How-to-Guide: Reverse Proxy and Load Balancing for SAP Mobile Platform 3.X

Size: px
Start display at page:

Download "How-to-Guide: Reverse Proxy and Load Balancing for SAP Mobile Platform 3.X"

Transcription

1 How-to-Guide: Reverse Proxy and Load Balancing for SAP Mobile Platform 3.X Active Global Support North America

2 Document History: Document Version Authored By Description 1.0 Kiran Kola Architect Engineer Document Version Reviewer Description 1.0 Ali Chalhoub Global Architect Support Engineer 2

3 Table of Contents 1. Business Scenarios 4 2. Prerequisites SAP Mobile Platform Configuration OData registration on SMP Platform Testing backend OData Services through SMP Platform SMP jvmroute Configuration SMP 3.0 Architecture and Apache Server Setup Apache HTTP Server Installation Communication protocol scenarios Monitoring settings for Apache Server Exposing SMP OData Services via Relay server Registration with Sybase Hosted relay Server RSOE setup in SMP platform NGINX as the reverse proxy and Load balancer Install Nginx Nginx as Reverse Proxy and Load balancer with HTTP communication Verifying the request is going through Nginx Nginx as Reverse Proxy and Load balancer with HTTPS communication 72

4 1. BUSINESS SCENARIOS SAP supports following third-party reverse proxy solutions: Apache reverse proxy for Native and Hybrid applications Nginx for Agentry applications When adding a reverse proxy, determine the mobile application types you need to support. Application Type Reverse Proxy Native Hybrid Agentry MBO Apache Server: Apache Apache Nginx RelayServer To support HTTP based clients that are designed to consume SAP Mobile Platform Server services, customers can optionally implement an Apache Reverse Proxy instead of a Relay Server in their production environment. When a customer use Apache HTTP Server as the Reverse Proxy and Load Balancer solution for SAP Mobile Platform 3.0, it s necessary to set up an environment containing all the needed resources. In this guide, we will illustrate how to set up an Apache server containing all the needed components for testing the load balancing, failover, http, one-way http and two-way https communication scenarios. Relay Server: Relay is typically used for MBO based applications but it can also be used for OData applications. Section 5 will illustrate on how to expose SAP Mobile Platform OData services using Hosted Relay Server. Nginx: Nginx (pronounced "engine-x") is an open source reverse proxy server for HTTP, HTTPS, WebSockets protocols and as well as a load balancer. NGINX supports WebSockets by allowing a tunnel to be setup between a client and backend servers. Nginx is typically used for SAP Agentry based applications. Difference between Apache and Nginx servers can be found in the following link: 2. PREREQUISITES All the server names used in this documentation are used to demonstrate end-to-end technical scenarios and for mockup purposes only. Following are the prerequisites and software details: SMP To test the load balancing scenarios, we installed 2 Node SMP Cluster with ASE as the Database Node. SMP version: SMP 3. 0, SP 4 Database Node: sp-tivm74.wdf.sap.corp (We tested all the scenarios on ASE and HANA Database) SMP Cluster Node 1: pvs9096.wdf.sap.corp SMP Cluster Node 2: pvs9097.wdf.sap.corp 4

5 Apache server A typical usage of reverse proxy is to provide mobile user access to SMP servers that are behind the corporate firewall so Apache HTTP server is installed in a DMZ area. In addition, Apache HTTP server is used to balance load among several SMP back-end servers. Apache Version: Version 2.4 Apache Server Node: ushplvm1383.phl.sap.corp Notepad++ Relay server Registration with Sybase Hosted Relay Server Nginx Nginx Version: nginx Nginx Server Node: ushplvm1384.phl.sap.corp Notepad++ RestClient OData Testing Tools: Sample SAP OData Gateway service is configured on the SMP Server. To test the OData services, any of the following REST Client tool can be used: Chrome Postman Firefox RESTClient SOAPUI Tool Assumptions: For SSL configuration, self-signed certificates are not used in below examples; we used internal SAP CA for signing all the servers and client certificates SMP 3.0 Cluster Installation is done prior to this setup Relay server installation is done prior to this setup (if hosted solution is not in scope) 3.0 SAP MOBILE PLATFORM CONFIGURATION SMP Platform cluster installation is not covered in this document. Please refer to installation docs for How to install and configure SMP 3.0 in a cluster environment. 5

6 Registering an OData Application 3.1 OData Registration on SMP Platform This section we will cover OData registration on SMP and testing OData with Rest Client in following steps: a) Login to SMP Management Cockpit b) Provide application details c) Provide OData details d) Provide Authentication Profile details e) Provide Authentication Provider details Configuring the odata application 1. Open web browser ( i.e Chrome or any web browser that supports HTML5) 2. Type the cockpit URL address (i.e 3. Enter the user ID password. By default: a. userid: smpadmin b. password:s3padmin ( Note: If you change the password during installation, type the new password) 4. Click on Login to log into the cockpit 5. Once logged in successfully, click on APPLICATIONS tab 6. Click on the New button to create a new application for our OData back-end Endpoint as shown below: 7. Once you click on the New button, you should see the following screen below, fill up with the information that is shown on the screen 6

7 8. Click Save when you are done 9. Now we should see the following screen 10. Provide the gateway Endpoint information under BACK END Tab a. We need the URL of the Endpoint b. If the Endpoint requires an authentication, select Allow anonymous access and type and provide user name and password for backend authentication c. Check rewrite NOTE: Test and validate backend OData connections prior to this setup. 7

8 11. The BACK END tab information should look like the screen below 12. Click on AUTHENTICATION tab 8

9 13. Under SECURITY PROFILE, enter the name of the security profile, in our example we are using httpsec for our security profile name 14. Click on the New button to associate an authentication provider for our security profile 9

10 15. We should see the authentication provider screen 16. From the Authentication provider, click on the dropdown list and select HTTP/HTTPS Authentication 10

11 17. We should see the following screen 18. All you have to do here is provider the URL address which is the same as the Endpoint that we used 19. Once you are done, click the save button 20. You should see the following success message indicating everything is OK 11

12 21. Click Save again to save now the new security profile as shown below 22. You will be asked to Confirm the update, click Yes 23. You should see the following: 12

13 24. To make sure if our Endpoint is working correctly, select the row as shown below by clicking on it: 25. Now click on the Ping button as shown below: 26. If the Endpoint is reachable, you will get the following message below: 13

14 Testing OData Application Endpoint 3.2 Testing backend OData Services through SMP Platform For this test as we mentioned in requirements section, we are using POSTMAN Rest Client to onboard the application, to do the onboarding, do the following: 1. Invoke POSTMAN RESTClient, you should see something similar to the screen below, if this is a fresh installation of POSTMAN RESTClient 2. The first thing we need to do is provide the URL of any one of the SMP cluster nodes, the URL should look like this 3. Change the operation method to POST as shown below 4. Now we need to set the Content-Type = application/atom+xml;charset=utf-8, to do that, do the following: a. Click on Headers as shown below: 14

15 b. You should see the following: c. In the header field type Content-Type as shown below: d. For the Content-Type value, type application/atom+xml;charset=utf-8, now you should see something like the screen below: 5. Provide OData credentials: a. Click on the Basic Auth, you should see something like the screen below: 15

16 b. Type the OData End-point user ID and password: c. Now click Refresh headers, you should see the following: 6. If you want to associate a custom ID when you register your application, you can add the header X-SMP- APPCID to the header section and provide any value. Or you can leave it blank and SMP will associate a GUID with it. For this test, we are providing a custom ID. Next for registration purpose, provide some value X-SMP-APPCID = KOLAIDS, to do that, do the following: a. Click on the Normal Tab 16

17 7. In the header section as shown below, type the Header, X-SMP-APPCID as shown below: 8. Now we need to provide a body, click on raw tab as shown below: 9. In the body section, paste the following XML code below: <?xml version="1.0" encoding="utf-8"?> <entry xml:base=" xmlns=" xmlns:m=" xmlns:d=" <content type="application/xml"> <m:properties> <d:devicetype>windows</d:devicetype> </m:properties> </content> </entry> 10. You should see something like that: 17

18 NOTE: the Authorization Basic value may vary since the user id and password it may not be the same as our credential information. 11. Test the service Click Send button, if everything goes well, you should see the following below which indicates the application is successfully registered on SMP server. Similarly, now you can test GET operation with following inputs as shown in the below screen: 18

19 URL: Operation = GET Authorization = Basic d2ytbw0tndp3zwxjb21l X-SMP-APPCID = KOLAIDS Click Send button. 200 OK status is displayed with XML output as shown below. To validate the registration completion on SMP, login into SAP Management cockpit and verify registration count. Click Registrations, you should see registration ID with unknown type (browser). 19

20 With this we successfully registered and tested backend OData on SMP. Next we will configure jvmroute configuration on SMP. 20

21 JVMRoute Configuration 3.3 SMP jvmroute Configuration Each SMP instance of the cluster gets an individual name which is added at the end of the session id. When the load balancer sees a session id, it finds the name of the SMP instance and sends the request via the correct member worker. For this to work you must set the name of the SMP instances as the value of the jvmroute attribute in the engine element of each SMP default-server.xml. The name needs to be equal to the name of the corresponding load balancer member. Following are three main steps: 1. Edit default-server.xml of SMP server nodes of the following Location: <dir>\config_master\org.eclipse.gemini.web.tomcat\default-server.xml 2. Specify the jvmroute as a unique string for the node as shown below: For pvs9096, jvmroute=smpservernode96 (make sure there is no space between = ) For pvs9097, jvmroute=smpservernode97 3. Restart the SMP server Next section we will focus on how to use apache as a reverse proxy and load balancer solution for SMP 3.0 Platform. 21

22 4.0 SMP 3.0 ARCHITECTURE AND APACHE SERVER SETUP Below diagram is the sample architecture for SMP cluster and apache server setup. In the following, we will provide configuration steps to setup plain HTTP, one-way HTTPs and mutual authentication. NOTE: In general, Proxy and Load Balancer solutions are typically adopted in the production environment setup so for this implementation we considered Apache with SMP cluster environment and ignored scenarios for single SMP node. 22

23 Apache Server Installation 4.1 Apache HTTP Server Installation In this section, Apache server installation and configuration is illustrated in the following steps: 1. Download Apache 2. Configure Apache Server 1. Use the link to download the Apache HTTP Server: Version used: httpd win64-vc11 Prerequisite: Download and install the Windows C runtime from Microsoft.com We installed Apache in C:\\Apache24, so extracted the ZIP file to the root of the C: drive. Apache can be installed anywhere on your system, but you will need to change the configuration file paths accordingly Within the folder, you will see following folder structure: 23

