11-22-2010 11:56 AM
Hi,
We have a SAP Portal 7.01 with 1 CI and 2 App servers. SSL configuration has been done on it and HTTPS is working fine. We have also imported the CA certificate request response as well and it works perfectly.
However, now we have introduced a hardware load balancer (URL: http://eptest01.domain.com) that redirects to one of the app servers of the system. We have also enabled it to direct the requests to HTTPS URLs of the portal's app servers so the following URL works: https://eptest01.domain.com.
Redirection also works fine but the problem is that the browser shows a certificate warning page which says that "the security certificate presented by this website was issued for a different website's address."
I can ignore this and continue to the website and then I can click on the lock icon and see the certificate. In that, it shows the website address as hostname of the app server that it redirects to: appserver.domain.com. I think this might be the problem.
How can I configure for the correct certificate? Can someone please provide the correct steps? I have already created a new view in Key Storage and called it ReverseProxy. Within it, I create a keypair entry with CN=hostname of load balancer (eptest01.domain.com). Exported the CSR and ordered a certificate. Received the CSR response and imported into key storage. But still I get the certificate warning as stated earlier. Why is this certificate not being issued by the server instead of the app server's own cert?
Thanks,
Shitij
11-22-2010 8:04 PM
Hi,
you are right. The hostname has to match exactly with the name on the SSL certificate. There are usually two options. The first is terminating the SSL connection on the reverse proxy. Hence you need to generate a proper certificate for the reverse proxy host name and use it there. The second option is to create another SSL connection between the proxy and the application server. In this case the proxy has more work because it has to decrypt the data and encrypt them again, but you don't send data unencrypted over the network. Check the documentation for SAP Web Dispatcher. It has a nice description of these use cases.
Cheers
11-23-2010 6:19 AM
Hi,
Yes, I am aware of the scenarios, but my main question is, how do I generate the certificate? It is a reverse proxy and not a Web Dispatcher. If it were a WDisp, I could still have installed SAP Cryptolib, set the parameters and used sapgenpse for the cert generation, but what to do in our case?
Do I need to create an entry in Key Storage in my AS Java system? If yes, where and in which View? Because the ICM_SSL_<instanceid> view already contains a key pair for the SSL of the app server and as far as I know, one view cannot have 2 key pairs.
What exactly should I do?
Thanks,
Shitij
11-23-2010 12:23 PM
Hi,
How to install a signed certificate on your reverse proxy has nothing to do with the SAP Java system.
You have to read the reverse proxy documentation to learn how to do it.
By the way, a web dispatcher IS a reverse proxy...
Regards,
Olivier
11-23-2010 8:48 PM
I just want to add that you can still use sapgenpse to generate a certificate. How to import this certificate into your reverse proxy depends on what product you use. But I guess it's documented.
Cheers
11-24-2010 9:05 AM
Hi Martin,
Is it possible to use sapgenpse to create a separate file for the private key and a separate file for the public key?
I tried and I only found out how to create a PSE file and a PKCS12 file (p12) which was of no use for me.
I had to install an OpenSSL windows version on my PC to be able to generate a certificate for an Apache reverse proxy.
Regards,
Olivier
11-24-2010 10:30 PM
Hi,
no, I don't know a better way than using PKCS#12 and converting it using OpenSSL. I just don't understand why you had to install OpenSSL. You had to have the module mod_ssl installed on your reverse proxy, which relies on the OpenSSL library. Hence you should have already had it on your proxy.
Cheers
11-25-2010 8:32 AM
Hi Martin,
I just don't understand why you had to install OpenSSL
I understand that you don't understand! It is because of my company's strange security rules.
I am in charge of the Apache reverse proxy but, for security reasons, because the reverse proxy is in a DMZ giving access to the Internet, I am not allowed to connect to the Linux box running Apache!
I have to write a configuration document which will be played by the production team in charge of the DMZ hosts.
So it is much easier for me to use OpenSSL on my Windows PC (I don't even have a Linux box.)
Regards,
Olivier
11-25-2010 9:21 AM
Hi,
there are some nice live distributions which you can use to avoid installing additional software on your laptop.
Cheers
11-25-2010 11:57 AM
Of course, I have thought about a live distribution, but my PC is protected against booting from CD-ROM or USB key!
I am an administrator of the SAP ECC6 production server but not of my PC!
Cheers
11-26-2010 6:46 AM
I have solved this problem in another way. I have generated a new keystore entry in the ICM_SSL_* view and this time I gave CN=hostname of proxy/load-balancer. Once I had imported the CSR response, access using the proxy started working without the certificate errors, since it accepted the new certificate.
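The thread's three practical points, shown with the OpenSSL CLI (this is an added example, not code from any poster): a CSR for the name users actually type (the proxy/load-balancer host, as in the final fix), the hostname check a browser performs (which is why the app server's own certificate triggers the warning), and splitting a PKCS#12 (as exported by sapgenpse) into the separate PEM key and certificate files that Apache mod_ssl wants. The hostnames are constructed to mirror the thread, the self-signed certificate stands in for the CA's response, and OpenSSL 1.1.1 or newer on PATH is assumed; it goes beyond the thread by putting the name in a subjectAltName as well as the CN, which current browsers require.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the OpenSSL CLI (1.1.1 or newer) on PATH.
# Hostnames are constructed to mirror the thread; the proxy name is what browsers check.
set -eu
PROXY_HOST=eptest01.domain.com   # name users type (load balancer / reverse proxy)
APP_HOST=appserver.domain.com    # backend AS Java instance the proxy forwards to
WORK=$(mktemp -d)

# CSR for the name the proxy answers to; this is what goes to the CA.
# The SAN is included because browsers no longer accept a bare CN.
make_csr() {  # make_csr <host> <out-prefix>
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
        -addext "subjectAltName=DNS:$1" -keyout "$2.key" -out "$2.csr" 2>/dev/null
}

# Self-signed stand-in for the CA's signed response so the checks run offline.
make_selfsigned() {  # make_selfsigned <host> <out-prefix>
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=$1" \
        -addext "subjectAltName=DNS:$1" -keyout "$2.key" -out "$2.crt" 2>/dev/null
}

# The check a browser performs: does the name in the URL match the certificate?
# Returns 0 on match, non-zero otherwise (a self-signed cert is its own anchor here).
cert_matches_host() {  # cert_matches_host <cert.pem> <host>
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# sapgenpse can export a PKCS#12; split it into the PEM key and certificate
# files that mod_ssl's SSLCertificateKeyFile / SSLCertificateFile expect.
split_p12() {  # split_p12 <file.p12> <password> <out-prefix>
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3.key" 2>/dev/null
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$3.crt" 2>/dev/null
}

# Demo: the app server's own cert fails at the proxy name (the warning from the
# thread), a cert issued for the proxy name passes, and its PKCS#12 splits cleanly.
make_selfsigned "$APP_HOST"   "$WORK/app"
make_selfsigned "$PROXY_HOST" "$WORK/proxy"
make_csr        "$PROXY_HOST" "$WORK/request"
if cert_matches_host "$WORK/app.crt" "$PROXY_HOST"; then
    echo "unexpected: app server cert accepted for $PROXY_HOST"
else
    echo "app server cert rejected for $PROXY_HOST (the browser warning)"
fi
cert_matches_host "$WORK/proxy.crt" "$PROXY_HOST" && echo "proxy cert matches $PROXY_HOST"
openssl pkcs12 -export -inkey "$WORK/proxy.key" -in "$WORK/proxy.crt" \
    -passout pass:demo -out "$WORK/proxy.p12"
split_p12 "$WORK/proxy.p12" demo "$WORK/apache"
openssl req -in "$WORK/request.csr" -noout -subject
```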