Secure SAP Web Dispatcher with TLS V1.2, SSL Termination and Encryption
The purpose of this blog post is to share how to secure SAP Web Dispatcher with TLS v1.2, SSL termination and encryption. It also includes troubleshooting tips that may be useful for a successful implementation, and it ends with the links and SAP Notes for each section and parameter.
SAP Web Dispatcher can be secured either by upgrading the existing Web Dispatcher or by installing a new one, since the configuration requires the latest CommonCryptoLib 8.x.
The approach we followed was to install a new Web Dispatcher 7.53 while keeping the existing old WD landscape. This gave us the flexibility to migrate the ABAP systems from the old WD to the new WD one by one, with better control and less business disruption.
The required TLS v1.2 cipher suites are available in SAPCRYPTOLIB 5.5.5pl28 or higher and in CommonCryptoLib 8.4.10 or higher.
The typical audience of this blog post is Basis administrators. I am writing it to share my experience of securing the WD and to put everything in one place instead of scattered across forums, which may help many admins and save their valuable time.
Requirement:
1) SAP Web Dispatcher 7.53 or higher
2) CommonCryptoLib (CCL) 8.4.48 or higher, or the old library SAPCRYPTOLIB 5.5.5plXX at 5.5.5pl38 or higher, per SAP Note 510007
3) Digital certificate
Planning:
1) Build new Web Dispatcher 7.53 on new hardware
2) Download and install latest CommonCryptoLib
Approach:
1) Build new Web Dispatcher 7.53 on new hardware
2) Enable TLS V1.2 parameters in WD
3) Import the Digital Certificate
4) Configure the backend ABAP Systems and import the certificate in new WD
5) Configure TLS V1.2 parameters in backend ABAP systems
Steps:
1) #Install WD and enable the WD auto-start so that it comes back up after a server reboot
Autostart = 1
SignalMask_00 = default, 9
logfile/rotate = true
2) #Configuration of maximum number of concurrent connections
icm/max_conn = 32000
3) #TLS V1.2 Parameters – Per SAP Note 510007
ssl/ciphersuites = 547:PFS:eAES256:HIGH (512+32+2+1)
ssl/client_ciphersuites = 563:PFS:eAES256:HIGH (512+32+16+2+1)
4) #Back-end ABAP system configuration
wdisp/system_0 = SID=XXX, MSHOST=XXXXXXascs, MSPORT=81XX, SSL_ENCRYPT=2, CONFIG_PROTOCOL=https, SRCVHOST=XXXXXX.XXX.XXX:443
wdisp/system_1 = SID=XXX, MSHOST=XXXXXXascs, MSPORT=81XX, SSL_ENCRYPT=2, CONFIG_PROTOCOL=https, SRCVHOST=XXXXXX.XXX.XXX:443
…
…..
wdisp/system_x = SID=XXX, MSHOST=XXXXXXascs, MSPORT=81XX, SSL_ENCRYPT=2, CONFIG_PROTOCOL=https, SRCVHOST=XXXXXX.XXX.XXX:443
5) #SAP Web Dispatcher Administration
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=$(DIR_DATA)$(DIR_SEP)icmandir,AUTHFILE=$(icm/authfile),ALLOWPUB=FALSE,PORT=44300,HOST=localhost;Physical_host,CLIENTHOST=*.XXXXX.XXX (Domain name)
6) #SSL Configuration parameters and Encryption
icm/server_port_0 = PROT=HTTPS,HOST=localhost,PORT=44300,TIMEOUT=90,PROCTIMEOUT=3600
icm/server_port_1 = PROT=HTTPS,HOST=Physical_host,PORT=44300,TIMEOUT=90,PROCTIMEOUT=3600
ssl/server_pse = /usr/sap/<SID>/W00/sec/SAPSSLS.pse
ssl/client_pse = /usr/sap/<SID>/W00/sec/SAPSSLC.pse
wdisp/ssl_cred = /usr/sap/<SID>/W00/sec/SAPSSLC.pse
wdisp/HTTPS/context_timeout=4000
wdisp/HTTPS/max_pooled_con=32000
wdisp/HTTPS/min_pooled_con=0
wdisp/HTTP/use_pool_for_new_conn=1
## Encryption
wdisp/ssl_encrypt=2
wdisp/ssl_auth=2
icm/HTTPS/verify_client=1
7) #Logging (System Specific)
icm/HTTP/logging_0 = PREFIX=/sap/admin/, LOGFILE=$(DIR_INSTANCE)/log/httpaccess/dev_httpaccess.log.adm, LOGFORMAT=SAP, SWITCHTF=day
icm/HTTP/logging_1 = PREFIX=/, LOGFILE=$(DIR_INSTANCE)/log/httpaccess/dev_httpaccess.log.<sid>, LOGFORMAT=SAP, SWITCHTF=day, SYSTEM=<SID>
8) #System_conflict_resolution – BEST_MATCH
wdisp/system_conflict_resolution = 2
is/HTTP/show_detailed_errors = FALSE
wdisp/permission_table = $(DIR_PROFILE)/$(SAPSYSTEMNAME)_$(INSTANCE_NAME)_permission_table
icm/HTTP/file_access_0 = PREFIX=/File_name.txt, DOCROOT=$(DIR_INSTANCE)/data/public/File_name.txt
icm/HTTP/file_access_1 = PREFIX=/File_name.ico, DOCROOT=$(DIR_INSTANCE)/data/public/File_name.ico
9) #Cache (Global)
icm/HTTP/server_cache_0/http_cache_control = true
icm/HTTP/server_cache_0 = PREFIX=/, CACHEDIR = $(DIR_INSTANCE)/data/cache/0
icm/HTTP/server_cache_0/expiration = 86400
icm/trace_secured_data = 1
rdisp/TRACE = 1
10) #Permission_table – Example <SID>_W00_permission_table
S /sap/bc/*
S /sap/saml2/*
S /sap/opu/*
S /sap/es/ina/*
S /sap/public/*
# Deny all others
D *
11) #Backend ABAP System – Per SAP Note 510007
– ssl/ciphersuites = 547:PFS:eAES256:HIGH (512+32+2+1)
– ssl/client_ciphersuites = 563:PFS:eAES256:HIGH (512+32+16+2+1)
– icm/HTTPS/verify_client=1
– Import the Digital Certificate for ABAP system
12) #Check the SSL status using the Perl script ssl-hellotest.pl, which is available in SAP Note 2110020
Syntax: perl ssl-hellotest.pl Application_Host Port_Number
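The permission table in step 10 is an ordered rule list. As an added example (not the post's own material and not SAP's code), here is a small Python model of how such a table decides requests, assuming the documented action letters (P = permit, D = deny, S = permit only when the request arrived over HTTPS) and a simplified top-to-bottom, first-match evaluation with '*' as the only wildcard; a request that matches no rule is denied. The sample table is the one from step 10; the request paths are constructed.

```python
import fnmatch

# Constructed copy of the step 10 table: one rule per line, action letter
# followed by a URL pattern, '#' starts a comment.
PERMISSION_TABLE = """\
S /sap/bc/*
S /sap/saml2/*
S /sap/opu/*
S /sap/es/ina/*
S /sap/public/*
# Deny all others
D *
"""


def parse_permission_table(text):
    """Parse the table into a list of (action, pattern) tuples in file order."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] not in ("P", "D", "S"):
            raise ValueError(f"line {lineno}: malformed rule {raw!r}")
        rules.append((parts[0], parts[1]))
    return rules


def decide(rules, path, https):
    """Return 'permit' or 'deny' for a request path.

    Simplified model (an assumption, not SAP's implementation): rules are
    checked top to bottom and the first matching pattern decides. '*' matches
    any run of characters, including '/', so '/sap/bc/*' covers the whole tree.
    """
    for action, pattern in rules:
        if fnmatch.fnmatchcase(path, pattern):
            if action == "P":
                return "permit"
            if action == "D":
                return "deny"
            # 'S': allowed only when the request came in over HTTPS
            return "permit" if https else "deny"
    return "deny"


def check_catch_all_deny(rules):
    """True if the table ends with 'D *', so every unlisted path is denied."""
    return bool(rules) and rules[-1] == ("D", "*")


if __name__ == "__main__":
    rules = parse_permission_table(PERMISSION_TABLE)
    for path, https in [("/sap/bc/ui2/flp", True),
                        ("/sap/bc/ui2/flp", False),
                        ("/sap/es/search", True),
                        ("/irj/portal", True)]:
        print(f"{'https' if https else 'http '} {path:<20} -> {decide(rules, path, https)}")
    print("catch-all deny present:", check_catch_all_deny(rules))
```

Because the evaluation is order-sensitive, the catch-all `D *` must stay the last line; a permit rule placed after it would never be reached, and a permit rule placed before a more specific deny would override it.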
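As a second added example (not from the post and not an SAP tool; it complements, rather than replaces, the sapwebdisp -checkconfig syntax check), the following Python lint parses a profile excerpt built from the parameters in steps 3 to 8 and reports settings that weaken the setup: a listening port that is not HTTPS, missing cipher suite parameters, a back end without SSL_ENCRYPT=2 and CONFIG_PROTOCOL=https, an admin handler without ALLOWPUB=FALSE, detailed errors enabled, no permission table, and icm/trace_secured_data not at 0 (a non-zero value writes decrypted HTTPS content into the ICM trace file, which is worth reviewing before production). SIDs, host names and ports in the profile text are constructed placeholders, and the second back end is deliberately misconfigured so the lint has something to find.

```python
# Constructed Web Dispatcher profile excerpt; wdisp/system_1 is intentionally
# weak (no re-encryption, plain-HTTP config fetch) to exercise the checks.
PROFILE = """\
icm/server_port_0 = PROT=HTTPS,HOST=localhost,PORT=44300,TIMEOUT=90,PROCTIMEOUT=3600
icm/server_port_1 = PROT=HTTPS,HOST=wdhost,PORT=44300,TIMEOUT=90,PROCTIMEOUT=3600
ssl/ciphersuites = 547:PFS:eAES256:HIGH
ssl/client_ciphersuites = 563:PFS:eAES256:HIGH
wdisp/system_0 = SID=AB1, MSHOST=ab1ascs, MSPORT=8100, SSL_ENCRYPT=2, CONFIG_PROTOCOL=https, SRCVHOST=ab1.example.test:443
wdisp/system_1 = SID=AB2, MSHOST=ab2ascs, MSPORT=8101, SSL_ENCRYPT=0, CONFIG_PROTOCOL=http, SRCVHOST=ab2.example.test:443
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=$(DIR_DATA)$(DIR_SEP)icmandir,AUTHFILE=$(icm/authfile),ALLOWPUB=FALSE,PORT=44300,HOST=localhost;wdhost,CLIENTHOST=*.example.test
wdisp/ssl_encrypt = 2
wdisp/ssl_auth = 2
icm/HTTPS/verify_client = 1
is/HTTP/show_detailed_errors = FALSE
wdisp/permission_table = $(DIR_PROFILE)/AB1_W00_permission_table
icm/trace_secured_data = 1
"""


def parse_profile(text):
    """Read 'key = value' lines into a dict; comments and blank lines skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def sub_params(value):
    """Split a 'K1=V1, K2=V2' parameter value into a dict with upper-case keys."""
    out = {}
    for item in value.split(","):
        if "=" in item:
            k, v = item.split("=", 1)
            out[k.strip().upper()] = v.strip()
    return out


def lint(params):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings = []
    # Listening ports: every icm/server_port_N should terminate TLS.
    for key, val in params.items():
        if key.startswith("icm/server_port_"):
            if sub_params(val).get("PROT", "").upper() != "HTTPS":
                findings.append(f"{key}: not an HTTPS port ({val})")
    # Cipher suite restriction on both the server and the client side.
    for key in ("ssl/ciphersuites", "ssl/client_ciphersuites"):
        if key not in params:
            findings.append(f"{key}: missing, library defaults apply")
    # Re-encryption towards the back ends.
    if params.get("wdisp/ssl_encrypt") != "2":
        findings.append("wdisp/ssl_encrypt: expected 2 (always re-encrypt to back end)")
    for key, val in params.items():
        if key.startswith("wdisp/system_"):
            sp = sub_params(val)
            if sp.get("SSL_ENCRYPT") != "2":
                findings.append(f"{key}: SSL_ENCRYPT should be 2")
            if sp.get("CONFIG_PROTOCOL", "").lower() != "https":
                findings.append(f"{key}: CONFIG_PROTOCOL should be https")
    # Admin UI must not be reachable without authentication.
    for key, val in params.items():
        if key.startswith("icm/HTTP/admin_"):
            if sub_params(val).get("ALLOWPUB", "").upper() != "FALSE":
                findings.append(f"{key}: ALLOWPUB should be FALSE")
    # Information disclosure and URL access control.
    if params.get("is/HTTP/show_detailed_errors", "").upper() != "FALSE":
        findings.append("is/HTTP/show_detailed_errors: should be FALSE")
    if "wdisp/permission_table" not in params:
        findings.append("wdisp/permission_table: no URL permission table configured")
    # Decrypted payloads in trace files.
    if params.get("icm/trace_secured_data", "0") != "0":
        findings.append("icm/trace_secured_data: non-zero writes decrypted data to the trace; review before production")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_profile(PROFILE)) or ["no findings"]:
        print(finding)
```

Run against the constructed profile, the lint reports only the two problems on wdisp/system_1 and the trace setting; fixing those three values yields an empty finding list.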
Conclusion: By following the above recommendations and parameters, we can secure the Web Dispatcher, which protects the complete SAP environment from many complex attacks and the entire SAP landscape from compromise.
– Secured Web Dispatcher that enables only TLS v1.2 with strong ciphers
– Disabled weak ciphers and the SSL 3.0, TLS 1.0 and TLS 1.1 protocols
– Enabled SSL termination, meaning more security at the Web Dispatcher level and protection of all incoming and outgoing traffic.
Troubleshooting Tips:
1) New WD URL – https://Physical_host:44300/sap/wdisp/admin/public/default.html
2) Check the parameters using the command below and fix any errors it reports.
sapwebdisp pf=<SID>_W00_Hostname_Profile -checkconfig
3) To import the ABAP backend system certificate into the WD: open the WD URL, click the SID of the backend system, go to the right-hand panel => Host Name => Establish Connection and import the certificate.
4) Enable the HTTPS port using icm/server_port_X=PROT=HTTPS,PORT=XXXX,TIMEOUT=600,PROCTIMEOUT=600 and cross-check it using transaction SMICM
5) Check the log using transaction SMICM (increase the trace level). The log names the *.pse file in which a certificate is missing; import that certificate if needed.
References:
1) #Install WD and enable WD auto-start script to server post reboot
– 768727 – Automatic restart functions in sapstart for processes
2) #Configuration of maximum number of concurrent connections
– 2007212 – This is not applicable for 7.53
3) #TLS V1.2 Parameters –
– 510007 ignore the warning for these parameters
– https://blogs.sap.com/2016/04/06/how-to-setup-the-sap-web-dispatcher-with-ssl-termination/
– https://blogs.sap.com/2016/04/06/how-to-setup-the-sap-web-dispatcher-with-ssl-re-encryption/
– 2110020 – Enabling TLS or disabling SSLv3 protocol versions on SAP WebDispatcher, or SAP WebAS (AS ABAP 6xx, 7xx or AS Java >= 710)
– Find missing certificates – 2394406 – Required information for analyzing SSL issues on Web Dispatchers
– 2368112 – Outgoing HTTPS connection does not work in AS ABAP
– 2376200 – Required information for analyzing SSL issues on AS ABAP systems (ICM)
– For SSL certificate errors, the best option is to raise the trace level in SMICM to 3 and execute the scenario. Then look in the log for the missing .pse file and certificate. Export that certificate using a browser or from the server and import it using STRUST or STRUSTSSO2.
4) #Back-end ABAP system configuration
– https://help.sap.com/saphelp_nw74/helpdata/en/1b/b0fd8a12344c4ca89b7a1c5d1d7310/frameset.htm
– https://launchpad.support.sap.com/#/notes/0002200552
– 2010948 – SAP Web Dispatcher support of virtual hosts
5) #SAP Web Dispatcher Administration
– https://help.sap.com/viewer/683d6a1797a34730a6e005d1e8de6f22/7.5.9/en-US/33ec0f6819bd4ee2a76fe86ea73c490a.html
6) #SSL Configuration parameters and Encryption
– https://help.sap.com/saphelp_nwpi711/helpdata/en/48/3ae05299c172d0e10000000a42189c/frameset.htm
– https://blogs.sap.com/2016/04/06/how-to-setup-the-sap-web-dispatcher-with-ssl-re-encryption/
– https://help.sap.com/saphelp_nwpi711/helpdata/en/48/957c6494cc73eae10000000a42189b/frameset.htm
– https://help.sap.com/saphelp_nwpi711/helpdata/en/48/957c6494cc73eae10000000a42189b/frameset.htm For ssl_auth and ssl_encrypt
– https://help.sap.com/saphelp_nw73/helpdata/en/49/23691cbf5a1902e10000000a42189c/frameset.htm
– https://help.sap.com/saphelp_nwpi711/helpdata/en/48/3e87afca6b72d0e10000000a42189c/frameset.htm
7) #Logging (System Specific)
– 2155855 – Web Dispatcher – System specific logging, caching and file access
8) #System_conflict_resolution – BEST_MATCH
– 2193190 – Web Dispatcher – wdisp/system_conflict_resolution – BEST_MATCH
– https://help.sap.com/viewer/683d6a1797a34730a6e005d1e8de6f22/7.5.9/en-US/b0ebfa88e9164d26bdf1d21a7ef6fc25.html
– 2200552 – Configuration of backend systems failed: Configuration conflict
#Permission Table
– 870127 – Security note for SAP Web Dispatcher
– https://help.sap.com/saphelp_nw74/helpdata/en/48/9ac19148c673e8e10000000a42189b/frameset.htm
9) #Cache (Global)
– https://launchpad.support.sap.com/#/notes/2155855
10) #Permission_table
– https://launchpad.support.sap.com/#/notes/870127
– https://help.sap.com/SAPHELP_NW73EHP1/HELPDATA/EN/48/9ab29948c673e8e10000000a42189b/frameset.htm
Good info
Thanks for the informative blog.
Nice blog...
Thanks for the informative blog. keep going.
Good post sirji
Good Information. Thanks