Accelerated Application Delivery Installation Configuration Administration v2.2

SAP NetWeaver Installation & Configuration Guide Accelerated Application Delivery for SAP NetWeaver Installation, Configuration, Administration Software Version 2.2 SP0 March, 2010 Document Version 1.0


© Copyright 2010 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, OpenPower and PowerPC are trademarks or registered trademarks of IBM Corporation.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

MaxDB is a trademark of MySQL AB, Sweden.

SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

These materials are provided “as is” without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

SAP shall not be liable for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials.

SAP does not warrant the accuracy or completeness of the information, text, graphics, links or other items contained within these materials. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third party web pages nor provide any warranty whatsoever relating to third party web pages.

SAP NetWeaver “How-to” Guides are intended to simplify the product implementation. While specific product features and procedures typically are explained in a practical business context, it is not implied that those features and procedures are the only approach in solving a specific business problem using SAP NetWeaver. Should you wish to receive additional information, clarification or support, please refer to SAP Consulting.

Any software coding and/or code lines / strings (“Code”) included in this documentation are only examples and are not intended to be used in a productive system environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, except if such damages were caused by SAP intentionally or grossly negligent.

Disclaimer

Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components.

Any Java™ Source Code delivered with this product is only to be used by SAP’s Support Services and may not be modified or altered in any way.


Document History

Document Version: Description
1.0: First official release of this guide


Typographic Conventions

Type Style: Description
Example Text: Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Cross-references to other documentation.
Example text: Emphasized words or phrases in body text, graphic titles, and table titles.
Example text: File and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example text: User entry texts. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text>: Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE TEXT: Keys on the keyboard, for example, F2 or ENTER.

Icons

Icon: Description
Caution
Note or Important
Example
Recommendation or Tip


Table of Contents

1. Accelerated Application Delivery for SAP NetWeaver
1.1 Overview
1.2 Glossary
1.3 Application Delivery Installation Landscape
1.3.1 Server Side
1.3.2 Client Side
1.4 Operational Concept
1.4.1 Operational Workflow
1.4.2 Traffic Flow Minimization Mechanism
1.5 AccAD engine Repository, CFE and SFE Roles
1.6 Overview of the Application Delivery Implementation Process
2. Preparing for Installation
2.1 Hardware and Software Requirements
2.1.1 Hardware Requirements
2.1.2 Software Requirements
2.2 Planning your Landscape
2.3 Network Environment Requirements
2.3.1 IP Addresses
2.3.2 Allocating a Device ID
2.3.3 Minimal Test Configuration
2.4 Collecting Required Installation Information
3. Installing and Configuring the AccAD Engines
3.1 Typical Installation Sequence
3.2 Selecting the Installation Mode of the AccAD Landscape
3.2.1 Selecting the Linux Installation Mode
3.2.2 Selecting the AccAD engine Installation Mode
3.3 Installing the Operating System
3.3.1 Automated Kick-Start/Autoyast Installation
3.3.2 Default Kick-Start/Autoyast on ADM Installation Server
3.4 Installing the AccAD Engine
3.4.1 Process Summary
3.4.2 Network Configuration
3.4.3 Mounting the Application Delivery CD
3.4.4 Installing the AccAD Engine
3.5 Configuring the AccAD Engine
3.5.1 Manual Configuration of the AccAD Engine
3.5.2 Automated AccAD Engine Configuration
3.6 The ADM Package for Automated Installations


3.6.1 Managing the Appliance Landscape
3.6.2 Adding and Removing AccAD Instances
3.6.3 Automatic Installation
3.6.4 Semi-Automatic Installation
3.6.5 Updating Link Certificates
4. Configuring the Delivery Policy
4.1 Accessing AccAD Administrator
4.2 Defining the Policy
4.2.1 Defining Groups in the Landscape
4.2.2 Defining Delivery Locations
4.2.3 Adding Engine Instances
4.2.4 Defining Service Types
4.2.5 Adding Service Instances
4.2.6 Adding Delivery Rules
4.2.7 Activating the New Delivery Policy
4.3 Advanced Configuration - Service Types
4.3.1 General Parameters
4.3.2 Transaction Types
4.3.3 HTTP Processors
4.4 Exporting and Importing Service Types
5. Securing the AccAD Landscape
5.1 Workstation – CFE: Securing Communication Using TLS/SSL Termination
5.1.1 Configuring X.509 User Authentication – TLS/SSL Only:
5.1.2 SFE – Application Server: Securing Communication Using Re-Encryption
5.1.3 SFE – CFE (WAN): Securing Communication by Encrypting the Tunnel
5.2 Securing the SFE and CFE Hosts
5.2.1 Adding Drive Encryption for Persistent Content
6. Command Line Interface
6.1 Using SSH to Connect to the AccAD engines (CFE/SFE)
6.2 Connecting to the CLI
6.2.1 Connecting to the CLI from the Appliance
6.2.2 Connecting to the CLI from Outside the Appliance
6.3 Command Categorization & Key Mappings
6.4 Returning to the Linux Shell
6.5 Using the CLI to Configure the AccAD engine
6.6 Using the CLI to Configure a Delivery Policy
6.7 Automation
7. Configuring the Client Workstation to Work with AccAD
7.1 DNS Manipulation Using the etc/hosts File


7.2 DNS Manipulation Using AccAD DNS Proxy
7.3 Configuring DNS Proxy Method
7.3.1 Configuring DNS on a Windows Machine
7.3.2 Configuring AccAD as DNS on a Linux Machine
7.3.3 Ensuring Automatic Failover in DNS Proxy Mode
7.4 HTTP Proxy
7.4.1 Configuring the Web Proxy
7.4.2 Configuring Client Workstations to Use the CFE Proxy
7.5 Transparent Mode
7.6 Configuring Transparent Proxy Method
7.6.1 Example of Applying the Transparent Proxy
7.6.2 Ensuring Automatic Failover in Transparent Proxy Mode
8. Monitoring the AccAD Engine
8.1 Monitoring the Engine with AccAD Administrator
8.1.1 Viewing Performance Data
8.1.2 Viewing Traffic History Records
8.1.3 Viewing Cache Statistics
8.1.4 Viewing and Changing Alerts
8.1.5 Viewing Events
8.2 Using the Application Delivery Monitor
8.2.1 Installing the Application Delivery Monitor
8.2.2 Configuring the Application Delivery Monitor
8.3 Using the Service Monitor
8.3.1 How the Monitor Functions
8.3.2 What the Monitor Checks
8.3.3 Recovery Mode
8.3.4 Bypass Mode
8.3.5 Notifications
8.3.6 Installing the Monitor
8.3.7 Configuring the Monitor
8.3.8 Examples
8.3.9 Start/Stop Monitoring
8.4 Using the CCMS/SLD Systems
8.4.1 CCMS
8.4.2 SLD
8.4.3 Installing and Uninstalling CCMS and SLD
9. Troubleshooting
9.1 Verifying AccAD Functionality
9.1.1 Prerequisites
9.1.2 Testing Traffic


9.2 Restarting the AccAD Engine
9.3 Uninstalling the AccAD Engine
9.4 AD Folder Structure Information
9.5 Importing and Exporting Configuration Settings
9.5.1 Archiving Configuration Settings
9.5.2 Loading Archived Configuration Settings
9.5.3 Exporting Configuration Settings
9.5.4 Import Configuration Settings
10. Version Upgrade
11. Additional Information
11.1 Changing Time Zone on a Linux Machine
11.2 Installing the AccAD Administrator Certificate
11.2.1 Downloading and Installing the AccAD CA Public Key
11.3 High Availability with AccAD
11.3.1 High Availability Features
11.3.2 Failure Scenarios and Recovery


1. Accelerated Application Delivery for SAP NetWeaver

Note
See SAP Note 1449634. This is the central note for Accelerated Application Delivery for SAP NetWeaver. It contains known issues and limitations.

1.1 Overview

Accelerated Application Delivery for SAP NetWeaver enhances SAP NetWeaver by ensuring reliable, scalable, rapid, monitored, and secure access to enterprise applications in a distributed environment.

A single data center can deliver, at near-LAN speed, application services, and content over WAN to users at multiple remote offices. The application delivery is performed at speed by employing data compression and optimization technologies.

The following figure illustrates the high-level architecture of Accelerated Application Delivery for SAP NetWeaver.


1.2 Glossary

The following table contains basic terms and concepts, listed in alphabetical order, for Accelerated Application Delivery for SAP NetWeaver (AccAD).

Glossary:

Term: Description

AccAD tunnel: The logical communication between CFE and SFE. The tunnel is generated over a set of internet connections over WAN, either TCP or TLS/SSL if security is required.

application delivery (AD): A solution for providing access to enterprise applications from remote locations. For brevity the abbreviation “AD” is used throughout this document.

application delivery engine (AccAD engine): The core application delivery software, deployed at the data center and at each remote office.

application server: A server at a data center that runs applications and services that may be accessed by local and remote users.

application service: An application resource, such as an enterprise portal, that is requested by users. In AccAD application services are identified by a host and port combination.

CFE – Client Front End: The AccAD engine instance that resides in the remote office.

data center: A central enterprise facility that hosts the applications, data, or services of the organization.

delivery policy: A set of rules that define the availability of an application service in a remote office, including delivery optimization parameters. The delivery policy determines which application service is delivered to which application delivery engine.

remote office: Any remote enterprise location from which users need to access applications, data, or services that are physically located at a data center.

service type: A collection of parameters that define delivery optimization for different application service types.

SFE - Server Front End: The AccAD engine instance that resides in the data center.

AccAD Repository: The AccAD engine instance that resides in the data center and holds all auditing and accounting information, as well as the delivery policy.

AccAD Administrator: The graphical user interface utility for administration and configuration in SAP NetWeaver Accelerated Application Delivery.


1.3 Application Delivery Installation Landscape

Accelerated Application Delivery for SAP NetWeaver is implemented using the components described in this section.

1.3.1 Server Side

On the server side, where the data center application servers reside, you need the following components:

Application Delivery Engine – Repository

The core application delivery software, installed at the data center on a dedicated Linux host. The installation of the repository automatically installs a MaxDB server, which stores the AccAD delivery policy as well as audit information and user sessions.

Application Delivery Engine – Server Front-End (SFE)

The core application delivery software, installed at the data center on a dedicated Linux host, or on the same host as the repository.

Application Delivery Monitor

A standalone desktop utility installed on any host in the data center network, preferably on an administrator’s host. The Application Delivery Monitor communicates with the SFE to collect real-time delivery statistics such as traffic volume, and the number of open and closed connections. The monitor displays these statistics in graphical form.

1.3.2 Client Side

On the client side, where the users’ client workstations reside, you need the following AD components:

Application Delivery Engine – Client Front-End (CFE)

The core application delivery software installed at each of the remote offices. Each AccAD engine is installed on a dedicated Linux host or on a Windows host.

The following figure illustrates the typical installation landscape of AD components.


1.4 Operational Concept

To deliver remote services to local users, AccAD implements a symmetrical virtual representation concept:

- Virtual services represent the data center’s physical application services at a remote office.
- Virtual users represent the actual remote office users at the data center.

Together, the SFE and CFEs maintain an unambiguous mapping of the respective IP addresses of the virtual and physical users and services. At a remote office the CFE emulates services, requested locally by actual users, from the data center. It redirects these requests to the SFE, using a dedicated optimized delivery channel over WAN.

At the data center, the SFE communicates with application servers on behalf of the emulated users, representing actual users at the remote office. It requests and receives application services on their behalf locally, and then compresses and delivers the received content over the same WAN channel to the CFE.

This concept is symmetrical, and in the same manner the CFE can communicate with application servers on behalf of emulated users representing users at the data center, if such services are available in the remote office.


[Figure: operational concept. Labels: Remote Office (Users, Virtual Services, Virtual Application Server, CFE, LAN); Data Center (Virtual Users, Services, Physical Application Server, SFE, LAN); Compressed content over WAN; numbered steps 1 to 6.]

1.4.1 Operational Workflow

1. A user at a remote office requests a portal service.

2. The CFE receives the request for the portal service, encodes it and passes it to the SFE through an established communication channel over WAN.

3. The SFE emulates the corresponding virtual user, and routes the request to the appropriate physical service, according to the IP address mapping.

4. The SFE receives a response for the virtual user, encodes, and compresses it for delivery.

5. The compressed content is delivered to the CFE through an established communication channel over WAN.

6. The content is decoded and returned to the actual user.

1.4.2 Traffic Flow Minimization Mechanism

Traffic is optimized by reducing the amount of data transferred. This is enabled by an efficient compression mechanism based on message analysis and pattern recognition, learned incrementally during previous communications. To this end, the system maintains a dictionary. An encoding procedure replaces content chunks in the dictionary with short keys, significantly reducing message size. After encoding, messages are further compressed by means of a gzip algorithm. This mechanism is applied by a message sender at both ends of the communication channel regardless of the message content. Similarly, the recipient decompresses and decodes the delivered message.
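A simplified sketch of the encode-then-gzip scheme described above, as an added example that is not SAP's code or the AccAD wire format. The fixed 64-byte chunking, the token layout, the class name DictionaryCodec and the sample payloads are assumptions, since the guide does not specify them.

```python
import gzip
import hashlib
import struct

CHUNK = 64            # assumed fixed chunk size; the guide does not say how content is chunked
LITERAL, REF = 0, 1   # assumed token tags for this sketch


class DictionaryCodec:
    """One end of the channel; sender and receiver each keep their own instance."""

    def __init__(self):
        self.key_by_chunk = {}  # chunk -> short key, consulted when encoding
        self.chunk_by_key = []  # short key -> chunk, consulted when decoding

    def learn(self, chunk):
        # Both ends learn chunks in the same order, so the keys stay aligned.
        if chunk not in self.key_by_chunk:
            self.key_by_chunk[chunk] = len(self.chunk_by_key)
            self.chunk_by_key.append(chunk)

    def encode(self, message):
        message = bytes(message)
        tokens = bytearray()
        for i in range(0, len(message), CHUNK):
            chunk = message[i:i + CHUNK]
            key = self.key_by_chunk.get(chunk)
            if key is None:
                # First sighting: send the chunk itself and remember it.
                tokens += struct.pack(">BH", LITERAL, len(chunk)) + chunk
                self.learn(chunk)
            else:
                # Seen before: send only the short key.
                tokens += struct.pack(">BI", REF, key)
        return gzip.compress(bytes(tokens))  # second stage: gzip over the tokens

    def decode(self, wire):
        tokens = gzip.decompress(wire)
        out = bytearray()
        pos = 0
        while pos < len(tokens):
            tag = tokens[pos]
            pos += 1
            if tag == LITERAL:
                (length,) = struct.unpack_from(">H", tokens, pos)
                pos += 2
                chunk = tokens[pos:pos + length]
                if len(chunk) != length:
                    raise ValueError("truncated literal chunk")
                pos += length
                self.learn(chunk)
                out += chunk
            elif tag == REF:
                (key,) = struct.unpack_from(">I", tokens, pos)
                pos += 4
                if key >= len(self.chunk_by_key):
                    # The receiver never learned this chunk: dictionaries diverged.
                    raise ValueError("unknown dictionary key, dictionaries out of sync")
                out += self.chunk_by_key[key]
            else:
                raise ValueError("unknown token tag %d" % tag)
        return bytes(out)


def constructed_template():
    # Constructed sample: 64 chunks of pseudo-random bytes that gzip alone cannot shrink.
    return hashlib.shake_256(b"constructed portal template").digest(64 * CHUNK)


def demo():
    sfe, cfe = DictionaryCodec(), DictionaryCodec()   # sender and recipient
    template = constructed_template()
    first = template + b"user=alice;session=0001"     # constructed responses
    second = template + b"user=bob;session=0002"
    wire1 = sfe.encode(first)
    ok1 = cfe.decode(wire1) == first
    wire2 = sfe.encode(second)                        # template chunks are now keys
    ok2 = cfe.decode(wire2) == second
    return {"first_wire": len(wire1), "second_wire": len(wire2),
            "round_trip": ok1 and ok2}


if __name__ == "__main__":
    print(demo())
```

A recipient whose dictionary does not match the sender's cannot resolve the keys, which is why decode() rejects an unknown key instead of emitting partial content.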

1.5 AccAD engine Repository, CFE and SFE Roles

The following section contains an overview of the features provided by the AccAD engine.

Repository:
- Contains the delivery policy of the landscape
- Collects alerts and events (audit data) for the application server and the delivery process
- Collects traffic history

SFE:
- Maintains communication with the repository
- Accepts connections from CFE engines

CFE:
- Connects to an SFE engine

In addition, the CFE and SFE have the following common features:

- Emulation of application services in the remote office LAN
- Delivery of application services over a secured channel according to the delivery policy
- Encoding and compression of messages for transmission; decompression and decoding of messages received
- Emulation of remote office users at the data center network
- Maintaining local TCP connections with the application server
- Improving traffic from the application server by off-loading encryption, data compression, and handling slow WAN communication (TCP termination)
- Support for TLS/SSL encryption in the remote office network segment
- Maintaining an integrated web cache
- Maintaining an integrated web proxy

1.6 Overview of the Application Delivery Implementation Process

The workflow that implements a fully operational Accelerated Application Delivery for SAP NetWeaver solution in your system landscape entails:

Preparing for installation

Prepare the hardware and software requirements

Decide on the best security and application delivery methods for your site

Collect the data necessary for installation based on your decisions

Plan your landscape

Plan the device ID allocation for your landscape

See the section Preparing for Installation.

Installing the AccAD engine in the data center and the remote offices

Install and configure the SFE at the data center

Install and configure the CFE in each remote office using appliance definitions

Configure the communication between the SFE and the CFE, creating the communication tunnel on which AccAD features are applied

2. Preparing for Installation

This section guides you through the preparations required before implementing AccAD in your system landscape. It covers hardware and software requirements, preparing the environment, decisions to make regarding redirection mode and security methods, and data that you need to collect before running the installation.

2.1 Hardware and Software Requirements

This section provides information on hardware and software requirements for both test installations and productive installations of AccAD.

2.1.1 Hardware Requirements

Each application delivery engine host (SFE or CFE) requires a dedicated host if installed on a Linux machine. The repository engine can be installed either on a dedicated host, or on the same host as the SFE.

Recommendation

The recommendation is that the server be used only by AccAD with no other applications installed on it.

If you choose to install the CFE on a Windows host used mostly for single stations and small offices up to 100 users, refer to the Windows Client Guide on SAP Service Marketplace. Use the alias installnwaccad.

Example

A data center in London delivering applications to remote offices in New York, Tokyo, and Bangalore requires at least four dedicated AD hosts: 1 repository in London, 1 SFE in London (possibly on the same host as the repository), and 3 CFEs, one for each of the remote offices (New York, Tokyo, and Bangalore).

The dedicated hosts must have the specifications detailed below.

Requirements for the SFE, CFE, and Repository

The following table contains the minimal configuration requirements for the CFE, SFE, and repository. If the repository and SFE reside on the same host, make sure to meet the repository requirements.

| Minimal configuration for: | CFE (supports up to 30 concurrent users with P III; 300 or more concurrent users with greater CPU) | SFE (supports up to 25 CFEs) | Repository (supports up to 10 SFEs) |
|---|---|---|---|
| Architecture | x86 (i386) or x86-64 (AMD64) | x86 (i386) or x86-64 (AMD64) | x86 (i386) or x86-64 (AMD64) |
| CPU | P III 866 MHz or higher | Dual Xeon 1.8 GHz | Dual Xeon 1.8 GHz |
| Memory (minimum) | 1 GB RAM | 1 GB RAM | 1 GB RAM |
| Hard disk | 30 GB | 30 GB | 60 GB |
| CD-ROM | required | required | required |
| Floppy drive (for 1.4 MB diskette) | Optional: not required if the automated OS installation uses HTTP | Optional: not required if the automated OS installation uses HTTP | Optional: not required if the automated OS installation uses HTTP |

The basic memory consumption model for the AccAD service depends on the number of service deliveries in the landscape. The calculation for the SFE is done as follows:...

1. For each CFE, count the number of delivered services and calculate the sum for all the CFEs.

2. Then, use the formula 500MB + 40 MB*(deliveries-count).

For example, if 4 services are delivered to 5 offices the required memory is 500+40*4*5 = 1.3GB.

For the CFE, the formula is 500MB + 40MB * (# services delivered to the CFE).

We recommend that the swap file size be the same as the memory size. If necessary, you can edit the provided kick start file.

Note

Supported Linux installers can boot from floppy disk or CD-ROM. The files required during installation could then be fetched from any of the following media types: CD-ROM, HTTP, NFS, FTP, and hard drive.

Verify that the hardware obtained is compatible with the chosen Linux distribution. This can be done either through your OS vendor or directly with the Linux distribution manufacturer.

2.1.2 Software Requirements

The AccAD engine (repository, SFE or CFE) can run on any of the following:

RHEL (Linux Red Hat Enterprise) 4 i386 with any update above U4

RHEL (Linux Red Hat Enterprise) 5 i386 with any update above U3

RHEL (Linux Red Hat Enterprise) 4 x86-64 with any update above U4

RHEL (Linux Red Hat Enterprise) 5 x86-64 with any update above U3

SLES (SuSE Linux Enterprise Server) 10 i386 with any SP

SLES (SuSE Linux Enterprise Server) 10 x86-64 with any SP

Windows Client CFE can run on any of the following:

Windows XP (32bit)

Windows 2003 (32bit)

You can find the related AccAD information on the SAP Community Network at www.sdn.sap.com/irj/sdn/nw-accad.

To achieve the best performance, a customized installation of Linux with an AccAD engine Linux configuration specification is provided in the OS-specific installation format:

RHEL distributions use the kick-start format ks.cfg

SLES distributions use the autoyast format autoinst.xml

The installation file is available in the root of the Accelerated Application Delivery CD. This format is readable for both IT experts and the Linux installer and can be used to automate the installation process.

An IT expert can review the configuration specification and add, for example, the manual installation of drivers not included in the OS CDs.

2.2 Planning your Landscape

Each installation of AccAD engine (aside from the repository) can include multiple instances of the engine, either SFE or CFE. For each instance a service is created.

One SFE can communicate with multiple CFEs. It is possible to apply AccAD with multiple remote offices to work with a single SFE instance. This landscape saves hardware resources and simplifies the landscape. Up to 25 CFEs can be connected to one SFE instance, depending on the traffic density. (Stress tested with up to 20 CFEs.)

However, there are some considerations for defining multiple SFE instances.

If you want some of the AccAD tunnels between CFE and SFE to be secured with TLS/SSL and some without TLS/SSL encryption, you have to define an SFE instance for TLS/SSL and a separate SFE instance for non-TLS/SSL communication. Both instances can reside on the same machine.

If you want different maintenance procedures for different CFEs (for example, when the remote offices are located in different time zones) you may find it convenient to use one SFE instance per procedure.

Plan the landscape:

1. List your data centers and remote office locations.

2. List services to be delivered.

3. Consider security and encryption requirements regarding the communication tunnel. These advanced settings are described in chapter Securing the AccAD Landscape.

...

...

2.3 Network Environment Requirements

This section describes the network components necessary prior to installing the AccAD landscape.

2.3.1 IP Addresses

The SFE and CFE are configured with static network IP addresses. Each instance of the AccAD engine requires a range of IP addresses for virtual hosts.

The SFE instance, which uses this range for virtual clients, can use a single IP address to represent all virtual clients; so one IP address is sufficient for a basic configuration. If an L4 load balancer is used, it is recommended that you obtain several IP addresses, as many as there are hosts in the cluster, in order to ensure that the load balancer can distribute the requests properly.

The CFE instance uses its range of IP addresses to distinguish among the virtual servers. A range of several addresses must be defined, one for each data center server you wish to deliver via AccAD. It is recommended that you define several addresses.

The complete description of the IP address includes the net masks, also referred to as subnet bits. The subnet bit is an integer between 0 and 32, which represents the subnet.

The net mask is represented internally by a 32-bit number. Two notations exist and can be used interchangeably:

The 4 decimal octets dot-separated format (for example, 255.255.255.0).

The mask length format, using a number between 0-32 to represent the number of set bits.

Example

255.255.255.0 in binary is 11111111 11111111 11111111 00000000 and thus could be represented by the mask length value of 24.

Preparing for the Installation

Network addresses are allotted by the network administrator. Make sure to obtain the IP addresses you need, including the subnet bits, before installing AccAD.

2.3.2 Allocating a Device ID

For each repository, SFE and CFE instance you need to allocate a device ID. This ID is used as the unique identifier of this entity.

Before installing AccAD on a productive landscape, you must apply to SAP for a range of valid device IDs for your organization. Do so by opening an internal message under the component EP-AAD-IDR.

During installation, you are requested to enter device IDs. You can enter any number from the range you received from SAP.

Device ID range 1000-2000 is reserved for trial landscapes. For demo and testing installations, you can use any number from this range.

Example

In a demo landscape, with one SFE and one CFE, you can assign device ID = 1000 to the SFE and device ID = 1001 to the CFE.

Note

Make sure to change the value “0” assigned by the installer upon the creation of a new instance. Define a unique ID value to SFE and CFE instances from the range discussed in this section.

Recommendation

When deploying AccAD in a production environment, it is recommended to use the device IDs assigned to you by SAP from the beginning, as changing device IDs requires additional configuration efforts.

It is important that you keep a record of your system landscape and the device ID of each SFE and CFE in the landscape.
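The planning rules from sections 2.1.1, 2.2 and 2.3.2 (memory sizing, the CFE and SFE limits, device ID allocation) can be checked mechanically against the landscape record before installation. The script below is an added example, not part of this guide or of AccAD; the plan file format, the function names and both sample plans are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the AccAD product: checks a landscape plan against
# the limits this guide states. The plan format is an assumption of this example:
#   <role> <device_id> <sfe_device_id or -> <services_delivered>

# Constructed sample: the guide's sizing case, 4 services delivered to 5 offices.
sample_plan() {
cat <<'EOF'
repository 1000 - 0
sfe 1001 - 0
cfe 1002 1001 4
cfe 1003 1001 4
cfe 1004 1001 4
cfe 1005 1001 4
cfe 1006 1001 4
EOF
}

# Constructed sample with mistakes: the installer default ID 0, an ID used
# twice, and a CFE attached to an SFE that is missing from the plan.
broken_plan() {
cat <<'EOF'
sfe 1001 - 0
cfe 0 1001 2
cfe 1001 1001 3
cfe 1007 1009 1
EOF
}

# check_plan MODE   (MODE: trial | production; the plan is read from stdin)
# Prints PROBLEM lines and memory estimates; returns 1 if any problem was found.
check_plan() {
  awk -v mode="$1" '
    function problem(msg) { print "PROBLEM: " msg; bad = 1 }
    NF == 0 || /^#/ { next }
    {
      role = $1; id = $2
      if (role != "repository" && role != "sfe" && role != "cfe") {
        problem("line " NR ": unknown role " role); next
      }
      if (id !~ /^[0-9]+$/) { problem("line " NR ": device ID " id " is not numeric"); next }
      if (id + 0 == 0) {
        problem("line " NR ": device ID 0 is the installer default, assign a real one"); next
      }
      if (id in seen) problem("line " NR ": device ID " id " is already used on line " seen[id])
      else seen[id] = NR
      trial = (id + 0 >= 1000 && id + 0 <= 2000)
      if (mode == "trial" && !trial)
        problem("line " NR ": device ID " id " is outside the trial range 1000-2000")
      if (mode == "production" && trial)
        problem("line " NR ": device ID " id " is in the range reserved for trial landscapes")
      if (role == "sfe") { is_sfe[id] = 1; sfe_order[++nsfe] = id }
      if (role == "cfe") {
        ncfe++; c_id[ncfe] = id; c_sfe[ncfe] = $3; c_svc[ncfe] = $4 + 0; c_line[ncfe] = NR
      }
    }
    END {
      for (i = 1; i <= ncfe; i++) {
        s = c_sfe[i]
        if (!(s in is_sfe)) {
          problem("line " c_line[i] ": CFE " c_id[i] " points at SFE " s ", which is not in the plan")
          continue
        }
        cfes[s]++; deliveries[s] += c_svc[i]
        # CFE sizing: 500 MB + 40 MB per service delivered to this CFE
        print "CFE " c_id[i] ": estimated memory " (500 + 40 * c_svc[i]) " MB"
      }
      for (j = 1; j <= nsfe; j++) {
        s = sfe_order[j]
        if (cfes[s] > 25) problem("SFE " s " has " cfes[s] " CFEs, the guide allows up to 25")
        # SFE sizing: 500 MB + 40 MB * (deliveries summed over all its CFEs)
        print "SFE " s ": " (cfes[s] + 0) " CFEs, " (deliveries[s] + 0) \
              " deliveries, estimated memory " (500 + 40 * deliveries[s]) " MB"
      }
      if (nsfe > 10) problem(nsfe " SFEs in the plan, a repository supports up to 10")
      exit (bad ? 1 : 0)
    }
  '
}

sample_plan | check_plan trial
```

Run it with `production` instead of `trial` once SAP has assigned your range; any ID still inside 1000-2000 is then reported.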

2.3.3 Minimal Test Configuration

To try AccAD in a minimal system landscape, you need at least:

PC/workstation for the user browser and administrator desktop

Server for the CFE instance

Server for the SFE instance

An application server with the services intended for delivery

2.4 Collecting Required Installation Information

The following information is required when installing the SFE and the CFE. It is recommended that you fill in the table before installing.

| Parameter | Value for SFE | Value for CFE | Remarks |
|---|---|---|---|
| General Parameters | | | |
| Instance device ID | Any unique numeric value. Range 1000-2000 for test systems. Range provided by SAP for production systems. | Any unique numeric value. Range 1000-2000 for test systems. Range provided by SAP for production systems. | See Allocating a Device ID. Tip: You need the device ID of the engines when defining the delivery policy. |
| Main IP address | ___.___.___.___ | ___.___.___.___ | The static IP address of the CFE/SFE host. See Planning your Landscape. |
| Main IP subnet mask | ___.___.___.___ | ___.___.___.___ | The associated subnet mask for the main IP address. |
| Default gateway | ___.___.___.___ | ___.___.___.___ | The IP address of the default router of the site (remote office or data center). To find the default gateway: Windows: In the command line, type route print. UNIX: type ip route |
| Range of IP addresses to be used by the SFE/CFE | From IP ___.___.___.___ To IP ___.___.___.___ subnet bits ___ | From IP ___.___.___.___ To IP ___.___.___.___ subnet bits ___ | For the range of IP addresses see Network Environment Requirements. |
| Redirection Parameters – relevant if you are using the DNS proxy redirection methods | | | |
| DNS server | Not required | IP ___.___.___.___ | See DNS Manipulation Using AccAD DNS Proxy |
| TLS/SSL Enabling – relevant if you are using TLS/SSL encryption in the AccAD tunnel | | | |
| TLS/SSL Encryption | Y/N | Same as in corresponding SFE instance | For production installation over public networks, obtain a commercial certificate. For testing, use the demo certificates |

3. Installing and Configuring the AccAD Engines

Installing and configuring the AccAD engine requires the installation of a Linux operating system. There are three different installation modes:

Semi-Automated Installation...

a. Either the manual or the Installation Server method is used to install the OS.

b. The configuration of the software appliance host, the AccAD engine, and the delivered services is performed from a central administration location. An appliance definition file, in XML format, is copied to the host in a secure manner and used in the AccAD installer for configuration details. (These tasks are administration responsibilities.)

Automated Installation...

a. The OS installation is done using an automatically generated kick-start/autoyast file; the only manual step is inserting the first Linux CD and typing the URL for the file.

b. AccAD is installed and configured in the same sequence as the OS installation. The only manual step required is entering a password.

Manual Installation

A dedicated secured Linux operating system is installed using a kick-start file for RH and autoyast file for SUSE, provided with the product CD. The user inserts the Linux CDs manually.

The AccAD installer is run in manual mode. The installer is aware of the software appliance configuration. Here, two options are available:

Configuring the engine using the AccAD web UI, as described in Installing and Configuring the SFE and Installing and Configuring the CFE

Configuring the engine after installation, using the AccAD command line interface (CLI), following the instructions described in the section Command Line Interface

The recommended method is the semi-automatic one, which supports secure communication and enables central administration of the landscape. Select the installation method that best suits your landscape needs, taking into account the information described in the following section.

3.1 Typical Installation Sequence

The initial setup of the first AccAD landscape includes installation and configuration steps for the SFE and CFE, as well as the installation of the repository.

The installation sequence for the landscape is as follows:

1. Install the repository, as described in section Installing the AccAD engine.

2. For automated landscape installation (recommended), install the ADM package (more information: The ADM Package for Automated Installations).

3. Define SFE and CFE appliances as described in Adding and Removing AccAD Instances.

4. Add SFE and CFE instances to the landscape using the semi-automatic installation method. Proceed as follows:

i. OS installation (Installing the Operating System)

ii. AccAD engine installation (Installing the AccAD engine)

iii. Semi automatic installation (Semi-Automatic Installation)

5. Update the link certificate on the repository machine as described in Updating Link Certificates

6. Configure the delivery policy.

3.2 Selecting the Installation Mode of the AccAD Landscape

To enable AccAD at your site, you install the SFE and repository in the data center and a CFE in each of the remote offices. The AccAD engine resides on a customized Linux host adapted to AccAD requirements. The CFE can also reside on a Windows machine. For more details, refer to the Windows client guide. (More information on SAP Service Marketplace, adding the alias /installnwaccad).

Choosing an installation mode depends on both the type of engine you’re installing (CFE/SFE), your security requirements, and the type of landscape you wish to deploy.

3.2.1 Selecting the Linux Installation Mode

Linux installation can be done either manually or by using an established installation server. The latter is the recommended option if you have sufficient bandwidth and your organization’s security configuration enables such installation. In addition, to use the installation server you should have an ADM package installed. For more details refer to section The ADM Package for Automated Installations. This option cannot be deployed for the repository.

To install Linux manually, refer to the section Automated Kick-Start/autoyast Installation (SFE and CFE).

To install Linux from the installation server, refer to section Default Kick-Start/autoyast on ADM installation server.

3.2.2 Selecting the AccAD engine Installation Mode

The recommended method of installation is the automated one using one of the following methods:

Semi-automatic installation, if the operating system is already installed on the appliance

Automatic installation, if no OS is installed yet (assuming sufficient bandwidth and no IT constraints)

Important

If you are installing a secure landscape, make sure to install all appliances using the semi-automatic/automatic installation modes. If any of the appliances are installed manually, secure connections are rejected.

3.3 Installing the Operating System

This section describes the kick-start/autoyast installation of the Linux operating system.

If you are installing the engine using the automatic method, the OS installation is included; there is no need to install it separately.

Note

Automatic installation cannot be performed for the repository.

The installation of the operating system does not necessarily result in the correct setting of the time zone. Make sure to change the time zone on the machine.

More information: Changing Time Zone on a Linux Machine.

3.3.1 Automated Kick-Start/Autoyast Installation

AccAD 2.2 can be installed on both Red Hat Enterprise Linux (RHEL) and Suse Linux Enterprise Server. (See the Product Availability Matrix for specific version requirements.) The installation sequence is similar, though some commands and file names differ between the two operating systems. In such cases, the guide includes an explanation for each option. When not mentioned specifically, the commands apply in both cases.

The installers can boot from either a floppy disk or CD-ROM. To automate the installation, a kick-start/autoyast file can be placed on any of the following media types: floppy disk, HTTP, NFS, or FTP servers.

The files required during installation, such as configuration files and RPM files (Red Hat Package Management files, which are also relevant for Suse) can be retrieved from any of the following media types: CD-ROM, HTTP, NFS, FTP, or hard drive.

In this section we provide information on how to use the boot installation from the CD-ROM using either floppy disk or HTTP server for hosting the kick-start/autoyast file. For information on installation using other means, consult Red Hat / Suse support.

CAUTION

If you are using a floppy drive, it must be connected directly and not via USB; otherwise it may not be accessed by the OS installer.

Installing the OS...

1. Prepare the relevant Linux installation CDs (RHEL or SLES).

2. Obtain the application delivery CD.

3. In preparation for the kick-start/autoyast installation, do one of the following:

Copy one of the following automated OS definition files from the Accelerated Application Delivery for SAP NetWeaver CD.

DATA_UNITS/AccAD_ENGINE_2_2/rhel-<version>-<arch>/ks.cfg

Or

DATA_UNITS/AccAD_ENGINE_2_2/sles-10-<arch>/autoinst.xml

Put the copied file onto:

A clean MS-DOS formatted diskette

Or

An HTTP server that is accessible from the dedicated host, on which you are performing the installation

If you are copying the file onto a diskette, copy it from the relevant path, DATA_UNITS/…, of the CD ROM to the root of the floppy disk.

4. In the BIOS boot sequence of the machine, verify that the CD ROM drive precedes the hard disk. This is typically the default setting.

5. Insert the first Linux CD into the CD ROM drive.

6. Restart the host.

7. To proceed with the kick-start/autoyast installation, perform one of the following procedures:

CAUTION

Type the following commands immediately after restart; otherwise, the default installation sequence continues automatically. If this happens, reboot the host since the kick-start/autoyast installation is required for installing the packages necessary for the AccAD installation.

Install from diskette:

a. Insert the diskette containing the copied file into the floppy drive.

b. After the boot, type at prompt:

For Red Hat, type:

linux ks=floppy

For Suse, go to Installation (the second option in the screen that appears) and type:

autoyast=<autoinst.xml path> install=<installation source>

Example

autoyast=floppy install=cd

Install from an HTTP server:...

a. For Red Hat, type:

linux ks=http://<http-server>/<location>/ks.cfg

b. For Suse, in the menu scroll down to Installation, and type in one line:

autoyast=http://<http-server>/<location>/autoinst.xml install=<OS installation source files>

Example

autoyast=http://www.example.com/autoinst.xml install=cd

8. Configure network parameters, depending on the operating system, according to one of the following procedures:

Red Hat (rhel4 / rhel5)

a. Wait while the installer obtains an IP address dynamically (via the DHCP protocol).

b. If more than one adapter is present, select the adapter by which the DHCP request is to be sent.

Note

If the installer cannot obtain an IP address, the network adapter prompts you with a configuration form, in which you must enter the IP address, netmask, gateway, and nameserver.

Suse (sles10)

Choose yes when asked if you want to use the option for Automatic configuration via DHCP.

Note

If you proceed without using DHCP, you are requested to supply the configuration parameters manually.

9. Insert the additional Linux CDs when prompted as the installation progresses.

10. Remove the final CD and the floppy disk, and restart the computer.

CAUTION

The server may reboot/restart before you have a chance to remove the CD. If you do not remove the CD, the installation process starts again. If this happens, abort the restarted installation process by rebooting the machine and removing the CD when the startup sequence begins.

11. Log on with the username root and password admin.

3.3.2 Default Kick-Start/Autoyast on ADM Installation Server

The default kick-start/autoyast installation from the installation server can be used during the semi-automatic or manual installation of the OS installation phase. This requires the installation of the AccAD DVD on the ADM installation server.

Install the OS Using the Installation Server...

1. First, make sure you have an ADM server installed. If not, please install one using the instruction in section The ADM Package for Automated Installations

2. Once the ISO is installed, two files are added to the ADM server:

ks.cfg or autoinst.xml - the default kick-start/autoyast, which requires placing each CD in the CD-DRIVE during the OS installation

ks-net.cfg - this kick-start/autoyast file downloads the OS components directly from the ADM installation server via HTTP

These files are exposed on HTTP (port 80).

Since the installation server supports maintaining the AccAD ISO file from several releases or architecture, the kick-start/autoyast can be used as follows:

3. Boot the new AccAD engine with the first RHEL 4 disk:

For the network-based OS installation run:

For RHEL releases

linux ks=http://<adm_server>/appliances/appliance_name/ks.cfg

For SuSE releases

autoyast=http://<adm_server>/appliances/appliance_name/autoinst.xml install=http://<adm_server>/resources/os/<os_version>/extracted/

For the manual OS installation run:

For RHEL 4

linux ks=http://<adm_server>/appliances/appliance_name/ks-net.cfg

For SuSE 10

autoyast=http://<adm_server>/appliances/appliance_name/autoinst.xml install=cd

Important

Make sure to type the commands on one line.

3.4 Installing the AccAD Engine

This section describes installation of the engine, including a summary of the process and pre-installation procedures.

3.4.1 Process Summary

This section presents the procedures required for both SFE and CFE installation and configuration. It is relevant only for the semi-automatic and manual installation modes.

The workflow is:

1. Tailored operating system installation - See OS Installation

2. Network setup - See Network Configuration

3. Mounting the Application Delivery CDs - See Mounting the Application Delivery CD

4. Installing the engine using the Application Delivery CDs - See Installing the Engine

3.4.2 Network Configuration

You can perform the editing tasks outlined in this section using any UNIX editor.

To configure the repository, SFE or CFE:...

1. Check which network devices exist on the AccAD engine host. The following command displays the full list of devices, including those that are not currently configured.

ifconfig -a

To configure the Ethernet device, do the following:

a. Open the Ethernet configuration file using a text editor:

For Red Hat:

/etc/sysconfig/network-scripts/ifcfg-eth0

For Suse (before AccAD is installed):

/etc/sysconfig/network/ifcfg-eth-id-<MAC Address>

For Suse (after AccAD is installed):

/etc/sysconfig/network/ifcfg-<eth-n> (where eth-n is the device selected during installation)

b. Edit the configuration file according to the following example:

TYPE=Ethernet

IPADDR=192.168.1.100

NETMASK=255.255.0.0

GATEWAY=192.168.1.1

ONBOOT=yes

For the Suse installation an additional configuration file is required. Open the file /etc/sysconfig/network/routes to edit and configure the gateway:

default <gateway IP address> - -

Important

Make sure to add an empty line after the gateway parameter when editing the configuration file in Suse.

c. Save your changes and exit the editor.

Note

All instructions in this section assume the default value, eth0. If your device has a different name, substitute eth0 with your device name.

2. Apply the new AccAD engine host network configuration by restarting the network. In the console, type:

service network restart

3. Verify that the actual IP address and route settings are correct by executing the following commands:

a. In the console, type:

ip addr

The IP address of the Ethernet device is displayed.

b. In the console, type:

ip route

The static route to the default gateway is displayed.

4. Verify that the AccAD engine host has network connectivity to the gateway. In the console type:

ping -c 10 <IP of GATEWAY>

A verification message appears, informing you how long it took for the message to return to your host.

If you are not getting a reply, it means that the configuration may not be set correctly. Contact your Linux IT expert to ensure the correct entries are made. Make sure that you restart the network service each time network configuration files are modified.

Note

The ping command may not work because you may need to modify the files /etc/sysconfig/network and /etc/hosts and /etc/resolv.conf.

Your network connectivity is now configured. It is no longer necessary to use the physically connected console of the host; operations can be performed remotely using SSH. See Using SSH to Connect to the AccAD engines (CFE/SFE)
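A mistyped netmask or gateway in the ifcfg file from step 1b only shows up as a failed ping after the network restart, so it is worth checking the values first against the netmask rules from section 2.3.1. The script below is an added example, not part of this guide or of AccAD; the function names are assumptions, the first sample is the guide's own example file and the second is constructed.

```sh
#!/bin/sh
# Added example, not part of the AccAD product: checks the IPADDR, NETMASK and
# GATEWAY values of an ifcfg file before "service network restart" is run.

# Dotted quad -> integer. Fails unless the input is four decimal octets 0-255.
ip_to_int() {
  case "$1" in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in 0?*|????*) return 1 ;; esac   # no leading zero, at most 3 digits
    [ "$octet" -le 255 ] || return 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Netmask -> subnet bits (the mask length notation of section 2.3.1).
# Fails if the set bits are not contiguous from the left, e.g. 255.0.255.0.
mask_to_bits() {
  m=$(ip_to_int "$1") || return 1
  bits=0
  while [ "$bits" -lt 32 ] && [ $(( (m >> (31 - bits)) & 1 )) -eq 1 ]; do
    bits=$((bits + 1))
  done
  [ $(( m & ((1 << (32 - bits)) - 1) )) -eq 0 ] || return 1
  echo "$bits"
}

# Last KEY=value in the text given as $1, with quotes and blanks stripped.
# The file is parsed, not sourced, so nothing in it gets executed.
ifcfg_get() {
  printf '%s\n' "$1" | awk -F= -v key="$2" -v q="'" '
    $1 == key { v = $2 }
    END { gsub("[\"" q " \t\r]", "", v); print v }'
}

# check_ifcfg [GATEWAY] < ifcfg-file
# On Suse the gateway is in the routes file, so pass it as the first argument.
check_ifcfg() {
  cfg=$(cat)
  ip=$(ifcfg_get "$cfg" IPADDR)
  mask=$(ifcfg_get "$cfg" NETMASK)
  gw=${1:-$(ifcfg_get "$cfg" GATEWAY)}
  ip_n=$(ip_to_int "$ip") || { echo "FAIL: IPADDR '$ip' is not an IPv4 address"; return 1; }
  mask_n=$(ip_to_int "$mask") && bits=$(mask_to_bits "$mask") \
    || { echo "FAIL: NETMASK '$mask' is not a contiguous netmask"; return 1; }
  gw_n=$(ip_to_int "$gw") || { echo "FAIL: GATEWAY '$gw' is not an IPv4 address"; return 1; }
  if [ $(( ip_n & mask_n )) -ne $(( gw_n & mask_n )) ]; then
    echo "FAIL: GATEWAY $gw is not inside $ip/$bits, the default route would be unreachable"
    return 1
  fi
  echo "OK $ip/$bits gateway $gw"
}

# The example file from step 1b of this section.
guide_example() {
cat <<'EOF'
TYPE=Ethernet
IPADDR=192.168.1.100
NETMASK=255.255.0.0
GATEWAY=192.168.1.1
ONBOOT=yes
EOF
}

# Constructed variant: quoted values, a /24 mask and a gateway on another subnet.
mistyped_example() {
cat <<'EOF'
IPADDR='192.168.1.100'
NETMASK='255.255.255.0'
GATEWAY='192.168.2.1'
EOF
}

guide_example | check_ifcfg
mistyped_example | check_ifcfg || true
```

On the host itself the call is `check_ifcfg < /etc/sysconfig/network-scripts/ifcfg-eth0`; the reported subnet bits value is the one the installation worksheet in section 2.4 asks for.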

3.4.3 Mounting the Application Delivery CD

The following sections list the related commands using /media/cdrom, which is the default mount point for Red Hat Enterprise Linux.

If you are working with Suse, you must first perform the following steps to enable the use of /media/cdrom/:...

1. After the OS installation, at the command prompt of the installation machine, type the following:

dmesg | grep -i rom

2. In the output returned by the previous command, find the drive to which you want to mount the CD. It is in the left side of the line, before the colon (:).

For example, in the following output, you would choose the hda to mount the CD-ROM:

hda: VMware Virtual IDE CDROM Drive, ATAPI CD/DVD-ROM drive

hda: ATAPI 1X CD-ROM drive, 32kB Cache, UDMA(33)

Uniform CD-ROM driver Revision: 3.20

3. Execute the following command (in one line):

echo "/dev/<driver> /media/cdrom auto ro,noauto,user,exec 0 0" >> /etc/fstab

(where <driver> is the one you found in step 2).

To mount the CD:...

1. Make the AD CD available to the host either by inserting the CD-ROM, or by making it accessible for copying over the network.

2. Mount the physical CD:

If the CD-ROM is inserted, type:

mount /media/cdrom

If you have an ISO image, mount as follows:

mount -t iso9660 -o loop <iso_name> /media/cdrom

If the CD-ROM is not in the drive, obtain the AD CD image or create an ISO file from the available TGZ as follows:

Copy the TGZ file to the local machine on which the installation will be performed.

Create a new directory to open the TGZ in (for example, mkdir AccAD).

Enter the directory you created, and open the TGZ by typing

tar -xzvf <full_path_to_TGZ_file>

When installing the engine in the next section, in the installation command instead of /media/cdrom/ supply the directory in which you opened the TGZ.

3. Verify the CD mount by typing:

ls -ltr /media/cdrom/

The contents of the CD are displayed on screen.

3.4.4 Installing the AccAD Engine

This section explains the installation of the AccAD engine (for the SFE, CFE and repository). Make sure the AccAD DVD is already mounted as described in Mounting the Application Delivery CD.

To install the Engine:...

1. Go to the /root directory by typing:

cd ~

2. Run the AccAD engine installation by typing:/media/cdrom/DATA_UNITS/AccAD_ENGINE_2_2/<OS>/install.pl install<engine_type>

Where <OS> is the operating system on which you are running, and <engine_type> isrepository, sfe, or cfe.

ImportantWhen installing a secondary repository (for high availability), perform the installationusing the following command:/media/cdrom/DATA_UNITS/AccAD_ENGINE_2_2/<OS>/install.pl -dummy-webui-certificate install <engine_type>

NoteMake sure to type the command on one line.

Important: You are asked to provide passwords for the root, admin, and observer users. Make note of these passwords since you will be required to provide them later.

3. When the installation is complete, log out root and log on again as admin.

Important: Perform any additional operations using the secured admin account. The observer account can be used only to access the web UI in read-only mode; it cannot be used to log on to the machine.

3.5 Configuring the AccAD Engine

This section explains the configuration process for the AccAD engine and should only be performed after installation as explained in Installing the Engine.

The AccAD repository does not require configuration. This section relates only to SFE/CFE configuration.

Once configured, settings can be saved for back-up and restore purposes. See Importing and Exporting Configuration Settings.

3.5.1 Manual Configuration of the AccAD Engine

Manual configuration is performed using the CLI or the web UI.

If you are setting up a secure link between the CFE and SFE, update the link certificate as described in Updating Link Certificates.

As a first step, connect to the machine using SSH with the secured admin user. You automatically connect to the command line interface. For configuring the engine using the CLI, see Command Line Interface. Otherwise, type shell to return to the Linux shell, and go to the URL https://<machine’s_IP>:7443/ to configure the engine using the web UI exposed at port 7443.

After configuring an appliance manually, add the configuration to the landscape using the button Commit to Data Center located in the tree root node Appliance. This sends the appliance configuration to the appliance repository.

The configuration consists of a few configuration nodes which depend on the type of engine you are setting up. Each configuration node is detailed in the following sections.

3.5.1.1 Configuring the Host Node

1. In the admin UI, go to the tab Local Configuration.

2. In the form on the right, you can change the ID and password for this appliance.

3. Choose the Host entry and enter the parameters for configuration.

The following tables contain parameter descriptions according to type:

Appliance Host Parameters:

| Name | Value | Additional Comments |
|---|---|---|
| Type | Type of managed host | This value is based on the architecture of the machine, the OS distribution, and the engine type (CFE or SFE). For a repository, enter type SFE. |
| Operating System | List of supported operating systems | Contains name of operating system, release number, and machine version |

4. Click Interfaces and then Add to add a new interface.

Interface Parameters:

| Name | Value | Additional Comments |
|---|---|---|
| Description | Description | |
| Device | Alias of network device | The internal adapter name, for example, eth0, eth1, etc.—depending on the network adapter being used—on which the virtual IP addresses should be created |
| Gateway | IP address of network gateway | The IP address of the gateway computer used in your network |
| IP address | Main IP address of device | An IP address on the host to be accessed by the monitor utility, and the AccAD engine instance at other locations. Enter the IP address of your machine. |
| Netmask | Netmask for gateway and main IP | The bitmask used to separate the bits of the network identifier from the bits of the host identifier, written in the same notation used to denote IP addresses |
| Type | Type of network device | e.g. Ethernet |

Firewall Rule Parameters (optional)

By default, the AccAD engine will configure the firewall on the installed machine to reject all unrecognized traffic. The firewall is set to accept traffic on the AccAD tunnel, to listen on the port for client requests, and to listen on all ports for delivered services.

If other services are enabled or disabled on the appliance, you need to configure the firewall accordingly and add the required rules.

a. Type the name of the new rule and click Add.

b. Add the rule, including the following parameter values:

Action: Accept/Reject

Source IP: IP of incoming traffic; default is all IPs (0.0.0.0)

Source Port: port of incoming traffic

Source Mask: source mask

Destination IP: IP of outgoing traffic; default is all IPs (0.0.0.0)

Destination Port: port of outgoing traffic

Destination Mask: destination mask

Protocol: tcp/udp

Route List Parameters (optional):

| Name | Value | Additional Comments |
|---|---|---|
| Name | Description | |
| Bitmask | Netmask for gateway and network | |
| Device | Alias of network device | The internal adapter name, for example, eth0, eth1, etc.—depending on the network adapter being used—on which the virtual IP addresses should be created |
| Gateway | IP address of gateway for this route | |
| Network | Network to be routed | |
| Description | Purpose of this route | |

Resolve Parameters:

| Name | Value | Additional Comments |
|---|---|---|
| Hostname | DNS name of managed host | The unique name of the machine within the network |
| Domain | Domain name of host | The domain name of the network |
| Nameserver List | Address of primary DNS server | Specify the IP address of the real DNS server that will service the SFE’s DNS. You can enter a few DNSs using a space as a separator. |
| Search List | Domain that must be added by default to name without it | The string that is concatenated to the hostname when activating DNS lookup queries, if the query did not include the domain name |

Organization SMTP Server:

| Name | Value | Additional Comments |
|---|---|---|
| Host Name | SMTP server hostname | The organization SMTP (Simple Mail Transfer Protocol) server |
| Fully Qualified Domain Name | SMTP server FQDN | The fully qualified domain name to be used in message headers |

Organization Proxies:

Addresses of proxies that must be used at the host for HTTP, HTTPS, or FTP traffic

| Name | Value | Additional Comments |
|---|---|---|
| HTTP Proxy | HTTP proxy IP address | The DNS name and port of the HTTP proxy server, in the format <name>:<port> |
| FTP Proxy | FTP proxy IP address | The DNS name and port of the FTP proxy server, in the format <name>:<port> |
| HTTPS Proxy | HTTPS proxy IP address | The DNS name and port of the HTTPS proxy server, in the format <name>:<port> |
| Proxy Keepalive Interval | An interval (in seconds) at which a keepalive message is sent to the proxy to keep a connection open. | The default is 180. |

5. When the network parameters are configured, you can define the Time Synchronization Server, together with the appliance time zone, if necessary.

| Name | Value | Additional Comments |
|---|---|---|
| Time Server | Hostname of the NTP server | Fully qualified domain name |
| Time Zone | Time zone for appliance location | |

3.5.1.2 Configuring the Audit Node

If you are interested in observing various events of this appliance, configure the Audit node:

1. Choose the Audit node and fill in the parameters for configuration.

2. Specify the way you want to deliver/store audit events by adding a target to the Target List. Choose one of the available templates: Mail, Syslog, MaxDB.

3. Configure the new audit target. Leave the default values, except for the following:

By default, reporting is done for info logs, malfunction logs, and security logs.

Clear the checkboxes that don’t interest you.

Navigation – specific method related configuration, for example, mailing list in mail method.

Server – host or storage for the audit events, for example, 127.0.0.1 for MaxDB.

| Parameter | Value |
|---|---|
| Method | MAIL, SYSLOG, MAXDB… |
| Enabled? | Y/N. Mails can be sent regarding events and alerts in the system. To enable this option, change the value to Y. |
| Server | The e-mail address to which notifications are to be sent. |
| Navigation | This field can be used to determine the location of the log on some hierarchical logging systems |

Note: Make sure you already configured the parameters SMTP server and Message header FQDN in the Host form.

3.5.1.3 Configuring the Engine Node

This configuration sequence should be performed per engine instance, so if you are installing an engine with more than one instance, repeat these steps for each of the instances.

1. Choose the Engine node.

2. If you are configuring an SFE, configure the Admin node with the following parameters:

| Name | Value | Additional comments |
|---|---|---|
| Repository IP | The IP of the primary repository | If the repository is installed on the same host as the SFE, use 127.0.0.1 |
| Repository Port | Communication port | Keep the default 4777 |
| Secondary Repository IP | The IP of the secondary repository | If a secondary repository is installed in the landscape, supply its IP |
| Secondary Repository Port | Communication port | Keep the default 4777 |

3. Add at least one instance to the instance list. The next steps are repeated for each added instance.

4. Add a new instance and supply an instance ID (see Allocating a Device ID). Configure the instance with the following parameters:

| Name | Value | Additional comments |
|---|---|---|
| ID | Appliance ID used in delivery policy | Enter an instance ID value - the device ID you decided to assign to the instance. Important: Remember this value for later delivery policy configuration. |
| Description | Description | The name you wish to give this machine |
| Start IP | Lower boundary of virtual IP range | Enter the first IP address in the range of IP addresses to be used, including the number of netmask bits. For example, the default value 24 represents 255.255.255.0 = 24, 255.255.254.0 = 23, etc. For more information about IP ranges, refer to section IP Addresses. |
| End IP | Upper boundary of virtual IP range | Enter the last IP address in the range of IP addresses to be used by AccAD. |
| Link IP | IP of tunnel between SFE & CFEs | Enter the IP address of the primary SFE in your landscape |
| Link Port | Port of tunnel between SFE & CFEs | Default: 4700 |
| Secondary Link IP | IP of tunnel between secondary SFE & CFEs | Enter the IP address of the secondary SFE; if none, keep empty |
| Secondary Link Port | Port of tunnel between secondary SFE & CFEs | If you are using a secondary SFE, enter 4700, otherwise keep empty |
| Stream Limit | Amount of connections in tunnel | Keep the default value: 16 |
| Netmask | Netmask of virtual IPs | |
| Network device | Network device for virtual IPs | The internal adapter name, for example eth0, eth1, etc.—depending on the network adapter being used—on which the virtual IP addresses should be created |
| Enable SSL | Specify whether tunnel encryption is necessary | TLS/SSL termination enables the use of secure communication between the workstation and the CFE. Make sure to choose the same option when installing the SFE and CFE. |
| Verify device ID | Specify to prevent AccAD appliances from connecting without verification | Enter 'yes' if you want to verify the device ID with the value supplied in the certificate. This option is only available when you enable SSL. |
| Proxy Listening IP | Specify the IP on which the instance listens to requests if the traffic redirection method is by proxy | For example – 0.0.0.0 |
| Proxy Listening Port | The Proxy listening port | Default 18080 |
| Proxy Forwarding Method | Choose the proxy forwarding method: Use a parent proxy; Directly; No forwarding | |
| Title Injection | AccAD automatically injects text to the HTTP title of delivered services. | The default is Delivered by AccAD. If you wish to change this text specify the desired text under. |

3.5.2 Automated AccAD Engine Configuration

With this configuration method, applicable both for the automatic and the semi-automatic installation modes, the AccAD appliance is configured using the ADM. A proprietary XML configuration file, the Appliance Definition File (ADF), is created and configuration of the engine is automated using this file as input.

To enable this configuration method, the ADM package must be installed. The process is explained in sections The ADM Package for Automated Installations and Managing the Appliance landscape.

For a detailed description of the automated appliance configuration process, refer to section Adding and Removing AccAD Instances.

3.6 The ADM Package for Automated Installations

The AccAD Management Package (ADM) is the central installation repository around which the managed appliance landscape is built. The ADM package is included in the repository installation; no additional steps are required.

If the repository has yet to be installed on the machine, install it as described in Installing the Engine.

3.6.1 Managing the Appliance Landscape

The information required for managing the appliance profiles, and for the setup of the installation server used for the automatic appliance installation, is the following:

IP Address, HTTP port, HTTPS port – Used for setting up the ADM installation repository from which the OS is installed using the HTTP protocol. In the second phase the AccAD component is installed (using HTTP to download the ISO and initiate the installation, and HTTPS for the secure download of the appliance definition file containing certificates).

ID Start/End Range – Used for simplifying the creation of a new appliance instance. Upon instance creation the ID field is filled in using the next valid ID from the defined range:

First, an attempt will be made to find the next ID which was not recently used (and of a higher value than any ID currently in use).

If the range end is reached, then an attempt will be made to find the first vacant ID (for example, an ID used by an instance that was deleted).

If this also fails, the user must enter an ID manually.
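The three-stage ID selection described above, sketched as an added example (this is not ADM's own code). The function name is hypothetical, and because the page does not define "recently used", the sketch assumes it means "above the highest ID currently in use".

```shell
#!/bin/sh
# Added example: model of the ID selection order described above.
# Usage: next_appliance_id RANGE_START RANGE_END "ID ID ID ..."
# Prints the chosen ID, or returns 1 when the range is exhausted.
next_appliance_id() {
    range_start=$1
    range_end=$2
    used=" $(echo $3) "     # normalise whitespace for the membership test

    # Highest ID currently in use inside the range (start-1 when none is).
    highest=$((range_start - 1))
    for id in $3; do
        if [ "$id" -ge "$range_start" ] && [ "$id" -le "$range_end" ] &&
           [ "$id" -gt "$highest" ]; then
            highest=$id
        fi
    done

    # Stage 1: the ID above every ID in use, as long as it fits the range.
    if [ $((highest + 1)) -le "$range_end" ]; then
        echo $((highest + 1))
        return 0
    fi

    # Stage 2: range end reached, so take the first vacant ID, for example
    # one released by a deleted instance.
    id=$range_start
    while [ "$id" -le "$range_end" ]; do
        case $used in
            *" $id "*) ;;                    # still in use, keep looking
            *) echo "$id"; return 0 ;;
        esac
        id=$((id + 1))
    done

    # Stage 3: nothing free, the administrator has to enter an ID manually.
    return 1
}

# Constructed landscape: range 100-105 with 100, 101 and 103 in use.
# Stage 1 applies, so 104 is chosen even though 102 is vacant.
next_appliance_id 100 105 "100 101 103"
```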

To configure the Installation Server:

1. Access the web UI of the repository, using the URL http://<repository_ip>.

2. Open the Appliance landscape tab, and choose Installation Server.

3. Choose Edit.

4. Enter values for the following fields:

IP Address – the IP of the ADM machine

HTTP Port – 80 by default

HTTPS Port – 443 by default

ID Range Start – Start of available ID range

ID Range End – End of available ID range

5. Choose OK.

6. Choose the Resources node. This screen shows the Resources tree for both OS resources (for all supported distributions) and their relevant AccAD resources.

To upload resources to the ADM server, you need to configure those resources: Each one must have a path to either the network location of the resource (supported protocols are http, https, and ftp), or the full path to the resource on the SFE machine.

The supported source formats of the files are ISO, TGZ, and DIR (if a path is provided).

Enter the locations of all the resources to support.

7. Save and apply as described in the section Saving and Applying the New Delivery Policy.

8. Create the appliance landscape by pressing the button Apply Appliance landscape.

This may take several minutes since all resources to the ADM are being uploaded.

An alert is returned for bad AccAD resources; however, there is no OS resources verification.

At this point, kick-start files for the configured appliances are created for future installations.

The AccAD and OS resources can be found at http://adm-hostname-or-ip/resources.

The configured appliances kick-start files can be found at http://adm-hostname-or-ip/appliances.

Note: ADM configuration can also be done using the CLI. For more information on the CLI see Command Line Interface.

3.6.2 Adding and Removing AccAD Instances

Adding, removing and configuring AccAD appliances can be done in the admin UI as follows:

1. Access the web UI of the repository, using the URL http://<repository_ip>.

2. Open the Appliance Landscape tab, and choose Installation Server.

3. Add new appliances by clicking Add and configure them as explained in the section Manual Configuration of the AccAD engine.

4. After configuring an instance, you can import the ADF file by choosing Import.

3.6.3 Automatic Installation

1. At the first stage of the Linux installation, connect to the host on which you are installing the AccAD engine and type as follows:

For RH appliances:

linux ks=http://<installation_server_ip>/appliances/<appliance_name>/ks.cfg

For SLES appliances:

autoyast=http://<installation_server_ip>/appliances/<appliance_name>/autoinst.xml

install=http://<installation_server_ip>/appliances/sles-10-i386/all

Before completing appliance configuration and certificate download you are prompted for the appliance password to verify the appliance identity.

2. After entering the password, choose to set for this instance. The installation finishes.

If a delivery policy has been defined for this appliance it becomes operational.

3.6.4 Semi-Automatic Installation

To secure the tunnel, the AccAD configuration should use a designated Appliance Definition File, in XML format, that includes certificates.

This file will be generated after adding an AccAD instance. Save the XML file that is created to a location on your appliance machine.

CAUTION: The XML file may contain sensitive information and security precautions are recommended.

3.6.4.1 Installing the AccAD Engine

If the AccAD engine is not yet installed on your machine, install it as described in Installing the Application Delivery Engine.

Use the following command to perform the engine configuration:

appliance-config -b <configuration_file>

Where <configuration_file> is the XML file you created previously.
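One way to act on the caution above before running appliance-config, shown as an added example that is not part of the SAP guide: refuse to use the Appliance Definition File unless it is a regular file owned by the invoking user with no group or other permissions. The guide does not name specific precautions, so this check is an assumption about what a sensible one looks like; the function names and the APPLIANCE_CONFIG override are hypothetical.

```shell
#!/bin/sh
# Added example: gate "appliance-config -b" on the ADF being private.

# adf_is_private FILE
# Succeeds only if FILE is a regular file (not a symlink), is owned by the
# invoking user, and grants nothing to group or others (e.g. mode 600).
adf_is_private() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    [ -O "$f" ] || return 1
    # First ten characters of "ls -l" output: file type plus the nine
    # permission bits. The last six must all be "-".
    case $(ls -ld -- "$f" | cut -c1-10) in
        -???------) return 0 ;;
        *) return 1 ;;
    esac
}

# configure_from_adf FILE
# Runs the configuration command from this section once the check passes.
# APPLIANCE_CONFIG can be set to another command (e.g. echo) for a dry run.
configure_from_adf() {
    adf=$1
    if ! adf_is_private "$adf"; then
        echo "refusing $adf: must be a regular file owned by you with mode 600" >&2
        echo "fix with: chmod 600 $adf" >&2
        return 1
    fi
    ${APPLIANCE_CONFIG:-appliance-config} -b "$adf"
}

# Stand-alone use: sh adf_check.sh /path/to/appliance.xml
if [ "$#" -gt 0 ]; then
    configure_from_adf "$1"
fi
```

Saving the exported XML under a restrictive umask (for example `umask 077`) makes the check pass without a later chmod.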

3.6.5 Updating Link Certificates

Use the procedure described here for each engine in the following circumstances:

When setting up a secured link between the SFE and CFE

On all manually installed engines in a landscape that also contains engines that are configured automatically or semi-automatically

To update link certificates, do as follows:

1. Log in to the AccAD Administrator of your machine using the URL https://<machine_ip>:7443 and choose the Local Configuration tab.

2. In the root node of the navigation tree, choose Appliance > Commit to Data Center.

3. Log in to the AccAD Administrator of the repository engine and choose the Appliance Landscape tab.

4. In the root node, choose Apply.

This action generates the new link certificate. Ignore any error messages that may appear.

5. In the Appliances node, choose the relevant appliance and then Export. An XML file is generated that details the appliance configuration on the appliance machine.

6. Save the XML file and follow the procedure described in Semi-Automatic Installation.

Configuring the Delivery Policy March, 2010

4. Configuring the Delivery Policy

Once the repository is installed and configured, you need to define the rules, or a delivery policy, according to which services are delivered in your landscape.

You can define the delivery policy either by using AccAD Administrator, a graphical user interface utility provided by AccAD, or by using the command line interface (CLI) on the repository machine. If you choose to use the CLI, see the configuration instructions in this chapter and deploy them as described in the section Command Line Interface.

AccAD Administrator provides an administrative toolset with which you set the rules for application delivery, and supplies auditing information, traffic history, and system status.

Policy Configuration

A policy defines which service instances are delivered to which engine instances. The following building blocks should be defined:

Locations – Physical locations at which AccAD engines reside

Engine instances – Separate instances of an engine at a specific location or multiple engines at a single location

Service types – Services to be delivered, based on the available templates (for example, HTTP, CRM, the NetWeaver portal)

Service instances – Specific instances of service types at a specific location

Groups – Groups of service instances and engine instances enabling easier policy configuration

Each service instance at a location, as well as each engine instance, can belong to one or more groups.

Delivery rules can then be added, each defining delivery of a source group to a destination group. All service instances in the source group are delivered to all the engine instances in the destination group.

Important: Be aware that delivery is possible only on an established link. If your delivery rules include delivery between sources and destinations that are not connected by an AccAD link (for example, between 2 SFEs), there is no delivery.

4.1 Accessing AccAD Administrator

The AccAD Administrator UI is exposed on port 7443 on the engine and can be accessed using the URL https://<repository_ip>:7443/. The UI is available after the repository is installed.

Important: If the landscape includes more than one repository, choose the primary repository and configure the delivery policy there.

4.2 Defining the Policy

The following sequence of actions comprises the process necessary for defining a delivery policy; each numbered action is described in more detail in the subsequent sections.

1. Add groups – Define the groups in your landscape for configuration of delivery.

2. Add locations – Define the physical locations in your landscape.

3. Add engine instances – Specify details of engines (SFEs and CFEs) that deliver and receive services.

4. Add service types – Define the service types to deliver. For example, you can define SAP NetWeaver Portal 7.0 as a service type, representing the portal services of SAP NetWeaver.

5. Add service instances – Specify the instances of the services exposed at each location in your landscape. You can then attach each service instance to one or more groups.

6. Add delivery rules – Define the deliveries between origin groups and target groups.

CAUTION: After configuration, make sure to choose Save to avoid any loss of the data you defined.

4.2.1 Defining Groups in the Landscape

1. In AccAD Administrator, in the Delivery Policy tab, choose Groups.

2. In the Groups pane, choose Add.

3. Enter the group details:

Name

Description (optional)

4. Choose OK to add the group to the delivery policy.

4.2.2 Defining Delivery Locations

1. In AccAD Administrator, in the Delivery Policy tab, choose Locations.

2. In the Locations pane, choose Add.

3. Enter the location details:

Name

Description (optional)

4. Choose OK to add the location to the delivery policy.

4.2.3 Adding Engine Instances

1. In AccAD Administrator, in the Delivery Policy tab, choose Engine Instances.

2. In the Engine Instances pane, choose Add.

3. Enter the engine instance details:

Device Name

Device ID

Enter the value that you specified during the CFE installation. See Allocating a Device ID.

Description

Groups

Enter the groups to which you want this engine instance to belong.

Location

Enter the physical location of this engine instance.

4. Choose OK to add the engine instance to the delivery policy.

4.2.4 Defining Service Types

This section explains how to define and configure the parameters of the service types with which applications are delivered. Some service types are available out-of-the-box, for example HTTP or SAP NetWeaver Portal. You can create a new service type based on an existing template and modify parameters to fit your landscape needs.

1. In AccAD Administrator, in the Delivery Policy tab, choose Service Types.

The out-of-the-box services appear in the templates list.

2. Add a new service by selecting one of the existing templates and choosing Add.

3. Create the service type by expanding the Service Types list and choosing the relevant service.

4. Enter values or edit the values in the following fields under General Properties:

Name – Enter a label for the service. This name appears in the administration tree.

Description – Optionally, enter a description of the service.

Main Port – Enter the value of the listening port used by the application server (for example, port 50000 for the portal).

SSO Method – To deliver a service with single sign-on (SSO), based on a client certificate, select an SSO Method. The available methods are:

SAP J2EE Format – for delivering SAP J2EE applications

SSM Format – for delivering SSM application

SSO disabled mode – if no SSO

Additional configuration must be made when enabling SSO with X.509 certificates. Refer to the section Configuring X.509 User Authentication – TLS/SSL Only for details.

Further editing is possible and depends on the requirements of your landscape. For more information about the advanced parameters of service types, see the section Service Types.

5. Choose OK to add the service type to the delivery policy.

4.2.5 Adding Service Instances

This section describes how to add service instances based on service types previously defined. Each service instance is defined at a specific location and can belong to one or more groups.

1. In AccAD Administrator, in the Delivery Policy tab, choose Service Instances.

2. In the Service Instances pane, choose Add, and select the service template:

SAP Cluster

This template enables the AccAD engine to perform load balancing using the SAP message server.

Simple Service

3. Enter the service instance details:

Service Name – the name of your service instance

Description – (optional)

Groups – The groups this service instance should belong to

Location – The physical location this service instance is exposed at

Service Type – The previously defined service type for this service instance

Service fqdn – The fully qualified domain name of this service

Service Port – The service port

For applications delivered via TLS/SSL, enter a TLS/SSL port number. Otherwise, leave the default value 0 for the TLS/SSL Port field.

If the selected service template is the SAP Cluster template, configure the following parameters of the message server by entering the Message Server node:

Host Name – IP/DNS name of the message server

Encrypted – Check this box if the connection to the message server is to be encrypted

Port – Port of the message server

Group – Logon group name

User Session Timeout – Timeout (in minutes).

If a connection is still open after this time period, the client may be routed to a different server in the cluster.

Otherwise, configure the service address in the Network Address field.

4. Choose OK to add the service instance to the delivery policy.

4.2.6 Adding Delivery Rules

You complete the delivery policy configuration by adding rules to define delivery from an origin group, containing service instances, to a destination group, containing engine instances. All service instances in the origin group are delivered to all the engine instances in the destination group.

1. In AccAD Administrator, under the Delivery Policy tab, choose Delivery Rules.

2. In the Delivery Rules pane, choose Add and configure the following:

Origin – The origin group from which service instances are to be delivered

Destination – The destination group. The delivered services go to the engine instances in this group.

3. Choose OK to add the delivery rule to the policy.

4.2.7 Activating the New Delivery Policy

In the previous sequence you defined and saved a new policy in the repository. However, this policy is still only held in the repository and the landscape continues to operate with the old policy (if an old policy exists) until you apply the new policy.

1. In AccAD Administrator, go to the root node (Delivery Policy) and choose Apply.

You can save the policy you defined in the archive for backup. For details, see Archiving Configuration Settings.

Important: If the following conditions are true, you must flush the DNS cache for the new policy to take effect:

You are currently changing the delivery policy

You are using a DNS proxy

Your workstation is a Windows machine

See Configuring DNS on a Windows Machine.

4.3 Advanced Configuration - Service Types

A service type object in the delivery policy consolidates the application-specific information required for high performing delivery of application services. The service type includes the following:

General parameters

Collection of transaction types

A transaction type represents a subset of transactions in the application service. Each service type includes at least the default transaction type object. For more information, see Transaction Types.

Service types are based on predefined templates, each having its specific set of default values. Upon creation, a new service type acquires the default values from the template on which it is based.

4.3.1 General Parameters

Note: The parameters in this section affect system performance significantly and are intended for advanced users. If you change the default values, make sure that you use values that are appropriate for your system.

The following parameters are common to all the transactions in the service type:

Compression Method – server-to-user

Choose the compression method to be used when delivering applications (server responses). The available methods are:

Adaptive – This method activates the AccAD advanced learning and redundancy elimination algorithm for compression. This enables efficient throughput and reduces response time. It is the recommended option in most cases. See Traffic Flow Minimization Mechanism for more details.

Deflate only - Simple gzip-like compression, without applying AccAD features.

None - No compression is applied. Choose this method if, for example, the information delivered is already compressed or is encrypted.

Compression Method – user-to-server

Choose the compression method to be used when delivering user requests. The available methods are the same as in server-to-user.

Service Monitor Settings

Monitored URL – By default, the monitor downloads a page from the server, using the server DNS name, as defined in the delivery policy. For a non-default page, enter the relevant value for this parameter, which will be concatenated to the server DNS name, for example, /irj/portal.

Searched String – Specify the string to be used by the Application Delivery Monitor as the checking parameter, used when validating each page download, for example, portal.

4.3.2 Transaction Types

An application service can be constructed of different types of transactions, which correspond to different components in the integrated application service.

A default transaction type is available for each service type and it can be modified and configured according to the specific needs of the landscape.

4.3.2.1 Configuring a Transaction Type

Note: The parameters in this section affect system performance significantly and are intended for advanced users only. The default values should not be changed.

The following can be configured in each transaction type:

Request Aggregation – these parameters appear only in the Default transaction type. Although the aggregation of transaction messages from the communication stream has a delay penalty, this is outweighed by a reduction in the traffic of redundant content. It is recommended, therefore, that messages of the same transaction be aggregated to achieve an optimal compression ratio.

Enable Aggregation – Select this checkbox to enable message aggregation. It is checked by default.

Volume Threshold - Represents a typical maximal length of a message, in Bytes.

Time From First Chunk – Total time of delaying content for aggregation, in milliseconds.

Time Between Chunks - Maximal pause in transmission, after which it is likely the message transmit was completed, in milliseconds.

Response Aggregation – Same as Request Aggregation.

CFE HTTP Processing Sequence – AccAD includes a set of application-aware processors. Each transaction type includes a specific processing sequence. The processing sequence is not editable, but it is possible to configure the parameters in an existing sequence. For more information about the available processors, see section HTTP Processors.

Request Context - Each transaction type may have its own context in the compression engine. It is possible to tailor the size of dictionaries and buffer for best performance, at the cost of footprint.

CAUTION: The following parameters are AccAD-specific. Do not modify these parameters for out-of-the-box service types without expert knowledge of AccAD.

Dictionary - Stores frequently recurring segments of content. To avoid retransmission of entire segments, references to recurring content can be used in subsequent transmissions. This is part of the traffic flow minimization mechanism. Configurable Dictionary properties are:

Memory Quota - The overall space in the main memory (in bytes) used for the dictionary (default - 2000000)

Number of Items - The maximum number of items

Message Store – The buffer of previously transmitted messages used by the adaptive learning mechanism in real-time analysis for the context

Number of Messages Stored - Maximum number of recent messages stored (The higher the value, the faster the learning, at the cost of CPU consumption.)

Recorded Message Store - The adaptive learning mechanism may record segments of messages for future offline analysis, done in parallel to real-time processing. The configurable Recorded Message Store properties are:

Memory Quota - The overall space in the main memory (in bytes) used for the dictionary (When the store is larger, offline learning is more effective, although it takes longer.)

Number of Items - The maximum number of items

Response Context – Just as for the Request Context, each transaction type may have its own context in the compression engine. It is possible to tailor the size of dictionaries and buffer for best performance, at the cost of footprint.

Classification rule – This parameter only appears in non-default transactions. The classification rules comprise a pattern applied to the navigation part of a URL, used to classify the transaction type inside the application service.

4.3.3 HTTP Processors

AccAD enables configurable optimization of several HTTP caching and compression processes, as described in this section.

4.3.3.1 Web Cache

AccAD 2.2 has a Web cache mechanism designed to enable standard HTTP caching to eliminate performance penalties, Linux-specific limitations, and enable working with HTTP 1.1. The Web cache mechanism includes both disk and memory cache.

You can configure the remote office to use content from the Web cache instead of sending requests all the way to the data center and back. This saves significant time and improves application performance.

The cache processor is defined as part of the processing sequence in the default transaction type. You can configure it as described in the next section.

Configuring the cache:

To configure the cache, define or edit processing rules. The rules determine the following:

The type of content to be cached

When the content expires

When content first arrives, it is considered fresh. Upon expiration the content turns stale and needs to be replaced with fresh content from the data provider.

Note: These definitions are advanced settings, and require expertise in Web cache applications. This document describes the options relevant for AccAD configuration but does not drill down to Web cache terminology.

Configuring the cache is done as part of the transaction type configuration. You can configure the caching rules, which include the following parameters:

Name – Select this checkbox to enable message aggregation. It is checked by default.

Should Cache – Uncheck this box if you want to specify a pattern not to be cached. It is checked by default.

Overwrite Server Directives – Check this box to overwrite the server’s caching directives and use your own parameters as a caching policy.

Refresh Pattern – Describes the URL expression to cache

Example: If you want to keep JPG images from portal applications, enter: */irj/portalapps/.*\.jpg.*.

Cache – Uncheck this box if you want to specify a pattern not to be cached. It is checked by default.

Minimum Freshness Time (minutes) - The minimum time (in minutes) during which an object without a specified expiration time is considered up-to-date. This field requires a numeric value.

Example: If you specified 100 minutes, and if the content is requested within this time frame, it is sent from the cache.

Note: If the content header includes an expiration time, that value overrides the value entered here.

Maximum Freshness Time (minutes) - The maximum time (in minutes) that an object without a predefined expiration time is considered fresh.

After the time specified for this parameter, the status of the resource is considered stale. When the next request for this resource arrives, the status of the object in the data provider is checked. If the object was not modified, its status returns to fresh, and the time count restarts. If it was modified in the data provider, the cache content is replaced with the modified content.

Age Percentage - Defines the maximum time that an object, without a predefined expiration time, remains fresh, based on its modification frequency.

This attribute does not change the status of the object to "stale" based solely on a fixed time value, such as "Maximum = 1000 minutes"; rather it uses an algorithm that takes into account both the object age in the cache and the time since its last modification. In objects with high modification frequency, this attribute may expire sooner than the maximum.

Enter a numeric value from 0 to 100, followed by "%". For example, 20%.

Negative Caching Duration (minutes) - Provide the caching duration for 404 (Not Found) responses from the server. Choosing a value over 0 means that, for the provided time, a request for this resource is not sent to the server; instead, a 404 response is sent to the user by the AccAD engine.

In addition, you can configure the following cache parameters per engine instance:

| Parameter | Description | Additional Comments |
|---|---|---|
| Memory Quota | The size in the memory (in MB) for the memory cache | Default – 4 |
| Disk Quota | The size in the disk (in GB) for the disk cache | Default – 32 |
| Max Memory Object Size | Maximum size (in KB) of a resource for the memory cache | Default – 100 |
| Max Disk Object Size | Maximum size (in MB) of a resource for the disk cache | Default – 100 |
| Have Persistency | Saves the memory cache to a persistency file to enable reloading of the cache upon system restart. (Y/N) | Default - Y |

4.3.3.2 Remote Caching with Central Authorization (KM)

The Knowledge Management application has a central authorization policy with a distributed landscape in which many users are located in regional offices. Standard Web caching does not provide the access control policy that Knowledge Management requires.

The AccAD remote caching and central authorization logic supports caching of documents in remote offices while the user authorization policy of the central KM system is supported, as well as the pushing of up-to-date or new documents.

Multiple KM services can be supported, each with its own delivery policy rules. Each specific service is identified by matching different URL patterns, and so a different configuration can be set to each of these services.

Configuration of the KM processor is similar to Web cache configuration, since it only enhances the cache to include central authorization, as described in Web Cache.

The KM processor can be found with the following NetWeaver versions:

SAP NetWeaver Portal 7.0 SPS13 and higher

SAP NetWeaver 04 Portal

4.3.3.3 Caching Logical URL for ERP Learning Solutions (LSO)

This capability is applicable for ERP learning solutions (LSO), for versions LSOCP 602 SP02 (ECC/ERP 6.00 EhP 2 SP 2), LSOCP 600 (ECC/ERP 6.00) SP 13 and above.

LSO uses a logical URL scheme based on user and course details. AccAD enables caching of course resources for the same user and course, as well as between different users and courses. This is done by the AccAD engine by resolving the logical model.

SAP NetWeaver Portal already includes the LSO transaction type out of the box with the following NetWeaver versions:

SAP NetWeaver Portal 7.0 up to SPS13

SAP NetWeaver Portal 7.0 SPS13 and higher

There is no need for specific configuration for the LSO transaction type.

4.3.3.4 HTTP Compression (gzip)

This processor handles the HTTP compression of the delivered service.

Web servers may encode the responses to users in a compressed format. To best compress the content with AccAD proprietary adaptive compression, the content should arrive at the AccAD engine in an un-compressed format. This is done by the gzip processor by removing the Accept-Encoding header from the client requests. In addition, the engine may perform the HTTP compression between the CFE and the users by itself.

Configuring the gzip processor:

The gzip processor is configured using an ordered set of rules, each representing a pattern, where the first matched pattern is executed.

1. When adding or editing a rule, enter values for the following parameters:

Name – The name that describes the rule

Type - Choose URI or MIME Type, according to the pattern you want this rule to match

Pattern - A regular expression pattern to be matched

For example:

If type is URI, a possible pattern would be *.css.

If type is MIME, a possible pattern would be audio/*

Enable compression – check this box to perform compression between the CFE and the user’s browser by the AccAD engine

Remove Accept encoding – check this box to disable the server HTTP compression by removing the Accept Encoding header, to enable AccAD compression

Min Length – if the HTTP compression is enabled, this size represents the minimal message length on which to perform compression (in Bytes).

4.4 Exporting and Importing Service Types

Service type configuration includes many details to define the behavior of the application server, such as cache rules, GZIP compression rules, KM configuration parameters, LSO configuration parameters.

Once a service type that suits the requirements of the application server is defined and configured, you can export it and later import it to other delivery policies.

Exporting a Service Type

1. In the UI, under the Delivery Policy tab, choose Service Types.

2. Expand the Service Types tree and choose the service you want to export.

3. Choose Service Type Definition File.

4. Choose Export Service Type.

5. At the prompt, navigate to the desired location and choose Save.

Import a Service Type

1. In the UI, under the Delivery Policy tab, choose Import Service Type.

2. Expand the Service Types tree and choose the service that you want to import.

3. Choose Import Service Type.

4. At the prompt, browse to the exported service type XML file.

5. Save the policy. The imported service type is now part of it.

5. Securing the AccAD Landscape

When using AccAD, consider securing the communication over the following network segments:

Remote office network segment – communication between remote office workstations and the CFE

Server network segment – communication between the application server and the SFE

WAN network segment – communication between CFE and SFE (An option is to use TLS/SSL encryption for the AccAD tunnel.)

When installing AccAD, your security options for the WAN segment are:

Not to use encryption over the WAN network segment

To use the certificates included in the AccAD installer pack

Additional security methods are described in the configuration steps in this document.

During installation, the system certificates enable secure communication. More information regarding certificates is provided in the following sections.

5.1 Workstation – CFE: Securing Communication Using TLS/SSL Termination

This section discusses the options for encrypting information between the user workstations and the CFE within the remote office network segment. Usually, communication between remote office workstations and the CFE is Web-based, and can be secured using TLS/SSL. TLS/SSL termination enables client workstation-to-CFE communication using the secure HTTPS protocol. You need to enable it in the delivery policy for each delivered service.

If you choose to use TLS/SSL termination, you require server certificates in P12 (PFX) format.

Configuring TLS/SSL termination:

Upload the server certificate through Policy configuration as follows:

1. In the UI, under the Delivery Policy tab, open your service instance for editing, and choose Termination Certificate.

2. Enter your server certificate and authority certificate in the relevant fields; provide the password for the certificates in the Password field.

3. Specify a non-zero SSL port for each of the delivery targets of this server: Below Termination Certificate, expand the Services tree. For each of the services:

a. Expand the service tree.

b. Expand the Delivery Targets tree.

c. Choose each of the targets, and change the SSL Port to a non-zero value. The default port for HTTPS is 443.

SAP J2EE allows X.509 authentication (single sign-on) based on the user certificate. If you wish to use this mechanism, the following is required:

The SFE is defined as proxy for client certificate authorization

The DN (Distinguished Name) of the client certificate authority is known

Certificates issued by the Microsoft certificate server may cause problems in SSO scenarios. This is because Microsoft's service allows attributes that are not standard in distinguished names (for example, ‘EMAIL’ or ‘S’).
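
One way to screen a certificate's subject or issuer DN for such attributes before enabling SSO, as an added example (not SAP or AccAD code). It assumes the attribute short names of RFC 4514 as the standard set, since this guide does not list what SAP J2EE accepts; the function names and the sample DNs are constructed.

```shell
#!/bin/sh
# nonstandard_dn_attrs DN
# Print, one per line, each attribute type in DN that is neither an RFC 4514
# short name nor a dotted-decimal OID. Assumption: the RFC 4514 table is the
# "standard" set; extend the list in BEGIN if your portal accepts more.
nonstandard_dn_attrs() {
    printf '%s\n' "$1" | awk '
        BEGIN {
            n = split("CN L ST O OU C STREET DC UID", std, " ")
            for (i = 1; i <= n; i++) ok[std[i]] = 1
        }
        {
            dn = $0
            # Mask escaped separators (backslash-comma, backslash-plus) so
            # they stay inside attribute values.
            gsub(/\\[,+]/, SUBSEP, dn)
            # RDNs are separated by ","; multi-valued RDNs are joined by "+".
            n = split(dn, rdn, /[,+]/)
            for (i = 1; i <= n; i++) {
                eq = index(rdn[i], "=")
                if (eq == 0) continue
                type = toupper(substr(rdn[i], 1, eq - 1))
                gsub(/^[ \t]+|[ \t]+$/, "", type)
                if (type in ok) continue                    # standard short name
                if (type ~ /^[0-9]+(\.[0-9]+)*$/) continue  # numeric OID form
                if (type in seen) continue                  # report each type once
                seen[type] = 1
                print type
            }
        }'
}

# dn_is_portable DN
# Succeed only when DN contains no non-standard attribute type.
dn_is_portable() {
    [ -z "$(nonstandard_dn_attrs "$1")" ]
}

# Constructed sample DNs (not taken from a real certificate).
DN_PLAIN='CN=John Doe,OU=Sales,O=Example Corp,C=DE'
DN_MS='EMAIL=jdoe@example.com,CN=Doe\, John,OU=Sales,O=Example Corp,S=Bavaria,C=DE'

for dn in "$DN_PLAIN" "$DN_MS"; do
    if dn_is_portable "$dn"; then
        echo "ok:    $dn"
    else
        echo "check: $dn -> $(nonstandard_dn_attrs "$dn" | tr '\n' ' ')"
    fi
done
```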

5.1.1 Configuring X.509 User Authentication – TLS/SSL Only

This section guides you through the steps required to enable single sign-on in a secure communication environment. This section is only relevant if you are using TLS/SSL termination.

In SSO mode, the CFE requests from the client a certificate that is issued by a certificate authority specified by a Trusted CA. If provided, the certificate is forwarded to the portal in the HTTP header.

Note: To enable certificate-based SSO, the portal must be configured accordingly. Check the relevant configuration guide on http://help.sap.com/.

To enable SSO:

If the re-encryption feature is not used, set AcceptClientCertWithoutSSL to true on the AS Java level configuration (in the Admin Tool or in the SAP NetWeaver Administrator tool for SAP NetWeaver Composition Environment 7.1): In the Visual Administration go to <your server> → Services → HTTP Provider and select the Properties tab.

1. In the UI, under the Delivery Policy tab, open your service instance for editing.

2. Select the Enable SSO checkbox and, in the Trusted CA field, enter the fully distinguished name of the CA that issues certificates to clients. The public certificate of this CA should be provided in the Authority Certificate field of the Termination Certificate configuration screen, as described in the previous section.

5.1.2 SFE – Application Server: Securing Communication Using Re-Encryption

This section discusses the options for encrypting information between the application server and the SFE. It is recommended not to use re-encryption if the SFE is located in the DMZ. In this case, re-encryption consumes additional system resources with only a limited gain in security. If the SFE is not located in the DMZ of the application server, or if the server cannot be configured to work in plain HTTP mode, re-encryption can be used.

If you wish the SFE to become a trusted SSL intermediary, a client side certificate is required.

5.1.2.1 Enabling Re-Encryption

This section guides you through the steps required to enable re-encryption on the SFE side to encrypt communication between the server and the SFE.

1. In the UI, under the Delivery Policy tab, open your service instance for editing.

2. Select the Encrypted checkbox and enter the listening port of the application server. The default HTTPS port is 443.

If you choose to become a trusted SSL intermediary, a valid client certificate is required for re-encryption. Install this certificate as follows:

a. Go to Service Instances → <your service> → Re-encryption certificate.

b. Specify the distinguished name of this certificate in ProxyServersCertificates to make the portal trust the SFE.

3. On the portal server, open the Visual Admin tool, located in the portal installation in the following location:

/usr/sap/<SYS_ID>/JC<xx>/j2ee/admin/go.bat

4. Go to Service Instances → HTTP Provider and select the Properties tab.

If verification of the server identity is required, install the certificate of the server Certificate Authority in Service Instances → <your service> → Re-encryption certificate.

5.1.3 SFE – CFE (WAN): Securing Communication by Encrypting the Tunnel

This section discusses the options for encrypting information in the CFE and the SFE when transmitting information through the AccAD tunnel.

By default, the CFE/SFE tunnel passes non-encrypted, clear text information over numerous TCP connections. Since this information may contain sensitive organizational data, it is recommended to encrypt the tunnel if the communication is done over a public network, such as the Internet.

If CFE-SFE communication takes place over a secure private network, or using a VPN solution, you may not require additional encryption and the solution described in this section may not be relevant. If encryption is not required, it is recommended not to use it because its CPU consumption affects overall transmission performance.

When sites are not linked through VPN gateways, or over other private networks, you can use one of the Application Delivery tunnel encryption options.

If you choose to secure the AccAD tunnel, you can either perform an automatic/semi-automatic installation, in which the certificates are automatically pushed to the engine, or you can perform a manual certificate installation, if you choose to install AccAD manually. More details can be found in section Installing and Configuring the AccAD engines.

You can also use the default certificates that come with the AccAD installation but this method is not recommended, though it may be used for demo and test purposes.

5.1.3.1 Installing Tunnel Certificates Manually

To install valid certificates manually, do the following:

1. Log on to the root account in the SFE machine.

2. For each instance, type:

/root/install_scripts/create-cert.pl dev <instance_ID> <password>

The instance_ID is the ID defined when configuring the instance.

3. Enter a password of your choice.

Tip: Note that you will need it later in the procedure.

4. For each instance, on both the SFE and the CFE machines, type the following commands:

a. service slot-<slot-ID> stop

b. export VL_ROOT=/usr/local/vl/slot-<slot-ID>

If the port 4900 of the SFE is accessible from the CFE, use the following commands:

a. /usr/local/vl/base/bin/cert_mgr add ca adow://<SFE-IP>

b. /usr/local/vl/base/bin/cert_mgr add link adow://<SFE-IP>

If the SFE port is other than 4900, use the following procedure to download the certificates:

a. Go to http://<SFE_IP>:4900/certificates.

i. Download an AccAD CA certificate.

ii. Download the device certificate (select private certificate).

b. Install the CA certificate by typing:

/usr/local/vl/base/bin/cert_mgr add ca <ca-certificate-file-name>.der

c. Install the device certificate by typing:

/usr/local/vl/base/bin/cert_mgr add link <instance-certificate-file-name>.p12

d. When asked to provide the instance ID and password, use those described in step 2.

5. From both the CFE and the SFE, run the appliance-config tool and go to the instance configuration screen.

6. For each instance, enable SSL and verify the instance ID as follows:

Enable SSL? Y/N Y

Verify device id? Y/N Y

5.2 Securing the SFE and CFE Hosts

The AccAD engine includes a security pack that implements an end-to-end security model. It is installed automatically during CFE and SFE installation.

AccAD engine Protection:

The AccAD engines have a default firewall setting that blocks all unauthorized traffic.

The engines are prompted during installation for a secure non-default password (for both root and admin accounts).

After installation, all engine operations are done via the restricted admin account - which has no access to restricted information cached on the engine.

The engines can have an encrypted drive, used for persistency files.

Note: Placing the engines in a physically secure location is recommended, so as to protect the hard disk, which may have sensitive information cached on it.

5.2.1 Adding Drive Encryption for Persistent Content

The AccAD engine has persistency files, such as cache resources, to improve performance upon system restart. These files are saved on the disk, unencrypted, and may be considered a security risk. This issue can be resolved by encrypting the drive used for persistent content.

Drive encryption requires at least one of the following:

A device (or partition) of at least 8 GB (/dev/sda<n>), which is dedicated to the encrypted drive, in addition to the root partition

A hard drive of at least 20 GB, split into at least 2 partitions of at least 8 GB each – one for the root partition, and one for the encrypted drive

Note: The encrypted drive is formatted with each reboot. Thus, data stored on this drive is deleted with each reboot.

5.2.1.1 Preparing for Drive Encryption

Before encrypting a device, the following conditions must be met:

The device is removed from the Linux file /etc/fstab

It is unmounted

Removing the Encrypted Device from /etc/fstab

1. Discover the label under which the device can be found in the file.

Note that the device may not appear in the file explicitly as /dev/sda<n>, but rather under some label.

To find out which label, if any, is attached to /dev/sda<n>, run the command:

e2label /dev/sda<n>

If /dev/sda<n> has a label attached to it, this command returns it as output.

2. From the file /etc/fstab, delete the line that includes the label you found – either the label or the device name itself, as the case may be.

CAUTION: Before making deletions, make sure you have the information you need to unmount the device, as described in the following section, Unmounting the Device.

Unmounting the Device

1. Discover which device is attached to the label you found in the previous section.

Look for the line in the /etc/fstab file with the relevant label. The next element in that line, following the label name, represents the mount point.

2. If the device is mounted, unmount it with the following command:

umount /my_mount_point
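
A preflight for the two conditions above, as an added example (not part of the AccAD install scripts): it reports whether the device is still referenced in an fstab file, by device name or by label, and whether it is still mounted. The function names, /dev/sda3, the label `logical` and the sample files are constructed.

```shell
#!/bin/sh
# Preflight for "Preparing for Drive Encryption": the target device must have
# no fstab entry (by device name or by label) and must not be mounted.
# File paths are parameters so the checks can run against copies.

# fstab_refs FSTAB DEVICE [LABEL]
# Print every fstab entry whose first field is DEVICE or LABEL=<LABEL>.
fstab_refs() {
    awk -v dev="$2" -v lbl="$3" '
        /^[ \t]*(#|$)/ { next }                        # comments, blank lines
        $1 == dev { print; next }                      # referenced by name
        lbl != "" && $1 == ("LABEL=" lbl) { print }    # referenced by label
    ' "$1"
}

# fstab_mount_point FSTAB DEVICE [LABEL]
# Print the mount point (second field) of the first matching entry.
fstab_mount_point() {
    fstab_refs "$1" "$2" "$3" | awk 'NR == 1 { print $2 }'
}

# is_mounted MOUNTS DEVICE
# Succeed if DEVICE is listed as a source in a /proc/mounts-style file.
is_mounted() {
    awk -v dev="$2" '$1 == dev { found = 1 } END { exit !found }' "$1"
}

# preflight FSTAB MOUNTS DEVICE [LABEL]
# Print one finding per unmet condition; return 0 only when both are met.
preflight() {
    rc=0
    if [ -n "$(fstab_refs "$1" "$3" "$4")" ]; then
        echo "fstab: entry still present for $3 (mount point $(fstab_mount_point "$1" "$3" "$4"))"
        rc=1
    fi
    if is_mounted "$2" "$3"; then
        echo "mounted: $3 is still mounted"
        rc=1
    fi
    return $rc
}

# Constructed sample data: /dev/sda3 carries the label "logical" and appears
# in fstab only under that label, the case step 1 of the procedure describes.
make_samples() {
    SAMPLE_DIR=$(mktemp -d)
    cat > "$SAMPLE_DIR/fstab" <<'EOF'
# constructed sample fstab
LABEL=/        /         ext3  defaults  1 1
LABEL=logical  /logical  ext3  defaults  1 2
/dev/sda2      swap      swap  defaults  0 0
EOF
    cat > "$SAMPLE_DIR/mounts" <<'EOF'
/dev/sda1 / ext3 rw 0 0
/dev/sda3 /logical ext3 rw 0 0
EOF
    # State after the fstab line is deleted and the device is unmounted.
    grep -v '^LABEL=logical' "$SAMPLE_DIR/fstab" > "$SAMPLE_DIR/fstab.clean"
    grep -v '^/dev/sda3 ' "$SAMPLE_DIR/mounts" > "$SAMPLE_DIR/mounts.clean"
}

make_samples
preflight "$SAMPLE_DIR/fstab" "$SAMPLE_DIR/mounts" /dev/sda3 logical \
    || echo "not ready for drive encryption"
rm -rf "$SAMPLE_DIR"
```

On an engine the call would be `preflight /etc/fstab /proc/mounts /dev/sda<n> "$(e2label /dev/sda<n>)"`. Entries that reference the partition by UUID= are not detected.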

5.2.1.2 Encrypting the Drive

1. Select or create a partition.

If you already have AccAD installed, you must supply a new device of at least 8 GB (/dev/sda<n>) dedicated to the encrypted drive. Once you have the new device ready, continue to step 2.

New users, or existing users who want to split their current root partition into two partitions, using the second one for drive encryption, must do the following:

i. Use the relevant kick-start file to reinstall your system. (The kick-start file has drv-enc in its name.)

ii. Change the name, making sure to remove drv-enc.

This will split your hard drive into two partitions. The second partition is mounted on /logical until use. After the OS installation is complete, install the AccAD engine.

2. Enable drive encryption.

CAUTION: Before using /dev/sda<n> for the drive encryption, remove it from /etc/fstab, as described in the section Removing the Encrypted Device from /etc/fstab. Failing to do so causes problems during the next reboot.

Run the command:

/root/install_scripts/setup_drive_encryption.pl enable /dev/sda<n>

Disabling Drive Encryption

To disable the drive encryption, run the following command:

/root/install_scripts/setup_drive_encryption.pl disable

6. Command Line Interface

The AccAD engine has a command line interface (CLI) as an additional means of configuring the engine and its delivery policy. The AccAD CLI follows general industry standards regarding look & feel. The general features are:

User prompt (indicating mode of work and level in configuration tree)

Built-in commands (for example, help, quit, configure terminal)

Special keys

Auto completion of commands

Expert users can take advantage of the following CLI capabilities:

Configuring the AccAD engine and policy without an administration UI

Automation

6.1 Using SSH to Connect to the AccAD engines (CFE/SFE)

The SSH protocol provides a secure means of accessing the AccAD engine’s console from a remote location. Most Linux machines should have an SSH client installed. For Windows machines, you can use the PuTTY shareware.

To connect to an AccAD engine:

In the following procedure, we use the IP address 192.168.1.1 as example.

1. Invoke SSH from any Linux machine:

ssh root@192.168.1.1

2. Type the password defined for the root user.

password: <password>

The console prompt appears.

6.2 Connecting to the CLI

The admin user credentials are set during the installation phase. These credentials are used to connect to the CLI in one of two ways:

Accessing the CLI from the AccAD appliance itself, after connecting to it via SSH

Accessing the CLI from outside the AccAD appliance (This option requires firewall settings to be changed.)

6.2.1 Connecting to the CLI from the Appliance

1. Connect to the AccAD appliance using SSH.

2. At the prompt, type the command telnet localhost.

3. If you are under the ‘root’ user, you are asked to provide login details: use the admin account and the password you defined for it during the installation stage.

6.2.2 Connecting to the CLI from Outside the Appliance

1. Connect to the AccAD appliance using SSH.

2. At login, provide the login information for user ‘admin’.

The session is now that of the AccAD CLI. To return to Linux shell, see the section Returning to the Linux Shell.

6.2.2.1 Changing Firewall Settings on the AccAD Appliance Machine

1. Connect to the AccAD appliance machine using SSH.

2. Open the file /etc/sysconfig/adow-iptables for editing.

3. After the line :accad-input - [0:0], add the following line:

-A INPUT -p tcp -m tcp --dport 23 -j ACCEPT

4. Apply the change by executing the following command:

service iptables restart

You can now connect to the CLI using any standard telnet client (such as the native Windows and Linux telnet clients, or PuTTY on Windows).
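
The rule added in step 3 accepts telnet from any source address. The following added example (not part of AccAD) audits an iptables rules file for such rules and shows a source-restricted variant that passes the check. The function names, the lines surrounding the rule in the sample files and the 192.168.1.0/24 subnet are constructed.

```shell
#!/bin/sh
# unrestricted_telnet_rules RULES_FILE
# Print "<line number>: <rule>" for every appended rule that ACCEPTs TCP
# destination port 23 without an effective source match. A negated source
# ("! -s ...") or "-s 0.0.0.0/0" does not count as a restriction.
unrestricted_telnet_rules() {
    awk '
        $1 != "-A" { next }                 # only rule lines, not chains/COMMIT
        {
            telnet = 0; accept = 0; scoped = 0
            for (i = 2; i < NF; i++) {
                if (($i == "--dport" || $i == "--destination-port") && $(i + 1) == "23")
                    telnet = 1
                if (($i == "-j" || $i == "--jump") && $(i + 1) == "ACCEPT")
                    accept = 1
                if (($i == "-s" || $i == "--source" || $i == "--src") &&
                    $(i - 1) != "!" && $(i + 1) != "0.0.0.0/0")
                    scoped = 1
            }
            if (telnet && accept && !scoped) print NR ": " $0
        }
    ' "$1"
}

# Constructed sample rule files in iptables-save format. Only the telnet rule
# and the accad-input chain line come from the procedure above.
make_rule_samples() {
    RULES_DIR=$(mktemp -d)
    # Rule as given in step 3: telnet accepted from any source.
    cat > "$RULES_DIR/open.rules" <<'EOF'
*filter
:INPUT DROP [0:0]
:accad-input - [0:0]
-A INPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -j accad-input
COMMIT
EOF
    # Variant limited to one administration subnet (constructed range).
    cat > "$RULES_DIR/scoped.rules" <<'EOF'
*filter
:INPUT DROP [0:0]
:accad-input - [0:0]
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -j accad-input
COMMIT
EOF
}

make_rule_samples
for f in open scoped; do
    hits=$(unrestricted_telnet_rules "$RULES_DIR/$f.rules")
    echo "$f.rules: ${hits:-no unrestricted telnet rule}"
done
rm -rf "$RULES_DIR"
```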

6.2.2.2 Connecting to the CLI

1. Open a telnet client and connect to the AccAD machine.

2. Enter the user and password set during the installation.

Once you have logged in, you are guided by the integrated context-sensitive help system. To find out which commands are available, type ‘?’ and press <Enter>.

6.3 Command Categorization & Key Mappings

Generic CLI Commands

| Command | Description |
|---|---|
| Help | Retrieve list of available commands |
| Quit | Quit CLI session |
| Exit | Exit current CLI level and return to previous context |
| History | Return list of previously typed commands |

Commands for Changing Configuration Settings

Command                  Description
configure terminal       Start configuring the engine
configure upload <URL>   Configure according to text file, calling a specified URL (http, https, ftp)
write memory             Save
show configuration       Show current configuration
apply-configuration      Apply configuration changes to system
get-links-info           Show activated links

Diagnostic Commands

Command Name        Description
ping <host>         Send ICMP echo-request message to host
traceroute <host>   Send traceroute message to host

Key Mapping / Special keys

One of the important aspects of the CLI is support for standard special keys that enable easy navigation and quick access to the most useful functionality.

Some of the more useful special keys are:

Name          Action                 Description
Tabautocomp   TAB                    Complete the command or suggest alternatives
Clearline     Ctrl                   Clear the written line of text
Up            Up Arrow               Go up (starting from the most recent) history command and display it on the current line
Down          Down Arrow             Go down (starting from the least recent) history command and display it on the line.
EOL           Ctrl + E               Go to end of current line
SOL           Ctrl + A               Go to start of current line
Delete        Delete                 Move the cursor one character left, deleting the first character to the left.
CR/NL         Enter                  Execute the command
Redraw        Ctrl-L                 Retype the last line including both prompt and content.
EOT           Ctrl-D                 Quit CLI session
Esc           Esc                    Do nothing
Terminate     Ctrl-C                 Terminate session
Right         Right-Arrow / Ctrl-F   Move cursor right one character
Left          Left-Arrow / Ctrl-B    Move cursor left one character
Startline     Ctrl-A                 Move cursor to start of line
Endline       Ctrl-E                 Move cursor to end of line
Backspace     Backspace / Ctrl-H     Go back and delete one character

6.4 Returning to the Linux Shell

To return to the Linux shell, type the command shell from the CLI. You will be routed to the path /bin/bash/ with the user admin.

Typing the command exit will get you back to the AccAD CLI.

6.5 Using the CLI to Configure the AccAD engine

1. Log in to the CLI as explained in Connecting to the CLI.

Upon entering the CLI, you are automatically in local mode.

2. Use show configuration to view the current configuration. (Optional)

3. Type configure terminal to change engine configuration values. Configure the parameters described in section Manual Configuration of the AccAD engine.

4. Save and apply the configuration using write memory and apply-configuration.

The new configuration is now set. You can view it immediately using show configuration.

Use the diagnostic commands to check your system.

get-links-info – to obtain the status of the engine

ping and traceroute – for network diagnostics

6.6 Using the CLI to Configure a Delivery Policy

An additional use of the CLI is to define and edit delivery. This section details the commands needed to configure a delivery policy. For more information on the AccAD delivery policy, refer to section Policy Configuration.

1. From the repository machine, log on to the CLI as in Connecting to the CLI.

2. Type mode delivery-policy to switch to the policy context.

3. Type configure terminal to change configuration and then configure the policy, including groups, locations, engine instances, service types, and service instances.

Important: A name or template containing spaces must be typed within single quotation marks.

a. Define your landscape groups:

i. Type groups <group_name>. Once the group is created, you are automatically placed in its context.

ii. To leave the group context type exit.

b. Define your landscape locations:

i. Type location <location_name>. Once the location is created, you are automatically placed in its context.

ii. To leave the location context type exit.

c. Add engine instances:

i. Type engine-instances <engine_name>. Once the engine instance is created, you are automatically placed in its context.

Configure the engine instance:

a. Type ei-id <ENGINE ID>, entering the same value specified during the engine installation.

b. Type ei-groups <GROUP_LIST>, where GROUP_LIST contains all the groups this engine instance should belong to, using the groups you defined previously, separated by spaces.

To view all available groups type groups ?.

c. Type ei-location <LOCATION>, to define on which physical location this engine instance resides, using one of the locations previously defined.

ii. To leave the engine-instance context type exit.

d. Define service types:

i. Type service-types <service_type_name> ? to see the available templates.

ii. Choose a template and type service-types <service_type_name> <template>. Once the service type is created, you are automatically placed in its context. You can configure this service type. To learn about the service type parameters refer to section Configuring Service Types.

iii. To leave the service type context type exit.

e. Add service instances:

i. Type service-instances <service_instance_name> ? to see the available templates.

ii. Choose a template and type service-instances <service_instance_name> <template>. Once the service type is created, you are automatically placed in its context.

Configure the service instance:

d. Type service-fqdn <SERVICE_FQDN> to enter the fully qualified domain name of this service.

e. Type service-port <PORT> to enter the service port.

f. Type service-type-att <service_type_name> to enter the service type of this service instance, as defined previously.

g. Type groups <GROUP_LIST>, where GROUP_LIST contains all the groups this service instance should belong to, using the groups you defined previously, separated by spaces.

To view all available groups type groups ?.

h. Type location-att <LOCATION>, to define on which physical location this service instance is exposed, using one of the locations previously defined.

iii. If you chose the SAP_Cluster template, configure the message server:

i. Type message-server to enter the message server context.

j. Type ms-network-address <MS_IP> to enter the message server’s address.

k. Type ms-group <GROUP> and enter the group for this service.

To view all available groups type groups ?.

l. Type ms-port <MS_PORT> to enter the message server’s port.

iv. Otherwise, configure the service address in simpser-network-address

v. To leave the service instance context type exit.

f. Complete the policy configuration by adding delivery rules:

i. Type delivery-rules <rule_name>. Once the delivery rule is created, you are automatically placed in its context. Configure the origin of the service and the destination to which it will be delivered. Each is a group defined in previous steps:

To view all available groups type groups ?.

ii. Type delivery-origin <ORIGIN_GROUP>, and enter the origin group from which service instances will be delivered.

To view all available groups type groups ?.

iii. Type delivery-destination <DESTINATION_GROUP>, and enter the destination group, so all engine instances in that group will get delivery of the defined service instances.

iv. To leave the delivery rule context type exit.

4. Save and apply the configuration using write memory and apply-configuration.

The new configuration is now set. You can view it immediately using the show configuration command.

6.7 Automation

The CLI enables automation of the configuration process. The following scenario demonstrates an easy way to upload a full configuration file using the CLI:

1. Log on to the CLI as explained in Connecting to the CLI.

2. View configuration using show configuration to verify that the configuration is empty. If the configuration is not empty, use clear configuration.

3. Upload a prepared configuration file by typing the following:

configure upload <{http,ftp}://<server>/<path>>

4. Save and apply the configuration using write memory and apply-configuration.

7. Configuring the Client Workstation to Work with AccAD

After setting up the AD link between the remote office and the data center, you need to redirect the workstations, which currently access the application server directly, to use the AD link as their means of data transport.

Plan the method by which the traffic from the clients’ workstations is redirected to the AccAD engine instance to ensure that application services are delivered by AccAD. The following sections describe methods that supply the means for redirecting only the requests for applications delivered over AccAD, while allowing other services to operate as usual.

You can select one or more of the options described in this section. Make sure that you prepare the necessary data for the selected method.

7.1 DNS Manipulation Using the etc/hosts File

With this method, the DNS mechanism first checks the local /etc/hosts file before requesting the actual DNS server to resolve the logical server name to its IP address.

Note: This method requires you to update /etc/hosts on each workstation whenever a new server is added to the list of reflected servers, making it suitable for small-scale trials only.

Preparing for Integration

You need the following permissions on the remote office workstations for these locations:

UNIX workstation: The hosts file location is /etc/hosts. Make sure that you have the root permissions required to modify this file.

Windows workstation: The file location is <OSdrive>:\Windows\System32\drivers\etc\hosts. Make sure that you have the local administrator privileges required to modify this file.

Configuring DNS Manipulation Using the etc/hosts File

Redirection is enabled by adding entries to the hosts file, which resolves the application server's DNS names to the local AD virtual server's IP addresses. This method is suited for test and demonstration purposes.

First you need to determine the address mapping between the application server and the virtual server, that is, which virtual IP address on the AccAD engine represents a specific server.

To check the DNS proxy:

1. Run the following command in the engine for information about reflected servers in a format suitable for the hosts file:

service ad_dns_proxy hosts

2. Copy the output of this command directly to the hosts file on the client workstation.

To configure the correct mapping information statically in each workstation:

1. On the user workstation, open the hosts file (for Windows XP) by navigating in Microsoft Windows Explorer to c:\WINDOWS\system32\drivers\etc\hosts, or by entering the following commands:

a. Click Start > Run.

b. Enter the following in the command box:

notepad c:\WINDOWS\system32\drivers\etc\hosts

2. For each server, add a line defining the DNS resolution:

At the end of the hosts file, add the entry:

<virtual IP address> <DNS name of application server>

Example: 192.168.100.51 litlvh74.tlv.sap.corp

Check setup correctness:

You can check the correctness of the setup by using one of the following methods:

Ping the server and verify that the ping succeeded. Run the following in a command window:

Example: ping -c 10 <name of server>

Use telnet and verify that it does not exit immediately. This indicates that the virtual server is listening on the port.

Run the following in a command window:

telnet <name of server> <service port>

Example: telnet iltlvh74.tlv.sap.corp 50000
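One way to install the output of service ad_dns_proxy hosts on a Linux workstation, as an added example that is not part of the original guide: the entries are validated and kept in a single delimited block of the hosts file, so that the redirections can be reviewed, replaced or removed as a unit. The function names and block markers are hypothetical, and the second sample entry is constructed.

```shell
#!/bin/sh
# Added example (not from the guide): keep AccAD redirection entries in one
# delimited block of the hosts file. Marker text and names are hypothetical.
BEGIN_MARK='# BEGIN AccAD reflected servers (managed block)'
END_MARK='# END AccAD reflected servers'

# Succeeds only if every non-blank, non-comment line on stdin is
# "<IPv4 address> <hostname>..." with octets 0-255 and DNS-safe names.
valid_hosts_entries() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        {
            if (NF < 2 || split($1, o, ".") != 4) exit 1
            for (k = 1; k <= 4; k++)
                if (o[k] !~ /^[0-9]+$/ || o[k] + 0 > 255) exit 1
            for (f = 2; f <= NF; f++)
                if ($f !~ /^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$/) exit 1
        }
    '
}

# Replace (or append) the managed block in hosts file $2 with entries from $1.
sync_accad_hosts() {
    entries=$1 hosts=$2
    valid_hosts_entries < "$entries" || {
        echo "refusing to install: malformed entry in $entries" >&2
        return 1
    }
    tmp=$(mktemp "${hosts}.XXXXXX") || return 1
    # Copy everything outside an existing managed block; fail if a BEGIN
    # marker has no END marker, so unrelated lines are never dropped.
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
        $0 == b { skip = 1; next }
        $0 == e { skip = 0; next }
        !skip
        END { if (skip) exit 1 }
    ' "$hosts" > "$tmp" || { rm -f "$tmp"; return 1; }
    {
        printf '%s\n' "$BEGIN_MARK"
        awk 'NF && $1 !~ /^#/' "$entries"
        printf '%s\n' "$END_MARK"
    } >> "$tmp"
    # Nothing to do if the file already has exactly this block.
    if cmp -s "$hosts" "$tmp"; then
        rm -f "$tmp"
        return 0
    fi
    # Overwrite in place so the hosts file keeps its owner and mode.
    cat "$tmp" > "$hosts"
    status=$?
    rm -f "$tmp"
    return "$status"
}

# Demonstration on a scratch copy; the first entry is the guide's example,
# the second is constructed.
demo() {
    dir=$(mktemp -d) || return 1
    printf '127.0.0.1 localhost\n' > "$dir/hosts"
    printf '192.168.100.51 litlvh74.tlv.sap.corp\n192.168.100.52 portal.example.com\n' > "$dir/entries"
    sync_accad_hosts "$dir/entries" "$dir/hosts" && cat "$dir/hosts"
    rm -rf "$dir"
}

demo
```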

7.2 DNS Manipulation Using AccAD DNS Proxy

The engine, whether CFE or SFE, can act as a DNS proxy. When this capability is enabled and the IP address of the machine is configured as the primary DNS in the remote office workstations, the engine answers DNS requests from the workstations.

When the requests are intended for servers that are part of a delivery rule, the engine manipulates the response and returns the virtual IP that represents the delivered service. Thus delivery to the data center takes place through the engine. Other requests are forwarded to the DNS server.

Prerequisites

The DNS server IP address is required during installation. You obtain it as follows:

UNIX: Open the file /etc/resolv.conf for viewing; you can use, for example, the command less /etc/resolv.conf

Windows: In the CMD line, type nslookup.

7.3 Configuring DNS Proxy Method

When the engine is configured as the DNS server, any of the engine IP addresses can be used for the DNS server settings on the client-side workstation.

7.3.1 Configuring DNS on a Windows Machine

Define the CFE as the primary DNS:

1. Go to Start > Settings > Network Connections > Local Area Connection.

2. Click Properties, select Internet Protocol (TCP/IP), and click Properties.

3. In the General tab, select Use the following DNS server addresses and enter the main IP address of the engine machine.

Refresh the workstation DNS proxy:

In Microsoft Windows, the DNS proxy caches DNS requests. To prevent delays in DNS modification execution, flush the cache of the DNS proxy.

1. Open the command line (cmd).

2. Type: ipconfig /flushdns

Note: Use this command after each update to the delivery policy or after stopping/starting the AccAD service in the engine.

7.3.2 Configuring AccAD as DNS on a Linux Machine

1. Using an editor application, access the file: /etc/resolv.conf

2. Add the following line:

nameserver <CFE machine IP>

3. Save and exit.

7.3.3 Ensuring Automatic Failover in DNS Proxy Mode

To ensure automatic failover, you must configure the secondary DNS server of the workstation to the same values as of the primary DNS server. This way, when the AccAD DNS proxy service is down for any reason, an automatic failover to direct access through the DNS server takes place.

When AccAD is up and running, the redirection resumes within 30 minutes (according to the expiration time you defined in the workstation registry).

If AccAD is running on Windows, you must flush the DNS proxy as explained in Configuring DNS on a Windows Machine.

For more details on automatic failover, refer to the section High Availability with AccAD.

7.4 HTTP Proxy

The engine can act as a web proxy.

Requests for services not configured for delivery with AccAD are forwarded, either to the proxy of the organization, if one is configured, or directly to the server itself. It is also possible to configure the engine not to forward such requests.

In the remote office workstation, the browser settings must be set to use the HTTP proxy running on the engine. No special configuration is required in the DNS settings of the workstation.

Preparing for Installation

If another HTTP proxy is being used in the organization, you need to supply its IP address and port number. The IT administrator can supply this information.

Configuring the HTTP Proxy Method

The HTTP proxy server runs on the CFE IP port 18080.

Configuration of AccAD as the HTTP Proxy should also include configuration of a parent proxy. Following are two examples of such configurations.

Note: By default, the Internet Explorer browser is set to use the HTTP 1.0 protocol through proxy connections. HTTP 1.0 doesn't support gzip, chunked messages, or connection reuse; this results in performance degradation when configuring the AccAD engine as the workstation web proxy.

When configuring the AccAD engine as the client workstation web proxy, make the following change:

In the browser, go to Tools > Internet Options > Advanced and select the Use HTTP 1.1 through proxy connections checkbox.

7.4.1 Configuring the Web Proxy

When configuring the AccAD engine to act as a web proxy, configure the listening IP and port as part of the instance configuration. More details can be found at Configuring the Engine Node.

In addition, a forwarding method should be configured so that, when receiving a request for services not delivered with AccAD, the proxy does one of the following:

Forward the request to an organizational proxy, if one is configured

Forward the request directly to the server

Close the connection

7.4.1.1 Configuring the Proxy

When configuring the engine instance, enter values for the following:

Name: Proxy Listening IP
Value: If the traffic redirection method is by proxy, specify the IP on which the instance listens to requests.
Additional comments: Default value – 0.0.0.0. Recommendation: It is strongly recommended to use the default value.

Name: Proxy Listening Port
Value: The proxy listening port on the listening proxy
Additional comments: Default 18080

Name: Proxy Forwarding Method
Value: Choose the proxy forwarding method: Through a parent proxy; Directly to the server; no forwarding
Additional comments: By default – direct forwarding

7.4.2 Configuring Client Workstations to Use the CFE Proxy

You can configure the CFE proxy as a traffic interception method in a number of ways. The following sections describe the configuration options.

7.4.2.1 Configuring the HTTP Proxy Using a PAC File

If you use a PAC file (proxy auto config) to configure the proxy in your organization, modify the file to forward requests for delivered services to the AccAD engine. To enable high-availability, provide an alternative to the engine proxy in case it fails to answer requests.

function FindProxyForURL(url, host) {
    // Requests for delivered services go to the AccAD engine proxy first.
    if (shExpMatch(url, "*<delivered_service_1>/*")) {
        return "PROXY <Proxy_Listening_IP>:<Proxy_Listening_Port>; <fallback_option>";
    }
    if (shExpMatch(url, "*<delivered_service_2>/*")) {
        return "PROXY <CFE hostname>:18080; <fallback_option>";
    }
    // All other requests use the fallback option only.
    return "<fallback_option>";
}

Where <fallback_option> enables high availability, and represents one of the following:

DIRECT – If there is no organization proxy, direct access is used.

PROXY <organization proxy>:<organization proxy port> – configures the organization proxy.

To use the HTTP Proxy with Microsoft Internet Explorer:

1. In Microsoft Internet Explorer, go to Tools > Internet Options.

2. In the Connections tab, choose LAN Settings.

3. Select the Use a proxy server checkbox.

4. Enter the proxy listening IP and port.

To use the HTTP proxy with Netscape/Mozilla:

Enter the proxy settings by means of Edit > Preferences > Advanced.

7.4.2.2 Configuring the HTTP Proxy for all Traffic

You can choose to use the AccAD engine proxy as the proxy for all communication for the client workstation.

7.4.2.3 Configuring the HTTP Proxy on a Common Web Proxy

If you use a common web proxy, its forwarding rules should be edited so that delivered services are forwarded to the engine. For example, the following lines would be added to a Squid web proxy configuration file (squid.conf) to set it for forwarding services to the engine:

acl DeliveredByAccAD dstdomain <delivered_HTTP_Service_1_hostname>
acl DeliveredByAccAD dstdomain <delivered_HTTP_Service_2_hostname>
# cache_peer takes the peer hostname first, then its type (parent)
cache_peer <AccAD CFE hostname> parent 18080 7 proxy-only
cache_peer_access <AccAD CFE hostname> allow DeliveredByAccAD
never_direct allow DeliveredByAccAD

7.5 Transparent Mode

When you use this method, the DNS server performs name resolution. AccAD catches packets sent to the data center server and redirects them to the virtual services using DNAT (Destination Network Address Translation). To enable AccAD, your network administrator should set routing rules in the remote office router. For more information, see section Configuring Transparent Proxy Method.

Preparing for Integration

The network administrator has to edit the redirecting rules in the router.

7.6 Configuring Transparent Proxy Method

This method requires that the engine is defined in the routing path for the delivered service either by setting it as the default gateway on each client-side workstation or by adding explicit routing rules in the remote office router. Relevant traffic is redirected using DNAT manipulation to the virtual server address on the engine.

Recommendation: Use the explicit routing rules in the remote office router only when you are ready to go live with the entire remote office. For testing purposes, modify the default gateway in a specific workstation to the main engine IP address.

7.6.1 Example of Applying the Transparent Proxy

An organization’s remote office in London has 20 workstations.

The remote office subnet is 192.168.200.0 mask 255.255.255.0.

The remote office router IP is 192.168.200.1

The CFE virtual IP is 192.168.200.143

The data center includes an Intranet server on address 192.168.100.143.

Based on this information, the administrator types the following commands on the (Cisco-based) router:

!
interface Ethernet0
 description To office Ethernet
 ip address 192.168.100.1 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 ip policy route-map proxy-redir
!
access-list 110 deny tcp host 192.168.100.143 any eq www
access-list 110 permit tcp any any eq www
route-map proxy-redir permit 10
 match ip address 110
 set ip next-hop 192.168.200.143

7.6.2 Ensuring Automatic Failover in Transparent Proxy Mode

When the delivery policy is not active, packets arriving at the engine are forwarded to the default gateway. However, after implementing the proxy transparent method as described above in this section, the packets are forwarded back to the engine. As a result, the packets are forwarded back and forth between the engine and the default gateway. When this happens, the delivery service is not available at all.

To prevent this lack of service and ensure failover, do the following:

Modify the source address of packets forwarded via the engine.

Exclude packets whose source address is the engine from the forwarding list in the gateway.

Note: The procedures described in this section are not for redirection in case of engine shutdown, but in case the delivery policy is not active.

7.6.2.1 Modifications in the Engine Routing Rules

To ensure failover:

1. Stop all instances, for example for slot-0 type:

# service slot-0 stop

2. Clear all iptables rules on the machine:

# iptables -F
# iptables -t nat -F
# service iptables save

3. Verify that no rules exist by typing:

# iptables -L
# iptables -t nat -L

No rules should appear.

4. Add the iptables rules on the machine:

For each service port, add the following:

# iptables -t nat -A POSTROUTING \
    -p tcp --dport <service.port> \
    -j SNAT \
    --to-source <cfe.main.ip>

Example: If eth0 is the machine’s main interface and you plan on delivering via ports 80, 50000:

# iptables -t nat -A POSTROUTING \
    -p tcp --dport 80 \
    -j SNAT \
    --to-source <cfe.main.ip>

# iptables -t nat -A POSTROUTING \
    -p tcp --dport 50000 \
    -j SNAT \
    --to-source <cfe.main.ip>

5. Save to the iptables persistent configuration file:

# service iptables save

6. Start all instances. For example for slot-0 type:

# service slot-0 start
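The following check is an added example, not part of the original guide: it reads the output of iptables -t nat -S POSTROUTING and reports each delivered port that has no SNAT rule to the engine's main IP, the rule that lets the gateway tell engine-forwarded packets from client packets. The function names, the address 192.168.200.10 and the sample rules are constructed.

```shell
#!/bin/sh
# Added example (not from the guide): confirm that every delivered service
# port has the SNAT rule from step 4.

# usage: iptables -t nat -S POSTROUTING | missing_snat_ports <cfe.main.ip> <port>...
# Prints each port without a matching rule; exit status 1 if any is missing.
missing_snat_ports() {
    cfe_ip=$1
    shift
    awk -v ip="$cfe_ip" -v want="$*" '
        $1 == "-A" && $2 == "POSTROUTING" {
            tcp = 0; port = ""; snat = 0; src = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p" && $(i + 1) == "tcp") tcp = 1
                if ($i == "--dport") port = $(i + 1)
                if ($i == "-j" && $(i + 1) == "SNAT") snat = 1
                if ($i == "--to-source") src = $(i + 1)
            }
            # Only a TCP SNAT rule that rewrites to the engine IP counts.
            if (tcp && snat && src == ip && port != "") have[port] = 1
        }
        END {
            n = split(want, p, " ")
            for (k = 1; k <= n; k++)
                if (!(p[k] in have)) { print p[k]; missing = 1 }
            exit missing + 0
        }
    '
}

# Constructed sample of "iptables -t nat -S POSTROUTING" output: port 80 is
# covered, port 50000 is rewritten to a different address and so is not.
sample_nat_rules() {
    cat <<'EOF'
-P POSTROUTING ACCEPT
-A POSTROUTING -p tcp -m tcp --dport 80 -j SNAT --to-source 192.168.200.10
-A POSTROUTING -p tcp -m tcp --dport 50000 -j SNAT --to-source 192.168.200.99
EOF
}

# Prints 50000, then the message, because that port lacks the expected rule.
sample_nat_rules | missing_snat_ports 192.168.200.10 80 50000 ||
    echo "SNAT rule missing for the ports listed above"
```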

7.6.2.2 Modifications in the Default Gateway

The following example is for Cisco IOS. In the example, it is assumed that delivery is by means of ports 80, 50000.

Example: In the gateway, add:

router(config)# access-list 110 deny tcp host <cfe.main.ip> any eq 80
router(config)# access-list 110 deny tcp host <cfe.main.ip> any eq 50000
router(config)# access-list 110 permit tcp any any eq 80
router(config)# access-list 110 permit tcp any any eq 50000
router(config)# access-list 110 deny ip any any
router(config)# route-map proxy-redir permit 10
router(config-route-map)# match ip address 110
router(config-route-map)# set ip next-hop <cfe.main.ip>

8. Monitoring the AccAD Engine

Once AccAD is up and running, you can monitor it using the following tools:

Web UI

Application Delivery Monitor

Service Monitor

CCMS / SLD

This section describes the use of each tool.

8.1 Monitoring the Engine with AccAD Administrator

The web UI can be used to:

View performance data

View traffic history records

View cache statistics

Monitor events and alerts

The traffic information auditing capability exposed in the UI can be used for tracking AccAD usage and performance over time. This tool gives a fine-grained view of system performance at the connection level, supplying IP and port information which can help distinguish between the various delivered services.

8.1.1 Viewing Performance Data

In the UI, navigate to Traffic History. You can view:

Services Performance - For each of the services, you can examine the volume of data delivered over a certain period of time to all remote offices. Each service has its own group of bars representing performance according to the legend.

Use the dropdown list to define the time period.

Engine Instance Performance – You can examine the volume of aggregated data delivered by all services over a certain period of time to a certain remote office. Each remote office has its own group of bars representing performance according to the legend.

Use the dropdown list to define the time period.

8.1.2 Viewing Traffic History Records

1. In the UI, navigate to Traffic History. A table displaying traffic history is displayed.

2. If no traffic history appears, refresh the portal page using the Options icon at the upper-right of the page.

3. To obtain the full details associated with the connection, click the radio button to select the desired entry in the table. The information is then displayed in the Session Details in the lower part of the screen.

8.1.3 Viewing Cache Statistics

Select the components for which you want to obtain statistics (such as the server or remote office) and choose Generate.

Data is returned about:

cache hits and misses

volume of data from the cache

transaction count

8.1.4 Viewing and Changing Alerts

Alerts are defined as events of high severity that require corrective action to be taken.

To view alerts:

1. In the UI, navigate to Audit.

2. Click Alerts.

To change the Alert table display settings:

You can optionally change the Alerts table layout, sort order, and appearance.

1. Click the pencil icon in the top right side of the table.

a. To modify the column layout, choose the Column Layout pane.

i. Change the position of a column by choosing the desired number in the Position column.

ii. Define whether or not a column is visible by selecting or deselecting its checkbox in the Visible column.

iii. For the alert source ID, you can choose the calculation method from the dropdown list in the Calculate column.

b. To define sort order and subtotals, choose the Sort and Subtotals tab.

i. From the dropdown list, choose the fields that you want to use for sorting, in ascending or descending order.

ii. Choose the Subtotals checkbox to display subtotals.

c. In the General Settings tab, define the following:

i. From the Background dropdown list, choose the table background.

ii. Define the number of rows to display in one page or select the Display all rows on one page.

2. Choose Apply to save your changes, Cancel to ignore them, or Default Settings to restore default values.

8.1.5 Viewing Events

Events are created during typical operation of the system. Events do not constitute an erroneous situation requiring corrective action, but rather provide indications regarding events that occurred over time.

1. In the UI, navigate to Audit.

2. Click Events.

8.2 Using the Application Delivery Monitor

This section describes how to install the Application Delivery Monitor and how to use it to monitor application delivery activities.

The Application Delivery Monitor tracks online link activity on both the uplink and the downlink, including comparative graphs depicting real compressed volume against the uncompressed data volumes, as seen by the client and server end points.

The Application Delivery Monitor can also help detect that traffic is flowing via the AD link setup between the CFE and the SFE.

Note that the monitor does not show traffic to data center servers that have not been directed to flow via the AD link.

8.2.1 Installing the Application Delivery Monitor

1. Insert the Accelerated Application Delivery for SAP NetWeaver CD, or make it available on the administrator’s PC.

2. Copy the folder DATA_UNITS/AccAD_MONITOR_2_2 to the administrator’s machine.

3. Verify that all files were copied:

bwmonitor.sh – Unix / Linux invocation script

bwmonitor.bat – Windows invocation script

bwmonitor.jar – Java implementation

4. Activate the Application Delivery Monitor by clicking on the launch script:

On Windows machines, click bwmonitor.bat

On Unix and Linux machines, click bwmonitor.sh

8.2.2 Configuring the Application Delivery Monitor

1. Run the Application Delivery Monitor.

2. Click Set.

A dialog box appears displaying IP and port values. Enter the IP address of the SFE or CFE device and keep the default port value of 1600.

3. Click OK to save the configured parameters.

4. Click the Play icon.

After several seconds two rows appear in the table view.

8.3 Using the Service Monitor

This section describes the use of the Service Monitor. The Service Monitor checks availability of each of the delivered services and enables bypassing AccAD in the event of delivered service failure.

8.3.1 How the Monitor FunctionsThe monitor tests each delivered service every minute by downloading a page from the services andchecking if the page meets the requirements of the check pattern. The Check Pattern is defined in theService Type of the delivered service. For more configuration details refer to the section ServiceTypes.

NoteIf Check Pattern in the Service Type is empty for the delivered service the monitor skipsthe check for this delivered service.

8.3.2 What the Monitor Checks

For each delivered service, the monitor performs the following:

A DNS check to verify that the service DNS name exists in the AccAD DNS server

If the DNS check fails, the monitor sends a notification and the AccAD bypass for the delivered service is activated.

A page download from the delivered service via the AccAD CFE tunnel

If downloading the page fails, the monitor tries three more times at intervals of 10 seconds. If it fails the third check, bypass for the specific delivered service is activated and a notification message is sent, either by e-mail or as a report to the Syslog server. See Notifications.

8.3.3 Recovery Mode

Recovery mode for a specific delivered service is turned on automatically if the delivered service check fails.

If a service check fails, the monitor continues to check the service for availability. If the service becomes available again, the monitor removes the bypass and sends a recovery notification. See Notifications.

If a service check fails a second time within one hour, the monitor stops checking the service, and then it resumes checking after one hour.

This behavior prevents a flood of notifications in the event of network or service maintenance problems.

8.3.4 Bypass Mode

In the case of a delivered service failure, there are two bypass modes, which can be configured during the monitor installation.

Redirection mode – Redirecting the traffic to the service IP address instead of to the virtual one

Reject mode – Rejecting any traffic to the delivered service by means of the AccAD CFE.

Note: Use this mode if other monitoring tools that check service availability are active.

Bypass mode is activated automatically if the delivered service check fails, or it can be activated manually.

8.3.5 Notifications

The monitor can send notifications by e-mail and report to the Syslog server. Notification configuration is performed for each CFE when configuring the Service Monitor, as detailed in the section Configuring the Monitor.

The default Syslog Server IP points to 127.0.0.1 (/usr/local/vl/base/scripts/vl_monitor.pl -syslog <Syslog Server IP Address>)

8.3.6 Installing the Monitor

The monitor installation is done from the repository, as part of the policy configuration explained in section Configuring the Delivery Policy.

In the UI of the instance that you want to monitor, open the node.

1. Go to the Monitor node to configure the monitor.

2. Configure the following parameters (or keep the default values):

Field Name – Description

Monitor Off – Check this checkbox to disable the monitor on this CFE appliance. If it is not checked, the monitor is installed and started.

From Mail Address – The e-mail address from which to send e-mail notifications

E-mail List – Notification e-mail recipient list, separated by semicolons

Send Mails via Program – Choose between Telnet and Sendmail: Telnet connects directly to the SMTP server and sends mail from the address configured in the From Mail Address field. Sendmail uses the local mail program.

Syslog Server – Syslog Server IP

Times to Retry on Failure – After a page download has failed, how many times to perform the check again before activating a bypass

Waiting Time Between Retries – How long to wait between checks of page download in case the check failed (in seconds)

Recovery Time Frame – The time frame (in seconds) in which two failed checks (each consisting of the number of page download checks specified in Times to Retry on Failure) cause the monitor to stop checking the delivered service

Stop Monitoring For – The time period (in seconds) for which the monitor stops checking the service

Use Reject Rule on Bypass – Check this checkbox to reject traffic in bypass mode. By default it is unchecked, which redirects traffic to the real service IP address.

Client Certificate (PEM format) – Deploy a client certificate for HTTPS communication. The client certificate is used on each monitor check; the certificate should be in PEM format.

Client Certificate Password – Provide the client certificate password

Make sure you configured the parameters for SMTP and FQDN for this appliance, as explained in Configuring the Engine Node.

3. Save and apply the configured parameters.

4. Create the appliance definition file and configure the appliance using it, as described in Semi-Automatic Installation.
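
The check, retry, bypass and recovery behaviour of sections 8.3.2 to 8.3.4, driven by the parameters listed in section 8.3.6, modelled as an added Python example (it is not SAP's vl_monitor.pl code). The class and function names, the sample pages and the "Welcome" check pattern are constructed for illustration. Assumptions: the defaults are the values quoted in the prose (three retries, 10 seconds, one hour), the check pattern is treated as a plain substring, and "a second failure within the time frame" is read as two failed checks no further apart than Recovery Time Frame.

```python
"""Model of the Service Monitor decision logic (added example, not SAP code)."""
from dataclasses import dataclass


@dataclass
class MonitorConfig:
    check_pattern: str = "Welcome"     # constructed sample; empty disables the check
    times_to_retry: int = 3            # Times to Retry on Failure
    wait_between_retries: int = 10     # Waiting Time Between Retries (seconds)
    recovery_time_frame: int = 3600    # Recovery Time Frame (seconds)
    stop_monitoring_for: int = 3600    # Stop Monitoring For (seconds)
    use_reject_rule: bool = False      # Use Reject Rule on Bypass


class ServiceMonitor:
    def __init__(self, cfg, dns_check, download, sleep=lambda seconds: None):
        self.cfg, self.dns_check, self.download, self.sleep = cfg, dns_check, download, sleep
        self.bypass = None             # None, "redirect" or "reject"
        self.last_failure = None       # time of the previous failed check
        self.suspended_until = 0
        self.downloads = 0

    def _page_ok(self):
        # One download plus up to times_to_retry repeats; a page that arrives
        # without the check pattern (an error page, say) counts as a failure.
        for attempt in range(1 + self.cfg.times_to_retry):
            if attempt:
                self.sleep(self.cfg.wait_between_retries)
            self.downloads += 1
            page = self.download()
            if page is not None and self.cfg.check_pattern in page:
                return True
        return False

    def run_check(self, now):
        """One per-minute check at time `now` (seconds); returns the events raised."""
        if not self.cfg.check_pattern or now < self.suspended_until:
            return []                  # check skipped: no pattern, or monitoring stopped
        if self.dns_check() and self._page_ok():
            if self.bypass is None:
                return []
            self.bypass = None
            return ["bypass removed; recovery notification"]
        events = []
        if self.bypass is None:
            self.bypass = "reject" if self.cfg.use_reject_rule else "redirect"
            events.append(f"bypass activated ({self.bypass}); failure notification")
        prev = self.last_failure
        if prev is not None and now - prev <= self.cfg.recovery_time_frame:
            # Second failed check inside the time frame: go quiet for a while.
            self.suspended_until = now + self.cfg.stop_monitoring_for
            self.last_failure = None
            events.append("second failure within time frame; monitoring suspended")
        else:
            self.last_failure = now
        return events


def simulate(outage_minutes, total_minutes, cfg=None):
    """Drive the monitor once a minute; the service is down in `outage_minutes`."""
    clock = {"minute": 0}

    def download():                    # constructed pages, not real AccAD output
        if clock["minute"] in outage_minutes:
            return "<html>503 Service Unavailable</html>"
        return "<html>Welcome to the portal</html>"

    monitor = ServiceMonitor(cfg or MonitorConfig(), lambda: True, download)
    timeline = []
    for minute in range(total_minutes):
        clock["minute"] = minute
        timeline += [(minute, event) for event in monitor.run_check(minute * 60)]
    return timeline, monitor
```

Calling simulate({2, 5}, 8) shows a service that flaps twice within the time frame: the second bypass stays in place while the monitor is silent, so the service remains bypassed for the whole Stop Monitoring For period even if it recovers a minute later.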

8.3.7 Configuring the Monitor

On the engine machine, run the monitoring script as follows:

/usr/local/vl/base/scripts/vl_monitor.pl [Remote Office/Data Center name] [-help]

[-bypass <add | rem> ] [-start] [-stop] [-install]

[-uninstall] [-mailtest] [-e-mail <list | add | rem>]

[-syslog list | <ip address>]

-mailtest - Sends a test mail to all registered e-mail addresses

-bypass

add - Add iptable rules to bypass

rem - Remove iptable rules

-start - Start portal check

-stop - Stop monitoring check

-status - check status

-install - Create the bash file in /etc/cron.minutely/

-uninstall - Remove the bash file from /etc/cron.minutely/

-syslog - list or change syslog server

-e-mail

list - list all notification e-mails

add - add e-mail address to list of notifications

rem - remove e-mail from the list

8.3.8 Examples

Adding and removing the AccAD bypass to delivered services

Add or remove the bypass by running one of the following commands.

To add:

/usr/local/vl/base/scripts/vl_monitor.pl -bypass add www.example.com

To remove:

/usr/local/vl/base/scripts/vl_monitor.pl -bypass rem www.example.com

Adding and Removing an e-mail address to the notification list

To add:

/usr/local/vl/base/scripts/vl_monitor.pl -e-mail add [email protected]

To remove:

/usr/local/vl/base/scripts/vl_monitor.pl -e-mail rem [email protected]

To list all notification e-mail addresses:

/usr/local/vl/base/scripts/vl_monitor.pl -e-mail list

8.3.9 Start/Stop Monitoring

To start monitoring:

/usr/local/vl/base/scripts/vl_monitor.pl -start

To stop monitoring:

/usr/local/vl/base/scripts/vl_monitor.pl -stop

8.4 Using the CCMS/SLD Systems

AccAD, as a standard SAP component, is visible in the standard NetWeaver monitoring and system management tools, CCMS and SLD, by means of an SFE component that supports registration to these two systems.

8.4.1 CCMS

CCMS provides the framework to centrally store, display, analyze and react to alerts, including a performance database and an external interface. All components must deliver data to this infrastructure.

The basic architecture includes:

Data suppliers - programs that deliver data to the monitoring architecture

Data consumers - programs that read data from the monitoring architecture

Monitoring objects and attributes - objects to be monitored

In AccAD 2.2 we report to the central system general host / OS level status information regarding usage of CPU and memory resources.

8.4.2 SLD

The SAP System Landscape Directory (SLD) is the central information provider in a system landscape.

The SLD contains two types of information:

Component information: Information about all available SAP products and components, including their versions. If there are any third-party products in the system landscape, they are also registered here.

Landscape description: Contains all installed systems in a system landscape. When a collaborative business process is configured, the landscape descriptions are needed to determine the system information of the business partners involved.

In AccAD we report the name type (AccAD) and version (2.2) parameters to the central J2EE SLD system, so the AccAD SFE is visible as part of the landscape of SAP components.

8.4.3 Installing and Uninstalling CCMS and SLD

For installing CCMS/SLD, follow the SAP notes explaining how to connect to the central systems. Once all parameters are prepared, you may proceed with the installation.

Note: Perform this installation sequence only on the repository machine.

To install the component:

1. Install both CCMS and SLD support clients on the repository machine by running the following command:

/media/cdrom/DATA_UNITS/AccAD_ENGINE_2_2/<OS>/install.pl install ccms

Where <OS> is the operating system you are running:

Note: Make sure to type the command on one line.

2. For the CCMS installation, enter an interactive SAPCCMSR session. Be prepared with the following information:

SAP system ID

Additional central system

Logon information for the admin user

Client number

User name

Interface language?

Hostname of the message server

If load balancing is being used, the hostname of the application server

System number

Route string

Trace level

User password

3. For the SLD installation, enter an interactive SLDREG session. Be prepared with the following HTTP connection information:

User name

Password

Server hostname

Port used

Protocol (HTTPS rather than HTTP?)

When asked if you want to write this information to a secure file, answer 'y'.

To uninstall:

1. Run the following command from the repository machine:

/media/cdrom/DATA_UNITS/AccAD_ENGINE_2_2/<OS>/install.pl uninstall ccms

Where <OS> is the operating system you are running:

Note: Make sure to type the command on one line.

2. To uninstall CCMS, enter an interactive SAPCCMSR session. You are asked to supply the logon information for the admin user as was entered during the install stage. SLD is uninstalled automatically.

9. Troubleshooting

9.1 Verifying AccAD Functionality

This section provides you with a minimal operation test. You can run it when installation and configuration are over to verify that AccAD is operational.

9.1.1 Prerequisites

Verify that you have completed the full installation sequence:

The AccAD engine is installed and activated on the repository, SFE and CFE

A delivery policy is activated

At least one user workstation is configured to work with AccAD

The Application Delivery Monitor is installed and configured (optional)

9.1.2 Testing Traffic

This test verifies that the delivered services flow via AccAD.

To test the traffic:

1. Open a browser and access the application server of the delivered service using the regular URL.

Note: If you are using TLS/SSL termination, use the HTTPS prefix in the URL.

If the port is not the default TLS/SSL port (443), specify the port number explicitly. For example, https://server21.abc.sap.corp:1443/irj/portal

2. Perform a number of actions and then close the browser.

3. Watch the traffic using one of the following tools:

In the Application Delivery Monitor, observe the traffic volume. Refer to Using the Application Delivery Monitor for usage details.

Using the repository UI, refresh the traffic history page and observe the record. Refer to Using the Web UI to Monitor the AccAD engine for more details.

Note: Traffic history records only appear a few minutes after closing the session.

9.2 Restarting the AccAD Engine

To restart the AccAD engine in either the SFE or CFE machine, connect to the machine and type the following command:

service <slot-ID> restart

9.3 Uninstalling the AccAD Engine

To uninstall the SFE or the CFE:

1. Verify that you are in the /root directory by typing:

cd

2. Run the AccAD engine uninstaller by typing the following:

/opt/accad/install.pl uninstall <ENGINE_TYPE>

Note: Make sure to type the command on one line.

If you installed the repository and SFE on the same host, uninstall the repository first and only then perform the SFE uninstall.

9.4 AD Folder Structure Information

The structure of the Application Delivery folders, on the repository, SFE and CFE host, is as follows:

Configuration files are located at /etc/sysconfig/vl

Service files are located at /etc/rc.d/init.d

Binaries, scripts, and internal configuration files are located at /usr/local/vl

CAUTION: The files listed above are intended for advanced users only for purposes of maintenance and support. Do not edit these files without explicit instructions from SAP development support engineers. Log files created to monitor the system are intended for use by SAP development support engineers only.

9.5 Importing and Exporting Configuration Settings

The AccAD engine enables backup and restore of all configurable components:

Local engine configuration

Delivery policy

Appliance landscape

The backup can be saved either to a local folder in the file system of the engine host or exported to any workstation. You can use the archived configuration settings for additional engine instances and in the event of data or hardware loss.

9.5.1 Archiving Configuration Settings

You can save and archive your configuration settings on the AccAD machine. To encrypt the settings, refer to the section Adding Drive Encryption for Persistent Content.

1. In AccAD Administrator, on the relevant machine, go to the tab you want to archive (Local Configuration, Delivery Policy, or Appliances Landscape).

2. In the root node of the navigation tree, choose Save to Archive.

3. In the respective fields, enter a name and description for the archived configuration.

4. Choose OK.

9.5.2 Loading Archived Configuration Settings

1. Log on to the AccAD Administrator of the relevant machine as the ‘root’ user, and choose one of the following tabs:

Local Configuration

Delivery Policy

Appliance Landscape

2. In the navigation tree, choose the Archive node.

3. Select the configuration you want and choose Load.

9.5.3 Exporting Configuration Settings

Configurations can be exported to your workstation.

Note: For security reasons, only the ‘root’ user has the authorization to perform this action.

1. Log on to the AccAD Administrator of the relevant machine as ‘root’ user and go to the tab you want to export (Local Configuration, Delivery Policy, or Appliance Landscape).

2. In the root node of the navigation tree, choose Export.

3. Choose a location to which to export the configuration and save.

9.5.4 Import Configuration Settings

1. In the AccAD Administrator of the relevant machine, go to the tab you want to import (Local Configuration, Delivery Policy, or Appliances Landscape).

2. In the root node of the navigation tree, choose Import.

3. Browse and select the XML file to import. The configuration is uploaded.

10. Version Upgrade

Upgrade can be executed on heterogeneous landscapes, including both Suse and RedHat machines.

To upgrade the AccAD version automatically, do the following:

1. Log in to the SFE machine as root user.

2. Download the latest AccAD ISO file to the SFE host machine.

3. Mount the new ISO file (more information: Mounting the Application Delivery CD).

4. Type the command:

/media/cdrom/DATA_UNITS/AccAD_ENGINE_2_2/<SFE’s OS>/upgrade.pl

The upgrade process affects the SFE and all CFEs connected to it at the time of execution. CFEs not connected to the SFE must be upgraded manually by performing steps 1-4 on each CFE machine.

After an upgrade, the SFE machine will also act as an AccAD repository.

Note: This upgrade procedure does not affect Windows clients. For more information, see the guide Accelerated Application Delivery for SAP NetWeaver Client for Windows.

11. Additional Information

This section contains information that may be useful when installing and maintaining Accelerated Application Delivery for SAP NetWeaver.

11.1 Changing Time Zone on a Linux Machine

To change the time zone of the machine after OS installation to your local time zone, perform the steps described in the following procedure:

1. View all available time zones and choose the one you wish to configure by typing the following two lines in the machine console:

cd /usr/share/zoneinfo

find . -name "*" -type f | sed -e 's#^\./##'

2. Open the /etc/sysconfig/clock file for editing and set the ZONE field to the time zone you chose.

3. Create a symbolic link from the selected time zone to /etc/localtime:

mv /etc/localtime /etc/localtime.old

ln -s /usr/share/zoneinfo/<selected time zone> /etc/localtime

11.2 Installing the AccAD Administrator Certificate

To avoid the appearance of a certificate error when accessing the AccAD Administrator in your browser, install the AccAD CA (Certificate Authority) public key on the machine. This adds the AccAD CA to the list of trusted certification authorities on your computer.

Note: An AccAD repository must be installed as a prerequisite to this procedure.

11.2.1 Downloading and Installing the AccAD CA Public Key

Download the CA public key in one of the following two ways:

Download the public key from the URL https://repository-hostname-or-ip:7443/AccAD_CA_Public_Key.der

Use the AccAD Administrator as follows:

a. Log in to the AccAD Administrator. When the certificate error is displayed, choose the option to continue to the website.

b. Choose the Local Configuration tab.

c. In the root node of the navigation tree, choose Appliance Download AccAD CA Public Key.

Install the AccAD CA public key as follows:

Run the AccAD_CA_Public_Key.der file that you downloaded. The certificate error will not be displayed when entering the AccAD Administrator of this AccAD engine.

When installing new appliances in manual or semi-automatic mode, create and apply the ADF file for the appliance, as described in sections Semi-Automatic Installation and Manual Configuration of the AccAD Engine.

For the changes to take effect, run the command service adui restart from the engine.

11.3 High Availability with AccAD

An Accelerated Application Delivery for SAP NetWeaver (AccAD) landscape provides high service availability by enabling failover communication directly with the data center or by switching to redundant components in the landscape failover system. Each organization can select the approach that best suits its system landscape.

11.3.1 High Availability Features

The following AccAD features support high availability:

Central delivery policy – Traffic redirection to the virtual service starts only when the service is delivered correctly and stops when delivery stops.

Central alerting – The following events generate alerts by the SFE, notified via e-mail / report to the Syslog server / alerts displayed in the repository web UI:

Tunnel with a CFE goes down

Tunnel with a CFE is established

Service on host is not functional

Service monitor [Linux CFE only] – Each delivered service is sampled periodically, end-to-end, for the existence of a given string. Monitoring tasks are derived automatically from the services defined in the central delivery policy, although the monitor itself is a separate service. Actions which are taken upon detecting a failed service are:

Alert (e-mail notification, report to Syslog)

Stopping traffic redirection for the specific service

Activation of an additional independent mechanism, such as:

DNAT rules to force bypass

IP filter reject rule – to inform of the reject status to external monitors, if any – such as Cisco Distributed Director.

Failover to a secondary SFE - Whenever a tunnel with an SFE breaks, the CFE attempts to connect again. After four failures it connects to the secondary SFE, if such is defined, and the service is resumed.

Note: Reconnection to the primary SFE is only attempted in the event of a failure of the secondary SFE.

Support of Multiple DNS servers in the CFE DNS proxy - Enables a practice of defining a few DNS servers. If one goes down the next is used. At varying intervals, the engine checks for the recovery of the primary DNS.

11.3.2 Failure Scenarios and Recovery

This section discusses the failure scenarios that benefit from the high availability features described above. It discusses failures both in the CFE and the SFE, and relates to software as well as hardware problems.

CFE Failures:

DNS proxy failure – When a DNS failure is detected by the user workstation, the support of multiple DNS servers allows immediate recovery by using the secondary DNS.

If the secondary DNS is an office DNS (not specific to AccAD), the failover results in AccAD bypass and the traffic isn’t accelerated.

If the secondary DNS is that of an additional CFE, the accelerated traffic through AccAD continues.

Service Problems – The Service Monitor detects problems in the service, stops traffic redirection, and activates an additional bypass mechanism. For more details, see Bypass Mode.

CFE Failure – If a secondary CFE is configured as the DNS of the primary CFE, then users are redirected to an accelerated service.

SFE Failures:

Hardware failure – Results in a tunnel break, which causes CFE redirection to stop. If a secondary SFE is configured, the CFE establishes a tunnel with it and after a few minutes of non-accelerated service delivery, the acceleration resumes.

Software failure – A stop of the end-to-end service is detected by the CFE service monitor, which stops traffic redirection and activates DNAT bypass rules, as explained in the section Bypass Mode, so the user isn’t affected by the failure and non-accelerated traffic continues.

Repository Failures:

Hardware/Software failure – Results in a tunnel break between the SFE and the repository. If a secondary repository is configured, the SFE establishes a tunnel with it, auditing and accounting can again be written to the repository database, and the delivery policy is again available.