Web Dispatcher and SSL

Similar Messages

• Web Dispatcher and SSL on ABAP+Java

  Hello,
  Have installed SAP web dispatcher on WAS 6.40 ABAP+Java system. Communicating with Portal SP16 system.
  The HTTP works fine. Have not been able to get SSL working with web dispatcher.
  For troubleshooting activated ITS on this system and HTTPS works fine with ITS webgui.
  Have followed the "how to" SSL for web dispatcher guide.
  Also should mention that we have generated certificate requests and PSE's but our organization has not yet chosen a certificate authority to sign the cerficates. For other scenarios (log onto Portal, XI, etc) the only difference is the certifcate warning dialog, otherwise works fine.  Would this cause a problem for Web Dispatcher?
  Trying the SSL end to end scenario receive
  WARNING: Could not start service 0 for protocol HTTPS on host "max-sap" on all adapters
  Is there anything
  unique for the ABAP+Java configuration?
  Thanks,
  Alan

  I solved this problem by setting the following profile parameter on my webdispatcher profile.
  wdisp/ssl_ignore_host_mismatch = true
  Doesn't fix the underlying problem but got me going until I can figure it out.

• Simple steps to set up SAP Web Dispatcher and SSL

  Hi,
  Could someone please provide simple steps explaining how to configure the SWD to communicate using end-2-end SSL with an XI server? The J2EE engine is listening on port 50001 for HTTPS requests. I have verified SSL is fine through direct connectivity.
  Also our SWD now works fine with HTTP.
  Could someone explain the following:
  1. What parameters must I specify in the SWD profile file?
  2. Do I have to add any parameters via RZ10 to the instance profile?
  3. Do I have to create and activate an HTTPS service via SMICM?
  4. Do I have to activate any internet services via SICF?
  Thanks

  Hi Eddy,
  Sorry just got round to checking on this. The documentation you point to here is what we used as the basis for our setup.
  We are attempting to use End-2-End SSL and did modify the SWD profile accordingly. It does not work however. If I connect via SSL directly to the J2EE server it works fine. Also connecting via HTTP thru the SWD works as well.
  We are unsure as to whether there is something (parameters, service, etc.) that we have to set up via SMICM and/or RZ10 to enable SSL on the ICM? Or even whether that is necessary.
  Ideally what I'd like is if someone can explain step-by-step what needs to be set up in the ABAP stack/message server that would be great.
  Thanks
  Brian

• Error when configuring Web Dispatcher for SSL with Enterprise Portal

  We are in the process of configuring the Web Dispatcher using SSL to connect to our Enterprise Portal (the Web Dispatcher will be in the DMZ).  We have followed all of the help.sap.com guides and now have SSL listening on the EP side (port 8103).  We are now receiving this strange certificate error when we start the Web Dispatcher:
  [Thr 5332] Tue Mar 20 00:36:23 2007
  [Thr 5332]   MatchTargetName("<FULLY QUALIFIED HOSTNAME>", "CN=XXX, OU=XXX, O=XXXX, C=XX") FAILS
  [Thr 5332]   SSL socket: local=<IPADDRESS>:4742  peer=<IPADDRESS>:8103
  [Thr 5332] <<- ERROR: SapSSLSessionStart(sssl_hdl=009D7670)==SSSLERR_SERVER_CERT_MISMATCH
  [Thr 5332] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-30): SSSLERR_SERVER_CERT_MISMATCH [icxxconn.c 2005]
  [Thr 5332] *** ERROR => IcmConnClientRqCreate() failed (rc=-14) [icrxx.c      4919]
  [Thr 5332] *** ERROR => Could not connect to SAP Message Server at <FULLY QUALIFIED HOST NAME>. URL=/msgserver/text/logon?version=1.2 [icrxx.c      2301]
  [Thr 5332] *** ERROR => rc=-1, HTTP response code: 0 [icrxx.c      2302]
  [Thr 5332] *** ERROR => see also OSS note 552286 [icrxx.c      2303]
  We have gone through the trouble shooting note 552286 as listed in the error above.  Any assistance is appreciated.

  Hello, did you receive any resolution for this problem?  We are receiving a similar error and I am unsure of how to resolve.

• SAP Web Dispatcher Configuration (SSL, certificates)

  Hi all,
  We're trying to configure the SAP Web Dispatcher for the use of SSL (terminated) and client authentication using x.509 certificates. All works (almost)fine. However, there's some strange behavior that I can not explain.
  The following access point have been specified in the profile:
  Description of the Access Points
  icm/server_port_0 = PROT=HTTPS, PORT=443, TIMEOUT=15
  icm/server_port_2 = PROT=HTTP, PORT=83, TIMEOUT=15
  icm/HTTPS/verify_client = 2
  Basicly we only need users to access the web dispatcher using SSL. However, when I remove the line: icm/server_port_2 = PROT=HTTP, PORT=83, TIMEOUT=15
  The Web Dispatcher returns an error upon accessing it using HTTPS:
  Dispatching Error
  Error: -26
  Version: 6040
  Component: HTTP_ROUTE
  Date/Time: Tue Mar 14 07:19:38 2006 
  Module: http_route.c
  Line: 2383
  Server: sapvm1_DVS_26
  Detail: no valid destination server available for '!ALL' rc=13
  Any help would be highly appreciated. Thanks!
  Frodo

  Hi KS,
  Maybe you were right afterall I found a nice How to on the servce.sap.com (https://websmp203.sap-ag.de/~form/sapnet?_SHORTKEY=00200797470000073632&_SCENARIO=01100035870000000202) and it seems you do have to add the HTTP server_port parameter in case SSL is being terminated (no re-encryption).
  icm/server_port_0 = PROT=HTTPS, PORT=443, TIMEOUT=15
  icm/server_port_1 = PROT=HTTP, PORT=0, TIMEOUT=15
  However, the trick is to set the port to zero (0), that way you can still only access the Web Dispatcher via HTTPS.
  All is working now.
  Frodo

