PUBLIC
SAP HANA Cloud Integration for process integration 2014-11-26
Operations Guide
Content 1
Understanding the Basic Concepts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1
SAP HANA Cloud Integration Runtime in Detail. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.1.1
Virtual System Landscapes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2
Installing and Configuring the Tool. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
3
Monitoring (Integration Operations Feature in Eclipse). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3.1
Launching the Integration Operations Feature. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9
3.2
Overview of Integration Operations Perspective. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10
3.3
Node Explorer (View). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
3.4
Message Monitoring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 3.4.1
Message Status. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
3.5
Deployed Artifacts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
3.6
Data Store Viewer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
3.7
Properties View. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 3.7.1
Properties View for Nodes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
3.7.2
Properties View for Messages - Message Processing Log. . . . . . . . . . . . . . . . . . . . . . . . . 21
3.7.3
Properties View for Deployed Artifacts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
3.8
Aggregated Data View. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
3.9
Component Status View. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 3.9.1
Runtime Status. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
3.9.2
Component Monitors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
3.9.3
Monitoring External Reachability of Tenant Management Nodes. . . . . . . . . . . . . . . . . . . . 30
3.9.4
Monitoring External Reachability of Runtime Nodes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
3.10
Tail Log View. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
3.11
Tasks View. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32
3.12
Deploying an Artifact. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 3.12.1
Deploying a Keystore. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
3.12.2
Deploying a Known Hosts Artifact. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
3.12.3
Deploying a PGP Public Keyring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
3.12.4
Deploying a PGP Secret Keyring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37
3.12.5
Deploying an OAuth2 Authentication Artifact. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
3.12.6
Deploying and Editing a User Credentials Artifact. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
4
Monitoring (SAP HCI Spaces). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
4.1
Launching the SAP HCI Spaces Monitoring UI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
4.2
Displaying the Status of Processed Messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
4.3
Displaying the Status of Integration Artifacts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
5
Security Artifact Renewal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
2
PUBLIC © 2014 SAP SE or an SAP affiliate company. All rights reserved.
Operations Guide Content
5.1
Use Cases. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
5.2
Involved Roles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
5.3
Security Artifact Renewal for Transport Level Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
5.4
5.3.1
Security Artifact Renewal for HTTPS-Based Communication. . . . . . . . . . . . . . . . . . . . . . 51
5.3.2
Security Artifact Renewal for SFTP-Based Communication. . . . . . . . . . . . . . . . . . . . . . . 59
Security Artifact Renewal for Message Encryption/Signature. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 5.4.1
Security Artifact Renewal for PKCS#7/CMS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
5.4.2
Security Artifact Renewal for OpenPGP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
5.4.3
Security Artifact Renewal for XML Digital Signature. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
5.4.4
Security Artifact Renewal for WS-Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
6
Concepts of Secure Communication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
6.1
HTTPS-Based Communication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
6.2
6.1.1
Technical Landscape. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
6.1.2
How Basic Authentication Works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
6.1.3
How Certificate-Based Authentication Works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
6.1.4
Certificate Chains. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
6.1.5
Requirements for Keystore Passwords. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
6.1.6
Load Balancer Root Certificates Supported by SAP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
SFTP-Based Communication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95 6.2.1
6.3
How SFTP Works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Message-Level Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96 6.3.1
How PKCS#7 Works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
6.3.2
How XML Signature Works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
6.3.3
How WS-Security Works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
6.3.4
How OpenPGP Works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Operations Guide Content
PUBLIC © 2014 SAP SE or an SAP affiliate company. All rights reserved.
3
1
Understanding the Basic Concepts
This section provides an overview of the concepts and terms relevant when operating SAP HANA Cloud Integration.
1.1
SAP HANA Cloud Integration Runtime in Detail
For different participants connected to SAP HCI separate resources (in terms of: memory, CPU, file system) of the cloud-based integration platform are allocated – although all participants might share the same hardware. This concept is also referred to as tenant isolation.
