ACE - SAP SSL Offload - HTTPS - HTTP

Unanswered Question
Sep 11th, 2007
User Badges:

Using ACE to offload SSL, where the ACE talks to the client over SSL and then talks to a couple of SAP WebDispatchers (WD) on HTTP.


All setup and working except for a niggling issue. Basically the WD see the request from ACE on HTTP and build some dynamic links hardcoded within content as "http://excample.com/..." not "https://example.com/..".


Our SAP development say this is a common issue and can be solved by getting the ACE to ammend the host header to include "ClientProtocol" setting defined as HTTPS.


Has anyone seen this before and know the syntax?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
dcarlton Wed, 09/12/2007 - 10:07
User Badges:

I'm trying to config the same thing. Are you willing to share your configs?

Roble Mumin Thu, 09/13/2007 - 00:23
User Badges:
  • Bronze, 100 points or more

You guys are trying to run an Enterprise Portal? I am running EP6 over the ACE's and the SAP-Netweaver Admins have to adjust several parameters within the Application and NOT the ACE.

To make sure ssl termination works flawlessly they had to set a proxy value/parameter on the J2EE Engine with the according ports.


If you need further info or config examples i can help you out once i am back in the office i can also ask the SAP guys at my place for the settings you need.


Roble

marvinio Thu, 09/13/2007 - 02:00
User Badges:

Hi Roble,


Any info/config that you have would be very useful. The sap guys say the can get the ClientProtocol setting work via Apache as a reverse proxy, without the need to change the SAP end, but I think they are looking to push the burden!


If you can let me know the changes to the proxy value/param for J2EE that would be great.


Rich

Roble Mumin Fri, 09/14/2007 - 00:54
User Badges:
  • Bronze, 100 points or more

Got the Settings for the URL Rewrite within the Netweaver Portal.


Set in the HTTP-Servers section of the dispatcher the parameter "ProxyMappings" to following.


50200=(Host:foo.bar.com,Port:443,Scheme:https,Override:true)


As the servers increment their dialog port per server instance you probably need this entry for every server in your farm e.g. 50200,50300 etc.

And we don't use an apache as proxy here just ACE and then Portal-Servers.


If you need some ACE specific settings let me know.


Hope it helps.


Roble


dcarlton Fri, 09/14/2007 - 03:13
User Badges:

I would sure appreciate the ACE config.


Thanks!

Roble Mumin Fri, 09/14/2007 - 03:52
User Badges:
  • Bronze, 100 points or more

This config is from a productive portal context featuring 8 application and 2 sorry servers.

I had to sanitize it but i think it still shows pretty much everything you probably need.


Roble





dcarlton Fri, 09/14/2007 - 05:39
User Badges:

Are you using the sing sign on feature that uses your windows credentials to log you on to SAP?

Roble Mumin Fri, 09/14/2007 - 06:07
User Badges:
  • Bronze, 100 points or more

Yes the portal uses the SPNEGO/Kerberos Add-on for single sign on.


kekarthick Thu, 05/22/2008 - 07:46
User Badges:

Hi Roble,


Do you mean to say that The load balancer can do an HTTPS GET over SSL to verify that the portal environment is up and running.

Am I correct?Please calrify my Doubt and let me know whether I need to make the changes explained by you in this thread to achieve the https request?


Regards,

Karthick Eswaran

Roble Mumin Thu, 05/22/2008 - 10:18
User Badges:
  • Bronze, 100 points or more

We terminate the SSL Traffic on the ACE and speak "plain" HTTP towards the EP6 Servers running the Dispatchers.


Client <-HTTPS-> ACE <-HTTP-> EP6 Server.


The probes are done in plain http in our design. We have a page that simply gets generated if the J2EE Engine and all the other related SAP stuff is up and running. We check this page for return code 200 or 401. If we don't get them we assume the server is down.


The Proxy statement i posted earlier was necessary to make sure the EP-Application does not break the SSL traffic. The SAP code sometimes generates http URL's within the portal navigation and that setting makes sure it uses https instead. But for details you have to ask the Netweaver Admins.


Hope it helps


Roble

Actions

This Discussion