
SSL with Apache

Former Member
0 Kudos

Hi, gurus

One of our customers wants to enable HTTPS access to its Enterprise Portal 6.0 SP2. Its system landscape is as follows:

Client browser ---> External web server (apache) ---> Firewall ---> Internal web server (apache) -> J2EE

---> HTTPS communication

-> HTTP communication

All traffic will be HTTPS between client browser and internal web server, but not with J2EE engine. So it’s not necessary to activate SSL in J2EE Engine.

We have configured both Apache servers to work with HTTP and it’s running OK. Furthermore, we have generated two different X509 certificates, one for each Apache web server, and we have configured both Apache web servers to work with HTTPS too. However, the Apache web servers work with HTTPS only when they work standalone. If we try to connect with proxy directives, they don’t work.

At this point I’m in doubt about the following question:

- Is it necessary for each web server to have access to the public key of the other web server to establish communication? I think yes, and I think this configuration would be made via a directive?

Thanks and best regards,

SERGIO SANCHEZ

Accepted Solutions (0)

Answers (4)


JoergHeyne
Participant
0 Kudos

Hi Sergio,

If you make a protocol change, there is IMHO no way to avoid the popup from IE.

But why don't you use SSL from the R/3 backend to the client? You can make it like the portal: Client --> Apache -> R/3.

This is the way we do it and that works fine.

Regards

Jörg

Former Member
0 Kudos

Hi, Jörg

Our customer didn't want to use SSL in the R/3 backend because it would mean changing all iViews from the HTTP protocol to the HTTPS protocol.

Furthermore, if we change all iViews to HTTPS, then all users would have to log on to the portal via HTTPS. To avoid this, our customer wanted only external users that access through the Internet to need the HTTPS protocol, and internal users to log on via the HTTP port.

Any hints about this?

Regards,

SERGIO

JoergHeyne
Participant
0 Kudos

Hi Sergio,

First the good news: it's possible!

Now the "bad" news: it's not that easy.

Nick Kew wrote a module for Apache (mod_proxy_html) that does the following: it parses the response from a server and (if you want) rewrites it. E.g.: the response (like HTML code) includes a link http://server/sap/bw/. and with a kind of rewrite rule you can change this response before it reaches the client, maybe to https://server/sap/.

This module is only available for UNIX Apache; if you run Apache on Windows you have to compile the module on your own.

see: http://apache.webthing.com/mod_proxy_html/

A last question: do you use the same Apache for external and internal users, or are these different Apaches?

best regards

Jörg

Former Member
0 Kudos

Hi again, Jörg

I'm glad about your good news. It will be a bit difficult, because our Apache servers run on the Windows platform.

Both Apache servers run on the Windows platform, one server in the DMZ and another server in the customer LAN. The Apache version is 2.0.55 in both cases.

External users will directly use the Apache server in the DMZ, although it will connect to the portal through the internal Apache server.

Internal users would use the internal Apache server or the external Apache, as we decide.

Best regards,

SERGIO

JoergHeyne
Participant
0 Kudos

Hi again Sergio,

If you use different Apaches for internal and external users, you can use the module for the "external Apache".

Nick Kew offers this module for Win32, but you have to pay for it. On his webpage you can find a contact email address. If you ask Nick, he will compile the module for Windows. I think it's about 50$. Unfortunately there is no way to test it.

There is another tool to do this, but I don't know if it works. The streaming editor "sed" (sed15.exe) can do the same. But I don't know if this works with Apache.

see: http://www.student.northpark.edu/pemente/sed/

Good Luck

Jörg

Former Member
0 Kudos

Sergio,

Not sure about your other issues, but to keep the same url on the client side you can use Apache's mod_rewrite module along with a virtual host maybe. Go to apache.org and search for it and you should find good documentation.

Brent

Former Member
0 Kudos

Hi, Brent

We are using the mod_rewrite and mod_proxy modules to keep the same URL in the client browser and it's OK. However, when a user tries to access an iView that retrieves data from R/3, an IE security popup is displayed, even though the address in the client browser is like "https://server/irj...".

Our issue is that the client browser detects that some iViews retrieve data from an HTTP source (not HTTPS), so this warning is displayed. Keep in mind that all connections between the portal and backend systems are HTTP connections, not HTTPS.

Best regards,

SERGIO

JoergHeyne
Participant
0 Kudos

Hi Sergio,

We had the same problems. Be sure that the responses from R/3 (like BSP, etc.) are on HTTPS. You can use a "sniffer tool" like httpwatch or httplook to see which data is not on SSL.

Maybe you have to add a virtual host on which the response from the R/3 backend is secured anyway.

Please let me know if you need help on this.

Best regards

Jörg
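The check suggested in the post above (finding which data is not on SSL) can also be run on the HTML the portal returns. This is an added example, not part of the original thread: it lists the references an HTTPS page would load over plain HTTP, which is what triggers the browser's mixed-content warning. The sample page, host names and paths are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch (or post to) another URL while rendering.
FETCH_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "frame": "src",
    "embed": "src", "link": "href", "form": "action",
}


class MixedContentFinder(HTMLParser):
    """Collects references that an HTTPS page would load over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []  # list of (tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if not value:
            return
        # Resolve relative and protocol-relative URLs against the page URL,
        # as the browser does; those inherit https and are not flagged.
        absolute = urljoin(self.page_url, value.strip())
        if urlsplit(absolute).scheme == "http":
            self.insecure.append((tag, absolute))


def find_mixed_content(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on an HTTPS page
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.insecure


# Constructed sample: a portal page whose iView frame points at a backend over HTTP.
SAMPLE_PAGE = """
<html><head><link rel="stylesheet" href="/irj/portal.css"></head><body>
<img src="//server/irj/logo.gif">
<iframe src="http://r3host:8000/sap/bw/BEx?sap-language=EN"></iframe>
<script src="http://r3host:8000/sap/public/bsp/script.js"></script>
<a href="http://r3host:8000/help">help</a>
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_mixed_content("https://server/irj/portal", SAMPLE_PAGE):
        print(f"{tag}: {url}")
```

Plain `<a href>` links are not reported because following a link is navigation, not content loaded into the secure page.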

Former Member
0 Kudos

Hi Jörg

We are sure that the R/3 responses are on the HTTP protocol. Our customer only wants to enable HTTPS between client browsers and the Apache server, so communication between J2EE and R/3 is on the HTTP protocol.

1. Client browser with Apache server 1 via HTTPS protocol

2. Apache server 1 with Apache server 2 via HTTPS protocol

3. Apache server 2 with J2EE server via HTTP protocol

4. J2EE server with Backend systems via HTTP protocol

My question is whether it's possible to avoid this IE security popup. Perhaps it's possible if we hide from the client browser (in HTTP headers) which protocol was used during the communication. We've tried the Apache directive "RequestHeader set ClientProtocol HTTP", but it didn't work.

Do you know any hint to avoid this message?

Thanks,

SERGIO

JoergHeyne
Participant
0 Kudos

Hi Sergio,

To avoid this message there are a.f.a.i.k. many ways:

EVERY response has to be on the same protocol (HTTP or HTTPS) -> then the popup should not be displayed.

But you can change some settings on the client:

In IE: Open an IE window. Go to "tools - Internet Options - Advanced." Deactivate the option "warn if changing between secure and not secure mode".

Another way in IE: Go to "tools - Internet Options - security - custom level." Set the option "Display mixed content" to "enable".

Hope this helps

(Please let me know)

Good luck

Jörg

Message was edited by: Jörg Heyne

Former Member
0 Kudos

Hi again, Jörg

We knew about these IE security settings. We can't use the IE alternatives because users can access via the Internet and it's not possible to change this configuration on their browsers.

About the other option, there is a protocol change when a user tries to access an iView that retrieves data from R/3. So we can't use this alternative either.

Do you know another option? Perhaps there is no solution to our issue.

Regards,

SERGIO

JoergHeyne
Participant
0 Kudos

Hi Sergio,

we use the following scenario:

Client Browser --> WebServer(Apache) in DMZ -> J2EE.

You need to configure SSL on every web server.

What's your problem in particular? Why do you use two web servers?

Best regards

Jörg

Former Member
0 Kudos

Hi, Jörg

Our current scenario is similar. But our customer only wants to enable SSL in the web servers (Apache), not in J2EE nor in backend systems.

In this case, when a user tries to access an iView that retrieves data from R/3, there is an IE security popup saying mixed data (secure and non-secure) will be displayed. Is it possible to avoid this popup with some configuration in Apache (perhaps with the headers module)?

Thanks and regards

SERGIO SANCHEZ

Former Member
0 Kudos

Any help on this?