Using a Custom Domain
No more long unreadable URLs for your applications running on SAP HANA Cloud Platform – you can now choose and configure your own recognizable URL.
You can set your custom URL (https://mydomain.com) instead of the default URL on the hana.ondemand.com domain (https://whatiswrongwiththisurla0c06405f.hana.ondemand.com) for any application deployed on the platform.
You just need to have custom domain quota for your account. The custom domain configuration on SAP HANA Cloud Platform is done using console client commands.
But before you start with the actual configuration on the platform, note that you need to take care of some steps that involve service providers external to SAP – domain name registrar and Certificate Authority (CA).
Buy the domain
You first need to buy the custom domain names that you want for your applications. You have a wide choice of registrars selling domain names on the market – GoDaddy.com, Hover.com, Namecheap.com, Register.com, to name a few.
Choose a CA
Another external provider you need to use is the CA that will issue the certificate for your domain. You have to get an appropriate SSL certificate to make sure your domain is trusted and all your application data is protected.
Again, there is a huge number of CAs to choose from. To save money and hassle, before buying a certificate, carefully consider the number and type of domains you want to be protected by this certificate. One certificate can be valid for a number of domains and there are various types of domains (single; wildcard; multiple, etc.).
Set up
With the actual configuration, you set up secure SSL communication and then route the traffic for your custom domain to your application on SAP HANA Cloud Platform.
The configuration is done in the following sequence of steps:
The host holds the mapping between your chosen custom domain and the application on SAP HANA Cloud Platform as well as the SSL configuration for secure communication through this custom domain.
2. Upload a domain certificate.
The certificate generation process starts with certificate signing request (CSR) that you generate on SAP HANA Cloud Platform and then send to a CA.
A CSR is an encoded file containing your public key and specific information that identifies your company and domain name.
Then, use the CSR to get a server certificate signed by the CA of your choice.
- Generate CSR
- Sign the CSR with a CA
- Upload the certificate
3. Bind the certificate to the SSL host.
This maps the custom domain to the application URL.
6. Configure DNS.
Now you need to route the traffic for the custom domain to your application on SAP HANA Cloud Platform by configuring it in the Domain Name System (DNS) that you use.
The mapping is specific for the domain name provider and usually is done by modifying CNAME records using their administration tools.
You are now ready.
Check if the application is accessible on the new domain.
In your Application Dashboard in the cockpit, the new custom URL should have replaced the default one.
Hi Vanya,
thank you very much for this very useful article.
We just also figured that out last week by ourselves without having such a great howto description.
Please notice that the first step (Create an SSL host) will fail for most of the customers with the following error:
ERROR: Account does not have remaining quota!
This is because they do not have a proper custom domain quota assigned to there HCP contract/package - it seems that this custom domain quota has to be bought in addition.
Best regards,
Tobias
Hi Tobias,
Thank you for your feedback!
You are right, you do need custom domain quota so I have tried to emphasize on this major prerequisite both in the blog and in the documentation: SAP HANA Cloud Platform
Best regards,
Vanya
Hi Vanya,
Can you please suggest if we can use the HANA Cloud Trail Account for the SSL host setup and the other steps performed above. I created a site through a template in HCP Cloud Trial version - Portal Services. Would like to align it with one custom domain name now.
Thanks,
Vikrant
Hi All,
I am going to ask some stupid questions so please bear with me. The procedure above speaks in very general terms about "application URL".
Can the URL for any HCP application be used?
Is it the full URL or just the "host name" portion of the URL that is mapped to the custom domain?
Can the portal be aliased? Again, is it just the "host name" portion of the portal URL that is mapped?
Thank you in advance for your response(s)
Tim Rockhill
Hi Tim,
it's just the "host name"/"domain" portion of the URL.
Best regards,
Tobias
Thanks Tobias. Has anyone set up a custom domain for the Hana Cloud Portal? I assume that it would not behave any differently than any other HCP application.
Hi Tim,
The application URL that you need to map is the hast name. Something like "myapp.hana.ondemand.com" or "yourapp-mytenant.hana.ondemand.com".
In case of portal applications you need to provide the host and the alias, i.e. the whole path to your application.
Regards,
Diyan
Thanks Diyan. I will try that.
Can I use custom domains for HTML5 applications? The official documentation says that it is only for Java application and it doesn't make sense!
https://help.sap.com/doc/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/7ceeaa5e528140c48ae53b68433293ba.html
Yes Wagner, you can use custom domains for HTML5. The command looks like:
neo add-custom-domain --account abc123 --user P123xxxx --host hana.ondemand.com --custom-domain subdomain.domain.com --application-url appname-abc123.dispatcher.hana.ondemand.com --ssl-host domain.com
I have used a wildcard certificate.
Hello,
i installed a certificate and configured the binding successfully, all works fine in Chrome, Safari and IE.
But Firefox does not accept the certicate. It seems the intermediate certificate (here from RapidSSL) is missing.
Is it possible to install a PEM file with certifiate chain, including the intermediate certificate from CA?
