02-20-2012 12:17 AM
Dear Experts,
SAP documentation for Configuring the SAP Web Dispatcher to Support SSL talks about two options:
1. Passing the SSL Connection to the Backend Server
2. Terminating the SSL Connection
But it is not very clear in which case which approach is to be chosen. Please advise, to help make the decision.
Best Regards,
Bhagwat
02-20-2012 2:07 AM
Your decision depends on what you want.
in the first option:
"1. Passing the SSL Connection to the Backend Server"
the web dispatcher will receive a user's package and directly forward it to the backend, without opening the package, without changing anything or checking the package. Therefore, with this option you do not need to install an SSL certificate in the web dispatcher. It only gets the package and forwards it.
the second one
"2. Terminating the SSL Connection"
the web dispatcher will receive the package, open it, encrypt it again with its own certificate and forward it to the backend.
The goal of this option is that the web dispatcher can read the contents of the package and make decisions. The web dispatcher can check the URL, whether a session has already been created, etc.
With this option you have to install the SSL certificate in the Web Dispatcher.
Clébio
02-20-2012 5:37 AM
Thanks Clébio.
With this explanation it looks like the first option is easier. But why would one need to terminate the SSL connection as in the second option?
Regards,
Bhagwat
02-20-2012 9:19 AM
Hi,
There is also a third option:
3 - "Terminating the SSL Connection with no re-encryption"
In that case the web dispatcher uses HTTP to communicate with the back office SAP system. It is much simpler and often secure enough. For example, in my systems the web dispatcher is installed on the ECC6 Central Instance server.
Options 2 and 3 are the most commonly used ones.
Regards,
Olivier
02-20-2012 10:32 PM
> Thanks Clébio.
> With this explanation it looks the first option easier. But why one would need to Terminate the SSL Connection as in second option.
>
> Regards,
> Bhagwat
For example, you don't want to put additional load on your backend systems. Another reason is if you want to perform URL filtering. In this case the dispatcher must be able to look inside the SSL connection to see what is requested. Without terminating SSL this is not possible.
> the web dispatcher will receive the package, open it, encrypt it again with its own certificate and forward it to the backend.
Just a small technical detail, but this is not true. The client connects to the web dispatcher, and the dispatcher creates another connection to the backend system. For this connection it uses the certificate stored on the backend system, not its own certificate. The web dispatcher's certificate is used for the connection between the client and the dispatcher.
Cheers
02-21-2012 8:45 AM
Hi Martin,
> Just a small technical detail, but this is not true. The client connects to the web dispatcher, and the dispatcher creates another connection to the backend system. For this connection it uses the certificate stored on the backend system, not its own certificate. The web dispatcher's certificate is used for the connection between the client and the dispatcher.
I have not yet tested this re-encryption scenario and I am surprised by this precision. I would have thought that a client certificate on the web dispatcher would be necessary, as well as the SSL server certificate on the backend system?
Regards,
Olivier
02-21-2012 9:22 AM
Hi Olivier,
Maybe there is confusion about certificate roles. The web dispatcher has an SSL certificate that is used for the connection between the client and the dispatcher. Then the backend system also has a certificate that is used for the connection between the backend system and the dispatcher. There is fundamentally no difference between the connection client -> dispatcher and dispatcher -> backend system. The dispatcher tries to connect to the backend system, the backend system responds with its certificate, and the dispatcher checks whether the certificate is valid. There is no need for a client certificate for this connection. The dispatcher does not authenticate against the backend system. There are some options related to the certificate check. For example, you can say that all backend systems return a certificate for the same host name. Normally, this would cause a host name mismatch, because only one backend server could have the same hostname as is stored in the certificate.
Cheers
02-21-2012 12:07 PM
Martin,
Thanks for answering. In fact I thought that authentication (using a client certificate) was mandatory from the web dispatcher to the backend system.
I've never tried this configuration because I think it is a little bit "overkill" and my company's security team did not impose it on me.
But I did try client authentication from the browser to the backend system with no re-encryption, by sending the certificate in a header field.
Browser -- https --> web dispatcher -- http --> ECC6
It works perfectly as soon as you have a high enough Basis support package level.
In this case:
Browser -- https --> web dispatcher -- https --> ECC6
If we use web dispatcher client certificate authentication, is it still possible to use client authentication from the browser side?
Regards,
Olivier
02-21-2012 10:30 PM
Hi,
If authentication were mandatory then it wouldn't make sense. All users would be authenticated as the user from the client SSL certificate on the web dispatcher.
My current customer terminates SSL on the web dispatcher and it means less trouble with certificates for them. The problem is that you can't always do it. For example, PCI DSS requires end-to-end encryption when you transfer card details over the network. I've never seen the option where you allow HTTP to the web dispatcher and then HTTPS to the backend system.
The scenario with web dispatcher and client SSL certificates should be supported. Check the [SAP doc|http://help.sap.com/saphelp_nw70ehp1/helpdata/en/ea/301e3e6217b40be10000000a114084/content.htm] for Java AS. I believe it will work exactly the same for ABAP AS.
Cheers
02-22-2012 9:13 AM
Hi Martin,
> If authentication were mandatory then it wouldn't make sense. All users would be authenticated as the user from the client SSL certificate on the web dispatcher.
I was speaking about authentication between the web dispatcher and the backend system, not between the browser and the backend system.
> I've never seen the option where you allow HTTP to the web dispatcher and then HTTPS to the backend system.
I agree this would make no sense.
> The scenario with web dispatcher and client SSL certificates should be supported. Check the [SAP doc|http://help.sap.com/saphelp_nw70ehp1/helpdata/en/ea/301e3e6217b40be10000000a114084/content.htm] for Java AS. I believe it will work exactly the same for ABAP AS.
OK, so it seems that the same header field technique is also used with SSL re-encryption.
Thanks,
Olivier
02-22-2012 3:41 PM
Dears,
I'm going to set up a test scenario with SSL termination on the Web Dispatcher, so:
HTTPS <-> Webdispatcher <-> HTTP <---> Sap Web As (intranet)
But as this is a test scenario, and will be tested only on the intranet, we do not want to buy a real certificate from some CA now.
How can we generate an SSL certificate free of charge to be installed on the Web Dispatcher?
Better still, this certificate should not expire.
I saw that on service.sap.com/tcs the SSL certificates are not free.
Any advice?
02-22-2012 3:52 PM
Hi Roberto,
You can just use a self-signed certificate and acknowledge the warning message from the web browser.
If you want to get rid of the warning message, you can import the self-signed certificate into the certificate repository of your browser.
You can also use openssl (freeware) to sign your own certificates with your own "private certification authority".
Regards,
Olivier
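Following Olivier's openssl suggestion, and illustrating the certificate roles Martin describes (the dispatcher's own server certificate, validated by whoever connects to it), here is an added example that is not from the thread or from SAP: a private CA that signs a long-lived server certificate for an intranet test Web Dispatcher. The host name wdisp.test.example, the output directory and the validity periods are placeholder assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): private CA + CA-signed server certificate
# for a test Web Dispatcher, using openssl. Placeholders: host name, directory.
WORKDIR="${WORKDIR:-./wdisp-testpki}"
WDISP_HOST="${WDISP_HOST:-wdisp.test.example}"

# Builds root CA, server key/CSR and signed server cert; returns 0 only when the
# signed certificate verifies against the private CA.
make_test_pki() {
  mkdir -p "$WORKDIR" || return 1

  # 1. Self-signed private root CA. Roberto asked for a cert that never expires;
  #    a long-lived root (10 years here) is the practical substitute.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Test Intranet CA" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null || return 1

  # 2. Server key and CSR for the Web Dispatcher host name.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$WDISP_HOST" \
    -keyout "$WORKDIR/wdisp.key" -out "$WORKDIR/wdisp.csr" 2>/dev/null || return 1

  # 3. Sign the CSR with the CA. Browsers match the host against the SAN, not the
  #    CN, so the extension file adds it; without it the browser warning returns.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$WDISP_HOST" \
    > "$WORKDIR/san.ext"
  openssl x509 -req -in "$WORKDIR/wdisp.csr" -CA "$WORKDIR/ca.crt" \
    -CAkey "$WORKDIR/ca.key" -CAcreateserial -days 3650 \
    -extfile "$WORKDIR/san.ext" -out "$WORKDIR/wdisp.crt" 2>/dev/null || return 1

  # 4. Chain check: what the browser does once ca.crt is imported as trusted.
  openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/wdisp.crt" >/dev/null 2>&1
}

# Returns 0 when the signed certificate names the Web Dispatcher host in its SAN.
cert_names_host() {
  openssl x509 -in "$WORKDIR/wdisp.crt" -noout -text 2>/dev/null \
    | grep -q "DNS:$WDISP_HOST"
}

# The same leaf must fail against an unrelated CA: this is what an unknown
# self-signed certificate looks like to the browser before the import.
rejects_foreign_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other CA" \
    -keyout "$WORKDIR/other.key" -out "$WORKDIR/other.crt" 2>/dev/null || return 1
  ! openssl verify -CAfile "$WORKDIR/other.crt" "$WORKDIR/wdisp.crt" >/dev/null 2>&1
}

make_test_pki && cert_names_host && echo "test PKI ready in $WORKDIR"
```

Import ca.crt (not wdisp.crt) into the browser's trusted root store to silence the warning for every certificate this test CA signs.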