Configuring Apache as a Load Balancer for the EIS Back End

When you use Apache as a load balancer for the EIS back end, the configuration file settings are different from those for Apache as a load balancer on the front end.

Procedure

Configure the reverse proxy in the Apache httpd.conf file.
The httpd.conf settings must:
  • Create a mutual trust between SAP Mobile Platform and the reverse proxy.
  • Create a mutual trust between the reverse proxy and the ICM of the back-end system.
  • For incoming requests from SAP Mobile Platform, extract the variable SSL_CLIENT_CERT from the HTTP header and re-inject it into the header of the proxy pass requests.
The sample httpd.conf below illustrates the settings required. You must create the two files listed here, which the sample references:
  • gd_bundle.crt – The concatenated PEM-encoded CA certificate files, in the same sequence in which they appear in the certificate chain. To use a coupled RSA+DSA certificate pair, both certificates must be in the same certificate chain.
  • SDC_REV_PROXY_WDF.pem – The concatenated PEM-encoded certificate files, in order of preference.
For more information on the structure of these files, go to the Apache Web site, http://httpd.apache.org/ (information published on a non-SAP site), and search for the file names.
<VirtualHost XXX.XXX.XXX.XXX:44304>
  ServerName odata-XXXXX-XXXXXXX-<server_name>
  DocumentRoot <doc_root>/nothing_here
  RewriteEngine on
  
  SSLEngine On
  SSLProxyEngine On
 
  # server certificate stuff
  SSLCertificateFile <Apache_home>/ssl.crt/<server_name>.crt
  SSLCertificateKeyFile <Apache_home>/ssl.key/<server_name>.key
  SSLCertificateChainFile  <Apache_home>/ssl.crt/gd_bundle.crt
 
  # Root certificate(s) of the CA that signed the client certificate on
  # SAP Mobile Platform
  SSLCACertificateFile <Apache_home>/ssl.crt/odata_bundle.pem
  SSLVerifyClient require
  SSLVerifyDepth  2
  SSLOptions +StdEnvVars +FakeBasicAuth
 
  # Client certificate used for the mutual trust against the ICM of the back end
  SSLProxyMachineCertificateFile <Apache_home>/ssl.cliencrt/SDC_REV_PROXY_WDF.pem
  <Location />
    AuthType Basic
    AuthName "Restricted Files"
    AuthBasicProvider file
    # only allow particular client certificates from the list defined here
    AuthUserFile <Apache_home>/client-certificates-odata
    Require valid-user
    Order Deny,Allow
    Allow from all
  </Location>
 
  # The remote system SMP is also a reverse proxy and already injects the certificate
  # of the initial client request into the HTTP header. The 3 lines below read the 
  # certificate from the incoming http header in case the peer presents the correct
  # client certificate (ODATA_SMP)
  RewriteCond %{SSL:SSL_CLIENT_VERIFY} =SUCCESS
  RewriteCond %{SSL:SSL_CLIENT_S_DN} =<client_cert_subject>
  RewriteRule (.*) $1   [E=HTTP_IF_SSL_CLIENT_CERT:%{HTTP:SSL_CLIENT_CERT},NE]
 
  # Inject extracted certificate into the HTTP header of the reverse proxy request
  RequestHeader set SSL_CLIENT_CERT  ""
  RequestHeader set SSL_CLIENT_CERT "%{HTTP_IF_SSL_CLIENT_CERT}e"
 
  # Allow only a minimal URL name space to be proxied
  RewriteRule ^<SAP_home>/opu/odata/(.*)      https://YYY.YYY.YYY.YYY:61017/<SAP_home>/opu/odata/$1 [P,L,NE]
  ProxyPassReverse <SAP_home>/opu/odata/      https://YYY.YYY.YYY.YYY:61017/<SAP_home>/opu/odata/
  RewriteRule ^<SAP_home>/opu/sdata/(.*)      https://YYY.YYY.YYY.YYY:61017/<SAP_home>/opu/sdata/$1 [P,L,NE]
  ProxyPassReverse <SAP_home>/opu/sdata/      https://YYY.YYY.YYY.YYY:61017/<SAP_home>/opu/sdata/
  # Disallow anything else that does not match the above URI prefixes
  RewriteRule  .*  -  [F]
 
  ErrorLog  <Apache_log_home>/odata-XXXXX-XXXXXXX-<server_name>.error.log
  CustomLog <Apache_log_home>/odata-XXXXX-XXXXXXX-<server_name>.custom.log common
</VirtualHost>
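To make the access policy encoded by this configuration explicit, the following Python model is added here; it is not part of the SAP documentation or of Apache. It uses constructed stand-in values for <client_cert_subject>, <SAP_home>, the back-end address and the entries of the client-certificates-odata user file, and shows that only the SMP peer's SSL_CLIENT_CERT header is forwarded, that a verified peer with a different subject DN cannot get a forged header through, and that paths outside the two OData/SData prefixes are refused.

```python
"""Model of the request policy in the sample httpd.conf (added illustration)."""
from dataclasses import dataclass, field

# Constructed stand-ins for <client_cert_subject>, <SAP_home>, the back-end
# address and the DNs listed in <Apache_home>/client-certificates-odata.
SMP_CERT_SUBJECT = "/C=DE/O=Example/OU=SMP/CN=ODATA_SMP"
ALLOWED_CERT_SUBJECTS = {SMP_CERT_SUBJECT, "/C=DE/O=Example/CN=monitoring"}
SAP_HOME = "/sap"
BACKEND = "https://YYY.YYY.YYY.YYY:61017"
PROXIED_PREFIXES = (SAP_HOME + "/opu/odata/", SAP_HOME + "/opu/sdata/")


@dataclass
class Request:
    path: str
    ssl_client_verify: str      # mod_ssl SSL_CLIENT_VERIFY: "SUCCESS", "NONE", "FAILED:..."
    ssl_client_s_dn: str = ""   # subject DN of the client certificate the peer presented
    headers: dict = field(default_factory=dict)


def handle(req):
    """Return (status, upstream URL, SSL_CLIENT_CERT header sent to the ICM)."""
    # SSLVerifyClient require: without a client certificate that verifies
    # against odata_bundle.pem the TLS handshake is rejected outright.
    if req.ssl_client_verify != "SUCCESS":
        return "tls_rejected", None, None
    # +FakeBasicAuth uses the subject DN as the Basic-auth user name and
    # Require valid-user admits only DNs present in the AuthUserFile.
    if req.ssl_client_s_dn not in ALLOWED_CERT_SUBJECTS:
        return 401, None, None
    # The two RewriteCond lines: the incoming SSL_CLIENT_CERT header is copied
    # into the environment only when the peer is the SMP certificate. For any
    # other peer the RequestHeader lines replace whatever header it sent
    # (modelled here as an empty value).
    forwarded = ""
    if req.ssl_client_s_dn == SMP_CERT_SUBJECT:
        forwarded = req.headers.get("SSL_CLIENT_CERT", "")
    # Proxy rules: only the two prefixes are passed to the back end;
    # 'RewriteRule .* - [F]' answers everything else with 403.
    for prefix in PROXIED_PREFIXES:
        if req.path.startswith(prefix):
            return 200, BACKEND + req.path, forwarded
    return 403, None, None
```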