SSL Setup in a load balanced portal

Hi,
We are implementing a portal landscape and also we are using a hardware based (Cisco ACE) load balancer for load balancing purposes.
So the configuration would be:
Portal requests --> Load Balancer --> Portal --> Backend
We are trying to implement SSL until the portal server and I have a question regarding the SSL certificate installation process.
The URL on the load balancer would be for example https://portaltest.mycompany.com which would load balance the requests between the application servers of the portal (https://sapeptest1.mycompany.com:50001/irj/portal and https://sapeptest2.mycompany.com:50001/irj/portal).
So the first thing we will have to do would be to install an SSL certificate (signed by a Trusted CA) on the load balancer with a CN=portaltest.mycompany.com.
I understand that for https to function properly, the host name in the URL we are using to get to the server should match the CN of the SSL certificate installed on the server.
Now, can we install the same certificate (that we put on the LB) on the portal as well?
(This might not work because the server type will be different)
(or)
Do we need to buy 2 certificates with the same CN and install one each on the LB and portal?
Can someone please suggest how to proceed with the SSL setup and certificate installation process?
Thank you,
Raj

Raj Kumar wrote:
My question is about how to go about installing the certificates on the LB and on the portal.
If you aren't using web dispatcher, then the details of the installation on the LB will depend on your LB (Cisco? Radware? etc?). I suggest contacting your LB vendor for that.
Sen's link is for SSO, you want the [SSL procedure|http://help.sap.com/saphelp_nw70/helpdata/en/f1/2de3be0382df45a398d3f9fb86a36a/frameset.htm].
You probably don't need a signed cert on the portal server itself (depending on whether your LB validates the cert). You could just use the default self-signed cert, since users won't be connecting to it directly and so won't be troubled by warnings about untrusted certs: the traffic from the AS would still be encrypted, you would only lose out on the server authentication feature (which you don't need, since again users won't see it).
On the other hand, do you really need SSL on the portal server? That adds overhead at both the LB and portal. It's usually sufficient to use HTTP from the LB to the back-end, as long as the servers only allow connections from the LB. I realize you aren't using web dispatcher, but this looks like scenario #3 in [this diagram|http://help.sap.com/saphelp_nw70/helpdata/en/d8/a922d7f45f11d5996e00508b5d5211/frameset.htm].
Regards,
Sean

Similar Messages

  • SSL setup with a load balancer

    We are running EP 7.0 SP14 and have set it up to run through a Cisco ACE load balancer.  We have also set up SSL with the certificate on the ACE load balancer.  Everything works fine, except we keep getting a Security Alert popup message in IE that states "You are about to be redirected to a connection that is not secure."
    Are there some additional configurations that I need to do in EP to make this go away?
    Maximum points to the first correct answer.

    You can change logoff URL to any value:
    http://help.sap.com/saphelp_nw04s/helpdata/en/44/aada5230be5e77e10000000a155369/frameset.htm
    Regarding VC apps.
    It is strange you cannot see HTTP in IEWatch. IE should not be able to alert about something it does not see. I suggest you use something more substantial to trace network calls: http://www.wireshark.org
    This is the best tool I know for network tracing.
    Regards,
    Slava

  • Recommended configuration for load balanced Portal with load balancer, multiple gateways and multiple servers.

    Does anyone have a recommended network, hardware and software configuration guide for a Portal installation running with multiple gateways load balanced (ie one URL) that talk to multiple servers?

    David,
    We've used Resonate (software) to load balance the gateways. It allows
    you to group all the gateways under 1 virtual URL and load balance the
    incoming connections over each gateway depending on the rules that you
    define in Resonate. Look in the SUN portal whitepapers there is one that
    talks about it specifically.
    As far as load balancing the calls to the portals, the gateways will
    automatically load balance across all the portals that they know about
    using a simple round-robin rotation. You may be able to use Resonate in
    front of the portals but you may need to activate persistence within
    Resonate to ensure that the user always ends up on the portal that he
    established his initial connection on (if you want that), check with Sun
    on this one.

  • SSL termination using Hardware Load Balancer

    We are trying to implement SSL at the hardware load balancer layer and terminate the SSL there.  Architecture includes Apache Reverse Proxy and Portal server running EP7 SP18.  In this scenario we want encryption between the client browser and the Load Balancer (BigIP F5).  The load balancer will then decrypt the request and send it to the Apache reverse proxy on port 80.  Apache reverse proxy will send the request to the Portal J2EE engine on the http port.
    This scenario seems to work in most cases but we are having issues with the standard portal login page.  The login page is sent to the browser on https but when entering credentials and selecting the login button a request gets generated on port 80, not 443 (https), and is not serviced by the load balancer.  99% of the requests that get generated from the client browser stay on port 443 as expected but for some reason this particular request switches to port 80.
    How can we keep all requests generated on port 443 (https)?

    Hello Brian (all)
    I am facing the same issue - except we do not have the Apache proxy in the setup..... just HTTPS to a Cisco ACE load balancer and then HTTP to the portal. 
    Nearly all of the portal content is working great, but am facing the situation that some ESS content is switching to HTTP.  In discussing with the network team, they have done the following:
    1/ Replies from the portal server back to the client have an SSL rewrite performed, which modifies a 301 or 302 reply and changes http URLs to https.
    2/ The load balancer adds an HTTP header "ClientProtocol https" to the request it sends to the portal server.
    They feel we need to find a way to have the portal server only send either references with no host:header (i.e. http) or only send host:header with https to keep it all SSL.
    Any advice?
    Edited by: Eric Poellinger on Jan 5, 2011 5:09 AM
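    An added illustration, not code from these threads (which describe the ACE-side rewrite only in words), of what that 301/302 rewrite has to do and what it must leave alone, covering both the "redirected to a connection that is not secure" popup in the earlier thread and the ESS content switching to HTTP here. The host name, port and the ClientProtocol / X-Forwarded-Proto header names are assumptions; the LB must set that header itself on every request and strip any client-supplied copy.

```python
"""Scheme-preserving rewrite of redirect Location headers behind an
SSL-terminating load balancer (added example; constructed hosts and headers)."""
from urllib.parse import urlsplit, urlunsplit

# Public name the LB presents on 443; the portal behind it speaks plain HTTP.
# Both values are assumptions for this example.
LB_HOST = "portaltest.mycompany.com"
LB_HTTPS_PORT = 443
# Header the LB adds to tell the backend how the browser connected.  The
# thread's ACE uses "ClientProtocol"; X-Forwarded-Proto is the common name.
PROTO_HEADERS = ("clientprotocol", "x-forwarded-proto")
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def client_scheme(request_headers: dict) -> str:
    """Scheme the browser used.  Only meaningful if the LB overwrites the
    header on every request, so a client cannot inject its own value."""
    lowered = {k.lower(): v.strip().lower() for k, v in request_headers.items()}
    for name in PROTO_HEADERS:
        if lowered.get(name) in ("http", "https"):
            return lowered[name]
    return "http"


def rewrite_location(status: int, location: str, request_headers: dict) -> str:
    """Return the Location value the LB should send to the browser.

    Rewrites http://LB_HOST[:port]/... to https://LB_HOST/... when the browser
    arrived over HTTPS.  Relative redirects, other schemes and third-party
    hosts pass through unchanged, as does anything that is not a redirect."""
    if status not in REDIRECT_STATUSES or client_scheme(request_headers) != "https":
        return location
    parts = urlsplit(location)
    if parts.scheme != "http" or (parts.hostname or "") != LB_HOST:
        return location
    # The backend's plain-HTTP port (e.g. :50000) means nothing to the browser;
    # the LB listens on LB_HTTPS_PORT, so the port is replaced, not copied.
    netloc = LB_HOST if LB_HTTPS_PORT == 443 else f"{LB_HOST}:{LB_HTTPS_PORT}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample: the login-form redirect the threads complain about.
    hdrs = {"Host": LB_HOST, "ClientProtocol": "https"}
    for loc in ("http://portaltest.mycompany.com:50000/irj/portal",
                "/irj/portal", "http://www.example.com/"):
        print(loc, "->", rewrite_location(302, loc, hdrs))
```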

  • Load Balancing Portal that uses JPDK portlets

    We are having the following Portal architecture :
    -Browser
    -Firewall
    -Load Balancers
    -Multiple 9iAS middle-tiers (2)
    -DB Server
    We are using Web Providers registered with Portal which calls JPDK portlets.
    We have registered the Web Provider url's, but of course had to enter a URL to point to the location of the provider.xml. If we enter the URL specifying a particular 9iAS middle-tier hostname, all requests for the provider from any of the middle-tiers are routed through the one 9iAS server, which places a heavy load on this server.
    Requirement : We want to specify the location of the provider.xml as local to the particular 9iAS server and so call the portlet from the same server, which will spread the load.
    What would be the best way to achieve this ?

    Hi,
    You can very well provide the URL of 'Load balancer' while registering the WebProvider, provided it meets the following condition :
    Condition : For example, your middle-tiers are named 'machineA' & 'machineB'. Your loadbalancer's name being 'loadbalancer'. Say, a user wants to access a file by name 'test.html' which exists in both machineA & machineB and is identical. Let http://machineA/test.html & http://machineB/test.html be the URLS for accessing it.
    The user should get the output after specifying the loadbalancer's name in the place of the 'serverA' or serverB.
    Something like, http://loadbalancer/test.html
    If the condition is satisfied, you can register the webprovider with the Loadbalancer's URL.
    --Sriram

  • SSL Certificate and F5 load balancer.

    Hi All,
    I need to create an SSL certificate to enable SSL on the HTTP server. Can you please give me the steps for that? I also need to configure SSL on the load balancer; how would I do that? I will be thankful if anybody can provide detailed steps. Thanks in advance.
    Thanks,
    Virendra

    Hi,
    What is the application release?
    For SSL, please see these documents.
    Note: 123718.1 - 11i: A Guide to Understanding and Implementing SSL for Oracle Applications
    Note: 300969.1 - Troubleshooting SSL with Oracle Applications 11i
    Note: 376700.1 - Enabling SSL in Release 12
    For Load Balancing, please refer to:
    Note: 380489.1 - Using Load-Balancers with Oracle E-Business Suite Release 12
    Note: 727171.1 - Implementing Load Balancing On Oracle E-Business Suite - Documentation For Specific Load Balancer Hardware
    Note: 601694.1 - How To Check Session Persistence On BigIP F5 And Cisco Ace Load Balancer Appliances
    Note: 603325.1 - Using Cisco ACE Series Application Control Engine with Oracle E-Business Suite Release 12
    Regards,
    Hussein

  • XML Publisher Time out setup issue with load balancer

    I have a single node install of Oracle Apps 12.0.4. When running an XML report, it completes successfully and I can view the XML report by clicking on the "view output" button.
    I have an Oracle Apps 12.0.4 multi-node install with my database and admin tier running on the same box. I also have two app tiers front-ended with a Cisco load balancer. In this environment, when I run an XML Report the job completes with a warning. I have reviewed the Output Post Processor log file and have the below errors.
    [10/14/08 3:40:48 PM] [14736:RT4712865] Executing post-processing actions for request 4712865.
    [10/14/08 3:40:48 PM] [14736:RT4712865] Starting XML Publisher post-processing action.
    [10/14/08 3:40:48 PM] [14736:RT4712865]
    Template code: FNDCPPGD_XML
    Template app: FND
    Language: en
    Territory: US
    Output type: PDF
    [10/14/08 3:44:33 PM] [UNEXPECTED] [14736:RT4712865] java.net.ConnectException: Connection timed out
    at java.net.PlainSocketImpl.socketConnect(Native Method)
    at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:333)
    at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:195)
    at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:182)
    at java.net.Socket.connect(Socket.java:516)
    at java.net.Socket.connect(Socket.java:466)
    at sun.net.NetworkClient.doConnect(NetworkClient.java:157)
    at sun.net.www.http.HttpClient.openServer(HttpClient.java:365)
    at sun.net.www.http.HttpClient.openServer(HttpClient.java:477)
    at sun.net.www.http.HttpClient.<init>(HttpClient.java:214)
    at sun.net.www.http.HttpClient.New(HttpClient.java:287)
    at sun.net.www.http.HttpClient.New(HttpClient.java:299)
    at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:796)
    at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:748)
    at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:673)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:917)
    at java.net.URL.openStream(URL.java:1007)
    at oracle.apps.fnd.cp.util.RemoteFile.readURL(RemoteFile.java:217)
    at oracle.apps.fnd.cp.util.RemoteFile.transferFile(RemoteFile.java:195)
    at oracle.apps.fnd.cp.util.RemoteFile.transfer(RemoteFile.java:131)
    at oracle.apps.fnd.cp.opp.XMLPublisherProcessor.process(XMLPublisherProcessor.java:224)
    at oracle.apps.fnd.cp.opp.OPPRequestThread.run(OPPRequestThread.java:172)
    I have double-checked my tnsnames.ora, opened an SR, researched in Metalink & on the web but am unable to find a resolution. Any help would be appreciated. Thanks!

    We have the same issue. Any workaround so far?

  • Load Balancing ITS on ERP 2005 displayed through EP 7.0

    We are having trouble setting up our Cisco ACE load balancer for ITS on ERP 2005 displayed through EP 7.0.  The help documentation is a little confusing as to whether ITS does its load balancing by itself, or with ERP 2005, you need an external load balancer.  Does ITS on ERP 2005 provide load balancing?
    If it does not, we need an external load balancer and are trying to figure out how to configure the ACE tool for that, particularly around session persistence.  Since we are also doing reverse proxy, we would need to use session cookies to key the sticky round-robin load balancing off of.  The documentation is a little vague on what the cookie variable is for ITS sessions.  Can anyone point me to detailed instructions on how to do this?

    Hi,
    besides the SAP Help, you can also check out the following blogs. They explain step-by-step configuration to get a SAP Web Dispatcher running:
    How to...Configure SAP Webdispatcher as a reverse proxy
    Setup SAP Web Dispatcher with URL Filter
    Setup SAP Web Dispatcher with URL Filter on SuSE Linux 9.0
    How to setup webdispatcher to load balance portal in a clustered environment
    br,
    Tobias

  • Load balancing ssl that terminates on servers

    Hi,
    Right now I have a very simple clear-text http + https setup. Initially, my load-balancer was terminating SSL, but because of the way our application works, we moved away from that and installed an SSL server on the servers themselves, which we know works fine when we access the servers directly.
    On the CSS I have a very simple ssl-balance rule:
    content srv.443
      add service srv1.ssl
      add service srv2.ssl
      advanced-balance sticky-srcip
      protocol tcp
      port 443
      url "/*"
      vip address 10.72.39.17
      active
    service srv1.ssl
      ip address 10.72.39.71
      protocol tcp
      keepalive port 51001
      port 51001
      active
    service srv2.ssl
      ip address 10.72.39.72
      protocol tcp
      port 51001
      keepalive port 51001
      active
    The problem I'm seeing right now is that even though I deleted all config regarding SSL termination on the CSS, every time I hit the 'ssl-vip' I still get the locally generated certificate instead of the valid one I get when hitting the web servers directly.
    It's weird that the CSS keeps trying to use its own certificate, when all related config has been deleted.
    Now I have a question. I assumed that there was no problem if one tries to load-balance SSL traffic when the traffic is terminated on the servers themselves. Now I'm not so sure, so an initial question is: can this be done?
    regards,
    c.

    Yes, SSL can be terminated on the servers and load-balanced by the CSS.
    You should remove the "url" from your config because the traffic is now encrypted and the CSS can't see the url.
    If the config is what you indicated, there is no way the CSS can send its own certificate.
    Absolutely no way :-)
    Are you sure your server is sending the correct certificate ?
    Gilles.

  • Cisco switches and virtual ip address(load balancing address) on xenapp portals

    Hi, I am quite new to configuring Cisco switches and stumbled across an issue after installing XenApp 7.6 with a load-balanced portal to the DDCs.
    It seems I can only ping or get access to the portal if I use the real IP address behind the Cisco switch from other subnets in my network.
    I can ping ddc01 and ddc02 and connect to the portal with HTTP without problem. However, when I try to access the load balancing address of the DDCs,
    it won't answer to ping or HTTP.
    In the same subnet there is no problem connecting to the load balancing address of the DDCs, but in locations on other subnets I can only access the real server IP.
    e.g.
    ddc01   192.168.1.4    OK to ping and access behind Cisco switch from subnets
    ddc02   192.168.1.5    OK to ping and access behind Cisco switch from subnets
    load balancing for both DDCs 192.168.1.6: no answer or access from subnets, only in the same subnet
    Is there any way to configure the switch to access the load balancing address of the DDCs?
    Regards
    Pål Arne Røberg

    Wrong forum. This forum is dedicated to feedback related to CSC framework itself. You should not wish for response here.
    Moved by moderator, no longer apply.

  • Coyotepoint E350 and OracleAs 10g Hardware Load Balancing SSL

    Hi:
    Has anyone been successful using a CoyotePoint E350 with XCEL SSL accelerator card and OracleAS 10g with SSL to hardware load balance an HTTPS site?

    You're on the right track adding the SSL certificate to the Load Balancer. I'm not really sure what you mean by 'without the use of Webcache'? However, if I had the choice, I'd always add the certificate to the Load Balancer.
    A good document setting up a load balanced environment is the Enterprise Deployment Guide. Chapter 8 describes the tasks for a Forms environment.
    Regards,
    Martin

  • SSL credentials forwarding by the load balancer

    Hi,
    Is it possible to send the client authentication to a real server? The idea is to leave the SSL termination to the load balancer but do authentication on the (real) server. Thanks in advance

    not possible.
    Gilles.

  • Load Balancer and SSL

    What is the correct/recommended way to configure ssl through the load balancer with the DS or DPS? I see 3 options:
    1. SSL termination at the load balancer level
    2. using wildcard certs
    3. specifying the subjectAlternativeName in the cert.
    I am currently looking at using 2 or 3 and have some questions. 2 seems like the best option and makes it more seamless to applications if you bring in an additional backend server; then you don't need to load any other certs for any applications.
    For option 3, how can you specify the subjectAlternativeName when generating a CSR? I don't see any way of doing that except as mentioned here. I see in the Access Manager [docs |http://docs.sun.com/app/docs/doc/819-5899/gcdvv?l=ru&a=view] to specify the Subject DN as the load balancer name. Will this work correctly without having the subject DN as the FQDN of the DS/DPS?

    I'm not sure your 3 options are mutually exclusive. We're going to be doing a combination of 1 and 2. We're going to purchase a wildcard certificate and put it on our load balancer. The SSL traffic will terminate at the load balancer and go straight LDAP from the load balancer to the DS host.
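    The hostname check behind two of the questions on this page (the opening thread's question of whether the CN=portaltest.mycompany.com certificate from the LB can also serve sapeptest1/sapeptest2, and the wildcard-versus-subjectAltName choice in this thread), as an added Python illustration rather than code from either thread. The certificate dicts are constructed in the shape ssl.getpeercert() returns; the matching rules follow RFC 6125 (SAN entries take precedence over the CN, and a wildcard is honoured only as the whole leftmost label).

```python
"""Which hostnames does a given server certificate cover?  Added example:
re-implements the RFC 6125 name check on constructed getpeercert()-style dicts
so the three certificate shapes discussed on this page can be compared offline."""


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match of one certificate name against a hostname.
    A wildcard is accepted only as the entire leftmost label, never matches
    across a dot, and is rejected for very short names such as *.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """If the cert carries subjectAltName DNS entries, only those count; the
    subject CN is consulted solely when no SAN is present (RFC 6125 6.4.4),
    which is how browsers and most TLS libraries behave."""
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return any(_dns_name_matches(name, hostname) for name in san)
    cns = [value for rdn in cert.get("subject", ()) for key, value in rdn
           if key == "commonName"]
    return any(_dns_name_matches(cn, hostname) for cn in cns)


# Constructed certificate shapes using the hostnames from the opening thread
# (not real certificates): the single-CN cert bought for the LB, a SAN cert
# listing the LB name plus both backends, and a wildcard for the domain.
LB_CERT = {"subject": ((("commonName", "portaltest.mycompany.com"),),)}
SAN_CERT = {
    "subject": ((("commonName", "portaltest.mycompany.com"),),),
    "subjectAltName": (("DNS", "portaltest.mycompany.com"),
                       ("DNS", "sapeptest1.mycompany.com"),
                       ("DNS", "sapeptest2.mycompany.com")),
}
WILDCARD_CERT = {"subject": ((("commonName", "*.mycompany.com"),),)}

HOSTS = ("portaltest.mycompany.com", "sapeptest1.mycompany.com",
         "sapeptest2.mycompany.com", "deep.sub.mycompany.com")


def coverage(cert: dict) -> dict:
    """Map each hostname of interest to whether the certificate covers it."""
    return {host: cert_matches_hostname(cert, host) for host in HOSTS}


if __name__ == "__main__":
    for label, cert in (("single CN", LB_CERT), ("SAN", SAN_CERT),
                        ("wildcard", WILDCARD_CERT)):
        print(label, coverage(cert))
```

The single-CN certificate covers only the LB name, which is why installing it unchanged on the backends would fail any hostname validation the LB performs; a SAN certificate listing all three names, or a wildcard, covers them, and the wildcard still does not reach a deeper subdomain.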

  • FIM Load Balancing and SPN's - Strange behaviour

    I have a FIM setup in a domain
    I have mycorp.com and a domain in the same forest contractor.mycorp.com (fictional setup)
    I have 2 servers built in the contractors.mycorp.com domain
    Id1
    Id2
    Id1 has the Service and portal on wss3 in SharePoint farm mode, Sp central admin is on this as well
    Id2 has the service and is a load balanced SharePoint farm.
    I have NLB setup and working the service name is identity.mycorp.com pointing at the IP of the NLB
    I have a CNAME identity pointing at identity.mycorp.com
    Identity.mycorp.com is used as the name of the Service and the Portal.
    In the ApplicationHost.config I have
    <system.webServer>
       <security>
          <authentication>
             <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" />
          </authentication>
       </security>
    </system.webServer>
    I have kernel mode enabled, and I have Windows authentication enabled in the IIS console on id1 and id2.
    The app pool credentials are a domain account SPService for SharePoint Service; the app pool is set on both id1 and id2 servers. The root domain account mycorp\SPService is used.
    In
    c:\inetpub\wwwroot\wss\VirtualDirectories
    I have set
    <resourceManagementClient
    requireKerberos="true"
    I have registered the alternate URL mappings for SharePoint as
    Identity
    Identity.myCorp.com
    I have registered SPN's for
    Setspn -S FIMService/identity.myCorp.com myCorp\FIMService
    Setspn -S FIMService/identity  myCorp\FIMService
    Setspn -S HTTP/identity.myCorp.com myCorp\SPService
    Setspn -S HTTP/identity myCorp\SPService
    I have configured delegation for both accounts in ADUC for the identity.mycorp.com
    So all is well and I installed everything fine.
    Now my problem is that if I go to id1 and browse to http://identity/identitymanagement I get redirected, and authenticated with my admin account, to
    http://id1/IdentityManagement/default.aspx
    On id1 if I go to http://identity.myCorp.com/identitymanagement I get prompted for credentials, when I enter myCorp\FIMAdmin and my password I get redirected to the portal at
    http://id1/IdentityManagement/default.aspx
    If I try and authenticate to any of the previous URL's from other machines in my domain, including the load balanced box id2 I get "HTTP Error 401. The requested resource requires user authentication."
    Even if I try and browse to
    http://id1/identitymanagement from another machine I am getting 401. Only on
    http://id1 am I getting a result, even if there is a prompt.
    I am sure my SPN's are fine, there are no duplicate SPN's, I checked with the -x switch
    So my load balanced portal and service are not working as I would have thought, I have looked at
    http://blogs.msdn.com/b/webtopics/archive/2009/01/19/service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-0.aspx
    http://social.technet.microsoft.com/Forums/en-US/484faae8-4df6-4b81-8b2d-9d75d5258e4f/fim-portal-http-error-401-the-requested-resource-requires-user-authentication?forum=ilm2
    http://social.technet.microsoft.com/wiki/contents/articles/4473.fim-http-error-401-the-requested-resource-requires-user-authentication.aspx
    http://setspn.blogspot.ie/2010/06/kerberos-basic-troubleshooting-tip-3.html
    The only thing that I can think of is that the machine is in the contractors.myCorp.com domain which makes the machine unique from where the SPN's are registered, but if that was the case then browsing to the portal from http://id1 would certainly fail.
    Can anyone see anything wrong with my approach ?
    Normally I find SharePoint a pain, but this week it seems to be this.
    When I ran the fim service install I specified identity.myCorp.com as the name of the server
    Rob

    In my Load Balanced setup it helped a lot (on some strange behaviours) when I set up Load Balancer to keep session on one server.
    Borys Majewski, Identity Management Solutions Architect (Blog: IDArchitect.NET)

  • SAP GLM Print Request - Load Balancing of WWI server

    Hi GLM Experts,
    I am using new GLM + module that generates labels based on Print Requests. I am unable to understand how I can load balance the WWI services when there are multiple label printing requests.
    In GLM+ we associate a WWI to a Print Station, which can then be associated with a printer. So in the configuration we are tying a printer to a WWI.
    Also during label printing, if the scenario uses the print request module, then the user needs to select a print station and printer. What happens if the WWI related to the print station is down?
    For example I have two services in WWI server GENPC1 and GENPC2. I created WWII and WWI2 as two print stations. I will associate my printer PRNWWI to both the print stations WWI1 and WWI2.
    During label printing, if the user picks WWI1 and Printer PDNWWI and the GENPC1 WWI server associated with print status WWI1 is busy and down, I want WWI GENPC2 to generate the label?
    How to setup the above load balancing or fall back? Please let me know.
    Thanks
    Pugal

    Dear Pugal
    we are not using GLM+ and I am not sure about the technique used there to handle load balancing. Regarding general WWI setup I assume you know this Note: EH&S: Availability and performance of WWI and Expert servers
    On top there is a further SAP Note available which might be of interest. This is referenced here:
    http://de.scribd.com/doc/191576739/011000358700000861002013-e
    Maybe check OSS note: 1958655; OSS Note 1155294 is more related to normal WWI stuff, but maybe check it as well. Maybe 1934253 might help better.
    Maybe this might help.
    C.B.
    PS: maybe check as well: consolut - EHS_MD_140_01 - EH&S-Management-Server einrichten
    The load balancing of synchronous WWI servers is done in the "RFC" layer, therefore you have no influence here; for asynchronous WWI servers you can do a lot to manage the WWI load balancing by using "exits" etc.