24 2. Configure Apache: a) cd \apache24\bin Note: httpd.exe -k install -n "Apache2.4" (this installs apache as a service) Port Conflict scenario: Because Apache cannot share the same port with another TCP/IP application, you may need to stop, uninstall or reconfigure certain other services before running Apache (for example IIS). In default, server listens on port 80 and you can change the port in httpd.conf file. b) Edit httpd.conf file using Notepad++, located under <Drive>\Apache24\conf\ c) To activate, uncomment following modules in httpd.conf file: Typical proxy server will need to enable several modules. Those relevant for proxying and load balancing are as follows: LoadModule proxy_module modules/mod_proxy.so o The core module deals with proxy infrastructure and configuration and managing a proxy request. LoadModule proxy_http_module modules/mod_proxy_http.so o This module handles fetching documents with HTTP and HTTPS. LoadModule proxy_connect_module modules/mod_proxy_connect.so o This handles the CONNECT method for secure (SSL) tunneling. LoadModule proxy_balancer_module modules/mod_proxy_balancer.so o mod_proxy_balancer implements clustering and load-balancing over multiple backends. LoadModule slotmem_shm_module modules/mod_slotmem_shm.so o memory provider which provides for creation and access to a shared memory segment LoadModule proxy_html_module modules/mod_proxy_html.so o This rewrites HTML links into a proxy's address space. LoadModule headers_module modules/mod_headers.so o This modifies HTTP requests and response headers. LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so o Distribute the requests among the various workers LoadModule ssl_module modules/mod_ssl.so o This module provides SSL v2/v3 and TLS v1 support for the Apache HTTP Server 24

25 Communication Scenarios 4.2 Communication protocol scenarios In this section, following protocol communication scenarios for Apache Server are covered: 1. HTTP 2. one-way HTTPS 3. two-way HTTPS Scenario 1: In this section, Apache as reverse proxy and simple load balancing configuration using HTTP communication is covered: 1. Configure httpd.config for plain HTTP communication 2. Restart Apache Server 3. Verify communication 4. Testing SMP OData using Apache Server URL Proxy can be easily achieved by simply writing the below two rules in your httpd.conf file. Proxypass: This directive asks the apache server to fetch data from SMP Nodes ProxyPassReverse: This directive rewrites the original URL when the traffic is send back. In this use case we have two SMP server nodes pvs9096 and pvs9097 that both listen on port The apache load balancer listens on port 80 by default. This sets up a load balance cluster called balancer://smpcluster that is bound to the two SMP nodes. The stickysession is the session affinity cookie to be used. 1. In the following HTTP examples, is mapped to following SMP Nodes on port 8080: pvs9096.wdf.sap.corp:8080 pvs9097.wdf.sap.corp:8080 On each SMP node we add the unique node name that was set up in the default-server.xml file in SMP configuration (as described in section 3.4). This configuration is necessary so that session affinity works correctly. We can achieve load balancing using two methods: 1) SMP session ID or with 2) Apache Headers; you can choose method based on the type of usage. Method 1:httpd.conf template using SMP Session ID Listen 80 <VirtualHost *:80> ProxyPreserveHost On ServerName usphlvm1383.phl.sap.corp <Proxy balancer://smpcluster> BalancerMember route=smpservernode96 BalancerMember route=smpservernode97 ProxySet stickysession=x-smp-sessid 25

26 ProxySet lbmethod=byrequests </Proxy> ProxyPass / balancer://smpcluster/ ProxyPassReverse / balancer://smpcluster/ ErrorLog "C:/Apache24/logs/error.log" LogFormat "%h %l %u %t \"%r\" %>s %b duration:%t/%d balancer:%{balancer_worker_name}e Changed:%{BALANCER_ROUTE_CHANGED}e Sticky:%{BALANCER_SESSION_STICKY}e" TransferLog /Apache24/logs/enhancedlog.log </VirtualHost> Method 2: httpd.conf template using Apache Headers Listen 80 <VirtualHost *:80> ProxyPreserveHost On ServerName usphlvm1383.phl.sap.corp Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=balancer_route_changed <Proxy balancer://smpcluster> BalancerMember route=smpservernode96 BalancerMember route=smpservernode97 ProxySet stickysession=routeid ProxySet lbmethod=byrequests </Proxy> ProxyPass / balancer://smpcluster/ ProxyPassReverse / balancer://smpcluster/ ErrorLog "C:/Apache24/logs/error.log" LogFormat "%h %l %u %t \"%r\" %>s %b duration:%t/%d balancer:%{balancer_worker_name}e Changed:%{BALANCER_ROUTE_CHANGED}e Sticky:%{BALANCER_SESSION_STICKY}e" TransferLog /Apache24/logs/enhancedlog.log </VirtualHost> NOTE: mod_headers module is required to set headers. Refer 2. Restart Apache Server 3. Verify http communication Validate the configuration by opening a browser and testing these URLs: o URL should return a page with this information: 26

27 4. Testing POST operation via Apache with HTTP. Port 80 is the default http port. 1. Invoke POSTMAN RESTClient, 2. Provide the Apache host name in the URL with http port (80), the URL should look like this 3. Change the operation method to POST as shown below 4. Now we need to set the Content-Type = application/atom+xml;charset=utf-8, to do that, do the following: a. Click on Headers as shown below: b. In the header field type Content-Type as shown below: c. For the Content-Type value, type application/atom+xml;charset=utf-8, now you should see something like the screen below: 5. Provide OData credentials: a. Click on the Basic Auth, you should see something like the screen below: 27

28 b. Type the OData End-point user ID and password c. Now click Refresh headers, you should see the following: 6. If you want to associate a custom ID when you register your application, you can add the header X- SMP-APPCID to the header section and provide any value. Or you can leave it blank and SMP will associate a GUID with it. For this test, we are providing a custom ID. Next for registration purpose, provide some value X-SMP-APPCID = KOLAIDS, to do that, do the following: a. Click on the Normal Tab b. In the header section as shown below, type the Header, X-SMP-APPCID as shown below: 28

29 7. Now we need to provide a body, click on raw tab as shown below: 8. In the body section, paste the following XML code below: <?xml version="1.0" encoding="utf-8"?> <entry xml:base=" xmlns=" xmlns:m=" xmlns:d=" <content type="application/xml"> <m:properties> <d:devicetype>windows</d:devicetype> </m:properties> </content> </entry> 9. You should see something like that: 29

30 NOTE: the Authorization Basic value may vary since the user id and password it may not be the same as our credential information. 10. Test the service Click Send button, if everything goes well, you should see the following below which indicates the application is successfully registered on SMP server. Similarly, you can test GET operation with following inputs as shown in the below screen: URL: X-SMP-APPCID = KOLAIDS Content-Type = application/atom+xml;charset=utf-8 Authorization = Basic d2ytbw0tndp3zwxjb21l In the above case the Apache proxy server is usphlvm1383 processing HTTP requests. Look at the response below to see if the cookie is formed correctly 30

31 Verify that SMP is configured correctly for Session Stickyness. Note that in the response we have a SMPServerNode96 is appended to the X-SMP-SESSID cookie. If you are using above log format, then your logs should like something like below in your enchancedlog.log file located under logs folder: The first request for a user where initial cookies are not set will show: Changed:1 Sticky:- Subsequent requests should show: Changed:- Sticky:X-SMP-SESSID That means that apache read the X-SMP-SESSID cookie and was able to send the request to the correct server. If you see Changed: 1 Sticky:X-SMP-SESSID that means that session stickyness did not work. NOTE: For verifying the session stickiness, above strategy is applied to all other Apache communication scenarios. Scenario 2: In this section, Apache as reverse proxy and simple load balancing configuration using one-way HTTPS communication is covered: 1. SMP Platform SSL Preparation 2. SSL preparation for Apache server 3. Install trusted Certificates 4. Configure httpd.config for one-way HTTPS communication 5. Restart Apache Server 31

32 6. Verify communication 7. Testing OData using Apache Server URL (Secured) Reverse proxy, and SAP Mobile Server each use their own certificate; you can create or sign these certificates from one root certificate. In one-way SSL scenario, only the client authenticates the server. This means that the public cert of the Apache server needs to configured in the trust store of the SMP Server. 1. SMP Platform SSL Preparation keytool is a java utility that manages a keystore of private keys and associated certificates, as well as certificates from trusted entities. SAP Mobile Platform uses a single keystore file, located at SMP_HOME\Server\configuration\smp_keystore.jks. This is the file to configure and protect. keytool is in SMP_HOMEsapjvm_7\bin IMPORTANT: Make sure you backup your smp_keystore.jks a) Create certificate request (CSR file) keytool.exe -certreq -keyalg RSA -alias smp_crt -file pvs9097.csr -keystore C:\SAP\MobilePlatform3\Server\configuration\smp_keystore.jks -storepass empass12 NOTE: The certificate request must be signed by an authority or self-signed before importing it into the SMP keystore. For production environment, the Certificate Signing Request that you generated can be submitted to a CA to create a certificate signed by the CA. b) Import root certificate of the CA keytool -import -keystore C:\SAP\MobilePlatform3\Server\configuration\smp_keystore.jks - file C:\SAP\MobilePlatform3\sapjvm_7\bin\SAPNetCA.crt -alias TCSRootCert c) Import signed certificate keytool -import -keystore C:\SAP\MobilePlatform3\Server\configuration\smp_keystore.jks - file C:\SAP\MobilePlatform3\sapjvm_7\bin\pvs9097.crt -alias smp_crt d) Verify the certificate upload keytool -list -keystore C:\SAP\MobilePlatform3\Server\configuration\smp_keystore.jks e) Restart SMP servers after you upload the signed certificates. Refer following link for more information on keytool: There is no auto synchronization for cluster server's keystore and they need to be maintained manually. Also import all required certificates to all cluster nodes' keystore and be sure to keep all certificates alias consistent. Use keytool to check all certificate in the keystore: keytool -list -keystore C:\SAP\MobilePlatform3\Server\configuration\smp_keystore.jks 32

33 2. SSL Preparation for Apache Server The OpenSSL is used to generate an RSA Private Key and CSR (Certificate Signing Request). It can also be used to generate self-signed certificates which can be used for testing purposes or internal usage. Depending on your operating system, download the OpenSSL software from following link: a) Generate RSA openssl genrsa -des3 -out server.key 2048 Enter pass phrase twice to generate server.key: s3padmin b) Create CSR file 1. Set the environment variable: set OPENSSL_CONF=c:\OpenSSL-Win64\bin\openssl.cfg 2. Issue this command: openssl req -sha256 -out ApacheServer.csr -new -newkey rsa:2048 -nodes -keyout server.key Country Name:CA State or Province Name:ONTARIO Locality Name:TORONTO Organization Name:SAP Organizational Unit Name:COE Common Name:USPHLVM1383.PHL.SAP.CORP Address: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password: An optional company name: c) Generate signed Certificate For production environments, the Certificate Signing Request that you generated can be submitted to a CA to create a certificate signed by the CA. d) Remove Passphrase from Key Apache will ask for the pass-phrase each time the web server is started. Obviously this is not necessarily convenient so you can remove passphrase from the generated key by following commend: 1. copy server.key server.key.org 2. openssl rsa -in server.key.org -out server.key Result is new RSA server.key is generated. e) Copy server.key and ApacheServer.crt to Apache conf directory. The location of this directory will differ depending on where Apache is installed. 33

