Setting a reverse proxy in a complex scenario (big network) can be frustrating.
My advice is that first you meet with the different actors: infra team (Do we need to deploy a new host?, is it a VM, a docker image,etc.), network team (make new DNS entries, is the host accessible by the users ?, who will generate the SSL certificate?), network security specialists (where to put the new host? Is there a need for it to be in DMZ?), OS specialist (linux or windows depending of the preferences), BASIS (Enable required services inside BW, check SP, notes, etc.) and explain what you are going to do, so they can understand who is responsible for what. One common mistake is to think this is a task for SAP Basis, but as you can see it's a multiple team effort.
For experimenting with this kind of setup, you can try doing this with a BW/4 deployed in Azure cloud. This will help also when doing the planning for the real environment.This is what this blog is about: Connecting SAP analytics cloud live to Bex queries in a BW/4 deployed in Azure.
Note that there is also a new way of connecting that does not require the reverse proxy, this is explained here.
See also the Document – SAP First Guidance – Implement SAP BW/4HANA in the Azure Cloud
To be able to follow this steps you should have the following:
If you don't have these 4 things, then you can refer to this steps, but you wont be able to follow them.
From this point on all the steps that I will perform are not in My PC but in the remote desktop from the Azure BW/4, except point 1, that is connecting to the remote desktop ;).
Copy the .PEM file that you should have downloaded when deploying your BW/4 Hana from CAL.SAP.COM to Azure to that remote desktop. I just sent it to my email, and opened the email in the browser in the remote desktop. (If you do not have this file you cannot continue!)
3.1 Download an install PuTTY (64-bit version) in the remote host.
3.2 Follow the instructions from here: https://wiki.scn.sap.com/wiki/display/SAPCAL/FAQ+-+General+technical+questions
The ones in this section:
How to connect to a running instance via the secure shell protocol (SSH)?
Use the following steps to generate the private key from PuTTYgen:
Now you should see:
The version of SuSE that is deployed to azure already contains an Apache httpd 2.x server installed, we just need to generate some certificates:
Using this guide I came up with this command:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/vhcala4hcs.key -out /etc/apache2/vhcala4hcs.crt
(the command is just one line)
This will generate the two files needed in folder /etc/apache2
I replied like this to the questions:
We need to modify the configuration of the Apache web server, based on this instructions:
https://help.sap.com/doc/00f68c2e08b941f081002fd3691d86a7/release/en-US/ba05acfb66d8410097cef5d134b7...
in the putty terminal type: vi /etc/apache2/httpd.conf
This will open the VIM editor with the configuration file:
Using the down cursor key go to the end of the file:
Your file should end where the purple arrow is, press I, in the lower screen you will see -- INSERT --
5.1 Copy the text from the Appendix A of this document to a notepad (always in the remote host), change your SAC hosts, then go back to putty, and right click, that will PASTE the text to the end of the configuration file.
5.2 Save the configuration file. Press ESC, then wq and Enter. (all this are VI / VIM commands that you can google if you are interested or not familiar)
5.3 now we should start the apached httpd server, type the following into putty terminal:
service apache2 start
and the you can type:
tail /var/log/messages
to confirm that the service has started
Open Firefox in the remote desktop and go to this URL:
https://vhcala4hci.dummy.nodomain/sac/sap/bw/ina/GetServerInfo
Add the security exception, since we used a self signed certificate in point 4.
You should see (it will ask for the BW password, user: developer, password: the master password you set).
Download and install chrome on the remote desktop.
Starting from step 8 all steps are carried out in the SAC webpage, using chrome running inside the remote desktop connection.
Open chrome, go to https://vhcala4hci.dummy.nodomain
Confirm the security exception. Close chrome.
Go to: https://vhcala4hci.dummy.nodomain again it will take you the SAP Analytics clouds logon page, login, then you will see:
(Notice that you have in the URL https://vhcala4hci.dummy.nodomain, but you are seeing the Analytics cloud page, the reverse proxy is working!)
8.1 Create a connection
Click:
The connection page, will appear click +
Set this parameters for the connection:
Query: 2CRVCOLAPSTATUC/2CRVCOLAPSTATUQ is included an it contains the usage statistics of the system, let's use that one.
9.1 Create a model based on query:
2CRVCOLAPSTATUQ
You will see the next screen , just press save
9.2 Create a story.
Create a story using that model, you will see the prompt of the query.
