How-to-Guide: Reverse Proxy and Load Balancing for SAP Mobile Platform 3.X

How-to-Guide: Reverse Proxy and Load Balancing for SAP Mobile Platform 3.X Active Global Support North America

Document History: Document Version Authored By Description 1.0 Kiran Kola Architect Engineer Document Version Reviewer Description 1.0 Ali Chalhoub Global Architect Support Engineer 2

www.sap.com Table of Contents 1. Business Scenarios 4 2. Prerequisites 4 3.0 SAP Mobile Platform Configuration 5 3.1 OData registration on SMP Platform 6 3.2 Testing backend OData Services through SMP Platform 14 3.3 SMP jvmroute Configuration 21 4.0 SMP 3.0 Architecture and Apache Server Setup 22 4.1 Apache HTTP Server Installation 23 4.2 Communication protocol scenarios 25 4.3 Monitoring settings for Apache Server 56 5.0 Exposing SMP OData Services via Relay server 59 5.1 Registration with Sybase Hosted relay Server 60 5.2 RSOE setup in SMP platform 62 6.0 NGINX as the reverse proxy and Load balancer 66 6.1 Install Nginx 67 6.2 Nginx as Reverse Proxy and Load balancer with HTTP communication 69 6.3 Verifying the request is going through Nginx 71 6.3 Nginx as Reverse Proxy and Load balancer with HTTPS communication 72

1. BUSINESS SCENARIOS SAP supports following third-party reverse proxy solutions: Apache reverse proxy for Native and Hybrid applications Nginx for Agentry applications When adding a reverse proxy, determine the mobile application types you need to support. Application Type Reverse Proxy Native Hybrid Agentry MBO Apache Server: Apache Apache Nginx RelayServer To support HTTP based clients that are designed to consume SAP Mobile Platform Server services, customers can optionally implement an Apache Reverse Proxy instead of a Relay Server in their production environment. When a customer use Apache HTTP Server as the Reverse Proxy and Load Balancer solution for SAP Mobile Platform 3.0, it s necessary to set up an environment containing all the needed resources. In this guide, we will illustrate how to set up an Apache server containing all the needed components for testing the load balancing, failover, http, one-way http and two-way https communication scenarios. Relay Server: Relay is typically used for MBO based applications but it can also be used for OData applications. Section 5 will illustrate on how to expose SAP Mobile Platform OData services using Hosted Relay Server. Nginx: Nginx (pronounced "engine-x") is an open source reverse proxy server for HTTP, HTTPS, WebSockets protocols and as well as a load balancer. NGINX supports WebSockets by allowing a tunnel to be setup between a client and backend servers. Nginx is typically used for SAP Agentry based applications. Difference between Apache and Nginx servers can be found in the following link: http://www.wikivs.com/wiki/apache_vs_nginx 2. PREREQUISITES All the server names used in this documentation are used to demonstrate end-to-end technical scenarios and for mockup purposes only. Following are the prerequisites and software details: SMP To test the load balancing scenarios, we installed 2 Node SMP Cluster with ASE as the Database Node. SMP version: SMP 3. 0, SP 4 Database Node: sp-tivm74.wdf.sap.corp (We tested all the scenarios on ASE and HANA Database) SMP Cluster Node 1: pvs9096.wdf.sap.corp SMP Cluster Node 2: pvs9097.wdf.sap.corp 4

Apache server A typical usage of reverse proxy is to provide mobile user access to SMP servers that are behind the corporate firewall so Apache HTTP server is installed in a DMZ area. In addition, Apache HTTP server is used to balance load among several SMP back-end servers. Apache Version: Version 2.4 Apache Server Node: ushplvm1383.phl.sap.corp Notepad++ http://notepad-plus-plus.org/ Relay server Registration with Sybase Hosted Relay Server Nginx Nginx Version: nginx-1.7.2 Nginx Server Node: ushplvm1384.phl.sap.corp Notepad++ http://notepad-plus-plus.org/ RestClient OData Testing Tools: Sample SAP OData Gateway service is configured on the SMP Server. To test the OData services, any of the following REST Client tool can be used: Chrome Postman Firefox RESTClient SOAPUI Tool Assumptions: For SSL configuration, self-signed certificates are not used in below examples; we used internal SAP CA for signing all the servers and client certificates SMP 3.0 Cluster Installation is done prior to this setup Relay server installation is done prior to this setup (if hosted solution is not in scope) 3.0 SAP MOBILE PLATFORM CONFIGURATION SMP Platform cluster installation is not covered in this document. Please refer to installation docs for How to install and configure SMP 3.0 in a cluster environment. http://help.sap.com/smp303svr 5

Registering an OData Application 3.1 OData Registration on SMP Platform This section we will cover OData registration on SMP and testing OData with Rest Client in following steps: a) Login to SMP Management Cockpit b) Provide application details c) Provide OData details d) Provide Authentication Profile details e) Provide Authentication Provider details Configuring the odata application 1. Open web browser ( i.e Chrome or any web browser that supports HTML5) 2. Type the cockpit URL address (i.e https://<host-name>:8083/admin) 3. Enter the user ID password. By default: a. userid: smpadmin b. password:s3padmin ( Note: If you change the password during installation, type the new password) 4. Click on Login to log into the cockpit 5. Once logged in successfully, click on APPLICATIONS tab 6. Click on the New button to create a new application for our OData back-end Endpoint as shown below: 7. Once you click on the New button, you should see the following screen below, fill up with the information that is shown on the screen 6

8. Click Save when you are done 9. Now we should see the following screen 10. Provide the gateway Endpoint information under BACK END Tab a. We need the URL of the Endpoint b. If the Endpoint requires an authentication, select Allow anonymous access and type and provide user name and password for backend authentication c. Check rewrite NOTE: Test and validate backend OData connections prior to this setup. 7

11. The BACK END tab information should look like the screen below 12. Click on AUTHENTICATION tab 8

13. Under SECURITY PROFILE, enter the name of the security profile, in our example we are using httpsec for our security profile name 14. Click on the New button to associate an authentication provider for our security profile 9

15. We should see the authentication provider screen 16. From the Authentication provider, click on the dropdown list and select HTTP/HTTPS Authentication 10

17. We should see the following screen 18. All you have to do here is provider the URL address which is the same as the Endpoint that we used 19. Once you are done, click the save button 20. You should see the following success message indicating everything is OK 11

21. Click Save again to save now the new security profile as shown below 22. You will be asked to Confirm the update, click Yes 23. You should see the following: 12

24. To make sure if our Endpoint is working correctly, select the row as shown below by clicking on it: 25. Now click on the Ping button as shown below: 26. If the Endpoint is reachable, you will get the following message below: 13