34 3. Installing Trusted Certificates SMP Platform: Using keytool.exe, upload ApacheServer crt into SMP keystore as the trusted certificate keytool -import -trustcacerts -alias ApacheServer -file ApacheServer.crt -keystore smp_keystore.jks Apache Platform Install CA cert and SMP server certs (pvs9096, pvs9097) onto the Apache server For example: Right click on the certificate and add it to trusted Root Certificate as shown below. 4. Configuring SSL properties in httpd.conf In the following example, is mapped to following SMP Nodes: pvs9096.wdf.sap.corp:8081 pvs9097.wdf.sap.corp:8081 Listen 443 <VirtualHost *:443> SSLEngine On SSLProxyEngine On ProxyPreserveHost On SSLProxyCheckPeerCN off SSLProxyCheckPeerName off SSLCertificateFile /Apache24/conf/ApacheServer.crt SSLCertificateKeyFile /Apache24/conf/server.key ServerName usphlvm1383.phl.sap.corp <Proxy balancer://smpcluster> BalancerMember route=smpservernode96 34

35 BalancerMember route=smpservernode97 ProxySet stickysession=x-smp-sessid ProxySet lbmethod=byrequests </Proxy> ProxyPass / balancer://smpcluster/ ProxyPassReverse / balancer://smpcluster/ ErrorLog "C:/Apache24/logs/error.log" LogFormat "%h %l %u %t \"%r\" %>s %b duration:%t/%d balancer:%{balancer_worker_name}e Changed:%{BALANCER_ROUTE_CHANGED}e Sticky:%{BALANCER_SESSION_STICKY}e" TransferLog /Apache24/logs/enhancedlog.log </VirtualHost> 5. Restart apache and test OData connectivity on RestClient. 6. Verify one-way HTTPS Scenario: Validate the configuration by opening a browser and testing these URLs: usphlvm1383.phl.sap.corp:443 URL should return a page with this information: 7. Testing POST operation via Apache with HTTPS. Port 443 is the default https port. URL: Operation = GET 1. Invoke POSTMAN RESTClient, 2. Provide the Apache host name in the URL with https port (443), the URL should look like this 35

36 3. Change the operation method to POST as shown below 4. Now we need to set the Content-Type = application/atom+xml;charset=utf-8, to do that, do the following: a. Click on Headers as shown below: b. You should see the following: c. In the header field type Content-Type as shown below: 5. For the Content-Type value, type application/atom+xml;charset=utf-8, now you should see something like the screen below: 6. Provide OData credentials: a. Click on the Basic Auth, you should see something like the screen below: 36

37 b. Type the OData End-point user ID and password c. Now click Refresh headers, you should see the following: 7. If you want to associate a custom ID when you register your application, you can add the header X-SMP-APPCID to the header section and provide any value. Or you can leave it blank and SMP will associate a GUID with it. For this test, we are providing a custom ID. Next for registration purpose, provide some value X-SMP-APPCID = KOLAIDS, to do that, do the following: a. Click on the Normal Tab 8. In the header section as shown below, type the Header, X-SMP-APPCID as shown below: 9. Now we need to provide a body, click on raw tab as shown below: 37

38 10. In the body section, paste the following XML code below: <?xml version="1.0" encoding="utf-8"?> <entry xml:base=" s" xmlns=" xmlns:m=" xmlns:d=" <content type="application/xml"> <m:properties> <d:devicetype>windows</d:devicetype> </m:properties> </content> </entry> 11. You should see something like below: NOTE: the Authorization Basic value may vary since the user id and password it may not be the same as our credential information. 38

39 12. Test the service Click Send button, if everything goes well, you should see the following below which indicates the application is successfully registered on SMP server. Similarly, you can test GET operation with following inputs as shown in the below screen: URL: Operation = GET X-SMP-APPCID = KOLAIDS Authorization = Basic d2ytbw0tndp3zwxjb21l In this example, Apache proxy server is usphlvm1383 processing HTTPS requests. Look at the response below to see if the cookie is formed correctly 39

40 Verify that SMP is configured correctly for Session Stickyness. Note that in the response we have a SMPServerNode96 is appended to the X-SMP-SESSID cookie. Scenario 3: In this section, reverse proxy and simple load balancing configuration using two-way HTTPS communication is covered in the following steps: 40

41 1. Create OData connection using X.509 certificate authentication 2. Add the impersonator Role in SMP 3. Configure httpd.conf file for mutual authentication 4. Restart Apache Server 5. Load.p12 Client Certificate in to the browser 6. Verify two-way mutual communication 7. Testing OData using Apache Server URL (two-way HTTPS protocol) In two-way SSL, client authenticates the server & the server also authenticates the client, public cert of the SMP server needs to be configured in the trust store of the Apache server. Also the public cert of the Apache needs to be configured on the SMP server's trust store. SMP Server and the Apache must have SSL certificates issued by an authorized certificate authority. An issued certificate includes a digital signature confirming the identities of the SMP server and the Apache Server. When the Apache's host sends a request to the SMP server, the SMP server will verify that the Apache has an SSL certificate and vice versa. There are six steps to achieve this task: 1. Create OData connection with X.509 Certificates In this scenario, iwe are using htttps based flight model example as the gateway OData connection. In the following steps, we will create new OData connection with X.509 certificate as authentication:: a) Login to SMP Management Cockpit b) Provide application details c) Provide OData details d) Provide Authentication Profile details e) Provide Authentication Provider details 1. Open web browser ( i.e Chrome or any web browser that supports HTML5) 2. Type the cockpit URL address (i.e 3. Enter the user ID password. By default: a. userid: smpadmin b. password:s3padmin ( Note: If you change the password during installation, type the new password) 4. Click on Login to log into the cockpit 5. Once logged in successfully, click on APPLICATIONS tab 6. Click on the New button to create a new application for our OData back-end Endpoint as shown below: 7. Once you click on the New button, you should see the following screen below, fill up with the information that is shown on the screen 41

42 8. Click Save when you are done 9. Now we should see the following screen 10. Provide the gateway Endpoint information under BACK END Tab a. We need the URL of the Endpoint b. If the Endpoint requires an authentication, select Allow anonymous access and type and provide user name and password for backend authentication c. Check rewrite NOTE: Test and validate backend OData connections prior to this setup. 11. The BACK END tab information should look like the screen below 42

43 12. Click on AUTHENTICATION tab 13. Under SECURITY PROFILE, enter the name of the security profile, in our example we are using httpscon for our security profile name 43

44 14. Click on the New button to associate an authentication provider for our security profile 15. From the Authentication provider, click on the dropdown list and select x.509 Certificate and hit Create Button 16. We should see the following screen. Select Validated Certificate Is Identity and Validate Cert Path options and save as shown below: 44

45 17. Once you are done, click the save button 18. You should see the following success message indicating everything is OK 19. Click Save again to save now the new security profile as shown below 20. You will be asked to Confirm the update, click Yes 45

46 21. You should see the following: 22. To make sure if our Endpoint is working correctly, select the row as shown below by clicking on it: and click on the Ping button as shown below: 23. If the Endpoint is reachable, you will get the following message below: NOTE: In addition to x.509 certificate authentication provider, we successfully tested this scenario with HTTPS Authentication provider. To make HTTPS scenario work, provide backend credentials of the OData service. 2. Add the Impersonator Role: The Impersonator role establishes the trust relationship between the Apache reverse proxy and SAP Mobile Platform Server allowing SAP Mobile Platform Server to accept and authenticate the user's public certificate presented in the SSL_CLIENT_HEADER over the SSL connection established by the reverse proxy. NOTE: The Impersonator role should be granted to the reverse proxy by mapping the Impersonator role to the subjectdn from the certificate used by the reverse proxy to establish a mutual authentication SSL connection to SAP Mobile Platform Server. When doing mutual certificate authentication directly against SMP3 server without relayserver, the client establishes the SSL connection directly with the server and the certificatevalidationloginmodule configured in the server validates the client certificate presented to the server. Following are the steps to add the impersonator role: a) Find the CN name: 1) You need to have access to Apache Public Certificate 46

47 2) Now click Details Tab as shown below: 3) Click on the Subject and on the details screen, you will find SubjectDN information: 47

48 b) Navigate to C:\SAP\MobilePlatform3\Server\configuration\com.sap.mobile.platform.server.security\CSI C) Update the corresponding security role mapping file as shown below: <DefaultMapping> <LogicalName>Impersonator</LogicalName> <MappedName>user:CN=USPHLVM1383.PHL.SAP.CORP, OU=COE, O=SAP-AG, C=DE</MappedName> </DefaultMapping> <DefaultMapping> NOTE: Mapped Name should be started with user: File name is created based on the configuration name. httpscon is my X.509 security configuration name In the above example, httpscon-role-mapping.xml is the file name located in CSI folder: Troubleshooting Impersonator role errors: UserRoleAuthorizer.checkRole method compares the rolename user:cn=usphlvm1383.phl.sap.corp, OU=COE, O=SAP-AG, C=DE with the string obtained from the certificate using the java APIs CN=USPHLVM1383.PHL.SAP.CORP, OU=COE, O=SAP-AG, C=DE and if it does not match it will result in errors. In the following errors, case does not match: :22:45#+0200#DEBUG#com.sybase.security.core.UserRoleAuthorizer##anonymous#http-bio exec-1###userroleauthorizer.checkrole(rolename=user:cn=usphlvm1383.phl.sap.corp, OU=COE, O=SAP-AG, C=DE,subject.getName()=CN=USPHLVM1383.PHL.SAP.CORP, OU=COE, O=SAP-AG, C=DE :22:45#+0200#DEBUG#com.sybase.security.core.RoleCheckAuthorizer##anonymous#http-bio exec-1###rolecheckauthorizer.checkrole(user:cn=usphlvm1383.phl.sap.corp, OU=COE, O=SAP-AG, C=DE) :22:45#+0200#WARN#com.sybase.security.integration.tomcat7.CSIRealm##anonymous#http-bio exec-1###Authentication failed. SSL_CLIENT_CERT header is specified but the user is not granted "Impersonator" role. 48