• Client authentication in PI when SAP Web dispatcher terminates SSL

  PI Security Experts,
  Here is our design for Third-party Peoplesoft system initiating SOAP Call to PI Web Service created on our PI server.
  1) Third-party Peoplesoft Application server initiates a SOAP call.
  2) Third-party Network Gateway has a URL server certificate from our gateway and our gateway server has a root certificate from the CA used by third-party gateway. this will be used to establish the SSL tunnel between gateway.
  3) SOAP request in our network will be routed through load balancer to SAP web dispatcher.
  4) SAP web dispatcher terminates SSL connection
  5) We will generate client cert for authentication and pass it onto third-party which they will load onto their PeopleSoft application server. SOAP call initiating from the PeopleSoft server will pass the client cert along with the message (My understanding is that the client cert will not be a part of SOAP message body. Ina other words we are not implementing message-level security. Is that true? How will the client cert be passed? How and where will a client attach the client cert with message?My understanding is that this is a network layer security and client certificate will be authenticated on PI J2ee server at SSL protocol level..Is my understanding correct?)
  6) We will also load client certificate generated for client onto J2EE server using Visual Admin and map it to PI user for authentication.
  7) SAP web dispatcher terminates SSL and passes the SOAP message to PI (J2EE) along with client cert in a http header variable.
  There is some conflicting SAP documents. some say that client cert can't be used for PI authentication if Web Dispatcher terminates SSL connection (http://help.sap.com/saphelp_nw04s/helpdata/en/ea/301e3e6217b40be10000000a114084/frameset.htm). There is some other documents that say that authentication using client cert is possible by having J2EE trusting Web Dispatcher and by passing client cert from Web Dispatcher to J2EE in a httpheader variable (http://help.sap.com/saphelp_erp2005/helpdata/en/ea/301e3e6217b40be10000000a114084/content.htm).
  Now if client cert authentication is possible even if Web dispatcher terminates SSL, what cert do we need on J2EE, a cert from Web dispatcher or a client cert that's coming in from the client appication (the one that we created and provided to our third-party)?
  If we install a cert from web dispatcher on J2EE then do we need a client cert on Web dispatcher instead of on J2EE? If so how and where do we map client cert to PI User?
  I will really appreciate any advise on whether we are going down the right path and any pointers to my questions.
  Thanks,
  Saurabh

  Hi,
  May be below links will be helpful
  Check the following links.. you will get the information all about the securities...
  http://help.sap.com/saphelp_nw04/helpdata/en/f7/c2953fc405330ee10000000a114084/content.htm
  Also read thru this link for message level security - https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/d024ca8e-e76e-2910-c183-8ea4ba681c51
  Also find soeminformation in these links
  http://help.sap.com/saphelp_nw2004s/helpdata/en/a8/882a40ce93185de10000000a1550b0/frameset.htm
  /people/aparna.chaganti2/blog/2007/01/23/how-xml-encryption-can-be-done-using-web-services-security-in-sap-netweaver-xi
  Step by step guide for SSL security
  step by step guide to implement SSL
  Please go through below link for referance (above information is from below link)
  http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/frameset.htm
  http://help.sap.com/saphelp_nw04/helpdata/en/ff/7932e4e9c51c4fa596c69e21151c7d/content.htm
  http://help.sap.com/saphelp_nw04/helpdata/en/13/4a3ad42ae78e4ca256861e078b4160/content.htm
  http://help.sap.com/saphelp_nw04/helpdata/en/3a/7cddde33ff05cae10000000a128c20/content.htm
  http://help.sap.com/saphelp_nw04/helpdata/en/0a/0a2e0fef6211d3a6510000e835363f/content.htm
  General guide
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a09f3d8e-d478-2910-9eb8-caa6516dd7d9
  Message level security
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/d024ca8e-e76e-2910-c183-8ea4ba681c51
  Regarding message level you can encrypt the message using certificates.
  For both of this basis team has to deploy the releavant certificates in XI ABAP Stack or Java stack.
  Generally if the scenarios are intra company we dont use any transport level or message level security since the network is already secured.
  Thanks
  Swarup

• IE browser and Web Cache and SSL - Internet Explorer cannot display the web page