Testing OData Application Endpoint 3.2 Testing backend OData Services through SMP Platform For this test as we mentioned in requirements section, we are using POSTMAN Rest Client to onboard the application, to do the onboarding, do the following: 1. Invoke POSTMAN RESTClient, you should see something similar to the screen below, if this is a fresh installation of POSTMAN RESTClient 2. The first thing we need to do is provide the URL of any one of the SMP cluster nodes, the URL should look like this http://<host-name>:8080/odata/applications/latest/odata.flight/connections 3. Change the operation method to POST as shown below 4. Now we need to set the Content-Type = application/atom+xml;charset=utf-8, to do that, do the following: a. Click on Headers as shown below: 14

b. You should see the following: c. In the header field type Content-Type as shown below: d. For the Content-Type value, type application/atom+xml;charset=utf-8, now you should see something like the screen below: 5. Provide OData credentials: a. Click on the Basic Auth, you should see something like the screen below: 15

b. Type the OData End-point user ID and password: c. Now click Refresh headers, you should see the following: 6. If you want to associate a custom ID when you register your application, you can add the header X-SMP- APPCID to the header section and provide any value. Or you can leave it blank and SMP will associate a GUID with it. For this test, we are providing a custom ID. Next for registration purpose, provide some value X-SMP-APPCID = KOLAIDS, to do that, do the following: a. Click on the Normal Tab 16

7. In the header section as shown below, type the Header, X-SMP-APPCID as shown below: 8. Now we need to provide a body, click on raw tab as shown below: 9. In the body section, paste the following XML code below: <?xml version="1.0" encoding="utf-8"?> <entry xml:base="http://pvs9096.wdf.sap.corp:8080/odata/applications/latest/odata.flight/connections" xmlns="http://www.w3.org/2005/atom" xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata" xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices"> <content type="application/xml"> <m:properties> <d:devicetype>windows</d:devicetype> </m:properties> </content> </entry> 10. You should see something like that: 17

NOTE: the Authorization Basic value may vary since the user id and password it may not be the same as our credential information. 11. Test the service Click Send button, if everything goes well, you should see the following below which indicates the application is successfully registered on SMP server. Similarly, now you can test GET operation with following inputs as shown in the below screen: 18

URL: http://pvs9096.wdf.sap.corp:8080/odata.flight/ Operation = GET Authorization = Basic d2ytbw0tndp3zwxjb21l X-SMP-APPCID = KOLAIDS Click Send button. 200 OK status is displayed with XML output as shown below. To validate the registration completion on SMP, login into SAP Management cockpit and verify registration count. Click Registrations, you should see registration ID with unknown type (browser). 19

With this we successfully registered and tested backend OData on SMP. Next we will configure jvmroute configuration on SMP. 20

JVMRoute Configuration 3.3 SMP jvmroute Configuration Each SMP instance of the cluster gets an individual name which is added at the end of the session id. When the load balancer sees a session id, it finds the name of the SMP instance and sends the request via the correct member worker. For this to work you must set the name of the SMP instances as the value of the jvmroute attribute in the engine element of each SMP default-server.xml. The name needs to be equal to the name of the corresponding load balancer member. Following are three main steps: 1. Edit default-server.xml of SMP server nodes of the following Location: <dir>\config_master\org.eclipse.gemini.web.tomcat\default-server.xml 2. Specify the jvmroute as a unique string for the node as shown below: For pvs9096, jvmroute=smpservernode96 (make sure there is no space between = ) For pvs9097, jvmroute=smpservernode97 3. Restart the SMP server Next section we will focus on how to use apache as a reverse proxy and load balancer solution for SMP 3.0 Platform. 21

4.0 SMP 3.0 ARCHITECTURE AND APACHE SERVER SETUP Below diagram is the sample architecture for SMP cluster and apache server setup. In the following, we will provide configuration steps to setup plain HTTP, one-way HTTPs and mutual authentication. NOTE: In general, Proxy and Load Balancer solutions are typically adopted in the production environment setup so for this implementation we considered Apache with SMP cluster environment and ignored scenarios for single SMP node. 22

Apache Server Installation 4.1 Apache HTTP Server Installation In this section, Apache server installation and configuration is illustrated in the following steps: 1. Download Apache 2. Configure Apache Server 1. Use the link to download the Apache HTTP Server: http://www.apachelounge.com/download/ Version used: httpd-2.4.9-win64-vc11 Prerequisite: Download and install the Windows C++ 2012 runtime from Microsoft.com We installed Apache in C:\\Apache24, so extracted the ZIP file to the root of the C: drive. Apache can be installed anywhere on your system, but you will need to change the configuration file paths accordingly Within the folder, you will see following folder structure: 23

2. Configure Apache: a) cd \apache24\bin Note: httpd.exe -k install -n "Apache2.4" (this installs apache as a service) Port Conflict scenario: Because Apache cannot share the same port with another TCP/IP application, you may need to stop, uninstall or reconfigure certain other services before running Apache (for example IIS). In default, server listens on port 80 and you can change the port in httpd.conf file. b) Edit httpd.conf file using Notepad++, located under <Drive>\Apache24\conf\ c) To activate, uncomment following modules in httpd.conf file: Typical proxy server will need to enable several modules. Those relevant for proxying and load balancing are as follows: LoadModule proxy_module modules/mod_proxy.so o The core module deals with proxy infrastructure and configuration and managing a proxy request. LoadModule proxy_http_module modules/mod_proxy_http.so o This module handles fetching documents with HTTP and HTTPS. LoadModule proxy_connect_module modules/mod_proxy_connect.so o This handles the CONNECT method for secure (SSL) tunneling. LoadModule proxy_balancer_module modules/mod_proxy_balancer.so o mod_proxy_balancer implements clustering and load-balancing over multiple backends. LoadModule slotmem_shm_module modules/mod_slotmem_shm.so o memory provider which provides for creation and access to a shared memory segment LoadModule proxy_html_module modules/mod_proxy_html.so o This rewrites HTML links into a proxy's address space. LoadModule headers_module modules/mod_headers.so o This modifies HTTP requests and response headers. LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so o Distribute the requests among the various workers LoadModule ssl_module modules/mod_ssl.so o This module provides SSL v2/v3 and TLS v1 support for the Apache HTTP Server 24

