
SSL Communication between Customer and Web Dispatcher

Former Member
0 Kudos

Dear ladies and gentlemen,

we have the following scenario:

Customer(outside our Network) -> WebDispatcher -> SAP System

The connection works w/o any problems if we have an untrusted Certificate.

If we use a trusted certificate, we always get back that the server expects a certificate, and it doesn't work.

If we use the pfx file, which includes the private key, it works.

But not with only the certificate file, and it's not possible to deliver the pfx file including the private key to the customer.

We have now tried several settings on the WebDispatcher and created several different trusted certificate chains, but w/o any success.

I got 4 files from our certificate department (including the trusted certificate).

And we tried to generate the PSE file with sapgenpse....

Doesn't work...

So, it would be kind if someone could help us...

If you need more information, please let me know...

Thanks in advance

S. Kohler

Accepted Solutions (0)

Answers (1)

Former Member
0 Kudos

Hello Stephan,

what exactly is your problem?

Can you import the certificates to NWA? You'll need a server certificate to establish the SSL handshake and a client certificate to authenticate. In this case you are the server, so you'll have to import the client's server certificate to your TrustedCAs and his client certificate to ICM_SSL_<Instance>. Then you need to send the client your server certificate, so that he'll be able to import it to his TrustedCAs. Then you might have to map his client certificate to a user on your system.

Basically, that should be the procedure. At which point do you have a problem?

Regards,

Jörg

Former Member
0 Kudos

Hello Jörg,

we generated a request file from our WebDispatcher and extracted the private key from the request as well. Then we sent the request to a TrustCenter and got back the client certificate and 3 additional certificates.

e.g.

a.) AddTrustExternalCARoot.crt

b.) USERTrustRSAAddTrustCA.crt

c.) TrustedSecureCertificateAuthority5.crt

We tried to generate the PSE file following documentation found on SDN:

http://wiki.scn.sap.com/wiki/display/Basis/Creating+SAPSSLS.pse+with+certificates+generated+in+opens...

  1. Generate the chain file (includes all three files mentioned above)
  2. Generate the p12 file
  3. Generate the PSE file for the server.

And import the result into the WebDispatcher certificate container.

This works, and if you do some comparison checks on the server, it works w/o any problems.

But if you try to connect to the server, it doesn't work.

It only works if you use the p12 file in the client.

But for the customers it should be only the certificate.

BTW: We checked the certificate chain and it seems okay:
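
The chain-file and p12 steps listed in the post above, with the two checks worth running before the PSE is built, shown as an added example that is not part of the thread or of the linked wiki page. All file names, CA names and the password are assumptions, and a constructed test PKI made with openssl stands in for the TrustCenter files.

```shell
#!/usr/bin/env bash
# Added example: every key, certificate and CA name here is constructed test
# data standing in for the TrustCenter files; nothing comes from the thread.

cert_pub() { openssl x509 -in "$1" -noout -pubkey | openssl sha256; }
key_pub()  { openssl pkey -in "$1" -pubout | openssl sha256; }

# Constructed two-level test CA plus a server key and certificate in dir $1.
make_test_pki() (
  cd "$1" || exit 1
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Test Root CA" 2>/dev/null &&
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
    -days 30 -out root.crt 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Test Intermediate CA" 2>/dev/null &&
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key \
    -CAcreateserial -extfile ca.ext -days 30 -out inter.crt 2>/dev/null &&
  # Only the CSR goes to the CA; wd.key never leaves the server.
  openssl req -new -newkey rsa:2048 -nodes -keyout wd.key -out wd.csr \
    -subj "/CN=webdisp.example.test" 2>/dev/null &&
  openssl x509 -req -in wd.csr -CA inter.crt -CAkey inter.key \
    -CAcreateserial -days 30 -out wd.crt 2>/dev/null
)

# Steps 1 and 2 with checks. $1 = directory, $2 = PKCS#12 password.
check_and_package() (
  cd "$1" || exit 1
  # Step 1: chain file, intermediate CA first, root CA last.
  cat inter.crt root.crt > chain.crt
  # The server certificate must verify up to the root through the chain ...
  openssl verify -CAfile root.crt -untrusted inter.crt wd.crt \
    >/dev/null 2>&1 || exit 2
  # ... and must carry the public key of the private key on the server.
  [ "$(cert_pub wd.crt)" = "$(key_pub wd.key)" ] || exit 3
  # Step 2: p12 = private key + own certificate + CA chain.
  openssl pkcs12 -export -inkey wd.key -in wd.crt -certfile chain.crt \
    -name webdisp -passout "pass:$2" -out wd.p12 || exit 4
  # Step 3 (building the PSE with sapgenpse on the SAP host) is not run here.
)

work=$(mktemp -d) && make_test_pki "$work" &&
  check_and_package "$work" "constructed-test-password" &&
  echo "chain.crt and wd.p12 written to $work"
```

Exit status 2 means the chain does not verify, and 3 means the certificate was issued for a different key than the one on the server.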

Former Member
0 Kudos

Hello Stephan,

just to clarify: This has nothing to do with SAP PI, right?

In general, with SSL communication on server side you need to import the client's server certificate in your TrustedCAs and then its client certificate into your SSL keystore (however they are named). Then you should be able to establish SSL connection without the need to send a private key.

Do you have logs available that tell you the error message of that SSL connection issue?

Regards,

Jörg

Former Member
0 Kudos

Hello Jörg,

thanks for your response.

You are right, the communication would be between the customer and the WebDispatcher.

The connection between WebDispatcher and SAP PI is working without any problems.

I found the following picture in the SAP Help Portal:

So we try to use Scenario 3... as I mentioned, it is working with an untrusted certificate. But we had trouble with a trusted certificate.

Only if I use the certificate with the private key does it work.

So, what we need is the right setup for Scenario 3. Our outsourcer implemented the trusted chain in the WebDispatcher, and a test says that there are no issues.

Could it be that some parameters have to be set up in the WebDispatcher?

Like

icm/HTTPS/trust_client_with_issuer = <issuer>

icm/HTTPS/trust_client_with_subject = <subject>

found in the article http://help.sap.de/saphelp_nw74/helpdata/en/48/9ab5d73e6d062be10000000a42189d/content.htm

Thanks

Kind regards Stephan

Former Member
0 Kudos

Hello Stephan,

the parameters you mention are set in the ICM, so they surely don't apply to the WebDispatcher. If I understand correctly, your problem occurs in the WebDispatcher once you send a request there using only a client certificate, right? Is this the place where the error occurs? Or do you see the error later in ICM? Have you configured the HTTP header mapping as mentioned on the help page? A detailed error description would help analysis, since I (and probably most of the others) have no means of looking at your system.

How did you test your WebDispatcher? soapUI or something similar?

Regards,

Jörg

Former Member
0 Kudos

Hello Jörg,

we did the test only with the Explorer to check whether the https service is available or whether we could call the Java NetWeaver Administrator site.

Regarding the HTTP header mapping, I'll check the parameter. Unfortunately the WebDispatcher is managed by our outsourcer and they have a training till the end of the week.

This means I'll validate this parameter together with our outsourcer on Monday.

We'll check any log files on the WebDispatcher as well.

I'll let you know the outcome.

Thanks