SSL setup in PI 7.1

Hi,
I used NWA to create secure store, CSR and imported the CSR response. Its working fine on the CI. I added a dialog instance and want to include that server (instance) into SSL. I exported my certificate from the CI and imported into DI (NWA-Key storage). However I could not access PI tools with just the java stack of DI running. So I am not sure if there is a missing step. Also in STRUST under Client PSE where I have both instances listed, the DI is showing RED. The CI is green. I have the root certificates imported into it to access other systems (ECC etc) using https.
I did not use STRUST at all to create server PSEs as with 7.1 we would have to use either NWA or STRUST and maintain the using the same tool.
Your help/suggestions would be much appreciated.
Thanks.

Hi,
Find below link for more help on SSL configuration
SSL Configuration
http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/frameset.htm
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/964f67ec-0701-0010-bd88-f995abf4e1fc
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/23894238-0701-0010-40b0-a0a6d5c4ad9f?prtmode=navigate
SSL Message level security
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/d024ca8e-e76e-2910-c183-8ea4ba681c51
Certificate Authority
http://www.tc.umn.edu/~brams006/selfsign.html
Digital signature & document entryption
http://help.sap.com/saphelp_nw04/helpdata/en/4f/65c3b32107964996a56e4165077e24/frameset.htm

Similar Messages

SSL setup - Weblogic 10.3 and OIM 9.1.0.1

I am using self generated certs. I have followed all the steps in configuring SSL for OIM given in section 8.6.2 SSL Certificate Setup given in Installation and Configuration Guide for Oracle WebLogic Server Release 9.1.0.1 E14047-02.
But when I try to perform the following step:
To configure the trust store:
1. Copy the supportcert.pem file to the following location on the Design Console:
OIM_DC_HOME\java\lib\security.
2. Open a command prompt at OIM_DC_HOME\java\lib\security and run the
following command:
cd OIM_DC_HOME\java\lib\security
keytool -import
-alias support
-trustcacerts
-file supportcert.pem
-keystore cacerts
-storepass changeit
I don't see any folder in oim client as given above of \java\lib\security. So I created the same and followed the instructions but still the keytool.exe s not present in it. So is something missing in the document that we are not aware of? Do we have to copy the keytool.exe from BEA_HOME? I tried that too but it propped up an error saying some DLL/JAR not found.
I found this viewlet which shows something different related to SSL setup in weblogic
\S21880\Setup_SSL_Certificates_WLS70_61_viewlet_swf.htm
Are the steps given in the guide enough for the SSL configuration between weblogic and oim ? or do we need to follow some other steps too ?
Any ideas/clues/suggestions? Very appreciative.
Many Thanks in advance.
- oidm.

I had a look into the xlclient.cmd file and went to the JAVA directory which is being used. And did a search for the "cacerts" and found out that there is a file named cacerts in the JAVA_HOME/jre/lib/security folder over there.
But how does that relate to the problem of running the keytool command successfully at the right place (OIM_DC_HOME) ?
Any hints Kevin....
Thanks,
- oidm.

SSL Setup in a load balanced portal

Hi,
We are implementing a portal landscape and also we are using a hardware based (Cisco ACE) load balancer for load balancing purposes.
So the configuration would be:
Portal requests --> Load Balancer --> Portal --> Backend
We are trying to implement SSL until the portal server and I have a question regarding the SSL certificate installation process.
The URL on the load balancer would be for example https://portaltest.mycompany.com which would load balance the requests between the application servers of the portal (https://sapeptest1.mycompany.com:50001/irj/portal and https://sapeptest2.mycompany.com:50001/irj/portal).
So, first thing we will have to do would be to install an SSL certificate (signed by a Trusted CA) on the load balancer with a CN=portaltest.mycompany.com.
I understand that for https to function properly, the host name in the URL we are using to get to the server should match the CN of the SSL certificate installed on the server.
Now, can we install the same certificate (that we put on the LB) on the portal as well?
(This might not work because the server type will be different)
(or)
Do we need to buy 2 certificates with the same CN and install one each on the LB and portal ?
Can some one please suggest on how to proceed with the SSL setup and certificate installation process ?
Thank You ,
Raj

