:8080/odata/applications/latest/odata.flight/Connections
For the Content-Type header, enter application/atom+xml;charset=utf-8.
6. If you want to associate a custom ID with the registration, add the header X-SMP-APPCID with any value; if
you leave it out, SMP generates a GUID. For this test we provide the custom ID X-SMP-APPCID = KOLAIDS:
a. Click on the Normal tab.
7. In the header section, add the header X-SMP-APPCID with the value KOLAIDS.
NOTE: Your Authorization: Basic value will differ from the one shown, because it is only the base64 encoding of
your own user ID and password. Basic credentials are not encrypted, so over plain HTTP, as in this test, they
are readable by anyone on the network path; use HTTPS for anything beyond a lab.
11. Click Send. If everything goes well, the response indicates that the application was successfully
registered on the SMP server.
Similarly, you can now test the GET operation with the following inputs:
URL: http://pvs9096.wdf.sap.corp:8080/odata.flight/
Operation = GET
Authorization = Basic d2YtbW0tNDp3ZWxjb21l
X-SMP-APPCID = KOLAIDS
Click Send. A 200 OK status is returned with XML output.
To validate the registration on SMP, log in to the SAP Management Cockpit and check the registration count.
Click Registrations; you should see a registration ID with an unknown type (browser).
With this we have successfully registered and tested the back-end OData service through SMP. Next we
configure jvmRoute on SMP.
3.3 SMP jvmRoute Configuration
Each SMP instance in the cluster gets an individual name, which is appended to the end of the session ID. When
the load balancer sees a session ID, it reads the instance name from it and sends the request to the matching
member worker. For this to work you must set the name of each SMP instance as the value of the jvmRoute
attribute of the Engine element in that node's default-server.xml. The name must be identical to the route
name of the corresponding load balancer member (the route= value of the BalancerMember line in httpd.conf);
the comparison is an exact string match. The steps are:
1. Edit default-server.xml on each SMP server node. Location:
<dir>\config_master\org.eclipse.gemini.web.tomcat\default-server.xml
2. Specify jvmRoute as a string that is unique per node, for example SMPServerNode96 on pvs9096 and
SMPServerNode97 on pvs9097.
3. Restart the SMP server node so that the new jvmRoute is appended to the session IDs it issues.
NOTE: Proxy and load balancer solutions are typically adopted in production environments, so this
implementation considers Apache with an SMP cluster and ignores single-node SMP scenarios.
2. Configure Apache:
a) cd \apache24\bin
Note: httpd.exe -k install -n "Apache2.4" installs Apache as a Windows service.
Port conflict scenario: because Apache cannot share a port with another TCP/IP application, you may need to
stop, uninstall or reconfigure other services (for example IIS) before running Apache. By default the server
listens on port 80; you can change the port in httpd.conf.
b) Edit httpd.conf, located under <Drive>\Apache24\conf\, with Notepad++ or any text editor.
c) To activate the required modules, uncomment their LoadModule lines in httpd.conf. A reverse proxy and load
balancer needs several modules; those used by the configurations in this guide are:
mod_proxy (ProxyPass and ProxyPassReverse)
mod_proxy_http (HTTP and HTTPS back ends)
mod_proxy_balancer and mod_slotmem_shm (balancer://smpcluster)
mod_lbmethod_byrequests (lbmethod=byrequests)
mod_headers (Header and RequestHeader directives)
mod_ssl (HTTPS scenarios)
mod_status (balancer-manager and server-status)
4.2 Communication protocol scenarios
In this section, the following protocol communication scenarios for the Apache server are covered:
1. HTTP
2. one-way HTTPS
3. two-way HTTPS
Scenario 1: Apache as reverse proxy with simple load balancing over plain HTTP:
1. Configure httpd.conf for plain HTTP communication
2. Restart the Apache server
3. Verify communication
4. Test SMP OData through the Apache server URL
Proxying is achieved by adding the following two directives to httpd.conf:
ProxyPass: asks the Apache server to fetch the content from the SMP nodes.
ProxyPassReverse: rewrites the URL in the Location, Content-Location and URI response headers when the
traffic is sent back, so that back-end host names never reach the client.
In this use case we have two SMP server nodes, pvs9096 and pvs9097, which both listen on port 8080. The
Apache load balancer listens on port 80 by default. The configuration sets up a balancer called
balancer://smpcluster bound to the two SMP nodes; stickysession names the session-affinity cookie to be used.
1. In the following HTTP examples, http://usphlvm1383.phl.sap.corp:80/ is mapped to the following SMP nodes on
port 8080:
pvs9096.wdf.sap.corp:8080
pvs9097.wdf.sap.corp:8080
Each BalancerMember carries the unique node name (route=) that was set as jvmRoute in that node's
default-server.xml (section 3.3). This is necessary for session affinity to work. Load balancing with session
affinity can be achieved in two ways: 1) with the SMP session ID, or 2) with a cookie set by Apache. Choose
the method based on the type of usage.
Method 1: httpd.conf template using SMP Session ID
Listen 80
<VirtualHost *:80>
ProxyPreserveHost On
ServerName usphlvm1383.phl.sap.corp
<Proxy balancer://smpcluster>
BalancerMember http://pvs9096.wdf.sap.corp:8080 route=SMPServerNode96
BalancerMember http://pvs9097.wdf.sap.corp:8080 route=SMPServerNode97
ProxySet stickysession=X-SMP-SESSID
ProxySet lbmethod=byrequests
</Proxy>
ProxyPass / balancer://smpcluster/
ProxyPassReverse / balancer://smpcluster/
ErrorLog "C:/Apache24/logs/error.log"
LogFormat "%h %l %u %t \"%r\" %>s %b duration:%T/%D balancer:%{BALANCER_WORKER_NAME}e Changed:%{BALANCER_ROUTE_CHANGED}e Sticky:%{BALANCER_SESSION_STICKY}e"
TransferLog /Apache24/logs/enhancedlog.log
</VirtualHost>
Method 2: httpd.conf template using Apache Headers
Listen 80
<VirtualHost *:80>
ProxyPreserveHost On
ServerName usphlvm1383.phl.sap.corp
Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED
<Proxy balancer://smpcluster>
BalancerMember http://pvs9096.wdf.sap.corp:8080 route=SMPServerNode96
BalancerMember http://pvs9097.wdf.sap.corp:8080 route=SMPServerNode97
ProxySet stickysession=ROUTEID
ProxySet lbmethod=byrequests
</Proxy>
ProxyPass / balancer://smpcluster/
ProxyPassReverse / balancer://smpcluster/
ErrorLog "C:/Apache24/logs/error.log"
LogFormat "%h %l %u %t \"%r\" %>s %b duration:%T/%D balancer:%{BALANCER_WORKER_NAME}e Changed:%{BALANCER_ROUTE_CHANGED}e Sticky:%{BALANCER_SESSION_STICKY}e"
TransferLog /Apache24/logs/enhancedlog.log
</VirtualHost>
NOTE: The mod_headers module is required for the Header directive; see
http://httpd.apache.org/docs/2.4/mod/mod_headers.html. In both templates ProxyRequests keeps its default of
Off; never set it On on a reverse proxy, because that turns Apache into an open forward proxy reachable from the
DMZ.
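The jvmRoute set in section 3.3 and the route= value of the matching BalancerMember line must be identical per node, and a typo in either silently breaks stickiness. The following Python script is an added example written for this guide, not SAP's or Apache's code, that cross-checks both files. The default-server.xml contents and the httpd.conf snippet embedded in it are constructed samples (the second member's route is deliberately wrong), and the Engine element layout follows standard Tomcat server.xml.

```python
"""Added example for this guide (not SAP or Apache code): confirm that each SMP
node's jvmRoute in default-server.xml equals the route= of its BalancerMember
in httpd.conf. All file contents below are constructed samples."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed: the relevant part of each node's default-server.xml after step 2 of 3.3.
# (Real path per the guide: <dir>\config_master\org.eclipse.gemini.web.tomcat\default-server.xml)
DEFAULT_SERVER_XML: Dict[str, str] = {
    "pvs9096.wdf.sap.corp": """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost" jvmRoute="SMPServerNode96"/>
  </Service>
</Server>""",
    "pvs9097.wdf.sap.corp": """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost" jvmRoute="SMPServerNode97"/>
  </Service>
</Server>""",
}

# Constructed: the balancer section of httpd.conf (Method 1), with a deliberate
# typo in the second member's route so the check has something to report.
HTTPD_CONF = """<Proxy balancer://smpcluster>
BalancerMember http://pvs9096.wdf.sap.corp:8080 route=SMPServerNode96
BalancerMember http://pvs9097.wdf.sap.corp:8080 route=SMPServerNode97x
ProxySet stickysession=X-SMP-SESSID
ProxySet lbmethod=byrequests
</Proxy>"""

BALANCER_MEMBER = re.compile(
    r"^\s*BalancerMember\s+https?://([^\s:/]+)(?::\d+)?\S*\s+.*?\broute=(\S+)",
    re.IGNORECASE | re.MULTILINE,
)


def jvm_route(default_server_xml: str) -> Optional[str]:
    """jvmRoute attribute of the <Engine> element, or None when it is not set."""
    engine = ET.fromstring(default_server_xml).find(".//Engine")
    return None if engine is None else engine.get("jvmRoute")


def balancer_routes(httpd_conf: str) -> Dict[str, str]:
    """Map back-end host name -> route= value for every BalancerMember line."""
    return {host: route for host, route in BALANCER_MEMBER.findall(httpd_conf)}


def check_routes(httpd_conf: str, node_xml: Dict[str, str]) -> List[str]:
    """One problem string per node whose jvmRoute and route= disagree.
    An empty list means sticky sessions can work for every member."""
    routes = balancer_routes(httpd_conf)
    problems: List[str] = []
    for host, xml_text in node_xml.items():
        jr = jvm_route(xml_text)
        lb = routes.get(host)
        if j0 := None:  # placeholder never taken; keeps the branch structure explicit
            pass
        if jr is None:
            problems.append(f"{host}: jvmRoute not set in default-server.xml")
        elif lb is None:
            problems.append(f"{host}: no BalancerMember entry in httpd.conf")
        elif jr != lb:  # exact, case-sensitive string comparison, like the balancer
            problems.append(f"{host}: jvmRoute={jr!r} but BalancerMember route={lb!r}")
    return problems


if __name__ == "__main__":
    for line in check_routes(HTTPD_CONF, DEFAULT_SERVER_XML) or ["all routes consistent"]:
        print(line)
```

Run it on each node's real default-server.xml and the production httpd.conf before enabling stickiness; an empty result is the only acceptable outcome.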
2. Restart the Apache server.
3. Verify communication by opening the Apache URL in a browser: http://usphlvm1383.phl.sap.corp:80
4. Testing the POST operation via Apache over HTTP. Port 80 is the default HTTP port.
1. Start the POSTMAN REST client.
2. Provide the Apache host name in the URL with the HTTP port (80). The URL should look like this:
http://<apache-server-host>:80/odata/applications/latest/odata.flight/Connections
For the Content-Type header, enter application/atom+xml;charset=utf-8.
6. If you want to associate a custom ID with the registration, add the header X-SMP-APPCID with any value; if
you leave it out, SMP generates a GUID. For this test we provide the custom ID X-SMP-APPCID = KOLAIDS:
a. Click on the Normal tab.
b. In the header section, add the header X-SMP-APPCID with the value KOLAIDS.
NOTE: Your Authorization: Basic value will differ from the one shown, because it encodes your own user ID and
password.
10. Click Send. If everything goes well, the response indicates that the application was successfully
registered on the SMP server.
Similarly, you can test the GET operation with the following inputs:
URL: http://usphlvm1383.phl.sap.corp:80/odata.flight/
X-SMP-APPCID = KOLAIDS
Content-Type = application/atom+xml;charset=utf-8
Authorization = Basic d2YtbW0tNDp3ZWxjb21l
In the above case the Apache proxy server usphlvm1383 is processing HTTP requests. Look at the response to see
whether the cookie is formed correctly.
Verify that SMP is configured correctly for session stickiness: in the response, the route name
SMPServerNode96 is appended to the X-SMP-SESSID cookie value (sessionid.SMPServerNode96).
If you are using the log format above, the entries in enhancedlog.log (under the logs folder) should look like
this:
The first request from a user, where no cookie is set yet, shows: Changed:1 Sticky:-
Subsequent requests should show: Changed:- Sticky:X-SMP-SESSID
This means that Apache read the X-SMP-SESSID cookie and was able to send the request to the correct server.
If you see Changed:1 Sticky:X-SMP-SESSID, the cookie was present but its route did not match any
BalancerMember, so session stickiness did not work; check that the jvmRoute on each SMP node equals the route=
value of its BalancerMember.
NOTE: This verification strategy applies to all the other Apache communication scenarios.
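As an added example (not part of the original guide), the following Python script applies the verification strategy above programmatically: it classifies enhancedlog.log lines written in the LogFormat of Method 1 and checks that the route suffix of an X-SMP-SESSID cookie names a configured BalancerMember route. The log lines and cookie values are constructed; the routes SMPServerNode96 and SMPServerNode97 are the ones used in this guide.

```python
"""Added example for this guide (not SAP or Apache code): verify session
stickiness from enhancedlog.log entries written with the guide's LogFormat and
from the X-SMP-SESSID cookie SMP returns. Log lines and cookies are constructed."""
import re
from typing import List, Optional, Tuple

# route= values of the BalancerMember lines in httpd.conf
KNOWN_ROUTES = {"SMPServerNode96", "SMPServerNode97"}

# Constructed entries in the format
# "%h %l %u %t \"%r\" %>s %b duration:%T/%D balancer:%{BALANCER_WORKER_NAME}e
#  Changed:%{BALANCER_ROUTE_CHANGED}e Sticky:%{BALANCER_SESSION_STICKY}e"
SAMPLE_LOG = """\
10.1.2.3 - - [09/Jul/2014:21:22:45 +0200] "POST /odata/applications/latest/odata.flight/Connections HTTP/1.1" 201 1024 duration:0/153214 balancer:http://pvs9096.wdf.sap.corp:8080 Changed:1 Sticky:-
10.1.2.3 - - [09/Jul/2014:21:22:47 +0200] "GET /odata.flight/ HTTP/1.1" 200 2048 duration:0/41023 balancer:http://pvs9096.wdf.sap.corp:8080 Changed:- Sticky:X-SMP-SESSID
10.1.2.4 - - [09/Jul/2014:21:23:01 +0200] "GET /odata.flight/ HTTP/1.1" 200 2048 duration:0/39980 balancer:http://pvs9097.wdf.sap.corp:8080 Changed:1 Sticky:X-SMP-SESSID
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'duration:\S+ balancer:(?P<worker>\S+) Changed:(?P<changed>\S+) Sticky:(?P<sticky>\S+)$'
)


def classify(line: str) -> Optional[Tuple[str, str]]:
    """(request, verdict) for one log line; None if the line is not in this format.
    verdict: 'first-request', 'sticky-ok', 'sticky-broken' or 'unknown'."""
    m = LOG_RE.match(line)
    if not m:
        return None
    changed, sticky = m["changed"], m["sticky"]
    if changed == "1" and sticky == "-":
        verdict = "first-request"   # no cookie yet; the balancer assigned a route
    elif changed == "-" and sticky == "X-SMP-SESSID":
        verdict = "sticky-ok"       # cookie read and request sent to that member
    elif changed == "1":
        verdict = "sticky-broken"   # cookie present but its route matched no member
    else:
        verdict = "unknown"
    return m["request"], verdict


def broken_requests(log_text: str) -> List[str]:
    """Requests for which stickiness failed; an empty list is the healthy result."""
    broken = []
    for line in log_text.splitlines():
        result = classify(line)
        if result and result[1] == "sticky-broken":
            broken.append(result[0])
    return broken


def route_from_cookie(set_cookie_header: str, name: str = "X-SMP-SESSID") -> Optional[str]:
    """Route suffix of a 'sessionid.route' cookie value, or None if there is none.
    mod_proxy_balancer takes the part after the '.' separator; so does this."""
    m = re.search(rf"(?:^|;\s*){re.escape(name)}=([^;]*)", set_cookie_header)
    if not m or "." not in m.group(1):
        return None
    return m.group(1).split(".", 1)[1]


def cookie_route_ok(set_cookie_header: str) -> bool:
    """True when the cookie's route suffix names a configured BalancerMember."""
    return route_from_cookie(set_cookie_header) in KNOWN_ROUTES


if __name__ == "__main__":
    print("broken:", broken_requests(SAMPLE_LOG))
    print(cookie_route_ok("X-SMP-SESSID=2A1F9C0B7D3E.SMPServerNode96; Path=/; HttpOnly"))
```

A non-empty result from broken_requests over a production log is the signal to compare the jvmRoute and route= values again; a cookie without a recognised suffix points at an SMP node whose default-server.xml was not updated or not restarted.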
Scenario 2: Apache as reverse proxy with simple load balancing over one-way HTTPS:
1. SMP Platform SSL preparation
2. SSL preparation for the Apache server
3. Install trusted certificates
4. Configure httpd.conf for one-way HTTPS communication
5. Restart the Apache server
6. Verify communication
7. Test OData through the Apache server URL (secured)
The reverse proxy and the SAP Mobile Platform server each use their own certificate; you can create or sign
these certificates from one root certificate. In one-way SSL only the server side is authenticated: the
mobile client verifies the certificate presented by Apache, and Apache, acting as the TLS client towards SMP,
verifies the certificate presented by the SMP server. The CA that signed the SMP server certificate must
therefore be trusted by Apache (SSLProxyCACertificateFile), and the CA that signed the Apache certificate
must be trusted by the clients. The Apache certificate does not need to be in the SMP trust store for one-way
SSL; that is only required for the two-way scenario.
1. SMP Platform SSL Preparation
keytool is a Java utility that manages a keystore of private keys and associated certificates, as well as
certificates from trusted entities. SAP Mobile Platform uses a single keystore file, located at
SMP_HOME\Server\configuration\smp_keystore.jks. This is the file to configure and protect. keytool is in
SMP_HOME\sapjvm_7\bin.
IMPORTANT: Back up smp_keystore.jks before changing it.
a) Create a certificate request (CSR file) for the existing key pair under alias smp_crt:
keytool.exe -certreq -alias smp_crt -file pvs9097.csr -keystore
C:\SAP\MobilePlatform3\Server\configuration\smp_keystore.jks -storepass empass12
NOTE: The key algorithm was fixed when the key pair was generated, so a -keyalg option is ignored by
-certreq. Passing -storepass on the command line exposes the keystore password in the process list and shell
history; omit it and let keytool prompt unless the command runs unattended.
NOTE: The certificate request must be signed by a CA (or self-signed) before the result is imported into the
SMP keystore. For production environments, submit the CSR to your CA to obtain a CA-signed certificate.
d) Remove the passphrase from the key
Apache would otherwise ask for the passphrase each time the web server is started, which is not practical for
a service. Remove the passphrase from the generated key with the following commands:
1. copy server.key server.key.org
2. openssl rsa -in server.key.org -out server.key
The result is a new, unencrypted RSA key in server.key. Because it is no longer protected by a passphrase,
restrict the file's permissions so that only the account running Apache can read it, and delete or lock down
server.key.org.
e) Copy server.key and ApacheServer.crt to the Apache conf directory. The location of this directory differs
depending on where Apache is installed.
7. Testing the POST operation via Apache over HTTPS. Port 443 is the default HTTPS port.
1. Start the POSTMAN REST client.
2. Provide the Apache host name in the URL with the HTTPS port (443). The URL should look like this:
https://<apache-server-host>:443/odata/applications/latest/odata.flight/Connections
5. For the Content-Type header, enter application/atom+xml;charset=utf-8.
7. If you want to associate a custom ID with the registration, add the header X-SMP-APPCID with any value; if
you leave it out, SMP generates a GUID. For this test we provide the custom ID X-SMP-APPCID = KOLAIDS:
a. Click on the Normal tab.
8. In the header section, add the header X-SMP-APPCID with the value KOLAIDS.
10. In the body section, paste the following XML:
<?xml version="1.0" encoding="UTF-8"?>
<entry
xml:base="https://usphlvm1383.phl.sap.corp:443/odata/applications/latest/odata.flight/Connections"
xmlns="http://www.w3.org/2005/Atom"
xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata"
xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices">
<content type="application/xml">
<m:properties>
<d:DeviceType>Windows</d:DeviceType>
</m:properties>
</content>
</entry>
NOTE: Your Authorization: Basic value will differ from the one shown, because it encodes your own user ID and
password.
12. Click Send. If everything goes well, the response indicates that the application was successfully
registered on the SMP server.
Similarly, you can test the GET operation with the following inputs:
URL: https://usphlvm1383.phl.sap.corp:443/odata.flight/
Operation = GET
X-SMP-APPCID = KOLAIDS
Authorization = Basic d2YtbW0tNDp3ZWxjb21l
In this example the Apache proxy server usphlvm1383 is processing HTTPS requests. Look at the response to see
whether the cookie is formed correctly.
Verify that SMP is configured correctly for session stickiness: in the response, SMPServerNode96 is appended
to the X-SMP-SESSID cookie value.
Scenario 3: reverse proxy and simple load balancing over two-way (mutual) HTTPS. In two-way SSL the client
authenticates the server and the server also authenticates the client. The CA certificate that issued the SMP
server certificate must be configured in the Apache trust store, and the CA certificate that issued the Apache
certificate must be configured in the SMP server's trust store. The SMP server and Apache must have SSL
certificates issued by a trusted certificate authority; each issued certificate carries a signature confirming
the identity of the SMP server or of the Apache server. When Apache sends a request to the SMP server, SMP
verifies that Apache presents a valid certificate, and vice versa. There are six steps to achieve this:
1. Register the OData application with an X.509 security profile in the Management Cockpit
2. Add the Impersonator role
3. Adjust httpd.conf for mutual authentication (Apache server)
4. Restart the Apache server
5. Load the .p12 client certificate into the REST client browser
6. Test SMP OData through the Apache server URL on port 8443
1. Register the OData application. Click New on the APPLICATIONS tab; on the screen that appears, fill in the
information that is shown.
10. Provide the gateway endpoint information under the BACK END tab:
a. Enter the URL of the endpoint.
b. If the endpoint requires authentication, select Allow anonymous access and provide the user name and
password SMP should use to authenticate to the back end.
c. Check Rewrite.
NOTE: Test and validate the back-end OData connection before this setup.
11. The BACK END tab should now look like the screen below.
13. Under SECURITY PROFILE, enter a name for the security profile; in this example we use httpsCon.
14. Click the New button to associate an authentication provider with the security profile.
15. From the Authentication Provider dropdown list, select X.509 Certificate and click Create.
16. Select the Validated Certificate Is Identity and Validate Cert Path options and save.
19. Click Save again to save the new security profile.
22. To confirm the endpoint is working, select its row by clicking on it, then click Ping.
23. If the endpoint is reachable, a success message is displayed.
NOTE: In addition to the X.509 certificate authentication provider, we successfully tested this scenario with
the HTTP/HTTPS Authentication provider. To make the HTTPS variant work, provide the back-end credentials of the
OData service.
2. Add the Impersonator role:
The Impersonator role establishes the trust relationship between the Apache reverse proxy and SAP Mobile
Platform Server. It allows SAP Mobile Platform Server to accept and authenticate the user's public certificate
presented in the SSL_CLIENT_CERT header over the SSL connection established by the reverse proxy.
NOTE: The Impersonator role is granted to the reverse proxy by mapping it to the subject DN of the certificate
the reverse proxy uses to establish the mutually authenticated SSL connection to SAP Mobile Platform Server.
Whoever holds that certificate can assert any user identity through the SSL_CLIENT_CERT header, so grant the
role only to the proxy's DN, protect the proxy's private key, and make sure the proxy overwrites any
SSL_CLIENT_CERT header supplied by the client (the httpd.conf in step 3 does this with RequestHeader set).
When doing mutual certificate authentication directly against the SMP 3 server without a reverse proxy, the
client establishes the SSL connection directly with the server and the certificateValidationLoginModule
configured in the server validates the client certificate presented to the server.
The steps to add the Impersonator role are:
a) Find the CN name:
1) You need access to the Apache public certificate.
3) Open the certificate, click on the Subject field and read the subject DN on the details screen.
b) Navigate to C:\SAP\MobilePlatform3\Server\configuration\com.sap.mobile.platform.server.security\CSI
c) Update the corresponding security role mapping file as shown below:
<DefaultMapping>
<LogicalName>Impersonator</LogicalName>
<MappedName>user:CN=USPHLVM1383.PHL.SAP.CORP, OU=COE, O=SAP-AG, C=DE</MappedName>
</DefaultMapping>
NOTE:
The mapped name must start with user:
The file name is derived from the security configuration name; httpsCon is the X.509 security configuration
name in this example, so the file is httpsCon-role-mapping.xml in the CSI folder.
The DN must be written exactly as the certificate presents it (same case, same separators); the comparison
is an exact string match.
Troubleshooting Impersonator role errors:
UserRoleAuthorizer.checkRole compares the role name from the mapping file, user:CN=usphlvm1383.phl.sap.corp,
OU=COE, O=SAP-AG, C=DE, with the string obtained from the certificate through the Java APIs,
CN=USPHLVM1383.PHL.SAP.CORP, OU=COE, O=SAP-AG, C=DE. If the two do not match exactly, authentication fails. In
the following log entries the case does not match:
2014 07 09 21:22:45#+0200#DEBUG#com.sybase.security.core.UserRoleAuthorizer##anonymous#http-bio-8082-exec-1###UserRoleAuthorizer.checkRole(roleName=user:CN=usphlvm1383.phl.sap.corp, OU=COE, O=SAP-AG, C=DE,subject.getName()=CN=USPHLVM1383.PHL.SAP.CORP, OU=COE, O=SAP-AG, C=DE |
2014 07 09 21:22:45#+0200#DEBUG#com.sybase.security.core.RoleCheckAuthorizer##anonymous#http-bio-8082-exec-1###RoleCheckAuthorizer.checkRole(user:CN=usphlvm1383.phl.sap.corp, OU=COE, O=SAP-AG, C=DE) |
2014 07 09 21:22:45#+0200#WARN#com.sybase.security.integration.tomcat7.CSIRealm##anonymous#http-bio-8082-exec-1###Authentication failed. SSL_CLIENT_CERT header is specified but the user is not granted "Impersonator" role. |
If you have difficulty finding the subject DN for the Impersonator mapping, set the server log to debug mode
and execute a proxied request against HTTPS port 8082 (8443 via the Apache server). The server log then shows
the DN exactly as the SAP Mobile Platform CSI records it; copy it verbatim into the mapping file.
Tip: for further debugging of SSL handshake issues you can add -Djavax.net.debug=ssl:handshake to the
props.ini file.
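The mismatch in the log above is easy to miss by eye. The following Python script is an added example (not SAP code) that parses the UserRoleAuthorizer.checkRole DEBUG line, classifies the mismatch (case, whitespace after the commas, or a different DN), reads the Impersonator MappedName from the role-mapping file, and emits the corrected DefaultMapping element. The log line is the one shown above reassembled on one line; the role-mapping file content is constructed, and its RoleMappings root element is an assumption, since the guide only shows the DefaultMapping element.

```python
"""Added example for this guide (not SAP code): diagnose the Impersonator role
mapping failure shown in the log excerpt above. Parses the UserRoleAuthorizer
DEBUG line, classifies the mismatch, reads the Impersonator MappedName from the
role-mapping XML and emits a corrected DefaultMapping. The log line is the one
from the guide reassembled on one line; the role-mapping file content is
constructed and its RoleMappings root element is an assumption."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, Optional
from xml.sax.saxutils import escape

CHECKROLE_LINE = (
    "2014 07 09 21:22:45#+0200#DEBUG#com.sybase.security.core.UserRoleAuthorizer##anonymous#"
    "http-bio-8082-exec-1###UserRoleAuthorizer.checkRole(roleName=user:CN=usphlvm1383.phl.sap.corp, "
    "OU=COE, O=SAP-AG, C=DE,subject.getName()=CN=USPHLVM1383.PHL.SAP.CORP, OU=COE, O=SAP-AG, C=DE |"
)

# Constructed httpsCon-role-mapping.xml with the (wrong, lower-case) mapping from the guide.
ROLE_MAPPING_XML = """<RoleMappings>
  <DefaultMapping>
    <LogicalName>Impersonator</LogicalName>
    <MappedName>user:CN=usphlvm1383.phl.sap.corp, OU=COE, O=SAP-AG, C=DE</MappedName>
  </DefaultMapping>
</RoleMappings>"""

CHECKROLE_RE = re.compile(
    r"checkRole\(roleName=(?P<role>.*?),subject\.getName\(\)=(?P<subject>.*?)\s*\|?\s*$"
)


def parse_checkrole(line: str) -> Optional[Dict[str, str]]:
    """roleName (from the mapping file) and subject DN (from the certificate)."""
    m = CHECKROLE_RE.search(line)
    return None if m is None else {"role": m["role"], "subject": m["subject"]}


def diagnose(role: str, subject: str) -> str:
    """Why CSI rejected the mapping. CSI compares the two strings exactly."""
    if not role.startswith("user:"):
        return "mapped name must start with 'user:'"
    dn = role[len("user:"):]
    if dn == subject:
        return "match"
    if dn.lower() == subject.lower():
        return "case mismatch: write the DN exactly as the certificate presents it"
    if re.sub(r",\s*", ",", dn) == re.sub(r",\s*", ",", subject):
        return "whitespace mismatch after the commas"
    return "different DN: the mapping names another certificate"


def impersonator_mapped_name(role_mapping_xml: str) -> Optional[str]:
    """MappedName of the Impersonator logical role, or None if not mapped."""
    for mapping in ET.fromstring(role_mapping_xml).iter("DefaultMapping"):
        if mapping.findtext("LogicalName") == "Impersonator":
            return mapping.findtext("MappedName")
    return None


def corrected_mapping(subject_dn: str) -> str:
    """The DefaultMapping element that grants Impersonator to subject_dn."""
    return (
        "<DefaultMapping>\n"
        "  <LogicalName>Impersonator</LogicalName>\n"
        f"  <MappedName>user:{escape(subject_dn)}</MappedName>\n"
        "</DefaultMapping>"
    )


if __name__ == "__main__":
    parsed = parse_checkrole(CHECKROLE_LINE)
    mapped = impersonator_mapped_name(ROLE_MAPPING_XML)
    print(diagnose(mapped, parsed["subject"]))
    print(corrected_mapping(parsed["subject"]))
```

Feed it the real checkRole line from the SMP server log; the subject DN it extracts is the exact string CSI compares against, so the emitted element can be pasted into httpsCon-role-mapping.xml without retyping.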
3. Adjust httpd.conf for mutual authentication (Apache server)
The file referenced by SSLProxyMachineCertificateFile MUST be in PEM format. If a certificate was delivered in
DER (binary) format, convert it with openssl; the commands below cover the server certificate (ApacheServer.crt)
and the root certificate (SAPNetCA.crt):
a) openssl x509 -in ApacheServer.crt -out ApacheServer.der -outform DER
b) openssl x509 -in ApacheServer.der -inform DER -out ApacheServer.pem -outform PEM
c) openssl x509 -in SAPNetCA.crt -out SAPNetCA.der -outform DER
d) openssl x509 -in SAPNetCA.der -inform DER -out SAPNetCA.pem -outform PEM
NOTE: A .crt that already starts with -----BEGIN CERTIFICATE----- is PEM and needs no conversion. If the
server or root certificate is in .der format, only step b) or d) is needed to convert it to PEM.
SSLProxyMachineCertificateFile must point to a file containing your Apache server certificate (ApacheServer.pem)
followed by its unencrypted private key (server.key) in PEM format; for example, append server.key to
ApacheServer.pem. mod_ssl does not support encrypted private keys for this directive, and Apache will not start
if this file is not assembled correctly.
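As an added example (not from the guide, SAP or Apache), the following Python script assembles and sanity-checks the ApacheServer.pem file for SSLProxyMachineCertificateFile: it accepts the certificate in PEM or DER form (converting DER the same way openssl x509 -inform DER -outform PEM does, base64 in 64-column lines), refuses a passphrase-protected key, and emits the certificate followed by the key. The certificate and key bodies embedded in it are placeholder bytes, not real key material.

```python
"""Added example for this guide (not SAP or Apache code): assemble and check the
file used for SSLProxyMachineCertificateFile, i.e. the Apache server certificate
in PEM form followed by its unencrypted private key in PEM form. The certificate
and key bodies below are constructed placeholders, not real key material."""
import base64
import textwrap
from typing import List

# Constructed placeholder DER: a real certificate is an ASN.1 SEQUENCE (first byte 0x30).
FAKE_DER_CERT = b"\x30\x82\x01\x00" + bytes(range(256))
# Constructed placeholder key, already without passphrase (output of 'openssl rsa').
FAKE_PEM_KEY = "-----BEGIN RSA PRIVATE KEY-----\nQUJDREVGR0g=\n-----END RSA PRIVATE KEY-----\n"
# Constructed placeholder for the key before the passphrase was removed.
FAKE_ENCRYPTED_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\nQUJDREVGR0g=\n"
    "-----END RSA PRIVATE KEY-----\n"
)


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap DER bytes as a PEM block, as 'openssl x509 -outform PEM' would."""
    body = base64.b64encode(der).decode("ascii")
    return (f"-----BEGIN {label}-----\n" + "\n".join(textwrap.wrap(body, 64))
            + f"\n-----END {label}-----\n")


def pem_to_der(pem_text: str) -> bytes:
    """Inverse of der_to_pem for a single block ('openssl x509 -outform DER')."""
    lines = [ln for ln in pem_text.splitlines() if ln and not ln.startswith("-----")]
    return base64.b64decode("".join(lines))


def to_pem_certificate(data: bytes) -> str:
    """Accept a .crt in either encoding: PEM passes through, DER is converted."""
    if data.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        return data.decode("ascii")
    if data[:1] == b"\x30":  # DER SEQUENCE tag
        return der_to_pem(data)
    raise ValueError("not a PEM or DER certificate")


def key_is_encrypted(pem_key: str) -> bool:
    """True for PKCS#1 keys with Proc-Type ENCRYPTED or PKCS#8 ENCRYPTED PRIVATE KEY."""
    return "Proc-Type: 4,ENCRYPTED" in pem_key or "ENCRYPTED PRIVATE KEY" in pem_key


def build_machine_cert_file(cert_data: bytes, pem_key: str) -> str:
    """Content of ApacheServer.pem: certificate first, then the key.
    Refuses an encrypted key, which mod_ssl cannot use for the proxy client side."""
    if key_is_encrypted(pem_key):
        raise ValueError("remove the passphrase first (openssl rsa -in server.key.org -out server.key)")
    if "PRIVATE KEY-----" not in pem_key:
        raise ValueError("key is not PEM")
    cert_pem = to_pem_certificate(cert_data)
    return cert_pem + ("" if cert_pem.endswith("\n") else "\n") + pem_key


def pem_block_labels(pem_text: str) -> List[str]:
    """Labels of the PEM blocks in order, e.g. ['CERTIFICATE', 'RSA PRIVATE KEY']."""
    return [ln[len("-----BEGIN "):-len("-----")] for ln in pem_text.splitlines()
            if ln.startswith("-----BEGIN ")]


if __name__ == "__main__":
    combined = build_machine_cert_file(FAKE_DER_CERT, FAKE_PEM_KEY)
    print(pem_block_labels(combined))
```

Before restarting Apache, run pem_block_labels on the real ApacheServer.pem: the expected answer is exactly one CERTIFICATE block followed by one private-key block, and key_is_encrypted must be False, otherwise the SSLProxyMachineCertificateFile directive fails at startup.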
Listen 8443
<VirtualHost *:8443>
ServerName usphlvm1383.phl.sap.corp
SSLEngine On
SSLProxyEngine On
ProxyRequests Off
ProxyPreserveHost On
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLVerifyClient require
SSLVerifyDepth 10
SSLCertificateFile /Apache24/conf/ApacheServer.crt
SSLCertificateKeyFile /Apache24/conf/server.key
SSLCACertificateFile /Apache24/conf/crts/SAPNetCA.pem
SSLProxyCACertificateFile /Apache24/conf/crts/SAPNetCA.pem
SSLProxyMachineCertificateFile /Apache24/conf/ApacheServer.pem
<Proxy balancer://smpcluster>
BalancerMember https://pvs9096.wdf.sap.corp:8082 route=SMPServerNode96
BalancerMember https://pvs9097.wdf.sap.corp:8082 route=SMPServerNode97
ProxySet stickysession=X-SMP-SESSID
ProxySet lbmethod=byrequests
</Proxy>
RequestHeader set SSL_CLIENT_CERT ""
RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
ProxyPass / balancer://smpcluster/
ProxyPassReverse / balancer://smpcluster/
CustomLog "c:/Apache24/logs/ssl_request__LB_8082.log" "%t %h %r %s %l %p User:%u %{Foobar}i client_cert:%{SSL_CLIENT_CERT}x client_verify:%{SSL_CLIENT_VERIFY}x client_cert_dn:%{SSL_CLIENT_S_DN}x \"%r\" %b"
LogFormat "%h %l %u %t \"%r\" %>s %b duration:%T/%D balancer:%{BALANCER_WORKER_NAME}e Changed:%{BALANCER_ROUTE_CHANGED}e Sticky:%{BALANCER_SESSION_STICKY}e"
TransferLog /Apache24/logs/enhancedlog_8443.log
</VirtualHost>
NOTE on the configuration above: SSLProxyCheckPeerCN off and SSLProxyCheckPeerName off disable host-name
verification of the SMP server certificate on the back-end connection. That is acceptable in a lab where the
SMP certificates do not carry the node host names, but in production leave both at their default (on) and
issue back-end certificates whose names match the BalancerMember host names; otherwise Apache cannot detect a
substituted back end. The RequestHeader set SSL_CLIENT_CERT line is essential: set replaces any SSL_CLIENT_CERT
header a client may have sent with the certificate Apache actually verified (the preceding set to an empty
value is redundant but harmless). Never change it to add or merge, which would let a client inject its own
certificate header and, through the Impersonator trust, choose its identity.
4. Restart the Apache server.
5. Load the .p12 client certificate into the REST client browser
For mutual authentication with client certificates, the client needs its own private key to prove possession of
the certificate during the TLS handshake, and the .p12 (PKCS#12) format is the most common way to distribute a
client certificate together with its private key. To test, we need a client certificate (.p12 file), which is
usually provided by the team that operates the certificate authority.
1. Load the .p12 client certificate into the personal certificate store. In Chrome, choose Settings > Show
Advanced Settings > HTTPS/SSL > Manage certificates.
NOTE: s_client is a diagnostic tool shipped with OpenSSL that can be used to exercise the client-certificate
handshake against the Apache port from the command line. For more information, refer to the following link:
https://www.openssl.org/docs/apps/s_client.html
6. Testing the SMP OData GET operation using the Apache server URL with port 8443
URL: https://usphlvm1383.phl.sap.corp:8443/odata.flight/
Operation = GET
X-SMP-APPCID = kola1
In the ssl_request log configured above, the entry for this request should show client_verify:SUCCESS together
with the client certificate's DN in client_cert_dn.
Balancer manager:
This module requires the services of mod_status. The balancer manager enables dynamic updates of balancer
members: you can use it to change the load factor of a particular member, or to disable and re-enable members.
Because anyone who reaches it can take nodes out of service or redirect traffic, enable authentication for
administrators and restrict it to administrative source addresses. In the following example we used basic
authentication over an HTTPS connection.
NOTE: The balancer-manager configuration (a <Location /balancer-manager> block with SetHandler
balancer-manager) must be part of the same virtual host as the load balancer it manages, and the path must be
excluded from proxying (ProxyPass /balancer-manager !) before the catch-all ProxyPass, otherwise the request
is forwarded to SMP instead of being handled locally. Only the tail of the virtual host is shown below:
Example for basic authentication:
ProxyPass / balancer://smpcluster/
ProxyPassReverse / balancer://smpcluster/
CustomLog "c:/Apache24/logs/ssl_443.log" "%t %h %r %s %l %p User:%u %{Foobar}i client_cert:%{SSL_CLIENT_CERT}x client_verify:%{SSL_CLIENT_VERIFY}x client_cert_dn:%{SSL_CLIENT_S_DN}x \"%r\" %b"
LogFormat "%h %l %u %t \"%r\" %>s %b duration:%T/%D balancer:%{BALANCER_WORKER_NAME}e Changed:%{BALANCER_ROUTE_CHANGED}e Sticky:%{BALANCER_SESSION_STICKY}e"
TransferLog /Apache24/logs/enhancedlog.log
</VirtualHost>
URL to access: http://hostname:port/balancer-manager
When one of the worker URLs is clicked, you can dynamically change that member's options.
Server Status:
The Status module allows a server administrator to find out how well the server is performing. An HTML page
presents the current server statistics in an easily readable form and, if required, can be made to refresh
automatically (given a compatible browser). Another page gives a simple machine-readable list of the current
server state. Because it reveals client addresses and request URLs, protect it in the same way as the balancer
manager.
Example for the server-status configuration in httpd.conf (Apache 2.4 syntax; the Order/Deny/Allow directives
of Apache 2.2 require mod_access_compat in 2.4 and add nothing here, so authorization is expressed with Require
alone):
<Location /server-status>
SetHandler server-status
AuthType Basic
AuthName "Apache server-status"
AuthUserFile /Apache24/conf/passwd-server-status
Require valid-user
</Location>
To restrict it further, add a Require ip rule for the administration network, and exclude the path from
proxying (ProxyPass /server-status !) so that the request is handled locally rather than forwarded to SMP.
URL to access: http://hostname:port/server-status
In addition to the above features, there are plenty of open source tools available to monitor and manage
Apache servers.
In the next section we focus on how to use the Relay Server as a reverse proxy and load balancer solution for
the SMP 3.0 platform.
The diagram below shows the sample architecture for the SMP cluster and hosted Relay Server communication
setup. In the following, we provide the Sybase hosted relay registration details and the RSOE configuration
steps for plain HTTP and HTTPS communication.
5.2 RSOE setup in SMP platform
This section illustrates RSOE setup on SMP platform in following steps:
1. Download rsoe files
2. Create config file for RSOE setup
3. Verify rsoe.log
4. Verify communication
5. Testing SMP OData using Relay Server URL (plain HTTP)
1. Create rsoe folder under SAP folder as shown below:
You need RSOE component, which is part of Sybase SQLAnywhere (based on your OS). From relay server
media, copy rsoe.exe, dblgde12.dll, dblgen12.dll, rsoesupp12.dll files to rsoe folder as shown below:
2. Create a config file (pvs9096.config) each SMP Node with following details:
-f smp3sp03.FARMODATA03
-id pvs9096
-t 1bf5b1482ce4a8e23d7a2521eaef
-cr
"host=RELAYSERVER.sybase.com;https=0;port=80;proxy_host=proxy;proxy_port=8080;url_suffix=/ia
s_relay_server/server/rs_server.dll"
-cs "host=localhost;port=8080"
-v 5
-o "C:\rsoe.log"
a. -t is the token; its value has to match the token specified for this backend server (pvs9096) in the relay server configuration. In our case, paste the value from the Hosted Relay Server configuration page. (-f is the farm name and -id the backend server ID under which this node is registered on the relay server.)
b. -cs is the server name and port of the backend server (e.g. the web server; here the local SMP node on port 8080).
c. -cr is the server and port of your relay server. Adapt the url_suffix if the relay server is running on Linux: url_suffix=/srv/iarelayserver. The proxy configuration is optional and only needed if you have to go through a proxy to reach the relay server.
d. -v is the verbosity level from 0 to 5 (0 = no logging, 5 = log everything).
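As an added example (not part of the original guide or of the Relay Server product), the following Python script parses a config file in the format shown above and sanity-checks it before the RSOE is started: required options present, verbosity in range, complete -cr and -cs connection strings, and whether the relay connection is plain HTTP (https=0), in which case the -t token is not protected in transit. The sample config is the pvs9096.config from above; the check names and messages are this example's own.

```python
"""Parse and sanity-check an RSOE (Relay Server Outbound Enabler) config file."""
import re
from typing import Dict, List

# One option per line, value either quoted or a single bare token.
OPTION_RE = re.compile(r'^\s*-(\w+)\s+(?:"([^"]*)"|(\S+))\s*$')

# Sample taken from the pvs9096.config listing above (token is the page's sample value).
SAMPLE_CONFIG = r'''
-f smp3sp03.FARMODATA03
-id pvs9096
-t 1bf5b1482ce4a8e23d7a2521eaef
-cr "host=RELAYSERVER.sybase.com;https=0;port=80;proxy_host=proxy;proxy_port=8080;url_suffix=/ias_relay_server/server/rs_server.dll"
-cs "host=localhost;port=8080"
-v 5
-o "C:\rsoe.log"
'''


def parse_rsoe_config(text: str) -> Dict[str, str]:
    """Map option names (without the leading dash) to their string values."""
    opts: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = OPTION_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        opts[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return opts


def parse_conn_string(value: str) -> Dict[str, str]:
    """Split a 'key=value;key=value' connection string into a dict."""
    pairs: Dict[str, str] = {}
    for part in value.split(";"):
        if not part.strip():
            continue
        key, _, val = part.partition("=")
        pairs[key.strip()] = val.strip()
    return pairs


def check_rsoe_config(opts: Dict[str, str]) -> List[str]:
    """Return a list of human-readable findings; an empty list means no issues found."""
    findings: List[str] = []
    for required in ("f", "id", "t", "cr", "cs"):
        if required not in opts:
            findings.append(f"missing required option -{required}")
    verbosity = opts.get("v")
    if verbosity is not None and not (verbosity.isdigit() and 0 <= int(verbosity) <= 5):
        findings.append(f"-v must be 0..5, got {verbosity}")
    cr = parse_conn_string(opts.get("cr", ""))
    if cr.get("https", "0") == "0":
        # The token in -t authenticates this node to the relay server; over plain
        # HTTP it is readable by anyone on the path.
        findings.append("relay connection uses plain HTTP (https=0); the -t token is not protected in transit")
    if "proxy_host" in cr and "proxy_port" not in cr:
        findings.append("proxy_host set without proxy_port")
    if "host" not in cr or "port" not in cr:
        findings.append("-cr needs host and port")
    cs = parse_conn_string(opts.get("cs", ""))
    if "host" not in cs or "port" not in cs:
        findings.append("-cs needs host and port")
    if verbosity == "5":
        findings.append("verbosity 5 logs everything; lower it once troubleshooting is done")
    return findings


if __name__ == "__main__":
    for finding in check_rsoe_config(parse_rsoe_config(SAMPLE_CONFIG)):
        print("-", finding)
```

Run the check against each node's config before starting rsoe.exe; with the sample above it reports the plain-HTTP relay connection and the maximum verbosity, both of which the guide chose for testing purposes.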
Note: the same configuration is applied on the other SMP cluster nodes; HTTPS connections are also supported.
NOTE: Repeat the above steps on all SMP nodes.
5. Verify SMP OData services via the Relay Server:
http://relayserver.sybase.com/ias_relay_server/client/rs_client.dll/<Farm-Name>/
will be redirected to your backend server (e.g. pvs9096:8080 or pvs9097:8080) as you defined it in the RSOE config file.
The following URL will produce the following result:
http://relayserver.sybase.com/ias_relay_server/client/rs_client.dll/smp3sp03.FARMODATA03/
6. Testing SMP OData GET service via Hosted Relay Server URL:
URL = http://relayserver.sybase.com/ias_relay_server/client/rs_client.dll/smp3sp03.FARMODATA03/odata.flight/odata/applications/latest/odata.flight/Connections
Operation = GET
Content-Type = application/atom+xml;charset=utf-8
Authorization = Basic aTgyNzU0NTplYXJ0aDIwMTQ=
X-SMP-APPCID = ngnixrsoe
Similarly, you can test the GET operation with the following inputs, as shown in the screen below:
URL: http://relayserver.sybase.com/ias_relay_server/client/rs_client.dll/smp3sp03.FARMODATA03/odata.flight/
X-SMP-APPCID = kola1
Authorization = Basic aTgyNzU0NTplYXJ0aDIwMTQ=
Result:
Load balancing between the SMP servers and failover scenarios were also tested successfully.
The next section focuses on how to use Nginx as a reverse proxy and load balancer solution for the SMP 3.0 platform.
6.1 Install Nginx
This section covers the Nginx installation steps:
1. Download the Nginx software
2. Run nginx.exe
3. Verify the Nginx setup
1. Download Nginx from http://nginx.org/en/download.html
We are using version 1.7.3. Always download the stable version.
2. Extract the package to a directory, C:\Nginx1.7.3\
Open CMD as administrator and run nginx.exe.
The service can be controlled by invoking the executable with the -s parameter. Use the following syntax:
C:\nginx-1.4.4>nginx -s signal
where signal may be one of the following:
stop --- fast shutdown
quit --- graceful shutdown
reload --- reload the configuration file
reopen --- reopen the log files
NOTE: Because Nginx cannot share a port with another TCP/IP application, you may need to stop, uninstall or reconfigure certain other services (for example IIS) before running nginx.exe. By default the server listens on port 80; you can change the port in the nginx.conf file located under C:\nginx-1.7.2\nginx-1.7.2\conf\
3. Verify that the Nginx services are running by the following methods:
Open Task Manager and verify that the nginx processes are running:
In the web browser, type http://localhost; if Nginx is running successfully you will see the page below:
6.2 Nginx as Reverse Proxy and Load balancer with HTTP communication
In this section, Nginx is configured as a reverse proxy with a simple load balancing configuration using plain HTTP communication, covered in the following steps:
1. Configure nginx.config for the HTTP protocol
2. Restart Nginx
3. Verify communication
4. Test OData services using the Nginx URL
1. In order to use Nginx as the reverse proxy and load balancer for the SMP3 server, change the nginx.config file as follows:
server {
    listen 80;
    server_name usphlvm1384.phl.sap.corp;
    access_log D:/nginx-1.7.2/nginx-1.7.2/logs/access_80.log;
    error_log D:/nginx-1.7.2/nginx-1.7.2/logs/error_80.log;
    location / {
        proxy_pass http://backend/;
        # try the next SMP node when the current one fails or returns a gateway error
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_redirect default;
        proxy_buffering off;
        # pass the original host name and client address through to the SMP nodes
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
# paste the code below after the closing brace of the server block
upstream backend {
    server pvs9096.wdf.sap.corp:8080;
    server pvs9097.wdf.sap.corp:8080;
}
NOTE: location / means all requests go to any of the servers listed under upstream (round-robin by default).
Result:
When accessing the OData endpoint, check the Nginx access log for a GET request like the one below:
[04/Aug/2014:10:07:08 -0700] "GET /odata.flight HTTP/1.1" 200 622 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36"
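As an added example that is not part of the original guide, here is a small Python parser for nginx's default combined log format, applied to a handful of constructed log lines modelled on the entry above (a client address and user field have been prepended, since the default format starts with $remote_addr). It counts responses by status class and pulls out the 5xx entries, which are the cases the proxy_next_upstream directive in the configuration above would have retried on the other SMP node.

```python
"""Parse nginx 'combined' access log lines and summarise proxy health."""
import re
from collections import Counter
from typing import Dict, List, Optional

# nginx default log_format "combined":
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
COMBINED_RE = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<protocol>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (client addresses and the 5xx entries are made up).
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Aug/2014:10:07:08 -0700] "GET /odata.flight HTTP/1.1" 200 622 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36"',
    '10.0.0.5 - - [04/Aug/2014:10:07:09 -0700] "GET /odata.flight/Connections HTTP/1.1" 200 4812 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [04/Aug/2014:10:07:10 -0700] "GET /odata.flight/Connections HTTP/1.1" 502 173 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [04/Aug/2014:10:07:11 -0700] "POST /odata.flight/Connections HTTP/1.1" 504 0 "-" "Mozilla/5.0"',
    'garbage line that does not match the combined format',
]

# Status codes named in proxy_next_upstream: a backend failed or timed out.
UPSTREAM_FAILURE_CODES = {"500", "502", "503", "504"}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def summarise(lines: List[str]) -> Dict[str, object]:
    """Aggregate parsed lines: counts by status class, client, and upstream failures."""
    parsed: List[Dict[str, str]] = []
    unparsed = 0
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            unparsed += 1
        else:
            parsed.append(entry)
    status_classes = Counter(e["status"][0] + "xx" for e in parsed)
    upstream_failures = [e for e in parsed if e["status"] in UPSTREAM_FAILURE_CODES]
    clients = Counter(e["remote_addr"] for e in parsed)
    return {
        "requests": len(parsed),
        "unparsed": unparsed,
        "status_classes": dict(status_classes),
        "upstream_failures": upstream_failures,
        "clients": dict(clients),
    }


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    print("requests:", report["requests"], "unparsed:", report["unparsed"])
    print("by status class:", report["status_classes"])
    for e in report["upstream_failures"]:
        print("upstream failure:", e["time"], e["method"], e["path"], e["status"])
```

A rising share of 5xx entries in access_80.log while the SMP nodes themselves look healthy usually points at the upstream definition (wrong port, a node that was never started) rather than at the application; the error_80.log from the same configuration names the node that failed.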
6.3 Nginx as Reverse Proxy and Load balancer with HTTPS communication
In this section, Nginx is configured as a reverse proxy with a simple load balancing configuration using HTTPS communication, covered in the following steps:
1. SMP Platform SSL Preparation
2. SSL preparation for Nginx Server
3. Install Trusted Certificates
4. Configure Nginx.config for https protocol
5. Restart Nginx
6. Verify communication
7. Testing OData services using Nginx URL
To configure the Nginx server to connect to SMP with one-way SSL support, we need to prepare the certificates for the Nginx server: OpenSSL is used to generate the server certificate and key files. The following example uses OpenSSL.
This is an optional step. It is done so that we don't have to enter the password for the private key every time we restart Nginx; the resulting server.key is then stored unencrypted, so restrict the file's permissions to the Nginx service account.
copy server.key server.key.org
openssl rsa -in server.key.org -out server.key
d) Generate the signed certificate
For production environments, submit the Certificate Signing Request that you generated to a CA to obtain a certificate signed by the CA.
The result is the signed certificate.
e) Copy server.key and NginxServer.crt to the Nginx config directory. The location of this directory differs depending on where Nginx is installed.
4. Configure nginx.config for the HTTPS protocol:
server {
    # listen, server_name and ssl_* lines are not shown in the original listing; they are
    # reconstructed from steps d) and e) above and the URL used in step 6 below
    listen 443 ssl;
    server_name usphlvm1384.phl.sap.corp;
    ssl_certificate NginxServer.crt;
    ssl_certificate_key server.key;
    access_log D:/nginx-1.7.2/nginx-1.7.2/logs/access_443.log;
    error_log D:/nginx-1.7.2/nginx-1.7.2/logs/error_443.log;
    root html;
    index index.html index.htm;
    location / {
        # Nginx speaks HTTPS to the SMP nodes; proxy_ssl_verify is off by default, so the
        # SMP certificates are not checked unless proxy_ssl_verify on and
        # proxy_ssl_trusted_certificate are added here
        proxy_pass https://backend/;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_redirect default;
        proxy_buffering off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
# paste the code below after the closing brace of the server block
upstream backend {
    server pvs9096.wdf.sap.corp:8081;
    server pvs9097.wdf.sap.corp:8081;
}
5. Restart the Nginx server.
6. Verify communication via the Nginx server (HTTPS based).
In the following example, https://usphlvm1384.phl.sap.corp:443/ is mapped to the following SMP nodes:
pvs9096.wdf.sap.corp:8081
pvs9097.wdf.sap.corp:8081
The URL https://usphlvm1384.phl.sap.corp:443 will produce the following result:
Result:
In summary, this paper covers reverse proxy and load balancer solutions for SAP Mobile Platform using Apache, Relay Server and Nginx servers with HTTP, one-way HTTPS and mutual HTTPS scenarios.