Reverse proxy + SSL question

Hi everyone.
I try to setup a proxy for my organization (I downloaded the latest 4.0.x version of Sun Web Proxy Server). The idea is that, through it we need to offer access to a part of our intranet.
There is a public (internet) address available (with SSL activated, it's an Apache server).
The idea is :
- normal extranet : https://foo.bar.com
- reverse proxy : https://foo.bar.com:4443/path/inside/intranet (which would be, for the proxy https://intranet.foo.bar.com/path/inside/intranet).
Do you have any advice on how I should do that ? I tried to import the apache certificate inside the proxy, but it won't work. Is there something I'm missing ?
Thanks in advance for your answers.
Edited by: TiamatB5 on Dec 8, 2008 7:42 AM

Alright, I found the solution :
- apache is used as a front reverse proxy, accepting SSL requests
- a specific url is used like : https://extranet.foo.bar/intranet that does the reverse proxy to http://extranet.foo.bar:8888 (on the same server as apache)
- Sun Proxy Web server is used to do the real reverse proxying of http://extranet.foo.bar:8888 to http://intranet.foo.bar
- the content rewriting is used to rewrite internal url to https ones like : http://intranet.foo.bar/foo/bar is rewritten to https://extranet.foo.bar/intranet/foo/bar
After testing it works like a charm. No need to request a specific certificate for the Sun Proxy, and it's exactly what's been asked to me, that is : the client mustn't see the internal redirection. With this, they don't see that there is a proxy and they don't see the http://extranet.foo.bar:8888 part. It seems a bit complicated, but at least it works ;)
Edited by: TiamatB5 on Dec 9, 2008 12:50 AM
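
The requirement in the solution above is that clients never see the internal hop, so this added example (not part of the original post and not Sun or Apache code) applies the described URL mapping to a response and then lists any internal URL that is still visible. The host names and the mapping come from the post; the sample response, the Refresh header and the lookalike host are constructed.

```python
import re
from urllib.parse import urlsplit

# Public prefix and internal origins as described in the post.
PUBLIC_PREFIX = "https://extranet.foo.bar/intranet"
INTERNAL_ORIGINS = {
    ("http", "intranet.foo.bar", 80),    # the real intranet server
    ("http", "extranet.foo.bar", 8888),  # Sun proxy listener behind Apache
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
REWRITTEN_HEADERS = ("location", "content-location")


def is_internal(url):
    """True only when scheme, exact host and port match an internal origin."""
    try:
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:  # malformed port or host
        return False
    host = (parts.hostname or "").lower()
    return (parts.scheme, host, port) in INTERNAL_ORIGINS


def rewrite_url(url):
    """Map an internal absolute URL to its public form; leave others alone."""
    if not is_internal(url):
        return url
    parts = urlsplit(url)
    tail = parts.path or "/"
    if parts.query:
        tail += "?" + parts.query
    if parts.fragment:
        tail += "#" + parts.fragment
    return PUBLIC_PREFIX + tail


def rewrite_response(headers, body):
    """Rewrite redirect headers and absolute URLs found in the body."""
    new_headers = {
        name: rewrite_url(value) if name.lower() in REWRITTEN_HEADERS else value
        for name, value in headers.items()
    }
    new_body = URL_RE.sub(lambda m: rewrite_url(m.group(0)), body)
    return new_headers, new_body


def find_leaks(headers, body):
    """Internal URLs a client would still see, in any header or the body."""
    text = "\n".join(list(headers.values()) + [body])
    return sorted({u for u in URL_RE.findall(text) if is_internal(u)})


# Constructed sample response as it would leave the intranet server.
SAMPLE_HEADERS = {
    "Location": "http://intranet.foo.bar/foo/bar",
    "Refresh": "5; url=http://intranet.foo.bar/login",  # not a rewritten header
}
SAMPLE_BODY = (
    '<a href="http://intranet.foo.bar/docs?id=7#top">docs</a>\n'
    '<img src="http://extranet.foo.bar:8888/logo.png">\n'
    '<a href="http://intranet.foo.bar.example.net/">lookalike host</a>\n'
)

if __name__ == "__main__":
    new_headers, new_body = rewrite_response(SAMPLE_HEADERS, SAMPLE_BODY)
    print(new_headers["Location"])
    print(new_body)
    print("still visible to the client:", find_leaks(new_headers, new_body))
```

Matching on the parsed host and port rather than on a string prefix keeps the lookalike host untouched, and the leak check covers every header, which is how the Refresh value that the rewrite step skipped gets reported.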

Similar Messages

  • CSM, Reverse Proxy, and Sticky

    First, here is a diagram of my setup:
    CSM w/VIP for Front-End Web Servers (acting as Authorization and Reverse Proxy)
    |
    SSL Module for termination of HTTPS traffic
    |
    Front-End Web Servers
    |
    CSM w/VIP for Back-end Web Servers
    |
    Back-end Web Servers
    What I need is a way to ensure that users get to the same Back-end Web Server for their entire session. The Front-End Web Servers act as a Reverse Proxy for all requests going to the Back-End Web Servers and are configured to send requests to the VIP for the Back-End Web Servers.

    Gilles,
    Thanks for the response. This is https traffic for the user, but from the Front-End to the Back-End it's just http. Unfortunately it's SAP so it's not a normal HTTP Back-end that can generate cookies. Currently I am only running 3.1(7). What is the status of the 4.1 train? Being new I am concerned about utilizing this level. What has been the experience of customers on this code level in the field?

  • What is the alternative to TMG/ISA For SSL-Bridging-Capable Reverse Proxy For System Center 2012 R2 IBCM?

    When I look up alternatives to TMG many other answers say something like "Don't worry about it. TMG 2010 is under support until 2020."
    Well, we don't have TMG and can't buy it since it is off the market.  Can it still be legitimately purchased through any resellers?
    We need a reverse proxy that specifically supports SSL-Bridging so that device certificate authentication is not broken when the connection passes through the proxy.
    Which reverse proxies that are currently on the market are known to work successfully with System Center Config Manager Internet-Based Client Management and also with other Microsoft products such as Lync 2010 and RD Gateway 2012 R2?
    Do any Cisco ASA or ACE models support the required functionality for machine certificate authentication?
    We have ISA 2006 licenses available, but I would hate to roll that out and then have to replace it in only 2 years rather than using something that can stay in place long term.  Maybe we could use ISA 2006 temporarily as a stopgap if the next version released of Windows Server Web Application Proxy would meet the requirements and can be deployed in production before ISA 2006 is completely EOL.
    I hate that Microsoft keeps discontinuing all the related products to this before they have their replacements ready.

    Hi,
    You are correct, all TMG product sales officially ended in December 2012.
    In addition, an ISA Server and a TS Gateway server can be used together to enhance security for remote connections to internal network resources. However, it seems that ISA 2006 cannot support that on Windows Server 2012 R2. For more detailed information:
    Configuring the TS Gateway ISA Server Scenario
    Personally, Web application proxy would be an alternate. In addition, for the question related to Cisco product, you can contact Cisco for assistance.
    Best regards,
    Susie

  • Apache reverse proxy and SSL termination

    Hi Gurus,
    Can anyone tell me how to do SSL termination at apache reverse proxy? I am using apache reverse proxy for accessing portal from internet. Apache is configured for SSL and portal is NON SSL.
    I am using header variable login module in portal. I wanted to terminate SSL at apache reverse proxy and then all traffic after that should be clear text.
    Should I maintain any property? Is there any documentation for it?
    Please help me
    Tom

    The majority of the work here is around configuring your Web Dispatcher and Apache Reverse proxy. The work on the portal is straight forward enabling of SSL.
    You can follow http://help.sap.com/saphelp_nw2004s/helpdata/en/f1/2de3be0382df45a398d3f9fb86a36a/frameset.htm for setting this up.
    what level I need to configure SSL and how do I proceed in both scenarios?
    Your question itself says where you need SSL. SSL is required where ever you need HTTPS communication.
    how do I proceed in both scenarios?
    From a portal perspective, the configuration should remain the same.
    Do I have to install SSL at portal, web dispatcher or at Apache level?
    SSL needs to be configured at all the 3 levels if you are looking at end to end SSL implementation.
    See the following for possible SSL implementation options:
    http://help.sap.com/saphelp_nw04/helpdata/en/d8/a922d7f45f11d5996e00508b5d5211/frameset.htm
    https://cw.sdn.sap.com/cw/docs/DOC-115509
    Will SSL termination work for scenario 2?
    Yes this should work - see http://help.sap.com/saphelp_nw2004s/helpdata/en/36/fd39eacf4cde4a8fe32d7f29b3db16/frameset.htm
    However in case of SSL Termination, the request to your portal from the web dispatcher will be sent as HTTP.
    I would recommend you to take a step by step (backward approach).
    First, enable SSL on your portal and make sure it works - going directly to the server.
    Then, you can introduce the Web Dispatcher - and test if every thing works going through the web dispatcher.
    Finally - you can test the end to end flow - with your Reverse proxy involved.
    - Shanti

  • Lync 2013 edge-no reverse proxy question

    I deployed Lync 2013 edge server and no reverse proxy yet. I am trying to connect from my Windows 7 machine with no luck and I can see a TCP reset on the firewall. My question is: is reverse proxy required for the normal client to connect and do basic IM?
    Plz confirm. Thx

    *****Update**********
    Now when I am trying to test connectivity using Microsoft Connectivity Analyzer I am getting an error related to the external certificate stating that "certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation." With UC troubleshooter I am getting the same. Any idea?
    PS: certificate is from DigiCert and I have checked the installation with their tool and all was green.
    Regards

  • Charts, reverse proxy and SSL

    I have set up an APEX server running XE under Windows 2003. I upgraded it to APEX 3.0.1. I have an application almost completed that I now want to start testing remotely, and that I want to protect with SSL. So, I installed the Windows version of Apache, and got one of my network experts to help me install an SSL certificate. We used a reverse proxy method per non-Oracle documentation we dug up using Google. (I think one of my problems may be that I did not actually configure APEX to use an external web server -- read on.) Everything seems to be working fine except the flash charts, which generate an error message that "XML loading failed." There is a URL in the error message that starts: http://127.0.0.1:8080/apex... Clearly, when APEX generates an internal URL, it is not aware of the fact that the browser is remote and the reverse proxy is only working from the Apache server to the internal APEX server (and not the other direction). This may or may not be complicated by the fact that the URL's being proxied contain "https".
    I tried to configure APEX for an external web server per instructions in the APEX 3.1 Installation Guide. HOWEVER, per step 4.4.5, I cannot find "ORACLE_HTTPSERVER_HOME\Apache\modplsql\conf\dads.conf". In fact, there is NO apache directory anywhere (except for the one that I installed independently of APEX). I had this problem prior to installing Apache myself, i.e. there is no obvious place where the web server that comes with APEX is installed, and there is no DADS file. I searched the ENTIRE C: drive and there is no DADS file.
    You've already guessed that I have not been using APEX very long, and I am guessing that I probably have more than one problem. I have spent hours reading documentation, and have had a lot of success with APEX. This just went further than I know how to diagnose.
    Here are some of my questions, some of which I'm sure are related:
    - Where is dads.conf?
    - Where is the 3.0.1 web server?
    - What do I have to do to get APEX to generate the correct https URL's?
    - Is it possible to set up a reverse proxy from the APEX internal web server to the external Apache server?
    Oh... and P.S.: I installed the upgrade to APEX 3.1 in the hope that it would fix something. I spent a lot of time trying to follow every step precisely. The 3.1 installation acts the same way as 3.0.1 where everything that I have done except charts works fine.
    I will be incredibly grateful if someone can help me with this.

    Did you ever find a solution to this issue?

  • WebServer 6.1 SP3 SSL reverse proxy to Sun One Application Server 7

    I have an application in the appserver7 that requires SSL authentication. I have already installed a self cert in the appserver7, and the authentication works fine when I browse directly to the appserver.
    The appserver7 has both listener for port 80 and 443 enabled.
    I'm currently setting up a webserver (WebServer 6.1 SP3) to act as a reverse proxy to the appserver7. The reverse proxy for the basic jsp pages found in the appserver worked fine.
    When I try to access the login page, in the appserver, in ssl mode, I am unable to do so. I then try changing the obj.conf to the following, from http to https:
    <Object name="passthrough">
    ObjectType fn="force-type" type="magnus-internal/passthrough"
    Service fn="service-passthrough" method="(GET|HEAD|POST)" servers="https://172.28.48.53"
    </Object>
    However, it still doesn't work.
    Do I need to install a self cert in the webserver and enable the ssl listener as well?
    Do I need to install any reverse proxy addon for the appserver? Any
    setup for the obj.conf in the appserver?
    Any ideas how to get this done?
    Thanks.
    Mac.

    The Web Server 6.1 SP3 Reverse Proxy Plugin is supported, but it sounds like you're trying to do something that simply isn't possible.
    If you want the Reverse Proxy Plugin to perform SSL mutual authentication with the Application Server using the client's certificate, that's impossible due to the nature of SSL mutual authentication. If the plugin could impersonate the client, then SSL would be vulnerable to MITM (Man In The Middle Attacks). Fortunately, SSL isn't vulnerable to such attacks because the plugin doesn't know the client's private key.
    If you simply want the Reverse Proxy Plugin to pass information about the client's certificate along to the Application Server, that happens automatically. There's nothing special to configure. Note that the plugin will not authenticate to the Application Server in this case. Rather, it will simply copy the X.509 certificate into the proprietary Proxy-auth-cert: HTTP request header.
    The application running on the Application Server can inspect the Proxy-auth-cert: header using standard Servlet APIs. Alternatively, you can use Application Server 7's auth-passthrough AuthTrans SAF to cause the contents of the Proxy-auth-cert: header to be copied to the javax.servlet.request.X509Certificate Servlet attribute.

  • Apache Reverse proxy with SSL

    Hi,
    I'm trying to install Apache Reverse proxy which will support both HTTP and HTTPS request.
    What do I need to activate to support the HTTPS requests?
    I installed Apache 2.0.53 Released and trying to activate the mod_ssl.
    From Where can I get the mod_ssl.so?
    I saw that there are 2 projects:
    Apache Interface to OpenSSL (mod_ssl)
    Apache-SSL
    Do I need to use them in case I want to use HTTPs?
    Regards,
    Yael

    Get the latest openssl and compile it. Before you compile apache, execute ./configure --help in the apache directory. It will give you the commands that you need to use to activate and deactivate various things in apache.
    mine is as follows:
    ./configure --with-layout=GNU --enable-proxy --enable-ssl --with-ssl=/usr/local/src/apachessl/openssl-0.9.7f/ --enable-vhost-alias --enable-rewrite --enable-so --enable-proxy-http --enable-proxy-connect --enable-headers
    then make and make install.
    hope it helps.
    Jai

  • Reverse Proxy Configuration - Apache as an SSL reverse-proxy

    Hi,
    We have EP 6.0 SP 14 installed with SSL configured.
    We are in need to open the application to internet.
    For the same we have set up a reverse proxy server (Apache as SSL
    Reverse Proxy).
    Our requirement is to open the application to the internet with
    web address https://abc.domain.com.
    The issue is we are able to access the application from internet only when
    https://abc.domain.com/irj/potal is typed.
    (ie.) Mapping is working fine for
    https://abc.domain.com/irj/portal to
    our EP Portal address https://abc2.domain.com:50001/irj/portal
    And not working for mapping https://abc.domain.com to our EP Portal
    address https://abc2.domain.com:50001/irj/portal
    We have been working on to resolve this issue for days together but have been really unsuccessful
    Kindly help us in resolving the same asap.
    Note : The references we used are:
    1. SAP's document:
    "Apache Reverse Proxy Configuration for J2ee 6.20 and 6.40 Web Applications"
    2. Weblogs:
    The Reverse Proxy Series -- Part 1: Introduction
    The Reverse Proxy Series -- Part 3: Apache as a reverse-proxy
    The Reverse Proxy Series -- Part 3.1: Apache as an SSL reverse-proxy
    Regards,
    venkat.

    Thanks much for the feedback. We're using the default settings on the HTTP rule we have set up for the portal on the ISA server. We'll be looking into the details of what the default rule settings are, however we did find a note in the Microsoft Knowledge base detailing with the ISA server screening high bits in URL strings for Outlook Web Access (OWA). This generates a similar error message. Here is the link to the detailed note on the Microsoft web site:
    http://support.microsoft.com/?scid=kb;en-us;837865
    Also, we are going to be applying the SP1 upgrade to the ISA server (released in March) to see if this might be some type of issue that may have been identified and corrected by the service pack. We'll see what happens with that.
    One area where we can recreate the problem at will is when we set up the system landscape configuration. We can navigate to a system configuration object, however when we attempt to right click to edit the object we get the error. There are other circumstances where we get errors but that is one that occurs for sure. Anyone have any idea as to what might be special about that type of transaction??
    Thanks again.
    Rich

  • SSL tunneling with reverse proxy

    Hi,
    I have configured reverse proxy on Sun Web Proxy server. Now I am trying to configure SSL tunneling .
    Steps followed :
    1. Server Manager tab -> my server instance -> Routing tab.
    2. Clicked the Enable/Disable Proxying link.
    3. Created a new regular expression connect://.*.5000 (as my content server listens for SSL connections on port 5000).
    4. Selected the connect://.*.5000 resource from the drop-down list.
    5. Selected Enable Proxying Of This Resource and clicked OK.
    But it doesn't seem to work. Is there a way to verify? Is SSL tunneling applicable to reverse proxy?
    Thanks,
    Nitin

    SSL tunneling is a forward proxy operation.

  • SSL Issue with reverse proxy module

    Hi there,
    I'm hoping someone can help me. I am using Sun ONE Web Server 6.1SP7 Reverse Proxy Plugin to connect to a backend server over SSL.
    However the backend server is reporting errors on the SSL handshake: SSL_ERROR_NO_CYPHER_OVERLAP
    I have installed ssldump and can see the following set of cipher suites are offered by the client (in this case, the reverse proxy module):
    New TCP connection #6: dptettsw02(62951) <-> dptdevss01(31006)
    6 1 0.0105 (0.0105) C>S SSLv2 compatible client hello
    Version 3.1
    cipher suites
    SSL2_CK_RC4
    SSL2_CK_RC2
    SSL2_CK_3DES
    SSL2_CK_DES
    SSL2_CK_RC4_EXPORT40
    SSL2_CK_RC2_EXPORT40
    TLS_RSA_WITH_RC4_128_MD5
    Unknown value 0xfeff
    TLS_RSA_WITH_3DES_EDE_CBC_SHA
    Unknown value 0xfefe
    TLS_RSA_WITH_DES_CBC_SHA
    TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
    TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
    TLS_RSA_EXPORT_WITH_RC4_40_MD5
    TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
    How do I configure the reverse proxy module to use a different cipher suite?
    Any help would be greatly appreciated and please let me know if anything is unclear
    Thanks!
    Kev
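
For readers comparing a captured ClientHello against a backend's policy, this added example (not from the original post) parses the cipher list from the ssldump output above, labels why each offered suite is weak, and computes the overlap with a server's accepted list. The backend list BACKEND_ACCEPTS is a constructed assumption, since the post does not say what the backend accepts.

```python
import re

# ClientHello section copied from the ssldump output in the post.
SSLDUMP_CLIENT_HELLO = """\
6 1 0.0105 (0.0105) C>S SSLv2 compatible client hello
Version 3.1
cipher suites
SSL2_CK_RC4
SSL2_CK_RC2
SSL2_CK_3DES
SSL2_CK_DES
SSL2_CK_RC4_EXPORT40
SSL2_CK_RC2_EXPORT40
TLS_RSA_WITH_RC4_128_MD5
Unknown value 0xfeff
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Unknown value 0xfefe
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
TLS_RSA_EXPORT_WITH_RC4_40_MD5
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
"""

# Constructed assumption: a backend that only accepts AES suites.
BACKEND_ACCEPTS = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA"]

SUITE_LINE = re.compile(
    r"^(?:(?:SSL2|SSL|TLS)_[A-Z0-9_]+|Unknown value 0x[0-9a-fA-F]+)$"
)


def parse_offered(dump):
    """Return the suite names listed after the 'cipher suites' marker."""
    offered, in_list = [], False
    for raw in dump.splitlines():
        line = raw.strip()
        if line == "cipher suites":
            in_list = True
        elif in_list and SUITE_LINE.match(line):
            offered.append(line)
        elif in_list:
            break  # first non-suite line ends the list
    return offered


def weaknesses(suite):
    """Reasons a suite should not be negotiated, derived from its name."""
    if suite.startswith("Unknown value"):
        return ["code point ssldump could not name"]
    tokens = suite.split("_")
    found = []
    if tokens[0] == "SSL2":
        found.append("SSLv2 cipher kind")
    if any(t.startswith("EXPORT") for t in tokens):
        found.append("export-grade key length")
    if "RC4" in tokens:
        found.append("RC4 stream cipher")
    if "RC2" in tokens:
        found.append("RC2")
    if "DES" in tokens:
        found.append("single DES (56-bit key)")
    if "3DES" in tokens:
        found.append("3DES (64-bit block)")
    if tokens[-1] == "MD5":
        found.append("MD5 MAC")
    return found


def negotiable(offered, accepted):
    """Suites both sides support, in the client's preference order."""
    accepted = set(accepted)
    return [s for s in offered if s in accepted]


def report(dump):
    """Map every offered suite to its list of weaknesses."""
    return {suite: weaknesses(suite) for suite in parse_offered(dump)}


if __name__ == "__main__":
    for suite, reasons in report(SSLDUMP_CLIENT_HELLO).items():
        print(f"{suite:40s} {', '.join(reasons)}")
    common = negotiable(parse_offered(SSLDUMP_CLIENT_HELLO), BACKEND_ACCEPTS)
    print("common suites:", common or "none (handshake fails: no cipher overlap)")
```

An empty overlap is the condition the backend reports as a cipher-overlap error; every suite in this offer carries at least one weakness label.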

    Hi there.
    The server.xml file is below:
    <?xml version="1.0" encoding="UTF-8"?>
    <!--
    Copyright (c) 2003 Sun Microsystems, Inc. All rights reserved.
    Use is subject to license terms.
    -->
    <!DOCTYPE SERVER PUBLIC "-//Sun Microsystems Inc.//DTD Sun ONE Web Server 6.1//EN" "file:///opt/SUNWwbsvr/servers/bin/https/dtds/sun-web-server_6_1.dtd">
    <SERVER qosactive="no" qosmetricsinterval="30" qosrecomputeinterval="100">
    <PROPERTY name="docroot" value="/opt/iplanet/servers/docs"/>
    <PROPERTY name="user" value=""/>
    <PROPERTY name="group" value=""/>
    <PROPERTY name="chroot" value=""/>
    <PROPERTY name="nice" value=""/>
    <PROPERTY name="dir" value=""/>
    <PROPERTY name="accesslog" value="/opt/SUNWwbsvr/servers/https-ETT03WEB02/logs/accessSSL"/>
    <LS id="group1" ip="0.0.0.0" port="2080" acceptorthreads="1" blocking="no" security="off" defaultvs="https-ETT03WEB02" servername="dptettsw02"/>
    <LS id="ls2_default" ip="0.0.0.0" port="20443" acceptorthreads="1" blocking="no" security="on" defaultvs="https-ETT03WEB02" servername="ptpcam-ptpett-drs.dwpptp.londondc.com">
    <SSLPARAMS servercertnickname="Server-Cert" ssl2="off" ssl2ciphers="&#43;rc4,&#43;rc4export,&#43;rc2,&#43;rc2export,&#43;desede3,&#43;des" ssl3="on" ssl3tlsciphers="-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_56_sha,-rsa_rc4_40_md5,-rsa_3des_sha,-rsa_des_sha,-rsa_des_56_sha,-rsa_rc2_40_md5,&#43;rsa_null_md5,-fortezza,-fortezza_rc4_128_sha,&#43;fortezza_null,-fips_3des_sha,-fips_des_sha" tls="on" tlsrollback="off" clientauth="off"/>
    </LS>
    <MIME id="mime1" file="mime.types"/>
    <ACLFILE id="acl1" file="/opt/SUNWwbsvr/servers/httpacl/generated.https-ETT03WEB02.acl"/>
    <VSCLASS id="defaultclass" objectfile="obj.conf" rootobject="default" acceptlanguage="off">
    <PROPERTY name="docroot" value="/opt/iplanet/servers/docs"/>
    <PROPERTY name="user" value=""/>
    <PROPERTY name="group" value=""/>
    <PROPERTY name="chroot" value=""/>
    <PROPERTY name="nice" value=""/>
    <PROPERTY name="dir" value=""/>
    <VS id="https-ETT03WEB02" connections="group1" urlhosts="dptettsw02" mime="mime1" aclids="acl1" state="on">
    <USERDB id="default" database="default"/>
    </VS>
    <VS id="ETT03WEB02_SSL" connections="ls2_default" urlhosts="ptpcam-ptpett-web.dwpptp.londondc.com" mime="mime1" aclids="acl1" state="on">
    <USERDB id="default" database="default"/>
    </VS>
    </VSCLASS>
    <JAVA javahome="/opt/SUNWwbsvr/servers/bin/https/jdk" serverclasspath="/opt/SUNWwbsvr/servers/bin/https/jar/webserv-rt.jar:${java.home}/lib/tools.jar:/opt/SUNWwbsvr/servers/bin/https/jar/webserv-ext.jar:/opt/SUNWwbsvr/servers/bin/https/jar/webserv-jstl.jar:/opt/SUNWwbsvr/servers/bin/https/jar/ktsearch.jar" classpathsuffix="" envclasspathignored="true" debug="false" debugoptions="" dynamicreloadinterval="2">
    <JVMOPTIONS>-Dorg.xml.sax.parser=org.xml.sax.helpers.XMLReaderAdapter</JVMOPTIONS>
    <JVMOPTIONS>-Dorg.xml.sax.driver=org.apache.crimson.parser.XMLReaderImpl</JVMOPTIONS>
    <JVMOPTIONS>-Djava.security.policy=/opt/SUNWwbsvr/servers/https-ETT03WEB02/config/server.policy</JVMOPTIONS>
    <JVMOPTIONS>-Djava.security.auth.login.config=/opt/SUNWwbsvr/servers/https-ETT03WEB02/config/login.conf</JVMOPTIONS>
    <JVMOPTIONS>-Djava.util.logging.manager=com.iplanet.ias.server.logging.ServerLogManager</JVMOPTIONS>
    <JVMOPTIONS>-Xmx256m</JVMOPTIONS>
    <JVMOPTIONS>-Xrs</JVMOPTIONS>
    <SECURITY defaultrealm="file" anonymousrole="ANYONE" audit="false">
    <AUTHREALM name="file" classname="com.iplanet.ias.security.auth.realm.file.FileRealm">
    <PROPERTY name="file" value="/opt/SUNWwbsvr/servers/https-ETT03WEB02/config/keyfile"/>
    <PROPERTY name="jaas-context" value="fileRealm"/>
    </AUTHREALM>
    <AUTHREALM name="ldap" classname="com.iplanet.ias.security.auth.realm.ldap.LDAPRealm">
    <PROPERTY name="directory" value="ldap://localhost:389"/>
    <PROPERTY name="base-dn" value="o=isp"/>
    <PROPERTY name="jaas-context" value="ldapRealm"/>
    </AUTHREALM>
    <AUTHREALM name="certificate" classname="com.iplanet.ias.security.auth.realm.certificate.CertificateRealm"/>
    </SECURITY>
    <RESOURCES/>
    </JAVA>
    <LOG file="/opt/SUNWwbsvr/servers/https-ETT03WEB02/logs/errors" loglevel="finest" logtoconsole="true" usesyslog="false" createconsole="false" logstderr="true" logstdout="true" logvsid="false"/>
    </SERVER>
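
The +/- cipher lists in the SSLPARAMS element posted above are hard to read by eye, so this added example (not part of the original post and not Sun tooling) extracts what the SSL listener actually enables. It assumes "+" enables and "-" disables a cipher, and that ssl2ciphers is ignored while ssl2="off"; the LS element is copied from the post with the attributes unrelated to TLS left out.

```python
import xml.etree.ElementTree as ET

# SSL listener from the posted server.xml (TLS-related attributes only).
LISTENER_XML = """\
<LS id="ls2_default" port="20443" security="on">
<SSLPARAMS servercertnickname="Server-Cert" ssl2="off"
  ssl2ciphers="&#43;rc4,&#43;rc4export,&#43;rc2,&#43;rc2export,&#43;desede3,&#43;des"
  ssl3="on"
  ssl3tlsciphers="-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_56_sha,-rsa_rc4_40_md5,-rsa_3des_sha,-rsa_des_sha,-rsa_des_56_sha,-rsa_rc2_40_md5,&#43;rsa_null_md5,-fortezza,-fortezza_rc4_128_sha,&#43;fortezza_null,-fips_3des_sha,-fips_des_sha"
  tls="on" tlsrollback="off" clientauth="off"/>
</LS>
"""


def split_cipher_list(value):
    """Split '+name,-name,...' into (enabled, disabled) lists."""
    enabled, disabled = [], []
    for item in filter(None, (part.strip() for part in value.split(","))):
        sign, name = item[0], item[1:]
        if sign == "+":
            enabled.append(name)
        elif sign == "-":
            disabled.append(name)
        else:
            raise ValueError(f"cipher entry without +/- prefix: {item!r}")
    return enabled, disabled


def effective_ciphers(ls_xml):
    """Ciphers a listener really offers, honouring the protocol switches."""
    result = {"ssl2": [], "ssl3tls": [], "ssl3tls_disabled": [], "null": []}
    ls = ET.fromstring(ls_xml)  # the parser decodes &#43; to '+'
    params = ls.find("SSLPARAMS")
    if ls.get("security") != "on" or params is None:
        return result  # plain HTTP listener: nothing to report
    if params.get("ssl2") == "on":
        result["ssl2"] = split_cipher_list(params.get("ssl2ciphers", ""))[0]
    if params.get("ssl3") == "on" or params.get("tls") == "on":
        enabled, disabled = split_cipher_list(params.get("ssl3tlsciphers", ""))
        result["ssl3tls"] = enabled
        result["ssl3tls_disabled"] = disabled
    # NULL suites authenticate the peer but send the payload unencrypted.
    result["null"] = [c for c in result["ssl3tls"] if "null" in c.split("_")]
    return result


if __name__ == "__main__":
    ciphers = effective_ciphers(LISTENER_XML)
    print("SSLv2 ciphers offered   :", ciphers["ssl2"] or "none (ssl2 is off)")
    print("SSLv3/TLS ciphers on    :", ciphers["ssl3tls"])
    print("SSLv3/TLS ciphers off   :", len(ciphers["ssl3tls_disabled"]))
    print("NULL-encryption ciphers :", ciphers["null"])
```

On the posted listener the only entries carrying a "+" are the two NULL-encryption ciphers, while every RC4, DES and 3DES entry is switched off.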

  • ACE SSL Reverse Proxy for multiple URLs

    Hi,
    I am trying to setup an ACE as a reverse proxy (one-arm mode) for HTTPS connections for multiple URLs to multiple serverfarms. From what I know I have two options:
    1. Use different VIP for each URL and do L4 loadbalancing or use a combination of IP address and port.
    2. Use different VIP for each URL, do SSL offloading and do L7 URL based loadbalancing.
    So with these options I am bound to use different IPs for each site. Is there a way I can use one VIP and then offload SSL and do URL based loadbalancing? From my knowledge we are restricted by the nature of the SSL. The reason is that the SSL protocol is a separate layer which encapsulates the HTTP protocol. So the problem is that the SSL session is a separate transaction that takes place before the HTTP session even starts so there is no visibility of the HTTP header.
    Any comments appreciated
    George Georgiou

    George,
    your understanding is absolutely correct.
    We need to know the site in order to decrypt the traffic because the certificate is associated to a domain name.
    But without decrypting, we can't see the domain name.
    So, the only way to know the domain without decrypting is to allocate a single ip to each domain.
    There is no other solution.
    Gilles.

  • HTTP adapter using SSL through a reverse proxy (Apache)

    I've configured SSL on the PI Server (Double_Stack) and it is working fine.  I need to configure an Apache server to act as a reverse proxy which will accept client certificates.  Is there a how to or SDN post on this?  I have been searching but no luck.  I have found info on www.apache.org but it is confusing.  Web Dispatcher is not an option in this case (mandated Apache).  Thanks for the help.

    Didn't need to use Apache.

  • Issues in ssl configuration with apache server (using reverse proxy)

    Hi,
    I am able to use apache server as a reverse proxy to connect to Portal. When I enter the web server url as https://mywebserver.com, I am able to connect to the http url of the Portal. But the moment I try to connect to the https url of Portal with this https url, I am not able to connect to the Portal. Thus I am not able to use apache as a proxy server for https connections it makes. What must I do. I read that mod_proxy_connect needs to be used, but how do I use this?
    The second problem is that I need to use more than one kind of mapping.
    For example I must be redirected to the Portal even if I use http://webserver.com , or even if I use https://webserver.com or even if I use http://webserver.com/irj or https://webserver.com/irj or http://ipaddress-websserver/irj etc

    I have SSLCertificateFile and SSLCertificateKeyFile.
    My problem is with regard to ssl/CertificateChainFile?
    what is this? Also how do I upload my J2EE Certificate into apache.
    The problem is with Apache handshake is not happening.
    I am forwarding the entire log during . I have put what I consider important in bold. Please have a look.
    ----
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1769): OpenSSL: Handshake: start
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1777): OpenSSL: Loop: before/connect initialization
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1777): OpenSSL: Loop: SSLv2/v3 write client hello A
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0290: 4f 6f 5d e6 2d dc 77 46-e6 77 b1 94 3d 65 5b b0  Oo].-.wF.w..=e[. |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 02a0: 3d 39 7a 6c a2 c7 0b e3-27 08 fa 48 8d 75 1a fe  =9zl....'..H.u.. |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 02b0: 32 e6 13 d1 31 65 7d d5-11 34 21 78 38 d1 11 fb  2...1e}..4!x8... |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 02c0: ea 59 8e 24 79 5a 4b c2-f7 98 22 51 9f a7 4d 2b  .Y.$yZK..."Q..M+ |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 02d0: 15 98 fe d4 43 4b 34 25-b3 9b b3 ae 57 d1 ea 69  ....CK4%....W..i |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 02e0: 6e 02 7e 61 d7 80 b6 73-6a 3e ac eb 69 38 67 8f  n.~a...sj>..i8g. |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 02f0: a9 2a dc 93 3d 22 f3 6e-6a 5d 51 1f b1 b1 10 5e  .*..=".nj]Q....^ |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0300: 82 28 48 0d 5a 78 f8 17-61 e0 c5 43 61 7a 42 6a  .(H.Zx..a..CazBj |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0310: 00 80 42 fa 7e 11 b2 77-3a 8c de f1 52 5a e1 18  ..B.~..w:...RZ.. |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0320: d4 e7 8f ee 2c e0 06 ef-d5 37 87 62 07 14 d1 5a  ....,....7.b...Z |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0330: ca 30 be fd dd 76 47 8f-ed f4 5f f3 64 6c 32 a9  .0...vG..._.dl2. |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0340: d5 07 e2 9b f1 29 a3 bf-33 4a ed 72 6b 2e c3 0f  .....)..3J.rk... |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0350: 30 bd 13 a1 42 d8 f7 1d-58 8a 1c 53 d6 c3 c8 6e  0...B...X..S...n |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0360: 0e 51 e3 f5 a0 37 68 0d-04 c6 0e c4 4d cc ed 7c  .Q...7h.....M..| |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0370: ef 8f 81 b3 52 34 0c 60-eb f8 01 19 cc 95 31 55  ....R4.`......1U |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0380: 7d 16 bf 0c df b8 e0 3d-8f 7c 7a 4a 64 98 93 59  }......=.|zJd..Y |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0390: eb ae 00 80 ef cb bc 38-ab 16 0e a2 b2 2d fa 0f  .......8.....-.. |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 03a0: da 55 2d 67 a8 b8 34 1b-bf 39 d9 d6 da 65 f2 8f  .U-g..4..9...e.. |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 03b0: 6f a2 b1 1d db bb d5 dd-ab cf 9e 63 00 e4 57 a5  o..........c..W. |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 03c0: 18 4a dc 60 b0 97 5d 67-34 96 bf a2 43 2b 7d 70  .J.`..]g4...C+}p |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 03d0: d6 99 d2 31 d2 11 f4 f2-19 b8 0c 41 7d bf b1 7c  ...1.......A}..| |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 03e0: fb 31 cb 3e c2 0a e2 26-1a 7e 63 50 9b 62 c3 82  .1.>...&.~cP.b.. |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 03f0: ca cd 36 82 0c 56 5f 26-f6 cc c6 6f 03 92 cc f5  ..6..V_&...o.... |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0400: 6b 55 1a d6 92 f9 5b 59-18 c2 62 21 eb d8 a4 ea  kU....[Y..b!.... |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0410: fd b6 3e f7 0e                                   ..>..            |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1488): | 1048 - <SPACES/NULS>
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1490): ----
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1777): OpenSSL: Loop: SSLv3 read server hello A
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1207): Certificate Verification: depth: 0, subject: /CN=localhost, issuer: /CN=localhost
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1207): Certificate Verification: depth: 0, subject: /CN=localhost, issuer: /CN=localhost
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1207): Certificate Verification: depth: 0, subject: /CN=localhost, issuer: /CN=localhost
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1777): OpenSSL: Loop: SSLv3 read server certificate A
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1777): OpenSSL: Loop: SSLv3 read server key exchange A
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1777): OpenSSL: Loop: SSLv3 read server done A
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1777): OpenSSL: Loop: SSLv3 write client key exchange A
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1777): OpenSSL: Loop: SSLv3 write change cipher spec A
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1777): OpenSSL: Loop: SSLv3 write finished A
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1777): OpenSSL: Loop: SSLv3 flush data
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1512): OpenSSL: read 5/5 bytes from BIO#629160 [mem: 47855a8] (BIO dump follows)
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1459): ----
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0000: 15 03 01 00 02                                   .....            |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1490): ----
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1512): OpenSSL: read 2/2 bytes from BIO#629160 [mem: 47855ad] (BIO dump follows)
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1459): ----
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0000: 02 28                                            .(               |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1490): ----
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1782): OpenSSL: Read: SSLv3 read finished A
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1801): OpenSSL: Exit: failed in SSLv3 read finished A
    [Wed May 24 07:03:54 2006] [info] SSL Proxy connect failed
    [Wed May 24 07:03:54 2006] [info] SSL Library Error: 336151568 error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
    [Wed May 24 07:03:54 2006] [info] Connection to child 249 closed with abortive shutdown(server apacheserver:443, client j2eeserver)
    [Wed May 24 07:03:54 2006] [error] (20014)Error string not specified yet: proxy: pass request body failed to j2eeserver:50001 (j2eeserver)
    [Wed May 24 07:03:54 2006] [error] (20014)Error string not specified yet: proxy: pass request body failed to j2eeserver:50001 (j2eeserve) from apacheserver ()
    [Wed May 24 07:04:10 2006] [debug] ssl_engine_io.c(1523): OpenSSL: I/O error, 5 bytes expected to read on BIO#612610 [mem: 62ac80]
    [Wed May 24 07:04:10 2006] [info] (OS 10060)A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.  : SSL input filter read failed.
    [Wed May 24 07:04:10 2006] [debug] ssl_engine_kernel.c(1787): OpenSSL: Write: SSL negotiation finished successfully
    [Wed May 24 07:04:10 2006] [info] Connection to child 249 closed with standard shutdown(server apacheserver:443, client apacheserver)
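
The two short BIO reads just before "SSL Proxy connect failed" are a TLS alert record, and they can be decoded straight from the log. The following is an added example, not part of the original post: the sample lines are copied from the log above with timestamps trimmed, and the lib/func/reason split assumes the error-code layout of OpenSSL releases before 3.0.

```python
import re

# Lines copied from the mod_ssl debug log above (timestamps trimmed).
LOG = """\
ssl_engine_io.c(1512): OpenSSL: read 5/5 bytes from BIO#629160 [mem: 47855a8] (BIO dump follows)
ssl_engine_io.c(1484): | 0000: 15 03 01 00 02                                   .....            |
ssl_engine_io.c(1512): OpenSSL: read 2/2 bytes from BIO#629160 [mem: 47855ad] (BIO dump follows)
ssl_engine_io.c(1484): | 0000: 02 28                                            .(               |
[info] SSL Library Error: 336151568 error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
"""
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERTS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
          40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca"}  # subset
READ = re.compile(r"read (\d+)/\d+ bytes from BIO")
DUMP_ROW = re.compile(r"\|\s*[0-9a-f]{4}:\s((?:[0-9a-f]{2}[ -])+)")

def bio_reads(log):
    """Yield the bytes of each 'read N/N bytes' BIO dump, in log order."""
    want, buf = 0, bytearray()
    for line in log.splitlines():
        m = READ.search(line)
        if m:
            want, buf = int(m.group(1)), bytearray()
            continue
        row = DUMP_ROW.search(line)
        if row and want:
            buf += bytes.fromhex(row.group(1).replace("-", " "))
            if len(buf) >= want:
                yield bytes(buf[:want])
                want = 0

def decode_alert(log):
    """Find a 5-byte record header of type 21 (alert) and decode the body read after it."""
    reads = list(bio_reads(log))
    for header, body in zip(reads, reads[1:]):
        plaintext = int.from_bytes(header[3:5], "big") == 2  # encrypted alerts are longer
        if len(header) == 5 and header[0] == 21 and plaintext and len(body) == 2:
            return {"version": (header[1], header[2]),
                    "level": ALERT_LEVELS.get(body[0], body[0]),
                    "alert": ALERTS.get(body[1], body[1])}
    return None

def decode_openssl_error(code):
    """Split a pre-3.0 OpenSSL packed error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

if __name__ == "__main__":
    print(decode_alert(LOG))
    lib, func, reason = decode_openssl_error(336151568)
    print(lib, func, reason, "alert number:", reason - 1000)  # 1000 = SSL_AD_REASON_OFFSET
```

Both views agree: the peer sent a fatal `handshake_failure` alert (number 40) in a TLS 1.0 record, and the reason field of the library error is that alert number plus 1000.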

  • SSL /Reverse Proxy

    We have an ISA Server in the DMZ which we want to use as a reverse proxy for the portal.
    Does anyone know what configuration I should put in for the ISA Server?
    We installed sapwebdispatcher on the portal server to do load balancing for the portal dialog instances. The portal is intended for ESS/MSS.
    On the HCM server we also have webdispatcher.
    We are planning to terminate SSL at both webdispatchers (on portal and on HCM).
    portal is portal.mycompany.com
    hcm is hcm.mycompany.com
    What should be the configuration for my system so that it points to sapwebdispatcher?
    PS: webdynpro is installed on HR as a J2EE add-on.
    Regards,

    You probably want to use a real reverse proxy/load balancer. Take a look at the CSS.
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.10/configuration/ssl/guide/overview.html#wp999771
