SSL config in PORTAL

Similar Messages

• Https ssl config Oracle AS, webcache, portal...almost works

  Hi,
  I have searched the forums and I havent found anything that works for me.
  I have Oracle infrastructure on one server, and Oracle App server/portal on another server. I can get as far as the http server showing the "welcome to oracle" page in https form. When I try to access a page in the portal (plsql) I get a blank page. It does convert the "https://myserver:xxxx//pls/portal/url/page/IRWEB/HOME
  " to "https://myserver:xxxx/portal/page?_pageid=73,86254,73_86264:73_86316:73_8632...." but nothing comes up.
  Also, it uses the Infrastructure server for single-sign-on...so I need to make the app server do the single sign-on. I've tried by adding /pls/orasso entry in DADS.conf of http server..
  So as far as I can tell...the http server IS operating in https/ssl, but the single-sign-on and the pages in the portal are not.
  I have to do everything manually since I am using 10.1.2 (no Oracle Collab Suite installed, so no SSLConfigTool and other assistants)
  Here is what I've done to get https://myserver:xxxx/ to come up ok.
  server 1: Oracle Infrastructure and Oracle database release 1 10.1.2.0.0
  server 2: Oracle Application Server / Portal with webcache release 2 10.1.2
  using Oracle Wallet for certificate,
  http server -> process management "ssl-enabled",
  http server -> advanced -> ssl.config: SSLWallet file:, SSLWalletPassword, virtual host for ssl
  webcache -> added settings for ssl (I used the current entries for non-ssl as a guide for the ssl entries)
  Interesting issue...with the ports in the ssl.conf file example:
  Port 4459
  Listen 4459
  VirtualHose myserver.blah.edu:4450
  Port 4458
  When I get the blank page trying to use ssl and 4459, I can manually change the url in my browser to 4458 (or maybe its the other way around) and get this message: "Error: The portlet could not be contacted"
  Is this a problem with webcache? Do I have to do any ssl config on the server with the database?
  I've even tried disabling the webcache, both with the oracle sql script and through web interface but neither made a difference...same problem.
  Any help would be greatly appreciated..I feel as if I'm almost there.
  If I did not post enough info for accurate help, please ask what you need to know to provide help! Thanks in advance.

  Hi,
  Yes you can go for SSl configuration without re-installing any of the components.
  Regards,
  access_tammy

• SSL config

  Dear Sir,
  I have a pair of 11501, which load balance two SSL server behind them. The cert is stored in SSL server(10.106.13.20 & 21). The external vip is 10.106.13.224.
  I read the SSL Config Gide and made the below configuration. Can you check if my config below is ok?
  ssl-proxy-list PIS-SSL-LIST
  backend-server 1
  backend-server 1 type backend-ssl
  backend-server 1 ip address 10.106.13.224
  backend-server 1 server-ip 10.106.13.20
  backend-server 1 version ssl3
  backend-server 1 session-cache 300
  backend-server 1 tcp virtual ack-delay 0
  backend-server 2
  backend-server 2 type backend-ssl
  backend-server 2 ip address 10.106.13.224
  backend-server 2 server-ip 10.106.13.21
  backend-server 2 version ssl3
  backend-server 2 session-cache 300
  backend-server 2 tcp virtual ack-delay 0
  active
  service PIS-SSL-SERVICE
  type ssl-accel-backend
  ip address 10.106.13.224
  add ssl-proxy-lit PIS-SSL-LIST
  active
  owner PIS-SSL-OWNER
  content PIS-SSL-VIP-1
  vip adddress 10.106.13.224
  port 80
  advanced-balance arrowpoint-cookie
  url "/*"
  add service PIS-SSL-SERVICE
  active
  Thanks

  this is totally wrong unfortunately.
  What are you trying to achieve here ?
  Normally the connection between CSS and server does not need to be encrypted because they are close to each other.
  You probably want to encrypt the connection from the client to the CSS since this connection goes throug the Internet.
  Is this what you need ?
  Here are sample configs:
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.10/configuration/ssl/guide/examples.html#wp999094
  backend-ssl is @
  SSL Transparent Proxy Configuration - HTTP and Back-End SSL Servers
  You will see that you did many mistakes, like ip addresses used in the ssl-proxy-list.
  Gilles.

