VOTEC Group

+65-6849 5415
info@votecgroup.com
100M building Tras Street, Singapore 079027

How to Move a Subaccount with Existing Custom Domains to Another Global Account

You can move a subaccount X in global account A to another global account B within the same region if you fulfill the following requirements: 

  • You delete all the custom domains in the source subaccount before the move is implemented. If you don’t fulfill this prerequisite, you’ll continue to be charged on your old global account A

Caution: There is downtime when you remove the old custom domain, and it lasts until you complete the DNS setup of the new one. 

Note: This article covers the subaccount move operation for the  SAP BTP, Neo environment. If you want to learn more about the SAP BTP, Cloud Foundry environment, see  Application Operations in the Cloud Foundry Environment.

Note: If you want to move a custom domain from a subaccount X in global account A to another subaccount Y in global account B within the same region, see How to Migrate a Custom Domain Between Global Accounts.

Example

A company has already configured a custom domain for one of its applications for subaccount X in global account A within the Europe (Rot) region. At some time, the company decides to move subaccount X from the global account A that they’re currently using, to another global account B, both of which are in the same region – Europe (Rot).  

Note: All data used in this article is for testing and demonstration purposes only.

Before the Migration

Here’s an example of what the original subaccount setup might look like before the migration: 

  • Subaccount technical name: ab123c4d5 (part of global account A in the Europe (Rot) region) 
  • SSL host name: beforemigration (accessible on host EU1234.ssl.ondemand.com

If you plan to migrate a custom domain to the global account B, you need to record a snapshot of it so that you can recreate it to the new global account. To get the settings of your custom domains, proceed as follows: 

1. Obtain the SSL host names by listing all SSL hosts: 

neo list-ssl-hosts −−host eu1.hana.ondemand.com −−user <username> −−password <password> −−account ab123c4d5 

See list-ssl-hosts

2. List the attributes of each SSL host to find the certificates: 

neo set-ssl-host −−host eu1.hana.ondemand.com −−user <username> −−password <password> −−account ab123c4d5 −−name beforemigration 

See set-ssl-host

Output Example of set-ssl-host Command for beforemigration SSL Host:

Name : beforemigration 
Host : EU1234.ssl.ondemand.com 
Certificate : before_migration_cert 
Supported protocols : TLSV1_2 

3. List the certificates with their details: 

neo list-domain-certificates −−host eu1.hana.ondemand.com −−user <username> −−password <password> −−account ab123c4d5 

See list-domain-certificates

In fact, the CN value in each certificate is the custom domain you should record for the recreation. 

Output Example of list-domain-certificates Command:

Certificates for subaccount ‘ab123c4d5’: 1. Account quota: 1 
——————————————————————— 
before_migration_cert CSR generated on SAP Cloud Platform: yes 
Subject: CN=www.mycompany.com  
Validity: 08-02-2029 

4. List all custom domain mappings and record them: 

neo list-custom-domain-mappings −−host eu1.hana.ondemand.com −−user <username> −−password <password> −−account ab123c4d5 

See list-custom-domain-mappings.

You need this mapping for the application URL when you recreate the custom domain.  

If you use different applications in the new and old global accounts (myoldapp and mynewapp), the old application URL is ab123c4d5myoldapp.hana.ondemand.com and the new one is ab123c4d5mynewapp.hana.ondemand.com.

If you use the same application in the new global account (myapp), the application URL ab123c4d5myapp.hana.ondemand.com stays the same.

After the Migration

Here’s an example of the desirable state of the new subaccount setup in the new global account: 

  • Subaccount technical name: ab123c4d5 (part of global account B in the Europe (Rot) region) 
  • SSL host name: aftermigration 
  • Certificate name: after_migration_cert 
  • Custom domain mapping:  

– If you use the same application in the new and old global accounts: www.mycompany.com to be mapped to  ab123c4d5myapp.hana.ondemand.com.

– If you use different applications in the new and old global accounts:  www.mycompany.com to be mapped to  ab123c4d5mynewapp.hana.ondemand.com.

Procedure

1. If you plan to keep the custom domain in the new global account B, record its setup as described in Before the Migration.  

2. Remove the custom domain setup for subaccount X

Note: If you don’t delete the custom domain artifacts, you’ll be charged for them. 

a. Remove the trusted CA configurations from the old SSL host, if any, with the set-ssl-host command and −−ca−bundle <bundle_name>:none parameter. 

b. Unbind the domain certificate with the unbind-domain-certificate command. 

c. Remove all custom domain mappings with remove-custom-domain command. 