49 If you have difficulty in finding the SubjectDN for impersonator, enable the server log into debug mode and execute a proxy request HTTPS 8082 port (8443 via Apache Server). In the server log, you see the same the DN that the SAP Mobile Platform CSI records. Tip>for further debugging SSL handshake issues you can add -Djavax.net.debug=ssl:handshake in your props.ini file. 3. Adjust the httpd.conf file for mutual authentication (Apache Server) SSLProxyMachineCertificateFile used in httpd.conf MUST be in PEM format. You can use openssl for conversion by running below commends for your server (ApacheServer.crt) and root certificate (SAPNetCA.crt). a) openssl x509 -in ApacheServer.crt -out ApacheServer.der -outform DER b) openssl x509 -in ApacheServer.der -inform DER -out ApacheServer.pem -outform PEM c) openssl x509 -in SAPNetCA crt -out SAPNetCA.der -outform DER d) openssl x509 -in SAPNetCA.der -inform DER -out SAPNetCA.pem -outform PEM NOTE: If server or root certificate is in the.der format then you can use b) or d) option to convert into PEM format SSLProxyMachineCertificateFile - point it to a file containing your Apache server certificate which is converted into ApacheServer.pem format and its (unencrypted) private key (server.key) in PEM format. (For example, add server.key to ApacheServer.pem). Apache won t start if this is not done correctly. Following the same screen: In the following example, is mapped to following SMP Nodes: pvs9096.wdf.sap.corp:8082 pvs9097.wdf.sap.corp:

50 Listen 8443 <VirtualHost *:8443> ServerName usphlvm1383.phl.sap.corp SSLEngine On SSLProxyEngine On ProxyRequests Off ProxyPreserveHost On SSLProxyCheckPeerCN off SSLProxyCheckPeerName off SSLVerifyClient require SSLVerifyDepth 10 SSLCertificateFile /Apache24/conf/ApacheServer.crt SSLCertificateKeyFile /Apache24/conf/server.key SSLCACertificateFile /Apache24/conf/crts/SAPNetCA.pem SSLProxyCACertificateFile /Apache24/conf/crts/SAPNetCA.pem SSLProxyMachineCertificateFile /Apache24/conf/ApacheServer.pem <Proxy balancer://smpcluster> BalancerMember route=smpservernode96 BalancerMember route=smpservernode97 ProxySet stickysession=x-smp-sessid ProxySet lbmethod=byrequests </Proxy> RequestHeader set SSL_CLIENT_CERT "" RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s" ProxyPass / balancer://smpcluster/ ProxyPassReverse / balancer://smpcluster/ CustomLog "c:/apache24/logs/ssl_request LB_8082.log" "%t %h %r %s %l %p User:%u %{Foobar}i client_cert:%{ssl_client_cert}x client_verify:%{ssl_client_verify}x client_cert_dn:%{ssl_client_s_dn}x \"%r\" %b" LogFormat "%h %l %u %t \"%r\" %>s %b duration:%t/%d balancer:%{balancer_worker_name}e Changed:%{BALANCER_ROUTE_CHANGED}e Sticky:%{BALANCER_SESSION_STICKY}e" TransferLog /Apache24/logs/enhancedlog_8443.log </VirtualHost> 4. Restart the Apache Server 5. Load.p12 Client Certificate in to the REST client browser For mutual authentication using client certificates, SMP/Apache needs the private keys to do the signing, and the.p12 file format is the most common for passing around a certificate with its private keys. To test, we need client certificate (.p12 file) which is usually provided by your OS security team who handles Certificate Authority. 1. Load the.p12 client certificate into the personal certificate store. In Chrome, choose Settings > Show Advanced Settings > HTTPS/SSL > Manage certificates as shown below screen: 50

51 2. Click Import button: 3. Click Next button: 51

52 4. Click browse and select the p.12 file 5. Select All files from dropdown: 6. Select p.12 and hit Next button as shown below: 52

53 7. If password exists, provide password and hit next: NOTE: s_client is a diagnostic tool for OpenSSL. For more information, refer following link 53

54 Example for testing client certificates: 5. Verify two-way HTTPS Scenario Validate the configuration by opening a browser and testing these URLs: usphlvm1383.phl.sap.corp:8443 URL should return a page with this information: 6. Testing SMP OData GET operation using Apache Server URL with port 8443 URL: Operation = GET X-SMP-APPCID = kola1 Request is processed by available SMP cluster node with following results. 54

55 Apache 8443 result Logs: [10/Jul/2014:00:43: ] "GET /odata.flight/ HTTP/1.1" duration:3/ balancer: Changed:- Sticky:X-SMP-SESSID [10/Jul/2014:00:43: ] GET /odata.flight/ HTTP/ User:- - client_cert:-----begin CERTIFICATE END CERTIFICATE client_verify:success client_cert_dn:cn=supuser,ou=ssl Server,O=SAP-AG,C=DE "GET /odata.flight/ HTTP/1.1"

56 Monitoring Apache Server 4.3 Monitoring settings for Apache Server In this section, we will cover monitoring and performance tuning aspects. Balancer manager: This module requires the service of mod_status. Balancer manager enables dynamic update of balancer members. You can use balancer manager to change the balance factor or a particular member. In addition you can enable authentication for administrators. In the following examples, we used basic authentication with HTTPS connection. NOTE: balance-manger configuration should be part of the load balancer configuration as shown in the below example: Example for basic authentication: Example for balancer manager configuration in httpd.conf file: Listen 443 <VirtualHost *:443> SSLEngine On SSLProxyEngine On ProxyRequests Off ProxyPreserveHost On SSLProxyCheckPeerCN off SSLProxyCheckPeerName off SSLCertificateFile /Apache24/conf/ApacheServer.crt SSLCertificateKeyFile /Apache24/conf/server.key SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown ServerName usphlvm1383.phl.sap.corp ErrorLog "C:/Apache24/logs/error.log" TransferLog "C:/Apache24/logs/access.log" <Proxy balancer://smpcluster> BalancerMember route=smpservernode96 BalancerMember route=smpservernode97 ProxySet stickysession=x-smp-sessid ProxySet lbmethod=byrequests </Proxy> <Location /balancer-manager> SetHandler balancer-manager Order Deny,Allow Deny from none Allow from all </Location> 56

57 ProxyPass / balancer://smpcluster/ ProxyPassReverse / balancer://smpcluster/ CustomLog "c:/apache24/logs/ssl_443.log" "%t %h %r %s %l %p User:%u %{Foobar}i client_cert:%{ssl_client_cert}x client_verify:%{ssl_client_verify}x client_cert_dn:%{ssl_client_s_dn}x \"%r\" %b" LogFormat "%h %l %u %t \"%r\" %>s %b duration:%t/%d balancer:%{balancer_worker_name}e Changed:%{BALANCER_ROUTE_CHANGED}e Sticky:%{BALANCER_SESSION_STICKY}e" TransferLog /Apache24/logs/enhancedlog.log </VirtualHost> URL to access: When one of worker URL is clicked, you can dynamically enable member options as show below. Server Status: The Status module allows a server administrator to find out how well their server is performing. A HTML page is presented that gives the current server statistics in an easily readable form. If required this page can be made to 57

58 automatically refresh (given a compatible browser). Another page gives a simple machine-readable list of the current server state. Example for server status configuration in httpd.conf file: <Location /server-status> SetHandler server-status Order Deny,Allow Deny from none Allow from all AuthType basic AuthName "Apache server-status" AuthUserFile /Apache24/conf/passwd-server-status Require valid-user </Location> URL to access: In addition to above features, there are plenty of open source tools available to monitor and manage Apache Servers. Next section we will focus on how to use relay server as a reverse proxy and load balancer solution for SMP 3.0 Platform. 58

59 5.0 EXPOSING SMP ODATA SERVICES VIA RELAY SERVER In this section, we will test SMP 3 OData services using hosted Sybase relay server. Our assumption is you already have relay server installation is in place. For this exercise, we used hosted relay server. Please refer following link for more information on subscription. Subscribing and Connecting to Sybase Hosted Relay Service Below diagram is the sample architecture for SMP cluster and hosted relay server communication setup. In the following, we will provide Sybase hosted relay registration details, RSOE configuration steps to setup plain HTTP and HTTPs communication. 59

60 Sybase Hosted Relay Server Registration 5.1 Registration with Sybase Hosted relay Server For Sybase Hosted relay server setup, we have three main steps: 1. Create subscription ID 2. Maintain FARM details 3. Collect configuration details More information on hosted relay server can obtained from following link: 1. First Create subscription ID with contact details and Accept terms and conditions 2. Maintain FARM details 60

61 Click on the Add New Mobilink Farm as shown below: Provide Farm Name and SMP Server details Farm Name: FARMODATA03 Server Names: pvs9096, pvs9097 Example for SMP server node cluster: 3. Collect configuration details Click configuration instructions for rsoe configuration details. For enabling communication between SMP and relay server, configuration details are used in rsoe.config file (on SMP server). 61

62 RSOE Setup 5.2 RSOE setup in SMP platform This section illustrates RSOE setup on SMP platform in following steps: 1. Download rsoe files 2. Create config file for RSOE setup 3. Verify rsoe.log 4. Verify communication 5. Testing SMP OData using Relay Server URL (plain HTTP) 1. Create rsoe folder under SAP folder as shown below: You need RSOE component, which is part of Sybase SQLAnywhere (based on your OS). From relay server media, copy rsoe.exe, dblgde12.dll, dblgen12.dll, rsoesupp12.dll files to rsoe folder as shown below: 2. Create a config file (pvs9096.config) each SMP Node with following details: -f smp3sp03.farmodata03 -id pvs9096 -t 1bf5b1482ce4a8e23d7a2521eaef -cr "host=relayserver.sybase.com;https=0;port=80;proxy_host=proxy;proxy_port=8080;url_suffix=/ia s_relay_server/server/rs_server.dll" -cs "host=localhost;port=8080" -v 5 -o "C:\rsoe.log" a. t is the Token, value has to match the token specified in your pvs9096.config file on relay server, in our case paste the value from Hosted Relay Server configuration page b. cs Servername and port of the backend server (e.g. Web Server) c. cr Server and port of your relay server. Think about adapting the url_suffix if the relay server is running on Linux: url_suffix=/srv/iarelayserver.the configuration of a proxy is optional, only needed if you have to use the proxy to connect to the relay server. d. v the verbosity level from 0 to 5 (0 = no logging, 5 = all) 62

63 e. o Log output, specify path and file to RSOE log 3. Start the rsoe with the following commend: You can also create a service account for rsoe by following: 4. Verify your configurations by checking rsoe.log: Note: same configuration is applied on other SMP cluster nodes. HTTPS connections are also supported. NOTE: Repeat above steps on all the SMP nodes. 5. Verify SMP OData Services via Relay Server: will be a redirect to your backend server (e.g. pvs9096:8080 or pvs9097:8080) like you defined it in the rsoe.config. Following URL will result following: 6. Testing SMP OData GET service via Hosted Relay Server URL: 63

64 URL = applications/latest/odata.flight/connections Operation = GET Conetent-Type = application/atom+xml;charset=utf-8 Authorization = Basic atgynzu0ntplyxj0adiwmtq= X-SMP-APPCID = ngnixrsoe Similarly, you can test GET operation with following inputs as shown in the below screen: URL: X-SMP-APPCID = kola1 Authorization = Basic atgynzu0ntplyxj0adiwmtq= Result: 64

