on 02-03-2012 5:42 PM
Hi Experts
I already configured the SAP Web Dispatcher for performance reasons (load balancing), but something is wrong with the SSL configuration. The problem seems to be the certificates from Entrust, which is our CA, because the dispatcher sends an error when a client tries to access it.
This is the error:
[Thr 9388] >> - Begin of Secude-SSL Errorstack - >>
[Thr 9388] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
[Thr 9388] ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=localhost, OU=ssl-enabled-server, O=app-server"
[Thr 9388] ERROR in get_path: (27/0x001b) Found root certificate of <CN=localhost, OU=ssl-enabled-server, O=app-server> which does not fit the given PKRoot
It seems that the Web Dispatcher does not identify the Entrust certificate.
Steps done for my configuration are:
1.- Configuring the Use of SSL on the AS Java -> Add new SSL Access on port 50443 -> Testing the URL https://FQN:50443/startPage = Successfully
2.- Configuring the SAP Web Dispatcher to Support SSL -> Install the SAP Cryptographic Library on the SAP Web Dispatcher.-> set the LD_LIBRARY_PATH and SECUDIR variables.
3.- Create the SAP Web Dispatcher's PSE(s) and certificate request(s).
sapgenpse get_pse -p SAPSSLS.pse -s 2048 -x abcpin -r wdispbpp.req "CN=bpm.consupago.com, OU=Infrastructure, O=Consupago S.A. de C.V. SFOL, L=Mexico D.F., C='MX"
OK
4.- Send the certificate request(s) to a CA to be signed -> Sent the certificate request to Entrust CA. -> Entrust CA returned the certificate: SapWebDispacher.cer
5.- Import the certificate request response(s) into the PSE.-> Import with root and Intermediate certificates
N:\usr\sap\sapwebdisp>sapgenpse import_own_cert -c SapWebDispacher.cer -r "RootCert Entrust.cer" -r "L1CIntermediate.cer" -p SAPSSLS.pse -x abcpin
CA-Response successfully imported into PSE "N:\usr\sap\sapwebdisp\sec\SAPSSLS.pse"
6.- Create credentials for the SAP Web Dispatcher
N:\usr\sap\sapwebdisp>sapgenpse seclogin -p SAPSSLS.pse -x abcpin -O --CONSUPAGO\bppadm--
running seclogin with USER="bppadm"
creating credentials for user CONSUPAGO\bppadm"...
Adjusting credentials and PSE ACLs to include "CONSUPAGO\bppadm"...
Oh, you supplied your own name explicitly ... ok.
N:\usr\sap\sapwebdisp\sec\cred_v2 ... ok.
N:\usr\sap\sapwebdisp\sec\SAPSSLS.pse ... ok.
Added SSO-credentials for PSE "N:\usr\sap\sapwebdisp\sec\SAPSSLS.pse"
"CN=bpm.consupago.com, OU=Infrastructure, O="Consupago, S.A. de C.V. SFOL", L="Mexico, D.F.", C=MX"
Set the profile parameters according to the connection type HTTPS - HTTPS:
SAPSYSTEM = 88
DIR_EXECUTABLE = .
DIR_INSTANCE = N:\usr\sap\sapwebdisp
ssl/ssl_lib = N:\usr\sap\sapwebdisp\sapcrypto.dll
ssl/server_pse = N:\usr\sap\sapwebdisp\sec\SAPSSLS.pse
rdisp/mshost = clussapbpm
ms/http_port = 8101
ms/https_port = 443
wdisp/auto_refresh = 25
wdisp/max_servers = 100
wdisp/shm_attach_mode = 6
icm/max_conn = 500
icm/max_sockets = 1024
icm/req_queue_len = 500
icm/min_threads = 10
icm/max_threads = 50
mpi/total_size_MB = 80
wdisp/HTTP/max_pooled_con = 500
wdisp/HTTPS/max_pooled_con = 500
icm/server_port_0 = PROT=HTTPS, PORT=443, TIMEOUT=900
icm/server_port_1 = PROT=HTTP, PORT=80
icm/HTTPS/verify_client = 0
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=./admin,AUTHFILE=icmauth.txt
wdisp/ssl_encrypt = 2
wdisp/ssl_certhost = clussapbpm
Can anybody help me with this error?
Best Regards !!!
Is this still a concern for you, or has it been resolved?
Regards,
Vincent