Single web dispatcher – multiple HTTPS ports and SSL Certificates
It has been a long time since I wrote something related to SAP.
I am not surprised at this myself given my lazy habits, but I thought this would be a good way to kick myself out of my procrastinating habits. So here it goes.
SAP Web Dispatchers play a critical role in the SAP environment as the entry point for external traffic. SAP provides several options for Web Dispatchers, which makes them a robust and powerful tool.
This blog describes a complex scenario where the requirement was to have 2 HTTPS ports on the external-facing Web Dispatcher, each with its own SSL certificate.
Generally, this comes about when we have a public facing interface, like a sales portal which needs world-wide internet access and a specific business interface/requirement which operates on only specific ports.
And having multiple HTTPS ports on the same Web Dispatcher server also saves on Infrastructure costs of a completely new server.
Let’s call our Web dispatcher WP1. I am sure that this will be a web dispatcher name in many organisations around the world, something like PRD being used as the System Identifier for Production systems.
We are going to have 2 HTTPS ports – 443 (which is the default HTTPS port) and 8443 which will be our custom HTTPS port.
Let’s assume that the certificate for port 443 is Cert1. And the one for port 8443 is Cert2.
The technical requirement is that for any request coming to port 443, SSL termination must be done with Cert1, and for any request to port 8443, SSL termination must be done with Cert2.
The first step is to create a separate PSE file for each of the 2 certificates. We can name them SAPSSLS1.PSE and SAPSSLS2.PSE.
This can be done using the standard sapgenpse import_p12 command.
sapgenpse import_p12 -p <File_location>/SAPSSLS1.PSE <Location of .Cer file for Cert1>
sapgenpse import_p12 -p <File_location>/SAPSSLS2.PSE <Location of .Cer file for Cert2>
This will create the 2 PSE Files – SAPSSLS1.PSE and SAPSSLS2.PSE.
The next step is to define the below ICM parameters:
icm/ssl_config_0 = CRED=<File Location>\SAPSSLS1.PSE
icm/ssl_config_1 = CRED=<File Location>\SAPSSLS2.PSE
The above 2 parameters are then referenced in the port definitions, so that each port starts up with its own PSE, as per the below.
icm/server_port_n = PROT=HTTPS, PORT=<Port>, HOST=<External IP Address>, SSL_CONFIG=ssl_config_0
In this way, we can have multiple SSL ports which use different SSL certificates to cater to incoming traffic.
Please note that although the parameter is defined as icm/ssl_config_0, when it is used in the port parameter, it needs to be mentioned as SSL_CONFIG.
This parameter, along with several others, makes SAP Web Dispatchers the best routing tool when back-end SAP and even non-SAP environments are involved.
Using the parameter ssl_config, we can cater for multiple SSL Certificates on the web dispatcher.
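To check the result before restarting WP1, the following added example (not part of the original blog and not SAP code) parses a profile and reports which PSE each HTTPS port resolves to, flagging ports that reference an undefined ssl_config or share a PSE. The sample profile, its paths, IP address and parameter indexes are constructed; option names follow the spelling used on this page.

```python
import re

# Constructed sample profile for WP1; paths, IP address and indexes are placeholders.
SAMPLE_PROFILE = """\
icm/ssl_config_0 = CRED=/usr/sap/WP1/sec/SAPSSLS1.PSE
icm/ssl_config_1 = CRED=/usr/sap/WP1/sec/SAPSSLS2.PSE
icm/server_port_0 = PROT=HTTPS, PORT=443, HOST=192.0.2.10, SSL_CONFIG=ssl_config_0
icm/server_port_1 = PROT=HTTPS, PORT=8443, HOST=192.0.2.10, SSL_CONFIG=ssl_config_1
"""

def parse_options(value):
    """Split 'K1=V1, K2=V2' into a dict; keys upper-cased, underscores dropped."""
    opts = {}
    for part in value.split(","):
        if "=" in part:
            key, val = part.split("=", 1)
            opts[key.strip().upper().replace("_", "")] = val.strip()
    return opts

def audit_profile(text):
    """Return ({port: pse_path}, [problems]) for the HTTPS ports in a profile."""
    ssl_configs, ports, problems = {}, [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = (s.strip() for s in line.split("=", 1))
        m = re.fullmatch(r"icm/(ssl_config|server_port)_(\d+)", name)
        if m and m.group(1) == "ssl_config":
            ssl_configs["ssl_config_" + m.group(2)] = parse_options(value)
        elif m:
            ports.append((name, parse_options(value)))
    mapping = {}
    for name, opts in ports:
        if opts.get("PROT", "").upper() != "HTTPS":
            continue
        ref = opts.get("SSLCONFIG")  # the page's SSL_CONFIG after normalisation
        cred = ssl_configs.get(ref, {}).get("CRED")
        if ref is None:
            problems.append(f"{name}: no SSL_CONFIG option")
        elif cred is None:
            problems.append(f"{name}: {ref} is not defined or has no CRED")
        else:
            mapping[opts.get("PORT")] = cred
    # Two ports sharing one PSE defeats the per-port certificate requirement.
    if len(set(mapping.values())) < len(mapping):
        problems.append("multiple HTTPS ports resolve to the same PSE")
    return mapping, problems
```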