Skip to Content
Author's profile photo Vanya Maneva

Using a Custom Domain

No more long unreadable URLs for your applications running on SAP HANA Cloud Platform – you can now choose and configure your own recognizable URL.

You can set your custom URL (https://mydomain.com) instead of the default URL on the hana.ondemand.com domain (https://whatiswrongwiththisurla0c06405f.hana.ondemand.com) for any application deployed on the platform.

You just need to have custom domain quota for your account. The custom domain configuration on SAP HANA Cloud Platform is done using console client commands.

But before you start with the actual configuration on the platform, note that you need to take care of some steps that involve service providers external to SAP – domain name registrar and Certificate Authority (CA).

Buy the domain

You first need to buy the custom domain names that you want for your applications. You have a wide choice of registrars selling domain names on the market – GoDaddy.com, Hover.com, Namecheap.com, Register.com, to name a few.

Choose a CA

Another external provider you need to use is the CA that will issue the certificate for your domain. You have to get an appropriate SSL certificate to make sure your domain is trusted and all your application data is protected.

Again, there is a huge number of CAs to choose from. To save money and hassle, before buying a certificate, carefully consider the number and type of domains you want to be protected by this certificate. One certificate can be valid for a number of domains and there are various types of domains (single; wildcard; multiple, etc.).

Set up

With the actual configuration, you set up secure SSL communication and then route the traffic for your custom domain to your application on SAP HANA Cloud Platform.

Custom_Domain_setup.png

The configuration is done in the following sequence of steps:

    1. Create an SSL host.

The host holds the mapping between your chosen custom domain and the application on SAP HANA Cloud Platform as well as the SSL configuration for secure communication through this custom domain.

     2. Upload a domain certificate.

The certificate generation process starts with certificate signing request (CSR) that you generate on SAP HANA Cloud Platform and then send to a CA.

A CSR is an encoded file containing your public key and specific information that identifies your company and domain name.

Then, use the CSR to get a server certificate signed by the CA of your choice.

    • Generate CSR
    • Sign the CSR with a CA
    • Upload the certificate

     3. Bind the certificate to the SSL host.

     4. Add the custom domain

     This maps the custom domain to the application URL.

     6. Configure DNS.

Now you need to route the traffic for the custom domain to your application on SAP HANA Cloud Platform by configuring it in the Domain Name System (DNS) that you use.

The mapping is specific for the domain name provider and usually is done by modifying CNAME records using their administration tools.

You are now ready.

Check if the application is accessible on the new domain.

In your Application Dashboard in the cockpit, the new custom URL should have replaced the default one.

Assigned Tags

      23 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Former Member
      Former Member

      Hi Vanya,

      thank you very much for this very useful article.
      We just also figured that out last week by ourselves without having such a great howto description.

      Please notice that the first step (Create an SSL host) will fail for most of the customers with the following error:

      ERROR: Account does not have remaining quota!

      This is because they do not have a proper custom domain quota assigned to there HCP contract/package - it seems that this custom domain quota has to be bought in addition.

      Best regards,

      Tobias

      Author's profile photo Vanya Maneva
      Vanya Maneva
      Blog Post Author

      Hi Tobias,

      Thank you for your feedback!

      You are right, you do need custom domain quota so I have tried to emphasize on this major prerequisite both in the blog and in the documentation: SAP HANA Cloud Platform

      Best regards,

      Vanya

      Author's profile photo Vikrant Dev
      Vikrant Dev

      Hi Vanya,

      Can you please suggest if we can use the HANA Cloud Trail Account for the SSL host setup and the other steps performed above. I created a site through a template in HCP Cloud Trial version - Portal Services. Would like to align it with one custom domain name now.

      Thanks,

      Vikrant

      Author's profile photo Timothy Rockhill
      Timothy Rockhill

      Hi All,

      I am going to ask some stupid questions so please bear with me. The procedure above speaks in very general terms about "application URL".


      Can the URL for any HCP application be used?

      Is it the full URL or just the "host name" portion of the URL that is mapped to the custom domain?

      Can the portal be aliased? Again, is it just the "host name" portion of the portal URL that is mapped?

      Thank you in advance for your response(s)

      Tim Rockhill

      Author's profile photo Former Member
      Former Member

      Hi Tim,

      it's just the "host name"/"domain" portion of the URL.