Example:

neo remove-custom-domain −−account ab123c4d5 −−user mymail@example.com −−host eu1.hana.ondemand.com −−custom−domain www.mycompany.com −−ssl−host beforemigration 

d. Remove all certificates with delete-domain-certificates and trusted CAs with remove-ca commands. 

e. Remove the old SSL host with delete-ssl-host command. 

If you encounter any problems, report an issue and assign it to the BC-NEO-INFR component. 

3. Request that your subaccount X be moved from global account A to global account B. See How to section in SAP Note 3246456 – Moving a subaccount to a different global account

4. If you plan to keep the custom domain in the new global account B, set up the custom domain in subaccount X of the new global account B. These steps follow the standard end-to-end process for configuring a custom domain in the SAP BTP, Neo environment

Before you start to set up the custom domain, make sure that you fulfill the following requirements: 

  • The new SSL host name in the new global account must be different from the old SSL host name used in the previous global account. 
  • The new certificate name in the new global account must be different from the old certificate name used in the previous global account.

a. Create the SSL host: 

neo create-ssl-host −−account ab123c4d5 −−user mymail@example.com −−host eu1.hana.ondemand.com −−name aftermigration 

See create-ssl-host

The output should state that the aftermigration SSL host can now be accessed on host EU5678.ssl.ondemand.com. You’ll need this host to update the DNS records later.

b. Generate the certificate signing request (CSR): 

neo generate-csr −−account ab123c4d5 −−user mymail@example.com −−host eu1.hana.ondemand.com −−name after_migration_cert −−certificate−distinguished−name “C=GB,O=MyCompany,CN= www.mycompany.com,E=admin@example.com” 

Don’t forget to add the custom domain as a common name (CN) value of the −−certificate−distinguished−name parameter: CN= www.mycompany.com 

See generate-csr.

c. Send the CSR to your certificate authority (CA) to sign it.

d. Upload the certificate signed by your CA: 

neo upload-domain-certificate −−account ab123c4d5 −−user mymail@example.com −−host eu1.hana.ondemand.com −−name after_migration_cert −−location ./certificate.pub 

When you upload the signed certificate, make sure it is placed at the beginning of the file before any other intermediate certificates, if any. 

See upload-domain-certificate.

e. Bind the after_migration_cert certificate to the aftermigration SSL host: 

neo bind-domain-certificate −−account ab123c4d5 −−user mymail@example.com −−host eu1.hana.ondemand.com −−ssl−host aftermigration −−certificate after_migration_cert

See bind-domain-certificate

f. If the custom domain is mapped to a new application, start the new application in subaccount ab123c4d5 of global account B via the SAP BTP cockpit or the console client and copy the application URL, because you’ll need it in step h. In this example, the application URL is ab123c4d5mynewapp.hana.ondemand.com.  

If the custom domain is mapped to the same application, you just use the old application URL. In our example, ab123c4d5myapp.hana.ondemand.com.

g. Configure the new custom domain mapping: 

– Example when the application URL stays the same: 

neo add-custom-domain −−account ab123c4d5 −−user mymail@example.com −−host eu1.hana.ondemand.com −−custom−domain www.mycompany.com −−application−url ab123c4d5myapp.hana.ondemand.com −−ssl−host aftermigration 

– Example when the application URL differs from the original one: 

neo add-custom-domain −−account ab123c4d5 −−user mymail@example.com −−host eu1.hana.ondemand.com −−custom−domain www.mycompany.com −−application−url ab123c4d5mynewapp.hana.ondemand.com −−ssl−host aftermigration

See add-custom-domain.

h. Navigate to your dashboard for managing DNS records and switch the DNS record to point to the new EU5678.ssl.ondemand.com host. This is the new host that you acquired from the output of the create-ssl-host command. 

According to the DNS record before the migration, the custom domain www.mycompany.com was previously pointing to EU1234.ssl.ondemand.com. After the migration is over, make sure that the new DNS record is pointing to the new SSL host EU5678.ssl.ondemand.com

Conclusion

With this blog post, we focus on the process of deleting or moving the existing custom domains when a subaccount is migrated to another global account. The most important requirement of this process is that you don’t forget to clean up any existing custom domains in the source subaccount before the move. 

We’d appreciate any feedback on this procedure. 

Looking for a First-Class Business Plan Consultant?