on 06-02-2010 4:10 PM
Dear Friends,
Here is the architecture we have...
> We have SAP Web Dispatcher named "web.abc.com" on the DMZ.
> On our internal LAN, we have SAP ERP 2005 server (orion.abc.com and its application server, saturn.abc.com)
We have generated the Server and Client PSEs on the Web Dispatcher Server and on the Back-End 2 ERP SAP Servers...
> I haven't found in the documentation how to exchange these certificates between the SAP Web Dispatcher and the Back-End 2 ERP SAP Servers...
Here my questions are:
> What files do we need to exchange between these servers?
> Once we exchange the files between the servers, will the communication between the servers (Web Dispatcher - SAP ERP) pass through the SSL standards?
> In this scenario, what do we need to set: to the following parameters on SAP Web Dispatcher Server...
wdisp/ssl_auth = 0/1/2 ????
wdisp/ssl_cred = ???
wdisp/ssl_certhost = which host name should we place here???
Thank you,
Nikee
This is what I did...
For a single SAP system and all its application servers, create an SSL server certificate using a single CN across all servers (this would be your external web.abc.com address). Make sure it is signed by a CA.
Copy the SAPSSLS.pse (SSL CA-signed server PSE) from your SAP system to your web dispatcher system and set up your profiles ssl/server_pse and ssl/client_pse pointing to this PSE.
Set webdispatcher profiles to the following:
wdisp/ssl_encrypt = 2
wdisp/ssl_certhost = web.abc.com (your web dispatcher)
Note, this is for setting up your web dispatcher for SSL Re-encryption. You will pass SSL requests to your SAP systems by connecting to the web dispatcher via a single domain name (web.abc.com) and your backend systems will accept these requests because they are using the same domain (CN) certificate. Naturally, you should have configured the connection to your message server for load balancing etc.
Nelis
Hello Nelis & Dibya,
Thanks for the response.
Here is what we are trying to do:
From the following link, we are trying to configure the 4th scenario. HTTPS - HTTPS
http://help.sap.com/SAPHELP_NWPI71/helpdata/EN/49/3db10a19341067e10000000a42189c/frameset.htm
Here are the parameters we did set:
icm/server_port_0 = PROT=HTTP,PORT=80
icm/server_port_1 = PROT=HTTPS,PORT=443
is/HTTPS/default_root_hdl = abap
DIR_INSTANCE = D:\usr\sap\WDP\W00
ssl/ssl_lib = D:\usr\sap\WDP\W00\sec\sapcrypto.dll
sec/libsapsecu = D:\usr\sap\WDP\W00\sec\lsapcrypto.dll
ssf/ssfapi_lib = D:\usr\sap\WDP\W00\sec\sapcrypto.dll
ssf/name = SAPSECULIB
wdisp/ssl_encrypt = 0
wdisp/ssl_auth = 0
icm/HTTPS/verify_client = 1
icm/HTTPS/forward_ccert_as_header = true
We generated the SAPSSLC.pse & SAPSSLS.pse on the SAP Web Dispatcher Server and also on the Back-End SAP ERP 2005 servers. Based on the PSE generated on the SAP Web Dispatcher, we obtained the signed CA certificate and imported it onto the SAP Web Dispatcher.
In this scenario, do I need to exchange any pse information between the SAP Web Dispatcher and Back-End SAP Servers to have a HTTPS-HTTPS communication (Scenario 4)???
When the users connect to SAP Web Dispatcher using https://web.abc.com, this URL will be converted in the background to call the back-end service as https://abcerp.abc.com:4433. But in the URL the user still sees https://web.abc.com because the Web Dispatcher performs the Reverse Proxy.
When the communication happens via the URL, will the communication between the servers (Web Dispatcher - SAP ERP) pass through the SSL standards?
In this scenario, what do we need to set: to the following parameters on SAP Web Dispatcher Server...
wdisp/ssl_auth = 0/1/2 ????
wdisp/ssl_cred = ???
wdisp/ssl_certhost = which host name should we place here???
Thank you,
Nikee
Edited by: Nikee Reddy on Jun 3, 2010 11:03 AM
Hi Nikee,
If you want to use the 4th scenario from the SAP Help Portal then here is one error:
wdisp/ssl_encrypt = 0
You need to use:
wdisp/ssl_encrypt = 1
and, complementary:
ssl/ssl_lib = <dir>sapcrypto.dll
ssl/client_pse = <dir>SAPSSLC.pse
ssl/server_pse = <dir>SAPSSLS.pse
The scenario would be something like:
BROWSER <--
> BACKEND ABAP
HTTPS Port (e.g.) = 1443 HTTPS Port (e.g.) =44443
Best regards,
Cristiano
Edited by: Cristiano Hansen on Jun 8, 2010 1:38 AM
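The profile problem pointed out in the reply above can be checked mechanically. The following is an added example, not part of the original thread and not SAP code: a small linter that reads Web Dispatcher profile lines and reports settings that leave the dispatcher-to-backend leg unencrypted. The sample profile is constructed from the values posted earlier in the thread, and the function names and finding codes are hypothetical.

```python
import re

# Constructed sample: the Web Dispatcher settings posted earlier in this thread.
POSTED_PROFILE = """\
icm/server_port_0 = PROT=HTTP,PORT=80
icm/server_port_1 = PROT=HTTPS,PORT=443
wdisp/ssl_encrypt = 0
wdisp/ssl_auth = 0
icm/HTTPS/verify_client = 1
"""

def parse_profile(text):
    """Return {parameter: value}; blank lines and '#' comments are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")  # split on the first '=' only
        if sep:
            params[key.strip()] = value.strip()
    return params

def check_backend_tls(params):
    """Return (code, message) findings for the HTTPS-to-HTTPS scenario."""
    findings = []
    protos = set()
    for key, value in params.items():
        if re.fullmatch(r"icm/server_port_\d+", key):
            m = re.search(r"PROT=(\w+)", value, re.I)
            if m:
                protos.add(m.group(1).upper())
    if "HTTPS" not in protos:
        findings.append(("no-https-listener", "no icm/server_port_<n> with PROT=HTTPS"))
    encrypt = params.get("wdisp/ssl_encrypt")
    if encrypt not in ("1", "2"):
        findings.append(("backend-plaintext",
                         "wdisp/ssl_encrypt is not 1 or 2: requests reach the backend without SSL"))
    elif encrypt == "1" and "HTTP" in protos:
        # Value 1 re-encrypts only requests that arrived over HTTPS.
        findings.append(("http-forwarded-plaintext",
                         "requests arriving on the HTTP port are forwarded without SSL"))
    if params.get("wdisp/ssl_auth") == "2" and not params.get("wdisp/ssl_cred"):
        findings.append(("ssl-cred-missing", "wdisp/ssl_auth = 2 needs a PSE in wdisp/ssl_cred"))
    return findings

if __name__ == "__main__":
    for code, message in check_backend_tls(parse_profile(POSTED_PROFILE)):
        print(f"{code}: {message}")
```
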
Hello Nikee,
May I ask you to first have a look at [How to Configure SAP Web Dispatcher for SSL|http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/60d6de2e-085b-2b10-7a8f-bc9ae1e0bba6] file, available here in SDN?
Let me know your comments.
Thanks and regards,
Cristiano
Hi Nikee,
It seems that the SDN file was moved to somewhere else.
You can still download the file through this [link|https://sapmats-us.sap-ag.de/download/download.cgi?id=81SUDOMN748FVT9FK94S7TGD6LHMR01CJDMIWRNDEL5FA882U1 ].
It is valid for the next 21 days (in the meantime I hope the SDN file will be back online).
All the best,
Cristiano
What you are looking for is an end-to-end SSL configuration via Web Dispatcher. You don't have to exchange certificates from/to WD to the ERP system. But you'll have to make the ERP system & the WD individually compliant for SSL/HTTPS scenario.
You get the information on this over here:
http://help.sap.com/SAPHELP_NWPI71/helpdata/EN/49/3db10a19341067e10000000a42189c/frameset.htm
For an overview of the SSL WD Parameters, you'll get it here:
http://help.sap.com/SAPHELP_NWPI71/helpdata/EN/49/3e9e2382a33e90e10000000a42189c/content.htm
And if you want to generate URLs using WD you'll have to maintain the HTTPURLLOC table in the ERP back-end as well, the information is here:
http://help.sap.com/saphelp_nw70/helpdata/en/42/d547ab30b6473ce10000000a114e5d/frameset.htm
- Regards, Dibya