  When using IE8, IE9, or IE10 with Web Cache and SSL certain pages which display a lot of data returns the error - "Internet Explorer cannot display the web page."
  if we eliminate SSL but continue to use Web Cache, the error does *not* reproduce & If we eliminate Web Cache altogether the error again does *not* reproduce.  The error is only reproducible when we use SSL with Web Cache and if we use IE and we access *large* pages. The error is not reproducible with Firefox or Chrome. This is a Web Tier 11.1.1.7 installation with WebLogic 10.3.6 & Red Hat Enterprise 5 Linux x86-64
  Event_log shows below errors.
  [2013-06-13T16:34:35-04:00] [webcache] [NOTIFICATION:1] [WXE-09002] [logging] [ecid: ] Generated by Oracle Web Cache on Thu Jun 13 16:34:35 2013 - Build 11.1.1.7.0 130113.0721
  [2013-06-13T16:34:36-04:00] [webcache] [NOTIFICATION:1] [WXE-08513] [logging] [ecid: ] Cache server process ID 4469 is starting up.
  [2013-06-13T16:34:36-04:00] [webcache] [NOTIFICATION:1] [WXE-09612] [main] [ecid: ] Oracle Web Cache 11g (11.1.1.6), Build 11.1.1.7.0 130113.0721
  [2013-06-13T16:34:37-04:00] [webcache] [NOTIFICATION:1] [WXE-13002] [config] [ecid: ] Maximum allowed incoming connections are 1000
  [2013-06-13T16:35:00-04:00] [webcache] [NOTIFICATION:1] [WXE-09441] [stats] [ecid: ] DMS enabled
  [2013-06-13T16:35:28-04:00] [webcache] [NOTIFICATION:1] [WXE-12209] [cluster] [ecid: ] A 1 node cluster successfully initialized
  [2013-06-13T16:35:29-04:00] [webcache] [NOTIFICATION:1] [WXE-09614] [main] [ecid: ] The following Oracle Web Cache internal files are pre-populated to the cache: [[
          /nssb-p.adm.fit.edu:7785/_oracle_http_server_webcache_static_.html
          /nssb-p.adm.fit.edu:4448/_oracle_http_server_webcache_static_.html
  [2013-06-13T16:35:29-04:00] [webcache] [NOTIFICATION:1] [WXE-09614] [main] [ecid: ]  [[
  The following Oracle Web Cache internal files are pre-populated to the cache: [[
          /nssb-p.adm.fit.edu:7785/_oracle_http_server_webcache_checkserviceavailability_.html
          /nssb-p.adm.fit.edu:4448/_oracle_http_server_webcache_checkserviceavailability_.html
  [2013-06-13T16:35:29-04:00] [webcache] [NOTIFICATION:1] [WXE-09608] [main] [ecid: ] The cache server process started successfully.
  [2013-06-13T16:35:29-04:00] [webcache] [WARNING:1] [WXE-12104] [utl] [ecid: ] Oracle Web Cache process has page faulted
  [2013-06-13T16:44:22-04:00] [webcache] [ERROR:32] [WXE-11904] [security] [ecid: ] SSL handshake fails SSL-29049
  [2013-06-13T16:44:22-04:00] [webcache] [WARNING:1] [WXE-11905] [security] [ecid: ] SSL additional information: The record type is unknown.
  [2013-06-13T16:44:22-04:00] [webcache] [WARNING:1] [WXE-11905] [security] [ecid: ] SSL additional information: Remote IP [163.118.22.16]:55145
  [2013-06-13T16:44:22-04:00] [webcache] [WARNING:1] [WXE-11905] [security] [ecid: ] SSL additional information: Local IP 163.118.170.70:4448
  [2013-06-13T16:44:22-04:00] [webcache] [WARNING:1] [WXE-11906] [security] [ecid: ] SSL details: SSL error during handshake (details: internal=The record type is unknown. system=Success)
  [2013-06-13T16:44:27-04:00] [webcache] [ERROR:32] [WXE-11904] [security] [ecid: ] SSL handshake fails SSL-29049
  [2013-06-13T16:44:27-04:00] [webcache] [WARNING:1] [WXE-11905] [security] [ecid: ] SSL additional information: The record type is unknown.
  [2013-06-13T16:44:27-04:00] [webcache] [WARNING:1] [WXE-11905] [security] [ecid: ] SSL additional information: Remote IP [163.118.22.16]:55144
  [2013-06-13T16:44:27-04:00] [webcache] [WARNING:1] [WXE-11905] [security] [ecid: ] SSL additional information: Local IP 163.118.170.70:4448
  [2013-06-13T16:44:27-04:00] [webcache] [WARNING:1] [WXE-11906] [security] [ecid: ] SSL details: SSL error during handshake (details: internal=The record type is unknown. system=Success)
  [2013-06-13T16:44:27-04:00] [webcache] [ERROR:32] [WXE-11904] [security] [ecid: ] SSL handshake fails SSL-29049
  [2013-06-13T16:44:27-04:00] [webcache] [WARNING:1] [WXE-11905] [security] [ecid: ] SSL additional information: The record type is unknown.
  [2013-06-13T16:44:27-04:00] [webcache] [WARNING:1] [WXE-11905] [security] [ecid: ] SSL additional information: Remote IP [163.118.22.16]:55148
  [2013-06-13T16:44:27-04:00] [webcache] [WARNING:1] [WXE-11905] [security] [ecid: ] SSL additional information: Local IP 163.118.170.70:4448
  [2013-06-13T16:44:27-04:00] [webcache] [WARNING:1] [WXE-11906] [security] [ecid: ] SSL details: SSL error during handshake (details: internal=The record type is unknown. system=Success)
  [2013-06-13T16:44:35-04:00] [webcache] [ERROR:32] [WXE-11904] [security] [ecid: ] SSL handshake fails SSL-28864
  [2013-06-13T16:44:35-04:00] [webcache] [ERROR:32] [WXE-11904] [security] [ecid: ] SSL handshake fails SSL-28864
  [2013-06-13T16:44:47-04:00] [webcache] [WARNING:1] [WXE-11905] [security] [ecid: ] SSL additional information: This error occurred because the peer closed the connection.
  [2013-06-13T16:44:47-04:00] [webcache] [WARNING:1] [WXE-11906] [security] [ecid: ] SSL details: success during initialization (details: internal=success system=Success)
  [2013-06-13T16:44:47-04:00] [webcache] [WARNING:1] [WXE-11905] [security] [ecid: ] SSL additional information: This error occurred because the peer closed the connection.
  [2013-06-13T16:44:47-04:00] [webcache] [WARNING:1] [WXE-11906] [security] [ecid: ] SSL details: success during initialization (details: internal=success system=Success)
  [2013-06-13T16:44:47-04:00] [webcache] [WARNING:1] [WXE-11905] [security] [ecid: ] SSL additional information: This error occurred because the peer closed the connection.
  [2013-06-13T16:44:47-04:00] [webcache] [WARNING:1] [WXE-11906] [security] [ecid: ] SSL details: success during initialization (details: internal=success system=Success)
  [2013-06-13T16:44:47-04:00] [webcache] [WARNING:1] [WXE-11905] [security] [ecid: ] SSL additional information: This error occurred because the peer closed the connection.
  [2013-06-13T16:44:47-04:00] [webcache] [WARNING:1] [WXE-11906] [security] [ecid: ] SSL details: success during initialization (details: internal=success system=Success)
  [2013-06-13T16:44:47-04:00] [webcache] [WARNING:1] [WXE-11905] [security] [ecid: ] SSL additional information: This error occurred because the peer closed the connection.
  [2013-06-13T16:44:47-04:00] [webcache] [WARNING:1] [WXE-11906] [security] [ecid: ] SSL details: success during initialization (details: internal=success system=Success)
  [2013-06-13T16:44:47-04:00] [webcache] [WARNING:1] [WXE-11905] [security] [ecid: ] SSL additional information: This error occurred because the peer closed the connection.
  [2013-06-13T16:44:47-04:00] [webcache] [WARNING:1] [WXE-11906] [security] [ecid: ] SSL details: success during initialization (details: internal=success system=Success)
  [2013-06-13T16:45:18-04:00] [webcache] [WARNING:1] [WXE-11905] [security] [ecid: ] SSL additional information: This error occurred because the peer closed the connection.
  [2013-06-13T16:45:18-04:00] [webcache] [WARNING:1] [WXE-11906] [security] [ecid: ] SSL details: success during initialization (details: internal=success system=Success)
  [2013-06-13T16:45:22-04:00] [webcache] [ERROR:32] [WXE-11904] [security] [ecid: ] SSL handshake fails SSL-28864
  [2013-06-13T16:45:22-04:00] [webcache] [ERROR:32] [WXE-11904] [security] [ecid: ] SSL handshake fails SSL-28864
  [2013-06-13T16:45:38-04:00] [webcache] [WARNING:1] [WXE-11905] [security] [ecid: ] SSL additional information: This error occurred because the peer closed the connection.
  [2013-06-13T16:45:38-04:00] [webcache] [WARNING:1] [WXE-11906] [security] [ecid: ] SSL details: success during initialization (details: internal=success system=Success)
  [2013-06-13T16:45:38-04:00] [webcache] [WARNING:1] [WXE-11905] [security] [ecid: ] SSL additional information: This error occurred because the peer closed the connection.
  [2013-06-13T16:45:38-04:00] [webcache] [WARNING:1] [WXE-11906] [security] [ecid: ] SSL details: success during initialization (details: internal=success system=Success)
  [2013-06-13T16:45:38-04:00] [webcache] [WARNING:1] [WXE-11905] [security] [ecid: ] SSL additional information: This error occurred because the peer closed the connection.
  [2013-06-13T16:45:38-04:00] [webcache] [WARNING:1] [WXE-11906] [security] [ecid: ] SSL details: success during initialization (details: internal=success system=Success)
  [2013-06-13T16:45:38-04:00] [webcache] [WARNING:1] [WXE-11905] [security] [ecid: ] SSL additional information: This error occurred because the peer closed the connection.
  [2013-06-13T16:45:38-04:00] [webcache] [WARNING:1] [WXE-11906] [security] [ecid: ] SSL details: success during initialization (details: internal=success system=Success)
  [2013-06-13T16:45:41-04:00] [webcache] [WARNING:1] [WXE-11905] [security] [ecid: ] SSL additional information: This error occurred because the peer closed the connection.
  [2013-06-13T16:45:41-04:00] [webcache] [WARNING:1] [WXE-11906] [security] [ecid: ] SSL details: success during initialization (details: internal=success system=Success)
  Any help or suggestions are greatly appreciated
  Tnx a lot,
  Lokesh

