
Portal/ESS Configuration for HTTPS, SANs in SAP Certificates

bjoern_tralls
Explorer
0 Kudos

Hi everybody,

I am trying to set up the following portal environment with SSL:

1. SAP web dispatcher connected with two backend systems: portal and erp

2. SAP enterprise portal installation abc.internaldomain.com

3. SAP ERP 6.0 EhP5 installation def.internaldomain.com with HCM Enterprise Self Services

The HCM ESS application is integrated into the portal with the external name sap-erp.externaldomain.com. The web dispatcher is connected with both backend systems via icm/HTTP/mod_ ... parameters and a filter file which dispatches the requests between the two backend systems according to their external hostnames.

The web dispatcher is reachable on the external portal name sap-portal.externaldomain.com and in addition on the external ERP name sap-erp.externaldomain.com, so it can dispatch the incoming requests to the right backend system.

The SSL connections should terminate at the web dispatcher, so an SSL server PSE file has been created with the own certificate's CN "sap-portal.externaldomain.com". For this certificate, a certificate request has been signed by a CA and the certificate answer was imported into the PSE.

When calling the portal installation with the URL https://sap-portal.externaldomain.com, the signed certificate is accepted by the browser and no warning or error message is displayed. But if one starts a portal-embedded ESS Web Dynpro application from the ERP system, the browser shows a certificate error because the certificate was only issued for sap-portal.externaldomain.com and not for sap-erp.externaldomain.com.

In Firefox one can define and save an exception so that the error message will not appear in further sessions. In IE8 one can choose the option to display the blocked content, but this is only possible within the same browser session.

There is an option to use subject alternative names (SANs) within one certificate for multiple hostnames, but I did not find any support within SAP's tools sapgenpse or transaction STRUST.

Can anyone give a recommendation how to set up the portal integrated HCM self services applications with SSL and CA-signed certificates where no error messages concerning certificates are displayed?

Many thanks in advance

Björn Tralls

6 REPLIES 6

Former Member
0 Kudos

Hi,

In your case, I would use one single DNS name for the SAP Web Dispatcher and use a URL prefix to direct the different URLs to the correct back office system.

Regards,

Olivier

bjoern_tralls
Explorer
0 Kudos

Hello Olivier,

thanks for your fast reply.

I didn't configure the separation by URL prefixes as there are plans to integrate more backend systems (Business Objects, E-Recruiting, BW) into this enterprise portal, and there sure will be identical URL prefixes in the several backends. So it made more sense for me to separate the backends with different external hostnames like sap-portal, sap-erp, sap-bo, sap-bw etc.

Kind regards

Björn Tralls

0 Kudos

Hello Bjoern,

You can use as many URL prefixes as you need.

There is no problem if you need to call the same technical URL on different back office systems.

For example:

https://webdisp/bo/.

https://webdisp/erecrut/.

https://webdisp/bw/.

Martin's idea is also possible. I have a configuration with an Apache reverse proxy in a DMZ for URL rewriting and routing and 2 different web dispatchers, 1 to give access to a SAP SRM system and the other to give access to a SAP PI system.

https://ApacheReverseProxy/ gives access to SAP SRM web IHM.

https://ApacheReverseProxy/Rosettanet directs the B2B data to SAP PI.

Regards,

Olivier

mvoros
Active Contributor
0 Kudos

Hi,

It's common to use some other reverse proxy with more capabilities, such as Apache. The only problem with completely replacing the web dispatcher is that you lose the load balancing feature. So you can have Apache listening on port 443 and the web dispatcher on another port. Apache will terminate SSL and redirect to the web dispatcher. Apache supports SAN and wildcards for sub-domains (one cert for *.externaldomain.com).

Cheers
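
The three certificate layouts discussed in this thread (CN only, SAN list, wildcard), checked against the thread's hostnames; this is an added example, not code from any poster or from SAP. The certificates are constructed dicts rather than parsed files, `bw.sap.externaldomain.com` is a hypothetical deeper hostname, and the matching follows the usual RFC 6125 rules (SAN dNSName entries take precedence over the CN; a wildcard covers exactly one left-most label).

```python
# Added example: which hostnames each certificate layout from the thread covers.
# Certificates are constructed sample data, not read from a PSE or PEM file.

def _name_match(pattern, host):
    """Match one certificate DNS name against a hostname (RFC 6125 style)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        # Wildcard only as the whole left-most label, never directly above a TLD
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_covers(cert, host):
    """True if a client would accept `cert` for `host`."""
    sans = cert.get("san", [])
    if sans:
        # If SAN dNSName entries exist, the CN is not consulted at all
        return any(_name_match(s, host) for s in sans)
    # Legacy CN fallback (IE8-era clients); current browsers require a SAN entry
    return _name_match(cert["cn"], host)


def uncovered(cert, hosts):
    """Hostnames that would trigger a certificate error with this cert."""
    return [h for h in hosts if not cert_covers(cert, h)]


CN_ONLY = {"cn": "sap-portal.externaldomain.com"}
SAN_CERT = {"cn": "sap-portal.externaldomain.com",
            "san": ["sap-portal.externaldomain.com",
                    "sap-erp.externaldomain.com"]}
WILDCARD = {"cn": "*.externaldomain.com", "san": ["*.externaldomain.com"]}

HOSTS = ["sap-portal.externaldomain.com", "sap-erp.externaldomain.com",
         "sap-bo.externaldomain.com",
         "bw.sap.externaldomain.com"]  # hypothetical two-level subdomain

if __name__ == "__main__":
    for name, cert in [("CN only", CN_ONLY), ("SAN list", SAN_CERT),
                       ("wildcard", WILDCARD)]:
        print(f"{name:9s} errors on: {uncovered(cert, HOSTS)}")
```

A SAN list has to be reissued each time a backend hostname is added, while the wildcard covers new first-level names but not deeper ones.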

Former Member
0 Kudos

Hi all,

I had a similar problem with SSL certificate installation.

We had a DMZ and a LAN with different domain names.

In the DMZ we had the SAP dispatcher and the SAP backend server (ABAP stack).

In the LAN we had the SAP web dispatcher and the EP system.

Now the system shows that my SSL certificate has expired, though we changed the third-party certificate provider.

Please tell me in detail how to do the SSL certificate installation step by step.

regards,

ras v

Private_Member_19084
Active Contributor
0 Kudos

Hello Bjoern,

We have a requirement similar to yours. How did you solve the problem?

Kind regards