SSL Setup on SAP Web Dispatcher Integrated into Process Orchestration SCS Instance
Purpose
The goal of this blog post is to provide the steps necessary to configure the SSL termination scenario on a web dispatcher integrated into the SCS instance of a Process Orchestration (AS Java) system.
Overview
The blog post covers integrating the web dispatcher into an existing SCS instance running on an NW 7.5 (AS Java) system, along with the SSL termination configuration needed to access PO tools such as the Enterprise Services Repository, Integration Directory, process monitoring and SLD over HTTPS.
Prerequisites
- SAP process orchestration server is installed
- SAP cryptographic library is already installed
Steps To Configure Integrated Web Dispatcher
1. Profile Parameters
The following parameters need to be updated in the SCS instance profile to set up the integrated web dispatcher in the existing SCS instance.
- _CPARGX = list:$(DIR_CT_RUN)/webdispinst.lst
- Execute_<xx> = immediate $(DIR_CT_RUN)/sapcpe$(FT_EXE) pf=$(_PF) $(_CPARGX)
- _WD = wd.sap$(SAPSYSTEMNAME)_$(INSTANCE_NAME)
- Execute_<xx> = local rm -f $(_WD)
- Execute_<xx> = local ln -s -f $(DIR_EXECUTABLE)/sapwebdisp$(FT_EXE) $(_WD)
- Restart_Program_<xx> = local $(_WD) pf=$(_PF)
- wdisp/system_0 = SID=<SID>, MSHOST=<hostname>, MSPORT=81<inst_no>, SRCSRV=*:<disp_port_no>, SRCURL=/
- icm/authfile = /usr/sap/<SID>/SYS/global/security/data/icmauth.txt
- icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=$(DIR_DATA)$(DIR_SEP)icmandir,AUTHFILE=$(icm/authfile)
- icm/max_conn = 500
- icm/server_port_0 = PROT=HTTPS,PORT=<disp_port_no>
Adjust the serial number <xx> to fit the SCS profile.
2. Extract Sapwebdisp SAR file
Download the SAP web dispatcher SAR (its version must be equal to or greater than the system kernel version) from the service marketplace and extract it in the kernel directory.
3. SCS instance Restart
After the restart, the SAP web dispatcher service will be visible as running in the SCS instance.
Steps To Configure SSL Termination
1. Update Profile Parameter in SCS Profile
Update the following SSL parameters in the SCS instance profile and restart the dispatcher from the admin console to activate them.
- wdisp/add_client_protocol_header = true
- wdisp/handle_webdisp_ap_header = 1
- wdisp/add_xforwardedfor_header = true
- wdisp/ssl_encrypt = 0
- wdisp/ssl_auth = 1
- icm/HTTPS/verify_client = 1
2. Generate CSR Request
Log in to the SAP web dispatcher admin console and create a new PSE matching the SAP system FQDN.
Generate the CSR, get it signed by an authorized CA, then import the response using the dispatcher console.
3. Execute Dispatcher Profile Check
Execute the command sapwebdisp pf=<scs_instance_profile> -checkconfig
Make sure the dispatcher profile check reports no errors or warnings.
Open the NWA URL using the web dispatcher HTTPS port; the certificate status should show as OK.
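To complement the -checkconfig run, the following added example (not from the original post and not SAP code) audits an SCS profile for the six SSL termination parameters from step 1 and for an HTTPS listener. The function names, the sample profile and port 44300 are constructed placeholders.

```python
import re

# Values the post sets in step 1 of the SSL termination section
EXPECTED = {
    "wdisp/add_client_protocol_header": "true",
    "wdisp/handle_webdisp_ap_header": "1",
    "wdisp/add_xforwardedfor_header": "true",
    "wdisp/ssl_encrypt": "0",  # 0 = SSL ends at the dispatcher; backend hop is HTTP
    "wdisp/ssl_auth": "1",
    "icm/HTTPS/verify_client": "1",
}

# Constructed sample profile excerpt; the port is a placeholder, not from the post
SAMPLE = """\
# SCS instance profile excerpt
icm/server_port_0 = PROT=HTTPS,PORT=44300
wdisp/add_client_protocol_header = true
wdisp/handle_webdisp_ap_header = 1
wdisp/ssl_encrypt = 1
wdisp/ssl_auth = 1
icm/HTTPS/verify_client = 1
"""

def parse_profile(text):
    """Return {parameter: value} from profile text, skipping '#' comment lines."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)  # values may contain '=' themselves
            params[key.strip()] = value.strip()
    return params

def audit_profile(text):
    """Return a list of findings; an empty list means the profile matches the post."""
    params, findings = parse_profile(text), []
    for key, want in EXPECTED.items():
        got = params.get(key, "<unset>")
        if got.lower() != want:
            findings.append(f"{key}: expected {want}, found {got}")
    has_https = any(k.startswith("icm/server_port_") and re.search(r"\bPROT=HTTPS\b", v, re.I)
                    for k, v in params.items())
    if not has_https:
        findings.append("no icm/server_port_<n> listener with PROT=HTTPS")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_profile(SAMPLE)) or "profile matches the post's settings")
```
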
Steps to activate HTTPS for PO Tools
Log in to NWA and modify the exchange profile properties:
1. Log in to NWA and open the Java system properties under the Configuration tab.
2. Search for “XPI Service: AII Config Service” in the Services tab.
3. Select the parameters below (related to the ESR and IR tools) and change the ICM port to the dispatcher HTTPS port:
   - com.sap.aii.connect.repository.httpsport
   - com.sap.aii.connect.directory.httpsport
4. Select the parameter “com.sap.aii.connect.secure_connections” and change its value to all (a restart is not required).
Now all the required PO tools will be accessible over HTTPS on the web dispatcher port defined in the SCS profile.
Conclusion
In this blog post I have explained in detail the SSL termination setup on an SAP Web Dispatcher integrated into a Process Orchestration SCS instance, with relevant screenshots. I would conclude by highlighting an important fact: the SSL termination scenario establishes the communication channel between the web dispatcher and the application server over HTTP, which means that requests are forwarded unencrypted from the web dispatcher to the application server.
The certificates look good with the IE browser.
The certificate has intermittent, and root certificate.
But I am getting a Certificate Error when it is opened in the Chrome and Edge browsers.
Do you know how to fix that issue with Certificate Error?
This happens when a SAN is not defined for the CN. The solution is to regenerate the certificates to include a Subject Alternative Name extension. Refer to SAP Note 2462126.
Thanks Ashish. I just got the issue fixed.
I also referred to another SAP note, 2502649 - Creating certificates with Subject Alternative Name (SAN) through the Web Admin page.
Once again, thanks for your help.
Can we use a new port in the dispatcher configuration?
I mean, PO runs on ports 50000 and 50001. We want to access PO via 443 through the integrated web dispatcher's port.
Is this possible?