  Hello ,
  Try Below Workarounds:
  Workaround 1:
  Open Central Admin
  àApplication Management  à
  Configure Alternate access mapping-->Edit your web application zone and add your server name in Intranet zone. So default can be serverIP and intranet could be servername.
  Workaround 2:
  Might be there is some issue with DNS and try to check that WebApplication is pointing to correct IP or not.  
  Also try to access your Sharepoint site using ip Address .. If you still gets error Kindly share the logs .. 
  Best
  Regards Kuldeep Verma
  Please remember to click "Mark As Answer"
  if a post solves your problem or "Vote As Helpful" if it was useful.

• Web Dispatcher and SNC WAS

  If I connect my Web Dispatcher to a WAS that is not running SNC it connects okay but if I point it to a WAS that is running SNC I get SNC related arrors in the file dev_webdisp.log:
  [Thr 6968] *** ERROR => invalid service descriptor token 'p:GB\SAPServiceQAS' [ictxxroute_r 2681]
  [Thr 6968] *** ERROR => syntax error in text description near line 4 [ictxxroute_r 3135]
  [Thr 6968] *** ERROR => IcrUpdateServerPoolFromDescrString() failed 6 [icrxx.c      1762]
  If I call the /sap/public/ping service on the WAS directly from Internet Explorer on my PC it connects okay, but if I call the same service from my PC via the Web Dispatcher it failes with the above message in the log file and the below HTTP message:
  500 Dispatching Error
  Dispatching Error
  Error: -26
  Version: 6040
  Component: HTTP_ROUTE
  Date/Time: Tue Feb 07 12:47:50 2006 
  Module: http_route.c
  Line: 2352
  Server: UKLONSAP011_QE7_10
  Detail: no valid destination server available for '!ALL' rc=13
  I cannot find any information relating to the Web Dispatcher and SNC on help.sap.com or OSS.
  Do I have to install the SNC library onto the Web Dispatcher server? If so, how do I then reference it?
  Any ideas?
  Thanks.
  Paul

