11-04-2009 12:09 PM
Hi,
I configured an Apache reverse proxy for accessing SSL ICF services.
I want to access them as follows:
Internet (https) -> reverse proxy (https) -> SAP ICF Service
On the reverse proxy I implemented a signed certificate. On the SAP system I implemented a self-signed certificate.
If I try to open the ICF service via the proxy I get the following error message in the browser:
Service Temporarily Unavailable
The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.
The error log has following entry:
(OS 10060)A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. : proxy: HTTPS: attempt to connect to SAP-BACKEND-IP:443 (*) failed
Connection closed to child 63 with standard shutdown (server mydomain:443)
If I access it as follows, it works:
Internet (https) -> reverse proxy (HTTP) -> SAP ICF Service
If I open the browser on the reverse proxy itself and try to open the ICF service, it works with https. But before I can enter the logon data I get a popup "choose a digital certificate". Could this be a problem? Could the problem be caused by the self-signed certificate I have implemented in the SAP system?
Best Regards
Tim
Edited by: Tim Kannegießer on Nov 4, 2009 1:09 PM
11-04-2009 12:30 PM
Hi,
I use this setup for access to SRM from the internet:
Internet (https) -> Apache reverse proxy (https) -> SAP Web Dispatcher (https) -> SAP SRM ICF Service
It works perfectly, so it means that what you want to do is completely possible.
I also have a signed certificate on Apache and the Web Dispatcher.
The ICM certificate is self-signed.
If your ABAP ICM is configured to ask for a client certificate, it might be a problem.
Check the icm/HTTPS/verify_client profile parameter.
If you still have problems, increase the ICM trace level and check the trace file.
Regards,
Olivier
11-04-2009 12:48 PM
If Olivier's explanation (param icm/HTTPS/verify_client) is not the guilty one, then please also check the ICM port configuration => icm/server_port_1 = PROT=HTTPS, PORT=x443, VCLIENT = 2 ?
If found, this instance parameter VCLIENT will take precedence over icm/HTTPS/verify_client setting and deny the https request as you have described, unless the client side presents a valid certificate.
Cheers,
Julius
11-04-2009 1:01 PM
Hi,
thanks for your answers.
The parameters are set to the following:
icm/HTTPS/verify_client = 1
icm/server_port_1 PROT=HTTPS, PORT=443,TIMEOUT=900
I checked another SAP system and it has the same settings. But there I don't get the popup for the certificate.
If I understand the parameter icm/HTTPS/verify_client = 1 right, it is possible to log on with a client certificate. But if you don't have one you can log on with the default settings. Where can I set the default settings? Is this the logon procedure in transaction SICF under the logon data of the service?
Best regards,
Tim
11-04-2009 1:14 PM
> Where can I set the default settings? Is this the logon procedure in transaction SICF under the logon data of the service?
Yes, please check that as well!
Note that unlike SM59, the SICF logon data is a hierarchy with inheritance to sub-nodes unless these have their own settings. It could be that no entries are made for the service, and a higher node on the virtual host is pointing into nirvana.
Sounds reasonable.
Cheers,
Julius
11-04-2009 1:27 PM
I checked all nodes above the service I try to log on to. All nodes are set to the standard logon procedure.
Maybe I forgot a parameter in the proxy configuration.
A little summary of the settings:
ProxyPreserveHost On
SSLEngine on
SSLCertificateKeyFile ...
SSLCertificateFile ...
RewriteEngine On
Rewrite Rules ...
ProxyRequests Off
ProxyPassReverse ...
Do I need the directive SSLProxyEngine on? Is there any missing directive for my scenario?
BR
Tim
Edited by: Tim Kannegießer on Nov 4, 2009 2:27 PM
11-04-2009 1:28 PM
11-04-2009 1:30 PM
Tim,
Could you please reformat your last message so that we are able to read it?
You may have to split it into 2 messages because the forum software is broken...
Regards,
Olivier
11-04-2009 1:31 PM
Of course, sorry.
[Thr 1048] Wed Nov 04 14:25:36 2009
[Thr 1048] NiSelISelectInt: 0 handles selected (0 buffered)
[Thr 1048] IcmCheckForBlockedThreads: check for blocked SSL-threads
[Thr 1048] IcmWatchDogThread: check ni handles (timeout=10000)
[Thr 1048] SiSelNFCSelect: start select (timeout=10000)
[Thr 2940] Wed Nov 04 14:25:42 2009
[Thr 2940] SiSelNSelect: of 1 sockets 0 selected
[Thr 2940] IcmProxyWatchDog: check sockets (timeout=10000)
[Thr 2940] SiSelNSelect: start select (timeout=10000)
[Thr 1048] Wed Nov 04 14:25:46 2009
[Thr 1048] NiSelISelectInt: 0 handles selected (0 buffered)
[Thr 1048] IcmQueueAppend: queuelen: 1
[Thr 1048] IcmCreateRequest: Appended request 326
[Thr 1048] IcmWatchDogThread: check ni handles (timeout=10000)
[Thr 1048] SiSelNFCSelect: start select (timeout=10000)
[Thr 3876] IcmWorkerThread: worker 7 got the semaphore
[Thr 3876] REQUEST:
Type: SCHEDULER Index = 325
[Thr 3876] IcmGetSchedule: found slot 0
[Thr 3876] IcmAlReportData: Reporting data to CCMS Alerting Infrastruct
[Thr 3876] NiIGetServNo: servicename '8000' = port 1F.40/8000
[Thr 3876] IcmConnCheckStoredClientConn: check for client conn timeout
[Thr 3876] IcmConnCheckStoredClientConn: next client timeout check in 6
[Thr 3876] NiIGetServNo: servicename '8000' = port 1F.40/8000
[Thr 3876] IcmGetServicePtr: new serv_ref_count: 2
11-04-2009 1:32 PM
PlugInHandleAdmMessage: request received:
PlugInHandleAdmMessage: opcode: 136, len: 528, dest_type: 2, subh
HttpSubHandlerCall: Call Handler: HttpCacheHandler, task=4, heade
HttpCacheHandler: 4 0 0000000000969AB0 0000000000000000
SCACHE: opcode: 136, len: 528, dest_type: 2, dest:
MTX_LOCK 3038 0000000001591630
MTX_UNLOCK 3051 0000000001591630
IcmNetBufWrapBuf: allocated netbuf: 0000000001563650, blocks used
IcmNetBufWrapBuf: allocated netbuf: 0000000001563650
IcmNetBufFree: free netbuf: 0000000001563650 out of 1 used
IcmConnFreeContext: context 3 released
IcmServDecrRefCount: mydomain.de:8000 - serv_ref_count
IcmGetSchedule: next schedule in 30 secs
IcmWorkerThread: Thread 7: Waiting for event
SiSelNSelect: of 1 sockets 0 selected
IcmProxyWatchDog: check sockets (timeout=10000)
SiSelNSelect: start select (timeout=10000)
Edited by: Tim Kannegießer on Nov 4, 2009 2:33 PM
11-04-2009 2:17 PM
Hi,
I changed the parameter icm/HTTPS/verify_client to 0. Now the popup doesn't appear, but the connection via the proxy still does not work.
Best regards,
Tim
11-04-2009 2:46 PM
Tim,
I think that the problem may be in your Apache configuration file.
Did you increase the ICM trace level during a test?
You should also set these Apache directives to debug:
RewriteLog /var/log/apache2/rewrite.log
RewriteLogLevel 9
Regards,
Olivier
11-05-2009 7:55 AM
Hi,
I checked the firewall again with the network guys, and now we have solved the basic communication problem.
But now I get the following error:
[client XXX] SSL library error 1 in handshake (server sapserver:443)
[Thu Nov 05 08:47:33 2009] [info] SSL Library Error: 336151574 error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
[Thu Nov 05 08:47:33 2009] [info] [client XXX] Connection closed to child 63 with abortive shutdown (server sapserver:443)
Do I have to import the certificate from the SAP system into Apache? If yes, how can I do this? It seems that Apache doesn't trust this certificate.
BR
Tim
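The two open points in this thread are the directive list Tim summarised (whether SSLProxyEngine is needed) and the last error, where Apache as a TLS client does not trust the self-signed SAP certificate. The following virtual host is an added example of how those pieces fit together; it is not configuration from the thread or a confirmed resolution of Tim's case. Host names, paths and file names (proxy.example.com, sap-backend.example.com, /etc/apache2/ssl/...) are assumptions, and the directives are standard mod_ssl, mod_proxy and mod_headers ones.

```apache
# Added example, not from the thread: Apache virtual host that terminates TLS
# from the Internet and re-encrypts to an HTTPS backend (SAP ICM).
# All host names and file paths below are assumptions.
<VirtualHost *:443>
    ServerName proxy.example.com

    # Front-end TLS: the CA-signed certificate presented to Internet clients
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/proxy.example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/proxy.example.com.key

    # Back-end TLS: without this, mod_proxy refuses to open an https:// backend
    # at all, so "SSLProxyEngine on" is required for https -> https proxying.
    SSLProxyEngine on

    # Trust the backend's self-signed certificate explicitly rather than
    # switching verification off. The PEM file holds the server certificate
    # exported from the SAP system's PSE (file name is an assumption).
    SSLProxyCACertificateFile /etc/apache2/ssl/sap-backend.crt
    SSLProxyVerify      require
    SSLProxyVerifyDepth 1
    # httpd 2.4.5 and later: also check that the certificate matches the
    # backend host name. Omit this line on older releases.
    SSLProxyCheckPeerName on

    # Plain reverse proxy (no open forward proxy), keep the original Host
    # header so the backend generates absolute URLs that point back here.
    ProxyRequests     Off
    ProxyPreserveHost On
    ProxyPass        /sap/ https://sap-backend.example.com:443/sap/
    ProxyPassReverse /sap/ https://sap-backend.example.com:443/sap/

    # Tell the backend the client arrived over TLS; the header name is a
    # common convention (mod_headers), not something the backend requires.
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

Two things worth checking against this when debugging: the SSL library error in the last post is logged by Apache in its role as TLS client to sapserver:443, so it belongs to the SSLProxy* side, not to the SSLCertificate* directives serving the browser; and a self-signed certificate only verifies with "SSLProxyVerify require" if the certificate in SSLProxyCACertificateFile is the exact one the backend presents and, where the peer-name check is enabled, its CN or subjectAltName matches the host used in ProxyPass.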