
SSL Configuration - SAP ERP 2005 - SAP Web Dispatcher

former_member238852
Participant
0 Kudos

Dear Friends,

Here is the architecture we have...

> We have SAP Web Dispatcher named "web.abc.com" on the DMZ.

> On our internal LAN, we have SAP ERP 2005 server (orion.abc.com and its application server, saturn.abc.com)

We have generated the Server and Client PSEs on the Web Dispatcher Server and on the Back-End 2 ERP SAP Servers...

> I haven't found in the documentation how to exchange these certificates between the SAP Web Dispatcher and the Back-End 2 ERP SAP Servers...

Here my questions are:

> What files do we need to exchange between these servers?

> Once we exchange the files between the servers, will the communication between the servers (Web Dispatcher - SAP ERP) pass through the SSL standards?

> In this scenario, what do we need to set: to the following parameters on SAP Web Dispatcher Server...

wdisp/ssl_auth = 0/1/2 ????

wdisp/ssl_cred = ???

wdisp/ssl_certhost = which host name should we place here???

Thank you,

Nikee

Accepted Solutions (0)

Answers (2)


nelis
Active Contributor
0 Kudos

This is what I did...

  • For a single SAP system and all its application servers, create an SSL server certificate using a single CN across all servers (this would be your external web.abc.com address). Make sure it is signed by a CA.

  • Copy the SAPSSLS.pse (SSL CA signed server PSE) from your SAP system to your web dispatcher system and set up your profiles ssl/server_pse and ssl/client_pse pointing to this PSE.

  • Set webdispatcher profiles to the following:

wdisp/ssl_encrypt = 2

wdisp/ssl_certhost = web.abc.com (your web dispatcher)

Note, this is for setting up your web dispatcher for SSL Re-encryption. You will pass SSL requests to your SAP systems by connecting to the web dispatcher via a single domain name (web.abc.com) and your backend systems will accept these requests because they are using the same domain (CN) certificate. Naturally, you should have configured the connection to your message server for load balancing etc.

Nelis

former_member238852
Participant
0 Kudos

Hello Nelis & Dibya,

Thanks for the response.

Here is what we are trying to do:

From the following link, we are trying to configure the 4th scenario. HTTPS - HTTPS

http://help.sap.com/SAPHELP_NWPI71/helpdata/EN/49/3db10a19341067e10000000a42189c/frameset.htm

Here are the parameters we did set:

icm/server_port_0 = PROT=HTTP,PORT=80

icm/server_port_1 = PROT=HTTPS,PORT=443

is/HTTPS/default_root_hdl = abap

DIR_INSTANCE = D:\usr\sap\WDP\W00

ssl/ssl_lib = D:\usr\sap\WDP\W00\sec\sapcrypto.dll

sec/libsapsecu = D:\usr\sap\WDP\W00\sec\lsapcrypto.dll

ssf/ssfapi_lib = D:\usr\sap\WDP\W00\sec\sapcrypto.dll

ssf/name = SAPSECULIB

wdisp/ssl_encrypt = 0

wdisp/ssl_auth = 0

icm/HTTPS/verify_client = 1

icm/HTTPS/forward_ccert_as_header = true

We generated the SAPSSLC.pse & SAPSSLS.pse on the SAP Web Dispatcher Server and also on the Back-End SAP ERP 2005 servers. Based on the PSE generated on the SAP Web Dispatcher, we obtained the signed CA certificate and imported it on to the SAP Web Dispatcher.

In this scenario, do I need to exchange any pse information between the SAP Web Dispatcher and Back-End SAP Servers to have a HTTPS-HTTPS communication (Scenario 4)???

When the users connect to SAP Web Dispatcher using https://web.abc.com, this URL will be converted in the background to call the back-end service as https://abcerp.abc.com:4433. But the user still sees the URL as https://web.abc.com because the Web Dispatcher performs the Reverse Proxy.

When the communication happens via the URL, will the communication between the servers (Web Dispatcher - SAP ERP) pass through the SSL standards?

In this scenario, what do we need to set: to the following parameters on SAP Web Dispatcher Server...

wdisp/ssl_auth = 0/1/2 ????

wdisp/ssl_cred = ???

wdisp/ssl_certhost = which host name should we place here???

Thank you,

Nikee

Edited by: Nikee Reddy on Jun 3, 2010 11:03 AM

cris_hansen
Advisor
0 Kudos

Hi Nikee,

If you want to use the 4th scenario from the SAP Help Portal then here is one error:

wdisp/ssl_encrypt = 0

You need to use:

wdisp/ssl_encrypt = 1

and, complementary:

ssl/ssl_lib = <dir>sapcrypto.dll

ssl/client_pse = <dir>SAPSSLC.pse

ssl/server_pse = <dir>SAPSSLS.pse

The scenario would be something like:

BROWSER <--> WEB DISPATCHER <--> BACKEND ABAP

HTTPS Port (e.g.) = 1443    HTTPS Port (e.g.) = 44443

Best regards,

Cristiano

Edited by: Cristiano Hansen on Jun 8, 2010 1:38 AM
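
The correction in the answer above, turned into a repeatable check; this is an added example, not part of the thread and not SAP tooling. It parses a Web Dispatcher profile and reports what keeps the dispatcher-to-back-end leg from using SSL. The function names, the PSE locations in the corrected profile, and the treatment of an unset wdisp/ssl_encrypt as 0 are assumptions.

```python
# Added example: checks a Web Dispatcher profile against the HTTPS-to-HTTPS
# settings named in the answer above. Illustrative only, not SAP tooling.
REQUIRED = ("ssl/ssl_lib", "ssl/client_pse", "ssl/server_pse")  # listed in the answer

def parse_profile(text):
    """Parse 'name = value' profile lines; blank lines and '#' comments are skipped."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition("=")  # split on the first '=' only
        if sep and not name.startswith("#"):
            params[name.strip()] = value.strip()
    return params

def https_ports(params):
    """Return the PORT of every icm/server_port_<n> entry whose PROT is HTTPS."""
    ports = []
    for name, value in params.items():
        if name.startswith("icm/server_port_"):
            opts = dict(kv.split("=", 1) for kv in value.split(",") if "=" in kv)
            if opts.get("PROT", "").strip().upper() == "HTTPS":
                ports.append(opts.get("PORT", "").strip())
    return ports

def check_https_to_https(params):
    """Findings that keep the dispatcher-to-back-end leg from using SSL."""
    findings = []
    if not https_ports(params):
        findings.append("no icm/server_port_<n> entry with PROT=HTTPS")
    # Assumption: an unset wdisp/ssl_encrypt behaves like 0.
    if params.get("wdisp/ssl_encrypt", "0") == "0":
        findings.append("wdisp/ssl_encrypt=0: requests reach the back end unencrypted")
    findings += [f"{p} is not set explicitly" for p in REQUIRED if p not in params]
    return findings

# Profile as posted in the thread (abridged).
POSTED = r"""
icm/server_port_0 = PROT=HTTP,PORT=80
icm/server_port_1 = PROT=HTTPS,PORT=443
ssl/ssl_lib = D:\usr\sap\WDP\W00\sec\sapcrypto.dll
wdisp/ssl_encrypt = 0
wdisp/ssl_auth = 0
"""
# Constructed: same profile with the answer's changes; PSE locations are assumed.
FIXED = POSTED.replace("wdisp/ssl_encrypt = 0", "wdisp/ssl_encrypt = 1") + r"""
ssl/client_pse = D:\usr\sap\WDP\W00\sec\SAPSSLC.pse
ssl/server_pse = D:\usr\sap\WDP\W00\sec\SAPSSLS.pse
"""

if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("fixed", FIXED)):
        print(label, check_https_to_https(parse_profile(text)))
```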

cris_hansen
Advisor
0 Kudos

Hello Nikee,

May I ask you to first have a look at the "How to Configure SAP Web Dispatcher for SSL" file (http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/60d6de2e-085b-2b10-7a8f-bc9ae1e0bba6), available here in SDN?

Let me know your comments.

Thanks and regards,

Cristiano

cris_hansen
Advisor
0 Kudos

Hi Nikee,

It seems that the SDN file was moved to somewhere else.

You can still download the file through this link: https://sapmats-us.sap-ag.de/download/download.cgi?id=81SUDOMN748FVT9FK94S7TGD6LHMR01CJDMIWRNDEL5FA882U1

It is valid for the next 21 days (in the meantime, I hope the SDN file will be back online).

All the best,

Cristiano

former_member238852
Participant
0 Kudos

Hello Cristiano,

I have gone thru the document already.

The document doesn't tell us how to exchange the certificates between the systems....

Thank you,

Nikee

Former Member
0 Kudos

What you are looking for is an end-to-end SSL configuration via Web Dispatcher. You don't have to exchange certificates from/to WD to the ERP system. But you'll have to make the ERP system & the WD individually compliant for the SSL/HTTPS scenario.

You get the information on this over here:

http://help.sap.com/SAPHELP_NWPI71/helpdata/EN/49/3db10a19341067e10000000a42189c/frameset.htm

For an overview of the SSL WD Parameters, you'll get it here:

http://help.sap.com/SAPHELP_NWPI71/helpdata/EN/49/3e9e2382a33e90e10000000a42189c/content.htm

And if you want to generate URLs using WD, you'll have to maintain the HTTPURLLOC table in the ERP back-end as well; the information is here:

http://help.sap.com/saphelp_nw70/helpdata/en/42/d547ab30b6473ce10000000a114e5d/frameset.htm

- Regards, Dibya