Apache HTTPS Reverse Proxy for SAP Analytics Cloud...
In this blog you will find the code snippets, some background and additional information together with links to documentation for the tutorial video playlist on YouTube.
When using other cloud providers like Microsoft Azure or AWS, there will be some minimal differences (e.g. configuring firewalls).
As we rely on the local hosts file on the client computer for name resolution (hxehost => 192.145.34.8), using a fixed external IP address is recommended (but not required).
When using a local HANA express version (VM or Docker), you will need to have registered SUSE Linux to activate the software repositories. For this, see
For production environments, typically a customised Apache is built from source code. For our test and demo environment, we will use the SUSE Linux system tool YaST > Software Management.
# yast sw_single
Alternatively, install Apache from the command line.
# zypper install apache2
In case YaST does not display correctly (e.g. when using PuTTY to connect to SLES), execute the following command and reconnect:
When not running Apache on SLES as a service, you can use the Apache command line tool. With the flag -k start|restart|stop you can manage the server.
To configure Apache, use YaST or edit the file /etc/sysconfig/apache2. This will update the configuration files in sysconfig.d like loadmodule.conf. For example, adding a module with YaST will automatically generate a new loadmodule.conf file.
Configuration files (*.conf) in the conf.d and vhosts.d directories are automatically loaded. Use these directories for customizations.
Do not edit generic conf files as these will be overwritten during upgrades.
Enable (Reverse) Proxy
With YaST, enable the modules
proxy
proxy_connect
proxy_http
Create a file in conf.d with the .conf extension, e.g. proxy.conf. In this example we redirect all traffic arriving at Apache to the Web Dispatcher listening for HANA XS.
For reverse proxy over HTTPS, we need to enable SSL for Apache. The easiest way to do this on SUSE Linux is using YaST > Network Services > HTTP Server: Server Modules.
# yast http-server
This will update sysconfig, which in turn will generate a new loadmodule.conf in /etc/apache2/sysconfig.d to include the LoadModule ssl_module directive.
All we need to do is create a copy of the /etc/apache2/vhosts.d/vhost.template file and update the ServerName and the SSLCertificateFile and KeyFile parameters.
To generate private key files and certificates we can use a script (specific to SLES for Apache mod_ssl).
These are self-signed certificates but because there is a chain, when we import the CA certificate on the client and indicate that this CA is to be trusted, the web server certificate will be trusted as well.
For Chrome and Safari on macOS, we need to import the CA.crt file with KeyChain; Firefox keeps its own certificate store. For Internet Explorer (and Chrome) on Windows, we use the Certification utility.
Self-signed root certificate with OU = CA.
Signed server certificate Subject OU = web server, issuer OU = CA.
Of course, we are still printing our own money here but this allows us to test the configuration.
The gensslcert script has copied the certificates and keys to the SSL.* directories under /etc/apache2 and a copy of the CA.crt to the DocumentRoot.
To enable a client download of the CA root certificate, we need to change the properties of the file so that the process hosting Apache (wwwrun) can access the file.
# chmod o+r /srv/www/htdocs/CA.crt
And allow directory listing (only to download the certificate)
<Directory "/srv/www/htdocs">
Options +Indexes
Require all granted
</Directory>
Then simply download the CA.crt (Certificate Authority root certificate) file to your client and add it to the certificate store.
4. Configure SSL including Subject Alternative Name
The certificate generated with gensslcert provides a secure connection for the Internet Explorer, Firefox, and Safari browsers but not for Chrome. As Chrome is the recommended browser for SAP Analytics Cloud, we need to update our certificate with a Subject Alternative Name.
Create a configuration file for the certificate; an example follows. The Common Name (CN) value needs to correspond to the URL for the web server. In other words, CN = hxehost.localdomain corresponds to https://hxehost.localdomain. The other values are not parsed by the browser, as we have seen in video 3; C = XY is fine. The gensslcert script uses OU=CA for the CA certificate (ca.crt) and OU=web server for the server certificate (server.crt) for informational purposes.
[ req_distinguished_name ]
C = DE
ST = Baden-Wuerttemberg
L = Walldorf
O = SAP
OU = Digital Partner Engineering
CN = hxehost.localdomain
emailAddress = digitalenablement@sap.com
[ req_attributes ]
challengePassword = 1234
EOT
Generate a CA root authority certificate valid for 1 year using the CA private key.
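The certificate steps of this section, as an added example that is not part of the original blog and is not the gensslcert script: a shell function builds a throwaway CA and a server certificate carrying a Subject Alternative Name, then checks that the SAN is present and that the certificate chains to the CA. The file names, the v3_ca and v3_srv section names and the test CA subject are assumptions; hxehost.localdomain is the host name used on this page.

```shell
# Added example: throwaway CA plus a server certificate with a SAN.
# File names and section names (v3_ca, v3_srv) are assumptions.
set -eu

make_san_cert() {   # $1 = output directory, $2 = host name (CN and SAN)
    dir=$1; host=$2; cfg=$dir/cert.cnf
    cat > "$cfg" <<EOF
[ req ]
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
C = XY
OU = web server
CN = $host
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_srv ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    # Self-signed CA root certificate, valid for 1 year
    openssl req -x509 -config "$cfg" -extensions v3_ca -newkey rsa:2048 \
        -nodes -days 365 -subj "/C=XY/OU=CA/CN=Constructed Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Server key and CSR; the subject comes from [ req_distinguished_name ]
    openssl req -new -config "$cfg" -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # Sign with the CA; the SAN is applied here from the v3_srv section
    openssl x509 -req -in "$dir/server.csr" -days 365 -sha256 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$cfg" -extensions v3_srv -out "$dir/server.crt" 2>/dev/null
    chmod 600 "$dir/ca.key" "$dir/server.key"
}

has_san() {         # $1 = certificate file, $2 = expected DNS name
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | grep -qF "DNS:$2"
}

chains_to() {       # $1 = CA certificate, $2 = certificate to verify
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

workdir=$(mktemp -d)
make_san_cert "$workdir" hxehost.localdomain
has_san "$workdir/server.crt" hxehost.localdomain && echo "SAN present"
chains_to "$workdir/ca.crt" "$workdir/server.crt" && echo "chain verifies"
```

The extensions are applied when the CA signs the request, so a SAN that exists only in the CSR would not reach the certificate; running has_san against the signed file is the check that matters for Chrome.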
Add the following section to the virtual host configuration file, e.g. /etc/apache2/vhosts.d/hxehost-ssl.conf (without it, the default response is 403):
<Directory "/srv/www/htdocs">
Options +Indexes
Require all granted
</Directory>
5. Configure InA Service
Server Time Out
Change the session timeout for the Web Dispatcher (as documented)
hdbsql -i 90 -d SYSTEMDB -u system \
"ALTER SYSTEM ALTER CONFIGURATION ('xsengine.ini', 'database', 'HXE')
SET ('httpserver', 'sessiontimeout') = '43200'
WITH RECONFIGURE"
Create InA User
Create a user with the INA_USER role. The example below uses INA_USER but you can use any name you want.
You can create a user store key to avoid entering connection information on the command line:
hdbuserstore -i set HXESYSTEMKEY hxehost:39015@HXE SYSTEM
hdbsql -i 90 -U HXESYSTEMKEY -m <<EOF
CREATE USER ina_user PASSWORD Initial1 NO FORCE_FIRST_PASSWORD_CHANGE;
CALL GRANT_ACTIVATED_ROLE('sap.bc.ina.service.v2.userRole::INA_USER','INA_USER');
EOF
Create XS Admin User
In addition, create a user for XS runtime configuration. The example below uses XS_ADMIN but this can be any name you want; alternatively, you can grant the roles to an existing user.
hdbsql -i 90 -U HXESYSTEMKEY -m <<EOF
CREATE USER xs_admin PASSWORD Initial1 NO FORCE_FIRST_PASSWORD_CHANGE;
CALL GRANT_ACTIVATED_ROLE('sap.hana.xs.admin.roles::RuntimeConfAdministrator','XS_ADMIN');
CALL GRANT_ACTIVATED_ROLE('sap.hana.xs.admin.roles::SAMLViewer','XS_ADMIN');
EOF
CORS
Configure the runtime configuration for the SAP.BC.INA.SERVICE.V2 package in the XS Admin tool (connect as XS_ADMIN):
Add the Header parameters to the virtual host configuration file. Using a variable, e.g. SAC, is advisable for multiple connections.
Define SAC "mytenant.myregion.sapanalytics.cloud"
<If "req_novary('ORIGIN') == 'https://${SAC}'">
Header set Access-Control-Allow-Origin "https://${SAC}"
Header set Access-Control-Allow-Credentials true
Header set Access-Control-Allow-Methods "GET, POST, PUT"
Header set Access-Control-Allow-Headers "X-Csrf-Token, x-csrf-token, x-sap-cid, Content-Type, Authorization"
Header set Access-Control-Expose-Headers "x-csrf-token"
</If>
Create Web Dispatcher Admin User and Configure Public URL (Optional)
Create a user for Web Dispatcher administration (or grant the roles to an existing user) in case you want to change the existing configuration, e.g. to install a valid certificate.
This is only required if you want to make changes to the default self-signed server certificate of the web dispatcher. When using Apache Reverse Proxy, this is not required.
hdbsql -i 90 -U HXESYSTEMKEY -m <<EOF
CREATE USER wdisp_admin PASSWORD Initial1 NO FORCE_FIRST_PASSWORD_CHANGE ;
CALL GRANT_ACTIVATED_ROLE('sap.hana.xs.wdisp.admin::WebDispatcherAdmin','WDISP_ADMIN');
EOF
In this case, you need to configure the public URL to point to the tenant to access the Web Dispatcher:
hdbsql -i 90 -d SYSTEMDB -u system \
"ALTER SYSTEM ALTER CONFIGURATION ('xsengine.ini', 'database', 'HXE')
SET ('public_urls', 'https_url') = 'https://hxehost.localdomain:4390'
WITH RECONFIGURE;"