Certificate warning when using HTTPS through reverse proxy

Former Member
0 Kudos

Hi,

We have a SAP Portal 7.01 with 1 CI and 2 App servers. SSL configuration has been done on it and HTTPS is working fine. We have also imported the CA certificate request response as well and it works perfectly.

However, now we have introduced a hardware load balancer (URL: http://eptest01.domain.com) that redirects to one of the app servers of the system. We have also enabled it to direct the requests to HTTPS URLs of the portal's app servers so the following URL works: https://eptest01.domain.com.

Redirection also works fine but the problem is that the browser shows a certificate warning page which says that "the security certificate presented by this website was issued for a different website's address."

I can ignore this and continue to the website and then I can click on the lock icon and see the certificate. In that, it shows the website address as hostname of the app server that it redirects to: appserver.domain.com. I think this might be the problem.

How can I configure for the correct certificate? Can someone please provide the correct steps? I have already created a new view in Key Storage and called it ReverseProxy. Within it, I create a keypair entry with CN=hostname of load balancer (eptest01.domain.com). Exported the CSR and ordered a certificate. Received the CSR response and imported into key storage. But still I get the certificate warning as stated earlier. Why is this certificate not being issued by the server instead of the app server's own cert?

Thanks,

Shitij

11 REPLIES

mvoros
Active Contributor
0 Kudos

Hi,

you are right. The hostname has to match exactly with the name on the SSL certificate. There are usually two options. The first is terminating the SSL connection on the reverse proxy. Hence you need to generate a proper certificate for the reverse proxy host name and use it there. The second option is to create another SSL connection between the proxy and the application server. In this case the proxy has more work because it has to decrypt data and encrypt them again, but you don't send data unencrypted over the network. Check the documentation for SAP Web Dispatcher. It has a nice description of these use cases.

Cheers

Former Member
0 Kudos

Hi,

Yes, I am aware of the scenarios, but my main question is, how do I generate the certificate? It is a reverseproxy and not a Web Dispatcher. If it were a WDisp, I could still have installed SAP Cryptolib and set parameters and used sapgenpse for the cert generation, but what to do in our case?

Do I need to create an entry in Key Storage in my AS Java system? If yes, where and in which View? Because the ICM_SSL_<instanceid> view already contains a key pair for the SSL of the app server and as far as I know, one view cannot have 2 key pairs.

What exactly should I do?

Thanks,

Shitij

Former Member
0 Kudos

Hi,

How to install a signed certificate on your reverse proxy has nothing to do with the SAP Java system.

You have to read the reverse proxy documentation to learn how to do it.

By the way, a web dispatcher IS a reverse proxy...

Regards,

Olivier

mvoros
Active Contributor
0 Kudos

I just want to add that you can still use sapgenpse to generate a certificate. How to import this certificate into your reverse proxy depends on what product you use. But I guess it's documented.

Cheers

Former Member
0 Kudos

Hi Martin,

Is it possible to use sapgenpse to create a separate file for the private key and a separate file for the public key?

I tried and I only found out how to create a PSE file and a PKCS12 file (p12) which was of no use for me.

I had to install an OpenSSL windows version on my PC to be able to generate a certificate for an Apache reverse proxy.

Regards,

Olivier

mvoros
Active Contributor
0 Kudos

Hi,

no, I don't know a better way than using PKCS#12 and converting it using OpenSSL. I just don't understand why you had to install OpenSSL. You had to have the module mod_ssl installed on your reverse proxy, which relies on the OpenSSL library. Hence you should have already had it on your proxy.

Cheers
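
The PKCS#12-to-PEM conversion and the hostname match discussed in the replies above, as an added example that is not part of the original thread. It splits a bundle into the two PEM files Apache mod_ssl takes (`SSLCertificateFile` and `SSLCertificateKeyFile`) and checks which hostnames the certificate covers. The function names, output file names, password and the self-signed sample bundle are constructed for illustration; only the two hostnames come from the question.

```bash
# Added example (not from the thread): turn a PKCS#12 bundle into the PEM
# key + certificate files mod_ssl expects, then check the hostname match.
set -eu

# Constructed fixture: a self-signed cert stands in for the CA response and
# the .p12 stands in for a PKCS#12 export of the proxy's key pair.
make_sample_p12() {  # usage: make_sample_p12 <dir> <hostname> <password>
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -addext "subjectAltName=DNS:$2" \
    -keyout "$1/src.key" -out "$1/src.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$1/src.key" -in "$1/src.crt" \
    -passout "pass:$3" -out "$1/bundle.p12"
}

split_p12() {  # usage: split_p12 <bundle.p12> <password> <outdir>
  ( umask 077  # keep the unencrypted private key owner-readable only
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
      | openssl pkey -out "$3/proxy.key" )
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null \
    | openssl x509 -out "$3/proxy.crt"
}

# Succeeds when the private key and the certificate hold the same public key.
key_matches_cert() {  # usage: key_matches_cert <key.pem> <cert.pem>
  [ "$(openssl pkey -in "$1" -pubout | openssl sha256)" = \
    "$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)" ]
}

# Succeeds when the certificate is valid for the name the browser requested.
cert_matches_host() {  # usage: cert_matches_host <cert.pem> <hostname>
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

work=$(mktemp -d)
make_sample_p12 "$work" eptest01.domain.com changeit   # constructed password
split_p12 "$work/bundle.p12" changeit "$work"
key_matches_cert "$work/proxy.key" "$work/proxy.crt" && echo "key and cert pair up"
for h in eptest01.domain.com appserver.domain.com; do
  if cert_matches_host "$work/proxy.crt" "$h"; then echo "$h: match"
  else echo "$h: MISMATCH, browser would warn"; fi
done
```

Running `cert_matches_host` against the certificate the proxy actually serves, with the name users type, reproduces the browser's check before the change goes to production.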

Former Member
0 Kudos

Hi Martin,

"I just don't understand why you had to install OpenSSL"

I understand that you don't understand! It is because of my company's strange security rules.

I am in charge of the Apache Reverse Proxy but, for security reasons, because the Reverse proxy is in a DMZ giving access to the Internet, I am not allowed to connect to the Linux box running Apache!

I have to write a configuration document which will be played by the production team in charge of the DMZ hosts.

So it is much easier for me to use OpenSSL on my Windows PC (I don't even have a Linux box.)

Regards,

Olivier

mvoros
Active Contributor
0 Kudos

Hi,

there are some nice live distributions which you can use to avoid installing additional soft on your laptop.

Cheers

Former Member
0 Kudos

Of course, I have thought about a live distribution but my PC is protected against booting on cdrom or usb key !

I am an administrator of the SAP ECC6 production server but not on my PC !

Cheers

Former Member
0 Kudos

I have solved this problem in another way. I have generated a new keystore entry in ICM_SSL_* view and this time I gave CN=hostname of proxy/load-balancer. Once I got the CSR response imported, then access using proxy started working without the certificate errors since it accepted the new certificate.