SSL Hostname Invalid - SMP 3.0 SP9 / Agentry client

rporanki
Explorer
0 Kudos

We are looking for input from anyone who has implemented an SMP server (single or clustered set-up) and is using a reverse proxy. Our scenario: we are hosting the SAP Sales manager app on SMP 3.0 SP9 and running into issues with the Agentry client when using a reverse proxy in front of the SMP servers. Our F5 is acting as a TCP pass-through with no SSL termination and forwarding to the backend SMP server on HTTPS and port 8081 (one-way SSL).

We have maintained the CA-issued cert in the shared key storage on the SMP server using the management cockpit. I am assuming we don't have to replace the one in the local SMP certificate tab. We have the problem for both Android and iOS clients. It does work when we use the SAP-delivered smp_crt and the backend server's direct URL, but not with the reverse proxy URL. There are no errors in the server logs; it doesn't appear to be reaching the server. We have the CA root and server cert installed on the device. I am not sure what steps we are missing to make this work. Any suggestions? Thanks in advance!

Accepted Solutions (1)

bill_froelich
Product and Topic Expert
0 Kudos

Raja,

In this case, do you intend to access the SMP server from both internal and external connections? If so, you will need to make sure your DNS is set up to have both internal and external hostnames resolve correctly to the SMP server address (internal IP vs external IP).

The Agentry client will be receiving the smp_crt certificate from the local storage. I would recommend storing the CA-issued cert under the smp_crt alias in the local store. Since you are not terminating the SSL at the F5, the hostname entered on the client must match the common name of the certificate under the smp_crt alias.

--Bill
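
The hostname rule in the answer above can be checked before touching a device. The following is an added example, not part of the original thread and not SAP code: it compares the name a client would type against the names in the certificate the endpoint presents. The host names, the `ca_root.pem` path and both sample certificates are constructed, and falling back to the common name when no subjectAltName is present is an assumption that follows the answer's wording.

```python
import socket
import ssl

def fetch_cert(host, port, cafile):
    """Fetch the certificate an endpoint presents, as a getpeercert() dict.

    The chain is still verified against cafile; only the hostname check is
    switched off so a mismatching certificate can be inspected, not rejected.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def cert_names(cert):
    """DNS subjectAltName entries, else the subject commonName (assumed fallback)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Case-insensitive match; a leading '*.' covers exactly one label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        label, _, rest = h.partition(".")
        return bool(label) and rest == p[2:]
    return p == h

def check(cert, host):
    """Return (matches, names_in_cert) for the name typed into the client."""
    names = cert_names(cert)
    return any(name_matches(n, host) for n in names), names

# Constructed sample data (not from the thread): a default certificate naming
# the backend node, and a CA-issued one naming the proxy's public name.
DEFAULT_CERT = {"subject": ((("commonName", "smpnode1.corp.example"),),)}
CA_CERT = {"subject": ((("commonName", "mobile.example.com"),),),
           "subjectAltName": (("DNS", "mobile.example.com"),)}

if __name__ == "__main__":
    for label, cert in (("default", DEFAULT_CERT), ("CA-issued", CA_CERT)):
        for host in ("smpnode1.corp.example", "mobile.example.com"):
            ok, names = check(cert, host)
            print(f"{label:9} cert, client uses {host}: "
                  f"{'match' if ok else 'MISMATCH'} (cert names: {names})")
    # Live check through the pass-through proxy (placeholder names), e.g.:
    # check(fetch_cert("mobile.example.com", 8081, "ca_root.pem"), "mobile.example.com")
```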

rporanki
Explorer
0 Kudos

Thanks Bill. The friendly URL without port on HTTPS is accessible both internally and externally (outside the firewall). https://<friendlyURL>/SAPSALES is accessible with a cert warning, but it seems to still present the cert from the local key store and not from the shared store. From what I read, in a cluster the key should be placed in the shared key store. What is the alias name? Does it need to be the same in both the local store of the app server and the shared key store?

bill_froelich
Product and Topic Expert
0 Kudos

The alias name needs to be smp_crt.  I have not done a lot of clustering especially behind a proxy so I can't say for sure.  I'll have to try it out after the new year.

--Bill

rporanki
Explorer
0 Kudos

We got this to work after importing into the local_smp_keystore.jks and then copying the file over to the 2nd server in the SMP cluster to sync the cert. Now the Agentry client is working from the device using the F5 URL and the cert.

Thanks for your help!

Answers (0)