How-To install & configure the SAP Web Dispatcher
Last modification: 18. January 2007
Oliver Luik / Christian Goldbach
1 Introduction ... 4
2 SAP Web Dispatcher Installation with SAPinst ... 4
3 SSL Installation and Configuration ... 4
3.1 The SAP Cryptographic Library Installation Package ... 5
3.1.1 Definition ... 5
3.1.2 Structure ... 5
3.2 Installing the SAP Cryptographic Library ... 5
3.2.1 Procedure ... 5
3.2.2 Result ... 6
3.3 Setting the SSL Profile Parameters for the SAP Web Dispatcher ... 6
3.4 Creating the PSEs and Certificate Requests ... 8
3.4.1 Use ... 8
3.4.2 Prerequisites ... 8
3.4.3 Procedure ... 9
3.5 Sending the Certificate Requests to a CA ... 10
3.5.1 Use ... 10
3.5.2 Prerequisites ... 11
3.5.3 Procedure ... 11
3.5.4 Result ... 12
3.6 Importing the Certificate Request Responses ... 13
3.6.1 Use ... 13
3.6.2 Prerequisites ... 13
3.6.3 Procedure ... 13
3.6.4 Result ... 14
3.7 Creating Credentials for the SAP Web Dispatcher ... 14
3.7.1 Use ... 14
3.7.2 Prerequisites ... 14
3.7.3 Procedure ... 14
3.7.4 Result ... 15
3.8 Testing the SSL Connection to the SAP Web Dispatcher ... 16
3.8.1 Use ... 16
3.8.2 Prerequisites ... 16
3.8.3 Procedure ... 16
3.8.4 Result ... 16
3.9 Sample Profile for the SAP Web Dispatcher when Terminating SSL ... 17
3.10 Sample Profile for the SAP Web Dispatcher when Reencrypting SSL and Retrieving Meta Data Using SSL ... 18
4 SAP Web Dispatcher Configuration ... 20
4.1 Configuring the Web Dispatcher Web Administration Interface
4.3 Setting Up Your Own Error Pages ... 20
4.3.1 Use ... 20
4.3.2 Prerequisites ... 21
4.3.3 Procedure ... 21
4.3.3.1 Static Error Pages ... 21
4.3.3.2 Dynamic Error Pages ... 21
4.3.4 Example ... 22
4.4 How to Display a Welcome Page ... 23
4.4.1 Use ... 23
4.4.2 Properties ... 23
4.4.2.1 Value Range and Syntax ... 23
4.4.2.2 Example ... 24
4.4.2.3 Caching ... 24
4.5 How to Configure Automatic Redirects to HTTPS ... 25
4.5.1 Use ... 25
4.5.2 Integration ... 25
4.5.3 Properties ... 25
4.5.3.1 Value Range and Syntax ... 25
4.5.3.2 Examples ... 26
4.5.4 More Information ... 27
5 References ... 27
5.1 SAP Notes ... 27
5.2 How-To Guides ... 28
5.3 External References ... 28
1 Introduction
This document is a Step-By-Step installation manual for the SAP Web Dispatcher for the Service Desk usage.
2 SAP Web Dispatcher Installation with SAPinst
This section describes the installation of the SAP Web Dispatcher with SAPinst. It can technically be done on the same server as the Web AS. The setup on the same server is, for security reasons, only recommended for demo/internal systems. In a productive setup the SAP Web Dispatcher and the Web AS should be separated by a firewall.
It is recommended to install the ASCII version of the Web Dispatcher.
Please refer to the "Installation Guide Web Dispatcher" for detailed installation descriptions.
At the end of this installation the Web Dispatcher is up and running, you are able to use the Web Admin interface and you are able to send requests to the Web Dispatcher ports, which are forwarded to the application server (with the HTTP protocol).
3 SSL Installation and Configuration
This section describes the installation of the SAP Cryptographic Library for SSL and the required configuration to use it in the Web Dispatcher.
The configuration of SSL described in this chapter is required in case the Web Dispatcher should terminate the SSL traffic. If End-to-End SSL should be used, then the configuration described in this chapter is not necessary. However, when End-to-End SSL is used, the Web Dispatcher is not able to look inside the HTTP data, thus features like URL filtering and redirect are not available.
3.1 The SAP Cryptographic Library Installation Package
3.1.1 Definition
The installation package available for using the SAP Cryptographic Library. The installation package is available for authorized customers on the SAP Service Marketplace at http://service.sap.com/swdc.
For unpacking the installation package use the SAPCAR utility. SAPCAR is available on the SAP Service Marketplace -> Support Packages and Patches -> Additional Components -> SAPCAR -> SAPCAR 7.00.
3.1.2 Structure
The SAP Cryptographic Library installation package sapcrypto.car contains the following files:
1. The SAP Cryptographic Library (sapcrypto.dll for Windows NT or libsapcrypto.<ext> for UNIX)
2. A corresponding license ticket (ticket)
3. The configuration tool sapgenpse.exe
3.2 Installing the SAP Cryptographic Library
Use the following procedure to install the SAP Cryptographic Library on your host.
3.2.1 Procedure
As user <sid>adm:
1. Extract the contents of the SAP Cryptographic Library installation package.
2. Copy the library file and the configuration tool sapgenpse.exe to the directory specified by the application server's profile parameter DIR_EXECUTABLE. In the following, we represent this directory with the notation $(DIR_EXECUTABLE).
Examples
UNIX:
- DIR_EXECUTABLE: /usr/sap/<SID>/SYS/exe/run/
- Location of SAP Cryptographic Library: /usr/sap/<SID>/SYS/exe/run/libsapcrypto.so
Windows NT:
- DIR_EXECUTABLE: <DRIVE>:\usr\sap\<SID>\SYS\exe\run\
- Location of SAP Cryptographic Library: <DRIVE>:\usr\sap\<SID>\SYS\exe\run\sapcrypto.dll
3. Check the file permissions for the SAP Cryptographic Library. If, for example, you copied the library to its location using ftp on UNIX, then the file permissions may not be set correctly. Make sure that <sid>adm (or SAPService<SID> under Windows NT) is able to execute the library's functions.
4. Copy the ticket file to the sub-directory sec in the instance directory $(DIR_INSTANCE).
Examples
UNIX:
- DIR_INSTANCE: /usr/sap/<SID>/<instance>
- Location of the ticket: /usr/sap/<SID>/<instance>/sec/ticket
Windows NT:
- DIR_INSTANCE: <DRIVE>:\usr\sap\<SID>\<instance>
- Location of the ticket: <DRIVE>:\usr\sap\<SID>\<instance>\sec\ticket
5. Set the environment variable SECUDIR to the sec sub-directory. The application server uses this variable to locate the ticket and its credentials at run-time.
If you set the environment variable using the command line, then the value may not be applied to the server's processes. Therefore, we recommend setting SECUDIR in the startup profile for the server's user or in the registry (Windows NT).
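As an added check for the procedure above (example code written for this edit, not part of the original guide or of SAP's tooling), the following Python function re-verifies steps 2 to 5 against a given DIR_EXECUTABLE, DIR_INSTANCE and environment: library and sapgenpse present and executable, ticket in the sec sub-directory, and SECUDIR pointing at that directory. The UNIX library names other than libsapcrypto.so, the directory layout built by demo() and all function names are assumptions.

```python
"""Sanity checks for a SAP Cryptographic Library installation (added example)."""
import os
import tempfile


def check_sapcrypto_install(dir_executable, dir_instance, env, windows=False):
    """Return a list of findings; an empty list means the layout looks correct.

    dir_executable: value of the profile parameter DIR_EXECUTABLE
    dir_instance:   value of the profile parameter DIR_INSTANCE
    env:            mapping with the environment to inspect (e.g. os.environ)
    windows:        expect sapcrypto.dll instead of libsapcrypto.<ext>
    """
    findings = []

    # Step 2: library and configuration tool live in DIR_EXECUTABLE.
    if windows:
        lib_candidates = ["sapcrypto.dll"]
        tool_name = "sapgenpse.exe"
    else:
        # <ext> differs per UNIX flavour; .so is the guide's example, .sl and .o are assumed.
        lib_candidates = ["libsapcrypto.so", "libsapcrypto.sl", "libsapcrypto.o"]
        tool_name = "sapgenpse"
    lib_path = next((os.path.join(dir_executable, n) for n in lib_candidates
                     if os.path.isfile(os.path.join(dir_executable, n))), None)
    if lib_path is None:
        findings.append("library not found in DIR_EXECUTABLE")
    # Step 3: permissions can be lost by an ftp transfer on UNIX.
    elif not windows and not os.access(lib_path, os.R_OK | os.X_OK):
        findings.append("library is not readable/executable: " + lib_path)

    tool_path = os.path.join(dir_executable, tool_name)
    if not os.path.isfile(tool_path):
        findings.append("sapgenpse not found in DIR_EXECUTABLE")
    elif not windows and not os.access(tool_path, os.X_OK):
        findings.append("sapgenpse is not executable: " + tool_path)

    # Step 4: the ticket file belongs in the sec sub-directory of DIR_INSTANCE.
    sec_dir = os.path.join(dir_instance, "sec")
    if not os.path.isfile(os.path.join(sec_dir, "ticket")):
        findings.append("ticket not found in " + sec_dir)

    # Step 5: SECUDIR must name that sec directory, otherwise ticket and
    # credentials are not found at run-time.
    secudir = env.get("SECUDIR")
    if not secudir:
        findings.append("SECUDIR is not set")
    elif os.path.normcase(os.path.normpath(secudir)) != os.path.normcase(os.path.normpath(sec_dir)):
        findings.append("SECUDIR does not point at " + sec_dir)
    return findings


def demo():
    """Build a constructed UNIX-style layout in a temp dir and check it twice."""
    with tempfile.TemporaryDirectory() as root:
        dir_exe = os.path.join(root, "usr", "sap", "WDP", "SYS", "exe", "run")
        dir_inst = os.path.join(root, "usr", "sap", "WDP", "W00")
        sec_dir = os.path.join(dir_inst, "sec")
        os.makedirs(dir_exe)
        os.makedirs(sec_dir)
        for name in ("libsapcrypto.so", "sapgenpse"):
            path = os.path.join(dir_exe, name)
            with open(path, "wb") as f:
                f.write(b"placeholder")   # constructed stand-in, not the real file
            os.chmod(path, 0o755)
        with open(os.path.join(sec_dir, "ticket"), "wb") as f:
            f.write(b"placeholder")       # constructed stand-in for the license ticket
        good = check_sapcrypto_install(dir_exe, dir_inst, {"SECUDIR": sec_dir})
        # Now break two things: ftp-style permissions and an unset SECUDIR.
        os.chmod(os.path.join(dir_exe, "libsapcrypto.so"), 0o644)
        bad = check_sapcrypto_install(dir_exe, dir_inst, {})
        return good, bad


if __name__ == "__main__":
    print(demo())
```

Run it against the real directories with `check_sapcrypto_install(dir_exe, dir_inst, os.environ)` as user <sid>adm, since the permission checks are evaluated for the calling user.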
3.2.2 Result
The SAP Cryptographic Library is installed on the application server and the environment is set up correctly so that the Web Dispatcher can locate the library at run-time.
3.3 Setting the SSL Profile Parameters for the SAP Web Dispatcher
Setting profile parameters for the Web Dispatcher is performed using a text editor on the Web Dispatcher profile file. The profile file created by the Web Dispatcher installation is contained in the directory /usr/sap/<SID>/SYS/profile (<DRIVE>:\usr\sap\<SID>\SYS\profile on Windows); the name of the profile file is <SID>_<instance>_<hostname>.
1. Location of the SAP Cryptographic Library and Personal Security Environments to use:
ssl/ssl_lib=<Location_of_SAP_Cryptographic_Library>
ssl/server_pse=<Location_of_SSL_server_PSE>
ssl/client_pse=<Location_of_SSL_client_PSE>
The client PSE is only required when SSL is used between the SAP Web Dispatcher and the SAP Web Application Server or between the Web Dispatcher and the SAP Message Server.
2. SAP Web Dispatcher SSL information to use for incoming connections:
icm/server_port_<xx>=PROT=HTTPS, PORT=<HTTPS_Port>, TIMEOUT=900
icm/HTTPS/verify_client=<0,1>
Documentation for parameter icm/HTTPS/verify_client
3. Connection parameters to the SAP Web AS Message Server in the backend:
rdisp/mshost=<message_server_host>
ms/https_port=<message_server_HTTPS_Port> if you want to use Metadata Exchange Using SSL. Otherwise, use
ms/http_port=<message_server_HTTP_Port> if the connection should not use SSL.
Only one of the two parameters ms/https_port and ms/http_port needs to be set, depending on the protocol used for retrieving meta data from the SAP Message Server.
The SAP Message Server HTTP and HTTPS ports are defined by profile parameters ms/server_port_0, ms/server_port_1, … and can be viewed in transaction SMMS => Goto => Parameters => Display.
4. Parameter for Client Protocol:
wdisp/add_client_protocol_header=<true,false>
Set this parameter to true if there is a change in the protocol at the SAP Web Dispatcher (HTTPS to HTTP or vice versa). If this parameter is set to true, then the SAP Web Dispatcher sets the header variable clientprotocol to the protocol used between the client and the SAP Web Dispatcher (either HTTP or HTTPS). The application server then uses this value as the protocol to use for generated absolute URIs.
5. The following parameters are required only when SSL is used between SAP Web Dispatcher and SAP Web Application Server or between SAP Web Dispatcher and SAP Message Server.
wdisp/ssl_encrypt=<0,1,2>
Documentation for wdisp/ssl_encrypt
wdisp/ssl_auth=<0,1,2>
Documentation for wdisp/ssl_auth
wdisp/ssl_cred=<File_name_of_client_PSE>
This parameter is only necessary if wdisp/ssl_auth = 2.
Documentation for wdisp/ssl_cred
wdisp/ssl_certhost=<Common_host_name>
Use this parameter if multiple servers in the backend use the same host name in their SSL server certificates (for example, www.mycompany.com).
Documentation for wdisp/ssl_certhost
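The parameter rules just listed can be checked mechanically before the Web Dispatcher is restarted. The following Python script is an added example (not from the original guide) that parses a profile in the name = value form used above and reports only the inconsistencies the text states: an HTTPS server port without ssl/ssl_lib or ssl/server_pse, an invalid icm/HTTPS/verify_client value, more or fewer than one of ms/https_port and ms/http_port, wdisp/ssl_auth = 2 without wdisp/ssl_cred, and SSL towards the backend without ssl/client_pse. The sample profiles are constructed; treating a set ms/https_port or a non-zero wdisp/ssl_encrypt as "SSL towards the backend" is my reading of item 5.

```python
"""Consistency checks for the SSL parameters of a Web Dispatcher profile (added example)."""
import re

ICM_PORT_RE = re.compile(r"^icm/server_port_\d+$")

# Constructed sample profile following the parameter list above (not a real system).
SAMPLE_PROFILE = """
# SSL terminated at the Web Dispatcher, plain HTTP towards the message server
ssl/ssl_lib = /usr/sap/WDP/SYS/exe/run/libsapcrypto.so
ssl/server_pse = /usr/sap/WDP/W00/sec/SAPSSLS.pse
icm/server_port_0 = PROT=HTTPS, PORT=4443, TIMEOUT=900
icm/HTTPS/verify_client = 0
rdisp/mshost = backend.example.com
ms/http_port = 8100
wdisp/add_client_protocol_header = true
"""

# The same profile with three mistakes: both message server ports set,
# wdisp/ssl_auth=2 without a credential file, backend SSL without a client PSE.
BROKEN_PROFILE = SAMPLE_PROFILE + """
ms/https_port = 8101
wdisp/ssl_auth = 2
"""


def parse_profile(text):
    """Return {parameter: value} for a SAP profile given as text ('#' starts a comment)."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")   # first '=' separates name and value
        if sep:
            params[name.strip()] = value.strip()
    return params


def parse_port_options(value):
    """'PROT=HTTPS, PORT=4443, TIMEOUT=900' -> {'PROT': 'HTTPS', 'PORT': '4443', ...}"""
    opts = {}
    for part in value.split(","):
        key, sep, val = part.strip().partition("=")
        if sep:
            opts[key.strip().upper()] = val.strip()
    return opts


def check_ssl_profile(params):
    """Return a list of problems; an empty list means the rules above hold."""
    problems = []
    https_ports = [n for n, v in params.items() if ICM_PORT_RE.match(n)
                   and parse_port_options(v).get("PROT", "").upper() == "HTTPS"]

    # Item 1 and 2: terminating SSL needs the library and the SSL server PSE.
    if https_ports:
        for required in ("ssl/ssl_lib", "ssl/server_pse"):
            if not params.get(required):
                problems.append("%s missing but %s uses PROT=HTTPS" % (required, https_ports[0]))

    # Item 2: icm/HTTPS/verify_client takes 0 or 1.
    vc = params.get("icm/HTTPS/verify_client")
    if vc is not None and vc not in ("0", "1"):
        problems.append("icm/HTTPS/verify_client=%s is not 0 or 1" % vc)

    # Item 3: message server host plus exactly one of ms/https_port and ms/http_port.
    if not params.get("rdisp/mshost"):
        problems.append("rdisp/mshost is not set")
    ms_ports = [n for n in ("ms/https_port", "ms/http_port") if params.get(n)]
    if len(ms_ports) != 1:
        problems.append("set exactly one of ms/https_port and ms/http_port, found: "
                        + (", ".join(ms_ports) or "none"))

    # Item 5: ssl_encrypt/ssl_auth take 0, 1 or 2; ssl_auth=2 needs ssl_cred;
    # SSL towards the backend (assumed: ms/https_port or ssl_encrypt != 0) needs the client PSE.
    for name in ("wdisp/ssl_encrypt", "wdisp/ssl_auth"):
        v = params.get(name)
        if v is not None and v not in ("0", "1", "2"):
            problems.append("%s=%s is not 0, 1 or 2" % (name, v))
    if params.get("wdisp/ssl_auth") == "2" and not params.get("wdisp/ssl_cred"):
        problems.append("wdisp/ssl_auth=2 requires wdisp/ssl_cred")
    backend_ssl = bool(params.get("ms/https_port")) or params.get("wdisp/ssl_encrypt", "0") != "0"
    if backend_ssl and not params.get("ssl/client_pse"):
        problems.append("SSL towards the backend is configured but ssl/client_pse is missing")
    return problems


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_PROFILE), ("broken", BROKEN_PROFILE)):
        print(label, check_ssl_profile(parse_profile(text)))
```

To check a real profile, read /usr/sap/<SID>/SYS/profile/<SID>_<instance>_<hostname> into a string and pass it through parse_profile and check_ssl_profile; the checker does not verify that the PSE files exist, only that the parameters are consistent with each other.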
3.4 Creating the PSEs and Certificate Requests
3.4.1 Use
If the SAP Web Dispatcher is to terminate the SSL connection, then it needs to possess a key pair and public-key certificate to use for the incoming SSL connection. This information is stored in the SAP Web Dispatcher's SSL server PSE.
If it also uses SSL for the connection to the backend server, then it also needs to possess a key pair to use for this connection. This information is stored in its SSL client PSE. Although you can use the same file for both of these PSEs, we refer to them separately in the documentation.
You can either use the trust manager to create the PSEs or you can use the configuration tool sapgenpse. See the procedures below.
If the SAP Web Dispatcher is to pass the SSL connection to the SAP Web Application Server, then you do not need to perform these steps.
3.4.2 Prerequisites
1. You know the naming convention to use for the SAP Web Dispatcher's Distinguished Name. The syntax of the Distinguished Name depends on the CA that you use.
For example, if you use the SAP CA, the naming convention is CN=<host_name>, OU=I<installation_number>-<company_name>, OU=SAP Web AS, O=SAP Trust Community, C=DE.
3.4.3 Procedure
You can use the configuration tool sapgenpse to create the SAP Web Dispatcher's PSEs.
Before you can use sapgenpse to create the SSL server PSE, the environment variable SECUDIR must be set to the directory where the license ticket is located. If the environment variable is not yet set, then set it using the command line as shown below.
Setting the environment variable SECUDIR on Windows:
set SECUDIR=<SECUDIR_directory>
On Unix systems the syntax for setting environment variables is dependent on the Unix shell.
Use the tool's command get_pse as shown below to create the SAP Web Dispatcher's PSE.
sapgenpse get_pse <additional_options> -p <PSE_Name> -r <cert_req_file_name> -x <PIN> <Distinguished_Name>
The sapgenpse commands (create the PSE and the certification request, create the credential file, import the own certificate, import trusted certificates) must be performed once for every PSE (for example SAPSSLS.pse and SAPSSLC.pse).
Where:
Standard Options
Option | Parameter | Description | Allowed Values | Default
-p | <PSE_Name> | Path and file name for the PSE. If the complete path is not included, then the PSE file is created in the SECUDIR directory. The file name must correspond to the file name specified in the profile parameter ssl/server_pse and wdisp/ssl_cred for the SSL server PSE and the SSL client PSE respectively (for example, SAPSSLS.pse or SAPSSLC.pse). | | None
-r | <file_name> | File name for the certificate request | Path description (in quotation marks, if spaces exist) | Stdout
-x | <PIN> | PIN that protects the PSE | Character string | None
| <Distinguished_Name> | The Distinguished Name for the SAP Web Dispatcher | Character string (in quotation marks, if spaces exist) | None
Additional Options
Option | Parameter | Description | Allowed Values | Default
-s | <key_len> | Key length | 512, 1024, 2048 | 1024
-a | <algorithm> | Algorithm used | RSA, DSA | RSA
-noreq | None | Only generate a key pair and PSE. Do not create a certificate request. | Not applicable | Not set
-onlyreq | None | Generate a certificate request for the public key stored in the PSE specified by the -p parameter. | Not applicable | Not set
The command line below creates the SAP Web Dispatcher's SSL server PSE and certificate request using the following information:
1. The environment variable SECUDIR is set to C:\Program Files\SAP\SAPWebDisp\sec.
2. The PSE is to be located at C:\Program Files\SAP\SAPWebDisp\sec\SAPSSLS.pse.
3. The PIN used to protect the PSE is abcpin.
4. The name of the certificate request file is abc.req.
5. The SAP Web Dispatcher is accessed using the fully-qualified host name host123.mycompany.com.
6. The CA used is the SAP CA.
7. Therefore, the server's Distinguished Name is CN=host123.mycompany.com, OU=I1234567890-MyCompany, OU=SAP Web AS, O=SAP Trust Community, C=DE.
sapgenpse get_pse -p SAPSSLS.pse -x abcpin -r abc.req "CN=host123.mycompany.com, OU=I1234567890-MyCompany, OU=SAP Web AS, O=SAP Trust Community, C=DE"
3.5 Sending the Certificate Requests to a CA
3.5.1 Use
After you have generated a key pair and certificate request for each PSE, send the certificate requests to a CA to be signed. The response from the CA is a signed public-key certificate for the server when it is using the designated PSE.
3.5.2 Prerequisites
You can send the certificate requests to the CA of your choice, for example, the SAP CA. Note however, the corresponding certificate request response from the CA must be available in one of the following formats:
1. PKCS#7 certificate chain format
In this case, the issuing CA provides the certificate request response in the necessary format. For example, the SAP CA provides the response in this format, or you can request this format from your CA.
2. PEM format
In this case, the certificate request response from your CA contains only the signed public-key certificate. Therefore, you must also have access to the CA's root certificate. When using sapgenpse, it must exist as a file in the file system.
3.5.3 Procedure
For each certificate request that you created, send the contents of the certificate request to your CA.
The exact procedure to use depends on the CA that you use. For the SAP CA, follow the instructions provided by the SAP Trust Center Service at http://service.sap.com/tcs.
The link http://service.sap.com/tcs => SSL Test Server Certificates allows you to create signed test certificates. You can sign certificates for testing which will be valid for two months. In order to create a CA response in format PKCS#7, select "Choose server type" => PKCS#7 certificate chain.
To view the contents of the certificate, open the certificate request with a text editor. Because many editors use hidden characters for formatting, use a text editor that does not support formatting features, for example, Notepad. If carriage returns or line feeds have been corrupted, for example, during download, then correct these errors.
The example below shows a correct certificate request:
-----BEGIN CERTIFICATE REQUEST-----
MIIBkzCCAVICAQAwWjELMAkGA1UEBhMCREUxHDAaBgNVBAoTE215U0FQLmNvbS
BXb3JrcGxhY2UxDzANBgNVBAsTBlNBUCBBRzEOMAwGA1UECxMFQmFzaXMxDDAK
BgNVBAMTA0JJTzCB7jCBpgYFKw4DAhswgZwCQQCSnauC/cAfQVrmOtWznQ9I+i
4twoPq8wCE0Fk5EAVjQnX2oMqBnyoi+ee/ZH2cLwyhp5mOOw70+exS7PHEWKiF
AhUAw9FSY1AsFV4U9fC9w+Bg5H4ISYcCQARcC+7q3UkM0TF0A5zRaq7viO3Wj2
MwYUNwFkc0hxzhloUQd21megZADoFiisdzkn/nF4eIxV9vq9XxcV63xTsDQwAC
QFher18UA8YkY4/zHe4mbupBXvDSucm2nbJuQ5PgDBvVaMmtpXIisyzuAFL+qC
zQ92mkNqUR9JLWpz09ghQdISCgADAJBgcqhkjOOAQDAzAAMC0CFA7qEluP/Kfi
+6HF/8I7j4NfF44xAhUAqkDgAeR3tzmNegKUTQ+JzeCXawE=
-----END CERTIFICATE REQUEST-----
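The editor check described above, and the Distinguished Name convention from section 3.4.2, can both be applied programmatically. The following Python script is an added example (not from the original guide): it removes damaged carriage returns, line feeds and blanks from a downloaded request, verifies the PEM markers and the base64 body, decodes the PKCS#10 structure far enough to show the subject Distinguished Name, and checks a DN against the SAP CA pattern. The input is the request printed above with constructed download damage; the small DER reader and all function names are my own.

```python
"""Check a PEM certificate request before sending it to the CA (added example)."""
import base64
import binascii
import re

BEGIN = "-----BEGIN CERTIFICATE REQUEST-----"
END = "-----END CERTIFICATE REQUEST-----"
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU"}
# Naming convention quoted in section 3.4.2 for the SAP CA.
SAP_CA_DN_RE = re.compile(r"^CN=[A-Za-z0-9.-]+, OU=I\d+-[^,]+, OU=SAP Web AS, "
                          r"O=SAP Trust Community, C=DE$")

# The request shown above as it might arrive after a download: CRLF line ends,
# a trailing blank and an empty line inside the body (constructed damage).
SAMPLE_REQUEST_AS_DOWNLOADED = "\r\n".join([
    BEGIN,
    "MIIBkzCCAVICAQAwWjELMAkGA1UEBhMCREUxHDAaBgNVBAoTE215U0FQLmNvbS ",
    "BXb3JrcGxhY2UxDzANBgNVBAsTBlNBUCBBRzEOMAwGA1UECxMFQmFzaXMxDDAK",
    "BgNVBAMTA0JJTzCB7jCBpgYFKw4DAhswgZwCQQCSnauC/cAfQVrmOtWznQ9I+i",
    "",
    "4twoPq8wCE0Fk5EAVjQnX2oMqBnyoi+ee/ZH2cLwyhp5mOOw70+exS7PHEWKiF",
    "AhUAw9FSY1AsFV4U9fC9w+Bg5H4ISYcCQARcC+7q3UkM0TF0A5zRaq7viO3Wj2",
    "MwYUNwFkc0hxzhloUQd21megZADoFiisdzkn/nF4eIxV9vq9XxcV63xTsDQwAC",
    "QFher18UA8YkY4/zHe4mbupBXvDSucm2nbJuQ5PgDBvVaMmtpXIisyzuAFL+qC",
    "zQ92mkNqUR9JLWpz09ghQdISCgADAJBgcqhkjOOAQDAzAAMC0CFA7qEluP/Kfi",
    "+6HF/8I7j4NfF44xAhUAqkDgAeR3tzmNegKUTQ+JzeCXawE=",
    END,
]) + "\r\n"


def normalize_request(text):
    """Repair whitespace damage; return (clean PEM text, DER bytes) or raise ValueError."""
    lines = [ln.strip() for ln in text.replace("\r", "\n").split("\n")]
    lines = [ln for ln in lines if ln]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("PEM markers missing or damaged")
    body = "".join(lines[1:-1])
    if not re.fullmatch(r"[A-Za-z0-9+/]+=*", body):
        raise ValueError("body contains characters outside the base64 alphabet")
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("base64 decoding failed: %s" % exc)
    wrapped = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([BEGIN] + wrapped + [END]) + "\n", der


def _read_tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                    # long form: low bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each element directly inside a SEQUENCE or SET."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner


def _decode_oid(raw):
    arcs, n = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(n))
            n = 0
    return ".".join(arcs)


def csr_subject(der):
    """Return (version, [(attribute, value), ...]) from a PKCS#10 request."""
    tag, content, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    top = list(_children(content))        # CertificationRequestInfo, sigAlg, signature
    if len(top) != 3 or top[0][0] != 0x30:
        raise ValueError("not a PKCS#10 certificate request")
    info = list(_children(top[0][1]))      # version, subject, subjectPKInfo, attributes
    version = int.from_bytes(info[0][1], "big")
    subject = []
    for _, rdn in _children(info[1][1]):   # Name = SEQUENCE OF RelativeDistinguishedName
        for _, atv in _children(rdn):      # RDN = SET OF AttributeTypeAndValue
            (_, oid), (_, val) = list(_children(atv))
            name = _decode_oid(oid)
            subject.append((OID_NAMES.get(name, name), val.decode("utf-8", "replace")))
    return version, subject


def dn_string(subject):
    """Render the subject most-specific-first, the way the guide writes DNs."""
    return ", ".join("%s=%s" % (k, v) for k, v in reversed(subject))


def matches_sap_ca_convention(dn):
    return SAP_CA_DN_RE.match(dn) is not None


if __name__ == "__main__":
    pem, der = normalize_request(SAMPLE_REQUEST_AS_DOWNLOADED)
    version, subject = csr_subject(der)
    print("version", version, "subject", dn_string(subject))
    print("SAP CA convention:", matches_sap_ca_convention(dn_string(subject)))
```

The sample request carries the subject CN=BIO, OU=Basis, OU=SAP AG, O=mySAP.com Workplace, C=DE, so the convention check reports False for it, while the DN from section 3.4.3 passes; a request whose base64 body was altered during download fails in normalize_request before anything is sent to the CA.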
3.5.4 Result
The CA will validate the information contained in the certificate request (according to its own policy) and return a response that contains the signed public-key certificate.
3.6 Importing the Certificate Request Responses
3.6.1 Use
The CA will send you a certificate request response that contains the signed public-key certificate for the SAP Web Dispatcher. Once you have received this response, import it into the SAP Web Dispatcher's corresponding PSE. You can either use the trust manager or you can use the configuration tool sapgenpse. See the procedures below.
3.6.2 Prerequisites
11. If you are using sapgenpse, then each certificate request response exists as a file in the file system. Otherwise, if you are using the trust manager, then the responses can either exist as a file or you can use Copy&Paste to insert it into the PSE.
12. If the certificate request responses do not contain the CA's root certificate, then you also have access to this certificate. If you are using the trust manager, then it must exist in the trust manager's database. If you are using sapgenpse, then it exists as a file in the file system.
3.6.3 Procedure
You can use the configuration tool sapgenpse to import the certificate request response into the PSEs. Use the tool's command import_own_cert as shown below.
sapgenpse import_own_cert <Additional_options> -p <PSE_file> -c <Cert_file> [-r <RootCA_cert_file>] -x <PIN>
Where:
Standard Options
Option | Parameter | Description | Allowed Values | Default
-p | <PSE_Name> | Path and file name of the PSE. The path is the SECUDIR directory and the file name is SAPSSLS.pse for the SSL server PSE or SAPSSLC.pse for the SSL client PSE (if it exists). | Path description (in quotation marks, if spaces exist) | None
-c | <Cert_file> | File containing the certificate request response. | Path description (in quotation marks, if spaces exist) | None
-r | <RootCA_cert_file> | File containing the CA's root certificate (and any intermediate CA certificates). This parameter is necessary if the CA root and any intermediate CA certificates are not included in the certificate request response. | Path description (in quotation marks, if spaces exist) | Not set
-x | <PIN> | PIN that protects the PSE | Character string | None
3.6.4 Result
The certificate request response is imported into the PSE.
The following command line imports the certificate request response (ABC.cer) into the SAP Web Dispatcher's SSL server PSE that is stored at C:\Program Files\SAP\SAPWebDisp\sec\SAPSSLS.pse. (SECUDIR is set to C:\Program Files\SAP\SAPWebDisp\sec). The PIN that protects the PSE is abcpin.
sapgenpse import_own_cert -c ABC.cer -p SAPSSLS.pse -x abcpin
3.7 Creating Credentials for the SAP Web Dispatcher
3.7.1 Use
The SAP Web Dispatcher must have active credentials at run-time to be able to access its PSEs. Therefore, to produce active credentials, use the configuration tool's command seclogin to "open" each PSE.
The credentials are located in the file cred_v2 in the directory specified by the environment variable SECUDIR. Make sure that only the user under which the SAP Web Dispatcher runs has access to this file (including read access).
3.7.2 Prerequisites
13. The SAP Cryptographic Library is installed and the environment variable SECUDIR is set to the directory where the license ticket and PSEs are located.
14.
3.7.3 Procedure
Use the following command line to open each PSE and create credentials.
sapgenpse seclogin <additional options> -p <PSE_Name> -x <PIN> -O [<Windows_Domain>\]<user_ID>
Where:
Standard Options
Option | Parameter | Description | Allowed Values | Default
-p | <PSE_Name> | Path and file name for the PSE. | Path description (in quotation marks, if spaces exist) | None
-x | <PIN> | PIN that protects the PSE | Character string | None
-O | [<Windows_Domain>\]<user_ID> | User for which the credentials are created. (The user that runs the SAP Web Dispatcher process.) If the user that runs the SAP Web Dispatcher is the current user, then this parameter is optional. Use the parameter -v (verbose) to see the results. | Valid operating system user | The current user
Additional Options
Option | Parameter | Description | Allowed Values | Default
-l | None | List all available credentials for the current user. | Not applicable | Not set
-d | None | Delete credentials | Not applicable | Not set
-chpin | None | Specifies that you want to change the PIN | Not applicable | Not set
After creating the credentials, restart the SAP Web Dispatcher.
3.7.4 Result
The credentials file (cred_v2) for the user provided with the -O option is created in the SECUDIR directory.
The following command line opens the SAP Web Dispatcher's SSL server PSE that is located at C:\Program Files\SAP\SAPWebDisp\sec\SAPSSLS.pse and creates credentials for the user ABCadm. (SECUDIR is set to C:\Program Files\SAP\SAPWebDisp\sec). The PIN that protects the PSE is abcpin.
sapgenpse seclogin -p SAPSSLS.pse -x abcpin
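The access restriction on cred_v2 stated in 3.7.1 can be verified with the following check. This is an added example, not part of this guide or of sapgenpse; it assumes a POSIX file system, where "only this user has access" translates to owner-only mode bits, and it builds its own throwaway SECUDIR with a dummy cred_v2 for demonstration.

```python
"""Verify that SECUDIR/cred_v2 is accessible only to the Web Dispatcher's
service user.  Added example, not part of the SAP guide or of sapgenpse.
Assumption: POSIX file system, so 'only this user has access' means owner-only
mode bits; on Windows this would be an ACL review, which is not done here."""
import os
import pwd
import stat
import tempfile


def current_user():
    """Name of the account running this script (stands in for the service user)."""
    return pwd.getpwuid(os.getuid()).pw_name


def credentials_file_issues(secudir, service_user):
    """Return a list of findings for <secudir>/cred_v2; an empty list means OK."""
    path = os.path.join(secudir, "cred_v2")
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path} does not exist; run 'sapgenpse seclogin' first"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    # Any group/world bit (read included) lets another account use the credentials.
    if mode & 0o077:
        findings.append(f"{path}: mode {mode:04o} grants access beyond the owner")
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)
    if owner != service_user:
        findings.append(f"{path}: owned by {owner}, expected {service_user}")
    return findings


def make_demo_secudir(mode):
    """Constructed test fixture: a temporary SECUDIR holding a dummy cred_v2
    (placeholder bytes, not a real credentials file) with the requested mode."""
    secudir = tempfile.mkdtemp(prefix="secudir_")
    path = os.path.join(secudir, "cred_v2")
    with open(path, "wb") as fh:
        fh.write(b"not a real cred_v2")
    os.chmod(path, mode)
    return secudir


if __name__ == "__main__":
    for mode in (0o600, 0o640):
        issues = credentials_file_issues(make_demo_secudir(mode), current_user())
        print(f"mode {mode:04o}: {'OK' if not issues else issues}")
```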
3.8 Testing the SSL Connection to the SAP Web Dispatcher
3.8.1 Use
Use the following test to test the SSL connection to the SAP Web Dispatcher. In this test, the SAP Web Dispatcher connects to the SAP Web Application Server using a Business Server Page (BSP).
3.8.2 Prerequisites
15. The SAP Web Dispatcher's PSEs and credentials exist.
16. The SAP Web Dispatcher has been restarted.
17. You know the port number that the SAP Web Dispatcher is using for HTTPS connections. The port number is specified in the profile parameter icm/server_port_<xx> in the SAP Web Dispatcher's profile.
3.8.3 Procedure
2. Start a BSP using an HTTPS connection to your SAP Web Dispatcher and the corresponding SSL port.
For example, start the standard BSP test application IT00 with the URL https://mywebdisp.mycompany.com:443/sap/bc/bsp/sap/it00/default.htm.
If your Web browser cannot completely verify the SAP Web Dispatcher's public-key certificate, then you will receive a dialog that states the reason why. For example, if your Web browser does not possess the issuing CA's root certificate as a trusted root certificate, then you are informed and can choose to trust the server at this time.
3. If you trust the server's certificate (either automatically or manually), then the next step is to authenticate yourself.
If your authentication was successful, the page appears.
3.8.4 Result
You are connected to the SAP Web AS via the SAP Web Dispatcher. SSL is used for the connection between your Web browser and the SAP Web Dispatcher, which is indicated in your Web browser.
SAP R/3 und HTTP - 18 -
3.9 Sample Profile for the SAP Web Dispatcher When Terminating SSL
# SAPSYSTEMNAME must be set so that the default profile is
# read. If not, a warning is displayed on the console.
SAPSYSTEMNAME = ABC
# SAPSYSTEM must be set so that the shared memory areas
# can be created.
# The number must be different from the other SAP instances
# on the host.
SAPSYSTEM = 26
# Set DIR_INSTANCE so that the SAP Cryptographic Library can
# find the sec sub-directory.
DIR_INSTANCE = C:\Program Files\SAP\SAPWebDisp
# Message Server Description
rdisp/mshost = abcmain
ms/http_port = 8081
# Description of the Access Points
icm/server_port_0 = PROT=HTTP, PORT=1081, TIMEOUT=900
icm/server_port_1 = PROT=HTTPS, PORT=1443, TIMEOUT=900
icm/HTTPS/verify_client = 0
# Parameters for the SAP Cryptographic Library
ssl/ssl_lib = C:\Program Files\SAP\SAPWebDisp\sapcrypto.dll
ssl/server_pse = C:\Program Files\SAP\SAPWebDisp\sec\SAPSSLS.pse
3.10 Importing the application server's certificate to the Web Dispatcher
This configuration is only used when SSL is used for the communication between SAP Web Dispatcher and SAP Web Application Server or between SAP Web Dispatcher and SAP Message Server.
Export the SSL certificate of a PSE (e.g. the SSL certificate of the SAP Web Application Server or the SSL certificate of the SAP Message Server) and import it into the Web Dispatcher's client PSE.
Export the server's certificate
sapgenpse export_own_cert -p SAPSSLS.pse -x WASPIN
Save the output to a file WAS.cer and import it to the Web Dispatcher's client PSE using the command
sapgenpse.exe maintain_pk -a WAS.cer -p SAPSSLC.pse -x ABCPIN
The opposite direction of importing the Web Dispatcher's client certificate into the server PSE is not required, unless the server explicitly requests that a client certificate is provided using parameter icm/HTTPS/verify_client=2.
Instead of importing a server's SSL certificate directly it would also be possible to import the root certificate of the CA which was used to sign the server's certificate. This is not described here.
It is possible to use certificates which are not signed by a CA between SAP Web Dispatcher and SAP Web Application Server or SAP Web Dispatcher and SAP Message Server. However, in this case the certificates must be identical. This can be achieved by copying the server's server PSE file to the Web Dispatcher client PSE file.
3.11 Sample Profile for the SAP Web Dispatcher When Reencrypting SSL and retrieving meta data using SSL
When SSL reencryption is used, the SAP Web Application Server must be configured to support SSL.
When meta data is retrieved using SSL, additionally the SAP Message Server must be configured to support SSL.
# SAPSYSTEMNAME must be set so that the default profile is
# read. If not, a warning is displayed on the console.
SAPSYSTEMNAME = ABC
# SAPSYSTEM must be set so that the shared memory areas
# can be created.
# The number must be different from the other SAP instances
# on the host.
SAPSYSTEM = 26
# Set DIR_INSTANCE so that the SAP Cryptographic Library can
# find the sec sub-directory.
DIR_INSTANCE = C:\Program Files\SAP\SAPWebDisp
# Message Server Description
rdisp/mshost = abcmain
ms/https_port = 8443
# Description of the Access Points
icm/server_port_0 = PROT=HTTP, PORT=1081, TIMEOUT=900
icm/server_port_1 = PROT=HTTPS, PORT=1443, TIMEOUT=900
icm/HTTPS/verify_client = 0
# Parameters for the SAP Cryptographic Library
ssl/ssl_lib = C:\Program Files\SAP\SAPWebDisp\sapcrypto.dll
ssl/server_pse = C:\Program Files\SAP\SAPWebDisp\sec\SAPSSLS.pse
# Parameters for Using SSL to the backend server
wdisp/ssl_encrypt = 2
wdisp/ssl_auth = 2
wdisp/ssl_cred = SAPSSLC.pse
wdisp/ssl_certhost = www.mycompany.com
# Parameters for retrieving meta data using SSL
wdisp/server_info_protocol=https
wdisp/group_info_protocol=https
wdisp/url_map_protocol=https
4 SAP Web Dispatcher Configuration
The following steps are also covered in the Web Dispatcher documentation on the SAP help portal:
http://help.sap.com/saphelp_nw2004s/helpdata/en/f5/51c7d170bc4a98b1b5a0339213af57/frameset.htm
4.1 How to configure the URL filter
To configure the URL filter you have to set the following profile parameter in the instance profile of the Web Dispatcher:
wdisp/permission_table = $(DIR_DATA)/perm.txt
and create a text file named perm.txt in the instance data directory with the following content:
# URL permission table
P /sap/bc/*
P /sap/public/bsp/*
D *
Please check the new settings with the Web Admin Interface and the menu: Dispatching Module -> URL Filter.
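The following evaluator shows how such a permission table is applied to request paths, so that a table can be reviewed before it is activated. It is an added example, not Web Dispatcher code, and it assumes first-match semantics (entries compared top-down, P permits, D denies, "*" matches any characters) and that a path matching no entry is denied.

```python
"""Evaluate a Web Dispatcher URL permission table (the perm.txt referenced by
wdisp/permission_table).  Added example, not the Web Dispatcher's own code.
Assumptions: entries are compared top-down against the URL path and the first
match decides (P = permit, D = deny); '*' matches any run of characters; a
path that matches no entry is treated as denied (fail closed)."""
import re

# Constructed copy of the perm.txt shown above.
PERM_TXT = """\
# URL permission table
P /sap/bc/*
P /sap/public/bsp/*
D *
"""


def parse_permission_table(text):
    """Return a list of (action, compiled_pattern) in file order."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] not in ("P", "D"):
            raise ValueError(f"perm.txt line {lineno}: cannot parse {raw!r}")
        action, pattern = parts
        # Escape everything literally except '*', which becomes '.*'.
        regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
        rules.append((action, re.compile(regex)))
    return rules


def url_permitted(rules, url):
    """Decide a URL with first-match semantics; the query string is ignored."""
    path = url.split("?", 1)[0]
    for action, pattern in rules:
        if pattern.match(path):
            return action == "P"
    return False


def ends_with_deny_all(rules):
    """Review check: the table should close with 'D *' so that the decision
    for every path not listed explicitly is stated in the table itself."""
    return bool(rules) and rules[-1][0] == "D" and rules[-1][1].pattern == "^.*$"


if __name__ == "__main__":
    table = parse_permission_table(PERM_TXT)
    for url in ("/sap/bc/bsp/sap/it00/default.htm", "/sap/public/bsp/x.htm",
                "/sap/admin/public/default.html", "/sap/bc"):
        print(f"{url}: {'permit' if url_permitted(table, url) else 'deny'}")
    print("closes with D *:", ends_with_deny_all(table))
```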
4.2 Setting Up Your Own Error Pages
4.2.1 Use
For each Error Code, you can create an HTML page, which is sent to the client when this error occurs. You can define both static pages (ending .html) and dynamic pages (ending .shtml). Moreover, you can create a file ICMERR-EDEFAULT.{html,shtml} in directory icm/HTTP/error_templ_path, whose contents are returned if there is no other template for the error.
If external resources (such as images) should be referenced in the error templates, these can be delivered with the ICM's file access handler. See also icm/HTTP/file_access_<xx>
4.2.2 Prerequisites
To use dynamic error handling in the ICM or Web dispatcher, you must set the profile parameter icm/HTTP/error_templ_path to the directory with the error template files. For example:
icm/HTTP/error_templ_path = /usr/sap/WEB/D13/data/icmerror
If you use the Internet Explorer Web browser, the option Show friendly HTTP messages must be deactivated. You can set this from the menu: Tools -> Internet Options -> Advanced under Browsing.
4.2.3 Procedure
Create files ICMERR-<error code>.(s)html in the relevant directory for the error codes you want. You can create static or dynamic error pages.
4.2.3.1 Static Error Pages
If a static error page is defined for an error (ending .html), this is returned to the client.
4.2.3.2 Dynamic Error Pages
The dynamic pages support the following SSI commands (server-side includes, see http://hoohoo.ncsa.uiuc.edu/docs/tutorials/includes.html).
For the dynamic substitutions, the whole file must be searched for the SSI tags "<!--". The effort required to do this is related to the size of the file. The dynamic pages cannot be stored in the cache either.
The following section explains the SSI commands that are supported.
4.2.3.2.1 ECHO
<!--#echo var="variable" -->
You can set the following variables:
Variable Name | Meaning
DATE_LOCAL | Current time/date: Tue Mar 26 17:15:32 2002
DATE_GMT | Current GMT time/date: Tue Mar 26 17:15:32 2002
LAST_MODIFIED | The time when the current file was last modified
FILE_SIZE | Size of the current file in Bytes
SERVER_SOFTWARE | SAP Web Application Server 6.30
PATH_TRANSLATED | URL path (without parameters)
ICM_SERVER | Host name and port through which this server can be reached. For example: ls3022.wdf.sap-ag.de:1080
ICM_INSTANCE | Instance name: ls3022_BIN_12
ICM_ERR_CODE | Error that occurred (numeric)
ICM_ERR_VERSION | ICM version
ICM_ERR_COMPONENT | Component
ICM_ERR_MODULE | Module Name
ICM_ERR_LINE | Line
ICM_ERR_DETAIL | Detail on the error that occurred
Not all fields are available for all errors. With error ICMEOVERLOAD, for example, the request has not yet been read, which is why field PATH_TRANSLATED has not been set.
In your page you can write, for example:
<tr><td>Server:</td><td><!--#echo var="ICM_SERVER" --></td></tr>
</tr><tr><td background="http://<!--#echo var="ICM_SERVER" -->/images/graybar_tile.jpg" height="31">
4.2.3.2.2 INCLUDE
You can use this command to include a different file at this point.
<!--#include file="file name" -->
Your error page can be framed, for example, by the two INCLUDE statements:
<!--#include file="header.html" -->
...
<!--#include file="footer.html" -->
The file must not include itself! Recursive inclusion causes the ICM to terminate.
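A minimal processor for the two SSI commands described above (ECHO and INCLUDE), including the recursion guard that the warning on self-inclusion calls for. This is an added example, not the ICM's implementation: the templates and variable values are constructed and held in memory instead of being read from icm/HTTP/error_templ_path, and the HTML escaping of echoed values is this example's choice, not documented ICM behaviour.

```python
"""Process the ECHO and INCLUDE SSI commands of a dynamic (.shtml) error page,
with a guard against recursive inclusion.  Added example, not the ICM's
implementation.  Templates and variable values are constructed and kept in
memory rather than read from icm/HTTP/error_templ_path; HTML-escaping echoed
values is this example's choice and not documented ICM behaviour."""
import html
import re

SSI_TAG = re.compile(r'<!--#(echo|include)\s+(?:var|file)="([^"]*)"\s*-->')

# Constructed templates: a framed default error page plus a broken one.
TEMPLATES = {
    "ICMERR-EDEFAULT.shtml": (
        '<!--#include file="header.shtml" -->\n'
        '<tr><td>Server:</td><td><!--#echo var="ICM_SERVER" --></td></tr>\n'
        '<tr><td>Error:</td><td><!--#echo var="ICM_ERR_CODE" --></td></tr>\n'
        '<tr><td>URL:</td><td><!--#echo var="PATH_TRANSLATED" --></td></tr>\n'
        '<!--#include file="footer.shtml" -->\n'
    ),
    "header.shtml": "<html><body><table>\n",
    "footer.shtml": "</table></body></html>\n",
    # Includes itself, which the guide warns terminates the ICM.
    "loop.shtml": '<!--#include file="loop.shtml" -->',
}

# Constructed values for variables from the ECHO table (PATH_TRANSLATED is
# left unset, as it is for ICMEOVERLOAD).
VARIABLES = {"ICM_SERVER": "webdisp.example.invalid:1443", "ICM_ERR_CODE": "500"}


class RecursiveInclude(Exception):
    """Raised instead of recursing forever when a template includes itself."""


def render(name, templates=TEMPLATES, variables=VARIABLES, _stack=()):
    """Expand every ECHO and INCLUDE tag in template `name`."""
    if name in _stack:
        raise RecursiveInclude(" -> ".join(_stack + (name,)))
    if name not in templates:
        raise FileNotFoundError(name)

    def expand(match):
        command, argument = match.groups()
        if command == "echo":
            # Unset variables expand to an empty string; values are escaped so
            # request-derived data such as PATH_TRANSLATED is shown as text.
            return html.escape(variables.get(argument, ""))
        return render(argument, templates, variables, _stack + (name,))

    return SSI_TAG.sub(expand, templates[name])


def has_recursive_include(name, templates=TEMPLATES):
    """Review check for a template directory: True if rendering would recurse."""
    try:
        render(name, templates, {})
    except RecursiveInclude:
        return True
    return False


if __name__ == "__main__":
    print(render("ICMERR-EDEFAULT.shtml"))
    print("loop.shtml recursive:", has_recursive_include("loop.shtml"))
```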
4.2.4 Example
You can find an example of a dynamic error page and the .shtml file in Examples of a Dynamic Error Page
4.3 How to display a welcome page
4.3.1 Use
The parameter icm/HTTP/file_access_<xx> determines for which URL prefixes static file access should be set, and in which directory the static files are stored.
If an attempt is made to access a page or file under 'virtual_root' defined by the URL prefix, 'virtual_root' is replaced by 'document_root'. The handler then attempts to read the file from the file system and to send it back to the client.
4.3.2 Properties
Work area | Internet Communication Manager, SAP Web Dispatcher
Unit | Character string
Standard value | -
Dynamically changeable | No
4.3.2.1 Value Range and Syntax
The parameter has the following syntax:
icm/HTTP/file_access_<xx> = PREFIX=<URL-prefix>, DOCROOT=<root directory of files>, CACHECTRL=<sec>
<xx> must be specified in ascending order from 0.
For example, icm/HTTP/file_access_0 = PREFIX=/docs/, DOCROOT=/tmp/documents
Then when the URL /docs/xxx is entered in the browser, the content of the file xxx in the directory /tmp/documents is returned.
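The prefix-to-directory mapping just described, as an added example that is not the ICM's file access handler: it parses the icm/HTTP/file_access_<xx> syntax above and adds a check, which the guide does not discuss, that the path resolved under DOCROOT cannot leave it. It assumes Unix-style DOCROOT values like the /tmp/documents example and that entries are tried in ascending <xx> order with the first matching PREFIX winning.

```python
"""Map request paths through icm/HTTP/file_access_<xx> entries.  Added example,
not the ICM's file access handler.  Assumptions: Unix-style DOCROOT values (as
in the /tmp/documents example), entries tried in ascending <xx> order with the
first matching PREFIX winning, and the resolved file must stay inside DOCROOT."""
import posixpath

# Constructed profile lines in the syntax from 4.3.2.1 (deliberately unordered).
PROFILE_LINES = [
    "icm/HTTP/file_access_1 = PREFIX=/images/, DOCROOT=/tmp/images, CACHECTRL=3600",
    "icm/HTTP/file_access_0 = PREFIX=/docs/, DOCROOT=/tmp/documents",
    "icm/server_port_0 = PROT=HTTP, PORT=1081",
]


def parse_file_access(lines):
    """Return [(prefix, docroot, cachectrl_seconds)] sorted by <xx>."""
    entries = []
    for line in lines:
        key, _, value = line.partition("=")
        key = key.strip()
        if not key.startswith("icm/HTTP/file_access_"):
            continue
        index = int(key.rsplit("_", 1)[1])
        opts = {}
        for item in value.split(","):
            name, _, val = item.strip().partition("=")
            opts[name.strip().upper()] = val.strip()
        entries.append((index, opts["PREFIX"], posixpath.normpath(opts["DOCROOT"]),
                        int(opts.get("CACHECTRL", "0"))))
    return [(p, d, c) for _, p, d, c in sorted(entries)]


def resolve(mappings, url_path):
    """Return the file-system path for url_path, or None if no PREFIX matches
    or the normalised path would fall outside the matching DOCROOT."""
    for prefix, docroot, _ in mappings:
        if not url_path.startswith(prefix):
            continue
        # Replace the virtual root with the document root, then collapse any
        # '.' / '..' segments before deciding whether the result is inside it.
        candidate = posixpath.normpath(posixpath.join(docroot, url_path[len(prefix):]))
        inside = candidate == docroot or candidate.startswith(docroot + "/")
        return candidate if inside else None
    return None


if __name__ == "__main__":
    table = parse_file_access(PROFILE_LINES)
    for path in ("/docs/xxx", "/images/logo.gif", "/docs/../outside.txt", "/other"):
        print(f"{path} -> {resolve(table, path)}")
```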
4.3.2.1.1 Displaying Directory Contents
You can also define a directory index with this parameter. Use the following options for this.
Option | Meaning / Possible Values
BROWSEDIR | Determines the level of detail in the list. The following values are permitted:
0: Function is inactive – directory contents are not displayed.
1: Only the file names are displayed.
2: File names are displayed together with their size and