Configuring SAP Web Dispatcher to Support SSL – Trust Manager
Configuring SAP Web Dispatcher to Support SSL – With Trust Manager
The SAP Web dispatcher lies between the Internet and your SAP system. It is the entry point for HTTP(s) requests into your system, which consists of one or more SAP NetWeaver application servers. As a “software webswitch”, the SAP Web dispatcher can reject or accept connections. When it accepts a connection, it balances the load to ensure an even distribution across the servers. The SAP Web Dispatcher therefore contributes to security and also balances the load inyour SAP system. (SAP)
Our missions this year is to focus on the security side of SAP system, we make many activities to make the SAP system more protected, more secure.
One of our web service applicationused SAP Web Dispatcher and we want that incoming connection will use HTTPS. For this we must configure SAP Web Dispatcher as an SSL (Secure Sockets Layer) server.
Pics by SAP
Pics by SAP
More information regarding the Web Dispatcher:
There are 2 ways to configure SSL for Web Dispatcher.
- Using the trust manager.
- Using the configuration tool sapgenpse.
This guide will help you to configure SSL for Web Dispatcher using trust manager.
You are familiar with the architecture and functions of SAP Web Dispatcher. In particular, you are familiar with the possible connections and how SSL is used with them. See the figure above. (SAP)
The SAP Web Dispatcher is installed and configured to use SSL.
Profile parameter:icm/server_port_ <xx> = PROT=ROUTER, PORT= <port>,TIMEOUT= <timeout_in_seconds>
Configure Environment variable
Picture 1.0 – environment variable SECUDIR
- Variable value = d:\usr\sap\SID\W00\sec
The reason we set the environment variable SECUDIR is because we will use thesapgenpseforCredentials and for export the certificate.
Creating the SAP Web Dispatcher’s PSEs Using the Trust Manager
Picture 1.1 – trust manager
Go to transaction code STRUST right click on the File and choose create. (You have to be in edit Mode).
Picture 1.2 – Create (RSA)
- Change the name – Full FQDN of WD
- Change the Algorithm to RSA with SHA-1 (I used the old algorithm)
In cryptography, SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function. SHA-1 produces a 160-bit (20-byte) hash value known as a message digest. A SHA-1 hash value is typically rendered as a hexadecimal number, 40 digits long. (Wikipedia)
Picture 1.3 – Save the PSE
Save the PSE to local file.
Sending the Certificate Requests to a CA.
Click on File and choose the PSE we download before
Picture 2.0 – PSE you saved in the previous procedure
Click on Create certificate request, save the certificate reques to local file and send it to the CA for request response.
Picture 2.1 – certificate request
Picture 2.2 – Export certificate request
Picture 2.3 – Pics by SAP
After you get back the certificate response from the CA, Choose file and import the certificate response.p7b
Picture 2.4 – Import certificate response
Picture 2.5 – certificate response
Picture 4.3 – Add to certificate list
Click on Add to certificate list Save and replace
Picture 4.4 – the certificate is in the list
Now you can see the certificate is signed and valid.
Creating Credentials for the SAP Web Dispatcher
The SAP Web Dispatcher must have active credentials at runtime to be able to access itsPSEs.
Put the SIDPSE.pseinthe secdirectory
Picture 5.0 – PSE in the SEC directory
Run the following command:
sapgenpse seclogin -p SAPSSLS.pse -x abcpin -O ABCadm
Picture 5.1 – The following command line opens the SAP Web Dispatcher’s SSL server PSE and creates credentials for the user SIDadm
Add the following parameter to the WD profile
Picture 5.2 – Profile parameter
Restart the WD!
Test the SSL connection
Picture 6.0 – Certificate is issued
Export P12 certificate for F5 – Option
Picture 6.1 – Export the certificate
I hope this document will help you Feel free to ask questions