Communication Scenarios 4.2 Communication protocol scenarios In this section, following protocol communication scenarios for Apache Server are covered: 1. HTTP 2. one-way HTTPS 3. two-way HTTPS Scenario 1: In this section, Apache as reverse proxy and simple load balancing configuration using HTTP communication is covered: 1. Configure httpd.config for plain HTTP communication 2. Restart Apache Server 3. Verify communication 4. Testing SMP OData using Apache Server URL Proxy can be easily achieved by simply writing the below two rules in your httpd.conf file. Proxypass: This directive asks the apache server to fetch data from SMP Nodes ProxyPassReverse: This directive rewrites the original URL when the traffic is send back. In this use case we have two SMP server nodes pvs9096 and pvs9097 that both listen on port 8080. The apache load balancer listens on port 80 by default. This sets up a load balance cluster called balancer://smpcluster that is bound to the two SMP nodes. The stickysession is the session affinity cookie to be used. 1. In the following HTTP examples, http://usphlvm1383.phl.sap.corp:80/ is mapped to following SMP Nodes on port 8080: pvs9096.wdf.sap.corp:8080 pvs9097.wdf.sap.corp:8080 On each SMP node we add the unique node name that was set up in the default-server.xml file in SMP configuration (as described in section 3.4). This configuration is necessary so that session affinity works correctly. We can achieve load balancing using two methods: 1) SMP session ID or with 2) Apache Headers; you can choose method based on the type of usage. Method 1:httpd.conf template using SMP Session ID Listen 80 <VirtualHost *:80> ProxyPreserveHost On ServerName usphlvm1383.phl.sap.corp <Proxy balancer://smpcluster> BalancerMember http://pvs9096.wdf.sap.corp:8080 route=smpservernode96 BalancerMember http://pvs9097.wdf.sap.corp:8080 route=smpservernode97 ProxySet stickysession=x-smp-sessid 25

ProxySet lbmethod=byrequests </Proxy> ProxyPass / balancer://smpcluster/ ProxyPassReverse / balancer://smpcluster/ ErrorLog "C:/Apache24/logs/error.log" LogFormat "%h %l %u %t \"%r\" %>s %b duration:%t/%d balancer:%{balancer_worker_name}e Changed:%{BALANCER_ROUTE_CHANGED}e Sticky:%{BALANCER_SESSION_STICKY}e" TransferLog /Apache24/logs/enhancedlog.log </VirtualHost> Method 2: httpd.conf template using Apache Headers Listen 80 <VirtualHost *:80> ProxyPreserveHost On ServerName usphlvm1383.phl.sap.corp Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=balancer_route_changed <Proxy balancer://smpcluster> BalancerMember http://pvs9096.wdf.sap.corp:8080 route=smpservernode96 BalancerMember http://pvs9097.wdf.sap.corp:8080 route=smpservernode97 ProxySet stickysession=routeid ProxySet lbmethod=byrequests </Proxy> ProxyPass / balancer://smpcluster/ ProxyPassReverse / balancer://smpcluster/ ErrorLog "C:/Apache24/logs/error.log" LogFormat "%h %l %u %t \"%r\" %>s %b duration:%t/%d balancer:%{balancer_worker_name}e Changed:%{BALANCER_ROUTE_CHANGED}e Sticky:%{BALANCER_SESSION_STICKY}e" TransferLog /Apache24/logs/enhancedlog.log </VirtualHost> NOTE: mod_headers module is required to set headers. Refer http://httpd.apache.org/docs/2.2/mod/mod_headers.html. 2. Restart Apache Server 3. Verify http communication Validate the configuration by opening a browser and testing these URLs: o http://usphlvm1383.phl.sap.corp:80 URL should return a page with this information: 26

4. Testing POST operation via Apache with HTTP. Port 80 is the default http port. 1. Invoke POSTMAN RESTClient, 2. Provide the Apache host name in the URL with http port (80), the URL should look like this http://<apach-server-host>:80/odata/applications/latest/odata.flight/connections 3. Change the operation method to POST as shown below 4. Now we need to set the Content-Type = application/atom+xml;charset=utf-8, to do that, do the following: a. Click on Headers as shown below: b. In the header field type Content-Type as shown below: c. For the Content-Type value, type application/atom+xml;charset=utf-8, now you should see something like the screen below: 5. Provide OData credentials: a. Click on the Basic Auth, you should see something like the screen below: 27

b. Type the OData End-point user ID and password c. Now click Refresh headers, you should see the following: 6. If you want to associate a custom ID when you register your application, you can add the header X- SMP-APPCID to the header section and provide any value. Or you can leave it blank and SMP will associate a GUID with it. For this test, we are providing a custom ID. Next for registration purpose, provide some value X-SMP-APPCID = KOLAIDS, to do that, do the following: a. Click on the Normal Tab b. In the header section as shown below, type the Header, X-SMP-APPCID as shown below: 28

7. Now we need to provide a body, click on raw tab as shown below: 8. In the body section, paste the following XML code below: <?xml version="1.0" encoding="utf-8"?> <entry xml:base="http://pvs9096.wdf.sap.corp:8080/odata/applications/latest/odata.flight/connections" xmlns="http://www.w3.org/2005/atom" xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata" xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices"> <content type="application/xml"> <m:properties> <d:devicetype>windows</d:devicetype> </m:properties> </content> </entry> 9. You should see something like that: 29

NOTE: the Authorization Basic value may vary since the user id and password it may not be the same as our credential information. 10. Test the service Click Send button, if everything goes well, you should see the following below which indicates the application is successfully registered on SMP server. Similarly, you can test GET operation with following inputs as shown in the below screen: URL: http://usphlvm1383.phl.sap.corp:80/odata.flight/ X-SMP-APPCID = KOLAIDS Content-Type = application/atom+xml;charset=utf-8 Authorization = Basic d2ytbw0tndp3zwxjb21l In the above case the Apache proxy server is usphlvm1383 processing HTTP requests. Look at the response below to see if the cookie is formed correctly 30

Verify that SMP is configured correctly for Session Stickyness. Note that in the response we have a SMPServerNode96 is appended to the X-SMP-SESSID cookie. If you are using above log format, then your logs should like something like below in your enchancedlog.log file located under logs folder: The first request for a user where initial cookies are not set will show: Changed:1 Sticky:- Subsequent requests should show: Changed:- Sticky:X-SMP-SESSID That means that apache read the X-SMP-SESSID cookie and was able to send the request to the correct server. If you see Changed: 1 Sticky:X-SMP-SESSID that means that session stickyness did not work. NOTE: For verifying the session stickiness, above strategy is applied to all other Apache communication scenarios. Scenario 2: In this section, Apache as reverse proxy and simple load balancing configuration using one-way HTTPS communication is covered: 1. SMP Platform SSL Preparation 2. SSL preparation for Apache server 3. Install trusted Certificates 4. Configure httpd.config for one-way HTTPS communication 5. Restart Apache Server 31