Raj Kumar wrote:
My question is about how to go about installing the certificates on the LB and on the portal.
If you aren't using web dispatcher, then the details of the installation on the LB will depend on your LB (Cisco? Radware? etc?). I suggest contacting your LB vendor for that.
Sen's link is for SSO, you want the [SSL procedure|http://help.sap.com/saphelp_nw70/helpdata/en/f1/2de3be0382df45a398d3f9fb86a36a/frameset.htm].
You probably don't need a signed cert on the portal server itself (depending on whether your LB validates the cert). You could just use the default self-signed cert, since users won't be connecting to it directly and so won't be troubled by warnings about untrusted certs: the traffic from the AS would still be encrypted, you would only lose out on the server authentication feature (which you don't need, since again users won't see it).
On the other hand, do you really need SSL on portal server? That adds overhead at both the LB and portal. It's usually sufficient to use HTTP from the LB to the back-end, as long as the servers only allow connections from the LB. I realize you aren't using web dispatcher, but this looks like scenario #3 in [this diagram|http://help.sap.com/saphelp_nw70/helpdata/en/d8/a922d7f45f11d5996e00508b5d5211/frameset.htm]
Regards,
Sean

Impact of running autoconfig on SSL setup

Hi,
I have SSL setup in production and need to apply the latest autoconfig patch there. Can you please advice if running autoconfig will impact the current SSL setup in any way?
My EBS version is 11.5.10.2 with 10.2.0.4 database. I have a multinode configuration with Web and forms server on one node and Database, reports, concurrent and admin server on the other.

user503988 wrote:
Hi,
I have SSL setup in production and need to apply the latest autoconfig patch there. Can you please advice if running autoconfig will impact the current SSL setup in any way?
My EBS version is 11.5.10.2 with 10.2.0.4 database. I have a multinode configuration with Web and forms server on one node and Database, reports, concurrent and admin server on the other.AutoConfig should not impact your SSL setup, as long as you followed these MOS docs to implement SSL and have all the context variables set properly.
11i: A Guide to Understanding and Implementing SSL for Oracle Applications [ID 123718.1]
11i: Troubleshooting SSL with Oracle Applications [ID 300969.1]
Thanks,
Hussein

Upgrading WLS 8.1 SP2 to SP5: does SSL setup need to be re-done?

All,
Our production application has been built using Workshop 8.1 SP2, and is deployed on a WLS 8.1 SP2. We are now wanting to upgrade to SP5, and so I used the "Smart Update" utility to upgrade my local instance to SP5. Our application is accessed over SSL, so I was wondering if the whole SSL-setup that was done when we setup our production SP2 environment a year ago needs to be re-done? Our application has a web module, two java projects, uses SSL-based web-services and has a custom Oracle JAAS login module. I already found out that there is a particular setting on the domain that has changed between SP2 and SP5 that allows anonymous lookup of MBeans(Anonymous Admin Lookup Enabled). Are there any other such settings/considerations i need to be aware of in moving from SP2 to SP5?
All help is appreciated..it will help me decide on moving to SP5.
Thanks in advance!
Vik.

Hi Vik
When you use smartupdate to upgrade from sp2 to sp5, it will upgrade only the weblogic workshop instance and not the domains.
Either you will have to upgrade the existing sp2 domain to sp5 or create a new sp5 domain and configure it just like sp2.
After the upgrade open the config.xml under the new domain and check the SSL config under the server just to make sure.As far as the SSL config is concerned it did not change from sp2 to sp5.
More information on this is available at
http://e-docs.bea.com/platform/docs81/upgrade/faq.html
Thanks
Vimala

SSL setup with a load balancer

We are running EP 7.0 SP14 and have set it up to run through a Cisco ACE loadbalancer. We have also setup SSL with the certificate on the ACE load balancer. Everythign work fine, except we keep getting a Security Alert popup message in IE that states "You are about to be redirected to a connection that is not secure."
Are there some additional configurations that I need to do in EP to make this go away?
Maximum points to the first correct answer.

