
SAP Web Dispatcher configuration

JAMpe
Participant
0 Kudos

Hello, I'm trying to configure SAP Web Dispatcher with SSL with re-encryption. I'm not interested in load balancing.

Systems info:

  • SAP Web Dispatcher 7.4
  • backend NW AS ABAP 7.02

So far, I've done the following:

1- SSL Configuration in backend

a) Setting these parameters:

ssf/name = SAPSECULIB

ssl/ssl_lib

sec/libsapsecu

ssf/ssfapi_lib

icm/HTTPS/verify_client  <---- Should I use 0, 1 or 2? The client should be the SAP Web disp, right? So I guess 2?

icm/server_port_<x>

b) Create Private key and Certificates and generate CSR certificate --> using STRUST

c) Import digitally signed entrust certificates into ABAP AS --> using STRUST

2 - SAP Web Dispatcher Installation and set the normal parameters

3 - Install the SAP Cryptographic Library in the SAP Web Dispatcher

4 - Creating the PSEs and Certificate Requests: SSLS (Server) and SSLC (Client) --> using sapgenpse in SAP Web Dispatcher

5 - Sending the Certificate Requests to a CA (I'm using SAP Test SSL)

6 - Importing the Certificate Request Responses --> using sapgenpse in SAP Web Dispatcher

7 - Creating Credentials for the SAP Web Dispatcher  --> using sapgenpse in SAP Web Dispatcher

8 - Setting these parameters in the SAP Web Dispatcher profile for SSL:

DIR_INSTANCE =  <secudir Path>

ssl/ssl_lib =  <secudir Path>sapcrypto.dll

ssl/server_pse = <secudir Path>\SAPSSLS.pse

ssl/client_pse =  <secudir Path>\SAPSSLC.pse

icm/server_port_1 = PROT=HTTPS, PORT=<Port>, TIMEOUT=900

icm/HTTPS/verify_client = 0 --> I don't want clients from the Internet to provide certificate

wdisp/ssl_encrypt = 1

wdisp/ssl_auth = 2

wdisp/ssl_cred = <secudir Path>\SAPSSLC.pse

ms/https_port = <same port set in NW backend>

So far, my questions are the following:

  • Am I missing any step?
  • Do I have to import the SSLS (PSE) somehow in the NW AS backend? Like in STRUST? Or is it sufficient to set those parameters in the SAP Web Dispatcher profile?
  • Can I have this scenario (SSL with re-encryption) without setting metadata exchange with SSL?
  • Do I have to change any additional parameter in the NW AS backend for this scenario?


Regards,


JAM
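
As an added example (not code from the original post or from SAP): a small Python check over a Web Dispatcher profile like the one listed above. It flags parameter names that differ from the ones the post uses, a missing `wdisp/ssl_cred` when `wdisp/ssl_auth = 2`, and a missing HTTPS server port. The paths, port numbers, function names and the misspelled line in the sample are constructed for illustration.

```python
import difflib

# Parameter names as they appear in the post (icm/server_port_<x> handled by prefix).
KNOWN = (
    "DIR_INSTANCE", "ssl/ssl_lib", "ssl/server_pse", "ssl/client_pse",
    "icm/HTTPS/verify_client", "wdisp/ssl_encrypt", "wdisp/ssl_auth",
    "wdisp/ssl_cred", "ms/https_port",
)

def parse_profile(text):
    """Return {name: value} from 'name = value' lines; skips blanks and # comments."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")  # values like PROT=HTTPS keep their '='
        if sep and not line.lstrip().startswith("#"):
            params[name.strip()] = value.strip()
    return params

def lint(params):
    """Return findings for the re-encryption profile described in the post."""
    findings = []
    for name in params:
        if name in KNOWN or name.startswith("icm/server_port_"):
            continue
        guess = difflib.get_close_matches(name, KNOWN, n=1, cutoff=0.8)
        hint = f" (did you mean {guess[0]}?)" if guess else ""
        findings.append(f"unrecognized parameter {name}{hint}")
    if params.get("wdisp/ssl_auth") == "2" and "wdisp/ssl_cred" not in params:
        findings.append("wdisp/ssl_auth = 2 but wdisp/ssl_cred is not set")
    ports = [v for k, v in params.items() if k.startswith("icm/server_port_")]
    if not any("PROT=HTTPS" in v.upper().replace(" ", "") for v in ports):
        findings.append("no icm/server_port_<x> entry with PROT=HTTPS")
    return findings

# Constructed sample: placeholder paths and ports, one deliberately misspelled name.
SAMPLE = r"""
ssl/server_pse = C:\secudir\SAPSSLS.pse
ssl/client_pse = C:\secudir\SAPSSLC.pse
icm/server_port_1 = PROT=HTTPS, PORT=44300, TIMEOUT=900
icm/HHTPS/verify_client = 0
wdisp/ssl_encrypt = 1
wdisp/ssl_auth = 2
wdisp/ssl_cred = C:\secudir\SAPSSLC.pse
ms/https_port = 44301
"""

if __name__ == "__main__":
    for finding in lint(parse_profile(SAMPLE)):
        print(finding)
```

A setting written under a misspelled name does not set the intended parameter, so a check like this is worth running before restarting the Web Dispatcher.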

Accepted Solutions (0)

Answers (1)

Former Member
0 Kudos

Since you are re-encrypting, I'm assuming you are not using X.509 user certificates, hence it doesn't make sense to use verify_client in the backend system either. Yes, you can use HTTP for metadata exchange, meaning SSL is not required. As long as the backend system trusts the root CA of the Web Dispatcher client certificate, there is no need to upload anything to the backend system.

JAMpe
Participant
0 Kudos

Hello Samuli,

Thanks for your reply. How can I check if my backend trusts the root CA of my Web Dispatcher client certificate?

I've been using "SAP SSL Test Server Certificate" and the root CA is also from SAP (SAP root CA for test).

If I need to import it, what are the steps?

Regards,

JAM