65 Load balancing between SMP servers and failover scenarios are also tested successfully. In next section, we will focus on how to use Nginx as a reverse proxy and load balancer solution for SMP 3.0 Platform. 65

66 6.0 NGINX AS THE REVERSE PROXY AND LOAD BALANCER Below diagram is the sample architecture for SMP cluster and hosted Nginx server communication setup. In the following sections, we will illustrate how to set up an Nginx server containing all the needed components for testing the reverse proxy, load balancing, http, and https communication scenarios. 66

67 Install Nginx 6.1 Install Nginx This section covers Nginx installation setup steps: 1. Download Nginx software 2. Run Nginx.exe 3. Verify Nginx setup 1. Download Nginx from We are using version. Always download the stable version. 2. Extract the package to a directory, C:\Nginx1.7.3\ Open CMD with administrator and run Nginx.exe We can be control service by invoking the executable with the -s parameter. Use the following syntax: C:\nginx-1.4.4>nginx -s signal Where signal may be one of the following: stop --- fast shutdown quit --- graceful shutdown reload --- reloading the configuration file reopen --- reopening the log files NOTE: Because Nginx cannot share the same port with another TCP/IP application, you may need to stop, uninstall or reconfigure certain other services before running Nginx.exe (for example IIS). In default, server listens on port 80 and you can change the port in nginx.conf file located under: C:\nginx-1.7.2\nginx-1.7.2\conf\ 3. Verify Nginx services are running by following methods: Select Task Manger and verify if Nginx process are running: 67

68 In the web browser, type if it is successfully running you will see as below: 68

69 Nginx HTTP 6.2 Nginx as Reverse Proxy and Load balancer with HTTP communication In this section, Nginx is configured as reverse proxy and simple load balancing configuration using plain HTTP communication is covered in following steps: 1. Configure nginx.config for http protocol 2. Restart Nginx 3. Verify communication 4. Testing OData services using Nginx URL 1. In order to use Nginx as Reverse Proxy and load balancer for SMP3 server, we need to change the nginx.config file as following. server { listen 80; server_name usphlvm1384.phl.sap.corp; access_log D:/nginx-1.7.2/nginx-1.7.2/logs/access_80.log; error_log D:/nginx-1.7.2/nginx-1.7.2/logs/error_80.log; location / { proxy_pass proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504; proxy_redirect default ; proxy_buffering off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } #paste blow code after server configuration closing braces upstream backend { server pvs9096.wdf.sap.corp:8080; server pvs9097.wdf.sap.corp:8080; } NOTE: location / means all requests go to any of the servers listed under upstream. For information on load balancing and techniques, refer following link: 2. Restart Nginx Server 3. Verify SMP communication via Nginx Server (http based) In the following example, is mapped to following SMP Nodes: pvs9096.wdf.sap.corp:8080 pvs9097.wdf.sap.corp:8080 URLhttp://ushphlvm1384.phl.sap.corp:80 will result following: 69

70 3. RestClient testing of SMP OData services using Nginx URL URL: X-SMP-APPCID = kola1 Authorization = Basic atgynzu0ntplyxj0adiwmtq= Result: 70

71 6.3 Verifying the request is going through Nginx To verify if the request is going through Nginx when you registered, open the log access file of Nginx by going to the: 1. Location of the log folder. In our example it is in ( D:/nginx-1.7.2/nginx-1.7.2/logs) 2. Open the following log or whatever you called it. In our case it is called error_80.log 3. You should see a post request for the registration similar to the one below: [04/Aug/2014:10:06: ] "POST /odata/applications/latest/odata.flight/connections HTTP/1.1" "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/ (KHTML, like Gecko) Chrome/ Safari/537.36" When accessing the odata end point, check in the log and see if you will see a GET request in the Nginx log, like that one below: [04/Aug/2014:10:07: ] "GET /odata.flight HTTP/1.1" "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/ (KHTML, like Gecko) Chrome/ Safari/537.36" 71

72 Nginx HTTPS 6.3 Nginx as Reverse Proxy and Load balancer with HTTPS communication In this section, Nginx is configured as reverse proxy and simple load balancing configuration using plain HTTP communication is covered in following steps: 1. SMP Platform SSL Preparation 2. SSL preparation for Nginx Server 3. Install Trusted Certificates 4. Configure Nginx.config for https protocol 5. Restart Nginx 6. Verify communication 7. Testing OData services using Nginx URL To configure Nginx server to connect SMP with single SSL support, we need to prepare the certificates for Nginx server via OpenSSL to generate server certificate and key files. In the following example, we will use openssl. 1. SMP Platform SSL Preparation Refer section 4.2> Scenario 2> Point 1 2. SSL Preparation for Nginx Server: Depending on your operating system, download the OpenSSL software from following link: a) Generate RSA openssl genrsa -des3 -out server.key 2048 Result is new RSA server.key is generated. b) Create CSR file. Like the standard SMP server certificate, we have used an RSA 2048 key signed with the sha256 signing algorithm openssl req -sha256 -out NginxServer.csr -new -newkey rsa:2048 -nodes -keyout server.key Country Name:CA State or Province Name:ONTARIO Locality Name:TORONTO Organization Name:SAP Organizational Unit Name:COE Common Name:USPHLVM1384.PHL.SAP.CORP Address: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password: An optional company name: c) Remove Passphrase from Key 72

73 This is an optional step. This is done so that we don t have to enter the password for the private key every time we restart NGINX. copy server.key server.key.org openssl rsa -in server.key.org -out server.key d) Generate signed Certificate For production environments, the Certificate Signing Request that you generated can be submitted to a CA to create a certificate signed by the CA. Result is the Signed Certificate. e) Copy server.key and NginxServer.crt to Nginx config directory. The location of this directory will differ depending on where Nginx is installed. 3. Installing Trusted Certificates SMP Platform: Upload NginxServer.crt into SMP keystore as the trusted certificate keytool -import -trustcacerts alias NginxServer-file NginxServer.crt -keystore smp_keystore.jks Nginx Platform Install CA cert and SMP server certs (pvs9096, pvs9097) onto the NGINX server. Right click on the certificate and add it to trusted Root Certificate as shown below. 73

74 4. Configuring SSL properties in Nginx.conf In the following example, is mapped to following SMP Nodes: pvs9096.wdf.sap.corp:8081 pvs9097.wdf.sap.corp:8081 server { listen 443 ssl; server_name usphlvm1384.phl.sap.corp; ssl_certificate D:/nginx-1.7.2/nginx-1.7.2/cert/NginxServer.crt; ssl_certificate_key D:/nginx-1.7.2/nginx-1.7.2/cert/server.key; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; ssl_session_timeout 5m; access_log D:/nginx-1.7.2/nginx-1.7.2/logs/access_443.log; error_log D:/nginx-1.7.2/nginx-1.7.2/logs/error_443.log; root html; index index.html index.htm; location / { proxy_pass proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504; proxy_redirect default ; proxy_buffering off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } } #paste blow code after server configuration closing braces upstream backend { server pvs9096.wdf.sap.corp:8081; server pvs9097.wdf.sap.corp:8081; } 5. Restart Nginx Server 6. Verify communication via Nginx Server (https based) In the following example, is mapped to following SMP Nodes: pvs9096.wdf.sap.corp:8081 pvs9097.wdf.sap.corp:8081 URL will result following: 74

75 7. Testing SMP OData using Ngnix URL (secured) URL: X-SMP-APPCID = kola1 Authorization = Basic atgynzu0ntplyxj0adiwmtq= Result: 75

How-to-Guide: Apache as Reverse Proxy for Fiori Applications

How-to-Guide: Apache as Reverse Proxy for Fiori Applications How-to-Guide: Apache as Reverse Proxy for Fiori Applications Active Global Support North America Document History: Document Version Authored By Description 1.0 Kiran Kola Architect Engineer 2 www.sap.com

More information

How to setup HTTP & HTTPS Load balancer for Mediator

How to setup HTTP & HTTPS Load balancer for Mediator How to setup HTTP & HTTPS Load balancer for Mediator Setting up the Apache HTTP Load Balancer for Mediator This guide would help you to setup mediator product to run via the Apache Load Balancer in HTTP

More information

How-to-Guide: SAP Web Dispatcher for Fiori Applications

How-to-Guide: SAP Web Dispatcher for Fiori Applications How-to-Guide: SAP Web Dispatcher for Fiori Applications Active Global Support North America Document History: Document Version Authored By Description 1.0 Kiran Kola Architect Engineer 2 www.sap.com Table

More information

Configure Security for SAP Mobile Platform (MP5)

Configure Security for SAP Mobile Platform (MP5) Building Block Guide SAP Mobile Platform 3.0 June 2015 English Typographic Conventions Type Style Example Example EXAMPLE Example Example EXAMPLE Description Words or characters quoted from the

More information

Installing Apache as an HTTP Proxy to the local port of the Secure Agent s Process Server

Installing Apache as an HTTP Proxy to the local port of the Secure Agent s Process Server Installing Apache as an HTTP Proxy to the local port of the Secure Agent s Process Server Technical Note Dated: 23 June 2015 Page 1 of 8 Overview This document describes how by installing an Apache HTTP

More information

CentraSite SSO with Trusted Reverse Proxy

CentraSite SSO with Trusted Reverse Proxy CentraSite SSO with Trusted Reverse Proxy Introduction Single-sign-on (SSO) via reverse proxy is the preferred SSO method for CentraSite. Due to its flexibility the reverse proxy approach allows to apply

More information

HP ALM. Software Version: 12.50. External Authentication Configuration Guide

HP ALM. Software Version: 12.50. External Authentication Configuration Guide HP ALM Software Version: 12.50 External Authentication Configuration Guide Document Release Date: December 2015 Software Release Date: December 2015 Legal Notices Warranty The only warranties for HP products

More information

CERTIFICATE-BASED SINGLE SIGN-ON FOR EMC MY DOCUMENTUM FOR MICROSOFT OUTLOOK USING CA SITEMINDER

CERTIFICATE-BASED SINGLE SIGN-ON FOR EMC MY DOCUMENTUM FOR MICROSOFT OUTLOOK USING CA SITEMINDER White Paper CERTIFICATE-BASED SINGLE SIGN-ON FOR EMC MY DOCUMENTUM FOR MICROSOFT OUTLOOK USING CA SITEMINDER Abstract This white paper explains the process of integrating CA SiteMinder with My Documentum

More information

Setting Up B2B Data Exchange for High Availability in an Active/Active Configuration

Setting Up B2B Data Exchange for High Availability in an Active/Active Configuration Setting Up B2B Data Exchange for High Availability in an Active/Active Configuration 2010 Informatica Abstract This document explains how to install multiple copies of B2B Data Exchange on a single computer.

More information

How to: Install an SSL certificate

How to: Install an SSL certificate How to: Install an SSL certificate Introduction This document will talk you through the process of installing an SSL certificate on your server. Once you have approved the request for your certificate

More information

User s guide. APACHE 2.0 + SSL Linux. Using non-qualified certificates with APACHE 2.0 + SSL Linux. version 1.3 UNIZETO TECHNOLOGIES S.A.