You can change logoff URL to any value:
http://help.sap.com/saphelp_nw04s/helpdata/en/44/aada5230be5e77e10000000a155369/frameset.htm
Regarding VC apps.
It is strange you cannot see HTTP in the IEWatch. IE should not be able to alert about something it does not see. I suggest you to use something more substantial to trace network calls: http://www.wireshark.org
This is the best tool I know for network tracing.
Regards,
Slava

WebAccess and SSL setup

Hi all: I just moved our webaccess server from our old bordermanager server (gateway in a secondary domain) to our groupwise server 8.0.2 (primary domain) behind the firewall. I did this as we will be decommissioning our BM server sometime in the future. Webaccess now runs on an OES2 sp3 server.
I have WebAccess setup the running, but for some reason I cannot get SSL working with the correct certificate. Currently webaccess is using the server certificate from our internal CA, while I want it to use a signed certificate from godaddy. I have setup the webaccess gateway with the godaddy signed certificate (pfx) via consoleone. This is how I had set it up when it was running on our BM server. However, webaccess is not using the godaddy certificate.
I am no SSL expert and just do it enough to get by, like once every 2 years.
Thanks for the assistance, Chris.

Like this:
http://www.novell.com/documentation/...a/a7q514o.html
Yes. Did not find a discussion on SSL certs. I have found lots of discussions on SSL redirection and the like, but not on SSL certificates.
>>> Michael Bell<[email protected]> 3/23/2012 10:42 AM >>>
On 3/23/2012 5:47 AM, Chris wrote:
> Hi all: I just moved our webaccess server from our old bordermanager
> server (gateway in a secondary domain) to our groupwise server 8.0.2
> (primary domain) behind the firewall. I did this as we will be
> decommissioning our BM server sometime in the future. Webaccess now runs
> on an OES2 sp3 server.
> I have WebAccess setup the running, but for some reason I cannot get SSL
> working with the correct certificate. Currently webaccess is using the
> server certificate from our internal CA, while I want it to use a signed
> certificate from godaddy. I have setup the webaccess gateway with the
> godaddy signed certificate (pfx) via consoleone. This is how I had set
> it up when it was running on our BM server. However, webaccess is not
> using the godaddy certificate.
> I am no SSL expert and just do it enough to get by, like once every 2
> years.
> Thanks for the assistance, Chris.
Did you read the (quite good) documentation on how to use SSL certs with GW?

Java SSL setup in NW PI 7.1 EHP1

I am trying to set up SSL in a Netweaver PI 7.1 system on EHP1. According to the SAP Help documentation, the default keystore view for SSL should be ICM_SSL_<instance_ID>. It is my understanding that this view is created automatically. I don't remember ever having to manually create it before. But in my current system this keystore view does not exist. Can anyone confirm whether or not this view should have been created automatically during installation as the help documentation suggests?

Hi Kevin,
I found your thread while searching for something else but I am also trying to set up the SSL connection for JAVA.
I would appreciate it if you could help.
Where we are; we intalled sap cryptographic library and on the ABAP side the SSL is working. Now we want to call a Web Service which uses https with a SOAP adapter. But we couldn't configure the SOAP adapter and the SSL cert.
Can you give some intput in what we should do on JAVA to get this working?
Thank you very much.