      Best regards,

      Tobias

      Author's profile photo Timothy Rockhill
      Timothy Rockhill

      Thanks Tobias. Has anyone set up a custom domain for the Hana Cloud Portal? I assume that it would not behave any differently than any other HCP application.

      Author's profile photo Diyan Yordanov
      Diyan Yordanov

      Hi Tim,

      The application URL that you need to map is the hast name. Something like "myapp.hana.ondemand.com" or "yourapp-mytenant.hana.ondemand.com".

      In case of portal applications you need to provide the host and the alias, i.e. the whole path to your application.

      Regards,

      Diyan

      Author's profile photo Timothy Rockhill
      Timothy Rockhill

      Thanks Diyan. I will try that.

      Author's profile photo Former Member
      Former Member

      Can I use custom domains for HTML5 applications? The official documentation says that it is only for Java application and it doesn't make sense!

      https://help.sap.com/doc/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/7ceeaa5e528140c48ae53b68433293ba.html

      Author's profile photo Former Member
      Former Member

      Yes Wagner, you can use custom domains for HTML5. The command looks like:

      neo add-custom-domain --account abc123 --user P123xxxx --host hana.ondemand.com --custom-domain subdomain.domain.com --application-url appname-abc123.dispatcher.hana.ondemand.com --ssl-host domain.com

      I have used a wildcard certificate.

      Author's profile photo Torsten Manhardt
      Torsten Manhardt

      Hello,

      i installed a certificate and configured the binding successfully, all works fine in Chrome, Safari and IE.

      But Firefox does not accept the certicate. It seems the intermediate certificate (here from RapidSSL) is missing.

      Is it possible to install a PEM file with certifiate chain, including the intermediate certificate from CA?

      Kind Regards
      Torsten

      Author's profile photo Dragomir Anachkov
      Dragomir Anachkov

      Hi Torsten,

      Yes, you can add both the SSL and the intermediate certificate to the PEM file. To do that, use the --force parameter when you execute the upload-domain-certificate command. Also, make sure you follow this template for the file that holds the certificate data:

      -----BEGIN CERTIFICATE-----

      Your SSL certificate goes here.

      -----END CERTIFICATE-----

      -----BEGIN CERTIFICATE-----

      Your intermediate certificate goes here.

      -----END CERTIFICATE-----

      For more information, see upload-domain-certificate and Uploading an intermediate certificate.

      Best regards,

      Dragomir

      Author's profile photo Harish Babu Krishna Bharathi
      Harish Babu Krishna Bharathi

      Hi,

      Is it mandatory to avail custom domain slots from SAP Cloud platform and do the above said configurations in order to have a custom domain for my applications hosted on SAP Cloud platform? OR

      Can we achieve it by means of any other 3rd party ?

       

      Regards

      Author's profile photo Dragomir Anachkov
      Dragomir Anachkov

      Hi,

      From a security standpoint, the SAP Cloud Platform custom domain provides encryption thanks to the SSL certificate and ensures that your authentication scenarios will work properly. Therefore, you cannot use a third-party service. An alternative to the SAP Cloud Platform custom domain setup is the reverse proxy option. For more information, see Configuring Application Access via On-Premise Reverse Proxy.

      Best regards,

      Dragomir

      Author's profile photo André Wuttig
      André Wuttig

      Hwo can we achieve redirect from http://mydomain.com to https://mydomain.com to force SSL usage?

      Author's profile photo Dragomir Anachkov
      Dragomir Anachkov

      Hi André,

      By default, the redirect should happen automatically.

      Best regards,

      Dragomir

      Author's profile photo Ravindra PAWAR
      Ravindra PAWAR

      Hi,

      What should be the CNAME record for my custom domain?

      myapp.customdomain.com CNAME api.cf.eu10.hana.ondemand.com

      OR

      myapp.customdomain.com CNAME myapp.cfapps.eu10.hana.ondemand.com

      Thanks,

      Ravindra

      Author's profile photo Former Member
      Former Member

      Hello,

      Thank you very much for this very detailed article.

