
Web Dispatcher and SSL

Former Member
0 Kudos

Hi Experts

I already configured the SAP Web Dispatcher for performance reasons (load balancing), but something is wrong with the SSL configuration. The problem seems to be the Entrust certificates (Entrust is our CA), because the dispatcher sends an error when a client tries to access it.

This is the error:

[Thr 9388] >> Begin of Secude-SSL Errorstack >>

[Thr 9388] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed

[Thr 9388] ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=localhost, OU=ssl-enabled-server, O=app-server"

[Thr 9388] ERROR in get_path: (27/0x001b) Found root certificate of <CN=localhost, OU=ssl-enabled-server, O=app-server> which does not fit the given PKRoot

It seems that the web dispatcher does not identify the Entrust certificate.

Steps done for my configuration are:

1.- Configuring the Use of SSL on the AS Java -> Add new SSL Access on port 50443 -> Testing the URL https://FQN:50443/startPage = Successfully

2.- Configuring the SAP Web Dispatcher to Support SSL -> Install the SAP Cryptographic Library on the SAP Web Dispatcher.-> set the LD_LIBRARY_PATH and SECUDIR variables.

3.- Create the SAP Web Dispatcher's PSE(s) and certificate request(s).

sapgenpse get_pse -p SAPSSLS.pse -s 2048 -x abcpin -r wdispbpp.req "CN=bpm.consupago.com, OU=Infrastructure, O=Consupago S.A. de C.V. SFOL, L=Mexico D.F., C=MX" OK

4.- Send the certificate request(s) to a CA to be signed -> Sent the certificate request to Entrust CA. -> Entrust CA returned

Certificate: SapWebDispacher.cer

5.- Import the certificate request response(s) into the PSE.-> Import with root and Intermediate certificates

N:\usr\sap\sapwebdisp>sapgenpse import_own_cert -c SapWebDispacher.cer -r "RootCert Entrust.cer" -r "L1CIntermediate.cer" -p SAPSSLS.pse -x abcpin

CA-Response successfully imported into PSE "N:\usr\sap\sapwebdisp\sec\SAPSSLS.pse"

6.- Create credentials for the SAP Web Dispatcher

N:\usr\sap\sapwebdisp>sapgenpse seclogin -p SAPSSLS.pse -x abcpin -O CONSUPAGO\bppadm

running seclogin with USER="bppadm"
creating credentials for user "CONSUPAGO\bppadm"...
Adjusting credentials and PSE ACLs to include "CONSUPAGO\bppadm"...
Oh, you supplied your own name explicitly ... ok.

N:\usr\sap\sapwebdisp\sec\cred_v2 ... ok.
N:\usr\sap\sapwebdisp\sec\SAPSSLS.pse ... ok.
Added SSO-credentials for PSE "N:\usr\sap\sapwebdisp\sec\SAPSSLS.pse" "CN=bpm.consupago.com, OU=Infrastructure, O="Consupago, S.A. de C.V. SFOL", L="Mexico, D.F.", C=MX"

Set the profile parameters according to the connection type HTTPS – HTTPS:

SAPSYSTEM = 88

DIR_EXECUTABLE = .

DIR_INSTANCE = N:\usr\sap\sapwebdisp

ssl/ssl_lib = N:\usr\sap\sapwebdisp\sapcrypto.dll

ssl/server_pse = N:\usr\sap\sapwebdisp\sec\SAPSSLS.pse

rdisp/mshost = clussapbpm

ms/http_port = 8101

ms/https_port = 443

wdisp/auto_refresh = 25

wdisp/max_servers = 100

wdisp/shm_attach_mode = 6

icm/max_conn = 500

icm/max_sockets = 1024

icm/req_queue_len = 500

icm/min_threads = 10

icm/max_threads = 50

mpi/total_size_MB = 80

wdisp/HTTP/max_pooled_con = 500

wdisp/HTTPS/max_pooled_con = 500

icm/server_port_0 = PROT=HTTPS, PORT=443, TIMEOUT=900

icm/server_port_1 = PROT=HTTP, PORT=80

icm/HTTPS/verify_client = 0

icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=./admin,AUTHFILE=icmauth.txt

wdisp/ssl_encrypt = 2

wdisp/ssl_certhost = clussapbpm

Can anybody help me with this error?

Best Regards !!!

Accepted Solutions (1)


Former Member
0 Kudos

Hi,

I understand that you have used a self signed certificate on the backend Java system.

I understand also that you use HTTPS between the web dispatcher and backend system.

Did you import this self-signed certificate in the PSE of the web dispatcher ?

Regards,

Olivier

Former Member
0 Kudos

Hi Olivier,

I'm not totally sure if I understood you, but do you refer to point 5, where I import the certificates into the Web Dispatcher PSE?

5.- Import the certificate request response(s) into the PSE.-> Import with root and Intermediate certificates

N:\usr\sap\sapwebdisp>sapgenpse import_own_cert -c SapWebDispacher.cer -r "RootCert Entrust.cer" -r "L1CIntermediate.cer" -p SAPSSLS.pse -x abcpin

CA-Response successfully imported into PSE "N:\usr\sap\sapwebdisp\sec\SAPSSLS.pse"

Best Regards ¡¡¡

Former Member
0 Kudos

Hi Francisco,

If your configuration is like this :

browser https> Web Dispatcher https> Backend system

The web dispatcher opens a new SSL connection to the backend system.

If the backend system uses a self-signed certificate, you need to import this certificate in the PSE of the web dispatcher.

Regards,

Olivier

Former Member
0 Kudos

Hi Olivier,

Yes, that is my configuration. So then, from what I understand, I need to import the certificate of my backend system (Java System CE 7.20) into the PSE of the web dispatcher. Is this certificate the one called "ssl-credentials-cert", or where can I find it?

Regards ¡

Former Member
0 Kudos

Hi again,

Check the documentation : [http://help.sap.com/saphelp_nw73ehp1/helpdata/en/49/3db10a19341067e10000000a42189c/content.htm]

In fact, I was wrong: you need to create a second PSE for your web dispatcher. You already have an SSL server PSE and you now need to create an SSL client PSE.

Then :

4. For outgoing connections that use SSL, import the CA root certificate for the CA that issued the back-end application server its SSL server certificate into the SAP Web Dispatcher's SSL client PSE.

For a self-signed certificate, the certificate is its own CA, so you have to import the self-signed certificate inside the SSL client PSE.

By the way, for these kinds of tasks I always use transaction STRUST (from any ABAP system), which I find much easier to use than the command line tool sapgenpse.exe.

Regards,

Olivier

Former Member
0 Kudos

Hi Olivier,

I'm really confused: I followed the guide you mention during my configuration, but I had no client PSE for the web dispatcher (sapsslc.pse), so I did not follow step 4 of the guide.

I am configuring the Web dispatcher for load balancing between java portals (AS JAVA CI - AS JAVA Application Server), can you help me with two questions?

Can I create the SSL client PSE from transaction STRUST on any ABAP instance, like SOLMAN? Or how can I create it?

Regards ¡¡¡

Former Member
0 Kudos

Hi Francisco,

Can I create the SSL client PSE from transaction STRUST on any ABAP instance, like SOLMAN? Or how can I create it?

Yes, you can.

The trick for using STRUST is to right click on the "File" entry in the left part and to choose "create".

You will get the "Create PSE" popup where you can enter the necessary information. You can click on the "pencil" button to get a more traditional entry of the DN, Algorithm and key length.

Regards,

Olivier

Former Member
0 Kudos

Hi again Oliver,

I just created the client PSE file through SOLMAN, but I get an error when I try to import the CA certificate into SAPSSLC.pse:

sapgenpse import_own_cert -c SapWebDispacher.cer -r "RootCert Entrust.cer" -r "L1CIntermediate.cer" -p SAPSSLC.pse -x abcpin

import_own_cert: Installation of certificate failed

ERROR in ssf_install_CA_response: (1280/0x0500) No certficate with your public key found

As for the server PSE file (SAPSSLS.pse), I had to create it with a key length of 2048KB as a condition of ENTRUST; the SOLMAN cannot create it for more than 1024KB, so I had to create it through "sapgenpse" as follows:

sapgenpse get_pse -p SAPSSLC.pse -s 2048 -x abcpin "CN=bpm.consupago.com, OU=Infrastructure, O=Consupago S.A. de C.V. SFOL, L=Mexico D.F., C=MX" OK

But the same error appears.

This error only appears with the file SAPSSLC.pse; if I import the certificate into the file SAPSSLS.pse it is done correctly. I read in forums that the error may be the PSE file that I just created, but I don't know where the error is.

More Info:

sapgenpse.exe get_my_name

SSO for USER "xxxxx"

with PSE file "N:\usr\sap\sapwebdisp\sec\SAPSSLS.pse"

Subject : CN=bpm.xxxxxxxx.com, OU=Infrastructure, O="Cxxxxxx, S.A. de C.V. SFOL", L="Mexico, D.F.", C=MX

Issuer : CN=Entrust Certification Authority - L1C, OU="(c) 2009 Entrust, Inc.",

OU=www.entrust.net/rpa is incorporated by reference, O="Entrust, Inc.", C=US

Serialno: 4C:1C:18:F8

KeyInfo : RSA, 2048-bit

Validity - NotBefore: Tue Jan 31 13:04:29 2012 (120131190429Z)

NotAfter: Sat Aug 29 01:01:05 2015 (150829060105Z)

Regards ¡¡¡

Former Member
0 Kudos

Hi Francisco,

Why don't you also use STRUST to import the CA certificate?

What you describe is exactly why I never use sapgenpse. STRUST is so much easier !

PS: I can perfectly choose a 2048 key length when using STRUST. And I have had STRUST-generated certificates signed by Verisign with no problem.

Regards,

Olivier

Former Member
0 Kudos

Hi Olivier,

You were right; it's just that my SOLMAN system does not let me create PSE files with the RSA algorithm, only the DSA algorithm. Now I tried it with my CRM and it allowed me to do it. I also saw that importing the certificate through SAPGENPSE was not done properly: when I look at the PSE files through CRM, these files did not have any certificate. So then, I had to import the Entrust certificates again into the PSE file (SAPSSLS.pse) via STRUST.

Now I have the PSE files and the services start correctly:

profile param "ssl/server_pse" = "N:\usr\sap\sapwebdisp\sec\SAPSSLS.pse"

[Thr 11156] resulting Filename = "N:\usr\sap\sapwebdisp\sec\SAPSSLS.pse"

[Thr 11156] = secudessl_Create_SSL_CTX(): PSE "N:\usr\sap\sapwebdisp\sec\SAPSSLA.pse" not found,

[Thr 11156] = using PSE "N:\usr\sap\sapwebdisp\sec\SAPSSLC.pse" as fallback

[Thr 11156] = Success -- SapCryptoLib SSL ready!

[Thr 11156] =================================================

[Thr 11156]

[Thr 11156] Started service PORT=443,PROT=HTTPS,TIMEOUT=60,PROCTIMEOUT=900,VCLIENT=0

[Thr 11156] SSL settings: verify_client: 0, cache_size: -1, cache_lifetime: -1, credfile: SAPSSLS.pse, ciphers: default

But when I enter my URL https://clussapbpm.consupago.com/startPage it sends me an error:

500 Dispatching Error

Error: -26

Version: 7200

Component: HTTP_ROUTE

Date/Time: Fri Feb 24 13:31:55 2012

Module: http_route.c

Line: 3360

Server: CSPXXXX01X__88

Error Tag:

Detail: no valid destination server available for '!ALL' rc=7

Thanks in advance

Regards ¡¡¡

Edited by: Francisco Daniel Perez Aguilar on Feb 24, 2012 8:40 PM

Former Member
0 Kudos

Hi Francisco,

Usually, you get this error message when your web dispatcher is not connected to the message server of the back office system. Check the web dispatcher trace file after increasing the trace level.

Regards,

Olivier

Former Member
0 Kudos

Hi Francisco,

The error that you mentioned is thrown because the URL that you tried to access doesn't have a valid mapping into the backends system where the Web Dispatcher is connected.

Does this /startPage really exist in the backend application servers?

Can you access directly into the application servers this URL or you are just not able via Web Dispatcher?

Cheers,

Maurício

Former Member
0 Kudos

Hi Olivier and Mauricio,

I've increased the trace level of the web dispatcher log and saw that the connection to the message server is OK; however, I found an error indicating that there is no mapping between backend systems, just as you said, Mauricio.

Error found:

[Thr 9584] NiICheckPendConnection: connection of hdl 159 to 192.168.201.xxx:50443 established

[Thr 9584] NiIConnect: hdl 159 took local address 192.168.201.xxx:52070

[Thr 9584] NiIConnect: state of hdl 159 NI_CONNECTED

[Thr 9584] IcmConnPoolConnect: Connection to host: CSPSADBPM02.xxxxxxxx.com, service: 50443 established (nihdl=159)

[Thr 9584] <<- SapSSLSessionInit()==SAP_O_K

[Thr 9584] in: args = "role=1 (CLIENT), auth_type=3 (USE_CLIENT_CERT)"

[Thr 9584] SSL NI-sock: local=192.168.201.xxx:52070 peer=192.168.201.xxx:50443

[Thr 9584] <<- SapSSLSetNiHdl(sssl_hdl=000000001539C930, ni_hdl=159)==SAP_O_K

[Thr 9584] SapISSLComposeFilename(): Filename = "N:\usr\sap\sapwebdisp\sec\SAPSSLC.pse"

[Thr 9584] <<- SapSSLSetSessionCredential(sssl_hdl=000000001539C930)==SAP_O_K

[Thr 9584] in: cred_name = "SAPSSLC.pse"

[Thr 9584] <<- SapSSLSetTargetHostname(sssl_hdl=000000001539C930)==SAP_O_K

[Thr 9584] in: hostname = "clussapbpm"

[Thr 9584] MatchTargetName("clussapbpm", CN="localhost") MISmatch

[Thr 9584] <<- ERROR: SapSSLSessionStart(sssl_hdl=000000001539C930)==SSSLERR_SERVER_CERT_MISMATCH

[Thr 9584] status = "resumed SSL session"

[Thr 9584] Server DN = "CN=localhost, OU=ssl-enabled-server, O=app-server"

[Thr 9584] <<- SapSSLErrorName()==SSSLERR_SERVER_CERT_MISMATCH

[Thr 9584] *** ERROR => IcmConnPoolConnect: SapSSLSessionStart failed (-30): SSSLERR_SERVER_CERT_MISMATCH [icxxpool.c 2096]

[Thr 9584] IcmIConnPoolAllocEntry: no entry for pool 000000000254F6A0 found: 0, timeout: 0

[Thr 9584] ICR: IcrAttachToServer: IcmConnPoolAllocEntry failed -12 -> Retry 6.

[Thr 9584] ICR: IcrAttachToServer: retry connection in 160 milliseconds.

[Thr 9584] *** ERROR => IcmConnPoolAllocEntry(1) failed 0. Too many attempts (6) [ictxxroute_r 2730]

[Thr 9584] ICR: IcrAttachToServer('!ALL' 2 2 4100 1 port:50443/1/0) 0-> 7

[Thr 9584] *** ERROR => no valid destination server available for '!ALL' rc=7 [http_route.c 3360]

By the way, I can access the system through the URLs https://clussapbpm.xxxxxx.com:50443/startPage and http://clussapbpm.xxxxxx.com:50000/startPage, just not via the Web Dispatcher.

Is the error due to a bad certificate or a bad SAPSSLC.pse file again? The only place where these values match ("CN = localhost, OU = ssl-server-enabled, O = app-server") is the certificate "ssl-credentials-cert" of my backend system.

Best Regards ¡¡¡

Former Member
0 Kudos

Hi Francisco,

It seems that the web dispatcher is trying to open an SSL connection to the hostname clussapbpm, but that it gets a certificate with "CN=localhost, OU=ssl-enabled-server, O=app-server".

As "clussapbpm" is different from "localhost" there is a certificate mismatch and the connection fails.

The question is therefore : why did you create an SSL server certificate with "CN=localhost" ? I think this is the problem...

Regards,

Olivier
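Olivier's two points in this thread (the web dispatcher's client PSE must hold the back end's issuing CA, or the self-signed certificate itself, and the configured target host must match the certificate's CN) as an added Python model of both checks; this is not code from the thread or from SAP. The Cert class, the function names and the Entrust root DN are my own assumptions, and the sample DNs are constructed from the ones quoted above.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str   # DN as sapgenpse / the ICM trace prints it
    issuer: str

def cn_of(dn: str) -> str:
    """Return the CN attribute of a simple comma-separated DN."""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return ""

def build_chain(leaf: Cert, pse: list[Cert]) -> tuple[str, list[Cert]]:
    """Walk issuer links from the leaf using only certificates in the PSE.
    'ok': ends at a self-signed cert held in the PSE (the trusted PKRoot);
    'incomplete': an issuer is missing (af_verify_Certificates, 27/0x001b);
    'untrusted_root': ends at a self-signed cert the PSE does not hold."""
    chain, cur = [leaf], leaf
    while len(chain) <= 10:                    # guard against issuer loops
        if cur.subject == cur.issuer:          # self-signed: end of the walk
            return ("ok" if cur in pse else "untrusted_root"), chain
        issuer = next((c for c in pse if c.subject == cur.issuer), None)
        if issuer is None:
            return "incomplete", chain
        chain.append(issuer)
        cur = issuer
    return "incomplete", chain

def match_target_name(target: str, cert: Cert) -> bool:
    """Approximation (assumed) of the ICM's MatchTargetName(): the target
    (wdisp/ssl_certhost) must equal the subject CN; a leading '*.' wildcard
    covers exactly one label. Returns False for the thread's mismatch."""
    host, name = target.lower().rstrip("."), cn_of(cert.subject).lower()
    if name.startswith("*."):
        return host.endswith(name[1:]) and host.count(".") == name.count(".")
    return name == host

# Constructed sample data modelled on the thread's DNs (root DN is a placeholder).
BACKEND_DN = "CN=localhost, OU=ssl-enabled-server, O=app-server"
BACKEND_SELF_SIGNED = Cert(BACKEND_DN, BACKEND_DN)
ROOT_DN = "CN=Entrust Root CA (placeholder), O=Entrust, C=US"
ENTRUST_ROOT = Cert(ROOT_DN, ROOT_DN)
ENTRUST_L1C = Cert("CN=Entrust Certification Authority - L1C, O=Entrust, C=US", ROOT_DN)
WD_SERVER = Cert("CN=bpm.consupago.com, OU=Infrastructure, O=Consupago, C=MX",
                 ENTRUST_L1C.subject)
```

With only the Entrust CAs in the client PSE, build_chain() on the self-signed backend certificate returns "untrusted_root" (the first error in the thread); after that certificate is imported it returns "ok", and match_target_name("clussapbpm", ...) then fails exactly as the later trace does.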

Former Member
0 Kudos

Hi Francisco,

The issue here is that the certificate that you are using as client on your Web Dispatcher (SAPSSLC.pse) is not the client certificate for the backend that you are trying to access.

You are providing for the backend the following certificate: CN=localhost, OU=ssl-enabled-server, O=app-server, but the backend is expecting a certificate that matches the hostname clussapbpm. You should export from clussapbpm the correct certificate and then import it to the Web Dispatcher.

Note 1318906 has a brief description of this error.

Cheers,

Maurício

Former Member
0 Kudos

Hi Olivier, Mauricio and sorry for the late response,

After exporting the certificate with the correct data from the backend (CN = clussapbpm) everything turned out OK; now I can connect through the web dispatcher via https. But I have the following error when I sign in to the portal for the first time:

The Browser sends error "There is a Problem with this website's security certificate."

Apparently the certificate is wrong or I did not import it correctly. Can you help with this?

Best Regards ¡

Former Member
0 Kudos

Hi Francisco,

This is probably happening because the certificate that you are using on the Web Dispatcher/Backend is not trusted by the browser. If you double-click the SSL icon in your browser you will be able to see the error.

What you can do to avoid this error is:

a) Buy a signed certificate from a trusted certificate authority

b) Import this certificate into your browser as a trusted one, and the message should not be displayed anymore.

Cheers,

Maurício

Former Member
0 Kudos

Thanks Mauricio, I will check that ¡

Best Regards ¡¡¡

Former Member
0 Kudos

Sure,

Come back after with the results.

Cheers,

Maurício
