Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.

How to configure web dispatcher with decrypt / reencrypt

Former Member
0 Kudos

There are 5 web dispatcher configurations:

1: Client - (HTTP) - Web Disp - (HTTP) - Portal

2: Client - (HTTP) - Web Disp - (HTTPS) - Portal

3: Client - (HTTPS) - Web Disp - (HTTP) - Portal

4: Client - (HTTPS) - Web Disp - (HTTPS) - Portal

5: Client - (HTTPS) - Web Disp - (HTTPS) - Portal

Everything works if we use configuration 1, 3 or 5. We are required to use configuration 4 which is not working.

HTTPS works if the web dispatcher is set to PROT=ROUTER. However, it does not work if it is set to decrypt and re-encrypt between the web dispatcher and the portal (PROT=HTTPS and wdisp/ssl_encrypt=1).

What are the correct steps for setting this up?

I have copied the verify.der and verify.pse, which were exported from the portal keystore, to the sec folder on the web dispatcher, but it did not work.

The web dispatcher profile is as follows:

SAPSYSTEMNAME = WDP
SAPGLOBALHOST = webdispatcher.company.com
SAPSYSTEM = 00
INSTANCE_NAME = W00
DIR_CT_RUN = $(DIR_EXE_ROOT)\$(OS_UNICODE)\NTAMD64
DIR_EXECUTABLE = $(DIR_CT_RUN)

#----
# Accessibility of Message Server
#----
rdisp/mshost = portal.company.com
ms/http_port = 8101
ms/https_port = 8443

#----
# Configuration for large scenario
#----
icm/max_conn = 16384
icm/max_sockets = 16384
icm/req_queue_len = 6000
icm/min_threads = 100
icm/max_threads = 250
mpi/total_size_MB = 500
mpi/max_pipes = 21000

#----
# SAP Web Dispatcher Ports
#----
icm/server_port_0 = PROT=HTTP, PORT=80, TIMEOUT=900
icm/server_port_1 = PROT=HTTPS, PORT=888, TIMEOUT=900
#icm/server_port_1 = PROT=ROUTER, PORT=443, TIMEOUT=900

#----
# Parameters for the SAP Cryptographic Library
#----
DIR_INSTANCE = C:\usr\sap\WDP\SYS\exe\nuc\NTAMD64
ssl/ssl_lib = C:\usr\sap\WDP\SYS\exe\nuc\NTAMD64\sapcrypto.dll
ssl/server_pse = C:\usr\sap\WDP\SYS\exe\nuc\NTAMD64\sec\SAPSSLS.pse
ssl/client_pse = C:\usr\sap\WDP\SYS\exe\nuc\NTAMD64\sec\verify.pse

#----
# Parameters for using SSL to the backend server
#----
wdisp/ssl_encrypt = 1
wdisp/server_info_protocol = http
is/HTTP/show_detailed_errors = TRUE
icm/HTTP/error_templ_path = C:\usr\sap\WDP\SYS\profile
wdisp/ssl_auth = 2
wdisp/ssl_cred = verify.pse
wdisp/permission_table = C:\usr\sap\WDP\SYS\profile\ptabfile

#----
# Parameters for locking port and path
#----
icm/HTTP/redirect_0 = PREFIX=/, FROM=*, FROMPROT=http, PROT=https, HOST=webdisp.company.com

Please advise,

Aubrey Smith


Former Member
0 Kudos

There are 5 web dispatcher configurations:

1: Client - (HTTP) - Web Disp - (HTTP) - Portal

2: Client - (HTTP) - Web Disp - (HTTPS) - Portal

3: Client - (HTTPS) - Web Disp - (HTTP) - Portal

4: Client - (HTTPS) - Web Disp - (HTTPS) - Portal

5: Client - (HTTPS) - Web Disp - (HTTPS) - Portal

Everything works if we use configuration 1, 3 or 5. We are required to use configuration 4 which is not working.

HTTPS works if the web dispatcher is set to PROT=ROUTER. However, it does not work if it is set to decrypt and re-encrypt between the web dispatcher and the portal (PROT=HTTPS and wdisp/ssl_encrypt=1).

What are the correct steps for setting this up?

I have copied the verify.der and verify.pse, which were exported from the portal keystore, to the sec folder on the web dispatcher, but it did not work.

The web dispatcher profile is as follows:

SAPSYSTEMNAME = WDP
SAPGLOBALHOST = webdispatcher.company.com
SAPSYSTEM = 00
INSTANCE_NAME = W00
DIR_CT_RUN = $(DIR_EXE_ROOT)\$(OS_UNICODE)\NTAMD64
DIR_EXECUTABLE = $(DIR_CT_RUN)

#----
# Accessibility of Message Server
#----
rdisp/mshost = portal.company.com
ms/http_port = 8101
ms/https_port = 8443

#----
# Configuration for large scenario
#----
icm/max_conn = 16384
icm/max_sockets = 16384
icm/req_queue_len = 6000
icm/min_threads = 100
icm/max_threads = 250
mpi/total_size_MB = 500
mpi/max_pipes = 21000

#----
# SAP Web Dispatcher Ports
#----
icm/server_port_0 = PROT=HTTP, PORT=80, TIMEOUT=900
icm/server_port_1 = PROT=HTTPS, PORT=888, TIMEOUT=900
#icm/server_port_1 = PROT=ROUTER, PORT=443, TIMEOUT=900

#----
# Parameters for the SAP Cryptographic Library
#----
DIR_INSTANCE = C:\usr\sap\WDP\SYS\exe\nuc\NTAMD64
ssl/ssl_lib = C:\usr\sap\WDP\SYS\exe\nuc\NTAMD64\sapcrypto.dll
ssl/server_pse = C:\usr\sap\WDP\SYS\exe\nuc\NTAMD64\sec\SAPSSLS.pse
ssl/client_pse = C:\usr\sap\WDP\SYS\exe\nuc\NTAMD64\sec\verify.pse

#----
# Parameters for using SSL to the backend server
#----
wdisp/ssl_encrypt = 1
wdisp/server_info_protocol = http
is/HTTP/show_detailed_errors = TRUE
icm/HTTP/error_templ_path = C:\usr\sap\WDP\SYS\profile
wdisp/ssl_auth = 2
wdisp/ssl_cred = verify.pse
wdisp/permission_table = C:\usr\sap\WDP\SYS\profile\ptabfile

#----
# Parameters for locking port and path
#----
icm/HTTP/redirect_0 = PREFIX=/, FROM=*, FROMPROT=http, PROT=https, HOST=webdisp.company.com

Please advise,

Aubrey Smith

0 Kudos

Hi,

Please split your question in 2 posts in order to get a chance of getting it readable...

Regards,

Olivier

mvoros
Active Contributor
0 Kudos

Hi,

It's really hard to read your config. What do you get in the web dispatcher logs? You can also temporarily increase the trace level using the switch -t to see where the problem is. Have a look at the articles related to the web dispatcher here on SDN. I remember one really good one, but I can't find it.

Cheers

Former Member
0 Kudos

The config file with non-relevant parameters removed:

SAPGLOBALHOST = webdispatcher.company.com
rdisp/mshost = portal.company.com
ms/http_port = 8101
ms/https_port = 8443
icm/server_port_0 = PROT=HTTP, PORT=80, TIMEOUT=900
icm/server_port_1 = PROT=HTTPS, PORT=888, TIMEOUT=900
icm/server_port_1 = PROT=ROUTER, PORT=443, TIMEOUT=900
DIR_INSTANCE = C:\usr\sap\WDP\SYS\exe\nuc\NTAMD64
ssl/ssl_lib = C:\usr\sap\WDP\SYS\exe\nuc\NTAMD64\sapcrypto.dll
ssl/server_pse = C:\usr\sap\WDP\SYS\exe\nuc\NTAMD64\sec\SAPSSLS.pse
ssl/client_pse = C:\usr\sap\WDP\SYS\exe\nuc\NTAMD64\sec\verify.pse
wdisp/ssl_encrypt = 1
wdisp/server_info_protocol = http
is/HTTP/show_detailed_errors = TRUE
icm/HTTP/error_templ_path = C:\usr\sap\WDP\SYS\profile
wdisp/ssl_auth = 2
wdisp/ssl_cred = verify.pse
wdisp/permission_table = C:\usr\sap\WDP\SYS\profile\ptabfile
icm/HTTP/redirect_0 = PREFIX=/, FROM=*, FROMPROT=http, PROT=https, HOST=webdisp.company.com

dev_webdisp:

[Thr 1960] *** WARNING => HttpPlugInInit: Parameter icm/HTTPS/trust_client_with_issuer or icm/HTTPS/trust_client_with_subject not set => do not trust any intermediary, X.509 cert data will be removed from header [http_plgrt.c 723]

[Thr 1960] HttpSubHandlerAdd: Added handler HttpRedirectHandler(slot=0, flags=4098) for /:0

[Thr 1960] HttpSubHandlerAdd: Added handler HttpRedirectHandler(slot=1, flags=4098) for /:0

[Thr 1960] HttpSubHandlerAdd: Added handler HttpRedirectHandler(slot=2, flags=4098) for /:0

[Thr 1960] HttpSubHandlerAdd: Added handler HttpRedirectHandler(slot=3, flags=4098) for /:0

[Thr 1960] HttpSubHandlerAdd: Added handler HttpRedirectHandler(slot=4, flags=4098) for /:0

[Thr 1960] HttpSubHandlerAdd: Added handler HttpRedirectHandler(slot=5, flags=4098) for /:0

[Thr 1960] HttpSubHandlerAdd: Added handler HttpRedirectHandler(slot=6, flags=4098) for /:0

[Thr 1960] HttpSubHandlerAdd: Added handler HttpRedirectHandler(slot=7, flags=4098) for /:0

[Thr 1960] HttpSubHandlerAdd: Added handler HttpRedirectHandler(slot=8, flags=4098) for /:0

[Thr 1960] HttpSubHandlerAdd: Added handler HttpRedirectHandler(slot=9, flags=4098) for /:0

[Thr 1960] HttpExtractArchive: files from archive C:\usr\sap\WDP\SYS\exe\nuc\NTAMD64/wdispadmin.SAR in directory C:/usr/sap/WDP/SYS/exe/nuc/NTAMD64/data/icmanroot are up to date

[Thr 1960] HttpSubHandlerAdd: Added handler HttpAdminHandler(slot=10, flags=4101) for /sap/admin:0

[Thr 1960] CsiInit(): Initializing the Content Scan Interface

[Thr 1960] PC with Windows NT (mt,ascii,SAP_CHAR/size_t/void* = 8/64/64)

[Thr 1960] CsiInit(): CSA_LIB = "C:\usr\sap\WDP\SYS\exe\nuc\NTAMD64\sapcsa.dll"

[Thr 1960] HttpSubHandlerAdd: Added handler HttpAuthHandler(slot=11, flags=12293) for /:0

[Thr 1960] HttpSubHandlerAdd: Added handler HttpWebDispHandler(slot=12, flags=28677) for /:0

[Thr 1960] Started service 80 for protocol HTTP on host "bpwebp1"(on all adapters) (processing timeout=900, keep_alive_timeout=30)

[Thr 1960] =================================================

[Thr 1960] = SSL Initialization on PC with Windows NT

[Thr 1960] = (701_REL,Feb 24 2009,mt,ascii,SAP_UC/size_t/void* = 8/64/64)

[Thr 1960] profile param "ssl/ssl_lib" = "C:\usr\sap\WDP\SYS\exe\nuc\NTAMD64\sapcrypto.dll"

resulting Filename = "C:\usr\sap\WDP\SYS\exe\nuc\NTAMD64\sapcrypto.dll"

[Thr 1960] profile param "ssl/server_pse" = "C:\usr\sap\WDP\SYS\exe\nuc\NTAMD64\sec\SAPSSLS.pse"

resulting Filename = "C:\usr\sap\WDP\SYS\exe\nuc\NTAMD64\sec\SAPSSLS.pse"

[Thr 1960] profile param "ssl/client_pse" = "C:\usr\sap\WDP\SYS\exe\nuc\NTAMD64\sec\SAPSSLS.pse"

resulting Filename = "C:\usr\sap\WDP\SYS\exe\nuc\NTAMD64\sec\SAPSSLS.pse"

[Thr 1960] = found SAPCRYPTOLIB 5.5.5C pl29 (Jan 30 2010) MT-safe

[Thr 1960] = current UserID: BPWEBP1\SAPServiceWDP

[Thr 1960] = found SECUDIR environment variable

[Thr 1960] = using SECUDIR=C:\usr\sap\WDP\SYS\exe\nuc\NTAMD64\sec

[Thr 1960] = secudessl_Create_SSL_CTX(): PSE "C:\usr\sap\WDP\SYS\exe\nuc\NTAMD64\sec\SAPSSLA.pse" not found,

[Thr 1960] = using PSE "C:\usr\sap\WDP\SYS\exe\nuc\NTAMD64\sec\SAPSSLS.pse" as fallback

[Thr 1960] = Success -- SapCryptoLib SSL ready!

[Thr 1960] =================================================

Former Member
0 Kudos

Error log:

[Thr 636] >> ---------------- Begin of Secude-SSL Errorstack ----------------

[Thr 636] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed

ERROR in af_verify_Certificates: (101/0x0065) Certificate expired (notbefore=031002072500Z, notafter=051002072500Z, now=100616155658Z)

ERROR in af_check_validity_of_Certificate: (101/0x0065) Certificate expired (notbefore=031002072500Z, notafter=051002072500Z, now=100616155658Z)

[Thr 636] << ---------------- End of Secude-SSL Errorstack ----------------


[Thr 636] SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"

[Thr 636] SSL NI-sock: local=192.168.1.156:2656 peer=192.168.1.154:50001

[Thr 636] <<- ERROR: SapSSLSessionStart(sssl_hdl=000000002556BE40)==SSSLERR_SSL_CONNECT

[Thr 636] *** ERROR => IcmConnPoolConnect: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT [icxxpool.c 2097]

[Thr 636] *** ERROR => IcmConnPoolAllocEntry(1) failed 0. Too many attempts (6) [ictxxroute_r 2268]

[Thr 636] *** ERROR => no valid destination server available for '!ALL' rc=7 [http_route.c 3139]

Former Member
0 Kudos

Latest error:

[Thr 1932] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed

ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=webdispatcher.company.com"

ERROR in get_path: (27/0x001b) Found root certificate of <CN=webdispatcher.company.com> which does not fit the given PKRoot

ERROR in verify_with_PKs: (27/0x001b) Found root certificate of <CN=webdispatcher.company.com> which does not fit the given PKRoot

mvoros
Active Contributor
0 Kudos

Hi,

Are you sure that the certificate installed on your server is correct? If you connect directly with IE to your server, do you get any error? There is a switch which you can use to turn off certificate validation, but that's not a good idea. You can see from your error log that there is a problem with the certificate expiry date as well as a problem with the chain of certificates. First I would check if the server's certificate is still valid. If it's still valid, I would check if the web dispatcher has the root certificate (top certificate of the chain) in its PSE.

Cheers
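The two Secude-SSL error stacks posted above carry everything needed to tell the two failure modes apart (an expired backend certificate versus a chain that does not end in a root the dispatcher trusts). The script below is an added example, not code from the thread or from SAP: it parses the ERROR lines of a dev_webdisp excerpt, decodes the UTCTime stamps in the "Certificate expired" message, and maps each error code to the check mvoros describes. The sample trace is constructed from the lines quoted in this thread; the code-to-category mapping and the remediation strings are this script's own assumptions, not an official SAP table.

```python
"""Triage Secude-SSL error-stack lines from a Web Dispatcher dev_webdisp trace (added example, not SAP code)."""
import re
from datetime import datetime, timezone

# Constructed sample: the error-stack lines quoted earlier in this thread.
SAMPLE_TRACE = """\
[Thr 636] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
ERROR in af_verify_Certificates: (101/0x0065) Certificate expired (notbefore=031002072500Z, notafter=051002072500Z, now=100616155658Z)
ERROR in af_check_validity_of_Certificate: (101/0x0065) Certificate expired (notbefore=031002072500Z, notafter=051002072500Z, now=100616155658Z)
[Thr 1932] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=webdispatcher.company.com"
ERROR in get_path: (27/0x001b) Found root certificate of <CN=webdispatcher.company.com> which does not fit the given PKRoot
"""

# Line shape: "ERROR in <function>: (<decimal>/0x<hex>) <message>"
ERROR_RE = re.compile(r"ERROR in (?P<func>\w+): \((?P<code>\d+)/0x[0-9a-fA-F]+\) (?P<msg>.*)")
VALIDITY_RE = re.compile(r"notbefore=(\w+), notafter=(\w+), now=(\w+)")
SUBJECT_RE = re.compile(r'[<"](CN=[^>"]+)[>"]')

# Assumed mapping (this script's own); remediation text follows the advice given in the thread.
ACTIONS = {
    "expired": "renew the backend (portal) server certificate; the dispatcher rejects the chain until it is valid",
    "not_yet_valid": "compare clocks on dispatcher and backend; notBefore lies in the future",
    "chain_incomplete": "import the root CA of the backend certificate into the dispatcher's client PSE (wdisp/ssl_cred)",
    "chain_verification_failed": "summary line only; act on the detail lines that follow it",
}


def parse_utctime(value):
    """X.509 UTCTime 'YYMMDDhhmmssZ' -> aware datetime; %y uses the same 2-digit year window as UTCTime."""
    return datetime.strptime(value, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def classify_error(line):
    """Return a finding dict for one Secude-SSL ERROR line, or None for any other line."""
    m = ERROR_RE.search(line)
    if not m:
        return None
    code, msg = int(m.group("code")), m.group("msg")
    finding = {"func": m.group("func"), "code": code, "msg": msg}
    if code == 101:  # validity period violated; the message carries the three timestamps
        v = VALIDITY_RE.search(msg)
        if v:
            nb, na, now = (parse_utctime(x) for x in v.groups())
            finding.update(not_before=nb, not_after=na, now=now)
            if now > na:
                finding["category"] = "expired"
                finding["expired_days"] = (now - na).days
            elif now < nb:
                finding["category"] = "not_yet_valid"
            else:
                finding["category"] = "valid"  # should not occur with code 101; left for manual review
        else:
            finding["category"] = "validity_violation"
    elif code == 27:  # chain does not end in a root present in the PSE's trust list (PKRoot)
        finding["category"] = "chain_incomplete"
        s = SUBJECT_RE.search(msg)
        finding["subject"] = s.group(1) if s else None
    elif code == 9:  # top-level verdict of ssl3_get_server_certificate
        finding["category"] = "chain_verification_failed"
    else:
        finding["category"] = "other"
    finding["action"] = ACTIONS.get(finding["category"], "inspect manually")
    return finding


def triage(trace):
    """Classify every ERROR line of a dev_webdisp excerpt, preserving order."""
    return [f for f in (classify_error(ln) for ln in trace.splitlines()) if f]


def summarize(trace):
    """Distinct categories seen in the trace with their remediation hint."""
    return {f["category"]: f["action"] for f in triage(trace)}


if __name__ == "__main__":
    for f in triage(SAMPLE_TRACE):
        print(f["code"], f["category"], f.get("expired_days", ""), f.get("subject", ""), "->", f["action"])
```

Run against the sample, the first stack resolves to an "expired" finding (the backend certificate ran out in October 2005, more than four years before the trace was taken), and the second to "chain_incomplete" with the subject CN=webdispatcher.company.com, which is the check on the client PSE's root list that mvoros suggests.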

Former Member
0 Kudos

This worked when we used the web dispatcher name in the SAPSSL.PSE file and the portal name in the SAPSSC.PSE file.