SSL implementation on portal

Hi Gurus,
We are planning to implement SSL on EP7.0. Can anybody help?
Where can I find the documents?
Thanks and Regards,
Kishore

Hi Reddy,
Thanks for your immediate reply.
Suppose I am using the transactional iViews, then?
because the webgui refers to the URL starting with http://<hostname>.<comanyname>:<port>//
Thanks and Regards,
Kishore

Similar Messages

  • SSL implementation on portal development

    Hi, All
    I have implemented SSL on QA using the standard port 443 and it is working fine. I did the same SSL implementation on portal development using the same port 443 and it doesn't work. When I call up the https URL from IE for my portal development it seems like it's not connecting; it just stays blank and it is not displaying anything.
    However, when I change the port to 50001 it works fine and everything on the web page is displayed, but I want it to work on the standard port 443. Please help on rectifying this or any ideas on how to solve this.
    Thank you

    You need to change the http provider service on your DEV portal dispatcher to use port 443 instead of 50001.
    Also, make sure there are no other web servers using that portal number on the same host as the DEV portal.
    Cheers
    Message was edited by:
            Michael Nicholls

  • Error when configuring Web Dispatcher for SSL with Enterprise Portal

    We are in the process of configuring the Web Dispatcher using SSL to connect to our Enterprise Portal (the Web Dispatcher will be in the DMZ).  We have followed all of the help.sap.com guides and now have SSL listening on the EP side (port 8103).  We are now receiving this strange certificate error when we start the Web Dispatcher:
    [Thr 5332] Tue Mar 20 00:36:23 2007
    [Thr 5332]   MatchTargetName("<FULLY QUALIFIED HOSTNAME>", "CN=XXX, OU=XXX, O=XXXX, C=XX") FAILS
    [Thr 5332]   SSL socket: local=<IPADDRESS>:4742  peer=<IPADDRESS>:8103
    [Thr 5332] <<- ERROR: SapSSLSessionStart(sssl_hdl=009D7670)==SSSLERR_SERVER_CERT_MISMATCH
    [Thr 5332] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-30): SSSLERR_SERVER_CERT_MISMATCH [icxxconn.c 2005]
    [Thr 5332] *** ERROR => IcmConnClientRqCreate() failed (rc=-14) [icrxx.c      4919]
    [Thr 5332] *** ERROR => Could not connect to SAP Message Server at <FULLY QUALIFIED HOST NAME>. URL=/msgserver/text/logon?version=1.2 [icrxx.c      2301]
    [Thr 5332] *** ERROR => rc=-1, HTTP response code: 0 [icrxx.c      2302]
    [Thr 5332] *** ERROR => see also OSS note 552286 [icrxx.c      2303]
    We have gone through the troubleshooting note 552286 as listed in the error above.  Any assistance is appreciated.

    Hello, did you receive any resolution for this problem?  We are receiving a similar error and I am unsure of how to resolve.

  • SSL config in PORTAL

    To all the Portal Gurus out there....I have two simple questions....
    I have two servers - one that holds the MR (repository) and one that holds the OID Infrastructure and Portal tiers (2 different mount points)
    This is a new install - and upgraded to 10.1.4. With the OID and portal tiers on the same server, it is possible to SSL enable access to the portal (i.e. HTTPS in place of currently HTTP) - without having to re-install.......the entire stack.....
    Is it also wise to go ahead and do this - in other words, does religiously adhering to Sec 5.2 of the Oracle® Application Server Portal Configuration Guide
    10g Release 2 (10.1.4) B19305-03 - get me to enable SSL through out the portal?
    Thanks

    Hi,
    Yes, you can go for SSL configuration without re-installing any of the components.
    Regards,
    access_tammy

  • Need to Publish Portal on internet -introducing SSL & Apache infront Portal

    Hi,
    Recently we have installed Portal server – EP 7.01 and our backend systems are ECC and BW.   UME Data source is Database Only.
    On Portal server we have one central instance and one server node.  Currently we are accessing our Portal through http by maintaining host file entries on our local PC's.
    We want to make our Portal available on the internet for end users, and the URL should be like https://mysapportal.customer.com/irj/portal
    Hence we planned to introduce SSL (https) and Apache Web server in front of our Portal server
    We have gone through few documents but we didn't get complete information.
    Can anyone tell us the procedure and the detailed configurations steps which are required on both Portal and Apache systems?
    Advance Thanks
    Thanks
    Phani

    Hi,
    If you are looking for configuration to make Apache web server configuration run via HTTPS, then this is the wrong place to search, and you can find Apache configuration on Apache sites.
    You can make Portal access via HTTPS. I have given one wiki link for the same below, and there are many available for your reference.
    http://wiki.sdn.sap.com/wiki/display/EP/ConfiguringtheUseofSSLontheSAPJ2EE+Engine
    Regarding Apache, you can configure SSO between Portal and Apache, using Kerberos or other relevant methods.  This way, Portal will be accessed via HTTPS and Apache pages will be accessed from Portal. Reduction of complexity. This is just one suggestion, and I believe this is what Olivier suggested as well, to design your architecture, as requirements will change based on project.
    I hope it helps

  • SSL impact on Portal performance.

    I was wondering if anyone knows of any benchmarks of Portal performance with SSL enabled versus a non SSL enabled Portal.
    I realize that SSL does create some additional overhead on the server during the encrypt/decrypt process. I'm trying to determine if a dedicated reverse proxy may be more beneficial to support approximately 1000 concurrent connections.
    Thanks in advance, and as always points awarded.

    I haven't seen any official figures, but you also have to consider the applications running in the portal. For example, if you plan to encrypt SAPGUI for HTML, that will have an impact etc.
    Realistically you need to do your own tests, as relying on someone else's figures based on their specific portal applications may lead you to problems later on.

  • SSL Setup in a load balanced portal

    Hi,
    We are implementing a portal landscape and also we are using a hardware based (Cisco ACE) load balancer for load balancing purposes.
    So the configuration would be:
    Portal requests --> Load Balancer --> Portal --> Backend
    We are trying to implement SSL until the portal server and I have a question regarding the SSL certificate installation process.
    The URL on the load balancer would be for example https://portaltest.mycompany.com which would load balance the requests between the application servers of the portal (https://sapeptest1.mycompany.com:50001/irj/portal and https://sapeptest2.mycompany.com:50001/irj/portal).
    So, first thing we will have to do would be to install an SSL certificate (signed by a Trusted CA) on the load balancer with a CN=portaltest.mycompany.com.
    I understand that for https to function properly, the host name in the URL we are using to get to the server should match the CN of the SSL certificate installed on the server.
    Now, can we install the same certificate (that we put on the LB) on the portal as well?
    (This might not work because the server type will be different)
    (or)
    Do we need to buy 2 certificates with the same CN and install one each on the LB and portal ?
    Can some one please suggest on how to proceed with the SSL setup and certificate installation process ?
    Thank You ,
    Raj

    Raj Kumar wrote:
    My question is about how to go about installing the certificates on the LB and on the portal.
    If you aren't using web dispatcher, then the details of the installation on the LB will depend on your LB (Cisco? Radware? etc?). I suggest contacting your LB vendor for that.
    Sen's link is for SSO, you want the [SSL procedure|http://help.sap.com/saphelp_nw70/helpdata/en/f1/2de3be0382df45a398d3f9fb86a36a/frameset.htm].
    You probably don't need a signed cert on the portal server itself (depending on whether your LB validates the cert). You could just use the default self-signed cert, since users won't be connecting to it directly and so won't be troubled by warnings about untrusted certs: the traffic from the AS would still be encrypted, you would only lose out on the server authentication feature (which you don't need, since again users won't see it).
    On the other hand, do you really need SSL on portal server? That adds overhead at both the LB and portal. It's usually sufficient to use HTTP from the LB to the back-end, as long as the servers only allow connections from the LB. I realize you aren't using web dispatcher, but this looks like scenario #3 in [this diagram|http://help.sap.com/saphelp_nw70/helpdata/en/d8/a922d7f45f11d5996e00508b5d5211/frameset.htm]
    Regards,
    Sean
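
The name check behind both the SSSLERR_SERVER_CERT_MISMATCH trace earlier on this page and the CN question in this thread, as an added example that is not part of any post and is not SAP or load-balancer vendor code. It is a generic RFC 6125-style matcher (SAN dNSName entries take precedence over CN, a wildcard is accepted only as the whole leftmost label) run over the thread's host names; the OU/O/C values, the SAN list and the wildcard certificate are constructed.

```python
# Added example: generic hostname-vs-certificate name check (not SAP or vendor code).
# Host names come from the thread; OU/O/C values and the SAN list are constructed.

def parse_dn(dn):
    """Split a simple 'CN=a, OU=b' subject string into {ATTR: [values]}.
    Escaped commas inside values are not handled (enough for this sketch)."""
    attrs = {}
    for part in dn.split(","):
        key, sep, value = part.partition("=")
        if sep:
            attrs.setdefault(key.strip().upper(), []).append(value.strip())
    return attrs


def name_matches(pattern, host):
    """Case-insensitive DNS name comparison. A '*' is honoured only when it
    is the entire leftmost label, and then it stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_matches(host, subject_dn, san_dns=()):
    """When the certificate carries SAN dNSName entries only those count;
    the subject CN is consulted only when there are none."""
    names = list(san_dns) or parse_dn(subject_dn).get("CN", [])
    return any(name_matches(n, host) for n in names)


LB_CERT = "CN=portaltest.mycompany.com, OU=IT, O=MyCompany, C=US"  # constructed DN
ALL_HOSTS = ["portaltest.mycompany.com", "sapeptest1.mycompany.com",
             "sapeptest2.mycompany.com"]

# (description, name the client connects to, subject DN, SAN dNSNames)
HOPS = [
    ("browser -> LB, LB cert", "portaltest.mycompany.com", LB_CERT, []),
    ("LB -> portal, LB cert copied to portal", "sapeptest1.mycompany.com", LB_CERT, []),
    ("LB -> portal, one cert with all names in SAN", "sapeptest2.mycompany.com", LB_CERT, ALL_HOSTS),
    ("LB -> portal, wildcard cert", "sapeptest1.mycompany.com", "CN=*.mycompany.com", []),
]


def audit(hops=HOPS):
    """Return {description: True/False} for every hop that validates names."""
    return {desc: cert_matches(host, dn, san) for desc, host, dn, san in hops}


if __name__ == "__main__":
    for desc, ok in audit().items():
        print(f"{'match   ' if ok else 'MISMATCH'}  {desc}")
```

The mismatch on the second hop only matters when the client on that hop (here the load balancer) actually validates the back-end name, which is the condition the reply above attaches to using a self-signed certificate on the portal.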

  • Analyze link generated by Portal not working after SSL Configuration

    Hi,
    We've installed OracleAS Portal 10.1.4 and Oracle Discoverer Version 10.1.2.48.18 on the same machine. We recently configured SSL on OracleAS Portal for SSO server only. Discoverer was not SSO enabled.
    Now after successful SSL configuration we are facing one problem. The Analyze link that is generated by Portal to analyze the worksheet in Single Worksheet Viewer is no longer working. when we click on the analyze link we get the "HTTP 500 Internal Server Error" and a message that Page cannot be displayed.
    Please advise...

    Hi Andrew
    It sounds like you need to enable SSO for Discoverer too.
    Best wishes
    Michael

  • Com.sap.portal.htmlb in SSL

    Hello,
    We have implemented SSL on the portal platform (on the J2EE) and it seems to be working for the most part.  We are using it with Kerberos authentication.  We have noted that there are some issues and they mostly revolve around the com.sap.portal.htmlb "portalapp".  Firstly, when using SSL on port 50001, items in the HTMLB component are being called without SSL VIA port 50000.
    Also, we noted that there are a few files physically missing from the ../com.sap.portal.htmlb/jslib directory (for example: refresh.gif and pagerror.gif).  When we manually created them, those particular errors have disappeared but we also see the:
    "http://bnpdsapepc1d.corp.brucepower.com:50000/irj/portalapps/com.sap.portal.htmlb/jslib/emptyhover.html"
    and
    "http://bnpdsapepc1d.corp.brucepower.com:50000/irj/portalapps/com.sap.portal.pagebuilder/html/emptydocument.html"
    In the trace - but we are using HTTPS for everything else...?
    Is there something that points the HTMLB component to a static URL or to pick up the http with 50000?  We have not made any custom changes here.
    Any help would be humbly appreciated,
    Judson

    We seem to have figured it out.  It turns out that the registration of the ktpass is very case sensitive.  We registered the FQDN of the host with the hostname part in UPPERCASE.  Now the portal - Kerberos with SSL works fine when using the https://HOSTNAME.company.com:50001/irj.  Otherwise, we receive "Action Cancelled" from the TLN and down.  We checked the SSL cert and it looked lowercase so we checked the keytab and found the HTTP/[email protected] - we will try to resolve the UPPERCASE by re-running that part of the process.
    Thanks,
    Judson

  • How to implement SSL for Portal with ADS (for Adobe based MSS Application)

    Hi Experts,
    What is the minimum setting required to implement SSL for Portal with ADS?
    HTTP is working fine with Portal with ADS and R/3 for Adobe Based MSS Form.
    Please let me know.
    Regards
    Ali

    Rajat,
    Nice to see your reply...
    Could you please write me the steps how to do that.
    I would like to implement SSL only in portal. So is it mandatory to implement SSL in ADS and R/3 too?
    Please, what are the minimum settings required?
    Sure points will be rewarded
    Regards
    Ali

  • How to Setup SSL on Oracle Application Server 10g Release 2 (10.1.2)

    Hi All,
    Can anybody tell me How to setup the SSL on Oracle Application Server 10g Release 2 (10.1.2).
    I have all the required documents like
    1. Oracle Application Server Portal Server Configuration Guide.
    2. Oracle Application Server Web Cache Configuration Guide.
    3. Oracle Application Server SSO Administration Guide.
    I tried to follow all these documents but still I am not able to set SSL for Oracle Portal Server.

    The Portal Configuration Guide, available on OTN at http://www.oracle.com/technology/documentation/appserver1012.html does provide some very specific information on how to set up OracleAS Portal.
    Section 6.3.2.1 Configuring SSL for OracleAS Portal describes various configurations, such as:
    SSL to OracleAS Single Sign-On
    SSL to OracleAS Web Cache
    SSL Throughout OracleAS Portal
    External SSL with Non-SSL Within Oracle Application Server
    For larger enterprise configurations, you can refer to the Enterprise Deployment Guide.
    Can you give a bit more background on what you are trying to set up? Which scenario, what sort of hardware, software versions, and so on.
    Regards,
    Pete

  • Iplanet LDAP Configuration in Portal

    Hi All,
    I was trying to configure my UME with LDAP - iplanet. (Sun one Directory Server) in SAP Netweaver CE. I downloaded the xml file using config tool.
    1. dataSourceConfiguration_iplanet_readonly_db
    2. dataSourceConfiguration_iplanet_not_readonly_db
    3. dataSourceConfiguration_iplanet_deep_readonly_db
    Which one should I use? How do I know whether iPlanet uses a deep or flat hierarchy?  When I try to use the
    dataSourceConfiguration_iplanet_not_readonly_db, on click of Save Changes, it gives me some "Technical error". But Validate connection in LDAP Server Properties is working fine.
    "Test Connection successful".
    But the server is not starting after restart.   How else do I change the UME Configuration from Database to LDAP? What is the xml file to use? Are there some other configurations to be done?
    Thanks,
    Divya
    Edited by: Divya V on Nov 19, 2010 10:23 AM

    Hi Divya,
    Try to contact the systems team who is responsible for maintaining the LDAP in your company. They can tell you if you use deep or flat hierarchy.
    Then you need to decide if you want to connect to LDAP only for read only purposes or if you want to update anything on the LDAP from the portal and have write access.
    1. dataSourceConfiguration_iplanet_readonly_db - FOR READ ONLY ACCESS TO LDAP WITH FLAT HIERARCHY
    2. dataSourceConfiguration_iplanet_not_readonly_db - FOR WRITEABLE ACCESS TO LDAP
    3. dataSourceConfiguration_iplanet_deep_readonly_db - FOR READ ONLY ACCESS TO LDAP WITH DEEP HIERARCHY
    You are getting the error when using dataSourceConfiguration_iplanet_not_readonly_db.xml most likely because the system user that is used to connect to your LDAP might not have write access on the LDAP.
    Also, please note that some LDAPs will require an SSL connection between portal and LDAP for writing anything to the LDAP.
    In that case, you will have to set up SSL between EP and LDAP.
    Read the documentation for further help:
    http://help.sap.com/saphelp_nw70ehp1/helpdata/en/48/d1d13f7fb44c21e10000000a1550b0/frameset.htm
    Hope that helps !!
    Thanks,
    Shanti Mupkala

  • STS: Portal HTTPS to BSP HTTP transfer issue

    Hi Experts,
    We have the following issue.
    We use portal with SSL, and we put SSL on our BW backend system. We also use STS, and we created a BSP iView in the portal to use STS inside portal.
    The problem occurs when a link to the iView is clicked. What happens is that when the iView is being loaded, all the session cookies are getting blocked for some reason, so that clicking on any link in STS results in timeout error.
    My observation is that STS only uses SSL for the login page. So when a request comes through the portal that uses SSL it goes to a BSP iView without an SSL (you get the warning that you are about to display non-secure items).
    A workaround solution is to go to IE properties, security/privacy and click the "Allow all session cookies" checkbox. This is a bad solution because it involves telling users to configure their browser. I am wondering if anybody had the same or similar issue, and if there is any other resolution than just explicitly allowing cookies in the browser.
    We have another environment setup in QA that does NOT use SSL for either portal or a backend BW, and this problem with cookies does not happen there. I am guessing it has something to do with a switch from HTTPS to an HTTP request when it comes through the portal.
    Please let me know if you know how to resolve this.
    Thank you,
    AG

    Hi Marc,
    Thank you very much. The note helped us ensure that all the STS pages are using HTTPS protocol. There is still one issue remaining though.
    When STS generates its start URL, for some reason it starts with HTTP, not HTTPS. It is evident when you go to BPS_TC tcode and try to execute option "Test call with display of URL". The URL that gets displayed is for example:
    http://test.somedomain.com:8000/sap/bc/bsp/sap/tunguska/start_sts2.htm?teilplan=ZBUDGET&version=002&sap-client=200&sap-language=E
    When pasting this link in the browser, STS automatically redirects you to the https protocol, which is fine if you are using STS BSP application stand alone.
    This represents a problem however, if the application is integrated into portal BSP iView. If portal is running under HTTPS, then clicking on the STS iView causes a warning message to be displayed saying that you are about to be redirected to the page that is not secure because for some reason the very first page STS generates uses http protocol disregarding the fact that HTTPS has been setup for STS. This warning message creates a false assumption that the pages are not secured, while in fact right after the warning message is displayed a redirect to https occurs making sure STS pages are protected.
    My question is: is there some sort of global setting where you can control the generation of STS start URL? I made changes for every page making sure Transfer Options set to HTTPS, and also made sure Logon page is using HTTPS in the SICF transaction for tunguska and tunguska_detail services.
    At this point we are stuck and do not know what to do to eliminate that warning and how to control the generation of start URL in STS. Any help would  be greatly appreciated.
    Thank you,
    Andrei

  • How to avoid the port in portal

    Hi Gurus,
    Please help me on this.
    We have implemented SSL in our portal EP7.0.
    My question is: I need to avoid the port number now and give a normal URL.
    Now the URL is https://<host>.<company>:50001/irj/portal
    Now I want to change it to https://host.company/irj/portal
    thanks,
    Kishore

    Hi Kishore,
    Change the default portal URL to give the users a more user friendly URL. The following steps will show you how to modify the URL from the default port of 50000 to 80 which is the browser default. Also you will learn how to setup a redirect from the J2EE Engine so the user can find the portal without first inputting the /irj/portal to the URL.
    Change the Port:
    1. Switch to the J2EE Visual Administrator
    2. Go to Cluster -> Dispatcher -> Services -> HTTP Provider
    3. Choose Ports
    4. Change the Port number to 80 for http and 81 for ssl
    5. Choose Update and Save.
    Remove the irj/portal:
    1. Go to Cluster -> Server -> Services -> HTTP Provider
    2. Enter /irj/portal in the Start Page text field
    3. Choose Save Properties button
    4. Restart the Service
    Regards
    Krishna.

  • Mod_wl_ohs with Webcache over SSL

    I am having a strange failure. Whenever I access portal, discoverer, or other Weblogic applications over an SSL connection, I am given WXE-12412 constantly no matter what browser is used. Everything works fine over non-ssl. In my case I have a pre-existing Wildcard SSL certificate that we use for all of our servers therefore my OWM is always fubar and I cannot use it to manage my wallets. I created my wallets in the form of a JKS that was then ported over to an Oracle Wallet through the conversion tool with Oracle 10g Middle Tier for SSO and OID. This wallet was then copied from the middle tier server to my applications middle tier server (11gR1). My wallet is identical across all hosts, just copied through sftp. I have been going through the guide (http://download.oracle.com/docs/cd/E12839_01/portal.1111/e10239/cg_secur.htm#BABCDFBI) and have completed all steps for SSL from clients to Webcache with a non-ssl backend. My OID is running SSL to clients but non-SSL to my portal server. Can anyone provide any suggestions? These problems only seem to be occurring through applications that run over Weblogic and the weblogic plugin instead of the OHS.

    This is a very old post, however I thought answering this might help someone.
    By default in OAM 11G R2 all webgates have the DenyOnNotProtected as true.
    If you see Not Found (but not 404) when accessing, it means it's denied by webgate and you might want to create an anonymous access authentication scheme and protect your document root with that.
    If you are using mod_wl_ohs and seeing this error with a 404 on the screen,
    you will have to use the WLExcludePathOrMimeType property in the mod_wl_ohs.conf file.
    By default when you use mod_wl_ohs everything is sent to weblogic and OHS acts as proxy for all URLs.
    So you need to explicitly exclude what you don't want to proxy and want to use on the local OHS document root.
    Hope this helps.
    - Kungo
    P.S. working sample of mod_wl_ohs.conf file for 11h ohs and 11g weblogic
    # NOTE : This is a template to configure mod_weblogic.
    LoadModule weblogic_module   "${ORACLE_HOME}/ohs/modules/mod_wl_ohs.so"
    # This empty block is needed to save mod_wl related configuration from EM to this file when changes are made at the Base Virtual Host Level
    <IfModule weblogic_module>
        WebLogicHost localhost
        WebLogicPort 7001
        # This excludes all html pages inside htdocs (they are served locally, not proxied)
        WLExcludePathOrMimeType /*.html
        # Requests under /benefits are handed to WebLogic
        <Location /benefits>
            SetHandler weblogic-handler
            Debug ON
        </Location>
    </IfModule>
