Secure SAP Web Dispatcher with TLS V1.2, SSL Termination and Encryption

The purpose of this blog post is to share how to secure SAP Web Dispatcher with TLS V1.2, SSL termination and encryption. It also includes troubleshooting tips that may be useful for a successful implementation, and at the end it lists the links and SAP Notes for each section and parameter.

SAP Web Dispatcher can be secured either by upgrading the existing Web Dispatcher or by installing a new one, since TLS V1.2 requires a current CommonCryptoLib 8.X.X.

The approach we followed was to install a new Web Dispatcher 7.53 while keeping the existing WD landscape. This gave us the flexibility to migrate the existing ABAP systems from the old WD to the new one individually, which allowed better control and reduced business disruption.

The required TLS V1.2 cipher suites are available in SAPCRYPTOLIB 5.5.5pl28 or higher and in CommonCryptoLib 8.4.10 or higher.

The typical audience of this blog post is basis administrators. I am writing it to share my experience of securing the WD and to collect everything in one place instead of scattering it across forum searches, which may help many admins and save them valuable time.

Requirement:

1) SAP Web Dispatcher 7.53 or higher

2) CommonCryptoLib (CCL) 8.4.48 or higher, or the old library (SAPCRYPTOLIB 5.5.5 plXX) at 5.5.5pl38 or higher, per SAP Note 510007

3) Digital certificate

Planning:

1) Build new Web Dispatcher 7.53 on new hardware

2) Download and install latest CommonCryptoLib

Approach:

1) Build new Web Dispatcher 7.53 on new hardware

2) Enable TLS V1.2 parameters in WD

3) Import the Digital Certificate

4) Configure the backend ABAP Systems and import the certificate in new WD

5) Configure TLS V1.2 parameters in backend ABAP systems

Steps:

1) #Install WD and enable the WD auto-start script so the instance starts after a server reboot

Autostart = 1

SignalMask_00 = default, 9

logfile/rotate = true

2) #Configuration of maximum number of concurrent connections

icm/max_conn = 32000

3) #TLS V1.2 Parameters – Per SAP Note 510007

ssl/ciphersuites = 547:PFS:eAES256:HIGH (547 = 512+32+2+1)

ssl/client_ciphersuites = 563:PFS:eAES256:HIGH (563 = 512+32+16+2+1)

4) #Back-end ABAP system configuration

wdisp/system_0 = SID=XXX, MSHOST=XXXXXXascs, MSPORT=81XX, SSL_ENCRYPT=2, CONFIG_PROTOCOL=https, SRCVHOST=XXXXXX.XXX.XXX:443

wdisp/system_1 = SID=XXX, MSHOST=XXXXXXascs, MSPORT=81XX, SSL_ENCRYPT=2, CONFIG_PROTOCOL=https, SRCVHOST=XXXXXX.XXX.XXX:443

…..

wdisp/system_x = SID=XXX, MSHOST=XXXXXXascs, MSPORT=81XX, SSL_ENCRYPT=2, CONFIG_PROTOCOL=https, SRCVHOST=XXXXXX.XXX.XXX:443

5) #SAP Web Dispatcher Administration

icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=$(DIR_DATA)$(DIR_SEP)icmandir,AUTHFILE=$(icm/authfile),ALLOWPUB=FALSE,PORT=44300,HOST=localhost;Physical_host,CLIENTHOST=*.XXXXX.XXX (Domain name)

6) #SSL Configuration parameters and Encryption

icm/server_port_0 = PROT=HTTPS,HOST=localhost,PORT=44300,TIMEOUT=90,PROCTIMEOUT=3600

icm/server_port_1 = PROT=HTTPS,HOST=Physical_host,PORT=44300,TIMEOUT=90,PROCTIMEOUT=3600

ssl/server_pse = /usr/sap/<SID>/W00/sec/SAPSSLS.pse

ssl/client_pse = /usr/sap/<SID>/W00/sec/SAPSSLC.pse

wdisp/ssl_cred = /usr/sap/<SID>/W00/sec/SAPSSLC.pse

wdisp/HTTPS/context_timeout=4000

wdisp/HTTPS/max_pooled_con=32000

wdisp/HTTPS/min_pooled_con=0

wdisp/HTTP/use_pool_for_new_conn=1

## Encryption

wdisp/ssl_encrypt=2

wdisp/ssl_auth=2

icm/HTTPS/verify_client=1

7) #Logging (System Specific)

icm/HTTP/logging_0 = PREFIX=/sap/admin/, LOGFILE=$(DIR_INSTANCE)/log/httpaccess/dev_httpaccess.log.adm, LOGFORMAT=SAP, SWITCHTF=day

icm/HTTP/logging_1 = PREFIX=/, LOGFILE=$(DIR_INSTANCE)/log/httpaccess/dev_httpaccess.log.<sid>, LOGFORMAT=SAP, SWITCHTF=day, SYSTEM=<SID>

8) #System_conflict_resolution – BEST_MATCH

wdisp/system_conflict_resolution = 2

is/HTTP/show_detailed_errors = FALSE

wdisp/permission_table = $(DIR_PROFILE)/$(SAPSYSTEMNAME)_$(INSTANCE_NAME)_permission_table

icm/HTTP/file_access_0 = PREFIX=/File_name.txt, DOCROOT=$(DIR_INSTANCE)/data/public/File_name.txt

icm/HTTP/file_access_1 = PREFIX=/File_name.ico, DOCROOT=$(DIR_INSTANCE)/data/public/File_name.ico
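To check that a profile actually carries the settings from steps 3 to 8, here is an added example (my own Python, not part of the original post and not an SAP tool) that parses profile lines together with their comma-separated sub-parameters and reports every deviation. The expected values are the ones listed in the steps above; the two embedded profile fragments are constructed samples with placeholder host names, and the parenthetical annotations such as (512+32+2+1) are left out of the values because they are explanations, not part of the parameter.

```python
import re
from typing import Dict, List

# Constructed sample of a profile that still carries weak settings (not from the post).
WEAK_PROFILE = """
icm/server_port_0 = PROT=HTTP,PORT=8000,TIMEOUT=90,PROCTIMEOUT=3600
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=$(DIR_DATA)$(DIR_SEP)icmandir,AUTHFILE=$(icm/authfile),ALLOWPUB=TRUE,PORT=8000
wdisp/system_0 = SID=ABC, MSHOST=abcascs, MSPORT=8100, SSL_ENCRYPT=0, CONFIG_PROTOCOL=http, SRCVHOST=abc.example.test:443
wdisp/ssl_encrypt = 0
is/HTTP/show_detailed_errors = TRUE
"""

# Constructed sample mirroring the hardened values from the steps above (placeholder hosts).
HARDENED_PROFILE = """
ssl/ciphersuites = 547:PFS:eAES256:HIGH
ssl/client_ciphersuites = 563:PFS:eAES256:HIGH
icm/server_port_0 = PROT=HTTPS,HOST=localhost,PORT=44300,TIMEOUT=90,PROCTIMEOUT=3600
icm/server_port_1 = PROT=HTTPS,HOST=wdhost,PORT=44300,TIMEOUT=90,PROCTIMEOUT=3600
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=$(DIR_DATA)$(DIR_SEP)icmandir,AUTHFILE=$(icm/authfile),ALLOWPUB=FALSE,PORT=44300,HOST=localhost;wdhost,CLIENTHOST=*.example.test
wdisp/system_0 = SID=ABC, MSHOST=abcascs, MSPORT=8100, SSL_ENCRYPT=2, CONFIG_PROTOCOL=https, SRCVHOST=abc.example.test:443
wdisp/ssl_encrypt = 2
wdisp/ssl_auth = 2
icm/HTTPS/verify_client = 1
is/HTTP/show_detailed_errors = FALSE
wdisp/permission_table = $(DIR_PROFILE)/$(SAPSYSTEMNAME)_$(INSTANCE_NAME)_permission_table
"""

# Single-valued parameters and the values the steps above prescribe for them.
EXPECTED = {
    "ssl/ciphersuites": "547:PFS:eAES256:HIGH",
    "ssl/client_ciphersuites": "563:PFS:eAES256:HIGH",
    "wdisp/ssl_encrypt": "2",
    "wdisp/ssl_auth": "2",
    "icm/HTTPS/verify_client": "1",
    "is/HTTP/show_detailed_errors": "FALSE",
}


def parse_profile(text: str) -> Dict[str, str]:
    """Read 'key = value' lines; '#' lines are comments. A key that appears
    twice keeps its last value, which is how the instance profile behaves."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def subparams(value: str) -> Dict[str, str]:
    """Split a 'KEY=val, KEY2=val2' parameter value; keys are upper-cased."""
    out: Dict[str, str] = {}
    for part in value.split(","):
        key, sep, val = part.partition("=")
        if sep:
            out[key.strip().upper()] = val.strip()
    return out


def lint(params: Dict[str, str]) -> List[str]:
    """Return one finding per deviation from the hardened settings; [] means clean."""
    findings: List[str] = []
    for key, want in EXPECTED.items():
        raw = params.get(key, "").strip()
        have = raw.split(None, 1)[0] if raw else ""  # drop trailing annotations
        if have.upper() != want.upper():
            findings.append(f"{key}: expected {want}, found {have or '<unset>'}")
    if "wdisp/permission_table" not in params:
        findings.append("wdisp/permission_table: not set, no URL allow-list enforced")
    for key, value in params.items():
        sub = subparams(value)
        if re.fullmatch(r"wdisp/system_\d+", key):
            if sub.get("SSL_ENCRYPT") != "2":
                findings.append(f"{key}: SSL_ENCRYPT={sub.get('SSL_ENCRYPT', '<unset>')}, backend traffic not forced to TLS")
            if sub.get("CONFIG_PROTOCOL", "").lower() != "https":
                findings.append(f"{key}: CONFIG_PROTOCOL is not https")
        elif re.fullmatch(r"icm/server_port_\d+", key):
            if sub.get("PROT", "").upper() != "HTTPS":
                findings.append(f"{key}: PROT={sub.get('PROT', '<unset>')} is a plaintext listener")
        elif re.fullmatch(r"icm/HTTP/admin_\d+", key):
            if sub.get("ALLOWPUB", "").upper() != "FALSE":
                findings.append(f"{key}: ALLOWPUB must be FALSE")
            if "CLIENTHOST" not in sub:
                findings.append(f"{key}: CLIENTHOST not restricted")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"{name}: {lint(parse_profile(text)) or 'no findings'}")
```

Run it against a real profile by reading the file into parse_profile; values containing $(...) substitutions are compared as written, so the permission-table path is only checked for presence, not resolved.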

9) #Cache (Global)

icm/HTTP/server_cache_0/http_cache_control = true

icm/HTTP/server_cache_0 = PREFIX=/, CACHEDIR = $(DIR_INSTANCE)/data/cache/0

icm/HTTP/server_cache_0/expiration = 86400

icm/trace_secured_data = 1

rdisp/TRACE = 1

10) #Permission_table – Example <SID>_W00_permission_table

S /sap/bc/*

S /sap/saml2/*

S /sap/opu/*

S /sap/es/ina/*

S /sap/public/*

# Deny all others

D *
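To make the rule order concrete, here is an added example (my own Python, not code from the post or from SAP) that parses a table in this format and decides a request. It assumes the documented meaning of the actions, P = permit, D = deny, S = permit only over HTTPS, and that the first matching line wins, which is the reason the catch-all D * must be the last line. The path normalisation is the example's own addition, not a description of what the Web Dispatcher does internally; the embedded table is a constructed copy of the one above.

```python
import posixpath
import re
from typing import List, Optional, Tuple

# Constructed copy of the permission table shown above.
EXAMPLE_TABLE = """
S /sap/bc/*
S /sap/saml2/*
S /sap/opu/*
S /sap/es/ina/*
S /sap/public/*
# Deny all others
D *
"""

Rule = Tuple[str, str]  # (action, URL pattern)


def parse_permission_table(text: str) -> List[Rule]:
    """One rule per line: ACTION PATTERN. '#' starts a comment, blank lines are
    skipped. Actions (assumed from SAP's documentation): P = permit, D = deny,
    S = permit only over HTTPS."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].upper() not in ("P", "D", "S"):
            raise ValueError(f"line {lineno}: malformed rule {raw!r}")
        rules.append((parts[0].upper(), parts[1].strip()))
    return rules


def pattern_matches(pattern: str, url: str) -> bool:
    """'*' matches any run of characters (including '/'); everything else is literal."""
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.fullmatch(regex, url) is not None


def canonical_path(path: str) -> str:
    """Collapse '..' and '//' so a traversal-style path cannot borrow a permissive
    prefix. This is the example's own defensive step, not Web Dispatcher behaviour."""
    url = path.split("?", 1)[0]
    normalized = posixpath.normpath("/" + url.lstrip("/"))
    if url.endswith("/") and not normalized.endswith("/"):
        normalized += "/"
    return normalized


def evaluate(rules: List[Rule], path: str, https: bool) -> Tuple[str, Optional[Rule]]:
    """First matching rule wins (which is why 'D *' sits last).
    Returns ('permit' | 'deny', deciding rule or None when nothing matched)."""
    url = canonical_path(path)
    for rule in rules:
        action, pattern = rule
        if pattern_matches(pattern, url):
            if action == "P":
                return "permit", rule
            if action == "D":
                return "deny", rule
            return ("permit" if https else "deny"), rule  # S: HTTPS only
    return "deny", None  # nothing matched: fail closed


if __name__ == "__main__":
    table = parse_permission_table(EXAMPLE_TABLE)
    for req, tls in (("/sap/bc/gui/sap/its/webgui", True),
                     ("/sap/bc/gui/sap/its/webgui", False),
                     ("/sap/wdisp/admin/public/default.html", True),
                     ("/sap/public/../wdisp/admin/", True)):
        print(f"{'https' if tls else 'http ':5} {req:40} -> {evaluate(table, req, tls)}")
```

The last sample request shows why normalisation matters in any evaluator of this kind: matched as a raw string, /sap/public/../wdisp/admin/ would satisfy the S /sap/public/* line, while the canonical path /sap/wdisp/admin/ falls through to D *.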

11) #Backend ABAP system – per SAP Note 510007

 – ssl/ciphersuites = 547:PFS:eAES256:HIGH (547 = 512+32+2+1)

 – ssl/client_ciphersuites = 563:PFS:eAES256:HIGH (563 = 512+32+16+2+1)

 – icm/HTTPS/verify_client=1

 – Import the digital certificate for the ABAP system

12) #Check the SSL status using the Perl script ssl-hellotest.pl, which is attached to SAP Note 2110020

Syntax: perl ssl-hellotest.pl Application_Host Port_Number
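As an added check alongside ssl-hellotest.pl (my own Python using only the standard library, not code from the post or from SAP Note 2110020), the following probes a host once per protocol version, pinning each handshake to exactly that version, and compares the outcome with the TLS V1.2-only goal of this post. Host and port are command-line arguments; the assessment is a separate function so it can also be run on recorded results.

```python
import socket
import ssl
import sys
from typing import Dict, List

# Versions the hardened Web Dispatcher must refuse, and versions of which at least one must succeed.
LEGACY = {"TLSv1": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1}
MODERN = {"TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}


def try_handshake(host: str, port: int, version: ssl.TLSVersion, timeout: float = 5.0) -> str:
    """Handshake pinned to one protocol version. Returns 'accepted:<cipher>',
    'rejected', 'unreachable' (TCP failed) or 'untestable' (local OpenSSL lacks it)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # probing the protocol policy, not certificate trust
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        if version in LEGACY.values():
            # Current OpenSSL builds refuse TLS 1.0/1.1 at their default security
            # level; lower it so a rejection can only come from the server under test.
            ctx.set_ciphers("ALL:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return "untestable"
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return "accepted:" + tls.cipher()[0]
    except OSError:  # ssl.SSLError and a reset connection both mean the server refused
        return "rejected"
    finally:
        sock.close()


def probe(host: str, port: int) -> Dict[str, str]:
    """Try every version in LEGACY and MODERN against host:port."""
    return {name: try_handshake(host, port, ver) for name, ver in {**LEGACY, **MODERN}.items()}


def assess(results: Dict[str, str]) -> List[str]:
    """Compare probe results with the TLS 1.2-only goal; an empty list means compliant."""
    findings: List[str] = []
    for name in LEGACY:
        if results.get(name, "").startswith("accepted"):
            findings.append(f"{name} still accepted ({results[name]})")
    if not any(results.get(name, "").startswith("accepted") for name in MODERN):
        findings.append("no TLS 1.2 or 1.3 handshake succeeded")
    for name, status in results.items():
        if status in ("untestable", "unreachable"):
            findings.append(f"{name}: {status}, result inconclusive")
    return findings


if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])
    outcome = probe(host, port)
    for name, status in outcome.items():
        print(f"{name:8} {status}")
    print("findings:", assess(outcome) or "none")
```

Usage: python tlsprobe.py Physical_host 44300. An "untestable" entry means the machine you run from cannot speak that version at all, so it proves nothing about the Web Dispatcher; repeat from a host whose OpenSSL still supports TLS 1.0/1.1 before concluding those versions are disabled.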


Conclusion: By applying the recommendations and parameters above, the Web Dispatcher is secured, which protects the SAP environment behind it from many complex attacks and protects the entire SAP landscape from compromise.

– Secured Web Dispatcher that accepts only TLS V1.2 with strong ciphers

– Disabled weak ciphers and the SSL 3.0, TLS V1.0 and TLS V1.1 protocols

– Enabled SSL termination, so TLS is enforced at the Web Dispatcher level and all incoming and outgoing traffic is protected.

Troubleshooting Tips:

1) New WD URL – https://Physical_host:44300/sap/wdisp/admin/public/default.html

2) Check the parameters using the command below and fix any that are reported.

sapwebdisp pf=<SID>_W00_Hostname_Profile -checkconfig

3) To import the ABAP backend system certificate into the WD, open the WD URL, click the SID of the backend system, go to the right-hand panel => Host Name => Establish Connection and import the certificate.

4) Enable the HTTPS port using icm/server_port_X=PROT=HTTPS,PORT=XXXX,TIMEOUT=600,PROCTIMEOUT=600 and cross-check it using transaction SMICM.

5) Check the trace using transaction SMICM (increase the trace level). It shows the *.pse file in which a certificate is missing; import that certificate if needed.

References:

1) #Install WD and enable WD auto-start script to server post reboot

 – 768727 – Automatic restart functions in sapstart for processes

2) #Configuration of maximum number of concurrent connections

 – 2007212 – This is not applicable for 7.53

3) #TLS V1.2 Parameters –

 – 510007 – ignore the warning for these parameters

 – https://blogs.sap.com/2016/04/06/how-to-setup-the-sap-web-dispatcher-with-ssl-termination/

 – https://blogs.sap.com/2016/04/06/how-to-setup-the-sap-web-dispatcher-with-ssl-re-encryption/

 – 2110020 – Enabling TLS or disabling SSLv3 protocol versions on SAP WebDispatcher, or SAP WebAS (AS ABAP 6xx, 7xx or AS Java >= 710)

 – Find missing certificates – 2394406 – Required information for analyzing SSL issues on Web Dispatchers

 – 2368112 – Outgoing HTTPS connection does not work in AS ABAP

 – 2376200 – Required information for analyzing SSL issues on AS ABAP systems (ICM)

 – For SSL certificate errors, the best option is to raise the trace level in SMICM to 3 and execute the scenario. Then look in the trace for the missing .pse file and certificate, export that certificate using the browser or from the server, and import it using STRUST or STRUSTSSO2.

4) #Back-end ABAP system configuration

 – https://help.sap.com/saphelp_nw74/helpdata/en/1b/b0fd8a12344c4ca89b7a1c5d1d7310/frameset.htm

 – https://launchpad.support.sap.com/#/notes/0002200552

 – 2010948 – SAP Web Dispatcher support of virtual hosts

5) #SAP Web Dispatcher Administration

 – https://help.sap.com/viewer/683d6a1797a34730a6e005d1e8de6f22/7.5.9/en-US/33ec0f6819bd4ee2a76fe86ea73c490a.html

6) #SSL Configuration parameters and Encryption

 – https://help.sap.com/saphelp_nwpi711/helpdata/en/48/3ae05299c172d0e10000000a42189c/frameset.htm

 – https://blogs.sap.com/2016/04/06/how-to-setup-the-sap-web-dispatcher-with-ssl-re-encryption/

 – https://help.sap.com/saphelp_nwpi711/helpdata/en/48/957c6494cc73eae10000000a42189b/frameset.htm

 – https://help.sap.com/saphelp_nwpi711/helpdata/en/48/957c6494cc73eae10000000a42189b/frameset.htm For ssl_auth and ssl_encrypt

 – https://help.sap.com/saphelp_nw73/helpdata/en/49/23691cbf5a1902e10000000a42189c/frameset.htm

 – https://help.sap.com/saphelp_nwpi711/helpdata/en/48/3e87afca6b72d0e10000000a42189c/frameset.htm

7) #Logging (System Specific)

 – 2155855 – Web Dispatcher – System specific logging, caching and file access

8) #System_conflict_resolution – BEST_MATCH

 – 2193190 – Web Dispatcher – wdisp/system_conflict_resolution – BEST_MATCH

 – https://help.sap.com/viewer/683d6a1797a34730a6e005d1e8de6f22/7.5.9/en-US/b0ebfa88e9164d26bdf1d21a7ef6fc25.html

 – 2200552 – Configuration of backend systems failed: Configuration conflict

  #Permission Table

 – 870127 – Security note for SAP Web Dispatcher

 – https://help.sap.com/saphelp_nw74/helpdata/en/48/9ac19148c673e8e10000000a42189b/frameset.htm

9) #Cache (Global)

 – https://launchpad.support.sap.com/#/notes/2155855

10) #Permission_table

 – https://launchpad.support.sap.com/#/notes/870127

 – https://help.sap.com/SAPHELP_NW73EHP1/HELPDATA/EN/48/9ab29948c673e8e10000000a42189b/frameset.htm
