
Agentry with SMP 3.0 and Nginx

Former Member
0 Kudos

Hi all,

We are trying to use Nginx as a two-way reverse proxy for the Agentry application in SMP 3.0.

Stuff done so far:

    1) Installed Nginx in the DMZ and configured the configuration file as described in the document found under the link

    2) Created a self-signed certificate for the Nginx server and installed it in the SMP keystore.

    3) In the Nginx config file, for the upstream backend, we have put the URL of the Agentry application, i.e. (<server ip>:8082/SAPWM)

    4) After all the configurations we are able to hit the https port of the SMP server via the Nginx server (https://<nginx server>:<configured port>/SAPWM) and are able to get the message "i am here" from the browser.

    5) The issue is that when we try to log in to the server from the Agentry client with the same Nginx URL from step 4), we get a communication error. As seen from the Agentry client, it stops before getting the certificate from the server, and the Nginx log records an error "client 10.76.16.211 closed keepalive connection" and the client fails to log in to the SMP Agentry application.

  

Also please find the Nginx.conf file attached with the post.

Any suggestions will be appreciated.

Thanks,

Rakshit

Accepted Solutions (1)


Former Member
0 Kudos

Here is a copy of the location / section of the nginx.conf that I had configured before and that was working. Note, I did this around 2 years ago and haven't used it since.

    proxy_pass https://<Server Address>:8081/MobileNorthwind;
    proxy_set_header 10.172.246.190 $remote_addr;
    proxy_set_header localhost $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

Former Member
0 Kudos

Hi Stephen,

Thanks for the response. After I changed the location section in my Nginx conf file it worked.

Thanks again.

Answers (3)


D_Olderdissen
Advisor
0 Kudos

In theory, the Agentry client should check the validity of the SSL endpoint server, in your case most likely the NGINX box. It seems you are using a self signed cert - have you imported the root cert of your signing entity into the device keystore? This would be in line with the suspicion you are seeing an SSL error.

Cheers,

Dirk

bill_froelich
Product and Topic Expert
0 Kudos

Correct, assuming NGINX is set up as a true proxy and not a pass-through, the Agentry client will receive the certificate from NGINX when it establishes the https connection and validate that the CN on the certificate matches the server information entered on the client.

In turn NGINX will establish an https connection to the SMP3 server and NGINX will then attempt to verify the certificate presented (unless you have configured this off in NGINX).  The Agentry client will have no knowledge or direct communication to the SMP3 server so the Agentry client will not care what certificate the SMP3 server presents.  It only cares about the one from NGINX.

The Agentry client is fairly explicit about SSL certificate errors when the client cannot validate the certificates.

--Bill

kirankola
Advisor
0 Kudos

Hi Rakshit,

- In SMP, 8081 is used for one way SSL and 8082 is used for two way SSL setup.

- Your step 4 tells you that your server is running fine. In your browser, I hope there is no certificate error.

- To see if one-way https is working from the Agentry server, try the following:

https://<agentry host>:443  (in this case you should see SMP Server info without any certificate error, as mentioned in the documentation)

- You mentioned two-way SSL is planned, which is mutual/client-based authentication; but in your configuration, I see ssl_verify_client is off (which is required in case of mutual).

-  In our documentation, Client Certificate based authentication is not covered for Nginx setup. Only http and one-way https is covered.

Regards,

Kiran
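
Added example, not part of the thread or of SAP's documentation: an nginx.conf that spells out the two TLS legs Bill describes (client to NGINX, NGINX to SMP) and the ssl_verify_client setting Kiran points at. Hostnames, file paths and the CA layout are assumptions; port 8082 is the two-way SSL port named in the thread.

```nginx
# Added example. Hostnames and certificate paths below are placeholders.
events {}

http {
    server {
        # Leg 1: Agentry client -> NGINX. The client validates THIS certificate,
        # so its CN/SAN must match the server name entered on the client, and a
        # self-signed cert (or its issuing root) must be trusted on the device.
        listen 443 ssl;
        server_name proxy.example.com;
        ssl_certificate     /etc/nginx/tls/proxy.crt;
        ssl_certificate_key /etc/nginx/tls/proxy.key;

        # Two-way SSL on this leg: request and verify a client certificate.
        # With "ssl_verify_client off" NGINX never asks the client for one.
        ssl_client_certificate /etc/nginx/tls/client-ca.crt;  # CA that issued client certs
        ssl_verify_client on;
        ssl_verify_depth 2;

        location / {
            # Leg 2: NGINX -> SMP. No URI part, so /SAPWM is passed through as requested.
            proxy_pass https://smp.example.internal:8082;

            # NGINX does not verify the upstream certificate by default
            # (proxy_ssl_verify defaults to off), so turn it on explicitly.
            proxy_ssl_verify on;
            proxy_ssl_verify_depth 2;
            proxy_ssl_trusted_certificate /etc/nginx/tls/smp-ca.crt;
            proxy_ssl_name smp.example.internal;   # name checked against the SMP cert
            proxy_ssl_server_name on;              # send that name as SNI

            # Certificate NGINX itself presents to the two-way port on SMP.
            proxy_ssl_certificate     /etc/nginx/tls/proxy-client.crt;
            proxy_ssl_certificate_key /etc/nginx/tls/proxy-client.key;

            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}
```

Because NGINX terminates TLS, SMP sees the proxy's client certificate on leg 2, not the device's. Run `nginx -t` after editing to check the syntax and that the referenced certificate files load.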

bill_froelich
Product and Topic Expert
0 Kudos

In step 5 what exactly is the error you are getting from the Agentry client?   Is it an SSL error or something more generic?

--Bill