Https serverfarm with http sorry server

Similar Messages

• ACE 4710 - 'reverse proxy' infront of serverfarm - fail-over/sorry server design issue

  Hi All,
  I'm working on a specific config and have an issue in the backup farm/fail-over/sorry server area.
  The customer wants the following:
  They have an existing serverfarm with X web servers, they want a single server to act as a reverse-proxy in front of the farm.
  So that all traffic goes trough that server, that server then forwards the request to the original serverfarm.
  The problem in my design is in the fail-over, if i configure the reverse-proxy server in a new serverfarm and use the original (web servers) farm as backup it has fail-over, but if the reverse-proxy AND the original serverfarm fail, there is no nice way to get the users on a sorry server.
  I could give the original serverfarms rservers a 'backup standby' server but that won't give the desired effect either.
  For maintance they first take 50% of the servers offline and switch to the other 50% after that, so then users would see a sorry page even if there where operational servers in the farm left.
  The 4710's are running routed mode, and the farms use Sticky Cookie, and also some http URL & Cookie matching is done.
  Anyone have an idea how to build this?

  Hi,
  It need additional testing but as per my understanding if you put the back up in this order then the last backup server will be choosen first.
  In your case it will be like " RSERVER1 >> backup sorry server >> backup web content
  As per the below example:
  I put test 2 as first backup server and test1 as second backup server but if you look at the first part it took rserver test1 as first backup.
  serverfarm host 1313-GIN-GWAP-SDC-80
    rserver RSERVER1
      backup-rserver test1
      inservice
    rserver test1
      inservice standby
    rserver test2
      inservice standby
  regards,
  Ajay Kumar

• HTTP-ADAPTER with HTTPS =  ICM_HTTP_SSL_ERROR

  Hi,
  we are trying to sending data via HTTPS with the HTTP-Adapter. Therefor we create a RFC_Destination with SM59. For HTTP it works fine but after changing to HTTPS we receive a ICM_HTTP_SSL_ERROR. 
  The server on the other side expect authentification via User/Pwd on port. Also we added an entry in STRUST for CN=anonymous in STRUST.
  Any idea whats wrong ?

  Hi Sammer,
  - authentification is username/pwd.
  - SSL is active because of https
  - Service is set to the https-port of the server.
  I receive the following error in the log.
  [Thr 10] >> ---------- Begin of Secude-SSL Errorstack ---------- >>
  [Thr 10] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
  ERROR in af_verify_Certificates: (24/0x0018) Chain of certificates is incomplete : "OU=Class 3 Public Primary Certification Auth
  ERROR in get_path: (24/0x0018) Can't get path because the chain of certificates is incomplete
  [Thr 10] << ---------- End of Secude-SSL Errorstack ----------
  [Thr 10]   SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"
  [Thr 10]   SSL socket: local=10.172.11.11:41579  peer=195.14.237.44:3577
  [Thr 10] <<- ERROR: SapSSLSessionStart(sssl_hdl=0x1054e08b0)==SSSLERR_SSL_CONNECT
  [Thr 10] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {00021653} [icxxconn_mt.c 1813]
  when I delete in STRUST all the certificates under  Client_certificate (standard/anonymus) I receive the same error msg. it also the same error when I am trying to connect to another server with https.
  regards bernd

• Http webrequest with https uri is not working in windows phone 8.1

  I am building a Windows Phone application in which the uat environment was working fine with http url,
  But the production url is https, then the applictaion is not able to get the response from http web request method. Please help me on the same.
  Cynthia Mareia

  Any errors returned in response?
  http://developer.nokia.com/community/wiki/Using_Crypto%2B%2B_library_with_Windows_Phone_8

• Flat HTTP Payload with HTTP Receiver

  Hello,
  I have the requirement to send a flat structure (no XML) within the Payload of an HTTP POST. The flat structure should be URL-encoded. I already have a combined XSLT/Java Mapping which creates and encodes the desired structure.
  Problem now is that an XML-prolog is added to the message after the mapping step. The rest of the message looks fine, just the prolog cannot be handled of course.
  Is there any way having the XML prolog removed in a simple way? I want to avoid having the URL encoding logic in a module as I  use some parameters in the already existing Java Mapping and the mapping is already working fine.
  Thank you!