  Hi Paul,
  SNC library is not required for Web Dispatcher.
  The problem seems to be the data the message server provides with the URL http://<msg_host>:<msg_http_port>/msgserver/text/logon?version=1.2
  If SNC is activated you will have an entry for RFCS in the data like:
  RFCS     bin.wdf.sap.corp     4853     p/secude:CN=BIN, O=SAP-AG, C=DE
  The error " invalid service descriptor token 'p:GB\SAPServiceQAS' " indicates that the parser could not parse the response from the message server. Then the server list is empty and you get the "dispatching error".
  Maybe the backslash lets the parser struggle. Please  check that you have an up to date version running (6.40 kernel patch level > 90). If that is the case, then this problem should be handled by OSS message.
  Kind regards,
     Oliver

• Diff. between Web Dispatcher and ICM

  hi gurus,
  Please help to understand the Difference between Web Dispatcher and ICM in whereas ways like
  When do we use which tool?
  The architec differences between them?
  Anything more that would help me to understand better!
  Thanks a lot in advance
  Regards
  Sekhar

  Hi
  At top level, Web dispatcher is like simple dispatcher which handles all the internet related requests like Http, Https, Smtp.
  ICM is Internet connection Manager which is used to administer the flow between SAP and outside world using HTTP, HTTPs, SMTP
  Please read these
  Web Dispatcher
  http://help.sap.com/saphelp_47x200/helpdata/en/42/5cfd3b0e59774ee10000000a114084/content.htm
  ICM
  http://help.sap.com/saphelp_nw04/helpdata/en/0a/a7903febb15a7be10000000a11405a/content.htm

• SSL Configuration between Web Dispatcher and Portal

  Here is the scenario:
  INTERNET -
  https--> WEB DISPATCHER (decryipts)-https> PORTAL
  When a request for portal page is sent to WEB DISPATCHER, it gives the following error in dev_webdisp:
  [Thr 1087416640] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
  ERROR in af_verify_Certificates: (12851/0x3233) Verification of one certificate of path failed because the CA flag of its basic constraints is set to FALSE
  ERROR in check_basicConstraints: (12851/0x3233) Verification of one certificate of path failed because the CA flag of its basic constraints is set to FALSE
  I am using SAP's test certificates and there is no documentation for the error as far as I know.
  Any ideas ?

  Hi Cristiano,
  I solved the problem.
  This error message is being caused by the mismatch between the issuer (SAP Test) and server pse generation strings (for example O and OU values ).
  As the documentation suggests:
  "For example, if you use the SAP CA, the naming convention is CN=<host_name>, OU=I<installation_number>-<company_name>, OU=SAP Web AS, O=SAP Trust Community, C=DE."
  Thanks for the reply,
  Best Wishes
  Edited by: Yuksel Guney Hanedan on Aug 6, 2010 4:35 PM

• CRM_UI Reporting - HTTPS Terminating at Web Dispatcher or SSL all the way

  Hi,
  We need to set up access to crm_ui reports (leads and marketing mainly) in CRM 7.0 for vendors coming from the internet. The CRM server is in the internal network. In order for this to work I plan to setup the web-dispatcher in the application dmz. The initial login is going to be via  the web dmz layer (using sun's iplanet server), which then routes the crm URL to the web dispatcher in the App dmz and then from the web dispatcher to CRM server.
  One requirement from our security team is to set up the flow as HTTPS.
  On going through SAP help I get the impression that it can be set up two ways, one, configuring web dispatcher to pass the SSL connection to backend, & two - configuring the web dispatcher to terminate SSL.
  Seems the former is quite straight forward (from SAP online help we have to set the icm/server_port_<xx>> = PROT=ROUTER) but does it also require that we setup the crm_ui_frame service as SSL and activate the HTTPS service in ICM?
  Or is it better to go via the second option (HTTPS termination) without changing the backend setup? SAP Online help lists steps to do the HTTPS termination but I have not come across any detailed documentation for the first method.
  Any thoughts, suggestions will be helpful for either scenario.
  Thanks,
  Rommel Bhan

