
ssl configuration switching to http from https page after login to portal

former_member409456
Participant
0 Kudos

Dear All,

We are using SAP EP (7.02) and the backend is an ABAP source (ERP 6.0 EHP 5). In front of the portal we have SAP Web Dispatcher.

We have configured SSL. We are able to login to portal page via https but after login it is switching to http url which should not happen.

Please suggest what can be the reason?

Tarun

Accepted Solutions (0)

Answers (3)


isaias_freitas
Advisor
0 Kudos

Hello,

You do not need to use the "ROUTER" protocol at the port being opened at the Web Dispatcher.

This will not help with the reported issue.

Set the parameter "wdisp/add_client_protocol_header = true" at the Web Dispatcher profile and restart it.

Keep this parameter set, even if it does not help in all cases.

In addition, for each iView that is changing the URL to HTTP, you need to edit the System Object and adjust the protocol to be used there.

Cheers!

Isaías

former_member409456
Participant
0 Kudos

Hello Isaias,

Thanks for the reply.

In my case the entire ESS tab is not working. I mean, when I click on the ESS tab, all links and iViews are visible, but when I click on them nothing works.

Tarun

former_member186228
Active Participant
0 Kudos
isaias_freitas
Advisor
0 Kudos

Hello Tarun,

And where do the links point to?

Is it to the Web Dispatcher? Using HTTPS?

And where should they point to?

Have you verified the "System object" properties at the Portal? Look for the "ITS" and "WebAS" properties of the system object.

Cheers!

Isaías

Former Member
0 Kudos

Hello,

You have to set the parameter below in the Web Dispatcher if you want to pass the SSL connection to the backend:

icm/server_port_<xx> = PROT=ROUTER, PORT=<port>, TIMEOUT=<timeout_in_seconds>


This page gives a pretty good general overview of the SSL options available with the Web Dispatcher and how to configure them:

SAP Web Dispatcher and SSL - SAP Web Dispatcher - SAP Library


Regards

Thomas.

former_member409456
Participant
0 Kudos

Hi Thomas,

I also used the parameter "icm/server_port_<xx> = PROT=ROUTER, PORT=<port>," in the instance profile of the Web Dispatcher.


With this parameter my page opens with https, but all backend iViews and URLs are not working. I mean, when I click on them nothing opens.


If I do not use the parameter suggested by you, then all URLs and iViews are working, but the page opens with http, not with https.



Former Member
0 Kudos

Hello,

Has the backend been configured to use SSL?

Is there anything in the Web Dispatcher or backend ICM log files?

Regards

Thomas.

former_member409456
Participant
0 Kudos

Hi Thomas,

SSL is also configured at the backend.

I am able to open the test program of R/3 over https. Is there anything else? Please let me know.

Former Member
0 Kudos

Hello,

Did you set up the certificates and the PSE configuration?

In general, as suggested, I would check the ICM log files on the Web Dispatcher and the backend.

They are located in the work directory of the instance. Look for dev_icm.

Regards

Thomas.

former_member409456
Participant
0 Kudos

Hi Thomas,

In the backend ICM log I am continuously getting the message below:

[Thr 2828] *** WARNING => Connection request from (4/5/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)

[Thr 2828]  {0002b914} [icxxconn_mt.c 2108]

[Thr 2828] Mon Mar 21 11:01:41 2016

[Thr 2828] *** WARNING => Connection request from (4/5/0) to host: 10.26.24.44, service: 1090 failed (NIECONN_REFUSED)

[Thr 2828]  {0002b93c} [icxxconn_mt.c 2108]

[Thr 772] *** WARNING => Connection request from (4/5/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)

[Thr 772]  {0002b93d} [icxxconn_mt.c 2108]

[Thr 1543] Mon Mar 21 11:06:41 2016

[Thr 1543] *** WARNING => Connection request from (4/5/0) to host: 10.26.24.44, service: 1090 failed (NIECONN_REFUSED)

[Thr 1543]  {0002b972} [icxxconn_mt.c 2108]

[Thr 2571] *** WARNING => Connection request from (4/5/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)

[Thr 2571]  {0002b973} [icxxconn_mt.c 2108]

[Thr 2314] Mon Mar 21 11:06:43 2016

[Thr 2314] *** WARNING => Connection request from (4/5/0) to host: 10.26.24.44, service: 1090 failed (NIECONN_REFUSED)

[Thr 2314]  {0002b974} [icxxconn_mt.c 2108]

[Thr 1800] *** WARNING => Connection request from (4/5/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)

[Thr 1800]  {0002b975} [icxxconn_mt.c 2108]

[Thr 2314] Mon Mar 21 11:06:44 2016

[Thr 2314] *** WARNING => Connection request from (4/5/0) to host: 10.26.24.44, service: 1090 failed (NIECONN_REFUSED)

[Thr 2314]  {0002b988} [icxxconn_mt.c 2108]

[Thr 1800] *** WARNING => Connection request from (4/5/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)

[Thr 1800]  {0002b989} [icxxconn_mt.c 2108]

[Thr 772] Mon Mar 21 11:11:41 2016

[Thr 772] *** WARNING => Connection request from (4/5/0) to host: 10.26.24.44, service: 1090 failed (NIECONN_REFUSED)

[Thr 772]  {0002b9b5} [icxxconn_mt.c 2108]

[Thr 1286] *** WARNING => Connection request from (4/5/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)

[Thr 1286]  {0002b9b6} [icxxconn_mt.c 2108]

[Thr 2314] Mon Mar 21 11:16:41 2016

[Thr 2314] *** WARNING => Connection request from (4/5/0) to host: 10.26.24.44, service: 1090 failed (NIECONN_REFUSED)

[Thr 2314]  {0002b9ec} [icxxconn_mt.c 2108]

[Thr 1800] *** WARNING => Connection request from (4/5/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)

[Thr 1800]  {0002b9ed} [icxxconn_mt.c 2108]

[Thr 2057] Mon Mar 21 11:16:43 2016

[Thr 2057] *** WARNING => Connection request from (4/5/0) to host: 10.26.24.44, service: 1090 failed (NIECONN_REFUSED)

[Thr 2057]  {0002b9ee} [icxxconn_mt.c 2108]

[Thr 1029] *** WARNING => Connection request from (4/5/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)

[Thr 1029]  {0002b9ef} [icxxconn_mt.c 2108]

[Thr 2057] Mon Mar 21 11:16:44 2016

[Thr 2057] *** WARNING => Connection request from (4/5/0) to host: 10.26.24.44, service: 1090 failed (NIECONN_REFUSED)

[Thr 2057]  {0002ba02} [icxxconn_mt.c 2108]

[Thr 1029] *** WARNING => Connection request from (4/5/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)

[Thr 1029]  {0002ba03} [icxxconn_mt.c 2108]

[Thr 2828] Mon Mar 21 11:21:41 2016

In the Web Dispatcher ICM log I am getting the error message below:

trc file: "dev_icm_sec_5", trc level: 1, release: "720"

---------------------------------------------------

Fri Mar 18 16:38:57 2016

hostname       HOST.com

logfile name   dev_icm_sec

max file size  512000

switch type    0

max file size  512000

file wrap      0

logging level  2

***********************************************************************************

******                           SECURITY LOG STARTED                        ******

***********************************************************************************

***********************************************************************************

******                              SECURITY WARNING                         ******

***********************************************************************************

Sat Mar 19 02:12:41 2016

Error: Protocol error (-21), illegal path specified [http_plgrt.c 4558]

***********************************************************************************

***********************************************************************************

******                              SECURITY WARNING                         ******

***********************************************************************************

Sat Mar 19 15:34:54 2016

Error: Protocol error (-21), illegal path specified [http_plgrt.c 4558]

***********************************************************************************

---------------------------------------------------

trc file: "dev_icm_sec_5", trc level: 1, release: "720"

---------------------------------------------------

Mon Mar 21 11:29:18 2016

hostname       host.com

logfile name   dev_icm_sec

max file size  512000

switch type    0

max file size  512000

file wrap      0

logging level  2

***********************************************************************************

******                           SECURITY LOG STARTED                        ******

***********************************************************************************

Former Member
0 Kudos

Hello,

Those messages in the backend have nothing to do with the issue.

It seems your connections are not even reaching the backend.

Please post content of dev_webdisp which is in the work directory of the Web Dispatcher.

Regards

Thomas.

former_member409456
Participant
0 Kudos

Hi,

Please find the wdp trace file log below:

[Thr 4532] Started service 443 for protocol HTTPS on host "host.com"(on all adapters) (processing timeout=900, keep_alive_timeout=600)

[Thr 4532] SSL settings: verify_client: 1, cache_size: -1, cache_lifetime: -1, credfile: SAPSSLS.pse, ciphers: default

[Thr 4532] Started service 8443 for protocol HTTPS on host "host.com"(on all adapters) (processing timeout=900, keep_alive_timeout=600)

[Thr 4532] SSL settings: verify_client: 1, cache_size: -1, cache_lifetime: -1, credfile: SAPSSLS.pse, ciphers: default

[Thr 8860] IcmCreateWorkerThreads: created worker thread 0

[Thr 8860] IcmCreateWorkerThreads: created worker thread 1

[Thr 8860] IcmCreateWorkerThreads: created worker thread 2

[Thr 8860] IcmCreateWorkerThreads: created worker thread 3

[Thr 8860] IcmCreateWorkerThreads: created worker thread 4

[Thr 8860] IcmCreateWorkerThreads: created worker thread 5

[Thr 8860] IcmCreateWorkerThreads: created worker thread 6

[Thr 8860] IcmCreateWorkerThreads: created worker thread 7

[Thr 8860] IcmCreateWorkerThreads: created worker thread 8

[Thr 8860] IcmCreateWorkerThreads: created worker thread 9

[Thr 5816] IcmWatchDogThread: watchdog started

[Thr 3980] Mon Mar 21 11:52:52 2016

[Thr 3980] *** ERROR => HttpPlugInHandleNetData: server: premature EOS (0/-1) in request [http_plgrt.c 1971]

[Thr 3944] Mon Mar 21 14:30:13 2016

[Thr 3944] *** ERROR => NULL bytes in HTTP request {00020a1c} [http_plgrt.c 6010]

[Thr 3944] CONNECTION (id=2/2588):

    used: 1, type: default, role: Server(1), stateful: 0

    NI_HDL: 197, protocol: HTTP(1)

    local host:  HOST:80 ()

    remote host: 169.229.3.91:47106 ()

    status: READ_REQUEST

    connect time: 21.03.2016 14:30:13

    MPI request:        <2d4>    MPI response:        <2d5>

    request_buf_size:   65464    response_buf_size:   0    

    request_buf_used:   64       response_buf_used:   0    

    request_buf_offset: 0        response_buf_offset: 0    

[Thr 3944] Address    Offset  REQUEST:

[Thr 3944] ------------------------------------------------------------------------

[Thr 3944] 0000000003366118  000000  24dcf634 00e4225e db9a523b db2309cb |$..4.."^..R;.#..|

[Thr 3944] 0000000003366128  000016  790e3214 c463331e c8b818e2 3af5eea9 |y.2..c3.....:...|

[Thr 3944] 0000000003366138  000032  b8ed6948 0f6878c2 ac17180a 098eb2b9 |..iH.hx.........|

[Thr 3944] 0000000003366148  000048  c722d9ab aa658e11 f67a8059 fee879c1 |."...e...z.Y..y.|

[Thr 3944] ------------------------------------------------------------------------

[Thr 3944] *** ERROR => HttpPlugInHandleNetData: HttpParseRequestHeader failed (rc=701) [http_plgrt.c 2235]

[Thr 4036] Mon Mar 21 15:23:15 2016

[Thr 4036]   SSL_get_state() returned 0x00001190 "SSLv3 read client key exchange A"

[Thr 4036] *** ERROR during SecudeSSL_SessionStart() from SSL_accept()==SSL_ERROR_SSL

[Thr 4036]    session uses PSE file "G:\usr\sap\WD1\W04\sec\SAPSSLS.pse"

[Thr 4036] SecudeSSL_SessionStart: SSL_accept() failed --

[Thr 4036]   secude_error 536875072 (0x20001040) = "received a fatal SSLv3 handshake failure alert message from the peer"

[Thr 4036] >> ---------- Begin of Secude-SSL Errorstack ---------- >>

[Thr 4036] WARNING in ssl3_read_bytes: (536875072/0x20001040) received a fatal SSLv3 handshake failure alert message from the peer

[Thr 4036] << ---------- End of Secude-SSL Errorstack ----------

[Thr 4036]   SSL NI-sock: local=HOST:443  peer=184.105.247.195:50815

[Thr 4036] <<- ERROR: SapSSLSessionStart(sssl_hdl=000000000ACB7E40)==SSSLERR_SSL_ACCEPT

[Thr 4036] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStart returned (-56): SSSLERR_SSL_ACCEPT [icxxconn.c   1676]

[Thr 4036] Tue Mar 22 08:27:12 2016

[Thr 4036] *** ERROR => illegal path specified {00044394} [http_plgrt.c 4558]

[Thr 4036] CONNECTION (id=4/17300):

    used: 1, type: default, role: Server(1), stateful: 0

    NI_HDL: 64, protocol: HTTP(1)

    local host:  host:80 ()

    remote host: 111.248.102.95:1661 ()

    status: READ_REQUEST

    connect time: 22.03.2016 08:27:12

    MPI request:        <1050>   MPI response:        <1051>

    request_buf_size:   65464    response_buf_size:   0    

    request_buf_used:   53       response_buf_used:   0    

    request_buf_offset: 0        response_buf_offset: 0    

[Thr 4036] Address    Offset  REQUEST:

[Thr 4036] ------------------------------------------------------------------------

[Thr 4036] 00000000033560D8  000000  434f4e4e 45435420 76697031 36336d78 |CONNECT vip163mx|

[Thr 4036] 00000000033560E8  000016  30302e6d 786d6169 6c2e6e65 74656173 |00.mxmail.neteas|

[Thr 4036] 00000000033560F8  000032  652e636f 6d3a3235 20485454 502f312e |e.com:25 HTTP/1.|

[Thr 4036] 0000000003356108  000048  300d0a0d 0a                         |0....           |

[Thr 4036] ------------------------------------------------------------------------

Former Member
0 Kudos

Hello,

The log file covers quite a time frame, so I am not sure which error appeared during your testing.

One error indicates that the backend (peer) does not like your Web Dispatcher certificate:

[Thr 4036] Mon Mar 21 15:23:15 2016

(...)

[Thr 4036]   secude_error 536875072 (0x20001040) = "received a fatal SSLv3 handshake failure alert message from the peer"

Did you import the certificate of the Web Dispatcher into your backend?

It seems you only use the one PSE file (G:\usr\sap\WD1\W04\sec\SAPSSLS.pse), from which you would need to export the certificate:

sapgenpse export_own_cert -p SAPSSLS.pse > SAPSSLS.crt

You then have to import SAPSSLS.crt in STRUST under "SSL Server Standard".

The "SSL Server Standard" also needs to be exported from ABAP and imported into the Web Dispatcher.

Export it from STRUST and import it into the Web Dispatcher PSE using the following command:

sapgenpse maintain_pk -a ABAPcert.crt -p SAPSSLS.pse

Furthermore, the ABAP AS backend ICM needs to trust the Web Dispatcher as a trusted intermediate by adding the following parameters:

icm/HTTPS/trust_client_with_issuer = <Issuer of WebDispatcher>
icm/HTTPS/trust_client_with_subject = <Subject of WebDispatcher>

Again, I am not sure if the error at 15:23:15 2016 is the one we need to look at (the error appearing at the time of testing); you might need to confirm this!

It might also be worth not implementing the above steps all at once, but one by one, testing in between and reviewing the log files.

Regards

Thomas.
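Added example, not part of the thread and not SAP code: a small parser that groups dev_webdisp trace lines by their timestamp header, so every error can be tied to the listener port and remote address it arrived on and then filtered to the time of a test. The sample trace is constructed in the layout posted above with placeholder addresses; the function names are my own.

```python
import re
from datetime import datetime

# Constructed sample in the dev_webdisp layout shown in this thread;
# the addresses are documentation-range placeholders.
SAMPLE = """\
[Thr 3944] Mon Mar 21 14:30:13 2016
[Thr 3944] *** ERROR => NULL bytes in HTTP request {00020a1c} [http_plgrt.c 6010]
    local host:  HOST:80 ()
    remote host: 203.0.113.7:47106 ()
[Thr 4036] Mon Mar 21 15:23:15 2016
[Thr 4036] *** ERROR during SecudeSSL_SessionStart() from SSL_accept()==SSL_ERROR_SSL
[Thr 4036]   SSL NI-sock: local=HOST:443  peer=198.51.100.9:50815
[Thr 4036] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStart returned (-56): SSSLERR_SSL_ACCEPT [icxxconn.c   1676]
[Thr 4036] Tue Mar 22 08:27:12 2016
[Thr 4036] *** ERROR => illegal path specified {00044394} [http_plgrt.c 4558]
    local host:  host:80 ()
    remote host: 203.0.113.50:1661 ()
"""

TS = re.compile(r"^\[Thr\s+\d+\]\s+(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4})\s*$")
ERR = re.compile(r"\*\*\* ERROR (?:=>|during)\s*(.+?)(?:\s*\[[\w.]+\s+\d+\])?\s*$")
SOCK = re.compile(r"local=(\S+)\s+peer=(\S+)")
LOCAL = re.compile(r"local host:\s+(\S+)")
REMOTE = re.compile(r"remote host:\s+(\S+)")

def parse_events(text):
    """One event per timestamp header; lines before the first header are skipped."""
    events, cur = [], None
    for line in text.splitlines():
        m = TS.match(line)
        if m:
            cur = {"time": datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"),
                   "errors": [], "local": None, "peer": None}
            events.append(cur)
        elif cur is not None:
            if m := ERR.search(line):
                cur["errors"].append(m.group(1))   # message without [file line]
            if m := SOCK.search(line):             # TLS handshake errors
                cur["local"], cur["peer"] = m.groups()
            if m := LOCAL.search(line):            # CONNECTION dump of HTTP errors
                cur["local"] = m.group(1)
            if m := REMOTE.search(line):
                cur["peer"] = m.group(1)
    return [e for e in events if e["errors"]]

def errors_in_window(events, start, end, port=None):
    """Events between start and end, optionally for one listener port only."""
    return [e for e in events
            if start <= e["time"] <= end
            and (port is None or (e["local"] or "").endswith(f":{port}"))]

if __name__ == "__main__":
    for e in parse_events(SAMPLE):
        print(e["time"], e["local"], "<-", e["peer"], "|", "; ".join(e["errors"]))
```

Comparing the remote address of each event with the addresses of your own test client and backend shows which entries belong to the test and which come from unrelated hosts.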

former_member409456
Participant
0 Kudos

Hi Thomas,

I have already exported the certificate from Java and imported it in ABAP and vice versa.
Is there any way to check that the certificate import has been done properly?

Also, I added the 2 parameters which you suggested to my profile; after that the handshake issue is not appearing. But my problem is still the same.

Below is the latest dispatcher log, FYI:

[Thr 2664] HttpISubHandlerAdd: Added handler HttpAuthHandler(00000000005A11A0), slot=3, flags=12293) for /, active: 1, table 0000000000556F40

[Thr 2664] HttpISubHandlerAdd: Added handler HttpWebDispHandler(00000000005A2BA0), slot=4, flags=1060869) for /, active: 1, table 0000000000556F40

[Thr 2664] Started service 80 for protocol HTTP on host "HOST"(on all adapters) (processing timeout=900, keep_alive_timeout=600)

[Thr 2664] Started service 8000 for protocol HTTP on host "HOST"(on all adapters) (processing timeout=900, keep_alive_timeout=600)

[Thr 2664] =================================================

[Thr 2664] = SSL Initialization    platform tag=(NTAMD64)

[Thr 2664] =   (720_REL,May  6 2010,mt,ascii,SAP_UC/size_t/void* = 8/64/64)

[Thr 2664]   profile param "ssl/ssl_lib" = "G:\usr\sap\WD1\SYS\exe\nuc\NTAMD64\sapcrypto.dll"

[Thr 2664]            resulting Filename = "G:\usr\sap\WD1\SYS\exe\nuc\NTAMD64\sapcrypto.dll"

[Thr 2664] =   found SAPCRYPTOLIB  5.5.5C pl39  (Apr 28 2015) MT,[aesni],NB

[Thr 2664] =   current UserID: HOST\SAPServiceWD1

[Thr 2664] =   using SECUDIR=G:\usr\sap\WD1\W04\sec

[Thr 2664]   profile param "ssl/server_pse" = "G:\usr\sap\WD1\W04\sec\SAPSSLS.pse"

[Thr 2664]            resulting Filename = "G:\usr\sap\WD1\W04\sec\SAPSSLS.pse"

[Thr 2664] =  secudessl_Create_SSL_CTX():  PSE "G:\usr\sap\WD1\W04\sec\SAPSSLC.pse" not found,

[Thr 2664] =      using PSE "G:\usr\sap\WD1\W04\sec\SAPSSLS.pse" as fallback

[Thr 2664] =  secudessl_Create_SSL_CTX():  PSE "G:\usr\sap\WD1\W04\sec\SAPSSLA.pse" not found,

[Thr 2664] =      using PSE "G:\usr\sap\WD1\W04\sec\SAPSSLS.pse" as fallback

[Thr 2664] ******** Warning ********v3

[Thr 2664] *** No SSL-client PSE "SAPSSLC.pse" available

[Thr 2664] *** -- this will probably limit SSL-client side connectivity

[Thr 2664] ********

[Thr 2664] = Success -- SapCryptoLib SSL ready!

[Thr 2664] =================================================

[Thr 2664]

[Thr 2664] Started service 443 for protocol HTTPS on host "HOST"(on all adapters) (processing timeout=900, keep_alive_timeout=600)

[Thr 2664] SSL settings: verify_client: 1, cache_size: -1, cache_lifetime: -1, credfile: SAPSSLS.pse, ciphers: default

[Thr 2664] Started service 8443 for protocol HTTPS on host "HOST"(on all adapters) (processing timeout=900, keep_alive_timeout=600)

[Thr 2664] SSL settings: verify_client: 1, cache_size: -1, cache_lifetime: -1, credfile: SAPSSLS.pse, ciphers: default

[Thr 10924] IcmCreateWorkerThreads: created worker thread 0

[Thr 10924] IcmCreateWorkerThreads: created worker thread 1

[Thr 10924] IcmCreateWorkerThreads: created worker thread 2

[Thr 10924] IcmCreateWorkerThreads: created worker thread 3

[Thr 10924] IcmCreateWorkerThreads: created worker thread 4

[Thr 10924] IcmCreateWorkerThreads: created worker thread 5

[Thr 10924] IcmCreateWorkerThreads: created worker thread 6

[Thr 10924] IcmCreateWorkerThreads: created worker thread 7

[Thr 10924] IcmCreateWorkerThreads: created worker thread 8

[Thr 10924] IcmCreateWorkerThreads: created worker thread 9

[Thr 4916] IcmWatchDogThread: watchdog started

former_member185239
Active Contributor
0 Kudos

Hi Tarun,

Can you please paste the instance profile for your webdispatcher?

With Regards

Ashutosh Chaturvedi

former_member409456
Participant
0 Kudos

Hi,

Please see the instance profile below:

SAPSYSTEMNAME = WD1

SAPGLOBALHOST = HOST

SAPSYSTEM = 04

INSTANCE_NAME = W04

DIR_CT_RUN = $(DIR_EXE_ROOT)\$(OS_UNICODE)\NTAMD64

DIR_EXECUTABLE = $(DIR_CT_RUN)

#rdisp/mshost = HOST

#ms/http_port = 8103

icm/max_conn = 500

icm/max_sockets = 1024

icm/req_queue_len = 500

icm/min_threads = 10

icm/max_threads = 50

mpi/total_size_MB = 80

icm/server_port_0 = PROT=HTTP,PORT=80,TIMEOUT=600,PROCTIMEOUT=900

icm/server_port_1 = PROT=HTTP,PORT=8000,TIMEOUT=600,PROCTIMEOUT=900

icm/server_port_2 = PROT=HTTPS, PORT=443,TIMEOUT=600,PROCTIMEOUT=900

icm/server_port_3 = PROT=HTTPS, PORT=8443,TIMEOUT=600,PROCTIMEOUT=900

#icm/HTTP/redirect_0 = PREFIX=/,TO=/irj/portal

icm/HTTPS/redirect_2 = PREFIX=/,TO=/irj/portal

wdisp/system_0 = SID=DEV, MSHOST=HOST.com, MSPORT=8103, SRCSRV=*:80;*:443

wdisp/system_1 = SID=QAS, MSHOST=HOST.com, MSPORT=8100, SRCSRV=*:8000;*:8443

DIR_INSTANCE =G:\usr\sap\WD1\W04

ssl/ssl_lib = G:\usr\sap\WD1\SYS\exe\nuc\NTAMD64\sapcrypto.dll

ssl/server_pse = G:\usr\sap\WD1\W04\sec\SAPSSLS.pse

icm/HTTPS/verify_client = 0

icm/trace_secured_data=true
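Added example, not part of the thread and not SAP code: a check of a Web Dispatcher profile against the points raised in the answers above, namely whether wdisp/add_client_protocol_header is set to true and whether any port uses PROT=ROUTER. The third check, flagging wdisp/system entries whose SRCSRV still includes a plain-HTTP listener, is my own addition; the profile text is constructed on the model of the posted one and the function names are hypothetical.

```python
# Constructed profile modelled on the one posted above (host name is a placeholder).
PROFILE = """\
icm/server_port_0 = PROT=HTTP,PORT=80,TIMEOUT=600,PROCTIMEOUT=900
icm/server_port_2 = PROT=HTTPS, PORT=443,TIMEOUT=600,PROCTIMEOUT=900
#icm/HTTP/redirect_0 = PREFIX=/,TO=/irj/portal
wdisp/system_0 = SID=DEV, MSHOST=host.example, MSPORT=8103, SRCSRV=*:80;*:443
ssl/server_pse = SAPSSLS.pse
"""

def parse_profile(text):
    """Return {parameter: value}; blank lines and '#' comments are ignored."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params

def subfields(value):
    """'PROT=HTTPS, PORT=443' -> {'PROT': 'HTTPS', 'PORT': '443'}"""
    pairs = (p.split("=", 1) for p in value.split(",") if "=" in p)
    return {k.strip().upper(): v.strip() for k, v in pairs}

def audit(params):
    findings = []
    ports = {k: subfields(v) for k, v in params.items()
             if k.startswith("icm/server_port_")}
    # Parameter recommended in the first answer.
    if params.get("wdisp/add_client_protocol_header", "").lower() != "true":
        findings.append("wdisp/add_client_protocol_header is not true")
    # PROT=ROUTER was tried in the thread and described as not needed.
    for key, f in sorted(ports.items()):
        if f.get("PROT", "").upper() == "ROUTER":
            findings.append(f"{key} uses PROT=ROUTER")
    # Added check: backend systems still reachable through a plain-HTTP listener.
    http = {f.get("PORT") for f in ports.values()
            if f.get("PROT", "").upper() == "HTTP"}
    for key, value in sorted(params.items()):
        if key.startswith("wdisp/system_"):
            for entry in subfields(value).get("SRCSRV", "").split(";"):
                port = entry.rpartition(":")[2].strip()
                if port in http:
                    findings.append(f"{key} accepts plain HTTP on port {port}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_profile(PROFILE)):
        print("CHECK:", finding)
```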