09-18-2008 4:55 PM
Hi,
we establish a connection from an external client via a reverse proxy to an internal SAP PI. That is working in general.
In the next step the client should authorize against the reverse proxy with a client certificate. That is working, too.
Now in the last step the reverse proxy should forward this client certificate to the SAP PI. Here I want to import this certificate and connect this to a specific user.
However, I do not have the Apache knowledge to implement a correct proxy configuration. I read a lot of threads in this SAP forum and in some Apache mailing lists. Some users here are using the method. Could anyone give me an example of a correct proxy configuration for Apache, where the client certificate is forwarded?
Thanks in advance,
Nils Kloth
09-18-2008 5:48 PM
Hi,
I have done something similar:
A business partner connects to our PI server through, first, an Apache reverse proxy and, secondly, a SAP Web Dispatcher.
We are exchanging RosettaNet messages with this partner.
The authentication is done at the PI level (RNIF adapter) with an X.509 client certificate.
It means that the client customer passes through Apache and the Web Dispatcher.
I just checked the Apache configuration file and did not find any specific command to forward the certificate. It just works!
Regards,
Olivier
09-19-2008 7:46 AM
Hi Olivier,
thank you for your answer. Could you post your Apache configuration (without hostnames and IPs) here, so I can have a look?
Thanks,
Nils
09-19-2008 9:24 AM
Hi,
Well, the configuration is complex because this Apache is altogether a reverse proxy and a forward proxy. It is also a reverse proxy for both SAP SRM and SAP XI/PI.
Here is an extract to give you an idea of the reverse proxy configuration part:
<VirtualHost externalhost.domain:443>
    ServerName externalhost.domain
    SSLEngine on
    SSLProxyEngine on
    SSLCertificateFile /etc/apache2/ssl/externalhost.domain.crt
    SSLCertificateKeyFile /etc/apache2/ssl/externalhost.domain.key
    SSLCertificateChainFile /etc/apache2/ssl/VerisignIntermediate.crt
    ErrorLog /var/log/apache2/error_ssl.log
    LogLevel Warn
    CustomLog /var/log/apache2/access.log combined
    ServerSignature On
    ######### Reverse proxy configuration
    ProxyRequests off
    ProxyTimeout 600
    ProxyPreserveHost on
    RequestHeader set ClientProtocol https
    RequestHeader set x-sap-webdisp-ap HTTPS=443
    RewriteEngine on
    #RewriteLog /var/log/apache2/rewrite.log
    #RewriteLogLevel 9
    # REDIRECTS TO THE SRM SAP WEB DISPATCHER ON HTTPS PORT 443
    #
    RewriteRule ^/$ https://webdisphost:443/sap/bc/gui/sap/its/bbpstart [P]
    #
    # Redirect URLs starting with /sap/ to the SRM web dispatcher
    RewriteRule ^/sap/(.*) https://webdisphost:443/sap/$1 [P,L]
    #
    # Redirect URLs containing /sap( to the SRM web dispatcher
    RewriteRule ^/(sap\(.*) https://webdisphost:443/$1 [P,L]
    # REDIRECTS TO THE XI SAP WEB DISPATCHER ON HTTPS PORT 444
    #
    # Redirect URLs starting with /rosettanet to the technical URL on the XI web dispatcher
    RewriteRule ^/rosettanet(.*) https://webdisphost:444/MessagingSystem/receive/RNIFAdapter/RNIF/$1 [P]
    <Location />
        SSLRequireSSL
        Order allow,deny
        Allow from all
        ProxyPassReverse https://webdisphost:443
    </Location>
</VirtualHost>
Regards,
Olivier
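An added example, not part of any post in this thread and not a tested SAP setup: when Apache runs with SSLEngine on and SSLProxyEngine on, it ends the client's TLS session and opens its own session to the backend, so a client certificate is not carried in that second handshake. One common pattern is to verify the certificate at the proxy and pass it on in a request header. The header name SSL_CLIENT_CERT, the file paths marked as assumed, the proxy's own certificate toward the backend, and a backend configured to accept the header only from this proxy are all assumptions.

```apache
# Added example; host names reuse the placeholders from the extract above.
<VirtualHost externalhost.domain:443>
    ServerName externalhost.domain

    # Server side of the external TLS session.
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/externalhost.domain.crt
    SSLCertificateKeyFile /etc/apache2/ssl/externalhost.domain.key

    # Authenticate the partner at the proxy: the handshake fails unless the
    # client presents a certificate that chains to a CA in this file.
    # (assumed path)
    SSLVerifyClient require
    SSLVerifyDepth  2
    SSLCACertificateFile /etc/apache2/ssl/partner-ca.crt

    # Second TLS session, proxy to backend. Verify the backend's certificate
    # and present the proxy's own certificate so the backend can tell the
    # proxy apart from any other caller. (assumed paths)
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile      /etc/apache2/ssl/backend-ca.crt
    SSLProxyMachineCertificateFile /etc/apache2/ssl/proxy-client.pem

    ProxyRequests off
    ProxyPreserveHost on

    # Pass the verified certificate to the backend in a header (mod_headers).
    # "set" replaces any value sent by the client, so a caller cannot supply
    # its own certificate header. The header name is an assumption; use the
    # one the backend documents.
    RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
    RequestHeader set ClientProtocol https

    ProxyPass        /rosettanet https://webdisphost:444/MessagingSystem/receive/RNIFAdapter/RNIF
    ProxyPassReverse /rosettanet https://webdisphost:444/MessagingSystem/receive/RNIFAdapter/RNIF
</VirtualHost>
```

The backend should honour the certificate header only on connections that authenticate as the proxy; if it accepts the header from any source, any caller that reaches the backend directly can assert an identity.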
09-05-2011 11:45 AM
Hi Nils / Olivier, this is an old thread and I am trying to do a similar setup for SAP PI RosettaNet using just the Web Dispatcher, but no luck so far.
Could you please let me know the basic configuration required if I just use Apache? My scenario would be like this:
1. Customers will access Apache over SSL (e.g. https://<apacheinDMZ>.domain.com:443/RNIF)
2. Apache should redirect the URL to SAP PI: https://<saphost>.domain.com:5xx01/MessagingSystem/receiver/RNIFAdapter/RNIF
I would like to understand whether we need to install SSL certificates signed by Verisign or other trusted authorities at Apache SSL and/or the SAP PI J2EE stack.
I tried using the Web Dispatcher with an end-to-end SSL configuration, but certificate logins are not working. It is prompting for basic authentication (username/password). That's why I thought of exploring Apache as an option. Thank you for your help.
Thanks
Kishore