Yogesh Patel

Free SSL for SAP Web Dispatcher – Let’s Encrypt

Recently I came across a situation where I needed to configure my SAP Web Dispatcher for SSL, and in order to perform testing I had to start with my sandbox environment. When you talk about SSL, there is a price tag of approximately $250.00 associated with the certificate for each of your environments.

Now my challenge was to get this testing done as soon as possible, free of cost, and users should not get certificate errors when accessing from the internet or intranet.

Let me share what type of architecture I have

 

Now let's start configuring SAP Web Dispatcher for SSL

Creating PSE file for SAP Web Dispatcher

  • Create PSE as shown below…(just for an example)

  • Now you have PSE created as below

 

Requesting Certificate

Note: Open firewall port 80 for your SAP Web Dispatcher prior to the steps below

Note: This can be done via https://zerossl.com/ with similar steps

  • Provide website URL as below

  • Click On Manual Verification

  • Click on Manually Verify Domain

  • Now you will be on the screen below

 

  • Click on step 1. Download File #1

 

  • Once you save this file, it will have a long name like XXXXXXXXXXXXXXXXXXMYFV03nUWvwX8ksFo

 

  • Now add the lines below to your SAP Web Dispatcher instance profile parameters
#-----------------------------------------------------------------------
# SSL Letsencrypt
#-----------------------------------------------------------------------
icm/HTTP/redirect_0 = PREFIX=/.well-known/acme-challenge/XXXXXXXXXXXXXXXXXXMYFV03nUWvwX8ksFo, TO=/sap/wdisp/admin/public/.well-known/acme-challenge/XXXXXXXXXXXXXXXXXXMYFV03nUWvwX8ksFo
  • Copy this file into the location below on your SAP Web Dispatcher installation:

E:\usr\sap\WFX\W00\data\icmandir\admin\public\.well-known\acme-challenge

 

Note: You need to create folders manually

Tip: Use command prompt to create folders

  • Now restart your SAP Web Dispatcher

 

  • Now you should be able to access the URL shown on the page (example below)

 

Note:

For newer versions of SAP Web Dispatcher (version 7.77 and up), you need to modify the admin parameter as below to access the URL without the WEBADM username and password

icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=$(DIR_DATA)$(DIR_SEP)icmandir,AUTHFILE=$(icm/authfile),ALLOWPUB=TRUE

Ref: https://wiki.scn.sap.com/wiki/display/SI/Tips+and+best+practices+for+security+on+Web+Dispatcher+and+ICM

 

 

  • Now click Download SSL Certificate

  • On the next screen you will see that all three certificates have been generated, as below; click Download All SSL Certificate files

 

  • Save file

 

  • Extract the file and you will have the files below

 

Extract Root Certificate from Certificate.crt file

  • Open certificate.crt and click on Certification Path TAB

  • Highlight DST Root CA X3 and click View certificate and go to Details tab and Click Copy to File

  • Save as DER encoded…

  • Save as Root certificate

  • Now you have certificate as below

 

Install OpenSSL on your local computer/PC

 

You need to install the OpenSSL software on your local computer before you go to the next step

You can download it for Windows from: https://slproweb.com/products/Win32OpenSSL.html

Note: Get the x64 version if possible

 

Once it is installed, you will be able to run the openssl command as below

 

Working with files to generate SAPSSLS.pse file

Note: Make sure SECUDIR is set up properly on your server for the sidadm user account

  • Run the following command

openssl pkcs12 -export -out certificate.pfx -inkey private.key -in certificate.crt  -certfile ca_bundle.crt

Note: No password required…

  • You now have a new file created as below: certificate.pfx

  • Delete or rename the SAPSSLS.pse file in the sec folder…

 

  • Copy Root.cer, certificate.pfx and ca_bundle.crt to X:\usr\sap\SID\W00\sec folder

 

  • Run the command below while logged in as <sidadm>

sapgenpse import_p12 -r ca_bundle.crt  -r root.cer -p SAPSSLS.pse certificate.pfx

  • This will create the PSE file as below
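An added example (not from the original post) of checks worth running before the openssl pkcs12 and sapgenpse steps above: that private.key belongs to certificate.crt, that the certificate is not about to expire, and that it chains through ca_bundle.crt to the extracted root.cer. It is written for a POSIX shell with OpenSSL 1.1.0 or later; the function names and the throwaway self-signed sample are this example's own.

```shell
#!/bin/sh
# Added example: checks on the downloaded files before building certificate.pfx.
# File names follow the article; the function names are this example's own.

# 0 if the private key and the certificate carry the same public key.
key_matches_cert() {    # key_matches_cert private.key certificate.crt
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 if the certificate is still valid N days from now.
valid_for_days() {      # valid_for_days certificate.crt 7
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# 0 if the certificate chains through ca_bundle.crt to the DER-encoded root.
# -no-CApath (OpenSSL 1.1.0+) keeps the default certificate directory out.
chain_verifies() {      # chain_verifies root.cer ca_bundle.crt certificate.crt
    root_pem=$(mktemp) || return 1
    if openssl x509 -inform DER -in "$1" -out "$root_pem" 2>/dev/null &&
       openssl verify -no-CApath -CAfile "$root_pem" -untrusted "$2" "$3" >/dev/null 2>&1
    then rc=0; else rc=1; fi
    rm -f "$root_pem"
    return "$rc"
}

preflight() {           # preflight private.key certificate.crt ca_bundle.crt root.cer
    key_matches_cert "$1" "$2"    || { echo "FAIL: key does not match certificate"; return 1; }
    valid_for_days "$2" 7         || { echo "FAIL: certificate expires within 7 days"; return 1; }
    chain_verifies "$4" "$3" "$2" || { echo "FAIL: chain does not reach root.cer"; return 1; }
    echo "OK"
}

# Constructed throwaway self-signed certificate, so the script runs offline.
make_sample() {         # make_sample <dir> <name>
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2.example.test" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$1/$2.crt" -outform DER -out "$1/$2.cer"
}

if [ $# -eq 4 ]; then
    preflight "$@"
else
    d=$(mktemp -d) && make_sample "$d" demo &&
        preflight "$d/demo.key" "$d/demo.crt" "$d/demo.crt" "$d/demo.cer"
    rm -rf "$d"
fi
```

Called with four arguments (private.key certificate.crt ca_bundle.crt root.cer) it checks those files; with none it runs against the generated sample.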

 

Restart SAP Web Dispatcher and now you will see that your certificate is issued by the Let’s Encrypt authority

 

 

Hope you enjoyed reading this technical document. One last note: make sure to revert your profile parameter in your SAP instance profile and disable firewall port 80

We do not have the HTTP port enabled on our SAP Web Dispatcher
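An added example (not part of the original post) of checking the instance profile once the certificate is installed: it flags the acme-challenge redirect and ALLOWPUB=TRUE shown earlier, plus any plain-HTTP icm/server_port_<n> listener. The icm/server_port_<n> lines and TOKEN in the sample are constructed, and the finding labels are this example's own.

```shell
#!/bin/sh
# Added example: flag issuance-time settings left in a Web Dispatcher profile.
# The function name and finding labels are this example's own.
audit_wdisp_profile() {     # audit_wdisp_profile <instance-profile>
    awk '
        /^[ \t]*#/ || !/=/ { next }              # skip comments and non-assignments
        {
            eq = index($0, "=")                  # split on the first "=" only
            name = substr($0, 1, eq - 1); value = substr($0, eq + 1)
            gsub(/[ \t\r]/, "", name); gsub(/[ \t\r]/, "", value)
            up = "," toupper(value) ","          # comma-delimit the option list
        }
        name ~ /^icm\/HTTP\/redirect_[0-9]+$/ && value ~ /\/\.well-known\/acme-challenge/ {
            print "ACME_REDIRECT " name; bad = 1 }
        name ~ /^icm\/HTTP\/admin_[0-9]+$/ && up ~ /,ALLOWPUB=TRUE,/ {
            print "ADMIN_ALLOWPUB " name; bad = 1 }
        name ~ /^icm\/server_port_[0-9]+$/ && up ~ /,PROT=HTTP,/ {
            print "PLAIN_HTTP_PORT " name; bad = 1 }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample profile: the state during certificate issuance.
sample=$(mktemp)
cat > "$sample" <<'EOF'
icm/HTTP/redirect_0 = PREFIX=/.well-known/acme-challenge/TOKEN, TO=/sap/wdisp/admin/public/.well-known/acme-challenge/TOKEN
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=$(DIR_DATA)$(DIR_SEP)icmandir,AUTHFILE=$(icm/authfile),ALLOWPUB=TRUE
icm/server_port_0 = PROT=HTTP,PORT=80
icm/server_port_1 = PROT=HTTPS,PORT=443
EOF
audit_wdisp_profile "$sample" || echo "issuance-time settings still present"
rm -f "$sample"
```

The function exits non-zero when it prints a finding, so it can gate a restart or a change ticket.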

Thank you

Yogesh Patel


      7 Comments
      Anand Tigadikar

      Thanks for sharing.

      By any chance per note # https://launchpad.support.sap.com/#/notes/2107899, did you face issue of not able to access UI ? I'm getting error as - 'HANA Web Dispatcher is denied. 403 Forbidden responses are returned for requests to /sap/hana/xs/wdisp/admin'?

       

      Yogesh Patel
      Blog Post Author

      Hello Anand Tigadikar

      What version of HANA are you using?

      Open the Website of the Web Dispatcher Administration (http://<yourhanaserver>:<yourhttpport>/sap/hana/xs/wdisp/admin/public/default.html)

      -Yogesh

      Anand Tigadikar

      Pls ignore this is resolved now..

      I'm able to open relevant URL.

      Yogesh Patel
      Blog Post Author

      Hello Anand Tigadikar,

      I am glad that you resolved the issue.

      Thank you

      Yogesh

      Lukman Hakim

      I have successfully done your guide, but when I restart my Web Dispatcher, I cannot access the Web Dispatcher via web browser

      Lukman Hakim

      My problem was solved by generating a new PSE, thanks.

       

      Andres Chacon

      Hello Yogesh, thanks for your blog entry!

      I have followed all the steps successfully, but at the final step I get the “import_p12: Error creating PSE /home/awdadm/sec/SAPSSLS.pse!” error when generating the PSE file.

      Did you face something similar?

      Thanks in advance.

      BR.