6. Verify communication 7. Testing OData using Apache Server URL (Secured) Reverse proxy, and SAP Mobile Server each use their own certificate; you can create or sign these certificates from one root certificate. In one-way SSL scenario, only the client authenticates the server. This means that the public cert of the Apache server needs to configured in the trust store of the SMP Server. 1. SMP Platform SSL Preparation keytool is a java utility that manages a keystore of private keys and associated certificates, as well as certificates from trusted entities. SAP Mobile Platform uses a single keystore file, located at SMP_HOME\Server\configuration\smp_keystore.jks. This is the file to configure and protect. keytool is in SMP_HOMEsapjvm_7\bin IMPORTANT: Make sure you backup your smp_keystore.jks a) Create certificate request (CSR file) keytool.exe -certreq -keyalg RSA -alias smp_crt -file pvs9097.csr -keystore C:\SAP\MobilePlatform3\Server\configuration\smp_keystore.jks -storepass empass12 NOTE: The certificate request must be signed by an authority or self-signed before importing it into the SMP keystore. For production environment, the Certificate Signing Request that you generated can be submitted to a CA to create a certificate signed by the CA. b) Import root certificate of the CA keytool -import -keystore C:\SAP\MobilePlatform3\Server\configuration\smp_keystore.jks - file C:\SAP\MobilePlatform3\sapjvm_7\bin\SAPNetCA.crt -alias TCSRootCert c) Import signed certificate keytool -import -keystore C:\SAP\MobilePlatform3\Server\configuration\smp_keystore.jks - file C:\SAP\MobilePlatform3\sapjvm_7\bin\pvs9097.crt -alias smp_crt d) Verify the certificate upload keytool -list -keystore C:\SAP\MobilePlatform3\Server\configuration\smp_keystore.jks e) Restart SMP servers after you upload the signed certificates. Refer following link for more information on keytool: http://help.sap.com/saphelp_smp303svr/helpdata/en/7c/2eddd970061014ba46b1c4748c229b/content.htm There is no auto synchronization for cluster server's keystore and they need to be maintained manually. Also import all required certificates to all cluster nodes' keystore and be sure to keep all certificates alias consistent. Use keytool to check all certificate in the keystore: keytool -list -keystore C:\SAP\MobilePlatform3\Server\configuration\smp_keystore.jks 32

2. SSL Preparation for Apache Server The OpenSSL is used to generate an RSA Private Key and CSR (Certificate Signing Request). It can also be used to generate self-signed certificates which can be used for testing purposes or internal usage. Depending on your operating system, download the OpenSSL software from following link: https://www.openssl.org/related/binaries.html a) Generate RSA openssl genrsa -des3 -out server.key 2048 Enter pass phrase twice to generate server.key: s3padmin b) Create CSR file 1. Set the environment variable: set OPENSSL_CONF=c:\OpenSSL-Win64\bin\openssl.cfg 2. Issue this command: openssl req -sha256 -out ApacheServer.csr -new -newkey rsa:2048 -nodes -keyout server.key Country Name:CA State or Province Name:ONTARIO Locality Name:TORONTO Organization Name:SAP Organizational Unit Name:COE Common Name:USPHLVM1383.PHL.SAP.CORP Email Address: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password: An optional company name: c) Generate signed Certificate For production environments, the Certificate Signing Request that you generated can be submitted to a CA to create a certificate signed by the CA. d) Remove Passphrase from Key Apache will ask for the pass-phrase each time the web server is started. Obviously this is not necessarily convenient so you can remove passphrase from the generated key by following commend: 1. copy server.key server.key.org 2. openssl rsa -in server.key.org -out server.key Result is new RSA server.key is generated. e) Copy server.key and ApacheServer.crt to Apache conf directory. The location of this directory will differ depending on where Apache is installed. 33

3. Installing Trusted Certificates SMP Platform: Using keytool.exe, upload ApacheServer crt into SMP keystore as the trusted certificate keytool -import -trustcacerts -alias ApacheServer -file ApacheServer.crt -keystore smp_keystore.jks Apache Platform Install CA cert and SMP server certs (pvs9096, pvs9097) onto the Apache server For example: Right click on the certificate and add it to trusted Root Certificate as shown below. 4. Configuring SSL properties in httpd.conf In the following example, https://usphlvm1383.phl.sap.corp:443/ is mapped to following SMP Nodes: pvs9096.wdf.sap.corp:8081 pvs9097.wdf.sap.corp:8081 Listen 443 <VirtualHost *:443> SSLEngine On SSLProxyEngine On ProxyPreserveHost On SSLProxyCheckPeerCN off SSLProxyCheckPeerName off SSLCertificateFile /Apache24/conf/ApacheServer.crt SSLCertificateKeyFile /Apache24/conf/server.key ServerName usphlvm1383.phl.sap.corp <Proxy balancer://smpcluster> BalancerMember https://pvs9096.wdf.sap.corp:8081 route=smpservernode96 34

BalancerMember https://pvs9097.wdf.sap.corp:8081 route=smpservernode97 ProxySet stickysession=x-smp-sessid ProxySet lbmethod=byrequests </Proxy> ProxyPass / balancer://smpcluster/ ProxyPassReverse / balancer://smpcluster/ ErrorLog "C:/Apache24/logs/error.log" LogFormat "%h %l %u %t \"%r\" %>s %b duration:%t/%d balancer:%{balancer_worker_name}e Changed:%{BALANCER_ROUTE_CHANGED}e Sticky:%{BALANCER_SESSION_STICKY}e" TransferLog /Apache24/logs/enhancedlog.log </VirtualHost> 5. Restart apache and test OData connectivity on RestClient. 6. Verify one-way HTTPS Scenario: Validate the configuration by opening a browser and testing these URLs: 2.0 https:// usphlvm1383.phl.sap.corp:443 URL should return a page with this information: 7. Testing POST operation via Apache with HTTPS. Port 443 is the default https port. URL: https://usphlvm1383.phl.sap.corp:443/odata.flight/ Operation = GET 1. Invoke POSTMAN RESTClient, 2. Provide the Apache host name in the URL with https port (443), the URL should look like this https://<apach-server-host>:443/odata/applications/latest/odata.flight/connections 35

3. Change the operation method to POST as shown below 4. Now we need to set the Content-Type = application/atom+xml;charset=utf-8, to do that, do the following: a. Click on Headers as shown below: b. You should see the following: c. In the header field type Content-Type as shown below: 5. For the Content-Type value, type application/atom+xml;charset=utf-8, now you should see something like the screen below: 6. Provide OData credentials: a. Click on the Basic Auth, you should see something like the screen below: 36

b. Type the OData End-point user ID and password c. Now click Refresh headers, you should see the following: 7. If you want to associate a custom ID when you register your application, you can add the header X-SMP-APPCID to the header section and provide any value. Or you can leave it blank and SMP will associate a GUID with it. For this test, we are providing a custom ID. Next for registration purpose, provide some value X-SMP-APPCID = KOLAIDS, to do that, do the following: a. Click on the Normal Tab 8. In the header section as shown below, type the Header, X-SMP-APPCID as shown below: 9. Now we need to provide a body, click on raw tab as shown below: 37

10. In the body section, paste the following XML code below: <?xml version="1.0" encoding="utf-8"?> <entry xml:base="https://usphlvm1383.phl.sap.corp:443/odata/applications/latest/odata.flight/connection s" xmlns="http://www.w3.org/2005/atom" xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata" xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices"> <content type="application/xml"> <m:properties> <d:devicetype>windows</d:devicetype> </m:properties> </content> </entry> 11. You should see something like below: NOTE: the Authorization Basic value may vary since the user id and password it may not be the same as our credential information. 38

