
Metadata Exchange Using SSL SAP Web Dispatcher

Former Member

Team

We are building a webdisp in the DMZ to communicate with PI systems (distributed environment) internally. I have a few questions on this subject.

     1. The internal PI systems are already running with a Web Dispatcher. Will it have any other impact if we use another webdisp in the DMZ?

     2. We have gone through different links on sdn/help.sap.com about the end-to-end and decrypt/encrypt methods. We were trying to mimic this option with the internal webdisp before we approach the DMZ.

          2.1 Activated HTTPS on the Message Server and it's up and running (ASCS is running on a different host as we have a distributed environment).

          2.2 Activated HTTPS on the webdisp and now we can log in to the webdisp on the HTTPS port (self-signed certificate).

The confusion is on the certificates part, as we have the ssl/server_pse and ssl/client_pse parts. Please note we are not going with a CA to sign the server certificate and we only use untrusted self-signed certificates on both the Message Server and the webdisp. Keeping this in mind, can you tell me how I need to approach the PSE part? How will I import the PSE of the Web Dispatcher into the Message Server or vice versa?

Do we need to get the certificates from the application server (HTTPS is also enabled in the underlying application servers)?

Please guide me to the correct approach for the above questions.

Thanks

Umesh K

Accepted Solutions (1)


Hello Umesh,

Your questions regarding the certificates on the Web Dispatcher, Message Server and application server side should be answered here:

http://help.sap.com/saphelp_nw73/helpdata/en/48/86c931e22c3912e10000000a42189b/content.htm?frameset=...

Specifically in this section:

"The SAP Web Dispatcher must be able to accept the server certificates from the message server and from the application server. To ensure they are, the certificate authorities (CAs) from the server certificates must be contained as "trusted CAs" in the SSL client PSE of the SAP Web Dispatcher."

Best regards,

Tobias

Former Member

Hi Tobias,

Thanks for the reply. I went through this documentation; however, I am still unable to visualize the settings required on the ASCS and Web Dispatcher profiles, as the above documentation is unclear on the commands we have to execute on both ends.

"The SAP Web Dispatcher must be able to accept the server certificates from the message server and from the application server. To ensure they are, the certificate authorities (CAs) from the server certificates must be contained as "trusted CAs" in the SSL client PSE of the SAP Web Dispatcher."

Because the backend system is PI (distributed), the ASCS has a server PSE and the application server possesses self-signed certificates. The CN names for both are different. Do we need to get these two server certificates signed by a CA and import them into the Web Dispatcher and vice versa?

Can you explain a bit more?

Thanks

Umesh K

Former Member

You can use self-signed certificates. On the Web Dispatcher in the DMZ you would probably want to use a certificate signed by one of the root certificate authorities. Otherwise you would have to install the self-generated root certificate on the clients. As written in the documentation, the self-signed certificates have to be trusted, meaning the self-generated root certificate used to sign the certificates must be included in the PSE. As long as the self-generated root certificate used for signing the certificates on the message server and on the application servers is the same, you should be fine.

Former Member

Thank you for the details. Just some more info is required here, Samuli.

Say I have generated SAPSSLS.pse (RSA) on the Message Server host (CN=<different host name>) and SAPSSLS.pse on the Web Dispatcher (CN=<DMZ hostname>).

Are you saying to export the server certificate from the PSE of the Message Server and import it into the Web Dispatcher client PSE?

And export the server certificate from the Web Dispatcher and import it into the Message Server client PSE?

Your help is highly appreciated.

Thanks

Umesh K

Former Member

All, I got the solution and it worked. I just exported the own certificates of the c/s and app server and imported them into the webdisp client PSE (maintain_pk), and it worked.

Thanks to all

Umesh K
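
The export and import steps from the last post, written out as an added example that is not part of the original thread. It assumes `sapgenpse` is on the PATH, that the Web Dispatcher client PSE is named `SAPSSLC.pse`, and that the certificate file names are placeholders; the helper functions and the `DRY_RUN` switch are hypothetical names introduced here.

```shell
#!/bin/sh
# Added example: trust self-signed backend certificates in the
# Web Dispatcher's SSL client PSE using sapgenpse.
# Assumptions: sapgenpse is on PATH; PSE and certificate file names
# below are illustrative, not taken from the thread.
SAPGENPSE="${SAPGENPSE:-sapgenpse}"

# run CMD...: execute the command, or only print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Run on each backend host (message server, application server):
# write the server PSE's own certificate to a file.
# usage: export_server_cert <server.pse> <out.crt>
export_server_cert() {
    run "$SAPGENPSE" export_own_cert -o "$2" -p "$1"
}

# Run on the Web Dispatcher host after copying the files over:
# add every exported certificate to the client PSE's trust list,
# then list the PSE's trusted certificates for review.
# usage: trust_in_client_pse <client.pse> <cert>...
trust_in_client_pse() {
    pse="$1"; shift
    for cert in "$@"; do
        # Fail early on a missing file instead of a partial import.
        if [ "${DRY_RUN:-0}" != "1" ] && [ ! -r "$cert" ]; then
            echo "missing certificate file: $cert" >&2
            return 1
        fi
        run "$SAPGENPSE" maintain_pk -a "$cert" -p "$pse" || return 1
    done
    run "$SAPGENPSE" maintain_pk -l -p "$pse"
}

# Example calls (file names are placeholders):
#   export_server_cert  "$SECUDIR/SAPSSLS.pse" ms.crt     # on the ASCS host
#   export_server_cert  "$SECUDIR/SAPSSLS.pse" app.crt    # on the app server
#   trust_in_client_pse "$SECUDIR/SAPSSLC.pse" ms.crt app.crt   # on webdisp
```

Because each self-signed certificate is its own trust anchor, every backend certificate has to be added individually, and the import has to be repeated whenever a backend certificate is regenerated.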
