CRM_UI Reporting - HTTPS Terminating at Web Dispatcher or SSL all the way

rommel_bhan
Explorer
0 Kudos

Hi,

We need to set up access to crm_ui reports (leads and marketing mainly) in CRM 7.0 for vendors coming from the internet. The CRM server is in the internal network. In order for this to work I plan to set up the web dispatcher in the application DMZ. The initial login is going to be via the web DMZ layer (using Sun's iPlanet server), which then routes the CRM URL to the web dispatcher in the app DMZ and then from the web dispatcher to the CRM server.

One requirement from our security team is to set up the flow as HTTPS.

On going through SAP help I get the impression that it can be set up two ways, one, configuring web dispatcher to pass the SSL connection to backend, & two - configuring the web dispatcher to terminate SSL.

Seems the former is quite straightforward (from SAP online help we have to set icm/server_port_<xx> = PROT=ROUTER) but does it also require that we set up the crm_ui_frame service as SSL and activate the HTTPS service in ICM?

Or is it better to go via the second option (HTTPS termination) without changing the backend setup? SAP Online help lists steps to do the HTTPS termination but I have not come across any detailed documentation for the first method.

Any thoughts, suggestions will be helpful for either scenario.

Thanks,

Rommel Bhan

1 ACCEPTED SOLUTION

rommel_bhan
Explorer
0 Kudos

Thanks Martin and Julius, I tried testing the end-to-end SSL in our sandbox but am getting some errors and was wondering if you can comment on my setup.

First I set up the backend sandbox as supporting SSL using the steps outlined in

http://help.sap.com/saphelp_nw2004s/helpdata/en/65/6a563cef658a06e10000000a11405a/frameset.htm

And testing URL https://<server name>:8443/sap/bc/bsp/sap/it00/default.htm comes up fine

Now I installed the web dispatcher on the same server and this is my profile (important ones)

# unique instance number
SAPSYSTEM = 02

# Accessibility of Message Servers
rdisp/mshost = sapcms02
ms/http_port = 8100

# SAP Web Dispatcher Ports
#icm/server_port_0 = PROT=HTTP,PORT=8080
#icm/server_port_1 = PROT=HTTPS, PORT=8443
#wdisp/ssl_encrypt=1
icm/server_port_1 = PROT=ROUTER, PORT=70000 <--- using PROT=ROUTER at 70000 port

# Entered for HTTPS routing
# Parameters for the HTTPS Routing
wdisp/HTTPS/dest_logon_group = HTTPS
wdisp/HTTPS/max_client_ip_entries = 100000
wdisp/HTTPS/sticky_mask = 255.255.255.0

My web dispatcher starts up fine, however I see an error in the dev_webdisp

[Thr 515] IBM RS/6000 with AIX (mt,ascii,SAP_CHAR/size_t/void* = 8/64/64)

[Thr 515] CsiInit(): CSA_LIB = "./libsapcsa.o"

[Thr 515] *** ERROR => DlLoadLib()==DLENOACCESS - dlopen("./libsapcsa.o") FAILED

" 0509-022 Cannot load module ./libsapcsa.o.

[Thr 515] *** ERROR => DlLoadLib()==DLENOACCESS - dlopen("./libsapcsa.o") FAILED

" 0509-022 Cannot load module ./libsapcsa.o.

0509-150 Dependent module sapcpp47.o could not be loaded.

0509-022 Cannot load module sapcpp47.o.

0509-026 System error: A file or directory in the pat" (errno=2,No such file or directory) [dlux_mt.c 445]

[Thr 515] *** ERROR => HttpAuthHandlerInit: url: / -> failed -> content filter deactivated [http_auth_mt 328]

These files exist in the /usr/sap/CMS/sapwebdisp directory where I installed the web dispatcher

I am unable to check out the admin page at https://<server name>:70000/sap/wdisp/admin?

thanks,

Rommel

11 REPLIES

martin_voros
Active Contributor
0 Kudos

Hi,

actually, there are 5 different ways (http://help.sap.com/saphelp_nw2004s/helpdata/EN/d8/a922d7f45f11d5996e00508b5d5211/frameset.htm) of configuring web dispatcher. Four of them use SSL. Every option has some advantages and disadvantages. It depends on your requirements.

Yes, you are right. Just forwarding SSL to the application server is pretty straightforward. With this option you can't use URL filtering because the web dispatcher can't see any data. You don't need to change the security requirement to SSL. Standard means that you can connect via HTTP or HTTPS. Option SSL forces the use of SSL. So it may be a good idea.

Cheers

Former Member
0 Kudos

I guess it depends on how trusted your DMZ is and how hardened your webdispatcher's server is?

A 6th option is to decrypt on the web dispatcher to extract header information and then encrypt again, but there is a bottleneck depending on how many concurrent users you have. This is also an attack vector for the dispatcher for "low-brainer" DoS enemies.

The easiest but most expensive way is to buy a bigger server and disregard the termination of connections (you can terminate at will normally) and size them before making security config decisions.

In the PI/XI area, some customers even install another PI/XI system as a proxy in the DMZ for that which is to be accessed from the internet. More hardware, but easier config for the scenario and less risk (except if you neglect the application layer...).

Cheers,

Julius

0 Kudos

Do "normal" BSPs work okay?

See the "Restrictions" section in http://help.sap.com/saphelp_nw70/helpdata/en/d8/a922d7f45f11d5996e00508b5d5211/frameset.htm

> Access to the Web administration interface of the Web dispatcher using SSL

If you are working within the server network (administration?) then start it on localhost - or remotely by tunneling into the network first?

Or am I missing something here?

Cheers,

Julius

0 Kudos

Hi,

definitely, the following line is not correct.

icm/server_port_1 = PROT=ROUTER, PORT=70000 <--- using PROT=ROUTER at 70000 port

A TCP port number is a 16-bit number and 70000 is more than 65535. SAP note 1142170 also mentions an error similar to yours.

Cheers

0 Kudos

Thanks, I was able to start the web dispatcher with port 60040, at least I am not getting any error now. And this is an internal server not in the DMZ, so for testing I installed the web dispatcher on the same host as my AS and with the same SID, but instance 02. Now for a test I tried these URLs

HTTPS (via the WebAS)

https://<server_name>:8443/sap/bc/bsp/sap/it00/default.htm --> works fine

HTTP (via the webdispatcher)

http://<server_name>:8100/sap/bc/bsp/sap/it00/default.htm --> uses the sap web dispatcher and routes to msg server on 8000 at WAS and works fine

HTTPS (via the webdispatcher)

http://<server_name>:60040/sap/bc/bsp/sap/it00/default.htm ---> doesn't work, comes with Page Cannot be found

The error I see in the dev_webdisp is

[Thr 2058] Sun Feb 7 01:38:26 2010

[Thr 2058] *** ERROR => RoutePlgAttachToNewServer: IcrAttachToServer(10.99.20.110) for group HTTPS: rc=13 [route_plg_mt 1220]

[Thr 2058] *** ERROR => RoutePlugInStartConn: RoutePlgAttachToNewServer(10.99.20.110): rc=-1 [route_plg_mt 659]

[Thr 2058] *** ERROR => IcmConnInitServer: PluginStartConn failed (rc=701) [icxxconn_mt. 1477]

[Thr 2572] *** ERROR => RoutePlgAttachToNewServer: IcrAttachToServer(10.99.20.110) for group HTTPS: rc=13 [route_plg_mt 1220]

My question is how does the web dispatcher know to route to the backend on HTTPS?

I tried putting in these values from help.sap.com but didn't help

wdisp/url_map_location=/sap/public/icf_info/icr_urlprefix

0 Kudos

Hi,

you are missing an HTTPS port config. Depending on your release it's ms/https_port=8443 or ms/server_port_1 = PROT=HTTPS ,PORT=8443. You are also missing the line that defines the connection between the web dispatcher and the application server. Something like icm/server_port_1 = PROT=HTTPS,PORT=0. Have a look at this document (http://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/60d6de2e-085b-2b10-7a8f-bc9ae1e0bba6), section 3.6.

Cheers

0 Kudos

Thanks Martin the document helped.

Now the web dispatcher seems to talk to the HTTPS port on the backend.

However there is one issue I see in the dev_webdisp and was wondering if you have an insight.

Based on the web dispatcher parameters, it's talking to ms/https_port 8533 of the backend

-


[Thr 773] Mon Feb 15 15:03:35 2010

[Thr 773] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

[Thr 773] SecudeSSL_SessionStart: SSL_connect() failed --

[Thr 773] secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"

[Thr 773] >> ---------- Begin of Secude-SSL Errorstack ---------- >>

[Thr 773] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed

[Thr 773] ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=sapcms02.reinternal.com, OU=I0020210975, OU=SAP Web AS, O=SAP Trust Community, C=DE"

[Thr 773] ERROR in get_path: (27/0x001b) Found root certificate of <CN=sapcms02.reinternal.com, OU=I0020210975, OU=SAP Web AS, O=SAP Trust Community, C=DE> which does not fit the given PKRoot

[Thr 773] ERROR in verify_with_PKs: (27/0x001b) Found root certificate of <CN=sapcms02.reinternal.com, OU=I0020210975, OU=SAP Web AS, O=SAP Trust Community, C=DE> which does not fit the given PKRoot

[Thr 773] << ---------- End of Secude-SSL Errorstack ---------- <<
[Thr 773] SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"

[Thr 773] SSL NI-sock: local=10.104.146.81:62579 peer=10.104.146.81:8533

[Thr 773] <<- ERROR: SapSSLSessionStart(sssl_hdl=110acb850)==SSSLERR_SSL_CONNECT

[Thr 773] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT [icxxconn_mt.c 1911]

[Thr 773] *** ERROR => IcmConnClientRqCreate() failed (rc=-14) [icrxx_mt.c 5976]

[Thr 773] *** ERROR => Could not connect to SAP Message Server at sapcms02. URL=/msgserver/text/logon?version=1.2 [icrxx_mt.c 3289]

[Thr 773] *** ERROR => rc=-1, HTTP response code: 0 [icrxx_mt.c 3290]

[Thr 773] *** ERROR => see also SAP note 552286 [icrxx_mt.c 3291]

-


My backend is set up with SSL and the web dispatcher is set to the following. Also since the backend and SAP Web Dispatcher are on the same host, using the same sidadm, the SSL stuff is in one location. I generated the SAPSSLS.pse in the backend using STRUST

-


# Accessibility of Message Servers
rdisp/mshost = sapcms02
ms/http_port = 8100
ms/https_port = 8533
wdisp/server_info_protocol = https

# SAP Web Dispatcher Ports
icm/server_port_0 = PROT=ROUTER,PORT=60000
icm/server_port_1 = PROT=HTTPS,PORT=0
icm/server_port_2 = PROT=HTTP,PORT=8080 <-- web dispatcher admin port

#SSL parameters similar to one in backend
ssf/ssfapi_lib = /usr/sap/CMS/SYS/exe/run/libsapcrypto.o
sec/libsapsecu = /usr/sap/CMS/SYS/exe/run/libsapcrypto.o
ssf/name = SAPSECULIB
ssl/ssl_lib = /usr/sap/CMS/SYS/exe/run/libsapcrypto.o
ssl/server_pse=/usr/sap/CMS/DVEBMGS00/sec/SAPSSLS.pse
ssl/client_pse=/usr/sap/CMS/DVEBMGS00/sec/SAPSSLC.pse

-


0 Kudos

Hi,

the problem is with your SSL certificate. It looks like there is a mismatch between hostname (sapcms02) and CN name of certificate (sapcms02.reinternal.com). You can try to change your hostname definition (rdisp/mshost=sapcms02.reinternal.comto) or use parameter wdisp/ssl_certhost to define hostname in SSL certificate. Definitely, you are getting closer to your solution

Cheers

0 Kudos

Hi Martin, It looked closer but still farther than I thought

Somehow the parameter rdisp/ms_host=<hostname>.<domain_name> is not liked and my dispatcher dies with

***LOG CPS=> DpLoopInit, ICU ( 3.0 3.0 4.0.1) [dpxxdisp.c 1681]

***LOG Q0I=> NiPGetHostByName: hostname 'sapcms02.reinternal.3900' not found: gethostbyname [niuxi.c 1477]

Also I had the security folks issue me a root certificate along with one generated for my system by giving them the SSL server standard self-signed certificate. Then I imported these into STRUSTSSO2 and restarted the SAP system and web dispatcher and still get the following in the dev_webdisp

[Thr 1287] Wed Feb 24 00:01:11 2010

[Thr 1287] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

[Thr 1287] SecudeSSL_SessionStart: SSL_connect() failed --

[Thr 1287] secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"

[Thr 1287] >> ---------- Begin of Secude-SSL Errorstack ---------- >>

[Thr 1287] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed

[Thr 1287] ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=sapcms02.reinternal.com, OU=I0020210975, OU=SAP Web AS, O=SAP Trust Community, C=DE"

[Thr 1287] ERROR in get_path: (27/0x001b) Found root certificate of <CN=sapcms02.reinternal.com, OU=I0020210975, OU=SAP Web AS, O=SAP Trust Community, C=DE> which does not fit the given PKRoot

[Thr 1287] ERROR in verify_with_PKs: (27/0x001b) Found root certificate of <CN=sapcms02.reinternal.com, OU=I0020210975, OU=SAP Web AS, O=SAP Trust Community, C=DE> which does not fit the given PKRoot

[Thr 1287] << ---------- End of Secude-SSL Errorstack ---------- <<
[Thr 1287] SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"

[Thr 1287] SSL NI-sock: local=10.104.146.81:39643 peer=10.104.146.81:8533

[Thr 1287] <<- ERROR: SapSSLSessionStart(sssl_hdl=110ac77b0)==SSSLERR_SSL_CONNECT

[Thr 1287] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT [icxxconn_mt.c 1911]

[Thr 1287] *** ERROR => IcmConnClientRqCreate() failed (rc=-14) [icrxx_mt.c 5976]

[Thr 1287] *** ERROR => Could not connect to SAP Message Server at sapcms02.reinternal.com. URL=/msgserver/text/logon?version=1.2 [icrxx_mt.c 3289]

thanks, Rommel

0 Kudos

Hi,

the web dispatcher can't verify the chain of certificates. What certificate do you use on the AS? Who signed this certificate? The root certificate which was used to sign the certificate used on the AS needs to be imported into the web dispatcher.

Cheers
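As an added example (not SAP's code and not anything the posters ran), a small Python linter that flags the three profile problems diagnosed in the replies above: the out-of-range port, the missing ms/https_port and PROT=HTTPS,PORT=0 entries, and a short rdisp/mshost that cannot match the certificate CN unless wdisp/ssl_certhost is set. The two sample profiles are constructed from the posts, and the finding codes are names of my own.

```python
# Added example, not SAP code: lint a Web Dispatcher profile for the three
# problems diagnosed in this thread. Both sample profiles are built from the posts.
FIRST_ATTEMPT = """\
rdisp/mshost = sapcms02
ms/http_port = 8100
icm/server_port_1 = PROT=ROUTER, PORT=70000 <--- using PROT=ROUTER at 70000 port
wdisp/HTTPS/dest_logon_group = HTTPS
"""
FINAL_ATTEMPT = """\
rdisp/mshost = sapcms02
ms/https_port = 8533
wdisp/server_info_protocol = https
icm/server_port_0 = PROT=ROUTER,PORT=60000
icm/server_port_1 = PROT=HTTPS,PORT=0
icm/server_port_2 = PROT=HTTP,PORT=8080
"""

def parse_profile(text):
    """Return {parameter: value}; '#' lines are comments, '<' starts a note."""
    params = {}
    for line in text.splitlines():
        line = line.split("<", 1)[0].strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params

def icm_ports(params):
    """(PROT, PORT) pairs from every icm/server_port_<n> entry."""
    ports = []
    for key, value in params.items():
        if key.startswith("icm/server_port_"):
            opts = dict(p.strip().split("=", 1) for p in value.split(","))
            ports.append((opts.get("PROT", "").upper(), int(opts.get("PORT", 0))))
    return ports

def lint(text):
    """Finding codes in the order the thread hit them; [] means none apply."""
    params, findings = parse_profile(text), []
    ports = icm_ports(params)
    if any(not 0 <= port <= 65535 for _, port in ports):
        findings.append("PORT_OUT_OF_RANGE")          # 70000 does not fit in 16 bits
    if any(prot in ("ROUTER", "HTTPS") for prot, _ in ports):
        if "ms/https_port" not in params:
            findings.append("MS_HTTPS_PORT_MISSING")  # dispatcher can't learn the AS HTTPS port
        if ("HTTPS", 0) not in ports:
            findings.append("NO_CLIENT_HTTPS_PORT")   # no PROT=HTTPS,PORT=0 client-side entry
    if "." not in params.get("rdisp/mshost", "") and "wdisp/ssl_certhost" not in params:
        findings.append("MSHOST_NOT_FQDN")            # short host name vs certificate CN
    return findings
```

Running lint() over the first profile reproduces all four complaints from the thread, while the final profile leaves only the host name/CN mismatch that the last reply is chasing.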