Web Dispatcher and SSL

Former Member
0 Kudos

Hi Experts

I have already configured the SAP Web Dispatcher for performance reasons (load balancing), but something is wrong with the SSL configuration. The problem seems to be the certificates from Entrust, which is our CA, because the dispatcher sends an error when a client tries to access it.

This is the error:

[Thr 9388] >> - Begin of Secude-SSL Errorstack - >>

[Thr 9388] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed

[Thr 9388] ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=localhost, OU=ssl-enabled-server, O=app-server"

[Thr 9388] ERROR in get_path: (27/0x001b) Found root certificate of <CN=localhost, OU=ssl-enabled-server, O=app-server> which does not fit the given PKRoot

It seems that the Web Dispatcher does not identify the Entrust certificate.

Steps done for my configuration are:

1.- Configuring the Use of SSL on the AS Java -> Add new SSL Access on port 50443 -> Testing the URL https://FQN:50443/startPage = Successfully

2.- Configuring the SAP Web Dispatcher to Support SSL -> Install the SAP Cryptographic Library on the SAP Web Dispatcher -> Set the LD_LIBRARY_PATH and SECUDIR variables.

3.- Create the SAP Web Dispatcher's PSE(s) and certificate request(s).

sapgenpse get_pse -p SAPSSLS.pse -s 2048 -x abcpin -r wdispbpp.req "CN=bpm.consupago.com, OU=Infrastructure, O=Consupago S.A. de C.V. SFOL, L=Mexico D.F., C=MX" OK

4.- Send the certificate request(s) to a CA to be signed -> Sent the certificate request to Entrust CA -> Entrust CA returned the certificate: SapWebDispacher.cer

5.- Import the certificate request response(s) into the PSE -> Import with root and intermediate certificates

N:\usr\sap\sapwebdisp>sapgenpse import_own_cert -c SapWebDispacher.cer -r "RootCert Entrust.cer" -r "L1CIntermediate.cer" -p SAPSSLS.pse -x abcpin

CA-Response successfully imported into PSE "N:\usr\sap\sapwebdisp\sec\SAPSSLS.pse"

6.- Create credentials for the SAP Web Dispatcher

N:\usr\sap\sapwebdisp>sapgenpse seclogin -p SAPSSLS.pse -x abcpin -O CONSUPAGO\bppadm

running seclogin with USER="bppadm"

creating credentials for user "CONSUPAGO\bppadm"...

Adjusting credentials and PSE ACLs to include "CONSUPAGO\bppadm"...

Oh, you supplied your own name explicitly ... ok.

N:\usr\sap\sapwebdisp\sec\cred_v2 ... ok.

N:\usr\sap\sapwebdisp\sec\SAPSSLS.pse ... ok.

Added SSO-credentials for PSE "N:\usr\sap\sapwebdisp\sec\SAPSSLS.pse"

"CN=bpm.consupago.com, OU=Infrastructure, O="Consupago, S.A. de C.V. SFOL", L="Mexico, D.F.", C=MX"

Set the profile parameters according to the connection type HTTPS - HTTPS:

SAPSYSTEM = 88

DIR_EXECUTABLE = .

DIR_INSTANCE = N:\usr\sap\sapwebdisp

ssl/ssl_lib = N:\usr\sap\sapwebdisp\sapcrypto.dll

ssl/server_pse = N:\usr\sap\sapwebdisp\sec\SAPSSLS.pse

rdisp/mshost = clussapbpm

ms/http_port = 8101

ms/https_port = 443

wdisp/auto_refresh = 25

wdisp/max_servers = 100

wdisp/shm_attach_mode = 6

icm/max_conn = 500

icm/max_sockets = 1024

icm/req_queue_len = 500

icm/min_threads = 10

icm/max_threads = 50

mpi/total_size_MB = 80

wdisp/HTTP/max_pooled_con = 500

wdisp/HTTPS/max_pooled_con = 500

icm/server_port_0 = PROT=HTTPS, PORT=443, TIMEOUT=900

icm/server_port_1 = PROT=HTTP, PORT=80

icm/HTTPS/verify_client = 0

icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=./admin,AUTHFILE=icmauth.txt

wdisp/ssl_encrypt = 2

wdisp/ssl_certhost = clussapbpm

Can anybody help me with this error?

Best Regards !!!
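
An added example, not part of the original post: a Python sketch that parses the Secude-SSL error stack quoted above and reports which certificate subject failed verification, compared with the subject of the dispatcher's own PSE and the wdisp/ssl_certhost value from the posted profile. The sample input is copied from the post; the function and variable names are hypothetical.

```python
import re

# Constructed sample: trace lines, profile value and PSE subject copied from the post.
TRACE = """\
[Thr 9388] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
[Thr 9388] ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=localhost, OU=ssl-enabled-server, O=app-server"
[Thr 9388] ERROR in get_path: (27/0x001b) Found root certificate of <CN=localhost, OU=ssl-enabled-server, O=app-server> which does not fit the given PKRoot
"""
PROFILE = {"wdisp/ssl_certhost": "clussapbpm"}
PSE_SUBJECT = "CN=bpm.consupago.com, OU=Infrastructure, O=Consupago S.A. de C.V. SFOL, L=Mexico D.F., C=MX"

ERR_LINE = re.compile(r"\[Thr (\d+)\] ERROR in (\w+): \((\d+)/0x[0-9a-fA-F]+\) (.*)")
SUBJECT = re.compile(r'[<"](CN=[^">]+)[>"]')  # DN quoted as "..." or <...>


def parse_errors(trace):
    """Return one record per ERROR line of a Secude-SSL error stack."""
    records = []
    for line in trace.splitlines():
        m = ERR_LINE.search(line)
        if not m:
            continue  # separators and non-error lines
        dn = SUBJECT.search(m.group(4))
        records.append({"thread": int(m.group(1)), "function": m.group(2),
                        "code": int(m.group(3)), "subject": dn.group(1) if dn else None})
    return records


def common_name(dn):
    """Extract the CN value from a comma-separated DN string."""
    m = re.search(r"(?:^|,\s*)CN=([^,]+)", dn)
    return m.group(1).strip() if m else None


def diagnose(trace, profile, pse_subject):
    """Say which certificate failed verification and how it relates to the posted setup."""
    errors = parse_errors(trace)
    rejected = sorted({common_name(e["subject"]) for e in errors if e["subject"]})
    return {
        # the dispatcher was verifying a certificate that a server presented to it
        "verifying_server_cert": any(e["function"] == "ssl3_get_server_certificate" for e in errors),
        "rejected_cn": rejected,
        # is the rejected certificate the Entrust-signed one in SAPSSLS.pse?
        "is_dispatcher_pse_cert": common_name(pse_subject) in rejected,
        # does its CN equal the wdisp/ssl_certhost value from the profile?
        "cn_equals_ssl_certhost": profile.get("wdisp/ssl_certhost") in rejected,
    }


if __name__ == "__main__":
    print(diagnose(TRACE, PROFILE, PSE_SUBJECT))
```

For the posted trace, the result shows that the rejected certificate has CN=localhost, which is neither the CN=bpm.consupago.com subject in SAPSSLS.pse nor the wdisp/ssl_certhost value.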

Accepted Solutions (0)

Answers (1)

vincentlim826
Employee
0 Kudos

Is this still a concern for you, or has it been resolved?

Regards,

Vincent