User s guide. APACHE 2.0 + SSL Linux. Using non-qualified certificates with APACHE 2.0 + SSL Linux. version 1.3 UNIZETO TECHNOLOGIES S.A. User s guide APACHE 2.0 + SSL Linux Using non-qualified certificates with APACHE 2.0 + SSL Linux version 1.3 Table of contents 1. PREFACE... 3 2. GENERATING CERTIFICATE... 3 2.1. GENERATING REQUEST FOR

More information

White Paper DEPLOYING WDK APPLICATIONS ON WEBLOGIC AND APACHE WEBSERVER CLUSTER CONFIGURED FOR HIGH AVAILABILITY AND LOAD BALANCE

White Paper DEPLOYING WDK APPLICATIONS ON WEBLOGIC AND APACHE WEBSERVER CLUSTER CONFIGURED FOR HIGH AVAILABILITY AND LOAD BALANCE White Paper DEPLOYING WDK APPLICATIONS ON WEBLOGIC AND APACHE WEBSERVER CLUSTER CONFIGURED FOR HIGH AVAILABILITY AND LOAD BALANCE Abstract This White Paper provides information to deploy WDK based applications

More information

Enterprise SSL Support

Enterprise SSL Support 01 Enterprise SSL Support This document describes the setup of SSL (Secure Sockets Layer) over HTTP for Enterprise clients, servers and integrations. 1. Overview Since the release of Enterprise version

More information

esync - Receiving data over HTTPS

esync - Receiving data over HTTPS esync - Receiving data over HTTPS 1 Introduction Natively, the data transfer between ewon and esync is done over an HTTP link. However when esync is hosted on Internet, security must be taken in account

More information

Configuring Remote HANA System Connection for SAP Cloud for Analytics via Apache HTTP Server as Reverse Proxy

Configuring Remote HANA System Connection for SAP Cloud for Analytics via Apache HTTP Server as Reverse Proxy Configuring Remote HANA System Connection for SAP Cloud for Analytics via Apache HTTP Server as Reverse Proxy Author: Gopal Baddela, Senior BI Architect Archius Copyright Archius 2016 1 Table of Contents

More information

Laboratory Exercises VI: SSL/TLS - Configuring Apache Server

Laboratory Exercises VI: SSL/TLS - Configuring Apache Server University of Split, FESB, Croatia Laboratory Exercises VI: SSL/TLS - Configuring Apache Server Keywords: digital signatures, public-key certificates, managing certificates M. Čagalj, T. Perković {mcagalj,

More information

EQUELLA. Clustering Configuration Guide. Version 6.2

EQUELLA. Clustering Configuration Guide. Version 6.2 EQUELLA Clustering Configuration Guide Version 6.2 Document History Document No. Reviewed Finalised Published 1 18/03/2014 18/03/2014 18/03/2014 March 2014 edition. Information in this document may change

More information

This section describes how to use SSL Certificates with SOA Gateway running on Linux.

This section describes how to use SSL Certificates with SOA Gateway running on Linux. This section describes how to use with SOA Gateway running on Linux. Setup Introduction Step 1: Set up your own CA Step 2: SOA Gateway Server key and certificate Server Configuration Setup To enable the

More information

SecuritySpy Setting Up SecuritySpy Over SSL

SecuritySpy Setting Up SecuritySpy Over SSL SecuritySpy Setting Up SecuritySpy Over SSL Secure Sockets Layer (SSL) is a cryptographic protocol that provides secure communications on the internet. It uses two keys to encrypt data: a public key and

More information

Configuring Single Sign-On for Documentum Applications with RSA Access Manager Product Suite. Abstract

Configuring Single Sign-On for Documentum Applications with RSA Access Manager Product Suite. Abstract Configuring Single Sign-On for Documentum Applications with RSA Access Manager Product Suite Abstract This white paper outlines the deployment and configuration of a Single Sign-On solution for EMC Documentum

More information

Introduction to Mobile Access Gateway Installation

Introduction to Mobile Access Gateway Installation Introduction to Mobile Access Gateway Installation This document describes the installation process for the Mobile Access Gateway (MAG), which is an enterprise integration component that provides a secure

More information

xcp Application Deployment On Tomcat Cluster

xcp Application Deployment On Tomcat Cluster xcp Application Deployment On Tomcat Cluster Abstract This white paper explains how to install and configure tomcat cluster to support High Availability and Load Balancing and enable one way SSL with xcp.

More information

GlobalSign Enterprise Solutions Google Apps Authentication User Guide

GlobalSign Enterprise Solutions Google Apps Authentication User Guide GlobalSign Enterprise Solutions Google Apps Authentication User Guide Using EPKI for Google Apps for Business Single Sign-on and Secure Document Sharing v.1.1 1 Table of Contents Table of Contents... 2

More information

HP Cloud Service Automation Deployment Architectures

HP Cloud Service Automation Deployment Architectures Technical white paper HP Cloud Service Automation Deployment Architectures Details of the content Table of contents Purpose... 2 Enterprise Deployment... 2 All-in-One CSA... 3 All-in-One CSA with remote

More information

Installing Digital Certificates for Server Authentication SSL on. BEA WebLogic 8.1

Installing Digital Certificates for Server Authentication SSL on. BEA WebLogic 8.1 Installing Digital Certificates for Server Authentication SSL on BEA WebLogic 8.1 Installing Digital Certificates for Server Authentication SSL You use utilities provided with the BEA WebLogic server software

More information

PROXY SETUP WITH IIS USING URL REWRITE, APPLICATION REQUEST ROUTING AND WEB FARM FRAMEWORK OR APACHE HTTP SERVER FOR EMC DOCUMENTUM EROOM

PROXY SETUP WITH IIS USING URL REWRITE, APPLICATION REQUEST ROUTING AND WEB FARM FRAMEWORK OR APACHE HTTP SERVER FOR EMC DOCUMENTUM EROOM White Paper PROXY SETUP WITH IIS USING URL REWRITE, APPLICATION REQUEST ROUTING AND WEB FARM FRAMEWORK OR APACHE HTTP SERVER FOR EMC DOCUMENTUM EROOM Abstract This white paper explains how to setup Proxy

More information

BlackBerry Enterprise Service 10. Version: 10.2. Configuration Guide

BlackBerry Enterprise Service 10. Version: 10.2. Configuration Guide BlackBerry Enterprise Service 10 Version: 10.2 Configuration Guide Published: 2015-02-27 SWD-20150227164548686 Contents 1 Introduction...7 About this guide...8 What is BlackBerry Enterprise Service 10?...9

More information

Configuring Secure Socket Layer and Client-Certificate Authentication on SAS 9.3 Enterprise BI Server Systems That Use Oracle WebLogic 10.

Configuring Secure Socket Layer and Client-Certificate Authentication on SAS 9.3 Enterprise BI Server Systems That Use Oracle WebLogic 10. Configuring Secure Socket Layer and Client-Certificate Authentication on SAS 9.3 Enterprise BI Server Systems That Use Oracle WebLogic 10.3 Table of Contents Overview... 1 Configuring One-Way Secure Socket

More information

HP Business Service Management

HP Business Service Management HP Business Service Management for the Windows and Linux operating systems Software Version: 9.10 Hardening Guide Document Release Date: August 2011 Software Release Date: August 2011 Legal Notices Warranty

More information

HP Business Service Management

HP Business Service Management HP Business Service Management for the Windows and Linux operating systems Software Version: 9.13 Hardening Guide Document Release Date: May 2012 Software Release Date: May 2012 Legal Notices Warranty

More information

Setup Guide Access Manager Appliance 3.2 SP3

Setup Guide Access Manager Appliance 3.2 SP3 Setup Guide Access Manager Appliance 3.2 SP3 August 2014 www.netiq.com/documentation Legal Notice THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS

More information

HTTPS Configuration for SAP Connector

HTTPS Configuration for SAP Connector HTTPS Configuration for SAP Connector 1993-2015 Informatica LLC. No part of this document may be reproduced or transmitted in any form, by any means (electronic, photocopying, recording or otherwise) without

More information

Installing an SSL certificate on the InfoVaultz Cloud Appliance

Installing an SSL certificate on the InfoVaultz Cloud Appliance Installing an SSL certificate on the InfoVaultz Cloud Appliance This document reviews the prerequisites and installation of an SSL certificate for the InfoVaultz Cloud Appliance. Please note that the installation

More information

ViMP 3.0. SSL Configuration in Apache 2.2. Author: ViMP GmbH

ViMP 3.0. SSL Configuration in Apache 2.2. Author: ViMP GmbH ViMP 3.0 SSL Configuration in Apache 2.2 Author: ViMP GmbH Table of Contents Requirements...3 Create your own certificates with OpenSSL...4 Generate a self-signed certificate...4 Generate a certificate

More information

Configuration Guide BES12. Version 12.2

Configuration Guide BES12. Version 12.2 Configuration Guide BES12 Version 12.2 Published: 2015-07-07 SWD-20150630131852557 Contents About this guide... 8 Getting started... 9 Administrator permissions you need to configure BES12... 9 Obtaining

More information

KMIP installation Guide. DataSecure and KeySecure Version 6.1.2. 2012 SafeNet, Inc. 007-012120-001

KMIP installation Guide. DataSecure and KeySecure Version 6.1.2. 2012 SafeNet, Inc. 007-012120-001 KMIP installation Guide DataSecure and KeySecure Version 6.1.2 2012 SafeNet, Inc. 007-012120-001 Introduction This guide provides you with the information necessary to configure the KMIP server on the

More information

1. If there is a temporary SSL certificate in your /ServerRoot/ssl/certs/ directory, move or delete it. 2. Run the following command:

1. If there is a temporary SSL certificate in your /ServerRoot/ssl/certs/ directory, move or delete it. 2. Run the following command: C2Net Stronghold Cisco Adaptive Security Appliance (ASA) 5500 Cobalt RaQ4/XTR F5 BIG IP (version 9) F5 BIG IP (pre-version 9) F5 FirePass VPS HSphere Web Server IBM HTTP Server Java-based web server (generic)

More information

To enable https for appliance

To enable https for appliance To enable https for appliance We have used openssl command to generate a key pair. The below image shows on how to generate key using the openssl command. SSH into appliance and login as root. Copy all

More information

Developer Guide: REST API Applications. SAP Mobile Platform 2.3

Developer Guide: REST API Applications. SAP Mobile Platform 2.3 Developer Guide: REST API Applications SAP Mobile Platform 2.3 DOCUMENT ID: DC01926-01-0230-01 LAST REVISED: February 2013 Copyright 2013 by Sybase, Inc. All rights reserved. This publication pertains