  Thanks Martin the document helped.
  Now the web dispatcher seems to talk to the HTTPS port on the backend.
  However there is one issue I see in the dev_webdisp and was wondering if you have an insight.
  Based on webdispatcher parameters, its taling to ms_https_port 8533 of backend
  [Thr 773] Mon Feb 15 15:03:35 2010
  [Thr 773] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
  [Thr 773] SecudeSSL_SessionStart: SSL_connect() failed --
  [Thr 773]   secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"
  [Thr 773] >> -
  Begin of Secude-SSL Errorstack -
  >>
  [Thr 773] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
  [Thr 773] ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=sapcms02.reinternal.com, OU=I0020210975, OU=SAP Web AS, O=SAP Trust Community, C=DE"
  [Thr 773] ERROR in get_path: (27/0x001b) Found root certificate of <CN=sapcms02.reinternal.com, OU=I0020210975, OU=SAP Web AS, O=SAP Trust Community, C=DE> which does not fit the given PKRoot
  [Thr 773] ERROR in verify_with_PKs: (27/0x001b) Found root certificate of <CN=sapcms02.reinternal.com, OU=I0020210975, OU=SAP Web AS, O=SAP Trust Community, C=DE> which does not fit the given PKRoot
  [Thr 773] << -
  End of Secude-SSL Errorstack -
  [Thr 773]   SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"
  [Thr 773]   SSL NI-sock: local=10.104.146.81:62579  peer=10.104.146.81:8533
  [Thr 773] <<- ERROR: SapSSLSessionStart(sssl_hdl=110acb850)==SSSLERR_SSL_CONNECT
  [Thr 773] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT [icxxconn_mt.c 1911]
  [Thr 773] *** ERROR => IcmConnClientRqCreate() failed (rc=-14) [icrxx_mt.c   5976]
  [Thr 773] *** ERROR => Could not connect to SAP Message Server at sapcms02. URL=/msgserver/text/logon?version=1.2 [icrxx_mt.c   3289]
  [Thr 773] *** ERROR => rc=-1, HTTP response code: 0 [icrxx_mt.c   3290]
  [Thr 773] *** ERROR => see also SAP note 552286 [icrxx_mt.c   3291]
  My backend is setup with SSL and web dispatcher is set to the following. Also since the backend and sapweb dispatcher are on the same host, using the same sidadm, the SSL stuff is on one location. I generated the SAPSSLS.pse in the backend using STRUST
  Accessibility of Message Servers
  rdisp/mshost = sapcms02
  ms/http_port = 8100
  ms/https_port = 8533
  wdisp/server_info_protocol = https
  SAP Web Dispatcher Ports
  icm/server_port_0 = PROT=ROUTER,PORT=60000
  icm/server_port_1 = PROT=HTTPS,PORT=0
  icm/server_port_2 = PROT=HTTP,PORT=8080 <-- web dispatcher admin port
  #SSL parameters similar to one in backend
  ssf/ssfapi_lib = /usr/sap/CMS/SYS/exe/run/libsapcrypto.o
  sec/libsapsecu = /usr/sap/CMS/SYS/exe/run/libsapcrypto.o
  ssf/name = SAPSECULIB
  ssl/ssl_lib = /usr/sap/CMS/SYS/exe/run/libsapcrypto.o
  ssl/server_pse=/usr/sap/CMS/DVEBMGS00/sec/SAPSSLS.pse
  ssl/client_pse=/usr/sap/CMS/DVEBMGS00/sec/SAPSSLC.pse

• Web dispatcher with SSL

  Hi,
  We have EP 6.0 SP16 paltform on win2003/oracle.
  We configured SSL, so we connect using https protocol.
  We have two application servers for our portal platform.
  For load balancing we use SAP Web Dispatcher.
  we didn't configure SSL for the host where Web dispatcher resides. So we want web dispather to convert http requests to https.
  For this purpose we used parameters
  icm/server_port_0 = PROT=HTTP, PORT=8003
  wdisp/ssl_encrypt = 2 
  as said in
  http://help.sap.com/saphelp_nw04/helpdata/en/d8/a922d7f45f11d5996e00508b5d5211/frameset.htm
  we get error:
  Detail: no valid destination server available for '!ALL' rc=7
  How can we solve this error ?
  Best regards

  Hello ..,
  By defining wdisp/ssl_encrypt = 2 in your pfl file is not enough. I'm assuming you ahve missed the following steps:-
  1. Install the SAP Cryptographic Library on the SAP Web Dispatcher.
  2. Set the profile parameters.
  3. Create the SAP Web Dispatcher’s PSE(s) and certificate request(s).
  4. Send the certificate request(s) to a CA to be signed.
  5. Import the certificate request response(s) into the PSE.
  6. Create credentials for the SAP Web Dispatcher.
  7. Restart the SAP Web Dispatcher.
  8. Test the connection.
  You need to perform all the above mentioned steps for the SSL. Please refer this link:-
  http://help.sap.com/saphelp_nw04/helpdata/en/39/09a63d7af20450e10000000a114084/frameset.htm
  Regards
  Vaib

• Web Dispatcher with SSL termination for EP

  Hi All,
  I want to configure SAP Web Dispatcher (installed on windows) for SSL
  termination scenario. I did all the configuration steps, SSL Basic,
  SSL termination steps without Metadata Exchange scenario.
  But , when i am trying to access the portal using "<b>
  https://<DispatcherHost>:<Port>/irj/portal</b>", its giving <b>page
  can not be displayed</b> error
  <i>This is how the profile file of the dispatcher looks like,</i>
  profile file **************
  Profile generated by sapwebdisp bootstrap
  unique instance number
  SAPSYSTEM = 2
  Accessibility of Message Servers
  rdisp/mshost = <portal server>
  ms/http_port = 8101
  SAP Web Dispatcher Parameter
  wdisp/auto_refresh = 120
  wdisp/max_servers = 100
  wdisp/shm_attach_mode = 6
  configuration for large scenario
  icm/max_conn      = 16384
  icm/max_sockets   = 16384
  icm/req_queue_len = 6000
  icm/min_threads   = 100
  icm/max_threads   = 250
  mpi/total_size_MB = 500
  mpi/max_pipes     = 21000
  #maximum number of concurrent connections to one server
  wdisp/HTTP/max_pooled_con = 2000
  wdisp/HTTPS/max_pooled_con = 2000
  SAP Web Dispatcher Ports
  SAP Web Dispatcher Web Administration
  icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=./admin
  icm/server_port_0 = PROT=HTTPS,PORT=5000
  icm/server_port_1 = PROT=HTTP,PORT=0
  icm/HTTPS/verify_client = 0
  DIR_INSTANCE=D:\SAP_SSL\secudir
  ssl/ssl_lib=D:\SAP_SSL\secudir\sapcrypto.dll
  sss/server_pse=D:\SAP_SSL\secudir\SAPSSL.pse
  wdisp/ssl_encrypt = 0
  wdisp/add_client_protocol_header = true
  profile file **************
  After modifying the profile file, restarting the dispatcher gives the
  following information in the command prompt,
  Information in command prompt *******
  D:\SAP_SSL\sapwebdisp\sapwebdisp pf=sapwebdisp.pfl
  **Warning: Could not start service 5000 for protocol HTTPS on host
  <hostname>" <on all adapters>
  *SAP Web Dispatcher up and operational <pid: 1700>*
  Information in command prompt *******
  What may be problem? Did i miss out any steps ?
  Please help !
  Regards,
  Sandip

