
SSL Setup on SAP Web Dispatcher Integrated into Process Orchestration SCS Instance

Purpose

The goal of this blog post is to provide the steps necessary to configure the SSL termination scenario on a Web Dispatcher integrated into the SCS instance of Process Orchestration (AS Java).

Overview

The blog post covers the configuration of the Web Dispatcher in an existing SCS instance running on an NW 7.5 (AS Java) system, along with the SSL termination configuration needed to access PO tools such as the Enterprise Service Repository, Integration Directory, process monitoring and SLD using the HTTPS protocol.

Prerequisites

  • SAP process orchestration server is installed
  • SAP cryptographic library is already installed

Steps To Configure Integrated Web Dispatcher

1. Profile Parameters

The following parameters need to be updated in the SCS instance profile to set up the integrated Web Dispatcher in the existing SCS instance.

  • _CPARGX = list:$(DIR_CT_RUN)/webdispinst.lst
  • Execute_<xx> = immediate $(DIR_CT_RUN)/sapcpe$(FT_EXE) pf=$(_PF) $(_CPARGX)
  • _WD = wd.sap$(SAPSYSTEMNAME)_$(INSTANCE_NAME)
  • Execute_<xx> = local rm -f $(_WD)
  • Execute_<xx> = local ln -s -f $(DIR_EXECUTABLE)/sapwebdisp$(FT_EXE) $(_WD)
  • Restart_Program_<xx> = local $(_WD) pf=$(_PF)
  • wdisp/system_0 = SID=<SID>, MSHOST=<hostname>, MSPORT=81<inst_no>, SRCSRV=*:<disp_port_no>, SRCURL=/
  • icm/authfile = /usr/sap/<SID>/SYS/global/security/data/icmauth.txt
  • icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=$(DIR_DATA)$(DIR_SEP)icmandir,AUTHFILE=$(icm/authfile)
  • icm/max_conn = 500
  • icm/server_port_0 = PROT=HTTPS,PORT=<disp_port_no>

Please adjust the serial number <xx> in the SCS profile.

2. Extract Sapwebdisp SAR file

Download the SAP Web Dispatcher SAR (the version must be equal to or greater than the system kernel version) from the service marketplace and extract it in the kernel directory.

3. SCS instance Restart

After the restart, the SAP Web Dispatcher service will be visible as running in the SCS instance.

Steps To Configure SSL Termination

1. Update Profile Parameter in SCS Profile

Update the following SSL parameters in the SCS instance profile and restart the dispatcher from the admin console to activate them.

  • wdisp/add_client_protocol_header = true
  • wdisp/handle_webdisp_ap_header = 1
  • wdisp/add_xforwardedfor_header = true
  • wdisp/ssl_encrypt = 0
  • wdisp/ssl_auth = 1
  • icm/HTTPS/verify_client = 1

2. Generate CSR Request

Log in to the SAP Web Dispatcher admin console and create a new PSE for the SAP system FQDN.

Generate the CSR, get it signed by an authorized CA, then import the response using the dispatcher console.

3. Execute Dispatcher Profile Check

Execute the command sapwebdisp pf=<scs_instance_profile> -checkconfig

Make sure the dispatcher profile check reports no errors or warnings.

Open the NWA URL with the Web Dispatcher HTTPS port and you will find that the certificate status is OK.
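The following Python script is an added example, not part of the original post or of SAP's tooling: it compares an SCS profile against the parameter values listed on this page and flags placeholders such as <xx> that were left unedited, as a complement to -checkconfig. The function names, the sample profile and its port number are constructed for illustration.

```python
import re

# Values from the SSL parameter list in step 1 of this section.
EXPECTED = {
    "wdisp/add_client_protocol_header": "true", "wdisp/handle_webdisp_ap_header": "1",
    "wdisp/add_xforwardedfor_header": "true", "wdisp/ssl_encrypt": "0",
    "wdisp/ssl_auth": "1", "icm/HTTPS/verify_client": "1",
}

def parse_profile(text):
    """Return {name: value} from 'name = value' lines; '#' lines are comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def check_profile(text):
    """Return sorted findings; an empty list means the profile matches the page."""
    params = parse_profile(text)
    findings = []
    for name, want in EXPECTED.items():
        got = params.get(name)
        if got is None:
            findings.append(f"missing: {name}")
        elif got.lower() != want:
            findings.append(f"mismatch: {name} = {got} (page uses {want})")
    port = params.get("icm/server_port_0", "").upper().replace(" ", "")
    if "PROT=HTTPS" not in port:
        findings.append("icm/server_port_0 is not an HTTPS port")
    if "AUTHFILE=" not in params.get("icm/HTTP/admin_0", ""):
        findings.append("icm/HTTP/admin_0 has no AUTHFILE")
    for name, value in params.items():
        if re.search(r"<\w+>", f"{name} {value}"):
            findings.append(f"placeholder left in: {name}")
    return sorted(findings)

# Constructed sample profile excerpt (not from a real system).
SAMPLE = """\
Execute_<xx> = local rm -f $(_WD)
icm/server_port_0 = PROT=HTTP,PORT=44300
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=$(DIR_DATA)$(DIR_SEP)icmandir,AUTHFILE=$(icm/authfile)
wdisp/ssl_encrypt = 0
"""

if __name__ == "__main__":
    print("\n".join(check_profile(SAMPLE)))
```

A mismatch on wdisp/ssl_encrypt only means the profile differs from the termination setup described here; with the value 0 the hop from the Web Dispatcher to the application server is plain HTTP.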

Steps to activate HTTPS for PO Tools

Log in to NWA and modify the exchange profile properties:

  1. Log in to NWA and open the Java system properties under the Configuration tab.
  2. Search for “XPI Service: AII Config Service” in the Services tab.
  3. Select the parameters below (related to the ESR and IR tools) and change the ICM port to the dispatcher HTTPS port:
    • com.sap.aii.connect.repository.httpsport 
    • com.sap.aii.connect.directory.httpsport

  4. Select the parameter “com.sap.aii.connect.secure_connections” and change its value to all (restart is not required).

Now all the required PO tools will be accessible over HTTPS on the Web Dispatcher port defined in the SCS profile.

Conclusion

In this blog post I have explained in detail the SSL termination setup on SAP Web Dispatcher integrated into a Process Orchestration SCS instance, with relevant screenshots. I would conclude this blog by highlighting an important fact: the SSL termination scenario establishes the communication channel between the Web Dispatcher and the application server over the HTTP protocol, which means that unencrypted requests will be forwarded from the Web Dispatcher to the application server.
