[SAP Cloud Platform on AliCloud series] Use custom domain in SAP Cloud Platform on AliCloud
Custom Domain Difference on AliCloud
SAP Cloud Platform on AliCloud differs from SAP Cloud Platform on other public clouds such as AWS and Azure, and one of the biggest differences is that you need to use a custom domain in SAP Cloud Platform on AliCloud. The following is taken from the Custom Guide on the Help portal:
By default, all applications running on SAP Cloud Platform are accessed on the default landscape domain. According to your needs, you can change the default application URL by configuring additional application domains.
The URL for an application deployed on SAP Cloud Platform in the Cloud Foundry environment is https://<application>.cfapps.<region>.hana.ondemand.com. The domain depends on your location, in the European region, for example, the domain is cfapps.eu10.hana.ondemand.com. So, if you’re deploying an application with the name “myapp”, the default application URL is https://myapp.cfapps.eu10.hana.ondemand.com.
Running on the China (Shanghai) region:
There’s no default URL available in China, therefore you can’t deploy an application without configuring a custom domain first. Please refer to the related information link on how to use custom domains.
From the above, two points follow for an application running in SAP Cloud Platform on AliCloud:
- You need a custom domain that is ready to use
- You need to configure an application route for your application in SAP Cloud Platform on AliCloud so that the application can be reached from outside networks
Now let us walk into the world of the custom domain in SAP Cloud Platform on AliCloud.
Set up Custom Domain
Download & Install Cloud Foundry Command Line Interface
To install the Custom Domain plugin, you first need the Cloud Foundry command line interface. See https://github.com/cloudfoundry/cli#getting-started for more detail.
Download & Install Custom Domain plugin
Go to https://tools.hana.ondemand.com/#cloud and download the plugin for your operating system.
See https://docs.cloudfoundry.org/cf-cli/use-cli-plugins.html#plugin-install for how to install the plugin.
Run the command below to verify whether the Custom Domain plugin was installed successfully:
Configure Custom Domain
- You should have a subaccount in SAP Cloud Platform on AliCloud
- Your subaccount should be assigned an entitlement with quota for the custom domain service
See below for the flow chart to create & use Custom Domain:
- buy Custom Domain quota – in your own subaccount, buy the custom domain certificate service
- buy domain name – buy a domain name from a domain provider
In this article, the sample custom domain is “samples.canaryac.apps.k.vlab-sapcloudplatformdev.cn“.
Login to the SAP Cloud Platform via CLI (Command Line Interface)
To use Custom Domain, you first need to run ‘cf login’ in the Cloud Foundry command line interface.
To log in to the canary landscape of SAP Cloud Platform on AliCloud, run the commands below:
# Set up the api endpoint to point to the canary landscape of SAP Cloud Platform on AliCloud
cf api https://api.cf.canaryac.vlab-sapcloudplatformdev.cn
# Login to the SAP Cloud Platform
cf login
Create Custom Domain service
Before you create the custom domain service, your subaccount must already have been assigned quota for the custom domain service.
Run the command below to create the custom domain service.
# Create a custom domain service instance (service offering 'INFRA', plan 'custom_domains')
cf create-service INFRA custom_domains <give-it-a-name-for-your-expected-custom-domain-service-here>
Create private domain in selected organization
After the steps above you are logged in to SAP Cloud Platform and have created the custom domain service. Now it is time to create the custom domain.
First plan where the custom domain should be located. The location is given by the organization value in the command.
# Create a domain in an org for later use
# ORG - the organization you set to locate the domain
# DOMAIN - the custom domain name
cf create-domain ORG DOMAIN
Share custom domain with other organization
It is common to share a custom domain you own with other organizations, whether or not you own those organizations. The only constraint is that the target organization must be in the same region as the organization where your custom domain is located.
Run the command below to share the custom domain.
# Share a private domain with an org
# ORG - the target organization you want to share
# DOMAIN - Your private domain
cf share-private-domain ORG DOMAIN
Prepare the Certificate Key & CSR for the custom domain
Create Certificate Key for custom domain
Run the command below to create the key for the custom domain.
# Create custom domain key
# KEY - New key name
# SUBJECT - Subject name of the certificate request
# DOMAIN - Domain to be added as Subject Alternative Name in the certificate signing request
cf custom-domain-create-key KEY SUBJECT DOMAIN [DOMAIN ...] [options]
See below for an example of how to create a key.
From above you can see the private key of sample domain “samples.canaryac.apps.k.vlab-sapcloudplatformdev.cn” was generated.
Generate CSR for custom domain
Run the command below to create the CSR (“certificate signing request”) for the custom domain.
# Create CSR ready for use, the CSR will submit to Certificate Authority
# KEY - the certificate key you generated in last step
# FILE - the name of the target .pem file
cf custom-domain-get-csr KEY [FILE] [options]
Introduction of CSR & CSP
“CSR” stands for “Certificate Signing Request”; it is the file used to request a certificate. “CSP” stands for “Cryptography Service Provider”. A CSP generates the private key and also generates the CSR that is used to request a certificate from a Certification Authority.
The user submits the generated CSR file to the Certification Authority. The Certification Authority uses the submitted CSR file together with its own private key signature to generate the public key. The returned public key is just the certificate.
Below you can see an example of how to generate a CSR file.
You should copy the content between “-----BEGIN CERTIFICATE REQUEST-----” and “-----END CERTIFICATE REQUEST-----” to use later.
Verify the generated CSR
Run the command below to verify the generated CSR.
openssl req -noout -text -in csr.pem
Now you have your CSR file; later you will submit this CSR file to the Certification Authority to get the certificate.
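The manual check above can be scripted before the CSR goes to the CA. The following is an added example, not part of the original post: it confirms the CSR's self-signature and that each expected domain is listed literally as a Subject Alternative Name. The function names, the locally generated throwaway CSR and its wildcard entry are assumptions for illustration; in practice csr.pem is the file written by cf custom-domain-get-csr.

```shell
#!/bin/sh
# Added example: checks to run on csr.pem before sending it to the CA.

# Print the DNS entries of the CSR's Subject Alternative Name, one per line.
csr_sans() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# csr_check FILE DOMAIN [DOMAIN ...]
# Returns 0 if the CSR's self-signature verifies and every DOMAIN is a SAN,
# 1 if the file is unreadable or the signature is bad, 2 if a SAN is missing.
csr_check() {
    csr=$1; shift
    # Match the "verify OK" text rather than the exit status, which some
    # OpenSSL versions leave at 0 even when the check fails.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || {
        echo "CSR unreadable or self-signature invalid: $csr" >&2; return 1; }
    sans=$(csr_sans "$csr")
    for d in "$@"; do
        # Literal comparison: a wildcard SAN does not satisfy a host name here.
        printf '%s\n' "$sans" | grep -Fxq -- "$d" || {
            echo "domain missing from SAN list: $d" >&2; return 2; }
    done
}

# Constructed stand-in for the CSR that cf custom-domain-get-csr writes;
# the key pair is a throwaway generated locally (needs OpenSSL 1.1.1+ for -addext).
make_sample_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2,DNS:*.$2" 2>/dev/null
}

DOMAIN=samples.canaryac.apps.k.vlab-sapcloudplatformdev.cn  # sample domain from the article
WORK=$(mktemp -d)
make_sample_csr "$WORK/csr.pem" "$DOMAIN"
csr_check "$WORK/csr.pem" "$DOMAIN" "*.$DOMAIN" && echo "CSR covers $DOMAIN"
```

Against a real CSR, call csr_check with the same DOMAIN values that were passed to cf custom-domain-create-key.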
Configure DNS for the custom domain
We still need to configure a DNS record to make the custom domain accessible and available on the internet. DNS points each request to the target address that you configure in the DNS settings.
Here we use AliCloud to configure a CNAME record for the sample domain.
From the above you can see that a “CNAME” record points requests for “*.samples.canaryac.apps” to the API endpoint of SAP Cloud Platform on AliCloud (Canary environment), within which our application runs.
Check the DNS takes effect
Run the command below to check whether the configured DNS record works.
nslookup test.samples.canaryac.apps.k.vlab-sapcloudplatformdev.cn
# Or you can also use below (quoted so the shell does not expand the *)
dig '*.samples.canaryac.apps.k.vlab-sapcloudplatformdev.cn'
Purchase the certificate from a Certification Authority
Now it is time to purchase the certificate from the Certification Authority like “DigiCert”.
You can also choose to use open source like “Let’s Encrypt” for free.
If you want to use “Let’s Encrypt” you can follow below links:
Either way, the Certification Authority returns the certificate PEM file to you.
Certificate files returned by Certification Authority
The Certification Authority gives you the two types of files below (taking DigiCert as an example):
- DigiCert Intermediate Certificate
- DigiCert Global Root CA.pem
Consolidate the certificate files
Consolidate below three files into one single file as the final certificate file:
- CSR file of your custom domain – generated by yourself
- DigiCert Intermediate Certificate – get from Certification Authority
- DigiCert Global Root CA.pem – get from Certification Authority
Give the final certificate file a name like “<your-domain-name>-chain.pem”.
You have now completed the preparation of the certificate for your custom domain. It is time to import and activate the certificate.
Upload and activate certificate
Upload the certificate
Run the command below to import the certificate.
# Upload the certificate
# KEY - the private key of the custom domain
# FILE - the certificate of the custom domain
cf custom-domain-upload-certificate-chain KEY FILE [options]
See below as an example:
You can also list the status of all domains and their configuration.
Activate the certificate
Run the command below to activate the certificate.
# KEY - the private key of the custom domain
# DOMAIN - your custom domain
cf custom-domain-activate KEY DOMAIN [DOMAIN ...] [options]
See below as an example:
Use “cf custom-domain-list” to list the domains again and check the status of the domain.
You have now completed the configuration of the new custom domain. You can create a new application route that uses the custom domain, so that your application can be accessed from the internet.