  Hi Sandip,
  Please check this thread..
  /thread/41459 [original link is broken]
  cheers,
  Prashanth
  P.S : Please mark helpful answers

• Securing file download with standard web security and ssl

  Hi,
  I want to put some files for download in my webapp. At the same time, I want to protect these files using standard servlet security and ssl. So I added <security-constraint> in my web.xml and configured tomcat to allow SSL connection. Now I got the files protected as I expected. When I try to access the file directly from browser, tomcat shows me the login page. However, after correct login, I.E. pops up an error saying something like "Internet Explorer cannot download XXX from XXX. The file could not be written to the cache.". The log file showed the following exception:
  javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLException: java.net.SocketException: Connection reset by peer: socket write error
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.checkEOF(SSLSocketImpl.java:1154)
       at com.sun.net.ssl.internal.ssl.AppInputStream.available(AppInputStream.java:40)
       at org.apache.tomcat.util.net.TcpConnection.shutdownInput(TcpConnection.java:90)
       at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:752)
       at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:526)
       at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
       at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
       at java.lang.Thread.run(Thread.java:595)
  Caused by: javax.net.ssl.SSLException: java.net.SocketException: Connection reset by peer: socket write error
       at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:166)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1443)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1407)
       at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:64)
       at org.apache.coyote.http11.InternalOutputBuffer.realWriteBytes(InternalOutputBuffer.java:747)
       at org.apache.tomcat.util.buf.ByteChunk.flushBuffer(ByteChunk.java:403)
       at org.apache.coyote.http11.InternalOutputBuffer.endRequest(InternalOutputBuffer.java:400)
       at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:961)
       at org.apache.coyote.Response.action(Response.java:182)
       at org.apache.coyote.Response.finish(Response.java:304)
       at org.apache.catalina.connector.OutputBuffer.close(OutputBuffer.java:281)
       at org.apache.catalina.connector.Response.finishResponse(Response.java:473)
       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
       at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:825)
       at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:738)
       ... 4 more
  Caused by: java.net.SocketException: Connection reset by peer: socket write error
       at java.net.SocketOutputStream.socketWrite0(Native Method)
       at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:92)
       at java.net.SocketOutputStream.write(SocketOutputStream.java:136)
       at com.sun.net.ssl.internal.ssl.OutputRecord.writeBuffer(OutputRecord.java:283)
       at com.sun.net.ssl.internal.ssl.OutputRecord.write(OutputRecord.java:272)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:663)
       at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
       ... 15 more
  I've tried separating concerns, for example protect files but not require SSL, and enable SSL but do not protect files. Both works respectively but not together. I also tried using a download4j's DownloadServlet. Still doesn't work.
  Have any of you encouter the same situation? If so, could you enlight me what I did wrong? It maybe just a simple SSL configuration or something. Thanks in advance!
  Jack

  My environment setup is:
  JDK 1.5.01
  Tomcat 5.5.7
  For downloading files, I just use plain old <a href> method. I simply right-click the link and choose "save target as...".
  Thanks,
  Jack

• RPC Style Web Service and SSL

  Hi,
  Has anyone tried (and maybe succeeded) in accessing an
  RPC-style Web Service deployed on WebLogic Server 6.1 using
  SSL? I have a Web Service deployed and am able to access it using JNDI and the
  weblogic.soap.http.SoapInitialContextFactory
  INITIAL_CONTEXT_FACTORY. However, when I try to set the
  Context.SECURITY_PROTOCOL to "ssl" and access the secure port,
  I get a "java.net.SocketException: Unexpected end of file from
  the server" error message.
  Does the weblogic.soap.http.SoapInitialContextFactory not
  support SSL? Do I need to do the SOAP/XML messaging myself,
  without being able to make use of the WebLogic convenience
  classes? Thanks! Rob