• SSL implementation on portal development

  Hi, All
  I have implemented SSL on QA using the standard port 443 and it is working fine.I did the same SSL implementation on portal development using the same port 443 and it doesn't work.When I call up the https url from IE for my portal development it seems like it's not connecting it just stays blank and it is not displaying anything.
  However when I change the port to 50001 it works fine nad everything on the web page is displayed but I want it to work on the standard port 443.Please help on rectifying this or any Ideas on how to solve this.
  Thank you

  You need to change the http provider service on your DEV portal dispatcher to use port 443 instead of 50001.
  Also, make sure there are no other web servers using that portal number on the same host as the DEV portal.
  Cheers
  Message was edited by:
          Michael Nicholls

• SSL-Config: Oc4J does not reload keystore/truststore at runTime

  Hi all, i have a little question about the SSL-Config into OC4J.
  I have a webApp bound to a secure web site that requires mutual-authentication. If I add at run-time (without stopping OC4J) a trusted entry (a CA) to the keystore the secure-web-site is related to, OC4J does not "reload" the keystore with the new entry. Thus, i have to restart the OC4J to be able to accept SSLconnection that are authenticated by means of that new CA. The qeustion is: Does it exist a conifguration that has to be performed to reload at run-time a keystore in OC4J or it's necessary to restart OC4J each time a new entry to a keystore mapped for a given secure-web-site is added?
  I hope someone can give me a tip,
  Best Regards

  Hi I tried this with latest 10.1.3 Developer Preview 4 and it worked great and I could start OC4J standalone in https mode. Can you please download the latest version of OC4J 10.1.3 DP4 stand-alone and try in there ? The OC4J version embedded with JDev 10.1.3 Preview is pretty old and there have been many bugs fixed since then
  http://www.oracle.com/technology/tech/java/oc4j/index.html
  -Debu

• Tuple Config in Portal

  Hi Experts ,
  I have configured a Tuple in the console and it is working just fine when i execute it from the Data Manager .
  for the same i have done portal config and when i add a new tuple the values are not displayed in the worklist  . It is only displayed after i have saved it and click on the edit/ open button .
  Is this a normal functionality from the portal or am i missing any portal config .
  Regards,
  Vignesh

  Hi,
  Yes you can go for SSl configuration without re-installing any of the components.
  Regards,
  access_tammy

• Error when configuring Web Dispatcher for SSL with Enterprise Portal

  We are in the process of configuring the Web Dispatcher using SSL to connect to our Enterprise Portal (the Web Dispatcher will be in the DMZ).  We have followed all of the help.sap.com guides and now have SSL listening on the EP side (port 8103).  We are now receiving this strange certificate error when we start the Web Dispatcher:
  [Thr 5332] Tue Mar 20 00:36:23 2007
  [Thr 5332]   MatchTargetName("<FULLY QUALIFIED HOSTNAME>", "CN=XXX, OU=XXX, O=XXXX, C=XX") FAILS
  [Thr 5332]   SSL socket: local=<IPADDRESS>:4742  peer=<IPADDRESS>:8103
  [Thr 5332] <<- ERROR: SapSSLSessionStart(sssl_hdl=009D7670)==SSSLERR_SERVER_CERT_MISMATCH
  [Thr 5332] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-30): SSSLERR_SERVER_CERT_MISMATCH [icxxconn.c 2005]
  [Thr 5332] *** ERROR => IcmConnClientRqCreate() failed (rc=-14) [icrxx.c      4919]
  [Thr 5332] *** ERROR => Could not connect to SAP Message Server at <FULLY QUALIFIED HOST NAME>. URL=/msgserver/text/logon?version=1.2 [icrxx.c      2301]
  [Thr 5332] *** ERROR => rc=-1, HTTP response code: 0 [icrxx.c      2302]
  [Thr 5332] *** ERROR => see also OSS note 552286 [icrxx.c      2303]
  We have gone through the trouble shooting note 552286 as listed in the error above.  Any assistance is appreciated.

  Hello, did you receive any resolution for this problem?  We are receiving a similar error and I am unsure of how to resolve.

• Need to Publish Portal on internet -introducing SSL & Apache infront Portal

  Hi,
  Recently we have installed Portal server u2013 EP 7.01 and our backend systems are ECC and BW.   UME Data source is Database Only.
  On Portal server we have one central instance and one server node.  Currently we are accessing our Portal through http by maintaining host file entries on our local PCu2019s.
  We want to make our Portal available on the internet for end users.and URL should be like https://mysapportal.customer.com/irj/portal
  Hence we planned to introduce SSL (https) and Apache Web server in front of our Portal server
  We have gone through few documents but we didn't get complete information.
  Can anyone tell us the procedure and the detailed configurations steps which are required on both Portal and Apache systems?
  Advance Thanks
  Thanks
  Phani

