
Configuring Relay Server for HTTPS with SAP Mobile Platform

Configure Relay Server for HTTPS and mutual authentication with SAP Mobile Platform.

Prerequisites

  • Relay Server components have been deployed to your selected platform.

  • IIS is installed.

Context

This procedure assumes the use of Relay Server version 17 or later, and SAP Mobile Platform version 3.0 or later.

Procedure

  1. Install an SSL Certificate on IIS and bind the certificate to a website's HTTPS port and IP address.
  2. Configure the Relay Server website for HTTPS.
    1. In IIS, open IIS Manager and navigate to the level you want to manage.
    2. Select the Relay Server site, and then in the Features View, double-click SSL Settings.
    3. On the SSL Settings page, select Require SSL.
    4. On the SSL Settings page, in the Client certificates area, select Accept.
    5. In the Actions pane, click Apply.
  3. Check the IIS client negotiation certificate status.
    1. From a command line, run the following command to check the SSL certificate status:
      C:\>netsh http show sslcert
      
      SSL Certificate bindings:
      -------------------------
      
          IP:port                      : 0.0.0.0:443
          Certificate Hash             : e3564c44a14c163e0fe7617ab1d54202774b4804
          Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
          Certificate Store Name       : (null)
          Verify Client Certificate Revocation : Enabled
          Verify Revocation Using Cached Client Certificate Only : Disabled
          Usage Check                  : Enabled
          Revocation Freshness Time    : 0
          URL Retrieval Timeout        : 0
          Ctl Identifier               : (null)
          Ctl Store Name               : (null)
          DS Mapper Usage              : Disabled
          Negotiate Client Certificate : Disabled
      
    2. If Negotiate Client Certificate is disabled, delete the HTTPS binding. For example:
      C:\>netsh http delete sslcert 0.0.0.0:443
      
      SSL Certificate successfully deleted
    3. Manually add the binding back with Negotiate Client Certificate enabled. Without this step, RSOE cannot start properly for mutual SSL. For example:
      C:\Users\RelayServer\Desktop>netsh http add sslcert 0.0.0.0:443 
      e3564c44a14c163e0fe7617ab1d54202774b4804 {4dc3e181-e14b-4a21-b022-59fc669b0914} 
      clientcertnegotiation=enable
      
      SSL Certificate successfully added
      
    4. Check the status again.
      C:\Users\RelayServer\Desktop>netsh http show sslcert
      
      SSL Certificate bindings:
      -------------------------
      
          IP:port                      : 0.0.0.0:443
          Certificate Hash             : e3564c44a14c163e0fe7617ab1d54202774b4804
          Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
          Certificate Store Name       : (null)
          Verify Client Certificate Revocation : Enabled
          Verify Revocation Using Cached Client Certificate Only : Disabled
          Usage Check                  : Enabled
          Revocation Freshness Time    : 0
          URL Retrieval Timeout        : 0
          Ctl Identifier               : (null)
          Ctl Store Name               : (null)
          DS Mapper Usage              : Disabled
          Negotiate Client Certificate : Enabled
      

      Negotiate Client Certificate should now be enabled.
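Steps 3.1 to 3.4 above can be scripted. The following is an added example, not part of the SAP documentation: it parses the output of netsh http show sslcert (assuming the layout shown on this page) and emits the delete and add commands for every HTTPS binding whose Negotiate Client Certificate is still Disabled.

```powershell
# Added example (not SAP's code): rebuild HTTPS bindings that do not negotiate client certificates.
# Assumes the "netsh http show sslcert" layout shown on this page (one "IP:port" line per binding).
function ConvertFrom-SslCertBinding {
    param([string[]]$Lines)
    $bindings = @()
    $current  = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
            if ($null -ne $current) { $bindings += $current }
            $current = [ordered]@{ IpPort = $Matches[1] }          # a new binding starts here
        }
        elseif ($null -ne $current -and $line -match '^\s*(.+?)\s*:\s*(.*?)\s*$') {
            $current[$Matches[1]] = $Matches[2]                     # every other "Name : Value" line
        }
    }
    if ($null -ne $current) { $bindings += $current }
    return $bindings
}

function Get-ClientCertNegotiationFix {
    param([string[]]$NetshOutput)
    foreach ($b in @(ConvertFrom-SslCertBinding -Lines $NetshOutput)) {
        if ($b['Negotiate Client Certificate'] -ne 'Disabled') { continue }
        # netsh cannot change an existing binding in place, so it is removed and re-added
        "netsh http delete sslcert ipport=$($b.IpPort)"
        "netsh http add sslcert ipport=$($b.IpPort) certhash=$($b['Certificate Hash']) " +
            "appid=$($b['Application ID']) clientcertnegotiation=enable"
    }
}

# Constructed sample output, reduced to the fields the fix needs (values taken from this page)
$sample = @'
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : e3564c44a14c163e0fe7617ab1d54202774b4804
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : (null)
    Negotiate Client Certificate : Disabled
'@ -split "`r?`n"

Get-ClientCertNegotiationFix -NetshOutput $sample
# Against the live machine, from an elevated prompt:
# Get-ClientCertNegotiationFix -NetshOutput (netsh http show sslcert)
```

The function only prints the commands; review them and run them from an elevated prompt, then re-run netsh http show sslcert as in step 3.4.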

  4. Configure the Relay Server.
    1. Open rs.config from the Relay Server folder, and add your back-end farm and back-end server. For example:
      #-------------------------
      # Backend farm - backend_RSfarm_ID, for mutual SSL testing
      #-------------------------
      [backend_farm]
      enable          = yes
      id     = <backend_RSfarm_ID>
      forward_x509_identity= yes
      #---------------------------
      # Backend servers -
      #---------------------------
      [backend_server]
      farm     = <backend_RSfarm_ID>
      id       = <outbound_enabler1_ID>
      max_junction_idle_sec = <15>
      token    = <621ece03-9246-4da7-99e3-c07c7599031c>
    2. Save the rs.config file and restart the Relay Server. Check rs.log to ensure the farm and backend are valid.
    3. To test HTTPS and mutual SSL authentication, import all other trusted certificates into the appropriate certificate store on the Relay Server machine and restart IIS.
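Step 4.2 relies on rs.log to reject a bad farm or back-end definition after the restart. The following is an added example, not part of the SAP documentation: a pre-restart check that parses the [backend_farm] and [backend_server] sections from step 4.1 (assuming the INI-style layout shown on this page) and reports unreplaced placeholders, a back-end server that points at an unknown or disabled farm, and a farm that does not forward the X.509 identity.

```powershell
# Added example (not SAP's code): sanity-check the rs.config fragment from step 4 before restarting.
function Read-RsConfig {
    param([string[]]$Lines)
    $sections = @(); $section = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }          # blanks and comments
        if ($line -match '^\[(\w+)\]$') {                                 # [backend_farm], [backend_server]
            $section = [ordered]@{ _type = $Matches[1] }
            $sections += $section
        } elseif ($section -and $line -match '^(\w+)\s*=\s*(.*)$') {     # key = value
            $section[$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $sections
}

function Test-RsConfigMutualSsl {
    param([string[]]$Lines)
    $problems = @(); $farms = @{}
    $sections = Read-RsConfig -Lines $Lines
    foreach ($f in $sections | Where-Object { $_._type -eq 'backend_farm' }) {
        if ($f.id -match '^<.*>$')              { $problems += "backend_farm id '$($f.id)' is still a placeholder" }
        if ($f.enable -ne 'yes')                { $problems += "backend_farm '$($f.id)' is not enabled" }
        # the page's mutual-SSL farm sets forward_x509_identity=yes so the client certificate reaches the back end
        if ($f.forward_x509_identity -ne 'yes') { $problems += "backend_farm '$($f.id)' does not forward the X.509 identity" }
        $farms[[string]$f.id] = $f
    }
    foreach ($s in $sections | Where-Object { $_._type -eq 'backend_server' }) {
        if (-not $s.farm -or -not $farms.ContainsKey([string]$s.farm)) {
            $problems += "backend_server '$($s.id)' refers to unknown farm '$($s.farm)'"
        }
        foreach ($key in 'id', 'token') {
            if (-not $s[$key] -or $s[$key] -match '^<.*>$') { $problems += "backend_server: $key is missing or still a placeholder" }
        }
    }
    return $problems
}

# Constructed rs.config fragment; the farm id placeholder from the page is left in on purpose
$config = @'
[backend_farm]
enable = yes
id     = <backend_RSfarm_ID>
forward_x509_identity = yes
[backend_server]
farm  = <backend_RSfarm_ID>
id    = outbound_enabler1
token = 621ece03-9246-4da7-99e3-c07c7599031c
'@ -split "`r?`n"
Test-RsConfigMutualSsl -Lines $config
```

On the sample it reports only the unreplaced farm id placeholder; point it at the real file with Test-RsConfigMutualSsl -Lines (Get-Content rs.config).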
  5. Import Relay Server certificates into SAP Mobile Platform Server. In Management Cockpit, select Settings > Certificates and import the Shared KeyStore Entries for the correct alias.
  6. Create an Application ID with Mutual Auth for mutual authentication testing.
  7. Specify the back-end connection.
  8. Specify X.509 User Certificate for authentication.
  9. Role mapping is required for mutual authentication.
    1. From Management Cockpit, select Settings > Security Profiles.
    2. Select a security profile and click Role Mapping.
    3. On the Security Profile page, click Impersonator.
    4. Click Browse to import the Relay Server certificate.
    5. Click Add to add it as an available role and then select it and add to Mapped Role.
    6. Click Save.
  10. To connect to Relay Server with mutual SSL authentication, create an RSOE configuration file similar to the following, and then start the RSOE process.
    -id outbound_enabler1_ID -f backend_RSfarm_ID -t smp3mutual-1 "host=cnpvglwssc1060.apj.global.corp.sap;https=1;port=1082;url_suffix=/murs16.5/server/rs.dll;trusted_certificates=C:\RSOE2\cert\SAP_Global_Root_CA.cer;identity=C:\RSOE2\cert\rsoe1060-new.id;identity_password=changeit;skip_certificate_name_check=ON;" 
    -cs "host=cnpvglwssc856.apj.global.corp.sap;https=1;port=8082;skip_certificate_name_check=ON;trusted_certificates=C:\RSOE2\cert\SAP_Global_Root_CA.cer;identity=C:\RSOE2\cert\rsoe1060-new.id;identity_password=changeit;"  -q -v 2 -o "C:\RSOE2\log\node856-8082-SYRS.log"
    
    • trusted_certificates: A file containing a list of trusted root certificates. To verify the back-end server, and only the back-end server, set this property to the back-end server's public certificate file. For example, trusted_certificates=backend_server_public_cert_filename
    • identity: The identity file that provides the credentials for mutually authenticated TLS between the Outbound Enabler and the back-end server. Mutual authentication is required for the back-end server.
    • identity_password: The password for the identity file, used together with identity to establish mutually authenticated TLS between the Outbound Enabler and the back-end server.
    • skip_certificate_name_check: Controls whether the host name of the server is checked against the host names in the certificate. Enabling this option may prevent the client from fully authenticating the server, leaving it vulnerable to attack.
  11. Configure your device client for 2-way HTTPS (Mutual HTTPS) Channel.