How to use an existing certificate for the ABAP SSL setup using STRUST

Hi
All the documentation say to Create certificate Request and subsequently import the Certificate response from a CA.
In our case, the company has a certificate from a valid CA root and we would like to use this when creating the SSL PSE files, in particular, the SSL Server PSE.
Should I use sapgenpse instead of strust??
What are the steps to apply the certificate (www.company.com.au) to this instance (host.dom.internal)??????
Thanks
Doug

Hi Dough,
pls chk out this for SSL certificate
http://help.sap.com/saphelp_nw04/helpdata/en/20/37c33ae8361838e10000000a11402f/frameset.htm
http://help.sap.com/saphelp_nw04s/helpdata/en/20/37c33ae8361838e10000000a11402f/frameset.htm
http://help.sap.com/saphelp_nw04/helpdata/en/16/1bb23bdb0d0156e10000000a11402f/frameset.htm
http://help.sap.com/saphelp_nw04s/helpdata/en/16/1bb23bdb0d0156e10000000a11402f/frameset.htm
http://help.sap.com/saphelp_nw04/helpdata/en/c1/96b13b6e95b72ce10000000a114084/frameset.htm
http://help.sap.com/saphelp_nw04s/helpdata/en/c1/96b13b6e95b72ce10000000a114084/frameset.htm
http://help.sap.com/saphelp_nw04/helpdata/en/e1/b6b13bd0ac933ae10000000a11402f/frameset.htm
http://help.sap.com/saphelp_nw04s/helpdata/en/e1/b6b13bd0ac933ae10000000a11402f/frameset.htm
http://help.sap.com/saphelp_nw04/helpdata/en/aa/a8463c6796e61ce10000000a114084/frameset.htm
pls reward points
Thanx
Metha

WLS 6.0 - SSL Setup error

We have configured a managed server to be SSL enableb but the admin
server is not SSL enable. We get the following error when starting
the managed server that is SSL enabled.
<Mar 23, 2001 6:10:06 PM PST> <Alert> <WebLogicServer> <Inconsistent
security co
nfiguration, java.lang.Exception: Unable to open url: http://192.168.10.6:7001/w
l_management java.io.FileNotFoundException: Response: '500' for
url: 'http://192
.168.10.6:7001/wl_management'>
java.lang.Exception: Unable to open url: http://192.168.10.6:7001/wl_management
java.io.FileNotFoundException: Response: '500' for url: 'http://192.168.10.6:700
1/wl_management'
at weblogic.t3.srvr.SSLListenThread.resolvePropertyFromAdminServer(SSLLi
stenThread.java:198)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:425)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:297)
at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:939)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:403)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:169)
at weblogic.Server.main(Server.java:35)
Thanks
Viren

Have you verified that your managed server has a valid
ServerCertificateFileName as well as a ServerCertificateChainFileName? The
first certificate in the ServerCertificateChainFileName must be the signer
of the cert in the ServerCertificateFileName file. The last certificate (may
also be the first) in the ServerCertificateChainFileName must be
self-signed. From the stack trace it looks as though the code may be trying
to get a property or file from the admin server. Does the admin server's
log have any errors in it that contain info about a certificate?
Paul
I think that the
"Viren" <[email protected]> wrote in message
news:3abf8a9f$[email protected]..
>
We have configured a managed server to be SSL enableb but the admin
server is not SSL enable. We get the following error when starting
the managed server that is SSL enabled.
<Mar 23, 2001 6:10:06 PM PST> <Alert> <WebLogicServer> <Inconsistent
security co
nfiguration, java.lang.Exception: Unable to open url:http://192.168.10.6:7001/w
l_management java.io.FileNotFoundException: Response: '500' for
url: 'http://192
168.10.6:7001/wl_management'>
java.lang.Exception: Unable to open url:http://192.168.10.6:7001/wl_management
>
java.io.FileNotFoundException: Response: '500' for url:'http://192.168.10.6:700
1/wl_management'
atweblogic.t3.srvr.SSLListenThread.resolvePropertyFromAdminServer(SSLLi
stenThread.java:198)
atweblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:425)
atweblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:297)
atweblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:939)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:403)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:169)
at weblogic.Server.main(Server.java:35)
Thanks
Viren

