
Connection between NW 740 Portal & WebSEAL (TAM) broken

Former Member

Our scenario is that end users log in to the Portal through WebSEAL (Tivoli Access Manager), where the portal is defined as one of the junctions.

The UME for the Portal is LDAP.

Recently we upgraded the portal from NW 702 to NW 740; since then, the connection through WebSEAL to the portal has stopped working.

It simply throws the error "Third Party Server not responding", and no logs are written on the WebSEAL side, as there is no connection with the portal.

There is communication between both through certificates:

in NW 702:

TAM certificate was exported in path => VA => Keystore->TrustedCAs

Portal certificate under => VA=> Service_ssl was updated in TAM.

(This certificate was generated with the same name defined under VA => SSL Provider => runtime => Dispatcher xx => Serveridentity)

In NW 740, these paths somehow got changed and ICM came into the picture. (We are missing the concept with this.)

WebSeal Admin says:

WebSEAL verifies a back-end server certificate according to the standard SSL protocol. The back-end server sends its server certificate to WebSEAL. WebSEAL validates the server certificate against a pre-defined list of root Certificate Authority (CA) certificates.

The Certificate Authority (CA) certificates that form the trust chain for the application server certificate (from the signing CA up to and including the root certificate) must be included in the key database in use by WebSEAL.

You use the iKeyman utility to create and manage the database of root CA certificates.

Below are the ICM params defined in the instance profile:

icm/HTTP/ASJava/disable_url_session_tracking = TRUE

icm/HTTPS/client_certificate_header_name = SSL_CLIENT_CERT

icm/HTTPS/client_certificate_chain_header_prefix = SSL_CLIENT_CERT_CHAIN_

icm/keep_alive_timeout = 300

icm/HTTPS/client_cipher_suite_header_name = SSL_CIPHER_SUITE

icm/HTTPS/client_key_size_header_name = SSL_CIPHER_USEKEYSIZE

icm/server_port_0 = PROT=IIOP, PORT=50007

icm/server_port_1 = PROT=TELNET, PORT=50008, HOST=localhost

icm/server_port_2 = PROT=IIOPSEC, PORT=50003, SSLCONFIG=ssl_config_2

icm/ssl_config_2 = VCLIENT=1, CRED=/usr/sap/QXP/J00/sec/SAPSSLS.pse

icm/server_port_3 = PROT=P4, PORT=50004

icm/server_port_4 = PROT=P4SEC, PORT=50006, SSLCONFIG=ssl_config_4

icm/ssl_config_4 = VCLIENT=1, CRED=/usr/sap/QXP/J00/sec/SAPSSLS.pse

icm/server_port_5 = PROT=HTTPS, PORT=1443, TIMEOUT=60, PROCTIMEOUT=600, SSLCONFIG=ssl_config_5

icm/ssl_config_5 = VCLIENT=1, CRED=/usr/sap/QXP/J00/sec/SAPSSLS.pse

icm/server_port_6 = PROT=HTTP, PORT=50000, TIMEOUT=60, PROCTIMEOUT=600

The Portal HTTPS port is 1443. With this port we are experiencing strange behaviour when accessing the portal directly as well: for a few users it opens from Firefox without any issue, but a few users get the error "Secure Connection Failed", and from IE no one is able to open the portal page on HTTPS port 1443, either by host or by IP.

I expect we are missing something with HTTPS, ICM and certificates since we went on to NW 740.

There will not be an issue with WebSEAL, as no changes occurred on their side.

Any help on this is well appreciated. Thanks in advance.
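
Added example, not part of the original post and not SAP tooling: a small parser for the profile lines quoted above that resolves each port's `SSLCONFIG` reference to the PSE named by `CRED`, the credential whose certificate WebSEAL has to trust for that port. The profile text is a constructed subset of the quoted parameters, and the function names are illustrative.

```python
import re

# Constructed sample: a subset of the instance profile lines quoted in the post.
PROFILE = """\
icm/server_port_2 = PROT=IIOPSEC, PORT=50003, SSLCONFIG=ssl_config_2
icm/ssl_config_2 = VCLIENT=1, CRED=/usr/sap/QXP/J00/sec/SAPSSLS.pse
icm/server_port_5 = PROT=HTTPS, PORT=1443, TIMEOUT=60, PROCTIMEOUT=600, SSLCONFIG=ssl_config_5
icm/ssl_config_5 = VCLIENT=1, CRED=/usr/sap/QXP/J00/sec/SAPSSLS.pse
icm/server_port_6 = PROT=HTTP, PORT=50000, TIMEOUT=60, PROCTIMEOUT=600
"""

def parse_profile(text):
    """Return {parameter name: raw value} for 'name = value' lines."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params

def parse_options(value):
    """Split 'PROT=HTTPS, PORT=1443' into {'PROT': 'HTTPS', 'PORT': '1443'}."""
    pairs = (item.split("=", 1) for item in value.split(",") if "=" in item)
    return {k.strip().upper(): v.strip() for k, v in pairs}

def tls_ports(text):
    """Map every port that carries an SSLCONFIG reference to its PSE and VCLIENT."""
    params = parse_profile(text)
    result = []
    for name in sorted(params):
        if not re.fullmatch(r"icm/server_port_\d+", name):
            continue
        port = parse_options(params[name])
        ref = port.get("SSLCONFIG")
        if ref is None:
            continue  # no SSLCONFIG reference on this port
        cfg = params.get("icm/" + ref)  # SSLCONFIG=ssl_config_5 -> icm/ssl_config_5
        ssl = parse_options(cfg) if cfg is not None else {}
        result.append({"prot": port.get("PROT"), "port": int(port.get("PORT", 0)),
                       "sslconfig": ref, "pse": ssl.get("CRED"),
                       "vclient": ssl.get("VCLIENT"), "dangling": cfg is None})
    return result

if __name__ == "__main__":
    for row in tls_ports(PROFILE):
        print(row)
```

A row with `dangling` set to `True` means the port names an `SSLCONFIG` that has no matching `icm/ssl_config_N` line in the profile.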

Accepted Solutions (0)

Answers (1)

isaias_freitas
Advisor
0 Kudos

Hello,

About the communication between WebSEAL and the Portal, it seems that what is missing is to take the certificate exported at the Portal and import it at WebSEAL.

About the direct connections from end users to the Portal, it would also seem that the root cause is that the users' browsers do not have the Portal certificate imported, or the certificate of the root CA that issued it. Importing the Portal / CA certificate at the users' browsers would fix the direct connection issue.

Regards,

Isaías

Former Member
0 Kudos

Hi Isaias,

Thanks for your reply.

We have exchanged certificates between WebSEAL and the Portal, but it is still an issue.

I wanted to know whether anything changed in the NW 740 version related to WebSEAL configuration,

as the connection has been lost since we upgraded to NW 740.

The Portal certificate is self-signed; we are not doing any CA signing. I have not done this before, uploading the portal certificate in end-user browsers. How exactly do we need to do this, and which certificate do we need to export from the portal? Has it changed from NW 740?

Thanks again for your response.

Regards,

Bala

isaias_freitas
Advisor
0 Kudos

Hello Bala,

You need to export the server certificate of the Portal (the self-signed server certificate you have mentioned) and import it at the users' browsers.

About the WebSEAL configuration, I am not aware of any SAP document for that.

SAP does not provide support for third-party load balancers.

You should contact your WebSEAL support again.

They need to at least provide more details about why the connection from WebSEAL to the Portal is not working.

Regards,

Isaías

former_member601483
Discoverer
0 Kudos

Hi Bala,

I have seen your post. We are also facing the same issue. Could you please help us with how you fixed the issue?

We log in to the portal via WebSEAL; after that, when we click an SRM link, we get "WebSEAL cannot find the resource", but when we log in to the portal directly there are no issues.

Thanks,

Navaneethan