
Background documentation: X.509-Based Logon to NW AS from SAP Web Dispatcher

Problem

With end-to-end SSL, the SAP Web Dispatcher does not terminate the SSL data stream. The client certificate is extracted (after SSL termination) in the ICM of the application server and transported via MPIs to the work process. The user's client certificate can then be used to log on to the application server.

If, however, the SAP Web Dispatcher does terminate SSL, the (public) certificate of the user lies unpacked in the Web Dispatcher and has to be passed securely to the application server (ABAP or J2EE). To forward certificates, you need to ensure secure communication based on mutual trust between the application server and the Web Dispatcher. An SSL-encrypted connection between the Web Dispatcher and the application server provides this secure connection.

Implementation

Data Transfer and Formats

The values of the user certificates are transferred in HTTP header fields.

Name of Header Field: SSL_CLIENT_CERT
Value: Client certificate
Format: Base64-coded data, one line

Name of Header Field: SSL_CLIENT_CERT_CHAIN_1
Value: First non-root CA certificate of the client certificate's chain
Format: Same as SSL_CLIENT_CERT

Name of Header Field: SSL_CLIENT_CERT_CHAIN_n
Value: Last non-root CA certificate
Format: Same as SSL_CLIENT_CERT

Name of Header Field: SSL_CLIENT_CERT_CHAIN_n+1
Value: This element is the corresponding root certificate. It must not be transferred to the server.
Format: Same as SSL_CLIENT_CERT

Name of Header Field: SSL_CIPHER_USEKEYSIZE
Value: Number of encryption bits actually used
Format: Numeric decimal value transferred as a string (for example, 0, 40, 56, 128, 168)

Name of Header Field: SSL_CIPHER_SUITE
Value: Cipher suite in accordance with the definition in the SSL and TLS specifications (draft-freier-ssl-version3-02 or RFC 2246)
Format: The cipher suite consists of two (SSL 3.0 / TLS) or three (SSL 2.0) numeric 8-bit values.

Mutual Trust Between SAP Web Dispatcher and ICM on Application Server

The trusted relationship between the SAP Web Dispatcher and the ICM is based on a client certificate, which the Web dispatcher uses for the SSL connection. The ICM uses this Web dispatcher certificate to decide whether the intermediate server is trustworthy or not.

SAP Web Dispatcher Parameters

To terminate SSL, you have to set parameters in the profile of the SAP Web Dispatcher (see SAP Web Dispatcher and SSL):

icm/server_port_<xx> = ...PROT=HTTPS,...

SSL parameters, see Configuring SAP Web Dispatcher to Support SSL

You also have to set the parameters below to encrypt the request with SSL again.

wdisp/ssl_encrypt=<0,1,2>

wdisp/ssl_auth=<0,1,2>

wdisp/ssl_cred=<File_name_of_client_PSE>

wdisp/ssl_host=<Common_host_name>

The client certificate of the Web Dispatcher is specified with the file <File_name_of_client_PSE>. The trusted connection between the Web Dispatcher and the ICM of the application server is established with this certificate.

For details see SSL Parameters.

Set the following parameter to transfer the user certificate in the header fields.

icm/HTTPS/forward_ccert_as_header = true

ICM Parameters

To specify the trusted intermediate, the following parameters must be set in the ICM profile:

icm/HTTPS/trust_client_with_issuer = <issuer>

icm/HTTPS/trust_client_with_subject = <subject>

If the <subject> and <issuer> of the Web Dispatcher's client certificate match these values, the ICM accepts the SSL header fields. If they do not match, the ICM deletes them.

If the SSL header fields are not set, the HTTPS request carries its own certificate, which is used to log on to the application server (direct connection from the browser to the application server).

Security Measures in the SAP Web Dispatcher and ICM

The following measures guarantee security when certificates are forwarded:

- With incoming HTTP requests, any SSL header fields that may have been set are deleted.

- If the intermediate server is not trustworthy, any SSL header fields that may have been set are deleted.

Cascading SAP Web Dispatchers

You can operate several SAP Web Dispatchers (intermediate servers) one after the other. In this case, each node that is to accept the SSL header fields has to trust its direct predecessor. You can control this for the Web Dispatcher too, using the parameters icm/HTTPS/trust_client_with_subject and icm/HTTPS/trust_client_with_issuer (see above).
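The following Python model illustrates the two security measures above and the cascading rule. It is an added example, not SAP code and not a reimplementation of the ICM; the profile fragment, the subject and issuer strings, the request headers and the certificate bytes are all constructed placeholders, and the function names (parse_profile, filter_headers, forward_through_chain, decode_client_cert) are this example's own. It shows why a node that does not authenticate its predecessor, or that receives plain HTTP, must drop every SSL_* field rather than trust it.

```python
import base64
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed ICM profile fragment. It uses only the two trust parameters named
# on the page; the subject and issuer strings are placeholders, not values from
# any real system.
ICM_PROFILE = """
# trust only the Web Dispatcher that presents exactly this TLS client certificate
icm/HTTPS/trust_client_with_issuer = CN=Example Root CA, O=Example, C=DE
icm/HTTPS/trust_client_with_subject = CN=wdisp.example.invalid, O=Example, C=DE
"""

# Header fields the Web Dispatcher fills when icm/HTTPS/forward_ccert_as_header = true
FIXED_SSL_HEADERS = {"SSL_CLIENT_CERT", "SSL_CIPHER_USEKEYSIZE", "SSL_CIPHER_SUITE"}


@dataclass(frozen=True)
class PeerCert:
    """Subject and issuer of the TLS client certificate presented by the sending node."""
    subject: str
    issuer: str


def parse_profile(text: str) -> Dict[str, str]:
    """Read 'key = value' lines of a profile fragment; '#' lines are comments."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def is_ssl_header(name: str) -> bool:
    """SSL_CLIENT_CERT, SSL_CLIENT_CERT_CHAIN_<n>, SSL_CIPHER_USEKEYSIZE, SSL_CIPHER_SUITE."""
    upper = name.upper()
    return upper in FIXED_SSL_HEADERS or upper.startswith("SSL_CLIENT_CERT_CHAIN_")


def intermediate_trusted(peer: Optional[PeerCert], params: Dict[str, str]) -> bool:
    """SSL header fields are accepted only if the peer's client certificate
    matches both trust_client_with_subject and trust_client_with_issuer."""
    if peer is None:  # no TLS client authentication at all
        return False
    return (peer.subject == params.get("icm/HTTPS/trust_client_with_subject")
            and peer.issuer == params.get("icm/HTTPS/trust_client_with_issuer"))


def filter_headers(headers: Dict[str, str], scheme: str,
                   peer: Optional[PeerCert], params: Dict[str, str]) -> Dict[str, str]:
    """Apply the two measures from the page: drop SSL_* fields on incoming plain
    HTTP, and drop them on HTTPS unless the sending node is the trusted intermediate."""
    keep = scheme.lower() == "https" and intermediate_trusted(peer, params)
    return {k: v for k, v in headers.items() if keep or not is_ssl_header(k)}


def forward_through_chain(headers: Dict[str, str],
                          hops: List[Tuple[Optional[PeerCert], Dict[str, str]]]) -> Dict[str, str]:
    """Cascading intermediates: every hop applies its own profile to the
    certificate of its direct predecessor. One untrusted link strips the fields
    for good, because no later hop can recreate them."""
    for peer, params in hops:
        headers = filter_headers(headers, "https", peer, params)
    return headers


def decode_client_cert(header_value: str) -> bytes:
    """SSL_CLIENT_CERT is one line of Base64; the decoded value must be a DER
    SEQUENCE (tag 0x30), which is what a work process would go on to parse."""
    der = base64.b64decode(header_value, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("SSL_CLIENT_CERT does not carry a DER certificate")
    return der


# Constructed request as the work process would receive it from the Web Dispatcher.
# The certificate bytes are a minimal DER SEQUENCE stand-in, not a real certificate.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_HEADERS = {
    "Host": "nwas.example.invalid",
    "SSL_CLIENT_CERT": base64.b64encode(SAMPLE_DER).decode("ascii"),
    "SSL_CLIENT_CERT_CHAIN_1": base64.b64encode(SAMPLE_DER).decode("ascii"),
    "SSL_CIPHER_USEKEYSIZE": "128",
}
TRUSTED_WDISP = PeerCert("CN=wdisp.example.invalid, O=Example, C=DE",
                         "CN=Example Root CA, O=Example, C=DE")

if __name__ == "__main__":
    params = parse_profile(ICM_PROFILE)
    print(sorted(filter_headers(SAMPLE_HEADERS, "https", TRUSTED_WDISP, params)))
    print(sorted(filter_headers(SAMPLE_HEADERS, "http", TRUSTED_WDISP, params)))
```

The match is deliberately on both subject and issuer: the issuer check alone would let any certificate from the same CA pose as the Web Dispatcher, and the subject check alone would accept a certificate of that name from an untrusted CA. In a cascade the same check is repeated per hop with each node's own profile, which is why every node's trust parameters must name exactly its predecessor.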