  Hi Guppenberger,
  I understand after mapping step XML prolog <?xml version="1.0" encoding="UTF-8" standalone="yes" ?> is getting added to non XML payload. Now, you want to delete it from payload. Please consider below solution as last resort.
  As payload is not XML, graphical and XSLT mapping cannot be used. So to remove prolog, you need to implement below Java Mapping as last mapping in Operational Mapping.
  package com.prolog;
  import com.sap.aii.mapping.api.*;
  import java.io.*;
  public class RemoveProlog_JavaMapping extends AbstractTransformation {
      public void transform(TransformationInput transformationInput, TransformationOutput transformationOutput) throws StreamTransformationException {
          OutputStream outputstream = null;
          try {
              //Read input payload and write the same to output payload after "?>" .
              //Beacuse <?xml version="1.0" encoding="UTF-8" standalone="yes" ?> ends with "?>"
              InputStream inputstream = transformationInput.getInputPayload().getInputStream();
              outputstream = transformationOutput.getOutputPayload().getOutputStream();
              byte[] b = new byte[inputstream.available()];
              inputstream.read(b);
              String inputFileContent = new String(b);
              outputstream.write(inputFileContent.substring(inputFileContent.indexOf("?>")+2).getBytes());
          } catch (Exception exception) {
              exception.printStackTrace();
  Regards,
  Raghu_Vamsee

• HTTPS Portal with HTTP BSPs

  Hi there,
  We have a portal (EP6 SP18) running on HTTPS, and in the portal we have several eRecruiting BSPs, running on HTTP. We are getting "access is denied" javascript errors whenever the users try to access the calendar or dropdown menu popups. I opened a OSS note about this, but SAP have said that some of the javascript codes require domain relaxing which is not possible when mixing HTTPS & HTTP and the only solution is to run the BSPs through HTTPS as well. Does anyone know a workaround for this, or have experience of running HTTP BSPs through a HTTPS portal?
  Many thanks in advance,
  Jane

  Once you start using HTTPS, you seem to end up having to implement everywhere. Another limitation here is the protocols have to match else the DSM terminator won't work, and BW sessions won't get terminated.
  It's not that hard to implement SSL on your BW system so that the protocols match. Alternatively, you can install the SAP Web Dispatcher "in front of" the BW system to do SSL termination.
  Regards,
  Sean

• CSS Sorry Server for HTTPS

  How to configure Sorry server for HTTPS (443) port. Sorry server works fine with HTTP, But not with 443
  In the following config if server1 and server2 are down, the HTTP requests goes to the Sorry Server, but for HTTPS nothing is displayed. I am running the sorry server on port 81
  Please suggest
  !************************** SERVICE **************************
  service prisorry
  ip address 10.100.11.11
  keepalive type http
  keepalive port 81
  port 81
  active
  service secsorry
  ip address 10.100.11.12
  keepalive port 81
  keepalive type http
  port 81
  active
  service server1
  ip address 10.100.11.11
  keepalive type http
  keepalive port 80
  active
  service server2
  ip address 10.100.11.12
  keepalive type http
  keepalive port 80
  active
  !*************************** OWNER ***************************
  owner Loadbalancing
  content L4Rule1
  protocol tcp
  add service server2
  add service server1
  port 80
  url "/*"
  vip address 10.100.11.4
  advanced-balance sticky-srcip-dstport
  primarySorryServer prisorry
  secondarySorryServer secsorry
  active
  content L4Rule2
  protocol tcp
  add service server2
  port 443
  add service server1
  vip address 10.100.11.4
  advanced-balance sticky-srcip-dstport
  primarySorryServer prisorry
  secondarySorryServer secsorry
  application ssl
  active
  content L4Rule3
  add service server2
  protocol tcp
  port 1443
  add service server1
  vip address 10.100.11.4
  advanced-balance sticky-srcip-dstport
  primarySorryServer prisorry
  secondarySorryServer secsorry
  active
  Thanks

  I just deployed a couple 11050's the other day so my experience is limited, but I'd guess your problem is that, when using the Primary Sorry Server, you end up with clients sending HTTPS requests to an HTTP port. Having HTTPS requests redirected to HTTP ports is one thing because the client then makes an HTTP request to that port, but the way you have it above, it appears to me that the client will be talking HTTPS to port 81 on the Sorry Server, which is listening for HTTP.