Note A tenant represents the resources of the cloud-based integration platform of SAP HCI allocated for a participant. Typically one tenant is defined for each customer connected to SAP HCI. At runtime, SAP HCI processes the data that is exchanged between the involved participants on a cluster of different virtual machines hosted in the SAP cloud, at which each virtual machine is assigned to the corresponding tenant allocated for the connected participant.
Note A virtual machine (VM) is a software implementation of a machine that executes a program like a physical machine. SAP HCI is designed that way that it always makes sure that the involved virtual machines are strictly separated from each other with regard to the related participants. In addition to that, each tenant uses a separate database schema which guarantees that data of different participants is strictly separated.
Note The architecture of SAP HANA Cloud Integration guarantees that different tenants are unable to interfere and that physical resources of SAP HCI are partitioned per tenant. The runtime environment of SAP HANA Cloud Integration is composed of a cluster of virtual processes, whereby the message processing tasks for a tenant are performed within a dedicated Java Virtual Machine (JVM process or VM process). The individual processes are also referred to as nodes of the cluster. An SAP HANA Cloud Integration cluster is composed of different kinds of nodes. Kind of Node
Purpose
Tenant management node
Performs tenant-specific management tasks like, for example, starting tenant-specific runtime nodes or deployment of artifacts like integration flows or key stores, for example.
4
PUBLIC © 2014 SAP SE or an SAP affiliate company. All rights reserved.
Operations Guide Understanding the Basic Concepts
Kind of Node
Purpose
Runtime node
Processes messages for a tenant. Services required for message processing like, for ex ample, routing or mapping, are implemented as sub systems of the node.
Note There is the option to set up multiple tenant management nodes for a tenant in order to implement failover scenarios and thus to ensure high availability. When one management node fails, one of the additional nodes can take over the tasks. The following figure illustrates the general design of an SAP HANA Cloud Integration cluster.
Operations Guide Understanding the Basic Concepts
PUBLIC © 2014 SAP SE or an SAP affiliate company. All rights reserved.
5
An SAP HANA Cloud Integration cluster for a tenant (shortly referred to as tenant cluster) is composed of one (or more) tenant management nodes and one or more runtime nodes. Tenant clusters of different participants (customers) are strictly separated from each other and are unable to interfere. In the Operations user interface (Node Explorer), the different kinds of nodes are arranged in the following way.
1.1.1
Virtual System Landscapes
There are different virtual system landscapes within SAP HANA Cloud. The runtime components can be operated on the following of these landscapes. Table 1: Virtual System Landscapes Landscape
Description
Virtual Server Name
IP Addresses
factory
Externally available land scape for productive us age. Depending on the re lated data center, there are different URLs for Eu rope, the US and Asia-Pa cific.
For data center Rot (Eu rope): https:// hana.ondemand.com
155.56.128.0/17 (min 155.56.128.1, max 155.56.255.254)
For data center Ashburn (USA): https:// us1.hana.ondemand.com
65.221.12.0/24 (min 65.221.12.1, max 65.221.12.254), 206.112.73.0/24 (min 206.112.73.1, max 206.112.73.254)
For data center Sydney (Asia-Pacific): https:// ap1.hana.ondemand.com
210.80.140.0/24
https:// hanatrial.ondemand.com
same as for factory, data center Rot
trial
Externally available land scape for testing and demo purposes
Note The IP addresses are required by the customers to configure the firewall settings (IP whitelisting) to enable their system to connect to SAP HCI. Note that the table lists ranges of supported IP addresses rather than fixed IP addresses. This has the following advantage: In case hardware problems at SAP HCI side, the
6
PUBLIC © 2014 SAP SE or an SAP affiliate company. All rights reserved.
Operations Guide Understanding the Basic Concepts
customer can quickly switch to another machine (with another IP address) without the need to change the configuration in the back-end system.
Operations Guide Understanding the Basic Concepts
PUBLIC © 2014 SAP SE or an SAP affiliate company. All rights reserved.
7
2
Installing and Configuring the Tool
You need to install the Eclipse feature locally and then connect your locally installed Eclipse to SAP HANA Cloud Integration. In particular, you connect to the tenant cluster, which is that set of virtual machines allocated for your organization or company in SAP HANA Cloud.
