cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1644
Views
0
Helpful
10
Replies

ACE - SAP SSL Offload - HTTPS - HTTP

marvinio
Level 1
Level 1

Using ACE to offload SSL, where the ACE talks to the client over SSL and then talks to a couple of SAP WebDispatchers (WD) on HTTP.

All setup and working except for a niggling issue. Basically the WD see the request from ACE on HTTP and build some dynamic links hardcoded within content as "http://excample.com/..." not "https://example.com/..".

Our SAP development say this is a common issue and can be solved by getting the ACE to ammend the host header to include "ClientProtocol" setting defined as HTTPS.

Has anyone seen this before and know the syntax?

10 Replies 10

dcarlton
Level 1
Level 1

I'm trying to config the same thing. Are you willing to share your configs?

You guys are trying to run an Enterprise Portal? I am running EP6 over the ACE's and the SAP-Netweaver Admins have to adjust several parameters within the Application and NOT the ACE.

To make sure ssl termination works flawlessly they had to set a proxy value/parameter on the J2EE Engine with the according ports.

If you need further info or config examples i can help you out once i am back in the office i can also ask the SAP guys at my place for the settings you need.

Roble

Hi Roble,

Any info/config that you have would be very useful. The sap guys say the can get the ClientProtocol setting work via Apache as a reverse proxy, without the need to change the SAP end, but I think they are looking to push the burden!

If you can let me know the changes to the proxy value/param for J2EE that would be great.

Rich

Got the Settings for the URL Rewrite within the Netweaver Portal.

Set in the HTTP-Servers section of the dispatcher the parameter "ProxyMappings" to following.

50200=(Host:foo.bar.com,Port:443,Scheme:https,Override:true)

As the servers increment their dialog port per server instance you probably need this entry for every server in your farm e.g. 50200,50300 etc.

And we don't use an apache as proxy here just ACE and then Portal-Servers.

If you need some ACE specific settings let me know.

Hope it helps.

Roble

I would sure appreciate the ACE config.

Thanks!

This config is from a productive portal context featuring 8 application and 2 sorry servers.

I had to sanitize it but i think it still shows pretty much everything you probably need.

Roble

Are you using the sing sign on feature that uses your windows credentials to log you on to SAP?

Yes the portal uses the SPNEGO/Kerberos Add-on for single sign on.

Hi Roble,

Do you mean to say that The load balancer can do an HTTPS GET over SSL to verify that the portal environment is up and running.

Am I correct?Please calrify my Doubt and let me know whether I need to make the changes explained by you in this thread to achieve the https request?

Regards,

Karthick Eswaran

We terminate the SSL Traffic on the ACE and speak "plain" HTTP towards the EP6 Servers running the Dispatchers.

Client <-HTTPS-> ACE <-HTTP-> EP6 Server.

The probes are done in plain http in our design. We have a page that simply gets generated if the J2EE Engine and all the other related SAP stuff is up and running. We check this page for return code 200 or 401. If we don't get them we assume the server is down.

The Proxy statement i posted earlier was necessary to make sure the EP-Application does not break the SSL traffic. The SAP code sometimes generates http URL's within the portal navigation and that setting makes sure it uses https instead. But for details you have to ask the Netweaver Admins.

Hope it helps

Roble

Review Cisco Networking for a $25 gift card