Metadata Exchange Using SSL

Use

The SAP Web Dispatcher gets information about the application servers and groups, which it needs for load distribution, from the message server and application servers.

  • It gets server information (the list of servers that it can use for requests) from the message server.

  • It gets information about the logon groups and URL mapping from an ABAP application server.

  • The Web Dispatcher checks the availability of the application servers using ping requests to the application servers.

HTTP is used for this communication.

You can increase security by encrypting the communication channel with SSL, that is, by using the HTTPS protocol.

Prerequisites

To use HTTPS between the Web Dispatcher and the message server, the following prerequisites must be met.

  • The SAP Web Dispatcher must be set up for SSL, which means the certificates must be handled the same way as when configuring HTTPS in the Web Dispatcher.

  • The message server can also be set up for SSL, which means that a server certificate must exist and an HTTPS port must be configured. This configuration is relevant if SSL re-encryption is used. The following parameters must then be set in the message server profile:

    • ms/server_port_<xx> = PROT=HTTPS, PORT=<HTTPS port>

    • ssl/server_pse=<storage location of the SSL server PSE>

    • ssl/client_pse=<storage location of the SSL client PSE>

  • The SAP Web Dispatcher requires a service (port) with PROT=HTTPS for the outgoing requests. If you have already configured SSL termination, the entry will already exist. Otherwise you can define icm/server_port_<xx> = PROT=HTTPS,PORT=0. The Web Dispatcher can then send SSL requests, but it cannot receive SSL requests.

  • The SAP Web Dispatcher must be able to accept the server certificates from the message server and from the application server. To ensure this, the certificate authorities (CAs) of the server certificates must be contained as "trusted CAs" in the SSL client PSE of the SAP Web Dispatcher.

  • For server info only: The HTTPS port of the message server, which the SAP Web Dispatcher is to connect to, must be defined in the Web Dispatcher profile (parameter ms/https_port or the MSSPORT option of parameter wdisp/system_<xx>).

  • Group Info and URL Mapping Info: To exchange information between the SAP Web Dispatcher and application servers, there must be at least one HTTPS port set up on one application server. The internal group !DIAGS must not be empty.

  • ping Requests: If the ping requests are to go through HTTPS, all application servers must be set up for SSL and SSL ports must be available.

    More information: Configuring the SAP Web AS for Supporting SSL

Procedure

Set the profile parameters wdisp/server_info_protocol, wdisp/group_info_protocol, wdisp/url_map_protocol, or wdisp/ping_protocol to the value https. You can set the parameter for each type of information individually.

To encrypt all of the information, set:

wdisp/server_info_protocol = https

wdisp/group_info_protocol = https

wdisp/url_map_protocol = https

wdisp/ping_protocol = https
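
As an added example (not SAP code), the following Python script audits a Web Dispatcher profile for the four protocol parameters above and for two of the prerequisites: an outgoing PROT=HTTPS service and a message server HTTPS port. It assumes the profile consists of `name = value` lines with `#` comments and treats an unset protocol parameter as http; the function names and both sample profiles are constructed for illustration.

```python
import re

# Protocol selectors named on this page; unset counts as http (assumption from the page).
PROTOCOL_PARAMS = ("wdisp/server_info_protocol", "wdisp/group_info_protocol",
                   "wdisp/url_map_protocol", "wdisp/ping_protocol")

def parse_profile(text):
    """Parse 'name = value' lines; skip blanks and # comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")  # value may itself contain '='
        if sep:
            params[name.strip()] = value.strip()
    return params

def _any_param(params, name_re, value_re):
    return any(re.fullmatch(name_re, n) and re.search(value_re, v, re.I)
               for n, v in params.items())

def audit_profile(text):
    """Return findings for a Web Dispatcher profile; [] means all checks pass."""
    params = parse_profile(text)
    proto = {p: params.get(p, "http").lower() for p in PROTOCOL_PARAMS}
    findings = [f"{p} = {v}: exchanged without SSL"
                for p, v in proto.items() if v != "https"]
    # Prerequisite: a service with PROT=HTTPS for outgoing requests.
    if not _any_param(params, r"icm/server_port_\d+", r"PROT\s*=\s*HTTPS\b"):
        findings.append("no icm/server_port_<xx> with PROT=HTTPS")
    # Prerequisite (server info only): HTTPS port of the message server.
    has_ms_port = "ms/https_port" in params or _any_param(
        params, r"wdisp/system_\d+", r"\bMSSPORT\s*=")
    if proto["wdisp/server_info_protocol"] == "https" and not has_ms_port:
        findings.append("server info uses https but no ms/https_port or MSSPORT")
    return findings

# Constructed sample profiles (hypothetical values, not from the page).
HARDENED = """icm/server_port_0 = PROT=HTTPS,PORT=0
ms/https_port = 44300
wdisp/server_info_protocol = https
wdisp/group_info_protocol = https
wdisp/url_map_protocol = https
wdisp/ping_protocol = https"""
WEAK = """icm/server_port_0 = PROT=HTTP,PORT=8080
wdisp/server_info_protocol = https
wdisp/ping_protocol = http"""
for label, profile in (("HARDENED", HARDENED), ("WEAK", WEAK)):
    print(label, audit_profile(profile) or "ok")
```

The script does not inspect PSE contents, so the trusted-CA prerequisite still has to be checked separately.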

Result

Information on the application servers, logon groups, and URL prefixes is encrypted with SSL when it is transferred from the message server to the Web Dispatcher.