on 01-26-2013 9:02 AM
We have installed a DEV Web Dispatcher with the purpose of having both HTTP and HTTPS running on the same server.
This Web Dispatcher will eventually replace our old server running on 7.0 in the production environment.
Web Dispatcher Version=7.2 (latest patch)
OS platform=Linux RHEL 5 (latest patch)
Final Location=DMZ
Scenario 1: Web Dispatcher (webdisp.abc.com) connecting to Webgui ITS at Web AS
(HTTP & HTTPS without metadata SSL)
Web Dispatcher HTTPS: Installed with PSE, SSL Server PSE and SSL Client PSE ==> test cert from SAP Trust.
WebAS Test HTTPS: Installed with PSE, SSL Server PSE and SSL Client PSE ==> test cert from SAP Trust.
(Server Certificate + CA Root is exported and imported into Web Dispatcher SSL Client PSE).
Profile Parameters (Web Dispatcher):
icm/server_port_0 = PROT=HTTP,PORT=80,TIMEOUT=600,PROCTIMEOUT=600,EXTBIND=1
icm/server_port_1 = PROT=HTTPS,PORT=443,TIMEOUT=600,PROCTIMEOUT=600,EXTBIND=1
wdisp/system_0 = SID=MCQ, MSHOST=webastest.abc.com, MSPORT=8120, SRCSRV=*:443
wdisp/system_1 = SID=PRD, MSHOST=webasdev.abc.com, MSPORT=8100, SRCSRV=*:80
icm/HTTP/redirect_0 = PREFIX=/, PROT=https, TO=/sap/bc/gui/sap/its/webgui
wdisp/ssl_encrypt = 1
wdisp/ssl_auth = 1
icm/HTTPS/verify_client = 1
WebAS Test Configuration at webastest.abc.com:
Webgui ITS configuration at SICF is set to SSL
Both WebAS Webgui setups are configured correctly and work independently without the Web Dispatcher.
The above settings work for both http://webdisp.abc.com (redirect to webasdev.abc.com) and https://webdisp.abc.com (redirect to webastest.abc.com).
Scenario 2: Web Dispatcher (webdisp.abc.com) connecting to Webgui ITS at Web AS
(HTTPS with metadata SSL)
Settings are the same as in scenario 1, except that the following are changed and added:
Change:
wdisp/system_0 = SID=MCQ, MSHOST=webastest.abc.com, MSSPORT=8143, SRCSRV=*:443
(WebAS webastest.abc.com: have ms/server_port_1 = PROT=HTTPS,PORT=8143)
Add:
wdisp/server_info_protocol = https
When the Web Dispatcher is stopped and restarted, the HTTP part [wdisp/system_1 = SID=PRD, MSHOST=webasdev.abc.com, MSPORT=8100, SRCSRV=*:80]
is not working and can't connect to the message server:
[Thr 47923374422336] *** ERROR => Connection request from (-1/65535/0) to host:webasdev.abc.com, service: failed (NIECONN_REFUSED) {0000034a} [icxxconn_mt.c 2712]
[Thr 47923374422336] *** ERROR => IcmConnClientRqCreate() failed (rc=-8) [icrxx_mt.c 6922]
[Thr 47923374422336] *** ERROR => Could not connect to SAP Message Server at webasdev.abc.com. URL=/msgserver/text/logon?version=1.2 [icrxx_mt.c 3878]
[Thr 47923374422336] *** ERROR => rc=-1, HTTP response code: 0 [icrxx_mt.c 3879]
[Thr 47923374422336] *** ERROR => see also SAP note 552286 [icrxx_mt.c 3880]
Questions:
1. Could a metadata SSL configuration exist for both HTTP and HTTPS in the same Web Dispatcher?
If I revert scenario 2 back to scenario 1, it works perfectly. I am not sure whether [wdisp/server_info_protocol = https] is preventing HTTP from working.
I am not sure how to make this work correctly. Really need help here.
2. How could I test whether the SSL communication client <=> Web Dispatcher <=> Web AS is really secure?
Is there a free tool to test this in an intranet environment? Any recommendation?
3. Does metadata SSL really matter, since in scenario 1 Web Dispatcher => WebAS (webasdev.abc.com) are both SSL
(terminate and re-encrypt)? Is this secure enough without metadata SSL?
Thanks.
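The following is an added example, not part of the original post or of SAP's own tooling: a small Python checker that reads Web Dispatcher profile parameters in the form quoted above and flags any wdisp/system_<n> entry that has no message-server port matching wdisp/server_info_protocol. It rests on an assumption (consistent with the empty "service:" field in the trace quoted above, but not confirmed by the post): that in 7.2 wdisp/server_info_protocol is a global setting defaulting to http, and that with https the dispatcher only looks at MSSPORT, so a system that carries only MSPORT has no port to reach its message server. The input string SCENARIO_2 is constructed from the parameters in the post; the function names parse_profile, parse_subparams, check_message_server_ports and audit are mine.

```python
import re

# Constructed input: the scenario 2 parameter set from the post above, not a
# real profile file. wdisp/system_1 still carries MSPORT only, while the global
# wdisp/server_info_protocol was switched to https.
SCENARIO_2 = """
icm/server_port_0 = PROT=HTTP,PORT=80,TIMEOUT=600,PROCTIMEOUT=600,EXTBIND=1
icm/server_port_1 = PROT=HTTPS,PORT=443,TIMEOUT=600,PROCTIMEOUT=600,EXTBIND=1
wdisp/system_0 = SID=MCQ, MSHOST=webastest.abc.com, MSSPORT=8143, SRCSRV=*:443
wdisp/system_1 = SID=PRD, MSHOST=webasdev.abc.com, MSPORT=8100, SRCSRV=*:80
icm/HTTP/redirect_0 = PREFIX=/, PROT=https, TO=/sap/bc/gui/sap/its/webgui
wdisp/ssl_encrypt = 1
wdisp/ssl_auth = 1
icm/HTTPS/verify_client = 1
wdisp/server_info_protocol = https
"""


def parse_profile(text):
    """Return {parameter: raw value} for 'name = value' lines.

    Blank lines and '#' comment lines are skipped; only the first '=' splits
    name from value, because the value itself contains 'KEY=val' pairs.
    """
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def parse_subparams(value):
    """Split 'KEY=val, KEY=val' into a dict with upper-cased keys."""
    out = {}
    for part in value.split(","):
        key, _, val = part.strip().partition("=")
        if key:
            out[key.strip().upper()] = val.strip()
    return out


def check_message_server_ports(params):
    """Flag wdisp/system_<n> entries lacking the port the global protocol needs.

    Assumption (not confirmed by the post): wdisp/server_info_protocol is
    global, defaults to http, and selects MSPORT (http) or MSSPORT (https)
    for every configured backend system.
    """
    proto = params.get("wdisp/server_info_protocol", "http").lower()
    needed = "MSSPORT" if proto == "https" else "MSPORT"
    findings = []
    for name in sorted(params):
        if not re.fullmatch(r"wdisp/system_\d+", name):
            continue
        sub = parse_subparams(params[name])
        if needed not in sub:
            findings.append(
                f"{name} (SID={sub.get('SID', '?')}, MSHOST={sub.get('MSHOST', '?')}): "
                f"wdisp/server_info_protocol={proto} but no {needed} given, "
                f"so the dispatcher has no port for the message-server logon"
            )
    return findings


def audit(text):
    """Parse a profile fragment and return the list of findings (empty = ok)."""
    return check_message_server_ports(parse_profile(text))


if __name__ == "__main__":
    for finding in audit(SCENARIO_2) or ["no findings"]:
        print(finding)
```

Running the block against SCENARIO_2 reports exactly one finding, for wdisp/system_1; giving that system an MSSPORT (its own HTTPS message-server port) or dropping the global https setting makes the report empty, which is the quickest way to see which of the two changes in scenario 2 a given profile is sensitive to.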
Hello Steven,
I would like to recommend you reviewing the following How to guide:
http://scn.sap.com/docs/DOC-16078
For the Metadata exchange using SSL, please review:
http://help.sap.com/saphelp_nw70ehp1/helpdata/en/48/86c931e22c3912e10000000a42189b/frameset.htm
About testing the communication, you can use the Fiddler 2 trace tool on the client PC.
You should also raise the Web Dispatcher trace level to 2; do the same in the ICM of your Web AS. By setting:
icm/trace_secured_data = 1
(and restarting the instance) you will be able to see the HTTPS content (in the Web Dispatcher and in the Web AS).
Between the Web Dispatcher and the Web AS you can also capture the network traffic using, for example, Wireshark.
I hope this helps,
Cris