
Setting up HTTPS

Former Member
0 Kudos

Hi All,

There is a MS Windows terminal server which communicates via http with SAP NW04 BW3.5

I'd like to set up an HTTPS connection between them but don't know if an SSL certificate is required?

Are there any notes and links relating to this?

Many thanks!

Accepted Solutions (0)

Answers (7)


Former Member
0 Kudos

The https connection is going to be used to secure the connection between 2 BI systems (dev and prod) printing Web Reports into a portal. (BI servers and Portal are located on separate servers)

We switch from Dev to Prod thanks to a Web dispatcher located on another server having no SAP instance.

Is there something to do with the SAP portal J2EE config to accept HTTPS connections?

I'm using port 1443 for the parameter icm/server_port_X on BI systems, is that the correct port?

Do I have to specify this in the Portal's J2EE configtool?

Thanks for your answers!

Former Member
0 Kudos

Hi All,

There is a webdispatcher, BI system and a portal.

I have created a set of pse and req files from BI system for setting up End-to-End SSL.

Does the webdispatcher server have to have its own pse file to be imported?

Is it mandatory to request a certificate from SAP or Verisign?

When starting the Webdispatcher I find the following error:

[Thr 7956] started security log to file dev_icm_sec

[Thr 7956] SAP Web Dispatcher running on: HOST

[Thr 7956] MtxInit: 30001 0 2

[Thr 7956] IcmInit: listening to admin port: 65000

[Thr 7956] IcrCoreInitSessionTable: Session table initialized

[Thr 6312] =================================================

[Thr 6312] = SSL Initialization on PC with Windows NT

[Thr 6312] = (700_REL,Jan 23 2008,mt,ascii,SAP_UC/size_t/void* = 8/32/32)

[Thr 6312] = found SAPCRYPTOLIB 5.5.5C pl24 (Jun 11 2008) MT-safe

[Thr 6312] = current UserID: NT AUTHORITY\SYSTEM

[Thr 6312] = found SECUDIR environment variable

[Thr 6312] = using SECUDIR=C:\secudir

*[Thr 6312] *** ERROR => secudessl_Create_SSL_CTX(): PSE "C:\usr\sap\SID\D00\sec\SAPSSLS.pse" not found! [ssslsecu.c 1354]*

[Thr 6312] secudessl_Create_SSL_CTX: SSL_CTX_set_default_pse_by_name() failed --

secude_error 4356 (0x00001104) = "unknown structure"

[Thr 6312] >> - Begin of Secude-SSL Errorstack - >>

[Thr 6312] ERROR in SSL_CTX_set_default_pse_by_name: (4356/0x1104) unknown structure

ERROR in ssl_set_pse: (4356/0x1104) unknown structure

ERROR in af_open: (4356/0x1104) unknown structure

ERROR in secsw_open: (4356/0x1104) unknown structure

ERROR in secsw_open_pse_or_extension: (4356/0x1104) unknown structure

ERROR in sec_get_PSEtype: (4356/0x1104) unknown structure

[Thr 6312] << - End of Secude-SSL Errorstack -

*[Thr 6312] *** ERROR => SapISSLAddCredential(): Error SSSLERR_PSE_ERROR trying to create SERVER Credential* for "C:\usr\sap\SID\D00\sec\SAPSSLS.pse" [ssslxxi.c 2278]

*[Thr 6312] *** ERROR => Initialization of SSL library failed -- NO SSL available!*

[Thr 6312] =================================================

[Thr 6312] <<- ERROR: SapSSLInit(read_profile=1)==SSSLERR_PSE_ERROR

[Thr 6312] *** WARNING => HttpPlugInInit: Parameter icm/HTTPS/trust_client_with_issuer or icm/HTTPS/trust_client_with_subject not set => do not trust any intermediary

X.509 cert data will be removed from header [http_plgrt.c 719]

[Thr 6312] *** WARNING => HttpAdmHandlerInit: archive
svgts1011\sapmnt\SID\SYS\exe\run/wdispadmin.SAR does not exist [http_adm.cpp 290]

[Thr 6312] *** WARNING => HttpAdmHandlerInit: archive ./wdispadmin.SAR does not exist - nothing extracted [http_adm.cpp 305]

[Thr 6312] HttpSubHandlerAdd: Added handler HttpAdminHandler(slot=0, flags=4101) for /sap/admin:0

[Thr 6312] CsiInit(): Initializing the Content Scan Interface

[Thr 6312] PC with Windows NT (mt,ascii,SAP_CHAR/size_t/void* = 8/32/32)

[Thr 6312] CsiInit(): CSA_LIB = "
HOST\sapmnt\SID\SYS\exe\run\sapcsa.dll"

[Thr 6312] *** ERROR => DlLoadLib: LoadLibrary(
svgts1011\sapmnt\SID\SYS\exe\run\sapcsa.dll) Error 126 [dlnt.c 237]

[Thr 6312] Error 126 = "The specified module could not be found."

[Thr 6312] *** ERROR => HttpAuthHandlerInit: url: / -> failed -> content filter deactivated [http_auth.c 304]

[Thr 6312] HttpSubHandlerAdd: Added handler HttpAuthHandler(slot=1, flags=12293) for /:0

[Thr 6312] HttpSubHandlerAdd: Added handler HttpWebDispHandler(slot=2, flags=28677) for /:0

[Thr 6312] *** ERROR => IcmAddService: SapSSLInit (rc=-40): SSSLERR_PSE_ERROR [icxxserv.c 319]

Here is the pfl file:

# SAPSYSTEMNAME must be set so that the default profile is

# read. If not, a warning is displayed on the console.

SAPSYSTEMNAME = SID

# SAPSYSTEM must be set so that the shared memory areas

# can be created.

# The number must be different from the other SAP instances

# on the host.

#SAPSYSTEM = 01

SAPSYSTEM = 00

# Message Server Description

#rdisp/mshost = FQDN

rdisp/mshost = BI IP Address Server

ms/http_port = 8100

icm/server_port_0 = PROT=HTTPS,PORT=8080,TIMEOUT=7200

#icm/server_port_0 = PROT=HTTP,PORT=8000

icm/server_port_1 = PROT=ROUTER,PORT=1443

icm/HTTPS/verify_client = 0

#Reduce pool memory usage

ipc/shm_psize_10 = 1000000

ipc/shm_psize_10_ignore_default = 1

#SAP Web Dispatcher Parameters

wdisp/auto_refresh = 120

wdisp/max_servers = 100

wdisp/ssl_emcrypt = 2

wdisp/ssl_certhost = WebdispServerName

#Description of the resources

icm/min_threads = 20

icm/max_threads = 40

icm/max_conn = 300

#Communication Buffer

mpi/total_size_MB = 100

mpi/buffer_size = 65536

I have also created on the webdispatcher (not running any SAP instance) the directory structure and share like C:\usr\sap\SID\sys\exe\run and C:\usr\sap\SID\D00\sec where there are the sapgenpse.exe, sapcryptolib.dll, SAPSSLS.pse and ticket.

The SAP directory is shared as sapmnt and saploc as well.

Thanks for your help!

Edited by: Siavauch Saleki on Oct 22, 2008 11:23 AM

Edited by: Siavauch Saleki on Oct 22, 2008 11:38 AM

hemant_chahal
Contributor
0 Kudos

Please refer to this for correct web dispatcher SSL configurations

http://help.sap.com/saphelp_nw04/helpdata/en/82/5fcd8af02d07438148302ceb8b2500/frameset.htm

Former Member
0 Kudos

Hi Hemant,

Thanks for the reply.

I have managed to create PSE files, but the link is not explaining anything about the situation I'm facing.

The path C:\usr\sap\SID\exe\run is not defined in the environment variables, there is only C:\secudir set as LD_LIBRARY_PATH and SECUDIR.

Thanks for your help!

hemant_chahal
Contributor
0 Kudos

Have you created SAPSSLC.PSE in webdispatcher?

Please explain the data flow and the steps you have already completed so that error can be located.

Former Member
0 Kudos

Here are the steps:

- configuring webdispatcher without ssl (OK)

- generating local PSE on both BI server and webdispatcher (OK), the signed certificate is to be obtained; therefore, not imported yet onto any systems

- setting up profile parameters on the BI system and the .pfl file (on the webdispatcher server) for SSL connection with the (OK)

- I don't have any SAPSSLC.pse file on the webdispatcher (not running any SAP instance)

The data flow is quite simple:

User --> webdisp --> portal getting web reports from BI system

Edit:

On the Webdispatcher:

I do have a pse file called SAPSSL.pse generated with the command:

sapgenpse getpse -p SAPSSL.pse -x PIN -r SAPSSL.req "CN=...."

I have downloaded the certificate from service.sap.com/tcs under root certificate. When I execute the command:

sapgenpse import_own_cert -c getcert.cert -r SAPSSL.pse -x PIN

I have the following error message:

import_own_cert: Installation of certificate failed

ERROR in ssf_install_CA_response: (1281/0x0501) aux_file2OctetString failed : "No such file or directory"

ERROR in ssf_read_certs_from_file: (1281/0x0501) aux_file2OctetString failed : "No such file or directory"

ERROR in aux_file2OctetString: (1281/0x0501) stat("getcert.cert") returned : "No such file or directory"

Edited by: Siavauch Saleki on Oct 23, 2008 10:16 AM

Edit 2:

There is actually a saprouter and a webdispatcher on the same server.

Therefore, I had to generate a PSE for the saprouter (at C:\saprouter) and another PSE file for the webdispatcher (located at C:\secudir). The environment variables are set to C:\secudir

The PSE files are different in names and content, the CN, OU and O are not set in the same way.

Thanks for your help

Edited by: Siavauch Saleki on Oct 23, 2008 11:07 AM

Edit3:

The command : sapgenpse.exe maintain_pk -l

returns:

maintain_pk for PSE "C:\saprouter\local.pse"

PKList is empty.

But local.pse was defined for the saprouter.

Environment variables are set to C:\secudir and not c:\saprouter.

How is it possible to maintain this file and to have a central point of administration of PSE file for both Saprouter and Webdispatcher?

Thanks for your help

Edited by: Siavauch Saleki on Oct 23, 2008 11:41 AM

michael_mulvey
Employee
0 Kudos

Hi,

I have uploaded the SSL installation guide for the webdisp at the link below. It is the Unix version but the steps are the same for Windows.

http://www.sendspace.com/file/zmac7e

Michael

Former Member
0 Kudos

Hi,

I have already this documentation.

Thanks

Former Member
0 Kudos

Hi

Where did you keep the downloaded file?

That needs to be imported to /secudir

Before this you need to set this path for SECUDIR and LD_LIBRARY_PATH

I think this is not set properly and so it is not able to find the file you downloaded from SAP

Thanks

Gaurav

Former Member
0 Kudos

Hi Gaurav,

Thanks for your reply.

The environment variables have been set properly.

As an update, I have imported successfully the signed certificate onto both Webdispatcher and BI SAP instance.

The BI SAP instance is referring to SAPSSLC.pse file which exists already at the path specified but not found by the system, here is a piece of dev_icm log file:

=================================================

= SSL Initialization on PC with Windows NT

= (700_REL,Jan 23 2008,mt,ascii,SAP_UC/size_t/void* = 8/32/32)

profile param "ssl/ssl_lib" = "C:\usr\sap\SID\DVEBMGS00\sec\sapcrypto.dll"

resulting Filename = "C:\usr\sap\SID\DVEBMGS00\sec\sapcrypto.dll"

= found SAPCRYPTOLIB 5.5.5C pl24 (Jun 11 2008) MT-safe

= current UserID: HOSTNAME\SAPServiceSID

= found SECUDIR environment variable

= using SECUDIR=C:\usr\sap\SID\DVEBMGS00\sec

*** ERROR => secudessl_Create_SSL_CTX(): PSE "C:\usr\sap\SID\DVEBMGS00\sec\*SAPSSLC.pse" not found!* [ssslsecu.c 1354]

secudessl_Create_SSL_CTX: SSL_CTX_set_default_pse_by_name() failed

ror 4356 (0x00001104) = "unknown structure"

>> Begin of Secude-SSL Errorstack >>

ERROR in SSL_CTX_set_default_pse_by_name: (4356/0x1104) unknown structure #

l_set_pse: (4356/0x1104) unknown structure #

_open: (4356/0x1104) unknown structure #

csw_open: (4356/0x1104) unknown structure #

csw_open_pse_or_extension: (4356/0x1104) unknown structure #

c_get_PSEtype: (4356/0x1104) unknown structure #

<< End of Secude-SSL Errorstack

*** ERROR => SapISSLAddCredential(): Error SSSLERR_PSE_ERROR trying to create CLIENT Credential

"C:\usr\sap\SID\DVEBMGS00\sec\SAPSSLC.pse" [ssslxxi.c 2278]

*** ERROR => Initialization of SSL library failed NO SSL available!

=================================================

<<- ERROR: SapSSLInit(read_profile=1)==SSSLERR_PSE_ERROR

*** ERROR => IcmAddService: SapSSLInit (rc=-40): SSSLERR_PSE_ERROR [icxxserv.c 319]

*** INFO => the EXTBIND attribute in parameter icm/server_port_<xx> for service 25000 is not necessary on Windows - ignor

Started service 25000 for protocol SMTP on host "HOSTNAME.toto.ext.company.no"(on all adapters) (processing timeout

Fri Nov 07 09:15:37 2008

*** WARNING => IcmNetCheck: NiAddrToHost(10.0.0.1) took 5 seconds [icxxman.c 4578]

*** WARNING => IcmNetCheck: 1 possible network problems detected - please check the network/DNS settings [icxxman.c 46

Fri Nov 07 09:18:13 2008

Does anyone have an idea on this?

Might this be due to the SAPServiceSID username?

I have imported the signed certificate onto this system with STRUST using another SAP account than SAPServiceSID.

The https service can't be started from SMICM > Services.

Thanks for your help.
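
Added example (not part of the original thread and not SAP code): a small Python check that reads trace lines like the two posted above and, for each `PSE ... not found` error, reports the SECUDIR and Windows account in effect and whether the expected PSE path lies inside SECUDIR. The `on_disk` argument is a hypothetical input: the file names an administrator has listed in the directory where the PSE is expected.

```python
import ntpath
import re

# Lines copied from the two traces in this thread (forum bold markers removed).
SAMPLE_TRACE = r'''
[Thr 6312] = current UserID: NT AUTHORITY\SYSTEM
[Thr 6312] = using SECUDIR=C:\secudir
[Thr 6312] *** ERROR => secudessl_Create_SSL_CTX(): PSE "C:\usr\sap\SID\D00\sec\SAPSSLS.pse" not found! [ssslsecu.c 1354]
= current UserID: HOSTNAME\SAPServiceSID
= using SECUDIR=C:\usr\sap\SID\DVEBMGS00\sec
*** ERROR => secudessl_Create_SSL_CTX(): PSE "C:\usr\sap\SID\DVEBMGS00\sec\SAPSSLC.pse" not found! [ssslsecu.c 1354]
'''

USER_RE = re.compile(r'current UserID:\s*(.+?)\s*$')
SECUDIR_RE = re.compile(r'using SECUDIR=(.+?)\s*$')
MISSING_RE = re.compile(r'PSE "([^"]+)" not found')

def _norm(path):
    # Windows paths are case-insensitive; ntpath works on any host OS.
    return ntpath.normcase(path.rstrip('\\/'))

def pse_failures(trace, on_disk=()):
    """Return one finding per 'PSE ... not found' line in the trace."""
    user = secudir = None
    present = {name.lower() for name in on_disk}
    findings = []
    for line in trace.splitlines():
        if m := USER_RE.search(line):
            user = m.group(1)
        elif m := SECUDIR_RE.search(line):
            secudir = m.group(1)
        elif m := MISSING_RE.search(line):
            pse = m.group(1)
            name = ntpath.basename(pse)
            findings.append({
                'pse': pse,
                'name': name,
                'run_as': user,        # account that must be able to read the file
                'secudir': secudir,
                # False means the PSE is being looked up outside SECUDIR.
                'in_secudir': secudir is not None
                              and _norm(ntpath.dirname(pse)) == _norm(secudir),
                # True means a file with exactly this name was listed.
                'name_listed': name.lower() in present,
            })
    return findings

if __name__ == '__main__':
    print(*pse_failures(SAMPLE_TRACE, on_disk=['SAPSSL.pse']), sep='\n')
```

On the sample lines it shows the Web Dispatcher looking for `SAPSSLS.pse` outside `C:\secudir`, and that a file listed as `SAPSSL.pse` does not match the expected name.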

hemant_chahal
Contributor
0 Kudos

Even if you are facing problem with certificates, HTTPS in smicm should start. We used DDIC user for configuring SSL and it worked.

Edited by: Hemant Chahal on Nov 7, 2008 2:14 PM

Former Member
0 Kudos

Hi Hemant,

Thanks for your help, the used SAP account has SAP_ALL and SAP_NEW profile, same as DDIC account we have here.

Then what is the difference?

Former Member
0 Kudos

Sorry, I found it, it is TC STRUST

Former Member
0 Kudos

Thanks a lot for the links.

Actually, there is no Java stack running, therefore, no need to configure it for HTTPS.

I'm using this link: http://help.sap.com/saphelp_nw04/helpdata/en/20/37c33ae8361838e10000000a11402f/content.htm

and don't understand what is the "SSL Server PSE node", can someone help me on this please?

Thanks!

former_member192295
Active Contributor
0 Kudos
Former Member
0 Kudos

Ok thanks!

Besides, do I need to reconfigure the SAProuter and the Webdispatcher?

Edit: what I meant by this is: is it better to set up HTTPS before setting up the saprouter and webdispatcher, or are these elements independent and can be configured independently?

Thanks

Edited by: Saleki Siavauch on Sep 9, 2008 3:20 PM

hemant_chahal
Contributor
0 Kudos

If you have web dispatcher as reverse proxy then you have to configure HTTPS according to Web dispatcher as first the request will go to Web dispatcher then to the SAP server.

Accordingly you have to configure SSL.

hemant_chahal
Contributor
0 Kudos

If you want to use HTTPS then you should have security configured on the BW system. Please refer to: http://help.sap.com/saphelp_nw04/helpdata/en/41/845cdb9c548b419ee4e089841f1b6c/frameset.htm

Edited by: Hemant Chahal on Sep 2, 2008 6:52 PM

Former Member
0 Kudos

Hi,

Thanks for your replies!

We already have a SAP portal installed

Do I need to have an SSL certificate from a company such as Verisign?

Thanks!

stefan_grube
Active Contributor
0 Kudos

> Do I need to have an SSL certificate from a company such as Verisign?

No, this is only required for B2B scenarios. You can use self-signed certificates which can be created directly in the connected systems.

Regards

Stefan

Former Member
0 Kudos