
Certificate error after SSL implementation

Former Member
0 Kudos

Hi All,

We have implemented webdispatcher and SSL (end-to-end SSL) config in the EP, ECC, BW and BWJ systems.

We are using a friendly URL in EP as SAPEP@xyz.com, ECC --> SAPECC@xyz.com, BWJ --> SAPBWJ@xyz.com and BW --> SAPBW@xyz.com.

So I generated the SSL cert for webdispatcher with the friendly URL for each system, and in the backend we used the webdispatcher servername.domain to create the SSL cert.

The issue is that when we maintain the friendly URL and access the backend system from SharePoint, we get a certificate error saying name mismatch, and if we click on the option to ignore and continue, it goes through.

If we maintain the webdispatcher servername.domain, this error doesn't come.

The flow is Sharepoint--> EP/BWJ-->ECC/BWA

Please suggest how to resolve.

Regards,

Amit

Accepted Solutions (1)

former_member227283
Active Contributor
0 Kudos

Hello Amit,

Can you please elaborate with an example URL flow with the error in SharePoint and without the error in webdispatcher?

This will help to understand very clearly.

There are a couple of webdispatcher parameters which help to ignore the mismatch error, but before suggesting them we need to understand the issue very clearly.

SSL Parameters for the Web Dispatcher - SAP Web Dispatcher - SAP Library

Regards,

Anil Bhandary

Former Member
0 Kudos

Hi Anil,

Sharepoint URL --> Sharepoint@xyz.com

Webdispatcher EP URL --> EPwebdisp@xyz.com

Friendly EP --> SAPEP@xyz.com

Webdispatcher ECC --> ECCwebdisp@xyz.com

Friendly ECC URL --> SAPECC@xyz.com


Now, as per the standard doc for end-to-end SSL,

SSL certificate creation was done with the URLs below:


EP webdisp -->SAPEP@xyz.com 

EP backend -->EPwebdisp@xyz.com


ECC webdisp -->SAPECC@xyz.com

ECC backend -->ECCwebdisp@xyz.com


HTTPS port value :


Webdispatcher in all system -->44380

In backend systems -->443<instancenumber>



Please find the flow diagram below




Error scenario:


So if I maintain the friendly URL value and the web dispatcher port number, I get the certificate error message

stating name mismatched, and I need to ignore and continue.

The error is due to the value used in generating the SSL certificate in webdispatcher and backend, where the mismatch is happening.


No error:

And if I maintain the web dispatcher URL and backend port value directly, I don't get the error message.

In this case the load balancing will not happen, as I am maintaining direct app server details.


Thanks and Regards,

Amit

former_member227283
Active Contributor
0 Kudos

Dear Amit,

Thanks for the detail.

As you are using end-to-end SSL, the parameter wdisp/ssl_encrypt=1 would have been defined in all of your webdispatchers.

So, try to maintain the parameter wdisp/ssl_ignore_host_mismatch = TRUE in all webdispatchers, restart the webdispatcher and check if it solves your problem.

If not, then it would be best to generate the certificate on the Common Name as


*.xyz.com

(So it will not give certificate mismatch error)

Regards,

Anil Bhandary

Answers (2)

Former Member
0 Kudos

Thanks Anil and Isaías for the inputs.

The issue seems to be resolved by maintaining the parameter wdisp/ssl_ignore_host_mismatch = TRUE.

Thanks and Regards,

Amit

Former Member
0 Kudos

Thanks for the recommendation Anil.

Yes, it's end-to-end SSL and the parameter wdisp/ssl_encrypt=1 is maintained. Sure, we will try with wdisp/ssl_ignore_host_mismatch = TRUE and let you know if the issue gets resolved.

Can you let me know if I need to set the parameter wdisp/ssl_certhost too?

Thanks and Regards,

Amit

former_member227283
Active Contributor
0 Kudos

Hello Amit,

I am not sure about that parameter, as you have generated on hostname and not on DNS name.

Regards,

Anil Bhandary

isaias_freitas
Advisor
0 Kudos

Hello Amit,

"End-to-end SSL" would mean that you are using the protocol "ROUTER" at the Web Dispatcher.

Is this correct? If yes, be aware of item 7 of SAP note 1026191.

The parameter wdisp/ssl_ignore_host_mismatch is related to the Web Dispatcher connecting to the backends through HTTPS. Nothing related to the end user connecting to the Web Dispatcher.

Regards,

Isaías
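
The name check discussed in this thread, as an added example that is not part of any post and is not SAP code: a generic TLS host-name match applied to each hop separately, run once with certificates issued as Amit describes and once with the `*.xyz.com` certificate Anil suggests. The host names are constructed stand-ins for the thread's placeholders, and the backend host name the dispatcher connects to is an assumption.

```python
# Added example (not SAP code): certificate name matching per TLS hop.
# Host names are constructed stand-ins for the thread's placeholders.

def name_matches(pattern: str, host: str) -> bool:
    """Match one DNS name from a certificate (CN or SAN) against a host name."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False                 # "*" never spans more than one label
    if p[0] == "*":
        # Wildcard is honoured only as the whole left-most label and only
        # with at least two labels after it (so "*.com" matches nothing).
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h                    # partial wildcards are treated literally

def mismatched_hops(hops):
    """hops: (label, name the client side connects to, names in the cert
    the server side presents). Returns labels of hops that fail the check."""
    return [label for label, target, cert_names in hops
            if not any(name_matches(n, target) for n in cert_names)]

FRIENDLY = "sapep.xyz.com"       # constructed: friendly URL host
WEBDISP = "epwebdisp.xyz.com"    # constructed: Web Dispatcher host
BACKEND = "epapp01.xyz.com"      # assumption: host the dispatcher connects to

# Certificates issued as described in the thread: dispatcher cert on the
# friendly name, backend cert on the dispatcher's name.
AS_ISSUED = [
    ("client -> web dispatcher", FRIENDLY, [FRIENDLY]),
    ("web dispatcher -> backend", BACKEND, [WEBDISP]),
]
# Same hops with a *.xyz.com certificate on both servers.
WILDCARD = [(label, target, ["*.xyz.com"]) for label, target, _ in AS_ISSUED]

if __name__ == "__main__":
    print("as issued:", mismatched_hops(AS_ISSUED))
    print("wildcard :", mismatched_hops(WILDCARD))
    # A wildcard covers one label only:
    print(name_matches("*.xyz.com", "sapep.prod.xyz.com"))
```

With the wildcard certificate the name check passes on both hops while staying enabled; ignoring the mismatch instead means the dispatcher accepts any certificate name on the backend hop.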