Kind Regards
Torsten
Hi Torsten,
Yes, you can add both the SSL and the intermediate certificate to the PEM file. To do that, use the --force parameter when you execute the upload-domain-certificate command. Also, make sure you follow this template for the file that holds the certificate data:
-----BEGIN CERTIFICATE-----
Your SSL certificate goes here.
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Your intermediate certificate goes here.
-----END CERTIFICATE-----
For more information, see upload-domain-certificate and Uploading an intermediate certificate.
Best regards,
Dragomir
Hi,
Is it mandatory to avail custom domain slots from SAP Cloud platform and do the above said configurations in order to have a custom domain for my applications hosted on SAP Cloud platform? OR
Can we achieve it by means of any other 3rd party ?
Regards
Hi,
From a security standpoint, the SAP Cloud Platform custom domain provides encryption thanks to the SSL certificate and ensures that your authentication scenarios will work properly. Therefore, you cannot use a third-party service. An alternative to the SAP Cloud Platform custom domain setup is the reverse proxy option. For more information, see Configuring Application Access via On-Premise Reverse Proxy.
Best regards,
Dragomir
Hwo can we achieve redirect from http://mydomain.com to https://mydomain.com to force SSL usage?
Hi André,
By default, the redirect should happen automatically.
Best regards,
Dragomir
Hi,
What should be the CNAME record for my custom domain?
myapp.customdomain.com CNAME api.cf.eu10.hana.ondemand.com
OR
myapp.customdomain.com CNAME myapp.cfapps.eu10.hana.ondemand.com
Thanks,
Ravindra
Hello,
Thank you very much for this very detailed article.
I am configuring the “Custom Domains” but I get an error in the next step:
cf custom-domain-create-key gmao “CN=xxx.com, O=xx, C=FR, ST=xxx, L=xxx, OU=DSI, ” “*.xxx.com” -verbose
Command: custom-domain-create-key
Organisation: xxxx (xxxxx-fc009e08f04e)
API Endpoint: https://api.cf.eu10.hana.ondemand.com
Default API Server: https://custom-domain-certificates-api.cf.eu10.hana.ondemand.com
Key: xxx
Subject: CN=xxx.com, O=xx, C=FR, ST=xxx, L=xx, OU=DSI,
Domain Names: *.xxx.com
Are you sure to generate this key in the system? (y/N)
y
DEBUG:2020/11/12 16:13:51 client.go:105: POST to https://custom-domain-certificates-api.cf.eu10.hana.ondemand.com/api/v1/organizations/xxxxx-fc009e08f04e/identities
DEBUG:2020/11/12 16:13:51 client.go:110: Request: [{ gmao CN=xxxz.com, O=xxx, C=FR, ST=xxx, L=xx, OU=DSI, [*.xxx.com] }]
DEBUG:2020/11/12 16:13:52 client.go:131: HTTP Status: 409
DEBUG:2020/11/12 16:13:52 client.go:132: Response: {“code”:16,”message”:”Domain is not registered for this ORG”}
Domain is not registered for this ORG
FYI, I deleted my client’s information.
Can you help me to solve this problem?
Best regards,
Hi Maher,
did you create the domain first that you want to create the CSR for?
The error message "Domain is not registered for this ORG" indicates that the domain does not exist within your Cloud Foundry org. This issue is covered by our Guided Answers for the Custom Domain service, you can find them here: https://ga.support.sap.com/dtp/viewer/index.html#/tree/2437/actions/32393:34862.
Best regards
Dominik
Hello,
Thanks for your feedback.
I managed to fix the problem.
To avoid this error, you must create the domain on the command line and not via the cockpit
Unfortunately I encountered a new problem related to the upload of the certificate (generated by an authorized authority).
In the zip sent I find the following files:
cf custom-domain-upload-certificate-chain key poc.pem
systematically I have the following answer
According to SAP blogs I found the following info:
1. Consolidate the certificate files
Consolidate below three files into one single file as the final certificate file:
Give the final certificate file a name like “<your-domain-name>-chain.pem”.
Now you complete the preparation of the certificate of your custom domain. It is time to import and activate the certificate.
Download and unzip the files locally. You should see the 4 crt files mentioned in the email.
You’ll need to concatenate these files together before uploading them.
Exemple
Normally I should not use files that have a name that starts with p7.
Do you have any idea on which files I should concatenate? I have checked the CSR (Command: custom-domain-get-csr) and it is equivalent to the one we sent to the authority which issued the SSL certificate
Thanks for your help
Best regards,
Hi Maher,
there are a couple of things that you can do:
Generally, you can go through the official documentation of the Custom Domain service on Cloud Foundry here, to see if your procedure was following the documentation.
Best regards
Dominik
it works.
Thank you 🙂
In the archive provided by the authority there is a file pem-1605172388-996590.pem: it is the bundle (= concatenation) of my TLS service certificate (SSL) and of the so-called intermediate issuing CA certificate.
I concatenated the root + .pem certificate and it works.
Thank you for your availability.
Best regards,