In the image is the prompt of the query in RSRT and in SAC, and then the results in both.
Prompts:
Output:
And now we have successfully setup the reverse proxy, and set up a connection to SAC.
IMPORTANT: Whenever you suspend your Azure instance, the Apache httpd service will stop.
Please execute the following command every time your instance is activated: service apache2 start from the PuTTY, like described in 5.3.
This is the piece of text you need to add the end of the file cd /etc/apache2/httpd.conf
Remember to replace the value of:
Define SAP_ANALYTICS_CLOUD u999999.eu1.sapanalytics.cloud with yours for example:
Define SAP_ANALYTICS_CLOUD u123456.eu1.sapanalytics.cloud
Copy below this line:
My advice is that first you meet with the different actors: infra team (Do we need to deploy a new host?, is it a VM, a docker image,etc.), network team (make new DNS entries, is the host accessible by the users ?, who will generate the SSL certificate?), network security specialists (where to put the new host? Is there a need for it to be in DMZ?), OS specialist (linux or windows depending of the preferences), BASIS (Enable required services inside BW, check SP, notes, etc.) and explain what you are going to do, so they can understand who is responsible for what. One common mistake is to think this is a task for SAP Basis, but as you can see it's a multiple team effort.
For experimenting with this kind of setup, you can try doing this with a BW/4 deployed in Azure cloud. This will help also when doing the planning for the real environment.This is what this blog is about: Connecting SAP analytics cloud live to Bex queries in a BW/4 deployed in Azure.
Note that there is also a new way of connecting that does not require the reverse proxy, this is explained here.
See also the Document – SAP First Guidance – Implement SAP BW/4HANA in the Azure Cloud
To be able to follow this steps you should have the following:
- SAP BW/4HANA 1.0 SP05 and BPC 11 SP01 including BW/4 Content SP02 deployed to Azure from cal.sap.com
- Be able to connect via RDP (Remote Desktop) to that host
- Have saved the .PEM file that is generated when you deploy the BW/4 to Azure
- A paid account in SAP analytics cloud (The free one (TRIAL) does not allow connections to BW)
If you don't have these 4 things, then you can refer to this steps, but you wont be able to follow them.
From this point on all the steps that I will perform are not in My PC but in the remote desktop from the Azure BW/4, except point 1, that is connecting to the remote desktop ;).
Connect to the remote desktop
2. Copy the .PEM file
Copy the .PEM file that you should have downloaded when deploying your BW/4 Hana from CAL.SAP.COM to Azure to that remote desktop. I just sent it to my email, and opened the email in the browser in the remote desktop. (If you do not have this file you cannot continue!)
3. Connect via SSH to the Linux server.
3.1 Download an install PuTTY (64-bit version) in the remote host.
3.2 Follow the instructions from here: https://wiki.scn.sap.com/wiki/display/SAPCAL/FAQ+-+General+technical+questions
The ones in this section:
How to connect to a running instance via the secure shell protocol (SSH)?
Use the following steps to generate the private key from PuTTYgen:
a. Log into your Windows operating system.
b. Run the puttygen.exe key generator file.
c. Choose Load to load the downloaded private key (.PEM file) from SAP Cloud Appliance Library.
d. Choose Save private key to save the file locally in PuTTY’s native format (*.PPK)
e. Choose Save.
3external. Log into your instance via a PuTTY client or a SSH client:
If you use the PuTTY client, use the following steps to log into your instance:
- Log into your Windows operating system.
- Run the putty.exe client file.
- From the Category tree in the PuTTY Configuration dialog box, navigate to Connection -> SSH.
- Choose Auth and then choose Browse... to select the generated PuTTY private key from your local computer (see step 3).
- Choose Open.
- In the Category tree, navigate to Session.
- In the Host Name (use this name:vhcala4hcs ) field, specify the address of your instance created in SAP Cloud Appliance Library.
- Choose Open. When the log on prompt screen is displayed, enter root.
