[SAP Business Technology Platform on Alibaba Cloud series] Use custom domain in SAP Business Technology Platform on Alibaba Cloud

Custom Domain Difference on Alibaba Cloud

SAP Business Technology Platform on Alibaba Cloud differs from SAP Business Technology Platform on public clouds such as AWS and Azure, and one of the biggest differences is that you need to use a custom domain in SAP Business Technology Platform on Alibaba Cloud. See the following excerpt, which refers to the Custom Guide on the Help Portal:

By default, all applications running on SAP Business Technology Platform are accessed on the default landscape domain. According to your needs, you can change the default application URL by configuring additional application domains.

The URL for an application deployed on SAP Business Technology Platform in the Cloud Foundry environment is https://<application>.cfapps.<region>.hana.ondemand.com. The domain depends on your location, in the European region, for example, the domain is cfapps.eu10.hana.ondemand.com. So, if you’re deploying an application with the name “myapp”, the default application URL is https://myapp.cfapps.eu10.hana.ondemand.com.

Running on the China (Shanghai) region:

There’s no default URL available in China, therefore you can’t deploy an application without configuring a custom domain first. Please refer to the related information link on how to use custom domains.

From the above, there are two points to note for an application running in SAP Business Technology Platform on Alibaba Cloud:

  • You need a custom domain that is ready to use
  • You need to configure an application route for your application in SAP Business Technology Platform on Alibaba Cloud so that the application can be reached from outside networks

Now let us walk into the world of the custom domain in SAP Business Technology Platform on Alibaba Cloud.

 

Set up Custom Domain

Download & Install Cloud Foundry Command Line Interface

To install the Custom Domain plugin, you first need the Cloud Foundry command line interface. See https://github.com/cloudfoundry/cli#getting-started for more detail.

 

Download & Install Custom Domain plugin

You can go to https://tools.hana.ondemand.com/#cloud and download the plugin for your operating system.

You can refer to https://docs.cloudfoundry.org/cf-cli/use-cli-plugins.html#plugin-install to install the plugin.

Run the command below to verify that the Custom Domain plugin was installed successfully:

cf plugins

 

 

Configure Custom Domain

Prerequisites

  • You should have a subaccount in SAP Business Technology Platform on Alibaba Cloud
  • Your subaccount should be assigned an entitlement with quota for the custom domain service

Flow Chart

See below for the flow chart to create & use Custom Domain:

 

The following processes are not described:

  • buy Custom Domain quota – please go ahead with your own subaccount and buy the custom domain certificate service
  • buy domain name – please go ahead and buy a domain name from the Domain Provider

In this article, the sample custom domain is “samples.canaryac.apps.k.vlab-sapcloudplatformdev.cn“.

 

Login to the SAP Business Technology Platform via CLI (Command Line Interface)

To use Custom Domain, you first need to run ‘cf login’ in the Cloud Foundry command line interface.

To log in to the canary landscape of SAP Business Technology Platform on Alibaba Cloud, run the commands below:

# Set up the api endpoint to point to the canary landscape of SAP Cloud Platform on AliCloud
cf api https://api.cf.canaryac.vlab-sapcloudplatformdev.cn

# Login to the SAP Cloud Platform
cf login

 

Create Custom Domain service

Before you create the custom domain service, your subaccount must already have been assigned quota for the custom domain service.

Run the command below to create the custom domain service.

# Create a custom domain service instance (service 'INFRA', plan 'custom_domains')
cf create-service INFRA custom_domains <give-it-a-name-for-your-expected-custom-domain-service-here>

 

Create private domain in selected organization

In the steps above you logged in to the SAP Business Technology Platform and created the custom domain service. Now it is time to create the custom domain.

First plan where the custom domain should be located. The location is given by the organization value in the command.

# Create a domain in an org for later use
# ORG - the organization you set to locate the domain
# DOMAIN - the custom domain name
cf create-domain ORG DOMAIN

 

Share custom domain with other organization

It is common to want to share a custom domain you own with other organizations, whether or not you own those organizations. The only constraint is that the target organization must be in the same region as the organization where your custom domain is located.

Run the command below to share the custom domain.

# Share a private domain with an org
# ORG - the target organization you want to share
# DOMAIN - Your private domain
cf share-private-domain ORG DOMAIN

 

Prepare the Certificate Key & CSR for the custom domain

 

Create Certificate Key for custom domain

Run the command below to create a key for the custom domain.

# Create custom domain key
# KEY - New key name
# SUBJECT - Subject name of the certificate request
# DOMAIN - Domain to be added as Subject Alternative Name in the certificate signing request
cf custom-domain-create-key KEY SUBJECT DOMAIN [DOMAIN ...] [options]

You can see below as an example for how to create key.

From above you can see the private key of sample domain “samples.canaryac.apps.k.vlab-sapcloudplatformdev.cn” was generated.

 

Generate CSR for custom domain

Run the command below to create a CSR (“certificate signing request”) for the custom domain.

# Create the CSR, ready to be submitted to the Certificate Authority
# KEY - the certificate key you generated in last step
# FILE - the name of the target .pem file
cf custom-domain-get-csr KEY [FILE] [options]

Introduction of CSR & CSP

“CSR” stands for “Certificate Signing Request”; it is the file used to request a certificate. “CSP” stands for “Cryptography Service Provider”. The CSP generates the private key and also generates the CSR, which is used to request a certificate from the Certification Authority.

The user submits the generated CSR file to the Certification Authority. The Certification Authority uses the submitted CSR file together with its own private key signature to generate the public key. The returned public key is the certificate.

From below you can see an example of how to generate CSR file.

You should copy the content between “-----BEGIN CERTIFICATE REQUEST-----” and “-----END CERTIFICATE REQUEST-----” to use later.

 

Verify the generated CSR

Run the command below to verify the generated CSR.

openssl req -noout -text -in csr.pem

 

Now you have your CSR file; later you will submit it to the Certification Authority to get the certificate.

 

Configure DNS for the custom domain

We still need to configure a DNS record to make the custom domain accessible and available on the internet. The DNS directs requests to the target address that you configured in the DNS settings.

Here we use Alibaba Cloud to configure a CNAME record for the sample domain.

 

From the above you can see that a “CNAME” record points requests for “*.samples.canaryac.apps” to the API endpoint of SAP Business Technology Platform on Alibaba Cloud (Canary environment), in which our application will run.

 

Check the DNS takes effect

Run the command below to check whether the configured DNS record works.

nslookup test.samples.canaryac.apps.k.vlab-sapcloudplatformdev.cn
# Or you can use dig instead (quote the name so the shell does not expand the *)
dig '*.samples.canaryac.apps.k.vlab-sapcloudplatformdev.cn'

 

Purchase the certificate from a Certification Authority

Now it is time to purchase the certificate from a Certification Authority such as “DigiCert”.

You can also choose a free option such as “Let’s Encrypt”.

If you want to use “Let’s Encrypt”, you can follow the links below:

Installation:

https://github.com/Neilpang/acme.sh

DNS API:

https://github.com/Neilpang/acme.sh/wiki/dnsapi

Either way, the Certification Authority returns the certificate PEM file to you.

Certificate files returned by Certification Authority

The Certification Authority gives you the following two types of files (taking DigiCert as an example):

  • DigiCert Intermediate Certificate
  • DigiCert Global Root CA.pem

 

Consolidate the certificate files

Consolidate the following three files into a single file as the final certificate file:

  • CSR file of your custom domain – generated by yourself
  • DigiCert Intermediate Certificate – get from Certification Authority
  • DigiCert Global Root CA.pem – get from Certification Authority

Give the final certificate file a name like “<your-domain-name>-chain.pem”.
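
A pre-upload check on the consolidated file, as an added example that is not part of the original article or of the Custom Domain plugin: it lists the PEM block types in the bundle and accepts it only when every block is a signed certificate (CERTIFICATE), since a CSR (CERTIFICATE REQUEST) and a private key are different PEM types. The function names, file names and placeholder base64 bodies are constructed for illustration.

```shell
# Added example: inspect only the BEGIN/END markers of a PEM bundle.

# Print "<index> <type>" per PEM block; non-zero exit on malformed markers.
pem_block_types() {
    awk '
        /^-----BEGIN [A-Z0-9 ]+-----[ \t\r]*$/ {
            if (cur != "") { print "ERROR nested BEGIN inside " cur; bad = 1 }
            cur = $0
            sub(/^-----BEGIN /, "", cur); sub(/-----[ \t\r]*$/, "", cur)
            n++; next
        }
        /^-----END [A-Z0-9 ]+-----[ \t\r]*$/ {
            t = $0
            sub(/^-----END /, "", t); sub(/-----[ \t\r]*$/, "", t)
            if (t != cur) { print "ERROR END " t " without matching BEGIN"; bad = 1 }
            else print n, t
            cur = ""; next
        }
        END {
            if (cur != "") { print "ERROR unterminated " cur; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Return 0 only if the file holds one or more blocks, all of type CERTIFICATE.
pem_chain_lint() {
    types=$(pem_block_types "$1") || { echo "$types"; return 1; }
    [ -n "$types" ] || { echo "no PEM blocks in $1"; return 1; }
    other=$(printf '%s\n' "$types" | grep -Ev '^[0-9]+ CERTIFICATE$' || true)
    if [ -n "$other" ]; then
        echo "not certificates (index type):"; echo "$other"; return 1
    fi
    echo "ok: $(printf '%s\n' "$types" | grep -c .) CERTIFICATE block(s)"
}

# Constructed samples: placeholder base64 bodies, not real certificates.
write_samples() {
    b="Q09OU1RSVUNURUQ="
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "$b" '-----END CERTIFICATE-----' > "$1/cert.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE REQUEST-----' "$b" '-----END CERTIFICATE REQUEST-----' > "$1/csr.pem"
    cat "$1/cert.pem" "$1/cert.pem" "$1/cert.pem" > "$1/good-chain.pem"
    cat "$1/csr.pem" "$1/cert.pem" "$1/cert.pem" > "$1/csr-chain.pem"
}

d=$(mktemp -d) && write_samples "$d"
pem_chain_lint "$d/good-chain.pem"
pem_chain_lint "$d/csr-chain.pem" || echo "csr-chain.pem rejected"
rm -rf "$d"
```

The check looks only at the markers; it does not validate signatures or the order of the chain.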

 

Now you have completed the preparation of the certificate for your custom domain. It is time to import and activate the certificate.

 

Upload and activate certificate

Upload the certificate

Run the command below to import the certificate.

# Upload the certificate
# KEY - the private key of the custom domain
# FILE - the certificate of the custom domain
cf custom-domain-upload-certificate-chain KEY FILE [options]

See below as an example:

You can also list the status of all domains and their configuration status:

cf custom-domain-list

 

Activate the certificate

Run the command below to activate the certificate.

# KEY - the private key of the custom domain
# DOMAIN - your custom domain
cf custom-domain-activate KEY DOMAIN [DOMAIN ...] [options]

See below as an example:

Run “cf custom-domain-list” again to check the status of the domain.

 

Now you have completed the configuration of the new custom domain. You can now create a new application route that uses the custom domain, so that your application can be accessed from the internet.

Resources

Custom Domain Service in SAP Cloud Platform

 

6 Comments
  • Hello,

    Thank you very much for this very detailed article.

    I am configuring the “Custom Domains” but I get an error in the next step:

    cf custom-domain-create-key gmao "CN=xxx.com, O=xx, C=FR, ST=xxx, L=xxx, OU=DSI, " "*.xxx.com"  -verbose

    Command: custom-domain-create-key
    Organisation: xxxx (xxxxx-fc009e08f04e)
    API Endpoint: https://api.cf.eu10.hana.ondemand.com
    Default API Server: https://custom-domain-certificates-api.cf.eu10.hana.ondemand.com
    Key: xxx
    Subject: CN=xxx.com, O=xx, C=FR, ST=xxx, L=xx, OU=DSI,
    Domain Names: *.xxx.com
    Are you sure to generate this key in the system? (y/N)
    y
    DEBUG:2020/11/12 16:13:51 client.go:105: POST to https://custom-domain-certificates-api.cf.eu10.hana.ondemand.com/api/v1/organizations/xxxxx-fc009e08f04e/identities
    DEBUG:2020/11/12 16:13:51 client.go:110: Request: [{ gmao CN=xxxz.com, O=xxx, C=FR, ST=xxx, L=xx, OU=DSI, [*.xxx.com] }]
    DEBUG:2020/11/12 16:13:52 client.go:131: HTTP Status: 409
    DEBUG:2020/11/12 16:13:52 client.go:132: Response: {"code":16,"message":"Domain is not registered for this ORG"}
    Domain is not registered for this ORG

    FYI, I deleted my client’s information.
    Can you help me to solve this problem?
    Best regards,

        • Hi Maher,

          I just tried on eu10 with cf7 cli, first cf create-private-domain and then cf cdck and it worked just fine.

          Can you double-check that the following two domains in red frame are identical?:

          If you find that the issue is on the service or the platform, can you comment under a blog about custom domain certificates in the global environment? -- As the environment you are using is eu10 while this blog is based on cn40 (SAP CP on AliCloud).

          Best,

          • Hello,
            I have found the solution to our problem.
            To solve this problem, the service must be created via command line.
            cf create-service INFRA custom_domains Mydomain
            Thank you for your availability

  • Unfortunately I encountered a new problem related to the upload of the certificate (generated by an authorized authority).

    In the zip sent I find the following files:

    cf custom-domain-upload-certificate-chain key poc.pem

    systematically I have the following answer

    According to SAP blogs I found the following info:

     

    1. Consolidate the certificate files

    Consolidate below three files into one single file as the final certificate file:

    • CSR file of your custom domain – generated by yourself
    • DigiCert Intermediate Certificate – get from Certification Authority
    • DigiCert Global Root CA.pem – get from Certification Authority

    Give the final certificate file a name like “<your-domain-name>-chain.pem”.

    Now you complete the preparation of the certificate of your custom domain. It is time to import and activate the certificate.

     

    Download and unzip the files locally.  You should see the 4 crt files mentioned in the email.

    You’ll need to concatenate these files together before uploading them.

    Example

    cat STAR_conciletime_com/AddTrustExternalCARoot.crt > comodo-conciletime-certchain.pem
    cat STAR_conciletime_com/USERTrustRSAAddTrustCA.crt >> comodo-conciletime-certchain.pem
    cat STAR_conciletime_com/SectigoRSADomainValidationSecureServerCA.crt >> comodo-conciletime-certchain.pem
    cat STAR_conciletime_com/STAR_conciletime_com.crt >> comodo-conciletime-certchain.pem

    Normally I should not use files that have a name that starts with p7.

    Do you have any idea on which files I should concatenate? I have checked the CSR (Command: custom-domain-get-csr) and it is equivalent to the one we sent to the authority which issued the SSL certificate

    Thanks for your help

    Best regards,