• ACE loadbalancing : cannot get to the same farm with http / ssl ?

  Hello there,
  I configured 2 farms, and one call on a specific host adress is redirected to farm 2.
  This is working, but only for HTTP traffic : for HTTPS, it's redirected to farm 1 !
  I need help, if someone can help...
  I post my configuration here :
  probe tcp PROBE_TCP  interval 30rserver host MTP01  ip address 172.16.0.1  inservicerserver host MTP02  ip address 172.16.0.2  inservicerserver host MTP03  ip address 172.16.0.3  inserviceserverfarm host FARM01  predictor leastconns  probe PROBE_TCP  rserver MTP01    inservice  rserver MTP02    inserviceserverfarm host FARM02  predictor leastconns  probe PROBE_TCP  rserver MTP02    inservice  rserver MTP03    inserviceparameter-map type http HTTP_PARAMETER_MAP  persistence-rebalanceclass-map match-all CLASSMAP_L3L4  2 match virtual-address 178.xx.xx.xx tcp eq wwwclass-map type http loadbalance match-all CLASSMAP_L7  3 match http header Host header-value "theurloftheserver.com"class-map match-all L4-HTTPS-IP  2 match virtual-address 178.xx.xx.xx tcp eq httpsclass-map match-all L4-WEB-IP  2 match virtual-address 178.xx.xx.xx tcp eq wwwpolicy-map type loadbalance http first-match HTTPS_POLICY  class CLASSMAP_L7    serverfarm FARM02  class class-default    serverfarm FARM01    insert-http x-forward header-value "%is"policy-map type loadbalance http first-match WEB_L7_POLICY  class CLASSMAP_L7    serverfarm FARM02  class class-default    serverfarm FARM01    insert-http x-forward header-value "%is"policy-map multi-match WEB-to-vIPs  class L4-WEB-IP    loadbalance vip inservice    loadbalance policy WEB_L7_POLICY    loadbalance vip icmp-reply active    nat dynamic 1 vlan 2369    appl-parameter http advanced-options HTTP_PARAMETER_MAP  class L4-HTTPS-IP    loadbalance vip inservice    loadbalance policy HTTPS_POLICY    loadbalance vip icmp-reply active    nat dynamic 1 vlan 2369    appl-parameter http advanced-options HTTP_PARAMETER_MAP
  What is really weird is that traffic to http (CLASSMAP_L7) is ok, so I don't get it : this should match on HTTPS_POLICY, where am I wrong ?
  Thanks a lot !

  Hi,
  You are not getting match for https since with https header would be encrypted and ACE cannot read the URL and defaults to Farm01. HTTPS is encrypted HTTP.
  ACE should be able to decrypt the traffic to look into the packet and take decision. SSL termination on ACE is a feature for that. I would recommend going to the SSL guide for more details.
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/ssl/guide/terminat.html
  Regards,
  Kanwal

• Configure ADF with HTTPS connections

  Hello.
  I am trying to deploy an ADF application with the protocol https.
  When I write the url:
  https://[my_domain]/[my_application]
  The request is done, but the adf controller answers suddenly with the url i sent, but it writes instead of https http, and adds in the end of the url a lot of get parameters like the next sample:
  http://[my_domain]/[my_application]/faces/[my_wellcomefile]?_afrLoop=2328230397945919&Adf-Window-Id=w0&_afrWindowMode=0&_adf.ctrl-state=14g97quz_327&_afrRedirect=2328230626510965
  I don`t mind the get parameters, I suppose that they are needed for adf to work. But the problem is that I need the request to connect with https, not with http, because my apache has only opened the port 8080.
  Please, anyone can tell me how to configure adf to disable this redirection, or to configure the redirection to point to:
  If the request comes from http -> redirect to http
  if the request comes from https -> redirect to https.
  Regards

