Configuring SAP Web Dispatcher to Support SSL 
In this step, you configure the SAP NetWeaver Enterprise Search Web Dispatcher to support secure communication using SSL. Secure communication also requires minor changes to the configuration of the Internet Communication Framework (ICF) and the firewall.
Recommendation
SAP strongly recommends configuring SSL encryption as described below for secure data communication between server and client. The absence of this kind of encryption is considered a security risk; users therefore see a corresponding security warning each time they log on.
Prerequisites
You have made the SAP Cryptographic Library available during the automatic installation of SAP NetWeaver Enterprise Search.
Log on to the master blade at the operating system level with the <sapsid>adm user.
Open the instance profile for the SAP Web dispatcher:
/usr/sap/<SAPSID>/SYS/profile/<SAPSID>_SCS<instance_number>_<virtual_host>
Add the following parameters to the profile:
wdisp/ssl_encrypt = 0
wdisp/add_client_protocol_header = true
icm/HTTPS/verify_client = 0
Add the following new HTTPS handler to the profile:
icm/server_port_<X> = PROT=HTTPS,PORT=5$(SAPSYSTEM)01,TIMEOUT=60,PROCTIMEOUT=600
Search the profile for other icm/server_port_<X> statements and enter the next higher number instead of <X>.
Note
The $(SAPSYSTEM) variable in the port number is resolved to the two-digit SCS instance number. The default port is therefore 50101, because the default SCS instance number on the master blade is 01.
If you want to prevent any unencrypted communication using HTTP, search the icm/server_port_<X> statement for the HTTP protocol and set the port number to 0 as follows:
icm/server_port_<X> = PROT=HTTP,PORT=0
Note
If you set the HTTP port to zero, the SAP Web dispatcher can open outbound connections using HTTP, but cannot receive any inbound requests using HTTP.
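As an added example (not part of the SAP documentation), the following POSIX shell functions automate the profile edits described above: they find the next free icm/server_port_<X> index in an instance profile, print the HTTPS handler line to append, show which port 5$(SAPSYSTEM)01 resolves to for a given SCS instance number, and rewrite the HTTP handler to PORT=0 without touching the HTTPS handler. The function names and the sample profile built in demo() are assumptions; run the script with no argument for the demo, or with the path of your profile to print the handler line for it.

```shell
#!/bin/sh
# Added example, not from the SAP documentation. Helpers for the profile edits
# described above. Assumptions: the instance profile is a plain "key = value"
# text file; the sample profile in demo() is constructed for illustration.

# next_server_port_index PROFILE -> the next unused <X> in icm/server_port_<X>
next_server_port_index() {
    profile="$1"
    max=-1
    # Extract <X> from every "icm/server_port_<X> = ..." line
    for idx in $(sed -n 's/^[[:space:]]*icm\/server_port_\([0-9][0-9]*\)[[:space:]]*=.*/\1/p' "$profile"); do
        if [ "$idx" -gt "$max" ]; then max=$idx; fi
    done
    echo $((max + 1))
}

# https_handler_line PROFILE -> the HTTPS handler line to append to the profile
https_handler_line() {
    idx=$(next_server_port_index "$1")
    echo "icm/server_port_$idx = PROT=HTTPS,PORT=5\$(SAPSYSTEM)01,TIMEOUT=60,PROCTIMEOUT=600"
}

# resolve_https_port SCS_INSTANCE_NUMBER -> the port that 5$(SAPSYSTEM)01 resolves
# to, e.g. 01 -> 50101 (the same port goes into HTTPURLLOC and the firewall)
resolve_https_port() {
    nr="$1"
    case "$nr" in
        [0-9]) nr="0$nr" ;;   # $(SAPSYSTEM) is always two digits
    esac
    echo "5${nr}01"
}

# disable_http PROFILE -> the profile on stdout with the HTTP handler set to
# PORT=0; only "PROT=HTTP," is matched, so "PROT=HTTPS," is left alone
disable_http() {
    sed 's/^\([[:space:]]*icm\/server_port_[0-9][0-9]*[[:space:]]*=[[:space:]]*PROT=HTTP,\)PORT=[^,]*/\1PORT=0/' "$1"
}

# demo: constructed sample profile, not a real SAP profile
demo() {
    tmp=$(mktemp)
    printf '%s\n' \
        'SAPSYSTEMNAME = ABC' \
        'icm/server_port_0 = PROT=HTTP,PORT=8$(SAPSYSTEM)00' \
        'icm/server_port_1 = PROT=SMTP,PORT=0' > "$tmp"
    echo "Append to profile: $(https_handler_line "$tmp")"
    echo "HTTPS port for SCS instance 01: $(resolve_https_port 01)"
    echo "Profile with inbound HTTP disabled:"
    disable_http "$tmp"
    rm -f "$tmp"
}

if [ $# -gt 0 ]; then
    https_handler_line "$1"     # print the line to append for a real profile
else
    demo
fi
```

The functions only print; nothing is written back to the profile, so you can review the output before editing the file as <sapsid>adm.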
Copy the license ticket file (ticket) of the SAP Cryptographic Library to the following folder:
/usr/sap/<SAPSID>/SCS<instance_number>/sec
Note
Depending on the legal situation in your country, you either have to download the license ticket file separately from SAP Service Marketplace, or the file is included in the installation archive of the SAP Cryptographic Library. If the file is part of the installation archive, you can copy it from the following folder:
/usr/sap/<SAPSID>/DVEBMGS<instance_number>/sec
To allow the sapgenpse command line tool to find the ticket, define the SECUDIR environment variable in such a way that it refers to the SCS security folder. Use the following command to do this:
setenv SECUDIR /usr/sap/<SAPSID>/SCS<instance_number>/sec
Note
Alternatively or in addition, you can add the variable to the .cshrc profile file of your <sapsid>adm user.
To create an SSL key pair and a certificate request, run the following command in the sec folder of the SCS:
sapgenpse get_pse -p SAPSSLS.pse -x <PIN> -r SAPSSLS.req "CN=<FQDN>, OU=<organizational_unit>, O=<company>, C=<country>"
Note
For <FQDN>, specify the external, fully-qualified domain name that allows access to SAP NetWeaver Enterprise Search in your company's IT landscape.
If you do not use the -x parameter, sapgenpse asks for the PIN interactively. This provides extra security, since nobody can read the PIN from the screen or find it in the command history.
The command creates two files in the current directory: SAPSSLS.pse and SAPSSLS.req. The latter is a simple ASCII file whose content must be sent to a certification authority (CA). The CA signs the request according to its rules and returns a file with the signed certificate. SAP offers CA services via http://service.sap.com/trust. On this page, you can have test certificates signed instantly.
To import the signed certificate, copy it to the SAPSSLS.cer file in the sec folder of the SCS. In addition, copy the root certificate from your CA to this folder and run the following command:
sapgenpse import_own_cert -c SAPSSLS.cer -p SAPSSLS.pse -x <PIN> -r <root_certificate>
Note
Make sure that the date and time settings on the server are correct and synchronized with the CA; otherwise the certificate might be considered invalid.
As the PSE file is PIN-protected, the SAP Web dispatcher cannot access it without the PIN. Instead of supplying the PIN in the profile, you must create a credential file. The owner of this file has access to the PSE.
To create the credential file, run the following command:
sapgenpse seclogin -p SAPSSLS.pse -x <PIN> -O <sapsid>adm
This command creates a file named cred_v2 in the sec folder.
The cred_v2 file contains the credentials the SAP Web dispatcher uses to open the PSE; therefore, access to it should be limited to the owner.
To do this, execute the following command in the sec folder:
chmod 600 cred_v2
Example
The sec folder of the SCS should now look as follows:
master:abcadm 77> ls -la /usr/sap/ABC/SCS01/sec/
drwxr-xr-x abcadm sapsys 4096 2007-06-21 11:32 .
drwxr-xr-x abcadm sapsys 4096 2007-06-10 11:12 ..
-rw------- abcadm sapsys 164 2007-06-21 11:32 cred_v2
-rw------- abcadm sapsys 1655 2007-06-21 10:45 SAPSSLS.pse
If you have imported the signed certificate and the root certificate into the PSE file, you can remove both *.cer files and the SAPSSLS.req file from the sec folder.
Caution
Make sure that the following files remain in the sec folder:
SAPSSLS.pse
cred_v2
ticket
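As an added example (not from the SAP documentation), the following POSIX shell script checks that the sec folder is in the state the caution above requires: SAPSSLS.pse, cred_v2 and ticket present, cred_v2 readable only by its owner (mode 600), and it points out leftover *.cer and SAPSSLS.req files that can go after the import. The folder path, the function names and the constructed folder in demo() are assumptions; permissions are read via "ls -ld" rather than stat so the check runs unchanged on the Unix variants that ship sapgenpse. Call it with the sec folder path, or with no argument to run the demo.

```shell
#!/bin/sh
# Added example, not from the SAP documentation. Sanity-check the SCS sec
# folder after the PSE and the credential file have been created.
# Assumptions: the layout described above (SAPSSLS.pse, cred_v2 and ticket
# must stay; *.cer and SAPSSLS.req may be removed once imported).

# file_mode PATH -> the ten-character permission string, e.g. -rw-------
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# check_sec_folder DIR -> 0 if the folder is in the expected state, 1 otherwise;
# every finding is printed so the operator sees all problems at once
check_sec_folder() {
    dir="$1"
    rc=0
    for f in SAPSSLS.pse cred_v2 ticket; do
        if [ ! -f "$dir/$f" ]; then
            echo "MISSING: $dir/$f"
            rc=1
        fi
    done
    # cred_v2 unlocks the PSE, so only the owner (<sapsid>adm) may read it
    if [ -f "$dir/cred_v2" ] && [ "$(file_mode "$dir/cred_v2")" != "-rw-------" ]; then
        echo "WRONG MODE: $dir/cred_v2 is $(file_mode "$dir/cred_v2"), expected -rw------- (chmod 600)"
        rc=1
    fi
    # the PSE holds the private key; warn if group or world can read it
    if [ -f "$dir/SAPSSLS.pse" ]; then
        case "$(file_mode "$dir/SAPSSLS.pse")" in
            -??-------) ;;   # owner-only, as in the listing above
            *) echo "WARNING: $dir/SAPSSLS.pse is accessible by group or others" ;;
        esac
    fi
    # leftovers from the certificate request are no longer needed after import
    for f in "$dir"/*.cer "$dir"/SAPSSLS.req; do
        if [ -f "$f" ]; then echo "INFO: $f can be removed after import"; fi
    done
    return $rc
}

# demo: constructed folder with one deliberate mistake (cred_v2 too permissive)
demo() {
    d=$(mktemp -d)
    touch "$d/SAPSSLS.pse" "$d/cred_v2" "$d/ticket" "$d/SAPSSLS.req"
    chmod 600 "$d/SAPSSLS.pse"
    chmod 644 "$d/cred_v2"
    if check_sec_folder "$d"; then
        echo "sec folder OK"
    else
        echo "sec folder check FAILED (expected in this demo)"
    fi
    rm -rf "$d"
}

if [ $# -gt 0 ]; then
    check_sec_folder "$1"
else
    demo
fi
```

Run it as <sapsid>adm against /usr/sap/<SAPSID>/SCS<instance_number>/sec before restarting the Web dispatcher; a non-zero exit status means at least one required file is missing or cred_v2 is readable by others.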
Restart the Web dispatcher by running the following command:
sapcontrol -nr <SCS instance_number> -function RestartInstance
You can check the status of the SCS instance by running the following command:
sapcontrol -nr <SCS instance_number> -function GetProcessList
In the event of errors, you can find more precise information in the following log file:
/usr/sap/<SAPSID>/SCS<instance_number>/work/dev_webdisp
Note
When you restart the SCS instance, it can take several minutes for the central AS ABAP to connect to the message server and the Web dispatcher again. During this time, you cannot access SAP NetWeaver Enterprise Search.
Log on to the ABAP system using the Search_Admin user.
Start transaction SE16.
Enter the table name HTTPURLLOC and press F5.
Enter the following values in the HTTPURLLOC table:
| MANDT | SORT_KEY | PROTOCOL | APPL | HOST | PORT |
|---|---|---|---|---|---|
| 001 | 010 | HTTPS | * | <FQDN> | 50101 |
For <FQDN>, specify the external, fully-qualified domain name that allows access to SAP NetWeaver Enterprise Search in your company's IT landscape.
Note
If you have used a port other than the default port 50101 in the Web dispatcher configuration, you must adjust the port here accordingly.
SAP NetWeaver Enterprise Search is protected by a firewall that allows access to only a few TCP/IP ports. You must add the port that you have defined for the HTTPS handler in the SAP Web dispatcher profile to the list of permitted ports. Proceed as follows:
Log on to the master blade at the operating system level with the root user.
Use the yast command to launch the configuration tool.
Choose .
In the firewall configuration area, choose Allowed Services.
Make sure that the External Zone is selected below Allowed Services for Selected Zone.
To open the advanced service configuration, choose Advanced.
Add the port of your HTTPS handler (for example 50101) to the list of permitted TCP ports and choose OK.
To activate the changed list, choose Next and then Accept.
SAP NetWeaver Security Guide: Configuring the SAP Web Dispatcher to Support SSL
SAP NetWeaver Enterprise Search Security Guide: Security of the Communications Channels