  Hi,
  If you are looking for configuration to make apache Web server configuration run via HTTPS, then this is a Wrong place to search and you can find apache configuration in apache sites.
  You can Make Portal Access via https. i have given one wiki link for the same below and there are many available for your reference.
  http://wiki.sdn.sap.com/wiki/display/EP/ConfiguringtheUseofSSLontheSAPJ2EE+Engine
  Regarding Apache, You can Configure SSO Between Portal and Apache, using kerberos or other relevant methods.  this way, Portal will be accessed via Https and apache Pages will be accessed from portal. Reduction of complexity. This is just one suggestion and i believe this is what olivier suggested as well to design your architecture as requirement will change based on project.
  I hope it helps

• SSL Config for SAP webgui service of ABAP

  Hi Gurus,
  We have a duel stack system, details are as follows:
  ECC 6.0 SR2
  ABAP Stack 11
  Java Stack 13
  we want to access the webgui via internet and for this we have configured the webdispatcher which is behid the firewall. we had created the ccr and got the CA response which is imported in the Dispatcher. So the traffice from the end user to Dispatcher is SSL enabled. Then we did same thing for ABAP as well and now the completed trafic is SSL enabled. Our problem is...
  when we use the URL to login to webgui it changes the url and hence does not work from internet. Please note that we dont want to expose our ECC system to public netowrk.
  e.g :
  https://portal.mycompany.com:8100 --> this is the web dispatcher URL this should give us the login screen and stay as it is all the time. But ......when it gives the login screen it gets changed to
  https://ecc60server.mycompany.com:8000 --> and as the ECC server cant be accessed via internet this URL fails when we are outside the company network.
  similarly for the Java stack of the same system also we have the URL and it works just fine.
  rewards will be awarded for the solutions....
  Pravin

  Hi Pravin,
  So if I get it right, you need an End-to-End SSL setup for you WebDispatcher.
  This means that the Webdispatcher simply re-directs the calls but still shows the official url to the client.
  I think you have a problem in the webdispatcher profile.
  there should be one entry like
  icm/server_port_0 = PROT=ROUTER,PORT=443
  This means that the webdispatcher is listening for traffic on port 443.
  then there should be another entry like
  icm/server_port_1 = PROT=HTTPS,PORT=0
  this means that the webdispatcher does not listen to this port (PORT=0) but simply send data to it.
  Then, the actual connection to the ABAP-system
  ms/https_port = 8101  (or whatever port you used for https)
  rdisp/mshost = <full.host.name.including.domain.name>
  another important parameters is: wdisp/server_info_protocol = https

• Succession planning config in portal.

  Hi all,
  I am new to HCM family. I got an opportunity to configure  succession planning in a live system. Just standard basic features only.
  Can anyone guide me how to do it..?
  We are in latest version ECC 6.0 EHP4.
  Thanks in advance.
  Namsheed.

  Hi Martin Hastik,
  Thanks for your prompt reply .
  We have already implemented PA,OM,Time,Payroll, Travel & PMS. For Succession Planning we haven't done any configurations. What config we have do for that..?
  When I executed the T-code system asked for business function activation. We are already on Production system. Will that BF Activation affect any other components..?
  Also Is it possible to do SP through Portal (NWBC).
  Thanks,
  Namsheed.

• SSL impact on Portal performance.

  I was wondering if anyone knows of any benchmarks of Portal performance with SSL enabled versus a non SSL enabled Portal.
  I realize that SSL does create some additional overhead on the server during the encyrpt/decrypt process. I'm trying to determine if a dedicated reverse proxy may be more beneficial to support approximately 1000 concurrent connections.
  Thanks in advance, and as always points awarded.

  I haven't seen any official figures, but you also have to consider the applications running in the portal. For example, if you plan to encrypt SAPGUI for HTML, that will have an imapact etc.
  Reallistically you need to do your own tests, as relying on someone else's figures based on their specific portal applications may lead you to problems later on.

