
Configuring the SAP Web Dispatcher to Terminate the SSL Connection

Use

If the SAP Web Dispatcher is to terminate the SSL connection, then it must possess security information to use for the SSL communication(s). This information is stored in the SAP Web Dispatcher’s Personal Security Environments (PSEs) as follows:

·        For the connection where it is the server component, this information is stored in its SSL server PSE.

·        If the SAP Web Dispatcher also establishes an SSL connection to the AS Java, then its security information to use for this connection is stored in the SSL client PSE. The default SSL client PSE uses the file name SAPSSLC.pse.

To execute the necessary security functions, the SAP Web Dispatcher uses the SAP Cryptographic Library.

Use the procedure below to install the SAP Cryptographic Library on the SAP Web Dispatcher and to set up its security environments.

Prerequisites

·        You have obtained the SAP Cryptographic Library.

·        The CA root certificate belonging to the issuer of the AS Java’s server certificate exists as a file in the file system in Privacy Enhanced Mail (PEM) or DER (binary) format.

Procedure


       1.      Install the SAP Cryptographic Library on the SAP Web Dispatcher’s host.

                            a.      Extract the contents of the SAP Cryptographic Library package.

                            b.      Copy the library and the configuration tool to a local directory.

                            c.      Create a subdirectory called sec on the SAP Web Dispatcher to use for the PSEs. Copy the license ticket to this directory. We refer to this directory as the SECUDIR directory.

       2.      Set the following profile parameters for the SAP Web Dispatcher:

       DIR_INSTANCE=<SECUDIR_Directory>

       icm/server_port_<xx>=PROT=HTTPS, PORT=<HTTPS_Port>, TIMEOUT=900

       icm/HTTPS/verify_client=<0,1>

       ssl/ssl_lib=<Location_of_SAP_Cryptographic_Library>

       ssl/server_pse=<Location_of_SSL_server_PSE>

       ssl/client_pse=<Location_of_SSL_client_PSE>

       wdisp/ssl_encrypt=<0,1,2>

       wdisp/ssl_auth=<0,1,2>

       wdisp/ssl_cred=<File_name_of_client_PSE>

       wdisp/ssl_host=<Common_host_name>

Note

Note the following:

    The parameter wdisp/ssl_cred is only necessary if wdisp/ssl_auth = 2.

    Use the parameter wdisp/ssl_host if multiple servers in the backend use the same host name in their SSL server certificates (for example, www.mycompany.com).

For more information about the individual parameters, see The SAP Web Dispatcher Profile Parameters.

       3.      Create the PSEs and certificate requests.

Using the command line editor:

                            a.      Change to the SECUDIR directory.

                            b.      Set the environment variable SECUDIR to this directory.

                            c.      Using the configuration tool’s command get_pse, create an SSL server PSE. If the SAP Web Dispatcher should also establish an SSL connection to the AS Java, then also create an SSL client PSE.

Syntax

sapgenpse get_pse -p <PSE_Name> -x <PIN> [-r <cert_req_file>] <Distinguished Name>

Note

Note the following:

·         For the SSL server PSE, create a certificate request.

·         For the SSL client PSE, you only need to create a certificate request if wdisp/ssl_auth=1 or 2.

       4.      Send the request(s) to a CA to be signed.

The exact procedure depends on the CA you use. For the SAP CA, see the instructions provided by the SAP Trust Center Services at service.sap.com/tcs.

The CA returns a certificate request response for each request that you send.

       5.      Import each certificate request response into the corresponding PSE. Use the configuration tool’s command import_own_cert:

Syntax

sapgenpse import_own_cert -p <PSE_Name> -x <PIN> -c <cert_req_response_file>

       6.      Create credentials for the user that runs the SAP Web Dispatcher. Use the configuration tool’s command seclogin as shown below. Use the –O option to create the credentials for the specific user that runs the SAP Web Dispatcher, for example, SYSTEM.

Syntax

sapgenpse seclogin -p <PSE_Name> -x <PIN> -O [<Windows_Domain>\]<user_ID>

       7.      Using the configuration tool’s command maintain_pk, import the root certificate for the CA that issued the AS Java its certificate into the SSL client PSE.

Syntax

sapgenpse maintain_pk -a <CA_root_cert> -p <PSE_Name> -x <PIN>

       8.      Restart the SAP Web Dispatcher.

       9.      If the SAP Web Dispatcher will be authenticated using SSL (wdisp/ssl_auth = 1 or 2), then import the CA root certificate of the CA that issued the Web Dispatcher its SSL certificate into the list of trusted CAs on the AS Java. (Using the Key Storage service, import the CA root certificate into the TrustedCAs view.)

   10.      Using the SSL Provider service, specify how the AS Java should handle SSL client certificates:

                            a.      For the corresponding SSL port, choose the Client Authentication tab page and specify whether client certificates are to be used for authentication on the server. (The Web Dispatcher is the client for this connection.)

                            b.      Add the CA root certificate to the list of trusted CAs for the SSL port. (Choose Add.)

Result

The SAP Web Dispatcher terminates incoming SSL connections. If wdisp/ssl_encrypt = 1 or 2, then it also establishes an SSL connection to the AS Java. If wdisp/ssl_auth = 1 or 2, then SSL with mutual authentication is used for the connection to the AS Java.
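The parameter dependencies stated in this procedure (an HTTPS port, the library and server PSE, the client PSE once wdisp/ssl_encrypt is 1 or 2, wdisp/ssl_cred only for wdisp/ssl_auth = 2, and the 0/1/2 value ranges) can be checked before the restart in step 8. The checker below is an added example, not part of SAP's documentation or tooling; the sample profile fragment is constructed, the paths and port are placeholders, and a parameter that is not set is treated as 0.

```python
import re
# Constructed sample profile following the parameter list in this procedure;
# paths and port are placeholders, not taken from a real installation.
SAMPLE_PROFILE = """\
icm/server_port_0 = PROT=HTTPS, PORT=44300, TIMEOUT=900
icm/HTTPS/verify_client = 0
ssl/ssl_lib = /usr/sap/WD1/exe/libsapcrypto.so
ssl/server_pse = /usr/sap/WD1/sec/SAPSSLS.pse
ssl/client_pse = /usr/sap/WD1/sec/SAPSSLC.pse
wdisp/ssl_encrypt = 2
wdisp/ssl_auth = 2
wdisp/ssl_cred = SAPSSLC.pse
"""
RANGES = {"icm/HTTPS/verify_client": ("0", "1"),
          "wdisp/ssl_encrypt": ("0", "1", "2"),
          "wdisp/ssl_auth": ("0", "1", "2")}

def parse_profile(text):
    """Parse 'key = value' profile lines into a dict ('#' lines are comments)."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")
            if sep:
                params[key.strip()] = value.strip()
    return params

def check_ssl_profile(params):
    """Return findings; empty means the fragment satisfies the rules in this procedure."""
    findings = []
    if not any(re.fullmatch(r"icm/server_port_\d+", k) and "PROT=HTTPS" in v.upper()
               for k, v in params.items()):
        findings.append("no icm/server_port_<xx> with PROT=HTTPS: nothing terminates SSL")
    for key in ("ssl/ssl_lib", "ssl/server_pse"):
        if key not in params:
            findings.append(f"{key} missing: crypto library or SSL server PSE not configured")
    for key, allowed in RANGES.items():
        if key in params and params[key] not in allowed:
            findings.append(f"{key} must be one of {', '.join(allowed)}")
    encrypt, auth = params.get("wdisp/ssl_encrypt", "0"), params.get("wdisp/ssl_auth", "0")
    # ssl_encrypt 1 or 2 means an SSL connection to the AS Java, which uses the client PSE
    if encrypt in ("1", "2") and "ssl/client_pse" not in params:
        findings.append("wdisp/ssl_encrypt is 1 or 2 but ssl/client_pse is not set")
    # wdisp/ssl_cred is needed only when wdisp/ssl_auth = 2
    if auth == "2" and "wdisp/ssl_cred" not in params:
        findings.append("wdisp/ssl_auth = 2 requires wdisp/ssl_cred")
    if auth != "2" and "wdisp/ssl_cred" in params:
        findings.append("wdisp/ssl_cred is set but only needed when wdisp/ssl_auth = 2")
    return findings
```

Run `check_ssl_profile(parse_profile(open(path).read()))` against the real profile; an empty list means the fragment is consistent with the dependencies above, not that the PSEs and certificates themselves are valid.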

See also:

For more information about the commands available with sapgenpse, see Configuring the SAP Web Dispatcher to Support SSL in the SAP Web Dispatcher documentation.