  Thanks Chris,
  But I don`t think the problem is related with WebLogic Server. The weblogic is already with a ssl connection configured and working. In fact, after the redirection to the second url:
  http://[my_domain]/[my_application]/faces/[my_wellcomefile]?_afrLoop=2328230397945919&Adf-Window-Id=w0&_afrWindowMode=0&_adf.ctrl-state=14g97quz_327&_afrRedirect=2328230626510965
  if copy and paste this url but changing the protocol https:
  https://[my_domain]/[my_application]/faces/[my_wellcomefile]?_afrLoop=2328230397945919&Adf-Window-Id=w0&_afrWindowMode=0&_adf.ctrl-state=14g97quz_327&_afrRedirect=2328230626510965
  it works! So, summarizing, the problem is in the first redirection made in a transparent way for me.
  Refering to the post of Frank Niphus:
  Switching Http/Https in ADF
  you can understand my problem and we can see a workaround, but I want all the requests to go to https, not only some of them like is done in this post.
  Regards

• Sorry server request

  Hi,
  we have two CSS11503 to load balance http and https traffic, we have to know the source IP packet of request to a Sorry Server when all the services on the content are down.
  I mean, when all services into the content are down a request from a client i forwarded to the primary sorry server, is the source IP of the request the load balancer IP address, or is the client IP address wherefrom the request starts?!
  Thanks
  Cinzia

  By default we do not source nat the client ip address.
  But if the sorry server is at a remote location, you will NEED to do source nat for the connection to work, otherwise the sorry server will respond directly to the client bypassing the CSS and the client will not appreciate seeing a response from a different ip than the vip.
  You could use a redirect sorry server, so that a redirect response is sent to the client which does open a new connection directly with the sorry server.
  Gilles.

• Https on sender http adapter

  Hello Gurus,
  we have a synchronous XI from HTTP Sender adapter to RFC. The user of the interface would like to call it using the plain HTTP adapter with HTTPS. When we use the http port with the XI user/password as part of the url, it works OK. When we switch to the HTTPS port the interface does not provide a response. When we call the https url directly in Internet Explorer we get a pop-up requesting the user/password. Once
  this is entered the interface works OK until the ie session in closed.
  So can you please tell me what might be d problem?
  If i m calling it from http client it is not giving me response, and if m calling it directly then also it is asking for user id and password.
  Any help is appriciated.
  Thanks,
  Hetal

  Thanks Swarup.
  I already have configured SSL.
  But how i can make sure that what i need to use and how can i specify from below :
  HTTP with SSL (= HTTPS), but without client authentication
  HTTP with SSL (= HTTPS) and with client authentication
  Which i need to use?
  And if what shold be the url for that?
  right now m using url like :
  https://hostname:httpsport/sap/xi/adapter_plain?namespace=xyz&interface=xyz&service=xyz&party=&agency=&scheme=&QOS=BE&sap-user=xyz&sap-password=xyz&sap-client=xyz&sap-language=EN
  Can you please tell me how i have to specify that as we do not configure HTTP Sender adapter?
  Thanks,
  Hetal

• Sun Application Server 9 with https

  I want to run my Web application with https. When users access
  http://www.myweb.com, I want the Web server to automatically redirect to https://www.myweb.com. However, I am running into a few issues:
  1. How do I tell Application Server 9 to create a listener on the default port. Right now, I have the listener using port 80 - users will have to enter https://www.myweb.com:80. I don't want to require them to enter :80. I thought a listener on 80 automatically listens to URLs, even if they don't include that port. But, when I type in the URL without port, all I get is a "Gateway Timeout Error". What do I need to do to set up the port correctly?
  2. In the screen where I set up the listener, I checked the "Security: Enabled" check box. Now, when I load the Web application, the listener listens on https:. Now, how do I tell the application server to forward requests for http:// to https://?
  Thank you!

