
Web Dispatcher HTTPS - Multiple backends

Private_Member_19084
Active Contributor
0 Kudos

Hi experts,

we have one webdispatcher in DMZ which is forwarding to different backends, depending on the URL you are entering to access the WebDispatcher (routing-rules).

So, we have host A = webdispatcher and hosts B and C, which are aliases to host A.

If you are entering www.b.com you get another backend than with www.c.com.

Now we want to setup https for the webdispatcher.

My question is, how do I have to issue the certificate-req for the webdispatcher?
For host A or for B and C.

If for B and C, where can I import multiple certificates? For me it looks like I can do it only once and like there is only one certificate possible...

Accepted Solutions (1)


former_member227283
Active Contributor
0 Kudos

Hi,

One instance will have only one server PSE. So you have to request the certificate for host A only.


Regards,

Anil

Private_Member_19084
Active Contributor
0 Kudos

Hello Anil,

but now we did figure out, that we can only register on the DNS-aliases, as this is the dns name which is known in the www.

Therefore I need to install 2 certificates...right?

former_member227283
Active Contributor
0 Kudos

But when you say DNS alias it should be like

www.abc.xyz.com

www.def.xyz.com

www.ghi.xyz.com

Is it the same as what you are going to configure?

Regards,

Anil

Private_Member_19084
Active Contributor
0 Kudos

Yes, but if the certificate contains www.abc.xyz.com it will not be trusted for www.def.xyz.com

Just if I have a wildcard certificate...

former_member227283
Active Contributor
0 Kudos

Yes, you are correct, you need to get the certificate for a wildcard. So it will be like *.xyz.com

Regards,

Anil

LutzR
Active Contributor
0 Kudos

Hi Christian, I would recommend using the SAN (Subject Alternative Name) feature.

Have a look at attributes of the certificate of https://www.verisign.com. The alternative name attribute is a long list of DNS names:

DNS-Name=verisign.asia

DNS-Name=verisign.biz

DNS-Name=verisign.ch

DNS-Name=verisign.co.in

...

Wildcard certificates are expensive and delicate. I would only use them if there really is no practical alternative.

Regards,

Lutz

Private_Member_19084
Active Contributor
0 Kudos

Hello Lutz,

that's right, we are also doing this at the moment.

Thank you very much for your help.

Kind regards
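
An added example (not part of the original posts, and not SAP code): a small Python check of which public hostnames a certificate's SAN dNSName entries cover, applying the single-label wildcard rule that TLS clients use. The SAN lists are constructed, the hostnames are the placeholders used in this thread, and the function names are hypothetical.

```python
# Added example: SAN lists are constructed; hostnames are the thread's placeholders.

def san_matches(pattern: str, host: str) -> bool:
    """Match one SAN dNSName entry against a requested hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard stands for exactly one label, never several
    if p[0] == "*":
        # Accept "*" only as the whole left-most label, with at least two
        # fixed labels after it (so "*.com" is rejected).
        return len(p) >= 3 and p[1:] == h[1:]
    # Partial wildcards such as "w*.xyz.com" are treated as non-matching.
    return "*" not in pattern and p == h


def uncovered(san_dns_names, public_hosts):
    """Return the public hostnames that no SAN entry covers."""
    return [h for h in public_hosts
            if not any(san_matches(s, h) for s in san_dns_names)]


if __name__ == "__main__":
    aliases = ["www.abc.xyz.com", "www.def.xyz.com", "www.ghi.xyz.com"]
    candidates = {
        "single name": ["www.abc.xyz.com"],
        "wildcard *.xyz.com": ["*.xyz.com"],
        "SAN list": list(aliases),
    }
    for label, sans in candidates.items():
        print(f"{label:20} uncovered: {uncovered(sans, aliases)}")
```

A wildcard entry `*.xyz.com` covers `abc.xyz.com` but not `www.abc.xyz.com`, so for aliases two labels below the domain only the SAN list leaves nothing uncovered.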

Answers (2)


Private_Member_19084
Active Contributor
0 Kudos

I have now imported the certificate for host A, with credentials for user of host A and did restart the webdispatcher.

However, if I go to a URL via www.b.com I just get a blank page/error.

How can I analyze the error?

In the log I don't see a problem...on 1st view...

wdisp/ssl_encrypt = 2

wdisp/system_0 = SID=<SID A>, MSHOST=a.com, MSPORT=81<No A>,

wdisp/system_1 = SID =<SID B>, MSHOST=b.com MSPORT=81<No B>

icm/server_port_0 = PROT=HTTP,PORT=80

icm/server_port_3 = PROT=HTTPS,PORT=443

Kind regards

Private_Member_19084
Active Contributor
0 Kudos

it seems like the error is at another place.

The https-service stays inactive, if I want to activate via the admin-tool, I get the error "ssl error(-14)".

I've already checked the cryptolibrary, which seems to be ok.

Any other ideas regarding this?

Private_Member_19084
Active Contributor
0 Kudos

According to a lot of posts, I tried to re-set the Password for the PSE again.

I did use exactly the same password for the new setting (tried it twice) and always after setting the password again, it works.

Kind regards

isaias_freitas
Advisor
0 Kudos

Hello,

The Web Dispatcher acts like a "reverse proxy".

The end user will reach the Web Dispatcher only.

Thus, you would need certificates for the Web Dispatcher hostname(s) only, not for the backend systems.

The following WIKI pages might help you as well.

Using multiple SSL server certificates at the Web Dispatcher - Application Server Infrastructure - S...

Web Dispatcher for Multiple Systems - Understanding and Examples - Application Server Infrastructure...

Regards,

Isaías

Private_Member_19084
Active Contributor
0 Kudos

I think you misunderstood.

The alias, URL, is depending on the backend.

Therefore I thought, I have to issue a certificate per alias-hostname, not per physical hostname.