Install SAP OCB Retail – 5 – Starting the application


The SAP Omnichannel Retail Banking installer deploys three applications:

  • business central
  • business banking
  • retail banking

Each one of those is accessed by a URL and browser.

Business Central

Access: https://localhost:8081/bc/servlet/bc/global.jsp

Select your language (most probably English). On the next screen, enter the user name admin and the password Pass1234.

The logins in this post are the published demo credentials; change their passwords, or remove the demo users, before the instance is reachable by anyone but you.

Welcome to business central.

Business Banking

Access: https://localhost:8081/cb/pages/jsp-ns/login-corp.jsp

Enter the user name jtech and the password Pass1234.

Retail Banking application

Access: https://localhost:8081/cb/pages/jsp-ns/login-cons.jsp

User: tbowman

Password: Pass1234

You land on the online banking home screen.


Install SAP OCB Retail – 4 – Validation


After enabling the OCB features, check that the folders and files are actually in place in SMP3. The enablement has worked when the OCB files show up in the features, plugins and webapps folders of SMP3.

Features

ls /SAP/MobilePlatform3/Server/features/ | grep "com.sap.banking.omnichannel"

You should get a list of 5 folders.

  • com.sap.banking.omnichannel.bpw.web_8.3.1.1-v201512150916
  • com.sap.banking.omnichannel.businesscentral.web_8.3.1.1-v201512150916
  • com.sap.banking.omnichannel.onlinebanking.web_8.3.1.1-v201512150916
  • com.sap.banking.omnichannel.platform_8.3.1.1-v201512150916
  • com.sap.banking.omnichannel.provisioning_8.3.1.1-v201512150916

Plugins

ls /SAP/MobilePlatform3/Server/plugins | grep "com.sap.banking"

You should get a long list of JAR files

  • […]
  • com.sap.banking.banking-applications_8.3.1.1.jar
  • com.sap.banking.banking-approvalconfig_8.3.1.1.jar
  • com.sap.banking.banking-approvalpluginconfig_8.3.1.1.jar
  • com.sap.banking.banking-bankconfig_8.3.1.1.jar
  • com.sap.banking.banking-bankingconfig_8.3.1.1.jar
  • com.sap.banking.banking-bankingreport-api_8.3.1.1.jar
  • com.sap.banking.banking-bankreport_8.3.1.1.jar
  • com.sap.banking.banking-billpay_8.3.1.1.jar
  • com.sap.banking.banking-billpay-api_8.3.1.1.jar
  • com.sap.banking.banking-billpayconfig_8.3.1.1.jar
  • com.sap.banking.banking-bptw_8.3.1.1.jar
  • […]

Webapps

ls /SAP/MobilePlatform3/Server/webapps/

Three banking-* folders must exist.
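The three checks above in one script, added here as an example (it is neither SAP tooling nor part of the original post). It assumes the paths used in this series, /SAP/MobilePlatform3/Server with its features, plugins and webapps folders, and the feature ids listed above; the extra check that all five features carry the same version suffix goes slightly beyond the page, because mixed suffixes usually mean a half-applied patch.

```python
"""Validate the OCB enablement in an SMP3 Server directory (added example, not SAP tooling).

Assumptions: the layout used in this series (<SMP3>/Server/{features,plugins,webapps}),
five com.sap.banking.omnichannel.* feature folders, com.sap.banking.* plugin JARs and
three banking-* webapp folders.
"""
import os
import sys

# Feature ids from the enablement step, without the _<version>-v<build> suffix.
EXPECTED_FEATURES = (
    "com.sap.banking.omnichannel.provisioning",
    "com.sap.banking.omnichannel.platform",
    "com.sap.banking.omnichannel.bpw.web",
    "com.sap.banking.omnichannel.businesscentral.web",
    "com.sap.banking.omnichannel.onlinebanking.web",
)
EXPECTED_WEBAPPS = 3


def _listing(path):
    """Directory entries, or an empty list if the directory is missing."""
    return sorted(os.listdir(path)) if os.path.isdir(path) else []


def validate_listing(features, plugins, webapps):
    """Pure check on three directory listings; returns a list of problems (empty = OK)."""
    problems = []
    versions = set()
    for feature in EXPECTED_FEATURES:
        matches = [n for n in features if n.startswith(feature + "_")]
        if not matches:
            problems.append("missing feature folder: " + feature)
        else:
            # suffix after the id, e.g. 8.3.1.1-v201512150916
            versions.update(m[len(feature) + 1:] for m in matches)
    if len(versions) > 1:
        problems.append("feature versions differ: " + ", ".join(sorted(versions)))
    jars = [n for n in plugins if n.startswith("com.sap.banking.") and n.endswith(".jar")]
    if not jars:
        problems.append("no com.sap.banking.* JARs in plugins/")
    apps = [n for n in webapps if n.startswith("banking-")]
    if len(apps) != EXPECTED_WEBAPPS:
        problems.append("expected %d banking-* webapps, found %d: %s"
                        % (EXPECTED_WEBAPPS, len(apps), ", ".join(apps) or "none"))
    return problems


def validate_ocb(server_dir):
    """Run validate_listing against a real <SMP3>/Server directory."""
    return validate_listing(_listing(os.path.join(server_dir, "features")),
                            _listing(os.path.join(server_dir, "plugins")),
                            _listing(os.path.join(server_dir, "webapps")))


if __name__ == "__main__":
    # Usage: python validate_ocb.py [/SAP/MobilePlatform3/Server]
    server = sys.argv[1] if len(sys.argv) > 1 else "/SAP/MobilePlatform3/Server"
    issues = validate_ocb(server)
    for issue in issues:
        print("FAIL:", issue)
    print("OK: OCB artifacts present in " + server if not issues else "%d problem(s)" % len(issues))
    sys.exit(1 if issues else 0)
```

The exit code makes the script usable from a post-installation job: anything but 0 means the enablement is incomplete and the application walkthrough in part 5 will not work.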


Install SAP OCB Retail – 3 – Enable SAP Omnichannel Retail Banking


SMP3 had to be stopped while OCB was installed. The installer prepared the database and copied the files that make up the OCB application (OSGi bundles) into SMP3, but did not activate them. To use OCB, an SMP3 administrator has to enable the corresponding features in the Admin web interface. First, start SMP3.

Add OCB p2 repository

Log on to the SMP3 admin interface and navigate to Settings -> Repositories. Add the repository the installer created (the path is absolute, hence the three slashes):

file:///SAP/MobilePlatform3/Server/p2/com.sap.banking.omnichannel.repository

Enable OCB features

After adding the p2 repository containing the OCB features, you can enable them. Navigate to Settings -> Features & Components.

The screen lists the features available to SMP3; once the OCB p2 repository has been added, the OCB features appear among them. Activate them in this order:

  1. com.sap.banking.omnichannel.provisioning.feature.group
  2. com.sap.banking.omnichannel.platform.feature.group
  3. com.sap.banking.omnichannel.bpw.web.feature.group
  4. com.sap.banking.omnichannel.businesscentral.web.feature.group
  5. com.sap.banking.omnichannel.onlinebanking.web.feature.group

1 Enable com.sap.banking.omnichannel.provisioning.feature.group

2 Enable com.sap.banking.omnichannel.platform.feature.group

The SMP3 server now restarts; on the console you can watch the new bundles and features being started. It must come up cleanly before you go on. If it does not, stop here and read the server log, because the three web features are enabled on top of the platform feature.

3 Enable com.sap.banking.omnichannel.bpw.web.feature.group

4 Enable com.sap.banking.omnichannel.businesscentral.web.feature.group

5 Enable com.sap.banking.omnichannel.onlinebanking.web.feature.group

Start scheduler bundle

cd /SAP/MobilePlatform3/Server/tools/cmdclient/
./ljsc.sh ss banking-core-scheduleruntime

In the output, check that the bundle is reported as ACTIVE. In the OSGi (Equinox) console behind SMP3's Virgo kernel, ss prints the short status of the matching bundles rather than starting them, so a bundle that only shows RESOLVED still has to be started by its bundle id.


Install SAP OCB Retail – 2 – Start installation


Download

Download the installation file from the SAP Service Marketplace and copy it to the SMP3 server.

tar zxvf ONLRETBANK83001P_1-81000501.TGZ
cd ebf25660/
unzip RetailBanking_8.3_SP01_PL01_LINUX64.zip

This will give you the installation files in the folder.

Start installation

The installer is in the folder SAPOnlineRetailBanking8.3.1.1.

cd SAPOnlineRetailBanking8.3.1.1/
sh ./install.sh

Press Enter to start the wizard. You will have to enter several parameters, such as the SMP3 and database settings.

The wizard asks for:

  • SMP3 configuration
  • Oracle Database configuration: the path on your system where Oracle is installed (it contains the DB tools). For Oracle XE the path is /u01/app/oracle/product/11.2.0/xe/
  • Whether to load sample data into the database. Do this on a test instance only; sample data means demo accounts with known passwords.

The installation then starts and the database is created. After a while, the installer should finish.

Validation

The folder com.sap.banking.omnichannel.repository must have been created as a p2 repository. Check for it via

ls /SAP/MobilePlatform3/Server/p2/com.sap.banking.omnichannel.repository/


Install SAP OCB Retail – 1 – SMP3 configuration


To be able to install SAP Omnichannel retail banking on SMP3 SP8, some adjustments must be done on the SMP3 server configuration.

Avoid memory leak

Add a new parameter in the props.ini file of SMP3 server.

vim /SAP/MobilePlatform3/Server/props.ini

Parameter to add: -Dorg.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER=true

DTD validation

According to SAP's installation guide this setting runs somewhat against SAP's own security recommendations, but it is needed because OCB uses Struts, whose configuration is validated against a DTD and not an XSD. The properties you comment out are the ones that restrict DTD processing in the XML parser, so the change re-opens the usual DTD attack surface (external entity resolution, entity expansion); make it only on the SMP3 instance that hosts OCB and keep it out of any other SMP3 server. Edit the file fixed-sys.properties located at /SAP/MobilePlatform3/Server/configuration/com.sap.mobile.platform.server.launcher.

vim /SAP/MobilePlatform3/Server/configuration/com.sap.mobile.platform.server.launcher/fixed-sys.properties

Comment out the last two properties.

Weak Diffie-Hellman ciphers

Current browsers refuse the TLS cipher suites SMP3 SP8 ships with, because they reject Diffie-Hellman key exchange with short parameters. The list must therefore be brought in line with what browsers now expect.

vim /SAP/MobilePlatform3/Server/config_master/org.eclipse.gemini.web.tomcat/default-server.xml

For each TLS connector, replace the ciphers attribute with TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA (no spaces inside the attribute). The ECDHE suites come first and give forward secrecy; the four TLS_RSA suites are a fallback for clients without ECDHE and can be dropped once none of those remain. AES-GCM suites would be preferable, but they need Java 8, and SMP3 SP8 runs on SAP JVM 7.

JAVA_HOME

Set JAVA_HOME variable to the one used by SMP3.

export JAVA_HOME=/SAP/MobilePlatform3/sapjvm_7/

Install SMP3 with Oracle DB


The following procedure for installing SMP3 with an Oracle DB is for Linux. For tests, you can use Oracle Express; check your environment/company policy on whether you may use that version.

Prerequisites

Ensure that Oracle XE is up and running. It is important that the TNS listener is working. Start the listener and check its status:

/u01/app/oracle/product/11.2.0/xe/bin/lsnrctl status

Configure installation parameters

The steps are documented at SAP Help. You’ll have to edit the SilentInstall_Linux.txt file and adjust the installation parameters.

vim SilentInstall_Linux.txt

For Oracle, you’ll need to change these parameters (at the end, you’ll find a complete example file):

Tell SMP3 to use an external DB

-V developerInstall="false"
-V productionInstall="true"
-V sqlaEmbeddedDB="false"
-V existDB="true"

Enter the Oracle XE connection parameters

-V existDBType="oracle-sid"
-V dbHostName="localhost"
-V dbPortNumber="1521"
-V dbLogin="gomobile"
-V dbPassword="secret"
-V dbDBName="XE"

Point to the JDBC driver

-V jdbcDriver="/u01/app/oracle/product/11.2.0/xe/jdbc/lib/ojdbc6.jar"

Prepare Oracle DB

From the above connection parameters you can see that SMP3 will connect to Oracle XE as user gomobile with password secret. That user, with that password and its schema, must therefore exist in the DB. SMP3 ships an SQL script for Oracle that does exactly this; it is located at /db_tools/db/oracle/smp3/sql and is called 001_SMP3_drop_and_create_user.DDL. Note that the same password sits in clear text in SilentInstall_Linux.txt (dbPassword), so pick something other than secret and restrict that file's permissions. The script contains the SQL statements to create the user with the right permissions:

CREATE ROLE SY365_OBJOWNER;
GRANT CREATE SEQUENCE TO SY365_OBJOWNER;
GRANT CREATE SESSION TO SY365_OBJOWNER;
GRANT CREATE SYNONYM to SY365_OBJOWNER;
GRANT CREATE TABLE TO SY365_OBJOWNER;
GRANT CREATE VIEW TO SY365_OBJOWNER;
GRANT CREATE PROCEDURE TO SY365_OBJOWNER;
GRANT CREATE SEQUENCE TO SY365_OBJOWNER;
GRANT CREATE TRIGGER TO SY365_OBJOWNER;
GRANT CREATE INDEXTYPE TO SY365_OBJOWNER;
DROP USER GOMOBILE CASCADE;
CREATE USER GOMOBILE
IDENTIFIED BY secret
DEFAULT TABLESPACE USERS
TEMPORARY TABLESPACE TEMP
PROFILE DEFAULT
ACCOUNT UNLOCK;
-- 2 Roles for GOMOBILE
GRANT SY365_OBJOWNER TO GOMOBILE;
GRANT CREATE SESSION TO GOMOBILE;
GRANT CONNECT TO GOMOBILE;
ALTER USER GOMOBILE DEFAULT ROLE ALL;
-- 1 Tablespace Quota for GOMOBILE
ALTER USER GOMOBILE QUOTA UNLIMITED ON USERS;

You will have to add the command EXIT; at the end of the file, otherwise SQL*Plus stays at its prompt after the last statement.

To run the SQL script, run:

sqlplus system/Sap123 @001_SMP3_drop_and_create_user.DDL > smp3.log
  • Note: Sap123 is the password for the user system. Passing it on the command line exposes it in the process list and the shell history; running sqlplus system @001_SMP3_drop_and_create_user.DDL instead makes SQL*Plus prompt for it.

Output is written to smp3.log

SQL*Plus: Release 11.2.0.2.0 Production on Wed Aug 24 21:37:08 2016
Copyright (c) 1982, 2011, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production
Role created.
Grant succeeded.
[…]
DROP USER GOMOBILE CASCADE
ERROR at line 1:
ORA-01918: user 'GOMOBILE' does not exist
User created.
Grant succeeded.
[…]
User altered.
User altered.

The error regarding DROP user is normal, as the user gomobile hasn’t been created before, so there is no user to drop.

Run installer

With the above steps done, SMP3 installer is ready to be run.

./SilentInstall_Linux.sh

The output will contain information regarding the Oracle DB:

dbg, existDBType:oracle-sid
WARNING: Selecting this option confirms SMP database is already created
dbg, jdbcDriver: /u01/app/oracle/product/11.2.0/xe/jdbc/lib/ojdbc6.jar
dbg, jdbcDriver fullFileName: /u01/app/oracle/product/11.2.0/xe/jdbc/lib/ojdbc6.jar
dbg, jdbcDriverFile: /sap/SAP/MobilePlatform3/Util/ojdbc6.jar
dbg, ojdbc6.jar will be renamed to ojdbc.jar in the installation
dbg, queryExit:oracle-sid localhost gomobile [pwd entered] 1521 XE
dbg, Ping succcesful: 0
dbg, smpDataExists:false
dbg, New node install

If everything works fine, you’ll get a confirmation message at the end of the installation.

Installation Successful

Validation

SAP Help contains some information on how to validate the installation. You can search the installation log for error messages, but when an error occurs the installer normally stops anyway. My preferred way to check SMP3 is to start the server and see if I can log on, create apps, etc. The base test is therefore to start SMP3 and log on.


Set session timeout for SMP3 admin console


SMP3 runs on Tomcat and therefore inherits its basic configuration from Tomcat. One of these settings is the session timeout. By default it is 20 minutes, which, depending on your requirements, may be too short or too long. Changing it is easy: one parameter in one file, then a restart of SMP3 for the change to take effect. The procedure is outlined at SAP Help.

The file to be changed is the Tomcat configuration file that can be found at: <SMP_HOME>\Server\config_master\org.eclipse.gemini.web.tomcat\web.xml.

The parameter to change is session-timeout; its value is in minutes.

To increase the timeout to one hour, set it to 60. Bear in mind that this is the admin console: a longer timeout keeps an unattended or hijacked admin session usable for that much longer, so do not go beyond what the administrators actually need.

Restart SMP3 for the change to take effect.


Enable TLS in SMP3


SSL is out, TLS is the new kid in town (although already pretty old) and to keep security high on your SMP3 server, a question remains: how to enable TLS on SMP3? Easy: it is already configured!

By default, SMP3 comes with TLS enabled. The trick is to configure it the way you want it. For one, there are the ciphers (not part of this blog), and then there is the protocol. The protocol defines whether a browser can use TLS v1, v1.1 or v1.2. The configuration is done on the server side, in the default-server.xml file located at:

/<SMP3 installation directory>/Server/config_master/org.eclipse.gemini.web.tomcat/default-server.xml

As SMP3 is using Tomcat as its web server, the usual Tomcat configuration parameters apply. To have a HTTPS connection on port 8081, the XML looks like this:

<Connector SSLEnabled="true" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA" clientAuth="false" keyAlias="smp3" maxThreads="200" port="8081" protocol="com.sap.mobile.platform.coyote.http11.SapHttp11Protocol" scheme="https" secure="true" smpConnectorName="oneWaySSL" sslEnabledProtocols="TLSv1" sslProtocol="TLS"/>

Parameters

  • Port: defines the port Tomcat will listen on. Here it is 8081
  • sslEnabledProtocols: “The comma separated list of SSL protocols to support for HTTPS connections. If specified, only the protocols that are listed and supported by the SSL implementation will be enabled.” [1]
  • sslProtocol: “The SSL protocol(s) to use (a single value may enable multiple protocols – see the JVM documentation for details). If not specified, the default is TLS” [1]

Connecting to the port then results in a TLSv1 connection.

The parameters that define which protocol can be used are sslEnabledProtocols and sslProtocol. Now, which one does what? [2] and [3] explain it: sslProtocol names the JSSE SSLContext, and what that context enables by default depends on the value:

  1. sslProtocol="TLS" will enable SSLv3 and TLSv1
  2. sslProtocol="TLSv1.2" will enable SSLv3, TLSv1, TLSv1.1 and TLSv1.2
  3. sslProtocol="TLSv1.1" will enable SSLv3, TLSv1 and TLSv1.1
  4. sslProtocol="TLSv1" will enable SSLv3 and TLSv1

In the above example sslProtocol is TLS, so the context offers TLSv1 and SSLv3; it is sslEnabledProtocols="TLSv1" that actually restricts the connection to TLSv1 and keeps SSLv3 (POODLE) off the wire. To allow TLSv1, TLSv1.1 and TLSv1.2 (and let the browser pick the highest it supports), set sslEnabledProtocols to TLSv1,TLSv1.1,TLSv1.2. Always set sslEnabledProtocols explicitly rather than relying on the defaults of sslProtocol, and if none of your clients still needs TLS 1.0 or 1.1 (both deprecated since), set it to TLSv1.2 alone.

Example

<Connector SSLEnabled="true" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA" clientAuth="false" keyAlias="tobias" maxThreads="200" port="8081" protocol="com.sap.mobile.platform.coyote.http11.SapHttp11Protocol" scheme="https" secure="true" smpConnectorName="oneWaySSL" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" sslProtocol="TLS"/>

If I now connect on port 8081, my browser should use the highest protocol available.
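The following script is an added example (neither SAP's code nor the blog author's). It reads a default-server.xml, reports the protocol problems discussed in this post and the cipher problems from the Weak Diffie-Hellman section of the SMP3 configuration post (no forward secrecy, DHE suites, RC4/3DES/NULL/EXPORT/MD5), and writes back the hardened attributes. It assumes the Tomcat-style connector layout quoted above and the SAP JVM 7 limits, so the page's CBC list is reused as the default replacement cipher set; SAMPLE_DEFAULT_SERVER_XML is a constructed file built around the out-of-the-box 8081 connector shown in this post. It defaults to TLSv1.2 only, which goes beyond the TLSv1,TLSv1.1,TLSv1.2 this post sets; pass protocols=PAGE_PROTOCOLS if older clients must still connect.

```python
"""Audit and harden the TLS connectors in an SMP3 default-server.xml (added example, not SAP code).

Assumes the Tomcat-style <Connector SSLEnabled="true" ciphers="..." sslEnabledProtocols="..."/>
elements shown on this page; SAMPLE_DEFAULT_SERVER_XML is a constructed file around the
out-of-the-box connector from the post.
"""
import sys
import xml.etree.ElementTree as ET

# Cipher list recommended on this page for SMP3 SP8 on SAP JVM 7 (no GCM before Java 8):
# ECDHE suites first for forward secrecy, static RSA suites as fallback.
PAGE_CIPHERS = (
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,"
    "TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,"
    "TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
)
PAGE_PROTOCOLS = "TLSv1,TLSv1.1,TLSv1.2"   # what the post sets
LEGACY_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_MARKERS = ("_RC4_", "_3DES_", "_DES_", "_NULL_", "_EXPORT", "_anon_")

# Constructed sample modelled on the default 8081 connector quoted in the post.
SAMPLE_DEFAULT_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="com.sap.mobile.platform.coyote.http11.SapHttp11Protocol"/>
    <Connector SSLEnabled="true" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA" clientAuth="false"
      keyAlias="smp3" maxThreads="200" port="8081"
      protocol="com.sap.mobile.platform.coyote.http11.SapHttp11Protocol" scheme="https"
      secure="true" smpConnectorName="oneWaySSL" sslEnabledProtocols="TLSv1" sslProtocol="TLS"/>
  </Service>
</Server>
"""


def _split(attr):
    return [p.strip() for p in attr.split(",") if p.strip()]


def _cipher_findings(suite):
    """Findings for one JSSE cipher suite name."""
    out = []
    if suite.startswith(("TLS_DHE_", "SSL_DHE_")):
        out.append("DHE suite, refused by current browsers when the JVM uses short DH parameters: " + suite)
    elif not suite.startswith(("TLS_ECDHE_", "SSL_ECDHE_")):
        out.append("no forward secrecy: " + suite)
    if any(m in suite for m in WEAK_MARKERS) or suite.endswith("_MD5"):
        out.append("weak cipher: " + suite)
    return out


def audit_connectors(xml_text):
    """Return {port: [findings]} for every SSLEnabled connector; an empty list means clean."""
    report = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        findings = []
        protocols = _split(conn.get("sslEnabledProtocols", ""))
        if not protocols:
            findings.append("sslEnabledProtocols not set: the JSSE defaults of sslProtocol decide, which may include SSLv3")
        findings += ["legacy protocol enabled: " + p for p in protocols if p in LEGACY_PROTOCOLS]
        ciphers = _split(conn.get("ciphers", ""))
        if not ciphers:
            findings.append("ciphers not set: the JVM default suite list is in use")
        for suite in ciphers:
            findings += _cipher_findings(suite)
        report[conn.get("port", "?")] = findings
    return report


def harden_connectors(xml_text, ciphers=PAGE_CIPHERS, protocols="TLSv1.2"):
    """Rewrite ciphers and sslEnabledProtocols on every SSLEnabled connector and return the XML.

    ElementTree drops comments and the XML declaration, so diff the result against the live
    file rather than overwriting it blindly.
    """
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() == "true":
            conn.set("ciphers", ciphers)
            conn.set("sslEnabledProtocols", protocols)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Usage: python audit_connectors.py [/path/to/default-server.xml]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DEFAULT_SERVER_XML
    for port, findings in audit_connectors(text).items():
        print("port %s: %s" % (port, "clean" if not findings else ""))
        for f in findings:
            print("  - " + f)
```

Run against the live file, the audit of the stock connector reports exactly the two things this post and the configuration post fix: TLSv1 as the only enabled protocol and a static-RSA suite without forward secrecy. After hardening with the page's cipher list the static RSA suites are still flagged, which is the reminder to drop them once no client depends on them.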

[1] https://tomcat.apache.org/tomcat-7.0-doc/config/http.html

[2] http://mail-archives.apache.org/mod_mbox/tomcat-users/201303.mbox/%3C13A085B2E018374C813676301AED0EE412D87457C3@BLR0EXC00.us.sonicwall.com%3E

[3] http://wiki.apache.org/tomcat/Security/POODLE


SAP Web Dispatcher as reverse proxy for SMP3


As of SMP3 SP07 you can use SAP Web Dispatcher as a reverse proxy for SMP3. Depending on your landscape, this simplifies your architecture a lot, and you can reuse your WD knowledge and get support from SAP. Installing the WD is done as usual, with one caveat: you have to tell CommonCryptoLib which TLS versions and cipher suites to use, on the server side and on the client side towards SMP3:

ssl/ciphersuites = 896:HIGH

ssl/client_ciphersuites = 896:HIGH

With this, WD can connect to SMP3 using TLS. 896 is the sum of the protocol bits 128 (TLS 1.0), 256 (TLS 1.1) and 512 (TLS 1.2) in the bitmask described in SAP Note 510007, and HIGH restricts the suites to the strong ones. This looks odd but is necessary: SMP3's HTTPS connectors only speak TLS with strong suites (see the post on enabling TLS in SMP3), and the library default does not cover that. Check the note for the exact bit values of your library version.

To understand better what these two parameters do, take a look at the Commonlib + WD SAP Note: 510007


A complete sample profile from a WD running on Windows. The third system entry serves the mutual-TLS port 9082 (VCLIENT=2 requires a client certificate); it needs its own index and SID (MUT below is a placeholder name), and SSL_ENCRYPT=1 goes with an https EXTSRV, as in the second entry.

SAPSYSTEMNAME = WDP
SAPSYSTEM = 00
DIR_INSTANCE = C:\<dir>\SAPWDSMP3
DIR_EXECUTABLE = $(DIR_INSTANCE)
DIR_PROFILE = $(DIR_INSTANCE)
DIR_HOME = $(DIR_INSTANCE)
Autostart = 1
Restart_Program_00 = local $(DIR_EXECUTABLE)/sapwebdisp$(FT_EXE) pf=$(DIR_PROFILE)/sapwebdisp.pfl
wdisp/ssl_auth=0
wdisp/system_0 = SID=SMP, SSL_ENCRYPT=0, EXTSRV=http://smp3.tobias.de:8080, SRCSRV=*:9080, SRCURL=/, STICKY=true
wdisp/system_1 = SID=SEC, SSL_ENCRYPT=1, EXTSRV=https://smp3.tobias.de:8081, SRCSRV=*:9081, SRCURL=/, STICKY=true
wdisp/system_2 = SID=MUT, SSL_ENCRYPT=1, EXTSRV=https://smp3.tobias.de:8082, SRCSRV=*:9082, SRCURL=/, STICKY=true
icm/server_port_0 = PROT=HTTP,PORT=9080
icm/server_port_1 = PROT=HTTPS,PORT=9081
icm/server_port_2 = PROT=HTTPS,PORT=9082,VCLIENT=2
ssl/ciphersuites = 896:HIGH
ssl/client_ciphersuites = 896:HIGH
icm/max_conn = 2000
icm/max_sockets = ($(icm/max_conn) * 2)
icm/req_queue_len = 6000
icm/min_threads = 10
icm/max_threads = 500
mpi/total_size_MB = (min(0.06 * $(icm/max_conn) + 50, 2000))
mpi/max_pipes = ($(icm/max_conn))
wdisp/HTTP/max_pooled_con = ($(icm/max_conn))
wdisp/HTTPS/max_pooled_con = ($(icm/max_conn))
icm/server_port_3 = PROT=HTTPS,PORT=4300
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,PORT=4300,DOCROOT=./admin,AUTHFILE=icmauth.txt


SMP 3 – Configuring Strong Encryption for JVM Security


SMP 3 is a Java application running inside Virgo. So that you need not worry about Java versions and installation, the installer even installs the SAP JVM together with the server. You therefore have an SMP 3 installation and a Java installation at hand. This means you get Java's security features automatically, and some legacy baggage from the dark ages of the Internet too. One piece of it is that the JVM ships with the limited JCE jurisdiction policy, which caps key sizes (AES at 128 bits, for instance), so you have to enable unlimited-strength encryption for SMP3's Java. This is needed at least when you use SAML 2 with ADFS as authentication provider: SAML 2 lets the IdP encrypt the SAML response so that only the SP can decrypt it, and the algorithms used for that (typically AES-256) need key sizes the limited policy blocks. They must be activated manually.

Procedure

The procedure for how to do this can be found at SAP Help. To enable Strong encryption, a policy file must be downloaded from Oracle and placed into a Java folder.

  1. Download policy file.

    URL: http://help.sap.com/disclaimer?site=http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html

  2. Click on accept to enable the download link.

  3. Click on the link UnlimitedJCEPolicyJDK7.zip. This downloads a ZIP file containing 2 JAR files (local_policy.jar and US_export_policy.jar). These 2 files must be copied into the SMP 3 Java JVM.

  4. Stop SMP 3 server.
  5. Copy the 2 JAR files to:

    Folder: <SMP3 installation dir>/sapjvm_7/jre/lib/security

  6. The installation path is outlined in the Readme that is part of the downloaded policy file:

    3) Install the unlimited strength policy JAR files.

    In case you later decide to revert to the original "strong" but
    limited policy versions, first make a copy of the original JCE
    policy files (US_export_policy.jar and local_policy.jar). Then
    replace the strong policy files with the unlimited strength
    versions extracted in the previous step.

    The standard place for JCE jurisdiction policy JAR files is:

    <java-home>/lib/security [Unix]
    <java-home>\lib\security [Windows]

  7. Restart SMP 3

    Command: go.bat

Result

After installing the policy files, the Java JVM has unlimited-strength encryption enabled.

Test

If you want to test whether it worked, there is a code snippet available on SO. The usual check is Cipher.getMaxAllowedKeyLength("AES"), which returns 128 under the limited default policy and 2147483647 (Integer.MAX_VALUE) once the unlimited policy is in place. Just run it as a Java program, using the SAP JVM that SMP3 runs on:

  • Compile: /sap/MobilePlatform3/sapjvm_7/bin/javac TestUCE.java
  • Run: /sap/MobilePlatform3/sapjvm_7/bin/java TestUCE
  • Result: the reported maximum AES key length is 2147483647 if the policy files were picked up, 128 if they were not (wrong folder, or a different JVM than sapjvm_7).
