OAM 11gR2 Throwing SSL Warning after configured to use HTTPS Load Balancer

I have configured OAM 11gR2 to use an https load balancer on 14100 and have set my managed servers' SSL listen port to 14100 (could not use 14101 because the HTTPS VIP created was listening on 14100). Everything works fine with this configuration, but my logs are filling up with the following warning.
<Oct 3, 2012 1:41:54 PM UTC> <Warning> <Security> <BEA-090475> <Plaintext data for protocol HTTP was received from peer 10.228.0.1 - 10.228.0.1 instead of an SSL handshake.>
I know that 10.228.0.1 is the DNS server, but I'm not sure why this is happening. Any ideas?

What WLS and OHS versions are you using in this environment?
If they are older versions than these, please upgrade WLS to 10.3.3 and the OHS to 11.1.1.3. This is a known bug on the WLS side, not in OAM.
I hope this helps,
Thiago Leoncio.
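
An added example, not part of the thread: a small Python triage script that reads server log lines in the format quoted above and reports, per peer, how many BEA-090475 warnings it caused and how regular their timing is. Only the first sample line comes from the post; the other timestamps, the second peer and the Notice line are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# First line is the warning quoted in the post; every other line is constructed.
SAMPLE_LOG = """\
<Oct 3, 2012 1:41:54 PM UTC> <Warning> <Security> <BEA-090475> <Plaintext data for protocol HTTP was received from peer 10.228.0.1 - 10.228.0.1 instead of an SSL handshake.>
<Oct 3, 2012 1:41:59 PM UTC> <Warning> <Security> <BEA-090475> <Plaintext data for protocol HTTP was received from peer 10.228.0.1 - 10.228.0.1 instead of an SSL handshake.>
<Oct 3, 2012 1:42:01 PM UTC> <Notice> <Example> <BEA-000000> <Constructed unrelated line.>
<Oct 3, 2012 1:42:04 PM UTC> <Warning> <Security> <BEA-090475> <Plaintext data for protocol HTTP was received from peer 10.228.0.1 - 10.228.0.1 instead of an SSL handshake.>
<Oct 3, 2012 1:42:09 PM UTC> <Warning> <Security> <BEA-090475> <Plaintext data for protocol HTTP was received from peer 10.228.0.1 - 10.228.0.1 instead of an SSL handshake.>
<Oct 3, 2012 1:43:10 PM UTC> <Warning> <Security> <BEA-090475> <Plaintext data for protocol HTTP was received from peer 10.228.0.7 - 10.228.0.7 instead of an SSL handshake.>
"""

WARNING_RE = re.compile(
    r"^<(?P<ts>[^>]+)> <Warning> <Security> <BEA-090475> "
    r"<Plaintext data for protocol (?P<proto>\S+) was received from peer "
    r"(?P<host>\S+) - (?P<ip>\S+) instead of an SSL handshake\.>"
)


def parse_ts(text):
    """'Oct 3, 2012 1:41:54 PM UTC' -> naive datetime (zone label dropped)."""
    return datetime.strptime(text.rsplit(" ", 1)[0], "%b %d, %Y %I:%M:%S %p")


def summarize_plaintext_peers(log_text, jitter=1.0):
    """Group BEA-090475 warnings by peer IP.

    'regular' is True when a peer has at least three hits whose spacing
    varies by no more than `jitter` seconds.
    """
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = WARNING_RE.match(line.strip())
        if m:
            seen[m.group("ip")].append((parse_ts(m.group("ts")), m.group("proto")))

    report = {}
    for ip, hits in seen.items():
        times = sorted(t for t, _ in hits)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[ip] = {
            "count": len(times),
            "protocols": sorted({p for _, p in hits}),
            "first": times[0],
            "last": times[-1],
            "intervals": gaps,
            "regular": len(gaps) >= 2 and max(gaps) - min(gaps) <= jitter,
        }
    return report


if __name__ == "__main__":
    for ip, info in summarize_plaintext_peers(SAMPLE_LOG).items():
        print(ip, info["count"], info["intervals"], "regular" if info["regular"] else "irregular")
```

A peer that hits the SSL port at a fixed interval points to an automated client rather than a user's browser, which narrows down which device's configuration to check.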

Similar Messages

  • Configuring RFC connections for load balancing.

    Hi ,
    We have the following landscape for our systems.
    The database is installed on z/os , db2 (mainframe). The central services( SCS and ASCS) are also on the mainframe. So the message server is on mainframe.
    The CI is on AIX and The DI is on AIX.
    We have Logon groups configured and load balancing Configured and is RFC enabled.
    1) When we connect to SAP using the SAPGUI and  the portal connection is made to either CI or DI depending upon the best response times.  Now recently we are running the mercury load testing, all the users are connecting to DI. Why are the users connecting to DI even though we have load balancing?
    2) I have a system with SID BP0, with one CI and one DI. The logon group is BP0 and the message server name is cyrix. Now I have another system EP0. I have created an RFC connection from EP0 to BP0. In SM59 I have selected the load balancing option, and provided the message server name, SID and logon group name. The connection does not work. If I connect directly to the CI or DI the connection works. Please tell me how I can configure load balancing for RFC connections.
    Thanks
    Manmath.

    Dear 917996,
    There are two types of load balancing:
    - Client-side load balancing (setting up the tnsnames.ora on client side). More information here (http://ggsig.blogspot.co.uk/2012/04/client-side-load-balancing-in-oracle.html). Very good video produced by my friend Igor Melnikov is here (http://www.dsvolk.ru/oracle/racdd4d/demos/video/loadbalance/client/clientloadbalance_viewlet_swf.html)
    - Server-side load balancing (remote_listener and setting service parameter clb_goal). Very good Igor Melnikov's video is here (http://www.dsvolk.ru/oracle/racdd4d/demos/video/loadbalance/server/serverloadbalance_viewlet_swf.html).
    I have read about client side and server side load balancing. By editing tnsnames.ora I have enabled client side load balancing which is supposed to select listeners at random. then why does it only go to second node?
    Could you please show your tnsnames.ora on client?
    Please can anyone help me to configure server side load balancing with SCAN. I have read many many posts but couldn't find a clear answer.
    Based on your output (remote_listener string cmbtrnrac-scan:1521) you have already configured the server side load balancing.
    SQL> show parameter listener
    NAME               TYPE    VALUE
    listener_networks  string
    local_listener     string  (DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=10.17.67.214)(PORT=1521))))
    remote_listener    string  cmbtrnrac-scan:1521
    How many SCANs do you use? Do you use DNS?
    regards,
    Gennady

  • Internal Server Error - after installing apex using http server

    hi,
    i just installed apex 3.2 using http server. after finishing, i tried to open apex admin (http://faiz:7777/pls/apex/apex_admin) but i got this error:
    Internal Server Error
    The server encountered an internal error or misconfiguration and was unable to complete your request.
    this is my log file:
    [Thu Dec 31 11:55:56 2009] [error] [client 10.10.10.10] [ecid: 1262231756:10.10.10.10:396:2036:1,0] mod_plsql: DAD '/pls/apex' is disabled because of misconfiguration. Please refer to the log entries during server startup for more information.
    10.10.10.10 - - [31/Dec/2009:11:55:56 +0800] "GET /pls/apex/ HTTP/1.1" 500 645
    this is my dads.conf :
    Alias /i/ "E:/oracle/product/10.2.0/db/Apache/images/"
    AddType text/xml xbl
    AddType text/x-component htc
    <Location /pls/apex>
    Order deny,allow
    PlsqlDocumentPath docs
    AllowOverride None
    PlsqlDocumentProcedure wwv_flow_file_mgr.process_download
    PlsqlDatabaseConnectString faiz:1521:orcl ServiceNameFormat
    PlsqlNLSLanguage AMERICAN_AMERICA.AL32UTF8
    PlsqlAuthenticationMode Basic
    SetHandler pls_handler
    PlsqlDocumentTablename wwv_flow_file_objects$
    PlsqlDatabaseUsername APEX_PUBLIC_USER
    PlsqlDefaultPage apex
    PlsqlDatabasePassword orcl
    PlsqlRequestValidationFunction wwv_flow_epg_include_modules.authorize
    Allow from all
    </Location>
    and ii got blank page when i try accessing this page http://faiz:1521/pls/apex/apex_admin
    thanks,
    -akulala
    Edited by: akulala on Dec 30, 2009 7:57 PM

    In your middle tier (where your dads.conf file is located), do you have a file called marvel.conf (this was used in very early versions of APEX if memory serves)? If so you will either need to put your /pls/apex entry into your marvel.conf file or configure the App Server to use the dads.conf file. (I think all of this is done in the http.conf file but I am not 100%)
    Also, this sounds like a stupid question but can you ensure that you only have one entry in your dads.conf or marvel.conf file that relates to /pls/apex
    If you are still having issues, try updating the line: PlsqlDatabaseConnectString faiz:1521:orcl ServiceNameFormat
    to: PlsqlDatabaseConnectString TNS_ENTRY TNSFormat
    where TNS_ENTRY is replaced by a valid TNS Identifier in the same Mid Tier home: ORACLE_HOME/network/admin/tnsnames.ora
    Finally, in earlier versions you had to use a forward slash character as the last value in the Alias line i.e. Alias /i/ "E:/oracle/product/10.2.0/db/Apache/images\". I always configure this line in this way and never seem to have any issues. Not sure if this is required anymore but may be one more thing that is misconfigured.
    I hope all of that helps.
    Let me know how you get on.
    Regards
    Duncs
    http://djmein.blogspot.com
    As a courtesy, please remember to mark helpful or correct answers accordingly :)

  • Do i need to configure failover group for load balancing? srs3.1

    hello
    we are installing ssrs3.1 on two sunfire v210 for 20 sunrays
    do i have to configure a failover group in order to have load balancing?
    thx

    thx a lot..
    finally yes it needs the failover to work with load balancing

  • Configuring ACE 4710 for Load Balancing Speech servers

    Hello, I'm configuring ACE 4710's for the first time and I want to load balance my Nuance speech servers on port 554. Here's my configuration on ACE01:
    hostname ace471001
    interface gigabitEthernet 1/1
      switchport access vlan 1000
      no shutdown
    interface gigabitEthernet 1/2
      shutdown
    interface gigabitEthernet 1/3
      shutdown
    interface gigabitEthernet 1/4
      shutdown
    access-list ALL line 8 extended permit ip any any
    rserver host nss01
    class-map type management match-any remote_access
      2 match protocol xml-https any
      3 match protocol icmp any
      4 match protocol telnet any
      5 match protocol ssh any
      6 match protocol http any
      7 match protocol https any
      8 match protocol snmp any
    policy-map type management first-match remote_mgmt_allow_policy
      class remote_access
        permit
    interface vlan 1000
      ip address 10.20.17.21 255.255.248.0
      access-group input ALL
      service-policy input remote_mgmt_allow_policy
      no shutdown
    How would I configure my speech server to listen on 554?
    Thanks in advance

    Hello Reginald
    Currently you have only basic network configuration, there is no loadbalancing config
    I'm not sure what exactly you're asking about , but basically you need to have
    - real servers configured on ACE (
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/rsfarms.html#wp999495)
    - serverfarm configured on ACE (
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/rsfarms.html#wp1014522)
    - L7 policy map (
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html#wp1171109 ,
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html#wp1027248 )
    - L4 policy map , class-map (
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html#wp1027819)
    And then apply it on necessary interface.
    This is a general configuration, in your specific case you may need to configure some additional features (e.g. I think you will need to have stickiness enabled
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/sticky.html but it depends on your application)
    links are for old config guides, but the basics are pretty much the same for all versions.
    Please check them and try to narrow down your question a bit.

  • SSL termination using Hardware Load Balancer

    We are trying to implement SSL at the Hardware LoadBalancer layer and terminate the SSL there.  Architecture includes Apache Reverse Proxy and Portal server running EP7 SP18.  In this scenario we want encryption between the client browser and the Load Balancer (BigIP F5).  The Load balancer will then decrypt the request and send it to the Apache reverse proxy on port 80.  Apache Reverse proxy will send request to Portal J2EE engine on the http port.
    This scenario seems to work in most cases but we are having issues with the standard portal login page.  The login page is sent to the browser on https but when entering credentials and selecting the login button a request gets generated on port 80, not 443 (https) and is not serviced by the load balancer.  99% of the requests that get generated from the client browser stay on port 443 as expected but for some reason this particular request switches to port 80.
    How can we keep all requests generated on port 443 (https)?

    Hello Brian (all)
    I am facing the same issue - except we do not have the Apache proxy in the setup..... just HTTPS to a Cisco ACE load balancer and then HTTP to the portal. 
    Nearly all of the portal content is working great, but am facing the situation that some ESS content is switching to HTTP.  In discussing with the network team, they have done the following:
    1/ Replies from the portal server back to the client have an SSL rewrite performed, which modifies a 301 or 302 reply and changes http URLs to https.
    2/ The load balancer adds an HTTP header “ClientProtocol https” to the request it sends to the portal server.
    They feel we need to find a way to have the portal server only send either references with no host:header (i.e. http) or only send host:header with https to keep it all SSL.
    Any advice?
    Edited by: Eric Poellinger on Jan 5, 2011 5:09 AM
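
An added Python sketch, not from either poster, of the two measures described in the reply above: the load-balancer-side rewrite of 301/302 `Location` headers from http to https, and an origin-side check that honours the `ClientProtocol` header only when the request arrived from the load balancer. The host name `portal.example.com` and the address `10.0.0.5` are assumptions for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

PUBLIC_HOSTS = {"portal.example.com"}   # assumed public site name
TRUSTED_PROXIES = {"10.0.0.5"}          # assumed load balancer address


def rewrite_redirect(status, headers, public_hosts=PUBLIC_HOSTS):
    """Load-balancer side: upgrade http:// redirects to https://.

    Only 301/302 responses are touched, and only Location values that point
    at one of our own hosts on the default HTTP port. Relative redirects and
    redirects to other sites pass through unchanged.
    """
    if status not in (301, 302):
        return list(headers)
    out = []
    for name, value in headers:
        if name.lower() == "location":
            u = urlsplit(value)
            if (u.scheme == "http" and u.hostname in public_hosts
                    and u.port in (None, 80)):
                # Dropping the port also removes an explicit ":80".
                value = urlunsplit(("https", u.hostname, u.path,
                                    u.query, u.fragment))
        out.append((name, value))
    return out


def external_scheme(request_headers, peer_ip, trusted=TRUSTED_PROXIES):
    """Origin side: which scheme did the browser use?

    The ClientProtocol header is just request data, so it is believed only
    when the TCP peer is the load balancer; anyone else could forge it.
    """
    if peer_ip not in trusted:
        return "http"
    for name, value in request_headers:
        if name.lower() == "clientprotocol" and value.strip().lower() == "https":
            return "https"
    return "http"


if __name__ == "__main__":
    resp = [("Location", "http://portal.example.com:80/irj/portal"),
            ("Content-Length", "0")]
    print(rewrite_redirect(302, resp))
    print(external_scheme([("ClientProtocol", "https")], "10.0.0.5"))
```

The rewrite only sees `Location` headers; absolute `http://` URLs inside a response body, such as a form target, are not covered by it and have to be checked separately.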

  • ACE 4710 HTTPS load balance configuration

    Have two ACE 4710 in HA setup. We would like to setup HTTPS loadbalance(actually just a primary and standby configuration in the serverfarm). Initially this would be for Exchange OWA connections but may expand to more HTTPS connections later.
    I know there are several ways to do SSL with the ACE( client, server, end-to-end). I am just wanting to know the easiest way to deploy this? Is a certificate always needed on the ACE for each connection? In HA mode would a certificate be needed for both or does it replicate in some way to the other ACE?
    Any configuration examples would be helpful.
    Thanks.

    If you terminate SSL on the ACE you need certificates and key on ace in the context in which you are doing the termination. The certs and keys need to be installed on the active and standby (manually unless using anm to manage).
    when speaking of SSL
    SSL termination refers to ace terminating SSL and sending to server as clear text
    end to end - ACE terminates SSL (to look into payload to make a loadbalance decision or sticky decision) and then re-encrypts to the server, so to the client ACE is an ssl server and to the server the ace is an ssl client.
    You can find some config examples at
    http://docwiki.cisco.com/wiki/Category:Data_Center_Application_Services_Configuration_Examples

  • OAM 11gR2 - Remote Registration Exception - HTTP Error 501

    Hello
    I installed OAM 11gR2 and am trying to configure OAM with WebGate.
    While doing remote registration using rreg.bat I get an exception
    RemoteRegistrationException
    HTTP error 501 could not send HTTP Post message
    Can anyone help me?
    Thanks,
    Ram

    It's most likely a problem with your java version.
    I know for sure that Java version 1.6.0_37 doesn't work and that 1.6.0.41 works for sure.
    Can you try installing a different version of java.
    if on linux use the
    update-alternatives --config java
    as root to point to the java (other version that you installed) and try again.
    Let me know if that helps.
    Cheers
    -Kungo

  • License error after configuring sapcrypto library

    I'm running ECC 6.0 (IDES).  After configuring SAP for HTTPS using SAPCRYPTO library, I get an "error in license check" when trying to login.  Here are my steps:
    1.Copy SAPCRYPTO.dll to kernel directory
    2. Add these parameters to instance profile:
    ssl/ssl_lib                   E:\usr\sap\NWD\SYS\exe\uc\NTI386\sapcrypto.dll
    sec/libsapsecu            E:\usr\sap\NWD\SYS\exe\uc\NTI386\sapcrypto.dll
    ssf/ssfapi_lib               E:\usr\sap\NWD\SYS\exe\uc\NTI386\sapcrypto.dll
    ssf/name                     SAPSECULIB
    icm/server_port_2         PROT=HTTPS,PORT=8443
    3.  Bounce SAP
    When I try to login, I get the error, "Logon not possible (error in license check)"
    Has anyone run into this?  Thank you.

    Yes... thank you... but i also noticed the response of the user "Srikishan D". Meanwhile we solved the issue.
    Our solution is very strange but it works: after the installation we added the parameters in the following order, two by two and doing an instance restart every time.
    FIRST TIME
    icm/server_port_X = PROT=HTTPS,PORT=<Port number of the HTTPS log>
    icm/HTTPS/verify_client=1
    SECOND TIME
    sec/libsapsecu = <Path and file name of the SAPCRYPTOLIB>
    ssl/ssl_lib = <Path and file name of the SAPCRYPTOLIB>
    THIRD TIME
    ssf/name = SAPSECULIB
    ssf/ssfapi_lib = <Path and file name of the SAPCRYPTOLIB>
    After that passage we noticed that the STRUST shows the SSL Server so we have the proof that the CryptoLib was in use.

  • OAM 11gR2 and OVD

    Hi,
    It appears OVD did not make it into the Oracle Fusion Middleware Identity Management 11gR2 release. The latest version available is still the one included in the Oracle Fusion Middleware Identity Management 11gR1 release. Is that correct?
    If so, I have a deployment of Oracle Access Manager 11gR2, which I'd like to integrate with OVD. Does this situation mean that I must deploy another entire WebLogic domain for the Oracle Fusion Middleware Identity Management 11gR1 release? Or is it possible to somehow install the 11gR1 version of OVD into the 11gR2 instance I've already got?
    - Jim

    Yes, the latest version of OVD available is 11.1.1.6 (11g R1). You may use this version with OAM 11gR2.
    OVD 11.1.1.6 uses WebLogic 10.3.6 and OAM 11g R2 also uses the same weblogic version. Please let me know if you are on some other version of WLS.
    As per best practice, try to keep the OAM and OVD in separate WLS domains.

  • Certificate based authentication with SSL load balancer

    I've been asked to implement certificate-based authentication (CBA)
    on a weblogic cluster serving up web services. I've read through
    Chapter 10 (security) and understand the "Identity Assertion" concept.
    Environment:
    Weblogic 8.1 cluster fronted by a load-balancer that handles SSL and
    uses sticky-sessions.
    Question:
    If the load balancer is used to handle SSL, do I still need to turn
    on SSL on the weblogic cluster in order to use CBA? Is there another
    way to request the client's certificate?
    If the above is yes, what is the minimal level of SSL? Does it have
    to be two-way?
    If SSL has to be turned on is there any reason to use the load
    balancer's SSL? Is there still a performance benefit?

    I think the simplest and most secure way is to have the servers configured for
    2-way ssl, since this would ensure that the certificate they receive and use for
    authentication has been validated during the ssl handshake. In this case the load
    balancer itself does not need to and cannot do the handshaking, and would need
    to pass the entire SSL connection through to the WLS server (ie: act similar to
    a router)
    Pavel.

  • SSL setup with a load balancer

    We are running EP 7.0 SP14 and have set it up to run through a Cisco ACE loadbalancer.  We have also set up SSL with the certificate on the ACE load balancer.  Everything works fine, except we keep getting a Security Alert popup message in IE that states "You are about to be redirected to a connection that is not secure."
    Are there some additional configurations that I need to do in EP to make this go away?
    Maximum points to the first correct answer.

    You can change logoff URL to any value:
    http://help.sap.com/saphelp_nw04s/helpdata/en/44/aada5230be5e77e10000000a155369/frameset.htm
    Regarding VC apps.
    It is strange you cannot see HTTP in the IEWatch. IE should not be able to alert about something it does not see. I suggest you to use something more substantial to trace network calls: http://www.wireshark.org
    This is the best tool I know for network tracing.
    Regards,
    Slava

  • Network Load Balancing - "access denied" when loading configuration information from host2

    We have 2 Windows 2012 R2 servers, both are running on workgroup.
    We set up NLB cluster.  When we open NLB Manager on the server2, then message shows "loading configuration information. Access denied. Error connecting to server1". 
    There is no issue doing this on server1, NLB Manager is able to connect to both servers. We login using default administrator account, both account name and password are the same for 2 servers.
    When we check security event log on server1, there is this strange Audit Failure log using account "test_nlb" from server2 which related to "Access denied" error. Please let us know how to resolve this. Thanks in advance.
    Event ID: 4776
    The computer attempted to validate the credentials for an account.
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Logon Account: test_nlb
    Source Workstation: WPAAP2
    Error Code: 0xc0000064

    An account failed to log on.
    Event ID: 4625
    Subject:
        Security ID: S-1-0-0
        Account Name:
        Account Domain:
        Logon ID: 0x0
    Logon Type: 3
    Account For Which Logon Failed:
        Security ID: S-1-0-0
        Account Name: test_nlb
        Account Domain: WPAAP2
    Failure Information:
        Failure Reason: Unknown user name or bad password.
        Status: 0xc000006d
        Sub Status: 0xc0000064
    Process Information:
        Caller Process ID: 0x0
        Caller Process Name:
    Network Information:
        Workstation Name: WPAAP2
        Source Network Address: 192.168.70.45
        Source Port: 55136
    Detailed Authentication Information:
        Logon Process: NtLmSsp
        Authentication Package: NTLM
        Transited Services:
        Package Name (NTLM only):
        Key Length: 0
    This event is generated when a logon request fails. It is generated on the computer where access was attempted.
    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
    The Process Information fields indicate which account and process on the system requested the logon.
    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
    The authentication information fields provide detailed information about this specific logon request.
        - Transited services indicate which intermediate services have participated in this logon request.
        - Package name indicates which sub-protocol was used among the NTLM protocols.
        - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

    Hi Zhong Gang,
    When you are using Network Load Balancing (NLB) Manager, you must be a member of the Administrators group on the host that you are configuring, or you must have been delegated the appropriate authority. If you are configuring a cluster or host by running NLB Manager from a computer that is not part of the cluster, you do not have to be a member of the Administrators group on that computer. Please disable your nodes' firewall and try again.
    The related KB:
    Add a Host to the Network Load Balancing Cluster
    http://technet.microsoft.com/en-us/library/cc753744.aspx
    I’m glad to be of help to you!
    Thanks for helping make community forums a great place.
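
An added example, not part of the thread: a Python parser for the flattened event text as it was pasted in the question (label on one line, value on the next, some values blank), which then decodes the `Status` and `Sub Status` codes. The sample is a trimmed copy of the 4625 event from the post; the NTSTATUS names are the standard Windows ones, and the function names are made up for this example.

```python
SECTIONS = {"Subject", "Account For Which Logon Failed", "Failure Information",
            "Process Information", "Network Information",
            "Detailed Authentication Information"}
TOP_LEVEL = {"Event ID", "Logon Type"}

NTSTATUS = {
    0xC0000064: ("STATUS_NO_SUCH_USER", "account name does not exist on the target"),
    0xC000006A: ("STATUS_WRONG_PASSWORD", "account exists, password is wrong"),
    0xC000006D: ("STATUS_LOGON_FAILURE", "generic failure; read Sub Status"),
    0xC0000072: ("STATUS_ACCOUNT_DISABLED", "account is disabled"),
    0xC0000234: ("STATUS_ACCOUNT_LOCKED_OUT", "account is locked out"),
}

# Trimmed copy of the 4625 event in the question, in its pasted layout.
SAMPLE_4625 = """\
Event ID: 4625
Subject:
    Security ID:
S-1-0-0
    Account Name:
    Account Domain:
Logon Type:
3
Account For Which Logon Failed:
    Account Name:
test_nlb
   Account Domain:
WPAAP2
Failure Information:
    Status:
0xc000006d
    Sub Status:
0xc0000064
Network Information:
    Source Network Address:
192.168.70.45
Detailed Authentication Information:
    Authentication Package:
NTLM
"""


def parse_event(text):
    """Return {'Section/Label': value}; accepts 'Label: value' or label/value pairs."""
    fields, section, pending = {}, "", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pending and not line.endswith(":"):
            fields[pending], pending = line, None   # value for previous label
            continue
        label, sep, value = line.partition(":")
        if not sep:
            continue                                # free text, not a field
        label, value = label.strip(), value.strip()
        if label in SECTIONS and not value:
            section, pending = label, None
            continue
        if label in TOP_LEVEL:
            section = ""
        key = f"{section}/{label}" if section else label
        fields[key] = value
        pending = None if value else key            # blank: value may follow
    return fields


def decode(hex_text):
    code = int(hex_text or "0", 16)
    return NTSTATUS.get(code, (f"0x{code:08x}", "not in this table"))


def triage_failed_logon(text):
    f = parse_event(text)
    who = "Account For Which Logon Failed/"
    sub, meaning = decode(f.get("Failure Information/Sub Status"))
    return {
        "account": f.get(who + "Account Domain", "") + "\\" + f.get(who + "Account Name", ""),
        "source": f.get("Network Information/Source Network Address", ""),
        "logon_type": int(f.get("Logon Type") or 0),
        "package": f.get("Detailed Authentication Information/Authentication Package", ""),
        "status": decode(f.get("Failure Information/Status"))[0],
        "sub_status": sub,
        "meaning": meaning,
    }


if __name__ == "__main__":
    print(triage_failed_logon(SAMPLE_4625))
```

For the event in the question the sub status decodes to `STATUS_NO_SUCH_USER`: the machine that logged the event has no account named `test_nlb`, which is a different condition from a wrong password (`0xC000006A`).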

  • How to configure Load Balancer in front of Web Logic Cluster

    hi all,
    I installed 2 weblogic servers in cluster and now i want to deploy Hardware Load balancer in front of them, i want to know do i require any configuration on servers or i just deploy hardware Load balancer in front clustered servers with round robin technique.
    Regards,
    imran

    I think there are two important configuration when you use hardware load balancer in front of WebLogic cluster.
    1) Passive Cookie Persistence
    You need to configure the hardware load balancer so that it can identify the WebLogic session cookie for routing requests to the primary server holding the HTTP session.
    2) External DNS
    If there is a firewall between the hardware load balancer and the WebLogic cluster and NAT (Network translation) is used, then you need to configure "External DNS" for each WebLogic server in the cluster. You need to specify the hostname used by the load balancer in "external DNS".
    More details about this are available at.
    http://edocs.bea.com/wls/docs92/cluster/load_balancing.html#wp1026940
    http://e-docs.bea.com/wls/docs92/cluster/planning.html#wp1088950
    Hope this will help...
    Jayesh
    Yagna Sys

  • Exchange 2010 ACE30 Load Balancer Configuration

    Afternoon Everybody,
    Does anybody have any good documentation, or example configurations on how to load balance client traffic inbound to distributed Exchange 2010 Client Access Servers they could share please?
    We have a basic configuration in place that is troublesome that is using sticky based persistence for all services, with basic health probes looking at ports 25, 80, 443 and RPC specific ports on 135, 6000, 60001.  We are seeing major packet drops/loss as well as resets of the connections between the health probes and the servers that in turn take the servers out of the farm causing major downtime.
    I would very much appreciate any pointers or guidance.
    Thanks in advance.
    Darrel

    Hi Darrel,
    Is there any specific requirement from the application side?
    Can you go through the below links and see if they help you?
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/App_Networking/hypervexchange.html
    https://supportforums.cisco.com/thread/2123412
    Regards,
    Kanwal
