SAP Web Dispatcher Configuration (SSL, certificates)

Hi all,
We're trying to configure the SAP Web Dispatcher for the use of SSL (terminated) and client authentication using x.509 certificates. All works (almost) fine. However, there's some strange behavior that I cannot explain.
The following access points have been specified in the profile:
Description of the Access Points
icm/server_port_0 = PROT=HTTPS, PORT=443, TIMEOUT=15
icm/server_port_2 = PROT=HTTP, PORT=83, TIMEOUT=15
icm/HTTPS/verify_client = 2
Basically we only need users to access the web dispatcher using SSL. However, when I remove the line: icm/server_port_2 = PROT=HTTP, PORT=83, TIMEOUT=15
The Web Dispatcher returns an error upon accessing it using HTTPS:
Dispatching Error
Error: -26
Version: 6040
Component: HTTP_ROUTE
Date/Time: Tue Mar 14 07:19:38 2006 
Module: http_route.c
Line: 2383
Server: sapvm1_DVS_26
Detail: no valid destination server available for '!ALL' rc=13
Any help would be highly appreciated. Thanks!
Frodo

Hi KS,
Maybe you were right after all. I found a nice how-to on service.sap.com (https://websmp203.sap-ag.de/~form/sapnet?_SHORTKEY=00200797470000073632&_SCENARIO=01100035870000000202) and it seems you do have to add the HTTP server_port parameter in case SSL is being terminated (no re-encryption).
icm/server_port_0 = PROT=HTTPS, PORT=443, TIMEOUT=15
icm/server_port_1 = PROT=HTTP, PORT=0, TIMEOUT=15
However, the trick is to set the port to zero (0), that way you can still only access the Web Dispatcher via HTTPS.
All is working now.
Frodo
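
The listener settings discussed in this thread can be checked mechanically. The following is an added example, not code from the posts or from SAP: a small Python audit that reads a profile and reports cleartext HTTP listeners, the `PORT=0` case, the client-certificate mode per HTTPS port, and admin handlers bound to a cleartext port. The sample profiles are constructed from parameter lines quoted on this page; treating `VCLIENT` as a per-port override of `icm/HTTPS/verify_client` is an assumption.

```python
import re

# Constructed sample profiles, built from parameter lines quoted on this page.
PROFILE_BEFORE = """\
icm/server_port_0 = PROT=HTTPS, PORT=443, TIMEOUT=15
icm/server_port_2 = PROT=HTTP, PORT=83, TIMEOUT=15
icm/HTTPS/verify_client = 2
"""
PROFILE_AFTER = """\
icm/server_port_0 = PROT=HTTPS, PORT=443, TIMEOUT=15
icm/server_port_1 = PROT=HTTP, PORT=0, TIMEOUT=15
icm/HTTPS/verify_client = 2
"""
PROFILE_ADMIN = """\
# bootstrap-style profile with the admin handler on the HTTP port
icm/server_port_0 = PROT=HTTP,PORT=8100
icm/server_port_1 =
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=./admin,AUTHFILE=icmauth.txt,PORT=8100
"""


def parse_profile(text):
    """Map parameter name -> raw value, skipping comments and non-parameter lines."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def parse_options(value):
    """Split 'PROT=HTTPS, PORT=443' into {'PROT': 'HTTPS', 'PORT': '443'}."""
    opts = {}
    for part in value.split(","):
        if "=" in part:
            key, val = part.split("=", 1)
            opts[key.strip().upper()] = val.strip()
    return opts


def audit(text):
    """Return (level, parameter, message) tuples; level is ok, review or warn."""
    params = parse_profile(text)
    default_vc = params.get("icm/HTTPS/verify_client")
    findings, cleartext = [], set()
    for name in sorted(params):
        if not re.fullmatch(r"icm/server_port_\d+", name):
            continue
        opts = parse_options(params[name])
        if not opts:  # empty slot such as "icm/server_port_1 ="
            continue
        prot, port = opts.get("PROT", "").upper(), opts.get("PORT", "")
        if prot == "HTTP" and port == "0":
            # The setting from the thread: HTTP is enabled but nothing listens.
            findings.append(("ok", name, "HTTP enabled with PORT=0: no cleartext listener"))
        elif prot == "HTTP":
            cleartext.add(port)
            findings.append(("warn", name, f"cleartext HTTP listener on port {port}"))
        elif prot == "HTTPS":
            # Assumption: a VCLIENT option on the port overrides the global value.
            mode = opts.get("VCLIENT", default_vc)
            if mode == "2":
                findings.append(("ok", name, f"port {port}: client certificate required"))
            elif mode is None:
                findings.append(("review", name, f"port {port}: verify_client not set in profile"))
            else:
                findings.append(("review", name, f"port {port}: client certificate not required (mode {mode})"))
    for name in sorted(params):
        if re.fullmatch(r"icm/HTTP/admin_\d+", name):
            opts = parse_options(params[name])
            if opts.get("PORT") in cleartext:
                findings.append(("warn", name,
                                 f"admin handler {opts.get('PREFIX', '')} is served on cleartext "
                                 f"port {opts['PORT']}; AUTHFILE logins cross the network unencrypted"))
    return findings


if __name__ == "__main__":
    for label, profile in (("before", PROFILE_BEFORE), ("after", PROFILE_AFTER),
                           ("admin", PROFILE_ADMIN)):
        for level, name, message in audit(profile):
            print(f"{label:6} {level:6} {name}: {message}")
```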

Similar Messages

  • Client authentication in PI when SAP Web dispatcher terminates SSL

    PI Security Experts,
    Here is our design for Third-party Peoplesoft system initiating SOAP Call to PI Web Service created on our PI server.
    1) Third-party Peoplesoft Application server initiates a SOAP call.
    2) Third-party Network Gateway has a URL server certificate from our gateway and our gateway server has a root certificate from the CA used by third-party gateway. This will be used to establish the SSL tunnel between gateway.
    3) SOAP request in our network will be routed through load balancer to SAP web dispatcher.
    4) SAP web dispatcher terminates SSL connection
    5) We will generate client cert for authentication and pass it onto third-party which they will load onto their PeopleSoft application server. SOAP call initiating from the PeopleSoft server will pass the client cert along with the message (My understanding is that the client cert will not be a part of SOAP message body. In other words we are not implementing message-level security. Is that true? How will the client cert be passed? How and where will a client attach the client cert with message? My understanding is that this is a network layer security and client certificate will be authenticated on PI J2ee server at SSL protocol level. Is my understanding correct?)
    6) We will also load client certificate generated for client onto J2EE server using Visual Admin and map it to PI user for authentication.
    7) SAP web dispatcher terminates SSL and passes the SOAP message to PI (J2EE) along with client cert in a http header variable.
    There are some conflicting SAP documents. Some say that client cert can't be used for PI authentication if Web Dispatcher terminates SSL connection (http://help.sap.com/saphelp_nw04s/helpdata/en/ea/301e3e6217b40be10000000a114084/frameset.htm). There are some other documents that say that authentication using client cert is possible by having J2EE trusting Web Dispatcher and by passing client cert from Web Dispatcher to J2EE in a http header variable (http://help.sap.com/saphelp_erp2005/helpdata/en/ea/301e3e6217b40be10000000a114084/content.htm).
    Now if client cert authentication is possible even if Web dispatcher terminates SSL, what cert do we need on J2EE, a cert from Web dispatcher or a client cert that's coming in from the client application (the one that we created and provided to our third-party)?
    If we install a cert from web dispatcher on J2EE then do we need a client cert on Web dispatcher instead of on J2EE? If so how and where do we map client cert to PI User?
    I will really appreciate any advice on whether we are going down the right path and any pointers to my questions.
    Thanks,
    Saurabh

    Hi,
    Maybe the links below will be helpful.
    Check the following links; you will get all the information about security.
    http://help.sap.com/saphelp_nw04/helpdata/en/f7/c2953fc405330ee10000000a114084/content.htm
    Also read through this link for message level security - https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/d024ca8e-e76e-2910-c183-8ea4ba681c51
    Also find some information in these links
    http://help.sap.com/saphelp_nw2004s/helpdata/en/a8/882a40ce93185de10000000a1550b0/frameset.htm
    /people/aparna.chaganti2/blog/2007/01/23/how-xml-encryption-can-be-done-using-web-services-security-in-sap-netweaver-xi
    Step by step guide for SSL security
    step by step guide to implement SSL
    Please go through the link below for reference (the above information is from the link below)
    http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/frameset.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/ff/7932e4e9c51c4fa596c69e21151c7d/content.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/13/4a3ad42ae78e4ca256861e078b4160/content.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/3a/7cddde33ff05cae10000000a128c20/content.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/0a/0a2e0fef6211d3a6510000e835363f/content.htm
    General guide
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a09f3d8e-d478-2910-9eb8-caa6516dd7d9
    Message level security
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/d024ca8e-e76e-2910-c183-8ea4ba681c51
    Regarding message level, you can encrypt the message using certificates.
    For both of these the basis team has to deploy the relevant certificates in the XI ABAP stack or Java stack.
    Generally, if the scenarios are intra-company, we don't use any transport level or message level security since the network is already secured.
    Thanks
    Swarup

  • SAP Web Dispatcher Configuration guide for Windows

    Hi,
    I am searching for an SAP Web Dispatcher configuration guide for Windows. It is WAS 6.4, SP14 and JAVA. If anyone knows of this, please guide.
    Thanks.

    Hi Mahesh,
    check out the help pages here:
    http://help.sap.com/saphelp_nw04/helpdata/en/f5/51c7d170bc4a98b1b5a0339213af57/frameset.htm
    Regards,
    Pascal

  • SAP Web Dispatcher Configuration in a FPN

    Hi all,
    We are using SAP Web Dispatcher 720 (latest patch 85).
    We have an FPN network: one consumer portal, with more than 5 producer portals (ECC JAVA, BW JAVA, etc.) and more than 5 different backends (ECC, BW, SRM, etc.).
    We are using SSL termination at the web dispatcher.
    We have configured all our consumer, producer, backends in  our web dispatcher instance,  to use the domain name with different ports.
    Eg :
    https://domainname.com - refers to our consumer portal
    https://domainname.com:7110 - refers to our producer portal 1
    https://domainname.com:7111 - refers to our producer portal 2
    https://domainname.com:6100 - refers to our ABAP backend system 1
    https://domainname.com:6111 - refers to our ABAP backend system 2 ..etc..,
    By configuring it this way, we are facing lots of page not found issues intermittently, as SAPlb cookies are passed incorrectly, since all refer to the same domain name (it ignores the different ports).
    Can someone help us by describing how to configure the web dispatcher so that it suits our FPN network? We can't go for different URLs for each system, as it requires more than 16 URLs and 16 web dispatcher instances.
    Can someone share their experience?
    Thanks & Regards
    Senthil

    Hello Ravi,
    Try to include directory 'admin' within directory
    'sapwebdisp'.
    You can let sapwebdisp create a sapwebdisp.pfl on your
    behalf with option '-bootstrap'.
    You will see the password for user 'icmadm'.
    and this line
    "icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=./admin"
    Then you use URL
    'http://sapwedisphost:<xxxx>/sap/wdisp/admin/default.html'
    See this documentation in
    'http://help.sap.com/saphelp_nw04/helpdata/en/b4/9aa8862e714e6db8e74e48e5d3283b/frameset.htm'
    (especially the topic "Monitoring ...")
    Kind Regards,
    Toni

  • Simple steps to set up SAP Web Dispatcher and SSL

    Hi,
    Could someone please provide simple steps explaining how to configure the SWD to communicate using end-2-end SSL with an XI server? The J2EE engine is listening on port 50001 for HTTPS requests. I have verified SSL is fine through direct connectivity.
    Also our SWD now works fine with HTTP.
    Could someone explain the following:
    1. What parameters must I specify in the SWD profile file?
    2. Do I have to add any parameters via RZ10 to the instance profile?
    3. Do I have to create and activate an HTTPS service via SMICM?
    4. Do I have to activate any internet services via SICF?
    Thanks

    Hi Eddy,
    Sorry just got round to checking on this. The documentation you point to here is what we used as the basis for our setup.
    We are attempting to use End-2-End SSL and did modify the SWD profile accordingly. It does not work however. If I connect via SSL directly to the J2EE server it works fine. Also connecting via HTTP thru the SWD works as well.
    We are unsure as to whether there is something (parameters, service, etc.) that we have to set up via SMICM and/or RZ10 to enable SSL on the ICM? Or even whether that is necessary.
    Ideally what I'd like is if someone can explain step-by-step what needs to be set up in the ABAP stack/message server that would be great.
    Thanks
    Brian

  • Web Dispatcher configured but not working

    Hi,
    We wish to configure SAP Web Dispatcher as a reverse proxy. For this we've installed using sapinst SAP Web Dispatcher Version 7.00.11, multithreaded, ASCII, 64 BIT Patch Level 140 which was manually updated to SAP Web Dispatcher Version 7.10.1, multithreaded, ASCII, 64 BIT Patch Level 152.
    The SAP Web Dispatcher server is in DMZ whereas the Enterprise Portal servers are in the intranet.
    The updated SAP Web Dispatcher is available in /sapmnt/<SID>/exe and not in a separate directory (/usr/sap/<SID>/sapwebdisp) as per SAP note 908097. The SAP Web Dispatcher has been installed on a standalone machine with instance number 00.
    I've configured the Sap Web dispatcher with the -bootstrap option. The -checkconfig option completes with 0 warning 0 errors.
    The TCP ports between SAP Web Dispatcher and Enterprise Portal servers are opened in the firewall. Also, required ports 22 & 8100 are opened from my computer to the SAP Web Dispatcher Server.
    Yet when I try to connect to the administrator interface with the URL http://<Web_Disp_IP>:8100/sap/wdisp/admin/default.html, I receive the following text on the browser:
    Network Error (tcp_error)
    A communication error occurred: "Operation timed out"
    The Web Server may be down, too busy, or experiencing other problems preventing it from responding to requests. You may wish to try again at a later time.
    A similar message is received even if the SAP Web Dispatcher is installed in a separate directory.
    Has anyone come across a similar issue?
    Thanks.
    Regards.
    SAP Web Dispatcher Profile generated by bootstrap
    # Profile generated by sapwebdisp bootstrap
    # unique instance number
    SAPSYSTEM = 00
    # add default directory settings
    DIR_EXECUTABLE = .
    DIR_INSTANCE = .
    # Accessibility of Message Servers
    rdisp/mshost = <EP_CI_IP_address>
    ms/http_port = 8104
    # SAP Web Dispatcher Parameter
    wdisp/auto_refresh = 25
    wdisp/max_servers = 100
    wdisp/shm_attach_mode = 6
    # configuration for default scenario (medium size)
    icm/max_conn      = 500
    icm/max_sockets   = 1024
    icm/req_queue_len = 500
    icm/min_threads   = 10
    icm/max_threads   = 50
    mpi/total_size_MB = 80
    # maximum number of concurrent connections to one server
    wdisp/HTTP/max_pooled_con = 500
    wdisp/HTTPS/max_pooled_con = 500
    # SAP Web Dispatcher Ports
    icm/server_port_0 = PROT=HTTP,PORT=8100
    icm/server_port_1 =
    # SAP Web Dispatcher Web Administration
    icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=./admin,AUTHFILE=icmauth.txt,PORT=8100
    WebDisp:wdpadm 16> sapwebdisp pf=sapwebdisp.pfl -checkconfig
    Checking SAP Web Dispatcher Configuration
    =========================================
    maximum number of sockets supported on this host: 8192
    Server info will be retrieved from host: <EP_CI_IP_address>:8104 with protocol: http
    Checking connection to message server...OK
    Retrieving server info from message server...OK
    Message Server instance list:
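    +---------------+-----------+-----------+------------+
    | instance name | hostname  | HTTP port | HTTPS port |
    +---------------+-----------+-----------+------------+
    | J2EE37031000  | sappqxx03 | 50300     | 50301      |
    | J2EE53924900  | sappqxx05 | 50500     | 50501      |
    +---------------+-----------+-----------+------------+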
    Checking ABAP servers with URL "/sap/public/icman/ping":
    no server group "!DIAG" defined
    Checking J2EE servers with URL "/index.html":
    Checking J2EE server sappqxx03:50300...OK
    Checking J2EE server sappqxx05:50500...OK
    Web Dispatcher configuration for J2EE only system: No server group !DIAG defined
    On double stack systems, configure Web Dispatcher to access Message Server of SAP Web AS ABAP
    Check ended with 0 errors, 0 warnings

    Hi,
    We wish to configure SAP Web Dispatcher (WDP) as a reverse proxy. For this we've installed using sapinst SAP Web Dispatcher Version 7.00.11, multithreaded, ASCII, 64 BIT Patch Level 140 which was manually updated to Version 7.10.1, multithreaded, ASCII, 64 BIT Patch Level 152.
    The SAP WDP server is in DMZ whereas the Enterprise Portal servers are in the intranet.
    The updated SAP WDP is available in /sapmnt/<SID>/exe and not in a separate directory (/usr/sap/<SID>/sapwebdisp) as per SAP note 908097. The SAP WDP has been installed on a standalone machine with instance number 00.
    I've configured the Sap WDP with the -bootstrap option. The -checkconfig option completes with 0 warning 0 errors.
    The TCP ports between SAP WDP and Enterprise Portal 7.0 SP14 servers are opened in the firewall confirmed as per note 552286. Also, required ports 22 & 8100 are opened from my computer to the SAP WDP Server.
    Yet when I try to connect to the administrator interface with the URL http://<Web_Disp_IP>:8100/sap/wdisp/admin/default.html, I receive the following text on the browser:
    Network Error (tcp_error)
    A communication error occurred: "Operation timed out"
    The Web Server may be down, too busy, or experiencing other problems preventing it from responding to requests. You may wish to try again at a later time.
    A similar message is received even if the SAP WDP is installed in a separate directory.
    Has anyone come across a similar issue?
    Thanks.
    Regards.
    SAP Web Dispatcher Profile generated by bootstrap
    SAPSYSTEM = 00
    DIR_EXECUTABLE = .
    DIR_INSTANCE = .
    rdisp/mshost = <EP_CI_IP_address>
    ms/http_port = 8104
    wdisp/auto_refresh = 25
    wdisp/max_servers = 100
    wdisp/shm_attach_mode = 6
    icm/max_conn      = 500
    icm/max_sockets   = 1024
    icm/req_queue_len = 500
    icm/min_threads   = 10
    icm/max_threads   = 50
    mpi/total_size_MB = 80
    wdisp/HTTP/max_pooled_con = 500
    wdisp/HTTPS/max_pooled_con = 500
    icm/server_port_0 = PROT=HTTP,PORT=8100
    icm/server_port_1 =
    icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=./admin,AUTHFILE=icmauth.txt,PORT=8100
    Brief output of checkconfig
    Maximum number of sockets supported on this host 8192
    Server info will be retrieved from host EPHostIPAddres 8104 protocol http
    Checking J2EE server sappqxx03:50300...OK
    Checking J2EE server sappqxx05:50500...OK
    Web Dispatcher configuration for J2EE only system: No server group DIAG defined
    Check ended with 0 errors, 0 warnings

  • Web Dispatcher Configuration.

    Hi,
    1) Our SRM server is connected to the portal and end-users are using the portal to connect to it. The SRM server has 2 other application servers for load balancing.
    As load balancing is not happening, we are getting an ITS memory bottleneck issue.
    We have installed Web Dispatcher for load balancing, but I am confused about how the connectivity Portal --> SAP Web Dispatcher --> SRM will work.
    2) C:\usr\sap>sapwebdisp.exe -checkconfig pf=c:\usr\sap\sapwebdisp.pfl
    Checking SAP Web Dispatcher Configuration
    =========================================
    maximum number of sockets supported on this host: 32768
    Server info will be retrieved from host: CIserver:8100 with protocol: http
    Checking connection to message server...OK
    Retrieving server info from message server...OK
    Message Server instance list:
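    +-----------------+----------+-----------+------------+
    | instance name   | hostname | HTTP port | HTTPS port |
    +-----------------+----------+-----------+------------+
    | APPS602_PRD_01  | APPS602  | 8001      | 50101      |
    | APPS601_PRD_00  | APPS601  | 8000      | 50001      |
    | CIserver_PRD_02 | CIserver | 8002      | 8003       |
    +-----------------+----------+-----------+------------+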
    Checking ABAP servers with URL "/sap/public/icman/ping":
    Checking ABAP server APPS602:8001...OK
    Checking ABAP server APPS601:8000...OK
    Checking ABAP server CIserver:8002...OK
    Checking J2EE servers with URL "/index.html":
    Checking J2EE server APPS602:8001...ERROR: unexpected OK code: 404
    ERROR: check if application is deployed and active
    Checking J2EE server APPS601:8000...ERROR: unexpected OK code: 404
    ERROR: check if application is deployed and active
    Checking J2EE server CIserver:8002...OK
    Retrieving group info from server APPS602:8001...OK
    Defined server groups:
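    +------------+----------+
    | group name | #entries |
    +------------+----------+
    | !J2EE      | 3        |
    | !J2EES     | 3        |
    | !DIAG      | 3        |
    | !DIAGS     | 1        |
    | !ALL       | 3        |
    | LOGON_PRD  | 3        |
    +------------+----------+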
    Retrieving url info from server APPS602:8001...OK
    Url map info file "/sap/public/icf_info/icr_urlprefix" is OK
    Check ended with 2 errors, 0 warnings
    Please advise
    Regards
    Mazher

    Hi All,
    I have cross-checked in T-code SMLG; load balancing is still not happening.
    Sometimes I get the warnings below in SM21:
    ITS, New user session denied due to memory bottleneck.
    ITS, User session terminated
    Can you please advise.
    Thanks

  • Error SAP Web Dispatcher

    Good afternoon, all,
    I configured the Web Dispatcher with Solman, but the Web Dispatcher only lets me access the Java stack services that run on port 50000; it does not let me see the ABAP services from SICF that run on port 8000. Does anyone have an idea why this happens and how I can fix it?

    Hello Diego,
    To clarify: my SICF services are running perfectly on port 8000 and the Java ones on 50000, and my ms/http_port is 8101. What happens is that the Web Dispatcher only detects the Java stack and does not detect the ABAP stack, so I can access any service that runs on port 50000, but I cannot reach the ones that run on port 8000, which are the ABAP ones, through the Web Dispatcher, because it is not detecting the ABAP stack.
    I noticed that when I enter this URL http://ServidorDeSolman:8101/msgserver/text/logon I get this result:
    version 1.0
    J2EE4070400
    J2EE       ServidorDeSolman     50000     LB=1
    J2EES     ServidorDeSolman     50001     LB=1
    P4             ServidorDeSolman     50004     LB=1
    P4S             ServidorDeSolman     50006     LB=1
    P4HTTP     ServidorDeSolman     50005     LB=1
    JC_MIASRV00_LCS_00
    ServidorDeSolman     50018
    As we can see, it only returns information for the Java stack and the Java ports, but it does not return the information for the ABAP stack.
    I also ran this test with the Web Dispatcher from the command line in cmd:
    C:\usr\sap\WEB\SYS\profile>sapwebdisp -checkconfig pf=WEB_W02_MIASRV00
    Checking SAP Web Dispatcher Configuration
    =========================================
    maximum number of sockets supported on this host: 8192
    Server info will be retrieved from host: ServidorDeSolman:8101 with protocol: http
    Checking connection to message server...OK
    Retrieving server info from message server...OK
    Message Server instance list
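    +---------------+------------------+-----------+------------+
    | instance name | hostname         | HTTP port | HTTPS port |
    +---------------+------------------+-----------+------------+
    | J2EE4070400   | ServidorDeSolman | 50000     | 50001      |
    +---------------+------------------+-----------+------------+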
    Checking ABAP servers with URL "/sap/public/icman/ping":
    No server group "!DIAG" defined
    Checking J2EE servers with URL "/index.html":
    Checking J2EE server http://ServidorDeSolman:50000...OK
    Web Dispatcher configuration for J2EE only system: No server group !DIAG defined
    On double stack systems, configure Web Dispatcher to access Message Server of SAP Web AS ABAP     
    It seems I need to add some parameter in the Web Dispatcher indicating that the system is dual stack, but I really have no idea whether that is the problem or which parameter it would be.
    Any idea what can be done?
    Thank you very much for the help
    Kind regards

  • Error when configuring Web Dispatcher for SSL with Enterprise Portal

    We are in the process of configuring the Web Dispatcher using SSL to connect to our Enterprise Portal (the Web Dispatcher will be in the DMZ).  We have followed all of the help.sap.com guides and now have SSL listening on the EP side (port 8103).  We are now receiving this strange certificate error when we start the Web Dispatcher:
    [Thr 5332] Tue Mar 20 00:36:23 2007
    [Thr 5332]   MatchTargetName("<FULLY QUALIFIED HOSTNAME>", "CN=XXX, OU=XXX, O=XXXX, C=XX") FAILS
    [Thr 5332]   SSL socket: local=<IPADDRESS>:4742  peer=<IPADDRESS>:8103
    [Thr 5332] <<- ERROR: SapSSLSessionStart(sssl_hdl=009D7670)==SSSLERR_SERVER_CERT_MISMATCH
    [Thr 5332] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-30): SSSLERR_SERVER_CERT_MISMATCH [icxxconn.c 2005]
    [Thr 5332] *** ERROR => IcmConnClientRqCreate() failed (rc=-14) [icrxx.c      4919]
    [Thr 5332] *** ERROR => Could not connect to SAP Message Server at <FULLY QUALIFIED HOST NAME>. URL=/msgserver/text/logon?version=1.2 [icrxx.c      2301]
    [Thr 5332] *** ERROR => rc=-1, HTTP response code: 0 [icrxx.c      2302]
    [Thr 5332] *** ERROR => see also OSS note 552286 [icrxx.c      2303]
    We have gone through the trouble shooting note 552286 as listed in the error above.  Any assistance is appreciated.

    Hello, did you receive any resolution for this problem?  We are receiving a similar error and I am unsure of how to resolve.

  • SAP Web Dispatcher SSL Error

    We are having issues with our SSL connection to the SAP Web AS.  Below is the error in the log files:
    [Thr 472] =================================================
    [Thr 472] = SSL Initialization  on  PC with Windows NT
    [Thr 472] =   (700_REL,Jul 14 2008,mt,ascii,SAP_UC/size_t/void* = 8/32/32)
    [Thr 472]   profile param "ssl/ssl_lib" = "C:\Program Files\SAP\SAPWebDisp\DEV\<Our Site>\sapcrypto.dll"
               resulting Filename = "C:\Program Files\SAP\SAPWebDisp\DEV\<Our Site>\sapcrypto.dll"
    [Thr 472]   profile param "ssl/server_pse" = "C:\Program Files\SAP\SAPWebDisp\DEV\<Our Site>\sec\<Our PSE>.pse"
               resulting Filename = "C:\Program Files\SAP\SAPWebDisp\DEV\<Our Site>\sec\<Our PSE>.pse"
    [Thr 472]   profile param "ssl/client_pse" = "C:\Program Files\SAP\SAPWebDisp\DEV\<Our Site>\sec\SAPSSLC.PSE"
               resulting Filename = "C:\Program Files\SAP\SAPWebDisp\DEV\<Our Site>\sec\SAPSSLC.PSE"
    [Thr 472] =   found SAPCRYPTOLIB  5.5.5C pl24  (Jun 11 2008) MT-safe
    [Thr 472] =   current UserID: NT AUTHORITY\SYSTEM
    [Thr 472] =   found SECUDIR environment variable
    [Thr 472] =   using SECUDIR=c:\program files\sap\sapwebdisp\
    [Thr 472] *** ERROR =>   secudessl_Create_SSL_CTX():  PSE "C:\Program Files\SAP\SAPWebDisp\DEV\<Our Site>\sec\<Our PSE>.pse" not found! [ssslsecu.c   1354]
    [Thr 472] secudessl_Create_SSL_CTX: SSL_CTX_set_default_pse_by_name() failed --
      secude_error 1824 (0x00000720) = "Wrong or Missing PIN for PSE"
    [Thr 472] >> ---------- Begin of Secude-SSL Errorstack ---------- >>
    [Thr 472] ERROR in SSL_CTX_set_default_pse_by_name: (1824/0x0720) Wrong or Missing PIN for PSE : "C:\Program Files\SAP\SAPWebDisp\DEV\<Our Site>\sec\<Our PSE>.pse"
    ERROR in ssl_set_pse: (1824/0x0720) Wrong or Missing PIN for PSE : "C:\Program Files\SAP\SAPWebDisp\DEV\<Our Site>\sec\<Our PSE>.pse"
    ERROR in af_open: (1824/0x0720) Wrong or Missing PIN for PSE : "C:\Program Files\SAP\SAPWebDisp\DEV\<Our Site>\sec\<Our PSE>.pse"
    ERROR in secsw_open: (1824/0x0720) Wrong or Missing PIN for PSE : "C:\Program Files\SAP\SAPWebDisp\DEV\<Our Site>\sec\<Our PSE>.pse"
    ERROR in sec_parse_PSEInfo_cont: (1824/0x0720) Wrong or Missing PIN for PSE : "C:\Program Files\SAP\SAPWebDisp\DEV\<Our Site>\sec\<Our PSE>.pse"
    [Thr 472] << ---------- End of Secude-SSL Errorstack ----------
    [Thr 472] *** ERROR => SapISSLAddCredential(): Error SSSLERR_PSE_ERROR trying to create SERVER Credential
            for "C:\Program Files\SAP\SAPWebDisp\DEV\<Our Site>\sec\<OurPSE>.pse" [ssslxxi.c    2278]
    [Thr 472] Tue Mar 31 13:30:06 2009
    [Thr 472] *** ERROR => Initialization of SSL library failed -- NO SSL available!
    [Thr 472] =================================================
    [Thr 472] <<- ERROR: SapSSLInit(read_profile=1)==SSSLERR_PSE_ERROR
    [Thr 472] *** ERROR => IcmAddService: SapSSLInit (rc=-40): SSSLERR_PSE_ERROR [icxxserv.c   319]
    [Thr 3744] IcmCreateWorkerThreads: created worker thread 0
    [Thr 2952] *** ERROR => IcmConnClientRqCreate: No service for protocol HTTPS started [icxxconn.c   2701]
    [Thr 2952] *** ERROR => IcmConnClientRqCreate() failed (rc=-1) [icrxx.c      5234]
    [Thr 2952] *** ERROR => Could not connect to SAP Message Server at onebase. URL=/msgserver/text/logon?version=1.2 [icrxx.c      2591]
    [Thr 2952] *** ERROR => rc=-1, HTTP response code: 0 [icrxx.c      2592]
    [Thr 2952] *** ERROR => see also OSS note 552286 [icrxx.c      2593]
    [Thr 3744] IcmCreateWorkerThreads: created worker thread 1
    [Thr 3744] IcmCreateWorkerThreads: created worker thread 2
    [Thr 3744] IcmCreateWorkerThreads: created worker thread 3
    [Thr 3744] IcmCreateWorkerThreads: created worker thread 4
    [Thr 3292] IcmWatchDogThread: watchdog started
    I've already used sapgenpse seclogin -p <PSE File> -x <PIN> to create a pin.  I've also gone and deleted the old pin that used to be there and created a new one.
    Also I noticed it says "Beware: changing a PIN of a PSE will not auto-update the SSO-credential
    Beware: adding a new credential will not auto-update an existing credential"
    So once you change it how do you update it?  Do you need to reboot the Web Dispatcher or do you just need to restart the service?
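
Traces like the ones in this thread and in the certificate-mismatch thread above carry enough detail to sort the failure before changing anything. The following is an added example, not code from the posts or from SAP: a Python triage that pulls the SSL error code, the secude error, the PSE path, `SECUDIR`, the process user and any service that did not start out of a `dev_webdisp` excerpt. The trace lines are constructed, modelled on the messages quoted on this page, and the hosts, users and paths in them are placeholders.

```python
import re

# Constructed trace lines modelled on the dev_webdisp excerpts in these threads;
# hosts, users and paths are placeholders, not values from the posts.
SAMPLE_TRACE = r'''
[Thr 100] profile param "ssl/server_pse" = "/opt/example/wd/site/sec/server.pse"
[Thr 100] =   current UserID: "exampleadm", env-var USER="exampleadm"
[Thr 100] =   using SECUDIR=/opt/example/wd
[Thr 100] secude_error 1824 (0x00000720) = "Wrong or Missing PIN for PSE"
[Thr 100] <<- ERROR: SapSSLInit(read_profile=1)==SSSLERR_PSE_ERROR
[Thr 100] *** WARNING => Could not start service (rc=-14) PORT=8300,PROT=HTTPS,TIMEOUT=60 [icxxserv_mt. 651]
[Thr 200]   MatchTargetName("portal.example.test", "CN=other, O=Example, C=XX") FAILS
[Thr 200] <<- ERROR: SapSSLSessionStart(sssl_hdl=009D7670)==SSSLERR_SERVER_CERT_MISMATCH
'''

PATTERNS = {
    "pse": re.compile(r'profile param "(ssl/\w+_pse)" = "([^"]+)"'),
    "user": re.compile(r'current UserID: "?([^",]+)'),
    "secudir": re.compile(r'using SECUDIR=(.+)$'),
    "secude": re.compile(r'secude_error (\d+) \((0x[0-9A-Fa-f]+)\) = "([^"]+)"'),
    "sslerr": re.compile(r'(SapSSL\w+)\([^)]*\)==(SSSLERR_\w+)'),
    "svc_down": re.compile(r'Could not start service \(rc=(-?\d+)\) (\S+)'),
    "name": re.compile(r'MatchTargetName\("([^"]*)", "([^"]*)"\) FAILS'),
}


def triage(trace):
    """Collect the security-relevant facts from a trace excerpt."""
    out = {"pse": {}, "user": None, "secudir": None,
           "secude": [], "sslerr": [], "svc_down": [], "name": []}
    for line in trace.splitlines():
        line = line.strip()
        for key, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if key == "pse":
                out["pse"][m.group(1)] = m.group(2)
            elif key in ("user", "secudir"):
                out[key] = m.group(1).strip()
            elif m.groups() not in out[key]:  # the error stack repeats lines
                out[key].append(m.groups())
    return out


def _norm(path):
    # Case-folded and slash-normalised: the Windows trace prints SECUDIR in lower case.
    return path.replace("\\", "/").rstrip("/").lower()


def findings(t):
    """Turn the collected facts into short, ordered findings."""
    notes = []
    codes = {code for _, code in t["sslerr"]}
    if "SSSLERR_PSE_ERROR" in codes:
        for num, _hex, text in t["secude"]:
            notes.append(f"PSE_OPEN_FAILED: secude {num} ({text}) as user {t['user']}")
        # sapgenpse seclogin stores the credential in SECUDIR for one OS user,
        # so a PSE that lives elsewhere is the first thing to compare.
        for param, path in t["pse"].items():
            if t["secudir"] and _norm(path).rsplit("/", 1)[0] != _norm(t["secudir"]):
                notes.append(f"PSE_OUTSIDE_SECUDIR: {param} is not directly in {t['secudir']}")
    if "SSSLERR_SERVER_CERT_MISMATCH" in codes:
        for target, subject in t["name"]:
            notes.append(f"CERT_NAME_MISMATCH: connected to {target}, subject is {subject}")
    for rc, service in t["svc_down"]:
        notes.append(f"SERVICE_NOT_STARTED: rc={rc} {service}")
    return notes


if __name__ == "__main__":
    for note in findings(triage(SAMPLE_TRACE)):
        print(note)
```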

    I am also facing the same issue.
    I have also added credentials, and that completed successfully.
    I am attaching the trace file here. Please suggest.
    trc file: "dev_webdisp", trc level: 1, release: "720"
    sysno 00
    sid WD1
    systemid 390 (AMD/Intel x86_64 with Linux)
    relno 7200
    patchlevel 0
    patchno 68
    intno 20020600
    make multithreaded, ASCII, 64 bit, optimized
    profile /usr/sap/WD1/profile/WD1_W00_sapportal
    pid 26732
    [Thr 139840314074976] Thu Oct 31 13:54:15 2013
    [Thr 139840314074976] *** WARNING => The maximum number of sockets supported on this host is 1020.
    This is less than the number of sockets configured in parameter icm/max_sockets (8192) [icxxrout_mt. 3417]
    [Thr 139840314074976] started security log to file ./dev_icm_sec
    [Thr 139840314074976] SigISetDefaultAction : default handling for signal SIGCHLD
    [Thr 139840314074976] SAP Web Dispatcher running on: sapportal.abrajoman.com
    [Thr 139840314074976] MtxInit: 30001 0 2
    [Thr 139840314074976] ***LOG IM1=> IcmInit, Startup (SAP Web Dispatcher&sapportal.abrajoman.com&26732&) [icxxrout_mt. 1914]
    [Thr 139840314074976] IcmInit: listening to admin port: 65000
    [Thr 139840314074976] MPI: dynamic quotas disabled.
    [Thr 139840314074976] MPI init: pipes=4000 buffers=1279 reserved=383 quota=10%
    [Thr 139840314074976] CCMS: SemInMgt: Semaphore Management initialized by AlAttachShm_Ext.
    [Thr 139840314074976] CCMS: SemInit: Semaphore 38 initialized by AlAttachShm_Ext.
    [Thr 139840314074976] CCMS: AlInitGlobals : alert/use_sema_lock = TRUE.
    [Thr 139840314074976] IcrCoreInitSessionTable: Session table initialized
    [Thr 139840167098112] HttpExtractArchive: files from archive /usr/sap/WD1/SYS/exe/run/wdispadmin.SAR in directory /usr/sap/WD1/W00/data/icmandir are up to date
    [Thr 139840167098112] HttpISubHandlerAdd: Added handler HttpAdminHandler(0x7f2f0c000e70), slot=0, flags=36869) for /sap/admin, active: 1, table 0x7f2f0c000a10
    [Thr 139840167098112] HttpISubHandlerAdd: Added handler HttpModHandler(0x7f2f0c0012e0), slot=1, flags=12293) for /, active: 1, table 0x7f2f0c000a10
    [Thr 139840167098112] CsiInit(): Initializing the Content Scan Interface
    [Thr 139840167098112] AMD/Intel x86_64 with Linux (mt,ascii,SAP_CHAR/size_t/void* = 8/64/64)
    [Thr 139840167098112] CsiInit(): CSA_LIB = "/usr/sap/WD1/SYS/exe/run/libsapcsa.so"
    [Thr 139840167098112] HttpISubHandlerAdd: Added handler HttpAuthHandler(0x7f2f0c001440), slot=2, flags=12293) for /, active: 1, table 0x7f2f0c000a10
    [Thr 139840167098112] HttpISubHandlerAdd: Added handler HttpWebDispHandler(0x7f2f0c008340), slot=3, flags=1060869) for /, active: 1, table 0x7f2f0c000a10
    [Thr 139840167098112] Started service PORT=8100,PROT=HTTP,TIMEOUT=60,PROCTIMEOUT=60
    [Thr 139840167098112] =================================================
    [Thr 139840167098112] = SSL Initialization platform tag=(linuxx86_64_gcc41)
    [Thr 139840167098112] = (720_REL,Oct 15 2010,mt,ascii,SAP_UC/size_t/void* = 8/64/64)
    [Thr 139840167098112] profile param "ssl/ssl_lib" = "/usr/sap/WD1/exe/libsapcrypto.so"
    [Thr 139840167098112] resulting Filename = "/usr/sap/WD1/exe/libsapcrypto.so"
    [Thr 139840167098112] = found SAPCRYPTOLIB 5.5.5C pl36 (Jul 3 2013) MT,AESNI,NB
    [Thr 139840167098112] = current UserID: "wd1adm", env-var USER="wd1adm"
    [Thr 139840167098112] = using SECUDIR=/usr/sap/WD1/W00/sec
    [Thr 139840167098112] profile param "ssl/server_pse" = "/usr/sap/WD1/W00/sec/epssl.pse"
    [Thr 139840167098112] resulting Filename = "/usr/sap/WD1/W00/sec/epssl.pse"
    [Thr 139840167098112] *** ERROR => secudessl_Create_SSL_CTX(): PSE "/usr/sap/WD1/W00/sec/epssl.pse": unable to use! [ssslsecu_mt. 1735]
    [Thr 139840167098112] secudessl_Create_SSL_CTX: SSL_CTX_set_default_pse_by_name() failed --
    [Thr 139840167098112] secude_error 1824 (0x00000720) = "Wrong or Missing PIN for PSE"
    [Thr 139840167098112] >> ---------- Begin of Secude-SSL Errorstack ---------- >>
    [Thr 139840167098112] ERROR in SSL_CTX_set_default_pse_by_name: (1824/0x0720) Wrong or Missing PIN for PSE : "/usr/sap/WD1/W00/sec/epssl.pse"
    [Thr 139840167098112] ERROR in ssl_set_pse: (1824/0x0720) Wrong or Missing PIN for PSE : "/usr/sap/WD1/W00/sec/epssl.pse"
    [Thr 139840167098112] ERROR in af_open: (1824/0x0720) Wrong or Missing PIN for PSE : "/usr/sap/WD1/W00/sec/epssl.pse"
    [Thr 139840167098112] ERROR in secsw_open: (1824/0x0720) Wrong or Missing PIN for PSE : "/usr/sap/WD1/W00/sec/epssl.pse"
    [Thr 139840167098112] ERROR in sec_parse_PSEInfo_cont: (1824/0x0720) Wrong or Missing PIN for PSE : "/usr/sap/WD1/W00/sec/epssl.pse"
    [Thr 139840167098112] << ---------- End of Secude-SSL Errorstack ----------
    [Thr 139840167098112] *** ERROR => SapISSLAddCredential(): Error SSSLERR_PSE_ERROR trying to create SERVER Credential
    for "/usr/sap/WD1/W00/sec/epssl.pse" [ssslxxi_mt.c 2324]
    [Thr 139840167098112] *** ERROR => Initialization of SSL library failed -- NO SSL available!
    [Thr 139840167098112] =================================================
    [Thr 139840167098112]
    [Thr 139840167098112] <<- ERROR: SapSSLInit(read_profile=1)==SSSLERR_PSE_ERROR
    [Thr 139840167098112] *** ERROR => IcmServInitSSL: SapSSLInit (rc=-40): SSSLERR_PSE_ERROR [icxxserv_mt. 251]
    [Thr 139840167098112] *** WARNING => Could not start service (rc=-14) PORT=8300,PROT=HTTPS,TIMEOUT=60,PROCTIMEOUT=900,VCLIENT=0 [icxxserv_mt. 651]
    [Thr 139840314074976] SigISetDefaultAction : default handling for signal SIGCHLD
    [Thr 139840314074976] IcmCreateWorkerThreads: created worker thread 0
    [Thr 139840314074976] IcmCreateWorkerThreads: created worker thread 1
    [Thr 139840314074976] IcmCreateWorkerThreads: created worker thread 2
    [Thr 139840314074976] IcmCreateWorkerThreads: created worker thread 3
    [Thr 139840314074976] IcmCreateWorkerThreads: created worker thread 4
    [Thr 139840314074976] IcmCreateWorkerThreads: created worker thread 5
    [Thr 139840314074976] IcmCreateWorkerThreads: created worker thread 6
    [Thr 139840314074976] IcmCreateWorkerThreads: created worker thread 7
    [Thr 139840314074976] IcmCreateWorkerThreads: created worker thread 8
    [Thr 139840314074976] IcmCreateWorkerThreads: created worker thread 9
    [Thr 139840167098112] IcmWatchDogThread: watchdog started
    [Thr 139840148838144] Thu Oct 31 13:54:36 2013
    [Thr 139840148838144] =================================================
    [Thr 139840148838144] = SSL Initialization platform tag=(linuxx86_64_gcc41)
    [Thr 139840148838144] = (720_REL,Oct 15 2010,mt,ascii,SAP_UC/size_t/void* = 8/64/64)
    [Thr 139840148838144] profile param "ssl/ssl_lib" = "/usr/sap/WD1/exe/libsapcrypto.so"
    [Thr 139840148838144] resulting Filename = "/usr/sap/WD1/exe/libsapcrypto.so"
    [Thr 139840148838144] = found SAPCRYPTOLIB 5.5.5C pl36 (Jul 3 2013) MT,AESNI,NB
    [Thr 139840148838144] = current UserID: "wd1adm", env-var USER="wd1adm"
    [Thr 139840148838144] = using SECUDIR=/usr/sap/WD1/W00/sec
    [Thr 139840148838144] profile param "ssl/server_pse" = "/usr/sap/WD1/W00/sec/epssl.pse"
    [Thr 139840148838144] resulting Filename = "/usr/sap/WD1/W00/sec/epssl.pse"
    [Thr 139840148838144] *** ERROR => secudessl_Create_SSL_CTX(): PSE "/usr/sap/WD1/W00/sec/epssl.pse": unable to use! [ssslsecu_mt. 1735]
    [Thr 139840148838144] secudessl_Create_SSL_CTX: SSL_CTX_set_default_pse_by_name() failed --
    [Thr 139840148838144] secude_error 1824 (0x00000720) = "Wrong or Missing PIN for PSE"
    [Thr 139840148838144] >> ---------- Begin of Secude-SSL Errorstack ---------- >>
    [Thr 139840148838144] ERROR in SSL_CTX_set_default_pse_by_name: (1824/0x0720) Wrong or Missing PIN for PSE : "/usr/sap/WD1/W00/sec/epssl.pse"
    [Thr 139840148838144] ERROR in ssl_set_pse: (1824/0x0720) Wrong or Missing PIN for PSE : "/usr/sap/WD1/W00/sec/epssl.pse"
    [Thr 139840148838144] ERROR in af_open: (1824/0x0720) Wrong or Missing PIN for PSE : "/usr/sap/WD1/W00/sec/epssl.pse"
    [Thr 139840148838144] ERROR in secsw_open: (1824/0x0720) Wrong or Missing PIN for PSE : "/usr/sap/WD1/W00/sec/epssl.pse"
    [Thr 139840148838144] ERROR in sec_parse_PSEInfo_cont: (1824/0x0720) Wrong or Missing PIN for PSE : "/usr/sap/WD1/W00/sec/epssl.pse"
    [Thr 139840148838144] << ---------- End of Secude-SSL Errorstack ----------
    [Thr 139840148838144] *** ERROR => SapISSLAddCredential(): Error SSSLERR_PSE_ERROR trying to create SERVER Credential
    for "/usr/sap/WD1/W00/sec/epssl.pse" [ssslxxi_mt.c 2324]
    [Thr 139840148838144] *** ERROR => Initialization of SSL library failed -- NO SSL available!
    [Thr 139840148838144] =================================================
    [Thr 139840148838144]
    [Thr 139840148838144] <<- ERROR: SapSSLInit(read_profile=1)==SSSLERR_PSE_ERROR
    [Thr 139840148838144] *** ERROR => IcmServInitSSL: SapSSLInit (rc=-40): SSSLERR_PSE_ERROR [icxxserv_mt. 251]
    [Thr 139840148838144] *** WARNING => Could not reactivate service (rc=-14) PORT=8300,PROT=HTTPS,TIMEOUT=60,PROCTIMEOUT=900,VCLIENT=0 [icxxserv_mt. 1550]
    [Thr 139840148838144] *** ERROR => ICP_icm_mod_service: ModService(7) failed for 8300, HTTPS(rc=-14) [icrxxadmin_m 5519]
    [Thr 139840151480064] Fri Nov 1 10:54:13 2013
    [Thr 139840151480064] =================================================
    [Thr 139840151480064] = SSL Initialization platform tag=(linuxx86_64_gcc41)
    [Thr 139840151480064] = (720_REL,Oct 15 2010,mt,ascii,SAP_UC/size_t/void* = 8/64/64)
    [Thr 139840151480064] profile param "ssl/ssl_lib" = "/usr/sap/WD1/exe/libsapcrypto.so"
    [Thr 139840151480064] resulting Filename = "/usr/sap/WD1/exe/libsapcrypto.so"
    [Thr 139840151480064] = found SAPCRYPTOLIB 5.5.5C pl36 (Jul 3 2013) MT,AESNI,NB
    [Thr 139840151480064] = current UserID: "wd1adm", env-var USER="wd1adm"
    [Thr 139840151480064] = using SECUDIR=/usr/sap/WD1/W00/sec
    [Thr 139840151480064] profile param "ssl/server_pse" = "/usr/sap/WD1/W00/sec/epssl.pse"
    [Thr 139840151480064] resulting Filename = "/usr/sap/WD1/W00/sec/epssl.pse"
    [Thr 139840151480064] *** ERROR => secudessl_Create_SSL_CTX(): PSE "/usr/sap/WD1/W00/sec/epssl.pse": unable to use! [ssslsecu_mt. 1735]
    [Thr 139840151480064] secudessl_Create_SSL_CTX: SSL_CTX_set_default_pse_by_name() failed --
    [Thr 139840151480064] secude_error 1824 (0x00000720) = "Wrong or Missing PIN for PSE"
    [Thr 139840151480064] >> ---------- Begin of Secude-SSL Errorstack ---------- >>
    [Thr 139840151480064] ERROR in SSL_CTX_set_default_pse_by_name: (1824/0x0720) Wrong or Missing PIN for PSE : "/usr/sap/WD1/W00/sec/epssl.pse"
    [Thr 139840151480064] ERROR in ssl_set_pse: (1824/0x0720) Wrong or Missing PIN for PSE : "/usr/sap/WD1/W00/sec/epssl.pse"
    [Thr 139840151480064] ERROR in af_open: (1824/0x0720) Wrong or Missing PIN for PSE : "/usr/sap/WD1/W00/sec/epssl.pse"
    [Thr 139840151480064] ERROR in secsw_open: (1824/0x0720) Wrong or Missing PIN for PSE : "/usr/sap/WD1/W00/sec/epssl.pse"
    [Thr 139840151480064] ERROR in sec_parse_PSEInfo_cont: (1824/0x0720) Wrong or Missing PIN for PSE : "/usr/sap/WD1/W00/sec/epssl.pse"
    [Thr 139840151480064] << ---------- End of Secude-SSL Errorstack ----------
    [Thr 139840151480064] *** ERROR => SapISSLAddCredential(): Error SSSLERR_PSE_ERROR trying to create SERVER Credential
    for "/usr/sap/WD1/W00/sec/epssl.pse" [ssslxxi_mt.c 2324]
    [Thr 139840151480064] *** ERROR => Initialization of SSL library failed -- NO SSL available!
    [Thr 139840151480064] =================================================
    [Thr 139840151480064]
    [Thr 139840151480064] <<- ERROR: SapSSLInit(read_profile=1)==SSSLERR_PSE_ERROR
    [Thr 139840151480064] *** ERROR => IcmServInitSSL: SapSSLInit (rc=-40): SSSLERR_PSE_ERROR [icxxserv_mt. 251]
    [Thr 139840151480064] *** WARNING => Could not reactivate service (rc=-14) PORT=8300,PROT=HTTPS,TIMEOUT=60,PROCTIMEOUT=900,VCLIENT=0 [icxxserv_mt. 1550]
    [Thr 139840151480064] *** ERROR => ICP_icm_mod_service: ModService(7) failed for 8300, HTTPS(rc=-14) [icrxxadmin_m 5519]
    Thanks,
    Kundan

  • CRM_UI Reporting - HTTPS Terminating at Web Dispatcher or SSL all the way

    Hi,
    We need to set up access to crm_ui reports (leads and marketing mainly) in CRM 7.0 for vendors coming from the internet. The CRM server is in the internal network. In order for this to work I plan to setup the web-dispatcher in the application dmz. The initial login is going to be via the web dmz layer (using sun's iplanet server), which then routes the crm URL to the web dispatcher in the App dmz and then from the web dispatcher to CRM server.
    One requirement from our security team is to set up the flow as HTTPS.
    On going through SAP help I get the impression that it can be set up two ways, one, configuring web dispatcher to pass the SSL connection to backend, & two - configuring the web dispatcher to terminate SSL.
    Seems the former is quite straightforward (from SAP online help we have to set the icm/server_port_<xx> = PROT=ROUTER) but does it also require that we set up the crm_ui_frame service as SSL and activate the HTTPS service in ICM?
    Or is it better to go via the second option (HTTPS termination) without changing the backend setup? SAP Online help lists steps to do the HTTPS termination but I have not come across any detailed documentation for the first method.
    Any thoughts, suggestions will be helpful for either scenario.
    Thanks,
    Rommel Bhan

    Thanks Martin the document helped.
    Now the web dispatcher seems to talk to the HTTPS port on the backend.
    However there is one issue I see in the dev_webdisp and was wondering if you have an insight.
    Based on webdispatcher parameters, it's talking to ms_https_port 8533 of backend
    [Thr 773] Mon Feb 15 15:03:35 2010
    [Thr 773] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
    [Thr 773] SecudeSSL_SessionStart: SSL_connect() failed --
    [Thr 773]   secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"
    [Thr 773] >> ---------- Begin of Secude-SSL Errorstack ---------- >>
    [Thr 773] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
    [Thr 773] ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=sapcms02.reinternal.com, OU=I0020210975, OU=SAP Web AS, O=SAP Trust Community, C=DE"
    [Thr 773] ERROR in get_path: (27/0x001b) Found root certificate of <CN=sapcms02.reinternal.com, OU=I0020210975, OU=SAP Web AS, O=SAP Trust Community, C=DE> which does not fit the given PKRoot
    [Thr 773] ERROR in verify_with_PKs: (27/0x001b) Found root certificate of <CN=sapcms02.reinternal.com, OU=I0020210975, OU=SAP Web AS, O=SAP Trust Community, C=DE> which does not fit the given PKRoot
    [Thr 773] << ---------- End of Secude-SSL Errorstack ----------
    [Thr 773]   SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"
    [Thr 773]   SSL NI-sock: local=10.104.146.81:62579  peer=10.104.146.81:8533
    [Thr 773] <<- ERROR: SapSSLSessionStart(sssl_hdl=110acb850)==SSSLERR_SSL_CONNECT
    [Thr 773] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT [icxxconn_mt.c 1911]
    [Thr 773] *** ERROR => IcmConnClientRqCreate() failed (rc=-14) [icrxx_mt.c   5976]
    [Thr 773] *** ERROR => Could not connect to SAP Message Server at sapcms02. URL=/msgserver/text/logon?version=1.2 [icrxx_mt.c   3289]
    [Thr 773] *** ERROR => rc=-1, HTTP response code: 0 [icrxx_mt.c   3290]
    [Thr 773] *** ERROR => see also SAP note 552286 [icrxx_mt.c   3291]
    My backend is set up with SSL and the web dispatcher is set to the following. Also, since the backend and SAP web dispatcher are on the same host, using the same sidadm, the SSL stuff is in one location. I generated the SAPSSLS.pse in the backend using STRUST.
    Accessibility of Message Servers
    rdisp/mshost = sapcms02
    ms/http_port = 8100
    ms/https_port = 8533
    wdisp/server_info_protocol = https
    SAP Web Dispatcher Ports
    icm/server_port_0 = PROT=ROUTER,PORT=60000
    icm/server_port_1 = PROT=HTTPS,PORT=0
    icm/server_port_2 = PROT=HTTP,PORT=8080 <-- web dispatcher admin port
    #SSL parameters similar to one in backend
    ssf/ssfapi_lib = /usr/sap/CMS/SYS/exe/run/libsapcrypto.o
    sec/libsapsecu = /usr/sap/CMS/SYS/exe/run/libsapcrypto.o
    ssf/name = SAPSECULIB
    ssl/ssl_lib = /usr/sap/CMS/SYS/exe/run/libsapcrypto.o
    ssl/server_pse=/usr/sap/CMS/DVEBMGS00/sec/SAPSSLS.pse
    ssl/client_pse=/usr/sap/CMS/DVEBMGS00/sec/SAPSSLC.pse
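
The two traces quoted above (the PSE PIN failure and the certificate chain failure) can be triaged mechanically. This is an added example, not code from the posters or from SAP: it groups trace lines by thread and extracts the secude_error code, the PSE or peer involved and the service that failed to start. The sample lines are constructed from the traces on this page, and the HINTS texts are the editor's reading of each error.

```python
import re

# Constructed sample: lines shortened from the two traces quoted on this page.
SAMPLE_TRACE = """\
[Thr 139840167098112] profile param "ssl/server_pse" = "/usr/sap/WD1/W00/sec/epssl.pse"
[Thr 139840167098112] secude_error 1824 (0x00000720) = "Wrong or Missing PIN for PSE"
[Thr 139840167098112] ERROR in af_open: (1824/0x0720) Wrong or Missing PIN for PSE : "/usr/sap/WD1/W00/sec/epssl.pse"
[Thr 139840167098112] *** WARNING => Could not start service (rc=-14) PORT=8300,PROT=HTTPS,TIMEOUT=60,PROCTIMEOUT=900,VCLIENT=0 [icxxserv_mt. 651]
[Thr 773]   secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"
[Thr 773] ERROR in get_path: (27/0x001b) Found root certificate of <CN=sapcms02.reinternal.com, OU=I0020210975, OU=SAP Web AS, O=SAP Trust Community, C=DE> which does not fit the given PKRoot
[Thr 773]   SSL NI-sock: local=10.104.146.81:62579  peer=10.104.146.81:8533
"""

LINE = re.compile(r"^\s*\[Thr (\d+)\]\s*(.*)$")
SECUDE = re.compile(r'secude_error (\d+) \(0x[0-9a-fA-F]+\) = "([^"]+)"')
PSE = re.compile(r'PIN for PSE : "([^"]+)"')
SERVICE = re.compile(r"Could not (?:start|reactivate) service \(rc=(-?\d+)\) PORT=(\d+),PROT=(\w+)")
SUBJECT = re.compile(r"Found root certificate of <([^>]+)>")
PEER = re.compile(r"peer=([\d.]+:\d+)")

# Editor's reading of the two codes seen on this page (assumption, not SAP's wording).
HINTS = {
    1824: "PSE cannot be opened: check the PIN / stored credentials for the OS user running the process",
    9: "peer certificate's root is not in the trust list of the PSE used for the outgoing connection",
}


def triage(trace):
    """Return one finding per thread that logged a secude_error, in order of appearance."""
    findings = {}
    for raw in trace.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # wrapped continuation lines carry no thread prefix
        thread, text = int(m.group(1)), m.group(2)
        f = findings.setdefault(thread, {
            "thread": thread, "code": None, "message": None, "hint": None,
            "pse": None, "service": None, "subject": None, "peer": None,
        })
        hit = SECUDE.search(text)
        if hit and f["code"] is None:  # keep the first (outermost) error of the stack
            f["code"], f["message"] = int(hit.group(1)), hit.group(2)
            f["hint"] = HINTS.get(f["code"], "unclassified secude_error")
        hit = PSE.search(text)
        if hit:
            f["pse"] = hit.group(1)
        hit = SERVICE.search(text)
        if hit:  # (protocol, port, return code) of the listener that did not come up
            f["service"] = (hit.group(3), int(hit.group(2)), int(hit.group(1)))
        hit = SUBJECT.search(text)
        if hit:
            f["subject"] = hit.group(1)
        hit = PEER.search(text)
        if hit:
            f["peer"] = hit.group(1)
    return [f for f in findings.values() if f["code"] is not None]


if __name__ == "__main__":
    for finding in triage(SAMPLE_TRACE):
        print(finding)
```

Grouping by thread id is enough for short excerpts; on a long trace the same thread can log several unrelated failures, so split on the timestamp lines first.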

  • SAP Web dispatcher not forwarding incoming HTTP portal sessions.

    Hello,
    We are using an EP6 Portal from which Abap Web dynpros are launched. The incoming http sessions were accessing our backend ECC6 SAP system through the sap server message. The http sessions were badly dispatched between the two abap servers. We have been advised by SAP to use the sap web dispatcher instead.
    The sap web dispatcher has been correctly installed and configured (on the central abap instance ).
    I have carefully read the SAP help section concerning the server selection using the sap web dispatcher :
    http://help.sap.com/saphelp_nw04s/helpdata/en/5f/7a343cd46acc68e10000000a114084/frameset.htm
    All our settings seem to be OK :
    The incoming HTTP requests are forwarded to abap servers only.
    In transaction SICF, all the services under the tree sap/public/icf_info have been assigned to the same logon group.
    The capacity of the two servers included in the logon group is the same:
    server40 LB=12
    server60 LB=12
    In the Web interface, capacity equal "1" for the two servers.
    wdisp/load_balancing_strategy=  weighted_round_robin
    In the SAP web interface, the preferred server is ALWAYS the same :
    Status of Server Group "LOADIS"
    Loadbalancing Information
    Number of Servers in this group 2
    Last used Server
    Preferred next Server server40_SPA_10
    But it seems that the sap web dispatcher is not used at ALL.
    The Load distribution is still based on the SMLG workload as it was the case, before, with the sap message server. The information displayed in the web interface (preferred server) is wrong.
    The Preferred next Server is ALWAYS server40_SPA_10 (shown in the web interface), but, in fact, the http sessions are distributed between the two servers server60_SPA_00 and server40_SPA_10 depending on the server quality displayed in transaction smlg. It was exactly the same behaviour we had before, only with the sap server message.
    Any useful help would be highly appreciated.
    Best Regards.

    Hi,
    Firstly, have you checked note 1094342? What variant do you want to use? Do you terminate an SSL connection on the web dispatcher and create a new one between web dispatcher and application server? It looks like the web dispatcher can't verify the SSL certificate used by the application server. Maybe you've already tried this but you can try to turn off SSL between dispatcher and application server. If this setup works then the problem is in the SSL connection. You can check what host name is used in the SSL certificate and what host name is used by the dispatcher. You can use the parameter wdisp/ssl_certhost, which sets the host name that will be used for certificate validation.
    Cheers

  • Web Dispatcher and SSL on ABAP+Java

    Hello,
    Have installed SAP web dispatcher on WAS 6.40 ABAP+Java system. Communicating with Portal SP16 system.
    The HTTP works fine. Have not been able to get SSL working with web dispatcher.
    For troubleshooting activated ITS on this system and HTTPS works fine with ITS webgui.
    Have followed the "how to" SSL for web dispatcher guide.
    Also should mention that we have generated certificate requests and PSE's but our organization has not yet chosen a certificate authority to sign the certificates. For other scenarios (log onto Portal, XI, etc) the only difference is the certificate warning dialog, otherwise works fine. Would this cause a problem for Web Dispatcher?
    Trying the SSL end to end scenario receive
    WARNING: Could not start service 0 for protocol HTTPS on host "max-sap" on all adapters
    Is there anything unique for the ABAP+Java configuration?
    Thanks,
    Alan

    I solved this problem by setting the following profile parameter on my webdispatcher profile.
    wdisp/ssl_ignore_host_mismatch = true
    Doesn't fix the underlying problem but got me going until I can figure it out.

  • Web dispatcher with SSL

    Hi,
    We have EP 6.0 SP16 platform on win2003/oracle.
    We configured SSL, so we connect using https protocol.
    We have two application servers for our portal platform.
    For load balancing we use SAP Web Dispatcher.
    We didn't configure SSL for the host where Web dispatcher resides. So we want web dispatcher to convert http requests to https.
    For this purpose we used parameters
    icm/server_port_0 = PROT=HTTP, PORT=8003
    wdisp/ssl_encrypt = 2 
    as said in
    http://help.sap.com/saphelp_nw04/helpdata/en/d8/a922d7f45f11d5996e00508b5d5211/frameset.htm
    we get error:
    Detail: no valid destination server available for '!ALL' rc=7
    How can we solve this error ?
    Best regards

    Hello ..,
    Defining wdisp/ssl_encrypt = 2 in your pfl file is not enough. I'm assuming you have missed the following steps:
    1. Install the SAP Cryptographic Library on the SAP Web Dispatcher.
    2. Set the profile parameters.
    3. Create the SAP Web Dispatcher’s PSE(s) and certificate request(s).
    4. Send the certificate request(s) to a CA to be signed.
    5. Import the certificate request response(s) into the PSE.
    6. Create credentials for the SAP Web Dispatcher.
    7. Restart the SAP Web Dispatcher.
    8. Test the connection.
    You need to perform all the above mentioned steps for the SSL. Please refer this link:-
    http://help.sap.com/saphelp_nw04/helpdata/en/39/09a63d7af20450e10000000a114084/frameset.htm
    Regards
    Vaib
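
The profile settings traded in the threads above (the PORT=0 entries, wdisp/ssl_encrypt and the wdisp/ssl_ignore_host_mismatch workaround) can be reviewed with a small audit script. This is an added example, not SAP tooling or the posters' code; the sample profile is constructed from parameters quoted on this page, and the wdisp/ssl_encrypt check is an assumption drawn from the configurations shown here (an HTTPS entry, possibly with PORT=0, accompanies re-encryption).

```python
import re

# Constructed profile combining settings quoted in the threads on this page.
SAMPLE_PROFILE = """\
# constructed example profile
icm/server_port_0 = PROT=HTTPS, PORT=443, TIMEOUT=15
icm/server_port_1 = PROT=HTTP, PORT=0, TIMEOUT=15
icm/server_port_2 = PROT=HTTP, PORT=8080
wdisp/ssl_encrypt = 2
wdisp/ssl_ignore_host_mismatch = true
"""


def parse_profile(text):
    """Return {parameter: value} for 'name = value' lines; '#' starts a comment line."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def parse_port(value):
    """Split 'PROT=HTTPS, PORT=443, TIMEOUT=15' into a dict with upper-cased keys."""
    opts = {}
    for part in value.split(","):
        if "=" in part:
            key, val = part.split("=", 1)
            opts[key.strip().upper()] = val.strip()
    return opts


def audit(text):
    """Return (parameter, finding) pairs for settings that deserve a second look."""
    params = parse_profile(text)
    ports = {name: parse_port(value) for name, value in params.items()
             if re.fullmatch(r"icm/server_port_\d+", name)}
    findings = []
    for name, opts in sorted(ports.items()):
        prot, port = opts.get("PROT", "").upper(), opts.get("PORT", "")
        # PORT=0 enables the protocol without opening a listener, so it is not flagged.
        if prot == "HTTP" and port not in ("", "0"):
            findings.append((name, "plain HTTP listener on port " + port))
    if params.get("wdisp/ssl_ignore_host_mismatch", "").lower() == "true":
        findings.append(("wdisp/ssl_ignore_host_mismatch",
                         "back-end certificate host name is not checked"))
    has_https = any(o.get("PROT", "").upper() == "HTTPS" for o in ports.values())
    if params.get("wdisp/ssl_encrypt", "0") in ("1", "2") and not has_https:
        # Assumption based on the configurations on this page, see lead-in.
        findings.append(("wdisp/ssl_encrypt",
                         "re-encryption requested but no PROT=HTTPS entry is defined"))
    return findings


if __name__ == "__main__":
    for parameter, finding in audit(SAMPLE_PROFILE):
        print(parameter + ": " + finding)
```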

  • Reverse Proxy - Apache vs SAP Web Dispatcher

    Hi,
    my config consists in a portal (EP7.0 - DB/CI + AS) and an ECC system (ECC 6.0 - DB/CI + AS).
    Web developments are based on Abap Web Dynpro and are also located on ECC.
    To ensure load balancing there are 2 web dispatchers : one on EP DB/CI, one on ECC DB/CI.
    Those 2 systems are located in intranet. Intranet access are realized via http.
    Moreover I need to open this solution to internet. I need a component to filter access in DMZ and ensure reverse proxy + https functions.
    Technical target chain links are depicted below.
    internet access : browser (https) --> (https) reverse proxy in DMZ (http) --> IS (Portal/ECC)
    intranet access : browser (http) --> IS (portal/ECC)
    At the moment two application gateway solutions have been identified :
    Apache (MOD_PROXY + MOD_HTTPS) - My configuration is based on Linux
    SAP Web Dispatcher ("cascading" implementation as described in OSS note 740234)
    I'm looking for PROs and CONs of those 2 solutions and I'm also seeking for the impact of ensuring https encryption/decryption at the application gateway level ("a priori" this usage is not transparent in term of server sizing - CPU/memory, do I require to implement an SSL accelerator ?).
    Regards.
    Frederic.

    Hi,
    PRO Webdispatcher:
    - Supports SAP Java + ABAP
    - Loadbalancing of SAP applications (stateful)
    - Supports load balancing (saplb_* cookie)
    - Free of costs
    - easy to set up (up & running in 2 minutes)
    - Supports HA solutions out-of-the-box (process HA)
    - Filter + Rules to modify the requests
    CONS Webdispatcher
    - not a full reverse proxy
    - Limited functionality
    - one more server/solution (normally, a company already does have a reverse proxy solution in place)
    - limited user base (only SAP customers)
    PRO Apache
    - free
    - widely in use
    - full reverse proxy
    - allows more complex filtering / rewriting
    - can be used for more web solutions, reuse of existing apache reverse proxy
    CONS Apache
    - does not support SAP load balancing (connection to the message server port for load distribution)
    - can be more complex to set up
    - SAP specific technology / problems are harder to fix (ABAP, Stateful connections, sap_lb*)
    Short: both will serve well as a reverse proxy.
    Rule of thumb: Whether you go for Apache or Web Dispatcher should mainly depend on your current IT landscape. If you already do have an apache in use, use Apache. You already have the people / knowledge, try to foster it.
    If you start from scratch and have SAP Logon Groups or many WebDynpro ABAP applications, go for the Web Dispatcher.
    br,
    Tobias
