OpenVPN connection test

After configuring and running both the OpenVPN server and client, it’s a good idea to test if the VPN is working. This involves some tests on both the server and client.

OpenVPN Server

Network Device

After the server is started, a new interface should be created. Run ifconfig to get a list of all available interfaces. In case tun is configured in the conf file as device type, a new interface with name tun0 is created.

ifconfig

Check server log for client connection

In case OpenVPN is started as a service, the log can be found at /var/log/messages. If you start it directly on the command line, the log will be shown on the shell. When a client connects, the log of the server shows the connection information.

tail -f /var/log/messages

The last lines show client1, meaning that the client not only connected, but is also correctly identified as client1. The connection is working.

OpenVPN client

Start OpenVPN and the client will try to connect to the server specified in the client.conf file. Client connecting and receiving IP.

openvpn /etc/openvpn/client.conf
tail -f /var/log/messages

After the connection is established, the client also creates a new interface named tun0. Here a client named client1 connects and receives the IP 10.8.0.6.

ifconfig

Connection test

The easiest way to test that client and server can talk to each other is to ping in both directions. Run a ping from the server to the client IP, and from the client to the server IP. For this, the VPN IP addresses must be used (e.g. 10.8.0.x).

OpenVPN server

Ping client1 from server.

ping 10.8.0.6

OpenVPN client

Ping server from client.

ping 10.8.0.1
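The server-side log check and the ping test described above can be scripted. The following is an added example, not part of the original post: it assumes syslog-style OpenVPN server log lines and common names without spaces, the function names are hypothetical, and the sample log lines are constructed.

```shell
# Added example (not from the original post). Sample log lines are constructed.
SAMPLE_LOG='Mar  3 10:15:01 vpn openvpn[2211]: 203.0.113.5:51234 [client1] Peer Connection Initiated with [AF_INET]203.0.113.5:51234
Mar  3 10:15:01 vpn openvpn[2211]: client1/203.0.113.5:51234 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Mar  3 10:15:01 vpn openvpn[2211]: client1/203.0.113.5:51234 MULTI: Learn: 10.8.0.6 -> client1/203.0.113.5:51234
Mar  3 10:16:40 vpn openvpn[2211]: 198.51.100.9:40022 TLS Error: TLS handshake failed'

# connected_clients: read log text on stdin and print "<common-name> <vpn-ip>"
# for each client that was identified by name AND received a pool address.
connected_clients() {
    awk '
        {
            pool_cn = ""
            for (i = 2; i <= NF; i++) {
                # "[client1] Peer Connection Initiated": client identified by name
                if ($i == "Peer" && $(i + 1) == "Connection") {
                    cn = $(i - 1)
                    gsub(/^\[|\]$/, "", cn)
                    identified[cn] = 1
                }
                # "client1/<addr> MULTI_sva: pool returned IPv4=10.8.0.6,"
                if ($i == "MULTI_sva:") {
                    split($(i - 1), peer, "/")
                    pool_cn = peer[1]
                }
                if (pool_cn != "" && index($i, "IPv4=") == 1) {
                    ip = substr($i, 6)
                    sub(/,$/, "", ip)
                    # An address handed to an unidentified peer is not reported
                    if (pool_cn in identified) print pool_cn, ip
                    pool_cn = ""
                }
            }
        }
    '
}

# in_vpn_subnet: true if the address lies in the 10.8.0.x range used on this page.
in_vpn_subnet() { case "$1" in 10.8.0.*) return 0 ;; *) return 1 ;; esac; }

# ping_peers: ping each identified client over the tunnel (needs a live VPN).
# Argument: log file, defaulting to /var/log/messages as in the text above.
ping_peers() {
    connected_clients < "${1:-/var/log/messages}" | while read -r cn ip; do
        in_vpn_subnet "$ip" && ping -c 1 -W 2 "$ip" >/dev/null && echo "$cn $ip reachable"
    done
}

# Demo on the constructed sample: prints "client1 10.8.0.6"
printf '%s\n' "$SAMPLE_LOG" | connected_clients
```

On a running server, call ping_peers with the path of the log file OpenVPN writes to; the failed TLS handshake in the sample produces no entry because that peer was never identified.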

SAP Afaria 7 SP6 – Install Afaria Server

Start the Afaria Server update. First agree to the license agreement, of course, only when you have read the license and agree to it.

Afaria server update starts. First the currently running server service is stopped.

The setup program will stop the Afaria services. In case this is not possible, you are asked to do it manually or to restart the computer. In case the services are stopped successfully, the setup will start the Afaria Server installation.

Select DB server type

Select host where the DB server is running on and how to log on to the DB.

At this step, while testing the DB connection, I got an error message. The installer cannot connect to the Afaria DB. In my case, this was solved by starting the MSSQLServer process (for some reason, SQL Server wasn't started anymore).

Error: No connection to DB

Solution: Start SQL Server

Select the Afaria DB.

Confirm installation path

Confirm service account credentials

Start installation

This can take a while …

Installation finishes

Select if you want to start the services. If you want to continue with the installation, do not start them now.

Afaria Setup 10.8 – Install Afaria 7 – SCEP Plugin

The steps to install SAP Afaria 7 are:

  1. Download installation package and install license
  2. SAP Afaria Server
  3. SAP Afaria API Service and Administrator
  4. Afaria Admin
  5. Self Service Portal
  6. Enrollment Server
  7. Package Server
  8. SCEP Plug-in module

This document is about step 8.

SCEP Plug-in module

The last component to be installed is the SCEP plug-in. This module is responsible for requesting certificates on behalf of the user. It will make use of the CA and NDE functionality.

Select the version of the module to be installed. On an x64 architecture, the 64-bit version should be selected.

This starts the SCEP installation wizard.

Database

  • Type: Microsoft SQL Server

  • Server: localhost

  • Database: AfariaDb

Location

Start installation

This ends the installation of SAP Afaria 7.00. Now a fully functional SAP Afaria environment is installed and available on the same Windows Server 2008 R2. Be aware that it is a version of Afaria from 2012. Next step is to upgrade this version to the latest version available.

Afaria Setup 10.7 – Install Afaria 7 – Package Server

The steps to install SAP Afaria 7 are:

  1. Download installation package and install license
  2. SAP Afaria Server
  3. SAP Afaria API Service and Administrator
  4. Afaria Admin
  5. Self Service Portal
  6. Enrollment Server
  7. Package Server
  8. SCEP Plug-in module

This document is about step 7.

Package Server

Location

Credentials

IIS configuration

The package server is an IIS site, therefore IIS needs to be configured to host the app. This is done by creating a new virtual directory that IIS will use to host the app.

  • Virtual directory name: ps

SAP Afaria Server connection

For the enrollment server to work, it must know the address of the SAP Afaria server. In my case both servers are on the same computer, so I can use localhost.

  • Remote Server context address: localhost

Start installation

Afaria Setup 10.6 – Install Afaria 7 – Enrollment Server

The steps to install SAP Afaria 7 are:

  1. Download installation package and install license
  2. SAP Afaria Server
  3. SAP Afaria API Service and Administrator
  4. Afaria Admin
  5. Self Service Portal
  6. Enrollment Server
  7. Package Server
  8. SCEP Plug-in module

This document is about step 6.

Additional installations and resources

Enrollment Server

The enrollment server is an IIS web application. To add it, the installer will create a new IIS site.

Location

Path to where the enrollment server will be installed. Can be left to default values.

Credentials

Use the SAP Afaria service user.

  • Account name: afauser

IIS directory

Specify the IIS virtual directory into which the enrollment server site will be installed.

  • Unauthorized virtual directory name: aips
  • Authorized virtual directory name: aips2

  • SSL port: 443

Select the right SSL server certificate.

SAP Afaria Server connection

For the enrollment server to work, it must know the address of the SAP Afaria server. In my case both servers are on the same computer, so I can use localhost.

  • Remote Server context address: localhost

Start installation

Afaria Setup 10.5 – Install Afaria 7 – Self Service Portal

The steps to install SAP Afaria 7 are:

  1. Download installation package and install license
  2. SAP Afaria Server
  3. SAP Afaria API Service and Administrator
  4. Afaria Admin
  5. Self Service Portal
  6. Enrollment Server
  7. Package Server
  8. SCEP Plug-in module

This document is about step 5.

Self Service Portal

The next component to be installed is the Self Service Portal. This is a web page hosted by IIS that allows the end user to register themselves to Afaria. Access will be done through HTTP and as users will share confidential data with the server, SSL is a must.

While SSL was installed in IIS, access to the server using HTTP (without SSL) was not blocked. This is why the installer shows a warning message. As always: do not do this in a production environment, secure access to your Afaria server!

IIS configuration

  • Name of virtual directory: SSP

Authentication

Authentication: Active Directory

Active Directory: LDAP://tobias.de

Note: this actually depends on your environment setup. In my case, IIS is configured to authenticate against AD.

SAP Afaria service account credentials

  • Account name: afauser (created earlier)

Database connection

Will be localhost as this is not a cluster installation and every Afaria component runs on the same server.

Remote Server: localhost

SAP Afaria API Server

  • Server: localhost:7982

Enrollment codes

This should be empty as it is a first installation. In upgrades, enrollment codes from client may appear.

Start installation

After the installer ends, the Self Service Portal is installed and configured.

Afaria Setup 10.2 – Install Afaria 7 – Afaria Server

The steps to install SAP Afaria 7 are:

  1. Download installation package and install license
  2. SAP Afaria Server
  3. SAP Afaria API Service and Administrator
  4. Afaria Admin
  5. Self Service Portal
  6. Enrollment Server
  7. Package Server
  8. SCEP Plug-in module

This document is about step 2.

Install SAP Afaria Server

Select Install Afaria Server

Agree to the EULA.

The Afaria 7 Server Setup wizard starts.

Database

  • Select: Microsoft SQL Server

Enter the SQL Server data. This data must match what was configured earlier on SQL Server!

  • Server: localhost
  • Authentication: Windows Authentication
  • Database: AfariaDB

SAP Afaria server type will be master server.

Location

Installation directory. Leave the value to standard.

Create the directory.

Service Account.

Enter the user data of the afauser created earlier.

Type of authentication

Here you have two options: Windows domain or LDAP based. It depends on where you created the afauser or what your company uses. In my case it does not really matter, as the AD is an LDAP server and Afaria is part of the same domain as the AD, so both options are valid.

  • NT domain based: your domain.

In case you get a warning about the domain: Confirm the domain.

  • Select: Yes

  • NT domain based: ldap

Enter the connection data of the LDAP server. The following information is used to connect to Active Directory.

  • Server Address: FQDN of LDAP server (Afaria.tobias.de)
  • Port: 389 (standard port LDAP, no security)
  • Server Type: Microsoft Active Directory
  • User DN: cn=administrator,cn=users,dc=tobias,dc=de

Start installation

Afaria Setup 7: Configure SSL for web application

With an SSL certificate installed and available in IIS, access to web sites / applications can be secured using SSL. The next step is to secure access to the Afaria Web Application. This is done by activating SSL for the entire web site, that is: all resources under the default web site can be accessed using SSL. The SAP Afaria web application is not installed yet, but after it is installed, IIS will run it beneath the default web site. As SSL is configured for the default web site, all resources underneath it are covered too.

Configuration

  1. Open IIS Manager
  2. Select Default Web Site
  3. Select bindings
  4. Select https and click Edit …
  5. Select SSL certificate afaria from list. Afaria is the friendly name / alias given to the IIS certificate in the previous step: installing SSL to IIS.
  • Assign this binding to all IP addresses and port 443.

Result

The IIS default web site is now accessible using SSL.

Afaria Setup 6: Configure SSL for IIS

To ensure confidentiality of user data, access to SAP Afaria by users needs to be done using SSL. For this to work, IIS must use its own valid SSL certificate. To do so, first a certificate request for IIS must be created. This request will be handled by the CA (installed on same server) and the created certificate must be made available in IIS.

IIS: Create certificate request

  • Start IIS Manager
  • Select default server and server certificates in IIS section.

  • Create certificate request

  • Enter the server information. The CA will include this information in the final certificate.
    • Common name: FQDN of the server
    • Country: BR, or your country

  • Select cryptographic service provider.
    • Cryptographic service provider: Microsoft RSA SChannel Cryptographic Provider
    • Bit length: 1024

  • Enter the file name. This is where the certificate request will be saved. This file will later be submitted to the CA.

Now the certificate request is done by IIS. Next step is to submit the request to the CA.

CA: Issue certificate

As the CA is on the same server as IIS, the request only needs to be submitted to the CA. The certificate type is for a web server. In my case, using the CA wizard to submit the CSR did not work, as the web server template was not available. What worked was to use the command line to submit the CSR and specify the web server template there.

Command: certreq.exe -submit -attrib "CertificateTemplate:WebServer" .\certreq.txt

Select the CA to be used.

Specify path to save certificate to.

Certificate is issued and saved in CER format.

Next is to install the certificate into IIS and make it available for usage.

IIS: Install certificate

To install the server certificate, open IIS Manager console. Select Complete Certificate Request.

Enter the path to the certificate and an alias/friendly name. You’ll refer to the certificate by its friendly name.

Click OK. This installs the certificate into IIS.

Afaria Setup 5: Install roles – Application Server

The web interfaces of Afaria run on top of IIS and are ASP applications. To be able to run them, IIS and ASP must be made available on the server. One way to achieve this is to activate the application server role on the Windows server. This is done by adding this role to the server. Afterwards, IIS and ASP are installed and configured.

To add the application server role, open the server manager and select Add Roles.

In the list of available server roles, the already activated roles are greyed out. Select the role Application Server.

The wizard shows a popup informing that additional role services are required to fulfill the prerequisites of the application server role. In the current state of activated roles, these will be two services. For each one of them, select Add Required Role Services.

Keep IIS services as they are

Confirm the installation parameters.

Windows will install and configure IIS.

Confirm the installation results.

This installs the role application server. After the installation finishes, the server is ready to host ASP web pages.