on 03-18-2016 6:32 AM
Dear All,
We are using SAP EP (7.02) and the backend is an ABAP source (ERP 6.0 EHP 5). In front of the portal we have SAP Web Dispatcher.
We have configured SSL. We are able to log in to the portal page via HTTPS, but after login it switches to an HTTP URL, which should not happen.
Please suggest what the reason could be.
Tarun
Hello,
You do not need to use the "ROUTER" protocol at the port being opened at the Web Dispatcher.
This will not help with the reported issue.
Set the parameter "wdisp/add_client_protocol_header = true" at the Web Dispatcher profile and restart it.
Keep this parameter set, even if it does not help in all cases.
In addition, for each iView that is changing the URL to HTTP, you need to edit the System Object and adjust the protocol to be used there.
Cheers!
Isaías
Hi Tarun,
Please check the link below:
Configuring the SAP Web Dispatcher to Support SSL - SAP Web Dispatcher - SAP Library
Regards,
Jithin M
Hello,
You have to set the parameter below in the Web Dispatcher if you want to pass the SSL connection to the backend:
icm/server_port_<xx> = PROT=ROUTER, PORT=<port>, TIMEOUT=<timeout_in_seconds>
This page gives a good general overview of the SSL options available with the Web Dispatcher and how to configure them:
SAP Web Dispatcher and SSL - SAP Web Dispatcher - SAP Library
Regards
Thomas.
Hi Thomas,
I also used the parameter "icm/server_port_<xx> = PROT=ROUTER, PORT=<port>," in the instance profile of the Web Dispatcher.
With this parameter my page opens with HTTPS, but all backend iViews and URLs are not working; I mean when I click on them nothing opens.
If I do not use the parameter suggested by you, then all URLs and iViews work, but the page opens with HTTP, not with HTTPS.
Hi Thomas,
In the backend ICM log I am continuously getting the message below:
[Thr 2828] *** WARNING => Connection request from (4/5/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)
[Thr 2828] {0002b914} [icxxconn_mt.c 2108]
[Thr 2828] Mon Mar 21 11:01:41 2016
[Thr 2828] *** WARNING => Connection request from (4/5/0) to host: 10.26.24.44, service: 1090 failed (NIECONN_REFUSED)
[Thr 2828] {0002b93c} [icxxconn_mt.c 2108]
[Thr 772] *** WARNING => Connection request from (4/5/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)
[Thr 772] {0002b93d} [icxxconn_mt.c 2108]
[Thr 1543] Mon Mar 21 11:06:41 2016
[Thr 1543] *** WARNING => Connection request from (4/5/0) to host: 10.26.24.44, service: 1090 failed (NIECONN_REFUSED)
[Thr 1543] {0002b972} [icxxconn_mt.c 2108]
[Thr 2571] *** WARNING => Connection request from (4/5/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)
[Thr 2571] {0002b973} [icxxconn_mt.c 2108]
[Thr 2314] Mon Mar 21 11:06:43 2016
[Thr 2314] *** WARNING => Connection request from (4/5/0) to host: 10.26.24.44, service: 1090 failed (NIECONN_REFUSED)
[Thr 2314] {0002b974} [icxxconn_mt.c 2108]
[Thr 1800] *** WARNING => Connection request from (4/5/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)
[Thr 1800] {0002b975} [icxxconn_mt.c 2108]
[Thr 2314] Mon Mar 21 11:06:44 2016
[Thr 2314] *** WARNING => Connection request from (4/5/0) to host: 10.26.24.44, service: 1090 failed (NIECONN_REFUSED)
[Thr 2314] {0002b988} [icxxconn_mt.c 2108]
[Thr 1800] *** WARNING => Connection request from (4/5/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)
[Thr 1800] {0002b989} [icxxconn_mt.c 2108]
[Thr 772] Mon Mar 21 11:11:41 2016
[Thr 772] *** WARNING => Connection request from (4/5/0) to host: 10.26.24.44, service: 1090 failed (NIECONN_REFUSED)
[Thr 772] {0002b9b5} [icxxconn_mt.c 2108]
[Thr 1286] *** WARNING => Connection request from (4/5/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)
[Thr 1286] {0002b9b6} [icxxconn_mt.c 2108]
[Thr 2314] Mon Mar 21 11:16:41 2016
[Thr 2314] *** WARNING => Connection request from (4/5/0) to host: 10.26.24.44, service: 1090 failed (NIECONN_REFUSED)
[Thr 2314] {0002b9ec} [icxxconn_mt.c 2108]
[Thr 1800] *** WARNING => Connection request from (4/5/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)
[Thr 1800] {0002b9ed} [icxxconn_mt.c 2108]
[Thr 2057] Mon Mar 21 11:16:43 2016
[Thr 2057] *** WARNING => Connection request from (4/5/0) to host: 10.26.24.44, service: 1090 failed (NIECONN_REFUSED)
[Thr 2057] {0002b9ee} [icxxconn_mt.c 2108]
[Thr 1029] *** WARNING => Connection request from (4/5/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)
[Thr 1029] {0002b9ef} [icxxconn_mt.c 2108]
[Thr 2057] Mon Mar 21 11:16:44 2016
[Thr 2057] *** WARNING => Connection request from (4/5/0) to host: 10.26.24.44, service: 1090 failed (NIECONN_REFUSED)
[Thr 2057] {0002ba02} [icxxconn_mt.c 2108]
[Thr 1029] *** WARNING => Connection request from (4/5/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)
[Thr 1029] {0002ba03} [icxxconn_mt.c 2108]
[Thr 2828] Mon Mar 21 11:21:41 2016
In the Web Dispatcher ICM log I am getting the error message below:
trc file: "dev_icm_sec_5", trc level: 1, release: "720"
---------------------------------------------------
Fri Mar 18 16:38:57 2016
hostname HOST.com
logfile name dev_icm_sec
max file size 512000
switch type 0
max file size 512000
file wrap 0
logging level 2
***********************************************************************************
****** SECURITY LOG STARTED ******
***********************************************************************************
***********************************************************************************
****** SECURITY WARNING ******
***********************************************************************************
Sat Mar 19 02:12:41 2016
Error: Protocol error (-21), illegal path specified [http_plgrt.c 4558]
***********************************************************************************
***********************************************************************************
****** SECURITY WARNING ******
***********************************************************************************
Sat Mar 19 15:34:54 2016
Error: Protocol error (-21), illegal path specified [http_plgrt.c 4558]
***********************************************************************************
---------------------------------------------------
trc file: "dev_icm_sec_5", trc level: 1, release: "720"
---------------------------------------------------
Mon Mar 21 11:29:18 2016
hostname host.com
logfile name dev_icm_sec
max file size 512000
switch type 0
max file size 512000
file wrap 0
logging level 2
***********************************************************************************
****** SECURITY LOG STARTED ******
***********************************************************************************
Hi,
Please find the wdp trace file log below:
[Thr 4532] Started service 443 for protocol HTTPS on host "host.com"(on all adapters) (processing timeout=900, keep_alive_timeout=600)
[Thr 4532] SSL settings: verify_client: 1, cache_size: -1, cache_lifetime: -1, credfile: SAPSSLS.pse, ciphers: default
[Thr 4532] Started service 8443 for protocol HTTPS on host "host.com"(on all adapters) (processing timeout=900, keep_alive_timeout=600)
[Thr 4532] SSL settings: verify_client: 1, cache_size: -1, cache_lifetime: -1, credfile: SAPSSLS.pse, ciphers: default
[Thr 8860] IcmCreateWorkerThreads: created worker thread 0
[Thr 8860] IcmCreateWorkerThreads: created worker thread 1
[Thr 8860] IcmCreateWorkerThreads: created worker thread 2
[Thr 8860] IcmCreateWorkerThreads: created worker thread 3
[Thr 8860] IcmCreateWorkerThreads: created worker thread 4
[Thr 8860] IcmCreateWorkerThreads: created worker thread 5
[Thr 8860] IcmCreateWorkerThreads: created worker thread 6
[Thr 8860] IcmCreateWorkerThreads: created worker thread 7
[Thr 8860] IcmCreateWorkerThreads: created worker thread 8
[Thr 8860] IcmCreateWorkerThreads: created worker thread 9
[Thr 5816] IcmWatchDogThread: watchdog started
[Thr 3980] Mon Mar 21 11:52:52 2016
[Thr 3980] *** ERROR => HttpPlugInHandleNetData: server: premature EOS (0/-1) in request [http_plgrt.c 1971]
[Thr 3944] Mon Mar 21 14:30:13 2016
[Thr 3944] *** ERROR => NULL bytes in HTTP request {00020a1c} [http_plgrt.c 6010]
[Thr 3944] CONNECTION (id=2/2588):
used: 1, type: default, role: Server(1), stateful: 0
NI_HDL: 197, protocol: HTTP(1)
local host: HOST:80 ()
remote host: 169.229.3.91:47106 ()
status: READ_REQUEST
connect time: 21.03.2016 14:30:13
MPI request: <2d4> MPI response: <2d5>
request_buf_size: 65464 response_buf_size: 0
request_buf_used: 64 response_buf_used: 0
request_buf_offset: 0 response_buf_offset: 0
[Thr 3944] Address Offset REQUEST:
[Thr 3944] ------------------------------------------------------------------------
[Thr 3944] 0000000003366118 000000 24dcf634 00e4225e db9a523b db2309cb |$..4.."^..R;.#..|
[Thr 3944] 0000000003366128 000016 790e3214 c463331e c8b818e2 3af5eea9 |y.2..c3.....:...|
[Thr 3944] 0000000003366138 000032 b8ed6948 0f6878c2 ac17180a 098eb2b9 |..iH.hx.........|
[Thr 3944] 0000000003366148 000048 c722d9ab aa658e11 f67a8059 fee879c1 |."...e...z.Y..y.|
[Thr 3944] ------------------------------------------------------------------------
[Thr 3944] *** ERROR => HttpPlugInHandleNetData: HttpParseRequestHeader failed (rc=701) [http_plgrt.c 2235]
[Thr 4036] Mon Mar 21 15:23:15 2016
[Thr 4036] SSL_get_state() returned 0x00001190 "SSLv3 read client key exchange A"
[Thr 4036] *** ERROR during SecudeSSL_SessionStart() from SSL_accept()==SSL_ERROR_SSL
[Thr 4036] session uses PSE file "G:\usr\sap\WD1\W04\sec\SAPSSLS.pse"
[Thr 4036] SecudeSSL_SessionStart: SSL_accept() failed --
[Thr 4036] secude_error 536875072 (0x20001040) = "received a fatal SSLv3 handshake failure alert message from the peer"
[Thr 4036] >> ---------- Begin of Secude-SSL Errorstack ---------- >>
[Thr 4036] WARNING in ssl3_read_bytes: (536875072/0x20001040) received a fatal SSLv3 handshake failure alert message from the peer
[Thr 4036] << ---------- End of Secude-SSL Errorstack ----------
[Thr 4036] SSL NI-sock: local=HOST:443 peer=184.105.247.195:50815
[Thr 4036] <<- ERROR: SapSSLSessionStart(sssl_hdl=000000000ACB7E40)==SSSLERR_SSL_ACCEPT
[Thr 4036] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStart returned (-56): SSSLERR_SSL_ACCEPT [icxxconn.c 1676]
[Thr 4036] Tue Mar 22 08:27:12 2016
[Thr 4036] *** ERROR => illegal path specified {00044394} [http_plgrt.c 4558]
[Thr 4036] CONNECTION (id=4/17300):
used: 1, type: default, role: Server(1), stateful: 0
NI_HDL: 64, protocol: HTTP(1)
local host: host:80 ()
remote host: 111.248.102.95:1661 ()
status: READ_REQUEST
connect time: 22.03.2016 08:27:12
MPI request: <1050> MPI response: <1051>
request_buf_size: 65464 response_buf_size: 0
request_buf_used: 53 response_buf_used: 0
request_buf_offset: 0 response_buf_offset: 0
[Thr 4036] Address Offset REQUEST:
[Thr 4036] ------------------------------------------------------------------------
[Thr 4036] 00000000033560D8 000000 434f4e4e 45435420 76697031 36336d78 |CONNECT vip163mx|
[Thr 4036] 00000000033560E8 000016 30302e6d 786d6169 6c2e6e65 74656173 |00.mxmail.neteas|
[Thr 4036] 00000000033560F8 000032 652e636f 6d3a3235 20485454 502f312e |e.com:25 HTTP/1.|
[Thr 4036] 0000000003356108 000048 300d0a0d 0a |0.... |
[Thr 4036] ------------------------------------------------------------------------
Hello,
The log file covers quite a time frame, so I am not sure which error appeared during your testing.
One error indicates that the backend (peer) does not like your Web Dispatcher certificate:
[Thr 4036] Mon Mar 21 15:23:15 2016
(...)
[Thr 4036] secude_error 536875072 (0x20001040) = "received a fatal SSLv3 handshake failure alert message from the peer"
Did you import the certificate of the Web Dispatcher into your backend?
It seems you only use the one PSE file (G:\usr\sap\WD1\W04\sec\SAPSSLS.pse) where you would need to export the certificate:
sapgenpse export_own_cert -p SAPSSLS.pse > SAPSSLS.crt
You then have to import SAPSSLS.crt in STRUST under "SSL Server Standard".
The "SSL Server Standard" certificate also needs to be exported from ABAP and imported into the Web Dispatcher.
Export it from STRUST and import it into the Web Dispatcher PSE using the following command:
sapgenpse maintain_pk -a ABAPcert.crt -p SAPSSLS.pse
Furthermore the ABAP AS backend ICM needs to trust the Web Dispatcher as a trusted intermediate by adding the following parameters:
icm/HTTPS/trust_client_with_issuer = <Issuer of WebDispatcher>
icm/HTTPS/trust_client_with_subject = <Subject of WebDispatcher>
Again, I am not sure if the error at 15:23:15 2016 is the one we need to look at (the error appearing at the time of testing); you might need to confirm this!
It might also be worth not implementing the above steps all at once, but one by one, testing in between and reviewing the log files.
Regards
Thomas.
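Added example (not part of any post in this thread): one way to narrow a long `dev_icm` trace to the errors logged during a test, grouping each error with its timestamp and remote address so it can be matched against the test window and the tester's own client. The trace text is a constructed sample in the format shown above, the addresses are documentation-range placeholders, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample, shortened from the trace format shown in this thread;
# the addresses are documentation-range placeholders.
SAMPLE_TRACE = """\
[Thr 3944] Mon Mar 21 14:30:13 2016
[Thr 3944] *** ERROR => NULL bytes in HTTP request {00020a1c} [http_plgrt.c 6010]
    local host:  HOST:80 ()
    remote host: 192.0.2.10:47106 ()
[Thr 4036] Mon Mar 21 15:23:15 2016
[Thr 4036] *** ERROR during SecudeSSL_SessionStart() from SSL_accept()==SSL_ERROR_SSL
[Thr 4036] SSL NI-sock: local=HOST:443 peer=198.51.100.7:50815
[Thr 4036] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStart returned (-56): SSSLERR_SSL_ACCEPT [icxxconn.c 1676]
[Thr 4036] Tue Mar 22 08:27:12 2016
[Thr 4036] *** ERROR => illegal path specified {00044394} [http_plgrt.c 4558]
    remote host: 203.0.113.5:1661 ()
"""

# A line that carries only a timestamp, with or without the "[Thr n]" prefix.
STAMP = re.compile(r"^(?:\[Thr \d+\]\s+)?(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4})\s*$")
# Remote address as printed in CONNECTION dumps and in SSL NI-sock lines.
PEER = re.compile(r"(?:remote host:\s*|peer=)([\d.]+):\d+")

def error_blocks(trace):
    """Group lines under the timestamp line preceding them; keep blocks with errors."""
    blocks, cur = [], None
    for line in trace.splitlines():
        m = STAMP.match(line.strip())
        if m:
            cur = {"time": datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"),
                   "errors": [], "peer": None}
            blocks.append(cur)
        elif cur is not None:
            if "*** ERROR" in line:
                cur["errors"].append(line.split("*** ERROR", 1)[1].lstrip(" =>").strip())
            p = PEER.search(line)
            if p and cur["peer"] is None:
                cur["peer"] = p.group(1)
    return [b for b in blocks if b["errors"]]

def errors_during_test(trace, start, end, client_ip=None):
    """Errors logged in [start, end], optionally only those from the tester's address."""
    return [b for b in error_blocks(trace)
            if start <= b["time"] <= end
            and (client_ip is None or b["peer"] == client_ip)]

if __name__ == "__main__":
    window = (datetime(2016, 3, 21, 15, 0), datetime(2016, 3, 21, 16, 0))
    for b in errors_during_test(SAMPLE_TRACE, *window):
        print(b["time"], b["peer"], b["errors"])
```

Passing the test client's address as `client_ip` leaves only the errors that client caused and drops entries logged for other remote hosts.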
Hi Thomas,
I have already exported the certificate from Java and imported it in ABAP, and vice versa.
Is there any way to check that the certificate import has been done properly?
Also, I added the 2 parameters which you suggested to my profile; after that the handshake issue is not appearing. But my problem is still the same.
Below is the latest dispatcher log, FYI:
[Thr 2664] HttpISubHandlerAdd: Added handler HttpAuthHandler(00000000005A11A0), slot=3, flags=12293) for /, active: 1, table 0000000000556F40
[Thr 2664] HttpISubHandlerAdd: Added handler HttpWebDispHandler(00000000005A2BA0), slot=4, flags=1060869) for /, active: 1, table 0000000000556F40
[Thr 2664] Started service 80 for protocol HTTP on host "HOST"(on all adapters) (processing timeout=900, keep_alive_timeout=600)
[Thr 2664] Started service 8000 for protocol HTTP on host "HOST"(on all adapters) (processing timeout=900, keep_alive_timeout=600)
[Thr 2664] =================================================
[Thr 2664] = SSL Initialization platform tag=(NTAMD64)
[Thr 2664] = (720_REL,May 6 2010,mt,ascii,SAP_UC/size_t/void* = 8/64/64)
[Thr 2664] profile param "ssl/ssl_lib" = "G:\usr\sap\WD1\SYS\exe\nuc\NTAMD64\sapcrypto.dll"
[Thr 2664] resulting Filename = "G:\usr\sap\WD1\SYS\exe\nuc\NTAMD64\sapcrypto.dll"
[Thr 2664] = found SAPCRYPTOLIB 5.5.5C pl39 (Apr 28 2015) MT,[aesni],NB
[Thr 2664] = current UserID: HOST\SAPServiceWD1
[Thr 2664] = using SECUDIR=G:\usr\sap\WD1\W04\sec
[Thr 2664] profile param "ssl/server_pse" = "G:\usr\sap\WD1\W04\sec\SAPSSLS.pse"
[Thr 2664] resulting Filename = "G:\usr\sap\WD1\W04\sec\SAPSSLS.pse"
[Thr 2664] = secudessl_Create_SSL_CTX(): PSE "G:\usr\sap\WD1\W04\sec\SAPSSLC.pse" not found,
[Thr 2664] = using PSE "G:\usr\sap\WD1\W04\sec\SAPSSLS.pse" as fallback
[Thr 2664] = secudessl_Create_SSL_CTX(): PSE "G:\usr\sap\WD1\W04\sec\SAPSSLA.pse" not found,
[Thr 2664] = using PSE "G:\usr\sap\WD1\W04\sec\SAPSSLS.pse" as fallback
[Thr 2664] ******** Warning ********v3
[Thr 2664] *** No SSL-client PSE "SAPSSLC.pse" available
[Thr 2664] *** -- this will probably limit SSL-client side connectivity
[Thr 2664] ********
[Thr 2664] = Success -- SapCryptoLib SSL ready!
[Thr 2664] =================================================
[Thr 2664]
[Thr 2664] Started service 443 for protocol HTTPS on host "HOST"(on all adapters) (processing timeout=900, keep_alive_timeout=600)
[Thr 2664] SSL settings: verify_client: 1, cache_size: -1, cache_lifetime: -1, credfile: SAPSSLS.pse, ciphers: default
[Thr 2664] Started service 8443 for protocol HTTPS on host "HOST"(on all adapters) (processing timeout=900, keep_alive_timeout=600)
[Thr 2664] SSL settings: verify_client: 1, cache_size: -1, cache_lifetime: -1, credfile: SAPSSLS.pse, ciphers: default
[Thr 10924] IcmCreateWorkerThreads: created worker thread 0
[Thr 10924] IcmCreateWorkerThreads: created worker thread 1
[Thr 10924] IcmCreateWorkerThreads: created worker thread 2
[Thr 10924] IcmCreateWorkerThreads: created worker thread 3
[Thr 10924] IcmCreateWorkerThreads: created worker thread 4
[Thr 10924] IcmCreateWorkerThreads: created worker thread 5
[Thr 10924] IcmCreateWorkerThreads: created worker thread 6
[Thr 10924] IcmCreateWorkerThreads: created worker thread 7
[Thr 10924] IcmCreateWorkerThreads: created worker thread 8
[Thr 10924] IcmCreateWorkerThreads: created worker thread 9
[Thr 4916] IcmWatchDogThread: watchdog started
Hi Tarun,
Can you please paste the instance profile for your Web Dispatcher?
With Regards
Ashutosh Chaturvedi
Hi,
Please see the instance profile below:
SAPSYSTEMNAME = WD1
SAPGLOBALHOST = HOST
SAPSYSTEM = 04
INSTANCE_NAME = W04
DIR_CT_RUN = $(DIR_EXE_ROOT)\$(OS_UNICODE)\NTAMD64
DIR_EXECUTABLE = $(DIR_CT_RUN)
#rdisp/mshost = HOST
#ms/http_port = 8103
icm/max_conn = 500
icm/max_sockets = 1024
icm/req_queue_len = 500
icm/min_threads = 10
icm/max_threads = 50
mpi/total_size_MB = 80
icm/server_port_0 = PROT=HTTP,PORT=80,TIMEOUT=600,PROCTIMEOUT=900
icm/server_port_1 = PROT=HTTP,PORT=8000,TIMEOUT=600,PROCTIMEOUT=900
icm/server_port_2 = PROT=HTTPS, PORT=443,TIMEOUT=600,PROCTIMEOUT=900
icm/server_port_3 = PROT=HTTPS, PORT=8443,TIMEOUT=600,PROCTIMEOUT=900
#icm/HTTP/redirect_0 = PREFIX=/,TO=/irj/portal
icm/HTTPS/redirect_2 = PREFIX=/,TO=/irj/portal
wdisp/system_0 = SID=DEV, MSHOST=HOST.com, MSPORT=8103, SRCSRV=*:80;*:443
wdisp/system_1 = SID=QAS, MSHOST=HOST.com, MSPORT=8100, SRCSRV=*:8000;*:8443
DIR_INSTANCE =G:\usr\sap\WD1\W04
ssl/ssl_lib = G:\usr\sap\WD1\SYS\exe\nuc\NTAMD64\sapcrypto.dll
ssl/server_pse = G:\usr\sap\WD1\W04\sec\SAPSSLS.pse
icm/HTTPS/verify_client = 0
icm/trace_secured_data=true
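Added example (not part of any post in this thread): a small check of a Web Dispatcher profile against the points raised in the replies above, namely whether `wdisp/add_client_protocol_header` is set to true and whether any `icm/server_port_<xx>` uses `PROT=ROUTER`. It also lists plain HTTP listeners and the `icm/trace_secured_data` debug setting; the profile text is a constructed sample and the function names are hypothetical.

```python
import re

# Constructed sample in the profile format posted above (shortened).
SAMPLE_PROFILE = """\
icm/server_port_0 = PROT=HTTP,PORT=80,TIMEOUT=600,PROCTIMEOUT=900
icm/server_port_2 = PROT=HTTPS, PORT=443,TIMEOUT=600,PROCTIMEOUT=900
#icm/server_port_4 = PROT=ROUTER, PORT=8444, TIMEOUT=600
icm/HTTPS/verify_client = 0
icm/trace_secured_data=true
"""

def parse_profile(text):
    """Return {parameter: value}, skipping blank lines and '#' comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)  # the value itself contains '='
        params[name.strip()] = value.strip()
    return params

def port_options(value):
    """Split 'PROT=HTTPS, PORT=443,...' into an upper-cased option dict."""
    opts = {}
    for item in value.split(","):
        if "=" in item:
            key, val = item.split("=", 1)
            opts[key.strip().upper()] = val.strip().upper()
    return opts

def check_profile(text):
    """Return findings for the settings discussed in this thread."""
    params = parse_profile(text)
    findings = []
    if params.get("wdisp/add_client_protocol_header", "").lower() != "true":
        findings.append("wdisp/add_client_protocol_header is not set to true")
    for name, value in sorted(params.items()):
        if not re.fullmatch(r"icm/server_port_\d+", name):
            continue
        opts = port_options(value)
        if opts.get("PROT") == "ROUTER":
            findings.append(f"{name}: PROT=ROUTER (per the replies, not needed here)")
        elif opts.get("PROT") == "HTTP":
            findings.append(f"{name}: plain HTTP listener on port {opts.get('PORT')}")
    if params.get("icm/trace_secured_data", "").lower() == "true":
        findings.append("icm/trace_secured_data=true: debug setting, "
                        "trace files may contain data from HTTPS connections")
    return findings

if __name__ == "__main__":
    for finding in check_profile(SAMPLE_PROFILE):
        print("-", finding)
```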