Free SSL for SAP Web Dispatcher – Let’s Encrypt
Recently I came across a situation where I needed to configure my SAP Web Dispatcher for SSL, and in order to perform testing I had to start with my sandbox environment. When you talk about SSL, there is a price tag of approximately $250.00 associated with the certificate for each of your environments.
Now my challenge was to get this testing done as soon as possible and free of cost, and users should not get certificate errors when accessing from the internet or intranet.
Let me share what type of architecture I have
Now let's start configuring SAP Web Dispatcher for SSL
Creating PSE file for SAP Web Dispatcher
- Log in to the SAP Web Dispatcher administration URL https://hostname.domain.com/sap/wdisp/admin/public/default.html
- Navigate to PSE Management
- Create PSE as shown below…(just for an example)
- Now you have PSE created as below
Requesting Certificate
Note: Open firewall port 80 for your SAP Web Dispatcher prior to the steps below
Note: This can be done via https://zerossl.com/ with similar steps
- Provide website URL as below
- Click On Manual Verification
- Click on Manually Verify Domain
- You will now be on the screen below
- Click on step 1. Download File #1
- Once you save this file, it will have a long name like: XXXXXXXXXXXXXXXXXXMYFV03nUWvwX8ksFo
- Now add the parameter below to your SAP Web Dispatcher instance profile
#-----------------------------------------------------------------------
# SSL Letsencrypt
#-----------------------------------------------------------------------
icm/HTTP/redirect_0 = PREFIX=/.well-known/acme-challenge/XXXXXXXXXXXXXXXXXXMYFV03nUWvwX8ksFo, TO=/sap/wdisp/admin/public/.well-known/acme-challenge/XXXXXXXXXXXXXXXXXXMYFV03nUWvwX8ksFo
- Copy this file into the location below on your SAP Web Dispatcher installation ….
E:\usr\sap\WFX\W00\data\icmandir\admin\public\.well-known\acme-challenge
Note: You need to create folders manually
Tip: Use command prompt to create folders
- Now restart your SAP Web Dispatcher
- Now you should be able to access the URL shown on the page … example below
Note:
For newer versions of SAP Web Dispatcher (version 7.77 and up) you need to modify the admin parameter as below to access the URL without the WEBADM username and password
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=$(DIR_DATA)$(DIR_SEP)icmandir,AUTHFILE=$(icm/authfile),ALLOWPUB=TRUE
Ref: https://wiki.scn.sap.com/wiki/display/SI/Tips+and+best+practices+for+security+on+Web+Dispatcher+and+ICM
- Now Click Download SSL Certificate
- On the next screen you will see that all three certificates have been generated, as below. Click Download All SSL Certificate files
- Save file
- Extract file and you will have files as below
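The challenge-file steps above (file name, folder below icmandir, redirect parameter) can be scripted so the profile line and the folder path cannot drift apart. This is an added example, not part of the original post; `stage_challenge` and its arguments are hypothetical names, and the token and file-content checks follow the ACME http-01 rules in RFC 8555.

```python
import re
import shutil
import tempfile
from pathlib import Path

# RFC 8555: http-01 token file names use only the base64url alphabet.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")
CHALLENGE = "/.well-known/acme-challenge"
ADMIN_PUBLIC = "/sap/wdisp/admin/public"  # public admin prefix used in the article


def stage_challenge(token_file, dir_data, index=0):
    """Copy the downloaded challenge file below <DIR_DATA>/icmandir and
    return the matching icm/HTTP/redirect_<index> profile line."""
    src = Path(token_file)
    token = src.name
    if not TOKEN_RE.match(token):
        # Rejects names with dots, spaces or separators before they reach
        # the file system or the instance profile.
        raise ValueError(f"not an ACME token file name: {token!r}")
    body = src.read_text(encoding="ascii").strip()
    # RFC 8555 key authorization: "<token>.<account key thumbprint>"
    if not body.startswith(token + "."):
        raise ValueError("file content does not start with its own token")
    dest_dir = Path(dir_data, "icmandir", "admin", "public",
                    ".well-known", "acme-challenge")
    dest_dir.mkdir(parents=True, exist_ok=True)  # creates the dot-folders
    shutil.copyfile(src, dest_dir / token)
    return (f"icm/HTTP/redirect_{index} = PREFIX={CHALLENGE}/{token}, "
            f"TO={ADMIN_PUBLIC}{CHALLENGE}/{token}")


if __name__ == "__main__":
    # Constructed token file and data directory, for demonstration only.
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp, "CONSTRUCTED_token-01")
        sample.write_text("CONSTRUCTED_token-01.constructed-thumbprint\n")
        print(stage_challenge(sample, Path(tmp, "data")))
```

On the system from the article, `dir_data` would be E:\usr\sap\WFX\W00\data.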
Extract Root Certificate from Certificate.crt file
- Open certificate.crt and click on the Certification Path tab
- Highlight DST Root CA X3 and click View certificate and go to Details tab and Click Copy to File
- Save as DER encoded…
- Save as Root certificate
- Now you have certificate as below
Install OpenSSL on your local computer/PC
You need to install the OpenSSL software on your local computer before you go to the next step
You can download for windows from : https://slproweb.com/products/Win32OpenSSL.html
Note: Get the 64-bit version if possible
Once it is installed you will be able to run the openssl command as below
Working with files to generate SAPSSLS.pse file
Note: Make sure SECUDIR is set up properly on your server for the sidadm user account
- Run following command
openssl pkcs12 -export -out certificate.pfx -inkey private.key -in certificate.crt -certfile ca_bundle.crt
Note: No password required…
- You now have a new file, Certificate.pfx, created as below
- Delete or rename SAPSSLS.pse file from sec folder…
- Copy Root.cer, certificate.pfx and ca_bundle.crt to X:\usr\sap\SID\W00\sec folder
- Run the command below while logged in as <sidadm>
sapgenpse import_p12 -r ca_bundle.crt -r root.cer -p SAPSSLS.pse certificate.pfx
- This will create the PSE file as below
Restart SAP Web Dispatcher and you will now see that your certificate is issued by the Let’s Encrypt authority
Hope you enjoyed reading this technical document. One last note: make sure to revert your profile parameter in your SAP instance profile and disable firewall port 80
We do not have the HTTP port enabled on our SAP Web Dispatcher
Thank you
Yogesh Patel
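The final note in the article (revert the profile parameter, close port 80) can be checked against the instance profile itself. This is an added example, not part of the original post: `audit_profile` is a hypothetical helper, the sample profile is constructed, and `icm/server_port_<n>` is the standard ICM listener parameter, which the article does not show.

```python
def parse_options(value):
    """Split an ICM 'KEY=val, KEY=val' option string into an upper-cased dict."""
    opts = {}
    for part in value.split(","):
        key, _, val = part.strip().partition("=")
        if key:
            opts[key.upper()] = val.strip()
    return opts


def audit_profile(text):
    """Return (parameter, reason) pairs for validation-time settings that
    are still active in a Web Dispatcher instance profile."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # comments and non-parameter lines are inactive
        name, _, value = line.partition("=")
        name, opts = name.strip(), parse_options(value)
        if (name.startswith("icm/HTTP/redirect_")
                and opts.get("PREFIX", "").startswith("/.well-known/acme-challenge")):
            findings.append((name, "ACME challenge redirect still active"))
        elif (name.startswith("icm/HTTP/admin_")
                and opts.get("ALLOWPUB", "").upper() == "TRUE"):
            findings.append((name, "admin public area served without WEBADM login"))
        elif (name.startswith("icm/server_port_")
                and opts.get("PROT", "").upper() == "HTTP"):
            findings.append((name, "plain HTTP listener on port " + opts.get("PORT", "?")))
    return findings


# Constructed sample profile: the article's two parameters plus assumed listeners.
SAMPLE_PROFILE = """\
# SSL Letsencrypt
icm/HTTP/redirect_0 = PREFIX=/.well-known/acme-challenge/EXAMPLETOKEN, TO=/sap/wdisp/admin/public/.well-known/acme-challenge/EXAMPLETOKEN
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=$(DIR_DATA)$(DIR_SEP)icmandir,AUTHFILE=$(icm/authfile),ALLOWPUB=TRUE
icm/server_port_0 = PROT=HTTPS,PORT=443
icm/server_port_1 = PROT=HTTP,PORT=80
"""

if __name__ == "__main__":
    for name, reason in audit_profile(SAMPLE_PROFILE):
        print(f"{name}: {reason}")
```

The firewall rule for port 80 lives outside the profile and has to be checked separately.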
Thanks for sharing.
By any chance, per note # https://launchpad.support.sap.com/#/notes/2107899, did you face the issue of not being able to access the UI? I'm getting the error 'HANA Web Dispatcher is denied. 403 Forbidden responses are returned for requests to /sap/hana/xs/wdisp/admin'.
Hello Anand Tigadikar
What version of HANA are you using?
Open the Website of the Web Dispatcher Administration (http://<yourhanaserver>:<yourhttpport>/sap/hana/xs/wdisp/admin/public/default.html)
-Yogesh
Please ignore, this is resolved now.
I'm able to open relevant URL.
Hello Anand Tigadikar,
I am glad that you resolved the issue.
Thank you
Yogesh
I have successfully completed your guide, but when I restart my Web Dispatcher, I cannot access the Web Dispatcher via web browser.
My problem was solved by generating a new PSE, thanks.
Hello Yogesh, thanks for your blog entry!
I have followed all the steps successfully but at final step I get “import_p12: Error creating PSE /home/awdadm/sec/SAPSSLS.pse!” error when generating PSE file.
Did you face something similar?
Thanks in advance.
BR.