Skip to end of metadata
Go to start of metadata

Installation of SAP Web Dispatcher and SSL Setup

Applies to:

SAP Netweaver Systems facing internet.  

Summary

SAP Web dispatcher is used for multiple purposes, mainly for URL routing and load balancing. Web dispatcher is exposed to the external world i.e. in internet, It is very important to use a secure protocol connection. This document will help us to install and setup SSL for SAP Webdispatcher. You also use this document to sign your own certificates. This document will describe about SSL termination method in webdispatcher.

Author: Vamshi Polasa

Company:   Tata Consultancy Services Ltd.

Created on: 15 April 2010

Author Bio

I am Vamshi Polasa, A certified SAP Netweaver consultant. Working for TCS, India from 2007 has good experience in SAP Implementations, and area of expertise is SAP BASIS, Netweaver portals, PI7.1, CTS+, NWDI, CRM WEBUI.


 

Introduction:

The SAP Web dispatcher lies between the Internet and our SAP system. It is the entry point for HTTP(s) or http requests into your system, which consists of one or more Netweaver application servers. As a "software web switch", the SAP Web dispatcher can reject or accept connections. When it accepts a connection, it balances the load to ensure an even distribution across the servers. The SAP Web Dispatcher therefore contributes to security and also balances the load in our SAP system.

There are different scenarios: SSL termination, SSL re-encryption and End-to-End SSL which web dispatcher supports.

In this document we will discuss about SSL termination scenario.

The web browser communicates with the SAP Web Dispatcher via an SSL secured http communication (https). The SSL encryption will be terminated at the SAP Web Dispatcher and will be forwarded without SSL encryption to the SAP WebAS via http.

Installation of SAP Webdispatcher using SAPINST:

Run the sapinst

Navigate as shown:

SAP Netweaver 2004s Support Release2 à Standalone Engines à Web Dispatcher à Web Dispatcher Installation


Enter the message server host name for which you want to use the SAP Web disp and the port of the message server it will be 81<XX>

Enter the password for the webadm, this will the admin user to administer the webdispatcher.

Show the path for the SAP Kernel files:





Make sure the below parameters for http_port and rdisp/mshost are set in the dispatcher profile:

We can check the log file in the work directory of our webdispatcher:

Logon to the webdispatcher admin tool using the below URL:

http://<webdisphost>:81<webdisp inst number>/sap/admin

SSL Setup:


Download the SAP Cryptographic software from the market place, UNCAR the files using SAPCAR.

We get the sapcrypto.dll and sapgenpse files

We get the sapcrypto.dll and sapgenpse files

Copy the sapcrypto.dll and sapgenpse.exe files to the path below

Copy the ticket file to the path usr\sap\SID\INST\SEC

The SECULIB file is missing in the folder , we need to download it from market place and place it in the folder usr\sap\<SID>\<INST>\SEC

Copy the sapsecu.dll into the sec folder.

Create a System variable SECUDIR with variable value where the sapsecu.dll file is located.


Make the below entries in the instance profile:

#-----------------------------------------------------------------------

#Https parameters for Web dispatcher

#-----------------------------------------------------------------------

icm/server_port_0 = PROT=HTTPS,PORT=443$$

DIR_INSTANCE = C:\usr\sap\WD1\W02\sec

ssl/ssl_lib = C:\usr\sap\WD1\W02\sec\sapcrypto.dll

ssl/server_pse = C:\usr\sap\WD1\W02\sec\SAPSSL.pse

wdisp/ssl_cred = C:\usr\sap\WD1\W02\sec\SAPSSL.pse

ssf/ssfapi_lib = C:\usr\sap\WD1\W02\sec\sapcrypto.dll

sec/libsapsecu = C:\usr\sap\WD1\W02\sec\sapcrypto.dll

ssf/name = SAPSECULIB

wdisp/ssl_encrypt = 0

#icm/server_port_1=PROT=HTTPS, PORT=44302, TIMEOUT=900

icm/server_port_1 = PROT=HTTP,PORT=0

icm/HTTPS/verify_client=0

wdisp/add_client_protocol_header = true

wdisp/auto_refresh = 120

wdisp/max_servers = 100

#-----------------------------------------------------------------------

Create the certificate using the below command:

Sapgenpse gen_pse --s <key length 1024 or 2048> -a < RSA or DSA> -p <name of the pse to be created>

This will ask the pin and the distinguished name just follow on screen instructions.

