
Web Dispatcher with metadata SSL and non-SSL

steven_foo
Participant
0 Kudos

We have installed a DEV web dispatcher for the purpose of having both HTTP and HTTPS running on the same server.

This web dispatcher will eventually replace our old server running on 7.0 in the production environment.

Web Dispatcher Version=7.2  (latest patch)

OS platform=Linux RHEL 5 (latest patch)

Final Location=DMZ

Scenario 1 Web Dispatcher (webdisp.abc.com) connecting to Webgui ITS at Web AS

(HTTP & HTTPS without metadata SSL)

Web Dispatcher HTTPS: Installed with PSE, SSL Server PSE and SSL Client PSE ==> test cert from SAP Trust.

WebAS Test HTTPS: Installed with PSE, SSL Server PSE and SSL Client PSE ==> test cert from SAP Trust.

(Server Certificate + CA Root is exported and imported into Web Dispatcher SSL Client PSE).

Profile Parameter (Web Dispatcher)

icm/server_port_0 = PROT=HTTP,PORT=80,TIMEOUT=600,PROCTIMEOUT=600,EXTBIND=1

icm/server_port_1 = PROT=HTTPS,PORT=443,TIMEOUT=600,PROCTIMEOUT=600,EXTBIND=1

wdisp/system_0 = SID=MCQ, MSHOST=webastest.abc.com, MSPORT=8120, SRCSRV=*:443

wdisp/system_1 = SID=PRD, MSHOST=webasdev.abc.com, MSPORT=8100, SRCSRV=*:80

icm/HTTP/redirect_0 = PREFIX=/, PROT=https, TO=/sap/bc/gui/sap/its/webgui

wdisp/ssl_encrypt = 1

wdisp/ssl_auth = 1

icm/HTTPS/verify_client = 1

WebAS Test Configuration at webastest.abc.com:

Webgui ITS configuration at SICF is set to SSL

Both WebAS Webgui are set up correctly and able to work independently without Web Dispatcher.


The above setting works for both http://webdisp.abc.com (redirect to webasdev.abc.com) and https://webdisp.abc.com (redirect to webastest.abc.com)

Scenario 2 Web Dispatcher (webdisp.abc.com) connecting to Webgui ITS at Web AS

(HTTPS with metadata SSL)

Settings are the same as scenario 1, except that the following are changed and added

Change

wdisp/system_0 = SID=MCQ, MSHOST=webastest.abc.com, MSSPORT=8143, SRCSRV=*:443

(WebAS webastest.abc.com: have ms/server_port_1 = PROT=HTTPS,PORT=8143)

Add

wdisp/server_info_protocol = https

When the web dispatcher is stopped and restarted, the HTTP part [wdisp/system_1 = SID=PRD, MSHOST=webasdev.abc.com, MSPORT=8100, SRCSRV=*:80]

is not working and can't connect to the message server.

[Thr 47923374422336] *** ERROR => Connection request from (-1/65535/0) to host:webasdev.abc.com, service:  failed (NIECONN_REFUSED) {0000034a} [icxxconn_mt.c 2712]

[Thr 47923374422336] *** ERROR => IcmConnClientRqCreate() failed (rc=-8) [icrxx_mt.c   6922]

[Thr 47923374422336] *** ERROR => Could not connect to SAP Message Server at webasdev.abc.com. URL=/msgserver/text/logon?version=1.2 [icrxx_mt.c   3878]

[Thr 47923374422336] *** ERROR => rc=-1, HTTP response code: 0 [icrxx_mt.c   3879]

[Thr 47923374422336] *** ERROR => see also SAP note 552286 [icrxx_mt.c   3880]

Questions:

1. Could metadata SSL configuration exist for both HTTP and HTTPS in the same web dispatcher?

If I revert scenario 2 back to 1, it works perfectly. I am not sure if the [wdisp/server_info_protocol = https] is preventing HTTP from working?

I am not sure how to make this work correctly. Really need help here.

2. How could I test whether the SSL communication from client <=> Web Dispatcher <=> Web As is really secure?

Is there a free tool to test in an intranet environment? Any recommendation?

3. Does metadata SSL really matter, since in scenario 1 Web Dispatcher => WebAS (webasdev.abc.com) are both SSL

(terminate and re-encrypt)? Is this secure enough without metadata SSL?

Thanks.

Accepted Solutions (0)

Answers (1)


cris_hansen
Advisor
0 Kudos

Hello Steven,

I would like to recommend that you review the following how-to guide:

http://scn.sap.com/docs/DOC-16078

For the Metadata exchange using SSL, please review:

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/48/86c931e22c3912e10000000a42189b/frameset.htm

About testing the communication, you can use the Fiddler 2 trace tool in the client PC.

You should also raise the web dispatcher trace level to 2; do the same in the ICM of your web AS. By setting:

icm/trace_secured_data = 1

(and restarting the instance) you will be able to see the HTTPS content (in the web dispatcher and in the Web AS).

Between the web dispatcher and the Web AS you can also capture the network traffic using, for example, the WireShark software.

I hope this helps,

Cris
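
An added example, not part of the original thread and not SAP tooling: a small triage script for the web dispatcher trace errors quoted in the question, which groups connection failures by backend host and flags when the trace shows no service (port) value for the attempt. The function names are hypothetical, and the regular expressions assume the line layout exactly as it appears in the question.

```python
import re

# Trace lines copied from the question in this thread.
SAMPLE_TRACE = """\
[Thr 47923374422336] *** ERROR => Connection request from (-1/65535/0) to host:webasdev.abc.com, service:  failed (NIECONN_REFUSED) {0000034a} [icxxconn_mt.c 2712]
[Thr 47923374422336] *** ERROR => IcmConnClientRqCreate() failed (rc=-8) [icrxx_mt.c   6922]
[Thr 47923374422336] *** ERROR => Could not connect to SAP Message Server at webasdev.abc.com. URL=/msgserver/text/logon?version=1.2 [icrxx_mt.c   3878]
[Thr 47923374422336] *** ERROR => rc=-1, HTTP response code: 0 [icrxx_mt.c   3879]
[Thr 47923374422336] *** ERROR => see also SAP note 552286 [icrxx_mt.c   3880]
"""

# Assumed layout: [Thr <id>] *** ERROR => <message> [<source file> <line>]
ERROR_RE = re.compile(
    r"^\[Thr (?P<thread>\d+)\] \*\*\* ERROR => (?P<msg>.*?) "
    r"\[(?P<src>\S+)\s+(?P<srcline>\d+)\]$")
CONN_RE = re.compile(
    r"to host:(?P<host>[^,\s]+), service:\s*(?P<service>\S*?)\s*failed \((?P<code>\w+)\)")
MS_RE = re.compile(r"SAP Message Server at (?P<host>\S+)\. URL=(?P<url>\S+)")


def parse_errors(trace):
    """Return one dict per '*** ERROR =>' line: thread, msg, src, srcline."""
    records = []
    for raw in trace.splitlines():
        m = ERROR_RE.match(raw.strip())
        if m:
            records.append({**m.groupdict(), "srcline": int(m["srcline"])})
    return records


def triage(trace):
    """Group connection failures by backend host and attach the failing URL."""
    findings = {}
    for rec in parse_errors(trace):
        conn = CONN_RE.search(rec["msg"])
        if conn:
            findings[conn["host"]] = {
                "host": conn["host"], "code": conn["code"],
                # Empty service: the trace shows no port for this connect attempt.
                "service": conn["service"], "empty_service": conn["service"] == "",
                "url": None, "thread": rec["thread"]}
            continue
        ms = MS_RE.search(rec["msg"])
        if ms and ms["host"] in findings:
            findings[ms["host"]]["url"] = ms["url"]
    return list(findings.values())


if __name__ == "__main__":
    for f in triage(SAMPLE_TRACE):
        port = f["service"] or "<none in trace>"
        print(f"{f['host']}: {f['code']} port={port} url={f['url']}")
```

For the quoted trace, the `service:` field for webasdev.abc.com is empty; treating that as a reason to review the message server port settings for that system is an assumption of this example, not a statement from the thread.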