

Communication Scenarios

Scenario 2: In this section, Apache as a reverse proxy with a simple load-balancing configuration using one-way HTTPS communication is covered:

1. SMP Platform SSL Preparation
2. SSL preparation for Apache server
3. Install trusted certificates
4. Configure httpd.conf for one-way HTTPS communication
5. Restart Apache Server
6. Verify communication
7. Testing OData using Apache Server URL (Secured)

The reverse proxy and SAP Mobile Server each use their own certificate; you can create or sign these certificates from one root certificate. In the one-way SSL scenario, only the client authenticates the server. This means that the public certificate of the Apache server needs to be configured in the trust store of the SMP Server.

1. SMP Platform SSL Preparation

keytool is a Java utility that manages a keystore of private keys and their associated certificates, as well as certificates from trusted entities. SAP Mobile Platform uses a single keystore file, located at SMP_HOME\Server\configuration\smp_keystore.jks. This is the file to configure and protect. keytool is in SMP_HOME\sapjvm_7\bin.

IMPORTANT: Make sure you back up your smp_keystore.jks before changing it.

a) Create a certificate request (CSR file)

keytool.exe -certreq -keyalg RSA -alias smp_crt -file pvs9097.csr -keystore C:\SAP\MobilePlatform3\Server\configuration\smp_keystore.jks -storepass empass12

The alias smp_crt must already hold a key pair in the keystore. If you omit -storepass, keytool prompts for the password instead of leaving it in the command history.

NOTE: The certificate request must be signed by a CA (or self-signed) before the resulting certificate is imported into the SMP keystore.

For a production environment, submit the Certificate Signing Request you generated to a CA to obtain a certificate signed by that CA.

b) Import root certificate of the CA

keytool -import -keystore C:\SAP\MobilePlatform3\Server\configuration\smp_keystore.jks -file C:\SAP\MobilePlatform3\sapjvm_7\bin\SAPNetCA.crt -alias TCSRootCert

c) Import signed certificate

keytool -import -keystore C:\SAP\MobilePlatform3\Server\configuration\smp_keystore.jks -file C:\SAP\MobilePlatform3\sapjvm_7\bin\pvs9097.crt -alias smp_crt

d) Verify the certificate upload

keytool -list -keystore C:\SAP\MobilePlatform3\Server\configuration\smp_keystore.jks

e) Restart the SMP servers after you upload the signed certificates.

Refer to the following link for more information on keytool:

http://help.sap.com/saphelp_smp303svr/helpdata/en/7c/2eddd970061014ba46b1c4748c229b/content.htm

There is no automatic synchronization of the keystores of cluster servers; they must be maintained manually. Import all required certificates into every cluster node's keystore and keep the certificate aliases consistent across nodes. Use keytool -list to check all certificates in each keystore.

2. SSL Preparation for Apache Server

OpenSSL is used to generate an RSA private key and a CSR (Certificate Signing Request). It can also generate self-signed certificates, which can be used for testing or internal use.

Depending on your operating system, download OpenSSL from the following link:

https://www.openssl.org/related/binaries.html

a) Generate an RSA key

openssl genrsa -des3 -out server.key 2048

Enter the pass phrase twice to generate server.key (in this example: s3pAdmin).

b) Create the CSR file

1. Set the environment variable: set OPENSSL_CONF=c:\OpenSSL-Win64\bin\openssl.cfg
2. Issue this command:

openssl req -sha256 -out ApacheServer.csr -new -newkey rsa:2048 -nodes -keyout server.key

NOTE: -newkey rsa:2048 -nodes -keyout server.key generates a fresh, unencrypted key and overwrites the server.key created in step a). To build the CSR from the key created in step a) instead, replace -newkey rsa:2048 -nodes -keyout server.key with -key server.key (you will be asked for its pass phrase).

Country Name: CA
State or Province Name: ONTARIO
Locality Name: TORONTO
Organization Name: SAP
Organizational Unit Name: COE
Common Name: USPHLVM1383.PHL.SAP.CORP
Email Address:

Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password:
An optional company name:

The Common Name must be the host name under which clients reach the Apache server (here usphlvm1383.phl.sap.corp); otherwise clients will reject the certificate.

c) Generate the signed certificate

For production environments, submit the Certificate Signing Request you generated to a CA to obtain a certificate signed by the CA (ApacheServer.crt).

d) Remove the pass phrase from the key

Apache will ask for the pass phrase each time the web server is started. This is not always convenient, so you can remove the pass phrase from the generated key with the following commands:

1. copy server.key server.key.org
2. openssl rsa -in server.key.org -out server.key

The result is a new, unencrypted RSA server.key. Because it is no longer protected by a pass phrase, restrict its file permissions to the account that runs Apache, and delete or lock down server.key.org.

e) Copy server.key and ApacheServer.crt to the Apache conf directory. The location of this directory differs depending on where Apache is installed.

3. Installing Trusted Certificates

SMP Platform:

Using keytool.exe, upload ApacheServer.crt into the SMP keystore as a trusted certificate:

keytool -import -trustcacerts -alias ApacheServer -file ApacheServer.crt -keystore smp_keystore.jks

Apache Platform:

Install the CA certificate and the SMP server certificates (pvs9096, pvs9097) onto the Apache server. For example:

Right-click the certificate and add it to Trusted Root Certificates as shown below.

4. Configuring SSL properties in httpd.conf

In the following example, https://usphlvm1383.phl.sap.corp:443/ is mapped to the following SMP nodes:
- pvs9096.wdf.sap.corp:8081
- pvs9097.wdf.sap.corp:8081

Listen 443
<VirtualHost *:443>
    SSLEngine On
    SSLProxyEngine On
    # The server certificate/key directives and the opening of the balancer block were
    # lost in extraction; they are reconstructed here from the two-way example in step 3
    # of the mutual-authentication section and from the node list above.
    SSLCertificateFile /Apache24/conf/ApacheServer.crt
    SSLCertificateKeyFile /Apache24/conf/server.key
    <Proxy balancer://smpcluster>
        BalancerMember https://pvs9096.wdf.sap.corp:8081 route=SMPServerNode96
        BalancerMember https://pvs9097.wdf.sap.corp:8081 route=SMPServerNode97
        ProxySet stickysession=X-SMP-SESSID
        ProxySet lbmethod=byrequests
    </Proxy>
    ProxyPass / balancer://smpcluster/
    ProxyPassReverse / balancer://smpcluster/
    ErrorLog "C:/Apache24/logs/error.log"
    LogFormat "%h %l %u %t \"%r\" %>s %b duration:%T/%D balancer:%{BALANCER_WORKER_NAME}e Changed:%{BALANCER_ROUTE_CHANGED}e Sticky:%{BALANCER_SESSION_STICKY}e"
    TransferLog /Apache24/logs/enhancedlog.log
</VirtualHost>

5. Restart Apache and test OData connectivity with a REST client.

6. Verify the one-way HTTPS scenario:

Validate the configuration by opening a browser and testing this URL: https://usphlvm1383.phl.sap.corp:443

The URL should return a page with this information:

7. Testing a POST operation via Apache with HTTPS. Port 443 is the default HTTPS port.

URL: https://usphlvm1383.phl.sap.corp:443/odata.flight/

Operation = GET

1. Invoke the POSTMAN REST client.

2. Provide the Apache host name in the URL with the HTTPS port (443); the URL should look like this:

3. Change the operation method to POST as shown below:

4. Now set the header Content-Type = application/atom+xml;charset=utf-8. To do that:

a. Click on Headers as shown below:

b. You should see the following:

c. In the header field type Content-Type as shown below:

5. For the Content-Type value, type application/atom+xml;charset=utf-8. You should now see something like the screen below:

b. Type the OData End-point user ID and password

c. Now click Refresh headers, you should see the following:

7. If you want to associate a custom ID when you register your application, add the header X-SMP-APPCID with any value; if you leave it out, SMP associates a GUID with the registration. For this test we provide a custom ID. For registration purposes, set X-SMP-APPCID = KOLAIDS. To do that:

a. Click on the Normal Tab

8. In the header section, type the header X-SMP-APPCID as shown below:

10. In the body section, paste the following XML:

<?xml version="1.0" encoding="UTF-8"?>
<entry xml:base="https://usphlvm1383.phl.sap.corp:443/odata/applications/latest/odata.flight/Connections"
       xmlns="http://www.w3.org/2005/Atom"
       xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata"
       xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices">
  <content type="application/xml">
    <m:properties>
      <d:DeviceType>Windows</d:DeviceType>
    </m:properties>
  </content>
</entry>

12. Test the service: click the Send button. If everything goes well, you should see the following, which indicates that the application is successfully registered on the SMP server.

Similarly, you can test a GET operation with the following inputs, as shown in the screen below:

URL: https://usphlvm1383.phl.sap.corp:443/odata.flight/

Operation = GET

X-SMP-APPCID = KOLAIDS

Authorization = Basic d2YtbW0tNDp3ZWxjb21l

In this example, the Apache proxy server usphlvm1383 processes the HTTPS requests. Look at the response below to see whether the cookie is formed correctly:

The two-way (mutual) HTTPS scenario covers the following steps:

1. Create OData connection using X.509 certificate authentication
2. Add the Impersonator role in SMP
3. Configure the httpd.conf file for mutual authentication
4. Restart Apache Server
5. Load the .p12 client certificate into the browser
6. Verify two-way mutual communication
7. Testing OData using Apache Server URL (two-way HTTPS protocol)

In two-way SSL, the client authenticates the server and the server also authenticates the client. The public certificate of the SMP server needs to be configured in the trust store of the Apache server, and the public certificate of Apache needs to be configured in the SMP server's trust store. The SMP Server and Apache must have SSL certificates issued by a trusted certificate authority. An issued certificate includes a digital signature confirming the identity of the SMP server and of the Apache server. When the Apache host sends a request to the SMP server, the SMP server verifies that Apache presents a valid SSL certificate, and vice versa. There are six steps to achieve this task:

1. Create OData connection with X.509 Certificates

In this scenario, we are using the HTTPS-based flight model example as the gateway OData connection. In the following steps, we create a new OData connection with X.509 certificate authentication:

a) Log in to the SMP Management Cockpit
b) Provide application details
c) Provide OData details
d) Provide Authentication Profile details
e) Provide Authentication Provider details

1. Open a web browser (e.g. Chrome or any web browser that supports HTML5)
2. Type the cockpit URL address (e.g. https://<host-name>:8083/Admin)
3. Enter the user ID and password. By default:

a. user ID: smpAdmin

b. password: s3pAdmin (Note: if you changed the password during installation, type the new password)

4. Click on Login to log into the cockpit

5. Once logged in successfully, click on APPLICATIONS tab

6. Click on the New button to create a new application for our OData back-end Endpoint as shown below:

7. Once you click on the New button, you should see the following screen below, fill up with the information that is shown on the screen

8. Click Save when you are done

9. Now we should see the following screen

10. Provide the gateway Endpoint information under the BACK END tab:

a. We need the URL of the Endpoint

b. If the Endpoint requires authentication, select Allow anonymous access and provide the user name and password for backend authentication

c. Check rewrite

12. Click on AUTHENTICATION tab

13. Under SECURITY PROFILE, enter the name of the security profile; in our example we use “httpsCon” as the security profile name

14. Click on the New button to associate an authentication provider for our security profile

15. From the Authentication provider dropdown list, select “x.509 Certificate” and click the Create button

17. Once you are done, click the save button

18. You should see the following success message indicating everything is OK

19. Click Save again to save now the new security profile as shown below

21. You should see the following:

22. To make sure our Endpoint is working correctly, select the row by clicking on it, then click the Ping button as shown below:

23. If the Endpoint is reachable, you will get the following message below:

NOTE: In addition to the x.509 certificate authentication provider, we successfully tested this scenario with the HTTPS authentication provider. To make the HTTPS scenario work, provide the backend credentials of the OData service.

2. Add the Impersonator Role:

The Impersonator role establishes the trust relationship between the Apache reverse proxy and SAP Mobile Platform Server, allowing SAP Mobile Platform Server to accept and authenticate the user's public certificate presented in the SSL_CLIENT_HEADER over the SSL connection established by the reverse proxy. Because SMP then trusts the certificate carried in that header from any connection holding this role, map the role only to the proxy's own certificate, and make sure the proxy overwrites any SSL_CLIENT_CERT header a client may have sent (the RequestHeader set lines in the httpd.conf example in step 3 do this).

NOTE: The Impersonator role should be granted to the reverse proxy by mapping the Impersonator role to the subjectDN of the certificate that the reverse proxy uses to establish the mutually authenticated SSL connection to SAP Mobile Platform Server. When doing mutual certificate authentication directly against the SMP3 server without a relay server, the client establishes the SSL connection directly with the server, and the certificateValidationLoginModule configured in the server validates the client certificate presented to the server. The following are the steps to add the Impersonator role:

2) Now click the Details tab as shown below:

3) Click on Subject; on the details screen you will find the SubjectDN information:

b) Navigate to C:\SAP\MobilePlatform3\Server\configuration\com.sap.mobile.platform.server.security\CSI

c) Update the corresponding security role mapping file as shown below:

<DefaultMapping>
    <LogicalName>Impersonator</LogicalName>
    <MappedName>user:CN=USPHLVM1383.PHL.SAP.CORP, OU=COE, O=SAP-AG, C=DE</MappedName>
</DefaultMapping>

NOTE:

- The Mapped Name must start with user:
- The file name is derived from the security configuration name; httpsCon is my X.509 security configuration name.
- In the above example, httpsCon-role-mapping.xml is the file name, located in the CSI folder:

Troubleshooting Impersonator role errors:

The UserRoleAuthorizer.checkRole method compares the roleName “user:CN=usphlvm1383.phl.sap.corp, OU=COE, O=SAP-AG, C=DE” with the string obtained from the certificate using the Java APIs, “CN=USPHLVM1383.PHL.SAP.CORP, OU=COE, O=SAP-AG, C=DE”; if the two do not match, this results in errors. In the following error, the case does not match:

2014 07 09 21:22:45#+0200#DEBUG#com.sybase.security.core.UserRoleAuthorizer##anonymous#http-bio-8082-exec-1###UserRoleAuthorizer.checkRole(roleName=user:CN=usphlvm1383.phl.sap.corp, OU=COE, O=SAP-AG,

If you have difficulty finding the SubjectDN for the Impersonator, switch the server log to debug mode and execute a proxy request over HTTPS port 8082 (8443 via the Apache server). In the server log you will see the same DN that the SAP Mobile Platform CSI records.
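As an added example (not part of the original guide), the following Python script reproduces the exact-string comparison described above between the MappedName (minus its user: prefix) and the certificate's SubjectDN, and on a mismatch reports which kind of difference is responsible (missing prefix, spacing, case, RDN order or attribute set), so the role-mapping file can be corrected without guessing. The DN parser is a simplification that assumes no unescaped commas inside values, which holds for the DNs on this page.

```python
import re

def parse_dn(dn):
    """Split 'CN=x, OU=y, O=z, C=DE' into (TYPE, value) pairs. Attribute types are
    case-insensitive by definition and are upper-cased; values are kept as written."""
    rdns = []
    for part in re.split(r'(?<!\\),', dn):       # split on commas that are not escaped
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def check_impersonator_mapping(mapped_name, cert_subject_dn):
    """Reproduce the exact-string comparison the page attributes to UserRoleAuthorizer.checkRole
    (MappedName minus the 'user:' prefix versus the certificate's SubjectDN) and, when it fails,
    say which kind of difference caused it. Returns (ok, reason)."""
    if not mapped_name.startswith("user:"):
        return False, "MappedName must start with 'user:'"
    dn = mapped_name[len("user:"):]
    if dn == cert_subject_dn:
        return True, "exact match"
    a, b = parse_dn(dn), parse_dn(cert_subject_dn)
    if a == b:
        return False, "only spacing around ',' or '=' differs; copy the SubjectDN verbatim"
    fold = lambda rdns: [(t, v.lower()) for t, v in rdns]
    if fold(a) == fold(b):
        return False, "case mismatch only; the comparison is case-sensitive, use: " + cert_subject_dn
    if sorted(a) == sorted(b):
        return False, "same RDNs in a different order; use the order the certificate reports"
    if dict(a).keys() != dict(b).keys():
        return False, "different attribute set: %s vs %s" % (sorted(dict(a)), sorted(dict(b)))
    return False, "attribute values differ"

# Values from the page: the role mapping as logged (lower-case CN) and the SubjectDN of the certificate.
MAPPED = "user:CN=usphlvm1383.phl.sap.corp, OU=COE, O=SAP-AG, C=DE"
CERT_DN = "CN=USPHLVM1383.PHL.SAP.CORP, OU=COE, O=SAP-AG, C=DE"
```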

TIP: For further debugging of SSL handshake issues, you can add -Djavax.net.debug=ssl:handshake to your props.ini file.

3. Adjust the httpd.conf file for mutual authentication (Apache Server)

The file used by SSLProxyMachineCertificateFile in httpd.conf MUST be in PEM format. You can use openssl for the conversion by running the commands below for your server certificate (ApacheServer.crt) and root certificate (SAPNetCA.crt).

a) openssl x509 -in ApacheServer.crt -out ApacheServer.der -outform DER
b) openssl x509 -in ApacheServer.der -inform DER -out ApacheServer.pem -outform PEM
c) openssl x509 -in SAPNetCA.crt -out SAPNetCA.der -outform DER
d) openssl x509 -in SAPNetCA.der -inform DER -out SAPNetCA.pem -outform PEM

NOTE: If the server or root certificate is already in .der format, use option b) or d) to convert it into PEM format.

SSLProxyMachineCertificateFile: point it to a file containing your Apache server certificate converted to PEM (ApacheServer.pem) together with its unencrypted private key (server.key), also in PEM format (for example, append server.key to ApacheServer.pem). Apache will not start if this is not done correctly. The result looks like the following screen:
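As an added example (not part of the original guide), the following Python script performs the checks that this step and step 2d above depend on: it converts a DER certificate to PEM the way commands a) to d) do, refuses a server.key that still carries its pass phrase, and assembles the certificate-plus-key file that SSLProxyMachineCertificateFile expects. The DER and key samples are constructed placeholders, not real key material.

```python
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.S)

def der_to_pem(der_bytes, label="CERTIFICATE"):
    """What 'openssl x509 -inform DER -outform PEM' does: base64, 64 chars per line, between markers."""
    b64 = base64.b64encode(der_bytes).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)

def to_pem(data, label="CERTIFICATE"):
    """Accept DER (first byte is the ASN.1 SEQUENCE tag 0x30) or PEM bytes and return PEM text."""
    if data[:1] == b"\x30":
        return der_to_pem(data, label)
    text = data.decode("ascii")
    if not PEM_BLOCK.search(text):
        raise ValueError("input is neither DER nor PEM")
    return text if text.endswith("\n") else text + "\n"

def key_is_encrypted(key_pem):
    """True if the key still carries the pass phrase from 'openssl genrsa -des3' (step d not done):
    legacy PEM keys show 'Proc-Type: 4,ENCRYPTED', PKCS#8 keys 'BEGIN ENCRYPTED PRIVATE KEY'."""
    return "Proc-Type: 4,ENCRYPTED" in key_pem or "ENCRYPTED PRIVATE KEY" in key_pem

def build_machine_cert_file(cert_bytes, key_pem):
    """Content for SSLProxyMachineCertificateFile: the Apache server certificate (DER or PEM in)
    followed by its unencrypted private key, both PEM. Refuses an encrypted key, since mod_ssl
    would otherwise force a pass phrase dialog at startup."""
    if key_is_encrypted(key_pem):
        raise ValueError("server.key is still encrypted; run 'openssl rsa -in server.key.org -out server.key' first")
    cert_pem = to_pem(cert_bytes)
    labels = [m.group(1) for m in PEM_BLOCK.finditer(cert_pem + key_pem)]
    if "CERTIFICATE" not in labels or not any(l.endswith("PRIVATE KEY") for l in labels):
        raise ValueError("expected a CERTIFICATE block and a PRIVATE KEY block")
    return cert_pem + key_pem

def write_machine_cert_file(cert_path, key_path, out_path):
    """Assemble ApacheServer.pem on disk from the certificate and the unencrypted server.key."""
    with open(cert_path, "rb") as c, open(key_path) as k:
        content = build_machine_cert_file(c.read(), k.read())
    with open(out_path, "w") as out:
        out.write(content)
    return out_path

# Constructed stand-ins: a minimal ASN.1 SEQUENCE instead of a real DER certificate, and PEM key
# bodies of placeholder base64 (the checks here look at the PEM framing, not the key material).
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")
```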

In the following example, https://usphlvm1383.phl.sap.corp:8443/ is mapped to the following SMP nodes:
- pvs9096.wdf.sap.corp:8082
- pvs9097.wdf.sap.corp:8082

Listen 8443
<VirtualHost *:8443>
    ServerName usphlvm1383.phl.sap.corp
    SSLEngine On
    SSLProxyEngine On
    ProxyRequests Off
    ProxyPreserveHost On
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLVerifyClient require
    SSLVerifyDepth 10
    SSLCertificateFile /Apache24/conf/ApacheServer.crt
    SSLCertificateKeyFile /Apache24/conf/server.key
    SSLCACertificateFile /Apache24/conf/crts/SAPNetCA.pem
    SSLProxyCACertificateFile /Apache24/conf/crts/SAPNetCA.pem
    SSLProxyMachineCertificateFile /Apache24/conf/ApacheServer.pem
    <Proxy balancer://smpcluster>
        BalancerMember https://pvs9096.wdf.sap.corp:8082 route=SMPServerNode96
        BalancerMember https://pvs9097.wdf.sap.corp:8082 route=SMPServerNode97
        ProxySet stickysession=X-SMP-SESSID
        ProxySet lbmethod=byrequests
    </Proxy>
    # Discard any SSL_CLIENT_CERT header the client sent, then set it from the verified TLS client certificate
    RequestHeader set SSL_CLIENT_CERT ""
    RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
    ProxyPass / balancer://smpcluster/
    ProxyPassReverse / balancer://smpcluster/
    CustomLog "c:/Apache24/logs/ssl_request__LB_8082.log" "%t %h %r %s %l %p User:%u %{Foobar}i client_cert:%{SSL_CLIENT_CERT}x client_verify:%{SSL_CLIENT_VERIFY}x client_cert_dn:%{SSL_CLIENT_S_DN}x \"%r\" %b"
    LogFormat "%h %l %u %t \"%r\" %>s %b duration:%T/%D balancer:%{BALANCER_WORKER_NAME}e Changed:%{BALANCER_ROUTE_CHANGED}e Sticky:%{BALANCER_SESSION_STICKY}e"
    TransferLog /Apache24/logs/enhancedlog_8443.log
</VirtualHost>

NOTE: SSLProxyCACertificateFile is only used to verify the SMP nodes' server certificates when SSLProxyVerify is set to require; mod_ssl's default is SSLProxyVerify none, so the configuration above does not check the certificate an SMP node presents to Apache. Once the node certificates chain to SAPNetCA, add SSLProxyVerify require, and keep SSLProxyCheckPeerCN off / SSLProxyCheckPeerName off only while the node certificates do not carry the node host names, since those two directives disable host-name matching.

4. Restart the Apache Server

5. Load the .p12 client certificate into the REST client browser

For mutual authentication using client certificates, SMP/Apache needs the private keys to do the signing, and the .p12 file format is the most common way of passing around a certificate together with its private key. To test, we need a client certificate (.p12 file), which is usually provided by the security team that handles your Certificate Authority. Since the .p12 contains the private key, keep it password-protected and remove it from the test machine when you are done.

1. Load the .p12 client certificate into the personal certificate store. In Chrome, choose Settings > Show Advanced Settings > HTTPS/SSL > Manage certificates, as shown in the screen below:

2. Click the Import button:

4. Click Browse and select the .p12 file.

7. If a password exists, provide it and click Next:

Example for testing client certificates with openssl s_client (see https://www.openssl.org/docs/apps/s_client.html):

5. Verify two-way HTTPS Scenario

Validate the configuration by opening a browser and testing this URL: https://usphlvm1383.phl.sap.corp:8443

URL should return a page with this information:

6. Testing SMP OData GET operation using the Apache Server URL with port 8443

URL: https://usphlvm1383.phl.sap.corp:8443/odata.flight/
Operation = GET
X-SMP-APPCID = kola1

Apache 8443 result logs:

enhancedlog_8443.log (TransferLog, enhanced LogFormat):

10.7.119.233 - - [10/Jul/2014:00:43:27 -0400] "GET /odata.flight/ HTTP/1.1" 200 667 duration:3/3778378 balancer:https://pvs9096.wdf.sap.corp:8082 Changed:- Sticky:X-SMP-SESSID

ssl_request__LB_8082.log (CustomLog):

[10/Jul/2014:00:43:27 -0400] 10.7.119.233 GET /odata.flight/ HTTP/1.1 200 - 443 User:- - client_cert:---BEGIN CERTIFICATE--- ---END CERTIFICATE client_verify:SUCCESS client_cert_dn:CN=SUPUSER,OU=SSL Server,O=SAP-AG,C=DE "GET /odata.flight/ HTTP/1.1" 667
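As an added example (not part of the original guide), the following Python script parses the two log formats configured in the httpd.conf examples of both scenarios (the enhanced TransferLog format with duration/balancer/Changed/Sticky fields, and the CustomLog of the 8443 host with client_verify and client_cert_dn) and summarises what a reviewer of these logs looks for: requests the balancer moved off their sticky node, slow backend calls, and client certificates that did not verify. The first sample line of each list is the one above; the second is constructed.

```python
import re
from collections import Counter

# Enhanced LogFormat used by TransferLog in both virtual hosts:
# %h %l %u %t "%r" %>s %b duration:%T/%D balancer:... Changed:... Sticky:...
ENHANCED_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) duration:(?P<secs>\d+)/(?P<usecs>\d+) '
    r'balancer:(?P<worker>\S+) Changed:(?P<changed>\S+) Sticky:(?P<sticky>\S+)$')
# CustomLog of the 8443 host. The PEM blob, a FAILED:<reason> verify value and the DN
# can contain spaces, so the labelled tokens anchor the match instead of whitespace.
SSL_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<host>\S+) .*? client_verify:(?P<verify>.*?) '
    r'client_cert_dn:(?P<dn>.*?) "(?P<request>[^"]*)" (?P<bytes>\S+)$')

def parse_enhanced(line):
    """Fields of an enhanced-format line (usecs as int), or None if the line does not match."""
    m = ENHANCED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["usecs"] = int(rec["usecs"])
    return rec

def parse_ssl_request(line):
    """Fields of an ssl_request__LB_8082.log line, or None if it does not match."""
    m = SSL_RE.match(line)
    return m.groupdict() if m else None

def audit(enhanced_lines, ssl_lines, slow_usecs=5_000_000):
    """Per-worker request counts plus: requests the balancer moved to another node (sticky session
    not honoured), slow backend calls, and client certificates mod_ssl did not verify as SUCCESS."""
    out = {"per_worker": Counter(), "route_changed": [], "slow": [], "unverified": []}
    for rec in filter(None, map(parse_enhanced, enhanced_lines)):
        out["per_worker"][rec["worker"]] += 1
        if rec["changed"] != "-":   # BALANCER_ROUTE_CHANGED is logged as "-" unless the route changed
            out["route_changed"].append(rec["request"])
        if rec["usecs"] > slow_usecs:
            out["slow"].append((rec["request"], rec["usecs"]))
    for rec in filter(None, map(parse_ssl_request, ssl_lines)):
        if rec["verify"] != "SUCCESS":
            out["unverified"].append((rec["host"], rec["dn"], rec["verify"]))
    return out

# Sample input: the first line of each list is the one from the page, the second is constructed.
SAMPLE_ENHANCED = [
    '10.7.119.233 - - [10/Jul/2014:00:43:27 -0400] "GET /odata.flight/ HTTP/1.1" 200 667 duration:3/3778378 balancer:https://pvs9096.wdf.sap.corp:8082 Changed:- Sticky:X-SMP-SESSID',
    '10.7.119.233 - - [10/Jul/2014:00:44:02 -0400] "GET /odata.flight/ HTTP/1.1" 200 667 duration:6/6120044 balancer:https://pvs9097.wdf.sap.corp:8082 Changed:1 Sticky:X-SMP-SESSID',
]
SAMPLE_SSL = [
    '[10/Jul/2014:00:43:27 -0400] 10.7.119.233 GET /odata.flight/ HTTP/1.1 200 - 443 User:- - client_cert:---BEGIN CERTIFICATE--- ---END CERTIFICATE client_verify:SUCCESS client_cert_dn:CN=SUPUSER,OU=SSL Server,O=SAP-AG,C=DE "GET /odata.flight/ HTTP/1.1" 667',
    '[10/Jul/2014:00:45:10 -0400] 10.7.119.240 GET /odata.flight/ HTTP/1.1 403 - 443 User:- - client_cert:- client_verify:FAILED:self signed certificate client_cert_dn:CN=UNKNOWN,O=EXAMPLE "GET /odata.flight/ HTTP/1.1" 199',
]

def run_sample():
    return audit(SAMPLE_ENHANCED, SAMPLE_SSL)
```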

Monitoring Apache Server
