on 08-15-2013 4:05 PM
All,
We're trying to set up HTTPS in our environment to encrypt traffic between web browsers and our application servers. Single Sign-On is not a consideration here.
We are running NW 7.0. Are there any good how-to's related to setting up and configuring AS Java to use https?
Our current situation:
When I visit http://<server>:5xx00/ all is fine. I get the expected home page which lists NWA, System Information, UDDI Client, etc. However, when I visit https://<server>:5xx01/ things go awry. If we have the key properly configured and signed, the page just hangs and then Internet Explorer gives up (with a nondescript error, of course):
This problem can be caused by a variety of issues, including:
- Internet connectivity has been lost.
- The website is temporarily unavailable.
- The Domain Name Server (DNS) is not reachable.
- The Domain Name Server (DNS) does not have a listing for the website's domain.
- There might be a typing error in the address.
- If this is an HTTPS (secure) address, click Tools, click Internet Options, click Advanced, and check to be sure the SSL and TLS protocols are enabled under the security section.
If we don't have a signed certificate configured in the key store/SSL Provider then you get the expected results: a warning screen advising you the key isn't signed, and after you bypass the warning the web session just hangs like it did previously and then gives up.
I can verify that:
At one point I enabled Dispatcher/HTTP Provider/Properties/HttpTrace/enableHeaders. When I visited the http port, obviously (since http is working fine -- just https is failing) I got headers that showed up in "/usr/sap/<SID>/<Instance>/j2ee/cluster/dispatcher/log/services/httpservices/http/req_resp". When I tried to access the same page via https, nothing showed up in the req_resp trace file. This leads me to believe there is a problem with the "SSL Provider".
Any thoughts/suggestions?
Hello Philip,
It is worth checking the defaultTrace and looking for SSL-related error messages.
You can check the following SAP Help page:
Configuring the Use of SSL on the J2EE Engine
You can also check whether there are no active sockets configured for SSL. Please check SSL Provider under the dispatcher node, services location. In the Configuration area select Active sockets and maintain the required port. Under the Server identity tab maintain the server credential as well.
You can also check here.
I hope this helps,
Cris
Thank you also for the reply and your thoughts.
Cristiano Hansen wrote:
Hello Philip,
It is worth checking the defaultTrace and looking for SSL-related error messages.
You can check the following SAP Help page:
The trace file located at /usr/sap/<SID>/<Instance>/j2ee/cluster/server0/log/defaultTrace.0.trc (most recent trace) has these mentions of SSL:
#1.#001517A5E89C00030000005A00006C610004E3FD792DC7DE#1376577706117#com.sap.engine.services.monitor.common.Template##com.sap.engine.services.monitor.common.Template####n/a##42c7fec005b811e3b72300002100bb96#Timeout Service Synchronous Internal Thread##0#0#Info##Plain### - sap.com/tc~sec~wssec~app - wssproc - ssl - apply#
#1.#001517A5E89C00030000005B00006C610004E3FD792DC828#1376577706117#com.sap.engine.services.monitor.common.Template##com.sap.engine.services.monitor.common.Template####n/a##42c7fec005b811e3b72300002100bb96#Timeout Service Synchronous Internal Thread##0#0#Info##Plain### - sap.com/tc~sec~wssec~app - wssproc - ssl - getKsAliases#
#1.#001517A5E89C00030000005C00006C610004E3FD792DC873#1376577706117#com.sap.engine.services.monitor.common.Template##com.sap.engine.services.monitor.common.Template####n/a##42c7fec005b811e3b72300002100bb96#Timeout Service Synchronous Internal Thread##0#0#Info##Plain### - sap.com/tc~sec~wssec~app - wssproc - ssl - getKsViews#
#1.#001517A5E89C00030000005D00006C610004E3FD792DC8BE#1376577706117#com.sap.engine.services.monitor.common.Template##com.sap.engine.services.monitor.common.Template####n/a##42c7fec005b811e3b72300002100bb96#Timeout Service Synchronous Internal Thread##0#0#Info##Plain### - sap.com/tc~sec~wssec~app - wssproc - ssl - verify#
#1.#001517A5E89C00030000005E00006C610004E3FD792DC909#1376577706117#com.sap.engine.services.monitor.common.Template##com.sap.engine.services.monitor.common.Template####n/a##42c7fec005b811e3b72300002100bb96#Timeout Service Synchronous Internal Thread##0#0#Info##Plain### - sap.com/tc~sec~wssec~app - wssproc - ssl - getKsCertDNs#
ClassLoader name: [com.sapportals.portal.prt.util.ApplicationClassLoader@30c8557a]
Parent loader name: [com.sapportals.portal.prt.util.ApplicationClassLoader@3d787ad5]
ClassLoader name: [sap.com/com.sap.netweaver.bc.util]
Parent loader name: [com.sapportals.portal.prt.util.AutoClassLoader@737dd49f]
#1.#001517A5E89C004100000000000048D10004E4017F24A047#1376594986049#com.adobe.service.J2EEPlatformPeerImpl##com.adobe.service.J2EEPlatformPeerImpl#######SAPEngine_System_Thread[impl:5]_79##0#0#Error##Plain###error getting ssl flag, using non-SSL mode: null#
#1.#001517A5E89C004200000000000048D10004E4017F24E7F8#1376594986067#com.adobe.service.J2EEPlatformPeerImpl##com.adobe.service.J2EEPlatformPeerImpl#######SAPEngine_System_Thread[impl:5]_93##0#0#Error##Plain###error getting ssl flag, using non-SSL mode: null#
#1.#001517A5E89C004300000000000048D10004E4017F250C9E#1376594986077#com.adobe.service.J2EEPlatformPeerImpl##com.adobe.service.J2EEPlatformPeerImpl#######SAPEngine_System_Thread[impl:5]_95##0#0#Error##Plain###error getting ssl flag, using non-SSL mode: null#
at com.sap.jpe.engine.impl.deploy.JarClassLoader.findClass(JarClassLoader.java:82)
Cristiano Hansen wrote:
You can also check whether there are no active sockets configured for SSL. Please check SSL Provider under the dispatcher node, services location. In the Configuration area select Active sockets and maintain the required port. Under the Server identity tab maintain the server credential as well.
There are three active sockets for SSL (under Dispatcher/Services/SSL Provider) on ports: 55503, 55506, and 55501.
I will review the documentation you referenced. Thank you for the reading.
Cristiano Hansen wrote:
Hello Philip,
It is worth checking the defaultTrace and looking for SSL-related error messages.
You can check the following SAP Help page:
I read through the document and this is the exact procedure we have followed. I followed it once again with the same result.
Sorry, I just realized I had written SAP_BASIS whereas I meant of course the SP level of your portal. Let me explain. The client OS, browser and SP level of your portal are relevant because last year there was an issue regarding compatibility of Windows, IE and the SSL implementation of AS JAVA. See SAP note 1663313 and SAP KB 1673448 for details. I had the same issue on a couple of client systems; the symptoms are the same (blank screen and eventually timeout).
All,
It seems the error was on our System/Server. We followed the prescribed setup procedure on another system/SID which resides on another server.
It worked fine there. Since the system I was working on (and failing) is our sandbox, I'm not that concerned. The procedure worked on one of our development systems.
Hi Philip,
I assume there is no firewall between the client (browser) and the NW 7.0 application server?
Also, after you have the signed SSL certificate imported and the server restarted, were there any logs generated by the sapcryptolib?
I can't remember exactly which dev trace in the instance work directory, but I am pretty sure there is a dev trace file that has all the logs by the system has SSL enabled.
If this were my problem, I would go in this direction.
Regards,
Verono
First off, thanks for the reply.
Verono Kwok wrote:
I assume there is no firewall between the client (browser) and the NW 7.0 application server?
No firewalls. The HTTP and HTTPS service are on the same server. I can telnet to the HTTPS port so the connection is being established, but if I had to guess there is a problem in the SSL handshake. I'm not sure.
Verono Kwok wrote:
Also, after you have the signed SSL certificate imported and the server restarted, were there any logs generated by the sapcryptolib?
I can't remember exactly which dev trace in the instance work directory, but I am pretty sure there is a dev trace file that has all the logs by the system has SSL enabled.
/usr/sap/<SID>/<Instance>/work contains no logs that are updated when I place my request.
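The distinction drawn in the reply above (the TCP connection to the HTTPS port succeeds, but the SSL handshake may not) can be checked from the client side. The following is an added example, not part of the original thread and not SAP tooling; the function name `probe_tls` and its result labels are assumptions made for illustration, and the host and port passed on the command line are whatever you are diagnosing.

```python
import socket
import ssl
import sys


def probe_tls(host, port, timeout=5.0):
    """Report how far a connection to an HTTPS port gets.

    Returns 'tcp_failed', 'handshake_timeout', 'handshake_error',
    'peer_closed' or 'tls_ok:<protocol version>'.
    """
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "tcp_failed"  # nothing listening, or the port is filtered

    # Diagnostic only: the question is whether a handshake completes at all,
    # so certificate validation is switched off. Do not reuse this context
    # for a client that sends real data.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # wrap_socket performs the handshake and inherits the socket timeout.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return "tls_ok:" + str(tls.version())
    except socket.timeout:
        # TCP accepted, but the server never answered the ClientHello:
        # the "page just hangs" symptom described in this thread.
        return "handshake_timeout"
    except ssl.SSLError:
        # The server answered, but not with an acceptable TLS handshake.
        return "handshake_error"
    except OSError:
        return "peer_closed"  # connection reset or closed mid-handshake
    finally:
        raw.close()


if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage: python probe_tls.py <server> <https-port>
    print(probe_tls(sys.argv[1], int(sys.argv[2])))
```

A current Python build refuses old protocol versions by default, so `handshake_error` against an old server stack can reflect the client's minimum version rather than a server fault; `handshake_timeout` is the result that matches a listener that accepts connections but never completes SSL.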
Hi Philip,
There may not be logs updated when you browse to the URL in HTTPS. But the dev trace would show whether or not the sapcryptolib was started properly after you have imported the signed certificate.
I am stating this because I had some instances in the past where SSL could not be enabled because of the sapcryptolib compatibility, an issue with the port, the profile parameter not being set correctly, etc. They will show up in the trace.
If it is possible to stop and restart the system without causing interruption, I would do so and go over the dev trace. If not, you may need to look at the time stamp within the trace file.