SSL Certificate and F5 load balancer.
Hi All,
I need to create an SSL certificate to enable SSL on the HTTP server. Can you please give me the steps for that? I also need to configure SSL on the load balancer; how would I do that? I will be thankful if anybody can provide detailed steps. Thanks in advance.
Thanks,
Virendra
Hi,
What is the application release?
For SSL, please see these documents.
Note: 123718.1 - 11i: A Guide to Understanding and Implementing SSL for Oracle Applications
Note: 300969.1 - Troubleshooting SSL with Oracle Applications 11i
Note: 376700.1 - Enabling SSL in Release 12
For Load Balancing, please refer to:
Note: 380489.1 - Using Load-Balancers with Oracle E-Business Suite Release 12
Note: 727171.1 - Implementing Load Balancing On Oracle E-Business Suite - Documentation For Specific Load Balancer Hardware
Note: 601694.1 - How To Check Session Persistence On BigIP F5 And Cisco Ace Load Balancer Appliances
Note: 603325.1 - Using Cisco ACE Series Application Control Engine with Oracle E-Business Suite Release 12
Regards,
Hussein
Similar Messages
-
SSL termination using Hardware Load Balancer
We are trying to implement SSL at the Hardware LoadBalancer layer and terminate the SSL there. Architecture includes Apache Reverse Proxy and Portal server running EP7 SP18. In this scenario we want encryption between the client browser and the Load Balancer (BigIP F5). The Load balancer will then decrypt the request and send it to the Apache reverse proxy on port 80. Apache Reverse proxy will send the request to the Portal J2EE engine on the http port.
This scenario seems to work in most cases but we are having issues with the standard portal login page. The login page is sent to the browser on https but when entering credentials and selecting the login button a request gets generated on port 80, not 443 (https), and is not serviced by the load balancer. 99% of the requests that get generated from the client browser stay on port 443 as expected but for some reason this particular request switches to port 80.
How can we keep all requests generated on port 443 (https)?
Hello Brian (all)
I am facing the same issue - except we do not have the Apache proxy in the setup..... just HTTPS to a Cisco ACE load balancer and then HTTP to the portal.
Nearly all of the portal content is working great, but am facing the situation that some ESS content is switching to HTTP. In discussing with the network team, they have done the following:
1/ Replies from the portal server back to the client have an SSL rewrite performed, which modifies a 301 or 302 reply and changes http URLs to https.
2/ The load balancer adds an HTTP header "ClientProtocol https" to the request it sends to the portal server.
They feel we need to find a way to have the portal server only send either references with no host:header (i.e. http) or only send host:header with https to keep it all SSL.
Any advice?
Edited by: Eric Poellinger on Jan 5, 2011 5:09 AM -
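The two measures the network team took (a "ClientProtocol https" request header from the load balancer, and a rewrite of http:// Location headers on 301/302 replies) can be made concrete in code. The following is an added example and is not code from either thread or from SAP, F5 or Cisco. It assumes the header name quoted above, a constructed trusted load-balancer network (10.0.0.0/24) and a constructed public host name; the second header name, X-Forwarded-Proto, is the common convention many proxies use. The security point is that the scheme header is only believed when the TCP peer is actually the load balancer, because anything that can reach the portal directly could send the same header.

```python
"""Added example (not from the original thread): deciding the client-facing scheme
behind an SSL-terminating load balancer, and rewriting redirect Location headers
the way the thread's 'SSL rewrite' does.

Assumptions: the LB adds a 'ClientProtocol' header (as in the thread), the LB's
source network is known, and the application sees the LB as its TCP peer.
"""
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit, urlunsplit

# Constructed for the example: the network the load balancer connects from.
TRUSTED_LB_NETS = [ip_network("10.0.0.0/24")]

# Header names checked (case-insensitively): the one from the thread plus the
# widely used X-Forwarded-Proto convention.
SCHEME_HEADERS = ("clientprotocol", "x-forwarded-proto")


def effective_scheme(headers: dict, peer_ip: str) -> str:
    """Return 'https' only if a trusted LB said so, otherwise the wire scheme 'http'.

    The header is ignored when the TCP peer is not the load balancer, so a client
    that bypasses the LB cannot claim to be on HTTPS.
    """
    peer = ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_LB_NETS):
        return "http"
    lowered = {k.lower(): v.strip().lower() for k, v in headers.items()}
    for name in SCHEME_HEADERS:
        if lowered.get(name) == "https":
            return "https"
    return "http"


def rewrite_redirect_location(status: int, headers: dict, public_host: str) -> dict:
    """Rewrite the Location of a redirect from http:// to https:// for our own host.

    This mirrors the LB-side rewrite of 301/302 replies. Only absolute URLs that
    point at the public host on the default port are changed; redirects to other
    sites or ports are left alone so the rewrite cannot produce links the target
    does not serve.
    """
    if status not in (301, 302, 303, 307, 308):
        return headers
    out = dict(headers)
    for key in list(out):
        if key.lower() != "location":
            continue
        parts = urlsplit(out[key])
        same_host = parts.hostname is not None and parts.hostname.lower() == public_host.lower()
        if parts.scheme == "http" and same_host and parts.port in (None, 80):
            # Drop an explicit :80 so the rewritten URL uses the default TLS port.
            out[key] = urlunsplit(("https", parts.hostname, parts.path, parts.query, parts.fragment))
    return out


def build_login_redirect(headers: dict, peer_ip: str, public_host: str, path: str) -> str:
    """Build the absolute redirect URL the login flow should emit.

    Generating the URL with the effective scheme inside the application is the
    alternative to relying on the load balancer's rewrite.
    """
    return f"{effective_scheme(headers, peer_ip)}://{public_host}{path}"


if __name__ == "__main__":
    # Constructed sample request: the LB forwarded an HTTPS client request.
    hdrs = {"Host": "portal.example.com", "ClientProtocol": "https"}
    print(effective_scheme(hdrs, "10.0.0.5"))   # https
    print(effective_scheme(hdrs, "192.0.2.9"))  # http: header from an untrusted peer
    resp = {"Location": "http://portal.example.com:80/irj/portal"}
    print(rewrite_redirect_location(302, resp, "portal.example.com")["Location"])
```

Either half alone would have fixed the login page symptom; doing both means the portal emits correct URLs for the one request that switches to port 80, and the load balancer catches anything the application still gets wrong.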
H-REAP and Client Load-Balancing
I'm told by Cisco that H-REAP does not support client load-balancing.
We have a situation where we want to deploy LWAPPs using H-REAP into a conference room where training would take place.
Any suggestions on how to overcome the inevitable slowness these people are going to experience from being unevenly associated with the APs?
We can't re-write the application so we are looking for a wireless solution.
Anyone hear about how other organizations have dealt with this type of situation?
I'll be glad to supply more details if I am not being clear in my description of the problem.
Thanks in advance. All responses will be rated.
Paul
This is the functionality which is missing in H-REAP: Client and Network Load Balancing
"Radio Resource Management (RRM) load-balances new clients across grouped lightweight access points reporting to each controller. This function is particularly important when many clients converge in one spot (such as a conference room or auditorium) because RRM can automatically force some subscribers to associate with nearby access points, allowing higher throughput for all clients. The controller provides a centralized view of client loads on all access points. This information can be used to influence where new clients attach to the network or to direct existing clients to new access points to improve wireless LAN performance. The result is an even distribution of capacity across an entire wireless network.
Note: Client load balancing works only for a single controller. It does not operate in a multi-controller environment."
I suppose if we limit the number of users that can associate with a particular AP then we will achieve some client load-balancing. Though a hard limit on the number of end-users will also lead to situations where some end users will not be allowed any access. -
Hi,
I am configuring 2 ASA5540 for internet traffic inside to outside,
outside to inside (web, smtp) but also vpn load balancing for client to site, site to site and webvpn.
In the doc I can configure them for internet traffic as Active/Standby or Active/Active.
for vpn: I can use vpn load balancing
But no information if I want to use the active/passive and vpn load balancing together.
Any thoughts on which way to go? what is the best thing to do ?
Regards
Hi,
I think that you cannot use an Active/Active configuration for VPN connections as it is stated on Cisco's documentation: "Note: VPN failover is not supported on units that run in multiple context mode as VPN is not supported in multiple context. VPN failover is available only for Active/Standby Failover configurations in single context configurations" available at http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml
Hope it helps -
SSL Setup in a load balanced portal
Hi,
We are implementing a portal landscape and also we are using a hardware based (Cisco ACE) load balancer for load balancing purposes.
So the configuration would be:
Portal requests --> Load Balancer --> Portal --> Backend
We are trying to implement SSL until the portal server and I have a question regarding the SSL certificate installation process.
The URL on the load balancer would be for example https://portaltest.mycompany.com which would load balance the requests between the application servers of the portal (https://sapeptest1.mycompany.com:50001/irj/portal and https://sapeptest2.mycompany.com:50001/irj/portal).
So, first thing we will have to do would be to install an SSL certificate (signed by a Trusted CA) on the load balancer with a CN=portaltest.mycompany.com.
I understand that for https to function properly, the host name in the URL we are using to get to the server should match the CN of the SSL certificate installed on the server.
Now, can we install the same certificate (that we put on the LB) on the portal as well?
(This might not work because the server type will be different)
(or)
Do we need to buy 2 certificates with the same CN and install one each on the LB and portal ?
Can some one please suggest on how to proceed with the SSL setup and certificate installation process ?
Thank You ,
Raj
Raj Kumar wrote:
My question is about how to go about installing the certificates on the LB and on the portal.
If you aren't using web dispatcher, then the details of the installation on the LB will depend on your LB (Cisco? Radware? etc?). I suggest contacting your LB vendor for that.
Sen's link is for SSO, you want the [SSL procedure|http://help.sap.com/saphelp_nw70/helpdata/en/f1/2de3be0382df45a398d3f9fb86a36a/frameset.htm].
You probably don't need a signed cert on the portal server itself (depending on whether your LB validates the cert). You could just use the default self-signed cert, since users won't be connecting to it directly and so won't be troubled by warnings about untrusted certs: the traffic from the AS would still be encrypted, you would only lose out on the server authentication feature (which you don't need, since again users won't see it).
On the other hand, do you really need SSL on portal server? That adds overhead at both the LB and portal. It's usually sufficient to use HTTP from the LB to the back-end, as long as the servers only allow connections from the LB. I realize you aren't using web dispatcher, but this looks like scenario #3 in [this diagram|http://help.sap.com/saphelp_nw70/helpdata/en/d8/a922d7f45f11d5996e00508b5d5211/frameset.htm]
Regards,
Sean -
Lync 2010 and ACE load balancing
Hi there,
Has anyone deployed [or will be deploying] Lync 2010 utilising the ACE as a hardware load balancer? The ACE is not [yet] on the Microsoft list of supported devices for this product, but I am told this is because of lack of documentation from Cisco.
The consensus from a few colleagues is that it should work as it did for OCS, which we have already deployed, so assuming that the set up and operation is similar, there shouldn't be much difference in the configurations.
regards,
Glenne.
Hey Glenne,
It seems you got that working already but I wanted to share this simple sample:
parameter-map type http PARAMETER
set header-maxparse-length 65535
set content-maxparse-length 65535
============================================
interface vlan 112
ip address 10.198.16.71 255.255.255.192
alias 10.198.16.124 255.255.255.192
peer ip address 10.198.16.72 255.255.255.192
mac-sticky enable
access-group input anyone
nat-pool 25 10.198.16.125 10.198.16.125 netmask 255.255.255.0 pat
service-policy input ANS-MGT
service-policy input VIPS
no shutdown
============================================
policy-map multi-match VIPS
class LYNC_VIP
loadbalance policy LYNC_POLICY
ssl-proxy server SSL_LYNC_TERMINATION
loadbalance vip icmp-reply active
nat dynamic 25 vlan 112
appl-parameter http advanced-options PARAMETER
============================================
class-map match-all LYNC_VIP
2 match virtual-address 10.198.16.125 tcp eq https
============================================
ssl-proxy service SSL_LYNC_TERMINATION
key tac-key
cert tac-cert
chaingroup tac-chaingroup
============================================
policy-map type loadbalance first-match LYNC_POLICY
class class-default
sticky-serverfarm LYNC_COOKIE
============================================
sticky http-cookie ACE_COOKIE LYNC_COOKIE
timeout 30
replicate sticky
serverfarm LYNC_FARM
============================================
serverfarm host LYNC_FARM
rserver LYNC_SERVER1 80
inservice
rserver LYNC_SERVER2 80
inservice
============================================
rserver host LYNC_SERVER1
ip address 10.198.16.93
inservice
rserver host LYNC_SERVER2
ip address 10.198.16.113
inservice
===========================================
Jorge -
Hi,
I have been trying to understand weblogic clustering and load balancing capabilities. I have been through the edocs but they do not explain how things work; instead they only emphasize how to configure.
Consider the following scenario:
--------cisco firewall/load balancer------------
apache1 apache2 apache3
-------------------firewall-------------------------
WLP1 WLP2 WLP3 WLP4
My questions are:
(1) how do apache servers load balance incoming requests amongst the four portal instances? I understand that it will use the weblogic proxy plug-in. The httpd.conf also should be configured to proxy requests to WLP instances by adding the corresponding address:port entries for each instance, using the WebLogicCluster keyword.
(2) Weblogic cluster will have nothing to do with load balancing? The only benefit I get of configuring weblogic cluster is session replication, right?
(3) even failover is going to be handled by apache servers?
(4) if I need to use SSL and I need to have my SSL encryption/decryption to be done on WLP instances; apache servers will only forward requests, no encryption/decryption to be done on the web tier. Is this possible?
See in WebSphere the edge component will handle the load balancing and through it I can assign load weights for each appserver instance.
(5) Are there any best practice to implement load balancing and failover on weblogic portal?
I appreciate any input in this regards.
1. yes, configure the apache plugin. put your 4 servers in the WeblogicCluster property (host:port,host:port...). The proxy will round robin requests between the servers in the cluster, although sessions are pinned to a single server. So if a request with a session (jsessionid cookie) comes in, it will read the primary server from the cookie and route it to that server.
note that we have had trouble with keep alives ON and load balancing. we had to turn keep alives off to get load balancing working.
2. right, the cluster allows failover by replication. apache plugin will perform the failover.
3. the plugin will keep a dynamic server list so if a server goes down, it will update the cluster list and not route to it. it will also retry requests on another server on an error or timeout connecting. you can tweak timeout settings like WLSocketTimeoutSecs and ConnectTimeoutSecs. and keep idempotent ON which allows failover, unless your application can't handle this. -
SSL setup with a load balancer
We are running EP 7.0 SP14 and have set it up to run through a Cisco ACE load balancer. We have also set up SSL with the certificate on the ACE load balancer. Everything works fine, except we keep getting a Security Alert popup message in IE that states "You are about to be redirected to a connection that is not secure."
Are there some additional configurations that I need to do in EP to make this go away?
Maximum points to the first correct answer.
You can change logoff URL to any value:
http://help.sap.com/saphelp_nw04s/helpdata/en/44/aada5230be5e77e10000000a155369/frameset.htm
Regarding VC apps.
It is strange you cannot see HTTP in the IEWatch. IE should not be able to alert about something it does not see. I suggest you to use something more substantial to trace network calls: http://www.wireshark.org
This is the best tool I know for network tracing.
Regards,
Slava -
CSS on multiple subnets and separate load balancing
Hello,
I've a situation where I need to load balance incoming clients on subnet A to 3 real servers on subnet B - no problems there.
But I also need to load balance different clients on subnet C to 3 other servers on subnet D and clients on subnet E to 2 servers on subnet F.
Basically I want to use the CSS for 3 different load balancing operations.
Rather than using 3 separate CSS11503s can I do all this with multiple VLANs on the LAN switches and 1 CSS?
Any help appreciated
Regards Tony
you can have as many vlan as you want.
So yes you can do what you want.
Just be aware that the CSS can route as well between those vlans, so if you want separation between them you may have to use ACL.
Gilles. -
Hi,
I have CSS in single arm deployment model. I have multiple servers load balancing on this CSS on port 80 etc. Today I am trying to load balance one Oracle server but I am facing problem with it.
Real servers are accessible on port 80 without any problem but when we are trying to access the same servers on VIP we are not able to see the web page.
real server http://192.168.17.12/irs.htm
real server http://192.168.17.14/irs.htm
real server http://192.168.10.37/irs.htm
VIP
http://192.168.200.58/irs.htm
Below is the configuration. I can do the telnet on port 80 and I can ping the VIP IP address.
If I only put 192.168.200.58 in the browser I can see the oracle page but with the full URL I am not able to see it.
Though I have other oracle servers which I have load balance with the same configuration and I can access the web page.
==========================================================================================
http://tptest.enoc.com/forms/frmservlet?config=tp (This is working fine).
========================================================================
http://irs.enoc.com/irs.htm (This is not working).
By name and by IP address both are not working.
http://192.168.200.58/irs.htm (This is not working).
=============================================================================
service IRC_1
ip address 192.168.17.12
keepalive type tcp
keepalive port 80
active
service IRC_2
ip address 192.168.17.14
keepalive type tcp
keepalive port 80
service IRC_DR
ip address 192.168.10.37
keepalive type tcp
keepalive port 80
content ENOC_IRC
add service IRC_1
add service IRC_2
add service IRC_DR
vip address 192.168.200.58
protocol tcp
port 80
advanced-balance sticky-srcip
active
owner ENOC_GIT
content ENOC_IRC
add service IRC_1
add service IRC_2
add service IRC_DR
vip address 192.168.200.58
protocol tcp
port 80
advanced-balance sticky-srcip
active
group ENOC_IRC
add destination service IRC_1
add destination service IRC_2
add destination service IRC_DR
vip address 192.168.200.58
active
===================================================================================================
ENOCDC-CSS01(config)# show service summary
Service Name   State      Conn  Weight  Avg Load  State Transitions
IRC_1          Alive      0     1       2         0
IRC_2          Suspended  0     1       255       1
IRC_DR         Suspended  0     1       255       1
ENOCDC-CSS01(config)# show summary
Global Bypass Counters:
No Rule Bypass Count: 0
Acl Bypass Count: 0
Owner      Content Rules  State   Services  Service Hits
ENOC_GIT
           ENOC_IRC       Active  IRC_1     103
                                  IRC_2     10
                                  IRC_DR    7
=======================================================================================================
Same setting I am doing for other servers and working fine only for these servers I am facing problem. Curently only one server is active in the configuration.
Kindly let me know what I am missing and how to fix the problem.
I have also attached the full configuration of CSS.
Hi,
My point of concern is that I did the same for Oracle server and this is working fine
http://192.168.200.95/forms/frmservlet?config=tp
only when I am doing the load balancing for
http://irs.enoc.com/irs.htm (This is not working).
By name and by IP address both are not working.
http://192.168.200.58/irs.htm (This is not working).
I don't have an option for a TAC case; is there a way to fix the problem by applying another load balancing method? Is there something to do with the Circuit VLAN? I didn't create the Circuit VLAN 17 where this server is located.
I am doing almost 8 different servers' load balancing in this CSS.
your expert opinion will definitely help me. -
Web dispatcher and J2EE load balancing
I have portal DBCI on one server and DI on multiple servers. I implemented Web dispatcher in front of the DI and it does the load balancing across all DI and CI. What I want to do though is not to route any users to CI instance - ie take CI server processes out of load balancing.
In ABAP environment you could create a logon group and not put CI in the group and users coming through the logon group do not go to the CI. I would like to do the same with Portal Java processes. In help.sap.com I found that web dispatcher uses default !J2EE group if there are no groups defined - to distribute users but I can not find anyway to define a logon group for J2EE java.
Does anybody out there know how to do this - define a logon group and include only DI and not CI in that?
> Raj,
>
> Which versions are you on J2EE? EP?
> If you are on EP SP14 or NW01 you can do workload
> distribution within the portal.
>
> James
We are using NW 04 based EP 6 SP 16. I am looking for to use web dispatcher to distribute users on the DI servers and not distribute any users on the CI server. What can I do so that if admin user enter http://CI_server:50000/irj then they can login to the CI server if users come through webdispatcher then they are not put on the CI but go to one of the DI servers only. By default web dispatcher would send some users to CI and I don't want that. -
New ASA5512- 5515: content filter and WAN load balancing
Hi,
it's possible to make the content filter with the new models of asa?
One of our customers would like to have content filter with the possibiliy to monitor the single client activity (log).
It' s possible also make the load balancing between 2 WAN?
Now in HQ they have 2 WAN with WAN backup (ASA5505) and VPN to another site.
Thanks in advance,
Paolo.
I saw that you can add CX feature:
CX - Context Aware Security Feature:
Cisco ASA CX Context-Aware Security is a modular security service that extends the ASA platform with next-generation capabilities. It is available with SSD purchase for models such as 5512-X, 5515-X, 5525-X, 5545-X and 5555-X.
Application Visibility Control (AVC):
This is an additional feature in CX. Activation of this feature requires a separate license. This is the feature that does deep packet inspection for application recognition and provides context-aware firewall security.
Web Security Essentials (WSE):
This is an additional feature in CX. Activation of this feature requires a separate license. It delivers features like "URL Filtering" and "Global Threat Intelligence".
Can somebody confirm that?
Have somebody already used and configured this features?
Thank you,
Paolo. -
WLS 5.1 JMS and Message load balancing
Would I be right in thinking that WLS 5.1 offers no out of the box component that distributes incoming messages over a series of JMS Destinations? (much like a distributed destination would do in WLS 8.1?)
Is it BEA's recommendation then that any JMS Client sending to these JMS destinations pick's up the responsibility for carrying out load balancing?
regards
Barry
> Would I be right in thinking that WLS 5.1 offers no
> out of the box component that distributes incoming
> messages over a series of JMS Destinations? (much
> like a distributed destination would do in WLS 8.1?)
Yes.
>
>
> Is it BEA's recommendation then that any JMS Client
> sending to these JMS destinations pick's up the
> responsibility for carrying out load balancing?
Application dependent.
For example, you could set up an EJB that enqueues to the local queue - where the local queue's name is inferred from the server the EJB is running on.
Load balancing (and fail-over) would then be accomplished by invoking the EJB and depending on standard EJB features...
>
> regards
> Barry -
NW04 Portal and Cisco Load balancer
Hi everybody,
does anyone have a similar landscape as I have?
Reverse Proxy - Cisco Content Switch Module for Load Balancing - two NW04 Portal Servers.
How did you configure the stickyness / Load balancing mechanism on the load balancer in order to get it running?
Cheers
Jochen
Hi,
Web AS Java issues a cookie called saplb.
You can check its value by connecting to the portal and then launching the command
"javascript:alert(document.cookie)"
within the browser. You will get a cookie value like
saplb_*=(J2EE6202500)6202551
The value in brackets determines the Instance; the second number equals the actual ClusterID (can also be found in the VisualAdmin). Usually 50 indicates the 1st server node, 51 the second one etc.
The saplb_*-cookie can be checked by the cisco see Cisco-Link above. Just configure the Cisco to be sticky on the instance number (value in the first brackets, in the example 6202500).
Several Customers do it like this, and actually the SAP Webdispatcher is also using this cookie to determine the instance to distribute the request to.
Good luck Bernhard -
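The saplb cookie format quoted above, and the sticky-then-round-robin behaviour that the WebLogic plug-in post earlier on this page describes (pin a session to its server while it is alive, otherwise round robin over the remaining live servers), can both be shown in one small piece of code. This is an added example, not code from SAP, Cisco or any poster; the cookie format is exactly the quoted `saplb_*=(J2EE6202500)6202551`, and the instance-to-server table and health flags are constructed sample data. A malformed saplb value is treated as "no cookie" rather than trusted, since the client controls the header.

```python
"""Added example (not from the thread): parse the Web AS Java saplb cookie and use it
for instance-sticky load balancing with round-robin fallback over live servers.

Assumed cookie format (as quoted in the thread): saplb_<name>=(<instance>)<clusterid>
"""
import re
from itertools import cycle
from typing import Optional

# saplb_*=(J2EE6202500)6202551 -> instance 'J2EE6202500', cluster id 6202551
SAPLB_VALUE = re.compile(r"^\((?P<instance>[^)]+)\)(?P<clusterid>\d+)$")


def parse_cookie_header(cookie_header: str) -> dict:
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    out = {}
    for part in cookie_header.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def parse_saplb(cookie_header: str) -> Optional[dict]:
    """Return instance, cluster id and server-node index from the saplb cookie, or None.

    The node index (50 = first server node, 51 = second, ...) is the cluster id
    minus the numeric tail of the instance id, as the post above explains.
    """
    for name, value in parse_cookie_header(cookie_header).items():
        if not name.startswith("saplb_"):
            continue
        m = SAPLB_VALUE.match(value)
        if not m:
            return None  # present but malformed: do not trust it
        instance = m.group("instance")
        clusterid = int(m.group("clusterid"))
        digits = re.search(r"\d+$", instance)
        node = clusterid - int(digits.group()) if digits else None
        return {"cookie": name, "instance": instance, "clusterid": clusterid, "node": node}
    return None


class StickyBalancer:
    """Round-robin over live servers, pinned to the saplb instance when possible."""

    def __init__(self, servers: dict):
        # servers: instance id -> {"host": ..., "alive": bool} (constructed sample data)
        self.servers = servers
        self._rr = cycle(list(servers))

    def pick(self, cookie_header: str = "") -> str:
        info = parse_saplb(cookie_header)
        if info and self.servers.get(info["instance"], {}).get("alive"):
            return info["instance"]  # sticky: keep the session on its instance
        # No cookie, unknown instance or dead instance: next live server in order.
        for _ in range(len(self.servers)):
            candidate = next(self._rr)
            if self.servers[candidate]["alive"]:
                return candidate
        raise RuntimeError("no live servers")


if __name__ == "__main__":
    # Constructed sample landscape: two portal instances behind the balancer.
    lb = StickyBalancer({
        "J2EE6202500": {"host": "sapeptest1", "alive": True},
        "J2EE6202600": {"host": "sapeptest2", "alive": True},
    })
    print(parse_saplb("saplb_*=(J2EE6202500)6202551"))
    print(lb.pick(""), lb.pick(""))                      # round robin for new sessions
    print(lb.pick("saplb_*=(J2EE6202500)6202551"))       # sticky to its instance
    lb.servers["J2EE6202500"]["alive"] = False
    print(lb.pick("saplb_*=(J2EE6202500)6202551"))       # failover to a live instance
```

The instance part in parentheses is what the post recommends keying stickiness on; the cluster id would pin to one server node inside that instance, which is finer than the load balancer needs and changes when nodes are restarted.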
HTTP type connectivity between XI and R3 - load balancing options ?
Hi
We have a http type connectivity setup between XI and R3 in order to enable XI to communicate with R3 using ABAP proxies. We did this by creating a RFC destination on the ABAP stack of XI of type 'H' (http connection between R3 systems). Now, while setting up this rfc destination, there is no option to specify a message server on R3 - we just see a target server field that can be filled in.
In an rfc destination of type 3 - on the XI box ( which is used for a XI --> R3 idoc adapter ) , I can see an option for specifying message server.
Does this mean that using type 'H' connectivity between XI and R3 does not give us an option of hitting the load balancing - message server on R3 and thus cannot use the load balancing setup on R3? Is this a limitation of type 'H' connectivity between XI and R3?
for HTTP load balancing the options seem to be somewhat different....check if these threads provide you any help:
http://help.sap.com/saphelp_nw04s/helpdata/en/ae/9bfc3f9ec4e669e10000000a155106/content.htm
http://help.sap.com/saphelp_nw04/helpdata/en/79/a1ce9569444647956b0ec1cf443c4d/content.htm
http://help.sap.com/saphelp_nw70/helpdata/en/43/39c7b227b91bcbe10000000a1553f7/content.htm
Regards,
Abhishek.