More information

Configuration Guide. BES12 Cloud

Configuration Guide. BES12 Cloud Configuration Guide BES12 Cloud Published: 2016-04-08 SWD-20160408113328879 Contents About this guide... 6 Getting started... 7 Configuring BES12 for the first time...7 Administrator permissions you need

More information

Setup Guide Access Manager 3.2 SP3

Setup Guide Access Manager 3.2 SP3 Setup Guide Access Manager 3.2 SP3 August 2014 www.netiq.com/documentation Legal Notice THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE

More information

CHAPTER 7 SSL CONFIGURATION AND TESTING

CHAPTER 7 SSL CONFIGURATION AND TESTING CHAPTER 7 SSL CONFIGURATION AND TESTING 7.1 Configuration and Testing of SSL Nowadays, it s very big challenge to handle the enterprise applications as they are much complex and it is a very sensitive

More information

WHITE PAPER Citrix Secure Gateway Startup Guide

WHITE PAPER Citrix Secure Gateway Startup Guide WHITE PAPER Citrix Secure Gateway Startup Guide www.citrix.com Contents Introduction... 2 What you will need... 2 Preparing the environment for Secure Gateway... 2 Installing a CA using Windows Server

More information

Example Apache Server Installation for Centricity Electronic Medical Record browser & mobile access

Example Apache Server Installation for Centricity Electronic Medical Record browser & mobile access GE Healthcare Introduction Example Apache Server Installation for Centricity Electronic Medical Record rowser & moile access These instructions descrie how to install and configure an Apache server to

More information

SSL Configuration on Weblogic Oracle FLEXCUBE Universal Banking Release 12.0.87.01.0 [August] [2014]

SSL Configuration on Weblogic Oracle FLEXCUBE Universal Banking Release 12.0.87.01.0 [August] [2014] SSL Configuration on Weblogic Oracle FLEXCUBE Universal Banking Release 12.0.87.01.0 [August] [2014] Table of Contents 1. CONFIGURING SSL ON ORACLE WEBLOGIC... 1-1 1.1 INTRODUCTION... 1-1 1.2 SETTING UP

More information

CA Nimsoft Unified Management Portal

CA Nimsoft Unified Management Portal CA Nimsoft Unified Management Portal HTTPS Implementation Guide 7.6 Document Revision History Document Version Date Changes 1.0 June 2014 Initial version for UMP 7.6. CA Nimsoft Monitor Copyright Notice

More information

1. Introduction 2. Getting Started 3. Scenario 1 - Non-Replicated Cluster 4. Scenario 2 - Replicated Cluster 5. Conclusion

1. Introduction 2. Getting Started 3. Scenario 1 - Non-Replicated Cluster 4. Scenario 2 - Replicated Cluster 5. Conclusion 1. Introduction... 1 1.1. Non-Replicated Cluster... 1 1.2. Replicated Cluster... 2 1.3. Mixing Both Options... 3 2. Getting Started... 5 3. Scenario 1 - Non-Replicated Cluster... 6 3.1. JOSSO Agent Configuration...

More information

Technical specification

Technical specification Technical specification Load balancing configuration Koaly EXP Page : 1 / 8 Table of contents Introduction... 3 I.Overview... 3 II.The Apache load balancer... 3 III.Limitations... 3 Prerequisites... 4

More information

Developer Guide: REST API Applications. SAP Mobile Platform 2.3 SP03

Developer Guide: REST API Applications. SAP Mobile Platform 2.3 SP03 Developer Guide: REST API Applications SAP Mobile Platform 2.3 SP03 DOCUMENT ID: DC01926-01-0233-01 LAST REVISED: September 2013 Copyright 2013 by Sybase, Inc. All rights reserved. This publication pertains

More information

Configuration Guide. BlackBerry Enterprise Service 12. Version 12.0

Configuration Guide. BlackBerry Enterprise Service 12. Version 12.0 Configuration Guide BlackBerry Enterprise Service 12 Version 12.0 Published: 2014-12-19 SWD-20141219132902639 Contents Introduction... 7 About this guide...7 What is BES12?...7 Key features of BES12...

More information

Configuration Guide BES12. Version 12.1

Configuration Guide BES12. Version 12.1 Configuration Guide BES12 Version 12.1 Published: 2015-04-22 SWD-20150422113638568 Contents Introduction... 7 About this guide...7 What is BES12?...7 Key features of BES12... 8 Product documentation...

More information

CA MDM MOBILE DEVICE MANAGEMENT

CA MDM MOBILE DEVICE MANAGEMENT CA MDM MOBILE DEVICE MANAGEMENT Introduction, Setup and Troubleshooting of the Relay server and RSOE CAMDM Versions: 2014Q1, 2014Q1 SP1 Introduction to Relay Server and RSOE (relay server outbound enabler)

More information

WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide

WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide This document is intended to help you get started using WebSpy Vantage Ultimate and the Web Module. For more detailed information, please see

More information

LAB :: Secure HTTP traffic using Secure Sockets Layer (SSL) Certificate

LAB :: Secure HTTP traffic using Secure Sockets Layer (SSL) Certificate LAB :: Secure HTTP traffic using Secure Sockets Layer (SSL) Certificate In this example we are using apnictraining.net as domain name. # super user command. $ normal user command. X replace with your group

More information

LAB :: Secure HTTP traffic using Secure Sockets Layer (SSL) Certificate

LAB :: Secure HTTP traffic using Secure Sockets Layer (SSL) Certificate LAB :: Secure HTTP traffic using Secure Sockets Layer (SSL) Certificate In this example we are using df-h.net as domain name. # super user command. $ normal user command. X replace with your group no.

More information

PowerChute TM Network Shutdown Security Features & Deployment

PowerChute TM Network Shutdown Security Features & Deployment PowerChute TM Network Shutdown Security Features & Deployment By David Grehan, Sarah Jane Hannon ABSTRACT PowerChute TM Network Shutdown (PowerChute) software works in conjunction with the UPS Network

More information

PUBLIC Installation: SAP Mobile Platform Server for Linux

PUBLIC Installation: SAP Mobile Platform Server for Linux SAP Mobile Platform 3.0 SP11 Document Version: 1.0 2016-06-09 PUBLIC Content 1.... 4 2 Planning the Landscape....5 2.1 Installation Worksheets....6 3 Installing SAP Mobile Platform Server....9 3.1 Acquiring

More information

DEPLOYMENT GUIDE Version 1.0. Deploying the BIG-IP LTM with Apache Tomcat and Apache HTTP Server

DEPLOYMENT GUIDE Version 1.0. Deploying the BIG-IP LTM with Apache Tomcat and Apache HTTP Server DEPLOYMENT GUIDE Version 1.0 Deploying the BIG-IP LTM with Apache Tomcat and Apache HTTP Server Table of Contents Table of Contents Deploying the BIG-IP LTM with Tomcat application servers and Apache web

More information

HOWTO. Configure Nginx for SSL with DoD CAC Authentication on CentOS 6.3. Joshua Penton Geocent, LLC joshua.penton@geocent.com.

HOWTO. Configure Nginx for SSL with DoD CAC Authentication on CentOS 6.3. Joshua Penton Geocent, LLC joshua.penton@geocent.com. HOWTO Configure Nginx for SSL with DoD CAC Authentication on CentOS 6.3 Joshua Penton Geocent, LLC joshua.penton@geocent.com March 2013 Table of Contents Overview... 1 Prerequisites... 2 Install OpenSSL...

More information

Use Enterprise SSO as the Credential Server for Protected Sites

Use Enterprise SSO as the Credential Server for Protected Sites Webthority HOW TO Use Enterprise SSO as the Credential Server for Protected Sites This document describes how to integrate Webthority with Enterprise SSO version 8.0.2 or 8.0.3. Webthority can be configured

More information

Installing and Configuring vcloud Connector

Installing and Configuring vcloud Connector Installing and Configuring vcloud Connector vcloud Connector 2.7.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information

Configuration Guide BES12. Version 12.3

Configuration Guide BES12. Version 12.3 Configuration Guide BES12 Version 12.3 Published: 2016-01-19 SWD-20160119132230232 Contents About this guide... 7 Getting started... 8 Configuring BES12 for the first time...8 Configuration tasks for managing

More information

Deploying F5 with Microsoft Active Directory Federation Services

Deploying F5 with Microsoft Active Directory Federation Services F5 Deployment Guide Deploying F5 with Microsoft Active Directory Federation Services This F5 deployment guide provides detailed information on how to deploy Microsoft Active Directory Federation Services

More information

Real Vision Software, Inc.

Real Vision Software, Inc. Real Vision Software, Inc. Configuring an IBM i host for SSL These steps take you through configuring an IBM i host to run Secure Sockets Layer (SSL) as a self-signed Certificate Authority (CA). The Digital

More information

Copyright 2011, Sybase, Inc. Relay Server

Copyright 2011, Sybase, Inc. Relay Server Copyright 2011, Sybase, Inc. Relay Server Copyright 2011 by Sybase, Inc. All rights reserved. This publication pertains to Sybase software and to any subsequent release until otherwise indicated in new

More information

Unifying Information Security. Implementing TLS on the CLEARSWIFT SECURE Email Gateway

Unifying Information Security. Implementing TLS on the CLEARSWIFT SECURE Email Gateway Unifying Information Security Implementing TLS on the CLEARSWIFT SECURE Email Gateway Contents 1 Introduction... 3 2 Understanding TLS... 4 3 Clearswift s Application of TLS... 5 3.1 Opportunistic TLS...

