Afaria Setup 10.8 – Install Afaria 7 – SCEP Plugin


The steps to install SAP Afaria 7 are:

  1. Download installation package and install license
  2. SAP Afaria Server
  3. SAP Afaria API Service and Administrator
  4. Afaria Admin
  5. Self Service Portal
  6. Enrollment Server
  7. Package Server
  8. SCEP plug-in module

This document is about step 8.

SCEP plug-in module

The last component to be installed is the SCEP plug-in. This module is responsible for requesting certificates on behalf of the user. It makes use of the CA and NDES functionality.

Select the version of the module to be installed. On an x64 architecture, the 64-bit version should be selected.

This starts the SCEP installation wizard.

Database

  • Type: Microsoft SQL Server

  • Server: localhost

  • Database: AfariaDb

Location

Start installation

This ends the installation of SAP Afaria 7.00. A fully functional SAP Afaria environment is now installed and available on the same Windows Server 2008 R2. Be aware that this is a version of Afaria from 2012. The next step is to upgrade it to the latest version available.


SAP Web Dispatcher as reverse proxy for SMP3


As of SMP3 SP07 you can use SAP Web Dispatcher (WD) as a reverse proxy for SMP3. Depending on your landscape, this simplifies your architecture a lot, and you can reuse your WD knowledge and get support from SAP. Installing the WD is done as usual, with one caveat: you have to tell the commonlib which TLS settings to use:

ssl/ciphersuites = 896:HIGH

ssl/client_ciphersuites =896:HIGH

With this, WD can connect to SMP3 using TLS. While this may look strange, it is necessary because SMP3 requires strong TLS settings.

To better understand what these two parameters do, take a look at the Commonlib + WD SAP Note 510007.


A complete sample profile from a WD running on Windows:

SAPSYSTEMNAME = WDP

SAPSYSTEM = 00

DIR_INSTANCE = C:\<dir>\SAPWDSMP3

DIR_EXECUTABLE = $(DIR_INSTANCE)

DIR_PROFILE = $(DIR_INSTANCE)

DIR_HOME = $(DIR_INSTANCE)

Autostart = 1

Restart_Program_00 = local $(DIR_EXECUTABLE)/sapwebdisp$(FT_EXE) pf=$(DIR_PROFILE)/sapwebdisp.pfl

wdisp/ssl_auth=0

wdisp/system_0 = SID=SMP, SSL_ENCRYPT=0, EXTSRV=http://smp3.tobias.de:8080, SRCSRV=*:9080, SRCURL=/, STICKY=true

wdisp/system_1 = SID=SEC, SSL_ENCRYPT=1, EXTSRV=https://smp3.tobias.de:8081, SRCSRV=*:9081, SRCURL=/, STICKY=true

wdisp/system_1 = SID=SEC, SSL_ENCRYPT=1, EXTSRV=http://smp3.tobias.de:8082, SRCSRV=*:9082, SRCURL=/, STICKY=true

icm/server_port_0 = PROT=HTTP,PORT=9080

icm/server_port_1 = PROT=HTTPS,PORT=9081

icm/server_port_2 = PROT=HTTPS,PORT=9082,VCLIENT=2

ssl/ciphersuites = 896:HIGH

ssl/client_ciphersuites =896:HIGH

icm/max_conn = 2000

icm/max_sockets = ($(icm/max_conn) * 2)

icm/req_queue_len = 6000

icm/min_threads = 10

icm/max_threads = 500

mpi/total_size_MB = (min(0.06 * $(icm/max_conn) + 50, 2000))

mpi/max_pipes = ($(icm/max_conn))

wdisp/HTTP/max_pooled_con = ($(icm/max_conn))

wdisp/HTTPS/max_pooled_con = ($(icm/max_conn))

icm/server_port_3 = PROT=HTTPS,PORT=4300

icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,PORT=4300,DOCROOT=./admin,AUTHFILE=icmauth.txt
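
An added example (not part of the original post and not an SAP tool): a small Python check run over the routing and listener lines of the sample profile exactly as published above. The rule names, and the choice to compare SSL_ENCRYPT against the EXTSRV URL scheme, are assumptions of this example.

```python
import re
from collections import Counter

# Routing and listener lines copied from the sample profile above.
PROFILE = """\
wdisp/ssl_auth=0
wdisp/system_0 = SID=SMP, SSL_ENCRYPT=0, EXTSRV=http://smp3.tobias.de:8080, SRCSRV=*:9080, SRCURL=/, STICKY=true
wdisp/system_1 = SID=SEC, SSL_ENCRYPT=1, EXTSRV=https://smp3.tobias.de:8081, SRCSRV=*:9081, SRCURL=/, STICKY=true
wdisp/system_1 = SID=SEC, SSL_ENCRYPT=1, EXTSRV=http://smp3.tobias.de:8082, SRCSRV=*:9082, SRCURL=/, STICKY=true
icm/server_port_0 = PROT=HTTP,PORT=9080
icm/server_port_1 = PROT=HTTPS,PORT=9081
icm/server_port_2 = PROT=HTTPS,PORT=9082,VCLIENT=2
"""

def parse_profile(text):
    """Return (name, value) pairs in file order, skipping blanks and # comments."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        pairs.append((name.strip(), value.strip()))
    return pairs

def subfields(value):
    """Split 'SID=SMP, SSL_ENCRYPT=0, ...' into a dict of sub-parameters."""
    return dict(p.strip().split("=", 1) for p in value.split(",") if "=" in p)

def lint(text):
    """Return review findings (hypothetical rule names) for a profile text."""
    pairs = parse_profile(text)
    findings = []
    # The same parameter name defined twice: only one definition can take effect.
    for name, count in Counter(n for n, _ in pairs).items():
        if count > 1:
            findings.append(f"duplicate-parameter {name} ({count} definitions)")
    sids = Counter()
    for name, value in pairs:
        sub = subfields(value)
        if re.fullmatch(r"wdisp/system_\d+", name):
            sids[sub.get("SID")] += 1
            scheme = sub.get("EXTSRV", "").split("://", 1)[0].lower()
            # Back-end encryption requested, but the back-end URL is plain http.
            if sub.get("SSL_ENCRYPT", "0") != "0" and scheme == "http":
                findings.append(f"tls-mismatch {name}: SSL_ENCRYPT={sub['SSL_ENCRYPT']} but EXTSRV is http")
        elif re.fullmatch(r"icm/server_port_\d+", name):
            if sub.get("PROT", "").upper() == "HTTP":
                findings.append(f"plaintext-listener {name}: port {sub.get('PORT')}")
    findings += [f"duplicate-sid {sid}" for sid, c in sids.items() if c > 1]
    return findings

if __name__ == "__main__":
    print("\n".join(lint(PROFILE)))
```

Each finding is a line to review before the profile goes anywhere near production, not a verdict: the plain HTTP listener on 9080, for instance, may be intended in a test landscape.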


Afaria Setup 10.7 – Install Afaria 7 – Package Server


The steps to install SAP Afaria 7 are:

  1. Download installation package and install license
  2. SAP Afaria Server
  3. SAP Afaria API Service and Administrator
  4. Afaria Admin
  5. Self Service Portal
  6. Enrollment Server
  7. Package Server
  8. SCEP plug-in module

This document is about step 7.

Package Server

Location

Credentials

IIS configuration

The package server is an IIS site, therefore IIS needs to be configured to host the app. This is done by creating a new virtual directory that IIS will use to host the app.

  • Virtual directory name: ps

SAP Afaria Server connection

For the enrollment server to work, it must know the address of the SAP Afaria server. In my case both servers are on the same computer, so I can use localhost.

  • Remote Server context address: localhost

Start installation


Afaria Setup 10.6 – Install Afaria 7 – Enrollment Server


The steps to install SAP Afaria 7 are:

  1. Download installation package and install license
  2. SAP Afaria Server
  3. SAP Afaria API Service and Administrator
  4. Afaria Admin
  5. Self Service Portal
  6. Enrollment Server
  7. Package Server
  8. SCEP plug-in module

This document is about step 6.

Additional installations and resources

Enrollment Server

The enrollment server is an IIS web application. To add it, the installer will create a new IIS site.

Location

Path to where the enrollment server will be installed. Can be left at the default values.

Credentials

Use the SAP Afaria service user.

  • Account name: afauser

IIS directory

Specify the IIS virtual directories into which the enrollment server site will be installed.

  • Unauthorized virtual directory name: aips
  • Authorized virtual directory name: aips2

  • SSL port: 443

Select the right SSL server certificate.

SAP Afaria Server connection

For the enrollment server to work, it must know the address of the SAP Afaria server. In my case both servers are on the same computer, so I can use localhost.

  • Remote Server context address: localhost

Start installation


Afaria Setup 10.5 – Install Afaria 7 – Self Service Portal


The steps to install SAP Afaria 7 are:

  1. Download installation package and install license
  2. SAP Afaria Server
  3. SAP Afaria API Service and Administrator
  4. Afaria Admin
  5. Self Service Portal
  6. Enrollment Server
  7. Package Server
  8. SCEP plug-in module

This document is about step 5.

Self Service Portal

The next component to be installed is the Self Service Portal. This is a web page hosted by IIS that allows the end user to register themselves to Afaria. Access will be done through HTTP and as users will share confidential data with the server, SSL is a must.

While SSL was installed in IIS, access to the server using HTTP (without SSL) was not blocked. This is why the installer shows a warning message. As always: do not do this in a production environment, secure access to your Afaria server!

IIS configuration

  • Name of virtual directory: SSP

Authentication

Authentication: Active Directory

Active Directory: LDAP://tobias.de

Note: this actually depends on your environment setup. In my case, IIS is configured to authenticate against AD.

SAP Afaria service account credentials

  • Account name: afauser (created earlier)

Database connection

Will be localhost as this is not a cluster installation and every Afaria component runs on the same server.

Remote Server: localhost

SAP Afaria API Server

  • Server: localhost:7982

Enrollment codes

This should be empty as it is a first installation. In upgrades, enrollment codes from clients may appear.

Start installation

After the installer ends, the Self Service Portal is installed and configured.


Afaria Setup 10.4 – Install Afaria 7 – Afaria Admin


The steps to install SAP Afaria 7 are:

  1. Download installation package and install license
  2. SAP Afaria Server
  3. SAP Afaria API Service and Administrator
  4. Afaria Admin
  5. Self Service Portal
  6. Enrollment Server
  7. Package Server
  8. SCEP plug-in module

This document is about step 4.

Afaria Server

Select Install Afaria Server

Agree to the EULA.

The Afaria 7 Server Setup wizard starts.

Database

  • Select: Microsoft SQL Server

Enter the SQL Server data. This data must match what was configured earlier on SQL Server!

  • Server: localhost
  • Authentication: Windows Authentication
  • Database: AfariaDB

SAP Afaria server type will be master server.

Location

Installation directory. Leave the default value.

Create the directory.

Service Account

Enter the user data of the afauser created earlier.

Type of authentication

Here you have two options: Windows domain or LDAP based. It depends on where you created the afauser or what your company uses. In my case it does not really matter, as the AD is an LDAP server and Afaria is part of the same domain as the AD, so both options are valid.

  • NT domain based: your domain.

In case you get a warning about the domain: Confirm the domain.

  • Select: Yes

  • NT domain based: ldap

Enter the connection data of the LDAP server. The following information is used to connect to Active Directory.

  • Server Address: FQDN of LDAP server (Afaria.tobias.de)
  • Port: 389 (standard LDAP port, no security)
  • Server Type: Microsoft Active Directory
  • User DN: cn=administrator,cn=users,dc=tobias,dc=de

Start installation


Afaria Setup 10.3 – Install Afaria 7 – SAP Afaria API Service and Administrator


The steps to install SAP Afaria 7 are:

  1. Download installation package and install license
  2. SAP Afaria Server
  3. SAP Afaria API Service and Administrator
  4. Afaria Admin
  5. Self Service Portal
  6. Enrollment Server
  7. Package Server
  8. SCEP plug-in module

This document is about step 3.

Afaria API Service and Administrator

After SAP Afaria Server is installed, additional components must be installed. All will be installed on the same server, as I am using this as a test environment.

The SAP Afaria API Service Setup wizard starts.

Database

Enter the database used by Afaria.

Enter the connection data for the database.

Location

Confirm the installation path of the API server.

Service Account

Enter the service account that will be used by Afaria.

Start installation

When the SAP Afaria API service starts, a warning message may appear, informing you that the API service can be accessed without SSL. This is true because HTTP access was not forbidden in the IIS SSL configuration step. Again, in a production environment, you’ll have to make sure the API service is accessed in a secure manner.


Afaria Setup 10.2 – Install Afaria 7 – Afaria Server


The steps to install SAP Afaria 7 are:

  1. Download installation package and install license
  2. SAP Afaria Server
  3. SAP Afaria API Service and Administrator
  4. Afaria Admin
  5. Self Service Portal
  6. Enrollment Server
  7. Package Server
  8. SCEP plug-in module

This document is about step 2.

Install SAP Afaria Server

Select Install Afaria Server

Agree to the EULA.

The Afaria 7 Server Setup wizard starts.

Database

  • Select: Microsoft SQL Server

Enter the SQL Server data. This data must match what was configured earlier on SQL Server!

  • Server: localhost
  • Authentication: Windows Authentication
  • Database: AfariaDB

SAP Afaria server type will be master server.

Location

Installation directory. Leave the default value.

Create the directory.

Service Account

Enter the user data of the afauser created earlier.

Type of authentication

Here you have two options: Windows domain or LDAP based. It depends on where you created the afauser or what your company uses. In my case it does not really matter, as the AD is an LDAP server and Afaria is part of the same domain as the AD, so both options are valid.

  • NT domain based: your domain.

In case you get a warning about the domain: Confirm the domain.

  • Select: Yes

  • NT domain based: ldap

Enter the connection data of the LDAP server. The following information is used to connect to Active Directory.

  • Server Address: FQDN of LDAP server (Afaria.tobias.de)
  • Port: 389 (standard LDAP port, no security)
  • Server Type: Microsoft Active Directory
  • User DN: cn=administrator,cn=users,dc=tobias,dc=de

Start installation


Afaria Setup 10.1 – Install Afaria 7 – Download installation package and install license


The steps to install SAP Afaria 7 are:

  1. Download installation package and install license
  2. SAP Afaria Server
  3. SAP Afaria API Service and Administrator
  4. Afaria Admin
  5. Self Service Portal
  6. Enrollment Server
  7. Package Server
  8. SCEP plug-in module

This document is about step 1.

Download installation package

You can download the SAP Afaria installer from SAP Market Place. In the download section, it can be found under Sybase Products:

The installer available there is for SAP Afaria 7.0, made available on 5. 11. 2012.

Some newer versions of Afaria (7.0 PL5) can be installed directly using the patch file; other versions need to have the above version (7.0, PL0) installed. I am going to use the official installation package to show the installation procedure.

Install license

Download the installer and unpack it on Windows Server 2008 R2. Open the Afaria folder and run setup.exe.

The SAP Afaria installation setup start screen is shown.

License key

Enter license key

Click Apply and you will return to the start screen. In case the license is valid, you can now start the installation.


Afaria Setup 9: Configuration – SQL Server


Afaria needs a database server to save its data into a database. This data was installed in the previous step. Now the SQL Server Express data needs to be prepared for SAP Afaria installation.

Preparation

Afaria will need a user to log on to SQL Server Express. As Windows is already hosting an Active Directory, an SAP Afaria user can be created to be used to log on to SQL Server. The same user will be used later by Afaria as the Afaria service user. The user is created in the AD using the Active Directory tool.

Create user

  • First name: afauser
  • Last name: n/a
  • Full name: afauser
  • User logon name: afauser@tobias.de

Confirm the user data.

Add user to groups

After the user afauser is created, the user must be prepared for Afaria tasks. This is done by adding it to the right user groups. By default, the user is already part of the domain users. It must be added to domain admins too.

Select group: Domain Admins.

Create Afaria DB

Start SQL Server Management Studio

Open the context menu of the database node of the server and select New Database.

Enter a name for the database (AfariaDb) and set the initial log size to 25 MB. The rest of the configuration parameters can be left as is.

Select the Security folder and Login. Open the context menu and select New Login.

Choose as login name the afauser created in the Preparation section. Set AfariaDb as the default database.

  • Login name: afauser@tobias.de
  • Windows authentication: yes
  • Default DB: AfariaDB
  • Default language: <default>

Add db_executor role

Select AfariaDb under SQL Server and Databases. Select New Query.

In the query editor, enter: CREATE ROLE db_executor

Select Execute

This runs the SQL query on the AfariaDb. The status of the query can be seen in the output message window.

Next, run the query: GRANT EXECUTE TO db_executor

Select Execute

These two queries created the new role db_executor and granted the EXECUTE permission to it.

Assign roles

The next step is to assign the needed roles to afauser. Select Security -> Users under AfariaDb and click on New User.

Select afauser and give the following Database role memberships:

  • db_datareader
  • db_datawriter
  • db_ddladmin
  • db_executor

This concludes preparing Windows 2008 R2 Enterprise for Afaria. The next step is installing the Afaria server.
