Single web dispatcher – multiple HTTPS ports and SSL Certificates
It has been a long time since I wrote something related to SAP.
I am not surprised at this myself given my lazy habits, but I thought that this will be a good option to kick myself out of my procrastinating habits. So here it goes.
Introduction
SAP Web Dispatchers play a critical role in an SAP environment as the entry point for external traffic. SAP provides several configuration options for the Web Dispatcher, which makes it a robust and powerful tool.
This blog describes a complex scenario where the requirement was to have 2 HTTPS ports on the externally facing Web Dispatcher, each with its own SSL certificate.
Generally, this comes about when we have a public-facing interface, like a sales portal that needs worldwide internet access, alongside a specific business interface/requirement that operates only on specific ports.
Having multiple HTTPS ports on the same Web Dispatcher server also saves the infrastructure cost of a completely new server.
Scenario Description
Let’s call our Web dispatcher WP1. I am sure that this will be a web dispatcher name in many organisations around the world, something like PRD being used as the System Identifier for Production systems.
We are going to have 2 HTTPS ports – 443 (which is the default HTTPS port) and 8443 which will be our custom HTTPS port.
Let’s assume that the certificate for port 443 is Cert1. And the one for port 8443 is Cert2.
The technical requirement is that for any request arriving on port 443, SSL termination must use Cert1, and for any request arriving on port 8443, SSL termination must use Cert2.
Configuration Solution
The first step is to create separate PSE files for each of the 2 certificates. We can name them SAPSSLS1.PSE and SAPSSLS2.PSE.
This can be done using the standard sapgenpse import_p12 command, which reads a PKCS#12 file containing the certificate and its private key.
sapgenpse import_p12 -p <File_location>/SAPSSLS1.PSE <Location of PKCS#12 file for Cert1>
sapgenpse import_p12 -p <File_location>/SAPSSLS2.PSE <Location of PKCS#12 file for Cert2>
This will create the 2 PSE Files – SAPSSLS1.PSE and SAPSSLS2.PSE.
The next step is to define the ICM parameters below:
icm/ssl_config_0 = CRED=<File Location>\SAPSSLS1.PSE
icm/ssl_config_1 = CRED=<File Location>\SAPSSLS2.PSE
These 2 parameters are then referenced in the port definitions, so that each port starts with its own PSE, as shown below.
icm/server_port_n = PROT=HTTPS, PORT=<HTTPS Port>, HOST=<External IP Address>, SSL_CONFIG=ssl_config_0
The definition for port 443 references ssl_config_0 (Cert1) and the definition for port 8443 references ssl_config_1 (Cert2). In this way, we can have multiple SSL ports which use different SSL certificates to cater to incoming traffic.
Please note that although the parameter is defined as icm/ssl_config_0, when it is used in the port parameter, it needs to be mentioned as SSL_CONFIG.
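A profile check for the configuration described above, as an added example that is not part of the original post or of SAP's tooling: it parses the icm/ssl_config_<n> and icm/server_port_<n> lines, maps each HTTPS port to its PSE file, and flags ports whose SSL_CONFIG reference is missing, undefined, or resolves to a PSE already used by another port. Option names follow the post (plus PORT); the sample profile, paths and IP address are constructed.

```python
import re

# Constructed sample profile for WP1; paths and IP address are placeholders.
SAMPLE_PROFILE = """\
icm/ssl_config_0 = CRED=/path/to/sec/SAPSSLS1.PSE
icm/ssl_config_1 = CRED=/path/to/sec/SAPSSLS2.PSE
icm/server_port_0 = PROT=HTTPS, PORT=443, HOST=192.0.2.10, SSL_CONFIG=ssl_config_0
icm/server_port_1 = PROT=HTTPS, PORT=8443, HOST=192.0.2.10, SSL_CONFIG=ssl_config_1
"""

PARAM = re.compile(r"icm/(ssl_config_\d+|server_port_\d+)")

def parse_profile(text):
    """Return {parameter suffix: {OPTION: value}} for the two ICM parameter families."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        m = PARAM.fullmatch(name.strip())
        if not (sep and m):
            continue  # comments, blank lines, unrelated parameters
        opts = {}
        for part in value.split(","):
            key, eq, val = part.strip().partition("=")
            if eq:
                opts[key.upper()] = val.strip()
        params[m.group(1)] = opts
    return params

def lint_profile(text):
    """Map each HTTPS port to its PSE file and list configuration findings."""
    params = parse_profile(text)
    port_to_pse, findings = {}, []
    for name in sorted(params):
        opts = params[name]
        if not name.startswith("server_port_") or opts.get("PROT", "").upper() != "HTTPS":
            continue
        port, ref = opts.get("PORT", "?"), opts.get("SSL_CONFIG")
        if ref is None:
            findings.append(f"port {port}: no SSL_CONFIG option")
        elif ref not in params:
            findings.append(f"port {port}: SSL_CONFIG={ref} but icm/{ref} is not defined")
        elif "CRED" not in params[ref]:
            findings.append(f"port {port}: icm/{ref} has no CRED")
        else:
            pse = params[ref]["CRED"]
            shared = [p for p, f in port_to_pse.items() if f == pse]
            if shared:
                findings.append(f"port {port}: shares {pse} with port {shared[0]}")
            port_to_pse[port] = pse
    return port_to_pse, findings

if __name__ == "__main__":
    print(lint_profile(SAMPLE_PROFILE))
```

Running it against the real profile before a restart catches a port that references the wrong or an undefined SSL configuration, which would otherwise surface only as a certificate mismatch in the client.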
This parameter, along with several others, makes the SAP Web Dispatcher the best routing tool when back-end SAP and even non-SAP environments are involved.
Conclusion
Using the parameter ssl_config, we can cater for multiple SSL Certificates on the web dispatcher.
Hi Dear Rishi,
New version of webdispatcher does not support "Sapgenpse import_p12" command. Have you any other alternative solution for creating .PSE file?
Regards,
Fazıl
Hello Fazil,
You can manage the PSE files through the Web Administration interface, on newer Web Dispatchers. Check out this wiki:
http://wiki.scn.sap.com/wiki/x/tIahG
Regards,
Isaías
Thanks Isaias for sharing this wiki link.
@Fazil - in the new version of the web dispatcher, it can all be done using the web administration interface.
Thanks
Rishi
You're welcome!
Thanks for your response Isaias Freitas and @Rishi
You're welcome!
In my scenario, I have a port in my JAVA system for external traffic. In there I have my external CA certificates catering to external traffic.
I have another port in that JAVA system for internal traffic. In there I have my internal CA certificates catering to internal traffic on our internal domain using our internal PKI certificates.
My traffic always comes in through my web dispatcher and is forwarded from web dispatcher to my Java system SCS. On the SCS it appears that the traffic is always forwarded to the default app server ssl port. It ignores my port-specific ssl port that I also have in the NWA.
Of course, when my internal traffic comes into my JAVA system via the SCS, I do not want my default (external) port to answer and supply my external certificates. I want my port-specific port to answer and supply my internal certificates. Both cert stores can be seen in NWA > Security > SSL screen and they work when you target an app server on the respective ports.
My external facing domain is not equal to my internal domain so the browser will complain saying you are trying to reach *.abc.com, but your certificate says you are *.123.com. This occurs apparently because, no matter what port my web dispatcher forwards to my SCS... my SCS always sends that traffic to the default SSL port in JAVA and always responds with my external certificates.
This blog explains 'single web dispatcher and multiple https ports and certificates' - perhaps there is also room for a blog on 'one SCS(java) and multiple https ports and ssl certificates'?