WebLogic 10.3.3 - 2-Way SSL setup between WLS JMS Foregin Server & IBM MQ 6

Hi,
I am trying to configure 2-Way SSL between WebLogic 10.3.3 using JMS Foreign Server and IBM MQ 6. I could not find any documentation on this.
Can someone provide with steps for setting up 2-Way between WebLogic and IBM MQ?
Also I want to use SSLPEERNAME attribute in MQ Connection Factory and generate bindings so that I can connect to correct queuemanager on MQ side. Please let me know the configuration steps and check's that have to be done on WLS and IBM MQ side on this.
Thanks in advance
- BoyelT

Check this:
http://www.ibm.com/developerworks/websphere/library/techarticles/0510_fehners/0510_fehners.html

Problems in SSL setup for implementing SLM in the solution manager

Hello,
We are implementing Software Lifecycle manager (SLM) in our SolMan system.
On the step of setting-up SSL, we are no able to see SSL certificate in "view certificate" in our browser.
While trying to import certificate in visual admin we refered Note 1138061 - Maintenance Optimizer: HTTPS Connection for SLM, went to according to note .
On the step 3) Choose "Cluster -> Server... -> Services -> SSL Provider". In the port 5<nr>01, add the new certificate to "Enabled Credential". we are not able to find port 50001, also we are not able to create it in visual admin..
Please suggest.
Thanks,
Shobhit Garg

Issue resolved whithe help of SAP note 510007
Thanks,
Shobhit garg

Missing Active/New Sockets during SSL Setup

Hello Everyone,
We have a situation where we tried to upload a new signed SSL cert ( the previous one worked fine ).
After uploading the new cert; we have lost the SSL port (5XX01) under Active/New Sockets in VA
Anyone know what would cause this?

Thanks..
How do you re-add the ports? We didn't change anything to begin with.
Anyways, we removed the signed cert and bounced the system. The ports came back and everything worked.

SSL SSO Communications Suite 2005Q4 setup

I posted this a few days agao on google groups and have not gotten any responses. Can anyone tell me if its possible to do SSl SSO on Communications Suite. I just want my users to access Communications Express [uwc] with mail and calendar using SSL.
I have Messaging Server 6.2-3.04 (built July 15 2005)
Thanks in advance.
-James
SSL SUN Communications Suite 2005Q4
Only 1 message in topic - view as tree
From:          jamturtle - view profile
Date:          Mon, Apr 3 2006 3:48 pm
Email:           "jamturtle" <[email protected]>
Groups:           comp.sys.sun.apps, comp.sys.sun.admin, comp.unix.solaris, comp.unix.admin
Not yet rated
Rating:
show options
Reply | Reply to Author | Forward | Print | Individual Message | Show original | Remove | Report Abuse | Find messages by this author
Does anybody know how to setup step-by-step SSL and SSO on SUN's
Communications Suite? I am using [or rather testing] The following
products: Calendar Server 6, Messaging Server 6, Communications Express
6, Web Server 6.1 and Access Manager 7. All on just one machine.
I have managed to get Single Sign-On working fine with Comm Express but
I can not seem to manage to get it working with SSL. I mainly want to
run https via Comm Express to access messenger and calendar. This works
great on http.
I have also read [and read] SUN's documentation about setting up SSO
with SSL but that is a bit confusing [to say the least]. I found in the
Comm Express Admin Guide:
Messaging SSO is not supported in SSL.
Work around
To support Messaging SSO with SSL perform the following steps:
How to enable Messaging SSO with SSL
1. Configure Web Server in SSL mode.
2. Configure Communications Express for SSL port of Web Server.
3. Set uwcauth.ssl.enabled=true.
4. Set uwcauth.https.port to SSL port of Web Server.
5. Enable Messaging Server in SSL mode.
6. Set the webmail.port in uwcconfig.properties to SSL port of
Messaging Server.
7. Provide messagingsso.ims.url to Non SSL port of Messaging Server
8. Install the Certificate Management Server root Certificate Authority
(CMS root CA) on both Web Server and Messaging Server.
9. Restart Web Server.
10. Provide a value to local.webmail.sso.ims.verifyurl pointing to Non
SSL port of Messaging Server.
11. Restart Messaging Server.
The problem here is what is meant by "CMS root CA" ?? of course when
searched on Google I get the Communications Express Admin Guide lol :^)
Anyways I got a Thawte Cert for the web server, this seems to work fine
and the "uwc" login page works fine too. Now what do I do to get
messenger to work? Get another Cert?? It says "install CMS root CA on
both Web Server and Messenger" how??? maybe I need to create self
signed certificates??
I need to have calendar working too, there is a SSL setup for calendar
but will it run with SSO uwc??
I also run into the problem in the Admin Guides of using "iplanet
console" to manage certs and some other features, what is this? of
course I can't find it or SUN has changed its name [but still suggests
to use it].
Well I am a bit frustrated, maybe something I am missing or not read
correctly [my apologies]. I do not think this to be uncommon to want an
integrated mail and calendar application running SSO and SSL. So if
anybody knows an easy step-by-step setup or a link to such a thing
please let me know. I am not new to Unix nor Solaris but definitely
know little about Communications Suite [or maybe SUN has changed that
name too :^(
Thanks in Advance
-James

