Client certificate forwarding via Apache reverse proxy to a SAP WAS + PI

Former Member
0 Kudos

Hi,

we establish a connection from an external client via a reverse proxy to an internal SAP PI. That is working in general.

In the next step the client should authorize against the reverse proxy with a client certificate. That is working, too.

Now in the last step the reverse proxy should forward this client certificate to the SAP PI. Here I want to import this certificate and connect this to a specific user.

However, I do not have the Apache knowledge to implement a correct proxy configuration. I have read a lot of threads in this SAP forum and in some Apache mailing lists. Some users here are using the method. Could anyone give me an example of a correct proxy configuration for Apache, where the client certificate is forwarded?

Thanks in advance,

Nils Kloth

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi,

I have done something similar:

A business partner connects to our PI server through, first, an Apache reverse proxy and, secondly, a SAP Web Dispatcher.

We are exchanging RosettaNet messages with this partner.

The authentication is done at the PI level (RNIF adapter) with an X.509 client certificate.

It means that the client customer passes through Apache and the Web Dispatcher.

I just checked the Apache configuration file and did not find any specific command to forward the certificate. It just works!

Regards,

Olivier

4 REPLIES 4

0 Kudos

Hi Olivier,

thank you for your answer. Could you post your Apache configuration (without hostnames and IPs) here, so I can have a look?

Thanks,

Nils

0 Kudos

Hi,

Well, the configuration is complex because this Apache is altogether a reverse proxy and a forward proxy. It is also a reverse proxy for both SAP SRM and SAP XI/PI.

Here is an extract to give you an idea of the reverse proxy configuration part:


<VirtualHost externalhost.domain:443>

        ServerName externalhost.domain

        SSLEngine on
        SSLProxyEngine on

        SSLCertificateFile      /etc/apache2/ssl/externalhost.domain.crt
        SSLCertificateKeyFile   /etc/apache2/ssl/externalhost.domain.key
        SSLCertificateChainFile /etc/apache2/ssl/VerisignIntermediate.crt

        ErrorLog /var/log/apache2/error_ssl.log
        LogLevel warn

        CustomLog /var/log/apache2/access.log combined
        ServerSignature On

######### Reverse proxy configuration

        ProxyRequests off
        ProxyTimeout 600

        ProxyPreserveHost on
        RequestHeader set ClientProtocol https
        RequestHeader set x-sap-webdisp-ap HTTPS=443


        RewriteEngine on
        #RewriteLog /var/log/apache2/rewrite.log
        #RewriteLogLevel 9

        # REDIRECTS TO THE SRM SAP WEB DISPATCHER ON HTTPS PORT 443
        #
        RewriteRule  ^/$            https://webdisphost:443/sap/bc/gui/sap/its/bbpstart  [P]
        #
        # Redirect URLs starting with /sap/ to the SRM Web Dispatcher
        RewriteRule  ^/sap/(.*)     https://webdisphost:443/sap/$1  [P,L]
        #
        # Redirect URLs containing /sap( to the SRM Web Dispatcher
        RewriteRule  ^/(sap\(.*)    https://webdisphost:443/$1  [P,L]

        # REDIRECTS TO THE XI SAP WEB DISPATCHER ON HTTPS PORT 444
        #
        # Redirect URLs starting with /rosettanet to the technical URL on the XI Web Dispatcher
        RewriteRule ^/rosettanet(.*)   https://webdisphost:444/MessagingSystem/receive/RNIFAdapter/RNIF/$1 [P]


        <Location />

             SSLRequireSSL
             Order allow,deny
             Allow from all

             ProxyPassReverse  https://webdisphost:443
         </Location>

</VirtualHost>

Regards,

Olivier
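
For the setup asked about in this thread (Apache verifies the client certificate and then hands it to the SAP backend), a common pattern is to pass the verified certificate in a request header, because a proxy that terminates TLS cannot present the client's certificate on its own connection to the backend. The following is an added example, not configuration from any poster in this thread; the header name SSL_CLIENT_CERT, the CA and key file paths, and the SAP-side trust parameters named in the comments are assumptions to check against the SAP documentation for your release.

```apache
# Added example. Hostnames, file paths and the backend URL are placeholders.
<VirtualHost *:443>
    ServerName externalhost.domain

    SSLEngine on
    SSLCertificateFile      /etc/apache2/ssl/externalhost.domain.crt
    SSLCertificateKeyFile   /etc/apache2/ssl/externalhost.domain.key

    # Client -> proxy leg: require and verify an X.509 client certificate.
    # partner-ca.crt (placeholder) holds only the CAs allowed to issue
    # partner certificates, not a general public CA bundle.
    SSLVerifyClient      require
    SSLVerifyDepth       2
    SSLCACertificateFile /etc/apache2/ssl/partner-ca.crt

    # Drop any copy of the header sent by the client, then set it from the
    # certificate that mod_ssl verified on this connection. Without this,
    # a client could supply its own header and claim another identity.
    RequestHeader unset SSL_CLIENT_CERT
    RequestHeader set   SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"

    # Proxy -> backend leg: verify the backend and authenticate the proxy
    # itself with its own client certificate (certificate and key in one PEM).
    SSLProxyEngine                 on
    SSLProxyVerify                 require
    SSLProxyCACertificateFile      /etc/apache2/ssl/internal-ca.crt
    SSLProxyMachineCertificateFile /etc/apache2/ssl/proxy-client.pem

    # Assumption (SAP side): the ICM / Web Dispatcher accepts the forwarded
    # header only on connections authenticated with the proxy's certificate,
    # e.g. via icm/HTTPS/trust_client_with_issuer and
    # icm/HTTPS/trust_client_with_subject. The certificate is then mapped
    # to a user in the backend.

    ProxyRequests off
    ProxyPass        /rosettanet https://webdisphost:444/MessagingSystem/receive/RNIFAdapter/RNIF
    ProxyPassReverse /rosettanet https://webdisphost:444/MessagingSystem/receive/RNIFAdapter/RNIF
</VirtualHost>
```

The backend port must not be reachable except through the proxy; otherwise the header can be set by anyone who can connect to it directly.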

Former Member
0 Kudos

Hi Nils / Olivier, this is an old thread and I am trying to do a similar setup for SAP PI RosettaNet using just the Web Dispatcher, but no luck so far.

Could you please let me know the basic configurations required if I just use Apache? My scenario would be like this:

1. Customers will access Apache over SSL (e.g. https://<apacheinDMZ>.domain.com:443/RNIF)

2. Apache should redirect the URL to SAP PI: https://<saphost>.domain.com:5xx01/MessagingSystem/receiver/RNIFAdapter/RNIF

I would like to understand whether we need to install SSL certificates signed by Verisign or other trusted authorities at Apache SSL and/or the SAP PI J2EE stack.

I tried using the Web Dispatcher with an end-to-end SSL configuration, but certificate logins are not working. It is prompting for Basic authentication (username/password). That's why I thought of exploring Apache as an option. Thank you for your help.

Thanks

Kishore