Configuring SAP Web Dispatcher to Support SSL – With Trust Manager


Information:


The SAP Web dispatcher lies between the Internet and your SAP system. It is the entry point for HTTP(s) requests into your system, which consists of one or more SAP NetWeaver application servers. As a “software webswitch”, the SAP Web dispatcher can reject or accept connections. When it accepts a connection, it balances the load to ensure an even distribution across the servers. The SAP Web Dispatcher therefore contributes to security and also balances the load in your SAP system. (SAP)

Our mission this year is to focus on the security side of the SAP system. We are carrying out many activities to make the SAP system more protected and more secure.

Introduction:


One of our web service applications uses SAP Web Dispatcher, and we want incoming connections to use HTTPS. For this we must configure SAP Web Dispatcher as an SSL (Secure Sockets Layer) server.

Pics by SAP

Pics by SAP

More information regarding the Web Dispatcher:

https://help.sap.com/saphelp_nw73ehp1/helpdata/en/48/8FE37933114E6FE10000000A421937/frameset.htm

There are 2 ways to configure SSL for Web Dispatcher.

  • Using the trust manager.
  • Using the configuration tool sapgenpse.

This guide will help you configure SSL for Web Dispatcher using the trust manager.

Prerequisites:


You are familiar with the architecture and functions of SAP Web Dispatcher. In particular, you are familiar with the possible connections and how SSL is used with them. See the figure above. (SAP)

The SAP Web Dispatcher is installed and configured to use SSL.

Profile parameter: icm/server_port_<xx> = PROT=ROUTER, PORT=<port>, TIMEOUT=<timeout_in_seconds>
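
Added example, not part of the original post or of SAP's tooling: a Python check that parses the icm/server_port_<xx> entries of a Web Dispatcher profile in the format shown above and flags listeners that are incomplete, carry no TLS, or reuse a port. The sample profile is constructed, and treating PROT=HTTPS and PROT=ROUTER as the TLS-carrying protocols is this example's assumption.

```python
import re

# Constructed sample profile: SID, port numbers and timeouts are illustrative.
SAMPLE_PROFILE = """\
# Web Dispatcher instance profile (constructed sample)
SAPSYSTEMNAME = SID
icm/server_port_0 = PROT=HTTP, PORT=8080, TIMEOUT=60
icm/server_port_1 = PROT=ROUTER, PORT=44300, TIMEOUT=120
icm/server_port_2 = PROT=HTTPS,PORT= 44301
icm/server_port_3 = PROT=HTTPS, PORT=44300
"""

PORT_KEY = re.compile(r"^icm/server_port_(\d+)$")
# Assumption of this example: HTTPS and ROUTER listeners carry TLS, others do not.
TLS_PROTOCOLS = {"HTTPS", "ROUTER"}


def parse_server_ports(profile_text):
    """Return {index: {"PROT": ..., "PORT": ...}} for each icm/server_port_<xx> line."""
    ports = {}
    for raw in profile_text.splitlines():
        line = raw.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        match = PORT_KEY.match(key)
        if match:
            # The value is itself a comma-separated list of NAME=value options.
            options = (item.split("=", 1) for item in value.split(",") if "=" in item)
            ports[int(match.group(1))] = {n.strip().upper(): v.strip() for n, v in options}
    return ports


def audit_server_ports(ports):
    """Return (index, finding) pairs for listeners that need a second look."""
    findings, first_use = [], {}
    for index in sorted(ports):
        options = ports[index]
        if "PROT" not in options or "PORT" not in options:
            findings.append((index, "incomplete"))
            continue
        if options["PROT"].upper() not in TLS_PROTOCOLS:
            findings.append((index, "cleartext"))
        if options["PORT"] in first_use:
            findings.append((index, "duplicate-port"))
        first_use.setdefault(options["PORT"], index)
    return findings


if __name__ == "__main__":
    for index, finding in audit_server_ports(parse_server_ports(SAMPLE_PROFILE)):
        print(f"icm/server_port_{index}: {finding}")
```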

Configuration:


Configure Environment variable


Picture 1.0 – environment variable SECUDIR

  • Variable value = d:\usr\sap\SID\W00\sec

We set the environment variable SECUDIR because we will use sapgenpse for the credentials and for exporting the certificate.

Creating the SAP Web Dispatcher’s PSEs Using the Trust Manager


Picture 1.1 – trust manager


Go to transaction code STRUST, right-click File and choose Create. (You have to be in edit mode.)


Picture 1.2 – Create (RSA)


  • Change the name – Full FQDN of WD
  • Change the Algorithm to RSA with SHA-1 (I used the old algorithm)

In cryptography, SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function. SHA-1 produces a 160-bit (20-byte) hash value known as a message digest. A SHA-1 hash value is typically rendered as a hexadecimal number, 40 digits long. (Wikipedia)

https://en.wikipedia.org/wiki/SHA-1

Picture 1.3 – Save the PSE

Save the PSE to a local file.

Sending the Certificate Requests to a CA.


Click on File and choose the PSE we saved earlier.

Picture 2.0 – PSE you saved in the previous procedure

Click on Create certificate request, save the certificate request to a local file and send it to the CA for the request response.

Picture 2.1 – certificate request

Picture 2.2 – Export certificate request

Picture 2.3 – Pics by SAP

After you get the certificate response back from the CA, choose File and import the certificate response (.p7b file).

Picture 2.4 – Import certificate response

Picture 2.5 – certificate response

Picture 4.3 – Add to certificate list

Click on Add to certificate list, then Save and replace.

Picture 4.4 – the certificate is in the list

Now you can see the certificate is signed and valid.

Creating Credentials for the SAP Web Dispatcher


The SAP Web Dispatcher must have active credentials at runtime to be able to access its PSEs.

Put the SIDPSE.pse in the sec directory.

Picture 5.0 – PSE in the SEC directory

Run the following command:

sapgenpse seclogin -p SAPSSLS.pse -x abcpin -O ABCadm

Picture 5.1 – The following command line opens the SAP Web Dispatcher’s SSL server PSE and creates credentials for the user SIDadm

Profile parameter


Add the following parameter to the WD profile


Picture 5.2 – Profile parameter

Restart the WD!


Test the SSL connection

Picture 6.0 – Certificate is issued

Export P12 certificate for F5 – Optional


Picture 6.1 – Export the certificate


SAP Sources:


https://help.sap.com/saphelp_nw74/helpdata/en/49/3db10a19341067e10000000a42189c/content.htm

https://help.sap.com/saphelp_nw74/helpdata/en/49/4590d23a293b5be10000000a42189b/content.htm

https://help.sap.com/saphelp_nw74/helpdata/en/49/4561a6f4383659e10000000a42189b/content.htm

https://help.sap.com/saphelp_nw74/helpdata/en/49/458f193a293b5be10000000a42189b/content.htm

I hope this document will help you. Feel free to ask questions.

Thanks Naor.