12. Test the service Click Send button, if everything goes well, you should see the following below which indicates the application is successfully registered on SMP server. Similarly, you can test GET operation with following inputs as shown in the below screen: URL: https://usphlvm1383.phl.sap.corp:443/odata.flight/ Operation = GET X-SMP-APPCID = KOLAIDS Authorization = Basic d2ytbw0tndp3zwxjb21l In this example, Apache proxy server is usphlvm1383 processing HTTPS requests. Look at the response below to see if the cookie is formed correctly 39

Verify that SMP is configured correctly for Session Stickyness. Note that in the response we have a SMPServerNode96 is appended to the X-SMP-SESSID cookie. Scenario 3: In this section, reverse proxy and simple load balancing configuration using two-way HTTPS communication is covered in the following steps: 40

1. Create OData connection using X.509 certificate authentication 2. Add the impersonator Role in SMP 3. Configure httpd.conf file for mutual authentication 4. Restart Apache Server 5. Load.p12 Client Certificate in to the browser 6. Verify two-way mutual communication 7. Testing OData using Apache Server URL (two-way HTTPS protocol) In two-way SSL, client authenticates the server & the server also authenticates the client, public cert of the SMP server needs to be configured in the trust store of the Apache server. Also the public cert of the Apache needs to be configured on the SMP server's trust store. SMP Server and the Apache must have SSL certificates issued by an authorized certificate authority. An issued certificate includes a digital signature confirming the identities of the SMP server and the Apache Server. When the Apache's host sends a request to the SMP server, the SMP server will verify that the Apache has an SSL certificate and vice versa. There are six steps to achieve this task: 1. Create OData connection with X.509 Certificates In this scenario, iwe are using htttps based flight model example as the gateway OData connection. In the following steps, we will create new OData connection with X.509 certificate as authentication:: a) Login to SMP Management Cockpit b) Provide application details c) Provide OData details d) Provide Authentication Profile details e) Provide Authentication Provider details 1. Open web browser ( i.e Chrome or any web browser that supports HTML5) 2. Type the cockpit URL address (i.e https://<host-name>:8083/admin) 3. Enter the user ID password. By default: a. userid: smpadmin b. password:s3padmin ( Note: If you change the password during installation, type the new password) 4. Click on Login to log into the cockpit 5. Once logged in successfully, click on APPLICATIONS tab 6. Click on the New button to create a new application for our OData back-end Endpoint as shown below: 7. Once you click on the New button, you should see the following screen below, fill up with the information that is shown on the screen 41

8. Click Save when you are done 9. Now we should see the following screen 10. Provide the gateway Endpoint information under BACK END Tab a. We need the URL of the Endpoint b. If the Endpoint requires an authentication, select Allow anonymous access and type and provide user name and password for backend authentication c. Check rewrite NOTE: Test and validate backend OData connections prior to this setup. 11. The BACK END tab information should look like the screen below 42

12. Click on AUTHENTICATION tab 13. Under SECURITY PROFILE, enter the name of the security profile, in our example we are using httpscon for our security profile name 43

14. Click on the New button to associate an authentication provider for our security profile 15. From the Authentication provider, click on the dropdown list and select x.509 Certificate and hit Create Button 16. We should see the following screen. Select Validated Certificate Is Identity and Validate Cert Path options and save as shown below: 44

17. Once you are done, click the save button 18. You should see the following success message indicating everything is OK 19. Click Save again to save now the new security profile as shown below 20. You will be asked to Confirm the update, click Yes 45

21. You should see the following: 22. To make sure if our Endpoint is working correctly, select the row as shown below by clicking on it: and click on the Ping button as shown below: 23. If the Endpoint is reachable, you will get the following message below: NOTE: In addition to x.509 certificate authentication provider, we successfully tested this scenario with HTTPS Authentication provider. To make HTTPS scenario work, provide backend credentials of the OData service. 2. Add the Impersonator Role: The Impersonator role establishes the trust relationship between the Apache reverse proxy and SAP Mobile Platform Server allowing SAP Mobile Platform Server to accept and authenticate the user's public certificate presented in the SSL_CLIENT_HEADER over the SSL connection established by the reverse proxy. NOTE: The Impersonator role should be granted to the reverse proxy by mapping the Impersonator role to the subjectdn from the certificate used by the reverse proxy to establish a mutual authentication SSL connection to SAP Mobile Platform Server. When doing mutual certificate authentication directly against SMP3 server without relayserver, the client establishes the SSL connection directly with the server and the certificatevalidationloginmodule configured in the server validates the client certificate presented to the server. Following are the steps to add the impersonator role: a) Find the CN name: 1) You need to have access to Apache Public Certificate 46

2) Now click Details Tab as shown below: 3) Click on the Subject and on the details screen, you will find SubjectDN information: 47

b) Navigate to C:\SAP\MobilePlatform3\Server\configuration\com.sap.mobile.platform.server.security\CSI C) Update the corresponding security role mapping file as shown below: <DefaultMapping> <LogicalName>Impersonator</LogicalName> <MappedName>user:CN=USPHLVM1383.PHL.SAP.CORP, OU=COE, O=SAP-AG, C=DE</MappedName> </DefaultMapping> <DefaultMapping> NOTE: Mapped Name should be started with user: File name is created based on the configuration name. httpscon is my X.509 security configuration name In the above example, httpscon-role-mapping.xml is the file name located in CSI folder: Troubleshooting Impersonator role errors: UserRoleAuthorizer.checkRole method compares the rolename user:cn=usphlvm1383.phl.sap.corp, OU=COE, O=SAP-AG, C=DE with the string obtained from the certificate using the java APIs CN=USPHLVM1383.PHL.SAP.CORP, OU=COE, O=SAP-AG, C=DE and if it does not match it will result in errors. In the following errors, case does not match: 2014 07 09 21:22:45#+0200#DEBUG#com.sybase.security.core.UserRoleAuthorizer##anonymous#http-bio-8082- exec-1###userroleauthorizer.checkrole(rolename=user:cn=usphlvm1383.phl.sap.corp, OU=COE, O=SAP-AG, C=DE,subject.getName()=CN=USPHLVM1383.PHL.SAP.CORP, OU=COE, O=SAP-AG, C=DE 2014 07 09 21:22:45#+0200#DEBUG#com.sybase.security.core.RoleCheckAuthorizer##anonymous#http-bio-8082- exec-1###rolecheckauthorizer.checkrole(user:cn=usphlvm1383.phl.sap.corp, OU=COE, O=SAP-AG, C=DE) 2014 07 09 21:22:45#+0200#WARN#com.sybase.security.integration.tomcat7.CSIRealm##anonymous#http-bio- 8082-exec-1###Authentication failed. SSL_CLIENT_CERT header is specified but the user is not granted "Impersonator" role. 48

