https://community.sap.com/t5/application-development-and-automation-discussions/certificate-warning-when-using-https-through-reverse-proxy/m-p/7428860#M1550190 <HTML><HEAD></HEAD><BODY><P>Of course, I have thought about a live distribution but my PC is protected against booting on cdrom or usb key !</P><P>I am an administrator of the SAP ECC6 production server but not on my PC !</P><P></P><P>Cheers</P></BODY></HTML> Thu, 25 Nov 2010 11:57:24 GMT Former Member 2010-11-25T11:57:24Z https://community.sap.com/t5/application-development-and-automation-discussions/certificate-warning-when-using-https-through-reverse-proxy/m-p/7428850#M1550180 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>We have a SAP Portal 7.01 with 1 CI and 2 App servers. SSL configuration has been done on it and HTTPS is working fine. We have also imported the CA certificate request response as well and it works perfectly.</P><P></P><P>However, now we have introduced a hardware load balancer (URL: <A href="http://eptest01.domain.com)" target="test_blank">http://eptest01.domain.com)</A> that redirects to one of the app servers of the system. We have also enabled it to direct the requests to HTTPS URLs of the portal's app servers so the following URL works: <A href="https://eptest01.domain.com" target="test_blank">https://eptest01.domain.com</A>.</P><P></P><P>Redirection also works fine but the problem is that the browser shows a certificate warning page which says that "the security certificate presented by this website was issued for a different website's address."</P><P></P><P>I can ignore this and continue to the website and then I can click on the lock icon and see the certificate. In that, it shows the website address as hostname of the app server that it redirects to: appserver.domain.com. I think this might be the problem.</P><P></P><P>How can I configure for the correct certificate? Can someone please provide the correct steps? I have already created a new view in Key Storage and called it ReverseProxy. Within it, I create a keypair entry with CN=hostname of load balancer (eptest01.domain.com). Exported the CSR and ordered a certificate. Received the CSR response and imported into key storage. But still I get the certificate warning as stated earlier. Why is this certificate not being issued by the server instead of the app server's own cert?</P><P></P><P>Thanks,</P><P>Shitij</P></BODY></HTML> Mon, 22 Nov 2010 11:56:18 GMT https://community.sap.com/t5/application-development-and-automation-discussions/certificate-warning-when-using-https-through-reverse-proxy/m-p/7428850#M1550180 Former Member 2010-11-22T11:56:18Z https://community.sap.com/t5/application-development-and-automation-discussions/certificate-warning-when-using-https-through-reverse-proxy/m-p/7428851#M1550181 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>you are right. The hostname has to match exactly with name on SSL certificate. There are usually two options. The first is is terminating SSL connection on reverse proxy. Hence you need to generate a proper certificate for reverse proxy host name and use it there. The second option is to create another SSL connection between proxy and application server. In this case the proxy has more work because it has to decrypt data and encrypt them again but you don't send data unencrypted over network. Check documentation for SAP web dispatcher. It has a nice description of these use cases.</P><P></P><P>Cheers</P></BODY></HTML> Mon, 22 Nov 2010 20:04:01 GMT https://community.sap.com/t5/application-development-and-automation-discussions/certificate-warning-when-using-https-through-reverse-proxy/m-p/7428851#M1550181 mvoros 2010-11-22T20:04:01Z https://community.sap.com/t5/application-development-and-automation-discussions/certificate-warning-when-using-https-through-reverse-proxy/m-p/7428852#M1550182 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>Yes, I am aware of the scenarios, but my main question is, how do I generate the certificate? It is a reverseproxy and not a Web Dispatcher. If it were a WDisp, I could still have installed SAP Cryptolib and set parameters and used sapgenpse for the cert generation, but what to do in our case?</P><P></P><P>Do I need to create an entry in Key Storage in my AS Java system? If yes, where and in which View? Because the ICM_SSL_&lt;instanceid&gt; view already contains a key pair for the SSL of the app server and as far as I know, one view cannot have 2 key pairs.</P><P></P><P>What exactly should I do?</P><P>Thanks,</P><P>Shitij</P></BODY></HTML> Tue, 23 Nov 2010 06:19:56 GMT https://community.sap.com/t5/application-development-and-automation-discussions/certificate-warning-when-using-https-through-reverse-proxy/m-p/7428852#M1550182 Former Member 2010-11-23T06:19:56Z https://community.sap.com/t5/application-development-and-automation-discussions/certificate-warning-when-using-https-through-reverse-proxy/m-p/7428853#M1550183 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>How to Installi a signed certificate on your reverse proxy has nothing to do with the SAP java system.</P><P>You have to read the reverse proxy documentation to learn how to do it.</P><P></P><P>By the way, a web dispatcher <STRONG>IS</STRONG> a reverse proxy...</P><P></P><P>Regards,</P><P>Olivier</P></BODY></HTML> Tue, 23 Nov 2010 12:23:18 GMT https://community.sap.com/t5/application-development-and-automation-discussions/certificate-warning-when-using-https-through-reverse-proxy/m-p/7428853#M1550183 Former Member 2010-11-23T12:23:18Z https://community.sap.com/t5/application-development-and-automation-discussions/certificate-warning-when-using-https-through-reverse-proxy/m-p/7428854#M1550184 <HTML><HEAD></HEAD><BODY><P>I just want to add that you can still use sapgenpse to generate certificate. How to import this certificate into your reverse proxy depends on what product you use. But I guess it's documented.