
Web Dispatcher Cascade - SSL configuration

bernd_speckmann
Contributor
0 Kudos

Hi,

I have successfully configured a Web Dispatcher Cascade. Now I want to set up SSL for this scenario.

Can anybody provide useful information / tutorials / blogs / best practices for this issue?

If I am right I cannot use End-To-End SSL. So I have to terminate SSL on every Web Dispatcher.

In addition to this I configured the second (inner) Web Dispatcher to connect to many systems depending on the port using the

wdisp/system_1 = SID=ER1, MSHOST=saperp1, MSPORT=8100, SRCSRV=*:8010

What about Metadata Exchange Using SSL? Is this possible in such a scenario?

Regards,

Bernd

Accepted Solutions (1)


Former Member
0 Kudos

Hi Bernd,

Do you really want to use SSL everywhere?

Would SSL set up on the first web dispatcher only be secure enough?

Because otherwise I think that the configuration will be complex and difficult to maintain (lots of certificates...).

I have an SRM system used from the internet and to protect it, I use a cascade of an Apache reverse proxy and a SAP Web Dispatcher. I have set up SSL only on the Apache server for the internet connection.

I got our security team validation for this setup.

Regards,

Olivier

bernd_speckmann
Contributor
0 Kudos

Hi Olivier,

yes, I thought about using SSL everywhere.

Is it true that I should use a "real" (not self-signed) certificate only for the Web Dispatcher accessed from the internet? Can I use self-signed certificates for the other connections (WEBAS <> WD2 <> WD1)?

Could you provide an example configuration for this scenario? Which parameters are important and should be considered?

In this case I would prefer to use a certificate from SAP CA for this Web Dispatcher. Is the corresponding root certificate available in common browsers?

You say you are using an Apache Reverse Proxy. What is the advantage over using the Web Dispatcher (if there is any)?

Could you provide an example secure configuration for the first Web Dispatcher? Is it possible to hide / rewrite URLs there like:

https://mydomain.com/sap/bc/gui/sap/its/webgui to https://mydomain.com/webgui ?

Thank you and regards

Bernd

Former Member
0 Kudos

Hi Bernd,

Is it true that I should use a "real" (not self-signed) certificate only for the Web Dispatcher accessed from the internet? Can I use self-signed certificates for the other connections (WEBAS <> WD2 <> WD1)?

I think so but you will have to import the self-signed certificate of WD2 in the PSE of WD1.

Could you provide an example configuration for this scenario? Which parameters are important and should be considered?

Sorry, I've never cascaded 2 web dispatchers.

In this case I would prefer to use a certificate from SAP CA for this Web Dispatcher. Is the corresponding root certificate available in common browsers?

No, SAP CA is not a well known CA...

You say you are using an Apache Reverse Proxy. What is the advantage over using the Web Dispatcher (if there is any)?

Well, as the web dispatcher was not "qualified" by our security team, I had no choice but to use Apache...

One advantage was to be able to rewrite URLs and to use the same Apache for an SRM and a PI backoffice system.

Is it possible to hide / rewrite URLs there like:

https://mydomain.com/sap/bc/gui/sap/its/webgui to https://mydomain.com/webgui ?

Yes, with Apache and Web dispatcher 7.2. Before 7.2, it was only possible to use URL redirects.

Regards,

Olivier

bernd_speckmann
Contributor
0 Kudos

Hi Olivier,

thanks for your reply.

No, SAP CA is not a well known CA...

Could you recommend another one, so that the internet users don't get a certificate warning?

Well, as the web dispatcher was not "qualified" by our security team, I had no choice but to use Apache...

In this post () you wrote that there is no better way than having two Web Dispatchers... ?!?

Yes, with Apache and Web dispatcher 7.2

Could you tell me or give an example how to do this with WD 7.2?

Thanks a lot,

Bernd

Former Member
0 Kudos

Hi Bernd,

To find the well known CAs, check the content of your browser certificate repository.

Some examples of classical well known CAs are Verisign, Thawte, GeoTrust, Comodo, etc.

I said that 2 web dispatchers is the best way: That is still my opinion but this was not the opinion of my company security team whose members don't know SAP products and had decided that the company qualified reverse proxy for internet usage had to be Apache. That said, Apache works perfectly but I had to learn how to use it.

To use URL rewriting with SAP Web Dispatcher 7.2, you just have to follow SAP documentation.

In the profile file (usually named sapwebdisp.pfl) you set the parameter

icm/HTTP/mod_0 = PREFIX=/,FILE=Filter_rules.txt

And you define your rules in the Filter_rules.txt file.

Read "Modifications of HTTP requests": http://help.sap.com/saphelp_nw73/helpdata/en/48/9266ffaa6b17cee10000000a421937/frameset.htm

Regards,

Olivier

bernd_speckmann
Contributor
0 Kudos

Hi Olivier,

again thanks for your reply.

I am trying to apply the following rule.

RegIRewriteUrl ^/mywdapp(.*) /sap/bc/webdynpro/sap/zmywdapp$1

When I open the URL http://<myhost>/mywdapp the login dialog appears. The URL is still http://<myhost>/mywdap12, but after logging in the URL is

https://<myhost>/sap/bc/webdynpro/sap/zmywdapp?sap-system-login-basic_auth=X&sap-client=040&sap-lang...

Regards, Bernd
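
A small Python model of the rewrite rule from the post above, added here as an illustration (it is not SAP's rule engine and not code from the thread): it parses the rule line, applies it to request paths, and checks whether a URL seen in the browser reveals the back-end path the rule was meant to hide. Assumptions: the pattern is matched against the path only and the query string passes through unchanged; `parse_rules`, `rewrite` and `exposed_backend_paths` are hypothetical helper names and `host.example` is a placeholder.

```python
import re
from urllib.parse import urlsplit

# Rule line copied from the post above; everything else is constructed.
RULES_TXT = r"""
RegIRewriteUrl ^/mywdapp(.*) /sap/bc/webdynpro/sap/zmywdapp$1
"""


def parse_rules(text):
    """Return (compiled_pattern, python_substitution, raw_substitution) tuples."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        action, pattern, subst = parts[0], parts[1], parts[2]
        if action not in ("RegRewriteUrl", "RegIRewriteUrl"):
            continue  # other actions are outside this sketch
        # The "I" variant ignores case when matching.
        flags = re.IGNORECASE if action == "RegIRewriteUrl" else 0
        # Translate $1-style back-references into Python's \g<1> form.
        py_subst = re.sub(r"\$(\d)", r"\\g<\1>", subst)
        rules.append((re.compile(pattern, flags), py_subst, subst))
    return rules


def rewrite(target, rules):
    """Apply the first matching rule to the path; keep the query string."""
    url = urlsplit(target)
    for pattern, py_subst, _ in rules:
        if pattern.search(url.path):
            new_path = pattern.sub(py_subst, url.path, count=1)
            return new_path + ("?" + url.query if url.query else "")
    return target


def exposed_backend_paths(location, rules):
    """Return back-end path prefixes that a browser-visible URL reveals."""
    path = urlsplit(location).path.lower()
    prefixes = [raw.split("$", 1)[0] for _, _, raw in rules]
    return [p for p in prefixes if path.startswith(p.lower())]


if __name__ == "__main__":
    rules = parse_rules(RULES_TXT)
    print(rewrite("/mywdapp?sap-client=040", rules))
    print(exposed_backend_paths(
        "https://host.example/sap/bc/webdynpro/sap/zmywdapp?sap-client=040", rules))
```

In this model `/mywdapp2` also matches, because the pattern has no delimiter after the prefix; a pattern that requires `/` or end of path after `mywdapp` would limit the rule to the intended application.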

Former Member
0 Kudos

Hi Bernd,

Your Rewrite rule seems fine to me.

I suggest that you use HTTPWATCH to see what's going on with the browser side and the web dispatcher trace file after, if necessary increasing the trace level.

Regards,

Olivier

bernd_speckmann
Contributor
0 Kudos

Hi Olivier,

I think I found the solution / problem.

If the name of the application is the same it works fine. But when they are different, an error with no valid destination server... comes up.

An example:

RegIRewriteUrl ^/zmywdapp(.*) /sap/bc/webdynpro/sap/zmywdapp qsappend

would work.

RegIRewriteUrl ^/superapp(.*) /sap/bc/webdynpro/sap/zmywdapp qsappend

did not work. The error appears.

Any explanation for this?

Regards, Bernd

Former Member
0 Kudos

Hi Bernd,

I absolutely don't understand why the second rule should not work!

Did you try to look at the web dispatcher trace file after increasing the trace level?

Regards,

Olivier

Answers (1)


Former Member
0 Kudos

This message was moderated.