SMP 3.0.8.3 SSL setup with Netscaler (RP/LB)

Former Member

Hi,

We have been trying to set up SSL in our landscape for quite some time already without any success. Using the guide, we tried scenario 2 (one-way HTTPS).

Here's what we did in SMP

1) Signed smp_crt with our internal PKI system

- CN used is internal FQDN (smp.company.local)

- updated local_smp_keystore.jks

2) Uploaded internal root and intermediate CA (used to sign smp_crt) in smp_keystore.jks

3) Uploaded Netscaler certificate in smp_keystore.jks

- CN used is external FQDN (smp.company.com)

4) Uploaded Verisign (root) and Symantec (intermediate) CA certificate (used to sign Netscaler certificate) in smp_keystore.jks

5) Changed one way SSL port to 8443

Here's what we did in Netscaler

1) Setup SSL offload

2) Uploaded signed SMP certificate in Netscaler trust store

- CN used is internal FQDN (smp.company.local)

3) Uploaded internal root and intermediate CA in Netscaler trust store

4) Changed the backend server settings

backend FQDN = smp.company.local

backend protocol = HTTPS

backend port = 8443

Are the steps correct? Did we miss anything?

With this setup, we can't access SMP from the internet. We tested this using a browser by calling https://smp.company.com. We don't even get any entries in the SMP access logs. But if we don't use SSL (HTTP and 8080), we are able to access SMP from outside.


I also saw this just recently in the SMP Administration Overview:

"A reverse proxy that is used with SAP Mobile Platform must be a straight passthrough proxy server"

What should be the setup in Netscaler? SSL offload or SSL bridge?


Appreciate any feedback as we have spent a lot of time trying to make it work.


Thanks!

Answers (1)

bill_froelich
Product and Topic Expert

What type of application connection are you looking to use with this? Agentry, Kapsel, Hybrid?

--Bill

Former Member

Hi Bill,

We deployed a Kapsel app. It's a Fiori Launchpad (with My Inbox) accessed via a custom Fiori Client.

This is working right now if we don't setup SSL between Netscaler and SMP. We're trying to setup SSL now because of some errors we encountered. As per the diagnosis of SAP support, our errors will be fixed if we establish SSL between the 2. So we're attempting again to make SSL work.

However, we're not even using the app to test the SSL. We're just accessing https://smp.company.com via the browser. It's failing even just that test.

Thanks!

Kevin_SAP
Advisor

You're going to need to look a bit closer at what is causing the issue. Probably look at the Netscaler log and perhaps a trace. You need to check if Netscaler is even forwarding the request to SMP (Netscaler log, Wireshark or other network trace on the SMP server).

Regards,

Kevin

Former Member

Thanks for the reply Kevin.

Actually, we just established SSL connection by changing the config in the default-server.xml. We set sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1". Originally it was set to just TLSv1.2. I'm really not sure why it worked since this is all new to us. We are now able to access https://smp.company.com over the internet.

However, we are seeing these persistent "errors" in the SMP logs.

#DEBUG#org.apache.tomcat.util.net.JIoEndpoint###http-bio-8443-exec-6########Handshake failed java.io.IOException: SSL handshake failed. Ciper suite in SSL Session is SSL_NULL_WITH_NULL_NULL

#DEBUG#org.apache.tomcat.util.net.JIoEndpoint###http-bio-8083-exec-6########Handshake failed java.io.IOException: SSL handshake failed. Ciper suite in SSL Session is SSL_NULL_WITH_NULL_NULL

#DEBUG#org.apache.tomcat.util.net.jsse.JSSESupport###http-bio-8083-exec-9########Error trying to obtain a certificate from the client javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

Port 8443 is our one way SSL port while port 8083 is the Admin SSL port.

Any idea what these mean? I'm still researching about the possible cause.
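
The change described in this post, widening sslEnabledProtocols from "TLSv1.2" to "TLSv1.2,TLSv1.1,TLSv1", only helps because the NetScaler's back-end SSL profile was not offering TLSv1.2 to the SMP service: a TLS handshake fails outright when the two sides share no protocol version, and Tomcat logs that as "Handshake failed" with the null cipher suite. The following Go program is an added example, not code from the thread or from SAP or Citrix, that reproduces the mechanism in-process: it builds a constructed self-signed certificate for the hypothetical name smp.company.local, runs a handshake over net.Pipe with the "server" restricted to the versions SMP permits and the "client" restricted to the versions the proxy offers, and reports the negotiated version or the failure. The usual fix is the opposite direction from the post: keep the server at TLSv1.2 and confirm that the NetScaler firmware and its back-end SSL profile actually offer TLSv1.2 to the service, rather than re-enabling TLSv1.0/1.1 on SMP.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// VersionName maps a TLS version constant to the name used in Tomcat's
// sslEnabledProtocols attribute.
func VersionName(v uint16) string {
	switch v {
	case tls.VersionTLS10:
		return "TLSv1"
	case tls.VersionTLS11:
		return "TLSv1.1"
	case tls.VersionTLS12:
		return "TLSv1.2"
	case tls.VersionTLS13:
		return "TLSv1.3"
	}
	return fmt.Sprintf("0x%04x", v)
}

// selfSignedCert builds an in-memory self-signed certificate for the
// hypothetical backend name smp.company.local. It is a constructed stand-in
// for the PKI-signed SMP certificate on the page, not a real chain.
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "smp.company.local"},
		DNSNames:     []string{"smp.company.local"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, nil
}

// Handshake runs one TLS handshake in-process over net.Pipe. The server side
// accepts serverMin..serverMax (what sslEnabledProtocols permits on the SMP
// connector); the client side offers clientMin..clientMax (what the proxy's
// back-end SSL profile sends). It returns the negotiated version, or the
// handshake error when the two ranges do not intersect.
func Handshake(serverMin, serverMax, clientMin, clientMax uint16) (uint16, error) {
	cert, leaf, err := selfSignedCert()
	if err != nil {
		return 0, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)

	srvConf := &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             serverMin,
		MaxVersion:             serverMax,
		SessionTicketsDisabled: true, // nothing is written after the handshake on the synchronous pipe
	}
	cliConf := &tls.Config{
		RootCAs:    roots,
		ServerName: "smp.company.local",
		MinVersion: clientMin,
		MaxVersion: clientMax,
	}

	srvRaw, cliRaw := net.Pipe()
	defer srvRaw.Close()
	defer cliRaw.Close()
	srv := tls.Server(srvRaw, srvConf)
	cli := tls.Client(cliRaw, cliConf)

	srvErr := make(chan error, 1)
	go func() { srvErr <- srv.Handshake() }()
	cliErr := cli.Handshake()
	if cliErr != nil {
		cliRaw.Close() // unblock the server read if the client gave up before sending anything
	}
	sErr := <-srvErr
	if cliErr != nil {
		return 0, fmt.Errorf("client: %v (server: %v)", cliErr, sErr)
	}
	if sErr != nil {
		return 0, fmt.Errorf("server: %v", sErr)
	}
	return cli.ConnectionState().Version, nil
}

func main() {
	// SMP as originally configured in default-server.xml: sslEnabledProtocols="TLSv1.2".
	srvMin, srvMax := uint16(tls.VersionTLS12), uint16(tls.VersionTLS12)

	// A proxy whose back-end profile stops at TLSv1.1 never completes the handshake.
	if _, err := Handshake(srvMin, srvMax, tls.VersionTLS10, tls.VersionTLS11); err != nil {
		fmt.Println("proxy offers TLSv1-TLSv1.1:", err)
	}
	// The same server succeeds as soon as the proxy offers TLSv1.2.
	v, err := Handshake(srvMin, srvMax, tls.VersionTLS12, tls.VersionTLS12)
	fmt.Println("proxy offers TLSv1.2:", VersionName(v), err)
}
```

The first call ends with a protocol-version alert from the server, which is what Tomcat records on its side as a failed handshake with no cipher suite; the second negotiates TLSv1.2. Run it with the version arguments swapped to see that lowering the server's minimum, as the post did, is just the other way of making the ranges overlap.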


Kevin_SAP
Advisor

javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated generally indicates certificate is not trusted in SMP, but you can add the JVM debug setting -Djavax.net.debug=all to get more information.

Regards,

Kevin

Kevin_SAP
Advisor

If you want to limit it to ssl, try -Djavax.net.debug=ssl

Former Member

Hi Kevin,

Where do I add that debug setting?

And given that it's happening on port 8083, it means that my "certificate" is being checked when I access the admin cockpit? Is this correct?

Thanks

Kevin_SAP
Advisor

JVM settings go in \SAP\MobilePlatform3\Server\props.ini. Make sure you back up the file first, and it requires a restart. I believe the error is a trust issue in the keystore, but tracing should provide more info.

Regards,

Kevin

Former Member

Thanks Kevin for the feedback.

I was able to place the JVM parameters earlier today. I already sent the logs to SAP support for further investigation. As mentioned previously, the SSL connection is already working. I just need some explanation regarding the errors in the logs before implementing SSL in our production environment.
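
The thread ends without explaining the three DEBUG lines quoted earlier. As an added example, not part of the thread and not SAP code, the Go program below parses lines in that '#'-delimited SMP/Tomcat layout (the samples are constructed copies of the quoted lines plus one unrelated line), pulls the connector port out of the Tomcat thread name (http-bio-<port>-exec-<n>) and classifies each handshake diagnostic. Two facts about Tomcat drive the classification: the null suite SSL_NULL_WITH_NULL_NULL means the TLS session never agreed on a cipher, so the peer disconnected, sent non-TLS bytes (a plaintext probe or a load-balancer TCP health check on the TLS port) or shared no protocol/cipher with the server; and SSLPeerUnverifiedException "peer not authenticated" from JSSESupport is raised when Tomcat tries to obtain the client's certificate (the connector has clientAuth set, or the application asked for it) and the peer presented none that validates against the connector's truststore. Neither message says anything about the server's own certificate chain.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// SampleLog is a constructed input in the SMP/Tomcat layout quoted in the thread:
// the three TLS diagnostics plus one unrelated line that must be ignored.
var SampleLog = []string{
	"#DEBUG#org.apache.tomcat.util.net.JIoEndpoint###http-bio-8443-exec-6########Handshake failed java.io.IOException: SSL handshake failed. Ciper suite in SSL Session is SSL_NULL_WITH_NULL_NULL",
	"#DEBUG#org.apache.tomcat.util.net.JIoEndpoint###http-bio-8083-exec-6########Handshake failed java.io.IOException: SSL handshake failed. Ciper suite in SSL Session is SSL_NULL_WITH_NULL_NULL",
	"#DEBUG#org.apache.tomcat.util.net.jsse.JSSESupport###http-bio-8083-exec-9########Error trying to obtain a certificate from the client javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated",
	"#INFO#com.example.smp.startup###localhost-startStop-1########Server started", // constructed filler line
}

// Kind is a coarse reading of why a TLS handshake on a connector was logged as failed.
type Kind string

const (
	NoCipherNegotiated Kind = "no-cipher-negotiated"    // session ended with SSL_NULL_WITH_NULL_NULL
	ClientCertMissing  Kind = "client-cert-not-verified" // a client certificate was requested, none validated
)

// Event is one parsed TLS diagnostic.
type Event struct {
	Level  string
	Logger string
	Thread string
	Port   string // connector port taken from the Tomcat thread name, "" if not a connector thread
	Kind   Kind
	Detail string
}

// Tomcat BIO connector threads are named http-bio-<port>-exec-<n>.
var threadPort = regexp.MustCompile(`^http-bio-(\d+)-exec-\d+$`)

// Parse splits one '#'-delimited log line and classifies it. It returns
// ok=false for lines that are not TLS handshake diagnostics.
func Parse(line string) (Event, bool) {
	// Layout: "" LEVEL LOGGER "" "" THREAD "" ... MESSAGE (the message is the last field).
	f := strings.Split(line, "#")
	if len(f) < 7 {
		return Event{}, false
	}
	ev := Event{Level: f[1], Logger: f[2], Thread: f[5], Detail: f[len(f)-1]}
	if m := threadPort.FindStringSubmatch(ev.Thread); m != nil {
		ev.Port = m[1]
	}
	switch {
	case strings.Contains(ev.Detail, "SSL_NULL_WITH_NULL_NULL"):
		ev.Kind = NoCipherNegotiated
	case strings.Contains(ev.Detail, "SSLPeerUnverifiedException"):
		ev.Kind = ClientCertMissing
	default:
		return Event{}, false
	}
	return ev, true
}

// Explain returns the practitioner reading of a Kind.
func Explain(k Kind) string {
	switch k {
	case NoCipherNegotiated:
		return "no cipher suite was ever agreed: the peer closed early, sent non-TLS bytes (plaintext probe or TCP health check), or offered no common protocol/cipher"
	case ClientCertMissing:
		return "a client certificate was requested on this connector and the peer sent none that chains to the connector's truststore; unrelated to the server certificate"
	}
	return "unknown"
}

// Summarize counts diagnostics per connector port and kind, keyed "<port>/<kind>".
func Summarize(lines []string) map[string]int {
	out := map[string]int{}
	for _, l := range lines {
		if ev, ok := Parse(l); ok {
			out[ev.Port+"/"+string(ev.Kind)]++
		}
	}
	return out
}

func main() {
	for key, n := range Summarize(SampleLog) {
		kind := Kind(strings.SplitN(key, "/", 2)[1])
		fmt.Printf("%-32s %d  %s\n", key, n, Explain(kind))
	}
}
```

On the sample input this yields one null-cipher failure on 8443, one on 8083 and one client-certificate failure on 8083. Pointed at a real SMP log, the per-port counts separate the proxy's TCP-level health checks and version mismatches (null cipher) from connectors that are asking for a client certificate the peer does not have, which is the distinction the poster wanted before moving the configuration to production.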