</P><P></P><P>Cheers</P></BODY></HTML> Tue, 23 Nov 2010 20:48:59 GMT https://community.sap.com/t5/application-development-and-automation-discussions/certificate-warning-when-using-https-through-reverse-proxy/m-p/7428854#M1550184 mvoros 2010-11-23T20:48:59Z https://community.sap.com/t5/application-development-and-automation-discussions/certificate-warning-when-using-https-through-reverse-proxy/m-p/7428855#M1550185 <HTML><HEAD></HEAD><BODY><P>Hi Martin,</P><P></P><P>Is it possible to use sapgenpse to create a separate file for the private key and a separate file for the public key ?</P><P>I tried and I only found out how to create a PSE file and a PKCS12 file (p12) which was of no use for me.</P><P></P><P>I had to install an OpenSSL windows version on my PC to be able to generate a certificate for an Apache reverse proxy.</P><P></P><P>Regards,</P><P>Olivier</P></BODY></HTML> Wed, 24 Nov 2010 09:05:52 GMT https://community.sap.com/t5/application-development-and-automation-discussions/certificate-warning-when-using-https-through-reverse-proxy/m-p/7428855#M1550185 Former Member 2010-11-24T09:05:52Z https://community.sap.com/t5/application-development-and-automation-discussions/certificate-warning-when-using-https-through-reverse-proxy/m-p/7428856#M1550186 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>no I don't know better way than using PKCS#12 and convert it using OpenSSL. I just don't understand why you had to install OpenSSL. You had to have module mod_ssl installed on your reverse proxy which relies on OpenSSL library. Hence you should have already had it on your proxy.</P><P></P><P>Cheers</P></BODY></HTML> Wed, 24 Nov 2010 22:30:25 GMT https://community.sap.com/t5/application-development-and-automation-discussions/certificate-warning-when-using-https-through-reverse-proxy/m-p/7428856#M1550186 mvoros 2010-11-24T22:30:25Z https://community.sap.com/t5/application-development-and-automation-discussions/certificate-warning-when-using-https-through-reverse-proxy/m-p/7428857#M1550187 <HTML><HEAD></HEAD><BODY><P>Hi Martin,</P><P></P><PRE><CODE><P>I just don't understand why you had to install OpenSSL</P></CODE></PRE><P></P><P>I understand that you don't understand ! It is because of my company's strange security rules.</P><P>I am in charge of the Apache Reverse Proxy but, for security reason, because the Reverse proxy is in a DMZ giving access to the Internet, I am not allowed to connect to the Linux box running Apache !</P><P></P><P>I have to write a configuration document which will be played by the production team in charge of the DMZ hosts.</P><P>So it is much easier for me to use OpenSSL on my Windows PC (I don't even have a Linux box.)</P><P></P><P>Regards,</P><P>Olivier</P></BODY></HTML> Thu, 25 Nov 2010 08:32:00 GMT https://community.sap.com/t5/application-development-and-automation-discussions/certificate-warning-when-using-https-through-reverse-proxy/m-p/7428857#M1550187 Former Member 2010-11-25T08:32:00Z https://community.sap.com/t5/application-development-and-automation-discussions/certificate-warning-when-using-https-through-reverse-proxy/m-p/7428858#M1550188 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>there are some nice live distributions which you can use to avoid installing additional soft on your laptop.</P><P></P><P>Cheers</P></BODY></HTML> Thu, 25 Nov 2010 09:21:42 GMT https://community.sap.com/t5/application-development-and-automation-discussions/certificate-warning-when-using-https-through-reverse-proxy/m-p/7428858#M1550188 mvoros 2010-11-25T09:21:42Z https://community.sap.com/t5/application-development-and-automation-discussions/certificate-warning-when-using-https-through-reverse-proxy/m-p/7428859#M1550189 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>there are some nice live distributions which you can use to avoid installing additional soft on your laptop.</P><P></P><P>Cheers</P></BODY></HTML> Thu, 25 Nov 2010 09:25:12 GMT https://community.sap.com/t5/application-development-and-automation-discussions/certificate-warning-when-using-https-through-reverse-proxy/m-p/7428859#M1550189 mvoros 2010-11-25T09:25:12Z https://community.sap.com/t5/application-development-and-automation-discussions/certificate-warning-when-using-https-through-reverse-proxy/m-p/7428860#M1550190 <HTML><HEAD></HEAD><BODY><P>Of course, I have thought about a live distribution but my PC is protected against booting on cdrom or usb key !</P><P>I am an administrator of the SAP ECC6 production server but not on my PC !</P><P></P><P>Cheers</P></BODY></HTML> Thu, 25 Nov 2010 11:57:24 GMT https://community.sap.com/t5/application-development-and-automation-discussions/certificate-warning-when-using-https-through-reverse-proxy/m-p/7428860#M1550190 Former Member 2010-11-25T11:57:24Z https://community.sap.com/t5/application-development-and-automation-discussions/certificate-warning-when-using-https-through-reverse-proxy/m-p/7428861#M1550191 <HTML><HEAD></HEAD><BODY><P>I have solved this problem in another way. I have generated a new keystore entry in ICM_SSL_* view and this time I gave CN=hostname of proxy/load-balancer. Once I got the CSR response imported, then access using proxy started working without the certificate errors since it accepted the new certioficate.</P></BODY></HTML> Fri, 26 Nov 2010 06:46:22 GMT https://community.sap.com/t5/application-development-and-automation-discussions/certificate-warning-when-using-https-through-reverse-proxy/m-p/7428861#M1550191 Former Member 2010-11-26T06:46:22Z