  I think I got it to work. Here is my solution: http://forums.java.net/jive/thread.jspa?threadID=23294&tstart=0
  Mike, I am trying to award to you Duke Stars, but the server returns a "server error" (http://forum.java.sun.com/rewards.jspa?doActions=reward&threadID=5138687&messageID=9514552&dukes=10) when I click on the duke. Sorry! I'll try again in a few days.
  Message was edited by:
  dailysun

• How to do Handshake with tired party(bank) HTTPS URL from SAP PI server

  Dear Expert,
  I have developed bunch of scenarios, all are synchronous ABAP proxy to HTTP_AAE with bank on PI 7.4(dual stack). Bank web server is HTTPS enabled server. Our ABAP developments are still in progress also we have few issue in connection from ECC to PI.but that is not the focus of discussion here.
  we want to do the handshake to check the connectivity with bank on their HTTPS URL from PI. Bank has provided the privet key for SSL from their server and corresponding public key they have maintained on their server. I have imported the private key under NWA -> Certificates -> Key Storage -> TrustedCA->Import Entry->Entry Type->PKCS#12->select the SSL.p12 file->import , also I have selected the option to "Use SSL" in HTTP_AAE receiver communication channel and selected the corresponding entryin  "keystore view" and "keystore entry". All these I have done in our DEV system, and we are trying to connect our PI dev to bank Dev server.
  Questions
  Is there any specific steps to do the handshake with third party HTTPS(bank in my case) server? if not, how can we just test the HTTPS connectivity by using the SSL private installed on our PI server, without running the complete scenarios. Our PI has been installed on UNIX, and "telnet https url 443" is working, as network team has opened the HTTPS port.
  We have not enabled the SSL technically on our PI server, and we have not installed any generated certificate from our PI server. Moreover, we have not made our PI url as "https:hostname:port" as we just need to communicate with bank by using their private key. Do you guys think we should enable the SSL? if yes, please explain why.
  What is the best practice to test the connection with third party having HTTPS URL? how can I just assure HTTPS communication is working fine, before testing my actual scenarios.
  Thanks for helping always.
  Regards,
  Farhan

  Hi Farhan,
  Some part of the blog is applicable for sending HTTPS request to partners/third party (Receiver SOAP Adapter).
  If banks certificates are already in trustedCA, then,  can you check if it also imported under user PIISuser under Identity management in NWA. If above 2 steps are done then i think your are good to go. But be careful when you install certificate, it should be in proper order.
  As you already mentioned, connectivity is already established and you are able to PIng/telnet from pi server, connectivity looks ok.
  While sending request, if you are getting 401 unauthorized, below might be the reason -
  1. Certificate not installed correctly or some missing steps
  2. Partner or TP is not ready to receive it, some certificate issue in there side.
  other than 401 means you are ok (As per certificate and Connectivity) - 403 and 500 errors are next stops.
  403 - error because of encoding method.
  500 - data issue.
  Regards
  Aashish Sinha

• Error Message: The attempt to connect to the report server failed. Check your connection information and that the report server is a compatible version. The request failed with HTTP status 404: Not Found.

  I have a web page that contains a ReportViewer control.  I am trying to display a report, which is an .rdl file located on the SSRS server, in this ReportViewer control.  I have set the ReportPath and ReportServerUrl correctly.  I am
  getting an error message.
  Am I suppose to use an .rdlc file rather than a .rdl file?  Does the web server configuration need to use a certain account?
   I am getting the following error message:
  The attempt to connect to the report server failed. Check your connection information and that the report server is a compatible version.
  The request failed with HTTP status 404: Not Found.

  Hi bucaroov,
  The error "The request failed with HTTP status 404: Not Found." means the ReportServerURL configured in the ReportViewer control is invalid.
  Please follow these steps to solve the issue:
  Logon the Report Server machine.
  Open the Reporting Services Configuration Manager.
  Copy the Report Server URL from 'Web Services URL'.
  Logon the application server(in this case, it is the server that host the web page), check if we can use the URL we got from step 3 to access the Report Server. If so, please replace the ReportServerURL in the ReportViewer control with this URL. If it is
  not available, could you please post the error message.
  Additionaly, we don't need to provide the extension for a server report. The ReportPath should be like: /<reports folder>/<report name>
  For more information, please see:
  Walkthrough: Using the ReportViewer Control in Remote Mode:
  http://msdn.microsoft.com/en-us/library/ms251669(VS.80).aspx
  If you have any more questions, please feel free to ask.
  Thanks,
  Jin Chen
  Jin Chen - MSFT