If you have difficulty in finding the SubjectDN for impersonator, enable the server log into debug mode and execute a proxy request HTTPS 8082 port (8443 via Apache Server). In the server log, you see the same the DN that the SAP Mobile Platform CSI records. Tip>for further debugging SSL handshake issues you can add -Djavax.net.debug=ssl:handshake in your props.ini file. 3. Adjust the httpd.conf file for mutual authentication (Apache Server) SSLProxyMachineCertificateFile used in httpd.conf MUST be in PEM format. You can use openssl for conversion by running below commends for your server (ApacheServer.crt) and root certificate (SAPNetCA.crt). a) openssl x509 -in ApacheServer.crt -out ApacheServer.der -outform DER b) openssl x509 -in ApacheServer.der -inform DER -out ApacheServer.pem -outform PEM c) openssl x509 -in SAPNetCA crt -out SAPNetCA.der -outform DER d) openssl x509 -in SAPNetCA.der -inform DER -out SAPNetCA.pem -outform PEM NOTE: If server or root certificate is in the.der format then you can use b) or d) option to convert into PEM format SSLProxyMachineCertificateFile - point it to a file containing your Apache server certificate which is converted into ApacheServer.pem format and its (unencrypted) private key (server.key) in PEM format. (For example, add server.key to ApacheServer.pem). Apache won t start if this is not done correctly. Following the same screen: In the following example, https://usphlvm1383.phl.sap.corp:8443/ is mapped to following SMP Nodes: pvs9096.wdf.sap.corp:8082 pvs9097.wdf.sap.corp:8082 49

Listen 8443 <VirtualHost *:8443> ServerName usphlvm1383.phl.sap.corp SSLEngine On SSLProxyEngine On ProxyRequests Off ProxyPreserveHost On SSLProxyCheckPeerCN off SSLProxyCheckPeerName off SSLVerifyClient require SSLVerifyDepth 10 SSLCertificateFile /Apache24/conf/ApacheServer.crt SSLCertificateKeyFile /Apache24/conf/server.key SSLCACertificateFile /Apache24/conf/crts/SAPNetCA.pem SSLProxyCACertificateFile /Apache24/conf/crts/SAPNetCA.pem SSLProxyMachineCertificateFile /Apache24/conf/ApacheServer.pem <Proxy balancer://smpcluster> BalancerMember https://pvs9096.wdf.sap.corp:8082 route=smpservernode96 BalancerMember https://pvs9097.wdf.sap.corp:8082 route=smpservernode97 ProxySet stickysession=x-smp-sessid ProxySet lbmethod=byrequests </Proxy> RequestHeader set SSL_CLIENT_CERT "" RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s" ProxyPass / balancer://smpcluster/ ProxyPassReverse / balancer://smpcluster/ CustomLog "c:/apache24/logs/ssl_request LB_8082.log" "%t %h %r %s %l %p User:%u %{Foobar}i client_cert:%{ssl_client_cert}x client_verify:%{ssl_client_verify}x client_cert_dn:%{ssl_client_s_dn}x \"%r\" %b" LogFormat "%h %l %u %t \"%r\" %>s %b duration:%t/%d balancer:%{balancer_worker_name}e Changed:%{BALANCER_ROUTE_CHANGED}e Sticky:%{BALANCER_SESSION_STICKY}e" TransferLog /Apache24/logs/enhancedlog_8443.log </VirtualHost> 4. Restart the Apache Server 5. Load.p12 Client Certificate in to the REST client browser For mutual authentication using client certificates, SMP/Apache needs the private keys to do the signing, and the.p12 file format is the most common for passing around a certificate with its private keys. To test, we need client certificate (.p12 file) which is usually provided by your OS security team who handles Certificate Authority. 1. Load the.p12 client certificate into the personal certificate store. In Chrome, choose Settings > Show Advanced Settings > HTTPS/SSL > Manage certificates as shown below screen: 50

2. Click Import button: 3. Click Next button: 51

4. Click browse and select the p.12 file 5. Select All files from dropdown: 6. Select p.12 and hit Next button as shown below: 52

7. If password exists, provide password and hit next: NOTE: s_client is a diagnostic tool for OpenSSL. For more information, refer following link 53

https://www.openssl.org/docs/apps/s_client.html Example for testing client certificates: 5. Verify two-way HTTPS Scenario Validate the configuration by opening a browser and testing these URLs: 2.1 https:// usphlvm1383.phl.sap.corp:8443 URL should return a page with this information: 6. Testing SMP OData GET operation using Apache Server URL with port 8443 URL: https://usphlvm1383.phl.sap.corp:8443/odata.flight/ Operation = GET X-SMP-APPCID = kola1 Request is processed by available SMP cluster node with following results. 54

Apache 8443 result Logs: 10.7.119.233 - - [10/Jul/2014:00:43:27-0400] "GET /odata.flight/ HTTP/1.1" 200 667 duration:3/3778378 balancer:https://pvs9096.wdf.sap.corp:8082 Changed:- Sticky:X-SMP-SESSID [10/Jul/2014:00:43:27-0400] 10.7.119.233 GET /odata.flight/ HTTP/1.1 200-443 User:- - client_cert:-----begin CERTIFICATE----- -----END CERTIFICATE client_verify:success client_cert_dn:cn=supuser,ou=ssl Server,O=SAP-AG,C=DE "GET /odata.flight/ HTTP/1.1" 667 55

Monitoring Apache Server 4.3 Monitoring settings for Apache Server In this section, we will cover monitoring and performance tuning aspects. Balancer manager: This module requires the service of mod_status. Balancer manager enables dynamic update of balancer members. You can use balancer manager to change the balance factor or a particular member. In addition you can enable authentication for administrators. In the following examples, we used basic authentication with HTTPS connection. NOTE: balance-manger configuration should be part of the load balancer configuration as shown in the below example: Example for basic authentication: Example for balancer manager configuration in httpd.conf file: Listen 443 <VirtualHost *:443> SSLEngine On SSLProxyEngine On ProxyRequests Off ProxyPreserveHost On SSLProxyCheckPeerCN off SSLProxyCheckPeerName off SSLCertificateFile /Apache24/conf/ApacheServer.crt SSLCertificateKeyFile /Apache24/conf/server.key SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown ServerName usphlvm1383.phl.sap.corp ErrorLog "C:/Apache24/logs/error.log" TransferLog "C:/Apache24/logs/access.log" <Proxy balancer://smpcluster> BalancerMember https://pvs9096.wdf.sap.corp:8081 route=smpservernode96 BalancerMember https://pvs9097.wdf.sap.corp:8081 route=smpservernode97 ProxySet stickysession=x-smp-sessid ProxySet lbmethod=byrequests </Proxy> <Location /balancer-manager> SetHandler balancer-manager Order Deny,Allow Deny from none Allow from all </Location> 56

