Using existing SSL Certificate for Web Dispatcher

HuseyinBilgen
Active Contributor
0 Kudos

Hi,

We've registered a SSL certificate with wildcard option via GlobalSign. The history of this process is as below:

1. We created a Certificate Request with IIS and sent it to GS (GlobalSign).

2. They sent us the certificate file, Globalsign Primary Secure Server CA and Globalsign Server Sign CA files.

3. Imported all certificates into IIS and then exported the certificate into a Cert.pfx file.

4. By using this file, we were able to import the SSL certificate into the J2EE WAS 640 of the Portal system.

5. Now we want to use the same certificate to set up a Web Dispatcher installation as an intermediate server for internet access.

The Web Dispatcher documentation says to create a pse and req file with the sapgenpse program and then send it to the CA (here GlobalSign) to get a certificate.

But when we asked GS, they told us to use the certificate they sent us before. They cannot create a certificate file for the output of Web Dispatcher. We will be billed if we persist.

So, we have to find a way to use the existing certificate to enable SSL of Web Dispatcher.

Any idea?

Accepted Solutions (1)

Former Member
0 Kudos

Try using the import_p12 option of sapgenpse.

ie: sapgenpse import_p12 -p SAPSSLS.PSE exportfile.pfx

This is supposed to create a new "SAPSSLS.PSE" file with the private/public key pair, and signed cert from your export file. Let us all know if it works out for you.

Regards,

Karl

HuseyinBilgen
Active Contributor
0 Kudos

Hi Karl,

Thank you very much. Although I found another solution, your solution worked!

Neither SDN nor OSS gave this answer to me.

Regards

Former Member
0 Kudos

Huseyin,

The documentation is hard to find for the import_p12 option to say the least. I had to figure it out by using "sapgenpse -h" and fumbling through the options. You can use export_p12 to move the cert back the other direction as well. Can you explain what your other option was?

Regards,

Karl Litterer

Former Member
0 Kudos

There is brief mention about the support for sapgenpse import_p12 and export_p12 in OSS 745063 "SAPCRYPTOLIB 555pl16: ASN.1 parser fixes, PKCS#12 support". That is all I have found.

Regards,

Karl

HuseyinBilgen
Active Contributor
0 Kudos

Hi Karl,

The other option is to provide SSL termination via Apache Web Server. This idea was raised by someone who said "you can use IIS with Web Dispatcher which is SSL enabled."

On the front, Apache is providing a standard HTML page which submits user/password to /irj/portal

This Web Server is SSL enabled and Apache is redirecting requests to https://<domain>/irj/portal which is under redirected to internal portal servers SSL address.

So, what we do is set the Apache redirection to the Web Dispatcher port via the following configuration in httpd.conf:

RewriteRule ^/irj/(.*) https://localhost:8003/irj/$1 [P]
RewriteRule ^/logon/(.*) https://localhost:8003/logon/$1 [P]
RewriteRule ^/webdynpro/(.*) https://localhost:8003/$1 [P]

SAP Web Dispatcher is configured for SSL termination with the following configuration:

# Profile generated by sapwebdisp bootstrap

# unique instance number
SAPSYSTEM = 1

# Accessibility of Message Servers
rdisp/mshost = 10.180.1.10
ms/http_port = 8101

# SAP Web Dispatcher Parameter
wdisp/auto_refresh = 120
wdisp/max_servers = 100
wdisp/shm_attach_mode = 6

# configuration for large scenario
icm/max_conn = 8192
icm/max_sockets = 16384
icm/req_queue_len = 6000
icm/min_threads = 100
icm/max_threads = 200
mpi/total_size_MB = 300
mpi/buffer_size = 32768
mpi/max_pipes = 21000

# maximum number of concurrent connections to one server
wdisp/HTTP/max_pooled_con = 8192
wdisp/HTTPS/max_pooled_con = 8192

# SAP Web Dispatcher Web Administration
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=./admin

# SAP Web Dispatcher Ports
icm/server_port_0 = PROT=HTTPS,PORT=8003
icm/server_port_1 = PROT=HTTP,PORT=0
wdisp/ssl_encrypt = 0
wdisp/add_client_protocol_header = true
icm/HTTPS/verify_client = 0
ssl/ssl_lib=/webdisp/secudir/libsapcrypto.so
ssl/server_pse=/webdisp/secudir/SAPSSL.pse

This is working at the moment.

regards
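
Added example, not part of the thread and not SAP code: a small Python check that parses the TLS-related lines of the Web Dispatcher profile posted above and lists the settings a reviewer would want confirmed before the dispatcher faces the internet. The sample text is constructed from that post, the function names are hypothetical, and the reading of PORT=0 as a listener that is not opened and of the value 0 for wdisp/ssl_encrypt and icm/HTTPS/verify_client is an assumption based on SAP's parameter documentation.

```python
import re
# Constructed sample: the TLS-related lines of the profile in the post above.
SAMPLE_PROFILE = """\
# SAP Web Dispatcher Ports
icm/server_port_0 = PROT=HTTPS,PORT=8003
icm/server_port_1 = PROT=HTTP,PORT=0
wdisp/ssl_encrypt = 0
wdisp/add_client_protocol_header = true
icm/HTTPS/verify_client = 0
ssl/ssl_lib=/webdisp/secudir/libsapcrypto.so
ssl/server_pse=/webdisp/secudir/SAPSSL.pse
"""

def parse_profile(text):
    """Return {parameter: value}; '#' comments and blank lines are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)  # values like PROT=HTTPS,PORT=8003 contain '='
        params[key.strip()] = value.strip()
    return params

def server_ports(params):
    """Decode icm/server_port_<n> into {n: {'PROT': ..., 'PORT': ...}}."""
    ports = {}
    for key, value in params.items():
        m = re.fullmatch(r"icm/server_port_(\d+)", key)
        if m:
            fields = (f.split("=", 1) for f in value.split(",") if "=" in f)
            ports[int(m.group(1))] = {k.strip(): v.strip() for k, v in fields}
    return ports

def tls_findings(params):
    """List settings to confirm in review; only explicitly set values are judged."""
    notes = []
    ports = server_ports(params)
    has_https = any(p.get("PROT") == "HTTPS" for p in ports.values())
    if has_https and "ssl/server_pse" not in params:
        notes.append("HTTPS port defined, ssl/server_pse not set: confirm which PSE is loaded")
    for n, p in sorted(ports.items()):
        if p.get("PROT") == "HTTP" and p.get("PORT") != "0":  # assumption: PORT=0 = not opened
            notes.append(f"icm/server_port_{n}: plain HTTP listener on port {p.get('PORT')}")
    if has_https and params.get("wdisp/ssl_encrypt") == "0":
        notes.append("wdisp/ssl_encrypt=0: TLS ends at the dispatcher, back-end hop is HTTP")
    if params.get("icm/HTTPS/verify_client") == "0":
        notes.append("icm/HTTPS/verify_client=0: no client certificate is requested")
    return notes
```

For the posted profile, tls_findings(parse_profile(SAMPLE_PROFILE)) returns two notes: the plain-HTTP back-end hop and the absence of client-certificate verification.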
