Configuring Remote HANA System Connection for SAP Cloud for Analytics via Apache HTTP Server as Reverse Proxy

Author: Gopal Baddela, Senior BI Architect, Archius

Copyright Archius 2016

Table of Contents

1. Overview
   a. Prerequisites
   b. What is SAP Cloud for Analytics?
   c. What is a reverse proxy server?
   d. Why reverse proxy?
2. Installation of Apache HTTP Server
3. Configuration of Reverse Proxy
4. Test Connectivity with C4A
5. InA configuration in HANA
6. Testing HANA Connectivity
7. Creating HANA connection in C4A
8. Notes
9. References

1. Overview

1.1 Prerequisites

- SAP Cloud for Analytics 1.0.38
- SAP HANA SPS 10 revision 102.2 or above
- SAP HANA InA configured
- Apache HTTP server 2.4

1.2 Purpose of this document

Configure an Apache reverse proxy to access a HANA system via an online connection from Cloud for Analytics. This requires the following steps:

1. Installing and configuring a reverse proxy to access C4A and HANA (via InA). Example URLs which will be configured are shown below:
   a. C4A URL: http://reverseproxy.archius.com/sap
   b. HANA URL: https://reverseproxy.archius.com/hana
2. Creating a connection to HANA from C4A

[Figure: Architecture Diagram]

1.3 What is SAP Cloud for Analytics?

SAP Cloud for Analytics is a native application built on HANA Cloud Platform that delivers analytic capabilities including Business Intelligence, Data Visualization, Planning and Predictive analytics, offering Plan, Discover, Visualize and Predict capabilities.

1.4 What is a reverse proxy server?

A reverse proxy server acts as an intermediary between the client and the server. In short, a reverse proxy receives an HTTP request and forwards it to the appropriate server based on its configuration. In our current scenario, the reverse proxy relays the HTTP request from Cloud for Analytics (C4A) to the local HANA server.

The most common use of a reverse proxy is to provide load balancing for web applications and APIs. In addition to load balancing, a reverse proxy can provide SSL acceleration, intelligent compression, caching, advanced traffic management such as application-layer security and page routing, and secure remote access. When combined with cloud infrastructure, a reverse proxy can be used to enable a split application architecture (Cloud Bursting).

1.5 Why reverse proxy?

Due to the Same Origin Policy (SOP), the SAP Cloud for Analytics web client cannot connect directly to the remote system. The Same Origin Policy is an important security concept which restricts client-side programming languages like JavaScript to accessing resources only from the same domain. In our case, it prevents C4A from accessing on-premises HANA. A reverse proxy enables the C4A connection to on-premises or cloud-hosted HANA instances.

Options for reverse proxy:
- External web servers like Apache, Squid, nginx, lighttpd, Pound
- SAP Web Dispatcher

2. Installation of Apache HTTP server

In this scenario we are using Red Hat Linux. Productive environments need more involved configuration with respect to security, estimated load and other parameters.

Environment:
OS: RHEL 7.2

Link to documentation on launching AWS instance: http://docs.aws.amazon.com/awsec2/latest/userguide/ec2_getstarted.html

Check if Apache HTTP server is installed:

    [ec2-user@ip-10-0-8-85 ~]$ sudo rpm -q httpd
    package httpd is not installed

Installing Apache HTTP Server

Install Apache HTTP server:

    sudo yum install httpd

    Total download size: 1.5 M
    Installed size: 4.3 M
    Is this ok [y/d/n]:y

Confirm with y. Installation will complete with the message Completed!

    [ec2-user@ip-10-0-8-85 ~]$ sudo rpm -q httpd
    httpd-2.4.6-40.el7.x86_64

Installing the required modules

Install mod_ssl. mod_ssl is an optional module for Apache HTTP server that provides strong cryptography for the Apache v1.3 and v2 webserver via the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) cryptographic protocols with the help of the Open Source SSL/TLS toolkit OpenSSL.

    sudo yum install httpd mod_ssl

Confirm with y; installation completes with the message Completed.

Start Apache HTTP server:

    [ec2-user@ip-10-0-8-85 ~]$ sudo service httpd start
    Redirecting to /bin/systemctl start httpd.service
    [ec2-user@ip-10-0-8-85 ~]$ ps -eZ | grep httpd

Check if Apache HTTP server is running (output of the ps command above):

    system_u:system_r:httpd_t:s0 9387 ? 00:00:00 httpd
    system_u:system_r:httpd_t:s0 9388 ? 00:00:00 httpd
    system_u:system_r:httpd_t:s0 9389 ? 00:00:00 httpd
    system_u:system_r:httpd_t:s0 9390 ? 00:00:00 httpd
    system_u:system_r:httpd_t:s0 9391 ? 00:00:00 httpd
    system_u:system_r:httpd_t:s0 9392 ? 00:00:00 httpd

To stop the server use the option stop, and to restart it use restart or reload.

Get list of listening ports:

    [ec2-user@ip-10-0-8-85 ~]$ sudo semanage port -l | grep -w http_port_t
    http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000

3. Configuration of Reverse Proxy

The primary configuration file is /etc/httpd/conf/httpd.conf

Alternatively, separate configuration files can be maintained in the directory /etc/httpd/conf.d. This option is enabled by setting IncludeOptional conf.d/*.conf in the primary configuration file. All the files with the extension .conf in the directory /etc/httpd/conf.d are loaded when the server is started.

It is good practice to make global configuration settings in the httpd.conf file and to keep module-specific configuration in individual .conf files. Putting the configuration lines specific to a module into their own file makes it much easier to enable and disable modules, and it keeps each configuration file small and easy to edit.

Include the list of modules to load in /etc/httpd/conf/httpd.conf by adding the following configuration at the bottom of the file. Make sure the SSL module is configured; this is required so that the reverse proxy is accessed via HTTPS and URL parameters get passed on to C4A.

    [root@ip-10-0-8-85 httpd]# sudo vi /etc/httpd/conf/httpd.conf

    #~~~~~~~~~~~~~~
    # Load modules
    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_connect_module modules/mod_proxy_connect.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
    LoadModule rewrite_module modules/mod_rewrite.so
    LoadModule headers_module modules/mod_headers.so
    LoadModule ssl_module modules/mod_ssl.so
    # Settings
    ProxyRequests Off
    SSLProxyEngine On
    RequestHeader set Front-End-Https "On"
    #~~~~~~~~~~~~~

Save and exit from the file.

In this step we configure the Apache HTTP reverse proxy rules. In the example below, any URL which starts with https://<reverse proxy>/sap is redirected to C4A, and any URL which starts with https://<reverse proxy>/hana is redirected to the HANA system URL defined below.

All URLs which start with /sap are re-routed to the C4A server: http://reverseproxy.archius.com/sap is re-routed to C4A and http://reverseproxy.archius.com/hana is re-routed to HANA, where reverseproxy.archius.com is the URL of the Apache HTTP Server.

Add the reverse proxy configuration in /etc/httpd/conf.d/reverse_proxy.conf:

    # Settings for C4A
    ProxyPass /sap/ https://zzzzzzzzz.hana.ondemand.com/sap/
    ProxyPassReverse /sap/ https://zzzzzzz.hana.ondemand.com/sap/
    <Location /sap/>
    ProxyPassReverse /sap/
    </Location>
    # Settings for HANA
    # Path and target both end in "/" so that /hana/<x> maps to /<x> on the HANA host
    ProxyPass /hana/ http://10-0-8-45:8000/
    ProxyPassReverse /hana/ http://10-0-8-45:8000/
    ### Replace URLs with the ones from your scenario

Save and exit from the file.

Restart the Apache HTTP server:

    [ec2-user@ip-10-0-8-85 ~]$ sudo service httpd restart
    Redirecting to /bin/systemctl restart httpd.service
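
A check that can be run over the proxy configuration before restarting httpd, flagging the settings that matter most for this setup: forward proxying switched on, ProxyPass pairs whose trailing slashes do not match, and back ends reached over plain HTTP (the logon credentials cross that hop unencrypted). This is an added example, not part of the original document; the function names, finding labels and the sample configuration with its placeholder host names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original document): audit reverse-proxy directives.
# Reads Apache config from the named files, or from stdin when none are given.
audit_proxy_conf() {
  awk '
    /^[ \t]*#/ { next }                       # skip comment lines
    { d = tolower($1) }                       # directive names are case-insensitive
    d == "proxyrequests" && tolower($2) == "on" {
      print "OPEN_FORWARD_PROXY line " NR     # forward proxying must stay off
    }
    d == "sslproxyengine" && tolower($2) == "on" { tls = 1 }
    d == "proxypass" && NF >= 3 {
      path_slash = ($2 ~ /\/$/); url_slash = ($3 ~ /\/$/)
      if (path_slash != url_slash) print "SLASH_MISMATCH " $2 " -> " $3
      if ($3 ~ /^http:\/\//)  print "PLAINTEXT_BACKEND " $2 " -> " $3
      if ($3 ~ /^https:\/\//) https = 1
    }
    END { if (https && !tls) print "HTTPS_BACKEND_WITHOUT_SSLPROXYENGINE" }
  ' "$@"
}

# Constructed sample modelled on the directives in this document;
# host names are placeholders.
sample_conf() {
  cat <<'EOF'
ProxyRequests Off
SSLProxyEngine On
ProxyPass        /sap/ https://tenant.example.invalid/sap/
ProxyPassReverse /sap/ https://tenant.example.invalid/sap/
ProxyPass        /hana http://hana.example.invalid:8000/
ProxyPassReverse /hana http://hana.example.invalid:8000/
EOF
}

sample_conf | audit_proxy_conf
```

On a real host the function takes file names, for example audit_proxy_conf /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/reverse_proxy.conf.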

4. Test Connectivity with C4A

Test connectivity with C4A. The IP or DNS name is the address of the reverse proxy.

URL: https://<your reverse proxy External IP or DNS>/sap/fpa/ui/tenant/<your tenant ID>

You may get a warning that the connection is not private, because SSL certificate configuration has not been done; this is a POC sandbox. In productive instances it is imperative to complete a thorough security configuration.

The log on screen should show up.

Logged on to C4A

5. InA configuration in HANA

Configuration for HANA:

Requirements:
- HANA Information Access Service is installed and activated in HANA
- The user ID used to connect has the INA_USER role (sap.bc.ina.service.v2.userrole::ina_user) assigned

Check if HANA Information Access Service is installed:

The INA service is delivered via the HANA delivery unit AHCO_INA_SERVICE. If the delivery unit is installed, you should be able to see the following package (it should be installed by default in HANA SPS11).

If the package structure is not available, it can be installed from the delivery unit available in the directory /usr/sap/<sid>/sys/global/hdb/autocontent/ahco_ina_service.tgz

Check SAP Note 2097965 for additional configuration.

Check if the INA service is active (we will use the same URL to check reverse proxy connectivity for HANA):

URL: http://<hana>:<port>/sap/bc/ina/service/v2/getserverinfo

Log in with the same user you are planning to use with C4A. You should see something like this:

6. Testing HANA Connectivity

Testing reverse proxy connectivity with HANA:

URL: http://<reverseproxy>:<port>/<path>/sap/bc/ina/service/v2/getserverinfo

Connection is successful. Please note the <PATH> for C4A was /sap/ and for HANA it is /hana/

7. Creating HANA connection

Creating Connection to HANA in C4A:

Menu: System -> Administration

Select Remote Systems

Add new connection

Provide Name, Path prefix and log on credentials.

New connection Arch is created.

Test to see if a HANA information view can be accessed:

Menu -> Modeler -> Import Model -> Create Model from Remote System

Select the Remote System created.

Select the system and provide log on credentials. You should be able to select the information models that the logged-on user has access to.

New Model successfully created.

8. Notes

1. Location of log files
   a. /var/log/httpd/
   b. /var/log/audit/audit.log
2. Error << Apache Mod_proxy '[Error] (13) Permission Denied' >>. This error is usually caused by SELinux (ships by default with RHEL), whose default setup prevents httpd from initiating outbound connections. The usual culprit is httpd_can_network_connect set to OFF.
   Check SE parameters for httpd: << getsebool -a | grep httpd >>
   Change httpd_can_network_connect to ON temporarily: << sudo /usr/sbin/setsebool httpd_can_network_connect 1 >>
   Test and, if successful, set the parameter permanently: << sudo /usr/sbin/setsebool -P httpd_can_network_connect 1 >>
3. Check errors if httpd fails to start: << sudo journalctl -xe >>
4. Get list of listening ports: << sudo semanage port -l | grep -w http_port_t >>
5. Check SELinux: << getenforce >>
6. Service Marketplace application components for Cloud for Analytics
   LOD-ANA - Cloud Analytics
   LOD-ANA-BI - Business intelligence
   LOD-ANA-BR - Boardroom
   LOD-ANA-PL - Planning
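
Note 2 attributes the "Permission Denied" error to SELinux; before changing httpd_can_network_connect, the denial records in /var/log/audit/audit.log show which outbound connections httpd actually attempted, so the change can be tied to the proxy's own back ends. The function below is an added example, not part of the original document; its name and the sample log excerpt are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original document): summarise SELinux denials of
# outbound connections attempted by httpd. Output: "<port> <port type> <count>".
httpd_denied_connects() {
  awk '
    /avc:/ && /denied/ && /name_connect/ && /comm="httpd"/ {
      port = ""; type = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^dest=/) port = substr($i, 6)
        if ($i ~ /^tcontext=/) { split(substr($i, 10), ctx, ":"); type = ctx[3] }
      }
      if (port != "") seen[port " " type]++
    }
    END { for (k in seen) print k, seen[k] }
  ' "$@" | sort -n
}

# Constructed audit.log excerpt (timestamps, PIDs and ports are made up).
sample_audit_log() {
  cat <<'EOF'
type=AVC msg=audit(1458040000.101:412): avc:  denied  { name_connect } for  pid=9388 comm="httpd" dest=8000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:soundd_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1458040003.550:415): avc:  denied  { name_connect } for  pid=9389 comm="httpd" dest=8000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:soundd_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1458040009.020:419): avc:  denied  { name_connect } for  pid=9390 comm="httpd" dest=443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=USER_AUTH msg=audit(1458040011.000:420): pid=1201 uid=0 auid=1000 msg='op=PAM:authentication acct="ec2-user" exe="/usr/sbin/sshd" res=success'
EOF
}

sample_audit_log | httpd_denied_connects
```

On a real host, run it as root against the log from note 1, for example httpd_denied_connects /var/log/audit/audit.log; ports that do not belong to a configured back end point to something other than the proxy rules.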

9. References

1. Red Hat documentation: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/index.html
2. SAP Cloud for Analytics documentation: http://help.sap.com/cloud4analytics
3. Apache HTTP Server documentation: https://httpd.apache.org/docs/2.4/