More information

Configuring HTTPS support. Overview. Certificates

Configuring HTTPS support. Overview. Certificates Configuring HTTPS support Overview Destiny provides the option to configure secure access when password information is transmitted between the client browser and the server. Destiny can switch from HTTP

More information

RHEV 2.2: REST API INSTALLATION

RHEV 2.2: REST API INSTALLATION RHEV 2.2: REST API INSTALLATION BY JAMES RANKIN REVISED 02/14/11 RHEV 2.2: REST API INSTALLATION 1 TABLE OF CONTENTS OVERVIEW PAGE 3 JAVA AND ENVIRONMENT VARIABLES PAGE 3 JBOSS INSTALLATION PAGE 5 REST

More information

VMware Identity Manager Connector Installation and Configuration

VMware Identity Manager Connector Installation and Configuration VMware Identity Manager Connector Installation and Configuration VMware Identity Manager This document supports the version of each product listed and supports all subsequent versions until the document

More information

EQUELLA. Clustering Configuration Guide. Version 6.0

EQUELLA. Clustering Configuration Guide. Version 6.0 EQUELLA Clustering Configuration Guide Version 6.0 Document History Document No. Reviewed Finalised Published 1 17/10/2012 17/10/2012 17/10/2012 October 2012 edition. Information in this document may change

More information

UNICORE GATEWAY. UNICORE Team. Document Version: 1.0.1 Component Version: 1.4.0 Date: 19 Apr 2011

UNICORE GATEWAY. UNICORE Team. Document Version: 1.0.1 Component Version: 1.4.0 Date: 19 Apr 2011 UNICORE Gateway UNICORE GATEWAY UNICORE Team Document Version: 1.0.1 Component Version: 1.4.0 Date: 19 Apr 2011 This work is co-funded by the EC EMI project under the FP7 Collaborative Projects Grant Agreement

More information

MassTransit 6.0 Enterprise Web Configuration for Macintosh OS 10.5 Server

MassTransit 6.0 Enterprise Web Configuration for Macintosh OS 10.5 Server MassTransit 6.0 Enterprise Web Configuration for Macintosh OS 10.5 Server November 6, 2008 Group Logic, Inc. 1100 North Glebe Road, Suite 800 Arlington, VA 22201 Phone: 703-528-1555 Fax: 703-528-3296 E-mail:

More information

Exchange Reporter Plus SSL Configuration Guide

Exchange Reporter Plus SSL Configuration Guide Exchange Reporter Plus SSL Configuration Guide Table of contents Necessity of a SSL guide 3 Exchange Reporter Plus Overview 3 Why is SSL certification needed? 3 Steps for enabling SSL 4 Certificate Request

More information

SITEMINDER SSO FOR EMC DOCUMENTUM REST

SITEMINDER SSO FOR EMC DOCUMENTUM REST SITEMINDER SSO FOR EMC DOCUMENTUM REST ABSTRACT This white paper provides a detailed review of SiteMinder SSO integration with EMC Documentum REST Services by exploring the architecture,consumption workflow,

More information

Implementing HTTPS in CONTENTdm 6 September 5, 2012

Implementing HTTPS in CONTENTdm 6 September 5, 2012 Implementing HTTPS in CONTENTdm 6 This is an overview for CONTENTdm server administrators who want to configure their CONTENTdm Server and Website to make use of HTTPS. While the CONTENTdm Server has supported

More information

SSL Configuration Best Practices for SAS Visual Analytics 7.1 Web Applications and SAS LASR Authorization Service

SSL Configuration Best Practices for SAS Visual Analytics 7.1 Web Applications and SAS LASR Authorization Service Paper SAS1541-2015 SSL Configuration Best Practices for SAS Visual Analytics 7.1 Web Applications and SAS LASR Authorization Service Heesun Park and Jerome Hughes, SAS Institute Inc., Cary, NC ABSTRACT

More information

SafeNet KMIP and Google Cloud Storage Integration Guide

SafeNet KMIP and Google Cloud Storage Integration Guide SafeNet KMIP and Google Cloud Storage Integration Guide Documentation Version: 20130719 Table of Contents CHAPTER 1 GOOGLE CLOUD STORAGE................................. 2 Introduction...............................................................

More information

Lotus Sametime. FIPS Support for IBM Lotus Sametime 8.0. Version 8.0 SC23-8760-00

Lotus Sametime. FIPS Support for IBM Lotus Sametime 8.0. Version 8.0 SC23-8760-00 Lotus Sametime Version 8.0 FIPS Support for IBM Lotus Sametime 8.0 SC23-8760-00 Disclaimer THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY. WHILE EFFORTS WERE

More information

SAP Mobile - Webinar Series SAP Mobile Platform 3.0 Security Concepts and Features

SAP Mobile - Webinar Series SAP Mobile Platform 3.0 Security Concepts and Features SAP Mobile - Webinar Series SAP Mobile Platform 3.0 Security Concepts and Features Dirk Olderdissen Solution Expert, Regional Presales EMEA SAP Brought to you by the Customer Experience Group 2014 SAP

More information

Spectrum Technology Platform Version 8.0.0. Tutorial: Load Balancing Spectrum Spatial Services. Contents:

Spectrum Technology Platform Version 8.0.0. Tutorial: Load Balancing Spectrum Spatial Services. Contents: Spectrum Technology Platform Version 8.0.0 Tutorial: Load Balancing Spectrum Spatial Services UNITED STATES www.pb.com/software Technical Support: www.pbinsight.com/support CANADA www.pb.com/software Technical

More information

Browser-based Support Console

Browser-based Support Console TECHNICAL PAPER Browser-based Support Console Mass deployment of certificate Netop develops and sells software solutions that enable swift, secure and seamless transfer of video, screens, sounds and data

More information

FUJITSU Cloud IaaS Trusted Public S5 Configuring a Server Load Balancer

FUJITSU Cloud IaaS Trusted Public S5 Configuring a Server Load Balancer FUJITSU Cloud IaaS Trusted Public S5 Configuring a Server Load Balancer This guide describes the options and process for adding and configuring a Server Load Balancer (SLB) Virtual Appliance. About the

More information

Architecture and Data Flow Overview. BlackBerry Enterprise Service 10 721-08877-123 Version: 10.2. Quick Reference

Architecture and Data Flow Overview. BlackBerry Enterprise Service 10 721-08877-123 Version: 10.2. Quick Reference Architecture and Data Flow Overview BlackBerry Enterprise Service 10 721-08877-123 Version: Quick Reference Published: 2013-11-28 SWD-20131128130321045 Contents Key components of BlackBerry Enterprise

More information

Load balancing Microsoft IAG

Load balancing Microsoft IAG Load balancing Microsoft IAG Using ZXTM with Microsoft IAG (Intelligent Application Gateway) Server Zeus Technology Limited Zeus Technology UK: +44 (0)1223 525000 The Jeffreys Building 1955 Landings Drive

More information

Security Workshop. Apache + SSL exercises in Ubuntu. 1 Install apache2 and enable SSL 2. 2 Generate a Local Certificate 2

Security Workshop. Apache + SSL exercises in Ubuntu. 1 Install apache2 and enable SSL 2. 2 Generate a Local Certificate 2 Security Workshop Apache + SSL exercises in Ubuntu Contents 1 Install apache2 and enable SSL 2 2 Generate a Local Certificate 2 3 Configure Apache to use the new certificate 4 4 Verify that http and https

More information

Sophos Mobile Control Installation guide. Product version: 3.5

Sophos Mobile Control Installation guide. Product version: 3.5 Sophos Mobile Control Installation guide Product version: 3.5 Document date: July 2013 Contents 1 Introduction...3 2 The Sophos Mobile Control server...4 3 Set up Sophos Mobile Control...10 4 External

More information

User Guide Generate Certificate Signing Request (CSR) & Installation of SSL Certificate

User Guide Generate Certificate Signing Request (CSR) & Installation of SSL Certificate User Guide Generate Certificate Signing Request (CSR) & Installation of SSL Certificate APACHE MODSSL Generate CSR 1. Type this command to generate key: $ openssl genrsa -out www.virtualhost.com.key 2048

More information

Installing Rails 2.3 Under Windows XP and Apache 2.2

Installing Rails 2.3 Under Windows XP and Apache 2.2 Installing Rails 2.3 Under Windows XP and Apache 2.2 Scott Taylor Tailor Made Software August 9, 2011 Version 1.0 1.0 Introduction Ruby On Rails (aka just Rails ) is a modern scripting system that allows

More information

Application Note AN1502

Application Note AN1502 Application Note AN1502 Generate SSL Certificates PowerPanel Business Edition User s Manual Rev. 1 2015/08/21 Rev. 13 2013/07/26 Content Generating SSL Certificates Overview... 3 Obtain a SSL Certificate

More information

TIBCO Spotfire Platform IT Brief

TIBCO Spotfire Platform IT Brief Platform IT Brief This IT brief outlines features of the system: Communication security, load balancing and failover, authentication options, and recommended practices for licenses and access. It primarily

More information

Configuring Secure Socket Layer (SSL) for use with BPM 7.5.x

Configuring Secure Socket Layer (SSL) for use with BPM 7.5.x Configuring Secure Socket Layer (SSL) for use with BPM 7.5.x Configuring Secure Socket Layer (SSL) communication for a standalone environment... 2 Import the Process Server WAS root SSL certificate into

More information

ADFS Integration Guidelines

ADFS Integration Guidelines ADFS Integration Guidelines Version 1.6 updated March 13 th 2014 Table of contents About This Guide 3 Requirements 3 Part 1 Configure Marcombox in the ADFS Environment 4 Part 2 Add Relying Party in ADFS

More information

DEPLOYMENT GUIDE Version 1.1. Deploying F5 with Oracle Application Server 10g

DEPLOYMENT GUIDE Version 1.1. Deploying F5 with Oracle Application Server 10g DEPLOYMENT GUIDE Version 1.1 Deploying F5 with Oracle Application Server 10g Table of Contents Table of Contents Introducing the F5 and Oracle 10g configuration Prerequisites and configuration notes...1-1

More information

UNICORE GATEWAY. UNICORE Team. Document Version: 1.0.3 Component Version: 6.4.2 Date: 19 12 2011

UNICORE GATEWAY. UNICORE Team. Document Version: 1.0.3 Component Version: 6.4.2 Date: 19 12 2011 UNICORE Gateway UNICORE GATEWAY UNICORE Team Document Version: 1.0.3 Component Version: 6.4.2 Date: 19 12 2011 This work is co-funded by the EC EMI project under the FP7 Collaborative Projects Grant Agreement

More information

Installing and Configuring vcenter Multi-Hypervisor Manager

Installing and Configuring vcenter Multi-Hypervisor Manager Installing and Configuring vcenter Multi-Hypervisor Manager vcenter Server 5.1 vcenter Multi-Hypervisor Manager 1.1 This document supports the version of each product listed and supports all subsequent

More information

DEPLOYMENT GUIDE Version 1.2. Deploying F5 with Microsoft Exchange Server 2007

DEPLOYMENT GUIDE Version 1.2. Deploying F5 with Microsoft Exchange Server 2007 DEPLOYMENT GUIDE Version 1.2 Deploying F5 with Microsoft Exchange Server 2007 Table of Contents Table of Contents Deploying F5 devices with Microsoft Exchange Server 2007 Client Access Servers Prerequisites

More information

Introduction to the Mobile Access Gateway

Introduction to the Mobile Access Gateway Introduction to the Mobile Access Gateway This document provides an overview of the AirWatch Mobile Access Gateway (MAG) architecture and security and explains how to enable MAG functionality in the AirWatch

More information

Forward proxy server vs reverse proxy server

Forward proxy server vs reverse proxy server Using a reverse proxy server for TAD4D/LMT Intended audience The intended recipient of this document is a TAD4D/LMT administrator and the staff responsible for the configuration of TAD4D/LMT agents. Purpose

More information

TROUBLESHOOTING RSA ACCESS MANAGER SINGLE SIGN-ON FOR WEB-BASED APPLICATIONS

TROUBLESHOOTING RSA ACCESS MANAGER SINGLE SIGN-ON FOR WEB-BASED APPLICATIONS White Paper TROUBLESHOOTING RSA ACCESS MANAGER SINGLE SIGN-ON FOR WEB-BASED APPLICATIONS Abstract This white paper explains how to diagnose and troubleshoot issues in the RSA Access Manager single sign-on

More information