• 2 way ssl config in WLS 8.1

  Problem: Server(any web app runing on WLS 8.1 SP2 on win2000) need to authenticate
  clients(browser) without prompting for userid & passwords just through digital
  certificate. With out writing any programming in deployed Java app . Only through
  server side config can be done.
  Soluton : We are trying to use the 2-way ssl in WLS 8.1 SP2 running on win2000.
  To begin with development, we are just using the Demo cert. This is being tested
  on same machine both client and server. This works perfectly fine for 1-way ssl
  no need to do any config. To extend this config for 2-way.
  I need a one more digital cert for client.
  I create the client digital cert/private key using Cert Gen utility.
  Now the confusing part how to add this to Server Trust key store.
  There are no proper doc on how to continue further.
  Different places say different things to do.
  If any one can provide some example steps how to do it will be great.
  Thanks in advance.
  --Prav

  Did you use the Demo CA to issue the new certificate (CertGen uses it by default)?
  Then you do not need to do anything. The CA certificate already exists in the
  DemoTrust.jks.
  Otherwise you can use keytool to import trusted certificate into a keystore. See
  this page for more info: http://e-docs.bea.com/wls/docs81/secmanage/ssl.html#1178523
  Pavel.
  "prav" <[email protected]> wrote:
  >
  Problem: Server(any web app runing on WLS 8.1 SP2 on win2000) need to
  authenticate
  clients(browser) without prompting for userid & passwords just through
  digital
  certificate. With out writing any programming in deployed Java app .
  Only through
  server side config can be done.
  Soluton : We are trying to use the 2-way ssl in WLS 8.1 SP2 running on
  win2000.
  To begin with development, we are just using the Demo cert. This is being
  tested
  on same machine both client and server. This works perfectly fine for
  1-way ssl
  no need to do any config. To extend this config for 2-way.
  I need a one more digital cert for client.
  I create the client digital cert/private key using Cert Gen utility.
  Now the confusing part how to add this to Server Trust key store.
  There are no proper doc on how to continue further.
  Different places say different things to do.
  If any one can provide some example steps how to do it will be great.
  Thanks in advance.
  --Prav

• Soap RECEIVER adapter ssl config

  we are consuming a web service in sap ECC system via XI using SSL. So I configured receiver soap adapter. Imported the certificate provided by web service provider to J2EE visual admin key store. However I am not able to see my ceritificates popluated in my communication channel selection list.
  Could you please provide steps to configure SSL in receiver soap adapter not for Sender adapter.
  Thanks.
  Bijay

  Okay, so this is a client certificate and not a CA certificate, right?
  In this case, you need to import the client certificate under ICM_SSL_xxx and you can find SSL_Provider if you scroll completly down. You need to import the private key of the client certificate under ICM_SSL_xxx.
  Only CA certificates goes in TrustedCA view. You can create a new view ICM_SSL_xxx or put the certificate under any existing ICM_SSL_xxx view, it doesn't matter.
  Do this step and let me know if it works. Might be, there is no requirement for private key at this point of time. It completely depends how the receiving system will accept and verify the call from PI server.
  Since it's a client certificate, they must be having public and private keys. But this certificate has to be signed by some one like VeriSign and they provide a different key to make it more secured. But anyways, you don't need to go in so much of details right now.
  Follow the steps that I mentioned above and hopefully, it should work.
  Regards,
  Neetesh

• Console cannot connect to ldap after SSL config

  Hi,
  I configured our iplanet DS 5.0 to use SSL (requested cert from DS, signed and created a new cert with openSSL, verified that DS could read that cert, and turned on ssl). Restarted DS and admin-serv. The ldap is working but ldaps is not. The console is unable to connect to DS and just hangs when trying to connect. The console is configured to connect to ldap not ldaps, but when I view the configuration for DS in console it shows port 636. So -
  - how do I make the console use port 389 to connect to the DS?
  - What do I need to do to get ldaps working?
  TIA.
  Raj Dolas

  There are some limitations in using the Console when SSL is enabled for the Directory Server. These are documented... in the release notes at least.
  Regards,
  Ludovic.

• SSL Config on Tomcat

  Hi Experts:
  My Apache+SSL is working now - thanks to you all. I checked it using https://www.hari.com.
  However, I have a small Application which contains JSP+Servlets which calls Oracle DB via JDBC. This application is working fine when I type http://www.hari.com:8080/hari/index.jsp but when I try HTTPS as https://www.hari.com:8080/hari/index.jsp it does'nt work - ie page does'nt shows up.
  I know that HTTPS listens to port 443 and my Application(Tomcat+JBoss) listens to port 8080 - so how do I integrate both the ports to work together? Any useful information on above is appreciated.
  THANKS!
  HARI

  Hi
  I guess that you haven't changed the pot that Tomcat listens for SSL connections.If not the default port for SSL is 8443 for Tomcat. SO if you want your application to run via SSL you must use s.g like https://localhost:8443/......
  if u use 8080 it won't run. The connection to the database should be again to the 8080 port, but the servlet should listen to 8443 for SSL. Check the port in the server.xml file