on 10-30-2015 3:58 PM
Hi,
We have been trying to set up SSL in our landscape for quite some time already without any success. Using the guide, we tried scenario 2 (one-way HTTPS).
Here's what we did in SMP
1) Signed smp_crt with our internal PKI system
- CN used is internal FQDN (smp.company.local)
- updated local_smp_keystore.jks
2) Uploaded internal root and intermediate CA (used to sign smp_crt) in smp_keystore.jks
3) Uploaded Netscaler certificate in smp_keystore.jks
- CN used is external FQDN (smp.company.com)
4) Uploaded Verisign (root) and Symantec (intermediate) CA certificate (used to sign Netscaler certificate) in smp_keystore.jks
5) Changed one-way SSL port to 8443
Here's what we did in Netscaler
1) Set up SSL offload
2) Uploaded signed SMP certificate in Netscaler trust store
- CN used is internal FQDN (smp.company.local)
3) Uploaded internal root and intermediate CA in Netscaler trust store
4) Changed the backend server settings
- backend FQDN = smp.company.local
- backend protocol = HTTPS
- backend port = 8443
Are the steps correct? Did we miss anything?
With this setup, we can't access SMP from the internet. We tested this using a browser by calling https://smp.company.com. We don't even get any entries in the SMP access logs. But if we don't use SSL (HTTP and 8080), we are able to access SMP from outside.
I also saw this just recently in the SMP Administration Overview:
"A reverse proxy that is used with SAP Mobile Platform must be a straight passthrough proxy server"
What should be the setup in Netscaler? SSL offload or SSL bridge?
Appreciate any feedback as we have spent a lot of time trying to make it work.
Thanks!
What type of application connection are you looking to use with this? Agentry, Kapsel, Hybrid?
--Bill
Hi Bill,
We deployed a Kapsel app. It's a Fiori Launchpad (with My Inbox) accessed via a custom Fiori Client.
This is working right now if we don't set up SSL between Netscaler and SMP. We're trying to set up SSL now because of some errors we encountered. As per the diagnosis of SAP support, our errors will be fixed if we establish SSL between the 2. So we're attempting again to make SSL work.
However, we're not even using the app to test the SSL. We're just accessing https://smp.company.com via the browser. It's failing even just that test.
Thanks!
Thanks for the reply, Kevin.
Actually, we just established SSL connection by changing the config in the default-server.xml. We set sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1". Originally it was set to just TLSv1.2. I'm really not sure why it worked since this is all new to us. We are now able to access https://smp.company.com over the internet.
However, we are seeing these persistent "errors" in the SMP logs.
#DEBUG#org.apache.tomcat.util.net.JIoEndpoint###http-bio-8443-exec-6########Handshake failed java.io.IOException: SSL handshake failed. Ciper suite in SSL Session is SSL_NULL_WITH_NULL_NULL
#DEBUG#org.apache.tomcat.util.net.JIoEndpoint###http-bio-8083-exec-6########Handshake failed java.io.IOException: SSL handshake failed. Ciper suite in SSL Session is SSL_NULL_WITH_NULL_NULL
#DEBUG#org.apache.tomcat.util.net.jsse.JSSESupport###http-bio-8083-exec-9########Error trying to obtain a certificate from the client javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
Port 8443 is our one-way SSL port while port 8083 is the Admin SSL port.
Any idea what these mean? I'm still researching about the possible cause.
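Added example, not part of the thread and not SAP or Tomcat code: a small Python triage script that parses log lines in the format quoted in the post above (#LEVEL#logger###thread########message), recovers the listener port from the connector thread name (http-bio-<port>-exec-<n>), and counts the two TLS findings per port. The port-to-role mapping is the one stated in the post (8443 one-way SSL, 8083 admin SSL). The sample log is constructed from the quoted lines plus one invented benign entry so the filter has something to skip; the logger name on that line is made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the SMP log lines quoted in the thread.
# The fourth line is an invented benign entry (made-up logger name) so the
# filter has something to skip; it is not real SMP output.
SAMPLE_LOG = """\
#DEBUG#org.apache.tomcat.util.net.JIoEndpoint###http-bio-8443-exec-6########Handshake failed java.io.IOException: SSL handshake failed. Ciper suite in SSL Session is SSL_NULL_WITH_NULL_NULL
#DEBUG#org.apache.tomcat.util.net.JIoEndpoint###http-bio-8083-exec-6########Handshake failed java.io.IOException: SSL handshake failed. Ciper suite in SSL Session is SSL_NULL_WITH_NULL_NULL
#DEBUG#org.apache.tomcat.util.net.jsse.JSSESupport###http-bio-8083-exec-9########Error trying to obtain a certificate from the client javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
#INFO#com.example.smp.RequestLogger###http-bio-8443-exec-2########Request completed (constructed line)
"""

# Listener roles as stated in the post: 8443 = one-way SSL, 8083 = admin SSL.
PORT_ROLES = {8443: "one-way SSL", 8083: "admin SSL"}

# Field layout of the quoted lines: #LEVEL#logger###thread########message
LINE_RE = re.compile(
    r"^#(?P<level>[A-Z]+)#(?P<logger>[^#]+)#+"
    r"(?P<thread>http-bio-(?P<port>\d+)-exec-\d+)#+(?P<msg>.*)$"
)

# Substring in the message -> finding label.
SIGNATURES = (
    ("SSL_NULL_WITH_NULL_NULL", "handshake_not_completed"),
    ("SSLPeerUnverifiedException", "no_client_cert"),
)

EXPLANATIONS = {
    "handshake_not_completed": (
        "no cipher suite was negotiated, i.e. the peer closed the connection "
        "before the TLS handshake finished; typical causes are a protocol or "
        "cipher mismatch between proxy and server, or a TCP-level health check "
        "or port scan hitting the TLS port without speaking TLS"
    ),
    "no_client_cert": (
        "Tomcat tried to read a client certificate and the peer had not "
        "presented one; expected on a connector where client authentication is "
        "optional and the caller (browser or proxy) has no client certificate"
    ),
}


def parse_line(line):
    """Split one log line into fields; None if it is not a connector-thread line."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def classify(msg):
    """Map a message to a finding label, or None if it is not a TLS problem."""
    for needle, label in SIGNATURES:
        if needle in msg:
            return label
    return None


def triage(text):
    """Count TLS findings per listener port: {port: Counter({label: n})}."""
    findings = defaultdict(Counter)
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        label = classify(rec["msg"])
        if label is not None:
            findings[rec["port"]][label] += 1
    return dict(findings)


def report(findings, port_roles=PORT_ROLES):
    """Render findings as one human-readable line per (port, label)."""
    lines = []
    for port in sorted(findings):
        role = port_roles.get(port, "unknown role")
        for label, n in sorted(findings[port].items()):
            lines.append(f"port {port} ({role}): {n}x {label}: {EXPLANATIONS[label]}")
    return lines


if __name__ == "__main__":
    for line in report(triage(SAMPLE_LOG)):
        print(line)
```

Run it against a real SMP log by replacing SAMPLE_LOG with the file contents; a port that only ever shows handshake_not_completed and never a completed request from the same client address is the one to check for a protocol-version mismatch or a non-TLS health probe.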
Thanks, Kevin, for the feedback.
I was able to place the JVM parameters earlier today. I already sent the logs to SAP support for further investigation. As mentioned previously, the SSL connection is already working. I just need some explanation regarding the errors in the logs before implementing SSL in our production environment.