
Can't connect to AS Java via HTTPS

Former Member

All,

We're trying to set up HTTPS in our environment to encrypt traffic between web browsers and our application servers.  Single Sign-On is not a consideration here.

We are running NW 7.0.  Are there any good how-to's related to setting up and configuring AS Java to use https?

Our current situation:

When I visit http://<server>:5xx00/ all is fine.  I get the expected home page which lists NWA, System Information, UDDI Client, etc.  However, when I visit https://<server>:5xx01/ things go awry.  If we have the key properly configured and signed, the page just hangs and then Internet Explorer gives up (with a nondescript error, of course):

This problem can be caused by a variety of issues, including:

  • Internet connectivity has been lost.
  • The website is temporarily unavailable.
  • The Domain Name Server (DNS) is not reachable.
  • The Domain Name Server (DNS) does not have a listing for the website's domain.
  • There might be a typing error in the address.
  • If this is an HTTPS (secure) address, click Tools, click Internet Options, click Advanced, and check to be sure the SSL and TLS protocols are enabled under the security section.

If we don't have a signed certificate configured in the key store/SSL Provider then you get the expected results: a warning screen advising you the key isn't signed, and after you bypass the warning the web session just hangs like it did previously and then gives up.

I can verify that:

  • Dispatcher/HTTP Provider is running
  • Server/HTTP Provider is Running
  • Dispatcher/SSL Provider is Running
  • Server/SSL Provider is running

At one point I enabled Dispatcher/HTTP Provider/Properties/HttpTrace/enableHeaders.  When I visited the http port, obviously (since http is working fine -- just https is failing) I got headers that showed up in "/usr/sap/<SID>/<Instance>/j2ee/cluster/dispatcher/log/services/httpservices/http/req_resp".  When I tried to access the same page via https, nothing showed up in the req_resp trace file.  This leads me to believe there is a problem with the "SSL Provider".

Any thoughts/suggestions?

Accepted Solutions (1)

cris_hansen
Advisor

Hello Philip,

It is worth trying to check the defaultTrace and look for SSL-related error messages.

You can check the following SAP Help page:

Configuring the Use of SSL on the J2EE Engine

You can also check whether there are no active sockets configured for SSL. Please check SSL Provider under the dispatcher node, services location. In the Configuration area select Active sockets and maintain the required port. Under the Server identity tab maintain the server credential as well.

You can also check here.

I hope this helps,

Cris

Former Member

Thank you also for the reply and your thoughts.

Cristiano Hansen wrote:

Hello Philip,

It is worth trying to check the defaultTrace and look for SSL-related error messages.

You can check the following SAP Help page:

The trace file located at /usr/sap/<SID>/<Instance>/j2ee/cluster/server0/log/defaultTrace.0.trc (most recent trace) has these mentions of SSL:

#1.#001517A5E89C00030000005A00006C610004E3FD792DC7DE#1376577706117#com.sap.engine.services.monitor.common.Template##com.sap.engine.services.monitor.common.Template####n/a##42c7fec005b811e3b72300002100bb96#Timeout Service Synchronous Internal Thread##0#0#Info##Plain###  -   sap.com/tc~sec~wssec~app  -  wssproc  -  ssl  -  apply#

#1.#001517A5E89C00030000005B00006C610004E3FD792DC828#1376577706117#com.sap.engine.services.monitor.common.Template##com.sap.engine.services.monitor.common.Template####n/a##42c7fec005b811e3b72300002100bb96#Timeout Service Synchronous Internal Thread##0#0#Info##Plain###  -  sap.com/tc~sec~wssec~app  -  wssproc  -  ssl  -  getKsAliases#

#1.#001517A5E89C00030000005C00006C610004E3FD792DC873#1376577706117#com.sap.engine.services.monitor.common.Template##com.sap.engine.services.monitor.common.Template####n/a##42c7fec005b811e3b72300002100bb96#Timeout Service Synchronous Internal Thread##0#0#Info##Plain###  -  sap.com/tc~sec~wssec~app  -  wssproc  -  ssl  -  getKsViews#

#1.#001517A5E89C00030000005D00006C610004E3FD792DC8BE#1376577706117#com.sap.engine.services.monitor.common.Template##com.sap.engine.services.monitor.common.Template####n/a##42c7fec005b811e3b72300002100bb96#Timeout Service Synchronous Internal Thread##0#0#Info##Plain###  -  sap.com/tc~sec~wssec~app  -  wssproc  -  ssl  -  verify#

#1.#001517A5E89C00030000005E00006C610004E3FD792DC909#1376577706117#com.sap.engine.services.monitor.common.Template##com.sap.engine.services.monitor.common.Template####n/a##42c7fec005b811e3b72300002100bb96#Timeout Service Synchronous Internal Thread##0#0#Info##Plain###  -  sap.com/tc~sec~wssec~app  -  wssproc  -  ssl  -  getKsCertDNs#

ClassLoader name: [com.sapportals.portal.prt.util.ApplicationClassLoader@30c8557a]

Parent loader name: [com.sapportals.portal.prt.util.ApplicationClassLoader@3d787ad5]

ClassLoader name: [sap.com/com.sap.netweaver.bc.util]

Parent loader name: [com.sapportals.portal.prt.util.AutoClassLoader@737dd49f]

#1.#001517A5E89C004100000000000048D10004E4017F24A047#1376594986049#com.adobe.service.J2EEPlatformPeerImpl##com.adobe.service.J2EEPlatformPeerImpl#######SAPEngine_System_Thread[impl:5]_79##0#0#Error##Plain###error getting ssl flag, using non-SSL mode: null#

#1.#001517A5E89C004200000000000048D10004E4017F24E7F8#1376594986067#com.adobe.service.J2EEPlatformPeerImpl##com.adobe.service.J2EEPlatformPeerImpl#######SAPEngine_System_Thread[impl:5]_93##0#0#Error##Plain###error getting ssl flag, using non-SSL mode: null#

#1.#001517A5E89C004300000000000048D10004E4017F250C9E#1376594986077#com.adobe.service.J2EEPlatformPeerImpl##com.adobe.service.J2EEPlatformPeerImpl#######SAPEngine_System_Thread[impl:5]_95##0#0#Error##Plain###error getting ssl flag, using non-SSL mode: null#

        at com.sap.jpe.engine.impl.deploy.JarClassLoader.findClass(JarClassLoader.java:82)

Cristiano Hansen wrote:

You can also check whether there are no active sockets configured for SSL. Please check SSL Provider under the dispatcher node, services location. In the Configuration area select Active sockets and maintain the required port. Under the Server identity tab maintain the server credential as well.

There are three active sockets for SSL (under Dispatcher/Services/SSL Provider) on ports: 55503, 55506, and 55501.

I will review the documentation you referenced.  Thank you for the reading.

Former Member

Cristiano Hansen wrote:

Hello Philip,

It is worth trying to check the defaultTrace and look for SSL-related error messages.

You can check the following SAP Help page:

Configuring the Use of SSL on the J2EE Engine

I read through the document and this is the exact procedure we have followed.  I followed it once again with the same result.

cris_hansen
Advisor

Let us try a different approach: SAP note 1019634. You can collect a trace with the Diagtool.

You can check for the content of the diagtool_yymmdd_ttmmss.zip and look for messages like "Missing keystore entry" or "SSL server socket .... NOT OK.".

Former Member

Hi Cristiano,

Our SAP America Consultant and I looked at this same tool earlier today.

I've redacted the output and attached it to this reply.  I don't see anything you mentioned.

Former Member

What OS and browser are you using? What is the SP level of your SAP_BASIS?

Former Member

Sorry, I just realized I had written SAP_BASIS whereas I meant, of course, the SP level of your portal. Let me explain. The client OS, browser and SP level of your portal are relevant because last year there was an issue regarding compatibility of Windows, IE and the SSL implementation of AS JAVA. See SAP note 1663313 and SAP KB 1673448 for details. I had the same issue on a couple of client systems; the symptoms are the same (blank screen and eventually timeout).

https://service.sap.com/sap/support/notes/1663313

https://service.sap.com/sap/support/notes/1673448

Answers (2)

Former Member

All,

It seems the error was on our System/Server.  We followed the prescribed setup procedure on another system/SID which resides on another server.

It worked fine there.  Since the system I was working on (and failing) is our sandbox, I'm not that concerned.  The procedure worked on one of our development systems.

Former Member

Hi Philip,

I assume there is no firewall between the client (browser) and the NW 7.0 application server?

Also, after you have the signed SSL certificate imported and the server restarted, were there any logs generated by the sapcryptolib?

I can't remember exactly which dev trace in the instance work directory, but I am pretty sure there is a dev trace file that has all the logs by the system has SSL enabled.

If this were my problem, I would go in this direction.

Regards,

Verono

Former Member

First off, thanks for the reply.

Verono Kwok wrote:

I assume there is no firewall between the client (browser) and the NW 7.0 application server?

No firewalls.  The HTTP and HTTPS services are on the same server.  I can telnet to the HTTPS port, so the connection is being established, but if I had to guess there is a problem in the SSL handshake.  I'm not sure.

Verono Kwok wrote:

Also, after you have the signed SSL certificate imported and the server restarted, were there any logs generated by the sapcryptolib?

I can't remember exactly which dev trace in the instance work directory, but I am pretty sure there is a dev trace file that has all the logs by the system has SSL enabled.

/usr/sap/<SID>/<Instance>/work contains no logs that are updated when I place my request.
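A successful telnet only proves the TCP accept; it says nothing about whether the SSL Provider ever answers a ClientHello. The probe below, an added diagnostic that is not part of this thread, distinguishes "TCP refused", "TCP accepted but handshake hangs" (the symptom described above) and "handshake answered but failed", which narrows the search between the dispatcher socket and the server credential. The silent listener is a constructed stand-in for a port that accepts and never speaks TLS; host, port and timeout values are assumptions.

```python
import socket
import ssl
import threading


def classify(exc):
    """Map a probe exception onto the symptom it points at."""
    if isinstance(exc, socket.timeout):
        return "handshake-timeout"   # TCP accepted, no TLS reply: the 'hang'
    if isinstance(exc, ssl.SSLError):
        return "handshake-error"     # server answered, negotiation failed
    if isinstance(exc, ConnectionRefusedError):
        return "tcp-refused"         # nothing listening on the SSL port
    return "other"


def probe_tls(host, port, timeout=5.0):
    """Return (status, detail); 'ok' carries protocol version and cipher."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # diagnosing, not trusting: a self-signed
    ctx.verify_mode = ssl.CERT_NONE  # sandbox cert must not mask a real hang
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok", f"{tls.version()} {tls.cipher()[0]}"
    except (OSError, ssl.SSLError) as exc:
        return classify(exc), repr(exc)


def start_silent_listener():
    """Constructed stand-in: accepts TCP connections and never replies."""
    held = []                        # keep accepted sockets open, say nothing
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            held.append(conn)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Probe the silent listener; a real run would target <server>:5xx01."""
    status, _ = probe_tls("127.0.0.1", start_silent_listener(), timeout=0.5)
    return status


if __name__ == "__main__":
    print(demo())
```

Run it against the real dispatcher port with a timeout of a few seconds; "handshake-timeout" matches the browser hang, while "handshake-error" would point instead at the protocol/cipher compatibility issue mentioned later in the thread.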

Former Member

Hi Philip,

There may not be logs updated when you browse to the URL in HTTPS.  But the dev trace would show whether or not the sapcryptolib was started properly after you have imported the signed certificate.

I am stating this because I had some instances in the past where SSL could not be enabled because of sapcryptolib compatibility, an issue with the port, the profile parameter not being set correctly, etc.  They will show up in the trace.

If it is possible to stop and restart the system without causing interruption, I would do so and go over the dev trace.  If not, you may need to look at the time stamp within the trace file.

Former Member

Since this is our sandbox, I restarted it.  After it was running, I executed this:

bash-3.2$ grep -i iaik *

bash-3.2$ grep -i cypto *

bash-3.2$ pwd

/usr/sap/<SID>/<Instance>/work

bash-3.2$