
How-to-Guide:

Reverse Proxy and Load Balancing for SAP Mobile Platform 3.X

Active Global Support North America

Document History:

Document Version  Authored By    Description
1.0               Kiran Kola     Architect Engineer

Document Version  Reviewer       Description
1.0               Ali Chalhoub   Global Architect Support Engineer


Table of Contents
1. Business Scenarios
2. Prerequisites
3.0 SAP Mobile Platform Configuration
3.1 OData registration on SMP Platform
3.2 Testing backend OData Services through SMP Platform ... 14
3.3 SMP jvmRoute Configuration ... 21
4.0 SMP 3.0 Architecture and Apache Server Setup ... 22
4.1 Apache HTTP Server Installation ... 23
4.2 Communication protocol scenarios ... 25
4.3 Monitoring settings for Apache Server ... 56
5.0 Exposing SMP OData Services via Relay server ... 59
5.1 Registration with Sybase Hosted relay Server ... 60
5.2 RSOE setup in SMP platform ... 62
6.0 NGINX as the reverse proxy and Load balancer ... 66
6.1 Install Nginx ... 67
6.2 Nginx as Reverse Proxy and Load balancer with HTTP communication ... 69
6.3 Verifying the request is going through Nginx ... 71
6.3 Nginx as Reverse Proxy and Load balancer with HTTPS communication ... 72

1. BUSINESS SCENARIOS
SAP supports the following third-party reverse proxy solutions:

Apache reverse proxy for Native and Hybrid applications
Nginx for Agentry applications

When adding a reverse proxy, determine the mobile application types you need to support.

Application Type   Reverse Proxy
Native             Apache
Hybrid             Apache
Agentry            Nginx
MBO                RelayServer

Apache Server:
To support HTTP-based clients that are designed to consume SAP Mobile Platform Server services, customers
can optionally implement an Apache reverse proxy instead of a Relay Server in their production environment.
When a customer uses Apache HTTP Server as the reverse proxy and load balancer solution for SAP Mobile
Platform 3.0, it is necessary to set up an environment containing all the needed resources. In this guide, we
illustrate how to set up an Apache server containing all the needed components for testing the load balancing,
failover, HTTP, one-way HTTPS and two-way HTTPS communication scenarios.
Relay Server:
Relay Server is typically used for MBO-based applications, but it can also be used for OData applications. Section 5
illustrates how to expose SAP Mobile Platform OData services using the Hosted Relay Server.
Nginx:
Nginx (pronounced "engine-x") is an open source reverse proxy server for the HTTP, HTTPS and WebSockets protocols,
as well as a load balancer. NGINX supports WebSockets by allowing a tunnel to be set up between a client
and backend servers. Nginx is typically used for SAP Agentry-based applications.
The differences between the Apache and Nginx servers can be found at the following link:
http://www.wikivs.com/wiki/Apache_vs_nginx

2. PREREQUISITES
All the server names used in this document are used to demonstrate end-to-end technical scenarios and for
mockup purposes only. The prerequisites and software details are as follows:
SMP
To test the load balancing scenarios, we installed a 2-node SMP cluster with ASE as the database node.
SMP version: SMP 3.0, SP 4
Database Node: sp-tivm74.wdf.sap.corp (we tested all the scenarios on ASE and HANA databases)
SMP Cluster Node 1: pvs9096.wdf.sap.corp
SMP Cluster Node 2: pvs9097.wdf.sap.corp

Apache server
A typical use of a reverse proxy is to give mobile users access to SMP servers that are behind the
corporate firewall, so the Apache HTTP server is installed in a DMZ. In addition, the Apache HTTP server is
used to balance load among several SMP back-end servers.
Apache Version: 2.4
Apache Server Node: ushplvm1383.phl.sap.corp
Notepad++: http://notepad-plus-plus.org/

Relay server
Registration with Sybase Hosted Relay Server

Nginx
Nginx Version: nginx-1.7.2
Nginx Server Node: ushplvm1384.phl.sap.corp
Notepad++: http://notepad-plus-plus.org/

RestClient
OData Testing Tools: A sample SAP OData Gateway service is configured on the SMP server. To test the OData
services, any of the following REST client tools can be used:
Chrome Postman
Firefox RESTClient
SOAPUI Tool

Assumptions:
For SSL configuration, self-signed certificates are not used in the examples below; we used the internal SAP CA
to sign all server and client certificates
SMP 3.0 cluster installation is done prior to this setup
Relay server installation is done prior to this setup (if the hosted solution is not in scope)

3.0 SAP MOBILE PLATFORM CONFIGURATION

SMP Platform cluster installation is not covered in this document. Please refer to the installation docs for how
to install and configure SMP 3.0 in a cluster environment:
http://help.sap.com/smp303svr

3.1 OData Registration on SMP Platform
In this section we cover OData registration on SMP and testing OData with a REST client in the following steps:
a) Login to SMP Management Cockpit
b) Provide application details
c) Provide OData details
d) Provide Authentication Profile details
e) Provide Authentication Provider details
Configuring the OData application
1. Open a web browser (i.e. Chrome or any web browser that supports HTML5)
2. Type the cockpit URL address (i.e. https://<host-name>:8083/Admin)
3. Enter the user ID and password. By default:
a. userID: smpAdmin
b. password: s3pAdmin (Note: If you changed the password during installation, type the new
password)
4. Click on Login to log into the cockpit
5. Once logged in successfully, click on the APPLICATIONS tab
6. Click on the New button to create a new application for our OData back-end Endpoint as shown below:

7. Once you click on the New button, you should see the following screen below, fill up with the information
that is shown on the screen

8. Click Save when you are done


9. Now we should see the following screen

10. Provide the gateway Endpoint information under the BACK END tab
a. We need the URL of the Endpoint
b. If the Endpoint requires authentication, select Allow anonymous access and provide the
user name and password for backend authentication
c. Check rewrite
NOTE: Test and validate backend OData connections prior to this setup.

11. The BACK END tab information should look like the screen below

12. Click on AUTHENTICATION tab

13. Under SECURITY PROFILE, enter the name of the security profile, in our example we are using
httpSec for our security profile name

14. Click on the New button to associate an authentication provider for our security profile

15. We should see the authentication provider screen

16. From the Authentication provider, click on the dropdown list and select HTTP/HTTPS Authentication


17. We should see the following screen

18. All you have to do here is provide the URL address, which is the same as the Endpoint that we used

19. Once you are done, click the save button


20. You should see the following success message indicating everything is OK


21. Click Save again to save now the new security profile as shown below

22. You will be asked to Confirm the update, click Yes

23. You should see the following:


24. To make sure if our Endpoint is working correctly, select the row as shown below by clicking on it:

25. Now click on the Ping button as shown below:

26. If the Endpoint is reachable, you will get the following message below:


3.2 Testing backend OData Services through SMP Platform
For this test, as mentioned in the prerequisites section, we are using the POSTMAN REST client to onboard the
application. To do the onboarding, do the following:

1. Invoke POSTMAN RESTClient, you should see something similar to the screen below, if this is a fresh
installation of POSTMAN RESTClient

2. The first thing we need to do is provide the URL of any one of the SMP cluster nodes, the URL should look
like this
http://<host-name>:8080/odata/applications/latest/odata.flight/Connections

3. Change the operation method to POST as shown below

4. Now we need to set the Content-Type = application/atom+xml;charset=utf-8 , to do that, do the following:


a. Click on Headers as shown below:


b. You should see the following:

c. In the header field type Content-Type as shown below:

d. For the Content-Type value, type application/atom+xml;charset=utf-8, now you should see
something like the screen below:

5. Provide OData credentials:


a. Click on the Basic Auth, you should see something like the screen below:


b. Type the OData End-point user ID and password:

c. Now click Refresh headers, you should see the following:

6. If you want to associate a custom ID when you register your application, you can add the header X-SMP-APPCID to the header section and provide any value. Or you can leave it blank and SMP will associate a
GUID with it. For this test, we are providing a custom ID. Next, for registration purposes, provide some value
X-SMP-APPCID = KOLAIDS; to do that, do the following:
a. Click on the Normal Tab


7. In the header section as shown below, type the Header, X-SMP-APPCID as shown below:

8. Now we need to provide a body, click on raw tab as shown below:

9. In the body section, paste the following XML code below:


<?xml version="1.0" encoding="UTF-8"?>
<entry xml:base="http://pvs9096.wdf.sap.corp:8080/odata/applications/latest/odata.flight/Connections"
xmlns="http://www.w3.org/2005/Atom"
xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata"
xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices">
<content type="application/xml">
<m:properties>
<d:DeviceType>Windows</d:DeviceType>
</m:properties>
</content>
</entry>
10. You should see something like this:


NOTE: the Authorization Basic value may vary, since the user ID and password may not be the same as our
credential information.
11. Test the service: click the Send button. If everything goes well, you should see the following, which
indicates the application is successfully registered on the SMP server.

Similarly, now you can test GET operation with following inputs as shown in the below screen:


URL: http://pvs9096.wdf.sap.corp:8080/odata.flight/
Operation = GET
Authorization = Basic d2YtbW0tNDp3ZWxjb21l
X-SMP-APPCID = KOLAIDS

Click Send button. 200 OK status is displayed with XML output as shown below.

To validate the registration completion on SMP, login into SAP Management cockpit and verify registration
count.

Click Registrations, you should see registration ID with unknown type (browser).


With this we successfully registered and tested backend OData on SMP. Next we will configure jvmRoute
configuration on SMP.


3.3 SMP jvmRoute Configuration
Each SMP instance of the cluster gets an individual name which is appended to the session ID. When the
load balancer sees a session ID, it finds the name of the SMP instance and sends the request via the correct
member worker. For this to work you must set the name of each SMP instance as the value of the jvmRoute
attribute in the Engine element of that instance's default-server.xml. The name needs to be equal to the name of the
corresponding load balancer member. There are three main steps:
1. Edit default-server.xml on each SMP server node at the following
location: <dir>\config_master\org.eclipse.gemini.web.tomcat\default-server.xml
2. Specify the jvmRoute as a unique string for the node as shown below:
For pvs9096, jvmRoute=SMPServerNode96 (make sure there is no space around the =)
For pvs9097, jvmRoute=SMPServerNode97
3. Restart the SMP server
In the next section we focus on how to use Apache as a reverse proxy and load balancer solution for the SMP 3.0
Platform.


4.0 SMP 3.0 ARCHITECTURE AND APACHE SERVER SETUP


The diagram below is the sample architecture for the SMP cluster and Apache server setup. In the following, we
provide configuration steps to set up plain HTTP, one-way HTTPS and mutual authentication.

NOTE: In general, proxy and load balancer solutions are typically adopted in production environments,
so for this implementation we considered Apache with an SMP cluster environment and ignored scenarios for a single
SMP node.


4.1 Apache HTTP Server Installation
In this section, Apache server installation and configuration is illustrated in the following steps:
1. Download Apache
2. Configure Apache Server
1. Use this link to download the Apache HTTP Server: http://www.apachelounge.com/download/
Version used: httpd-2.4.9-win64-VC11
Prerequisite:
Download and install the Windows C++ 2012 runtime from Microsoft.com
We installed Apache in C:\Apache24, so we extracted the ZIP file to the root of the C: drive. Apache can be
installed anywhere on your system, but you will need to change the configuration file paths accordingly.

Within the folder, you will see following folder structure:


2. Configure Apache:
a) cd \apache24\bin
Note: httpd.exe -k install -n "Apache2.4" (this installs Apache as a service)

Port conflict scenario: Because Apache cannot share the same port with another TCP/IP application, you may
need to stop, uninstall or reconfigure certain other services before running Apache (for example IIS). By default,
the server listens on port 80, and you can change the port in the httpd.conf file.
b) Edit the httpd.conf file using Notepad++; it is located under <Drive>\Apache24\conf\
c) To activate them, uncomment the following modules in the httpd.conf file:
A typical proxy server will need to enable several modules. Those relevant for proxying and load balancing are as
follows:

LoadModule proxy_module modules/mod_proxy.so
o The core module deals with proxy infrastructure and configuration and managing a proxy request.
LoadModule proxy_http_module modules/mod_proxy_http.so
o This module handles fetching documents with HTTP and HTTPS.
LoadModule proxy_connect_module modules/mod_proxy_connect.so
o This handles the CONNECT method for secure (SSL) tunneling.
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
o mod_proxy_balancer implements clustering and load-balancing over multiple backends.
LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
o Memory provider which provides for creation and access to a shared memory segment.
LoadModule proxy_html_module modules/mod_proxy_html.so
o This rewrites HTML links into a proxy's address space.
LoadModule headers_module modules/mod_headers.so
o This modifies HTTP request and response headers.
LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
o Distributes the requests among the various workers.
LoadModule ssl_module modules/mod_ssl.so
o This module provides SSL v2/v3 and TLS v1 support for the Apache HTTP Server.


4.2 Communication protocol scenarios
In this section, the following protocol communication scenarios for the Apache server are covered:
1. HTTP
2. one-way HTTPS
3. two-way HTTPS
Scenario 1: In this section, Apache as a reverse proxy with simple load balancing over HTTP
communication is covered:
1. Configure httpd.conf for plain HTTP communication
2. Restart Apache Server
3. Verify communication
4. Test SMP OData using the Apache Server URL
Proxying can be achieved by simply writing the two rules below in your httpd.conf file.
ProxyPass: This directive asks the Apache server to fetch data from the SMP nodes.
ProxyPassReverse: This directive rewrites the original URL when the traffic is sent back.
In this use case we have two SMP server nodes, pvs9096 and pvs9097, that both listen on port 8080. The
Apache load balancer listens on port 80 by default. This sets up a load balancing cluster called
balancer://smpcluster that is bound to the two SMP nodes. The stickysession is the session affinity cookie to be
used.
1. In the following HTTP examples, http://usphlvm1383.phl.sap.corp:80/ is mapped to the following SMP nodes on
port 8080:
pvs9096.wdf.sap.corp:8080
pvs9097.wdf.sap.corp:8080
On each SMP node we add the unique node name that was set up in the default-server.xml file in the SMP
configuration (as described in section 3.4). This configuration is necessary so that session affinity works
correctly. We can achieve load balancing using two methods: 1) the SMP session ID or 2) Apache headers;
choose the method based on the type of usage.
Method 1: httpd.conf template using SMP Session ID
Listen 80
<VirtualHost *:80>
ProxyPreserveHost On
ServerName usphlvm1383.phl.sap.corp
<Proxy balancer://smpcluster>
BalancerMember http://pvs9096.wdf.sap.corp:8080 route=SMPServerNode96
BalancerMember http://pvs9097.wdf.sap.corp:8080 route=SMPServerNode97
ProxySet stickysession=X-SMP-SESSID
ProxySet lbmethod=byrequests
</Proxy>
ProxyPass / balancer://smpcluster/
ProxyPassReverse / balancer://smpcluster/
ErrorLog "C:/Apache24/logs/error.log"
LogFormat "%h %l %u %t \"%r\" %>s %b duration:%T/%D balancer:%{BALANCER_WORKER_NAME}e Changed:%{BALANCER_ROUTE_CHANGED}e Sticky:%{BALANCER_SESSION_STICKY}e"
TransferLog /Apache24/logs/enhancedlog.log
</VirtualHost>
Method 2: httpd.conf template using Apache Headers
Listen 80
<VirtualHost *:80>
ProxyPreserveHost On
ServerName usphlvm1383.phl.sap.corp
Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED
<Proxy balancer://smpcluster>
BalancerMember http://pvs9096.wdf.sap.corp:8080 route=SMPServerNode96
BalancerMember http://pvs9097.wdf.sap.corp:8080 route=SMPServerNode97
ProxySet stickysession=ROUTEID
ProxySet lbmethod=byrequests
</Proxy>
ProxyPass / balancer://smpcluster/
ProxyPassReverse / balancer://smpcluster/
ErrorLog "C:/Apache24/logs/error.log"
LogFormat "%h %l %u %t \"%r\" %>s %b duration:%T/%D balancer:%{BALANCER_WORKER_NAME}e Changed:%{BALANCER_ROUTE_CHANGED}e Sticky:%{BALANCER_SESSION_STICKY}e"
TransferLog /Apache24/logs/enhancedlog.log
</VirtualHost>
NOTE: The mod_headers module is required to set headers.
Refer to http://httpd.apache.org/docs/2.2/mod/mod_headers.html.
2. Restart Apache Server

3. Verify HTTP communication

Validate the configuration by opening a browser and testing this URL:
http://usphlvm1383.phl.sap.corp:80

The URL should return a page with this information:


4. Testing POST operation via Apache with HTTP. Port 80 is the default HTTP port.
1. Invoke POSTMAN RESTClient,

2. Provide the Apache host name in the URL with the HTTP port (80); the URL should look like this:
http://<apache-server-host>:80/odata/applications/latest/odata.flight/Connections

3. Change the operation method to POST as shown below

4. Now we need to set the Content-Type = application/atom+xml;charset=utf-8; to do that, do the following:
a. Click on Headers as shown below:

b. In the header field type Content-Type as shown below:

c. For the Content-Type value, type application/atom+xml;charset=utf-8, now you should see
something like the screen below:

5. Provide OData credentials:


a. Click on the Basic Auth, you should see something like the screen below:


b. Type the OData End-point user ID and password

c. Now click Refresh headers, you should see the following:

6. If you want to associate a custom ID when you register your application, you can add the header
X-SMP-APPCID to the header section and provide any value. Or you can leave it blank and SMP will
associate a GUID with it. For this test, we are providing a custom ID. Next, for registration purposes,
provide some value X-SMP-APPCID = KOLAIDS; to do that, do the following:
a. Click on the Normal Tab
b. In the header section as shown below, type the Header X-SMP-APPCID as shown below:


7. Now we need to provide a body, click on raw tab as shown below:

8. In the body section, paste the following XML code below:

<?xml version="1.0" encoding="UTF-8"?>
<entry xml:base="http://pvs9096.wdf.sap.corp:8080/odata/applications/latest/odata.flight/Connections"
xmlns="http://www.w3.org/2005/Atom"
xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata"
xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices">
<content type="application/xml">
<m:properties>
<d:DeviceType>Windows</d:DeviceType>
</m:properties>
</content>
</entry>
9. You should see something like this:


NOTE: the Authorization Basic value may vary, since the user ID and password may not be the same as our
credential information.
10. Test the service: click the Send button. If everything goes well, you should see the following, which
indicates the application is successfully registered on the SMP server.

Similarly, you can test the GET operation with the following inputs as shown in the screen below:
URL: http://usphlvm1383.phl.sap.corp:80/odata.flight/
X-SMP-APPCID = KOLAIDS
Content-Type = application/atom+xml;charset=utf-8
Authorization = Basic d2YtbW0tNDp3ZWxjb21l
In the above case the Apache proxy server usphlvm1383 is processing the HTTP requests. Look at the response
below to see if the cookie is formed correctly:


Verify that SMP is configured correctly for session stickiness. Note that in the response
SMPServerNode96 is appended to the X-SMP-SESSID cookie.
If you are using the above log format, then your logs should look something like the lines below in your enhancedlog.log file
located under the logs folder:

The first request for a user, where the initial cookies are not set, will show: Changed:1 Sticky:-
Subsequent requests should show: Changed:- Sticky:X-SMP-SESSID
That means that Apache read the X-SMP-SESSID cookie and was able to send the request to the correct server.
If you see Changed:1 Sticky:X-SMP-SESSID, that means that session stickiness did not work.
NOTE: For verifying the session stickiness, the above strategy is applied to all other Apache communication
scenarios.
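As an added example, not part of the original guide, the following Python script applies the Changed/Sticky reading rule above to lines in the enhancedlog.log format and also checks that each BalancerMember route= in httpd.conf equals the jvmRoute set in that node's default-server.xml (section 3.3). The helper names, the sample log lines and the config snippets are constructed for this example; node 97's jvmRoute is deliberately wrong to show a mismatch.

```python
import re
from collections import defaultdict

# Regex for the guide's LogFormat:
#   %h %l %u %t "%r" %>s %b duration:%T/%D balancer:%{BALANCER_WORKER_NAME}e
#   Changed:%{BALANCER_ROUTE_CHANGED}e Sticky:%{BALANCER_SESSION_STICKY}e
# Apache logs an unset environment variable as "-".
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) duration:(?P<secs>\d+)/(?P<usecs>\d+) '
    r'balancer:(?P<worker>\S+) Changed:(?P<changed>\S+) Sticky:(?P<sticky>\S+)$'
)

# Constructed sample of enhancedlog.log (not captured from a real server).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Aug/2014:10:15:32 -0400] "POST /odata/applications/latest/odata.flight/Connections HTTP/1.1" 201 1043 duration:0/184325 balancer:http://pvs9096.wdf.sap.corp:8080 Changed:1 Sticky:-
10.0.0.5 - - [12/Aug/2014:10:15:40 -0400] "GET /odata.flight/ HTTP/1.1" 200 2310 duration:0/52117 balancer:http://pvs9096.wdf.sap.corp:8080 Changed:- Sticky:X-SMP-SESSID
10.0.0.9 - - [12/Aug/2014:10:16:02 -0400] "GET /odata.flight/ HTTP/1.1" 200 2310 duration:0/61009 balancer:http://pvs9097.wdf.sap.corp:8080 Changed:1 Sticky:X-SMP-SESSID
"""


def parse_log_line(line):
    """Return the fields of one enhancedlog.log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry, cookie="X-SMP-SESSID"):
    """Apply the guide's rule: Changed:1 Sticky:- is a first request, Changed:- Sticky:<cookie>
    is a correctly routed follow-up, Changed:1 Sticky:<cookie> means stickiness failed."""
    changed, sticky = entry["changed"], entry["sticky"]
    if changed == "1" and sticky == "-":
        return "initial"
    if changed == "-" and sticky == cookie:
        return "sticky"
    if changed == "1" and sticky == cookie:
        return "stickiness_failed"
    return "unexpected"


def stickiness_report(lines, cookie="X-SMP-SESSID"):
    """Count outcomes per client host; any stickiness_failed entry means a request that
    carried the session cookie was moved to another SMP node."""
    report = defaultdict(lambda: defaultdict(int))
    for line in lines:
        entry = parse_log_line(line)
        if entry is not None:
            report[entry["host"]][classify(entry, cookie)] += 1
    return {host: dict(counts) for host, counts in report.items()}


MEMBER_RE = re.compile(r'^\s*BalancerMember\s+(?P<url>\S+)\s+route=(?P<route>\S+)', re.M)
JVMROUTE_RE = re.compile(r'jvmRoute\s*=\s*"(?P<route>[^"]*)"')


def balancer_routes(httpd_conf):
    """Map each BalancerMember URL in httpd.conf to its route= value."""
    return {m.group("url"): m.group("route") for m in MEMBER_RE.finditer(httpd_conf)}


def route_mismatches(httpd_conf, node_server_xml):
    """node_server_xml maps a BalancerMember URL to the text of that node's default-server.xml.
    Return (url, apache_route, jvm_route) for every member whose route= does not equal the
    node's jvmRoute (jvm_route is None when the attribute is missing)."""
    problems = []
    for url, route in balancer_routes(httpd_conf).items():
        m = JVMROUTE_RE.search(node_server_xml.get(url, ""))
        jvm_route = m.group("route") if m else None
        if jvm_route != route:
            problems.append((url, route, jvm_route))
    return problems


# Constructed snippets: the <Proxy> block from the guide's Method 1 template and a
# Tomcat <Engine> line per node; node 97 is deliberately given a wrong jvmRoute.
SAMPLE_HTTPD_CONF = """\
<Proxy balancer://smpcluster>
BalancerMember http://pvs9096.wdf.sap.corp:8080 route=SMPServerNode96
BalancerMember http://pvs9097.wdf.sap.corp:8080 route=SMPServerNode97
ProxySet stickysession=X-SMP-SESSID
ProxySet lbmethod=byrequests
</Proxy>
"""
SAMPLE_NODE_XML = {
    "http://pvs9096.wdf.sap.corp:8080":
        '<Engine name="Catalina" defaultHost="localhost" jvmRoute="SMPServerNode96">',
    "http://pvs9097.wdf.sap.corp:8080":
        '<Engine name="Catalina" defaultHost="localhost" jvmRoute="SMPServerNode79">',
}

if __name__ == "__main__":
    for host, counts in stickiness_report(SAMPLE_LOG.splitlines()).items():
        print(host, counts)
    for url, route, jvm_route in route_mismatches(SAMPLE_HTTPD_CONF, SAMPLE_NODE_XML):
        print(f"route mismatch for {url}: httpd.conf route={route}, jvmRoute={jvm_route}")
```

Point the script at the real enhancedlog.log and the two default-server.xml files to run the same checks on a live cluster.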
Scenario 2: In this section, Apache as a reverse proxy with simple load balancing over one-way
HTTPS communication is covered:
1. SMP Platform SSL Preparation
2. SSL preparation for Apache server
3. Install trusted Certificates
4. Configure httpd.conf for one-way HTTPS communication
5. Restart Apache Server
6. Verify communication
7. Testing OData using Apache Server URL (Secured)
The reverse proxy and SAP Mobile Server each use their own certificate; you can create or sign these certificates
from one root certificate. In the one-way SSL scenario, only the client authenticates the server. This means that the
public cert of the Apache server needs to be configured in the trust store of the SMP Server.
1. SMP Platform SSL Preparation
keytool is a Java utility that manages a keystore of private keys and associated certificates, as well as certificates
from trusted entities. SAP Mobile Platform uses a single keystore file, located at
SMP_HOME\Server\configuration\smp_keystore.jks. This is the file to configure and protect. keytool is in
SMP_HOME\sapjvm_7\bin
IMPORTANT: Make sure you back up your smp_keystore.jks
a) Create certificate request (CSR file)
keytool.exe -certreq -keyalg RSA -alias smp_crt -file pvs9097.csr -keystore C:\SAP\MobilePlatform3\Server\configuration\smp_keystore.jks -storepass empass12
NOTE: The certificate request must be signed by an authority or self-signed before importing it into the SMP
keystore.
For a production environment, the Certificate Signing Request that you generated can be submitted to a CA to
create a certificate signed by the CA.

b) Import root certificate of the CA
keytool -import -keystore C:\SAP\MobilePlatform3\Server\configuration\smp_keystore.jks -file C:\SAP\MobilePlatform3\sapjvm_7\bin\SAPNetCA.crt -alias TCSRootCert
c) Import signed certificate
keytool -import -keystore C:\SAP\MobilePlatform3\Server\configuration\smp_keystore.jks -file C:\SAP\MobilePlatform3\sapjvm_7\bin\pvs9097.crt -alias smp_crt
d) Verify the certificate upload
keytool -list -keystore C:\SAP\MobilePlatform3\Server\configuration\smp_keystore.jks
e) Restart the SMP servers after you upload the signed certificates.
Refer to the following link for more information on keytool:
http://help.sap.com/saphelp_smp303svr/helpdata/en/7c/2eddd970061014ba46b1c4748c229b/content.htm
There is no automatic synchronization of the cluster servers' keystores; they need to be maintained manually. Also
import all required certificates into every cluster node's keystore, and be sure to keep all certificate aliases consistent.
Use keytool to check all certificates in the keystore:
keytool -list -keystore C:\SAP\MobilePlatform3\Server\configuration\smp_keystore.jks


2. SSL Preparation for Apache Server
OpenSSL is used to generate an RSA private key and a CSR (Certificate Signing Request). It can also be
used to generate self-signed certificates, which can be used for testing purposes or internal usage.
Depending on your operating system, download the OpenSSL software from the following link:
https://www.openssl.org/related/binaries.html
a) Generate the RSA key
openssl genrsa -des3 -out server.key 2048
Enter the pass phrase twice to generate server.key: s3pAdmin
b) Create the CSR file
1. Set the environment variable: set OPENSSL_CONF=c:\OpenSSL-Win64\bin\openssl.cfg
2. Issue this command:
openssl req -sha256 -out ApacheServer.csr -new -newkey rsa:2048 -nodes -keyout server.key
Country Name:CA
State or Province Name:ONTARIO
Locality Name:TORONTO
Organization Name:SAP
Organizational Unit Name:COE
Common Name:USPHLVM1383.PHL.SAP.CORP
Email Address:
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password:
An optional company name:
c) Generate the signed certificate
For production environments, the Certificate Signing Request that you generated can be submitted to a CA to
create a certificate signed by the CA.
d) Remove the passphrase from the key
Apache will ask for the pass phrase each time the web server is started. This is not necessarily
convenient, so you can remove the passphrase from the generated key with the following commands:
1. copy server.key server.key.org
2. openssl rsa -in server.key.org -out server.key
The result is that a new RSA server.key is generated.

e) Copy server.key and ApacheServer.crt to the Apache conf directory. The location of this directory will differ
depending on where Apache is installed.


3. Installing Trusted Certificates
SMP Platform:
Using keytool.exe, upload ApacheServer.crt into the SMP keystore as a trusted certificate:
keytool -import -trustcacerts -alias ApacheServer -file ApacheServer.crt -keystore smp_keystore.jks
Apache Platform:
Install the CA cert and the SMP server certs (pvs9096, pvs9097) onto the Apache server.
For example:
Right click on the certificate and add it to Trusted Root Certificates as shown below.

4. Configuring SSL properties in httpd.conf
In the following example, https://usphlvm1383.phl.sap.corp:443/ is mapped to the following SMP nodes:
pvs9096.wdf.sap.corp:8081
pvs9097.wdf.sap.corp:8081
Listen 443
<VirtualHost *:443>
SSLEngine On
SSLProxyEngine On
ProxyPreserveHost On
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLCertificateFile /Apache24/conf/ApacheServer.crt
SSLCertificateKeyFile /Apache24/conf/server.key
ServerName usphlvm1383.phl.sap.corp
<Proxy balancer://smpcluster>
BalancerMember https://pvs9096.wdf.sap.corp:8081 route=SMPServerNode96
BalancerMember https://pvs9097.wdf.sap.corp:8081 route=SMPServerNode97
ProxySet stickysession=X-SMP-SESSID
ProxySet lbmethod=byrequests
</Proxy>
ProxyPass / balancer://smpcluster/
ProxyPassReverse / balancer://smpcluster/
ErrorLog "C:/Apache24/logs/error.log"
LogFormat "%h %l %u %t \"%r\" %>s %b duration:%T/%D balancer:%{BALANCER_WORKER_NAME}e Changed:%{BALANCER_ROUTE_CHANGED}e Sticky:%{BALANCER_SESSION_STICKY}e"
TransferLog /Apache24/logs/enhancedlog.log
</VirtualHost>
5. Restart Apache and test OData connectivity in the REST client.
6. Verify the one-way HTTPS scenario:
Validate the configuration by opening a browser and testing this URL:
https://usphlvm1383.phl.sap.corp:443
The URL should return a page with this information:

7. Testing POST operation via Apache with HTTPS. Port 443 is the default HTTPS port.
URL: https://usphlvm1383.phl.sap.corp:443/odata.flight/
Operation = GET
1. Invoke POSTMAN RESTClient,

2. Provide the Apache host name in the URL with the HTTPS port (443); the URL should look like this:
https://<apache-server-host>:443/odata/applications/latest/odata.flight/Connections


3. Change the operation method to POST as shown below

4. Now we need to set the Content-Type = application/atom+xml;charset=utf-8; to do that, do the following:
a. Click on Headers as shown below:

b. You should see the following:

c. In the header field type Content-Type as shown below:

5. For the Content-Type value, type application/atom+xml;charset=utf-8, now you should see
something like the screen below:

6. Provide OData credentials:


a. Click on the Basic Auth, you should see something like the screen below:


b. Type the OData End-point user ID and password

c. Now click Refresh headers, you should see the following:

7. If you want to associate a custom ID when you register your application, you can add the header
X-SMP-APPCID to the header section and provide any value. Or you can leave it blank and SMP
will associate a GUID with it. For this test, we are providing a custom ID. Next, for registration
purposes, provide some value X-SMP-APPCID = KOLAIDS; to do that, do the following:
a. Click on the Normal Tab
8. In the header section as shown below, type the Header X-SMP-APPCID as shown below:

9. Now we need to provide a body, click on raw tab as shown below:


10. In the body section, paste the following XML code below:
<?xml version="1.0" encoding="UTF-8"?>
<entry xml:base="https://usphlvm1383.phl.sap.corp:443/odata/applications/latest/odata.flight/Connections"
xmlns="http://www.w3.org/2005/Atom"
xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata"
xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices">
<content type="application/xml">
<m:properties>
<d:DeviceType>Windows</d:DeviceType>
</m:properties>
</content>
</entry>

11. You should see something like below:

NOTE: the Authorization Basic value may vary, since the user ID and password may not be the same as our
credential information.


12. Test the service: click the Send button. If everything goes well, you should see the following,
which indicates the application is successfully registered on the SMP server.

Similarly, you can test the GET operation with the following inputs as shown in the screen below:
URL: https://usphlvm1383.phl.sap.corp:443/odata.flight/
Operation = GET
X-SMP-APPCID = KOLAIDS
Authorization = Basic d2YtbW0tNDp3ZWxjb21l
In this example, the Apache proxy server usphlvm1383 is processing the HTTPS requests. Look at the response below
to see if the cookie is formed correctly:

Verify that SMP is configured correctly for session stickiness. Note that in the response
SMPServerNode96 is appended to the X-SMP-SESSID cookie.
Scenario 3: In this section, reverse proxy and simple load balancing configuration using two-way HTTPS
communication is covered in the following steps:


1. Create OData connection using X.509 certificate authentication
2. Add the impersonator Role in SMP
3. Configure httpd.conf file for mutual authentication
4. Restart Apache Server
5. Load the .p12 client certificate into the browser
6. Verify two-way mutual communication
7. Testing OData using Apache Server URL (two-way HTTPS protocol)

In two-way SSL, the client authenticates the server and the server also authenticates the client: the public cert of the SMP
server needs to be configured in the trust store of the Apache server, and the public cert of Apache needs to
be configured in the SMP server's trust store. The SMP server and Apache must have SSL certificates issued
by an authorized certificate authority. An issued certificate includes a digital signature confirming the identities of
the SMP server and the Apache server. When the Apache host sends a request to the SMP server, the SMP
server will verify that Apache has an SSL certificate, and vice versa. There are six steps to achieve this task:

1. Create OData connection with X.509 Certificates

In this scenario, we are using the HTTPS-based flight model example as the gateway OData connection. In the
following steps, we will create a new OData connection with X.509 certificate authentication:

a) Log in to the SMP Management Cockpit
b) Provide application details
c) Provide OData details
d) Provide Authentication Profile details
e) Provide Authentication Provider details
1. Open a web browser (i.e. Chrome or any web browser that supports HTML5)
2. Type the cockpit URL address (i.e. https://<host-name>:8083/Admin)
3. Enter the user ID and password. By default:
a. userID: smpAdmin
b. password: s3pAdmin (Note: if you changed the password during installation, type the new password. Change the
default before the cockpit port is reachable from anything other than administrator workstations.)
4. Click on Login to log into the cockpit
5. Once logged in successfully, click on the APPLICATIONS tab
6. Click on the New button to create a new application for our OData back-end endpoint, as shown below:

7. Once you click on the New button, you should see the screen below; fill it in with the information shown on the
screen

8. Click Save when you are done


9. Now we should see the following screen

10. Provide the gateway endpoint information under the BACK END tab
a. We need the URL of the endpoint
b. If the endpoint requires authentication, select Allow anonymous access and provide the user name and password
for backend authentication. These credentials are stored in SMP and used for the backend connection, so use a
technical user with no more privilege than the service needs.
c. Check Rewrite
NOTE: Test and validate the backend OData connection prior to this setup.
11. The BACK END tab information should look like the screen below

12. Click on AUTHENTICATION tab

13. Under SECURITY PROFILE, enter the name of the security profile, in our example we are using
httpsCon for our security profile name

14. Click on the New button to associate an authentication provider with our security profile

15. From the Authentication Provider dropdown list, select x.509 Certificate and hit the Create button

16. We should see the following screen. Select the Validated Certificate Is Identity and Validate Cert Path options
and save, as shown below:

17. Once you are done, click the Save button

18. You should see the following success message, indicating that everything is OK

19. Click Save again to save the new security profile, as shown below

20. You will be asked to confirm the update; click Yes

21. You should see the following:

22. To make sure our endpoint is working correctly, select the row by clicking on it and click on the Ping button,
as shown below:

23. If the endpoint is reachable, you will get the following message:

NOTE: In addition to the X.509 certificate authentication provider, we also successfully tested this scenario with
the HTTPS Authentication provider. To make the HTTPS scenario work, provide the backend credentials of the OData
service.
2. Add the Impersonator Role:
The Impersonator role establishes the trust relationship between the Apache reverse proxy and SAP Mobile
Platform Server, allowing SAP Mobile Platform Server to accept and authenticate the user's public certificate
presented in the SSL_CLIENT_CERT header over the SSL connection established by the reverse proxy.
NOTE: The Impersonator role should be granted to the reverse proxy by mapping the Impersonator role to the
subjectDN of the certificate the reverse proxy uses to establish its mutually authenticated SSL connection to
SAP Mobile Platform Server. Whoever holds that role can assert any certificate identity to SMP, so the mapping must
name exactly one proxy certificate, the proxy's private key must be protected accordingly, and the proxy must
overwrite any SSL_CLIENT_CERT header that arrives from the client (the httpd.conf in step 3 does this with
RequestHeader set). When doing mutual certificate authentication directly against the SMP3 server without a relay
server or reverse proxy, the client establishes the SSL connection directly with the server and the
certificateValidationLoginModule configured in the server validates the client certificate presented to the server.
Following are the steps to add the Impersonator role:
a) Find the CN name:
1) You need to have access to the Apache public certificate

2) Now click the Details tab as shown below:

3) Click on Subject; in the details pane, you will find the SubjectDN information:

b) Navigate to C:\SAP\MobilePlatform3\Server\configuration\com.sap.mobile.platform.server.security\CSI
c) Update the corresponding security role mapping file as shown below:
<DefaultMapping>
<LogicalName>Impersonator</LogicalName>
<MappedName>user:CN=USPHLVM1383.PHL.SAP.CORP, OU=COE, O=SAP-AG, C=DE</MappedName>
</DefaultMapping>
NOTE:
The MappedName value must start with user:
The file name is derived from the security configuration name. httpsCon is the X.509 security configuration name
used here, so in the above example the file is httpsCon-role-mapping.xml, located in the CSI folder.
Troubleshooting Impersonator role errors:
The UserRoleAuthorizer.checkRole method compares the roleName from the mapping file (user:CN=usphlvm1383.phl.sap.corp,
OU=COE, O=SAP-AG, C=DE) with the string obtained from the certificate via the Java APIs
(CN=USPHLVM1383.PHL.SAP.CORP, OU=COE, O=SAP-AG, C=DE). This is a plain string comparison, so it is case sensitive:
copy the DN exactly as SMP logs it. In the following errors, the case does not match:
2014 07 09 21:22:45#+0200#DEBUG#com.sybase.security.core.UserRoleAuthorizer##anonymous#http-bio-8082-exec-1###UserRoleAuthorizer.checkRole(roleName=user:CN=usphlvm1383.phl.sap.corp, OU=COE, O=SAP-AG, C=DE,subject.getName()=CN=USPHLVM1383.PHL.SAP.CORP, OU=COE, O=SAP-AG, C=DE |
2014 07 09 21:22:45#+0200#DEBUG#com.sybase.security.core.RoleCheckAuthorizer##anonymous#http-bio-8082-exec-1###RoleCheckAuthorizer.checkRole(user:CN=usphlvm1383.phl.sap.corp, OU=COE, O=SAP-AG, C=DE) |
2014 07 09 21:22:45#+0200#WARN#com.sybase.security.integration.tomcat7.CSIRealm##anonymous#http-bio-8082-exec-1###Authentication failed. SSL_CLIENT_CERT header is specified but the user is not granted "Impersonator" role. |

If you have difficulty finding the SubjectDN for the Impersonator mapping, set the server log to debug mode and
execute a proxied request against the HTTPS 8082 port (8443 via the Apache server). In the server log, you will see
the DN exactly as the SAP Mobile Platform CSI records it, which is the form to paste into MappedName.
Tip: for further debugging of SSL handshake issues, you can add -Djavax.net.debug=ssl:handshake to your props.ini
file (remove it again afterwards; it is verbose).
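The case-sensitive comparison above is easy to get wrong by hand. The following Python script, added here as an illustration and not part of the original guide or of SAP's tooling, parses checkRole debug lines like the ones quoted, reproduces the plain string comparison CSI performs, classifies the outcome, and prints the exact DefaultMapping element to paste into the role mapping file. The log excerpt embedded in it is constructed after the lines above; the classification labels are the example's own.

```python
import re

ROLE_PREFIX = "user:"

# Format of the UserRoleAuthorizer.checkRole debug line as SMP's CSI writes it
# (taken from the log excerpt above). The role name itself contains commas, so
# the role group stops at the literal ",subject.getName()=".
CHECKROLE_RE = re.compile(
    r"UserRoleAuthorizer\.checkRole\(roleName=(?P<role>.*?),\s*"
    r"subject\.getName\(\)=(?P<subject>.*?)\s*\|?\s*$"
)


def parse_checkrole(line: str):
    """Return (roleName, subject DN) from a checkRole debug line, or None."""
    m = CHECKROLE_RE.search(line.rstrip())
    if not m:
        return None
    return m.group("role").strip(), m.group("subject").strip()


def diagnose(role_name: str, subject_dn: str) -> str:
    """Reproduce the plain string comparison CSI performs and classify the result.

    'match'          - the mapping grants the role to this certificate
    'missing-prefix' - MappedName does not start with 'user:'
    'case-mismatch'  - same DN, but letter case differs (the error shown above)
    'mismatch'       - a different DN altogether (wrong certificate or attribute order)
    """
    if not role_name.startswith(ROLE_PREFIX):
        return "missing-prefix"
    mapped_dn = role_name[len(ROLE_PREFIX):]
    if mapped_dn == subject_dn:
        return "match"
    if mapped_dn.lower() == subject_dn.lower():
        return "case-mismatch"
    return "mismatch"


def mapped_name_for(subject_dn: str) -> str:
    """The exact MappedName value to put in <config>-role-mapping.xml."""
    return ROLE_PREFIX + subject_dn.strip()


def role_mapping_xml(subject_dn: str) -> str:
    """A ready-to-paste DefaultMapping element granting Impersonator to one proxy certificate."""
    return (
        "<DefaultMapping>\n"
        "  <LogicalName>Impersonator</LogicalName>\n"
        f"  <MappedName>{mapped_name_for(subject_dn)}</MappedName>\n"
        "</DefaultMapping>"
    )


def scan_log(text: str):
    """Run diagnose() over every checkRole line in a server log excerpt."""
    findings = []
    for line in text.splitlines():
        parsed = parse_checkrole(line)
        if parsed:
            role, subject = parsed
            findings.append((role, subject, diagnose(role, subject)))
    return findings


# Constructed sample, modelled on the debug output quoted above.
SAMPLE_LOG = """\
2014 07 09 21:22:45#+0200#DEBUG#com.sybase.security.core.UserRoleAuthorizer##anonymous#http-bio-8082-exec-1###UserRoleAuthorizer.checkRole(roleName=user:CN=usphlvm1383.phl.sap.corp, OU=COE, O=SAP-AG, C=DE,subject.getName()=CN=USPHLVM1383.PHL.SAP.CORP, OU=COE, O=SAP-AG, C=DE |
2014 07 09 21:22:45#+0200#WARN#com.sybase.security.integration.tomcat7.CSIRealm##anonymous#http-bio-8082-exec-1###Authentication failed. SSL_CLIENT_CERT header is specified but the user is not granted "Impersonator" role. |
"""

if __name__ == "__main__":
    for role, subject, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict}: mapping={role!r} certificate={subject!r}")
        if verdict != "match":
            print("fix: replace MappedName with\n" + role_mapping_xml(subject))
```

Run it against the SMP server log with CSI at DEBUG level; a case-mismatch verdict means the mapping file has the right certificate but the wrong spelling, and the printed element is the value to paste.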
3. Adjust the httpd.conf file for mutual authentication (Apache Server)
The file given to SSLProxyMachineCertificateFile in httpd.conf MUST be in PEM format. A PEM file is text and begins
with -----BEGIN CERTIFICATE-----; a DER file is binary. You can use openssl to convert your server certificate
(ApacheServer.crt) and root certificate (SAPNetCA.crt) by running the commands below:
a) openssl x509 -in ApacheServer.crt -out ApacheServer.der -outform DER
b) openssl x509 -in ApacheServer.der -inform DER -out ApacheServer.pem -outform PEM
c) openssl x509 -in SAPNetCA.crt -out SAPNetCA.der -outform DER
d) openssl x509 -in SAPNetCA.der -inform DER -out SAPNetCA.pem -outform PEM
NOTE: Commands a) and c) read PEM input. If the server or root certificate is already in DER format, run only b) or
d) to convert it into PEM format.
SSLProxyMachineCertificateFile - point it to a file containing your Apache server certificate (ApacheServer.pem,
converted as above) followed by its unencrypted private key (server.key) in PEM format; for example, append
server.key to ApacheServer.pem. Apache won't start if this is not done correctly. Because this file holds an
unencrypted private key, restrict its permissions to the account Apache runs as. The resulting file is shown on the
same screen:

In the following example, https://usphlvm1383.phl.sap.corp:8443/ is mapped to the following SMP nodes:

pvs9096.wdf.sap.corp:8082
pvs9097.wdf.sap.corp:8082

Note that the configuration below does not set SSLProxyVerify, so its default (none) applies and Apache does not
verify the SMP node certificates against SSLProxyCACertificateFile; SSLProxyCheckPeerCN off and
SSLProxyCheckPeerName off additionally disable the host-name checks. That is acceptable for a lab. For production,
set SSLProxyVerify require and leave the peer checks on, with SMP node certificates whose names match the
BalancerMember host names.

Listen 8443
<VirtualHost *:8443>
ServerName usphlvm1383.phl.sap.corp
SSLEngine On
SSLProxyEngine On
ProxyRequests Off
ProxyPreserveHost On
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLVerifyClient require
SSLVerifyDepth 10
SSLCertificateFile /Apache24/conf/ApacheServer.crt
SSLCertificateKeyFile /Apache24/conf/server.key
SSLCACertificateFile /Apache24/conf/crts/SAPNetCA.pem
SSLProxyCACertificateFile /Apache24/conf/crts/SAPNetCA.pem
SSLProxyMachineCertificateFile /Apache24/conf/ApacheServer.pem
<Proxy balancer://smpcluster>
BalancerMember https://pvs9096.wdf.sap.corp:8082 route=SMPServerNode96
BalancerMember https://pvs9097.wdf.sap.corp:8082 route=SMPServerNode97
ProxySet stickysession=X-SMP-SESSID
ProxySet lbmethod=byrequests
</Proxy>
# overwrite any SSL_CLIENT_CERT header the client sent; SMP must only ever see the certificate Apache verified
RequestHeader set SSL_CLIENT_CERT ""
RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
ProxyPass / balancer://smpcluster/
ProxyPassReverse / balancer://smpcluster/
CustomLog "c:/Apache24/logs/ssl_request__LB_8082.log" "%t %h %r %s %l %p User:%u %{Foobar}i client_cert:%{SSL_CLIENT_CERT}x client_verify:%{SSL_CLIENT_VERIFY}x client_cert_dn:%{SSL_CLIENT_S_DN}x \"%r\" %b"
LogFormat "%h %l %u %t \"%r\" %>s %b duration:%T/%D balancer:%{BALANCER_WORKER_NAME}e Changed:%{BALANCER_ROUTE_CHANGED}e Sticky:%{BALANCER_SESSION_STICKY}e"
TransferLog /Apache24/logs/enhancedlog_8443.log
</VirtualHost>
4. Restart the Apache Server
5. Load the .p12 client certificate into the REST client browser
For mutual authentication with client certificates, the client must prove possession of the private key that
belongs to its certificate during the TLS handshake, so the browser needs both the certificate and the key. The
.p12 (PKCS#12) format is the most common way to pass around a certificate together with its private key. To test,
we need a client certificate (.p12 file) issued by the CA that Apache trusts (SSLCACertificateFile, SAPNetCA in our
example); it is usually provided by the team that operates your certificate authority.
1. Load the .p12 client certificate into the personal certificate store. In Chrome, choose Settings > Show
Advanced Settings > HTTPS/SSL > Manage certificates, as shown in the screen below:

2. Click the Import button:

3. Click the Next button:

4. Click Browse and select the .p12 file

5. Select All Files from the dropdown:

6. Select the .p12 file and hit the Next button as shown below:

7. If the file is password protected, provide the password and hit Next:

NOTE: s_client is a diagnostic TLS client that ships with OpenSSL. With its -cert and -key options it presents a
client certificate, so it can exercise the mutual-authentication handshake against port 8443 without a browser.
For more information, refer to the following link:
https://www.openssl.org/docs/apps/s_client.html
Example for testing client certificates:
6. Verify the two-way HTTPS scenario

Validate the configuration by opening a browser and testing this URL:
https://usphlvm1383.phl.sap.corp:8443
The browser should prompt for the client certificate you imported, and the URL should return a page with this
information:

7. Testing the SMP OData GET operation using the Apache server URL with port 8443
URL: https://usphlvm1383.phl.sap.corp:8443/odata.flight/
Operation = GET
X-SMP-APPCID = kola1
The request is processed by an available SMP cluster node with the following results.

Apache 8443 result logs (the first entry is from enhancedlog_8443.log, the second from the CustomLog):

10.7.119.233 - - [10/Jul/2014:00:43:27 -0400] "GET /odata.flight/ HTTP/1.1" 200 667 duration:3/3778378 balancer:https://pvs9096.wdf.sap.corp:8082 Changed:- Sticky:X-SMP-SESSID

[10/Jul/2014:00:43:27 -0400] 10.7.119.233 GET /odata.flight/ HTTP/1.1 200 - 443 User:- - client_cert:-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- client_verify:SUCCESS client_cert_dn:CN=SUPUSER,OU=SSL Server,O=SAP-AG,C=DE "GET /odata.flight/ HTTP/1.1" 667

The balancer field shows the node that served the request, client_verify:SUCCESS confirms that Apache validated the
client certificate against SSLCACertificateFile, and client_cert_dn is the subject of the certificate that SMP
receives in the SSL_CLIENT_CERT header.
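To make the cookie check from Scenario 2 and the log reading above repeatable, here is a small Python script, added as an example and not part of the original guide or of SAP's tooling. It resolves the route suffix of an X-SMP-SESSID Set-Cookie header to the BalancerMember it selects, the way mod_proxy_balancer does (the text after the last dot is the route), and it parses lines in the enhanced LogFormat configured above to count requests per node and flag requests whose cookie route was not honoured (Changed:1, i.e. a failover or a stale cookie). The member table mirrors the 8443 configuration; the log lines and the cookie value are constructed for the example.

```python
import re
from http.cookies import SimpleCookie

# route=... of each BalancerMember in the 8443 VirtualHost above
MEMBERS = {
    "SMPServerNode96": "https://pvs9096.wdf.sap.corp:8082",
    "SMPServerNode97": "https://pvs9097.wdf.sap.corp:8082",
}
STICKY_COOKIE = "X-SMP-SESSID"


def route_from_set_cookie(set_cookie: str, members=MEMBERS, sticky=STICKY_COOKIE):
    """mod_proxy_balancer takes the route as the text after the last '.' in the
    sticky cookie value (value.route). Returns (route, member URL); the member is
    None when the route matches no BalancerMember, and both are None when the
    cookie or the suffix is missing (the request is then balanced afresh)."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    if sticky not in jar or "." not in jar[sticky].value:
        return None, None
    route = jar[sticky].value.rsplit(".", 1)[1]
    return route, members.get(route)


# LogFormat used for the enhanced log above:
# %h %l %u %t "%r" %>s %b duration:%T/%D balancer:%{BALANCER_WORKER_NAME}e
# Changed:%{BALANCER_ROUTE_CHANGED}e Sticky:%{BALANCER_SESSION_STICKY}e
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) duration:(?P<secs>\d+)/(?P<usecs>\d+) '
    r'balancer:(?P<worker>\S+) Changed:(?P<changed>\S+) Sticky:(?P<sticky>\S+)$'
)


def parse_log_line(line: str):
    """Return the fields of one enhanced-log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["changed"] = d["changed"] == "1"   # "1": the route in the cookie differed from the worker used
    return d


def audit(lines):
    """Summarise which node served each request and flag what an operator cares about:
    requests whose cookie route was not honoured (failover or stale cookie) and workers
    that are not one of the configured members."""
    entries = [e for e in (parse_log_line(l) for l in lines) if e]
    worker_counts = {}
    route_changes = []
    unknown_workers = []
    known = set(MEMBERS.values())
    for e in entries:
        worker_counts[e["worker"]] = worker_counts.get(e["worker"], 0) + 1
        if e["changed"]:
            route_changes.append((e["client"], e["request"], e["worker"]))
        if e["worker"] not in known:
            unknown_workers.append(e["worker"])
    return {
        "requests": len(entries),
        "worker_counts": worker_counts,
        "route_changes": route_changes,
        "unknown_workers": unknown_workers,
    }


# Constructed sample lines in the enhanced log format; the third simulates node 96 going
# away, so mod_proxy_balancer sends the sticky client to node 97 and logs Changed:1.
SAMPLE_LINES = [
    '10.7.119.233 - - [10/Jul/2014:00:43:27 -0400] "GET /odata.flight/ HTTP/1.1" 200 667 duration:3/3778378 balancer:https://pvs9096.wdf.sap.corp:8082 Changed:- Sticky:X-SMP-SESSID',
    '10.7.119.233 - - [10/Jul/2014:00:43:31 -0400] "GET /odata.flight/Connections HTTP/1.1" 200 1843 duration:0/412877 balancer:https://pvs9096.wdf.sap.corp:8082 Changed:- Sticky:X-SMP-SESSID',
    '10.7.119.233 - - [10/Jul/2014:00:44:02 -0400] "GET /odata.flight/Connections HTTP/1.1" 200 1843 duration:1/1002311 balancer:https://pvs9097.wdf.sap.corp:8082 Changed:1 Sticky:X-SMP-SESSID',
    '10.7.119.240 - - [10/Jul/2014:00:44:05 -0400] "POST /odata/applications/latest/odata.flight/Connections HTTP/1.1" 201 3732 duration:0/250114 balancer:https://pvs9097.wdf.sap.corp:8082 Changed:- Sticky:X-SMP-SESSID',
]

if __name__ == "__main__":
    print(route_from_set_cookie("X-SMP-SESSID=4D1F2A7C.SMPServerNode96; Path=/; Secure; HttpOnly"))
    print(audit(SAMPLE_LINES))
```

A steady stream of route changes in a healthy cluster means the cookie suffix and the route= values do not agree (check the jvmRoute on each node); a change that coincides with a node restart is the expected failover.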


4.3 Monitoring settings for Apache Server
In this section, we will cover monitoring and performance tuning aspects.

Balancer manager:
This module requires the services of mod_status. The balancer manager enables dynamic updates of balancer
members: you can use it to change the load factor of a particular member, or to drain or disable a member. Because
it changes routing at run time, it is a write interface and must not be reachable without authentication. In the
following examples we protect it with basic authentication over an HTTPS connection, using the same AuthType,
AuthU
serFile and Require valid-user directives as the server-status example further below; in production it should
additionally be limited to administrator networks.
NOTE: The balancer-manager configuration should be part of the load balancer configuration, as shown in the
example below. Because the same VirtualHost proxies everything under / to SMP, the manager path must be excluded
from the catch-all ProxyPass, otherwise the request is forwarded to SMP instead of being handled locally.
Example for basic authentication:

Example for balancer manager configuration in httpd.conf file:


Listen 443
<VirtualHost *:443>
SSLEngine On
SSLProxyEngine On
ProxyRequests Off
ProxyPreserveHost On
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLCertificateFile /Apache24/conf/ApacheServer.crt
SSLCertificateKeyFile /Apache24/conf/server.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
ServerName usphlvm1383.phl.sap.corp
ErrorLog "C:/Apache24/logs/error.log"
TransferLog "C:/Apache24/logs/access.log"
<Proxy balancer://smpcluster>
BalancerMember https://pvs9096.wdf.sap.corp:8081 route=SMPServerNode96
BalancerMember https://pvs9097.wdf.sap.corp:8081 route=SMPServerNode97
ProxySet stickysession=X-SMP-SESSID
ProxySet lbmethod=byrequests
</Proxy>
<Location /balancer-manager>
SetHandler balancer-manager
AuthType basic
AuthName "Apache balancer-manager"
AuthUserFile /Apache24/conf/passwd-server-status
Require valid-user
</Location>
# keep the manager local; this must come before the catch-all ProxyPass
ProxyPass /balancer-manager !
ProxyPass / balancer://smpcluster/
ProxyPassReverse / balancer://smpcluster/
CustomLog "c:/Apache24/logs/ssl_443.log" "%t %h %r %s %l %p User:%u %{Foobar}i client_cert:%{SSL_CLIENT_CERT}x client_verify:%{SSL_CLIENT_VERIFY}x client_cert_dn:%{SSL_CLIENT_S_DN}x \"%r\" %b"
LogFormat "%h %l %u %t \"%r\" %>s %b duration:%T/%D balancer:%{BALANCER_WORKER_NAME}e Changed:%{BALANCER_ROUTE_CHANGED}e Sticky:%{BALANCER_SESSION_STICKY}e"
TransferLog /Apache24/logs/enhancedlog.log
</VirtualHost>
URL to access: https://usphlvm1383.phl.sap.corp/balancer-manager (the VirtualHost above is an SSL host on port
443, so use https)

When one of the worker URLs is clicked, you can dynamically change the member options, as shown below.

Server Status:
The status module allows a server administrator to find out how well the server is performing. An HTML page is
presented that gives the current server statistics in an easily readable form. If required, this page can be made
to automatically refresh (given a compatible browser). Another page gives a simple machine-readable list of the
current server state. Because it reveals client addresses and request URLs, protect it the same way as the
balancer manager.
Example for server status configuration in httpd.conf file:
<Location /server-status>
SetHandler server-status
AuthType basic
AuthName "Apache server-status"
AuthUserFile /Apache24/conf/passwd-server-status
Require valid-user
</Location>
# needed when the same host carries a catch-all ProxyPass /; place it before that line
ProxyPass /server-status !
URL to access: http(s)://hostname:port/server-status

In addition to the above features, there are plenty of open-source tools available to monitor and manage Apache
servers.
In the next section, we will focus on how to use the relay server as a reverse proxy and load balancer solution for
the SMP 3.0 platform.

5.0 EXPOSING SMP ODATA SERVICES VIA RELAY SERVER

In this section, we will test SMP 3 OData services through the Sybase hosted relay server. Our assumption is that
you already have a relay server installation in place; for this exercise, we used the hosted relay server. Please
refer to the following link for more information on subscription:
Subscribing and Connecting to Sybase Hosted Relay Service

The diagram below is a sample architecture for the SMP cluster and hosted relay server communication setup. In the
following, we provide the Sybase hosted relay registration details and the RSOE configuration steps to set up plain
HTTP and HTTPS communication.

[Diagram: SMP cluster communicating with the Sybase Hosted Relay Server]

5.1 Registration with Sybase Hosted relay Server
For the Sybase hosted relay server setup, we have three main steps:
1. Create a subscription ID
2. Maintain the FARM details
3. Collect the configuration details
More information on the hosted relay server can be obtained from the following link:
http://dcx.sybase.com/index.html#1201/en/relayserver/ml-relayserver-s-4994339.html
1. First, create a subscription ID with your contact details and accept the terms and conditions

2. Maintain the FARM details

Click on Add New Mobilink Farm as shown below:

Provide the farm name and the SMP server details:

Farm Name: FARMODATA03
Server Names: pvs9096, pvs9097
Example for an SMP server node cluster:

3. Collect configuration details

Click configuration instructions for the RSOE configuration details. To enable communication between SMP and the
relay server, these values are used in the rsoe.config file on each SMP server.

5.2 RSOE setup in SMP platform
This section illustrates the RSOE setup on the SMP platform in the following steps:
1. Download the rsoe files
2. Create the config file for the RSOE setup
3. Start rsoe
4. Verify rsoe.log
5. Verify communication
6. Test SMP OData using the relay server URL (plain HTTP)
1. Create an rsoe folder under the SAP folder as shown below:

You need the RSOE component, which is part of Sybase SQL Anywhere (pick the build for your OS). From the relay
server media, copy rsoe.exe, dblgde12.dll, dblgen12.dll and rsoesupp12.dll to the rsoe folder as shown below:

2. Create a config file (pvs9096.config) on each SMP node with the following details:
-f smp3sp03.FARMODATA03
-id pvs9096
-t 1bf5b1482ce4a8e23d7a2521eaef
-cr "host=RELAYSERVER.sybase.com;https=0;port=80;proxy_host=proxy;proxy_port=8080;url_suffix=/ias_relay_server/server/rs_server.dll"
-cs "host=localhost;port=8080"
-v 5
-o "C:\rsoe.log"

a. -f: the farm name exactly as shown on the hosted relay server configuration page
b. -id: this node's server name as registered in the farm (pvs9096 or pvs9097 above)
c. -t: the token; the value has to match the token the relay server holds for this server, so paste it from the
hosted relay server configuration page. Treat the token as a secret: together with the farm and server name it is
all that is needed to register an outbound enabler as one of your SMP nodes.
d. -cs: host and port of the backend server the RSOE sits in front of, i.e. the local SMP node (localhost:8080
here)
e. -cr: host and port of your relay server. Consider adapting the url_suffix if the relay server is running on
Linux: url_suffix=/srv/iarelayserver. The proxy settings are optional and only needed if you have to go through a
proxy to reach the relay server. https=0 opens the outbound channel as plain HTTP, which sends the token in the
clear; outside a lab use https=1 with the relay server's HTTPS port.
f. -v: the verbosity level from 0 to 5 (0 = no logging, 5 = all)
g. -o: log output; specify the path and file name of the RSOE log

3. Start the rsoe with the following command:

You can also run rsoe as a service by following:

4. Verify your configuration by checking rsoe.log:

NOTE: The same configuration is applied on the other SMP cluster nodes (adjust -id to each node's registered server
name). HTTPS connections between RSOE and the relay server are also supported (https=1 in -cr).
NOTE: Repeat the above steps on all the SMP nodes.
5. Verify SMP OData services via the relay server:
http://relayserver.sybase.com/ias_relay_server/client/rs_client.dll/<Farm-Name>/
is relayed to one of your backend servers (e.g. pvs9096:8080 or pvs9097:8080) as defined in the rsoe.config of
each node.
The following URL will produce the following result:
http://relayserver.sybase.com/ias_relay_server/client/rs_client.dll/smp3sp03.FARMODATA03/

6. Testing SMP OData GET service via Hosted Relay Server URL:

URL =
http://relayserver.sybase.com/ias_relay_server/client/rs_client.dll/smp3sp03.FARMODATA03/odata.flight/odata/applications/latest/odata.flight/Connections
Operation = GET
Content-Type = application/atom+xml;charset=utf-8
Authorization = Basic aTgyNzU0NTplYXJ0aDIwMTQ=
X-SMP-APPCID = ngnixrsoe

Similarly, you can test the GET operation with the following inputs, as shown in the screen below:
URL: http://relayserver.sybase.com/ias_relay_server/client/rs_client.dll/smp3sp03.FARMODATA03/odata.flight/
X-SMP-APPCID = kola1
Authorization = Basic aTgyNzU0NTplYXJ0aDIwMTQ=

Result:

Load balancing between SMP servers and failover scenarios were also tested successfully. Note that the Basic
Authorization header above is only base64-encoded, so over the plain-HTTP relay URL the credentials travel in the
clear; use the HTTPS relay URL outside a lab.
In the next section, we will focus on how to use Nginx as a reverse proxy and load balancer solution for the SMP
3.0 platform.

6.0 NGINX AS THE REVERSE PROXY AND LOAD BALANCER


The diagram below is a sample architecture for the SMP cluster and Nginx server communication setup. In the
following sections, we will illustrate how to set up an Nginx server containing all the needed components for
testing the reverse proxy, load balancing, HTTP and HTTPS communication scenarios.

6.1 Install Nginx
This section covers the Nginx installation steps:
1. Download the Nginx software
2. Run nginx.exe
3. Verify the Nginx setup
1. Download Nginx from http://nginx.org/en/download.html
We are using version 1.7.3. Always download the stable version.
2. Extract the package to a directory, C:\Nginx1.7.3\
Open a command prompt as administrator and run nginx.exe

Control the running instance by invoking the executable with the -s parameter. Use the following syntax:
C:\nginx-1.4.4>nginx -s signal
Where signal may be one of the following:
stop --- fast shutdown
quit --- graceful shutdown
reload --- reloading the configuration file
reopen --- reopening the log files
NOTE: Because Nginx cannot share a port with another TCP/IP application, you may need to stop, uninstall or
reconfigure other services (for example IIS) before running nginx.exe. By default the server listens on port 80;
you can change the port in the nginx.conf file located under C:\nginx-1.7.2\nginx-1.7.2\conf\
3. Verify that the Nginx processes are running by the following methods:
Open Task Manager and verify that the nginx processes are running:

In a web browser, open http://localhost; if Nginx is running successfully, you will see the page below:

6.2 Nginx as Reverse Proxy and Load balancer with HTTP communication
In this section, Nginx is configured as a reverse proxy and simple load balancer using plain HTTP communication, in
the following steps:
1. Configure nginx.conf for the HTTP protocol
2. Restart Nginx
3. Verify communication
4. Test OData services using the Nginx URL

1. In order to use Nginx as reverse proxy and load balancer for the SMP3 server, we need to change the nginx.conf
file as follows.
server {
listen 80;
server_name usphlvm1384.phl.sap.corp;
access_log D:/nginx-1.7.2/nginx-1.7.2/logs/access_80.log;
error_log D:/nginx-1.7.2/nginx-1.7.2/logs/error_80.log;
location / {
proxy_pass http://backend/;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
proxy_redirect default;
proxy_buffering off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
# paste the block below after the closing brace of the server block
upstream backend {
server pvs9096.wdf.sap.corp:8080;
server pvs9097.wdf.sap.corp:8080;
}
NOTE: location / means all requests go to one of the servers listed under upstream. As written, the upstream is
round-robin with no session affinity: open-source Nginx has no equivalent of Apache's stickysession, so consecutive
requests from one client can land on different SMP nodes and the X-SMP-SESSID route suffix is not used for routing.
If SMP sessions must stay on one node, use ip_hash in the upstream block or route on the cookie suffix.

For information on load balancing and techniques, refer to the following link:
http://nginx.org/en/docs/http/load_balancing.html
2. Restart the Nginx server
3. Verify SMP communication via the Nginx server (HTTP based)
In the following example, http://usphlvm1384.phl.sap.corp:80/ is mapped to the following SMP nodes:
pvs9096.wdf.sap.corp:8080
pvs9097.wdf.sap.corp:8080
URL http://usphlvm1384.phl.sap.corp:80 will produce the following:

4. RestClient testing of SMP OData services using the Nginx URL

URL: http://usphlvm1384.phl.sap.corp/odata.flight/
X-SMP-APPCID = kola1
Authorization = Basic aTgyNzU0NTplYXJ0aDIwMTQ=

Result:

6.3 Verifying the request is going through Nginx

To verify that the request went through Nginx when you registered, open the Nginx access log:
1. Go to the log folder. In our example it is D:/nginx-1.7.2/nginx-1.7.2/logs
2. Open the access log configured for the port, or whatever you called it. In our case it is access_80.log
(error_80.log only holds errors, not the per-request entries shown below)
3. You should see a POST request for the registration, similar to the one below:
[04/Aug/2014:10:06:43 -0700] "POST /odata/applications/latest/odata.flight/Connections HTTP/1.1" 201 3732 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36"

When accessing the OData endpoint, check the log again for a GET request like the one below:
[04/Aug/2014:10:07:08 -0700] "GET /odata.flight HTTP/1.1" 200 622 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36"
To see which SMP node served each request, add $upstream_addr to a log_format and use that format for access_log.

6.3 Nginx as Reverse Proxy and Load balancer with HTTPS communication
In this section, Nginx is configured as a reverse proxy and simple load balancer using HTTPS communication, in the
following steps:
1. SMP platform SSL preparation
2. SSL preparation for the Nginx server
3. Install trusted certificates
4. Configure nginx.conf for the HTTPS protocol
5. Restart Nginx
6. Verify communication
7. Test OData services using the Nginx URL
To configure the Nginx server to connect to SMP with one-way SSL, we need to prepare the certificates for the Nginx
server. In the following example, we use OpenSSL to generate the server certificate and key files.

1. SMP Platform SSL Preparation

Refer to section 4.2, Scenario 2, point 1.
2. SSL Preparation for Nginx Server:
Depending on your operating system, download the OpenSSL software from the following link:
https://www.openssl.org/source/
a) Generate an RSA key
openssl genrsa -des3 -out server.key 2048
Result: a new, passphrase-protected RSA key server.key is generated.
b) Create the CSR file, reusing the key from a). Like the standard SMP server certificate, we use an RSA 2048 key
with the sha256 signing algorithm:
openssl req -sha256 -new -key server.key -out NginxServer.csr
(The alternative form "-newkey rsa:2048 -nodes -keyout server.key" would generate a second, unencrypted key and
overwrite the one from a), which makes step c) pointless.)
Country Name:CA
State or Province Name:ONTARIO
Locality Name:TORONTO
Organization Name:SAP
Organizational Unit Name:COE
Common Name:USPHLVM1384.PHL.SAP.CORP
Email Address:
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password:
An optional company name:

c) Remove Passphrase from Key

This is an optional step, done so that we don't have to enter the passphrase for the private key every time we
restart Nginx. The key then sits unencrypted on disk, so restrict the file's permissions to the Nginx service
account.
copy server.key server.key.org
openssl rsa -in server.key.org -out server.key
d) Generate the signed certificate
For production environments, the certificate signing request that you generated is submitted to a CA, which returns
a certificate signed by the CA; for a lab you can sign the CSR yourself with your own key. Either way, the result is
the signed certificate NginxServer.crt.
e) Copy server.key and NginxServer.crt to the Nginx config directory. The location of this directory will differ
depending on where Nginx is installed.

3. Installing Trusted Certificates

SMP Platform:
Upload NginxServer.crt into the SMP keystore as a trusted certificate:
keytool -import -trustcacerts -alias NginxServer -file NginxServer.crt -keystore smp_keystore.jks
Nginx Platform:
Install the CA cert and the SMP server certs (pvs9096, pvs9097) onto the Nginx server. Right-click the certificate
and add it to the Trusted Root Certification Authorities store, as shown below.
Note that Nginx (built on OpenSSL) does not consult the Windows certificate store, and its proxy_ssl_verify
directive is off by default, so with the configuration in the next step Nginx does not verify the SMP node
certificates at all; the Windows import only helps browsers on that host. To have Nginx verify the upstream, put the
CA certificate in a PEM file and set proxy_ssl_verify on together with proxy_ssl_trusted_certificate (both available
since Nginx 1.7.0) in the location block.

4. Configuring SSL properties in nginx.conf

In the following example, https://usphlvm1384.phl.sap.corp:443/ is mapped to the following SMP nodes:
pvs9096.wdf.sap.corp:8081
pvs9097.wdf.sap.corp:8081
server {
listen 443 ssl;
server_name usphlvm1384.phl.sap.corp;
ssl_certificate D:/nginx-1.7.2/nginx-1.7.2/cert/NginxServer.crt;
ssl_certificate_key D:/nginx-1.7.2/nginx-1.7.2/cert/server.key;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_timeout 5m;

access_log D:/nginx-1.7.2/nginx-1.7.2/logs/access_443.log;
error_log D:/nginx-1.7.2/nginx-1.7.2/logs/error_443.log;
root html;
index index.html index.htm;
location / {
proxy_pass https://backend/;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
proxy_redirect default;
proxy_buffering off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
# paste the block below after the closing brace of the server block
upstream backend {
server pvs9096.wdf.sap.corp:8081;
server pvs9097.wdf.sap.corp:8081;
}
5. Restart the Nginx server
6. Verify communication via the Nginx server (HTTPS based)
In the following example, https://usphlvm1384.phl.sap.corp:443/ is mapped to the following SMP nodes:
pvs9096.wdf.sap.corp:8081
pvs9097.wdf.sap.corp:8081
URL https://usphlvm1384.phl.sap.corp:443 will produce the following:

7. Testing SMP OData using the Nginx URL (secured)


URL: https://usphlvm1384.phl.sap.corp/odata.flight/
X-SMP-APPCID = kola1
Authorization = Basic aTgyNzU0NTplYXJ0aDIwMTQ=

Result:

Verify the logs for the HTTPS traffic as described in section 6.3 (Verifying the request is going through Nginx),
using access_443.log.

In summary, this paper covers reverse proxy and load balancer solutions for SAP Mobile Platform using Apache, Relay
Server and Nginx with HTTP, one-way HTTPS and mutual HTTPS scenarios.

© 2014 SAP SE or an SAP affiliate company. All rights reserved.


No part of this publication may be reproduced or transmitted in any form
or for any purpose without the express permission of SAP SE or an SAP affiliate
company.
SAP and other SAP products and services mentioned herein as well as their
respective logos are trademarks or registered trademarks of SAP SE (or an SAP
affiliate company) in Germany and other countries. Please see
http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional
trademark information and notices. Some software products marketed by SAP SE and
its distributors contain proprietary software components of other software vendors.
National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for
informational purposes only, without representation or warranty of any kind, and SAP
SE or its affiliated companies shall not be liable for errors or omissions with respect to
the materials. The only warranties for SAP SE or SAP affiliate company products and
services are those that are set forth in the express warranty statements accompanying
such products and services, if any. Nothing herein should be construed as constituting
an additional warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any
course of business outlined in this document or any related presentation, or to develop
or release any functionality mentioned therein. This document, or any related
presentation, and SAP SE's or its affiliated companies' strategy and possible future
developments, products, and/or platform directions and functionality are all subject to
change and may be changed by SAP SE or its affiliated companies at any time for any
reason without notice. The information in this document is not a commitment, promise,
or legal obligation to deliver any material, code, or functionality. All forward-looking
statements are subject to various risks and uncertainties that could cause actual
results to differ materially from expectations. Readers are cautioned not to place
undue reliance on these forward-looking statements, which speak only as of their
dates, and they should not be relied upon in making purchasing decisions.
