SSL setup with a load balancer

We are running EP 7.0 SP14 and have set it up to run through a Cisco ACE load balancer. We have also set up SSL with the certificate on the ACE load balancer. Everything works fine, except we keep getting a Security Alert popup message in IE that states "You are about to be redirected to a connection that is not secure."
Are there some additional configurations that I need to do in EP to make this go away?
Maximum points to the first correct answer.

You can change logoff URL to any value:
http://help.sap.com/saphelp_nw04s/helpdata/en/44/aada5230be5e77e10000000a155369/frameset.htm
Regarding VC apps.
It is strange you cannot see HTTP in the IEWatch. IE should not be able to alert about something it does not see. I suggest you use something more substantial to trace network calls: http://www.wireshark.org
This is the best tool I know for network tracing.
Regards,
Slava

Similar Messages

  • SSL Setup in a load balanced portal

    Hi,
    We are implementing a portal landscape and also we are using a hardware based (Cisco ACE) load balancer for load balancing purposes.
    So the configuration would be:
    Portal requests --> Load Balancer --> Portal --> Backend
    We are trying to implement SSL until the portal server and I have a question regarding the SSL certificate installation process.
    The URL on the load balancer would be for example https://portaltest.mycompany.com which would load balance the requests between the application servers of the portal (https://sapeptest1.mycompany.com:50001/irj/portal and https://sapeptest2.mycompany.com:50001/irj/portal).
    So, first thing we will have to do would be to install an SSL certificate (signed by a Trusted CA) on the load balancer with a CN=portaltest.mycompany.com.
    I understand that for https to function properly, the host name in the URL we are using to get to the server should match the CN of the SSL certificate installed on the server.
    Now, can we install the same certificate (that we put on the LB) on the portal as well?
    (This might not work because the server type will be different)
    (or)
    Do we need to buy 2 certificates with the same CN and install one each on the LB and portal ?
    Can some one please suggest on how to proceed with the SSL setup and certificate installation process ?
    Thank You ,
    Raj

    Raj Kumar wrote:
    My question is about how to go about installing the certificates on the LB and on the portal.
    If you aren't using web dispatcher, then the details of the installation on the LB will depend on your LB (Cisco? Radware? etc?). I suggest contacting your LB vendor for that.
    Sen's link is for SSO, you want the SSL procedure (http://help.sap.com/saphelp_nw70/helpdata/en/f1/2de3be0382df45a398d3f9fb86a36a/frameset.htm).
    You probably don't need a signed cert on the portal server itself (depending on whether your LB validates the cert). You could just use the default self-signed cert, since users won't be connecting to it directly and so won't be troubled by warnings about untrusted certs: the traffic from the AS would still be encrypted, you would only lose out on the server authentication feature (which you don't need, since again users won't see it).
    On the other hand, do you really need SSL on portal server? That adds overhead at both the LB and portal. It's usually sufficient to use HTTP from the LB to the back-end, as long as the servers only allow connections from the LB. I realize you aren't using web dispatcher, but this looks like scenario #3 in this diagram (http://help.sap.com/saphelp_nw70/helpdata/en/d8/a922d7f45f11d5996e00508b5d5211/frameset.htm).
    Regards,
    Sean

  • SSO with Webcache Load Balancing ???

    Hi,
    My system (in Win2K servers)
    +Infrastructure server 9.0.2.3
    +Midtier1 using OC4J_BI_Forms 9.0.2.3
    +Midtier2 using OC4J_BI_Forms 9.0.2.3
    I have followed the Note:207668.1 to setup Webcache as load balancer for 2 Midtiers. I also completed the steps in the Note:241891.1 to re-register the two Midtiers again SSO server.
    The system runs well if I start OHS only on the Midtier1 or Midtier2. If I start up both OHS in the two Midtiers, when I connect to our apps using SSO, the SSO login window opens to ask for the SSO userid and pass. When I key in the SSO userid and pass, there is an error in the Apache:
    apache.exe - Application error: The instruction at "..." could not be read.
    Please advise,
    Pham

    advice : get the apache trace dump to find out what stack it is in. I think you must open a TAR .
    The error possibly coming from mod_osso ?

  • Cache refresh issue with PI Load Balanced HA setup.

    Dear Experts,
    We have installed a HA Load Balanced PI Production Server with the below specifications. It's a four node cluster. Two nodes for Application Cluster and another two nodes for Database Cluster.
    Node1
    Physical Hostname  : axsappci
    Virtual Hostname  : axsapp00
    Instances         : CI,SCS and ASCS.
    Node2
    Physical Hostname : axsappdi
    Virtual Hostname   : axsapp00
    Instances          : Dialog instance installed with physical hostname axsappdi
    Node3
    Physical Hostname : axsappd1
    Virtual Hostname   : axsappdb
    Instances  : DB Instance.
    Node4
    Physical Hostname : axsappd2
    Virtual Hostname   : axsappdb
    Instances  : Standby DB Instance (passive).
    Web Dispatcher Hostname : h2h
    Application Switchover : CI,SCS and ASCS to switchover to Node2 and dialog instance Node2 forcing to go down
    Database Switchover : DB Instance switchover to Node2 if Node1 fails.
    We have changed all the parameters according to note 951910 -> NW2004s High Availability Usage Type PI
    I am facing an issue with the cache Notifications in the Integration Repository and Directory. The cache notifications are not happening properly particularly with the ABAP Cache.
    I get the below error in my ID when I try to do the manual cache notification.
    Unable to notify integration runtime (ABAP) of data changes
    Unable to establish http connection "http://h2h:8002/sap/xi/cache?sap-client=001"
    Kindly assist.
    Thanks and Regards
    Raghu.

    Hi Srikanth,
    Thanks for the reply.
    I have configured my web dispatcher to use default HTTP and HTTPS ports, i.e. 80 and 443. According to note 951910 I have changed parameters in exchange profile to use these ports.
    Regards
    Raghu.

  • SSL termination using Hardware Load Balancer

    We are trying to implement SSL at the Hardware Load Balancer layer and terminate the SSL there. Architecture includes Apache Reverse Proxy and Portal server running EP7 SP18. In this scenario we want encryption between the client browser and the Load Balancer (BigIP F5). The Load balancer will then decrypt the request and send it to the Apache reverse proxy on port 80. Apache Reverse proxy will send request to Portal J2EE engine on the http port.
    This scenario seems to work in most cases but we are having issues with the standard portal login page. The login page is sent to the browser on https but when entering credentials and selecting the login button a request gets generated on port 80, not 443 (https) and is not serviced by the load balancer. 99% of the requests that get generated from the client browser stay on port 443 as expected but for some reason this particular request switches to port 80.
    How can we keep all requests generated on port 443 (https)?

    Hello Brian (all)
    I am facing the same issue - except we do not have the Apache proxy in the setup..... just HTTPS to a Cisco ACE load balancer and then HTTP to the portal. 
    Nearly all of the portal content is working great, but am facing the situation that some ESS content is switching to HTTP.  In discussing with the network team, they have done the following:
    1/ Replies from the portal server back to the client have an SSL rewrite performed, which modifies a 301 or 302 reply and changes http URLs to https.
    2/ The load balancer adds an HTTP header "ClientProtocol https" to the request it sends to the portal server.
    They feel we need to find a way to have the portal server only send either references with no host:header (i.e. http) or only send host:header with https to keep it all SSL.
    Any advice?
    Edited by: Eric Poellinger on Jan 5, 2011 5:09 AM
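
An added example, not part of the posts above, for the SSL-termination setup this thread describes: it audits raw HTTP responses for absolute http:// references to the public host and marks which ones a rewrite limited to 301/302 Location headers would change, and which ones (other status codes, other headers, URLs inside the HTML body such as a form action) it would leave as plain HTTP. The host name portal.example.com, the sample responses and all function names are assumptions made for the example.

```python
"""Audit HTTP responses for plain-http references behind an SSL-terminating LB.

All sample data is constructed; portal.example.com is a placeholder host.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

PUBLIC_HOST = "portal.example.com"  # assumption: name the load balancer serves
URL_ATTRS = {"href", "src", "action", "formaction"}  # attributes a browser fetches
URL_HEADERS = {"location", "content-location", "refresh"}


class _UrlCollector(HTMLParser):
    """Collect (tag, attribute, url) for every URL-bearing attribute."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.found.append((tag, name, value.strip()))


def _is_downgrade(url, host):
    """True for an absolute http:// URL that points at the public host."""
    parts = urlsplit(url)
    return parts.scheme.lower() == "http" and (parts.hostname or "") == host.lower()


def audit_response(raw, host=PUBLIC_HOST):
    """Return (where, url, covered) findings for one raw HTTP response.

    covered is True only for a Location header on a 301 or 302, the one case
    the rewrite described in the thread changes to https.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    findings = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name not in URL_HEADERS:
            continue
        match = re.search(r"https?://\S+", value, re.I)  # Refresh: "0; url=..."
        url = match.group(0) if match else value
        if _is_downgrade(url, host):
            covered = name == "location" and status in (301, 302)
            findings.append((f"header:{name}", url, covered))
    collector = _UrlCollector()
    collector.feed(body.decode("utf-8", errors="replace"))
    for tag, attr, url in collector.found:
        if _is_downgrade(url, host):
            findings.append((f"body:<{tag} {attr}>", url, False))
    return findings


# Constructed responses, as the portal might send them over HTTP to the LB.
REDIRECT = (b"HTTP/1.1 302 Found\r\n"
            b"Location: http://portal.example.com/irj/portal\r\n\r\n")
LOGIN_PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
              b'<form method="post" action="http://portal.example.com:80/irj/portal">'
              b'<input name="user"><img src="/logo.gif">'
              b'<a href="https://portal.example.com/help">help</a></form>')

if __name__ == "__main__":
    for label, raw in (("redirect", REDIRECT), ("login page", LOGIN_PAGE)):
        for where, url, covered in audit_response(raw):
            state = "rewritten by LB" if covered else "NOT rewritten"
            print(f"{label}: {where} -> {url} ({state})")
```

Run against responses captured on the HTTP side of the load balancer, every finding reported as not rewritten is a request the browser will send to port 80.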

  • SSL Certificate and F5 load balancer.

    Hi All,
    I need to create an SSL certificate to enable SSL on the HTTP server. Can you please give me the steps for that? Also, I need to configure SSL on the load balancer. How would I do that? I will be thankful if anybody can provide me detailed steps. Thanks in advance.
    Thanks,
    Virendra

    Hi,
    What is the application release?
    For SSL, please see these documents.
    Note: 123718.1 - 11i: A Guide to Understanding and Implementing SSL for Oracle Applications
    Note: 300969.1 - Troubleshooting SSL with Oracle Applications 11i
    Note: 376700.1 - Enabling SSL in Release 12
    For Load Balancing, please refer to:
    Note: 380489.1 - Using Load-Balancers with Oracle E-Business Suite Release 12
    Note: 727171.1 - Implementing Load Balancing On Oracle E-Business Suite - Documentation For Specific Load Balancer Hardware
    Note: 601694.1 - How To Check Session Persistence On BigIP F5 And Cisco Ace Load Balancer Appliances
    Note: 603325.1 - Using Cisco ACE Series Application Control Engine with Oracle E-Business Suite Release 12
    Regards,
    Hussein

  • Having an issue with vpn load balancing certificate on the vip

    Hi all,
    I am setting up vpn load balancing in a lab. I have two asa's running 8.6. I created a ucc cert from our internal CA  that has the vip as the CN in the cert and the two ASA's themselves as subject alternative names. I used open ssl to create the request. In each asa I am using encryption between the ASA's to encrypt the psk's. Since this is a lab and I do not have the DNS servers at my disposal I've added the hostnames and addresses of each ASA to the config in the ASA's. The problem I have is that when I connect to the vip I get a cert error saying the cert doesn't match the name on the site. See below:
    "The security certificate presented by this website was issued for a different website's address."
    I have a hostfile on my lab pc connected directly to the outside of the ASA that can resolve the name of the vip but when I browse to the vip I get the cert error. If I click proceed anyway the asa redirects me and the page opens without error on one of the two ASA's.
    Does anyone know what the CN of the cert should be for vpn load balancing? I thought the CN would be the vip but something is not right.
    Any help is appreciated.
    Thanks.

    Issue resolved. Switched the order of the trustpoints on the outside and vpn load balance.

  • Testing Forms Services availability with Hardware Load Balancer

    I have posted a question about load balancing to a group of application services running Forms Services here on the Forms forum but have had no reply:
    Forms Services availability checking for BIGIP Load Balancer
    My basic questions are:
    a) What do people recommend for load balancing Forms ... least connection, round robin ... ?
    b) Do people use http://server:port/forms/frmservlet?ifcmd=status or have some of you used something else?
    My reason for the question is we had a Forms Services failure that was not detected by the ifcmd servlet as the HTTP side of things was still working. This meant that the BIGIP load balancer sent everything to the failed server as it had the least connections. So basically no-one could logon.
    I've raised an SR with Oracle but they recommend the standard URL above. Has anyone else had a problem like this and if so were you able to fix it?
    Regards,
    Philippe

    Well SR followed up and it looks like the only course of action is to use the standard HTTP check: http://server:port/forms/frmservlet?ifcmd=status ...
    ... unless that is you want to do some serious customisation. Oracle don't support any other form of checking.
    I'm guessing from the lack of responses to this thread that this hasn't been an issue for anybody else ... ???
    Any thoughts/suggestions really welcome as we go into production in 4 weeks.
    a) What do people recommend for load balancing Forms ... least connection, round robin ... ?
    b) Do people use http://server:port/forms/frmservlet?ifcmd=status or have some of you used something else?
    Thanks,
    Philippe

  • Bug with Network Load Balancing Services and SkipAsSource always reverting to true

    Steps to reproduce:
    Add an IP address to the cluster (2 nodes running Windows Server 2012) using the Network Load Balancing Manager
    Using PowerShell set the SkipAsSource flag on the IP Address to true (Set-NetIpAddress -IpAddress 192.168.1.10 -SkipAsSource $true). The flag is correctly set.
    Try to reverse the setting (Set-NetIpAddress -IpAddress 192.168.1.10 -SkipAsSource $false). Flag stays as true.
    It appears as though Network Load Balancing Services is remembering the setting from someone.
    Things I've tried all without success (in no particular order):
    Removing the IP address from the cluster and adding it back in
    Using PowerShell to remove the IP address and add it back in manually (on each host). Flag stays set as true on the 1st node but takes a second before it reverts back to true on the 2nd node.
    Using netsh to remove the IP address and add it back in manually (on each host). Flag stays set as true on the 1st node but takes a second before it reverts back to true on the 2nd node.
    Deleting each host from the cluster (one at a time), removing the registry keys CurrentControlSet\Services\WLBS and
    Removing both hosts from the cluster
    Restarting the hosts
    Using processmon (sysinternals) to try and find a registry entry that might be set when SkipAsSource is set
    Does anyone know:
    How to resolve this issue? I'm guessing resetting the TCP/IP stack would work but that's a last resort as it requires an on-site visit to the datacentre.
    Where the SkipAsSource flag is stored?
    How to reset the master/global cluster config?
    Thanks in advance,
    Antony

    Hi Antony,
    I am trying to involve someone familiar with this topic to further look at this issue.
    There might be some time delay. Appreciate your patience.
    Best Regards.
    Steven Lee
    TechNet Community Support

  • HTTP Redirect with Global Load Balancing

    I've seen a lot of documentation about redirects and what I am trying to do seems simple enough yet I can't get it to work. Here is a summary:
    We have two CSSs in different data centers with load balancing in a roundrobin fashion.
    User types www.test.com:9086/test.html
    User hits one of the CSSes configured to respond to www.test.com, CSS1 and CSS2.
    If CSS1 gets the request, it should redirect request to server1:9086/test.html
    If CSS2 gets the request, it should redirect request to server2:9086/test.html
    Here is a sample of one of the CSSes:
    content vTEST
    dnsbalance roundrobin
    add dns www.test.com
    url "/*"
    protocol tcp
    port 9086
    vip address 192.168.3.135
    add service rTEST
    active
    service rTEST
    protocol tcp
    port 9086
    type redirect
    keepalive type none
    ip address 2.2.2.2
    redirect-string "server1:9086/test.html"
    active
    I've seen a lot of examples of using HTTP Redirects, but none of them touch on using global load balancing as we are trying to accomplish.
    Now, if I type in a browser:
    http://www.test.com:9086/test.html
    it fails. Why? because the CSS returns back an IP of 2.2.2.2 for www.test.com, which isn't a real IP address (this is by design). If I type:
    http://192.168.3.135:9086/test.html
    it works because it successfully redirects to:
    http://server1:9086/test.html
    because it is going directly against the VIP and redirecting as it should.
    So the redirect function we know is working on the CSS as expected. However, the problem is this:
    When I ping www.test.com I should get back the VIP address of the content rule (192.168.3.135) and I do UNTIL I ADD THE REDIRECT TYPE to the service. Once I do that if I ping www.test.com I will get back 2.2.2.2. Somehow once the redirect is added the IP address of the service (2.2.2.2) is returned instead of the content VIP (192.168.3.135). That shouldn't happen.
    I hope this makes sense and any help would be greatly appreciated!!!

    I think what you want to do is explained at :
    http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a0080094068.shtml
    For your information, you should also look at this solution :
    http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a00801dcd75.shtml
    Regards,
    Gilles.

  • LACP with Weighted Load Balancing

    Hi,
    I am trying to figure out how to use weighted load balancing (WLB) with LACP in Nexus 5K. Please can you give any guidance on this because the documentation I found so far is not helpful.
    Basically I have a port channel consisting of two physical 1G ethernet ports and one backup server connecting with two remote SAN hosts over this port channel. Unfortunately the two remote SAN hosts have similar even mac and ip addresses. Thus ordinary source ip/mac load balancing puts them on the same link in the port channel. I want to apply a weight to try to distribute this load.
    Many thanks
    Sankung
    PS: Ultimately, I am getting a 10G NIC for the backup server but in the meantime want to explore this WLB possibility.


  • Portal Drive not working with external load balancer

    Hi,
    We have a portal cluster and we are using external Load balancer from
    Juniper for load balancing the portal cluster. When given the direct
    portal URL (Central instance URL or Dialog instance URL), Portal Drive
    is able to connect to portal and shows the KM documents properly. But
    when given the Load balancer URL, it gives error saying "Can
    not connect to host using WebDAV protocol". Load balancer URL works
    fine from the browser without any problems. Any help is highly appreciated.
    Helpful points will be rewarded.
    Regards,
    Chandra

    Hi Steve,
    For Portal Drive, Windows integrated authentication, client certificates, basic authentication and Kerberos are supported.
    (In the default delivery of the com.sap.km.cm.docs iview the authentication scheme is set to basic authentication - switching that to form based authentication is not being supported by webdav clients.)
    Also, Integrated Windows Authentication (NTLM) has now been made available with the latest patch.
    Also read through SAP NOTE 1084683 for further clarifications.
    Regards,
    Shailesh

  • 11gR2 SCAN config with F5 load balancer

    We are getting ready to set up our first RAC 2-node configuration. The hardware had already been purchased before deciding to go with 11gR2. Therefore, we have an F5 load balancer. The question is...can we use the IP address of the F5 in the /etc/hosts file as the SCAN IP address? Would this get us around the need to have a DNS configured SCAN host name?
    Has anyone done this before?
    Thanks,
    Mike

    Hi Mike,
    Welcome to the forum.
    I don't know how the F5 Load Balancer works.
    But I'll try...
    The question is...can we use the IP address of the F5 in the /etc/hosts file as the SCAN IP address?
    Oracle strongly recommends that you do not configure SCAN VIP addresses in the hosts file.
    But if you use the hosts file to resolve SCAN name, you can have only one SCAN IP address. You will not get full functionality of the SCAN.
    See this note on MOS:
    11gR2 Grid Infrastructure Single Client Access Name (SCAN) Explained [ID 887522.1]
    Would this get us around the need to have a DNS configured SCAN host name?
    If you want to use the SCAN feature, it is strongly recommended you use the DNS in your environment. This is my advice.
    Read the note above or link below to understand how SCAN works
    http://levipereira.wordpress.com/2010/12/18/single-client-access-name-scan-by-barb-lundhild/
    Regards,
    Levi Pereira

  • FireWall ( with DMZ ) Load Balance

    Hi,
    I searched CCO and found a Firewall load balance document ( http://www.cisco.com/warp/customer/117/fw_load_balancing.html ), but in this sample both firewalls haven't a DMZ. Can anyone advise me about the network diagram and how to configure CSS if both firewalls have a DMZ?
    Best Regards,

    Hi,
    There are no issues with the firewalls having DMZs. The firewall load balancing occurs across firewalls regardless of the firewall interface that the incoming packet is destined for.
    Regards Brett

  • Need help with ACE Load Balancing Base on URL pattern

    This is the first time for me trying to configure something like this on the ACE load balancer.  I need help configuring a load balancing policy base on URL pattern.  URL https://ineedhelp.com base on /willuhelpme and /imlost
    Key: ineedhelp_key
    cert:  ineedhelp_cert
    serverfarmA
    serverA 10.1.1.1 443
    serverfarmB
    serverB 10.1.1.2 443
    ineedhelp.com/willuhelpme-------serverfarmA
    ineedhelp.ocm/imlost---------------serverfarmB