Now you should see:
4. Generate the certificate
The version of SuSE that is deployed to azure already contains an Apache httpd 2.x server installed, we just need to generate some certificates:
Using this guide I came up with this command:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/vhcala4hcs.key -out /etc/apache2/vhcala4hcs.crt
(the command is just one line)
This will generate the two files needed in folder /etc/apache2
I replied like this to the questions:
5.Change the configuration file
We need to modify the configuration of the Apache web server, based on this instructions:
https://help.sap.com/doc/00f68c2e08b941f081002fd3691d86a7/release/en-US/ba05acfb66d8410097cef5d134b7...
in the putty terminal type: vi /etc/apache2/httpd.conf
This will open the VIM editor with the configuration file:
Using the down cursor key go to the end of the file:
Your file should end where the purple arrow is, press I, in the lower screen you will see -- INSERT --
5.1 Copy the text from the Appendix A of this document to a notepad (always in the remote host), change your SAC hosts, then go back to putty, and right click, that will PASTE the text to the end of the configuration file.
5.2 Save the configuration file. Press ESC, then wq and Enter. (all this are VI / VIM commands that you can google if you are interested or not familiar)
5.3 now we should start the apached httpd server, type the following into putty terminal:
service apache2 start
and the you can type:
tail /var/log/messages
to confirm that the service has started
6. Test the configuration
Open Firefox in the remote desktop and go to this URL:
https://vhcala4hci.dummy.nodomain/sac/sap/bw/ina/GetServerInfo
Add the security exception, since we used a self signed certificate in point 4.
You should see (it will ask for the BW password, user: developer, password: the master password you set).
7. Download and install chrome
Download and install chrome on the remote desktop.
Starting from step 8 all steps are carried out in the SAC webpage, using chrome running inside the remote desktop connection.
8. Create the connection
Open chrome, go to https://vhcala4hci.dummy.nodomain
Confirm the security exception. Close chrome.
Go to: https://vhcala4hci.dummy.nodomain again it will take you the SAP Analytics clouds logon page, login, then you will see:
(Notice that you have in the URL https://vhcala4hci.dummy.nodomain, but you are seeing the Analytics cloud page, the reverse proxy is working!)
8.1 Create a connection
Click:
The connection page, will appear click +
Set this parameters for the connection:
9. Run a query
Query: 2CRVCOLAPSTATUC/2CRVCOLAPSTATUQ is included an it contains the usage statistics of the system, let's use that one.
9.1 Create a model based on query:
2CRVCOLAPSTATUQ
You will see the next screen , just press save
9.2 Create a story.
Create a story using that model, you will see the prompt of the query.
In the image is the prompt of the query in RSRT and in SAC, and then the results in both.
Prompts:
Output:
And now we have successfully setup the reverse proxy, and set up a connection to SAC.
IMPORTANT: Whenever you suspend your Azure instance, the Apache httpd service will stop.
Please execute the following command every time your instance is activated: service apache2 start from the PuTTY, like described in 5.3.
Appendix A
This is the piece of text you need to add the end of the file cd /etc/apache2/httpd.conf
Remember to replace the value of:
Define SAP_ANALYTICS_CLOUD u999999.eu1.sapanalytics.cloud with yours for example:
Define SAP_ANALYTICS_CLOUD u123456.eu1.sapanalytics.cloud
Copy below this line:
ServerName vhcala4hci.dummy.nodomain
LoadModule ssl_module /usr/lib64/apache2-prefork/mod_ssl.so
Listen 443
SSLEngine On
SSLCertificateFile "/etc/apache2/vhcala4hcs.crt"
SSLCertificateKeyFile "/etc/apache2/vhcala4hcs.key"
SSLProxyEngine on
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off
# Second part
LoadModule proxy_module /usr/lib64/apache2-prefork/mod_proxy.so
LoadModule proxy_http_module /usr/lib64/apache2-prefork/mod_proxy_http.so
LoadModule headers_module /usr/lib64/apache2-prefork/mod_headers.so
LoadModule xml2enc_module /usr/lib64/apache2-prefork/mod_xml2enc.so
Define SAP_ANALYTICS_CLOUD u999999.eu1.sapanalytics.cloud
ProxyRequests off
ProxyPreserveHost on
RequestHeader append X-Custom-Host ${SAP_ANALYTICS_CLOUD}
# Third Part
ProxyPass /sac http://vhcala4hci:50000
ProxyPassReverse /sac http://vhcala4hci:50000
<Location /sac>
ProxyPassReverseCookiePath /sap/bw/ina/GetResponse /sac/sap/bw/ina/GetResponse
#` Header unset www-authenticate
</Location>
ProxyPass / https://${SAP_ANALYTICS_CLOUD}/
ProxyPassReverse / https://${SAP_ANALYTICS_CLOUD}/
DO NOT COPY THIS LINE
- SAP Managed Tags:
2 Comments