      I am configuring the “Custom Domains” but I get an error in the next step:

      cf custom-domain-create-key gmao “CN=xxx.com, O=xx, C=FR, ST=xxx, L=xxx, OU=DSI, ” “*.xxx.com”  -verbose

      Command: custom-domain-create-key
      Organisation: xxxx (xxxxx-fc009e08f04e)
      API Endpoint: https://api.cf.eu10.hana.ondemand.com
      Default API Server: https://custom-domain-certificates-api.cf.eu10.hana.ondemand.com
      Key: xxx
      Subject: CN=xxx.com, O=xx, C=FR, ST=xxx, L=xx, OU=DSI,
      Domain Names: *.xxx.com
      Are you sure to generate this key in the system? (y/N)
      y
      DEBUG:2020/11/12 16:13:51 client.go:105: POST to https://custom-domain-certificates-api.cf.eu10.hana.ondemand.com/api/v1/organizations/xxxxx-fc009e08f04e/identities
      DEBUG:2020/11/12 16:13:51 client.go:110: Request: [{ gmao CN=xxxz.com, O=xxx, C=FR, ST=xxx, L=xx, OU=DSI, [*.xxx.com] }]
      DEBUG:2020/11/12 16:13:52 client.go:131: HTTP Status: 409
      DEBUG:2020/11/12 16:13:52 client.go:132: Response: {“code”:16,”message”:”Domain is not registered for this ORG”}
      Domain is not registered for this ORG

      FYI, I deleted my client’s information.
      Can you help me to solve this problem?
      Best regards,

      Author's profile photo Dominik Nehse
      Dominik Nehse

      Hi Maher,

      did you create the domain first that you want to create the CSR for?

      The error message "Domain is not registered for this ORG" indicates that the domain does not exist within your Cloud Foundry org. This issue is covered by our Guided Answers for the Custom Domain service, you can find them here: https://ga.support.sap.com/dtp/viewer/index.html#/tree/2437/actions/32393:34862.

      Best regards
      Dominik

      Author's profile photo Former Member
      Former Member

      Hello,
      Thanks for your feedback.
      I managed to fix the problem.
      To avoid this error, you must create the domain on the command line and not via the cockpit

      Author's profile photo Former Member
      Former Member

      Unfortunately I encountered a new problem related to the upload of the certificate (generated by an authorized authority).

      In the zip sent I find the following files:

      cf custom-domain-upload-certificate-chain key poc.pem

      systematically I have the following answer

      According to SAP blogs I found the following info:

       

      1. Consolidate the certificate files

      Consolidate below three files into one single file as the final certificate file:

      • CSR file of your custom domain – generated by yourself
      • DigiCert Intermediate Certificate – get from Certification Authority
      • DigiCert Global Root CA.pem – get from Certification Authority

      Give the final certificate file a name like “<your-domain-name>-chain.pem”.

      Now you complete the preparation of the certificate of your custom domain. It is time to import and activate the certificate.

       

      Download and unzip the files locally.  You should see the 4 crt files mentioned in the email.

      You’ll need to concatenate these files together before uploading them.

      Exemple 

      cat STAR_conciletime_com/AddTrustExternalCARoot.crt > comodo-conciletime-certchain.pem
      cat STAR_conciletime_com/USERTrustRSAAddTrustCA.crt >> comodo-conciletime-certchain.pem
      cat STAR_conciletime_com/SectigoRSADomainValidationSecureServerCA.crt >> comodo-conciletime-certchain.pem
      cat STAR_conciletime_com/STAR_conciletime_com.crt >> comodo-conciletime-certchain.pem

      Normally I should not use files that have a name that starts with p7.

      Do you have any idea on which files I should concatenate? I have checked the CSR (Command: custom-domain-get-csr) and it is equivalent to the one we sent to the authority which issued the SSL certificate

      Thanks for your help

      Best regards,

      Author's profile photo Dominik Nehse
      Dominik Nehse

      Hi Maher,

      there are a couple of things that you can do:

      • First make sure, that the content of the certificate files is in the pem format, not PKCS7 (this is just an assumption). There is a note how you can convert the content on the SAP Help Portal.
      • Then you need to concatenate the files to have the full certificate chain in one file. Please have a look at this topic of the guided answers.
      • Third, make sure that the key and domain parameters that you used in the upload-certificate command is the same that you've used in the custom-domain-create-key command.

      Generally, you can go through the official documentation of the Custom Domain service on Cloud Foundry here, to see if your procedure was following the documentation.

      Best regards

      Dominik

      Author's profile photo Former Member
      Former Member

      it works.

      Thank you 🙂

      In the archive provided by the authority there is a file pem-1605172388-996590.pem: it is the bundle (= concatenation) of my TLS service certificate (SSL) and of the so-called intermediate issuing CA certificate.

      I concatenated the root + .pem certificate and it works.

      Thank you for your availability.

      Best regards,