Show TOC

Procedure documentationMetadata Exchange Using SSL Locate this document in the navigation structure

 

The SAP Web Dispatcher gets information about the application servers and groups, which it needs for load distribution, from the message server and application servers.

  • It gets server information (the list of servers that it can use for requests) from the message server.

  • It gets information about the logon groups and URL mapping from an ABAP application server.

  • The Web Dispatcher checks the availability of the application servers using ping requests to the application servers.

HTTP is used for this communication.

You can encrypt the communication channel SSL to increase security by using the HTTPS protocol.

Note Note

What’s important here is the metadata that the Web Dispatcher gets from the message server, rather than the HTTP(S) data that the Web Dispatcher forwards to the application server (see SAP Web Dispatcher and SSL).

End of the note.

Prerequisites

To use HTTPS between the Web Dispatcher and the message server, the following prerequisites must be met.

  • The SAP Web Dispatcher must be set up for SSL, that is, the sapcryptolib must be installed and the certificates must be treated the same as when scheduling HTTPS in the Web Dispatcher. For details see Configuring SAP Web Dispatcher to Support SSL.

  • The message server must be set up for SSL, that is, the sapcryptolib must be installed, a server certificate must exist, and an HTTPS port must be configured. The following parameters must be set in the message server profile:

    • ms/server_port_<xx> = PROT=HTTPS, PORT=<HTTPS port>

    • ssl/ssl_lib=<Ablageort_der_SAP_Cryptographic_Library>

    • ssl/server_pse=<storage location of the SSL server PSE>

    • ssl/client_pse=<storage location of the SSL client PSE>

  • The SAP Web Dispatcher requires a service (port) (icm/server_port_<xx>) with PROT=HTTPS for the outgoing requests. If you have already configured SSL termination, the entry will already exist. Otherwise you can define icm_server_port_<xx> = PROT=HTTPS,PORT=0. Then the Web Dispatcher can send SSL requests, but it cannot receive SSL requests.

  • The SAP Web Dispatcher must be able to accept the server certificates from the message server and from the application server. To ensure they are, the certificate authorities (CAs) from the server certificates must be contained as "trusted CAs" in the SSL client PSE of the SAP Web Dispatcher.

  • For server info only: The HTTPS port of the message server, which the SAP Web Dispatcher is to connect to, must be defined in the Web Dispatcher profile (parameter ms/https_port or the MSSPORT option of parameter wdisp/system_<xx>).

    Caution Caution

    Be aware of the different parameters. In the Web Dispatcher profile, the HTTP(S) port of the message server is specified in ms/https_port (or the MSSPORT option of parameter wdisp/system_<xx>). In the message server profile it is specified in ms/server_port_<xx>.

    End of the caution.

  • Group Info and URL Mapping Info: To exchange information between the SAP Web Dispatcher and application servers, there must be at least one HTTPS port set up on one application server (icm/server_port_<xx>). The internal group !DIAGS must not be empty (see Architecture of the SAP Web Dispatcher).

    Recommendation Recommendation

    SAP recommends that you set up at least two HTTPS enabled application servers so that you do not receive a single point of failure here.

    End of the recommendation.

  • ping Requests: If the ping requests are to go through HTTPS, all application servers must be set up for SSL and SSL ports must be available.

    More information: Configuring the SAP Web AS for Supporting SSL

Procedure

Set the profile parameters wdisp/server_info_protocol, wdisp/group_info_protocol,wdisp/url_map_protocol or wdisp/ping_protocol to the value https (see Profile Parameters of the SAP Web Dispatcher). You can set the parameters for the different information individually.

If you want to encrypt the entire information, you have to set:

wdisp/server_info_protocol = https

wdisp/group_info_protocol = https

wdisp/url_map_protocol = https

wdisp/ping_protocol = https

Result

Information on the application servers, logon groups, and URL prefixes is encrypted with SSL, when it is transferred from the message server to the Web Dispatcher.

More Information

The following sections contain information about using SSL with the SAP Web Dispatcher.