on 06-14-2011 3:17 PM
Hi,
I have successfully configured a Web Dispatcher Cascade. Now I want to set up SSL for this scenario.
Can anybody provide useful information / tutorials / blogs / best practices for this issue?
If I am right I cannot use End-To-End SSL. So I have to terminate SSL on every Web Dispatcher.
In addition to this I configured the second (inner) Web Dispatcher to connect to many systems depending on the port using the
wdisp/system_1 = SID=ER1, MSHOST=saperp1, MSPORT=8100, SRCSRV=*:8010
What about Metadata Exchange Using SSL? Is this possible in such a scenario?
Regards,
Bernd
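The question above comes down to whether every listener and every onward hop of the inner Web Dispatcher is encrypted. The following audit of a profile is an added example, not part of the thread and not SAP code; only the `wdisp/system_1` line is from the post, while the listener lines, the ER2/ER3 systems and the function names are assumptions made for illustration.

```python
import re

# Constructed profile for the inner Web Dispatcher; only the wdisp/system_1
# line comes from the post, every other line is an assumption.
SAMPLE_PROFILE = """\
icm/server_port_0 = PROT=HTTPS,PORT=8010
icm/server_port_1 = PROT=HTTP,PORT=8020
wdisp/ssl_encrypt = 0
wdisp/system_1 = SID=ER1, MSHOST=saperp1, MSPORT=8100, SRCSRV=*:8010
wdisp/system_2 = SID=ER2, MSHOST=saperp2, MSPORT=8100, SRCSRV=*:8020
wdisp/system_3 = SID=ER3, MSHOST=saperp3, MSPORT=8100, SRCSRV=*:8030
"""

def parse_profile(text):
    """Return {parameter: value} for 'name = value' lines; '#' starts a comment."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def options(value):
    """Split 'KEY=VAL, KEY=VAL' into a dict keyed by upper-case option name."""
    pairs = (item.split("=", 1) for item in value.split(",") if "=" in item)
    return {key.strip().upper(): val.strip() for key, val in pairs}

def audit(text):
    """Return (parameter, finding) pairs for hops that are not TLS-protected."""
    params = parse_profile(text)
    listeners = {}  # listening port -> protocol
    for name, value in params.items():
        if re.fullmatch(r"icm/server_port_\d+", name):
            opt = options(value)
            listeners[opt.get("PORT")] = opt.get("PROT", "").upper()
    findings = []
    for name in sorted(n for n in params if re.fullmatch(r"wdisp/system_\d+", n)):
        for src in options(params[name]).get("SRCSRV", "").split(";"):
            port = src.rpartition(":")[2].strip()
            if port and port not in listeners:
                findings.append((name, f"no icm/server_port_<n> listens on {port}"))
            elif port and listeners[port] != "HTTPS":
                findings.append((name, f"port {port} accepts {listeners[port]}, not HTTPS"))
    # 0 forwards in clear text; 1 re-encrypts HTTPS requests; 2 always encrypts.
    if params.get("wdisp/ssl_encrypt", "0") == "0":
        findings.append(("wdisp/ssl_encrypt", "back-end traffic is not re-encrypted"))
    return findings
```

Calling `audit(SAMPLE_PROFILE)` reports the plain-HTTP listener behind `wdisp/system_2`, the unmatched source port of `wdisp/system_3`, and the missing re-encryption towards the back end.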
Hi Bernd,
Do you really want to use SSL everywhere ?
Would SSL set up on the first web dispatcher only be secure enough ?
Because otherwise I think that the configuration will be complex and difficult to maintain (lots of certificates...).
I have an SRM system used from the internet and to protect it, I use a cascade of an Apache reverse proxy and a SAP Web Dispatcher. I have set up SSL only on the Apache server for the internet connection.
I got our security team validation for this setup.
Regards,
Olivier
Hi Olivier,
yes, I thought about using SSL everywhere.
Is it true, that I should use a "real" (not self-signed) certificate only for the Web Dispatcher accessed from the internet? Can I use self-signed certificates for the other connections (WEBAS <> WD2 <> WD1)?
Could you provide an example configuration for this scenario? Which parameters are important and should be considered?
In this case I would prefer to use a certificate from SAP CA for this Web Dispatcher. Is the corresponding root certificate available in common browsers?
You say you are using an Apache Reverse Proxy. What is the advantage over using the Web Dispatcher (if there is any)?
Could you provide an example secure configuration for the first Web Dispatcher? Is it possible to hide / rewrite URLs there like:
https://mydomain.com/sap/bc/gui/sap/its/webgui to https://mydomain.com/webgui ?
Thank you and regards
Bernd
Hi Bernd,
> Is it true, that I should use a "real" (not self-signed) certificate only for the Web Dispatcher accessed from the internet? Can I use self-signed certificates for the other connections (WEBAS <> WD2 <> WD1)?

I think so but you will have to import the self-signed certificate of WD2 in the PSE of WD1.

> Could you provide an example configuration for this scenario? Which parameters are important and should be considered?

Sorry, I've never cascaded 2 web dispatchers.

> In this case I would prefer to use a certificate from SAP CA for this Web Dispatcher. Is the corresponding root certificate available in common browsers?

No, SAP CA is not a well known CA...

> You say you are using an Apache Reverse Proxy. What is the advantage over using the Web Dispatcher (if there is any)?

Well, as the web dispatcher was not "qualified" by our security team, I had no choice but to use Apache...
One advantage was to be able to rewrite URLs and to use the same Apache for an SRM and a PI backoffice system.

> Is it possible to hide / rewrite URLs there like:
> https://mydomain.com/sap/bc/gui/sap/its/webgui to https://mydomain.com/webgui ?

Yes, with Apache and Web dispatcher 7.2. Before 7.2, it was only possible to use URL redirects.
Regards,
Olivier
Hi Olivier,
thanks for your reply.
> No, SAP CA is not a well known CA...

Could you recommend another one, so that the internet users don't get a certificate warning?

> Well, as the web dispatcher was not "qualified" by our security team, I had no choice but to use Apache...

In this post () you wrote that there is no better way than having two Web Dispatchers... ?!?

> Yes, with Apache and Web dispatcher 7.2

Could you tell me or give an example how to do this with WD 7.2?
Thanks a lot,
Bernd
Hi Bernd,
To find the well known CA, check the content of your browser certificate repository.
Some examples of classical well known CA are Verisign, Thawte, GeoTrust, Comodo, etc...
I said that 2 web dispatchers is the best way: That is still my opinion but this was not the opinion of my company security team whose members don't know SAP products and had decided that the company qualified reverse proxy for internet usage had to be Apache. That said, Apache works perfectly but I had to learn how to use it.
To use URL rewriting with SAP Web Dispatcher 7.2, you just have to follow SAP documentation.
In the profile file (usually named sapwebdisp.pfl) you set the parameter
icm/HTTP/mod_0 = PREFIX=/,FILE=Filter_rules.txt
And you define your rules in the Filter_rules.txt file.
Read [Modifications of HTTP requests](http://help.sap.com/saphelp_nw73/helpdata/en/48/9266ffaa6b17cee10000000a421937/frameset.htm)
Regards,
Olivier
Hi Olivier,
again thanks for your reply.
I am trying to apply the following rule.
RegIRewriteUrl ^/mywdapp(.*) /sap/bc/webdynpro/sap/zmywdapp$1
When I open the URL http://<myhost>/mywdapp the login dialog appears. The URL is still http://<myhost>/mywdap12, but after logging in the URL is
Regards, Bernd
Hi Olivier,
I think I found the solution / problem.
If the name of the application is the same it works fine. But when they are different, an error with no valid destination server... comes up.
An example:
RegIRewriteUrl ^/zmywdapp(.*) /sap/bc/webdynpro/sap/zmywdapp qsappend
would work.
RegIRewriteUrl ^/superapp(.*) /sap/bc/webdynpro/sap/zmywdapp qsappend
did not work. The error appears.
Any explanation for this?
Regards, Bernd