How to Configure Web Dispatcher with SMP for X509 Certificate
In this blog we are going to see how to configure Web Dispatcher and its profile parameters to allow X509 certificate authentication via Web Dispatcher.
Prerequisites:
- Ensure you are able to Register & Read data using X509 Certificates with SMP URL & port 8082 in REST Client
- You have a working Web Dispatcher setup with Admin access
- Root Certificate and corresponding Intermediate certificate if any
- SMP Server Certificate signed by CA
- Access to the Web Dispatcher remote system
- PKI for signing the certificates
To get X509 working with oData and SMP you may refer to
- Configuring Client Certificate Authentication (mutual https) on SAP Gateway
- How to configure Mutual Authentication using X.509 Certificate in SMP 3.0
By the end of this blog we will have achieved the following:
We shall follow this sequence of configuration steps:
- Importing Certificate into WD
- Configure SAPSSLC
- Modify Profile Parameters
- Configure SMP Impersonator Role
Let us begin:
Importing Certificate into WD
Log in to the Web Dispatcher admin URL:
E.g.: http://xxxxxxxx/sap/admin/public/default.html
Navigate to SSL & Trust Configuration and PSE Management.
Under Manage PSE you will see 3 options:
- SAPSSLA
- SAPSSLC – SSL client PSE
- SAPSSLS – SSL server PSE
Select SAPSSLC
Under Trusted Certificates, click on “Import Certificate”, select the Root Certificate and import it.
For security reasons, I have hidden the details. However, the steps are simple and you should be able to continue the confirmations and get them working with this procedure.
Click on “Import Certificate” again and select your Intermediate Certificate, if you have one.
Click on “Import Certificate” again and select your SMP Certificate, which is signed by the Intermediate Certificate / Root Certificate.
Repeat the same steps for SAPSSLS and import all the three certificates.
Configuring SAPSSLC
- Select SAPSSLC, which is the SSL client PSE
- Create a CA Request, submit the request to your PKI and download the signed response
- Import the CA Response and create a certificate in .CER format
After the import, the configuration looks like this:
Where Subject “CN=XXX” is the XXX Certificate which will be used as Impersonator in SMP Server.
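A pre-import check for the certificate files used in the steps above, as an added example that is not part of the original blog: it confirms that the SMP server certificate and the Web Dispatcher client certificate both chain to the root through the intermediate, and prints the subject that will show up in the SMP role mapping. It assumes `openssl` is installed and the `.cer` files are Base64 (PEM) encoded; the throwaway PKI and all file and host names are constructed for the demo.

```shell
#!/bin/sh
# Added example: pre-check certificate files before importing them into a PSE.
# The throwaway PKI and every name below are constructed for this demo.

# issue NAME CN EXTENSION [ISSUER]: write NAME.key and NAME.cer in the current
# directory; the certificate is self-signed when no ISSUER is given.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null || return 1
  printf '%s\n' "$3" > "$1.ext"
  if [ -n "${4:-}" ]; then
    openssl x509 -req -in "$1.csr" -CA "$4.cer" -CAkey "$4.key" \
      -CAcreateserial -days 2 -extfile "$1.ext" -out "$1.cer" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -signkey "$1.key" \
      -days 2 -extfile "$1.ext" -out "$1.cer" 2>/dev/null
  fi
}

# chain_ok ROOT INTERMEDIATE CERT: succeed only if CERT verifies up to ROOT.
chain_ok() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# subject_of CERT: print the subject DN, the value to compare with the
# certificate shown in the SMP role mapping.
subject_of() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

demo() {
  cd "$(mktemp -d)" || return 1
  ca='basicConstraints=critical,CA:TRUE'; leaf='basicConstraints=CA:FALSE'
  issue root  'Demo Root CA'           "$ca"         || return 1
  issue inter 'Demo Intermediate CA'   "$ca"   root  || return 1
  issue smp   'smp.example.test'       "$leaf" inter || return 1
  issue wd    'wd-client.example.test' "$leaf" inter || return 1
  for c in smp wd; do
    chain_ok root.cer inter.cer "$c.cer" &&
      echo "$c: chain OK ($(subject_of "$c.cer"))"
  done
  # Without the intermediate the same certificate no longer verifies.
  chain_ok root.cer root.cer smp.cer || echo "smp: FAILS without the intermediate"
}
demo
```

With real files, call `chain_ok` and `subject_of` on the exported root, intermediate, SMP and Web Dispatcher certificates instead of running `demo`.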
Modifying the Profile Parameters:
Log in to the WD remote system and navigate to the following path:
C:\WD Installation Path\sap\WDS\SYS\profile
Open the file – WD_FILE_NAME
a. Adding Message Server
b. Adding ICM and Cipher
c. Modify the “mod_rules” as required according to your setup
Configuring SMP Impersonator Role
a. Login to SMP Sandbox and Navigate to Settings and Select the X509 Security profile and then click on Role Mapping
c. Import the WD Certificate to Physical Role Mapping: click on Browse, select the certificate and add the Role to Mapped Role. The details should look like this:
d. Click on Save and Save to get back to Setting Screen.
The configurations are completed and you should be able to test X509 with Web Dispatcher.
This should help you get the authentication with X509 from Web-Dispatcher.
Looking forward to your comments and feedback.
Regards,
Nagesh