  Alright!
  Glad you got it working ;-)
  Actually, the problem with the protocol being hardcoded to http in the wsdl.jsp,
  is a bit strange. It's unusual that the BEA engineers that coded the wsgen component
  and support classes, didn't use something like the following:
  <soap:address location="<%= request.getScheme() + "://" + request.getServerName()
  + ":" + request.getServerPort() %>/security/examples/webservices/security/PhoneBookService"/>
  I don't use wsgen too much, because I need to have more control over the J2EE
  packaging. It (wsgen) is great for spitting out stuff, but not really setup for
  doing Web service packaging that use classes (i.e. helper files, frameworks, etc.)
  that it doesn't generate. I think they (BEA) might be looking into integrating
  the Web Services assembly process with other tools like WebGain, Forte, etc. to
  alleviate these types of issues.
  Anyway, glad you got it working, so now you can help somebody else (time permitting,
  of course) with this topic in the future!
  Regards,
  Mike Wooten
  "Rob Nelson" <[email protected]> wrote:
  >
  Mike,
  Thank you very much for your response! The next to
  last sentence did it for me (when you mentioned checking
  that the location attribute of the soap:address element
  was set properly)! I noticed that when I viewed the WSDL
  file via the browser (by clicking on the link in the
  index.html page), I saw http://host:<unsecure_port> when
  I requested it over the unsecure port, but I saw
  http://host:<secure_port> when I requested the WSDL over
  the secure port. Notice it did not say https!
  So, I unjarred the EAR file that was generated by my
  wsgen task, and then unjarred the generated WAR file
  contained therein. When I looked at wsdl.jsp, I noticed
  that "http" was hard-coded in the location attribute, but
  that the host name and port number were dynamically
  generated. So I added a scriplet to dynamically place an
  "s" after "http" (if request.isSecure()) and rejarred up
  the WAR and EAR files.
  Now when I deployed the EAR file, I see "https" when
  I request the WSDL over the secure port, and my client
  (actually your client;) works! Awesome! I really appreciate
  your help! Now my only issue is why did the wsdl.jsp have
  "http" hard-coded, not accounting for secure requests.
  These files were generated by the WSGEN task in ANT.
  I figure it's either: I have a configuration problem,
  I have a problem with my ANT build script, my version of
  WebLogic Server (6.1 w/SP1 built 9/18/2001) has a bug, or
  maybe you just have to manually go in and modify the wsdl.jsp
  file if you want to use https :(. Please let me know if
  you have any insight on this, and I will also follow up
  with WebLogic support. Thanks again! Rob
  "Michael Wooten" <[email protected]> wrote:
  Hi Rob,
  I am absolutely sure the code I posted works, so we need to approach
  this from
  a different angle ;-)
  First, I know why the Context.SECURITY_PROTOCOL approach doesn't works.
  It's because
  the namespace in the Web Services code examples is not the same oneas
  the one
  used for RMI objects, EJBs, JDBC Data Sources, etc. For those objects,
  the Context.PROVIDER_URL
  is something like "t3://localhost:7001", and the INITIAL_CONTEXT_FACTORY
  is "weblogic.jndi.WLInitialContextFactory".
  The one being used with WebLogic Web Services, is mainly just functioning
  as a
  mechanism for manufacturing WebServiceProxy objects, because it is a
  non-instanciable!
  It does this by using a subclass of javax.naming.Context called SOAPContext,
  which
  is completely hidden from you, but also doesn't do much except implement
  the lookup()
  method. The implementation of this method ignores the Context.SECURITY_URL
  property,
  but it does pay attention to the "java.naming.security.principal" and
  "java.naming.security.credentials"
  properties. You don't need these properties for SSL, just Basic Authentication.
  Enough about that, though. The service end-point is a servlet right?
  So this means
  it has a URL that begins with http or https, which in turn means the
  WebLogic
  servlet engine gets the SOAP request and sends it to the StatelessSessionAdapter
  servlet. To WLS, this is just like any other HTTP/HTTPS request sent
  to it ;-)
  There is no special "SOAP-related" HTTP/HTTPS handler in WLS, but the
  SSL challenge
  dance still happens. So my first question is, are you sure you havethe
  HTTPS
  attributes set properly in the WebLogic console. SSL/HTTPS should be
  enabled and
  the "Hostname Verification Ignored" checkbox should be checked. Next,
  are you
  sure the URL assigned to the location attribute of the <service> element
  in the
  WSDL is correct (i.e. https://localhost:7002)? Are you using the "dynamic
  client"
  approach?
  Regards,
  Mike Wooten
  "Rob Nelson" <[email protected]> wrote:
  Mike,
  Thanks for your response. I downloaded the code example that
  you
  posted
  last week, as well as the code example that you posted in October for
  a similar
  request (BEA Support pointed me towards that). Unfortunately, I still
  can't get
  the Web Service to respond to the client request when the client uses
  the HTTPS
  port for the WebLogic Server.
  I tried two different client approaches. The first uses the client
  code
  that you posted in October, the WebServiceProxy approach. The second
  approach
  is based on the example in the WebLogic documentation, which uses the
  weblogic.soap.SoapInitialContextFactory
  class with the javax.naming.Context object to perform a lookup on the
  service
  (which closely resembles rmi without the narrowing).
  Both client classes fail to invoke the the service itself viaHTTPS
  (although
  they both work when making HTTP requests to the unsecure port). However,
  when
  I run the client based on the client class that you posted in October
  and make
  an HTTPS request, I can see in the output where it is able to download
  the WSDL
  file and use it (via the WebServiceProxy) to describe the availablemethods
  for
  the associated Web Service. It is only when the actual invoke() method
  is called
  on the SoapMethod object (which in turn sends the XML request to the
  Web Service
  Servlet), that the server doesn't respond, and the client fails with
  an UnexpectedEndOfFileException
  (i.e. no response).
  So, do you know why the servlet that the RPC-style Web Serviceuses
  to handle
  requests would not respond to HTTPS requests, when it processes HTTP
  requests
  without a problem (using the same client code that fails with the HTTPS
  request)?
  I am using WebLogic Server 6.1 w/SP1 on a Solaris 8 platform. Thanks
  for any
  advice you can give me! Rob
  "Michael Wooten" <[email protected]> wrote:
  Hi Rob,
  Check out the attached zip for "insights" into how to do this. It
  contains
  the
  code for two Web service "consumers" (that the new fangled word fora
  "client")
  and the web.xml and weblogic.xml for the RPC-style Web Service, that
  they consume.
  Hope this helps,
  Mike Wooten
  "Rob Nelson" <[email protected]> wrote:
  Hi,
  Has anyone tried (and maybe succeeded) in accessing an
  RPC-style Web Service deployed on WebLogic Server 6.1 using
  SSL? I have a Web Service deployed and am able to access it using
  JNDI
  and the
  weblogic.soap.http.SoapInitialContextFactory
  INITIAL_CONTEXT_FACTORY. However, when I try to set the
  Context.SECURITY_PROTOCOL to "ssl" and access the secure port,
  I get a "java.net.SocketException: Unexpected end of file from
  the server" error message.
  Does the weblogic.soap.http.SoapInitialContextFactory not
  support SSL? Do I need to do the SOAP/XML messaging myself,
  without being able to make use of the WebLogic convenience
  classes? Thanks! Rob