ProxyPass / balancer://smpcluster/ ProxyPassReverse / balancer://smpcluster/ CustomLog "c:/apache24/logs/ssl_443.log" "%t %h %r %s %l %p User:%u %{Foobar}i client_cert:%{ssl_client_cert}x client_verify:%{ssl_client_verify}x client_cert_dn:%{ssl_client_s_dn}x \"%r\" %b" LogFormat "%h %l %u %t \"%r\" %>s %b duration:%t/%d balancer:%{balancer_worker_name}e Changed:%{BALANCER_ROUTE_CHANGED}e Sticky:%{BALANCER_SESSION_STICKY}e" TransferLog /Apache24/logs/enhancedlog.log </VirtualHost> URL to access: http://hostname:port/balancer-manager When one of worker URL is clicked, you can dynamically enable member options as show below. Server Status: The Status module allows a server administrator to find out how well their server is performing. A HTML page is presented that gives the current server statistics in an easily readable form. If required this page can be made to 57

automatically refresh (given a compatible browser). Another page gives a simple machine-readable list of the current server state. Example for server status configuration in httpd.conf file: <Location /server-status> SetHandler server-status Order Deny,Allow Deny from none Allow from all AuthType basic AuthName "Apache server-status" AuthUserFile /Apache24/conf/passwd-server-status Require valid-user </Location> URL to access: http:://hostname:port/server-status In addition to above features, there are plenty of open source tools available to monitor and manage Apache Servers. Next section we will focus on how to use relay server as a reverse proxy and load balancer solution for SMP 3.0 Platform. 58

5.0 EXPOSING SMP ODATA SERVICES VIA RELAY SERVER In this section, we will test SMP 3 OData services using hosted Sybase relay server. Our assumption is you already have relay server installation is in place. For this exercise, we used hosted relay server. Please refer following link for more information on subscription. Subscribing and Connecting to Sybase Hosted Relay Service Below diagram is the sample architecture for SMP cluster and hosted relay server communication setup. In the following, we will provide Sybase hosted relay registration details, RSOE configuration steps to setup plain HTTP and HTTPs communication. 59

Sybase Hosted Relay Server Registration 5.1 Registration with Sybase Hosted relay Server For Sybase Hosted relay server setup, we have three main steps: 1. Create subscription ID 2. Maintain FARM details 3. Collect configuration details More information on hosted relay server can obtained from following link: http://dcx.sybase.com/index.html#1201/en/relayserver/ml-relayserver-s-4994339.html 1. First Create subscription ID with contact details and Accept terms and conditions 2. Maintain FARM details 60

Click on the Add New Mobilink Farm as shown below: Provide Farm Name and SMP Server details Farm Name: FARMODATA03 Server Names: pvs9096, pvs9097 Example for SMP server node cluster: 3. Collect configuration details Click configuration instructions for rsoe configuration details. For enabling communication between SMP and relay server, configuration details are used in rsoe.config file (on SMP server). 61

RSOE Setup 5.2 RSOE setup in SMP platform This section illustrates RSOE setup on SMP platform in following steps: 1. Download rsoe files 2. Create config file for RSOE setup 3. Verify rsoe.log 4. Verify communication 5. Testing SMP OData using Relay Server URL (plain HTTP) 1. Create rsoe folder under SAP folder as shown below: You need RSOE component, which is part of Sybase SQLAnywhere (based on your OS). From relay server media, copy rsoe.exe, dblgde12.dll, dblgen12.dll, rsoesupp12.dll files to rsoe folder as shown below: 2. Create a config file (pvs9096.config) each SMP Node with following details: -f smp3sp03.farmodata03 -id pvs9096 -t 1bf5b1482ce4a8e23d7a2521eaef -cr "host=relayserver.sybase.com;https=0;port=80;proxy_host=proxy;proxy_port=8080;url_suffix=/ia s_relay_server/server/rs_server.dll" -cs "host=localhost;port=8080" -v 5 -o "C:\rsoe.log" a. t is the Token, value has to match the token specified in your pvs9096.config file on relay server, in our case paste the value from Hosted Relay Server configuration page b. cs Servername and port of the backend server (e.g. Web Server) c. cr Server and port of your relay server. Think about adapting the url_suffix if the relay server is running on Linux: url_suffix=/srv/iarelayserver.the configuration of a proxy is optional, only needed if you have to use the proxy to connect to the relay server. d. v the verbosity level from 0 to 5 (0 = no logging, 5 = all) 62

e. o Log output, specify path and file to RSOE log 3. Start the rsoe with the following commend: You can also create a service account for rsoe by following: 4. Verify your configurations by checking rsoe.log: Note: same configuration is applied on other SMP cluster nodes. HTTPS connections are also supported. NOTE: Repeat above steps on all the SMP nodes. 5. Verify SMP OData Services via Relay Server: http://relayserver.sybase.com/ias_relay_server/client/rs_client.dll/<farm-name>/ will be a redirect to your backend server (e.g. pvs9096:8080 or pvs9097:8080) like you defined it in the rsoe.config. Following URL will result following: http://relayserver.sybase.com/ias_relay_server/client/rs_client.dll/smp3sp03.farmodata03/ 6. Testing SMP OData GET service via Hosted Relay Server URL: 63

URL = http://relayserver.sybase.com/ias_relay_server/client/rs_client.dll/smp3sp03.farmodata03/odata.flight/odata/ applications/latest/odata.flight/connections Operation = GET Conetent-Type = application/atom+xml;charset=utf-8 Authorization = Basic atgynzu0ntplyxj0adiwmtq= X-SMP-APPCID = ngnixrsoe Similarly, you can test GET operation with following inputs as shown in the below screen: URL: http://relayserver.sybase.com/ias_relay_server/client/rs_client.dll/smp3sp03.farmodata03/odata.flight/ X-SMP-APPCID = kola1 Authorization = Basic atgynzu0ntplyxj0adiwmtq= Result: 64

Load balancing between SMP servers and failover scenarios are also tested successfully. In next section, we will focus on how to use Nginx as a reverse proxy and load balancer solution for SMP 3.0 Platform. 65

6.0 NGINX AS THE REVERSE PROXY AND LOAD BALANCER Below diagram is the sample architecture for SMP cluster and hosted Nginx server communication setup. In the following sections, we will illustrate how to set up an Nginx server containing all the needed components for testing the reverse proxy, load balancing, http, and https communication scenarios. 66

Install Nginx 6.1 Install Nginx This section covers Nginx installation setup steps: 1. Download Nginx software 2. Run Nginx.exe 3. Verify Nginx setup 1. Download Nginx from http://nginx.org/en/download.html We are using 1.7.3 version. Always download the stable version. 2. Extract the package to a directory, C:\Nginx1.7.3\ Open CMD with administrator and run Nginx.exe We can be control service by invoking the executable with the -s parameter. Use the following syntax: C:\nginx-1.4.4>nginx -s signal Where signal may be one of the following: stop --- fast shutdown quit --- graceful shutdown reload --- reloading the configuration file reopen --- reopening the log files NOTE: Because Nginx cannot share the same port with another TCP/IP application, you may need to stop, uninstall or reconfigure certain other services before running Nginx.exe (for example IIS). In default, server listens on port 80 and you can change the port in nginx.conf file located under: C:\nginx-1.7.2\nginx-1.7.2\conf\ 3. Verify Nginx services are running by following methods: Select Task Manger and verify if Nginx process are running: 67

