How-to-Guide: Reverse Proxy and Load Balancing for SAP Mobile Platform 3.X


Active Global Support North America


Document History:

Document Version   Authored By   Description
1.0                Kiran Kola    Architect Engineer

Document Version   Reviewer      Description


Table of Contents

1. Business Scenarios
2. Prerequisites
3.0 SAP Mobile Platform Configuration
3.1 OData registration on SMP Platform
3.2 Testing backend OData Services through SMP Platform
3.3 SMP jvmRoute Configuration
4.0 SMP 3.0 Architecture and Apache Server Setup
4.1 Apache HTTP Server Installation
4.2 Communication protocol scenarios
4.3 Monitoring settings for Apache Server
5.0 Exposing SMP OData Services via Relay server
5.1 Registration with Sybase Hosted relay Server
5.2 RSOE setup in SMP platform
6.0 NGINX as the reverse proxy and Load balancer
6.1 Install Nginx
6.2 Nginx as Reverse Proxy and Load balancer with HTTP communication
6.3 Verifying the request is going through Nginx


1. BUSINESS SCENARIOS

SAP supports the following third-party reverse proxy solutions:
 - Apache reverse proxy for Native and Hybrid applications
 - Nginx for Agentry applications

When adding a reverse proxy, determine the mobile application types you need to support.

Application Type   Reverse Proxy
Native             Apache
Hybrid             Apache
Agentry            Nginx
MBO                RelayServer

Apache Server:

To support HTTP-based clients that are designed to consume SAP Mobile Platform Server services, customers can optionally implement an Apache reverse proxy instead of a Relay Server in their production environment. When a customer uses Apache HTTP Server as the reverse proxy and load balancer solution for SAP Mobile Platform 3.0, it is necessary to set up an environment containing all the needed resources. In this guide we illustrate how to set up an Apache server containing all the components needed to test the load balancing, failover, HTTP, one-way HTTPS and two-way HTTPS communication scenarios.

Relay Server:

The Relay Server is typically used for MBO-based applications, but it can also be used for OData applications. Section 5 illustrates how to expose SAP Mobile Platform OData services using the Hosted Relay Server.

Nginx:

Nginx (pronounced "engine-x") is an open source reverse proxy server for the HTTP, HTTPS and WebSocket protocols, as well as a load balancer. Nginx supports WebSockets by allowing a tunnel to be set up between a client and the backend servers. Nginx is typically used for SAP Agentry-based applications.

Differences between the Apache and Nginx servers can be found at the following link: http://www.wikivs.com/wiki/Apache_vs_nginx

2. PREREQUISITES

All the server names used in this document are for demonstrating end-to-end technical scenarios and for mockup purposes only. The prerequisites and software details are as follows:

Apache server

A typical use of a reverse proxy is to give mobile users access to SMP servers that sit behind the corporate firewall, so the Apache HTTP server is installed in a DMZ. In addition, the Apache HTTP server is used to balance load among several SMP back-end servers.

 - Apache Version: 2.4
 - Apache Server Node: ushplvm1383.phl.sap.corp
 - Notepad++: http://notepad-plus-plus.org/

Relay server

 - Registration with Sybase Hosted Relay Server

Nginx

 - Nginx Version: nginx-1.7.2
 - Nginx Server Node: ushplvm1384.phl.sap.corp
 - Notepad++: http://notepad-plus-plus.org/

RestClient

OData Testing Tools: a sample SAP OData Gateway service is configured on the SMP Server. To test the OData services, any of the following REST client tools can be used:

 - Chrome Postman
 - Firefox RESTClient
 - SOAPUI Tool

Assumptions:

 - For SSL configuration, self-signed certificates are not used in the examples below; we used an internal SAP CA to sign all server and client certificates
 - SMP 3.0 Cluster Installation is done prior to this setup
 - Relay server installation is done prior to this setup (if a hosted solution is not in scope)

3.0 SAP MOBILE PLATFORM CONFIGURATION

SMP Platform cluster installation is not covered in this document. Refer to the installation documentation for how to install and configure SMP 3.0 in a cluster environment.

3.1 OData Registration on SMP Platform

In this section we cover OData registration on SMP and testing the OData service with a REST client, in the following steps:

a) Login to SMP Management Cockpit
b) Provide application details
c) Provide OData details
d) Provide Authentication Profile details
e) Provide Authentication Provider details

Configuring the OData application

1. Open a web browser (e.g. Chrome or any web browser that supports HTML5)
2. Type the cockpit URL address (e.g. https://<host-name>:8083/Admin)
3. Enter the user ID and password. By default:
   a. userID: smpAdmin
   b. password: s3pAdmin (Note: if you changed the password during installation, type the new password)
4. Click on Login to log into the cockpit
5. Once logged in successfully, click on the APPLICATIONS tab
6. Click on the New button to create a new application for our OData back-end Endpoint as shown below:
7. Once you click on the New button, you should see the screen below; fill it in with the information shown on the screen

8. Click Save when you are done
9. Now we should see the following screen
10. Provide the gateway Endpoint information under the BACK END tab
    a. We need the URL of the Endpoint
    b. If the Endpoint requires authentication, select Allow anonymous access and provide the user name and password for backend authentication
    c. Check Rewrite

11. The BACK END tab information should look like the screen below

13. Under SECURITY PROFILE, enter the name of the security profile; in our example we use “httpSec” as the security profile name

15. We should see the authentication provider screen

17. We should see the following screen

18. All you have to do here is provide the URL address, which is the same as the Endpoint that we used

19. Once you are done, click the Save button

21. Click Save again to save the new security profile as shown below

22. You will be asked to confirm the update; click Yes

24. To make sure our Endpoint is working correctly, select the row as shown below by clicking on it:

25. Now click on the Ping button as shown below:

3.2 Testing backend OData Services through SMP Platform

For this test, as mentioned in the prerequisites section, we use the POSTMAN REST client to onboard the application. To do the onboarding, do the following:

1. Invoke POSTMAN RESTClient; you should see something similar to the screen below if this is a fresh installation of POSTMAN RESTClient
2. The first thing we need to do is provide the URL of any one of the SMP cluster nodes; the URL should look like this:

http://<host-name>:8080/odata/applications/latest/odata.flight/Connections

   b. You should see the following:
   c. In the header field, type Content-Type as shown below:
   d. For the Content-Type value, type application/atom+xml;charset=utf-8; now you should see something like the screen below:

5. Provide OData credentials:

   b. Type the OData Endpoint user ID and password:
   c. Now click Refresh headers; you should see the following:

6. If you want to associate a custom ID when you register your application, you can add the header X-SMP-APPCID to the header section with any value. Or you can leave it out, and SMP will associate a GUID with it. For this test we provide a custom ID: for registration purposes, set X-SMP-APPCID = KOLAIDS. To do that, do the following:

7. In the header section as shown below, type the header X-SMP-APPCID:

8. Now we need to provide a body; click on the raw tab as shown below:

9. In the body section, paste the following XML code:

<?xml version="1.0" encoding="UTF-8"?>
<entry xml:base="http://pvs9096.wdf.sap.corp:8080/odata/applications/latest/odata.flight/Connections"
       xmlns="http://www.w3.org/2005/Atom"
       xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata"
       xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices">
  <content type="application/xml">
    <m:properties>
      <d:DeviceType>Windows</d:DeviceType>
    </m:properties>
  </content>
</entry>

NOTE: the Authorization Basic value may vary, since your user ID and password may not be the same as our credentials.

11. Test the service: click the Send button. If everything goes well, you should see the following, which indicates the application is successfully registered on the SMP server.

URL: http://pvs9096.wdf.sap.corp:8080/odata.flight/
Operation = GET
Authorization = Basic d2YtbW0tNDp3ZWxjb21l
X-SMP-APPCID = KOLAIDS

Click the Send button. A 200 OK status is displayed with XML output as shown below.

To validate that the registration completed on SMP, log into the SAP Management Cockpit and verify the registration count.

With this we have successfully registered and tested the backend OData service on SMP. Next we configure the jvmRoute on SMP.

3.3 SMP jvmRoute Configuration

Each SMP instance in the cluster gets an individual name, which is appended to the end of the session ID. When the load balancer sees a session ID, it reads the instance name from it and sends the request via the correct member worker. For this to work you must set the name of each SMP instance as the value of the jvmRoute attribute in the Engine element of that instance's default-server.xml. The name must be equal to the name of the corresponding load balancer member. There are three main steps:

1. Edit default-server.xml on each SMP server node, located at:
   <dir>\config_master\org.eclipse.gemini.web.tomcat\default-server.xml
2. Specify the jvmRoute as a unique string for the node, as shown below:
   For pvs9096: jvmRoute=SMPServerNode96 (make sure there is no space around the “=”)
   For pvs9097: jvmRoute=SMPServerNode97
3. Restart the SMP server

The next section covers how to use Apache as a reverse proxy and load balancer solution for the SMP 3.0 platform.

4.0 SMP 3.0 ARCHITECTURE AND APACHE SERVER SETUP

The diagram below shows the sample architecture for the SMP cluster and Apache server setup. In the following, we provide configuration steps to set up plain HTTP, one-way HTTPS and mutual authentication.

NOTE: Proxy and load balancer solutions are typically adopted in production environments, so for this implementation we consider Apache with an SMP cluster environment and ignore single-SMP-node scenarios.

4.1 Apache HTTP Server Installation

In this section, Apache server installation and configuration is illustrated in the following steps:

1. Download Apache
2. Configure Apache Server

1. Use the link to download the Apache HTTP Server: http://www.apachelounge.com/download/
   Version used: httpd-2.4.9-win64-VC11

   Prerequisite: download and install the Windows C++ 2012 runtime from Microsoft.com

   We installed Apache in C:\Apache24, so we extracted the ZIP file to the root of the C: drive. Apache can be installed anywhere on your system, but you will need to change the configuration file paths accordingly.

2. Configure Apache:
   a) cd \Apache24\bin

   Note: httpd.exe -k install -n "Apache2.4" (this installs Apache as a service)

   Port conflict scenario: because Apache cannot share a port with another TCP/IP application, you may need to stop, uninstall or reconfigure certain other services (for example IIS) before running Apache. By default the server listens on port 80; you can change the port in the httpd.conf file.

   b) Edit the httpd.conf file using Notepad++; it is located under <Drive>\Apache24\conf\
   c) To activate them, uncomment the following modules in httpd.conf:

   A typical proxy server needs several modules enabled. Those relevant for proxying and load balancing are:

   LoadModule proxy_module modules/mod_proxy.so
     - The core module: deals with the proxy infrastructure and configuration, and manages a proxy request.
   LoadModule proxy_http_module modules/mod_proxy_http.so
     - Handles fetching documents with HTTP and HTTPS.
   LoadModule proxy_connect_module modules/mod_proxy_connect.so
     - Handles the CONNECT method for secure (SSL) tunneling.
   LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
     - Implements clustering and load balancing over multiple backends.
   LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
     - Memory provider that creates and gives access to a shared memory segment.
   LoadModule proxy_html_module modules/mod_proxy_html.so
     - Rewrites HTML links into the proxy's address space.
   LoadModule headers_module modules/mod_headers.so
     - Modifies HTTP request and response headers.
   LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
     - Distributes the requests among the various workers.
   LoadModule ssl_module modules/mod_ssl.so

4.2 Communication protocol scenarios

In this section, the following protocol communication scenarios for the Apache server are covered:

1. HTTP
2. One-way HTTPS
3. Two-way HTTPS

Scenario 1: In this section, Apache as a reverse proxy with simple load balancing over HTTP communication is covered:

1. Configure httpd.conf for plain HTTP communication
2. Restart Apache Server
3. Verify communication
4. Test SMP OData using the Apache Server URL

Proxying is achieved by writing the following two rules in your httpd.conf file:
 - ProxyPass: this directive asks the Apache server to fetch data from the SMP nodes
 - ProxyPassReverse: this directive rewrites the original URL when the traffic is sent back

In this use case we have two SMP server nodes, pvs9096 and pvs9097, that both listen on port 8080. The Apache load balancer listens on port 80 by default. The configuration sets up a load-balancing cluster called balancer://smpcluster that is bound to the two SMP nodes. The stickysession is the session affinity cookie to be used.

1. In the following HTTP examples, http://usphlvm1383.phl.sap.corp:80/ is mapped to the following SMP nodes on port 8080:
 - pvs9096.wdf.sap.corp:8080
 - pvs9097.wdf.sap.corp:8080

For each SMP node we add the unique node name that was set up in the default-server.xml file in the SMP configuration (as described in section 3.3). This configuration is necessary for session affinity to work correctly. Load balancing can be achieved with two methods: 1) the SMP session ID, or 2) Apache headers; choose the method based on the type of usage.

Method 1: httpd.conf template using SMP Session ID

Listen 80
<VirtualHost *:80>
    ProxyPreserveHost On
    ServerName usphlvm1383.phl.sap.corp
    <Proxy balancer://smpcluster>
        BalancerMember http://pvs9096.wdf.sap.corp:8080 route=SMPServerNode96
        BalancerMember http://pvs9097.wdf.sap.corp:8080 route=SMPServerNode97
        ProxySet stickysession=X-SMP-SESSID
        ProxySet lbmethod=byrequests
    </Proxy>
    ProxyPass / balancer://smpcluster/
    ProxyPassReverse / balancer://smpcluster/
    ErrorLog "C:/Apache24/logs/error.log"
    LogFormat "%h %l %u %t \"%r\" %>s %b duration:%T/%D balancer:%{BALANCER_WORKER_NAME}e Changed:%{BALANCER_ROUTE_CHANGED}e Sticky:%{BALANCER_SESSION_STICKY}e"
    TransferLog /Apache24/logs/enhancedlog.log
</VirtualHost>

Method 2: httpd.conf template using Apache Headers

Listen 80
<VirtualHost *:80>
    ProxyPreserveHost On
    ServerName usphlvm1383.phl.sap.corp
    Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED
    <Proxy balancer://smpcluster>
        BalancerMember http://pvs9096.wdf.sap.corp:8080 route=SMPServerNode96
        BalancerMember http://pvs9097.wdf.sap.corp:8080 route=SMPServerNode97
        ProxySet stickysession=ROUTEID
        ProxySet lbmethod=byrequests
    </Proxy>
    ProxyPass / balancer://smpcluster/
    ProxyPassReverse / balancer://smpcluster/
    ErrorLog "C:/Apache24/logs/error.log"
    LogFormat "%h %l %u %t \"%r\" %>s %b duration:%T/%D balancer:%{BALANCER_WORKER_NAME}e Changed:%{BALANCER_ROUTE_CHANGED}e Sticky:%{BALANCER_SESSION_STICKY}e"
    TransferLog /Apache24/logs/enhancedlog.log
</VirtualHost>

NOTE: the mod_headers module is required to set headers. Refer to http://httpd.apache.org/docs/2.2/mod/mod_headers.html.

2. Restart Apache Server

3. Verify HTTP communication

Validate the configuration by opening a browser and testing this URL:
 - http://usphlvm1383.phl.sap.corp:80
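Both templates rely on the same mechanism: the route name carried in the sticky cookie (the jvmRoute suffix SMP appends to X-SMP-SESSID in Method 1, or the ROUTEID value Apache sets itself in Method 2) must match a BalancerMember route= value. The following Python is an added example, not code from this guide, from Apache or from SMP; it models how mod_proxy_balancer resolves the route from the cookie (the part after the first "." separator) and checks that the balancer's route names agree with the jvmRoute values from section 3.3. The cluster definition, jvmRoute table, cookie values and the first-member fallback are constructed for the example.

```python
"""Sticky-session route resolution as a balancer does it from a cookie (added example)."""

# Constructed cluster definition mirroring the guide's BalancerMember lines:
# the route= value must equal the jvmRoute set in each node's default-server.xml.
BALANCER_MEMBERS = {
    "SMPServerNode96": "http://pvs9096.wdf.sap.corp:8080",
    "SMPServerNode97": "http://pvs9097.wdf.sap.corp:8080",
}

# jvmRoute values as configured on the SMP nodes (constructed, matching the guide).
JVMROUTES = {"pvs9096": "SMPServerNode96", "pvs9097": "SMPServerNode97"}


def parse_cookie_header(header):
    """Split a Cookie request header ('a=1; b=2') into a name -> value dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def route_from_cookie(cookie_header, stickysession, sep="."):
    """Return the route carried by the sticky cookie, or None if absent.

    The route is everything after the first separator (default '.'), so
    'AB12CD.SMPServerNode96' (Method 1, X-SMP-SESSID) and '.SMPServerNode96'
    (Method 2, ROUTEID) both resolve to 'SMPServerNode96'.
    """
    value = parse_cookie_header(cookie_header).get(stickysession)
    if value is None or sep not in value:
        return None
    return value.split(sep, 1)[1] or None


def select_member(cookie_header, stickysession, members=BALANCER_MEMBERS):
    """Pick the backend for a request.

    Returns (member_url, route_changed). route_changed plays the role of
    BALANCER_ROUTE_CHANGED: True when no usable route was found and the balancer
    fell back to its lbmethod (here the first configured member stands in for
    byrequests; this fallback is an assumption of the example).
    """
    route = route_from_cookie(cookie_header, stickysession)
    if route in members:
        return members[route], False
    fallback_route = next(iter(members))
    return members[fallback_route], True


def check_route_names(members=BALANCER_MEMBERS, jvmroutes=JVMROUTES):
    """Report balancer routes no SMP node advertises as jvmRoute, and vice versa.

    Any entry in either list means session affinity cannot work for that node,
    because the route in the cookie will never match a BalancerMember.
    """
    configured = set(jvmroutes.values())
    missing_on_smp = sorted(set(members) - configured)
    missing_on_apache = sorted(configured - set(members))
    return missing_on_smp, missing_on_apache


if __name__ == "__main__":
    print(select_member("X-SMP-SESSID=AB12CD.SMPServerNode96", "X-SMP-SESSID"))
    print(select_member("ROUTEID=.SMPServerNode97", "ROUTEID"))
    print(select_member("", "X-SMP-SESSID"))  # no cookie yet: route changed
    print(check_route_names())
```

A case mismatch between route= and jvmRoute (for example SMPServerNode97 versus smpservernode97) shows up in check_route_names as one entry on each side, which is exactly the situation in which the log described below keeps reporting Changed:1 for every request.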


4. Testing POST operation via Apache with HTTP. Port 80 is the default HTTP port.

1. Invoke POSTMAN RESTClient
2. Provide the Apache host name in the URL with the HTTP port (80); the URL should look like this:

http://<apache-server-host>:80/odata/applications/latest/odata.flight/Connections

3. Change the operation method to POST as shown below
4. Now we need to set Content-Type = application/atom+xml;charset=utf-8; to do that, do the following:
   a. Click on Headers as shown below:
   b. In the header field, type Content-Type as shown below:
   c. For the Content-Type value, type application/atom+xml;charset=utf-8; now you should see something like the screen below:
5. Provide OData credentials:

   b. Type the OData Endpoint user ID and password
   c. Now click Refresh headers; you should see the following:

6. If you want to associate a custom ID when you register your application, you can add the header X-SMP-APPCID to the header section with any value. Or you can leave it out, and SMP will associate a GUID with it. For this test we provide a custom ID: for registration purposes, set X-SMP-APPCID = KOLAIDS. To do that, do the following:
   a. Click on the Normal tab

7. Now we need to provide a body; click on the raw tab as shown below:

8. In the body section, paste the following XML code:

<?xml version="1.0" encoding="UTF-8"?>
<entry xml:base="http://pvs9096.wdf.sap.corp:8080/odata/applications/latest/odata.flight/Connections"
       xmlns="http://www.w3.org/2005/Atom"
       xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata"
       xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices">
  <content type="application/xml">
    <m:properties>
      <d:DeviceType>Windows</d:DeviceType>
    </m:properties>
  </content>
</entry>

NOTE: the Authorization Basic value may vary, since your user ID and password may not be the same as our credentials.

10. Test the service: click the Send button. If everything goes well, you should see the following, which indicates the application is successfully registered on the SMP server.

Similarly, you can test the GET operation with the following inputs, as shown in the screen below:

URL: http://usphlvm1383.phl.sap.corp:80/odata.flight/
X-SMP-APPCID = KOLAIDS
Content-Type = application/atom+xml;charset=utf-8
Authorization = Basic d2YtbW0tNDp3ZWxjb21l

In the above case the Apache proxy server usphlvm1383 is processing the HTTP requests. Look at the response below to see whether the cookie is formed correctly.

Verify that SMP is configured correctly for session stickiness. Note that in the response, SMPServerNode96 is appended to the X-SMP-SESSID cookie.

If you are using the log format above, your logs should look something like the following in the enhancedlog.log file located under the logs folder:

The first request for a user, where the initial cookies are not yet set, shows:
    Changed:1 Sticky:-
Subsequent requests should show:
    Changed:- Sticky:X-SMP-SESSID

That means Apache read the X-SMP-SESSID cookie and was able to send the request to the correct server. If you see Changed:1 Sticky:X-SMP-SESSID, session stickiness did not work.

NOTE: The strategy above for verifying session stickiness applies to all the other Apache communication scenarios.
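Reading these Changed/Sticky pairs by eye works for a handful of requests but not for a load test. The following Python is an added example (not part of the original guide): it parses lines written by the LogFormat above and classifies each request with the three rules just stated. The log lines are constructed for the example, not captured from a real server.

```python
import re
from collections import Counter

# Field layout of the LogFormat used in the guide's httpd.conf templates:
# %h %l %u %t "%r" %>s %b duration:%T/%D balancer:<worker> Changed:<0|1|-> Sticky:<name|->
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'duration:(?P<secs>\d+)/(?P<usecs>\d+) balancer:(?P<worker>\S+) '
    r'Changed:(?P<changed>\S+) Sticky:(?P<sticky>\S+)$'
)

# Constructed sample of enhancedlog.log (not captured from a server):
# line 1: first request, no cookie yet; line 2: affinity honoured; line 3: affinity broken.
SAMPLE_LOG = """\
10.20.30.40 - - [09/Jul/2014:21:22:45 +0200] "POST /odata/applications/latest/odata.flight/Connections HTTP/1.1" 201 684 duration:0/152310 balancer:http://pvs9096.wdf.sap.corp:8080 Changed:1 Sticky:-
10.20.30.40 - - [09/Jul/2014:21:22:51 +0200] "GET /odata.flight/ HTTP/1.1" 200 2310 duration:0/48120 balancer:http://pvs9096.wdf.sap.corp:8080 Changed:- Sticky:X-SMP-SESSID
10.20.30.41 - - [09/Jul/2014:21:23:07 +0200] "GET /odata.flight/ HTTP/1.1" 200 2310 duration:0/50991 balancer:http://pvs9097.wdf.sap.corp:8080 Changed:1 Sticky:X-SMP-SESSID
"""


def parse_line(line):
    """Return the named fields of one log line, or None if it is not in this format."""
    match = LOG_RE.match(line.rstrip("\n"))
    return match.groupdict() if match else None


def classify(fields):
    """Apply the guide's rules to the Changed/Sticky pair of one request."""
    changed = fields["changed"] == "1"
    has_cookie = fields["sticky"] != "-"
    if changed and not has_cookie:
        return "new-session"      # Changed:1 Sticky:-  first request, no cookie yet
    if not changed and has_cookie:
        return "sticky-ok"        # Changed:- Sticky:X-SMP-SESSID  cookie honoured
    if changed and has_cookie:
        return "sticky-failed"    # Changed:1 Sticky:X-SMP-SESSID  cookie seen, worker switched
    return "not-balanced"         # neither variable set: request bypassed the balancer


def audit_log(text):
    """Classify every line; return (counts per class, list of failed requests)."""
    counts = Counter()
    failures = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = parse_line(line)
        if fields is None:
            counts["unparsed"] += 1
            continue
        verdict = classify(fields)
        counts[verdict] += 1
        if verdict == "sticky-failed":
            failures.append((fields["host"], fields["request"], fields["worker"]))
    return dict(counts), failures


if __name__ == "__main__":
    summary, failed = audit_log(SAMPLE_LOG)
    print(summary)
    for host, request, worker in failed:
        print("stickiness failed:", host, request, "->", worker)
```

Run it against the real file with audit_log(open(r"C:\Apache24\logs\enhancedlog.log").read()); a non-zero sticky-failed count after the first request of each client points at a route=/jvmRoute mismatch or at a cookie the client is not sending back.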

Scenario 2: In this section, Apache as a reverse proxy with simple load balancing over one-way HTTPS communication is covered:

1. SMP Platform SSL preparation
2. SSL preparation for Apache server
3. Install trusted certificates
4. Configure httpd.conf for one-way HTTPS communication
5. Restart Apache Server
6. Verify communication
7. Testing OData using the Apache Server URL (secured)

The reverse proxy and the SAP Mobile Server each use their own certificate; you can create or sign these certificates from one root certificate. In the one-way SSL scenario, only the client authenticates the server. This means that the public certificate of the Apache server needs to be configured in the trust store of the SMP Server.

1. SMP Platform SSL Preparation

keytool is a Java utility that manages a keystore of private keys and associated certificates, as well as certificates from trusted entities. SAP Mobile Platform uses a single keystore file, located at SMP_HOME\Server\configuration\smp_keystore.jks. This is the file to configure and protect. keytool is in SMP_HOME\sapjvm_7\bin.

IMPORTANT: Make sure you back up your smp_keystore.jks

a) Create a certificate request (CSR file):

keytool.exe -certreq -keyalg RSA -alias smp_crt -file pvs9097.csr -keystore C:\SAP\MobilePlatform3\Server\configuration\smp_keystore.jks -storepass empass12

NOTE: The certificate request must be signed by an authority, or self-signed, before importing it into the SMP keystore.

For a production environment, the Certificate Signing Request that you generated can be submitted to a CA to create a certificate signed by the CA.

b) Import the root certificate of the CA:

keytool -import -keystore C:\SAP\MobilePlatform3\Server\configuration\smp_keystore.jks -file C:\SAP\MobilePlatform3\sapjvm_7\bin\SAPNetCA.crt -alias TCSRootCert

c) Import the signed certificate:

keytool -import -keystore C:\SAP\MobilePlatform3\Server\configuration\smp_keystore.jks -file C:\SAP\MobilePlatform3\sapjvm_7\bin\pvs9097.crt -alias smp_crt

d) Verify the certificate upload:

keytool -list -keystore C:\SAP\MobilePlatform3\Server\configuration\smp_keystore.jks

e) Restart the SMP servers after you upload the signed certificates.

Refer to the following link for more information on keytool:
http://help.sap.com/saphelp_smp303svr/helpdata/en/7c/2eddd970061014ba46b1c4748c229b/content.htm

There is no automatic synchronization of the cluster servers' keystores; they need to be maintained manually. Import all required certificates into every cluster node's keystore, and be sure to keep all certificate aliases consistent. Use keytool to check all certificates in the keystore:

2. SSL Preparation for Apache Server

OpenSSL is used to generate an RSA private key and a CSR (Certificate Signing Request). It can also be used to generate self-signed certificates, which can be used for testing purposes or internal usage.

Depending on your operating system, download the OpenSSL software from the following link:

https://www.openssl.org/related/binaries.html

a) Generate RSA key

openssl genrsa -des3 -out server.key 2048

Enter the pass phrase twice to generate server.key: s3pAdmin

b) Create CSR file

1. Set the environment variable: set OPENSSL_CONF=c:\OpenSSL-Win64\bin\openssl.cfg
2. Issue this command:

openssl req -sha256 -out ApacheServer.csr -new -newkey rsa:2048 -nodes -keyout server.key

Country Name: CA
State or Province Name: ONTARIO
Locality Name: TORONTO
Organization Name: SAP
Organizational Unit Name: COE
Common Name: USPHLVM1383.PHL.SAP.CORP
Email Address:

Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password:
An optional company name:

c) Generate signed certificate

For production environments, the Certificate Signing Request that you generated can be submitted to a CA to create a certificate signed by the CA.

d) Remove passphrase from key

Apache will ask for the pass phrase each time the web server is started. This is not always convenient, so you can remove the passphrase from the generated key with the following commands:

1. copy server.key server.key.org
2. openssl rsa -in server.key.org -out server.key

The result is a new RSA server.key.

e) Copy server.key and ApacheServer.crt to the Apache conf directory. The location of this directory will differ depending on where Apache is installed.

3. Installing Trusted Certificates

SMP Platform:

Using keytool.exe, upload ApacheServer.crt into the SMP keystore as a trusted certificate:

keytool -import -trustcacerts -alias ApacheServer -file ApacheServer.crt -keystore smp_keystore.jks

Apache Platform:

Install the CA certificate and the SMP server certificates (pvs9096, pvs9097) onto the Apache server. For example: right-click on the certificate and add it to the Trusted Root Certificates as shown below.

4. Configuring SSL properties in httpd.conf

In the following example, https://usphlvm1383.phl.sap.corp:443/ is mapped to the following SMP nodes:
 - pvs9096.wdf.sap.corp:8081
 - pvs9097.wdf.sap.corp:8081

Listen 443
<VirtualHost *:443>
    SSLEngine On
    SSLProxyEngine On

        BalancerMember https://pvs9097.wdf.sap.corp:8081 route=SMPServerNode97
        ProxySet stickysession=X-SMP-SESSID
        ProxySet lbmethod=byrequests
    </Proxy>
    ProxyPass / balancer://smpcluster/
    ProxyPassReverse / balancer://smpcluster/
    ErrorLog "C:/Apache24/logs/error.log"
    LogFormat "%h %l %u %t \"%r\" %>s %b duration:%T/%D balancer:%{BALANCER_WORKER_NAME}e Changed:%{BALANCER_ROUTE_CHANGED}e Sticky:%{BALANCER_SESSION_STICKY}e"
    TransferLog /Apache24/logs/enhancedlog.log
</VirtualHost>

5. Restart Apache and test OData connectivity with the REST client.

6. Verify the one-way HTTPS scenario:

Validate the configuration by opening a browser and testing this URL:
 - https://usphlvm1383.phl.sap.corp:443

The URL should return a page with this information:

7. Testing POST operation via Apache with HTTPS. Port 443 is the default HTTPS port.

URL: https://usphlvm1383.phl.sap.corp:443/odata.flight/
Operation = GET

1. Invoke POSTMAN RESTClient
2. Provide the Apache host name in the URL with the HTTPS port (443); the URL should look like this

3. Change the operation method to POST as shown below
4. Now we need to set Content-Type = application/atom+xml;charset=utf-8; to do that, do the following:
   a. Click on Headers as shown below:
   b. You should see the following:
   c. In the header field, type Content-Type as shown below:
5. For the Content-Type value, type application/atom+xml;charset=utf-8; now you should see something like the screen below:

   b. Type the OData Endpoint user ID and password
   c. Now click Refresh headers; you should see the following:

7. If you want to associate a custom ID when you register your application, you can add the header X-SMP-APPCID to the header section with any value. Or you can leave it out, and SMP will associate a GUID with it. For this test we provide a custom ID: for registration purposes, set X-SMP-APPCID = KOLAIDS. To do that, do the following:
   a. Click on the Normal tab

8. In the header section as shown below, type the header X-SMP-APPCID:

10. In the body section, paste the following XML code:

<?xml version="1.0" encoding="UTF-8"?>
<entry xml:base="https://usphlvm1383.phl.sap.corp:443/odata/applications/latest/odata.flight/Connections"
       xmlns="http://www.w3.org/2005/Atom"
       xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata"
       xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices">
  <content type="application/xml">
    <m:properties>
      <d:DeviceType>Windows</d:DeviceType>
    </m:properties>
  </content>
</entry>

12. Test the service: click the Send button. If everything goes well, you should see the following, which indicates the application is successfully registered on the SMP server.

Similarly, you can test the GET operation with the following inputs, as shown in the screen below:

URL: https://usphlvm1383.phl.sap.corp:443/odata.flight/
Operation = GET
X-SMP-APPCID = KOLAIDS
Authorization = Basic d2YtbW0tNDp3ZWxjb21l

In this example the Apache proxy server usphlvm1383 is processing the HTTPS requests. Look at the response below to see whether the cookie is formed correctly.

1. Create OData connection using X.509 certificate authentication
2. Add the Impersonator role in SMP
3. Configure the httpd.conf file for mutual authentication
4. Restart Apache Server
5. Load the .p12 client certificate into the browser
6. Verify two-way mutual communication
7. Testing OData using the Apache Server URL (two-way HTTPS protocol)

In two-way SSL, the client authenticates the server and the server also authenticates the client. The public certificate of the SMP server needs to be configured in the trust store of the Apache server, and the public certificate of Apache needs to be configured in the SMP server's trust store. The SMP Server and Apache must have SSL certificates issued by an authorized certificate authority. An issued certificate includes a digital signature confirming the identities of the SMP server and the Apache server. When the Apache host sends a request to the SMP server, the SMP server verifies that Apache has an SSL certificate, and vice versa. There are six steps to achieve this task:

1. Create OData connection with X.509 Certificates

In this scenario we use the HTTPS-based flight model example as the gateway OData connection. In the following steps we create a new OData connection with X.509 certificate authentication:

a) Login to SMP Management Cockpit
b) Provide application details
c) Provide OData details
d) Provide Authentication Profile details
e) Provide Authentication Provider details

1. Open a web browser (e.g. Chrome or any web browser that supports HTML5)
2. Type the cockpit URL address (e.g. https://<host-name>:8083/Admin)
3. Enter the user ID and password. By default:
   a. userID: smpAdmin
   b. password: s3pAdmin (Note: if you changed the password during installation, type the new password)
4. Click on Login to log into the cockpit
5. Once logged in successfully, click on the APPLICATIONS tab
6. Click on the New button to create a new application for our OData back-end Endpoint as shown below:
7. Once you click on the New button, you should see the screen below; fill it in with the information shown on the screen

8. Click Save when you are done
9. Now we should see the following screen
10. Provide the gateway Endpoint information under the BACK END tab
    a. We need the URL of the Endpoint
    b. If the Endpoint requires authentication, select Allow anonymous access and provide the user name and password for backend authentication
    c. Check Rewrite

12. Click on the AUTHENTICATION tab

13. Under SECURITY PROFILE, enter the name of the security profile; in our example we use “httpsCon” as the security profile name

14. Click on the New button to associate an authentication provider with our security profile

15. From the Authentication provider dropdown list, select “x.509 Certificate” and hit the Create button

17. Once you are done, click the Save button

18. You should see the following success message indicating everything is OK

19. Click Save again to save the new security profile as shown below

21. You should see the following:

22. To make sure if our Endpoint is working correctly, select the row as shown below by clicking on it: and click on the Ping button as shown below:

23. If the Endpoint is reachable, you will get the following message below:

NOTE: In addition to x.509 certificate authentication provider, we successfully tested this scenario with HTTPS Authentication provider. To make HTTPS scenario work, provide backend credentials of the OData service. 2. Add the Impersonator Role:

The Impersonator role establishes the trust relationship between the Apache reverse proxy and SAP Mobile Platform Server allowing SAP Mobile Platform Server to accept and authenticate the user's public certificate presented in the SSL_CLIENT_HEADER over the SSL connection established by the reverse proxy.

NOTE: The Impersonator role should be granted to the reverse proxy by mapping the Impersonator role to the subjectDN of the certificate the reverse proxy uses to establish the mutual authentication SSL connection to SAP Mobile Platform Server. When doing mutual certificate authentication directly against the SMP3 server without a Relay Server, the client establishes the SSL connection directly with the server, and the certificateValidationLoginModule configured in the server validates the client certificate presented to the server.

Following are the steps to add the Impersonator role:


2) Now click Details Tab as shown below:

3) Click on the Subject field; the details screen shows the SubjectDN information:


b) Navigate to C:\SAP\MobilePlatform3\Server\configuration\com.sap.mobile.platform.server.security\CSI

c) Update the corresponding security role mapping file as shown below:

<DefaultMapping>
    <LogicalName>Impersonator</LogicalName>
    <MappedName>user:CN=USPHLVM1383.PHL.SAP.CORP, OU=COE, O=SAP-AG, C=DE</MappedName>
</DefaultMapping>

NOTE:

 The Mapped Name must start with user:

 The file name is derived from the security configuration name. httpsCon is the X.509 security configuration name in this example, so the file is ‘httpsCon-role-mapping.xml’, located in the CSI folder.

Troubleshooting Impersonator role errors:

The UserRoleAuthorizer.checkRole method compares the roleName “user:CN=usphlvm1383.phl.sap.corp, OU=COE, O=SAP-AG, C=DE” with the string obtained from the certificate using the Java APIs, “CN=USPHLVM1383.PHL.SAP.CORP, OU=COE, O=SAP-AG, C=DE”; if the two do not match, the role check fails. In the following error, the case does not match:

2014 07 09 21:22:45#+0200#DEBUG#com.sybase.security.core.UserRoleAuthorizer##anonymous#http-bio-8082-exec-1###UserRoleAuthorizer.checkRole(roleName=user:CN=usphlvm1383.phl.sap.corp, OU=COE, O=SAP-AG,


If you have difficulty finding the SubjectDN for the Impersonator mapping, set the server log to debug level and execute a proxy request against the HTTPS 8082 port (8443 via the Apache Server). The server log then shows the same DN that the SAP Mobile Platform CSI records.

Tip: for further debugging of SSL handshake issues, add -Djavax.net.debug=ssl:handshake to your props.ini file.
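The following Python script is an added example (not part of this guide) that reproduces the comparison described above: it reads the MappedName for the Impersonator role from a role-mapping file in the format shown and compares it with the subject DN string the server obtains from the reverse proxy certificate, reporting a case-only or whitespace-only difference separately from a plain mismatch. The <Mappings> wrapper element and the sample DNs are assumptions made for this example.

```python
"""Check an SMP Impersonator role mapping against the proxy certificate DN.

Added example (not part of the SAP guide). It repeats the comparison the
guide describes for UserRoleAuthorizer.checkRole: the MappedName in
<securityconfig>-role-mapping.xml must equal "user:" + the subject DN string
the server obtains from the proxy's certificate, character for character.
"""
import xml.etree.ElementTree as ET

# Constructed sample role-mapping file in the format shown in the guide.
# The <Mappings> wrapper element is an assumption made for this example.
ROLE_MAPPING_XML = """<Mappings>
  <DefaultMapping>
    <LogicalName>Impersonator</LogicalName>
    <MappedName>user:CN=usphlvm1383.phl.sap.corp, OU=COE, O=SAP-AG, C=DE</MappedName>
  </DefaultMapping>
</Mappings>
"""


def mapped_names(xml_text, logical_name="Impersonator"):
    """Return every MappedName configured for the given LogicalName."""
    root = ET.fromstring(xml_text)
    names = []
    for mapping in root.iter("DefaultMapping"):
        if mapping.findtext("LogicalName", default="").strip() == logical_name:
            mapped = mapping.findtext("MappedName", default="").strip()
            if mapped:
                names.append(mapped)
    return names


def check_impersonator(xml_text, cert_subject_dn):
    """Diagnose whether the proxy's certificate DN is granted Impersonator.

    cert_subject_dn is the DN exactly as the server logs it, for example
    "CN=USPHLVM1383.PHL.SAP.CORP, OU=COE, O=SAP-AG, C=DE".
    Returns (status, detail); status "ok" means the role will be granted.
    """
    expected = "user:" + cert_subject_dn
    names = mapped_names(xml_text)
    if not names:
        return "missing", "no MappedName for LogicalName Impersonator"
    if expected in names:
        return "ok", expected
    # No exact match: point at the most likely cause, as in the guide's
    # troubleshooting note (case differs, or the user: prefix is missing).
    for name in names:
        if not name.startswith("user:"):
            return "prefix", "MappedName must start with user: -> " + name
        if name.lower() == expected.lower():
            return "case", "case mismatch: %s != %s" % (name, expected)
        if name.replace(" ", "") == expected.replace(" ", ""):
            return "spacing", "whitespace mismatch: %s != %s" % (name, expected)
    return "mismatch", "no MappedName matches " + expected


if __name__ == "__main__":
    # DN as the server reads it from the certificate (constructed sample).
    status, detail = check_impersonator(
        ROLE_MAPPING_XML, "CN=USPHLVM1383.PHL.SAP.CORP, OU=COE, O=SAP-AG, C=DE")
    print(status, detail)
```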

3. Adjust the httpd.conf file for mutual authentication (Apache Server)

The file referenced by SSLProxyMachineCertificateFile in httpd.conf MUST be in PEM format. You can use openssl for the conversion by running the commands below for your server certificate (ApacheServer.crt) and root certificate (SAPNetCA.crt).

a) openssl x509 -in ApacheServer.crt -out ApacheServer.der -outform DER

b) openssl x509 -in ApacheServer.der -inform DER -out ApacheServer.pem -outform PEM

c) openssl x509 -in SAPNetCA.crt -out SAPNetCA.der -outform DER

d) openssl x509 -in SAPNetCA.der -inform DER -out SAPNetCA.pem -outform PEM

NOTE: If the server or root certificate is already in DER format, only step b) or d) is needed to convert it to PEM format.

SSLProxyMachineCertificateFile - point it to a file containing your Apache server certificate converted to PEM (ApacheServer.pem) together with its (unencrypted) private key (server.key) in PEM format (for example, append server.key to ApacheServer.pem). Apache won’t start if this is not done correctly. The httpd.conf configuration used for this scenario follows.

In the following example, https://usphlvm1383.phl.sap.corp:8443/ is mapped to the following SMP nodes:

 pvs9096.wdf.sap.corp:8082

 pvs9097.wdf.sap.corp:8082


Listen 8443
<VirtualHost *:8443>
    ServerName usphlvm1383.phl.sap.corp
    SSLEngine On
    SSLProxyEngine On
    ProxyRequests Off
    ProxyPreserveHost On
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLVerifyClient require
    SSLVerifyDepth 10
    SSLCertificateFile /Apache24/conf/ApacheServer.crt
    SSLCertificateKeyFile /Apache24/conf/server.key
    SSLCACertificateFile /Apache24/conf/crts/SAPNetCA.pem
    SSLProxyCACertificateFile /Apache24/conf/crts/SAPNetCA.pem
    SSLProxyMachineCertificateFile /Apache24/conf/ApacheServer.pem

    <Proxy balancer://smpcluster>
        BalancerMember https://pvs9096.wdf.sap.corp:8082 route=SMPServerNode96
        BalancerMember https://pvs9097.wdf.sap.corp:8082 route=SMPServerNode97
        ProxySet stickysession=X-SMP-SESSID
        ProxySet lbmethod=byrequests
    </Proxy>

    RequestHeader set SSL_CLIENT_CERT ""
    RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"

    ProxyPass / balancer://smpcluster/
    ProxyPassReverse / balancer://smpcluster/

    CustomLog "c:/Apache24/logs/ssl_request__LB_8082.log" "%t %h %r %s %l %p User:%u %{Foobar}i client_cert:%{SSL_CLIENT_CERT}x client_verify:%{SSL_CLIENT_VERIFY}x client_cert_dn:%{SSL_CLIENT_S_DN}x \"%r\" %b"

    LogFormat "%h %l %u %t \"%r\" %>s %b duration:%T/%D balancer:%{BALANCER_WORKER_NAME}e Changed:%{BALANCER_ROUTE_CHANGED}e Sticky:%{BALANCER_SESSION_STICKY}e"
    TransferLog /Apache24/logs/enhancedlog_8443.log
</VirtualHost>

4. Restart the Apache Server

5. Load the .p12 Client Certificate into the REST client browser

For mutual authentication using client certificates, the client needs the private key to do the signing, and the .p12 file format is the most common way of passing around a certificate together with its private key. To test, we need a client certificate (.p12 file), which is usually provided by your security team that handles the Certificate Authority.

1. Load the .p12 client certificate into the personal certificate store. In Chrome, choose Settings > Show Advanced Settings > HTTPS/SSL > Manage certificates as shown in the screen below:


2. Click the Import button:


4. Click Browse and select the .p12 file


7. If the file is password protected, provide the password and click Next:


Example for testing client certificates with openssl s_client: https://www.openssl.org/docs/apps/s_client.html

5. Verify two-way HTTPS Scenario

Validate the configuration by opening a browser and testing the following URL: https://usphlvm1383.phl.sap.corp:8443

The URL should return a page with this information:

6. Testing the SMP OData GET operation using the Apache Server URL with port 8443

URL: https://usphlvm1383.phl.sap.corp:8443/odata.flight/

Operation = GET

X-SMP-APPCID = kola1


Apache 8443 result logs (enhanced log, then the SSL request log):

10.7.119.233 - - [10/Jul/2014:00:43:27 -0400] "GET /odata.flight/ HTTP/1.1" 200 667 duration:3/3778378 balancer:https://pvs9096.wdf.sap.corp:8082 Changed:- Sticky:X-SMP-SESSID

[10/Jul/2014:00:43:27 -0400] 10.7.119.233 GET /odata.flight/ HTTP/1.1 200 - 443 User:- - client_cert:---BEGIN CERTIFICATE--- ---END CERTIFICATE client_verify:SUCCESS client_cert_dn:CN=SUPUSER,OU=SSL Server,O=SAP-AG,C=DE "GET /odata.flight/ HTTP/1.1" 667
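The following Python script is an added example (not part of this guide) that parses lines written with the enhanced LogFormat configured above (duration:%T/%D balancer:%{BALANCER_WORKER_NAME}e Changed:%{BALANCER_ROUTE_CHANGED}e Sticky:%{BALANCER_SESSION_STICKY}e) and summarizes how requests were spread over the SMP nodes, how often the balancer moved a session to another node, and how many requests failed upstream. The first sample line is the one shown above; the remaining lines are constructed for the example.

```python
"""Summarize Apache balancer activity from the enhanced TransferLog.

Added example, not part of the SAP guide. It parses lines written with the
LogFormat from the guide and reports per-node request counts, route changes
(failover events) and upstream errors, which is what you check after the
load balancing and failover tests.
"""
import re
from collections import Counter

# %h %l %u %t "%r" %>s %b duration:%T/%D balancer:... Changed:... Sticky:...
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'duration:(?P<secs>\d+)/(?P<usecs>\d+) balancer:(?P<worker>\S+) '
    r'Changed:(?P<changed>\S+) Sticky:(?P<sticky>\S+)$'
)

# First line is the one shown in the guide; the rest are constructed for
# this example (a fast request, a 503 from node 96, a failover to node 97,
# and one line in a foreign format to show how unparsable input is counted).
SAMPLE_LOG = """\
10.7.119.233 - - [10/Jul/2014:00:43:27 -0400] "GET /odata.flight/ HTTP/1.1" 200 667 duration:3/3778378 balancer:https://pvs9096.wdf.sap.corp:8082 Changed:- Sticky:X-SMP-SESSID
10.7.119.233 - - [10/Jul/2014:00:43:41 -0400] "GET /odata.flight/odata/applications/latest/odata.flight/Connections HTTP/1.1" 200 3732 duration:0/412001 balancer:https://pvs9096.wdf.sap.corp:8082 Changed:- Sticky:X-SMP-SESSID
10.7.119.233 - - [10/Jul/2014:00:44:02 -0400] "GET /odata.flight/ HTTP/1.1" 503 - duration:0/1207 balancer:https://pvs9096.wdf.sap.corp:8082 Changed:- Sticky:X-SMP-SESSID
10.7.119.233 - - [10/Jul/2014:00:44:03 -0400] "GET /odata.flight/ HTTP/1.1" 200 667 duration:0/98811 balancer:https://pvs9097.wdf.sap.corp:8082 Changed:1 Sticky:X-SMP-SESSID
this line is not in the enhanced log format
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    fields["duration_ms"] = int(fields["usecs"]) // 1000   # %D is microseconds
    fields["route_changed"] = fields["changed"] != "-"    # "-" means unset
    return fields


def summarize(lines):
    """Aggregate a sequence of log lines into a small health summary."""
    per_worker = Counter()
    summary = {"route_changes": 0, "server_errors": 0,
               "max_duration_ms": 0, "unparsed": 0}
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            summary["unparsed"] += 1
            continue
        per_worker[rec["worker"]] += 1
        if rec["route_changed"]:
            summary["route_changes"] += 1
        if rec["status"] >= 500:
            summary["server_errors"] += 1
        summary["max_duration_ms"] = max(summary["max_duration_ms"],
                                         rec["duration_ms"])
    summary["per_worker"] = dict(per_worker)
    return summary


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG.splitlines()).items():
        print(key, value)
```

Run it against the enhancedlog_8443.log written by the configuration above to confirm that both BalancerMember entries receive traffic and that Changed:1 only appears when a node was taken down.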


4.3 Monitoring settings for Apache Server

In this section, we will cover monitoring and performance tuning aspects.

Balancer manager:

This module requires the services of mod_status. The balancer manager enables dynamic updates of balancer members; you can use it to change the load balancing factor of a particular member. In addition, you can enable authentication for administrators. In the following examples, we used basic authentication over an HTTPS connection.

NOTE: The balancer-manager configuration should be part of the load balancer configuration, as shown in the example below:

Example for basic authentication:

Example for balancer manager configuration in httpd.conf file:

Listen 443
<VirtualHost *:443>
    SSLEngine On
    SSLProxyEngine On
    ProxyRequests Off
    ProxyPreserveHost On
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLCertificateFile /Apache24/conf/ApacheServer.crt
    SSLCertificateKeyFile /Apache24/conf/server.key
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    ServerName usphlvm1383.phl.sap.corp
    ErrorLog "C:/Apache24/logs/error.log"
    TransferLog "C:/Apache24/logs/access.log"

    <Proxy balancer://smpcluster>
        BalancerMember https://pvs9096.wdf.sap.corp:8081 route=SMPServerNode96
        BalancerMember https://pvs9097.wdf.sap.corp:8081 route=SMPServerNode97
        ProxySet stickysession=X-SMP-SESSID
    </Proxy>

    ProxyPass / balancer://smpcluster/
    ProxyPassReverse / balancer://smpcluster/

    CustomLog "c:/Apache24/logs/ssl_443.log" "%t %h %r %s %l %p User:%u %{Foobar}i client_cert:%{SSL_CLIENT_CERT}x client_verify:%{SSL_CLIENT_VERIFY}x client_cert_dn:%{SSL_CLIENT_S_DN}x \"%r\" %b"

    LogFormat "%h %l %u %t \"%r\" %>s %b duration:%T/%D balancer:%{BALANCER_WORKER_NAME}e Changed:%{BALANCER_ROUTE_CHANGED}e Sticky:%{BALANCER_SESSION_STICKY}e"
    TransferLog /Apache24/logs/enhancedlog.log
</VirtualHost>

URL to access: http://hostname:port/balancer-manager

When one of the worker URLs is clicked, you can dynamically change the member options as shown below.

Server Status:

The Status module allows a server administrator to find out how well their server is performing. An HTML page is presented that gives the current server statistics in an easily readable form. If required, this page can be made to refresh automatically (given a compatible browser). Another page gives a simple machine-readable list of the current server state.

Example for server status configuration in httpd.conf file:

<Location /server-status>
    SetHandler server-status
    Order Deny,Allow
    Deny from none
    Allow from all
    AuthType basic
    AuthName "Apache server-status"
    AuthUserFile /Apache24/conf/passwd-server-status
    Require valid-user
</Location>

URL to access: http:://hostname:port/server-status


5.0 EXPOSING SMP ODATA SERVICES VIA RELAY SERVER

In this section, we will test SMP 3 OData services using the hosted Sybase Relay Server. Our assumption is that you already have a Relay Server installation in place; for this exercise, we used the hosted Relay Server. Please refer to the following link for more information on subscription.

Subscribing and Connecting to Sybase Hosted Relay Service

The diagram below shows the sample architecture for the SMP cluster and hosted Relay Server communication setup. In the following, we provide the Sybase hosted relay registration details and the RSOE configuration steps to set up plain HTTP and HTTPS communication.


5.1 Registration with Sybase Hosted relay Server

For the Sybase Hosted Relay Server setup, we have three main steps:

1. Create subscription ID

2. Maintain FARM details

3. Collect configuration details

More information on the hosted Relay Server can be obtained from the following link:

http://dcx.sybase.com/index.html#1201/en/relayserver/ml-relayserver-s-4994339.html

1. First, create a subscription ID with contact details and accept the terms and conditions


2. Maintain FARM details

Click on Add New Mobilink Farm as shown below:

Provide the Farm Name and SMP Server details. Example for an SMP server node cluster:

 Farm Name: FARMODATA03

 Server Names: pvs9096, pvs9097

3. Collect configuration details

Click "configuration instructions" for the RSOE configuration details. To enable communication between SMP and the Relay Server, these configuration details are used in the rsoe.config file (on the SMP server).


5.2 RSOE setup in SMP platform

This section illustrates the RSOE setup on the SMP platform in the following steps:

1. Download rsoe files

2. Create config file for RSOE setup

3. Verify rsoe.log

4. Verify communication

5. Testing SMP OData using Relay Server URL (plain HTTP)

1. Create an rsoe folder under the SAP folder as shown below:

You need the RSOE component, which is part of Sybase SQL Anywhere (choose the build for your OS). From the Relay Server media, copy the rsoe.exe, dblgde12.dll, dblgen12.dll and rsoesupp12.dll files to the rsoe folder as shown below:

2. Create a config file (pvs9096.config) on each SMP node with the following details:

-f smp3sp03.FARMODATA03
-id pvs9096
-t 1bf5b1482ce4a8e23d7a2521eaef
-cr "host=RELAYSERVER.sybase.com;https=0;port=80;proxy_host=proxy;proxy_port=8080;url_suffix=/ias_relay_server/server/rs_server.dll"
-cs "host=localhost;port=8080"
-v 5
-o "C:\rsoe.log"


e. -o: log output; specify the path and file name for the RSOE log

3. Start the RSOE with the following command:

You can also register rsoe as a Windows service as follows:

4. Verify your configuration by checking rsoe.log:

NOTE: The same configuration is applied on the other SMP cluster nodes; repeat the above steps on all SMP nodes. HTTPS connections are also supported.

5. Verify SMP OData Services via Relay Server:

http://relayserver.sybase.com/ias_relay_server/client/rs_client.dll/<Farm-Name>/

will be redirected to your backend server (e.g. pvs9096:8080 or pvs9097:8080) as you defined it in rsoe.config.

Opening the following URL gives the result shown below:

http://relayserver.sybase.com/ias_relay_server/client/rs_client.dll/smp3sp03.FARMODATA03/


URL = http://relayserver.sybase.com/ias_relay_server/client/rs_client.dll/smp3sp03.FARMODATA03/odata.flight/odata/applications/latest/odata.flight/Connections

Operation = GET

Content-Type = application/atom+xml;charset=utf-8

Authorization = Basic aTgyNzU0NTplYXJ0aDIwMTQ=

X-SMP-APPCID = ngnixrsoe

Similarly, you can test the GET operation with the following inputs, as shown in the screen below:

URL: http://relayserver.sybase.com/ias_relay_server/client/rs_client.dll/smp3sp03.FARMODATA03/odata.flight/

X-SMP-APPCID = kola1

Authorization = Basic aTgyNzU0NTplYXJ0aDIwMTQ=

Result:


Load balancing between SMP servers and failover scenarios are also tested successfully.

In the next section, we will focus on how to use Nginx as a reverse proxy and load balancer solution for the SMP 3.0 Platform.


6.0 NGINX AS THE REVERSE PROXY AND LOAD BALANCER

The diagram below shows the sample architecture for the SMP cluster and Nginx server communication setup. In the following sections, we illustrate how to set up an Nginx server containing all the needed components for testing the reverse proxy, load balancing, HTTP and HTTPS communication scenarios.


6.1 Install Nginx

This section covers the Nginx installation setup steps:

1. Download Nginx software

2. Run Nginx.exe

3. Verify Nginx setup

1. Download Nginx from http://nginx.org/en/download.html. We are using version 1.7.3. Always download the stable version.

2. Extract the package to a directory, C:\Nginx1.7.3\

Open CMD as administrator and run Nginx.exe

We can control the service by invoking the executable with the -s parameter. Use the following syntax:

C:\nginx-1.4.4>nginx -s signal

Where signal may be one of the following:

• stop --- fast shutdown

• quit --- graceful shutdown

• reload --- reload the configuration file

• reopen --- reopen the log files

NOTE: Because Nginx cannot share the same port with another TCP/IP application, you may need to stop, uninstall or reconfigure certain other services (for example IIS) before running Nginx.exe. By default, the server listens on port 80; you can change the port in the nginx.conf file located under C:\nginx-1.7.2\nginx-1.7.2\conf\

3. Verify that the Nginx services are running by the following methods:


6.2 Nginx as Reverse Proxy and Load balancer with HTTP communication

In this section, Nginx is configured as a reverse proxy with a simple load balancing configuration using plain HTTP communication, in the following steps:

1. Configure nginx.conf for the HTTP protocol

2. Restart Nginx

3. Verify communication

4. Test OData services using the Nginx URL

1. In order to use Nginx as reverse proxy and load balancer for the SMP3 server, we need to change the nginx.conf file as follows.

server {
    listen 80;
    server_name usphlvm1384.phl.sap.corp;

    access_log D:/nginx-1.7.2/nginx-1.7.2/logs/access_80.log;
    error_log D:/nginx-1.7.2/nginx-1.7.2/logs/error_80.log;

    location / {
        proxy_pass http://backend/;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_redirect default;
        proxy_buffering off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# paste the code below after the closing brace of the server configuration
upstream backend {
    server pvs9096.wdf.sap.corp:8080;
    server pvs9097.wdf.sap.corp:8080;
}

NOTE: location / means all requests go to any of the servers listed under upstream. For information on load balancing methods, refer to the following link: http://nginx.org/en/docs/http/load_balancing.html

2. Restart the Nginx Server

3. Verify SMP communication via the Nginx Server (HTTP based)

In the following example, http://usphlvm1384.phl.sap.corp:80/ is mapped to the following SMP nodes:

 pvs9096.wdf.sap.corp:8080

 pvs9097.wdf.sap.corp:8080

4. RestClient testing of SMP OData services using the Nginx URL

URL: http://usphlvm1384.phl.sap.corp/odata.flight/

X-SMP-APPCID = kola1

Authorization = Basic aTgyNzU0NTplYXJ0aDIwMTQ=


6.3 Verifying the request is going through Nginx

To verify that the request went through Nginx when you registered, open the Nginx access log file as follows:

1. Go to the log folder. In our example it is D:/nginx-1.7.2/nginx-1.7.2/logs

2. Open the log file, whatever you named it. In our case it is called “error_80.log”

3. You should see a POST request for the registration similar to the one below:

[04/Aug/2014:10:06:43 -0700] "POST /odata/applications/latest/odata.flight/Connections HTTP/1.1" 201 3732 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36"

When accessing the OData endpoint, check the Nginx log for a GET request like the one below:

[04/Aug/2014:10:07:08 -0700] "GET /odata.flight HTTP/1.1" 200 622 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36"

6.4 Nginx as Reverse Proxy and Load balancer with HTTPS communication

In this section, Nginx is configured as a reverse proxy with a simple load balancing configuration using HTTPS communication, in the following steps:

1. SMP Platform SSL preparation

2. SSL preparation for Nginx Server

3. Install trusted certificates

4. Configure nginx.conf for the HTTPS protocol

5. Restart Nginx

6. Verify communication

7. Test OData services using the Nginx URL

To configure the Nginx server to connect to SMP with one-way SSL support, we need to prepare the certificates for the Nginx server; in the following example, we use OpenSSL to generate the server certificate and key files.

1. SMP Platform SSL Preparation

Refer to section 4.2 > Scenario 2 > Point 1

2. SSL Preparation for Nginx Server:

Depending on your operating system, download the OpenSSL software from the following link: https://www.openssl.org/source/

a) Generate an RSA key

openssl genrsa -des3 -out server.key 2048

The result is a new RSA key, server.key.

b) Create the CSR file. Like the standard SMP server certificate, we have used an RSA 2048 key signed with the sha256 signing algorithm

openssl req -sha256 -out NginxServer.csr -new -newkey rsa:2048 -nodes -keyout server.key

Country Name: CA

State or Province Name: ONTARIO

Locality Name: TORONTO

Organization Name: SAP

Organizational Unit Name: COE

c) Remove the passphrase from the private key

This is an optional step. It is done so that we don’t have to enter the password for the private key every time we restart NGINX.

copy server.key server.key.org

openssl rsa -in server.key.org -out server.key

d) Generate the signed certificate

For production environments, the Certificate Signing Request that you generated can be submitted to a CA to create a certificate signed by that CA. The result is the signed certificate (NginxServer.crt).

e) Copy server.key and NginxServer.crt to Nginx config directory. The location of this directory will differ depending on where Nginx is installed.

3. Installing Trusted Certificates

SMP Platform:

Upload NginxServer.crt into the SMP keystore as a trusted certificate:

keytool -import -trustcacerts -alias NginxServer -file NginxServer.crt -keystore smp_keystore.jks

Nginx Platform:

Install the CA certificate and the SMP server certificates (pvs9096, pvs9097) on the NGINX server. Right-click each certificate and add it to the Trusted Root Certification Authorities store as shown below.


4. Configuring SSL properties in nginx.conf

In the following example, https://usphlvm1384.phl.sap.corp:443/ is mapped to the following SMP nodes:

 pvs9096.wdf.sap.corp:8081

 pvs9097.wdf.sap.corp:8081

server {
    listen 443 ssl;
    server_name usphlvm1384.phl.sap.corp;

    ssl_certificate D:/nginx-1.7.2/nginx-1.7.2/cert/NginxServer.crt;
    ssl_certificate_key D:/nginx-1.7.2/nginx-1.7.2/cert/server.key;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 5m;

    access_log D:/nginx-1.7.2/nginx-1.7.2/logs/access_443.log;
    error_log D:/nginx-1.7.2/nginx-1.7.2/logs/error_443.log;

    root html;
    index index.html index.htm;

    location / {
        proxy_pass https://backend/;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_redirect default;
        proxy_buffering off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# paste the code below after the closing brace of the server configuration
upstream backend {
    server pvs9096.wdf.sap.corp:8081;
    server pvs9097.wdf.sap.corp:8081;
}

5. Restart the Nginx Server

6. Verify communication via the Nginx Server (HTTPS based)

7. Testing SMP OData using the Nginx URL (secured)

URL: https://usphlvm1384.phl.sap.corp/odata.flight/

X-SMP-APPCID = kola1

Authorization = Basic aTgyNzU0NTplYXJ0aDIwMTQ=


Verify the logs for HTTPS traffic as described in section 6.3.

In summary, this paper covers reverse proxy and load balancer solutions for SAP Mobile Platform using Apache, Relay Server and Nginx with HTTP, one-way HTTPS and mutual HTTPS scenarios.

© 2014 SAP SE or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see

http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for

informational purposes only, without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
