SAP Web Dispatcher certificate not getting renewed

former_member183788
Active Participant
0 Kudos

Dear,

We installed the new SAP Web Dispatcher, and generation of the certificate also finished.

After the installation, a /sec folder was generated in usr/sap/sys/sid/sec. We tried to install the certificate there, but it failed, so we created a new folder /sec in usr/sap/sys/sec and the certificate was generated successfully. But the secure folder is still pointing to usr/sap/sys/sid/sec and gives a certificate error. Please advise.

SNC_LIB and the secure lib are defined in the environment variables as usr/sap/sys/sec

Profile as follows:

SAPSYSTEMNAME = WDA

SAPGLOBALHOST = AWQ-WEBDISP1

SAPSYSTEM = 00

INSTANCE_NAME = W00

DIR_CT_RUN = $(DIR_EXE_ROOT)\$(OS_UNICODE)\NTAMD64

DIR_EXECUTABLE = $(DIR_CT_RUN)

DIR_PROFILE = $(DIR_INSTALL)\profile

_PF = $(DIR_PROFILE)\WDA_W00_AWQ-WEBDISP1

SETENV_00 = PATH=$(DIR_EXECUTABLE);%PATH%

#-----------------------------------------------------------------------

# Back-end system configuration

#-----------------------------------------------------------------------

wdisp/system_0 = SID=JPR, MSHOST=sbdc.hilan.com, MSPORT=8100

wdisp/system_1 = SID=PRD, MSHOST=sabc.hilan.com, MSPORT=8100

#-----------------------------------------------------------------------

# Configuration of maximum number of concurrent connections

#-----------------------------------------------------------------------

icm/max_conn = 2000

#-----------------------------------------------------------------------

# SAP Web Dispatcher Ports

#-----------------------------------------------------------------------

icm/server_port_0 = PROT=HTTPS,PORT=443

icm/server_port_1 = PROT=HTTP,PORT=8005

#-----------------------------------------------------------------------

# SAP Web Dispatcher Administration

#-----------------------------------------------------------------------

icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=$(DIR_DATA)$(DIR_SEP)icmandir,AUTHFILE=$(icm/authfile)

#-----------------------------------------------------------------------

# Start webdispatcher

#-----------------------------------------------------------------------

_WD = $(DIR_EXECUTABLE)\sapwebdisp$(FT_EXE)

Restart_Program_00 = local $(_WD) pf=$(_PF)

SETENV_01 = SECUDIR=$(DIR_INSTANCE)/sec

#-----------------------------------------------------------------------

icm/HTTP/redirect_0 = PREFIX=/, FROMPORT=http, FOR=sapprtlclus, TO=/irj/portal, PROT=http, HOST=sapprtlclus

Accepted Solutions (1)

former_member183788
Active Participant
0 Kudos

Dear,

I removed the /sec folder from /user/sap/sys/sec, created the .pse file in /usr/sap/sys/sid/sec and imported again, and my problem is solved.

Answers (2)

former_member227283
Active Contributor
0 Kudos

Hi Philip,

Change the parameter below in your instance profile and restart the Web Dispatcher.

Current Parameter:

#-----------------------------------------------------------------------

_WD = $(DIR_EXECUTABLE)\sapwebdisp$(FT_EXE)

Restart_Program_00 = local $(_WD) pf=$(_PF)

SETENV_01 = SECUDIR=$(DIR_INSTANCE)/sec

#-----------------------------------------------------------------------

Parameter after change:

#-----------------------------------------------------------------------

_WD = $(DIR_EXECUTABLE)\sapwebdisp$(FT_EXE)

Restart_Program_00 = local $(_WD) pf=$(_PF)

SETENV_01 = SECUDIR=<<Put the sec folder location where the PSE exist>>>

#-----------------------------------------------------------------------

Regards,

Anil Bhandary

former_member183788
Active Participant
0 Kudos

Dear Anil,

I edited it as below, but still get the same error:

_WD = $(DIR_EXECUTABLE)\sapwebdisp$(FT_EXE)

Restart_Program_00 = local $(_WD) pf=$(_PF)

SETENV_01 = SECUDIR = F:\usr\sap\WDA\sec

former_member227283
Active Contributor
0 Kudos

Dear Prathish,

Please enable the trace level by using the following parameter in the Web Dispatcher.

1. Log off from the OS user and log in again on the OS.

2. Set the parameter icm/log_level = 1 in the instance profile.

3. Restart the Web Dispatcher.

Check the dev_webdisp file for the entry of the SEC folder and the SECUDIR parameter, and share the required logs on this thread.

Regards,

Anil

former_member183788
Active Participant
0 Kudos

Dear Anil,

Log as follows:

[Thr 1104] Mon Jan 04 22:23:02 2016

[Thr 1104] started security log to file ./dev_icm_sec

[Thr 1104] SAP Web Dispatcher running on: AWQ-WEBDISP1.awqaf.gov.kw

[Thr 1104] MtxInit: 30001 0 2

[Thr 1104] ***LOG IM1=> IcmInit, Startup (SAP Web Dispatcher&AWQ-WEBDISP1.awqaf.gov.kw&292&) [icxxman.c    1966]

[Thr 1104] IcmInit: listening to admin port: 65000

[Thr 1104] MPI: dynamic quotas disabled.

[Thr 1104] MPI init: pipes=4000 buffers=2718 reserved=815 quota=10%

[Thr 1104] CCMS: SemInMgt: Semaphore Management initialized by AlAttachShm_Ext.

[Thr 1104] CCMS: SemInit: Semaphore 38 initialized by AlAttachShm_Ext.

[Thr 1104] IcrIAddSingleSystem: Added backend system: SID=JPR, MSHOST=sapprtlclus.awqaf.gov.kw, MSPORT=8100

[Thr 1104] IcrIAddSingleSystem: Added backend system: SID=PRD, MSHOST=sapprdcluster.awqaf.gov.kw, MSPORT=8100

[Thr 1104] *** ERROR => ERROR Parameter icm/HTTP/redirect_0 defined multiple times. [icxxcheckcon 2697]

[Thr 1104] *** ERROR => ERROR Parameter icm/server_port_0 defined multiple times. [icxxcheckcon 2697]

[Thr 1104] *** ERROR => ERROR Parameter icm/server_port_1 defined multiple times. [icxxcheckcon 2697]

[Thr 1104] IcrCoreInitSessionTable: Session table initialized

[Thr 2136] Adding HttpRedirectHandler: PREFIX=/,TO=/irj/portal,HOST=sapweb.awqaf.gov.kw

[Thr 2136] HttpISubHandlerAdd: Added handler HttpRedirectHandler(0000000007357CA0), slot=0, flags=4098) for /, active: 1, table 0000000007357A70

[Thr 2136] Adding HttpAdminHandler: PREFIX=/sap/wdisp/admin,DOCROOT=F:\usr\sap\WDA\W00\data\icmandir,AUTHFILE=F:\usr\sap\WDA\SYS\global\security\data\icmauth.txt

[Thr 2136] HttpExtractArchive: files from archive F:\usr\sap\WDA\SYS\exe\uc\NTAMD64/wdispadmin.SAR in directory F:/usr/sap/WDA/W00/data/icmandir are up to date

[Thr 2136] HttpISubHandlerAdd: Added handler HttpAdminHandler(00000000073A85E0), slot=1, flags=45061) for /sap/wdisp/admin, active: 1, table 0000000007357A70

[Thr 2136] Adding HttpModHandler: PREFIX=/

[Thr 2136] CsiInit(): Initializing the Content Scan Interface

[Thr 2136]            PC with Windows NT (mt,unicode,SAP_CHAR/size_t/void* = 16/64/64)

[Thr 2136] CsiInit(): CSA_LIB = "F:\usr\sap\WDA\SYS\exe\uc\NTAMD64\sapcsa.dll"

[Thr 2136] HttpISubHandlerAdd: Added handler HttpModHandler(00000000073403B0), slot=2, flags=12293) for /, active: 1, table 0000000007357A70

[Thr 2136] Adding HttpAuthHandler: PREFIX=/,FILTER=SAP

[Thr 2136] HttpISubHandlerAdd: Added handler HttpAuthHandler(00000000073404B0), slot=3, flags=12293) for /, active: 1, table 0000000007357A70

[Thr 2136] HttpISubHandlerAdd: Added handler HttpWebDispHandler(00000000073405B0), slot=4, flags=1060869) for /, active: 1, table 0000000007357A70

[Thr 2136] WebSocketPlugInInit: WebSocket Plugin initialized

[Thr 2136] IcmAddHiddenService: Hidden service WEBSOCKETS started

[Thr 2136] =================================================

[Thr 2136] = SSL Initialization    platform tag=(ntamd64-msc18)

[Thr 2136] Mon Jan 04 22:23:02 2016

[Thr 2136] =   (745_REL,Oct 12 2015,mt,ascii-uc,SAP_UC/size_t/void* = 16/64/64)

[Thr 2136]   DIR_INSTANCE="F:\usr\sap\WDA\W00"

[Thr 2136]   DIR_LIBRARY="F:\usr\sap\WDA\SYS\exe\uc\NTAMD64"

[Thr 2136]   ssl/ssl_lib="F:\usr\sap\WDA\SYS\exe\uc\NTAMD64\sapcrypto.dll"

[Thr 2136]   profile param "ssl/ssl_lib" = "F:\usr\sap\WDA\SYS\exe\uc\NTAMD64\sapcrypto.dll"

[Thr 2136]            resulting Filename = "F:\usr\sap\WDA\SYS\exe\uc\NTAMD64\sapcrypto.dll"

[Thr 2136] =   disabled FIPS 140-2 crypto kernel

[Thr 2136] =   found CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.41 pl40 (Aug 18 2015) MT-safe

[Thr 2136] =   current UserID: AWQAF\SAPServiceWDA

[Thr 2136] =   found SECUDIR environment variable

[Thr 2136] =   using SECUDIR=F:\usr\sap\WDA\W00\sec

[Thr 2136]   ssl/ciphersuites="HIGH:MEDIUM:+e3DES:!aNULL"

[Thr 2136]   ssl/client_ciphersuites="HIGH:MEDIUM:+e3DES:!aNULL"

[Thr 2136] = Success -- SapCryptoLib SSL ready!

[Thr 2136] =================================================

[Thr 2136]

[Thr 2136] Started service HOST=sapweb.awqaf.gov.kw,PORT=443,PROT=HTTPS,TIMEOUT=60,PROCTIMEOUT=60,VCLIENT=1

[Thr 2136] SSL settings: verify_client: 1, cache_size: -1, cache_lifetime: -1, credfile: SAPSSLS.pse, ciphers: default

[Thr 2136] IcmAddHiddenService: Hidden service WEBSOCKET started

[Thr 2136] Started service HOST=sapweb.awqaf.gov.kw,PORT=80,PROT=HTTP,TIMEOUT=60,PROCTIMEOUT=60

[Thr 1104] IcmCreateWorkerThreads: created worker thread 0

[Thr 1104] IcmCreateWorkerThreads: created worker thread 1

[Thr 1104] IcmCreateWorkerThreads: created worker thread 2

[Thr 1104] IcmCreateWorkerThreads: created worker thread 3

[Thr 1104] IcmCreateWorkerThreads: created worker thread 4

[Thr 1104] IcmCreateWorkerThreads: created worker thread 5

[Thr 1104] IcmCreateWorkerThreads: created worker thread 6

[Thr 1104] IcmCreateWorkerThreads: created worker thread 7

[Thr 1104] IcmCreateWorkerThreads: created worker thread 8

[Thr 1104] IcmCreateWorkerThreads: created worker thread 9

[Thr 2660] IcmWatchDogThread: watchdog started

former_member227283
Active Contributor
0 Kudos

Dear Prathish,

I can still see in the log that SECUDIR is not directed to the location which you have set in the environment variable.

1. Go to the command prompt, run the command SET and share its output.

Also try the steps below:

1. Log in as the WDAADM user.

2. Go to the command prompt and run the command SET SECUDIR= F:\usr\sap\WDA\sec

3. Then the webdispatcher without logging off the instance.

4. If the problem still exists, then share the dev_webdisp logs with us again.

Note: I can also see that the environment screenshot which you have shared does not have any SAP environment in it. Can you tell us the reason why?

Basically, user wdaadm should have environment variables for the kernel location and many more.

Regards,

Anil

isaias_freitas
Advisor
0 Kudos

Hello Prathish,

Your Web Dispatcher instance profile is overwriting the value of the SECUDIR environment variable.

Check the "SETENV_01" parameter.

Either remove the parameter and set the variable at Windows level (as shown in the screenshots you have posted), or remove the variable from Windows level and adjust the parameter.

Regards,

Isaías
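
The override described in the reply above can be confirmed from the profile and trace already posted in this thread. The following Python script is an added example, not part of any post and not SAP tooling: it reads the profile's `SETENV_nn` line and the `dev_webdisp` trace, then reports which directory the Web Dispatcher actually uses and whether a given PSE folder matches it. The function names and the trimmed sample input are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample input: lines trimmed from the profile and trace quoted in this thread.
PROFILE = r"""
SETENV_00 = PATH=$(DIR_EXECUTABLE);%PATH%
SETENV_01 = SECUDIR=$(DIR_INSTANCE)/sec
"""
TRACE = r"""
[Thr 2136]   DIR_INSTANCE="F:\usr\sap\WDA\W00"
[Thr 2136] =   found SECUDIR environment variable
[Thr 2136] =   using SECUDIR=F:\usr\sap\WDA\W00\sec
[Thr 2136] SSL settings: verify_client: 1, cache_size: -1, cache_lifetime: -1, credfile: SAPSSLS.pse, ciphers: default
"""

def profile_secudir(profile):
    """Return (parameter name, raw value) of the SETENV_nn line that sets SECUDIR."""
    for line in profile.splitlines():
        m = re.match(r"\s*(SETENV_\d+)\s*=\s*SECUDIR\s*=\s*(.+?)\s*$", line)
        if m:
            return m.group(1), m.group(2)
    return None

def trace_facts(trace):
    """Pull DIR_INSTANCE, the effective SECUDIR and the server PSE name from the trace."""
    patterns = {"dir_instance": r'DIR_INSTANCE="([^"]+)"',
                "secudir": r"using SECUDIR=(\S.*?)\s*$",
                "credfile": r"credfile:\s*([^,\s]+)"}
    found = {k: re.search(p, trace, re.MULTILINE) for k, p in patterns.items()}
    return {k: m.group(1) for k, m in found.items() if m}

def diagnose(profile, trace, pse_dir):
    """Compare the folder holding the PSE with the SECUDIR the process really uses."""
    facts = trace_facts(trace)
    effective = PureWindowsPath(facts["secudir"])  # handles / and \, ignores case
    source = "OS environment"
    hit = profile_secudir(profile)
    if hit:
        name, raw = hit
        expanded = raw.replace("$(DIR_INSTANCE)", facts.get("dir_instance", ""))
        # Heuristic: if the expanded profile value equals the traced value,
        # the profile's SETENV line is what the process ended up with.
        if PureWindowsPath(expanded) == effective:
            source = "profile " + name
    return {"effective": str(effective), "source": source,
            "expected_pse": str(effective / facts.get("credfile", "SAPSSLS.pse")),
            "pse_dir_matches": PureWindowsPath(pse_dir) == effective}

if __name__ == "__main__":
    print(diagnose(PROFILE, TRACE, r"F:\usr\sap\WDA\sec"))
```

With the thread's values, the result shows the profile as the source of SECUDIR and a mismatch with the folder where the PSE was created.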

isaias_freitas
Advisor
0 Kudos

Hello,

The SECUDIR is pointing to "DRIVE:\usr\sap\<SID>\<INSTANCE>\sec" (DRIVE:\usr\sap\WDA\W00\sec).

Try putting the PSE files there and restart the Web Dispatcher.

Cheers!

Isaías

former_member183788
Active Participant
0 Kudos

Dear Isaias,

Can I change the directory in the profile to usr/sap/sys/sec, because the certificate is generated in this folder? If I copy and paste the .pse to \usr\sap\WDA\W00\sec, do I have to import the certificate again?

isaias_freitas
Advisor
0 Kudos

Dear Prathish,

Changing the folder or copying the PSE files will have the same results.

You do not need to import the certificates again, after copying the PSE files to the correct folder.

In addition, you could even move the PSE files, instead of copying them.

Maybe you can first copy them and confirm that the issue is solved.

Then, you can delete them from the "usr/sap/sys/sec" folder (so no confusion occurs in the future).

Regards,

Isaías

former_member183788
Active Participant
0 Kudos

Dear Isaias,

I copied the .pse only, then tried moving the folder. If I make any changes to the .pse in usr/sap/sys/sid/sec, the site will not work.

isaias_freitas
Advisor
0 Kudos

Dear Prathish,

The PSE files must exist in the folder configured in the SECUDIR environment variable.

I see from your reply in this thread that you have changed its value.

Copy/move the PSE files to the folder set in the SECUDIR environment variable and restart the Web Dispatcher.

Regards,

Isaías

former_member183788
Active Participant
0 Kudos

Dear Isaias,

Now I changed everything back to old; see the .pse file settings