Technology Blogs by Members
Explore a vibrant mix of technical expertise, industry insights, and tech buzz in member blogs covering SAP products, technology, and events. Get in the mix!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Configuring SAP Web Dispatcher to Support SSL - Trust Manager

former_member182675
Contributor
‎06-13-2016 1:20 PM

Configuring SAP Web Dispatcher to Support SSL - With Trust Manager


Information:


The SAP Web dispatcher lies between the Internet and your SAP system. It is the entry point for HTTP(s) requests into your system, which consists of one or more SAP NetWeaver application servers. As a “software webswitch”, the SAP Web dispatcher can reject or accept connections. When it accepts a connection, it balances the load to ensure an even distribution across the servers. The SAP Web Dispatcher therefore contributes to security and also balances the load inyour SAP system. (SAP)

Our missions this year is to focus on the security side of SAP system, we make many activities to make the SAP system more protected, more secure.

Introduction:


One of our web service applicationused SAP Web Dispatcher and we want that incoming connection will use HTTPS. For this we must configure SAP Web Dispatcher as an SSL (Secure Sockets Layer) server.

Pics by SAP

Pics by SAP

More information regarding the Web Dispatcher:

https://help.sap.com/saphelp_nw73ehp1/helpdata/en/48/8FE37933114E6FE10000000A421937/frameset.htm

There are 2 ways to configure SSL for Web Dispatcher.

  • Using the trust manager.
  • Using the configuration tool sapgenpse.

This guide will help you to configure SSL for Web Dispatcher using trust manager.

Prerequisites:


You are familiar with the architecture and functions of SAP Web Dispatcher. In particular, you are familiar with the possible connections and how SSL is used with them. See the figure above. (SAP)

The SAP Web Dispatcher is installed and configured to use SSL.

Profile parameter:icm/server_port_ <xx> = PROT=ROUTER, PORT= <port>,TIMEOUT= <timeout_in_seconds>

Configuration:


Configure Environment variable


Picture 1.0 - environment variable SECUDIR

  • Variable value = d:\usr\sap\SID\W00\sec

The reason we set the environment variable SECUDIR is because we will use thesapgenpseforCredentials and for export the certificate.

Creating the SAP Web Dispatcher's PSEs Using the Trust Manager


Picture 1.1 - trust manager


Go to transaction code STRUST right click on the File and choose create. (You have to be in edit Mode).


Picture 1.2 - Create (RSA)


  • Change the name – Full FQDN of WD
  • Change the Algorithm to RSA with SHA-1 (I used the old algorithm)

In cryptography, SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function. SHA-1 produces a 160-bit (20-byte) hash value known as a message digest. A SHA-1 hash value is typically rendered as a hexadecimal number, 40 digits long. (Wikipedia)

https://en.wikipedia.org/wiki/SHA-1

Picture 1.3 – Save the PSE

Save the PSE to local file.

Sending the Certificate Requests to a CA.


Click on File and choose the PSE we download before

Picture 2.0 - PSE you saved in the previous procedure

Click on Create certificate request, save the certificate reques to local file and send it to the CA for request response.

Picture 2.1 - certificate request

Picture 2.2 – Export certificate request

Picture 2.3 - Pics by SAP

After you get back the certificate response from the CA, Choose file and import the certificate response.p7b

Picture 2.4 – Import certificate response

Picture 2.5 – certificate response

Picture 4.3 – Add to certificate list

Click on Add to certificate list Save and replace

Picture 4.4 – the certificate is in the list

Now you can see the certificate is signed and valid.

Creating Credentials for the SAP Web Dispatcher


The SAP Web Dispatcher must have active credentials at runtime to be able to access itsPSEs.

Put the SIDPSE.pseinthe secdirectory

Picture 5.0 – PSE in the SEC directory

Run the following command:

sapgenpse seclogin -p SAPSSLS.pse -x abcpin -O ABCadm

Picture 5.1 - The following command line opens the SAP Web Dispatcher's SSL server PSE and creates credentials for the user SIDadm

Profile parameter


Add the following parameter to the WD profile


Picture 5.2 – Profile parameter

Restart the WD!


Test the SSL connection

Picture 6.0 – Certificate is issued

Export P12 certificate for F5 - Option


Picture 6.1 – Export the certificate


SAP Sources:


https://help.sap.com/saphelp_nw74/helpdata/en/49/3db10a19341067e10000000a42189c/content.htm

https://help.sap.com/saphelp_nw74/helpdata/en/49/4590d23a293b5be10000000a42189b/content.htm

https://help.sap.com/saphelp_nw74/helpdata/en/49/4561a6f4383659e10000000a42189b/content.htm

https://help.sap.com/saphelp_nw74/helpdata/en/49/458f193a293b5be10000000a42189b/content.htm

https://help.sap.com/saphelp_nw74/helpdata/en/49/458f193a293b5be10000000a42189b/content.htm

I hope this document will help you Feel free to ask questions

Thanks Naor.


3 Comments
Labels in this area
Popular Blog Posts