SSL and IISProxy
We are using IIS in a DMZ and proxy servlet requests to WLS inside a
firewall. The clients will connect using a SSL session to IIS, passing a
client certificate. How do we get access to the certificate in order to
parse it and identify the client on WLS? Should WLS be set up with SSL as
well? Is the certificate proxied as well?
What is the best way to configure this scenario?
Thanks,
Ernst.
e> How do we get access to the certificate in order to parse it and
e> identify the client on WLS?
Our servlet documentation should explain how to do this.
Similar Messages
-
Hello All,
We have set up proxy server in DMZ and installed IISPROXY in it. Now we want to apply the SSL on IISPROXY.
Browser to IISPROXY (HTTPS) -->IISPROXY to Portal (HTTP)
--> IISPROXY to R3 (HTTP)
We access all other SAP Enterprise Portal and SAP R/3, BW systems using http. We wanted to terminate the SSL at IISPROXY itself.
I have successfully configured the SSL based on SAP documentation. I have maintained <protpcol-header> at each mapping also. Everything works except accessing SAP R3/BW Systems. I guess the request is being sent as https instead of http and it gives a Forbidden 403.4 error.
Can anyone kindly post the iisproxy.xml with SSL for verification? Or does anybody know what else has to be done to terminate SSL at IISPROXY and send http requests to R3 or BW servers?
Thanks,
Maya
Hello All,
Anybody has suggestions on this??
Thanks,
Maya -
How do I bind to directory server with SSL and authentication?
I'm running Lion Server 10.7.3, Open Directory master. In Open Directory/Settings/LDAP, I've checked the box to Enable SSL and selected a (self-signed) certificate. In Policies/Binding, I've checked the box to Enable Authenticated Directory Binding.
Testing with a client computer on which Snow Leopard has been freshly installed and fully updated, I went to System Prefs/Accounts to bind to the new directory server. The good news is, the binding was successful, and when the client initiates an AFP connection with the server, it uses Kerberos, creating a ticket as expected. (Which doesn't work with Lion clients, alas, but that's a separate matter.)
Here are the problems:
1) It looks like the binding did not use SSL. By which I mean that when I opened Directory Utility and examined the LDAPv3 entry, the SSL checkbox was not checked. (If I then check the box, everything looks fine until I restart the client, after which I have a red dot. So I'm guessing that checking the box does nothing until after restart, and that it breaks the binding.)
2) I was never prompted to authenticate for the directory binding.
So I get that literally I'm *enabling* SSL and Authenticated Directory Binding, but it seems like the defaults are to bind without SSL or authentication, and there's no obvious-to-me way to force the binding to use those things. How do I do that?
What I'd really like to do is *require* SSL and Authenticated Directory Binding. I want this because my belief (correct me if I'm wrong) is that if authentication is required to bind to the server, no one will be able to bind to my server without my permission, and that SSL offers a more secure connection to my server than not-SSL. How do I require these things, or do I not really want to?
Thank you.
You cannot connect to databases via Muse at the moment. Please refer: http://forums.adobe.com/message/5090145#5090145
Cheers,
Vikas -
EDSPermissionError(-14120) problems with LDAP, SSL and Directory Utility
Hello everyone,
Apologies for the repost but I think I may have made a mistake by posting this originally in the Installation, Setup and Migration forum instead of the Open Directory forum. At least I think that may be why I didn't receive any responses.
Anyway, I've been trying to get my head around Open Directory and SSL as they are implemented in Mac OS X Server 10.5 Leopard, and have been having a few issues. I would like to set up a secure internal infrastructure based around a local Certificate Authority that signs certificates for other internal services like LDAP, email, websites, etc.
I only have one Mac OS X Server and it is kind of a small office so I have gone against best practice and simply made it a CA (through Keychain Utility). I then generated a self-signed SSL certificate through Server Admin, and used the "Generate CSR" option to create a Certificate Signing Request. This went fine, but I did have some problems signing it with the CA, because the server documentation suggested that once I signed it it would pop open a Mail message containing the ASCII version of the signed certificate - it did not, and it took me a loooong time to realize that I could simply export the copy of the signed certificate it put in my local Keychain on the server as a PEM file and paste this back into the "Add Signed or Renewed Certificate from Certificate Authority" dialog box in Server Admin. Hopefully this can be fixed in a forthcoming patch, but I thought I would mention it here in case anyone else is stuck on this issue.
Once I did this I was able to use this certificate in the web server on the same machine and sure enough I was able to connect to it with clients who had installed the CA certificate in their system Keychains without getting any error messages - very cool.
However, I haven't had quite as much luck getting it going with LDAP/Open Directory. I installed the certificate there as well, but have run into a number of problems. At first I could not get clients (also running 10.5.2) to talk to the server at all over SSL, receiving an error in Directory Utility that the server did not support SSL. I eventually discovered that the problem seemed to lie in the fact that the OpenLDAP implementation on Leopard is not tied in with the system Keychain, necessitating some command-line voodoo to install a copy of the CA cert in a local directory and point /etc/openldap/ldap.conf at it, as documented here: http://www.afp548.com/article.php?story=20071203011158936
This allowed me to do an ldapsearch command over SSL, and seemingly turn SSL on on clients that were previously bound to the directory, and additionally allowed me to run Directory Utility on new clients and put in the server name with the SSL box checked and begin to go through the process of binding. Once this seemed to work, I turned off all plaintext LDAP communication and locked down the service by checking the "Enable authenticated directory binding," "Require authenticated binding," "Disable clear text passwords," and "Encrypt all packets" options in Server Admin. However, I am now running into a new problem, specifically that I cannot successfully bind a local account to a directory account over SSL.
Here's what happens:
1) I run Directory Utility, (or it auto-runs) and add a server, typing in the DNS name and clicking the SSL box.
2) I get asked to authenticate, and type in user credentials, including computer name (incidentally, should this be a FQDN or just a hostname?)
3) Provided I put admin credentials in here and not user-level credentials, I get taken to the "Do you want to set up Mail, VPN, etc.?" box that normally appears when you autodiscover or connect to an Open Directory server.
4) I click through, and am asked for a username and password on the server, as well as the password for my local account.
5) When I put this information in, I get a popup with the dreaded "eDSPermissionError(-14120)" and it fails.
Checking the logs in Server Admin reveals nothing special, and while I have seen a couple other threads on this error and various other binding problems:
http://discussions.apple.com/thread.jspa?messageID=5967023
http://discussions.apple.com/message.jspa?messageID=5982070
these have not solved the problem. In the Open Directory user name field I am putting the short username. I have tried putting [email protected] and the user's longname but this fails by saying the account does not exist. For some reason it does seem to work if I bind it to the initial admin account I created, but no other user accounts.
If I turn all the encryption stuff off I am able to join just fine, so I am suspecting that the error may lie in some other "under the hood" piece of software that doesn't get the CA trust settings from the Keychain or the ldap.conf file, but I'm stymied as to which piece of software this might be. Does anyone have any clues on what I might be able to do here?
Thanks,
Andrew
Hard to tell what is happening without looking at the application
source, knowing what OS & hardware you're using etc. You might want to
try running with different JVM versions to see if it's actually the VM
that is the problem. If you have a support contract with BEA you could
ask support to help you diagnose this.
Regards,
/Helena
Ayub Khan wrote:
I have an application running on Weblogic 8.1 ( with JRockit as the JVM). This
application in turns talks to an iPlanet Directory server via LDAP/SSL. The problem
seems to happen on loading the machine..the performance progressively gets worse
and after a couple of seconds, all the threads stop responding. I checked the
heap, cpu and the idle threads in the execute queue and there is nothing there
to trigger alarms...there are quite a few idle threads still and the heap and
the cpu utilization seem OK. On doing a thread dump, Is see that all the other
threads seem to be in a state where they are waiting for data from LDAP and it
is basically read only data that they are waiting on.
Does anyone know what it is going on and help point me in the right direction.
-Ayub -
Business Connector problem with SSL and Web Services
Hi,
I have generated a Web Connector Service and tested this in our DEV and QA environment with http and no credentials.
All is fine.
I now switched to SSL and was provided with an https WSDL by our Web Server developers. The Web Connector service generates fine however as soon as I execute the service I get a NumberFormatException. Exact error is:
java.io.IOException:java.lang.NumberFormatException: null
The error occurs in pub.client:http
I traced through the working (in QA) and non-working versions and checked the pipeline prior to the call and can see no difference apart from the difference in protocol.
Does anyone have any idea what the cause is? I cannot determine what value is null.
Thanks
Brian -
Hi,
I built a web service client using WWSAPI. The connection works via SSL (without HTTP proxy) and it works with SSL and proxy with basic authentication as well. When I try to connect using a proxy with NTLM authentication, then I get the errorCode 0x803d0016, HTTP status "407 (0x197)", "Proxy Authentication Required".
In WireShark I see only one HTTP request to connect to the proxy with NTLM Message Type: NTLMSSP_NEGOTIATE. The HTTP Response returns Status 407 and the connection is closed. Comparing this to Internet Explorer - the Connection is not closed and a second request with NTLMSSP_AUTH is sent.
Why doesn't it make the complete NTLM handshake? Why wasn't the NTLMSSP_AUTH sent directly?
I oriented myself on the HttpCalculatorWithKerberosOverSslClientExample.
Using WS_HTTP_HEADER_AUTH_SECURITY_BINDING,
WS_SECURITY_BINDING_PROPERTY_HTTP_HEADER_AUTH_SCHEME was set to WS_HTTP_HEADER_AUTH_SCHEME_NTLM, WS_SECURITY_BINDING_PROPERTY_HTTP_HEADER_AUTH_TARGET to WS_HTTP_HEADER_AUTH_TARGET_PROXY. I tried WS_DEFAULT_WINDOWS_INTEGRATED_AUTH_CREDENTIAL_TYPE but also WS_STRING_WINDOWS_INTEGRATED_AUTH_CREDENTIAL_TYPE.
Any idea?
Thanks -
Webservice call failed during execution (SSL and certificates) on NetWeaver 7.30
Hey experts,
I need your help!
We make webservice calls to SAP ME with our own software.
We connect to our software via SSL and certificates e.g. https://host:50001/XMII/CM/POD/MEDialogsWeb.irpt
At the beginning the software runs without any problems and then we get the following message on all our webservices:
thats the webservice configurations
(configuration - connectivity - single service administration):
(configuration - security - authentication and single sign-on)
If we restart the software after the error display, the webservice call runs successfully again.
Is it a timeout?
Can anybody help us?
Thanks,
Markus
our system info:
NetWeaver 7.30 Java
SAP ME 6.0
software runs log looks as following
software doesn't runs log looks as following
security Log Entry
more info from security_00.0.log
#2.0 #2014 06 06 14:51:17:136#+0200#Warning#/System/Security/WS#
com.sap.ASJ.wssec.020142#BC-ESI-WS-JAV-RT#tc~sec~wssec~service#C0000A650AD826FF0000000100000BEC#3855850000000005#sap.com/me~ws#com.sap.engine.services.wssec.authentication#Guest#0##207092CAED7111E3A01A0000003AD5EA#23386e31ed7911e39d560000003ad5ea#23386e31ed7911e39d560000003ad5ea#0#Thread[HTTP Worker [@648881277],5,Dedicated_Application_Thread]#Plain##
Received unsupported callback: com.sap.engine.interfaces.security.auth.SetLogonTicketCallback
Received unsupported callback: com.sap.engine.lib.security.http.HttpSetterCallback
Read data of type username and value MEFLEX from wsse:Security header and set on module javax.security.auth.callback.NameCallback
Read data of type username and value from HTTP header and set on module javax.security.auth.callback.NameCallback
Read data of type password and value xxx from wsse:Security header and set on module javax.security.auth.callback.PasswordCallback
Read data of type password and value xxx from HTTP header and set on module javax.security.auth.callback.PasswordCallback
Authentication for web service ShopOrderService, configuration ShopOrderService using security policy BASIC*SSO2*_*_*ws failed: Cannot authenticate the user.. (See SAP Note 880896 for further info).
Hi,
the authentication for the second call is failing. Have you tried the suggested log level from note 880896 - Web Service authentication failure? I would also try to use something like SoapUI to test if the issue is caused by your application or something wrong on the SAP side. Also comparing messages for the first and second calls might give you the answer.
Cheers -
What is "use SSL" and "S/MIME" mail settings for?
What is "use SSL" and "S/MIME" mail settings for?
it has do with encrypting your mail when sent over the web
-
JDBC Thin Connections with SSL and client certificates
Hi ,
we are going have a look at JDBC Thin Connections with SSL and client certificates.
I have two questions:
1. Is it possible to use SSL connections from JDBC Thin Driver and which release of the driver introduced it
2. Is it possible to use client certificates with JDBC Thin Driver and which release of the driver introduced it
Thanks for your help
regards
Markus Reichert
I could not reproduce the error after appending the SSL certificate to the certdb.txt file available under $Jinitiator_Home/lib/security folder.
Steps to add the SSL Certificate:
1. Run the form with the https mode in the IE Browser.
2. Security Alert is raised.
3. Click on the View Certificate button.
4. In the Certificate Window, click on the Details tab.
5. Click on the Copy to File button to copy the certificate.
6. Copy the certificate and append to the certdb.txt file. -
Does anyone know how I can forward to two different WLS? I have a website with two virtual directories for two applications. One is /fw and the other /tw but in the .ini file there is only one weblogichost entry and no way to distinguish that /fw needs to go to WLS1 and /tw goes to WLS2. Please help.
Scott,
If you are using the iisforward.dll, you can only have 1 instance of that dll
per website (on an IIS server a website is a unique combination of port, ip, and
host header). I had a similar issue and I just created two server instances on
separate ports (though separate hosts names might look neater), each forwarding
to different WL servers. For example. IIS address http://iisserver:7777/ forwarded
to http://wlserver_1:7001 and http://iisserver:7778/ forwarded to http://wlserver_2:7001.
Each IIS website had its own copy of iisforward.dll, iisproxy.dll and iisproxy.ini.
If you must keep your virtual directories you could have them forward to the other
iis websites on the same server.
Good luck,
Barrett
Scott <[email protected]> wrote:
Does anyone know how I can forward to two different WLS? I have a website
with two virtual directories for two applications. one is /fw and the
other /tw but in the .ini file there is only one weblogichost entry
and no way to distinguish that /fw needs to go to WLS1 and /tw goes
to WLS2. Please help. -
Connect - SSL and certificate chain
Hi,
is it possible to place a certificate chain somewhere, so
that Adobe connect users dont have to manually install the
certificates from the chain?
Hi cj63, why isn't your cert accepted automatically? We're
using hardware SSL and encountered an issue with our cert. We ended
up changing the cert chain on the F5, I believe. I'm not sure of
the "how" other than to know we did it with hardware SSL, so it
should be possible. -
What is SSO , SSL, and other terms?
Hi,
I always hear the terms SSO, SSL and some other terms, but I am not aware of the exact meaning of them.
Can anyone focus some light on this ?
Thanks!
Yogini
Hi Yogini,
if you are referring SSO( Single sign on ) and SSL ( security socket layer) for Discoverer, check out the link below.
http://download.oracle.com/docs/html/B13918_03/security2.htm#BABGEIEC
Here topics on 14.6 Using Discoverer with OracleAS Framework Security
14.7 Using Discoverer with Oracle Identity Management Infrastructure -
Delete or disable ssl and https on exchange web url
Hi,
I disable by clearing the check box on Default Web Site --> SSL Settings --> Require SSL
and also insert my domain name, for example http://mail.myexchange.com/owa, in Exchange admin center Console --> Servers --> Virtual Directory --> owa
and also I change <add key="UseHttpsForWacUrl" value="true" /> to <add key="UseHttpsForWacUrl" value="false" /> in C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa\web
But after these steps for removing https on my URL I can use it, and after logging in in https mode I can delete https on my URL manually, but it didn't work well and I get this error when I want to see my email body: "Error: Your request can't be completed right now. Please try again later."
Hi S.Ali,
Have you restarted IIS after changing all the settings?
If not, please try to restart iis and check again.
Best regards,
Niko Cheng
TechNet Community Support -
dear all,
I have AS 10g Release 1 with forms90. I want to know how to enable SSL with forms90 on the AS. Are there any notes or tips?
Please let me know.
fadi
... maybe you find this useful
SSL and Application Server 10G
Frank -
IISForward and IISProxy Configuration Internals/Interaction
Can someone give a detailed description of how IISForward and IISProxy interact
with IIS as ISAPI modules? We have the IIS plugins functioning properly, we would
just like a more detailed explanation on how they interact and work together when
proxying multiple virtual hosts. It seems that many people are in the dark on
this process, and that any clarification would alleviate many of the posts we
see here. I would also settle for a link to some documentation (not BEA's, it
is very poor!) on this.
Here is an excerpt from some documentation that we have written up internally
that helped us keep track of what we were doing when setting up the IIS Plugins.
Some of this content draws from BEA's documentation so we here at Servicemaster
make no claims on this content:
START OF EXCERPT:
6. Configuring IISForward
6.1 Installing iisforward.dll
Before creating the Virtual hosts in IIS, we need to create the directories that
are going to contain the DLL’s. There is going to be a one-to-one relationship
between Virtual Hosts and DLL directories. First create a directory where all
of the DLL directories will reside:
D:\WebLogicVHosts
Within this directory create the directory for each Virtual Host that will be
connecting to the WebLogic instance:
D:\WebLogicVHosts\vhost1-svmhome.com
D:\WebLogicVHosts\vhost2-svmwork.com
D:\WebLogicVHosts\vhost3-svmmemphis.com
Now copy the iisforward.dll from the directory WL_HOME/server/bin into each of
the directories you created for each of the Virtual Hosts.
6.2 Creating iisforward.ini
Create a file called iisforward.ini. Place this file in the same directories for
each of the virtual hosts that contain the iisforward.dll. This file should contain
the following entry for each virtual website defined in IIS:
vhostN=websiteName:port
websiteName:port=dll_directory/iisproxy.ini
Where:
N is an integer representing the virtual website. The first virtual website you
define should use the integer 1 and each subsequent website should increment this
number by 1.
websiteName is the name of the virtual website as registered with IIS.
port is the port number where IIS listens for HTTP requests.
dll_directory is the path to the directory you created in step 1.
For example:
vhost1=svmhome.com:7001
svmhome.com:7001=D:\WebLogicVHosts\vhost1-svmhome.com\iisproxy.ini
vhost2=svmwork.com:7002
svmwork.com:7002=D:\WebLogicVHosts\vhost2-svmwork.com\iisproxy.ini
vhost3=svmmemphis.com:7003
svmmemphis.com:7003=D:\WebLogicVHosts\vhost3-svmmemphis.com\iisproxy.ini
7. Configuring IISProxy
7.1 Installing IISProxy
Now copy the iisproxy.dll from the directory WL_HOME/server/bin into each of the
directories you created for each of the Virtual Hosts.
D:\WebLogicVHosts\vhost1-svmhome.com
D:\WebLogicVHosts\vhost2-svmwork.com
D:\WebLogicVHosts\vhost3-svmmemphis.com
7.2 Creating iisproxy.ini
The iisproxy.ini file contains name=value pairs that define configuration parameters
for the plug-in. Changes in the parameters will not go into effect until you
restart the "IIS Admin Service".
We need to create a iisproxy.ini configuration file for each of the virtual hosts.
Here is a sample iisproxy.ini file for use with a single, non-clustered WebLogic
Server. Comment lines are denoted with the "#" character.
# This file contains initialization name/value pairs
# for the IIS/WebLogic plug-in.
WebLogicHost=examplehost16
WebLogicPort=7001
ConnectTimeoutSecs=20
ConnectRetrySecs=2
Here is a sample iisproxy.ini file with clustered WebLogic Servers. Comment lines
are denoted with the "#" character.
# This file contains initialization name/value pairs
# for the IIS/WebLogic plug-in.
WebLogicCluster=examplehost07:7001,examplehost08:7001
ConnectTimeoutSecs=20
ConnectRetrySecs=2
8. Configuring IIS Virtual Hosts
8.1 Proxying by file extension
At this point we are now ready to configure the virtual hosts within IIS. First
create a new virtual website as you would normally do within IIS. Second add
the iisforward.dll file as a filter service in IIS (WebSite Properties —> ISAPI
Filters tab —> Add the iisforward dll). For each virtual host the path to the
iisforward.dll should be unique. The paths should match the ones that you created
previously. Again, there should be a unique path for each virtual website.
Example:
D:\WebLogicVHosts\vhost1-svmhome.com\iisforward.dll
D:\WebLogicVHosts\vhost2-svmwork.com\iisforward.dll
D:\WebLogicVHosts\vhost3-svmmemphis.com\iisforward.dll
On the App Mappings tab, click the Add button to add file types and configure
them to be proxied to WebLogic Server. In the dialog box, browse to find the
"iisproxy.dll" file that matches the path to the unique iisproxy.dll file for
the virtual host.
Example:
D:\WebLogicVHosts\vhost1-svmhome.com\iisproxy.dll
D:\WebLogicVHosts\vhost2-svmwork.com\iisproxy.dll
D:\WebLogicVHosts\vhost3-svmmemphis.com\iisproxy.dll
Set the Extension to the type of file that you want to proxy to WebLogic Server.
Register .wlforward as a special file type to be handled by iisproxy.dll. Deselect
the "Check that file exists" check box. Set the Method exclusions as needed
to create a secure installation.
When you finish, click the OK button to save the configuration. You can repeat
this process for each file type you want to proxy to WebLogic. When you finish
configuring file types, click the OK button to close the Properties panel.
In the URL, any path information you add after the server and port is passed directly
to WebLogic Server. For example, if you request a file from IIS with the URL:
Example:
http://svmhome.com/jspfiles/myfile.jsp
it is proxied to WebLogic Server with a URL such as
http://examplehost07:7001/jspfiles/myfile.jsp
8.2 Proxying by path
Now, within the iisproxy.dll file for each virtual host, define the property WlForwardPath
in iisproxy.ini. WlForwardPath defines the path that is proxied to WebLogic
Server.
Example:
WlForwardPath=/apps
Set the PathTrim parameter to trim off the WlForwardPath when necessary.
Example:
WlForwardPath=/apps
PathTrim=/apps
The previous trims a request from IIS to Weblogic Server. Therefore, /apps/exampleapp
is changed to /exampleapp.
If you want requests that do not contain extra path information (in other words,
requests containing only a host name), set the DefaultFileName parameter to the
name of the welcome page of the Web Application to which the request is being
proxied. The value of this parameter is appended to the URL.
If you need to debug your application, set the Debug=ON parameter in iisproxy.ini.
A c:\tmp\iisforward.log is generated containing a log of the plug-in's activity
that you can use for debugging purposes.
For each virtual host that you configure to be proxied to WebLogic, set the value
for the Application Protection option to high (isolated) as opposed to Low or
Medium. This allows separate iisforward and iisproxy DLL’s to be loaded into
each virtual host's (dllhost.exe) memory address space.
END OF EXCERPT
Can someone at BEA verify this information or possibly add to it?
Tony
Nice write-up.
Though, I may have found an easier way to use VirtualHost and/or Virtual
Directories with IIS without the need to use the iisforward.dll.
A lot of customers are asking about using multiple WlForwardPath to proxy to
different WebLogic instances. It is possible to use Virtual Directories to
do this.
All that you need to do is set the Application Protection to HIGH for each
Virtual Directory and then each directory can use its own
iisproxy.dll/iisproxy.ini. Fairly straightforward and it seems to work.
As well, you can do Virtual Websites with each one having the application
protection set to HIGH as well. And of course they will each use their own
iisproxy.dll/iisproxy.ini. These virtual Websites can also all listen on the
same IP/Port and if you want to proxy based on Host header, you can click on
the advanced tab and set the Host header for which this virtual website will
use.
So, all that really needs to be done is when you create the virtual
directory, make sure the application protection is set to HIGH and change
the App Mapping to point to the new iisproxy.dll/iisproxy.ini.
If you want to proxy everything under that path, then Add another App
Mapping that has an extension of *.
I do believe this will allow us to completely bypass the need of the
iisforward.
I have tested this with IIS5. With IIS4 it is not possible to register an
App Mapping of * (not sure why).
I hope this helps many of you.
Best regards,
Eric
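The iisforward.ini and iisproxy.ini layout described in the excerpt earlier in this thread can be checked before IIS is restarted, so that one virtual host is not silently pointed at another site's backend. The following is an added example, not part of the original posts and not BEA's code; the function names, finding codes and the rule that a mapped directory should contain the site's host name are assumptions of this sketch, and `backend_url` is a simplified model of WlForwardPath/PathTrim as the excerpt describes them.

```python
import re

# Constructed sample in the iisforward.ini format from the excerpt. The vhost2
# and vhost4 entries are deliberately wrong so the checks have something to find.
SAMPLE_IISFORWARD = r"""
vhost1=svmhome.com:7001
svmhome.com:7001=D:\WebLogicVHosts\vhost1-svmhome.com\iisproxy.ini
vhost2=svmwork.com:7002
svmwork.com:7002=D:\WebLogicVHosts\vhost2-svmhome.com \iisproxy.ini
vhost4=svmmemphis.com:7003
"""

# Constructed iisproxy.ini using parameters named in the excerpt.
SAMPLE_IISPROXY = """
# This file contains initialization name/value pairs
WebLogicHost=examplehost16
WebLogicPort=7001
WlForwardPath=/apps
PathTrim=/apps
"""


def parse_pairs(text):
    """Return (name, value) for each name=value line; '#' lines are comments."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, _, value = line.partition("=")
            pairs.append((name.strip(), value))
    return pairs


def lint_iisforward(text):
    """Return a list of (code, detail) findings for an iisforward.ini body."""
    vhosts, mappings, findings = {}, {}, []
    for name, value in parse_pairs(text):
        m = re.fullmatch(r"vhost(\d+)", name)
        if m:
            vhosts[int(m.group(1))] = value.strip()
        else:
            mappings[name] = value
    # The excerpt says numbering starts at 1 and increments by 1.
    if sorted(vhosts) != list(range(1, len(vhosts) + 1)):
        findings.append(("numbering", f"vhost numbers {sorted(vhosts)} have gaps"))
    seen = {}
    for n in sorted(vhosts):
        site = vhosts[n]
        path = mappings.get(site)
        if path is None:
            findings.append(("unmapped", f"vhost{n}: no iisproxy.ini for {site}"))
            continue
        # Stray blanks next to a backslash make the path point nowhere.
        if re.search(r"^\s|\s\\|\\\s", path):
            findings.append(("whitespace", f"vhost{n}: blank inside path {path!r}"))
        norm = re.sub(r"\s+", "", path).lower()
        host = site.split(":")[0].lower()
        # Assumed convention (from the excerpt's directory names): the
        # directory holding iisproxy.ini carries the site's host name.
        if host not in norm:
            findings.append(("host-mismatch", f"vhost{n}: {site} maps to {path!r}"))
        if norm in seen:
            findings.append(("shared-ini", f"vhost{n}: same file as {seen[norm]}"))
        seen.setdefault(norm, site)
    return findings


def load_proxy_cfg(text):
    """iisproxy.ini body -> dict of parameter name to stripped value."""
    return {name: value.strip() for name, value in parse_pairs(text)}


def backend_url(request_path, cfg):
    """Model: URL sent to WebLogic, or None if IIS keeps the request.

    Matching on whole path segments is a choice of this model.
    """
    fwd = cfg.get("WlForwardPath")
    if fwd:
        prefix = fwd.rstrip("/")
        if request_path != prefix and not request_path.startswith(prefix + "/"):
            return None
    path = request_path
    trim = cfg.get("PathTrim", "")
    if trim and path.startswith(trim):
        path = path[len(trim):] or "/"
    return f"http://{cfg['WebLogicHost']}:{cfg['WebLogicPort']}{path}"


if __name__ == "__main__":
    for code, detail in lint_iisforward(SAMPLE_IISFORWARD):
        print(f"{code:14} {detail}")
    cfg = load_proxy_cfg(SAMPLE_IISPROXY)
    for p in ("/apps/exampleapp", "/static/logo.gif"):
        print(p, "->", backend_url(p, cfg))
```
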
"Tony Mendoza" <[email protected]> wrote in message
news:[email protected]...
>
Can someone give a detailed description of how IISForward and IISProxy interact
with IIS as ISAPI modules? We have the IIS plugins functioning properly, we would
just like a more detailed explanation on how they interact and work together when
proxying multiple virtual hosts. It seems that many people are in the dark on
this process, and that any clarification would alleviate many of the posts we
see here. I would also settle for a link to some documentation (not BEA's, it
is very poor!) on this.
Here is an excerpt from some documentation that we have written up internally
that helped us keep track of what we were doing when setting up the IIS Plugins.
Some of this content draws from BEA's documentation so we here at Servicemaster
make no claims on this content:
START OF EXCERPT:
6. Configuring IISForward
6.1 Installing iisforward.dll
Before creating the Virtual hosts in IIS, we need to create the directories that
are going to contain the DLL's. There is going to be a one-to-one relationship
between Virtual Hosts and DLL directories. First create a directory where all
of the DLL directories will reside:
D:\WebLogicVHosts
Within this directory create the directory for each Virtual Host that will be
connecting to the WebLogic instance:
D:\WebLogicVHosts\vhost1-svmhome.com
D:\WebLogicVHosts\vhost2-svmwork.com
D:\WebLogicVHosts\vhost3-svmmemphis.com
Now copy the iisforward.dll from the directory WL_HOME/server/bin into each of
the directories you created for each of the Virtual Hosts.
6.2 Creating iisforward.ini
Create a file called iisforward.ini. Place this file in the same directories for
each of the virtual hosts that contain the iisforward.dll. This file should contain
the following entry for each virtual website defined in IIS:
vhostN=websiteName:port
websiteName:port=dll_directory/iisproxy.ini
Where:
N is an integer representing the virtual website. The first virtual website you
define should use the integer 1 and each subsequent website should increment this
number by 1.
websiteName is the name of the virtual website as registered with IIS.
port is the port number where IIS listens for HTTP requests.
dll_directory is the path to the directory you created in step 1.
For example:
vhost1=svmhome.com:7001
svmhome.com:7001=D:\WebLogicVHosts\vhost1-svmhome.com\iisproxy.ini
vhost2=svmwork.com:7002
svmwork.com:7002=D:\WebLogicVHosts\vhost2-svmwork.com\iisproxy.ini
vhost3=svmmemphis.com:7003
svmmemphis.com:7003=D:\WebLogicVHosts\vhost3-svmmemphis.com\iisproxy.ini
7. Configuring IISProxy
7.1 Installing IISProxy
Now copy the iisproxy.dll from the directory WL_HOME/server/bin into each of the
directories you created for each of the Virtual Hosts.
D:\WebLogicVHosts\vhost1-svmhome.com
D:\WebLogicVHosts\vhost2-svmwork.com
D:\WebLogicVHosts\vhost3-svmmemphis.com
7.2 Creating iisproxy.ini
The iisproxy.ini file contains name=value pairs that define configuration parameters
for the plug-in. Changes in the parameters will not go into effect until you
restart the "IIS Admin Service".
We need to create a iisproxy.ini configuration file for each of the virtual hosts.
Here is a sample iisproxy.ini file for use with a single, non-clustered WebLogic
Server. Comment lines are denoted with the "#" character.
# This file contains initialization name/value pairs
# for the IIS/WebLogic plug-in.
WebLogicHost=examplehost16
WebLogicPort=7001
ConnectTimeoutSecs=20
ConnectRetrySecs=2
Here is a sample iisproxy.ini file with clustered WebLogic Servers. Comment lines
are denoted with the "#" character.
# This file contains initialization name/value pairs
# for the IIS/WebLogic plug-in.
WebLogicCluster=examplehost07:7001,examplehost08:7001
ConnectTimeoutSecs=20
ConnectRetrySecs=2
8. Configuring IIS Virtual Hosts
8.1 Proxying by file extension
At this point we are now ready to configure the virtual hosts within IIS. First
create a new virtual website as you would normally do within IIS. Second, add
the iisforward.dll file as a filter service in IIS (WebSite Properties -> ISAPI
Filters tab -> Add the iisforward dll). For each virtual host the path to the
iisforward.dll should be unique. The paths should match the ones that you created
previously. Again, there should be a unique path for each virtual website.
Example:
D:\WebLogicVHosts\vhost1-svmhome.com\iisforward.dll
D:\WebLogicVHosts\vhost2-svmwork.com\iisforward.dll
D:\WebLogicVHosts\vhost3-svmmemphis.com\iisforward.dll
On the App Mappings tab, click the Add button to add file types and configure
them to be proxied to WebLogic Server. In the dialog box, browse to find the
"iisproxy.dll" file that matches the path to the unique iisproxy.dll file for
the virtual host.
Example:
D:\WebLogicVHosts\vhost1-svmhome.com\iisproxy.dll
D:\WebLogicVHosts\vhost2-svmwork.com\iisproxy.dll
D:\WebLogicVHosts\vhost3-svmmemphis.com\iisproxy.dll
Set the Extension to the type of file that you want to proxy to WebLogic Server.
Register .wlforward as a special file type to be handled by iisproxy.dll. Deselect
the "Check that file exists" check box. Set the Method exclusions as needed
to create a secure installation.
When you finish, click the OK button to save the configuration. You can repeat
this process for each file type you want to proxy to WebLogic. When you finish
configuring file types, click the OK button to close the Properties panel.
In the URL, any path information you add after the server and port is passed directly
to WebLogic Server. For example, if you request a file from IIS with the URL:
Example:
http://svmhome.com/jspfiles/myfile.jsp
it is proxied to WebLogic Server with a URL such as
http://examplehost07:7001/jspfiles/myfile.jsp
8.2 Proxying by path
Now, within the iisproxy.dll file for each virtual host, define the property WlForwardPath
in iisproxy.ini. WlForwardPath defines the path that is proxied to WebLogic
Server.
Example:
WlForwardPath=/apps
Set the PathTrim parameter to trim off the WlForwardPath when necessary.
Example:
WlForwardPath=/apps
PathTrim=/apps
The previous trims a request from IIS to WebLogic Server. Therefore, /apps/exampleapp
is changed to /exampleapp.
If you want requests that do not contain extra path information (in other words,
requests containing only a host name), set the DefaultFileName parameter to the
name of the welcome page of the Web Application to which the request is being
proxied. The value of this parameter is appended to the URL.
If you need to debug your application, set the Debug=ON parameter in iisproxy.ini.
A c:\tmp\iisforward.log is generated containing a log of the plug-in's activity
that you can use for debugging purposes.
For each virtual host that you configure to be proxied to WebLogic, set the value
for the Application Protection option to high (isolated) as opposed to Low or
Medium. This allows separate iisforward and iisproxy DLL's to be loaded into
each virtual host's (dllhost.exe) memory address space.
END OF EXCERPT
Can someone at BEA verify this information or possibly add to it?
Tony
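The excerpt above depends on a strict one-to-one mapping between virtual hosts and DLL directories in iisforward.ini. The following check is an added example, not part of the post or of the WebLogic plug-in; the function name lint_iisforward and the sample file contents are constructed for illustration, and the "#" comment handling is an assumption carried over from the iisproxy.ini description.

```python
import ntpath
import re

# Constructed sample in the iisforward.ini layout described above: the second
# mapping reuses vhost1's directory and the third has a stray space in its path.
SAMPLE = r"""
vhost1=svmhome.com:7001
svmhome.com:7001=D:\WebLogicVHosts\vhost1-svmhome.com\iisproxy.ini
vhost2=svmwork.com:7002
svmwork.com:7002=D:\WebLogicVHosts\vhost1-svmhome.com\iisproxy.ini
vhost3=svmmemphis.com:7003
svmmemphis.com:7003=D:\WebLogicVHosts\vhost3-svmmemphis.com \iisproxy.ini
"""

def lint_iisforward(text):
    """Return a list of findings for an iisforward.ini body (hypothetical helper)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, "#" comments (assumed) and lines that are not name=value.
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries[key.strip()] = value.strip()

    findings = []
    vhosts = {int(m.group(1)): v for k, v in entries.items()
              if (m := re.fullmatch(r"vhost(\d+)", k))}
    if sorted(vhosts) != list(range(1, len(vhosts) + 1)):
        findings.append("vhostN keys must run 1..N without gaps")

    seen_dirs = {}  # normalized directory -> first vhost number using it
    for n, site in sorted(vhosts.items()):
        path = entries.get(site)
        if path is None:
            findings.append(f"vhost{n}: no mapping line for {site}")
            continue
        directory, filename = ntpath.split(path)
        if filename.lower() != "iisproxy.ini":
            findings.append(f"vhost{n}: mapping does not end in iisproxy.ini")
        if any(part != part.strip() for part in path.split("\\")):
            findings.append(f"vhost{n}: whitespace inside path {path!r}")
        norm = directory.strip().lower()
        if norm in seen_dirs:
            findings.append(f"vhost{n}: shares directory with vhost{seen_dirs[norm]}")
        seen_dirs.setdefault(norm, n)
    return findings

if __name__ == "__main__":
    for finding in lint_iisforward(SAMPLE):
        print(finding)
```

A shared directory means two sites load the same iisproxy.ini and therefore forward to the same backend, which defeats the per-host isolation the excerpt sets up with Application Protection.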