on 10-13-2010 8:20 AM
Hi, All
I am using webdispatcher as reverse proxy for SSL termination. Let me explain my steps.
to create pse
1-get request file
sapgenpse get_pse -s 2048 -p C:\usr\sap\FW2\W00\sec\SAPSSLS.pse -r C:\usr\sap\FW2\W00\sec\SAPSSLS.req "CN=portal.xxx.com, OU=xxx company"
I got request file.
2-import
sapgenpse import_own_cert -p C:\usr\sap\FW2\W00\sec\SAPSSLS.pse -c C:\usr\sap\FW2\W00\sec\reponse.cer -r C:\usr\sap\FW2\W00\sec\subroot.cer -r C:\usr\sap\FW2\W00\sec\root.cer -x 12345
CA-Response successfully import int0 PSE
3-create credentials
sapgenpse seclogin -p C:\usr\sap\FW2\W00\SAPSSLS.pse -x 12345 -O SAPServiceFW2
Added SSO-credentials for PSE "C:\usr\sap\FW2\W00\sec\SAPSSLS.pse"
4-I also checked the permissions of SAPSSLS.pse for SAPServiceFW2 and fw2adm (Win 2008)
5-sapcrypto is installed
Here are the profile parameters:
wdisp/shm_attach_mode = 6
rdisp/mshost = xxxxx
ms/http_port = 8101
DIR_INSTANCE = C:\usr\sap\FW2\W00
ssl/ssl_lib = C:\usr\sap\FW2\W00\sec\sapcrypto.dll
ssl/server_pse = C:\usr\sap\FW2\W00\sec\SAPSSLS.pse
wdisp/auto_refresh = 120
wdisp/max_servers = 100
icm/server_port_0 = PROT=HTTPS, PORT=443
icm/server_port_1 = PROT=HTTP, PORT=80
icm/HTTP/admin_0 = PREFIX=/sap(wdisp/admin,DOCROOT=./admin
wdisp/ssl_encrypt = 0
wdisp/add_client_protocol_header = true
icm/HTTPS/verify_client = 0
icm/HTTPS/trust_client_with_issuer = *
icm/HTTPS/trust_client_with_subject = *
ssf/name = SAPSECULIB
ssf/ssfapi_lib = C:\usr\sap\FW2\W00\sec\sapcrypto.dll
sec/libsapsecu = C:\usr\sap\FW2\W00\sec\sapcrypto.dll
-
Here is dev_webdisp:
-
trc file: "dev_webdisp", trc level: 1, release: "700"
-
sysno 00
sid FW2
systemid 562 (PC with Windows NT)
relno 7000
patchlevel 0
patchno 250
intno 20050900
make: multithreaded, ASCII, 64 bit, optimized
pid 3612
[Thr 3500] started security log to file dev_icm_sec
[Thr 3500] SAP Web Dispatcher running on: webdisp.com
[Thr 3500] MtxInit: 30001 0 2
[Thr 3500] IcmInit: listening to admin port: 65000
[Thr 3500] IcrCoreInitSessionTable: Session table initialized
[Thr 3896] =================================================
[Thr 3896] = SSL Initialization on PC with Windows NT
[Thr 3896] = (700_REL,May 3 2010,mt,ascii,SAP_UC/size_t/void* = 8/64/64)
[Thr 3896] profile param "ssl/ssl_lib" = "C:\usr\sap\FW2\W00\sec\sapcrypto.dll"
resulting Filename = "C:\usr\sap\FW2\W00\sec\sapcrypto.dll"
[Thr 3896] profile param "ssl/server_pse" = "C:\usr\sap\FW2\W00\sec\SAPSSLS.pse"
resulting Filename = "C:\usr\sap\FW2\W00\sec\SAPSSLS.pse"
[Thr 3896] = found SAPCRYPTOLIB 5.5.5C pl30 (Jul 23 2010) MT-safe
[Thr 3896] = current UserID: FRIK\SapServiceFW2
[Thr 3896] = found SECUDIR environment variable
[Thr 3896] = using SECUDIR=C:\usr\sap\FW2\W00\sec
[Thr 3896] *** ERROR => secudessl_Create_SSL_CTX(): PSE "C:\usr\sap\FW2\W00\sec\SAPSSLS.pse" not found! [ssslsecu.c 1360]
[Thr 3896] secudessl_Create_SSL_CTX: SSL_CTX_set_default_pse_by_name() failed --
secude_error 1824 (0x00000720) = "Wrong or Missing PIN for PSE"
[Thr 3896] >> ---- Begin of Secude-SSL Errorstack ----
[Thr 3896] ERROR in SSL_CTX_set_default_pse_by_name: (1824/0x0720) Wrong or Missing PIN for PSE : "C:\usr\sap\FW2\W00\sec\SAPSSLS.pse"
ERROR in ssl_set_pse: (1824/0x0720) Wrong or Missing PIN for PSE : "C:\usr\sap\FW2\W00\sec\SAPSSLS.pse"
ERROR in af_open: (1824/0x0720) Wrong or Missing PIN for PSE : "C:\usr\sap\FW2\W00\sec\SAPSSLS.pse"
ERROR in secsw_open: (1824/0x0720) Wrong or Missing PIN for PSE : "C:\usr\sap\FW2\W00\sec\SAPSSLS.pse"
ERROR in sec_parse_PSEInfo_cont: (1824/0x0720) Wrong or Missing PIN for PSE : "C:\usr\sap\FW2\W00\sec\SAPSSLS.pse"
[Thr 3896] << ---- End of Secude-SSL Errorstack ----
[Thr 3896] *** ERROR => SapISSLAddCredential(): Error SSSLERR_PSE_ERROR trying to create SERVER Credential
for "C:\usr\sap\FW2\W00\sec\SAPSSLS.pse" [ssslxxi.c 2314]
[Thr 3896] *** ERROR => Initialization of SSL library failed -- NO SSL available!
[Thr 3896] =================================================
[Thr 3896] <<- ERROR: SapSSLInit(read_profile=1)==SSSLERR_PSE_ERROR
[Thr 3896] HttpSubHandlerAdd: Added handler HttpRedirectHandler(slot=0, flags=4098) for /:0
[Thr 3896] HttpExtractArchive: files from archive C:\usr\sap\FW2\SYS\exe\nuc\NTAMD64/wdispadmin.SAR in directory . are up to date
[Thr 3896] HttpSubHandlerAdd: Added handler HttpAdminHandler(slot=1, flags=4101) for /sap(wdisp/admin:0
[Thr 3896] CsiInit(): Initializing the Content Scan Interface
[Thr 3896] PC with Windows NT (mt,ascii,SAP_CHAR/size_t/void* = 8/64/64)
[Thr 3896] CsiInit(): CSA_LIB = "C:\usr\sap\FW2\SYS\exe\nuc\NTAMD64\sapcsa.dll"
[Thr 3896] HttpSubHandlerAdd: Added handler HttpAuthHandler(slot=2, flags=12293) for /:0
[Thr 3896] HttpSubHandlerAdd: Added handler HttpWebDispHandler(slot=3, flags=28677) for /:0
[Thr 3896] *** ERROR => IcmAddService: SapSSLInit (rc=-40): SSSLERR_PSE_ERROR [icxxserv.c 319]
[Thr 3896] Started service 80 for protocol HTTP on host "webdisp.com"(on all adapters) (processing timeout=60, keep_alive_timeout=30)
[Thr 3500] IcmCreateWorkerThreads: created worker thread 0
[Thr 3500] IcmCreateWorkerThreads: created worker thread 1
[Thr 3500] IcmCreateWorkerThreads: created worker thread 2
[Thr 3500] IcmCreateWorkerThreads: created worker thread 3
[Thr 3500] IcmCreateWorkerThreads: created worker thread 4
[Thr 3500] IcmCreateWorkerThreads: created worker thread 5
[Thr 3500] IcmCreateWorkerThreads: created worker thread 6
[Thr 3500] IcmCreateWorkerThreads: created worker thread 7
[Thr 3500] IcmCreateWorkerThreads: created worker thread 8
[Thr 3500] IcmCreateWorkerThreads: created worker thread 9
[Thr 3336] IcmWatchDogThread: watchdog started
Regards
ABH
Edited by: ABH on Oct 13, 2010 9:34 AM
Hi,
It was a domain installation, but I needed to create the SAPServiceSID user locally too. This solved my problem. I gave the required permission on the PSE again for the local user. It sounds weird, but it is working now.
Regards
ABH
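The trace in the question and the fix in the reply fit together: the "Wrong or Missing PIN for PSE" (secude_error 1824) line means the Web Dispatcher process could not open the PIN-protected PSE because it found no matching SSO credential (the cred_v2 file in SECUDIR) for the account shown in the "current UserID" line, and the reply resolved it by creating that credential for the local service account. The following Python script is an added example, not code from the thread or from SAP: it parses the SSL-initialization lines of a dev_webdisp trace, extracts the running user, SECUDIR, PSE path and secude error, and turns them into a checklist. The sample trace is constructed from the lines quoted above; the function names, the cred_v2 file name and the recommendation texts are assumptions made for this example.

```python
"""Diagnose SSSLERR_PSE_ERROR from the SSL-init section of a SAP Web Dispatcher
dev_webdisp trace.  Added example for this thread; not SAP code.  The parsing
rules and recommendations below are assumptions derived from the posted trace
and the poster's own resolution (SSO credential for the service account)."""
import os
import re

# Constructed sample trace, modelled on the dev_webdisp excerpt in the question.
SAMPLE_TRACE = r"""
[Thr 3896] = current UserID: FRIK\SapServiceFW2
[Thr 3896] = found SECUDIR environment variable
[Thr 3896] = using SECUDIR=C:\usr\sap\FW2\W00\sec
[Thr 3896] *** ERROR => secudessl_Create_SSL_CTX(): PSE "C:\usr\sap\FW2\W00\sec\SAPSSLS.pse" not found! [ssslsecu.c 1360]
secude_error 1824 (0x00000720) = "Wrong or Missing PIN for PSE"
[Thr 3896] *** ERROR => Initialization of SSL library failed -- NO SSL available!
"""

USER_RE = re.compile(r"current UserID:\s*(\S+)")
SECUDIR_RE = re.compile(r"using SECUDIR=(\S+)")
PSE_RE = re.compile(r'PSE "([^"]+)" not found')
SECUDE_RE = re.compile(r'secude_error\s+(\d+)\s+\(0x[0-9A-Fa-f]+\)\s*=\s*"([^"]*)"')
NO_SSL_RE = re.compile(r"NO SSL available")


def parse_ssl_init(trace):
    """Collect the facts a diagnosis needs from the SSL-initialization block."""
    info = {"user": None, "secudir": None, "pse": None,
            "secude_error": None, "secude_text": None, "ssl_available": True}
    for line in trace.splitlines():
        m = USER_RE.search(line)
        if m:
            info["user"] = m.group(1)
        m = SECUDIR_RE.search(line)
        if m:
            info["secudir"] = m.group(1)
        m = PSE_RE.search(line)
        if m:
            info["pse"] = m.group(1)
        m = SECUDE_RE.search(line)
        if m:
            info["secude_error"] = int(m.group(1))
            info["secude_text"] = m.group(2)
        if NO_SSL_RE.search(line):
            info["ssl_available"] = False
    return info


def credential_store(secudir):
    """Path of the SSO credential file (assumed name cred_v2) inside SECUDIR,
    built with the separator SECUDIR itself uses so Windows paths stay intact."""
    sep = "\\" if "\\" in secudir else "/"
    return secudir.rstrip(sep) + sep + "cred_v2"


def missing_artifacts(info, exists=os.path.exists):
    """Return the PSE and credential-store paths that do not exist on disk.
    `exists` is injectable so the check can be exercised without the files."""
    candidates = []
    if info["pse"]:
        candidates.append(info["pse"])
    if info["secudir"]:
        candidates.append(credential_store(info["secudir"]))
    return [p for p in candidates if not exists(p)]


def diagnose(info):
    """Map the parsed facts to the checks a practitioner would run next."""
    findings = []
    if info["secude_error"] == 1824:
        findings.append(
            "secude_error 1824 (%s): the PSE is PIN-protected and no SSO credential "
            "for %s was found in %s. Create it while logged on as that exact account: "
            "sapgenpse seclogin -p %s -x <PIN> -O %s" % (
                info["secude_text"], info["user"],
                credential_store(info["secudir"]) if info["secudir"] else "SECUDIR",
                info["pse"], info["user"]))
        findings.append(
            "On Windows, confirm whether the service runs as the domain or the local "
            "account; the credential and the file permissions on the PSE must match "
            "the account in the 'current UserID' line, not just a same-named user.")
    if info["pse"]:
        findings.append(
            "The 'PSE ... not found' line accompanies the PIN error in this trace; "
            "verify the file exists before treating it as a missing-file problem.")
    if not info["ssl_available"]:
        findings.append(
            "SSL init failed, so the HTTPS service (icm/server_port PROT=HTTPS) was not "
            "started; only the plain HTTP port is being served.")
    return findings


if __name__ == "__main__":
    parsed = parse_ssl_init(SAMPLE_TRACE)
    for line in diagnose(parsed):
        print("-", line)
```

Run it against a real dev_webdisp by reading the file into `parse_ssl_init` instead of `SAMPLE_TRACE`; `missing_artifacts` then tells you whether the PSE or the cred_v2 file is genuinely absent from SECUDIR, which separates a file or permission problem from a credential-for-the-wrong-account problem like the one in this thread.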