Securing the communication between a Web Dispatcher and its backend
If you want (or need) to have the most secure environment possible, there are a couple of things that you can do to secure the communication between an SAP Web Dispatcher and its backend system.
You can enable SSL at the backend as well (SAP note 510007 for ABAP – SAP Marketplace login required; Configuring the Use of SSL on the AS Java), and configure the Web Dispatcher for SSL re-encryption (parameter “wdisp/ssl_encrypt = 1”).
With these settings, the communication from the end users to the backend system is encrypted along the entire communication path (no other components, such as a hardware load balancer in front of the Web Dispatcher, are considered here), assuming that the Web Dispatcher already has an HTTPS port configured 😉 .
However, in order to operate, the Web Dispatcher periodically needs to fetch metadata (server, group and URL mapping information, plus its availability pings) from the backend.
By default, this exchange is performed over plain HTTP. You can switch it to HTTPS by setting the following parameters:
wdisp/server_info_protocol = https
wdisp/group_info_protocol = https
wdisp/url_map_protocol = https
wdisp/ping_protocol = https
For this to work, you need to enable an HTTPS port at the Message Server (parameter “ms/server_port_X”, at the backend), and configure the Web Dispatcher to use this HTTPS port (parameter “ms/https_port” or the MSSPORT option of the parameter “wdisp/system_X”).
OK! Now all communication is encrypted.
Is there anything else that can be done? If you have SSO enabled, yes! 🙂
You can configure a client certificate at the Web Dispatcher, and set the parameters “icm/HTTPS/trust_client_with_subject” and “icm/HTTPS/trust_client_with_issuer” at the backend.
In the past, managing the SSL certificates (the “PSE” files) at the Web Dispatcher was possible only with the sapgenpse command line tool.
In recent versions, PSE management was introduced at the Web Dispatcher Administration page.
This WIKI page shows this new interface.
You also have to import the required certificates at both the Web Dispatcher and the backend:
- At the Web Dispatcher client PSE file, you also need to import the Root and all Intermediate CAs certificates (“certificate chain”) of the CA that signed the backend server certificate. In case a self-signed server certificate is used at the backend, import the self-signed certificate instead;
- At the backend server PSE file, you need to import the Root and all Intermediate CA certificates of the CA that signed the Web Dispatcher client certificate. In case a self-signed client certificate is used at the Web Dispatcher, import the self-signed certificate instead.
Now, the backend will not accept client certificates forwarded as HTTP headers unless the intermediary (the Web Dispatcher, in this case) authenticates itself with a client certificate whose subject and issuer match the values configured at the “icm/HTTPS/trust_client_with*” parameters.
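To check that none of the hops above was missed, here is a small audit script added to this post (it is not an SAP tool): it parses the Web Dispatcher and backend profile parameters discussed here and reports which hop is still in cleartext or which trust setting is missing. The profile syntax it reads is the plain “name = value” form; the SID, host names, ports and certificate subjects in the sample profiles are constructed placeholders.

```python
# Added audit script (not SAP's own tooling): parses "name = value" profile
# lines and reports the gaps discussed above. Parameter names are from the post;
# the sample profiles at the bottom are constructed.
METADATA_PARAMS = ("wdisp/server_info_protocol", "wdisp/group_info_protocol",
                   "wdisp/url_map_protocol", "wdisp/ping_protocol")

def parse_profile(text):
    """Return {name: value}; '#' starts a comment, blank lines are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def audit(wdisp_profile, backend_profile):
    """Return a list of findings; an empty list means every hop is covered."""
    wd, be = parse_profile(wdisp_profile), parse_profile(backend_profile)
    findings = []
    if wd.get("wdisp/ssl_encrypt") != "1":
        findings.append("wdisp/ssl_encrypt != 1: user requests reach the backend in cleartext")
    for p in METADATA_PARAMS:  # these default to HTTP unless switched explicitly
        if wd.get(p, "http").lower() != "https":
            findings.append(f"{p} is HTTP: metadata exchange with the message server is cleartext")
    if not any(k.startswith("ms/server_port_") and "PROT=HTTPS" in v.upper()
               for k, v in be.items()):
        findings.append("backend has no ms/server_port_X with PROT=HTTPS")
    systems = [v.upper() for k, v in wd.items() if k.startswith("wdisp/system_")]
    if "ms/https_port" not in wd and not any("MSSPORT=" in v for v in systems):
        findings.append("Web Dispatcher sets neither ms/https_port nor MSSPORT")
    if not (be.get("icm/HTTPS/trust_client_with_subject")
            and be.get("icm/HTTPS/trust_client_with_issuer")):
        findings.append("icm/HTTPS/trust_client_with_* unset: intermediary is not pinned")
    return findings

# Constructed sample profiles (values are placeholders, not a real landscape)
HARDENED_WDISP = """wdisp/ssl_encrypt = 1
wdisp/server_info_protocol = https
wdisp/group_info_protocol = https
wdisp/url_map_protocol = https
wdisp/ping_protocol = https
wdisp/system_0 = SID=XYZ, MSHOST=backend.example, MSPORT=8100, MSSPORT=8101"""
HARDENED_BACKEND = """ms/server_port_0 = PROT=HTTPS, PORT=8101
icm/HTTPS/trust_client_with_subject = CN=wdisp.example, O=Example, C=DE
icm/HTTPS/trust_client_with_issuer = CN=Example CA, O=Example, C=DE"""
DEFAULT_WDISP = "wdisp/system_0 = SID=XYZ, MSHOST=backend.example, MSPORT=8100"
```

Running audit(DEFAULT_WDISP, "") against a default-style profile pair lists every cleartext hop, while the hardened pair returns no findings.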
Update on May/14/2015: The SAP KBA 2160678 has the list of all certificates required in each PSE file involved, in case SSO is enabled and you want to maintain the “icm/HTTPS/trust_client_with*” parameters.
Edit on Oct/17/2016: updates related to the new SCN.