SUP landscape involves multiple levels of connections when it comes to giving the access of Internal SAP servers to the External world of Internet. The Relay server which resides in a organisations DMZ, simplifies the process of the securing the connections.
But when it comes to securing the communicating protocol itself then a requirement may come to change the communication methods from http to https.
This document provides a step-by-step procedure to enabling this https protocol in SUP architecture.
Here, the considerations are as-
1. Relay server- Placed in DMZ and running on version 188.8.131.525
2. Apache as a web server installed on same Linux box where the relay server is installed
3. SUP server : SUP 2.3.3 PL01
2. Pre-Checks :
1. Port ennoblement:- The communication traffic flows with port 80 for http and with port 443 for https.
Please check well before with network and Load Balancer team if both the ports are open for external communication.
2. Required certificates : As the https protocol follows a trust relationship between client and server, a valid certificate with exact matching hostnames needs to be made available. These certificates then placed in a specified location to be able to make a successful certificate chain. The path of maintaining the certificates for chain, is managed by httpd-ssl file. if we change the default path, accordingly the path mapped in this file needs to be modified.
In general, the certificate chain is maintained as- Root Certificate -> Corporate Domain Certificate -> Corporate Service Certificate -> Server Certificate
3. Steps to perform on relay Server :
1. Take the backup of /opt/SP /apache
2. In /opt/SP/apache/conf, create directory with name “extra” if it is not present.
3. Copy the contents of “extra” directory from any other relay server in and paste in newly created directory.
Important Files in httpd-ssl.conf inside Extra directory
- SSLCertificateFile “/opt/SP/apache/conf/server.crt” : This is a combination of ‘.pem’ file generated by script and certificate .
- SSLCertificateKeyFile “/opt/SP/apache/conf/server.key” rename the ‘.pem’ file with required naming conventions
- SSLCertificateChainFile “/opt/SP/apache/conf/Corprate Service.cer” –
- SSLCACertificateFile “/opt/SP/apache/conf/Root-R1.cer”
Also, change the server name entry with current server name.
4. Changes to be made in httpd.conf file in directory /opt/SP/apache/conf –
Uncomment the module -:
# Loading SSL module
LoadModule ssl_module modules/mod_ssl.so
5. Changes to be made in rs.config in /opt/SP/apache/conf/modules directory –
Make sure to make client security OFF by doing the changes as-
#client_security = off
Put the port as 443 in the required fields to be able to establish the https protocol,
6. Once all the changes are done, it is mandatory to update the relay server by a command line update. To do that, In /opt/SP/apache/modules directory, run the command as –
./rshost -u -f rs.config
After updating the relay server changes, restart the Apache services.
Once all services started successfully check if Apache and Relay server is running with https.
By doing this, your Relay and Apache servers are now configured with both http and https protocols.
4. Settings on SUP server :
All the SUP side changes are needs to be carried out on SAP Control Center only.
1. Make the required port entries for SUP server.
2. Then in RSOE ( outbound enabler) settings, import the certificate files for desired relay servers.
3. After a successful certificate import check if the relay server status shows running with exact names of the imported certificate.
5. Testing the app with https :
The App connection is made up with a connection string name in SUP. This is to be made with mentioning as “https” to the desired connection entries.
Confirm with the developers that the App is using the connection as mentioned in above screenshot. Thus, it will ensure that the communication is working through “https” protocol.
By doing all these steps, we have successfully implemented the secure socket connections (https) in SUP Architecture.