accad for sap netweaver

SAP NetWeaver Installation & Configuration Guide

Accelerated Application Delivery for SAP NetWeaver: Installation, Configuration, Administration

Software Version 2.2 SP4

June, 2011

Document Version 1.0

Upload: s18238160

Post on 25-Apr-2015




© Copyright June, 2011 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, OpenPower and PowerPC are trademarks or registered trademarks of IBM Corporation.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

MaxDB is a trademark of MySQL AB, Sweden.

SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

These materials are provided “as is” without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

SAP shall not be liable for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials.

SAP does not warrant the accuracy or completeness of the information, text, graphics, links or other items contained within these materials. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third party web pages nor provide any warranty whatsoever relating to third party web pages.

SAP NetWeaver “How-to” Guides are intended to simplify the product implementation. While specific product features and procedures typically are explained in a practical business context, it is not implied that those features and procedures are the only approach in solving a specific business problem using SAP NetWeaver. Should you wish to receive additional information, clarification or support, please refer to SAP Consulting.

Any software coding and/or code lines / strings (“Code”) included in this documentation are only examples and are not intended to be used in a productive system environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, except if such damages were caused by SAP intentionally or grossly negligent.

Disclaimer

Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components.

Any Java™ Source Code delivered with this product is only to be used by SAP’s Support Services and may not be modified or altered in any way.


Typographic Conventions

Type Style: Description

Example Text: Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Cross-references to other documentation.

Example text: Emphasized words or phrases in body text, graphic titles, and table titles.

Example text: File and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.

Example text: User entry texts. These are words or characters that you enter in the system exactly as they appear in the documentation.

<Example text>: Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.

EXAMPLE TEXT: Keys on the keyboard, for example, F2 or ENTER.

Icons

Icon: Description

Caution

Note or Important

Example

Recommendation or Tip


Accelerated Application Delivery May, 2011

Accelerated Application Delivery for SAP NetWeaver 5

Table of Contents

1. Accelerated Application Delivery
  1.1 Overview
  1.2 Glossary
  1.3 Installation Workflow
    1.3.1 Prerequisite
  1.4 Application Delivery Installation Landscape
    1.4.1 Server Side
    1.4.2 Client Side
  1.5 Operational Concept
    1.5.1 Operational Workflow Example
    1.5.2 Traffic Flow Minimization Mechanism
  1.6 AccAD Engine Component Roles
  1.7 Overview of the Application Delivery Implementation Process

2. Preparing for Installation
  2.1 Hardware and Software Requirements
    2.1.1 Hardware Requirements
    2.1.2 Software Requirements
  2.2 Planning your Landscape
  2.3 Network Environment Requirements
    2.3.1 IP Addresses
    2.3.2 Allocating a Device ID
    2.3.3 Minimal Test Configuration
  2.4 Collecting Required Installation Information

3. Installing and Configuring the AccAD Engines
  3.1 Typical Installation Sequence
  3.2 Selecting the Installation Mode of the AccAD Landscape
    3.2.1 Selecting the Linux Installation Mode
    3.2.2 Selecting the AccAD Engine Installation Mode
  3.3 Installing the Operating System
    3.3.1 Automated Kick-Start/Autoyast Installation
    3.3.2 Default Kick-Start/Autoyast on ADM Installation Server
  3.4 Installing the AccAD Engine
    3.4.1 Process Summary
    3.4.2 Network Configuration
    3.4.3 Mounting the Application Delivery CD
    3.4.4 Installing the AccAD Engine
  3.5 Configuring the AccAD Engine
    3.5.1 Manual Configuration of the AccAD Engine
    3.5.2 Automated AccAD Engine Configuration
  3.6 The ADM Package for Automated Installations
    3.6.1 Managing the Appliance Landscape
    3.6.2 Adding and Removing AccAD Instances
    3.6.3 Automatic Installation
    3.6.4 Semi-Automatic Installation
    3.6.5 Updating Link Certificates
    3.6.6 Installing the AccAD Administrator Certificate

4. Configuring the Delivery Policy
  4.1 Accessing the AccAD Administrator
  4.2 Defining the Policy
    4.2.1 Defining Groups in the Landscape
    4.2.2 Defining Delivery Locations
    4.2.3 Adding Engine Instances
    4.2.4 Defining Service Types
    4.2.5 Adding Service Instances
    4.2.6 Adding Delivery Rules
    4.2.7 Activating the New Delivery Policy
  4.3 Advanced Configuration - Service Types
    4.3.1 General Parameters
    4.3.2 Transaction Types
    4.3.3 HTTP Processors
  4.4 Exporting and Importing Service Types

5. Securing the AccAD Landscape
  5.1 Workstation – CFE: Securing Communication Using TLS/SSL Termination
    5.1.1 Configuring X.509 User Authentication – TLS/SSL Only:
    5.1.2 SFE – Application Server: Securing Communication Using Re-Encryption
    5.1.3 SFE – CFE (WAN): Securing Communication by Encrypting the Tunnel
  5.2 Securing the SFE and CFE Hosts
    5.2.1 Adding Drive Encryption for Persistent Content

6. Command Line Interface
  6.1 Using SSH to Connect to the AccAD Engines (CFE/SFE)
  6.2 Connecting to the CLI
    6.2.1 Connecting to the CLI from the Appliance
    6.2.2 Connecting to the CLI from Outside the Appliance
  6.3 Command Categorization & Key Mappings
  6.4 Returning to the Linux Shell
  6.5 Using the CLI to Configure the AccAD engine
  6.6 Using the CLI to Configure a Delivery Policy
  6.7 Configuring AccAD Automatically

7. Configuring the Client Workstation to Work with AccAD
  7.1 DNS Manipulation Using the etc/hosts File
  7.2 DNS Manipulation Using AccAD DNS Proxy
  7.3 Configuring DNS Proxy Method
    7.3.1 Configuring DNS on a Windows Machine
    7.3.2 Configuring AccAD as DNS on a Linux Machine
    7.3.3 Ensuring Automatic Failover in DNS Proxy Mode
  7.4 HTTP Proxy
    7.4.1 Configuring the Web Proxy
    7.4.2 Configuring Client Workstations to Use the CFE Proxy
  7.5 Transparent Mode
  7.6 Configuring Transparent Proxy Method
    7.6.1 Example of Applying the Transparent Proxy
    7.6.2 Ensuring Automatic Failover in Transparent Proxy Mode

8. Monitoring the AccAD Engine
  8.1 Monitoring the Engine with AccAD Administrator
    8.1.1 Viewing Performance Data
    8.1.2 Viewing Traffic History Records
    8.1.3 Viewing Cache Statistics
    8.1.4 Viewing and Changing Alerts
    8.1.5 Viewing Events
  8.2 Using the Application Delivery Monitor
    8.2.1 Installing the Application Delivery Monitor
    8.2.2 Configuring the Application Delivery Monitor
  8.3 Using the Service Monitor
    8.3.1 How the Monitor Functions
    8.3.2 What the Monitor Checks
    8.3.3 Recovery Mode
    8.3.4 Bypass Mode
    8.3.5 Notifications
    8.3.6 Installing the Monitor
    8.3.7 Configuring the Monitor
    8.3.8 Examples
    8.3.9 Start/Stop Monitoring
  8.4 Using the CCMS/SLD Systems
    8.4.1 CCMS
    8.4.2 System Landscape Directory (SLD)
    8.4.3 Installing and Uninstalling CCMS and SLD

9. Troubleshooting
  9.1 Verifying AccAD Functionality
    9.1.1 Prerequisites
    9.1.2 Testing Traffic
  9.2 Restarting the AccAD Engine
  9.3 Uninstalling the AccAD Engine
  9.4 Application Delivery Folder Structure
  9.5 Importing and Exporting Configuration Settings
    9.5.1 Archiving Configuration Settings
    9.5.2 Loading Archived Configuration Settings
    9.5.3 Exporting Configuration Settings
    9.5.4 Import Configuration Settings

10. Version Upgrade
  10.1 Upgrade from 2.1
  10.2 Upgrade from 2.2 to a new SPS

11. Appendix
  11.1 Changing Time Zone on a Linux Machine
  11.2 High Availability with AccAD
    11.2.1 High Availability Features
    11.2.2 Failure Scenarios and Recovery


1. Accelerated Application Delivery

Note

See SAP Note 1449634. This is the central note for Accelerated Application Delivery. It may contain useful information that is not included in this guide or information that becomes available between documentation releases.

1.1 Overview

Accelerated Application Delivery (AccAD) ensures reliable, scalable, rapid, monitored, and secure access to enterprise applications in a distributed organizational landscape.

By employing data compression and optimization technologies, a single data center can deliver, over WAN, content and application services to users at multiple remote offices at near-LAN speed. The application delivery is performed at speed.


1.2 Glossary

The following table contains basic AccAD terminology and concepts, listed in alphabetical order.

Glossary:

Term: Description

AccAD tunnel: The logical communication between CFE and SFE. The tunnel is generated over a set of Internet connections over WAN, which may be TCP or TLS/SSL, if security is required.

AccAD Administrator: The graphical user interface utility for administration and configuration in Accelerated Application Delivery.

AccAD Repository: The AccAD engine instance that resides in the data center and holds all auditing and accounting information, as well as the delivery policy.

application delivery (AD): A solution for providing access to enterprise applications from remote locations. For brevity the abbreviation AD is used often throughout this document.

application delivery engine (AccAD engine): The core application delivery software, deployed at the data center and at each remote office.

application server: A server at a data center that runs applications and services that may be accessed by local and remote users.

application service: An application resource, such as an enterprise portal, that is requested by users. AccAD identifies application services by means of a host and port combination.

CFE – Client Front End: The AccAD engine instance that resides in the remote office.

data center: A central enterprise facility that hosts the applications, data, or services of an organization.

delivery policy: A set of rules that defines the availability of an application service in a remote office and the delivery optimization parameters. The delivery policy determines which application service is delivered to which application delivery engine.

remote office: Any remote enterprise location from which users need to access applications, data, or services that are physically located at a data center.

service type: A collection of parameters that define delivery optimization for different application services.

SFE - Server Front End: The AccAD engine instance that resides in the data center.


1.3 Installation Workflow

To accelerate the delivery of an application or service in the network, it is necessary to install an AccAD SFE appliance in the organization data center, an AccAD CFE appliance in each remote office, and an AccAD repository component in the data center. The repository stores configurations and statistical information; it can be installed on the same appliance as the SFE, but it may also be installed on a different machine (this may be a virtual machine).

1.3.1 Prerequisite

Linux is installed on both the SFE and CFE machines as described in Selecting the Installation Mode of the AccAD Landscape. ...

1. Install the SFE and repository at the data center.

2. Install CFE(s) at the remote office(s).

3. Open the AccAD Administrator (web UI) on the repository machine, using the format https://<hostname>:7443.

If a certificate error is returned, click the link to accept the certificate and continue to the website.

4. Enter the username and password you configured upon installation.

5. In the AccAD Administrator, go to Appliance Landscape Global Settings.

6. Choose Edit, specify the primary link address, and save.

7. Select Global Time Server and enter the name and time zone of the organization time server.

Note: You must specify a different location for each appliance. Choose Create and then OK for each.

8. Choose Save and Apply after each import.

9. Go to the Cockpit tab to check that the link is established.

10. With the link established, specify the services you want to accelerate, as follows:

a. On the repository machine, go to the Delivery Policy tab.

b. Select Service Instances and specify a name for the service.

c. You should be able to browse the service using an HTTP proxy.

1.4 Application Delivery Installation Landscape

SAP Accelerated Application Delivery is implemented using the components described in this section.

1.4.1 Server Side

On the server side, where the data center application servers reside, you need the following components:

Application Delivery Engine – Repository

The core application delivery software, installed at the data center on a dedicated Linux host. The installation of the repository automatically installs a MaxDB database server, which stores the AccAD delivery policy as well as audit information and user sessions.


Application Delivery Engine – Server Front-End (SFE)

The core application delivery software, installed at the data center on a dedicated Linux host, or on the same host as the repository.

Application Delivery Monitor

A standalone desktop utility installed on any host in the data center network, though preferably on an administrator’s host. The application delivery monitor communicates with the SFE to collect real-time delivery statistics, such as traffic volume, and the number of open and closed connections. The monitor displays statistics graphically.

1.4.2 Client Side

On the client side, where the user client workstations reside, you need the following AD components:

Application Delivery Engine – Client Front-End (CFE)

The core application delivery software installed at each of the remote offices. Each AccAD engine is installed on a dedicated Linux or Windows host.

The following figure illustrates the typical installation landscape of AD components.

1.5 Operational Concept

To deliver remote services to local users, AccAD implements a symmetrical, virtual representation concept:

Virtual services represent the data center’s physical application services at a remote office.

Virtual users represent the actual remote office users at the data center.

Together, the SFE and CFEs maintain an unambiguous mapping of the respective IP addresses of the virtual and physical users and services. At a remote office, the CFE emulates services, which are requested locally by actual users, from the data center. It redirects these requests to the SFE using a dedicated, optimized delivery channel over WAN.

At the data center, the SFE communicates with application servers on behalf of the emulated users (representing actual users at the remote offices). It requests and receives, locally, application services on their behalf, and then compresses and delivers the received content over the same WAN channel to the CFE.

This concept is symmetrical and, in the same way, the CFE can communicate with application servers on behalf of emulated users (representing users at the data center), if such services are available in the remote office.

[Figure: Data Center (SFE, Virtual Users, Physical Application Server, Services, LAN) and Remote Office (CFE, Users, Virtual Application Server, Virtual Services, LAN), connected by compressed content over WAN; flow steps numbered 1 to 6.]

1.5.1 Operational Workflow Example ...

1. A user at a remote office requests a portal service.

2. The CFE receives the request for the portal service, encodes it and passes it to the SFE through an established communication channel over WAN.

3. The SFE emulates the corresponding virtual user and routes the request to the appropriate physical service, according to the IP address mapping.

4. The SFE receives a response for the virtual user, then encodes and compresses it for delivery.

5. The compressed content is delivered to the CFE through an established communication channel over WAN.

6. The content is decoded and returned to the actual user.

1.5.2 Traffic Flow Minimization Mechanism

Traffic is optimized by reducing the amount of data transferred. This is enabled by an efficient compression mechanism based on message analysis and pattern recognition. AccAD learns the traffic information incrementally, from previous communications, and maintains it in a dictionary. An encoding procedure replaces content chunks that are found in the dictionary with short keys, which significantly reduces message size. After encoding, messages undergo further compression using a gzip algorithm. This mechanism is applied by the message sender at both ends of the communication channel, regardless of the message content. Similarly, the recipient decompresses and decodes the delivered message.
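The following sketch is an added example, not code from SAP or from this guide. It shows the two-stage scheme described above (dictionary keys, then gzip) running in both directions between two tunnel ends, and what happens when the recipient's dictionary is out of step with the sender's. The 32-byte chunk size, the token layout and all names (TunnelEndpoint, sample_response, demo) are assumptions made for illustration; the guide does not document AccAD's actual format.

```python
import gzip
import hashlib
import struct

CHUNK = 32            # assumed chunk size; the guide does not state one
LITERAL, KEY = 0, 1   # token types of this illustrative (assumed) wire format


class TunnelEndpoint:
    """One end of the tunnel (CFE or SFE) with its learned dictionary."""

    def __init__(self):
        self.key_of = {}    # chunk -> short key, used when sending
        self.chunk_of = []  # short key -> chunk, used when receiving

    def _learn(self, message):
        # Both ends learn from every message in the same order, so the two
        # dictionaries stay identical without ever being transmitted.
        for i in range(0, len(message) - CHUNK + 1, CHUNK):
            chunk = message[i:i + CHUNK]
            if chunk not in self.key_of:
                self.key_of[chunk] = len(self.chunk_of)
                self.chunk_of.append(chunk)

    def encode(self, message):
        """Sender: replace known chunks with keys, then gzip the token stream."""
        tokens, literal, i = bytearray(), bytearray(), 0

        def flush_literal():
            if literal:
                tokens.extend(struct.pack(">BI", LITERAL, len(literal)))
                tokens.extend(literal)
                literal.clear()

        while i < len(message):
            key = self.key_of.get(message[i:i + CHUNK])
            if key is None:
                literal.append(message[i])   # unknown content stays literal
                i += 1
            else:
                flush_literal()
                tokens.extend(struct.pack(">BI", KEY, key))
                i += CHUNK
        flush_literal()
        self._learn(message)
        return gzip.compress(bytes(tokens))

    def decode(self, wire):
        """Recipient: gunzip, then expand keys back into content chunks."""
        tokens, out, i = gzip.decompress(wire), bytearray(), 0
        while i < len(tokens):
            if len(tokens) - i < 5:
                raise ValueError("truncated token")
            kind, value = struct.unpack_from(">BI", tokens, i)
            i += 5
            if kind == LITERAL and i + value <= len(tokens):
                out += tokens[i:i + value]
                i += value
            elif kind == KEY and value < len(self.chunk_of):
                out += self.chunk_of[value]
            else:
                # A key the recipient never learned, or a malformed token.
                raise ValueError("dictionary out of sync or bad token")
        message = bytes(out)
        self._learn(message)
        return message


def sample_response(session_id):
    # Constructed sample: a portal response whose body is hash output, so
    # gzip alone cannot shrink it much and the dictionary effect is visible.
    body = "".join(hashlib.sha256(b"row%d" % n).hexdigest() for n in range(20))
    text = "HTTP/1.1 200 OK\r\nSet-Cookie: sid=%s\r\n\r\n%s" % (session_id, body)
    return text.encode("ascii")


def demo():
    """Deliver the same page twice from SFE to CFE; return (plain, wire) sizes."""
    sfe, cfe = TunnelEndpoint(), TunnelEndpoint()
    sizes = []
    for session_id in ("AAAA1111", "BBBB2222"):
        page = sample_response(session_id)
        wire = sfe.encode(page)
        if cfe.decode(wire) != page:
            raise RuntimeError("round trip failed")
        sizes.append((len(page), len(wire)))
    return sizes


if __name__ == "__main__":
    for plain, wire in demo():
        print("plain %d bytes -> wire %d bytes" % (plain, wire))
```

The second delivery is much smaller because only the changed header travels as a literal. An endpoint that did not see the earlier traffic cannot decode it, so in this sketch a restarted or replaced engine has to start again from an empty dictionary on both sides.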


1.6 AccAD Engine Component Roles

The following section provides a functional overview of the AccAD engine components.

Repository

Contains the delivery policy of the landscape.

Collects alerts and events (audit data) for the application server and the delivery process.

Collects traffic history.

SFE

Maintains communication with the repository.

Accepts connections from CFE engines.

CFE

Connects to an SFE engine.

The CFE and SFE have the following common features:

Emulation of application services in the remote office LAN

Delivery of application services over a secured channel, according to the delivery policy

Encoding and compression of messages for transmission; decompression and decoding of messages received

Emulation of remote office users in the data center network

Maintaining local TCP connections with the application server

Improving traffic from the application server by off-loading encryption, data compression, and handling slow WAN communication (TCP termination)

Support for TLS/SSL encryption in the remote office network segment

Maintaining an integrated web cache

Maintaining an integrated web proxy

1.7 Overview of the Application Delivery Implementation Process

The workflow that implements a fully operational AccAD solution in your system landscape entails the following:

Preparing for installation

Prepare the hardware and software requirements.

Decide on the best security and application delivery methods for your site.

Collect the data necessary for installation, based on your decisions.

Plan your landscape.

Plan the device ID allocation for your landscape.

See Preparing for Installation.

Installing the AccAD engine in the data center and the remote offices

Install and configure the SFE at the data center.

Install and configure the CFE at each remote office, using appliance definitions.

Configure the communication between the SFE and the CFE to create the communication tunnel, upon which AccAD features are applied.

2. Preparing for Installation

This section guides you through the preparations required before implementing AccAD in your system landscape. It covers hardware and software requirements, preparing the environment, decisions to make regarding redirection mode and security methods, and data that you need to collect before running the installation.

2.1 Hardware and Software Requirements

This section provides information on hardware and software requirements for both test installations and productive installations of AccAD.

2.1.1 Hardware Requirements

Each application delivery engine host (SFE or CFE) requires a dedicated host if installed on a Linux machine. The repository engine can be installed either on a dedicated host, or on the same host as the SFE.

Recommendation

We recommend that the server be used only by AccAD, with no other applications installed on it.

If you choose to install the CFE on a Windows host, used mostly for single stations and small offices up to 100 users, refer to the Windows Client Guide on SAP Service Marketplace. Use the alias installnwaccad.

Example

A data center in London delivering applications to remote offices in New York, Tokyo, and Bangalore requires at least four dedicated AD hosts: 1 repository in London, 1 SFE in London (possibly on the same host as the repository), and 3 CFEs, one for each of the remote offices (New York, Tokyo, and Bangalore).

The dedicated hosts must have the specifications detailed below.

Requirements for the SFE, CFE, and Repository

The following table contains the minimal configuration requirements for the CFE, SFE, and repository. If the repository and SFE reside on the same host, make sure to meet the repository requirements.

| Minimal configuration for: | CFE (supports up to 30 concurrent users with P III; 300 or more concurrent users with greater CPU) | SFE (supports up to 25 CFEs) | Repository (supports up to 10 SFEs) |
|---|---|---|---|
| Architecture | x86 (i386) or x86-64 (AMD64) | x86 (i386) or x86-64 (AMD64) | x86 (i386) or x86-64 (AMD64) |
| CPU | P III 866 MHz or higher | Dual Xeon 1.8 GHz | Dual Xeon 1.8 GHz |
| Memory (minimum) | 1 GB RAM | 1 GB RAM | 1 GB RAM |
| Hard disk | 30 GB | 30 GB | 60 GB |
| CD-ROM | required | required | required |
| Floppy drive (for 1.4 MB diskette) | Optional: not required if the automated OS installation uses HTTP | Optional: not required if the automated OS installation uses HTTP | Optional: not required if the automated OS installation uses HTTP |

The basic memory consumption model for the AccAD service depends on the number of service deliveries in the landscape. The calculation for the SFE is done as follows:

1. For each CFE, count the number of delivered services and calculate the sum for all the CFEs.

2. Then, use the formula 500MB + 40 MB*(deliveries-count).

For example, if 4 services are delivered to 5 offices the required memory is 500+40*4*5 = 1.3 GB.

For the CFE, the formula is 500MB + 40MB * (# services delivered to the CFE).

We recommend that the swap file size be the same as the memory size. If necessary, you can edit the provided kick-start file.

Note

Supported Linux installers can boot from floppy disk or CD-ROM. The files required during installation can then be fetched from any of the following media types: CD-ROM, HTTP, NFS, FTP, and hard drive.

Verify that the hardware obtained is compatible with the chosen Linux distribution. This can be done either through your OS vendor or directly with the Linux distribution manufacturer.

2.1.2 Software Requirements

The AccAD engine (repository, SFE or CFE) can run on any of the following:

RHEL (Linux Red Hat Enterprise) 4 i386 with any update above U4

RHEL (Linux Red Hat Enterprise) 5 i386 with any update above U3

RHEL (Linux Red Hat Enterprise) 4 x86-64 with any update above U4

RHEL (Linux Red Hat Enterprise) 5 x86-64 with any update above U3

SLES (SuSE Linux Enterprise Server) 10 i386 with any SP

SLES (SuSE Linux Enterprise Server) 10 x86-64 with any SP

Windows Client CFE can run on any of the following:

Windows XP (32bit)

Windows 2003 (32bit)

You can find the related AccAD information on the SAP Community Network at www.sdn.sap.com/irj/sdn/nw-accad.

To achieve the best performance, a customized installation of Linux with an AccAD engine Linux configuration specification is provided in the OS-specific installation format:

RHEL distributions use the kick-start format ks.cfg

SLES distributions use the autoyast format autoinst.xml

The installation file is available in the root node of the Accelerated Application Delivery CD. The format is readable for both IT experts and the Linux installer and can be used to automate the installation process. An IT expert can review the configuration specification and add, for example, the manual installation of drivers not included in the OS CDs.

2.2 Planning your Landscape

Each installation of the AccAD engine (except for the repository) can include multiple instances of the engine, either SFE or CFE. For each instance a service is created.

One SFE can communicate with multiple CFEs, so that it is possible to apply AccAD to a landscape with multiple remote offices connected to a single SFE instance. This simplifies the landscape and saves hardware resources. Up to 25 CFEs can be connected to one SFE instance, depending on the traffic density. (Stress has been tested with up to 120 CFEs.)

Before defining multiple SFE instances, consider the following:

If you want some of the AccAD tunnels between CFE and SFE to be secured with TLS/SSL and some without TLS/SSL encryption, you have to define an SFE instance for TLS/SSL communication and a separate SFE instance for non-TLS/SSL communication. Both instances can reside on the same machine.

If you want different maintenance procedures for different CFEs (as when remote offices are in different time zones), it may be convenient to use one SFE instance per procedure.

Plan the landscape:

1. List your data centers and remote office locations.

2. List the services to be delivered.

3. Consider security and encryption requirements. Advanced settings are described in the chapter Securing the AccAD Landscape.

2.3 Network Environment Requirements

This section describes the network components necessary before installing the AccAD landscape.

2.3.1 IP Addresses

The SFE and CFE are configured with static network IP addresses. Each instance of the AccAD engine requires a range of IP addresses for virtual hosts.

The SFE instance, which uses this range for virtual clients, can use a single IP address to represent all virtual clients; therefore, one IP address is sufficient for a basic configuration. If you are using an L4 load balancer, we recommend that you obtain several IP addresses (as many as there are hosts in the cluster) to ensure that the load balancer can distribute requests properly.

The CFE instance uses its range of IP addresses to distinguish between virtual servers. A range of addresses must be defined (one for each data center server, whose services you want to deliver using AccAD). It is recommended that you define several addresses.

Important

Before installing AccAD, make sure you have the IP addresses and subnet bits you need.

2.3.2 Allocating a Device ID

For each repository, SFE, and CFE instance, you need to allocate a device ID. This ID is used as the unique identifier of this entity.

Before installing AccAD on a productive landscape, apply to SAP for a range of valid device IDs for your organization. You can do so by opening an internal message under the component EP-AAD-IDR.

During installation, you are requested to enter device IDs. You can enter any number from the range you received from SAP.

Device ID range 1000-2000 is reserved for trial landscapes. Use any number in this range for demo and testing installations.

Example

In a demo landscape with one SFE and one CFE, you can assign device ID = 1000 to the SFE and device ID = 1001 to the CFE.

Note

Make sure to change the value “0” assigned by the installer upon the creation of a new instance. Assign a unique ID value to each SFE and CFE instance from the range discussed in this section.

Recommendation

When deploying AccAD in a production environment, we recommend using the device IDs assigned to you by SAP from the beginning, as changing device IDs requires additional configuration efforts.

It is important that you keep a record of your system landscape and the device ID of each SFE and CFE in the landscape.

2.3.3 Minimal Test Configuration

To try AccAD in a minimal system landscape, you need at least:

PC/workstation for the user browser and administrator desktop

Server for the CFE instance

Server for the SFE instance

An application server with the services intended for delivery

2.4 Collecting Required Installation Information

You need the information contained in the following table when installing the SFE and the CFE. We recommend that you fill in the table before beginning the installation.

| Parameter | Value for SFE | Value for CFE | Remarks |
|---|---|---|---|
| General Parameters | | | |
| Instance device ID | Any unique numeric value. Range 1000-2000 for test systems. Range provided by SAP for production systems. | Any unique numeric value. Range 1000-2000 for test systems. Range provided by SAP for production systems. | See Allocating a Device ID. Tip: You need the device ID of the engines when defining the delivery policy. |
| Main IP address | ___.___.___.___ | ___.___.___.___ | The static IP address of the CFE/SFE host. See Planning your Landscape. |
| Main IP subnet mask | ___.___.___.___ | ___.___.___.___ | The associated subnet mask for the main IP address. |
| Default gateway | ___.___.___.___ | ___.___.___.___ | The IP address of the default router of the site (remote office or data center). To find the default gateway: Windows: in the command line, type route print. UNIX: type ip route |
| Range of IP addresses to be used by the SFE/CFE | From IP ___.___.___.___ To IP ___.___.___.___ subnet bits ___ | From IP ___.___.___.___ To IP ___.___.___.___ subnet bits ___ | For the range of IP addresses see Network Environment Requirements. |
| Redirection Parameters – relevant if you are using the DNS proxy redirection methods | | | |
| DNS server | Not required | IP ___.___.___.___ | See DNS Manipulation Using AccAD DNS Proxy |
| TLS/SSL Enabling – relevant if you are using TLS/SSL encryption in the AccAD tunnel | | | |
| TLS/SSL Encryption | Y/N | Same as in corresponding SFE instance | For production installation over public networks, obtain a commercial certificate. For testing, use the demo certificates. |
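A pre-installation check over the planning data collected above, as an added example (not SAP tooling): it applies the device ID rules from Allocating a Device ID, the TLS/SSL rule and the 25-CFE figure from Planning your Landscape, and the memory formulas from Hardware Requirements. The `Instance` record, the instance names and the sample landscape are constructed for this example.

```python
from dataclasses import dataclass

TRIAL_IDS = range(1000, 2001)  # 1000-2000 is reserved for trial landscapes
MAX_CFES_PER_SFE = 25          # "Up to 25 CFEs can be connected to one SFE instance"


@dataclass
class Instance:
    name: str
    kind: str           # "repository", "sfe" or "cfe"
    device_id: int
    tls: bool = False   # TLS/SSL encryption in the AccAD tunnel
    sfe: str = ""       # CFE only: name of the SFE instance it connects to
    services: int = 0   # CFE only: number of services delivered to it


def cfe_memory_mb(cfe):
    """500 MB + 40 MB * (services delivered to the CFE)."""
    return 500 + 40 * cfe.services


def sfe_memory_mb(instances, sfe_name):
    """500 MB + 40 MB * (sum of delivered services over all CFEs of this SFE)."""
    deliveries = sum(
        i.services for i in instances if i.kind == "cfe" and i.sfe == sfe_name
    )
    return 500 + 40 * deliveries


def check_landscape(instances, allowed_ids=TRIAL_IDS):
    """Return findings; pass the range received from SAP for production landscapes."""
    findings = []
    owner = {}
    sfes = {i.name: i for i in instances if i.kind == "sfe"}
    for inst in instances:
        if inst.device_id == 0:
            findings.append(f"{inst.name}: device ID is still the installer default 0")
        elif inst.device_id not in allowed_ids:
            findings.append(f"{inst.name}: device ID {inst.device_id} is outside the allocated range")
        elif inst.device_id in owner:
            findings.append(
                f"{inst.name}: duplicate device ID {inst.device_id} (also {owner[inst.device_id]})"
            )
        owner.setdefault(inst.device_id, inst.name)
    for name, sfe in sfes.items():
        cfes = [i for i in instances if i.kind == "cfe" and i.sfe == name]
        if len(cfes) > MAX_CFES_PER_SFE:
            findings.append(f"{name}: {len(cfes)} CFEs connected, more than {MAX_CFES_PER_SFE}")
        for cfe in cfes:
            # Mixed secured and unsecured tunnels need separate SFE instances.
            if cfe.tls != sfe.tls:
                findings.append(
                    f"{cfe.name}: TLS/SSL setting differs from {name}; use a separate SFE instance"
                )
    for inst in instances:
        if inst.kind == "cfe" and inst.sfe not in sfes:
            findings.append(f"{inst.name}: no SFE instance named {inst.sfe!r}")
    return findings


def constructed_landscape():
    """Constructed plan with three deliberate mistakes (duplicate ID, TLS mismatch, ID 0)."""
    return [
        Instance("repo-london", "repository", 1000),
        Instance("sfe-london", "sfe", 1001, tls=True),
        Instance("cfe-newyork", "cfe", 1002, tls=True, sfe="sfe-london", services=4),
        Instance("cfe-tokyo", "cfe", 1002, tls=False, sfe="sfe-london", services=4),
        Instance("cfe-bangalore", "cfe", 0, tls=True, sfe="sfe-london", services=4),
    ]


if __name__ == "__main__":
    plan = constructed_landscape()
    for finding in check_landscape(plan):
        print(finding)
    print("SFE memory (MB):", sfe_memory_mb(plan, "sfe-london"))
```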

3. Installing and Configuring the AccAD Engines

Installing and configuring the AccAD engine requires the installation of a Linux operating system. There are three installation modes:

Semi-automated installation

a. Either the manual or the installation server method is used to install the OS.

b. You can configure the software appliance host, the AccAD engine, and the delivered services, from a central administration location, using an appliance definition file (.adf), in XML format. You can copy this file to the host, in a secure manner, for use by the AccAD installer for configuration details. (These tasks are administration responsibilities.)

Automated installation

a. An automatically generated kick-start/autoyast file defines the OS installation process. The only manual step is inserting the first Linux CD and typing the URL that refers the installation to the file.

b. AccAD is installed and configured in the same sequence as the OS installation. The only manual step required is entering a password.

Manual installation

A dedicated, secured Linux operating system is installed using a kick-start file for Red Hat or an autoyast file for SUSE. (The product CDs provide these files.)

The AccAD installer runs in manual mode and the installer is aware of the software appliance configuration, for which two methods are available:

Configuring the engine using the AccAD Administrator UI, as described in Installing and Configuring the SFE and Installing and Configuring the CFE.

Configuring the engine after installation, using the AccAD command line interface (CLI), as described in the section Command Line Interface.

We recommend the semi-automatic method, which supports secure communication and enables central administration of the landscape. Select the installation method that best suits your landscape, taking into account the information described in the following section about the installation sequence.

3.1 Typical Installation Sequence

The initial setup of the first AccAD landscape includes installation and configuration steps for the SFE and CFE, as well as the installation of the repository.

The installation sequence for the landscape is as follows:

1. Install the repository, as described in section Installing the AccAD Engine.

2. For the automated landscape installation (recommended), install the ADM package. (For more information, see The ADM Package for Automated Installations).

3. Define SFE and CFE appliances as described in Adding and Removing AccAD Instances.

4. Add SFE and CFE instances to the landscape using the semi-automatic installation method. Proceed as follows:

a. OS installation (Installing the Operating System)

b. AccAD engine installation (Installing the AccAD Engine)

c. Semi-automatic installation (Semi-Automatic Installation)

5. Update the link certificate on the repository machine, as described in Updating Link Certificates.

6. Configure the delivery policy.

3.2 Selecting the Installation Mode of the AccAD Landscape

To enable AccAD in your organization, you install the SFE and the repository at the data center and a CFE at each remote office. The AccAD engine resides on a customized Linux host, which is adapted to AccAD requirements. The CFE can also reside on a Windows machine. For more details, refer to the Windows client guide (located on SAP Service Marketplace using the alias /installnwaccad). Choosing an installation mode depends on the type of engine you’re installing (CFE/SFE), your security requirements, and the type of landscape you wish to deploy.

3.2.1 Selecting the Linux Installation Mode

The Linux installation can be performed manually or by using an established installation server. The latter is the recommended option if you have sufficient bandwidth and if the security configuration of your organization enables such an installation. In addition to using the installation server, have an ADM package installed. For more details, refer to section The ADM Package for Automated Installations. This option cannot be deployed for the repository.

To install Linux manually, refer to the section Automated Kick-Start/autoyast Installation (SFE and CFE).

To install Linux from the installation server, refer to section Default Kick-Start/autoyast on ADM installation server.

3.2.2 Selecting the AccAD Engine Installation Mode

The recommended method of installation is the automated one, using one of the following methods:

Semi-automatic installation, if the operating system is already installed on the appliance.

Automatic installation, if no OS is installed yet (assuming sufficient bandwidth and no IT constraints).

Important

If you are installing a secure landscape, make sure to install all appliances using the semi-automatic/automatic installation modes. If any of the appliances are installed manually, secure connections are rejected.

3.3 Installing the Operating System

This section describes the kick-start/autoyast installation of the Linux operating system.

If you are installing the engine using the automatic method, the OS installation is included; there is no need to install it separately.

Note

Automatic installation cannot be performed for the repository.

The installation of the operating system does not necessarily result in the correct setting of the time zone. Make sure to change the time zone on the machine. For more information, see Changing Time Zone on a Linux Machine.

3.3.1 Automated Kick-Start/Autoyast Installation

You can install AccAD 2.2 on both Red Hat Enterprise Linux (RHEL) and Suse Linux Enterprise Server. (See the Product Availability Matrix for specific version requirements.) The installation sequence is similar, though some commands and file names differ between the two operating systems; this guide provides the commands and explanations for both. The commands provided apply to both OSs unless specified otherwise.

The installers can boot from either a floppy disk or CD-ROM. To automate the installation, a kick-start/autoyast file can be placed on any of the following media types: floppy disk, HTTP, NFS, or FTP servers.

The files required during installation, such as configuration files and RPM files (Red Hat package management files, which are relevant also for Suse) can be retrieved from any of the following media types: CD-ROM, HTTP, NFS, FTP, or hard drive.

In this section we provide information on how to use the boot installation from the CD-ROM, using either floppy disk or HTTP server, to host the kick-start/autoyast file. For installation information using other means, consult Red Hat or Suse support.

CAUTION

If you are using a floppy drive, it must be connected directly and not via USB; otherwise it may not be accessed by the OS installer.

Installing the OS

1. Prepare the relevant Linux installation CDs (RHEL or SLES).

2. Obtain the application delivery CD.

3. In preparation for the kick-start/autoyast installation, do one of the following:

Copy one of the following automated OS definition files from the Accelerated Application Delivery CD.

DATA_UNITS/AccAD_ENGINE_2_2/rhel-<version>-<arch>/ks.cfg

DATA_UNITS/AccAD_ENGINE_2_2/sles-10-<arch>/autoinst.xml

Put the copied file onto:

A clean MS-DOS formatted diskette

Or

An HTTP server that is accessible from the dedicated host, on which you are performing the installation

If you are copying the file onto a diskette, copy it from the relevant path, DATA_UNITS/…, of the CD ROM to the root of the floppy disk.

4. In the BIOS boot sequence of the machine, verify that the CD ROM drive precedes the hard disk. This is typically the default setting.

5. Insert the first Linux CD into the CD ROM drive.

6. Restart the host.

7. To proceed with the kick-start/autoyast installation, perform one of the following procedures:

CAUTION

Type the following commands immediately after restart; otherwise, the default installation sequence continues automatically. If this happens, reboot the host since the kick-start/autoyast installation is required for installing the packages necessary for the AccAD installation.

Installing from diskette:

a. Insert the diskette containing the copied file into the floppy drive.

b. After the boot, type at prompt:

For Red Hat: linux ks=floppy

For Suse, go to Installation (the second option in the screen that appears) and type: autoyast=<autoinst.xml path> install=<installation source>

Example

autoyast=floppy install=cd

Installing from an HTTP server:

a. For Red Hat, type: linux ks=http://<http-server>/<location>/ks.cfg

b. For Suse, in the menu scroll down to Installation, and type in one line: autoyast=http://<http-server>/<location>/autoinst.xml install=<OS installation source files>

Example

autoyast=http://www.example.com/autoinst.xml install=cd

8. Configure network parameters, depending on the operating system, according to one of the following procedures:

Red Hat (rhel4 / rhel5)

a. Wait while the installer obtains an IP address dynamically (from the DHCP protocol).

b. If more than one adapter is present, select the adapter by which the DHCP request is to be sent.

Note

If the installer cannot obtain an IP address, the network adapter prompts you with a configuration form, in which you must enter the IP address, netmask, gateway, and nameserver.

Suse (sles10)

When asked if you want to use the option for Automatic configuration via DHCP, choose yes.

Note

If you proceed without using DHCP, you are requested to supply the configuration parameters manually.

9. Insert the additional Linux CDs, when prompted, as the installation progresses.

10. Remove the final CD and the floppy disk, and restart the computer.

CAUTION

The server may reboot/restart before you have a chance to remove the CD. If you do not remove the CD, the installation process starts again. If this happens, abort the restarted installation process by rebooting the machine and removing the CD when the startup sequence begins.

11. Log on with the username root and password admin.

3.3.2 Default Kick-Start/Autoyast on ADM Installation Server

You can use the default kick-start/autoyast installation from the installation server during the OS installation phase of the semi-automatic or manual installation. This requires the installation of the AccAD DVD on the ADM installation server.

Installing the OS Using the Installation Server

Prerequisites

1. If an ADM server is not already installed, install one following the instructions in the section The ADM Package for Automated Installations.

2. Once the ISO is installed, two files are added to the ADM server:

ks.cfg or autoinst.xml - the default kick-start/autoyast, which requires placing each CD in the CD-DRIVE during the OS installation

ks-net.cfg - the kick-start/autoyast file that downloads the OS components directly from the ADM installation server via HTTP

These files are exposed on HTTP (port 80).

Since the installation server supports maintaining AccAD ISO files from several releases or architectures, you can choose how to use the kick-start/autoyast file in one of the ways described in the next step.

3. Boot the new AccAD engine with the first RHEL 4 disk.

For the network-based OS installation, run:

For RHEL releases:

linux ks=http://<adm_server>/appliances/appliance_name/ks.cfg

For SuSE releases:

autoyast=http://<adm_server>/appliances/appliance_name/autoinst.xml install=http://<adm_server>/resources/os/<os_version>/extracted/

For the manual OS installation, run:

For RHEL 4:

linux ks=http://<adm_server>/appliances/appliance_name/ks-net.cfg

For Suse 10:

autoyast=http://<adm_server>/appliances/appliance_name/autoinst.xml install=cd

Important

Make sure to type the commands on one line.

3.4 Installing the AccAD Engine

This section describes installation of the engine, including a summary of the process and pre-installation procedures.

3.4.1 Process Summary

This section presents the procedures required for both SFE and CFE installation and configuration. It is relevant only for the semi-automatic and manual installation modes.

The workflow is:

1. Tailored operating system installation - See OS Installation

2. Network setup - See Network Configuration

3. Mounting the application delivery CDs - See Mounting the Application Delivery CD

4. Installing the engine using the application delivery CDs - See Installing the Engine

3.4.2 Network Configuration

You can perform the editing tasks outlined in this section using any UNIX editor.

Configuring the repository - SFE or CFE

1. Check which network devices exist on the AccAD engine host. The following command displays the full list of devices, including those that are not currently configured.

ifconfig -a

To configure the Ethernet device, do the following:

a. Open the Ethernet configuration file using a text editor:

For Red Hat: /etc/sysconfig/network-scripts/ifcfg-eth0

For Suse (before AccAD is installed): /etc/sysconfig/network/ifcfg-eth-id-<MAC Address>

For Suse (after AccAD is installed):

/etc/sysconfig/network/ifcfg-<eth-n> (where eth-n is the device selected during installation)

b. Edit the configuration file according to the following example:

TYPE=Ethernet
IPADDR=192.168.1.100
NETMASK=255.255.0.0
GATEWAY=192.168.1.1
ONBOOT=yes

For the Suse installation an additional configuration file is required. Open the file /etc/sysconfig/network/routes to edit and configure the gateway:

default <gateway IP address> - -

Important

Make sure to add an empty line after the gateway parameter when editing the configuration file in Suse.

c. Save your changes and exit the editor.

Note

All instructions in this section assume the default value, eth0. If your device has a different name, substitute eth0 with your device name.

2. Apply the new AccAD engine host network configuration by restarting the network. In the console, type:

service network restart

3. Verify that the actual IP address and route settings are correct by executing the following commands:

a. In the console, type:

ip addr

The IP address of the Ethernet device appears.

b. In the console, type:

ip route

The static route to the default gateway appears.

4. Ping to verify that the AccAD engine host has network connectivity to the gateway:

ping -c 10 <IP of GATEWAY>

If there is no reply, check that the configuration settings are correct. It may also be necessary to configure the files /etc/sysconfig/network, /etc/hosts, and /etc/resolv.conf.

5. Mount the AccAD CD.

3.4.3 Mounting the Application Delivery CD

The following sections list the commands related to using /media/cdrom, which is the default mount point for Red Hat Enterprise Linux.

If you are working with Suse, you must first perform the following steps to enable the use of /media/cdrom/:

1. After the OS installation, at the command prompt on the installation machine, type the following:

dmesg | grep -i rom

2. In the output returned by the previous command, in the left side of the line, before the colon (:), find the drive to which you want to mount the CD.

For example, in the following output, you would choose the hda to mount the CD-ROM:

hda: VMware Virtual IDE CDROM Drive, ATAPI CD/DVD-ROM drive

hda: ATAPI 1X CD-ROM drive, 32kB Cache, UDMA(33)

Uniform CD-ROM driver Revision: 3.20

3. Execute the following command (in one line), where <driver> is the one you found in step 2:

echo "/dev/<driver> /media/cdrom auto ro,noauto,user,exec 0 0" >> /etc/fstab

Mounting the CD

1. Make the AccAD CD available to the host, either by inserting the CD-ROM, or by making it accessible for copying over the network.

2. Mount the physical CD:

If the CD-ROM is inserted, type: mount /media/cdrom

If you have an ISO image, mount as follows: mount -t iso9660 -o loop <iso_name> /media/cdrom

If the CD-ROM is not in the drive, obtain the AD CD image or create an ISO file from the available TGZ file as follows:

Copy the TGZ to the local machine, on which the installation is to be performed.

Create a new directory, in which to open the TGZ (for example, mkdir AccAD).

Enter the directory you created, and open the TGZ with the command:

tar -xzvf <full_path_to_TGZ_file>

When installing the engine in the next section, in the installation command, supply the directory in which you opened the TGZ instead of /media/cdrom/.

3. Verify the CD mount: ls -ltr /media/cdrom/

The contents of the CD are displayed on screen.

3.4.4 Installing the AccAD Engine

This section explains the installation of the AccAD engine (for the SFE, CFE and repository). Make sure the AccAD DVD is already mounted as described in Mounting the Application Delivery CD.

Installing the Engine

1. Go to the /root directory by typing:

cd ~

2. Run the AccAD engine installation: /media/cdrom/DATA_UNITS/AccAD_ENGINE_2_2/<OS>/install.pl install <engine_type>

Where <OS> is the operating system on which you are running, and <engine_type> is repository, sfe, or cfe.

Enter the OS according to the following formats:

rhel-4-i386

rhel-4-x86_64

rhel-5-i386

rhel-5-x86_64

sles-10-i386

sles-10-x86_64

sles-11-x86_64 (for AccAD version 2.3 only)

Important When installing a secondary repository (for high availability), perform the installation using the following command: /media/cdrom/DATA_UNITS/AccAD_ENGINE_2_2/<OS>/install.pl -dummy-webui-certificate install <engine_type>

Make sure to type the command on one line.

Important: You are asked to provide passwords for the root, admin, and observer users. Make note of these passwords. You are required to provide them later.

3. When the installation is complete, log out as root and log on again as admin.

Important: Perform any additional operations using the secured admin account. You can use the observer account to access the AccAD Administrator web UI (in read-only mode only); the observer user cannot log on to the machine.

3.5 Configuring the AccAD Engine

This section explains the configuration process for the AccAD engine and should only be performed after installation as explained in Installing the Engine.

The AccAD repository does not require configuration. This section relates only to SFE/CFE configuration.

Once configured, settings can be saved for back-up and restore purposes. See Importing and Exporting Configuration Settings.

3.5.1 Manual Configuration of the AccAD Engine

Manual configuration is performed using the CLI or the AccAD Administrator UI.

If you are setting up a secure link between the CFE and SFE, update the link certificate as described in Updating Link Certificates.

As a first step, connect to the machine using SSH with the secured admin user. You automatically connect to the command line interface. For configuring the engine using the CLI, see Command Line Interface. Otherwise, type shell to return to the Linux shell, and go to the URL https://<machine’s_IP>:7443/ to configure the engine using the AccAD Administrator, which is exposed at port 7443.

After configuring an appliance manually, in the AccAD Administrator, add the configuration to the landscape by choosing Commit to Data Center, located in the Appliance root node. This sends the appliance configuration to the appliance repository.

Additional configuration consists of entering the appropriate parameter values in a few configuration nodes. Which nodes to configure depends on the type of engine you are setting up. Each configuration node is detailed in the following sections.

3.5.1.1 Configuring the Host Node

1. In the AccAD Administrator, go to the Local Configuration tab.

2. In the form on the right, change the ID and password for the current appliance.

3. Choose the Host entry and enter the parameter values for configuration.

The following tables contain the parameter descriptions according to type.

Appliance Host Parameters:

| Name | Value | Additional Comments |
|---|---|---|
| Type | Type of managed host | This value is based on the architecture of the machine, the OS distribution, and the engine type (CFE, or SFE). For repository enter type SFE. |
| Operating System | List of supported operating systems | Contains name of operating system, release number, and machine version |

4. Choose Interfaces and then Create to add a new interface.

Interface Parameters:

| Name | Value | Additional Comments |
|---|---|---|
| Description | Description | |
| Device | Alias of network device | The internal adapter name (for example, eth0, eth1, etc., depending on the network adapter being used) on which the virtual IP addresses are to be created |
| Gateway | IP address of network gateway | The IP address of the gateway computer used in your network |
| IP address | Main IP address of device | An IP address on the host to be accessed by the monitoring utility and the AccAD engine instance at other locations. Enter the IP address of your machine. |
| Netmask | Netmask for gateway and main IP | The bitmask used to separate the bits of the network identifier from the bits of the host identifier, written in the same notation used to denote IP addresses |
| Type | Type of network device | e.g. Ethernet |

Firewall Rule Parameters (optional)

By default, the AccAD engine configures the firewall on the installed machine to reject all unrecognized traffic. The firewall is set to accept traffic on the AccAD tunnel, on the port that listens for client requests, and on all ports used for delivered services.

If other services are enabled or disabled on the appliance, you need to configure the firewall accordingly and add the required rules.

a. Type the name of the new rule and choose Create.

b. Create the rule, including the following parameter values:

Action: Accept/Reject

Source IP: IP of incoming traffic; default is all IPs (0.0.0.0)

Source Port: port of incoming traffic

Source Mask: source mask

Destination IP: IP of outgoing traffic; default is all IPs (0.0.0.0)

Destination Port: port of outgoing traffic

Destination Mask: destination mask

Protocol: tcp/udp

Route List Parameters (optional):

| Name | Value | Additional Comments |
|---|---|---|
| Name | Description | |
| Bitmask | Netmask for gateway and network | |
| Device | Alias of network device | The internal adapter name (for example, eth0, eth1, etc., depending on the network adapter being used) on which the virtual IP addresses should be created |
| Gateway | IP address of gateway for this route | |
| Network | Network to be routed | |
| Description | Purpose of this route | |

Resolve Parameters:

| Name | Value | Additional Comments |
|---|---|---|
| Hostname | DNS name of managed host | The unique name of the machine within the network |
| Domain | Domain name of host | The domain name of the network |
| Nameserver List | Address of primary DNS server | Specify the IP address of the real DNS server that will service the SFE's DNS. You can enter a few DNSs using a space as a separator. |
| Search List | Domain that must be added by default to name without it | The string that is concatenated to the hostname when activating DNS lookup queries, if the query did not include the domain name |

Organization SMTP Server (optional):

The parameters of this node are intended for the configuration of email notifications.

| Name | Value | Additional Comments |
|---|---|---|
| Enable SMTP Configuration | Checkbox selection | Tells the AccAD installer whether or not to perform SMTP configuration. You can perform this configuration manually, without the AccAD mailing system. |
| Host Name | SMTP server hostname | The organization SMTP (Simple Mail Transfer Protocol) server |
| From Email Address | Email address | Email address that AccAD will use to send emails |
| SMTP server username | Username | If your organization SMTP server requires authentication, use it, otherwise keep it empty |
| SMTP server password | Password | If your organization SMTP server requires authentication, use it, otherwise keep it empty |
| Enable TLS/SSL | Checkbox | The SMTP client uses Transport Layer Security (TLS) if the SMTP server supports it. |

Note: If your SMTP server incorrectly indicates that it supports TLS, clear the TLS/SSL check box.

Organization Proxies (optional):

Addresses of proxies that must be used at the host for HTTP, HTTPS, or FTP traffic

| Name | Value | Additional Comments |
|---|---|---|
| HTTP Proxy | HTTP proxy IP address | The DNS name and port of the HTTP proxy server, in the format <name>:<port> |
| FTP Proxy | FTP proxy IP address | The DNS name and port of the FTP proxy server, in the format <name>:<port> |
| HTTPS Proxy | HTTPS proxy IP address | The DNS name and port of the HTTPS proxy server, in the format <name>:<port> |
| Proxy Keepalive Interval | | An interval (in seconds) at which a keepalive message is sent to the proxy to keep a connection open. The default is 180. |

5. When the network parameters are configured, you can define the Time Synchronization Server, together with appliance time zone, if necessary.

| Name | Value | Additional Comments |
|---|---|---|
| Time Server | Hostname of the NTP server | Fully qualified domain name of the network time protocol server |
| Time Zone | Time zone for appliance location | |

3.5.1.2 Configuring the Audit Node

If you are interested in observing various events of this appliance, configure the Audit node:

1. Configure the new audit target. Leave the default values, except for the following:

By default, reporting is done for info logs, malfunction logs, and security logs.

Clear the checkboxes of the log types that don’t interest you.

Subject Prefix – a subject-related configuration specific to the mail method of notification

Recipients – an address-related configuration specific to the mail method of notification

| Parameter | Value |
|---|---|
| Method | MAIL, SYSLOG, MAXDB… |
| Enabled? | Y/N. Mails can be sent regarding events and alerts in the system. To enable this option, change the value to Y. |
| Subject Prefix | A string which is prefixed to the subject of mail audit events; for example, AccAD audit event |
| Recipients | The email addresses to which notifications are to be sent |

Note: Make sure you already configured the parameters SMTP server and Message header FQDN in the Host form.

3.5.1.3 Configuring the Engine Node

This configuration sequence should be performed per engine instance, so if you are installing an engine with more than one instance, repeat these steps for each of the instances.

1. Choose the Engine node.

2. If you are configuring an SFE, configure the Admin node with the following parameters:

| Name | Value | Additional comments |
|---|---|---|
| Repository IP | The IP of the primary repository | If the repository is installed on the same host as the SFE, use 127.0.0.1 |
| Repository Port | Communication port | Keep the default 4777 |
| Secondary Repository IP | The IP of the secondary repository | If a secondary repository is installed in the landscape, supply its IP |
| Secondary Repository Port | Communication port | Keep the default 4777 |

3. Add at least one instance to the instance list. The next steps are repeated for each added instance.

4. Add a new instance and supply an instance ID (see Allocating a Device ID). Configure the instance with the following parameters:

| Name | Value | Additional comments |
|---|---|---|
| ID | Appliance ID used in delivery policy | Enter an instance ID value - the device ID you decided to assign to the instance. Important: Remember this value for later delivery policy configuration. |
| Mode | CFE/SFE | Decide if this instance is to serve as an SFE or CFE. You can configure multiple instances on the same host in different modes; this enables an AccAD host to be both an SFE and CFE. |
| Description | Descriptive text field | |

| Name | Value | Additional comments |
|---|---|---|
| Start IP | Lower boundary of virtual IP range | Enter the first IP address in the range of IP addresses to be used, including the number of netmask bits. For example, the default value 24 represents 255.255.255.0 (255.255.255.0 = 24, 255.255.254.0 = 23, etc.). For more information about IP ranges, refer to section IP Addresses. |
| End IP | Upper boundary of virtual IP range | Enter the last IP address in the range of IP addresses to be used by AccAD. |
| Link IP | IP of tunnel between SFE & CFEs | Enter the IP address of the primary SFE in your landscape |
| Link Port | Port of tunnel between SFE & CFEs | Default: 4700 |
| Secondary Link IP | IP of tunnel between secondary SFE & CFEs | Enter the IP address of the secondary SFE; if none, keep empty. |
| Secondary Link Port | Port of tunnel between secondary SFE & CFEs | If you are using a secondary SFE, enter 4700, otherwise keep empty |
| Stream Limit | Amount of connections in tunnel | Keep the default value: 16 |
| Netmask | Netmask of virtual IPs | |
| Network device | Network device for virtual IPs | The internal adapter name (for example eth0, eth1, etc., depending on the network adapter being used) on which the virtual IP addresses should be created. |
| Enable SSL | Specify if tunnel encryption is necessary. | TLS/SSL termination enables the use of secure communication between the workstation and the CFE. Make sure to choose the same option when installing the SFE and CFE. |
| Verify device ID | Specify to prevent AccAD appliances from connecting without verification. | Enter 'yes' if you want to verify the device ID with the value supplied in the certificate. This option is only available when you enable SSL. |

| Name | Value | Additional comments |
|---|---|---|
| Title Injection | AccAD automatically injects text to the HTTP title of delivered services. | The default is Delivered by AccAD. If you wish to change this text specify the desired text under. |
| Compression Context | Choose the combination of parameters that define the desired compression context: Per Service Instance, Service Type, Office; Per Service Type, Office; Per Office | The compression context determines the number of dictionaries that contribute to the compression ratio. The more general the context, the less memory consumed and the lower the compression ratio. Note: If you are using the Per Office option, find the default compression context parameters in the AccAD Administrator UI under the instance node, in both the Named Response and the Request Context nodes. For more information, see Advanced Configuration - Service Types. |
| Proxy Listening IP | Specify the IP on which the instance listens to requests if the traffic redirection method is by proxy. | For example – 0.0.0.0 |
| Proxy Listening Port | The Proxy listening port | Default 18080 |
| Proxy Forwarding Method | Choose the proxy forwarding method: Use a parent proxy; Directly; No forwarding | |
| Web Proxy Auto Discovery Listening Port | The proxy autodiscovery listening port | Default 8083. Make sure to choose a unique port, which is not used for any delivered service. |
| Alternative Route in Case of Proxy Failure | Specify the route to be used in case of proxy failure. | Default – DIRECT. If a proxy is used, enter the following in this field: PROXY – followed by the IP address or FQDN of the proxy |

| Name | Value | Additional comments |
|---|---|---|
| Default Route | Specify the route for requests that do not match any defined rules. | Default – DIRECT. If a proxy is used, enter the following in this field: PROXY – followed by the IP address or FQDN of the proxy |

3.5.2 Automated AccAD Engine Configuration

With this configuration method, applicable both for the automatic and the semi-automatic installation modes, the AccAD appliance is configured using the ADM. A proprietary XML configuration file, the Appliance Definition File (ADF), is created and configuration of the engine is automated using this file as input.

To enable this configuration method, the ADM package must be installed. The process is explained in sections The ADM Package for Automated Installations and Managing the Appliance landscape.

For a detailed description of the automated appliance configuration process, refer to section Adding and Removing AccAD Instances.

3.6 The ADM Package for Automated Installations

The AccAD Management package (ADM) acts as an installation server from which the appliance landscape is built. The installation of the AccAD repository includes the ADM package.

If the repository is not yet installed, install it as described in Installing the Engine.

3.6.1 Managing the Appliance Landscape

The information required for managing the appliance profiles, and for the setup of the installation server used for the automatic appliance installation, is the following:

IP Address, HTTP port, HTTPS port – Used for setting up the ADM installation repository from which the OS is installed using the HTTP protocol. In the second phase the AccAD component is installed (using HTTP to download the ISO and initiate the installation, and HTTPS for the secure download of the appliance definition file containing certificates).

ID Start/End Range – Used for simplifying the creation of a new appliance instance. Upon instance creation the ID field is filled in using the next valid ID from the defined range:

First an attempt will be made to find the next ID, which was not recently used (and of a higher value than any ID currently in use)

If the range end is reached, then an attempt will be made to find the first vacant ID (for example, an ID used by an instance that was deleted)

If this also fails, the user must enter an ID manually
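The selection order above, written out as a shell function. This is an added sketch, not ADM's own code: the function name and its inputs are assumptions, and "not recently used" is modelled as "higher than the highest ID ever issued, including IDs of deleted instances".

```shell
#!/bin/sh
# Added illustration of the ID-range behaviour described in this section.
# Not ADM code: next_instance_id and its arguments are hypothetical names.
#
# usage: next_instance_id RANGE_START RANGE_END HIGHEST_ISSUED [IN_USE_ID ...]
#   HIGHEST_ISSUED  highest ID ever handed out, including IDs of deleted
#                   instances (0 if none). Assumption: this is how
#                   "not recently used" is tracked.
# Prints the chosen ID and exits 0. Exits 1 with no output when the range is
# exhausted and the ID has to be entered manually. Exits 2 on bad input.
next_instance_id() (
    range_start=$1
    range_end=$2
    high_water=$3
    shift 3

    # Accept only plain decimal integers without leading zeros.
    for n in "$range_start" "$range_end" "$high_water" "$@"; do
        case $n in
            ''|*[!0-9]*|0?*)
                echo "not a valid ID: '$n'" >&2
                exit 2 ;;
        esac
    done
    if [ "$range_start" -gt "$range_end" ]; then
        echo "range start is above range end" >&2
        exit 2
    fi

    # Step 1: take the next ID above every ID in use or issued before, so an
    # ID that belonged to a deleted instance is not handed out again yet.
    candidate=$high_water
    for id in "$@"; do
        if [ "$id" -gt "$candidate" ]; then candidate=$id; fi
    done
    candidate=$((candidate + 1))
    if [ "$candidate" -lt "$range_start" ]; then candidate=$range_start; fi
    if [ "$candidate" -le "$range_end" ]; then
        echo "$candidate"
        exit 0
    fi

    # Step 2: the range end was reached, so fall back to the first vacant ID
    # (for example, one freed by a deleted instance).
    candidate=$range_start
    while [ "$candidate" -le "$range_end" ]; do
        vacant=yes
        for id in "$@"; do
            if [ "$id" -eq "$candidate" ]; then vacant=no; break; fi
        done
        if [ "$vacant" = yes ]; then
            echo "$candidate"
            exit 0
        fi
        candidate=$((candidate + 1))
    done

    # Step 3: nothing left in the range; the ID must be entered manually.
    exit 1
)

# Constructed sample: range 100-105, IDs 100 and 101 in use, 102 was deleted.
next_instance_id 100 105 102 100 101    # prints 103
```
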

To configure the installation server:

1. Access the AccAD Administrator UI of the repository, using the URL http://<repository_ip>:<port>.

2. Open the Appliance Landscape tab, and choose Installation Server.

3. Choose Edit.

4. Enter values for the following fields:

IP Address – the IP of the ADM machine

HTTP Port – 80 by default

HTTPS Port – 443 by default

ID Range Start – Start of available ID range

ID Range End – End of available ID range

5. Choose OK.

6. Choose the Resources node. This screen shows the Resources tree for both OS resources (for all supported distributions) and their relevant AccAD resources.

To upload resources to the ADM server, you need to configure those resources: Each one must have a path to either the network location of the resource (supported protocols are http, https, and ftp), or the full path to the resource on the SFE machine.

The supported source formats of the files are ISO, TGZ, and DIR (if a path is provided).

Enter the locations of all the resources to support.

Example paths for resources (applies both to an AccAD resource and an OS resource):

ISO

http://www.example.com/My-Resource.iso

https://www.example.com/My-Resource.iso

ftp://www.example.com/My-Resource.iso

TGZ

http://www.example.com/My-Resource.tgz

https://www.example.com/My-Resource.tgz

ftp://www.example.com/My-Resource.tgz

If you have downloaded My-Resource.iso or My-Resource.tgz to /my/downloads/folder/, you can give the path as the resource path:

/my/downloads/folder/My-Resource.iso

/my/downloads/folder/My-Resource.tgz

If you have mounted the resource ISO on /my/mount/folder/, or have extracted the resource TGZ to /my/extraction/folder/, you can give the folder path as the resource path:

/my/mount/folder/

/my/extraction/folder/

7. Save and apply as described in the section Saving and Applying the New Delivery Policy.

8. Create the appliance landscape by choosing the Apply Appliance landscape button.

This may take several minutes since all resources are being uploaded to the ADM.

An alert is returned for bad AccAD resources; however, there is no OS resources verification.

At this point, kick-start files for the configured appliances are created for future installations.

The AccAD and OS resources can be found at http://adm-hostname-or-ip/resources.

The configured appliances kick-start files can be found at http://adm-hostname-or-ip/appliances.

Note: ADM configuration can also be done using the CLI. For more information on the CLI see Command Line Interface.

3.6.2 Adding and Removing AccAD Instances

Adding, removing and configuring AccAD appliances can be done in the admin UI as follows:

1. Access the AccAD Administrator of the repository, using the URL http://<repository_ip>.

2. Open the Appliance Landscape tab, and choose Installation Server.

3. Add new appliances by clicking Create and configure them as explained in the section Manual Configuration of the AccAD engine.

4. After configuring an instance, you can import the ADF file by choosing Import.

3.6.3 Automatic Installation

1. At the first stage of the Linux installation, connect to the host on which you are installing the AccAD engine and type as follows:

For RH appliances: linux ks=http://<installation_server_ip>/appliances/<appliance_name>/ks.cfg

For SLES appliances: autoyast=http://<installation_server_ip>/appliances/<appliance_name>/autoinst.xml

install=http://<installation_server_ip>/appliances/sles-10-i386/all

Before completing appliance configuration and certificate download you are prompted for the appliance password to verify the appliance identity.

2. After entering the password, choose to set for this instance. The installation finishes.

If a delivery policy has been defined for this appliance it becomes operational.

3.6.4 Semi-Automatic Installation

To secure the tunnel, the AccAD configuration should use a designated appliance definition file (adf), in XML format, that includes certificates.

This file will be generated after adding an AccAD instance. Save the XML file that is created to a location on your appliance machine.

CAUTION: The XML file may contain sensitive information and security precautions are recommended.

3.6.4.1 Installing the AccAD Engine

If the AccAD engine is not yet installed on your machine, install it as described in Installing the Application Delivery Engine.

Use the following command to perform the engine configuration:

appliance-config -b <configuration_file>

Where <configuration_file> is the XML file (adf) you created previously.
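One way to act on the caution about the ADF before handing the file to appliance-config, shown as an added example that is not part of the AccAD tooling. The function names and the APPLIANCE_CONFIG variable are assumptions; only the command appliance-config -b <configuration_file> comes from this guide.

```shell
#!/bin/sh
# Added example: refuse to apply an appliance definition file (ADF) that
# other local users could read or swap out, since it carries certificates.
# adf_is_private, apply_adf and APPLIANCE_CONFIG are hypothetical names;
# only "appliance-config -b <file>" is taken from this guide.

# Exit 0 only if FILE is a regular file (not a symlink), owned by the calling
# user, with no group/other permission bits, and stored in a directory that
# group and others cannot write to.
adf_is_private() (
    file=$1
    set -f                      # no globbing while splitting the ls output

    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "ADF check: $file is not a regular file" >&2
        exit 1
    fi

    # "ls -ldn" prints: <permissions> <links> <uid> <gid> ...
    set -- $(ls -ldn -- "$file")
    file_perms=$1
    file_uid=$3
    if [ "$file_uid" != "$(id -u)" ]; then
        echo "ADF check: $file is not owned by the calling user" >&2
        exit 1
    fi
    case $file_perms in
        ????------*) ;;         # e.g. -rw------- : owner access only
        *)
            echo "ADF check: $file is open to group or others ($file_perms)" >&2
            exit 1 ;;
    esac

    # A writable parent directory lets another user replace the file.
    set -- $(ls -ldn -- "$(dirname -- "$file")")
    case $1 in
        ?????w*|????????w*)
            echo "ADF check: directory of $file is writable by group or others" >&2
            exit 1 ;;
    esac
    exit 0
)

# Run the engine configuration only when the ADF passes the check.
# APPLIANCE_CONFIG can point at another binary (used here for dry runs).
apply_adf() {
    adf_is_private "$1" || return 1
    "${APPLIANCE_CONFIG:-appliance-config}" -b "$1"
}
```

Saving the exported file with `umask 077` in effect, or running `chmod 600` on it afterwards, makes it pass the check.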

3.6.5 Updating Link Certificates

Use the procedure described here for each engine in the following circumstances:

When setting up a secured link between the SFE and CFE

On all manually installed engines in a landscape that also contains engines that are configured automatically or semi-automatically

To update link certificates, do as follows:

1. Log in to the AccAD Administrator of your machine using the URL http://<repository_ip> and choose the Local Configuration tab.

2. In the root node of the navigation tree, choose Appliance > Commit to Data Center.

3. Log in to the AccAD Administrator of the repository engine and choose the Appliance Landscape tab.

4. In the root node, choose Apply.

This action generates the new link certificate. Ignore any error messages that may appear.

5. In the Appliances node, choose the relevant appliance and then Export. An XML file is generated that details the appliance configuration on the appliance machine.

6. Save the XML file and follow the procedure described in Semi-Automatic Installation.

3.6.6 Installing the AccAD Administrator Certificate

To avoid the appearance of a certificate error when accessing the AccAD Administrator in your browser, install the AccAD CA (Certificate Authority) public key on the machine. This adds the AccAD CA to the list of trusted certification authorities on your computer.

Note: An AccAD repository must be installed as a prerequisite to this procedure.

3.6.6.1 Downloading and Installing the AccAD CA Public Key

Download the CA public key in one of the following two ways:

Download the public key from the URL https://repository-hostname-or-ip:7443/AccAD_CA_Public_Key.der

Use the AccAD Administrator as follows:

a. Log in to the AccAD Administrator. When the certificate error is displayed, choose the option to continue to the website.

b. Choose the Local Configuration tab.

c. In the root node of the navigation tree, choose Appliance > Download AccAD CA Public Key.

Important: Since the CA is on the repository, if you are downloading the certificate for an AccAD engine type that is not the repository (an SFE or CFE), you must verify that the link between the engine and the repository is available before downloading the public key.

If you are installing a secure landscape, make sure to install all appliances using the semi-automatic/automatic installation modes. If any of the appliances are installed manually, secure connections are rejected.

Install the AccAD CA public key as follows:

Run the AccAD_CA_Public_Key.der file that you downloaded. The certificate error will not be displayed when entering the AccAD Administrator of this AccAD engine.

When installing new appliances in manual or semi-automatic mode, create and apply the ADF file for the appliance, as described in sections Semi-Automatic Installation and Manual Configuration of the AccAD Engine.

For the changes to take effect, run the command service adui restart from the engine.

Configuring the Delivery Policy May, 2011

4. Configuring the Delivery Policy

Once the repository is installed and configured, you need to define the rules, or a delivery policy, according to which services are delivered in your landscape.

You can define the delivery policy either by using AccAD Administrator, a graphical user interface utility provided by AccAD, or by using the command line interface (CLI) on the repository machine. If you choose to use the CLI, see the configuration instructions in this chapter and deploy them as described in the section Command Line Interface.

AccAD Administrator provides an administrative toolset with which you set the rules for application delivery, and supplies auditing information, traffic history, and system status.

Policy Configuration

A policy defines which service instances are delivered to which engine instances. The following building blocks should be defined:

Locations – Physical locations at which AccAD engines reside

Engine instances – Separate instances of an engine at a specific location or multiple engines at a single location

Service types – Services to be delivered, based on the available templates (for example, HTTP, CRM, SAP NetWeaver Portal)

Service instances – Specific instances of service types at a specific location

Groups – Groups of service instances and engine instances enabling easier policy configuration

Each service instance at a location, as well as each engine instance, can belong to one or more groups.

Delivery rules can then be added, each defining delivery of a source group to a destination group. All service instances in the source group are delivered to all the engine instances in the destination group.

Important: Be aware that delivery is possible only on an established link. If your delivery rules include delivery between sources and destinations that are not connected by an AccAD link (for example, between 2 SFEs), there is no delivery.

4.1 Accessing the AccAD Administrator

The AccAD Administrator is a graphical user interface that facilitates configuration of AccAD parameters. It is exposed on the engine at port 7443 and can be accessed using the URL https://<repository_ip>:7443/. The AccAD Administrator is available after the installation of the repository.

Important: If the landscape includes more than one repository, choose the primary repository and configure the delivery policy there.

4.2 Defining the Policy

The following sequence of actions comprises the process necessary for defining a delivery policy; each numbered action is described in more detail in the subsequent sections.

1. Add groups – Define the groups in your landscape for configuration of delivery.

2. Add locations – Define the physical locations in your landscape.

3. Add engine instances – Specify details of engines (SFEs and CFEs) that deliver and receive services.

4. Add service types – Define the service types to deliver. For example, you can define SAP NetWeaver Portal 7.0 as a service type, representing the portal services of SAP NetWeaver.

5. Add service instances – Specify the instances of the services exposed at each location in your landscape. You can then attach each service instance to one or more groups.

6. Add delivery rules – Define the deliveries between origin groups and target groups.

Important: To avoid loss of the data that you defined, make sure to choose Save after each configuration before moving to another node.

Note: In some of the pages described in the following procedures, a table appears that allows you to delete existing nodes.

4.2.1 Defining Groups in the Landscape

1. In AccAD Administrator, in the Delivery Policy tab, expand the Delivery Policy node and choose Groups.

2. In the Groups pane, choose Create. The new group is added to the list.

3. Enter a name and, optionally, a description, for the new group.

4. Choose OK to add the group to the delivery policy under the Groups node. The new group is selected automatically.

When you select a group, two buttons appear next to it:

Edit – allows you to add or change the description

Delete – removes the node from the list and discards it

4.2.2 Defining Delivery Locations

1. In AccAD Administrator, in the Delivery Policy tab, choose Locations.

2. In the Locations pane, enter a name for the new location and choose Create.

3. Choose OK to add the location to the delivery policy under the Locations node. The new group is selected automatically.

When you select a group, two buttons appear next to it:

Edit – allows you to add or change the description

Delete – removes the node from the list and discards it

4.2.3 Adding Engine Instances

1. In AccAD Administrator, in the Delivery Policy tab, choose Engine Instances.

2. In the Engine Instances pane, enter an instance name and choose Create.

3. Enter the engine instance details:

Name – The device name appears by default.

ID – Enter the value that you specified for the device ID during the CFE installation. See Allocating a Device ID.

Description

Groups – Select the group to which you want this engine instance to belong.

Location – Select the physical location of this engine instance from the Location dropdown list.

Consume Services from Other Engines – Select this checkbox if this engine instance is to consume services from other locations, acting as a CFE.

Provide Services to Other Engines – Select this checkbox if you want this engine instance to provide services to other engine instances, acting as an SFE.

Enable Local Delivery – Select this checkbox to enable local delivery through this engine instance. This means that services delivered using this instance are also available for consumption to local users directly from the SFE. The advantages of enabling local delivery include lightening the load on the application server and providing load balancing, if implemented.

4. Choose OK to add the engine instance to the delivery policy.

4.2.4 Defining Service Types

This section explains how to define and configure the parameters of the service types with which applications are delivered. Some service types are available out-of-the-box, for example HTTP or SAP NetWeaver Portal. You can create a new service type based on an existing template and modify parameters to fit your landscape needs.

1. In AccAD Administrator, in the Delivery Policy tab, choose Service Types.

The out-of-the-box services appear in the templates list.

2. Add a new service by selecting one of the existing templates and choosing Create.

3. Create the service type by expanding the Service Types list and choosing the relevant service.

4. Enter values or edit the values in the following fields.

General Properties:

Name – Enter a label for the service. This name appears in the administration tree.

Description – Optionally, enter a description of the service.

Default Port Value

SSO Method – To deliver a service with single sign-on (SSO), based on a client certificate, select an SSO Method. The available methods are:

SAP J2EE Format – for delivering SAP J2EE applications

SSM Format – for delivering SSM application

Disabled – if no SSO

Additional configuration must be made when enabling SSO with X.509 certificates. Refer to the section Configuring X.509 User Authentication – TLS/SSL Only for details.

Further editing is possible and depends on the requirements of your landscape. For more information about the advanced parameters of service types, see the section Advanced Configuration - Service Types.

5. Choose OK to add the service type to the delivery policy and then choose Save.

4.2.5 Adding Service Instances

This section describes how to add service instances based on service types previously defined. Each service instance is defined at a specific location and can belong to one or more groups.

1. In AccAD Administrator, in the Delivery Policy tab, choose Service Instances.

2. In the Service Instances pane, enter a name for the service, select Basic Service or SAP Cluster from the dropdown list, choose Create, and select the service template:

SAP Cluster

This template enables the AccAD engine to perform load balancing using the SAP message server.

Basic Service

3. Enter the service instance details:

Name – the name of your service instance

Service Type – The previously defined service type for this service instance

Description – Optional

Expose as FQDN – The fully qualified domain name of this service

Port – The port of this service

By default, this value is taken from the port of the service type. If you want to expose the service instance at a different port, set the value here.

Is Encrypted – Choose HTTP or HTTPS from the dropdown list

Location – The physical location at which this service instance is exposed

Groups – The group to which this service instance belongs

If the selected service template is the SAP Cluster template, configure the following parameters of the message server by entering the Message Server node:

Host Name – IP/DNS name of the message server

Encrypted – Check this box if the connection to the message server is to be encrypted

Port – Port of the message server


Group – Logon group name

Back End Service Type – Choose the type of back-end service you are delivering (either ABAP or AS Java)

User Session Timeout – Timeout (in minutes).

If a connection is still open after this time period, the client may be routed to a different server in the cluster.

Otherwise, configure the service address in the Network Address field.

4. Choose OK to add the service instance to the delivery policy and then choose Save.

4.2.6 Adding Delivery Rules

You complete the delivery policy configuration by adding rules to define delivery from an origin group, which contains service instances, to a destination group, which contains engine instances. All service instances in the origin group are delivered to all the engine instances in the destination group.

1. In AccAD Administrator, under the Delivery Policy tab, choose Delivery Rules.

2. In the Delivery Rules pane, enter a name in the Name field, choose Create, and configure the following:

Description – Optional

Origin – The origin group from which service instances are to be delivered

Destination – The destination group.

The delivered services go to the engine instances in this group.

3. Choose OK to add the delivery rule to the policy.

If you want the rule to override parameters in the service instances it exposes, choose Edit and configure the subnode Delivery Rule Modifier as follows:

Port – The port at which service instances in the source group are to be exposed

Choose 0 to keep default ports that are defined in the service instances.

Is Encrypted – Choose whether or not to encrypt the services, using one of the following values:

Yes – Encrypt all deliveries

No – Do not encrypt

Keep Original Value – Do not override the value defined in the service instances.

Allocate Virtual IP and expose in DNS – Select this checkbox if:

You want the engine to allocate virtual IPs for the services to be delivered (that is, the services defined in this rule)

You want these services, to which the engine allocated virtual IPs, to be exposed in the DNS.

If not selected, the services will only be accessible by way of the proxy.

4. Choose Save.

Note This only applies for HTTP and HTTPS services. Other services (for example, TCP, UDP) require the allocation of virtual IPs.


Important The delivery rule modifier applies the values you configure to all the service instances that it defines. This means that if more than one service instance is included in the source group, the delivery rule modifier changes the settings of all the service instances to have the same values as you configure by implementing this procedure.
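The override behaviour of the Delivery Rule Modifier, worked through as an added example (not part of the SAP guide or of AccAD itself): it computes the port and encryption setting each service instance in the origin group ends up exposed with, and marks instances whose HTTPS setting a rule-level No removes. The class names, function name and sample group are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

KEEP = "Keep Original Value"
ENCRYPTION_CHOICES = ("Yes", "No", KEEP)


@dataclass(frozen=True)
class ServiceInstance:
    name: str
    port: int        # "Port" of the service instance
    encrypted: bool  # "Is Encrypted": True for HTTPS, False for HTTP


@dataclass(frozen=True)
class RuleModifier:
    port: int = 0             # 0 keeps the port defined in each service instance
    is_encrypted: str = KEEP  # "Yes", "No" or "Keep Original Value"


def effective_exposure(origin_group: List[ServiceInstance],
                       modifier: RuleModifier) -> List[Dict]:
    """Apply one modifier to every instance in the group, as the rule does."""
    if modifier.is_encrypted not in ENCRYPTION_CHOICES:
        raise ValueError(f"unknown Is Encrypted value: {modifier.is_encrypted!r}")
    if not 0 <= modifier.port <= 65535:
        raise ValueError(f"port out of range: {modifier.port}")

    report = []
    for inst in origin_group:
        # Port 0 means "keep the default port of the service instance".
        port = inst.port if modifier.port == 0 else modifier.port
        if modifier.is_encrypted == KEEP:
            encrypted = inst.encrypted
        else:
            encrypted = modifier.is_encrypted == "Yes"
        report.append({
            "name": inst.name,
            "port": port,
            "encrypted": encrypted,
            "port_overridden": port != inst.port,
            # An HTTPS instance that the rule exposes without encryption.
            "downgraded": inst.encrypted and not encrypted,
        })
    return report


# Constructed sample origin group: two HTTPS services and one plain HTTP service.
SAMPLE_GROUP = [
    ServiceInstance("portal", 443, True),
    ServiceInstance("km-docs", 50001, True),
    ServiceInstance("legacy-http", 8080, False),
]

if __name__ == "__main__":
    for row in effective_exposure(SAMPLE_GROUP, RuleModifier(0, "No")):
        flag = "  <-- encryption removed by rule" if row["downgraded"] else ""
        scheme = "https" if row["encrypted"] else "http"
        print(f'{row["name"]:12} {scheme}:{row["port"]}{flag}')
```

Running the check against each rule before choosing Apply shows which services a single modifier would expose in clear text.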

4.2.7 Activating the New Delivery Policy

In the previous sequence you defined and saved a new policy in the repository. However, this policy is still only held in the repository and the landscape continues to operate with the old policy (if an old policy exists) until you apply the new policy.

In AccAD Administrator, go to the root node (Delivery Policy) and choose Apply.

You can save the policy you defined in the archive for backup. For details, see Archiving Configuration Settings.

Important If the following conditions are true, you must flush the DNS cache for the new policy to take effect:

You are currently changing the delivery policy

You are using a DNS proxy

Your workstation is a Windows machine

See Configuring DNS on a Windows Machine.

4.3 Advanced Configuration - Service Types

A service type object in the delivery policy consolidates the application-specific information required for high performing delivery of application services. The service type includes the following:

General parameters

Collection of transaction types

A transaction type represents a subset of transactions in the application service. Each service type includes at least the default transaction type object. For more information, see Transaction Types.

Service types are based on predefined templates, each having its specific set of default values. Upon creation, a new service type acquires the default values from the template on which it is based.

4.3.1 General Parameters

Note The parameters in this section affect system performance significantly and are intended for advanced users. If you change the default values, make sure that you use values that are appropriate for your system.

The following parameters are common to all the transactions in the service type:

Compression Method – server-to-user

Choose the compression method to be used when delivering applications (server responses). The available methods are:

Adaptive – This method activates the AccAD advanced learning and redundancy elimination algorithm for compression. This enables efficient throughput and reduces response time. It is the recommended option in most cases. See Traffic Flow Minimization Mechanism for more details.

Deflate only – Simple gzip-like compression, without applying AccAD features.

None – No compression is applied. Choose this method if, for example, the information delivered is already compressed or is encrypted.

Compression Method – user-to-server

Choose the compression method to be used when delivering user requests. The available methods are the same as in server-to-user.

Service Monitor Settings

URL path – By default, the monitor downloads a page from the server, using the server DNS name, as defined in the delivery policy. For a non-default page, enter the relevant value for this parameter, which will be concatenated to the server DNS name, for example, /irj/portal.

Searched String – Specify the string to be used by the Application Delivery Monitor as the checking parameter, used when validating each page download, for example, portal.

4.3.2 Transaction Types

An application service can be constructed of different types of transactions, which correspond to different components in the integrated application service.

A default transaction type is available for each service type and it can be modified and configured according to the specific needs of the landscape.

4.3.2.1 Configuring a Transaction Type

Note The parameters in this section affect system performance significantly and are intended for advanced users only. The default values should not be changed.

The following can be configured in each transaction type:

Request Aggregation – These parameters appear only in the Default transaction type. Although the aggregation of transaction messages from the communication stream has a delay penalty, this is outweighed by a reduction in the traffic of redundant content. It is recommended, therefore, that messages of the same transaction be aggregated to achieve an optimal compression ratio.

Enable Aggregation – Select this checkbox to enable message aggregation. It is checked by default.

Volume Threshold - Represents a typical maximal length of a message, in Bytes.

Time From First Chunk – Total time of delaying content for aggregation, in milliseconds.

Time Between Chunks - Maximal pause in transmission, after which it is likely that the message transmission was completed, in milliseconds.

Response Aggregation – Same as Request Aggregation.

CFE HTTP Processing Sequence – AccAD includes a set of application-aware processors. Each transaction type includes a specific processing sequence. The processing sequence is not editable but it is possible to configure the parameters in an existing sequence. For more information about the available processors, see section HTTP Processors.


Request Context - Each transaction type may have its own context in the compression engine. It is possible to tailor the size of dictionaries and buffer for best performance, at the cost of footprint.

CAUTION The following parameters are AccAD-specific. Do not modify these parameters for out-of-the-box service types without expert knowledge of AccAD.

Dictionary - Stores frequently recurring segments of content. To avoid retransmission of entire segments, references to recurring content can be used in subsequent transmissions. This is part of the traffic flow minimization mechanism. Configurable Dictionary properties are:

Memory Quota - The overall space in the main memory (in bytes) used for the dictionary (default - 2000000)

Number of Items - The maximum number of items

Message Store – The buffer of previously transmitted messages used by the adaptive learning mechanism in real-time analysis for the context

Number of Messages Stored - Maximum number of recent messages stored (The higher the value, the faster the learning, at the cost of CPU consumption.)

Recorded Message Store - The adaptive learning mechanism may record segments of messages for future offline analysis, done in parallel to real-time processing. The configurable Recorded Message Store properties are:

Memory Quota - The overall space in the main memory (in bytes) used for the dictionary (When the store is larger, offline learning is more effective, although it takes longer.)

Number of Items - The maximum number of items

Response Context – Just as for the Request Context, each transaction type may have its own context in the compression engine. It is possible to tailor the size of dictionaries and buffer for best performance, at the cost of footprint.

Classification rule – This parameter only appears in non-default transactions. The classification rules comprise a pattern applied to the navigation part of a URL, used to classify the transaction type inside the application service.

4.3.3 HTTP Processors

AccAD enables configurable optimization of several HTTP caching and compression processes, as described in this section.

4.3.3.1 Web Cache

From version AccAD 2.2, there is a Web cache mechanism designed to enable standard HTTP caching to eliminate performance penalties, Linux-specific limitations, and to enable working with HTTP 1.1. The Web cache mechanism includes both disk and memory cache.

You can configure the remote office to use content from the Web cache instead of sending requests to the data center and back. This saves significant time and improves application performance.

The cache processor is defined as part of the processing sequence in the default transaction type. You can configure it as described in the next section.


Configuring the cache:

To configure the cache, define or edit processing rules. The rules determine the following:

The type of content to be cached

When the content expires

When content first arrives, it is considered fresh. Upon expiration the content turns stale and needs to be replaced with fresh content from the data provider.

Note These definitions are advanced settings, and require expertise in Web cache applications. This document describes the options relevant for AccAD configuration but does not drill down to Web cache terminology.

Configuring the cache is done as part of the transaction type configuration. You can configure the caching rules, which include the following parameters:

Name – Select this checkbox to enable message aggregation. It is checked by default.

Should Cache – Uncheck this box if you want to specify a pattern not to be cached. It is checked by default.

Overwrite Server Directives – Check this box to overwrite the server’s caching directives and use your own parameters as a caching policy.

Refresh Pattern – Describes the URL expression to cache.

Example If you want to keep JPG images from portal applications, enter: */irj/portalapps/.*\.jpg.*.

Cache – Uncheck this box if you want to specify a pattern not to be cached. It is checked by default.

Minimum Freshness Time (minutes) - The minimum time (in minutes) during which an object without a specified expiration time is considered up-to-date. This field requires a numeric value.

Example If you specified 100 minutes, and if the content is requested within this time frame, it is sent from the cache.

Note If the content header includes an expiration time, that value overrides the value entered here.

Maximum Freshness Time (minutes) - The maximum time (in minutes) that an object without a predefined expiration time is considered fresh.

After the time specified for this parameter, the status of the resource is considered stale. When the next request for this resource arrives, the status of the object in the data provider is checked. If the object was not modified, its status returns to fresh, and the time count restarts. If it was modified in the data provider, the cache content is replaced with the modified content.

Age Percentage - Defines the maximum time that an object, without a predefined expiration time, remains fresh, based on its modification frequency.

This attribute does not change the status of the object to "stale" based solely on a fixed time value, such as "Maximum = 1000 minutes"; rather it uses an algorithm that takes into account both the object age in the cache and the time since its last modification. In objects with high modification frequency, this attribute may expire sooner than the maximum.

Enter a numeric value from 0 to 100, followed by "%". For example, 20%.


Negative Caching Duration (minutes) - Provide the caching duration for 404 (Not Found) responses from the server. Choosing a value over 0 means that, for the provided time, a request for this resource is not sent to the server; instead, a 404 response is sent to the user by the AccAD engine.
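How the freshness parameters of a caching rule interact, as an added example that is not AccAD code: the guide does not publish the Age Percentage algorithm, so this sketch assumes the common heuristic in which the lifetime is that percentage of the time between the object's last modification and its arrival in the cache, bounded by the minimum and maximum freshness times. All names and sample values are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class CacheRule:
    min_fresh_min: int                 # Minimum Freshness Time (minutes)
    max_fresh_min: int                 # Maximum Freshness Time (minutes)
    age_percentage: int                # Age Percentage, 0..100
    negative_caching_min: int = 0      # Negative Caching Duration (minutes)
    overwrite_server_directives: bool = False


@dataclass(frozen=True)
class CachedObject:
    status: int                        # HTTP status of the cached response
    cached_at: datetime                # when the content arrived in the cache
    last_modified: Optional[datetime] = None
    expires: Optional[datetime] = None  # expiration time from the content header


def freshness_lifetime(rule: CacheRule, obj: CachedObject) -> timedelta:
    """How long after cached_at the object is served without revalidation."""
    if not 0 <= rule.age_percentage <= 100:
        raise ValueError("Age Percentage must be between 0 and 100")
    if rule.min_fresh_min > rule.max_fresh_min:
        raise ValueError("minimum freshness exceeds maximum freshness")

    # 404 responses are governed only by the negative caching duration.
    if obj.status == 404:
        return timedelta(minutes=rule.negative_caching_min)

    # An expiration time in the header overrides the rule values,
    # unless the rule is set to overwrite the server directives.
    if obj.expires is not None and not rule.overwrite_server_directives:
        return max(obj.expires - obj.cached_at, timedelta(0))

    low = timedelta(minutes=rule.min_fresh_min)
    high = timedelta(minutes=rule.max_fresh_min)
    if obj.last_modified is None:
        return low  # assumption: nothing to base the heuristic on

    # Assumed heuristic: recently modified objects expire sooner.
    since_modified = max(obj.cached_at - obj.last_modified, timedelta(0))
    heuristic = since_modified * rule.age_percentage / 100
    return min(max(heuristic, low), high)


def state(rule: CacheRule, obj: CachedObject, now: datetime) -> str:
    """'fresh' is served from the cache; 'stale' is checked with the data provider."""
    return "fresh" if now - obj.cached_at < freshness_lifetime(rule, obj) else "stale"


# Constructed sample values.
T0 = datetime(2011, 6, 1, 12, 0)
RULE = CacheRule(min_fresh_min=100, max_fresh_min=1000, age_percentage=20,
                 negative_caching_min=5)

if __name__ == "__main__":
    for minutes_old in (10, 3000, 10000):
        obj = CachedObject(200, T0, last_modified=T0 - timedelta(minutes=minutes_old))
        print(minutes_old, "min since modification ->", freshness_lifetime(RULE, obj))
```

A non-zero negative caching duration also means that a resource created on the server during that window keeps returning 404 to users until the duration elapses.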

In addition, you can configure the following cache parameters per engine instance:

Parameter | Description | Additional Comments
Memory Quota | The size in the memory (in MB) for the memory cache | Default – 4
Disk Quota | The size in the disk (in GB) for the disk cache | Default – 32
Max Memory Object Size | Maximum size (in KB) of a resource for the memory cache | Default – 100
Max Disk Object Size | Maximum size (in MB) of a resource for the disk cache | Default – 100
Have Persistency | Saves the memory cache to a persistency file to enable reloading of the cache upon system restart. (Y/N) | Default – Y

4.3.3.2 Remote Caching with Central Authorization (KM)

The Knowledge Management application has a central authorization policy with a distributed landscape in which many users are located in regional offices. Standard Web caching does not provide the access control policy that Knowledge Management requires.

The AccAD remote caching and central authorization logic supports caching of documents in remote offices while the user authorization policy of the central KM system is supported, as well as the pushing of up-to-date or new documents.

Multiple KM services can be supported, each with its own delivery policy rules. Each specific service is identified by matching different URL patterns, so a different configuration can be set for each of these services.

Configuration of the KM processor is similar to Web cache configuration, since it only enhances the cache to include central authorization, as described in Web Cache.

The KM processor can be found with the following NetWeaver versions:

SAP NetWeaver Portal 7.0 SPS13 and higher

SAP NetWeaver 04 Portal


4.3.3.3 Caching Logical URL for ERP Learning Solutions (LSO)

This capability is applicable for ERP learning solutions (LSO), for versions LSOCP 602 SP02 (ECC/ERP 6.00 EhP 2 SP 2), LSOCP 600 (ECC/ERP 6.00) SP 13 and above.

LSO uses a logical URL scheme based on user and course details. AccAD enables caching of course resources for the same user and course, as well as between different users and courses. This is done by the AccAD engine by resolving the logical model.

SAP NetWeaver Portal already includes the LSO transaction type out of the box with the following NetWeaver versions:

SAP NetWeaver Portal 7.0 up to SPS13

SAP NetWeaver Portal 7.0 SPS13 and higher

There is no need for specific configuration for the LSO transaction type.

4.3.3.4 HTTP Compression (gzip)

This processor handles the HTTP compression of the delivered service. Web servers may encode the responses to users in a compressed format. To best compress the content with AccAD proprietary adaptive compression, the content should arrive at the AccAD engine in an uncompressed format. This is done by the gzip processor by removing the Accept-Encoding header from the client requests. In addition, the engine may perform the HTTP compression between the CFE and the users by itself.

Configuring the gzip processor:

The gzip processor is configured using an ordered set of rules, each of which represents a pattern; the first matched pattern is executed.

1. When adding or editing a rule, enter values for the following parameters:

Name – The name that describes the rule

Type - Choose URI or MIME Type, according to the pattern you want this rule to match

Pattern - A regular expression pattern to be matched, for example:

If type is URI, a possible pattern would be *.css.

If type is MIME, a possible pattern would be audio/*

Enable compression – check this box to perform compression between the CFE and the user’s browser by the AccAD engine

Remove Accept encoding – check this box to disable the server HTTP compression by removing the Accept Encoding header, to enable AccAD compression

Min Length – if the HTTP compression is enabled, this size represents the minimal message length on which to perform compression (in Bytes).


4.4 Exporting and Importing Service Types

Service type configuration includes many details to define the behavior of the application server, such as cache rules, GZIP compression rules, KM configuration parameters, LSO configuration parameters.

Once a service type that suits the requirements of the application server is defined and configured, you can export it and later import it to other delivery policies.

Exporting a Service Type

1. In the AccAD Administrator, under the Delivery Policy tab, choose Service Types.

2. Expand the Service Types tree and choose the service you want to export, or in the Service Types table, select the checkbox of a service type.

You can also

3. Choose Export.

4. At the prompt, choose Save and navigate to the desired location.

Importing a Service Type

1. In the AccAD Administrator, under the Delivery Policy tab, choose Service Types.

2. Choose Import and at the prompt, browse to the service type XML file.

3. Save the policy. The imported service type is now part of it.

Securing the AccAD Landscape May, 2011

5. Securing the AccAD Landscape

When using AccAD, consider securing the communication over the following network segments:

Remote office network segment – communication between remote office workstations and the CFE

Server network segment – communication between the application server and the SFE

WAN network segment – communication between CFE and SFE (An option is to use TLS/SSL encryption for the AccAD tunnel.)

When installing AccAD, your security options for the WAN segment are:

Not to use encryption over the WAN network segment

To use the certificates included in the AccAD installer pack

Additional security methods are described in the configuration steps in this document.

During installation, the system certificates enable secure communication. More information regarding certificates is provided in the following sections.


5.1 Workstation – CFE: Securing Communication Using TLS/SSL Termination

This section discusses the options for encrypting information between the user workstations and the CFE within the remote office network segment. Usually, communication between remote office workstations and the CFE is Web-based, and can be secured using TLS/SSL. TLS/SSL termination enables client workstation-to-CFE communication using the secure HTTPS protocol. You need to enable it in the delivery policy for each delivered service.

If you choose to use TLS/SSL termination, you require server certificates in P12 (PFX) format.

Configuring TLS/SSL termination:

Upload the server certificate through Policy configuration as follows:

1. In the AccAD Administrator, under the Delivery Policy tab, open a service instance for editing, choose Termination Certificate, and choose Edit.

2. Enter the server certificate and certificate authority in the relevant fields; provide the password for the certificates in the Password field.

You can browse to the certificate and to the certificate authority.

SAP J2EE allows X.509 authentication (single sign-on) based on the user certificate. If you wish to use this mechanism, the following is required:

The SFE is defined as proxy for client certificate authorization

The DN (Distinguished Name) of the client certificate authority is known


Certificates issued by the Microsoft certificate server may cause problems in SSO scenarios. This is because Microsoft's service allows standard attributes that are not standard in distinguished names (for example, ‘EMAIL’ or ‘S’).

5.1.1 Configuring X.509 User Authentication – TLS/SSL Only

This section guides you through the steps required to enable single sign-on in a secure communication environment. This section is only relevant if you are using TLS/SSL termination.

In SSO mode, the CFE requests from the client a certificate that is issued by a certificate authority specified by a Trusted CA. If provided, the certificate is forwarded to the portal in the HTTP header.

Note To enable certificate-based SSO, the portal must be configured accordingly. Check the relevant configuration guide on http://help.sap.com/.

To enable SSO:

If the re-encryption feature is not used, set AcceptClientCertWithoutSSL to true on the AS Java level configuration (in the Admin Tool or in the SAP NetWeaver Administrator tool for SAP NetWeaver Composition Environment 7.1): In the Visual Administration, go to <your server> → Services → HTTP Provider and select the Properties tab.

1. In the AccAD Administrator, under the Delivery Policy tab, select service instance SSO.

2. Choose Edit and select the checkbox Serialize client X509 certificate to header; in the Trusted Client CA field, upload the public certificate of the CA that issues certificates to clients.

5.1.2 SFE – Application Server: Securing Communication Using Re-Encryption

This section discusses the options for encrypting information between the application server and the SFE. It is recommended not to use re-encryption if the SFE is located in the DMZ. In this case, re-encryption consumes additional system resources with only a limited gain in security. If the SFE is not located in the DMZ of the application server, or if the server cannot be configured to work in plain HTTP mode, re-encryption can be used.

If you wish the SFE to become a trusted SSL intermediary, a client side certificate is required.


5.1.2.1 Enabling Re-Encryption

This section guides you through the steps required to enable re-encryption on the SFE side to encrypt communication between the server and the SFE.

1. In the AccAD Administrator, under the Delivery Policy tab, open the service instance.

2. In the Is Encrypted field, select HTTPS; enter the listening port of the application server. The default HTTPS port is 443.

If you choose to become a trusted SSL intermediary, a valid client certificate is required for re-encryption. Install this certificate as follows:

a. Go to Service Instances → <your service> → Re-encryption certificate.

b. Specify the distinguished name of this certificate in ProxyServersCertificates to make the portal trust the SFE.

3. On the portal server, open the Visual Admin tool, located in the portal installation in the following location:

/usr/sap/<SYS_ID>/JC<xx>/j2ee/admin/go.bat

4. Go to Service Instances → HTTP Provider and select the Properties tab.

If verification of the server identity is required, install the certificate of the server Certificate Authority in Service Instances → <your service> → Re-encryption certificate.

5.1.3 SFE – CFE (WAN): Securing Communication by Encrypting the Tunnel

This section discusses the options for encrypting information in the CFE and the SFE when transmitting information through the AccAD tunnel.

By default, the CFE/SFE tunnel passes non-encrypted, clear text information over numerous TCP connections. Since this information may contain sensitive organizational data, it is recommended to encrypt the tunnel if the communication is done over a public network, such as the Internet.

If CFE-SFE communication takes place over a secure private network, or using a VPN solution, you may not require additional encryption and the solution described in this section may not be relevant. If encryption is not required, it is recommended not to use it because its CPU consumption affects overall transmission performance.

When sites are not linked through VPN gateways, or over other private networks, you can use one of the Application Delivery tunnel encryption options.

If you choose to secure the AccAD tunnel, you can either perform an automatic/semi-automatic installation, in which the certificates are automatically pushed to the engine, or you can perform a manual certificate installation, if you choose to install AccAD manually. More details can be found in section Installing and Configuring the AccAD engines.

You can also use the default certificates that come with the AccAD installation but this method is not recommended, though it may be used for demo and test purposes.


5.1.3.1 Installing Tunnel Certificates Manually

To install valid certificates manually, do the following:

1. Log on to the root account in the SFE machine.

2. For each instance, type: /root/install_scripts/create-cert.pl dev <instance_ID> <password>

The instance_ID is the ID defined when configuring the instance.

3. Enter a password of your choice.

Tip Note that you will need it later in the procedure.

4. For each instance, on both the SFE and the CFE machines, type the following commands:

a. service slot-<slot-ID> stop

b. export VL_ROOT=/usr/local/vl/slot-<slot-ID>

If the port 4900 of the SFE is accessible from the CFE, use the following commands:

a. /usr/local/vl/base/bin/cert_mgr add ca adow://<SFE-IP>

b. /usr/local/vl/base/bin/cert_mgr add link adow://<SFE-IP>

If the SFE port is other than 4900, use the following procedure to download the certificates:

a. Go to http://<SFE_IP>:4900/certificates.

i. Download an AccAD CA certificate.

ii. Download the device certificate (select private certificate).

b. Install the CA certificate by typing: /usr/local/vl/base/bin/cert_mgr add ca <ca-certificate-file-name>.der

c. Install the device certificate by typing: /usr/local/vl/base/bin/cert_mgr add link <instance-certificate-file-name>.p12

d. When asked to provide the instance ID and password, use those described in step 2.

5. From both the CFE and the SFE, run the appliance-config tool and go to the instance configuration screen.

6. For each instance, enable SSL and verify the instance ID as follows:

Enable SSL? Y/N Y

Verify device id? Y/N Y


5.2 Securing the SFE and CFE Hosts

The AccAD engine includes a security pack that implements an end-to-end security model. It is installed automatically during CFE and SFE installation.

AccAD engine Protection:

The AccAD engines have a default firewall setting that blocks all unauthorized traffic.

During installation, the engines prompt for a secure non-default password (for both root and admin accounts).

After installation, all engine operations are done via the restricted admin account - which has no access to restricted information cached on the engine.

The engines can have an encrypted drive, used for persistency files.

Note Placing the engines in a physically secure location is recommended, so as to protect the hard disk, which may have sensitive information cached on it.

5.2.1 Adding Drive Encryption for Persistent Content

The AccAD engine has persistency files, such as cache resources, to improve performance upon system restart. These files are saved on the disk, unencrypted, and may be considered a security risk. This issue can be resolved by encrypting the drive used for persistent content.

Drive encryption requires at least one of the following:

A device (or partition) of at least 8 GB (/dev/sda<n>), which is dedicated to the encrypted drive, in addition to the root partition

A hard drive of at least 20 GB, split into at least 2 partitions of at least 8 GB each – one for the root partition, and one for the encrypted drive

Note The encrypted drive is formatted with each reboot. Thus, data stored on this drive is deleted with each reboot.

5.2.1.1 Preparing for Drive Encryption

Before encrypting a device, the following conditions must be met:

The device is removed from the Linux file /etc/fstab.

The device is not mounted.

Removing the Encrypted Device from /etc/fstab

1. Discover the label under which the device can be found in the file.

Note that the device may not appear in the file explicitly as /dev/sda<n>, but rather under some label.

To find out which label, if any, is attached to /dev/sda<n>, run the command:

e2label /dev/sda<n>

If /dev/sda<n> has a label attached to it, this command returns it as output.

2. From the file /etc/fstab, delete the line that includes the label you found – either the label or the device name itself, as the case may be.

CAUTION Before making deletions, make sure you have the information you need to unmount the device, as described in the following section, Unmounting the Device.

Unmounting the Device

1. Discover which device is attached to the label you found in the previous section.

Look for the line in the /etc/fstab file with the relevant label. The next element in that line, following the label name, represents the mount point.

2. If the device is mounted, unmount it with the following command:

umount /my_mount_point
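Both preconditions (device absent from /etc/fstab, device not mounted) can be checked in one pass before the encryption script is run. The following shell script is an added example, not part of AccAD; the function names and the sample fstab and mounts contents are constructed, and the label argument is whatever e2label prints for the device.

```shell
#!/bin/sh
# Added example: pre-flight check for "Preparing for Drive Encryption".
# The device must be gone from fstab (by name or by label) and not mounted.

# fstab_refs FSTAB DEVICE [LABEL]
# Print each active fstab line whose first field is the device name or
# LABEL=<label> (the label is what `e2label DEVICE` prints).
fstab_refs() {
    awk -v dev="$2" -v label="${3:-}" '
        NF == 0 || $1 ~ /^#/ { next }              # skip blanks and comments
        $1 == dev { print; next }
        label != "" && $1 == ("LABEL=" label) { print }
    ' "$1"
}

# mount_points_of MOUNTS DEVICE
# MOUNTS is in /proc/mounts format: "<device> <mount point> <fstype> ...".
mount_points_of() {
    awk -v dev="$2" '$1 == dev { print $2 }' "$1"
}

# preflight FSTAB MOUNTS DEVICE [LABEL]
# Returns 0 only when both conditions hold; otherwise prints what to fix.
preflight() {
    pf_rc=0
    pf_refs=$(fstab_refs "$1" "$3" "${4:-}")
    if [ -n "$pf_refs" ]; then
        printf 'BLOCKED: %s is still listed in %s:\n%s\n' "$3" "$1" "$pf_refs"
        pf_rc=1
    fi
    pf_mp=$(mount_points_of "$2" "$3")
    if [ -n "$pf_mp" ]; then
        printf 'BLOCKED: %s is mounted on %s (umount it first)\n' "$3" "$pf_mp"
        pf_rc=1
    fi
    if [ "$pf_rc" -eq 0 ]; then
        printf 'OK: %s is not in fstab and not mounted\n' "$3"
    fi
    return "$pf_rc"
}

# write_sample_files DIR: constructed sample data so the check runs offline.
write_sample_files() {
    cat > "$1/fstab" <<'EOF'
# constructed sample, not taken from a real engine
LABEL=/         /          ext3  defaults  1 1
LABEL=/logical  /logical   ext3  defaults  1 2
#/dev/sda3      /old       ext3  defaults  0 0
/dev/sda2       swap       swap  defaults  0 0
EOF
    cat > "$1/mounts" <<'EOF'
/dev/sda1 / ext3 rw 0 0
/dev/sda3 /logical ext3 rw 0 0
EOF
}

# Real use: preflight /etc/fstab /proc/mounts /dev/sda3 "$(e2label /dev/sda3)"
if [ "${1:-}" = "--demo" ]; then
    demo_dir=$(mktemp -d)
    write_sample_files "$demo_dir"
    preflight "$demo_dir/fstab" "$demo_dir/mounts" /dev/sda3 /logical
    rm -rf "$demo_dir"
fi
```

In the sample, /dev/sda3 appears in fstab only under its label, so a search for the device name alone finds nothing; this is the case the e2label step exists for.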

5.2.1.2 Encrypting the Drive

1. Select or create a partition.

If you already have AccAD installed, you must supply a new device of at least 8GB (/dev/sda<n>) dedicated to the encrypted drive. Once you have the new device ready, continue to step 2.

New users, or existing users who want to split their current root partition into two partitions, using the second one for drive encryption, must do the following:

i. Use the relevant kick-start file to reinstall your system. (The kick-start file has drv-enc in its name.)

ii. Change the name, making sure to remove drv-enc.

This will split your hard drive into two partitions. The second partition is mounted on /logical until use. After the OS installation is complete, install the AccAD engine.

2. Enable drive encryption.

CAUTION Before using /dev/sda<n> for the drive encryption, remove it from /etc/fstab, as described in the section Removing the Encrypted Device from /etc/fstab. Failing to do so causes problems during the next reboot.

Run the command:

/opt/accad/install_scripts/setup_drive_encryption.pl enable /dev/sda<n>

Disabling Drive Encryption

To disable the drive encryption, run the following command:

/opt/accad/install_scripts/setup_drive_encryption.pl disable

6. Command Line Interface

The AccAD engine has a command line interface (CLI) as an additional means of configuring the engine and its delivery policy. The AccAD CLI follows general industry standards regarding look & feel. The general features are:

User prompt (indicating mode of work and level in configuration tree)

Built-in commands (for example, help, quit, configure terminal)

Special keys

Auto completion of commands

Expert users can take advantage of the following CLI capabilities to automate AccAD configuration.

6.1 Using SSH to Connect to the AccAD Engines (CFE/SFE)

The SSH protocol provides a secure means of accessing the AccAD engine’s console from a remote location. Most Linux machines should have an SSH client installed. For Windows machines, you can use the PuTTY shareware.

To connect to an AccAD engine:

In the following procedure, we use the IP address 192.168.1.1 as an example.

1. Invoke SSH from any Linux machine: ssh root@192.168.1.1

2. Type the password defined for the root user. password: <password>

The console prompt appears.

6.2 Connecting to the CLI

The admin user credentials are set during the installation phase. These credentials are used to connect to the CLI in one of two ways:

Accessing the CLI from the AccAD appliance itself, after connecting to it via SSH

Accessing the CLI from outside the AccAD appliance (This option requires firewall settings to be changed.)

6.2.1 Connecting to the CLI from the Appliance

1. Connect to the AccAD appliance using SSH.

2. At the prompt, type the command telnet localhost.

3. If you are under the root user, you are asked to provide login details: use the admin account and the password you defined for it during the installation stage.

6.2.2 Connecting to the CLI from Outside the Appliance

1. Connect to the AccAD appliance using SSH.

2. At login, provide the login information for user ‘admin’.

The session is now that of the AccAD CLI. To return to Linux shell, see the section Returning to the Linux Shell.

6.2.2.1 Changing Firewall Settings on the Appliance Machine

1. Connect to the AccAD appliance machine using SSH.

2. Open the file /etc/sysconfig/adow-iptables for editing.

3. After the line :accad-input - [0:0], add the following line:

-A INPUT -p tcp -m tcp --dport 23 -j ACCEPT

4. Apply the change by executing the following command: service iptables restart

You can now connect to the CLI using any standard telnet client (such as the native Windows and Linux telnet clients, or PuTTY on Windows).
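Telnet carries the admin user name and password unencrypted, and the rule added in step 3 accepts port 23 from any source address. The following check is an added example, not part of AccAD: it reads a rules file in the same iptables-save format and lists ACCEPT rules for a port that carry no source (-s) restriction. The function names, the sample rules and the management address 192.168.200.10 are assumptions.

```shell
#!/bin/sh
# Added example: find ACCEPT rules that open a TCP port to every source.
# Input is a rules file in iptables-save format ("-A <chain> ... -j <target>").

# open_port_rules FILE PORT
# Prints "<line number>: <rule>" for each ACCEPT rule whose --dport covers
# PORT and that has no -s/--source match (a negated "! -s" or 0.0.0.0/0 is
# treated as unrestricted). Returns 1 if any such rule is found, else 0.
open_port_rules() {
    awk -v port="$2" '
    $1 == "-A" {
        src = ""; target = ""; hit = 0
        for (i = 3; i < NF; i++) {
            if (($i == "-s" || $i == "--source") && $(i - 1) != "!") src = $(i + 1)
            if ($i == "-j") target = $(i + 1)
            if ($i == "--dport") {
                n = split($(i + 1), r, ":")          # single port or lo:hi
                lo = r[1] + 0
                hi = (n == 1) ? lo : (r[2] == "" ? 65535 : r[2] + 0)
                if (port + 0 >= lo && port + 0 <= hi) hit = 1
            }
        }
        if (hit && target == "ACCEPT" && (src == "" || src == "0.0.0.0/0")) {
            print FNR ": " $0
            found = 1
        }
    }
    END { exit (found ? 1 : 0) }
    ' "$1"
}

# write_rule_samples DIR: constructed rules files so the check runs offline.
# "page-rule" contains the rule exactly as the procedure adds it;
# "scoped-rule" limits it to one assumed management workstation.
write_rule_samples() {
    cat > "$1/page-rule" <<'EOF'
*filter
:INPUT DROP [0:0]
:accad-input - [0:0]
-A INPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -s 192.168.200.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
    cat > "$1/scoped-rule" <<'EOF'
*filter
:INPUT DROP [0:0]
:accad-input - [0:0]
-A INPUT -s 192.168.200.10/32 -p tcp -m tcp --dport 23 -j ACCEPT
COMMIT
EOF
}

# Real use: open_port_rules /etc/sysconfig/adow-iptables 23
if [ "${1:-}" = "--demo" ]; then
    demo_dir=$(mktemp -d)
    write_rule_samples "$demo_dir"
    open_port_rules "$demo_dir/page-rule" 23 || echo "port 23 is open to any source"
    open_port_rules "$demo_dir/scoped-rule" 23 && echo "scoped rule: nothing to report"
    rm -rf "$demo_dir"
fi
```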

6.2.2.2 Connecting to the CLI

1. Open a telnet client and connect to the AccAD machine.

2. Enter the user and password set during the installation.

Once you have logged in, you are guided by the integrated context-sensitive help system. To see the available commands, type ‘?’ and press <Enter>.

6.3 Command Categorization & Key Mappings

Generic CLI Commands

Command    Description
Help       Retrieve list of available commands
Quit       Quit CLI session
Exit       Exit current CLI level and return to previous context
History    Return list of previously typed commands

Commands for Changing Configuration Settings

Command                                         Description
configure terminal                              Start configuring the engine
configure import <URL or absolute local path>   Configure according to text file, calling a specified URL (http, https, ftp), or an absolute path to a local file
configure export <ftp/file> <arguments>         Export the current configuration to a local file, or to a remote file (via ftp)
write memory                                    Save
show configuration                              Show current configuration
apply-configuration                             Apply configuration changes to system
get-links-info                                  Show activated links

Diagnostic Commands

Command Name         Description
ping <host>          Send ICMP echo-request message to host
traceroute <host>    Send traceroute message to host

Key Mapping / Special keys

One of the important aspects of the CLI is support for standard special keys that enable easy navigation and quick access to the most useful functionality.

Some of the more useful special keys are:

Name          Action                 Description
Tabautocomp   TAB                    Complete the command or suggest alternatives
Clearline     Ctrl                   Clear the written line of text
Up            Up Arrow               Go up (starting from the most recent) history command and display it on the current line
Down          Down Arrow             Go down (starting from the least recent) history command and display it on the line.
EOL           Ctrl + E               Go to end of current line
SOL           Ctrl + A               Go to start of current line
Delete        Delete                 Move the cursor one character left, deleting the first character to the left.
CR/NL         Enter                  Execute the command
Redraw        Ctrl-L                 Retype the last line including both prompt and content.
EOT           Ctrl-D                 Quit CLI session
Esc           Esc                    Do nothing
Terminate     Ctrl-C                 Terminate session
Right         Right-Arrow / Ctrl-F   Move cursor right one character
Left          Left-Arrow / Ctrl-B    Move cursor left one character
Startline     Ctrl-A                 Move cursor to start of line
Endline       Ctrl-E                 Move cursor to end of line
Backspace     Backspace / Ctrl-H     Go back and delete one character

6.4 Returning to the Linux Shell

To return to the Linux shell, type the command shell from the CLI. You will be routed to the path /bin/bash/ with the user admin.

Type exit to return to the CLI.

6.5 Using the CLI to Configure the AccAD engine

1. Log in to the CLI as explained in Connecting to the CLI.

Upon entering the CLI, you are automatically in local mode.

2. Use show configuration to view the current configuration. (Optional)

3. Type configure terminal to change engine configuration values. Configure the parameters described in section Manual Configuration of the AccAD engine.

4. Save and apply the configuration using write memory and apply-configuration.

The new configuration is now set. You can view it immediately using show configuration.

Use the diagnostic commands to check your system.

get-links-info – to obtain the status of the engine

ping and traceroute – for network diagnostics

6.6 Using the CLI to Configure a Delivery Policy

This section describes the commands required to configure a delivery policy. For more information about delivery policies, see Policy Configuration.

1. From the repository machine, log on to the CLI as described in Connecting to the CLI.

2. Type mode delivery-policy to switch to the policy context.

3. Type configure terminal to change configuration and then configure the policy, including groups, locations, engine instances, service types, and service instances.

Important A name or template containing spaces must be typed within single quotation marks.

a. Define your landscape groups:

i. Type groups <group_name>. Once the group is created, you are automatically within its context.

ii. To leave the group context, type exit.

b. Define your landscape locations:

i. Type location <location_name>. Once the location is created, you are automatically within its context.

ii. To leave the location context type exit.

c. Add engine instances:

i. Type engine-instances <engine_name>. Once the engine instance is created, you are automatically within its context.

Configure the engine instance:

a. Type ei-id <ENGINE ID>, entering the same value specified during the engine installation

b. Type ei-groups <GROUP_LIST>, where GROUP_LIST contains all the groups this engine instance belongs to, using the groups you defined previously, separated by spaces.

To view all available groups type groups ?.

c. Type ei-location <LOCATION>, to define physical location on which this engine instance resides, using one of the locations previously defined.

ii. To leave the engine-instance context, type exit.

d. Define service types:

i. To see the available templates, type service-types <service_type_name> ? t.

ii. Choose a template and type service-types <service_type_name> <template>.

Once the service type is created, you are automatically in its context. You can configure this service type. To learn about the service type parameters refer to section Configuring Service Types.

iii. To leave the service type context, type exit.

e. Add service instances:

i. Type service-instances <service_instance_name> ? to see the available templates.

ii. Choose a template and type service-instances <service_instance_name> <template>. Once the service type is created, you are automatically placed in its context.

Configure the service instance:

d. Type service-fqdn <SERVICE_FQDN> to enter the fully qualified domain name of this service.

e. Type service-port <PORT> to enter the service port.

f. Type service-type-att <service_type_name> to enter the service type of this service instance, as defined previously.

g. Type groups <GROUP_LIST>, where GROUP_LIST contains all the groups this service instance should belong to, using the groups you defined previously, separated by spaces.

To view all available groups, type groups ?.

h. Type location-att <LOCATION>, to define on which physical location this service instance is exposed, using one of the locations previously defined.

iii. If you chose the SAP_Cluster template, configure the message server:

i. Type message-server to enter the message server context.

j. Type ms-network-address <MS_IP> to enter the message server’s address.

k. Type ms-group <GROUP> and enter the group for this service.

To view all available groups type groups ?.

l. Type ms-port <MS_PORT> to enter the message server’s port.

iv. Otherwise, configure the service address in simpser-network-address

v. To leave the service instance context type exit.

f. Complete the policy configuration by adding delivery rules:

i. Type delivery-rules <rule_name>. Once the delivery rule is created, you are automatically placed in its context. Configure the origin of the service and the destination to which it will be delivered. Each is a group defined in previous steps:

To view all available groups, type groups ?.

ii. Type delivery-origin <ORIGIN_GROUP>, and enter the origin group from which service instances will be delivered.

To view all available groups, type groups ?.

iii. Type delivery-destination <DESTINATION_GROUP>, and enter the destination group, so all engine instances in that group will get delivery of the defined service instances.

iv. To leave the delivery rule context type exit.

4. Save and apply the configuration using write memory and apply-configuration.

The new configuration is now set. You can view it immediately using show configuration command.

6.7 Configuring AccAD Automatically

The CLI enables automation of the configuration process. The following procedure demonstrates a way to upload a full configuration file using the CLI:

1. Log on to the CLI as explained in Connecting to the CLI.

2. View configuration using show configuration to verify that the configuration is empty. If the configuration is not empty, use clear configuration.

3. Upload a prepared configuration file by typing the following: configure import <URL or absolute local path>

4. Save and apply the configuration using write memory and apply-configuration.

7. Configuring the Client Workstation to Work with AccAD

After setting up the AD link between the remote office and the data center, you need to redirect the workstations, which currently access the application server directly, to use the AD link as their means of data transport.

Plan the method by which the traffic from the clients’ workstations is redirected to the AccAD engine instance to ensure that application services are delivered by AccAD. The following sections describe methods that supply the means for redirecting only the requests for applications delivered over AccAD, while allowing other services to operate as usual.

You can select one or more of the options described in this section. Make sure that you prepare the necessary data for the selected method.

7.1 DNS Manipulation Using the etc/hosts File

With this method, the DNS mechanism first checks the local /etc/hosts file before requesting the actual DNS server to resolve the logical server name to its IP address.

Note This method requires you to update /etc/hosts on each workstation whenever a new server is added to the list of reflected servers, making it suitable for small-scale trials only.

Preparing for Integration

You need the following permissions on the remote office workstations at these locations:

UNIX workstation The hosts file location is: /etc/hosts. Make sure that you have the root permissions required to modify this file.

Windows workstation The file location is <OS drive>:\Windows\System32\drivers\etc\hosts. Make sure that you have the local administrator privileges required to modify this file.

Configuring DNS Manipulation Using the etc/hosts File

Redirection is enabled by adding entries to the hosts file, which resolves the application server's DNS names to the local AD virtual server's IP addresses. This method is suited for test and demonstration purposes.

First you need to determine the address mapping between the application server and the virtual server, that is, which virtual IP address on the AccAD engine represents a specific server.

To check the DNS proxy:

1. Run the following command in the engine for information about reflected servers in a format suitable to the hosts file:

service ad_dns_proxy hosts

2. Copy the output of this command directly to the hosts file on the client workstation.

To configure the correct mapping information statically in each workstation:

1. On the user workstation, open the hosts file (for Windows XP) by navigating in Microsoft Windows Explorer to c:\WINDOWS\system32\drivers\etc\hosts, or by entering the following commands:

a. Click Start > Run.

b. Enter the following in the command box: notepad c:\WINDOWS\system32\drivers\etc\hosts

2. For each server, add a line defining the DNS resolution:

At the end of the hosts file, add the entry: <virtual IP address> <DNS name of application server>

Example 192.168.100.51 litlvh74.tlv.sap.corp

Check setup correctness:

You can check the correctness of the setup by using one of the following methods:

Ping the server and verify that the ping succeeded. Run the following in a command window:

Example ping -c 10 <name of server>

Use telnet and verify that it does not exit immediately. This indicates that the virtual server is listening on the port.

Run the following in a command window:

telnet <name of server> <service port>

Example telnet iltlvh74.tlv.sap.corp 50000
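Because a hosts entry overrides DNS silently, a stale or mistyped line keeps sending traffic to the wrong address without any error. The following script is an added example, not part of AccAD: it compares a workstation hosts file with the expected "<virtual IP> <DNS name>" list and reports missing, mismatched and duplicated names. The function names and all sample addresses and host names are constructed, and one name per expected line is assumed.

```shell
#!/bin/sh
# Added example: verify a workstation hosts file against the expected mapping.

# check_hosts EXPECTED HOSTS
#   EXPECTED  lines of "<virtual IP> <DNS name>" (one name per line assumed)
#   HOSTS     the hosts file to verify
# Prints one verdict per expected name; returns 1 if any verdict is not OK.
check_hosts() {
    awk -v hosts="$2" '
    BEGIN {
        # Index the hosts file. The first line naming a host is the one
        # a resolver normally uses, so remember it and count the rest.
        while ((getline line < hosts) > 0) {
            sub(/\r$/, "", line)          # tolerate Windows line endings
            sub(/#.*/, "", line)          # drop comments
            n = split(line, f, /[ \t]+/)
            ip = ""
            for (i = 1; i <= n; i++) {
                if (f[i] == "") continue
                if (ip == "") { ip = f[i]; continue }
                name = tolower(f[i])
                if (!(name in first)) first[name] = ip
                seen[name]++
            }
        }
        close(hosts)
    }
    { sub(/\r$/, ""); sub(/#.*/, "") }
    NF >= 2 {
        name = tolower($2)
        if (!(name in first)) {
            print "MISSING   " name " (expected " $1 ")"; bad = 1
        } else if (first[name] != $1) {
            print "MISMATCH  " name " -> " first[name] " (expected " $1 ")"; bad = 1
        } else if (seen[name] > 1) {
            print "DUPLICATE " name " (" seen[name] " entries, first one is used)"; bad = 1
        } else {
            print "OK        " name " -> " $1
        }
    }
    END { exit (bad ? 1 : 0) }
    ' "$1"
}

# write_hosts_samples DIR: constructed sample data so the check runs offline.
write_hosts_samples() {
    cat > "$1/expected" <<'EOF'
192.168.100.51 app1.example.corp
192.168.100.52 app2.example.corp
192.168.100.53 app3.example.corp
192.168.100.54 app4.example.corp
EOF
    cat > "$1/hosts" <<'EOF'
127.0.0.1       localhost
192.168.100.51  app1.example.corp     # current mapping
192.168.100.99  app2.example.corp     # stale virtual IP
192.168.100.53  App3.Example.Corp
192.168.100.53  app3.example.corp
# 192.168.100.54 app4.example.corp   (commented out)
EOF
}

# Real use: save the engine's mapping list to a file, then run
#   check_hosts expected.txt /etc/hosts
if [ "${1:-}" = "--demo" ]; then
    demo_dir=$(mktemp -d)
    write_hosts_samples "$demo_dir"
    check_hosts "$demo_dir/expected" "$demo_dir/hosts" || echo "hosts file needs attention"
    rm -rf "$demo_dir"
fi
```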

7.2 DNS Manipulation Using AccAD DNS Proxy

Whether CFE or SFE, the AccAD engine can act as a DNS proxy. When this capability is enabled and the IP address of the machine is configured as the primary DNS in the remote office workstations, the engine answers DNS requests from the workstations. When the requests are intended for servers that are part of a delivery rule, the engine manipulates the response and returns the virtual IP that represents the delivered service. Thus delivery to the data center takes place through the engine. Other requests are forwarded to the DNS server.

Prerequisites

The DNS server IP address is required during installation. You obtain it as follows:

UNIX: Open the file /etc/resolv.conf for viewing; you can use, for example, the command less /etc/resolv.conf

Windows: In the CMD line, type nslookup.

7.3 Configuring DNS Proxy Method

When the engine is configured as the DNS server, any of the engine IP addresses can be used for the DNS server settings on the client-side workstation.

7.3.1 Configuring DNS on a Windows Machine

Define the CFE as the primary DNS:

1. Go to Start > Settings > Network Connections > Local Area Connection.

2. Click Properties, select Internet Protocol (TCP/IP), and click Properties.

3. In the General tab, select Use the following DNS server and enter the main IP address of the engine machine.

Refresh the workstation DNS proxy:

In Microsoft Windows, the DNS proxy caches DNS requests. To prevent delays in DNS modification execution, flush the cache of the DNS proxy.

1. Open the command line (cmd).

2. Type: ipconfig /flushdns

Note Use this command after each update to the delivery policy or after stopping/starting the AccAD service in the engine.

7.3.2 Configuring AccAD as DNS on a Linux Machine

1. Using an editor application, access the file: /etc/resolv.conf

2. Add the following line: nameserver <CFE machine IP>

3. Save and exit.

7.3.3 Ensuring Automatic Failover in DNS Proxy Mode

To ensure automatic failover, you must configure the secondary DNS server of the workstation to the same values as of the primary DNS server. This way, when the AccAD DNS proxy service is down for any reason, an automatic failover to direct access through the DNS server takes place.

When AccAD is up and running, redirection resumes within 30 minutes (according to the expiration time you defined in the workstation registry).

If AccAD is running on Windows, you must flush the DNS proxy as explained in Configuring DNS on a Windows Machine.

For more details on automatic failover, refer to the section High Availability with AccAD.

7.4 HTTP Proxy

The engine can act as a web proxy.

Requests for services not configured for delivery with AccAD are forwarded, either to the proxy of the organization, if one is configured, or directly to the server itself. It is also possible to configure the engine not to forward such requests.

In the remote office workstation, the browser settings must be set to use the HTTP proxy running on the engine. No special configuration is required in the DNS settings of the workstation.

Preparing for Installation

If another HTTP proxy is being used in the organization, you need to supply its IP address and port number. The IT administrator can supply this information.

Configuring the HTTP Proxy Method

The HTTP proxy server runs on the CFE IP port 18080.

Configuration of AccAD as the HTTP Proxy should also include configuration of a parent proxy. Following are two examples of such configurations.

Note By default, the Internet Explorer browser is set to use the HTTP 1.0 protocol through proxy connections. HTTP 1.0 doesn't support gzip, chunked messages, or connection reuse. This results in performance degradation when configuring the AccAD engine as the workstation web proxy. When configuring the AccAD engine as the client workstation web proxy, make the following change: In the browser, go to Tools > Internet Options > Advanced and select the Use HTTP 1.1 through proxy connections checkbox.

7.4.1 Configuring the Web Proxy

When configuring the AccAD engine to act as a web proxy, configure the listening IP and port as part of the instance configuration. More details can be found at Configuring the Engine Node.

In addition, a forwarding method should be configured so that, when receiving a request for services not delivered with AccAD, the proxy does one of the following:

Forward the request to an organizational proxy, if one is configured

Forward the request directly to the server

Close the connection

7.4.1.1 Configuring the Proxy

When configuring the engine instance, enter values for the following:

Name Value Additional comments

Proxy Listening IP
    Specify the IP on which the instance listens to requests if the traffic redirection method is by proxy.
    For example – 0.0.0.0
    Recommendation We strongly recommend using the default value.

Proxy Listening Port
    The Proxy listening port
    Default 18080

Proxy Forwarding Method
    Choose the proxy forwarding method:
    Use a parent proxy
    Directly
    No forwarding

Web Proxy Auto Discovery Listening Port
    The proxy autodiscovery listening port
    Default 8083
    Make sure to choose a unique port, which is not used for any delivered service.

Alternative Route in Case of Proxy Failure
    Specify the route to be used in case of proxy failure.
    Default – DIRECT
    If a proxy is used, enter the following in this field:
    PROXY – followed by the IP address or FQDN of the proxy

Default Route
    Specify the route for requests that do not match any defined rules.
    Default – DIRECT
    If a proxy is used, enter the following in this field:
    PROXY – followed by the IP address or FQDN of the proxy

7.4.2 Configuring Client Workstations to Use the CFE Proxy

You can configure the CFE proxy as a traffic interception method in a number of ways. The following sections describe the configuration options.

7.4.2.1 Configuring the HTTP Proxy Using a PAC File

If you use a PAC file (proxy auto config) to configure the proxy in your organization, modify the file to forward requests for delivered services to the AccAD engine. To enable high availability, provide an alternative to the engine proxy in case it fails to answer requests.

function FindProxyForURL(url, host) {
    if (shExpMatch(url, "*<delivered_service_1>/*")) {
        return "PROXY <Proxy_Listening_IP>:<Proxy_Listening_Port>; <fallback_option>";
    }
    if (shExpMatch(url, "*<delivered_service_2>/*")) {
        return "PROXY <CFE hostname>:18080; <fallback_option>";
    }
    return "<fallback_option>";
}

Where <fallback_option> enables high availability, and represents one of the following:

DIRECT – If there is no organization proxy, direct access is used.

PROXY <organization proxy>:<organization proxy port> – configures the organization proxy.

To configure proxy settings with standard browsers, see the procedures in the Appendix.

7.4.2.2 Configuring an HTTP Proxy with Automatically Generated Files

After configuring the proxy parameters in your instance configuration as described in the section Configuring the Proxy, the AccAD engine automatically generates PAC files that contain a variety of possibilities, including routing information for delivered services, as well as alternative default routes. These files can then be used to configure the proxy automatically.

File Options

When using the automatically generated PAC file, choose from the following options the file that best suits the needs of your organization:

full_pac.pac – A full PAC file containing all AccAD delivered services, including those exposed in the DNS, having individual virtual IPs, and those exposed only on the proxy

proxy_only_pac.pac – A full PAC file containing only AccAD services that are exposed on the proxy

all_services_conditions – PAC file conditions only, which can be added to an existing PAC file. It contains all services delivered by AccAD, including those exposed in the DNS with individual virtual IPs and those exposed only on the proxy

proxy_only_conditions – PAC file conditions only, which can be added to an existing PAC file, containing only AccAD services that are exposed on the proxy

All files can be accessed with the URL <machine IP>:<Web Proxy Auto Discovery Listening Port>/<file name>, where the port is the one configured in the instance and the file names are exactly as listed here.

To use the HTTP Proxy with Microsoft Internet Explorer:

1. In Microsoft Internet Explorer, go to Tools > Internet Options.

2. In the Connections tab, choose LAN Settings.

3. Select the Use automatic configuration script checkbox.

4. Enter the URL of the file.

To use the HTTP proxy with Netscape/Mozilla:

Enter the proxy settings by means of Edit > Preferences > Advanced.

7.4.2.3 Configuring the HTTP Proxy for all Traffic

You can choose to use the AccAD engine proxy as the proxy for all communication for the client workstation.

7.4.2.4 Configuring the HTTP Proxy on a Common Web Proxy

If you use a common web proxy, its forwarding rules should be edited so that delivered services are forwarded to the engine. For example, the following lines would be added to a Squid web proxy configuration file (squid.conf) to set it for forwarding services to the engine:

acl DeliveredByAccAD dstdomain <delivered_HTTP_Service_1_hostname>
acl DeliveredByAccAD dstdomain <delivered_HTTP_Service_2_hostname>
cache_peer <AccAD CFE hostname> parent 18080 7 proxy-only
cache_peer_access <AccAD CFE hostname> allow DeliveredByAccAD
never_direct allow DeliveredByAccAD

7.5 Transparent Mode

When you use this method, the DNS server performs name resolution. AccAD catches packets sent to the data center server and redirects them to the virtual services using DNAT (Destination Network Address Translation). To enable AccAD, your network administrator should set routing rules in the remote office router. For more information, see section Configuring Transparent Proxy Method.

Preparing for Integration

The network administrator has to edit the redirecting rules in the router.

7.6 Configuring Transparent Proxy Method

This method requires that the engine is defined in the routing path for the delivered service either by setting it as the default gateway on each client-side workstation or by adding explicit routing rules in the remote office router. Relevant traffic is redirected using DNAT manipulation to the virtual server address on the engine.

Recommendation Use the explicit routing rules in the remote office router only when you are ready to go live with the entire remote office. For testing purposes, modify the default gateway in a specific workstation to the main engine IP address.

7.6.1 Example of Applying the Transparent Proxy

The remote office of an organization in London has 20 workstations.

The remote office subnet is 192.168.200.0 mask 255.255.255.0.

The remote office router IP is 192.168.200.1

The CFE virtual IP is 192.168.200.143

The data center includes an intranet server at IP address 192.168.100.143.

Based on this information, the administrator types the following commands on the router (The example uses CISCO-based commands):

!
interface Ethernet0
 description To office Ethernet
 ip address 192.168.100.1 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 ip policy route-map proxy-redir
!
access-list 110 deny tcp host 192.168.100.143 any eq www
access-list 110 permit tcp any any eq www
route-map proxy-redir permit 10
 match ip address 110
 set ip next-hop 192.168.200.143

7.6.2 Ensuring Automatic Failover in Transparent Proxy Mode

When the delivery policy is not active, packets arriving at the engine are forwarded to the default gateway. However, after implementing the transparent proxy method as described above in this section, the packets are forwarded back to the engine. As a result, the packets are forwarded back and forth between the engine and the default gateway. When this happens, the delivery service is not available at all.

To prevent this lack of service and ensure failover, do the following:

Modify the source address of packets forwarded via the engine.

Exclude packets whose source address is the engine from the forwarding list in the gateway.

Note The procedures described in this section are not for redirection in case of engine shutdown, but in case the delivery policy is not active.

7.6.2.1 Modifications in the Engine Routing Rules

To ensure failover:

1. Stop all instances. For example, for slot-0, type:
# service slot-0 stop

2. Clear all iptables rules on the machine:
# iptables -F
# iptables -t nat -F
# service iptables save

3. Verify that no rules exist by typing:
# iptables -L
# iptables -t nat -L
No rules should appear.

4. Add the iptables rules on the machine. For each service port, add the following:
# iptables -t nat -A POSTROUTING \
    -p tcp --dport <service.port> \
    -j SNAT \
    --to-source <cfe.main.ip>

Example: If eth0 is the machine’s main interface and you plan on delivering via ports 80, 50000:
# iptables -t nat -A POSTROUTING \
    -p tcp --dport 80 \
    -j SNAT \
    --to-source <cfe.main.ip>
# iptables -t nat -A POSTROUTING \
    -p tcp --dport 50000 \
    -j SNAT \
    --to-source <cfe.main.ip>

5. Save to the iptables persistent configuration file:
# service iptables save

6. Start all instances. For example, for slot-0, type:
# service slot-0 start

7.6.2.2 Modifications in the Default Gateway

The following example is for Cisco IOS. In the example, it is assumed that delivery is by means of ports 80, 50000.

Example: In the gateway, add:
router(config)# access-list 110 deny tcp host <cfe.main.ip> any eq 80
router(config)# access-list 110 deny tcp host <cfe.main.ip> any eq 50000
router(config)# access-list 110 permit tcp any any eq 80
router(config)# access-list 110 permit tcp any any eq 50000
router(config)# access-list 110 deny ip any any
router(config)# route-map proxy-redir permit 10
router(config-route-map)# match ip address 110
router(config-route-map)# set ip next-hop <cfe.main.ip>
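The forwarding loop described in 7.6.2, and why both changes are needed together, as an added simplified model (not part of the original guide and not AccAD code). The IP addresses are constructed sample values and all function names are hypothetical.

```python
from dataclasses import dataclass, replace

# Constructed sample value; <cfe.main.ip> on the page is a placeholder.
CFE_MAIN_IP = "192.168.200.10"
SERVICE_PORTS = {80, 50000}          # delivery ports used in the page's example


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def gateway_next_hop(pkt, acl_excludes_engine):
    """Policy routing on the default gateway (route-map proxy-redir, ACL 110)."""
    if pkt.dport not in SERVICE_PORTS:
        return "wan"                 # not matched by ACL 110: normal routing
    if acl_excludes_engine and pkt.src == CFE_MAIN_IP:
        return "wan"                 # "deny tcp host <cfe.main.ip> ..." entry
    return "engine"                  # "permit" entry: set ip next-hop <cfe.main.ip>


def engine_forward(pkt, snat):
    """Engine with the delivery policy inactive: hand the packet to the gateway.

    With the POSTROUTING SNAT rule in place, the source becomes the engine IP.
    """
    if snat and pkt.dport in SERVICE_PORTS:
        return replace(pkt, src=CFE_MAIN_IP)
    return pkt


def trace(pkt, snat, acl_excludes_engine, max_hops=8):
    """Follow one packet; return (hops, 'delivered' or 'loop')."""
    node, hops = "gateway", []
    for _ in range(max_hops):
        hops.append(node)
        if node == "wan":
            return hops, "delivered"
        if node == "gateway":
            node = gateway_next_hop(pkt, acl_excludes_engine)
        else:
            pkt = engine_forward(pkt, snat)
            node = "gateway"
    return hops, "loop"


def failover_matrix(pkt):
    """Outcome for every combination of the two changes from 7.6.2."""
    return {(snat, acl): trace(pkt, snat, acl)[1]
            for snat in (False, True) for acl in (False, True)}


if __name__ == "__main__":
    # Constructed workstation address on the remote office subnet.
    web = Packet("192.168.200.21", "192.168.100.143", 80)
    for (snat, acl), outcome in failover_matrix(web).items():
        print(f"engine SNAT={snat!s:5} gateway exclusion={acl!s:5} -> {outcome}")
```

Only the combination of the engine SNAT rule and the gateway exclusion delivers the packet; either change alone still loops.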

8. Monitoring the AccAD Engine

Once AccAD is up and running, you can monitor it using the following tools:

AccAD Administrator web UI

Application Delivery Monitor

Service Monitor

CCMS / SLD

This section describes the use of each tool.

8.1 Monitoring the Engine with AccAD Administrator

The AccAD Administrator web UI can be used to:

View performance data

View traffic history records

View cache statistics

Monitor events and alerts

The traffic information auditing capability exposed in the UI can be used for tracking AccAD usage and performance over time. This tool gives a fine-grained view of system performance at the connection level, supplying IP and port information which can help distinguish between the various delivered services.

8.1.1 Viewing Performance Data

In the UI, navigate to Traffic History. You can view:

Services Performance - For each of the services, you can examine the volume of data delivered over a certain period of time to all remote offices. Each service has its own group of bars representing performance according to the legend.

Use the dropdown list to define the time period.

Engine Instance Performance – You can examine the volume of aggregated data delivered by all services over a certain period of time to a certain remote office. Each remote office has its own group of bars representing performance according to the legend.

Use the dropdown list to define the time period.

8.1.2 Viewing Traffic History Records

1. In the UI, navigate to Traffic History. A table of traffic history records is displayed.

2. If no traffic history appears, refresh the portal page using the Options icon at the upper-right of the page.

3. To obtain the full details associated with the connection, click the radio button to select the desired entry in the table. The information is then displayed in the Session Details in the lower part of the screen.

8.1.3 Viewing Cache Statistics

Select the components for which you want to obtain statistics (such as the server or remote office) and choose Generate.

Data is returned about:

cache hits and misses

volume of data from the cache

transaction count

8.1.4 Viewing and Changing Alerts

Alerts are defined as events of high severity that require corrective action to be taken.

To view alerts:

1. In the AccAD Administrator application, navigate to Audit.

2. Choose Alerts.

To change the alerts table display settings:

You can change the Alerts table layout, sort order, and appearance.

1. Click the pencil icon in the top right side of the table.

a. To modify the column layout, choose the Column Layout pane.

i. Change the position of a column by choosing the desired number in the Position column.

ii. Define whether or not a column is visible by selecting or deselecting its checkbox in the Visible column.

iii. For the alert source ID, you can choose the calculation method from the dropdown list in the Calculate column.

b. To define sort order and subtotals, choose the Sort and Subtotals tab.

i. From the dropdown list, choose the fields that you want to use for sorting, in ascending or descending order.

ii. Choose the Subtotals checkbox to display subtotals.

c. In the General Settings tab, define the following:

i. From the Background dropdown list, choose the table background.

ii. Define the number of rows to display in one page or select Display all rows on one page.

2. Choose Apply to save your changes, Cancel to ignore them, or Default Settings to restore default values.

8.1.5 Viewing Events

Events are created during typical operation of the system. Events do not constitute an erroneous situation requiring corrective action, but rather provide indications regarding events that occurred over time.

1. In the UI, navigate to Audit.

2. Click Events.

8.2 Using the Application Delivery Monitor

This section describes how to install the Application Delivery Monitor and how to use it to monitor application delivery activities.

The Application Delivery Monitor tracks online link activity on both the uplink and the downlink, including comparative graphs depicting real compressed volume against the uncompressed data volumes, as seen by the client and server end points.

The Application Delivery Monitor can also help detect that traffic is flowing via the AD link setup between the CFE and the SFE.

Note that the monitor does not show traffic to data center servers that have not been directed to flow via the AD link.

8.2.1 Installing the Application Delivery Monitor

1. Insert the Accelerated Application Delivery CD, or make it available on the administrator’s PC.

2. Copy the folder DATA_UNITS/AccAD_MONITOR_2_2 to the administrator’s machine.

3. Verify that all files were copied:

bwmonitor.sh – Unix / Linux invocation script

bwmonitor.bat – Windows invocation script

bwmonitor.jar – Java implementation

4. Activate the Application Delivery Monitor by clicking on the launch script:

On Windows machines, click bwmonitor.bat

On Unix and Linux machines, click bwmonitor.sh

8.2.2 Configuring the Application Delivery Monitor

1. Run the Application Delivery Monitor.

2. Click Set.

A dialog box appears displaying IP and port values. Enter the IP address of the SFE or CFE device and keep the default port value of 1600.

3. Click OK to save the configured parameters.

4. Click the Play icon.

After several seconds two rows appear in the table view.

8.3 Using the Service Monitor

This section describes the use of the service monitor. The service monitor checks availability of each of the delivered services and enables bypassing AccAD in the event of delivered service failure.

8.3.1 How the Monitor Functions

The monitor tests each delivered service every minute by downloading a page from the service and checking if the page meets the requirements of the check pattern. The Check Pattern is defined in the Service Type of the delivered service. For more configuration details refer to the section Advanced Configuration - Service Types.

Note: If the Check Pattern in the Service Type is empty for the delivered service, the monitor skips the check for this delivered service.

8.3.2 What the Monitor Checks

For each delivered service, the monitor performs the following:

A DNS check to verify that the service DNS name exists in the AccAD DNS server

If the DNS check fails, the monitor sends notification and the AccAD bypass for the delivered service is activated.

A page download from the delivered service via the AccAD CFE tunnel

If downloading the page fails, the monitor tries three more times at intervals of 10 seconds. If it fails the third check, bypass for the specific delivered service is activated and a notification message is sent, either by e-mail or a report to the Syslog server. See Notifications.

8.3.3 Recovery Mode

Recovery mode for a specific delivered service is turned on automatically if the delivered service check fails.

If a service check fails, the monitor continues to check the service for availability. If the service becomes available again, the monitor removes the bypass and sends a recovery notification. See Notifications.

If a service check fails a second time within one hour, the monitor stops checking the service, and then it resumes checking after one hour.

This behavior prevents a flood of notifications in the event of network or service maintenance problems.
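The retry, bypass and recovery behaviour described in 8.3.2 and 8.3.3, modelled as an added Python simulation (not the vl_monitor.pl implementation and not part of the original guide). Class and function names are hypothetical, the outage timeline is constructed, and the model assumes that a "second failure" means a new failure after a recovery and that the bypass stays active while monitoring is suspended.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass
class MonitorConfig:
    retries: int = 3                  # "Times to Retry on Failure"
    retry_wait: int = 10              # "Waiting Time Between Retries" (seconds)
    recovery_time_frame: int = 3600   # "Recovery Time Frame" (seconds)
    stop_monitoring_for: int = 3600   # "Stop Monitoring For" (seconds)
    check_interval: int = 60          # each service is tested every minute


@dataclass
class ServiceMonitor:
    cfg: MonitorConfig
    probe: Callable[[int], bool]      # probe(t): page matched the check pattern
    bypass: bool = False
    last_failure: Optional[int] = None
    suspended_until: int = 0
    log: List[Tuple[int, str]] = field(default_factory=list)

    def check(self, t: int) -> bool:
        """One service check: the first download plus up to cfg.retries retries."""
        return any(self.probe(t + n * self.cfg.retry_wait)
                   for n in range(self.cfg.retries + 1))

    def tick(self, t: int) -> None:
        if t < self.suspended_until:
            return                    # monitoring stopped for this service
        ok = self.check(t)
        if ok and self.bypass:
            self.bypass = False       # recovery: remove bypass, notify
            self.log.append((t, "bypass-off"))
        elif not ok and not self.bypass:
            self.bypass = True        # failure: activate bypass, notify
            self.log.append((t, "bypass-on"))
            recent = (self.last_failure is not None and
                      t - self.last_failure <= self.cfg.recovery_time_frame)
            if recent:                # second failure inside the time frame
                self.suspended_until = t + self.cfg.stop_monitoring_for
                self.log.append((t, "suspended"))
            self.last_failure = t


def simulate(outages, duration, cfg=None):
    """Run the monitor over constructed outage windows [(start, end), ...]."""
    cfg = cfg or MonitorConfig()
    mon = ServiceMonitor(cfg, lambda t: not any(s <= t < e for s, e in outages))
    for t in range(0, duration, cfg.check_interval):
        mon.tick(t)
    return mon.log


if __name__ == "__main__":
    # Constructed timeline: a 3-minute outage, then a second one 10 minutes later.
    for when, event in simulate([(120, 300), (900, 1000)], 6000):
        print(f"t={when:5d}s  {event}")
```

A blip shorter than the retry window produces no event at all, while the second outage suspends checking, so the recovery is only noticed when monitoring resumes.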

8.3.4 Bypass Mode

In the case of a delivered service failure, there are two bypass modes, which can be configured during the monitor installation.

Redirection mode – Redirecting the traffic to the service IP address instead of to the virtual one.

Reject mode – Rejecting any traffic to the delivered service by means of the AccAD CFE.

Note: Use this mode if other monitoring tools that check service availability are active.

Bypass mode is activated automatically if the delivered service check fails, or it can be activated manually.

8.3.5 Notifications

The monitor can send notifications by e-mail and by reporting to the Syslog Server. Notification configuration is performed for each CFE when configuring the Service Monitor, as detailed in the section Configuring the Monitor.

The default Syslog Server IP is 127.0.0.1 (to change it: /usr/local/vl/base/scripts/vl_monitor.pl -syslog <Syslog Server IP Address>).

8.3.6 Installing the Monitor

The monitor installation is done per CFE, as part of its local configuration. To configure the monitor, do the following:

1. In the AccAD Administrator, under Local Administration Engine, go to the instance that you want to monitor and choose the Monitor node.

2. Configure the following parameters (or keep the set default values):

Field Name: Description

Enable Monitoring: Check this checkbox to enable the monitor on this CFE appliance. If it is not checked, the monitor is not installed and not started.

E-mail List: Notification e-mail recipient list, separated by semicolons.

Send Mails via Program: Choose between Telnet and Sendmail. Telnet connects directly to the SMTP Server and sends mail from the address configured in the From Mail Address field. Sendmail uses the local mail program.

Syslog Server: Syslog Server IP.

Times to Retry on Failure: After a page download has failed, how many times to perform the check again before activating a bypass.

Waiting Time Between Retries: How long to wait between checks of page download in case the check failed (in seconds).

Recovery Time Frame: The time frame (in seconds) in which two failed checks (each consisting of the number of page download checks specified in Times to Retry on Failure) cause the monitor to stop checking the delivered service.

Stop Monitoring For: The time period (in seconds) for which the monitor stops checking the service.

Use Reject Rule on Bypass: Check this checkbox to reject traffic in bypass mode. By default it is unchecked, which redirects traffic to the real service IP address.

Client Certificate (PEM format): Deploy a client certificate for HTTPS communication. The client certificate is used in each monitor check. The certificate should be in PEM format.

Client Certificate Password: Provide the client certificate password.

Make sure you configured the parameters for SMTP and FQDN for this appliance, as explained in Configuring the Engine Node.

3. Save and apply the configured parameters.

4. Create the appliance definition file and configure the appliance using it, as described in Semi-Automatic Installation.

8.3.7 Configuring the Monitor

On the engine machine, run the monitoring script as follows:

/usr/local/vl/base/scripts/vl_monitor.pl [Remote Office/Data Center name] [-help]
    [-bypass <add | rem> ] [-start] [-stop] [-install]
    [-uninstall] [-mailtest] [-e-mail <list | add | rem>]
    [-syslog list | <ip address>]

-mailtest - Sends mail test mail to all registered e-mails
-bypass
    add - Add iptable rules to bypass
    rem - Remove iptable rules
-start - Start portal check
-stop - Stop monitoring check
-status - check status
-install - Create the bash file in /etc/cron.minutely/
-uninstall - Remove the bash file from /etc/cron.minutely/
-syslog - list or change syslog server
-e-mail
    list - list all notification e-mails
    add - add e-mail address to list of notifications
    rem - remove e-mail from the list

8.3.8 Examples

Adding and removing the AccAD bypass to delivered services

Add or remove the bypass by running one of the following commands.

To add:

/usr/local/vl/base/scripts/vl_monitor.pl -bypass add www.example.com

To remove:

/usr/local/vl/base/scripts/vl_monitor.pl -bypass rem www.example.com

Adding and removing an e-mail address to the notification list

To add:

/usr/local/vl/base/scripts/vl_monitor.pl -e-mail add <e-mail address>

To remove:

/usr/local/vl/base/scripts/vl_monitor.pl -e-mail rem <e-mail address>

To list all notification e-mail addresses:

/usr/local/vl/base/scripts/vl_monitor.pl -e-mail list

8.3.9 Start/Stop Monitoring

To start monitoring:

/usr/local/vl/base/scripts/vl_monitor.pl -start

To stop monitoring:

/usr/local/vl/base/scripts/vl_monitor.pl -stop

8.4 Using the CCMS/SLD Systems

AccAD, as a standard SAP component, is visible in the standard NetWeaver monitoring and system management tools, CCMS and SLD, by means of an SFE component that supports registration with these two systems.

8.4.1 CCMS

CCMS provides the framework to centrally store, display, analyze and react to alerts, including a performance database and an external interface. All components must deliver data to this infrastructure.

The basic architecture includes:

Data suppliers - programs that deliver data to the monitoring architecture

Data consumers - programs that read data from the monitoring architecture

Monitoring objects and attributes - objects to be monitored

In AccAD 2.2 we report to the central system general host / OS level status information regarding usage of CPU and memory resources.

8.4.2 System Landscape Directory (SLD)

The SAP System Landscape Directory (SLD) is the central information provider in a system landscape.

The SLD contains two types of information:

Component information: Information about all available SAP products and components, including their versions. If there are any third-party products in the system landscape, they are also registered here.

Landscape description: Contains all installed systems in a system landscape. When a collaborative business process is configured, the landscape descriptions are needed to determine the system information of the business partners involved.

In AccAD we report name type (AccAD) and version (2.2) parameters to the central J2EE SLD system, so the AccAD SFE is visible as part of the landscape of SAP components.

8.4.3 Installing and Uninstalling CCMS and SLD

For installing CCMS/SLD, follow the SAP notes explaining how to connect to the central systems. Once all parameters are prepared, you may proceed with the installation.

Note Perform this installation sequence only on the repository machine.

To install the component:

1. Install both CCMS and SLD support clients on the repository machine by running the following command:

/media/cdrom/DATA_UNITS/AccAD_ENGINE_2_2/<OS>/install.pl install ccms

Where <OS> is the operating system you are running:

Note Make sure to type the command on one line.

2. For the CCMS installation, enter an interactive SAPCCMSR session. Be prepared with the following information:

SAP system ID

Additional central system

Logon information for the admin user

Client number

User name

Interface language?

Hostname of the message server

If load balancing is being used, the hostname of the application server

System number

Route string

Trace level

User password

3. For the SLD installation, enter an interactive SLDREG session. Be prepared with the following HTTP connection information:

User name

Password

Server hostname

Port used

Protocol (HTTPS rather than HTTP?)

When asked if you want to write this information to a secure file, answer 'y'.

To uninstall:

1. Run the following command from the repository machine:

/media/cdrom/DATA_UNITS/AccAD_ENGINE_2_2/<OS>/install.pl uninstall ccms

Where <OS> is the operating system you are running:

Note Make sure to type the command on one line.

2. To uninstall CCMS, enter an interactive SAPCCMSR session. You are asked to supply the logon information for the admin user as was entered during the install stage. SLD is uninstalled automatically.

9. Troubleshooting

9.1 Verifying AccAD Functionality

This section provides you with a minimal operation test. You can run it when installation and configuration are over to verify that AccAD is operational.

9.1.1 Prerequisites

Verify that you have completed the full installation sequence:

The AccAD engine is installed and activated on the repository, SFE and CFE

A delivery policy is activated

At least one user workstation is configured to work with AccAD

The Application Delivery Monitor is installed and configured (optional)

9.1.2 Testing Traffic

This test verifies that the delivered services flow via AccAD.

To test the traffic:

1. Open a browser and access the application server of the service delivered using the regular URL.

Note If you are using TLS/SSL termination, use the HTTPS prefix in the URL.

If the port is not the default TLS/SSL port (443), specify the port number explicitly. For example, https://server21.abc.sap.corp:1443/irj/portal

2. Perform a number of actions and then close the browser.

3. Watch the traffic using one of the following tools:

In the Application Delivery Monitor, observe the traffic volume. Refer to Using the Application Delivery Monitor for usage details.

Using the repository UI, refresh the traffic history page and observe the record. Refer to Using the Web UI to Monitor the AccAD engine for more details.

Note Traffic history records only appear a few minutes after closing the session.

9.2 Restarting the AccAD Engine

To restart the AccAD engine in either the SFE or CFE machine, connect to the machine and type the following command:

service <slot-ID> restart

9.3 Uninstalling the AccAD Engine

To uninstall the SFE or the CFE:

1. Verify that you are in the /root directory by typing:

cd

2. Run the AccAD engine uninstaller by typing the following:

/opt/accad/install.pl uninstall <ENGINE_TYPE>

Note Make sure to type the command on one line.

If you installed the repository and SFE on the same host, uninstall the repository first and only then perform the SFE uninstall.

9.4 Application Delivery Folder Structure

The structure of the Application Delivery folders, on the repository, SFE and CFE host, is as follows:

Configuration files are located at /etc/sysconfig/vl

Service files are located at /etc/rc.d/init.d

Binaries, scripts, and internal configuration files are located at /usr/local/vl

CAUTION The files listed above are intended for advanced users only for purposes of maintenance and support. Do not edit these files without explicit instructions from SAP development support engineers. Log files created to monitor the system are intended for use by SAP development support engineers only.

9.5 Importing and Exporting Configuration Settings

The AccAD engine enables backup and restore of all configurable components:

Local engine configuration

Delivery policy

Appliance landscape

The backup can be saved either to a local folder in the file system of the engine host or exported to any workstation. You can use the archived configuration settings for additional engine instances and in the event of data or hardware loss.

9.5.1 Archiving Configuration Settings

You can save and archive your configuration settings on the AccAD machine. To encrypt the settings, refer to the section Adding Drive Encryption for Persistent Content.

1. In AccAD Administrator, on the relevant machine, go to the tab you want to archive (Local Configuration, Delivery Policy, or Appliances Landscape).

2. In the root node of the navigation tree, choose Save to Archive.

3. Enter an archive name to create the archive and choose OK.

In the archive pane you can enter a description.

4. Choose OK.

You can now perform the following actions:

Edit – Allows you to enter a description

Delete

Load – Allows you to apply an archived configuration instead of the current configuration

Export

9.5.2 Loading Archived Configuration Settings

1. Log on to the AccAD Administrator of the relevant machine as the ‘root’ user, and choose one of the following tabs:

Local Configuration

Delivery Policy

Appliance Landscape

2. In the navigation tree, choose the Archive node.

3. Select the configuration you want and choose Load.

9.5.3 Exporting Configuration Settings

Configurations can be exported to your workstation.

Note For security reasons, only the ‘root’ user has the authorization to perform this action.

1. Log on to the AccAD Administrator of the relevant machine as ‘root’ user and go to the tab you want to export (Local Configuration, Delivery Policy, or Appliance Landscape).

2. In the root node of the navigation tree, choose Export.

3. Choose a location to which to export the configuration and save.

9.5.4 Import Configuration Settings

1. In the AccAD Administrator of the relevant machine, go to the tab you want to import (Local Configuration, Delivery Policy, or Appliances Landscape).

2. In the root node of the navigation tree, choose Import.

3. Browse and select the XML file to import. The configuration is uploaded.

10. Version Upgrade

Upgrade can be executed on heterogeneous landscapes, including both Suse and RedHat machines.

Note This upgrade procedure does not affect Windows clients. For more information, see the guide Accelerated Application Delivery for SAP NetWeaver Client for Windows.

10.1 Upgrade from 2.1

To upgrade the AccAD version automatically, do the following:

1. Log in to the SFE machine as root user.

2. Download the latest AccAD resources to the SFE host machine

This next step depends on the type of resource downloaded.

a. If you are upgrading to AccAD 2.2 SPS00, shipment is in the form of an ISO file.

i. Mount the new ISO file (more information: Mounting the Application Delivery CD).

ii. Type the command: /media/cdrom/DATA_UNITS/AccAD_ENGINE_2_2/<SFE’s OS>/upgrade.pl

b. If you are upgrading to AccAD 2.2 SPS01 and higher, shipment is in a TGZ package.

i. Download the package and place it under /root/.

ii. Create a new folder using the command mkdir /root/accad/

iii. Type cd /root/accad/

iv. Unpack the TGZ package using the command tar -xzvf /root/<package>.tgz

The contents of the package are now under /root/accad/DATA_UNITS/…

v. Type the command: /root/accad/DATA_UNITS/AccAD_ENGINE_2_2/<SFE’s OS>/upgrade.pl

The upgrade process affects the SFE and all CFEs connected to it at the time of execution. CFEs not connected to the SFE must be upgraded manually by performing steps 1-4 on each CFE machine.

After an upgrade, the SFE machine will also act as an AccAD repository.

10.2 Upgrade from 2.2 to a new SPS

To upgrade the AccAD version automatically, do the following:

1. Log in to the repository machine as root user.

2. Download the latest AccAD resources to the SFE host machine

This next step depends on the type of resource downloaded.

a. If you are upgrading to AccAD 2.2 SPS00, shipment is in the form of an ISO file.

i. Mount the new ISO file (more information: Mounting the Application Delivery CD).

ii. Type the command: /media/cdrom/DATA_UNITS/AccAD_ENGINE_2_2/<SFE’s OS>/upgrade.pl

b. If you are upgrading to AccAD 2.2 SPS01 and higher, shipment is in a TGZ package.

i. Download the package and place it under /root/.

ii. Create a new folder using the command mkdir /root/accad/

iii. Type cd /root/accad/

iv. Unpack the TGZ package using the command tar -xzvf /root/<package>.tgz

The contents of the package are now under /root/accad/DATA_UNITS/…

v. Type the command: /root/accad/DATA_UNITS/AccAD_ENGINE_2_2/<SFE’s OS>/upgrade.pl

The upgrade process affects all SFEs and CFEs connected at the time of execution. Engines not connected to the repository must be upgraded manually by performing steps 1-4 on each engine machine.

11. Appendix

This section contains information that may be useful when installing and maintaining Accelerated Application Delivery.

11.1 Changing Time Zone on a Linux Machine

To change the time zone of the machine after OS installation to your local time zone, perform the steps described in the following procedure:

1. To view all available time zones and choose the one you wish to configure, type the following two lines in the machine console:

cd /usr/share/zoneinfo
find . -name "*" -type f | sed -e 's#^\./##'

2. Open the /etc/sysconfig/clock file for editing and set the ZONE field to the time zone you chose.

3. Create a symbolic link from the selected time zone to /etc/localtime:

mv /etc/localtime /etc/localtime.old
ln -s /usr/share/zoneinfo/<selected time zone> /etc/localtime

11.2 High Availability with AccAD

An Accelerated Application Delivery (AccAD) landscape provides high service availability by enabling failover communication directly with the data center or by switching to redundant components in the landscape failover system. Each organization can select the approach that best suits its system landscape.

11.2.1 High Availability Features

The following AccAD features support high availability:

Central delivery policy – Traffic redirection to the virtual service starts only when the service is delivered correctly and stops when delivery stops.

Central alerting – The following events cause the SFE to generate alerts, which are sent by e-mail, reported to the Syslog server, or displayed in the repository AccAD Administrator:

Tunnel with a CFE goes down

Tunnel with a CFE is established

Service on host is not functional

Service monitor [Linux CFE only] – Each delivered service is sampled periodically, end-to-end, for the existence of a given string. Monitoring tasks are derived automatically from the services defined in the central delivery policy, although the monitor itself is a separate service. Actions which are taken upon detecting a failed service are:

Alert (e-mail notification, report to Syslog)

Stopping traffic redirection for the specific service

Activation of an additional independent mechanism, such as:

DNAT rules to force bypass

IP filter reject rule – to inform of the reject status to external monitors, if any – such as Cisco Distributed Director.

Failover to a secondary SFE - Whenever a tunnel with an SFE breaks, the CFE attempts to connect again. After four failures it connects to the secondary SFE, if one is defined, and the service is resumed.

Note Reconnection to the primary SFE is only attempted in the event of a failure of the secondary SFE.

Support of Multiple DNS servers in the CFE DNS proxy - Enables a practice of defining a few DNS servers. If one goes down the next is used. At varying intervals, the engine checks for the recovery of the primary DNS.

11.2.2 Failure Scenarios and Recovery

This section discusses the failure scenarios that benefit from the high availability features described above. It discusses failures both in the CFE and the SFE, and relates to software as well as hardware problems.

CFE Failures:

DNS proxy failure – When a DNS failure is detected by the user workstation, the support of multiple DNS servers allows immediate recovery by using the secondary DNS.

If the secondary DNS is an office DNS (not specific to AccAD), the failover results in AccAD bypass and the traffic isn’t accelerated.

If the secondary DNS is that of an additional CFE, the accelerated traffic through AccAD continues.

Service Problems – The Service Monitor detects problems in the service, stops traffic redirection, and activates an additional bypass mechanism. For more information, see Bypass Mode.

CFE Failure – If a secondary CFE is configured as the DNS of the primary CFE, users are redirected to an accelerated service.

SFE Failures:

Hardware failure – Results in a tunnel break, which causes CFE redirection to stop. If a secondary SFE is configured, the CFE establishes a tunnel with it and, after a few minutes of non-accelerated service delivery, the acceleration resumes.

Software failure – Stop of end-to-end service is detected by the CFE service monitor, which stops traffic redirection and activates DNAT bypass rules, as explained in the section Bypass Mode, so the user isn’t affected by the failure and non-accelerated traffic continues.

Repository Failures:

Hardware/Software failure – Results in a tunnel break between the SFE and the repository. If a secondary repository is configured, the SFE establishes a tunnel with it, auditing and accounting can again be written to the repository database, and the delivery policy is again available.