Configure MSFT NDES to work with Afaria

The Afaria mobile client can request a client certificate from a corporate CA on behalf of the user. The user automatically gets a valid certificate without going through the complicated process of requesting and installing one; the user won't even notice that a certificate was requested and installed on the device, the process is completely transparent. For this to work, Afaria needs to be configured to send certificate requests to a CA using SCEP, and the CA needs to be able to act on device requests. This is done by installing the NDES role service on a Windows CA. After that, the CA needs to be configured to work together with Afaria.

A possible error message that occurs when this configuration is missing is visible in the Afaria log. The error message looks like: “SCEPcertificateAcquisition Exception: ASN1 bad tag value met”

This error message doesn't occur out of nowhere; it appears in the context of the Afaria client requesting a certificate from the Microsoft CA/NDES.

Here, a CSR with subject CN=rds,O=Afaria,OU=Consulting,L=Rio de Janeiro … was sent to the CA by the Android app com.sap.logon.cert. The solution for this problem is given in SAP Note 2193313. Documentation covering this error is available both from SAP and from Microsoft.

SOLUTION

Basically there are two solutions available:

  1. Deactivate the use of a challenge password for NDES, or
  2. Activate the use of a challenge password and configure Afaria to send the credentials.

Easiest solution: deactivate the use of a password when requesting a certificate. This is done by changing the Windows registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\EnforcePassword to 0. Keep in mind what this means: with EnforcePassword set to 0, NDES issues certificates to any client that can reach the SCEP URL, so the second option (challenge password configured on the Afaria side) is the more secure choice where it is available.

This change requires a restart of IIS to ensure that the new value is picked up. Afterwards, the Afaria client can be used to request a certificate.

This request can be followed in the Afaria log:

RESULT

The client received a certificate. The certificate can be seen in the CA:


SAP Web Dispatcher as reverse proxy for SMP3

As of SMP3 SP07 you can use SAP Web Dispatcher as a reverse proxy for SMP3. Depending on your landscape, this simplifies your architecture a lot, and you can reuse your Web Dispatcher knowledge and get support from SAP. Installing the WD is done as usual, with one caveat: you have to tell the commonlib which TLS protocol versions and cipher suites to use:

ssl/ciphersuites = 896:HIGH
ssl/client_ciphersuites = 896:HIGH

With this, WD can connect to SMP3 using TLS. While this may look strange, it is necessary because SMP3 only accepts newer TLS protocol versions and strong cipher suites, which a default Web Dispatcher profile does not offer to the backend.

To better understand what these two parameters do (the numeric prefix selects the TLS protocol versions, the HIGH class the cipher suites), take a look at the commonlib + WD SAP Note 510007.


A complete sample profile from a WD running on Windows:

SAPSYSTEMNAME = WDP
SAPSYSTEM = 00
DIR_INSTANCE = C:\<dir>\SAPWDSMP3
DIR_EXECUTABLE = $(DIR_INSTANCE)
DIR_PROFILE = $(DIR_INSTANCE)
DIR_HOME = $(DIR_INSTANCE)
Autostart = 1
Restart_Program_00 = local $(DIR_EXECUTABLE)/sapwebdisp$(FT_EXE) pf=$(DIR_PROFILE)/sapwebdisp.pfl
wdisp/ssl_auth=0
# Backend systems: one entry per SMP3 port; each wdisp/system_N index must be unique,
# and SSL_ENCRYPT=1 requires an https EXTSRV
wdisp/system_0 = SID=SMP, SSL_ENCRYPT=0, EXTSRV=http://smp3.tobias.de:8080, SRCSRV=*:9080, SRCURL=/, STICKY=true
wdisp/system_1 = SID=SEC, SSL_ENCRYPT=1, EXTSRV=https://smp3.tobias.de:8081, SRCSRV=*:9081, SRCURL=/, STICKY=true
wdisp/system_2 = SID=SEC, SSL_ENCRYPT=1, EXTSRV=https://smp3.tobias.de:8082, SRCSRV=*:9082, SRCURL=/, STICKY=true
# Listening ports: 9080 plain HTTP, 9081 HTTPS, 9082 HTTPS with mandatory client certificate (VCLIENT=2)
icm/server_port_0 = PROT=HTTP,PORT=9080
icm/server_port_1 = PROT=HTTPS,PORT=9081
icm/server_port_2 = PROT=HTTPS,PORT=9082,VCLIENT=2
ssl/ciphersuites = 896:HIGH
ssl/client_ciphersuites = 896:HIGH
icm/max_conn = 2000
icm/max_sockets = ($(icm/max_conn) * 2)
icm/req_queue_len = 6000
icm/min_threads = 10
icm/max_threads = 500
mpi/total_size_MB = (min(0.06 * $(icm/max_conn) + 50, 2000))
mpi/max_pipes = ($(icm/max_conn))
wdisp/HTTP/max_pooled_con = ($(icm/max_conn))
wdisp/HTTPS/max_pooled_con = ($(icm/max_conn))
icm/server_port_3 = PROT=HTTPS,PORT=4300
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,PORT=4300,DOCROOT=./admin,AUTHFILE=icmauth.txt
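A profile like the one above is easy to get subtly wrong: an index used twice means one backend definition is silently lost, and SSL_ENCRYPT=1 combined with an http:// EXTSRV will not give you the encrypted hop to SMP3 you think you have. The following Python linter is an added example (not code from this post or from SAP) that parses a Web Dispatcher profile and reports exactly those problems, plus a missing ssl/ciphersuites or ssl/client_ciphersuites parameter and SRCSRV ports that have no matching icm/server_port_N. The SAMPLE_PROFILE is a constructed, cut-down copy of the profile for demonstration; the parameter semantics it checks (unique wdisp/system_N, https for SSL_ENCRYPT=1, the two cipher-suite parameters) are the ones described in this post.

```python
"""Lint a SAP Web Dispatcher profile for common reverse-proxy misconfigurations."""
from urllib.parse import urlparse

# Constructed sample profile: a cut-down copy of a WD profile in which the
# wdisp/system_1 index is used twice and the second entry mixes SSL_ENCRYPT=1
# with a plain http:// EXTSRV.
SAMPLE_PROFILE = """\
SAPSYSTEMNAME = WDP
SAPSYSTEM = 00
wdisp/ssl_auth=0
wdisp/system_0 = SID=SMP, SSL_ENCRYPT=0, EXTSRV=http://smp3.tobias.de:8080, SRCSRV=*:9080, SRCURL=/, STICKY=true
wdisp/system_1 = SID=SEC, SSL_ENCRYPT=1, EXTSRV=https://smp3.tobias.de:8081, SRCSRV=*:9081, SRCURL=/, STICKY=true
wdisp/system_1 = SID=SEC, SSL_ENCRYPT=1, EXTSRV=http://smp3.tobias.de:8082, SRCSRV=*:9082, SRCURL=/, STICKY=true
icm/server_port_0 = PROT=HTTP,PORT=9080
icm/server_port_1 = PROT=HTTPS,PORT=9081
icm/server_port_2 = PROT=HTTPS,PORT=9082,VCLIENT=2
ssl/ciphersuites = 896:HIGH
ssl/client_ciphersuites =896:HIGH
"""

# Both parameters are needed for the TLS connection from WD to SMP3.
REQUIRED_TLS_PARAMS = ("ssl/ciphersuites", "ssl/client_ciphersuites")


def parse_profile(text):
    """Return the profile as an ordered list of (key, value) pairs.

    Blank lines and '#' comment lines are skipped; only the first '=' splits,
    so values such as 'PROT=HTTPS,PORT=9082' stay intact."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            entries.append((key.strip(), value.strip()))
    return entries


def parse_kv_list(value):
    """Split 'SID=SMP, SSL_ENCRYPT=0, EXTSRV=...' (or 'PROT=HTTPS,PORT=9082') into a dict."""
    fields = {}
    for item in value.split(","):
        k, sep, v = item.partition("=")
        if sep:
            fields[k.strip()] = v.strip()
    return fields


def lint_profile(text):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings = []
    effective = {}
    for key, value in parse_profile(text):
        if key in effective:
            findings.append(f"duplicate parameter {key}: only one of the two definitions can take effect")
        effective[key] = value

    # Ports the dispatcher itself listens on (icm/server_port_N).
    listen_ports = set()
    for key, value in effective.items():
        if key.startswith("icm/server_port_"):
            listen_ports.add(parse_kv_list(value).get("PORT"))

    for key, value in effective.items():
        if not key.startswith("wdisp/system_"):
            continue
        system = parse_kv_list(value)
        scheme = urlparse(system.get("EXTSRV", "")).scheme
        encrypt = system.get("SSL_ENCRYPT")
        if encrypt == "1" and scheme != "https":
            findings.append(f"{key}: SSL_ENCRYPT=1 but EXTSRV scheme is {scheme!r}, expected https")
        if encrypt == "0" and scheme == "https":
            findings.append(f"{key}: SSL_ENCRYPT=0 but EXTSRV uses https")
        src_port = system.get("SRCSRV", "").rpartition(":")[2]
        if src_port not in listen_ports:
            findings.append(f"{key}: SRCSRV port {src_port!r} has no matching icm/server_port_N entry")

    for name in REQUIRED_TLS_PARAMS:
        if name not in effective:
            findings.append(f"{name} is missing; it is required for the TLS connection to SMP3")
    return findings


if __name__ == "__main__":
    for finding in lint_profile(SAMPLE_PROFILE) or ["no findings"]:
        print(finding)
```

Run against the sample it reports the duplicated wdisp/system_1 and the http:// EXTSRV behind SSL_ENCRYPT=1; after renaming the second entry to wdisp/system_2 and switching it to https the list is empty. Point it at your own sapwebdisp.pfl before a restart rather than discovering the problem in the ICM trace.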


Afaria Setup 9: Configuration – SQL Server

Afaria needs a database server to store its data. SQL Server Express was installed in the previous step; now it needs to be prepared for the SAP Afaria installation.

Preparation

Afaria needs a user to log on to SQL Server Express. As Windows is already hosting an Active Directory, an SAP Afaria user can be created in the AD and used to log on to SQL Server. The same user will later be used by Afaria as the Afaria service user. The user is created with the Active Directory Users and Computers tool.

Create user

  • First name: afauser
  • Last name: n/a
  • Full name: afauser
  • User logon name: afauser@tobias.de

Confirm the user data.

Add user to groups

After the user afauser is created, the user must be prepared for Afaria tasks. This is done by adding it to the right user groups. By default, the user is already a member of Domain Users. It must be added to Domain Admins too. (Domain Admins grants far more than database access; in a production landscape, prefer a dedicated service account with only the rights the Afaria installation guide requires.)

Select group: Domain Admins.

Create Afaria DB

Start SQL Server Management Studio

Open the context menu of the database node of the server and select New Database.

Enter a name for the database (AfariaDb) and set the initial log size to 25 MB. The rest of the configuration parameters can be left as they are.

Select the Security folder and Login. Open the context menu and select New Login.

Choose as login name the afauser created in the Preparation section. Set AfariaDb as the default database.

  • Login name: afauser@tobias.de
  • Windows authentication: yes
  • Default DB: AfariaDb
  • Default language: <default>

Add db_executor role

Select AfariaDb under SQL Server and Databases. Select New Query.

In the query editor, enter: CREATE ROLE db_executor

Select Execute

This runs the SQL query on AfariaDb. The status of the query is shown in the output message window.

Next, run the query: GRANT EXECUTE TO db_executor

Select Execute

These two queries created a new role named db_executor and granted it the EXECUTE permission on the database.

Assign roles

Next step is to assign to afauser the needed roles. Select Security -> Users under AfariaDb and click on New User.

Select afauser and give the following Database role memberships:

  • db_datareader
  • db_datawriter
  • db_ddladmin
  • db_executor

This concludes preparing Windows 2008 R2 Enterprise for Afaria. The next step is installing the Afaria server.


Afaria Setup 6: Configure SSL for IIS

To ensure the confidentiality of user data, user access to SAP Afaria must go over SSL. For this to work, IIS needs its own valid SSL certificate. To get one, a certificate request for IIS is created first. This request is handled by the CA (installed on the same server), and the issued certificate is then made available in IIS.

IIS: Create certificate request

  • Start IIS Manager
  • Select the default server and Server Certificates in the IIS section.

  • Create certificate request

  • Enter the server information. The CA will include this information in the final certificate.
    • Common name: FQDN of the server
    • Country: BR, or your country

  • Select cryptographic service provider.
    • Cryptographic service provider: Microsoft RSA SChannel Cryptographic Provider
    • Bit length: 1024

  • Enter the file name. This is where the certificate request will be saved; the file is later submitted to the CA.

IIS has now created the certificate request. The next step is to submit the request to the CA.

CA: Issue certificate

As the CA is on the same server as IIS, all that remains is to submit the request to the CA. The certificate type is for a web server. In my case, using the CA wizard to submit the CSR did not work, as the web server template was not available. What worked was to submit the CSR from the command line and name the web server template there.

Command: certreq.exe -submit -attrib "CertificateTemplate:WebServer" .\certreq.txt

Select the CA to be used.

Specify path to save certificate to.

Certificate is issued and saved in CER format.

Next is to install the certificate into IIS and make it available for usage.

IIS: Install certificate

To install the server certificate, open IIS Manager console. Select Complete Certificate Request.

Enter the path to the certificate and an alias (friendly name). You will refer to the certificate by its friendly name later.

Click OK. This installs the certificate into IIS.


FND – 62 – Create outbound destination for content publisher

The configuration steps to be executed on the HUB system (FND) are detailed at SAP Help.

  1. Maintaining Inbound bgRFC Queue on the Hub System SAP Help
  2. Create outbound destination for content publisher SAP Help

This document explains how to execute step 2.

When a mobile user subscribes for push notifications, he/she basically tells SAP Gateway to deliver updates on a collection. As Gateway handles subscriptions in a fairly abstract way, the user has to supply some information during the subscription process. One piece of this information is the communication channel. This channel corresponds to an HTTP destination created on the HUB system.
SAP Help

A subscribing user passes the following channel information to Gateway: urn:sap-com:channel:<CHANNEL_NAME>/<unique_ID_of_device>

The first part (urn:sap-com:channel) is used by OData as a keyword to filter and extract the name of the channel. The channel name is a HTTP destination created in SM59. I’ll use SMP_PUSH. This implies that you can have several push destinations for a single SAP Gateway system.
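To make the channel format concrete, here is an added Python example (not code from this post or from SAP Gateway) that parses the channel string described above, splits it into the SM59 destination name and the device identifier, and maps the name to a known HTTP destination. The KNOWN_PUSH_DESTINATIONS set and the assumed shape of the identifier part (a destination name followed by a single slash and an opaque device id) are constructed for the example; only the urn:sap-com:channel prefix and the SMP_PUSH destination come from the post.

```python
"""Parse and validate the push-channel URN a subscribing client sends to Gateway."""
import re

CHANNEL_PREFIX = "urn:sap-com:channel:"

# HTTP destinations (SM59, connection type G) that exist on the HUB.
# Constructed for this example; SMP_PUSH is the one created in the post above.
KNOWN_PUSH_DESTINATIONS = {"SMP_PUSH"}

# Assumed shape of the part after the prefix: <destination name>/<device id>.
# The destination name is limited to word characters, the device id to one
# slash-free, whitespace-free token.  This is an assumption for the example,
# not a documented Gateway rule.
_CHANNEL_RE = re.compile(r"^([A-Za-z0-9_]{1,32})/([^/\s]+)$")


def parse_channel(value):
    """Split 'urn:sap-com:channel:SMP_PUSH/<device id>' into (destination, device_id).

    Raises ValueError when the prefix is missing or the remainder does not have
    the NAME/ID shape, so a malformed subscription never reaches SM59 lookup."""
    if not value.startswith(CHANNEL_PREFIX):
        raise ValueError(f"not a push channel URN: {value!r}")
    match = _CHANNEL_RE.match(value[len(CHANNEL_PREFIX):])
    if match is None:
        raise ValueError(f"malformed channel part in {value!r}")
    return match.group(1), match.group(2)


def is_valid_channel(value):
    """True if parse_channel() accepts the value, False otherwise."""
    try:
        parse_channel(value)
    except ValueError:
        return False
    return True


def resolve_destination(value, known=KNOWN_PUSH_DESTINATIONS):
    """Return the SM59 destination name for a URN, or None if it is not a known destination.

    Several push destinations can coexist on one Gateway; only names that were
    actually created in SM59 are accepted."""
    destination, _device_id = parse_channel(value)
    return destination if destination in known else None


if __name__ == "__main__":
    sample = "urn:sap-com:channel:SMP_PUSH/device-0001"   # constructed sample value
    print(parse_channel(sample))
    print(resolve_destination(sample))
```

The point of the two-step split is that the destination name is the only part that gets looked up; the device identifier is passed through untouched and never influences which destination is called.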

No SPRO activity

All activities are done on the SAP Gateway HUB (FND) system.

  1. Create HTTP destination: transaction SM59
  2. New Destination
    • RFC Destination: SMP_PUSH
    • Connection Type: G
  3. Go to tab “Technical Settings”
    • Target host: host of SMP 3 (smp3.tobias.de)
    • Service No: HTTP port of SMP 3 (8080, depends on your configuration)
    • Path Prefix: prefix used by SMP 3 for push notifications (/Notification/)
  4. Go to tab “Logon & Security”
    • User: SMP Push user (smppush)
    • Password: password of the SMP Push user
  5. Save
  6. Test destination


FND – 61 – Maintaining Inbound bgRFC Queue on the Hub System

The configuration steps to be executed on the HUB system (FND) are detailed at SAP Help.

  1. Maintaining Inbound bgRFC Queue on the Hub System SAP Help
  2. Create outbound destination for content publisher SAP Help

This document explains how to execute step 1.

“SAP NetWeaver Gateway uses inbound queues to reliably send information to a consumer (Such queues are used by various services. For example, the Notification Content Publisher). These inbound queues use bgRFC (Background Remote Function Call) technology.”
SAP Help

No SPRO activity

All activities are done on the SAP Gateway HUB (FND) system.

  1. Creating RFC Destination for Inbound Queue
    1. Transaction SM59
    2. Create new connection
      • RFC Destination: IWFND_ODATA_PUSH
      • Connection Type: 3
    3. Go to tab “Special Options”
      • Transfer Protocol: Classic with bgRFC
    4. Save
    5. Test RFC destination and check the result
  2. Registering RFC Destinations for Inbound Queue
    1. Transaction: SBGRFCCONF
    2. Go to tab “Define Inbound Dest.”
    3. Create
      • Inb. Dest. Name: IWFND_ODATA_PUSH
    4. Save
    5. Go to tab “Scheduler: Destination”
    6. Create
      • Type: Inbound
      • Destination: IWFND_ODATA_PUSH
    7. Save


FND – 5 – Activate SAP NetWeaver Gateway

The configuration steps to be executed on the HUB system (FND) are detailed at SAP Help. The steps are for the OData Channel Service for backend system.

  1. Basic configuration activities: SAP Help
    • Set profile parameters to support SSO2 SAP Help
    • Activate ICF Services Blog / SAP Help
  2. User & Authorization SAP Help
  3. SAP Gateway to Consumer (FND to SMP3) SAP Help
    1. Creating a bgRFC destination for outbound queues Blog SAP Help
    2. Registering bgRFC destination for the outbound queue Blog SAP Help
    3. Creating bgRFC supervisor destination Blog SAP Help
  4. SAP Gateway to SAP Backend (FND to BEP) SAP Help
    1. Create RFC on SAP Gateway (FND) to SAP backend (BEP) Blog SAP Help
    2. Define trust between SAP Gateway and SAP backend (FND <-> BEP) Blog SAP Help
    3. Configure SAP backend system (BEP) to accept assertion ticket from SAP Gateway Blog SAP Help
    4. Configure SAP Gateway (FND) to accept assertion ticket from SAP backend (BEP) Blog SAP Help
    5. Configure SAP system alias for applications Blog SAP Help
  5. Activate SAP NetWeaver Gateway SAP Help

This document explains how to execute step 5.

The final step is to activate the SAP Gateway functionality. SAP Help

SPRO: SAP Reference IMG and navigate to: SAP NetWeaver Gateway > OData Channel > Configuration > Activate or Deactivate SAP NetWeaver Gateway


  1. Execute the activity. Confirm the dialog to activate SAP Gateway.
  2. Check the result.


FND – 45 – Configure SAP system alias for applications

The configuration steps to be executed on the HUB system (FND) are detailed at SAP Help. The steps are for the OData Channel Service for backend system.

  1. Basic configuration activities: SAP Help
    • Set profile parameters to support SSO2 SAP Help
    • Activate ICF Services SAP Help
  2. User & Authorization SAP Help
  3. SAP Gateway to Consumer (FND to SMP3) SAP Help
    1. Creating a bgRFC destination for outbound queues SAP Help
    2. Registering bgRFC destination for the outbound queue SAP Help
    3. Creating bgRFC supervisor destination SAP Help
  4. SAP Gateway to SAP Backend (FND to BEP) SAP Help
    1. Create RFC on SAP Gateway (FND) to SAP backend (BEP) SAP Help
    2. Define trust between SAP Gateway and SAP backend (FND <-> BEP) SAP Help
    3. Configure SAP backend system (BEP) to accept assertion ticket from SAP Gateway SAP Help
    4. Configure SAP Gateway (FND) to accept assertion ticket from SAP backend (BEP) SAP Help
    5. Configure SAP system alias for applications SAP Help
  5. Activate SAP NetWeaver Gateway SAP Help

This document explains how to execute step 4.5.

Incoming OData requests can be handled locally by the Gateway system or redirected to an SAP backend. In a HUB installation, the OData service backend is a different SAP system (BEP), therefore an alias is needed to define to which backend an OData service should be redirected.
SAP Help

The alias defined here will be used in the maintain odata services transaction to assign a backend to a service.

SPRO: SAP Reference IMG and navigate to: SAP NetWeaver Gateway > OData Channel > Configuration > Connection Settings > SAP NetWeaver Gateway to SAP System > Manage SAP System Aliases


The program to manage SAP system aliases opens.


  1. Create a new entry
  2. Enter the corresponding data for the SAP backend
    • SAP System Alias: ECC
    • Description: BEP backend
    • Local GW: No
    • For Local App: No
    • RFC Destination: ECCCLNT001
    • Software Version: DEFAULT
    • System ID: ECC
    • Client: 001
    • WS Provider system: empty
  3. Save

FND – 44 – Configure SAP Gateway (FND) to accept assertion ticket from SAP backend (BEP)

Yes, this item should be under BEP and not HUB, but I am following SAP Help here, so sorry for the confusion!

The configuration steps to be executed on the HUB system (FND) are detailed at SAP Help. The steps are for the OData Channel Service for backend system.

  1. Basic configuration activities: SAP Help
    • Set profile parameters to support SSO2 SAP Help
    • Activate ICF Services SAP Help
  2. User & Authorization SAP Help
  3. SAP Gateway to Consumer (FND to SMP3) SAP Help
    1. Creating a bgRFC destination for outbound queues SAP Help
    2. Registering bgRFC destination for the outbound queue SAP Help
    3. Creating bgRFC supervisor destination SAP Help
  4. SAP Gateway to SAP Backend (FND to BEP) SAP Help
    1. Create RFC on SAP Gateway (FND) to SAP backend (BEP) SAP Help
    2. Define trust between SAP Gateway and SAP backend (FND <-> BEP) SAP Help
    3. Configure SAP backend system (BEP) to accept assertion ticket from SAP Gateway SAP Help
    4. Configure SAP Gateway (FND) to accept assertion ticket from SAP backend (BEP) SAP Help
    5. Configure SAP system alias for applications SAP Help
  5. Activate SAP NetWeaver Gateway SAP Help

This document explains how to execute step 4.4.

Allow the SAP backend (BEP) to log on via SSO to the SAP Gateway HUB (FND).
SAP Help

No SPRO activity.

System: BEP

Transaction SSO2

To configure SSO by installing the system certificates, go to transaction SSO2 and enter:

  • Destination: RFC destination ECCCLNT001
  • Host name: DNS name of the backend (BEP): nwecc.tobias.de
  • Instance Number: instance number of the backend (BEP): 01

Run the program. If the tool finds problems, it offers to fix them for you.

Result when everything is OK:


FND – 43 – Configure SAP backend system (BEP) to accept assertion ticket from SAP Gateway

Yes, this item should be under BEP and not HUB, but I am following SAP Help here, so sorry for the confusion!

The configuration steps to be executed on the HUB system (FND) are detailed at SAP Help. The steps are for the OData Channel Service for backend system.

  1. Basic configuration activities: SAP Help
    • Set profile parameters to support SSO2 SAP Help
    • Activate ICF Services SAP Help
  2. User & Authorization SAP Help
  3. SAP Gateway to Consumer (FND to SMP3) SAP Help
    1. Creating a bgRFC destination for outbound queues SAP Help
    2. Registering bgRFC destination for the outbound queue SAP Help
    3. Creating bgRFC supervisor destination SAP Help
  4. SAP Gateway to SAP Backend (FND to BEP) SAP Help
    1. Create RFC on SAP Gateway (FND) to SAP backend (BEP) SAP Help
    2. Define trust between SAP Gateway and SAP backend (FND <-> BEP) SAP Help
    3. Configure SAP backend system (BEP) to accept assertion ticket from SAP Gateway SAP Help
    4. Configure SAP Gateway (FND) to accept assertion ticket from SAP backend (BEP) SAP Help
    5. Configure SAP system alias for applications SAP Help
  5. Activate SAP NetWeaver Gateway SAP Help

This document explains how to execute step 4.3.

Allow the SAP Gateway HUB (IWFND) to log on via SSO to the SAP backend (BEP).
SAP Help

No SPRO activity.

System: BEP

Transaction SSO2

To configure SSO by installing the system certificates, go to transaction SSO2 and enter:

  • Destination: RFC destination GWDCLNT001 (IMPORTANT: must have been created earlier on the BEP system)
  • Host name: DNS name of the SAP Gateway HUB: nwgw74.tobias.de
  • Instance Number: instance number of the SAP Gateway HUB: 01

Run the program. If the tool finds problems, it offers to fix them for you.

Result when everything is OK:
