Skip to Content
Author's profile photo Naor Shalom

Configuring SAP Web Dispatcher to Support SSL – Trust Manager

Configuring SAP Web Dispatcher to Support SSL – With Trust Manager


The SAP Web dispatcher lies between the Internet and your SAP system. It is the entry point for HTTP(s) requests into your system, which consists of one or more SAP NetWeaver application servers. As a “software webswitch”, the SAP Web dispatcher can reject or accept connections. When it accepts a connection, it balances the load to ensure an even distribution across the servers. The SAP Web Dispatcher therefore contributes to security and also balances the load inyour SAP system. (SAP)

Our missions this year is to focus on the security side of SAP system, we make many activities to make the SAP system more protected, more secure.


One of our web service applicationused SAP Web Dispatcher and we want that incoming connection will use HTTPS. For this we must configure SAP Web Dispatcher as an SSL (Secure Sockets Layer) server.


Pics by SAP


Pics by SAP

More information regarding the Web Dispatcher:

There are 2 ways to configure SSL for Web Dispatcher.

  • Using the trust manager.
  • Using the configuration tool sapgenpse.

This guide will help you to configure SSL for Web Dispatcher using trust manager.


You are familiar with the architecture and functions of SAP Web Dispatcher. In particular, you are familiar with the possible connections and how SSL is used with them. See the figure above. (SAP)

The SAP Web Dispatcher is installed and configured to use SSL.

Profile parameter:icm/server_port_ <xx> = PROT=ROUTER, PORT= <port>,TIMEOUT= <timeout_in_seconds>


Configure Environment variable


Picture 1.0 – environment variable SECUDIR

  • Variable value = d:\usr\sap\SID\W00\sec

The reason we set the environment variable SECUDIR is because we will use thesapgenpseforCredentials and for export the certificate.

Creating the SAP Web Dispatcher’s PSEs Using the Trust Manager


Picture 1.1 – trust manager

Go to transaction code STRUST right click on the File and choose create. (You have to be in edit Mode).


Picture 1.2 – Create (RSA)

  • Change the name – Full FQDN of WD
  • Change the Algorithm to RSA with SHA-1 (I used the old algorithm)

In cryptography, SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function. SHA-1 produces a 160-bit (20-byte) hash value known as a message digest. A SHA-1 hash value is typically rendered as a hexadecimal number, 40 digits long. (Wikipedia)


Picture 1.3 – Save the PSE

Save the PSE to local file.

Sending the Certificate Requests to a CA.

Click on File and choose the PSE we download before


Picture 2.0 – PSE you saved in the previous procedure

Click on Create certificate request, save the certificate reques to local file and send it to the CA for request response.


Picture 2.1 – certificate request


Picture 2.2 – Export certificate request


Picture 2.3 – Pics by SAP

After you get back the certificate response from the CA, Choose file and import the certificate response.p7b


Picture 2.4 – Import certificate response


Picture 2.5 – certificate response


Picture 4.3 – Add to certificate list

Click on Add to certificate list Save and replace


Picture 4.4 – the certificate is in the list

Now you can see the certificate is signed and valid.

Creating Credentials for the SAP Web Dispatcher

The SAP Web Dispatcher must have active credentials at runtime to be able to access itsPSEs.

Put the SIDPSE.pseinthe secdirectory


Picture 5.0 – PSE in the SEC directory

Run the following command:

sapgenpse seclogin -p SAPSSLS.pse -x abcpin -O ABCadm


Picture 5.1 – The following command line opens the SAP Web Dispatcher’s SSL server PSE and creates credentials for the user SIDadm

Profile parameter

Add the following parameter to the WD profile



Picture 5.2 – Profile parameter

Restart the WD!

Test the SSL connection


Picture 6.0 – Certificate is issued

Export P12 certificate for F5 – Option



Picture 6.1 – Export the certificate

SAP Sources:

I hope this document will help you Feel free to ask questions

Thanks Naor.

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Isaias Freitas
      Isaias Freitas


      You can manage the Web Dispatcher PSE file through the Web Dispatcher itself (Administration Page).

      Take a look at: Managing PSE files at the Web Dispatcher - Application Server Infrastructure - SCN Wiki



      Author's profile photo Naor Shalom
      Naor Shalom
      Blog Post Author

      Hi Isaías

      I know.

      But I want to share different and easy way



      Author's profile photo Reza Ejersbo
      Reza Ejersbo


      Hi Naor,


      Thanks for very good blog. I have a certificate.pfx  file for Oure web dispatcher.

      I need to import this file in to .pse and .crt file.

      As i know web dispatcher has no Trust Manager. Which Trust Manager can I use for action. Can i use any Trust Manager for any abap system?

      I had tried us sapgenpse but i get this error when i use this command.

      sapgenpse import_own_cert -p SAPSSLS.pse" -c onlinetest.cer"
      Please enter PSE PIN/Passphrase: ****************
      import_own_cert: Installation of certificate failed