The above command will generate the pse. Here I have used the certificate name as SAPSSL.

Let's generate the certificate request which we will send to CA.

Use the below command:

Sapgenpse get_pse --s <length of the key> -a <algorithm to be used RSA or DSA> -p <name of the pse for which certreq is to be created> -r < name of  certreq file which is to be created>

This will create the certificate request with the name certreq.req

We have to send the certreq.req file to the CA, they will give us the signed certificate which we have to import to the sap webdispatcher.

Signing certificates using Openssl :

Note: For Production environments it's always recommended to get a signed certificated from SAP or some CA.

Here I will use the openssl to generate the signed certificate.

I have already installed the OPENSSL, it's a free ware you can download it from internet.

Copy the below text in the openssl.conf [file:
]

                

Open the cmd prompt and go to the folder openssl\bin

Set up the directory structure and files required by OpenSSL:

C:\ssl>md keys

C:\ssl>md requests

C:\ssl>md certs

After creating the three directories we need to create a database.txt file.

Create the file database.txt - an empty (zero-byte) text file. or by creating an empty file manually:

c:\ssl>copy con database.txt

^Z

This should produce a zero-byte file called c:\ssl\database.txt

Create the serial number file serial.txt. This is a plain ASCII file containing the string "01" on the first line, followed by a newline. Again, we can use a little bit of ancient DOS magic:

C:\ssl>copy con serial.txt

      01

      ^Z

First, we create a 1024-bit private key to use when creating our CA.:

This will create the ca.key file the folder Keys we have created.

We will now create a master certificate based on this key, to use when signing other certificates:

C:\ssl>openssl req -config openssl.conf -new -x509 -days 1001 -key keys/ca.key -out certs/ca.cer

We need to enter the below details:

Country Name (2 letter code) :<eg IN, GB>

State or Province Name (full name) :<state>

Locality Name (eg, city) : <city>

Organization Name (eg, company) :<company name as expose it to internet>

Organizational Unit Name (eg, section) : <name>

Common Name (eg, your websites domain name) :<name>

Email Address :ssl@xyz.net

Copy the certreq file into c:\ssl\requests for which we will be creating a signed certificate.

Below is the command:

C:\ssl>openssl ca -policy policy_anything -config openssl.conf -cert certs/ca.cer -in requests/<request file> -keyfile keys/ca.key -days 360 -out certs/<name of the cert you want tocreate>

This completes the generating the signed certificate using the openssl.

Copy the ca.cer and sapssl.cer files to the sec folder:


Import the certificate into the web dispatcher using the below command:

Add the permissions to the user using the below command this will create file cred_v2 in the sec folder.

This completes the SSL setup.


Related Content

Please include at least three references to SDN documents or web pages.

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/ed/2429371ec14c23a7508affa1280d07/frameset.htm

Reference 2

Reference 3


 

Copyright

© Copyright 2010 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects S.A. in the United States and in other countries. Business Objects is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.


 

  1. Guest

    Hi Vamshi,

      In the last 3 sentence, you mentioned to import the certificate into the web dispatcher but the command is not shown.  Also, the add permissions to user to create the cred_v2 in the sec folder. How is this done ?

    Regards

  2. Guest

    Hi Vamshi,

    You mention that the SECULIB file is missing and to add this file. That is not correct and unnecessary. The SAPCRYPTOLIB superceeds the SECULIB.

    For more information please see the following Notes:

    Note 455033 - SAPCRYPTOLIB versions, bugs and fixes
    Note 870138 - SAPSECULIB updates (5.4.28M-x)
    Note 354819 - Collective note SAPSECULIB

    Apart from that - great post.

  3. Guest

    Dear Vamshi

    Thanks for the sharing. But how do you import the certificate into webdispatcher? you mention "the below command" but I think you missed to add the command.

  4. HI,

     

    I think you missed the add command.

     

    Regards