Entering content frame

Procedure documentation Metadata Exchange Using SSL Locate the document in its SAP Library structure

Use

The SAP Web dispatcher gets information about the application servers and groups, which it needs for load distribution, from the message server and application servers.

        It gets the server information from the message server.

        It gets information about the logon groups and URL mapping from an ABAP application server.

HTTP is used for this communication.

You can encrypt the communication channel SSL to increase security by using the HTTPS protocol.

Note

What’s important here is the metadata that the Web dispatcher gets from the message server, rather than the HTTP(S) data that the SAP Web Dispatcher forwards to the application server (see Structure linkSAP Web Dispatcher and SSL).

Prerequisites

To use HTTPS between the Web dispatcher and the message server, the following prerequisites must be met.

        The SAP Web Dispatcher must be set up for SSL, that is, the sapcryptolib must be installed and the certificates must be treated the same as when scheduling HTTPS in the Web dispatcher. For details see Configuring SAP Web Dispatcher to Support SSL.

        The message server must be set up for SSL, that is, the sapcryptolib must be installed, a server certificate must exist, and an HTTPS port must be configured. The following parameters must be set in the message server profile:

        ms/server_port_<xx> = PROT=HTTPS, PORT=<HTTPS port>

        ssl/ssl_lib=<storage location of the SAP Cryptographic Library>

        ssl/server_pse=<storage location of the SSL server PSE>

        ssl/client_pse=<storage location of the SSL client PSE>

        The SAP Web dispatcher requires a service (port) (icm/server_port_<xx>) with PROT=HTTPS for the outgoing requests. If you have already configured SSL termination, the entry will already exist. Otherwise you can define icm_server_port_<xx> = PROT=HTTPS,PORT=0. Then the Web dispatcher can send SSL requests, but it cannot receive SSL requests.

        The SAP Web Dispatcher must be able to accept the server certificates from the message server and from the application server.  To ensure they are, the certificate authorities (CAs) from the server certificates must be contained as "trusted CAs" in the SSL client PSE of the SAP Web Dispatcher.

        For Server Info Only: The HTTPS port of the message server, which the SAP Web Dispatcher is to connect to, must be defined in the Web dispatcher profile (parameter ms/https_port).

Caution

Be aware of the different parameters: in the Web dispatcher profile, the HTTP(S) port of the message server is specified in ms/https_port. In the message server profile it is specified in ms/server_port_<xx>.

        Group Info and URL Mapping Info: To exchange information between the SAP Web Dispatcher and application servers, there must be at least one HTTPS port set up on one application server (icm/server_port_<xx>). The internal group!DIAGS must not be empty (see Structure linkArchitecture of the SAP Web Dispatcher).

Procedure

Set the profile parameters wdisp/server_info_protocol, wdisp/group_info_protocol or wdisp/url_map_protocol to the value https (see Profile Parameters of the SAP Web Dispatcher). You can set the parameters for the different information individually.

If you want to encrypt the entire information, you have to set:

wdisp/server_info_protocol = https

wdisp/group_info_protocol = https

wdisp/url_map_protocol = https

Result

Information on the application servers, logon groups, and URL prefixes is encrypted with SSL, when it is transferred from the message server to the Web dispatcher.

Further Information

The following sections contain information about using SSL with the SAP Web Dispatcher.

        Structure linkSAP Web Dispatcher and SSL

        Structure linkEnd-to-End SSL

        Structure linkX.509-Based Logon to Web AS Using SAP Web Dispatcher

 

 

 

Leaving content frame