Hi all,

to anybody who might be interested: it was the certificate of the J2EE engine which was invalid due to a system copy. We adjusted this certificate and everything worked fine. Thanks to everyone who tried to help.

Regards,

Michael

Sorry for the late reply...

This didn't help either. Maybe I can get it to work the way I want by only allowing https and no http on my portal. Is that possible? If yes, how do I do it?

Regards,

Michael

Dear Michael,

you need to specify the protocol that is to be used by the redirect. The documentation on icm/HTTP/redirect_<xx> states:

<i><b>The parameter has the following syntax:

icm/HTTP/redirect_<xx> = PREFIX=<URL prefix>[, FROM=<pattern for URL>, FROMPROT=<incoming protocol>, FOR=<pattern for host name:port>,TO=<new URL prefix>, PROT=<protocol>, HOST=<host>, PORT=<port number/name>]

<xx> must be specified in ascending order from 0.</b></i>

Try

icm/HTTP/redirect_0 PREFIX=/, TO=/irj, PROT=https

you can also use

icm/HTTP/redirect_0 PREFIX=/, TO=/irj, FROMPROT=http, PROT=https

to ensure that yll requests using HTTP will be redirected to HTTPS.

Best Regards,

Tim

No success again, with wdisp/ssl_encrypt = 2 I still get the "certificate expired" error as stated in the tracefile above. I also think this is the wrong value anyway. If I understand correctly wdisp/ssl_encrypt = 2 would get me an encrypted connection between the webdispatcher and the portal server. What I need is an encrypted connection between the client (browser) and the webdispatcher. But when I enter the URL with HTTPS I get redirected to HTTP immediately.

Hope this made it clearer.

[edit]

Oh I forgot to mention I get a lot of

[Thr 6940] *** WARNING => redispatching of failed stateful request [http_route.c 3021]

in my tracefile. Could that also be a reason?

[/edit]

Regards,

Michael

Thanks for the reply. I already read through this page, but didn't find anything that helps. The only thing I tried is to change the parameter wdisp/ssl_encrypt to 1 (was 0). Result: http still works fine, https doesn't work at all. In the tracefile I can see that the certificate for the ssl connection between WebDispatcher and WebAS in not valid anymore:

Tracefile:

[Thr 2212] SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"

[Thr 2212] SSL socket: local=<WebDisp IP>:3509 peer=<WebAS IP>:58801

[Thr 2212] <<- ERROR: SapSSLSessionStart(sssl_hdl=00BF9F08)==SSSLERR_SSL_CONNECT

[Thr 2212] *** ERROR => IcmConnPoolConnect: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT [icxxpool.c 2077]

[Thr 2212] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

[Thr 2212] session uses PSE file "<SECUDIR>\SAPSSLS.pse"

[Thr 2212] SecudeSSL_SessionStart: SSL_connect() failed --

secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"

[Thr 2212] >> -

Begin of Secude-SSL Errorstack -

>>

[Thr 2212] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed

ERROR in af_verify_Certificates: (101/0x0065) Certificate expired (notbefore=031002072500Z, notafter=051002072500Z, now=070119143315Z)

ERROR in af_check_validity_of_Certificate: (101/0x0065) Certificate expired (notbefore=031002072500Z, notafter=051002072500Z, now=070119143315Z)

[Thr 2212] << -

End of Secude-SSL Errorstack -

The certificate file SAPSSLS.pse is the same as for the https connection to the WebDispatcher and expires 2008. Where do the "notbefore" and "notafter" values come from?

Any suggestions?

Regards,

Michael

Hi,

Please check the following link:

http://help.sap.com/saphelp_nw2004s/helpdata/en/d8/a922d7f45f11d5996e00508b5d5211/frameset.htm

Regards,

Siddhesh