Thanks Jay but I think we are now digressing. I am
sorry if it sounds like I am complaining, I just want
to figure out to how to make this work. Someone must
know how to set this up step-by-step. I think I
understand the difference between SSO and SSL and
that they are not interchangeable, I want both to
work.
If I was to use only ME then I don't need SSO, I
would just use it with SSL, which I still have not
figured out how to do, because I do not know where to
find iPlanet Console???Iplanet Console may be found in your Directory SErver install. command, "startconsole:
You do not need to use Console for anything.
You can use "certutil" to manipulate certificates, should you prefer to do that.
You can use "configutil" to change config settings.
do you know where it should
be, is there a default path? Does it install with ME?It's really the Directory Server console. You have it.
Can I download it?
I also understand that the benefit of SSO is not to
have to sign on several times and that in my case we
are talking about 3 different pieces of software, CE,
ME and Calendar [plus Access Manager].
I am running my system with SSO on CE, ME and
Calendar and it works great. I wish to offer this
setup so my users can access both mail and calendar
via one web interface, just like hotmail, yahoo etc.
I also want remote users to access the same web
b interface via SSL [their passwds will have some
level of security]. As usual, you need to take these one step at a time. First, get your SSL working. Then get CE working. Then follow the documentation to get SSO working. It does work. Many others have been successful getting it all to work.
The reason I asked about possibly another SUN product
is because I have setup other products like IMP and
Zimbra via SSL and they work in this fashion.
I am fairly sure this is possible with these SUN
products but I am still trying to figure out how to
do it.
This is why I am asking if anybody has any experience
setting up this combination of products in this
fashion, please let me know or guide me in the right
direction.
Thanks in advance
-James

May I know the document name which I need to follow when I setup SSL on Por

Hi Gurus,
We have installed 9iAS Portal 90201 and upgraded it to 9023. We are trying to setup SSL for everything in the server. We have both infrastructure and middle tier on the same server. We are not sure where to start the SSL setup. Infrastructure has a HTTP server, SSo server ..etc. and the middle tier has a HTTP and OC4j and Portal, webcache..etc. Is there a standard document or list of documents in sequence which I can follow to setup SSL on our server. I have found couple of them. But not sure which one has to go first and which one has to go next. I am planning to use the trial certificate from Verisign. Please post a reply if you have sojme info about it.
Thanks
Raj
----------

We're in the middle of trying to do the same for 904 on Solaris. If anyone has some advice, we'd really love to hear it.

SSL setup in PI 7.1

Similar Messages

Maybe you are looking for