Configuring Apache as a Load Balancer for the EIS Back End

When you use Apache as a load balancer for the EIS back end, the configuration file settings are different from those for Apache as a load balancer on the front end.

Procedure

Configure the reverse proxy in the Apache httpd.conf file.
The httpd.conf settings must:
  • Create a mutual trust between SAP Mobile Platform and the reverse proxy.
  • Create a mutual trust between the reverse proxy and the ICM of the back-end system.
  • For incoming requests from SAP Mobile Platform, extract the SSL_CLIENT_CERT HTTP header and re-inject it into the headers of the proxied (ProxyPass) requests.
    Caution: Do this only for requests from SAP Mobile Platform; the header must not be forwarded from any other peer.
The sample httpd.conf below illustrates the settings required. You must create the two files highlighted in the sample:
  • gd_bundle.crt – The concatenated PEM-encoded CA certificate files, in the same sequence in which they appear in the certificate chain. To use a coupled RSA+DSA certificate pair, both certificates must be in the same certificate chain.
  • SDC_REV_PROXY_WDF.pem – The concatenated PEM-encoded certificate files, in order of preference.
For more information on the structure of these files, go to the Apache Web site, http://httpd.apache.org/, and search for the file names.
<VirtualHost XXX.XXX.XXX.XXX:44304>
  ServerName odata-XXXXX-XXXXXXX-<server_name>
  DocumentRoot <doc_root>/nothing_here
  RewriteEngine on
  
  SSLEngine On
  SSLProxyEngine On
 
  # server certificate stuff
  SSLCertificateFile <Apache_home>/ssl.crt/<server_name>.crt
  SSLCertificateKeyFile <Apache_home>/ssl.key/<server_name>.key
  SSLCertificateChainFile  <Apache_home>/ssl.crt/gd_bundle.crt
 
  # Root certificate(s) of the CA that signed the client certificate on
  # SAP Mobile Platform
  SSLCACertificateFile <Apache_home>/ssl.crt/odata_bundle.pem
  SSLVerifyClient require
  SSLVerifyDepth  2
  SSLOptions +StdEnvVars +FakeBasicAuth
 
  # Client certificate used for the mutual trust against the ICM of the back end
  SSLProxyMachineCertificateFile <Apache_home>/ssl.cliencrt/SDC_REV_PROXY_WDF.pem
  <Location />
    AuthType Basic
    AuthName "Restricted Files"
    AuthBasicProvider file
    # only allow particular client certificates from the list defined here
    AuthUserFile <Apache_home>/client-certificates-odata
    Require valid-user
    Order Deny,Allow
    Allow from all
  </Location>
 
  # The remote system SMP is also a reverse proxy and already injects the certificate
  # of the initial client request into the HTTP header. The 3 lines below read the
  # certificate from the incoming HTTP header only if the peer presents the expected
  # client certificate (ODATA_SMP); otherwise the environment variable stays unset
  RewriteCond %{SSL:SSL_CLIENT_VERIFY} =SUCCESS
  RewriteCond %{SSL:SSL_CLIENT_S_DN} =<client_cert_subject>
  RewriteRule (.*) $1   [E=HTTP_IF_SSL_CLIENT_CERT:%{HTTP:SSL_CLIENT_CERT},NE]
 
  # Inject extracted certificate into the HTTP header of the reverse proxy request
  RequestHeader set SSL_CLIENT_CERT  ""
  RequestHeader set SSL_CLIENT_CERT "%{HTTP_IF_SSL_CLIENT_CERT}e"
 
  # Allow only a minimal URL name space to be proxied
  RewriteRule ^<SAP_home>/opu/odata/(.*)      https://YYY.YYY.YYY.YYY:61017/<SAP_home>/opu/odata/$1 [P,L,NE]
  ProxyPassReverse <SAP_home>/opu/odata/      https://YYY.YYY.YYY.YYY:61017/<SAP_home>/opu/odata/
  RewriteRule ^<SAP_home>/opu/sdata/(.*)      https://YYY.YYY.YYY.YYY:61017/<SAP_home>/opu/sdata/$1 [P,L,NE]
  ProxyPassReverse <SAP_home>/opu/sdata/      https://YYY.YYY.YYY.YYY:61017/<SAP_home>/opu/sdata/
  # Disallow anything else that does not match the above URI prefixes
  RewriteRule  .*  -  [F]
 
  ErrorLog  <Apache_log_home>/odata-XXXXX-XXXXXXX-<server_name>.error.log
  CustomLog <Apache_log_home>/odata-XXXXX-XXXXXXX-<server_name>.custom.log common
</VirtualHost>
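The two controls in the sample that matter most for security are the conditional re-injection of SSL_CLIENT_CERT (a peer other than SAP Mobile Platform must never get its own SSL_CLIENT_CERT header forwarded) and the minimal proxied URL namespace. The following Python model, added here as an illustration and not part of the SAP documentation or of Apache, mirrors those RewriteCond/RewriteRule/RequestHeader lines so the policy can be exercised with constructed requests; the trusted DN, the SAP_home path and the back-end address are constructed placeholders.

```python
"""Model of the SSL_CLIENT_CERT handling and URL allow-list in the httpd.conf sample."""
from dataclasses import dataclass, field

# Constructed placeholders standing in for <client_cert_subject>, <SAP_home> and the ICM address.
TRUSTED_SMP_DN = "CN=ODATA_SMP,O=Example,C=DE"
SAP_HOME = "/sap"
BACKEND = "https://YYY.YYY.YYY.YYY:61017"
ALLOWED_PREFIXES = (SAP_HOME + "/opu/odata/", SAP_HOME + "/opu/sdata/")


@dataclass
class Request:
    """What the rewrite rules see: URL path, mod_ssl verification result, peer DN, headers."""
    path: str
    ssl_client_verify: str           # %{SSL:SSL_CLIENT_VERIFY}: "SUCCESS" when the peer cert verified
    ssl_client_s_dn: str             # %{SSL:SSL_CLIENT_S_DN}: subject DN of the peer certificate
    headers: dict = field(default_factory=dict)


def proxy_decision(req: Request):
    """Return ("FORBIDDEN", None, None) or ("PROXY", target_url, outgoing_headers)."""
    # RewriteCond %{SSL:SSL_CLIENT_VERIFY} =SUCCESS / RewriteCond %{SSL:SSL_CLIENT_S_DN} =<client_cert_subject>
    # RewriteRule (.*) $1 [E=HTTP_IF_SSL_CLIENT_CERT:%{HTTP:SSL_CLIENT_CERT}]
    # Only a verified peer with the SMP subject gets its header copied into the env var.
    env_cert = ""
    if req.ssl_client_verify == "SUCCESS" and req.ssl_client_s_dn == TRUSTED_SMP_DN:
        env_cert = req.headers.get("SSL_CLIENT_CERT", "")

    # RequestHeader set SSL_CLIENT_CERT "" followed by set SSL_CLIENT_CERT "%{HTTP_IF_SSL_CLIENT_CERT}e"
    # The outgoing header is always overwritten, so a value supplied by any other
    # peer is discarded rather than passed through to the back end.
    outgoing = {k: v for k, v in req.headers.items() if k != "SSL_CLIENT_CERT"}
    outgoing["SSL_CLIENT_CERT"] = env_cert

    # RewriteRule ^<SAP_home>/opu/odata/(.*) ... [P,L] and its sdata twin proxy the request;
    # RewriteRule .* - [F] rejects every other path.
    for prefix in ALLOWED_PREFIXES:
        if req.path.startswith(prefix):
            return ("PROXY", BACKEND + req.path, outgoing)
    return ("FORBIDDEN", None, None)
```

Running it against a request from the SMP peer, a spoofed header from some other verified client, and a path outside /opu/odata/ and /opu/sdata/ shows the three outcomes the configuration is meant to produce.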