Ashish Hans

SSL Setup on SAP Web Dispatcher Integrated into Process Orchestration SCS Instance

Purpose

The goal of this blog post is to provide the steps necessary to configure the SSL termination scenario on a Web Dispatcher integrated into the SCS instance of Process Orchestration (AS Java).

Overview

The blog post covers configuring the Web Dispatcher in an existing SCS instance running on an NW 7.5 (AS Java) system, along with the SSL termination configuration needed to access PO tools such as Enterprise Service Repository, Integration Directory, process monitoring and SLD over HTTPS.

Prerequisites

  • SAP process orchestration server is installed
  • SAP cryptographic library is already installed

Steps To Configure Integrated Web Dispatcher

1. Profile Parameters

The following parameters need to be updated in the SCS instance profile to set up the integrated Web Dispatcher in the existing SCS instance.

  • _CPARGX = list:$(DIR_CT_RUN)/webdispinst.lst
  • Execute_<xx> = immediate $(DIR_CT_RUN)/sapcpe$(FT_EXE) pf=$(_PF) $(_CPARGX)
  • _WD = wd.sap$(SAPSYSTEMNAME)_$(INSTANCE_NAME)
  • Execute_<xx> = local rm -f $(_WD)
  • Execute_<xx> = local ln -s -f $(DIR_EXECUTABLE)/sapwebdisp$(FT_EXE) $(_WD)
  • Restart_Program_<xx> = local $(_WD) pf=$(_PF)
  • wdisp/system_0 = SID=<SID>, MSHOST=<hostname>, MSPORT=81<inst_no>, SRCSRV=*:<disp_port_no>, SRCURL=/
  • icm/authfile = /usr/sap/<SID>/SYS/global/security/data/icmauth.txt
  • icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=$(DIR_DATA)$(DIR_SEP)icmandir,AUTHFILE=$(icm/authfile)
  • icm/max_conn = 500
  • icm/server_port_0 = PROT=HTTPS,PORT=<disp_port_no>

Adjust the serial number <xx> in the Execute_<xx> and Restart_Program_<xx> entries to fit your SCS profile.

2. Extract Sapwebdisp SAR file

Download the SAP Web Dispatcher SAR (its version must be equal to or greater than the system kernel version) from the Service Marketplace and extract it into the kernel directory.

3. SCS instance Restart

After the restart, the SAP Web Dispatcher service will be visible as running in the SCS instance.

 

Steps To Configure SSL Termination

1. Update Profile Parameter in SCS Profile

Update the following SSL parameters in the SCS instance profile and restart the dispatcher from the admin console to activate them.

  • wdisp/add_client_protocol_header = true
  • wdisp/handle_webdisp_ap_header = 1
  • wdisp/add_xforwardedfor_header = true
  • wdisp/ssl_encrypt = 0
  • wdisp/ssl_auth = 1
  • icm/HTTPS/verify_client = 1

2. Generate CSR Request

Log in to the SAP Web Dispatcher admin console and create a new PSE for the SAP system FQDN.

Generate the CSR, have it signed by an authorized CA, and then import the response using the dispatcher console.

3. Execute Dispatcher Profile Check

Execute the command sapwebdisp pf=<scs_instance_profile> -checkconfig

Make sure the dispatcher profile check reports no errors or warnings.

Open the NWA URL on the Web Dispatcher HTTPS port and you will find that the certificate status is OK.
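Alongside the profile check, the settings from both configuration sections can be compared mechanically against the values listed in this post. The Python sketch below is an added example, not part of the original post or of SAP tooling: it parses profile text, reports parameters that are missing or differ from the listed values, and checks that the SRCSRV port in wdisp/system_<n> is one of the HTTPS listener ports. The sample profile (SID PO1, host pohost, ports 44300 and 44301) is constructed and the function names are this example's own.

```python
import re

# Values as listed in the post's SSL termination step.
EXPECTED = {
    "wdisp/add_client_protocol_header": "true",
    "wdisp/handle_webdisp_ap_header": "1",
    "wdisp/add_xforwardedfor_header": "true",
    "wdisp/ssl_encrypt": "0",
    "wdisp/ssl_auth": "1",
    "icm/HTTPS/verify_client": "1",
}
# Constructed sample profile excerpt; SID, host and ports are made up.
SAMPLE = """\
wdisp/system_0 = SID=PO1, MSHOST=pohost, MSPORT=8101, SRCSRV=*:44301, SRCURL=/
icm/server_port_0 = PROT=HTTPS,PORT=44300
wdisp/add_client_protocol_header = true
wdisp/handle_webdisp_ap_header = 1
wdisp/add_xforwardedfor_header = true
wdisp/ssl_encrypt = 1
"""

def parse_profile(text):
    """Map parameter -> value, splitting on the first '=' because values contain '='."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def subfields(value):
    """Turn 'PROT=HTTPS,PORT=44300' into {'PROT': 'HTTPS', 'PORT': '44300'}."""
    parts = (p.split("=", 1) for p in value.split(",") if "=" in p)
    return {k.strip().upper(): v.strip() for k, v in parts}

def audit(text):
    """Return findings where the profile deviates from the post's settings."""
    params, findings = parse_profile(text), []
    for key, want in EXPECTED.items():
        got = params.get(key)
        if got is None:
            findings.append(f"MISSING {key} (expected {want})")
        elif got.lower() != want:
            findings.append(f"MISMATCH {key} = {got} (expected {want})")
    ports = [subfields(v) for k, v in params.items() if re.fullmatch(r"icm/server_port_\d+", k)]
    https_ports = {f.get("PORT") for f in ports if f.get("PROT", "").upper() == "HTTPS"}
    if not https_ports:
        findings.append("MISSING icm/server_port_<n> with PROT=HTTPS")
    for key, value in params.items():
        src = subfields(value).get("SRCSRV") if re.fullmatch(r"wdisp/system_\d+", key) else None
        if src and https_ports and src.rsplit(":", 1)[-1] not in https_ports:
            findings.append(f"MISMATCH {key} SRCSRV={src} is not an HTTPS listener port")
    return findings
```

The audit reads a single profile's text, so parameters maintained in another profile of the same system will be reported as missing.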

Steps to activate HTTPS for PO Tools

Log in to NWA and modify the exchange profile properties:

  1. Log in to NWA and access the Java system properties under the Configuration tab.
  2. Search for “XPI Service: AII Config Service” in the Services tab.
  3. Select the parameters below (related to the ESR and IR tools) and change the ICM port to the dispatcher HTTPS port:
    • com.sap.aii.connect.repository.httpsport
    • com.sap.aii.connect.directory.httpsport
  4. Select the parameter “com.sap.aii.connect.secure_connections” and change its value to all (a restart is not required).

Now all the required PO tools will be accessible over HTTPS on the Web Dispatcher port defined in the SCS profile.

Conclusion

In this blog post I have explained in detail the SSL termination setup on SAP Web Dispatcher integrated into the Process Orchestration SCS instance, with relevant screenshots. I would conclude by highlighting an important fact: the SSL termination scenario establishes the communication channel between the Web Dispatcher and the application server over HTTP, which means that requests are forwarded unencrypted from the Web Dispatcher to the application server.

 

 

 

 

 

      4 Comments
      Prasad Prathi

      The certificates look good with IE browser.

      The certificate has intermittent, and root certificate.

      But I am getting a Certificate Error when it is opened in the Chrome and Edge browsers.

      Do you know how to fix that issue with Certificate Error?

       

       

       

       

      Ashish Hans
      Blog Post Author

      This happens when SAN is not defined for the CN. The solution is to regenerate the certificates to include a Subject Alternative Name extension. Refer to SAP note 2462126.

      Prasad Prathi

      Thanks Ashish. I just got the issue fixed.

      I also referred to another SAP note, 2502649 - Creating certificates with Subject Alternative Name (SAN) through the Web Admin page.

      Once again, thanks for your help.

      Zafer Hursutagaoglu

      Can we use a new port in the dispatcher configuration?

      I mean PO runs on ports 50000 and 50001. We want to access PO via 443 through the integrated web dispatcher's port.

      Is this possible?