Prerequisites Your SAP contact has provided you with the URL of the tenant management node.
Context The tenant management node is that virtual process of your tenant cluster that is responsible for the operation and management of your tenant cluster. It is the connection point for your organization or company to SAP HANA Cloud Integration.
Procedure 1.
Install the features by following the instructions provided at: SAP HANA Cloud Integration Tools
2.
Start Eclipse.
3.
In the operation subsystem preferences (
Window
Preferences
SAP HANA Cloud Integration
Operations Server ) specify the URL provided to you by SAP. 4.
To start working with the Integration Operations tooling, open the Integration Operations perspective in Eclipse (under
8
Window
Open Perspective ).
PUBLIC © 2014 SAP SE or an SAP affiliate company. All rights reserved.
Operations Guide Installing and Configuring the Tool
3 Monitoring (Integration Operations Feature in Eclipse) The Integration Operations feature provides functions for performing administrative tasks related to SAP HANA Cloud Integration (SAP HCI) runtime clusters and to message monitoring. This section provides information on the editors and the views of the Integration Operations perspective.
Note You can also find the documentation of this feature at: http://help.sap.com/cloudintegration under System Administration and Maintenance Information.
3.1
Launching the Integration Operations Feature
To launch the Integration Operations, you start the locally installed Eclipse application.
Context
Procedure 1.
Install Eclipse and the dependent plug-ins (features) as described in the section referred to below.
2.
Specify the connection to the management node as described in the section referred to below.
3.
Start Eclipse. Depending on the version of your Integration Operations feature, the following information is displayed in a popup window during Eclipse startup and connection to the management node. Option
Description
Your Eclipse client is newer than Your (local) Eclipse client connects to a management node (Operations Server) the connected Operations with an older software version. In that case, not all functions might work as Server. expected. Your Eclipse client is older than the connected Operations Server.
Your (local) Eclipse client connects to a management node (Operations Server) with an newer software version. In that case, the client should be updated by installing a newer version of the feature. The popup window offers a link to the update function of Eclipse.
Operations Guide Monitoring (Integration Operations Feature in Eclipse)
PUBLIC © 2014 SAP SE or an SAP affiliate company. All rights reserved.
9
Related Information Installing and Configuring the Tool [page 8]
3.2
Overview of Integration Operations Perspective
The following table summarizes the available elements of the Integration Operations perspective. The editors and views are explained in detail in the corresponding sections. Element
Description
Node Explorer (view)
Displays the tenant cluster (tenant management node and assigned runtime nodes)
Message Monitoring (editor tab)
Displays all messages processed by the tenant clus ter.
Deployed Artifacts (editor tab)
Displays deployed content
Aggregated Data (view)
Displays statistical data related to message process ing for a participant or runtime node (as selected in the Node Explorer).
Properties (view)
Displays: ●
Message processing log (for a message selected in Message Monitoring editor)
●
Properties for nodes selected in Node Explorer or Node History
●
Log information for deployed artifacts (if the De ployed Artifacts editor is opened and an artifact is selected)
Component Status (view)
Displays the status of the components (for example, of deployed artifacts) on a specific runtime node of a participant.
Tasks View
Displays the status of the recent user tasks per formed on the cluster.
TailLog (view)
Displays the newest entries of the log of a runtime node or of a management node.
Most editors and views provide information on the cluster or on the message processing in table format. Note that you can sort the content of a table in different ways by simply clicking ion the header of the column by which you want to sort.
10
PUBLIC © 2014 SAP SE or an SAP affiliate company. All rights reserved.
Operations Guide Monitoring (Integration Operations Feature in Eclipse)
When you select an entry in a view or an editor (for example, a message in the Message Monitoring editor), you can select the following functions in the context menu: ●
Refresh
●
Copy
name Copies the name of the selected object (for example, the selected message in the Message Monitoring editor) to the clipboard. attribute to TENANT_ALL in the Deployed Artifacts editor. [Range: Last hour] [Range: Last hour]- (for example: CXF-endpoint-IFLMAP-intaas) The component displays an error status in one of the following cases: ●] - Task related to single project deployment 