• Https access to Sap Content Server 620 with R/3 46C

  We are trying to access the Sap Content Server 620 via Https.
  We do not want to administer it via HTTPS, (as we know CSADMIN doesn't support Https in rel. 46C as for note 712332). We want to do in way that the users when do check-in/out of originals these go across the
  network using Https instead Http.
  According note 712330 it should be possible.
  Anyone already did it ?
  Any suggestions ?
  NOte 506314 is not clear. We are in doubt how we applyed it.
  What we did:
  0)activate the SSL on the Sap COntent Server Web Site, requiring and installing a CA certificate.
  1)On the R/3 server in tx OAC0 with %HTTPS filled up the
  two boxes with "%HHTPS
  required"                                           
  1)unpacked the Sap criptolibrary and copied all the files (including those in ntintel subdirectory created during the unpacking) under c:\Programmi\Sap\Frontend\Sapgui on a frontend PC.                                                                               
  2)set the env. variable SAPHTTP=c:\Programmi\Sap\Frontend\Sapgui on 
  Frontend PC                                                                               
  3) from c:\Programmi\Sap\Frontend\Sapgui we created both the SAPSSLC.pse and the SAPSSLS.pse file with the command  :            
  3) from c:\Programmi\Sap\Frontend\Sapgui we created both the          
  SAPSSLC.pse and the SAPSSLS.pse file with the command  :              
  sapgenpse get_pse -noreq -p C:\Programmi\SAP\FrontEnd\SAPgui\<PSE-NAME>
  CN=localhost                                                                               
  4) we run the test: saphttp https://itmif069
  from the frontend to the server where the Content Server is (itmif069). We recive the error:
  trc file: "dev_http", trc level: 2, release: "620"
  Fri Oct 08 12:26:46 2004
  [2256] sccsid: @(#) $Id: //bas/620/src/krn/ftp/http.c#26 $ SAP
  [2256] HTTP Start : argc - 2 a0 - saphttp
  [2256] https//itmif069
  [2256] SECUDIR=C:\Programmi\SAP\FrontEnd\SAPgui
  <<- SapSSLSetTraceFile()==SAP_O_K
  =================================================
  = SSL Initialization
    SapISSLComposeFilename(ssl_lib): using default "sapcrypto.dll"
    SapISSLComposeFilename(server_pse): using default "SAPSSLS.pse"
    SapISSLComposeFilename(client_pse): using default "SAPSSLC.pse"
    SapISSLComposeFilename(anon_pse): using default "SAPSSLA.pse"
  = found SAPCRYPTOLIB  5.5.5C pl16  (Jun 10 2004) MT-safe
  = found SECUDIR environment variable
  = using SECUDIR=C:\Programmi\SAP\FrontEnd\SAPgui
  =  secudessl_Create_SSL_CTX():  PSE "SAPSSLA.pse" not found,
  =      using PSE "SAPSSLC.pse" as fallback
  = The Server SSL_CTX
  =    provides this ordered list of 9 ciphersuites:
  =       1.  SSL_RSA_WITH_RC4_128_SHA
  =       2.  SSL_RSA_WITH_RC4_128_MD5
  =       3.  SSL_RSA_WITH_3DES_EDE_CBC_SHA
  =       4.  SSL_RSA_WITH_DES_CBC_SHA
  =       5.  SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
  =       6.  SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
  =       7.  SSL_RSA_EXPORT_WITH_RC4_40_MD5
  =       8.  SSL_RSA_WITH_NULL_SHA
  =       9.  SSL_RSA_WITH_NULL_MD5
  = Success -- SapCryptoLib SSL ready!
  =================================================
  <<- SapSSLInit(, read_profile=0)==SAP_O_K
  ERROR => [2256] URI https//itmif069 [http.c       774]
  ERROR => [2256] Connect to Host  Port 443 error: NIECONN_REFUSED
  [http.c       777]
  We do not know if the criptolibrary ha to be instyalled to the R/3 server to.
  We do not know if the CA certificate instalelled on the Sap COntent Server web site has to be installed on the R/3 server too.
  Any suggestion ?
  Regards

  Caro Mauro,
  I'm more or less in the same situation right now.
  Taking into account that you ask for help on this subject last 2004 Oct. I suppose that you have probably solved the problem.
  Please can you help me with the solution implemented.
  Find below my current work e-mail adress
  [email protected]
  Thanks in advance,
  Best regards, Xavier Grau.