on 09-02-2008 2:01 PM
Hi All,
There is an MS Windows terminal server which communicates via HTTP with SAP NW04 BW3.5.
I'd like to set up an HTTPS connection between them but don't know if an SSL certificate is required?
Are there any notes or links relating to this?
Many thanks!
The https connection is going to be used to secure connection between 2 BI systems (dev and prod) printing Web Reports into a portal. (BI servers and Portal are located on separate servers)
We switch from Dev to Prod thanks to a Web dispatcher located on another server having no SAP instance.
Is there something to do with the SAP portal J2EE config to accept HTTPS connections?
I'm using port 1443 for the parameter icm/server_port_X on the BI systems, is that the correct port?
Do I have to specify this in the Portal's J2EE configtool?
Thanks for your answers!
Hi All,
There is a webdispatcher, BI system and a portal.
I have created a set of pse and req files from BI system for setting up End-to-End SSL.
Does the webdispatcher server have to have its own pse file to be imported?
Is it mandatory to request a certificate from SAP or Verisign?
When starting the Webdispatcher I find the following error:
[Thr 7956] started security log to file dev_icm_sec
[Thr 7956] SAP Web Dispatcher running on: HOST
[Thr 7956] MtxInit: 30001 0 2
[Thr 7956] IcmInit: listening to admin port: 65000
[Thr 7956] IcrCoreInitSessionTable: Session table initialized
[Thr 6312] =================================================
[Thr 6312] = SSL Initialization on PC with Windows NT
[Thr 6312] = (700_REL,Jan 23 2008,mt,ascii,SAP_UC/size_t/void* = 8/32/32)
[Thr 6312] = found SAPCRYPTOLIB 5.5.5C pl24 (Jun 11 2008) MT-safe
[Thr 6312] = current UserID: NT AUTHORITY\SYSTEM
[Thr 6312] = found SECUDIR environment variable
[Thr 6312] = using SECUDIR=C:\secudir
[Thr 6312] *** ERROR => secudessl_Create_SSL_CTX(): PSE "C:\usr\sap\SID\D00\sec\SAPSSLS.pse" not found! [ssslsecu.c 1354]
[Thr 6312] secudessl_Create_SSL_CTX: SSL_CTX_set_default_pse_by_name() failed --
secude_error 4356 (0x00001104) = "unknown structure"
[Thr 6312] >> -
[Thr 6312] ERROR in SSL_CTX_set_default_pse_by_name: (4356/0x1104) unknown structure
ERROR in ssl_set_pse: (4356/0x1104) unknown structure
ERROR in af_open: (4356/0x1104) unknown structure
ERROR in secsw_open: (4356/0x1104) unknown structure
ERROR in secsw_open_pse_or_extension: (4356/0x1104) unknown structure
ERROR in sec_get_PSEtype: (4356/0x1104) unknown structure
[Thr 6312] << -
[Thr 6312] *** ERROR => SapISSLAddCredential(): Error SSSLERR_PSE_ERROR trying to create SERVER Credential for "C:\usr\sap\SID\D00\sec\SAPSSLS.pse" [ssslxxi.c 2278]
[Thr 6312] *** ERROR => Initialization of SSL library failed -- NO SSL available!
[Thr 6312] =================================================
[Thr 6312] <<- ERROR: SapSSLInit(read_profile=1)==SSSLERR_PSE_ERROR
[Thr 6312] *** WARNING => HttpPlugInInit: Parameter icm/HTTPS/trust_client_with_issuer or icm/HTTPS/trust_client_with_subject not set => do not trust any intermediary
X.509 cert data will be removed from header [http_plgrt.c 719]
[Thr 6312] *** WARNING => HttpAdmHandlerInit: archive
svgts1011\sapmnt\SID\SYS\exe\run/wdispadmin.SAR does not exist [http_adm.cpp 290]
[Thr 6312] *** WARNING => HttpAdmHandlerInit: archive ./wdispadmin.SAR does not exist - nothing extracted [http_adm.cpp 305]
[Thr 6312] HttpSubHandlerAdd: Added handler HttpAdminHandler(slot=0, flags=4101) for /sap/admin:0
[Thr 6312] CsiInit(): Initializing the Content Scan Interface
[Thr 6312] PC with Windows NT (mt,ascii,SAP_CHAR/size_t/void* = 8/32/32)
[Thr 6312] CsiInit(): CSA_LIB = "
HOST\sapmnt\SID\SYS\exe\run\sapcsa.dll"
[Thr 6312] *** ERROR => DlLoadLib: LoadLibrary(
svgts1011\sapmnt\SID\SYS\exe\run\sapcsa.dll) Error 126 [dlnt.c 237]
[Thr 6312] Error 126 = "The specified module could not be found."
[Thr 6312] *** ERROR => HttpAuthHandlerInit: url: / -> failed -> content filter deactivated [http_auth.c 304]
[Thr 6312] HttpSubHandlerAdd: Added handler HttpAuthHandler(slot=1, flags=12293) for /:0
[Thr 6312] HttpSubHandlerAdd: Added handler HttpWebDispHandler(slot=2, flags=28677) for /:0
[Thr 6312] *** ERROR => IcmAddService: SapSSLInit (rc=-40): SSSLERR_PSE_ERROR [icxxserv.c 319]
Here is the pfl file:
# SAPSYSTEMNAME must be set so that the default profile is
# read. If not, a warning is displayed on the console.
SAPSYSTEMNAME = SID
# SAPSYSTEM must be set so that the shared memory areas
# can be created.
# The number must be different from the other SAP instances
# on the host.
#SAPSYSTEM = 01
SAPSYSTEM = 00
# Message Server Description
#rdisp/mshost = FQDN
rdisp/mshost = BI IP Address Server
ms/http_port = 8100
icm/server_port_0 = PROT=HTTPS,PORT=8080,TIMEOUT=7200
#icm/server_port_0 = PROT=HTTP,PORT=8000
icm/server_port_1 = PROT=ROUTER,PORT=1443
icm/HTTPS/verify_client = 0
#Reduce pool memory usage
ipc/shm_psize_10 = 1000000
ipc/shm_psize_10_ignore_default = 1
#SAP Web Dispatcher Parameters
wdisp/auto_refresh = 120
wdisp/max_servers = 100
wdisp/ssl_emcrypt = 2
wdisp/ssl_certhost = WebdispServerName
#Description of the resources
icm/min_threads = 20
icm/max_threads = 40
icm/max_conn = 300
#Communication Buffer
mpi/total_size_MB = 100
mpi/buffer_size = 65536
I have also created on the webdispatcher (not running any SAP instance) the directory structure and shares like C:\usr\sap\SID\sys\exe\run and C:\usr\sap\SID\D00\sec, where there are the sapgenpse.exe, sapcryptolib.dll, SAPSSLS.pse and ticket.
The SAP directory is shared as sapmnt and saploc as well.
Thanks for your help!
Edited by: Siavauch Saleki on Oct 22, 2008 11:23 AM
Edited by: Siavauch Saleki on Oct 22, 2008 11:38 AM
Please refer to this for the correct web dispatcher SSL configuration:
http://help.sap.com/saphelp_nw04/helpdata/en/82/5fcd8af02d07438148302ceb8b2500/frameset.htm
Hi Hermant,
Thanks for the reply.
I have managed to create PSE files, but the link is not explaining anything about the situation I'm facing.
The path C:\usr\sap\SID\exe\run is not defined in the environment variables; there is only C:\secudir set as LD_LIBRARY_PATH and SECUDIR.
Thanks for your help!
Here are the steps:
- configuring webdispatcher without ssl (OK)
- generating local PSE on both BI server and webdispatcher (OK), the signed certificate is to be obtained; therefore, not imported yet onto any systems
- setting up profile parameters on the BI system and the .pfl file (on the webdispatcher server) for SSL connection with the (OK)
- I don't have any SAPSSLC.pse file on the webdispatcher (not running any SAP instance)
The data flow is quite simple:
User --> webdisp --> portal getting web reports from BI system
Edit:
On the Webdispatcher:
I do have a pse file called SAPSSL.pse generated with the command:
sapgenpse getpse -p SAPSSL.pse -x PIN -r SAPSSL.req "CN=...."
I have downloaded the certificate from service.sap.com/tcs under root certificate. When I execute the command:
sapgenpse import_own_cert -c getcert.cert -r SAPSSL.pse -x PIN
I have the following error message:
import_own_cert: Installation of certificate failed
ERROR in ssf_install_CA_response: (1281/0x0501) aux_file2OctetString failed : "No such file or directory"
ERROR in ssf_read_certs_from_file: (1281/0x0501) aux_file2OctetString failed : "No such file or directory"
ERROR in aux_file2OctetString: (1281/0x0501) stat("getcert.cert") returned : "No such file or directory"
Edited by: Siavauch Saleki on Oct 23, 2008 10:16 AM
Edit 2:
There is actually a saprouter and a webdispatcher on the same server.
Therefore, I had to generate a PSE for the saprouter (at C:\saprouter) and another PSE file for the webdispatcher (located at C:\secudir). The environment variables are set to C:\secudir
The PSE files are different in names and content, the CN, OU and O are not set in the same way.
Thanks for your help
Edited by: Siavauch Saleki on Oct 23, 2008 11:07 AM
Edit3:
The command : sapgenpse.exe maintain_pk -l
returns:
maintain_pk for PSE "C:\saprouter\local.pse"
PKList is empty.
But local.pse was defined for the saprouter.
Environment variables are set to C:\secudir and not c:\saprouter.
How is it possible to maintain this file and to have a central point of
administration of PSE files for both Saprouter and Webdispatcher?
Thanks for your help
Edited by: Siavauch Saleki on Oct 23, 2008 11:41 AM
Hi,
I have uploaded the SSL installation guide for the webdisp at the link below. It is the Unix version but the steps are the same for Windows.
http://www.sendspace.com/file/zmac7e
Michael
Hi Gaurav,
Thanks for your reply.
The environment variables have been set properly.
As an update, I have successfully imported the signed certificate onto both the Webdispatcher and the BI SAP instance.
The BI SAP instance is referring to the SAPSSLC.pse file, which already exists at the path specified but is not found by the system. Here is a piece of the dev_icm log file:
=================================================
= SSL Initialization on PC with Windows NT
= (700_REL,Jan 23 2008,mt,ascii,SAP_UC/size_t/void* = 8/32/32)
profile param "ssl/ssl_lib" = "C:\usr\sap\SID\DVEBMGS00\sec\sapcrypto.dll"
resulting Filename = "C:\usr\sap\SID\DVEBMGS00\sec\sapcrypto.dll"
= found SAPCRYPTOLIB 5.5.5C pl24 (Jun 11 2008) MT-safe
= current UserID: HOSTNAME\SAPServiceSID
= found SECUDIR environment variable
= using SECUDIR=C:\usr\sap\SID\DVEBMGS00\sec
*** ERROR => secudessl_Create_SSL_CTX(): PSE "C:\usr\sap\SID\DVEBMGS00\sec\SAPSSLC.pse" not found! [ssslsecu.c 1354]
secudessl_Create_SSL_CTX: SSL_CTX_set_default_pse_by_name() failed
ror 4356 (0x00001104) = "unknown structure"
>> Begin of Secude-SSL Errorstack >>
ERROR in SSL_CTX_set_default_pse_by_name: (4356/0x1104) unknown structure #
l_set_pse: (4356/0x1104) unknown structure #
_open: (4356/0x1104) unknown structure #
csw_open: (4356/0x1104) unknown structure #
csw_open_pse_or_extension: (4356/0x1104) unknown structure #
c_get_PSEtype: (4356/0x1104) unknown structure #
<< End of Secude-SSL Errorstack
*** ERROR => SapISSLAddCredential(): Error SSSLERR_PSE_ERROR trying to create CLIENT Credential
"C:\usr\sap\SID\DVEBMGS00\sec\SAPSSLC.pse" [ssslxxi.c 2278]
*** ERROR => Initialization of SSL library failed NO SSL available!
=================================================
<<- ERROR: SapSSLInit(read_profile=1)==SSSLERR_PSE_ERROR
*** ERROR => IcmAddService: SapSSLInit (rc=-40): SSSLERR_PSE_ERROR [icxxserv.c 319]
*** INFO => the EXTBIND attribute in parameter icm/server_port_<xx> for service 25000 is not necessary on Windows - ignor
Started service 25000 for protocol SMTP on host "HOSTNAME.toto.ext.company.no"(on all adapters) (processing timeout
Fri Nov 07 09:15:37 2008
*** WARNING => IcmNetCheck: NiAddrToHost(10.0.0.1) took 5 seconds [icxxman.c 4578]
*** WARNING => IcmNetCheck: 1 possible network problems detected - please check the network/DNS settings [icxxman.c 46
Fri Nov 07 09:18:13 2008
Does anyone have an idea on this?
Might this be due to the SAPServiceSID username?
I have imported the signed certificate onto this system with STRUST using another SAP account than SAPServiceSID.
The https service can't be started from SMICM > Services.
Thanks for your help.
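An added example, not part of the original thread: a short Python script that reads the two trace excerpts posted above and compares the directory each "PSE ... not found" error names with the SECUDIR the SSL layer reports. The function name `diagnose` and the comparison itself are assumptions made for illustration; the trace lines are copied from the posts.

```python
import ntpath
import re

# Lines copied from the two traces posted in this thread (forum bold markers removed).
WEBDISP_TRACE = r'''
[Thr 6312] = found SECUDIR environment variable
[Thr 6312] = using SECUDIR=C:\secudir
[Thr 6312] *** ERROR => secudessl_Create_SSL_CTX(): PSE "C:\usr\sap\SID\D00\sec\SAPSSLS.pse" not found! [ssslsecu.c 1354]
'''
BI_TRACE = r'''
= using SECUDIR=C:\usr\sap\SID\DVEBMGS00\sec
*** ERROR => secudessl_Create_SSL_CTX(): PSE "C:\usr\sap\SID\DVEBMGS00\sec\SAPSSLC.pse" not found! [ssslsecu.c 1354]
'''

SECUDIR_RE = re.compile(r"using SECUDIR=(.+?)\s*$", re.MULTILINE)
PSE_RE = re.compile(r'PSE "([^"]+)" not found')


def _norm(path):
    # Windows paths: compare case-insensitively with normalised separators.
    return ntpath.normcase(ntpath.normpath(path))


def diagnose(trace):
    """Return one finding per 'PSE ... not found' error in the trace text."""
    m = SECUDIR_RE.search(trace)
    secudir = m.group(1) if m else None
    findings = []
    for pse_path in PSE_RE.findall(trace):
        pse_dir = ntpath.dirname(pse_path)
        findings.append({
            "pse": ntpath.basename(pse_path),
            "pse_dir": pse_dir,
            "secudir": secudir,
            # True when the PSE is requested from a directory other than SECUDIR.
            "outside_secudir": secudir is not None and _norm(pse_dir) != _norm(secudir),
        })
    return findings


if __name__ == "__main__":
    for name, trace in (("webdisp", WEBDISP_TRACE), ("BI", BI_TRACE)):
        for f in diagnose(trace):
            flag = "MISMATCH" if f["outside_secudir"] else "same directory"
            print(f"{name}: {f['pse']} requested from {f['pse_dir']}, SECUDIR={f['secudir']} -> {flag}")
```

For the Web Dispatcher trace the script reports a mismatch (SAPSSLS.pse is requested from the instance sec directory while SECUDIR is C:\secudir); for the BI trace both directories agree, so this check does not explain that second failure.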
Sorry, I found it, it is TC STRUST
Thanks a lot for the links.
Actually, there is no Java stack running, therefore, no need to configure it for HTTPS.
I'm using this link: http://help.sap.com/saphelp_nw04/helpdata/en/20/37c33ae8361838e10000000a11402f/content.htm
and don't understand what the "SSL Server PSE node" is, can someone help me on this please?
Thanks!
Hi,
A Web Dispatcher is not mandatory for SSL configuration; we can also do it without a Web Dispatcher.
Find the links below for more information.
http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/frameset.htm
Ok thanks!
Besides, do I need to reconfigure the SAProuter and the Webdispatcher?
Edit: what I meant by this is: is it better to set up HTTPS before setting up the saprouter and webdispatcher, or are these elements independent and can be configured independently?
Thanks
Edited by: Saleki Siavauch on Sep 9, 2008 3:20 PM
If you want to use HTTPS then you should have security configured on the BW system. Please refer to: http://help.sap.com/saphelp_nw04/helpdata/en/41/845cdb9c548b419ee4e089841f1b6c/frameset.htm
Edited by: Hemant Chahal on Sep 2, 2008 6:52 PM
Hi,
please have a look here:
http://help.sap.com/saphelp_nw04/helpdata/en/65/6a563cef658a06e10000000a11405a/frameset.htm
Regards
Patrick