In the web browser, type http://localhost, if it is successfully running you will see as below: 68

Nginx HTTP 6.2 Nginx as Reverse Proxy and Load balancer with HTTP communication In this section, Nginx is configured as reverse proxy and simple load balancing configuration using plain HTTP communication is covered in following steps: 1. Configure nginx.config for http protocol 2. Restart Nginx 3. Verify communication 4. Testing OData services using Nginx URL 1. In order to use Nginx as Reverse Proxy and load balancer for SMP3 server, we need to change the nginx.config file as following. server { listen 80; server_name usphlvm1384.phl.sap.corp; access_log D:/nginx-1.7.2/nginx-1.7.2/logs/access_80.log; error_log D:/nginx-1.7.2/nginx-1.7.2/logs/error_80.log; location / { proxy_pass http://backend/; proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504; proxy_redirect default ; proxy_buffering off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } #paste blow code after server configuration closing braces upstream backend { server pvs9096.wdf.sap.corp:8080; server pvs9097.wdf.sap.corp:8080; } NOTE: location / means all requests go to any of the servers listed under upstream. For information on load balancing and techniques, refer following link: http://nginx.org/en/docs/http/load_balancing.html 2. Restart Nginx Server 3. Verify SMP communication via Nginx Server (http based) In the following example, http://usphlvm1384.phl.sap.corp:80/ is mapped to following SMP Nodes: pvs9096.wdf.sap.corp:8080 pvs9097.wdf.sap.corp:8080 URLhttp://ushphlvm1384.phl.sap.corp:80 will result following: 69

3. RestClient testing of SMP OData services using Nginx URL URL: http://usphlvm1384.phl.sap.corp/odata.flight/ X-SMP-APPCID = kola1 Authorization = Basic atgynzu0ntplyxj0adiwmtq= Result: 70

6.3 Verifying the request is going through Nginx To verify if the request is going through Nginx when you registered, open the log access file of Nginx by going to the: 1. Location of the log folder. In our example it is in ( D:/nginx-1.7.2/nginx-1.7.2/logs) 2. Open the following log or whatever you called it. In our case it is called error_80.log 3. You should see a post request for the registration similar to the one below: [04/Aug/2014:10:06:43-0700] "POST /odata/applications/latest/odata.flight/connections HTTP/1.1" 201 3732 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36" When accessing the odata end point, check in the log and see if you will see a GET request in the Nginx log, like that one below: [04/Aug/2014:10:07:08-0700] "GET /odata.flight HTTP/1.1" 200 622 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36" 71

Nginx HTTPS 6.3 Nginx as Reverse Proxy and Load balancer with HTTPS communication In this section, Nginx is configured as reverse proxy and simple load balancing configuration using plain HTTP communication is covered in following steps: 1. SMP Platform SSL Preparation 2. SSL preparation for Nginx Server 3. Install Trusted Certificates 4. Configure Nginx.config for https protocol 5. Restart Nginx 6. Verify communication 7. Testing OData services using Nginx URL To configure Nginx server to connect SMP with single SSL support, we need to prepare the certificates for Nginx server via OpenSSL to generate server certificate and key files. In the following example, we will use openssl. 1. SMP Platform SSL Preparation Refer section 4.2> Scenario 2> Point 1 2. SSL Preparation for Nginx Server: Depending on your operating system, download the OpenSSL software from following link: https://www.openssl.org/source/ a) Generate RSA openssl genrsa -des3 -out server.key 2048 Result is new RSA server.key is generated. b) Create CSR file. Like the standard SMP server certificate, we have used an RSA 2048 key signed with the sha256 signing algorithm openssl req -sha256 -out NginxServer.csr -new -newkey rsa:2048 -nodes -keyout server.key Country Name:CA State or Province Name:ONTARIO Locality Name:TORONTO Organization Name:SAP Organizational Unit Name:COE Common Name:USPHLVM1384.PHL.SAP.CORP Email Address: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password: An optional company name: c) Remove Passphrase from Key 72

This is an optional step. This is done so that we don t have to enter the password for the private key every time we restart NGINX. copy server.key server.key.org openssl rsa -in server.key.org -out server.key d) Generate signed Certificate For production environments, the Certificate Signing Request that you generated can be submitted to a CA to create a certificate signed by the CA. Result is the Signed Certificate. e) Copy server.key and NginxServer.crt to Nginx config directory. The location of this directory will differ depending on where Nginx is installed. 3. Installing Trusted Certificates SMP Platform: Upload NginxServer.crt into SMP keystore as the trusted certificate keytool -import -trustcacerts alias NginxServer-file NginxServer.crt -keystore smp_keystore.jks Nginx Platform Install CA cert and SMP server certs (pvs9096, pvs9097) onto the NGINX server. Right click on the certificate and add it to trusted Root Certificate as shown below. 73

4. Configuring SSL properties in Nginx.conf In the following example, https://usphlvm1384.phl.sap.corp:443/ is mapped to following SMP Nodes: pvs9096.wdf.sap.corp:8081 pvs9097.wdf.sap.corp:8081 server { listen 443 ssl; server_name usphlvm1384.phl.sap.corp; ssl_certificate D:/nginx-1.7.2/nginx-1.7.2/cert/NginxServer.crt; ssl_certificate_key D:/nginx-1.7.2/nginx-1.7.2/cert/server.key; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; ssl_session_timeout 5m; access_log D:/nginx-1.7.2/nginx-1.7.2/logs/access_443.log; error_log D:/nginx-1.7.2/nginx-1.7.2/logs/error_443.log; root html; index index.html index.htm; location / { proxy_pass https://backend/; proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504; proxy_redirect default ; proxy_buffering off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } } #paste blow code after server configuration closing braces upstream backend { server pvs9096.wdf.sap.corp:8081; server pvs9097.wdf.sap.corp:8081; } 5. Restart Nginx Server 6. Verify communication via Nginx Server (https based) In the following example, https://usphlvm1384.phl.sap.corp:443/ is mapped to following SMP Nodes: pvs9096.wdf.sap.corp:8081 pvs9097.wdf.sap.corp:8081 URL https://ushphlvm1384.phl.sap.corp:443 will result following: 74

7. Testing SMP OData using Ngnix URL (secured) URL: https://usphlvm1384.phl.sap.corp/odata.flight/ X-SMP-APPCID = kola1 Authorization = Basic atgynzu0ntplyxj0adiwmtq= Result: 75

Verify logs for https traffic as described in section 6.3. In summary, this paper covers reverse proxy and load balancer solutions for SAP Mobile Platform using Apache, Relayserver, and Nginx servers with http, one-way https and mutual https scenarios. 2014 SAP SE or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE s or its affiliated companies strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions. 76