06-15-2010 6:27 PM
There are 5 web dispatcher configurations:
1: Client - (HTTP) - Web Disp - (HTTP) - Portal
2: Client - (HTTP) - Web Disp - (HTTPS) - Portal
3: Client - (HTTPS) - Web Disp - (HTTP) - Portal
4: Client - (HTTPS) - Web Disp - (HTTPS) - Portal
5: Client - (HTTPS) - Web Disp - (HTTPS) - Portal
Everything works if we use configuration 1, 3 or 5. We are required to use configuration 4 which is not working.
HTTPS works if the web dispatcher is set to PROT=ROUTER. However, it does not work if it is set to decrypt and re-encrypt between the web dispatcher and the portal (PROT=HTTPS and wdisp/ssl_encrypt=1).
What are the correct steps for setting this up?
I have copied the verify.der and verify.pse, which were exported from the portal keystore, to the sec folder on the web dispatcher, but it did not work.
The web dispatcher profile is as follows:
SAPSYSTEMNAME = WDP
SAPGLOBALHOST = webdispatcher.company.com
SAPSYSTEM = 00
INSTANCE_NAME = W00
DIR_CT_RUN = $(DIR_EXE_ROOT)\$(OS_UNICODE)\NTAMD64
DIR_EXECUTABLE = $(DIR_CT_RUN)
#----
Accessibility of Message Server
#----
rdisp/mshost = portal.company.com
ms/http_port = 8101
ms/https_port = 8443
#----
Configuration for large scenario
#----
icm/max_conn = 16384
icm/max_sockets = 16384
icm/req_queue_len = 6000
icm/min_threads = 100
icm/max_threads = 250
mpi/total_size_MB = 500
mpi/max_pipes = 21000
#----
SAP Web Dispatcher Ports
#----
icm/server_port_0 = PROT=HTTP, PORT=80, TIMEOUT=900
icm/server_port_1 = PROT=HTTPS, PORT=888, TIMEOUT=900
#icm/server_port_1 = PROT=ROUTER, PORT=443, TIMEOUT=900
#----
Parameters for the SAP Cryptographic Library
#----
DIR_INSTANCE = C:\usr\sap\WDP\SYS\exe\nuc\NTAMD64
ssl/ssl_lib = C:\usr\sap\WDP\SYS\exe\nuc\NTAMD64\sapcrypto.dll
ssl/server_pse = C:\usr\sap\WDP\SYS\exe\nuc\NTAMD64\sec\SAPSSLS.pse
ssl/client_pse = C:\usr\sap\WDP\SYS\exe\nuc\NTAMD64\sec\verify.pse
#----
Parameters for Using SSL to the backend server
#----
wdisp/ssl_encrypt = 1
wdisp/server_info_protocol=http
is/HTTP/show_detailed_errors=TRUE
icm/HTTP/error_templ_path=C:\usr\sap\WDP\SYS\profile
wdisp/ssl_auth = 2
wdisp/ssl_cred = verify.pse
wdisp/permission_table = C:\usr\sap\WDP\SYS\profile\ptabfile
#----
Parameters for locking port and path
#----
icm/HTTP/redirect_0 = PREFIX=/,FROM=*, FROMPROT=http,PROT=https,HOST=webdisp.company.com
Please advise,
Aubrey Smith
06-16-2010 7:54 AM
Hi,
Please split your question in 2 posts in order to get a chance of getting it readable...
Regards,
Olivier
06-16-2010 1:25 AM
Hi,
It's really hard to read your config. What do you get in the web dispatcher logs? You can also temporarily increase the trace level using the -t switch to see where the problem is. Have a look at the articles related to the web dispatcher here on SDN. I remember one that was really good, but I can't find it.
Cheers
06-16-2010 2:58 PM
The config file with non-relevant parameters removed:
SAPGLOBALHOST = webdispatcher.company.com
rdisp/mshost = portal.company.com
ms/http_port = 8101
ms/https_port = 8443
icm/server_port_0 = PROT=HTTP, PORT=80, TIMEOUT=900
icm/server_port_1 = PROT=HTTPS, PORT=888, TIMEOUT=900
#icm/server_port_1 = PROT=ROUTER, PORT=443, TIMEOUT=900
DIR_INSTANCE = C:\usr\sap\WDP\SYS\exe\nuc\NTAMD64
ssl/ssl_lib = C:\usr\sap\WDP\SYS\exe\nuc\NTAMD64\sapcrypto.dll
ssl/server_pse = C:\usr\sap\WDP\SYS\exe\nuc\NTAMD64\sec\SAPSSLS.pse
ssl/client_pse = C:\usr\sap\WDP\SYS\exe\nuc\NTAMD64\sec\verify.pse
wdisp/ssl_encrypt = 1
wdisp/server_info_protocol = http
is/HTTP/show_detailed_errors = TRUE
icm/HTTP/error_templ_path = C:\usr\sap\WDP\SYS\profile
wdisp/ssl_auth = 2
wdisp/ssl_cred = verify.pse
wdisp/permission_table = C:\usr\sap\WDP\SYS\profile\ptabfile
icm/HTTP/redirect_0 = PREFIX=/,FROM=*, FROMPROT=http,PROT=https,HOST=webdisp.company.com
dev_webdisp:
[Thr 1960] *** WARNING => HttpPlugInInit: Parameter icm/HTTPS/trust_client_with_issuer or icm/HTTPS/trust_client_with_subject not set => do not trust any intermediary
X.509 cert data will be removed from header [http_plgrt.c 723]
[Thr 1960] HttpSubHandlerAdd: Added handler HttpRedirectHandler(slot=0, flags=4098) for /:0
[Thr 1960] HttpSubHandlerAdd: Added handler HttpRedirectHandler(slot=1, flags=4098) for /:0
[Thr 1960] HttpSubHandlerAdd: Added handler HttpRedirectHandler(slot=2, flags=4098) for /:0
[Thr 1960] HttpSubHandlerAdd: Added handler HttpRedirectHandler(slot=3, flags=4098) for /:0
[Thr 1960] HttpSubHandlerAdd: Added handler HttpRedirectHandler(slot=4, flags=4098) for /:0
[Thr 1960] HttpSubHandlerAdd: Added handler HttpRedirectHandler(slot=5, flags=4098) for /:0
[Thr 1960] HttpSubHandlerAdd: Added handler HttpRedirectHandler(slot=6, flags=4098) for /:0
[Thr 1960] HttpSubHandlerAdd: Added handler HttpRedirectHandler(slot=7, flags=4098) for /:0
[Thr 1960] HttpSubHandlerAdd: Added handler HttpRedirectHandler(slot=8, flags=4098) for /:0
[Thr 1960] HttpSubHandlerAdd: Added handler HttpRedirectHandler(slot=9, flags=4098) for /:0
[Thr 1960] HttpExtractArchive: files from archive C:\usr\sap\WDP\SYS\exe\nuc\NTAMD64/wdispadmin.SAR in directory C:/usr/sap/WDP/SYS/exe/nuc/NTAMD64/data/icmanroot are up to date
[Thr 1960] HttpSubHandlerAdd: Added handler HttpAdminHandler(slot=10, flags=4101) for /sap/admin:0
[Thr 1960] CsiInit(): Initializing the Content Scan Interface
[Thr 1960] PC with Windows NT (mt,ascii,SAP_CHAR/size_t/void* = 8/64/64)
[Thr 1960] CsiInit(): CSA_LIB = "C:\usr\sap\WDP\SYS\exe\nuc\NTAMD64\sapcsa.dll"
[Thr 1960] HttpSubHandlerAdd: Added handler HttpAuthHandler(slot=11, flags=12293) for /:0
[Thr 1960] HttpSubHandlerAdd: Added handler HttpWebDispHandler(slot=12, flags=28677) for /:0
[Thr 1960] Started service 80 for protocol HTTP on host "bpwebp1"(on all adapters) (processing timeout=900, keep_alive_timeout=30)
[Thr 1960] =================================================
[Thr 1960] = SSL Initialization on PC with Windows NT
[Thr 1960] = (701_REL,Feb 24 2009,mt,ascii,SAP_UC/size_t/void* = 8/64/64)
[Thr 1960] profile param "ssl/ssl_lib" = "C:\usr\sap\WDP\SYS\exe\nuc\NTAMD64\sapcrypto.dll"
resulting Filename = "C:\usr\sap\WDP\SYS\exe\nuc\NTAMD64\sapcrypto.dll"
[Thr 1960] profile param "ssl/server_pse" = "C:\usr\sap\WDP\SYS\exe\nuc\NTAMD64\sec\SAPSSLS.pse"
resulting Filename = "C:\usr\sap\WDP\SYS\exe\nuc\NTAMD64\sec\SAPSSLS.pse"
[Thr 1960] profile param "ssl/client_pse" = "C:\usr\sap\WDP\SYS\exe\nuc\NTAMD64\sec\SAPSSLS.pse"
resulting Filename = "C:\usr\sap\WDP\SYS\exe\nuc\NTAMD64\sec\SAPSSLS.pse"
[Thr 1960] = found SAPCRYPTOLIB 5.5.5C pl29 (Jan 30 2010) MT-safe
[Thr 1960] = current UserID: BPWEBP1\SAPServiceWDP
[Thr 1960] = found SECUDIR environment variable
[Thr 1960] = using SECUDIR=C:\usr\sap\WDP\SYS\exe\nuc\NTAMD64\sec
[Thr 1960] = secudessl_Create_SSL_CTX(): PSE "C:\usr\sap\WDP\SYS\exe\nuc\NTAMD64\sec\SAPSSLA.pse" not found,
[Thr 1960] = using PSE "C:\usr\sap\WDP\SYS\exe\nuc\NTAMD64\sec\SAPSSLS.pse" as fallback
[Thr 1960] = Success -- SapCryptoLib SSL ready!
[Thr 1960] =================================================
06-16-2010 5:02 PM
Error log:
[Thr 636] >> - Begin of Secude-SSL Errorstack - >>
[Thr 636] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
ERROR in af_verify_Certificates: (101/0x0065) Certificate expired (notbefore=031002072500Z, notafter=051002072500Z, now=100616155658Z)
ERROR in af_check_validity_of_Certificate: (101/0x0065) Certificate expired (notbefore=031002072500Z, notafter=051002072500Z, now=100616155658Z)
[Thr 636] << - End of Secude-SSL Errorstack - <<
[Thr 636] SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"
[Thr 636] SSL NI-sock: local=192.168.1.156:2656 peer=192.168.1.154:50001
[Thr 636] <<- ERROR: SapSSLSessionStart(sssl_hdl=000000002556BE40)==SSSLERR_SSL_CONNECT
[Thr 636] *** ERROR => IcmConnPoolConnect: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT [icxxpool.c 2097]
[Thr 636] *** ERROR => IcmConnPoolAllocEntry(1) failed 0. Too many attempts (6) [ictxxroute_r 2268]
[Thr 636] *** ERROR => no valid destination server available for '!ALL' rc=7 [http_route.c 3139]
06-16-2010 8:13 PM
Latest error:
[Thr 1932] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=webdispatcher.company.com"
ERROR in get_path: (27/0x001b) Found root certificate of <CN=webdispatcher.company.com> which does not fit the given PKRoot
ERROR in verify_with_PKs: (27/0x001b) Found root certificate of <CN=webdispatcher.company.com> which does not fit the given PKRoot
06-17-2010 12:08 AM
Hi,
Are you sure that the certificate installed on the server is correct? If you connect directly with IE to your server, do you get any error? There is a switch which you can use to turn off certificate validation, but that's not a good idea. You can see from your error log that there is a problem with the certificate expiry date as well as a problem with the chain of certificates. First I would check if the server's certificate is still valid. If it's still valid, I would check if the web dispatcher has the root certificate (top certificate of the chain) in its PSE.
Cheers
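The two checks suggested in the reply above (validity window first, then whether the chain ends in a root the client PSE trusts) are exactly what the Secude-SSL errorstacks quoted earlier in this thread report. The script below is an added example, not code from this thread or from SAP: it parses the errorstack lines as SapCryptoLib prints them (the sample text is a constructed copy of the lines posted above), decodes the UTCTime stamps, and maps error code 101 to an expiry problem and error code 27 to a chain/PKRoot problem. The meaning of those codes is taken from the message text on the lines themselves; the remediation strings are the author's suggestions and assume the dispatcher verifies backend certificates with the PSE named by ssl/client_pse.

```python
"""Triage helper for SAP Web Dispatcher backend-SSL (wdisp/ssl_encrypt=1) failures.

Reads Secude-SSL errorstack lines from dev_webdisp and reduces them to the
distinct root causes: a backend server certificate outside its validity
window, or a chain ending in a root that the client PSE does not trust.
"""
import re
from datetime import datetime, timezone

# Constructed sample: the two errorstacks quoted in this thread, re-typed so
# the script runs offline. 101 = outside validity window, 27 = chain incomplete.
SAMPLE_LOG = """\
[Thr 636] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
ERROR in af_verify_Certificates: (101/0x0065) Certificate expired (notbefore=031002072500Z, notafter=051002072500Z, now=100616155658Z)
ERROR in af_check_validity_of_Certificate: (101/0x0065) Certificate expired (notbefore=031002072500Z, notafter=051002072500Z, now=100616155658Z)
[Thr 1932] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=webdispatcher.company.com"
ERROR in get_path: (27/0x001b) Found root certificate of <CN=webdispatcher.company.com> which does not fit the given PKRoot
ERROR in verify_with_PKs: (27/0x001b) Found root certificate of <CN=webdispatcher.company.com> which does not fit the given PKRoot
"""

ERR_RE = re.compile(r"ERROR in (\w+): \((\d+)/0x[0-9A-Fa-f]+\) (.*)")
VALIDITY_RE = re.compile(r"notbefore=(\d{12})Z, notafter=(\d{12})Z, now=(\d{12})Z")
ROOT_RE = re.compile(r"Found root certificate of <([^>]+)>")


def parse_utctime(stamp):
    """ASN.1 UTCTime as printed in the log: YYMMDDhhmmss in UTC (Z already
    stripped by the regex). strptime maps two-digit years 00-68 to 20xx."""
    return datetime.strptime(stamp, "%y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_errorstack(text):
    """Yield (function, numeric code, message) for every ERROR line."""
    for line in text.splitlines():
        m = ERR_RE.search(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3)


def validity_window(not_before, not_after, now):
    """The decision af_check_validity_of_Certificate makes; days is the
    distance from 'now' to the nearest edge of the window (0 when inside)."""
    if now > not_after:
        return "expired", (now - not_after).days
    if now < not_before:
        return "not_yet_valid", (not_before - now).days
    return "valid", 0


def diagnose(text):
    """Collapse repeated errorstack lines into one finding per root cause."""
    findings = {}
    for _func, code, msg in parse_errorstack(text):
        if code == 101 and (m := VALIDITY_RE.search(msg)):
            nb, na, now = map(parse_utctime, m.groups())
            state, days = validity_window(nb, na, now)
            findings[("validity", na)] = {
                "kind": "validity", "state": state, "days": days,
                "not_before": nb, "not_after": na, "checked_at": now}
        elif code == 27 and (m := ROOT_RE.search(msg)):
            root = m.group(1)
            findings[("untrusted_root", root)] = {"kind": "untrusted_root", "root": root}
    return list(findings.values())


def root_fits_pkroot(chain_root_subject, pse_pk_list):
    """What get_path checks: the self-signed root the backend's chain ends in
    must be one of the trusted certificates in the client PSE's PK list."""
    return chain_root_subject in set(pse_pk_list)


def remediation(finding):
    """Author's suggested next step for each finding (assumption, not SAP text)."""
    if finding["kind"] == "validity":
        if finding["state"] == "expired":
            return (f"backend certificate expired {finding['days']} days before the "
                    f"handshake (notafter {finding['not_after']:%Y-%m-%d}); renew it on the backend")
        if finding["state"] == "not_yet_valid":
            return "backend certificate not yet valid; check clocks on both hosts or renew"
        return "validity window is fine; look at the chain instead"
    return (f"chain ends in {finding['root']!r}, which is not in the client PSE's PK list; "
            "import the backend's issuing root CA into the PSE named by ssl/client_pse")


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print(f["kind"], "->", remediation(f))
```

Run it against a real dev_webdisp by replacing SAMPLE_LOG with the file contents. Note that the dev_webdisp excerpt earlier in the thread shows ssl/client_pse resolving to SAPSSLS.pse, the dispatcher's own server PSE, which is consistent with the second errorstack: the only root that PSE could match is the dispatcher's own certificate, not the portal's issuer.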
06-21-2010 9:41 PM
This worked when we used the web dispatcher name in the SAPSSL.PSE file and the portal name in the SAPSSC.PSE file.