Skip to Content
Technical Articles
Author's profile photo Rishi Das

Single web dispatcher – multiple HTTPS ports and SSL Certificates

It has been a long time since I wrote something related to SAP.

I am not surprised at this myself given my lazy habits, but I thought that this will be a good option to kick myself out of my procrastinating habits. So here it goes.

 

Introduction

SAP Web-dispatchers play a very critical role in the SAP Environment as an entry point of external traffic into the Environment. SAP provides us with several options for web dispatchers which makes it a very robust and powerful tool.

This blog is going to describe a complex scenario where the requirement was to have 2 HTTPS ports on the web dispatcher external facing environment each having its separate SSL Certificate.

Generally, this comes about when we have a public facing interface, like a sales portal which needs world-wide internet access and a specific business interface/requirement which operates on only specific ports.

And having multiple HTTPS ports on the same Web Dispatcher server also saves on Infrastructure costs of a completely new server.

Scenario Description

Let’s call our Web dispatcher WP1. I am sure that this will be a web dispatcher name in many organisations around the world, something like PRD being used as the System Identifier for Production systems ?.

We are going to have 2 HTTPS ports – 443 (which is the default HTTPS port) and 8443 which will be our custom HTTPS port.

Let’s assume that the certificate for port 443 is Cert1. And the one for port 8443 is Cert2.

The technical requirement is that for any request coming to 443 port, the SSL Termination needs to be resolved by Cert 1 and for any request to 8443, the SSL Termination needs to be resolved by Cert2.

Configuration Solution

The first step is to create separate PSE Files for each of the 2 Certificates. We can name them as SAPSSLS1.PSE and SAPSSLS2.PSE

This can be done using the standard sapgenpse import_p12 command.

Sapgenpse import_p12 -p   <File_location>/SAPSSLS1.PSE   <Location of .Cer file for Cer1>

Sapgenpse import_p12 -p   <File_location>/SAPSSLS2.PSE   <Location of .Cer file for Cer2>

 

This will create the 2 PSE Files – SAPSSLS1.PSE and SAPSSLS2.PSE.

The next step is to define the below ICM Parameters

icm/ssl_config_0 = CRED=<File Location>\SAPSSLS1.pse

icm/ssl_config_1 = CRED=<File Location>\SAPSSLS2.pse

The above 2 parameters will be utilised in the port definition to start up the Ports as per the below.

icm/server_port_n= PROT=HTTPS, HOST=<External IP Address>, SSL_CONFIG=ssl_config_0

 

In this way, we can have multiple SSL Ports which can utilise different SSL Certificates to cater to incoming traffic

Please note that although the parameter is defined as icm/ssl_config_0, when it is used in the port parameter, it needs to be mentioned as SSL_CONFIG.

This parameter, along with the several others makes SAP Web Dispatchers the best routing tool when back-end Sap and even non-SAP environments are involved.

 

Conclusion

Using the parameter ssl_config, we can cater for multiple SSL Certificates on the web dispatcher.

Assigned Tags

      7 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo FAZIL KURUCU
      FAZIL KURUCU

      Hi Dear Rishi,

      New version of webdispatcher does not support "Sapgenpse import_p12 " comand. Have you any other alternative solution for creating .PSE file ?

       

      Regards,

      Fazıl

      Author's profile photo Isaias Freitas
      Isaias Freitas

      Hello Fazil,

      You can manage the PSE files through the Web Administration interface, on newer Web Dispatchers. Check out this wiki:

      http://wiki.scn.sap.com/wiki/x/tIahG

      Regards,

      Isaías

       

      Author's profile photo Rishi Das
      Rishi Das
      Blog Post Author

      Thanks Isaias for sharing this wiki link.

      @Fazil - in the new version of the web dispatcher, it can all be done using the web administration interface.

       

      Thanks

      Rishi

      Author's profile photo Isaias Freitas
      Isaias Freitas

      You're welcome!

       

      Author's profile photo FAZIL KURUCU
      FAZIL KURUCU

      Thanks for your response Isaias Freitas and @Rishi

      Author's profile photo Isaias Freitas
      Isaias Freitas

      You're welcome!

       

      Author's profile photo Alex Smith
      Alex Smith

      In my scenario, I have a port in my JAVA system for external traffic. In there I have my external CA certificates catering to external traffic.

      I have another port in that JAVA system for internal traffic. In there I have my internal CA certificates catering to internal traffic on our internal domain using our internal PKI certificates.

      My traffic always comes in through my web dispatcher and is forwarded from web dispatcher to my Java system SCS. On the SCS it appears that the traffic is always forwarded to the default app server ssl port. It ignores my  port-specific ssl port that I also have in the NWA.

      Of course, when my internal traffic comes into my JAVA system via the SCS, I do not want my default (external) port to answer and supply my external certificates. I want my port-specific port to answer and supply my internal certificates. Both cert stores can be seen in NWA > Security > SSL screen and they work when you target an app server on the respective ports.

       

      My external facing domain is not equal to my internal domain so the browser will complain saying you are trying to reach *.abc.com, but your certificate says you are *.123.com. This occurs apparently because, no matter what port my web dispatcher forwards to my SCS... my SCS always sends that traffic to the default SSL port in JAVA and always responds with my external certificates.

      This blog explains 'single web dispatcher and multiple https ports and certificates' - perhaps there is also room for a blog on 'one SCS(java) and multiple https ports and ssl certificates'?