
SAP Web Dispatcher 7.2 for End-to-End SSL

Former Member
0 Kudos

Hi,

I have 1 webdispatcher 7.2 server & 1 solman system.

I want internet web connections to solman web (https 8101) to pass by the webdispatcher server first. SAP Web Dispatcher 7.2 is configured for End-to-End SSL for simplicity.

Here's Webdispatcher profile's content:

-


# unique instance number

SAPSYSTEM = 1

wdisp/shm_attach_mode = 6

# add default directory settings

DIR_EXECUTABLE = D:\usr\sap

DIR_INSTANCE = D:\usr\sap

# configuration for default scenario (medium size)

icm/max_conn = 500

icm/max_sockets = 1024

icm/req_queue_len = 500

icm/min_threads = 10

icm/max_threads = 50

mpi/total_size_MB = 80

#Standard SSL configuration

ssl/ssl_lib = D:\usr\sap\sapcrypto.dll

ssl/server_pse = D:\usr\sap\SAPSSLS.pse

# SAP Web Dispatcher Parameter

wdisp/auto_refresh = 25

wdisp/max_servers = 100

#maximum number of concurrent connections to one server

wdisp/HTTP/max_pooled_con = 500

wdisp/HTTPS/max_pooled_con = 500

#WDP server ports:

icm/server_port_0 = PROT=ROUTER,PORT=60000,TIMEOUT=120

icm/server_port_1 = PROT=HTTPS,PORT=0

#WDP 7.20 can connect to different systems, the following parameter was set:

wdisp/system_0 = SID=SOL,MSHOST=solserver.abc.com,MSSPORT=8101,SRCSRV=*:443

#Metadata exchange should be done via HTTPS:

wdisp/server_info_protocol = https

#HTML dump into trace (for production: trace level 1 (default); for testing: trace level 3):

icm/trace_secured_data = 1

rdisp/TRACE = 3

# SAP Web Dispatcher Web Administration

icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=./admin,AUTHFILE=icmauth.txt

-


When I run the command sapwebdisp.exe pf=sapwebdisp.pfl -checkconfig, it shows the following error:

-


...

Server info will be retrieved from host: solserver.abc.com:8101 with protocol: https

Checking connection to message server of system SOL...

[Thr 3596] Mon Mar 05 02:45:17 2012

[Thr 3596] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_CONNECTION_LOST

[Thr 3596] session uses PSE file "D:\usr\sap\SAPSSLS.pse"

[Thr 3596] No Secude Error present in trace stack!

[Thr 3596] SSL_get_state() returned 0x00002120 "SSLv3 read server hello A"

[Thr 3596] SSL NI-sock: local=192.168.111.1:3492 peer=172.18.2.200:8101

[Thr 3596] <<- ERROR: SapSSLSessionStart(sssl_hdl=0000000000656530)==SSSLERR_SSL_CONNECT

ERROR: SapSSLSessionStart failed SSSLERR_SSL_CONNECT(-57)

Check ended with 1 errors, 0 warnings

-


I think if I use Webdisp End-2-End SSL, the webdispatcher should only forward SSL requests to the message server; why does it use its own SAPSSLS.pse to connect to the message server? What should I do to solve the SSL error?

Thanks,

Accepted Solutions (0)

Answers (1)

Former Member
0 Kudos

> I think if I use Webdisp End-2-End SSL, the webdispatcher should only forward SSL requests to the message server; why does it use its own SAPSSLS.pse to connect to the message server? What should I do to solve the SSL error?

Hi,

Because you set

#Metadata exchange should be done via HTTPS:

wdisp/server_info_protocol = https

which means that the connection from the web dispatcher to the message server uses https.

It is different from the connection from the web browser to solman.

Regards,

Olivier

Former Member
0 Kudos

Hi

Sorry: icm/server_port_0 = PROT=ROUTER,PORT=60000,TIMEOUT=120

--> icm/server_port_0 = PROT=ROUTER,PORT=443,TIMEOUT=120

wdisp/server_info_protocol = https because wdisp/system_0 = SID=DE1,MSHOST=solserver.abc.com,MSSPORT=8101,SRCSRV=*:443 (8101 : https).

I'm wondering whether SSL at the solman server has no relation to SSL at the webdisp server; is that right? And for the Webdisp End-2-End SSL scenario, do I only have to make sure SSL at solman runs well?

Former Member
0 Kudos

Hi Toan,

As a matter of fact, in your current configuration you don't have any configuration of an SSL server on the Web Dispatcher. The requests that contain SSL and connect to the Web Dispatcher are forwarded directly to the SolMan system. Your assumption is correct: if you have end-to-end SSL, you only have to make sure that the SSL on SolMan is healthy.

As Olivier described earlier, the reason why you receive the SSL errors is because you are using SSL for communicating between the Web Dispatcher and the message server.

Cheers,

Maurício

Former Member
0 Kudos

Hi Maurício.

What do you recommend I do/check?

Regards,

Former Member
0 Kudos

Hi,

Try first to NOT use SSL for the connection from the web dispatcher to the message server.

When it works, you will be able to use SSL.

For that you will have to import the CA certificate of your web dispatcher inside the SSL server PSE of your backend system.

Regards,

Olivier
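
The distinction drawn in the answers above (browser traffic passed through versus the dispatcher's own HTTPS connection to the message server) can be read straight off the profile. The following is an added example, not part of the thread and not SAP code: a small Python check over a sample built from the profile lines posted above. `review` is a hypothetical helper name, and only the parameters quoted in the thread are interpreted.

```python
# Constructed sample: the TLS-relevant lines of the profile posted in the thread.
SAMPLE_PROFILE = """\
icm/server_port_0 = PROT=ROUTER,PORT=443,TIMEOUT=120
wdisp/system_0 = SID=SOL,MSHOST=solserver.abc.com,MSSPORT=8101,SRCSRV=*:443
wdisp/server_info_protocol = https
icm/trace_secured_data = 1
rdisp/TRACE = 3
"""

def parse_profile(text):
    """Return {parameter: value} for 'name = value' lines, skipping comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def subparams(value):
    """Split 'PROT=ROUTER,PORT=443' into {'PROT': 'ROUTER', 'PORT': '443'}."""
    return dict(p.strip().split("=", 1) for p in value.split(",") if "=" in p)

def review(params):
    """Hypothetical helper: list which connections involve the dispatcher's own TLS."""
    findings = []
    for name, value in sorted(params.items()):
        if name.startswith("icm/server_port_") and subparams(value).get("PROT") == "ROUTER":
            findings.append(f"{name}: browser TLS is passed through to the backend (end-to-end)")
        if name.startswith("wdisp/system_") and \
                params.get("wdisp/server_info_protocol", "").lower() == "https":
            s = subparams(value)
            findings.append(f"{name}: dispatcher opens its own TLS session to "
                            f"{s.get('MSHOST')}:{s.get('MSSPORT')} for server info")
    # The profile comment in the thread gives trace level 1 for production, 3 for testing.
    if params.get("icm/trace_secured_data") == "1" or \
            params.get("rdisp/TRACE", "1") not in ("0", "1"):
        findings.append("trace: testing-level trace settings are active")
    return findings

if __name__ == "__main__":
    for finding in review(parse_profile(SAMPLE_PROFILE)):
        print(finding)
```

The second finding corresponds to the connection that failed in the `-checkconfig` output; it disappears when `wdisp/server_info_protocol` is not `https`.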